Looking Back At Computer Security In 2005

What follows are some of the biggest events of 2005 with comments by (in no particular order):

• Bruce Schneier – CTO of Counterpane Internet Security and acclaimed security technologist and author.
• Howard Schmidt – former Special Adviser for Cyberspace Security for the White House, was CSO of eBay and Microsoft.
• Dr. Gerhard Eschelbeck – CTO and VP of engineering for Qualys, named one of Infoworld’s 25 Most Influential CTO’s in 2003 and 2004.
• Mikko H. Hypp?¶nen – Chief Research Officer at F-Secure.
• Fyodor – acclaimed security researcher and author of nmap.
• Ira Winkler – author of “Spies Among Us”.

Introduction

An increasing number of techniques and easier access to computer equipment enhances the knowledge of both the malicious users and the security professionals. However, it always seems that the “dark side” has much more free time on their hands since they tend to be ahead of the industry.

Windows users are fighting with all sorts of malware and security holes year after year. “I know it is popular to blame Microsoft for security woes, but they really deserve it this year! From remotely exploitable vulnerabilities in Windows core services like UPnP and MSDTC, to a barrage of severe IE vulnerabilities, Windows users were constantly under attack.” said Fyodor. “Microsoft spends many marketing dollars touting their security, but they need to start backing this up with action.” he added.

The media tends to spread FUD by writing stories where large percentages of Internet users are very afraid to shop online, we see exceptionally big numbers when it comes to identity theft and yet e-commerce is booming and everyone and their mother are getting gifts for the holidays online. The truth is always somewhere in between – despite the media trying to publish “horror stories” in order to increase readership.

When it comes to all these reports where we see average users very paranoid Ira Winkler has another view on the situation: “As time goes on, people will only be more comfortable with computers. They will use it for more and more applications. Security is at best an afterthought, and the more ubiquitous the computer becomes, the less they will consider the threats involved with its usage.”

Every year analysts inform us that this year was the worst yet and that a bleak digital future awaits just around the corner. I tend to be skeptical about such predictions so I’m going to let you decide what to make of 2005. The events depicted in this article all left a mark on both the industry and the users. As repercussions go, some are evident and some will be seen in the upcoming months. All in all, it was an interesting year.

Not a great year for credit cards

CardSystems processed payments for multiple credit card companies. In May the company suffered the largest data security breach to date when around 40 million credit card numbers were stolen. The affected companies were MasterCard, Visa, American Express and Discover. The problem was not only in the fact that the incident occurred in the first place but in the fact that CardSystems did not comply with the regulations that their customers had in place. Audits showed that they weren’t as secure as they had to be. The result? Not surprisingly, even after complying to the demands of increased security the company was sold in October.

Bruce Schneier comments on this situation: “Every credit card company is terrified that people will reduce their credit card usage. They’re worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They’re worried about how their brands are perceived by the public. And they don’t want some idiot company ruining their reputations by exposing 40 million cardholders to the risk of fraud.”

Howard Schmidt said: “I think that anytime a breach of security of any size, especially one that contains consumer private information causes executives to ask “Can this happen to us and if so how do we fix it” With the compliance issues taking a bigger role in corporate governance world wide I would expect this to continue to be a board room discussion which will increase security.”

And just in time for the holidays, Guidance Software (a self-proclaimed leader in incident response and computer forensics) suffered a breach that will probably get a lot of people fired. The incident during which some 3,800 customer credit card numbers have been stolen, occurred on November 25th but wasn’t discovered until December 7th. Did Guidance Software contact their customers immediately? No. In the age where even children use mobile phones, IM and e-mail, they chose to send out notices of the breaches via regular mail. Why? They claim people change e-mail addresses too frequently while the location of the offices stays the same. I guess they think these companies also change their phone numbers all the time. Even if they do, shouldn’t they keep an up-to-date database with contact information?

To make things even worse, the company stored customer records in databases that were not encrypted and if that wasn’t bad enough they also kept the three digit Card Value Verification (CVV) numbers despite the guidelines by MasterCard and Visa that prohibit the storage of the CVV numbers after a transaction and require the databases to be encrypted. The company says they didn’t know these numbers were stored for a longer period of time. I don’t know if this makes things better or worse.

