HTML5, the incoming web language, will present a huge target for cybercriminals, security firm Sophos has warned.
Its predecessor, HTML4, has dominated websites for years but is a relatively basic language, said James Lyne, senior technology strategist at Sophos, at an event in London. Because of this, developers have introduced many add-ons and plug-ins, such as Flash, Google Gears and JavaScript.
However, as Lyne points out, many of these can remain unpatched, making the whole system very insecure. HTML5 removes the need for many of these add-ons and plug-ins because its advanced nature means similar capabilities are built in.
While this may sound more secure, Lyne said that it will make HTML5 a big target for cybercriminals because it means huge amounts of data will be stored within the browser itself.
"HTML5 is potentially going to be very painful," Lyne said. "The way it works is much like the idea of a thin client and cloud computing. But this means lots of data will be stored in the browser, which will become the target. Traditionally the browser has been used as a way of getting into the PC, now cybercriminals will be targeting the browser itself to get at the data."
HTML5 is rapidly being adopted across the web, particularly for mobile sites. Adobe recently announced that it would no longer invest resources in developing Flash for mobile devices, insisting that HTML5 will offer the best alternative as it will be universally supported. Apple never allowed the use of Flash on its iPhone or iPad devices, severely hampering its adoption.
Sophos’ Lyne also warned that cyber attacks on national infrastructure, such as nuclear and power stations, would increase in 2012, despite labelling the attacks seen in 2011 as "massively over-hyped."
Lyne name-checked the Stuxnet and Duqu worms as examples of threats that could target national infrastructure. But he also claimed they had both been over-hyped, as they were examples of simple malware that exploited common vulnerabilities. They also had little impact, he said.
Lyne added that the potential impact of a successful cyber attack being launched against a country’s national infrastructure was "serious" and that "we will see more over the next year because control systems have not grown as IT security has over the last 20 years, so there are security holes."
Lyne added, however, that the lack of a financial reward for this sort of attack – compared to stealing IP or credit card information – means only a limited number of cybercriminals will focus on this area.