Rootkits go mainstream

On October 31st Mark Russinovich posted an entry on his blog entitled “Sony, Rootkits and Digital Rights Management Gone Too Far” that sparked a media frenzy. Russinovich discovered that Sony was using a rootkit as a method of control for some of their CDs. Sony got under much fire as both privacy advocates and the users were raging against such vile control actions and started boycotting certain Sony titles, bad reviews were starting to show up on shopping sites and Amazon.com contacted their customers and offered them a complete refund if they returned the “infected” CDs. At least now the public is much more aware of certain problems.

F-Secure made an interesting t-shirt that shows just how much Sony is “concerned” about their customers.

Assorted malware

Not surprisingly this year had thousands of pages filled with reports of various types of malware wrecking havoc. So, are things getting any better or just worse when it comes to virus outbreaks? “It seems better. In 2003 we had tons of large outbreaks. In 2004 we saw some. This year only a handful.” says Mikko H. Hypp?¶nen. “However, the transformation from hobbyist virus writers to professionals also means more targeted attacks. These stay under the radar and don’t become front page news – the criminals don’t want to end up on the front page. We’re seeing less outbreaks – so the situation seems to be getting better. It’s actually getting worse.” he adds.

The most talked about virus of 2005 is certainly Sober which caused a lot of problems and disrupted e-mail traffic for both MSN and Hotmail. F-Secure cracked the code and learned how Sober activates. More than 20 variants of the virus have been found since October.

Other “popular” viruses in 2005 were Zafi.D and several variants of Zotob. When it comes to numbers, Hypp?¶nen says the situation seems better: “All of these cases were smaller than cases like the Mydoom/Bagle/Netsky war or the Sasser outbreak from 2004.”

Is there any hope in sight for 2006? “We’re afraid of several things. Automatic mobile phone viruses. WLAN viruses. Skype viruses. I’m afraid it’s not going to get better.” according to Hypp?¶nen.

Ciscogate

A lot of media attention was on the Black Hat Conference in Las Vegas this year. Michael Lynn, a researcher working for ISS, did a presentation on a security hole in Cisco’s IOS. Since Cisco threatened to shut down the conference Lynn first resigned from his position at Internet Security Systems but wouldn’t back down from the presentation. What was a sad example of bad PR is everything that Cisco did. They instructed the people behind the conference to get the promotional material and rip out the pages containing the slides of Lynn’s presentation. So 1984 of them.

Cisco claims the presentation was dangerous since it contains information on IOS and that the information was obtained illegally. Lynn found the problem while working for ISS under specific instructions to reverse-engineer the Cisco operating system. He noted that the release of information was necessary since the IOS source code was already stolen earlier and it was only a matter of time before someone decided to engage in some illegal activity. To get his perspective on things I suggest you read this interview. As regards a discussion on whether he should have gone on with full disclosure or not check out this page at Slashdot.

I’m positive that if they hadn’t made all this noise, much less interest would have surrounded this presentation. Immediately after the conference Cisco released a patch for the IOS vulnerability. Lynn was hired by Juniper Networks in November.

Common Vulnerability Scoring System (CVSS)

The issues surrounding the scoring of vulnerabilities got a possible solution this year with the creation of the CVSS. Gerhard Eschelbeck said: “CVSS allows IT managers to create a single standardized and prioritized ranking of security vulnerabilities across multiple vendors and platforms. CVSS is relevant in all stages of the vulnerability lifecycle, from the time a vulnerability is identified by a researcher to the time a vulnerability needs patching within an enterprise. For computing the vulnerability score, CVSS considers not only the technical aspects of a vulnerability, but also how widely a vulnerable technology is deployed within an enterprise. A multitude of vendors have indicated their commitment to support CVSS in their products, and enterprises are currently introducing CVSS into their environments. By utilizing this scoring system, organizations can patch critical issues quicker, spending less resources on low priority issues.”

Phishing

This is the year when phishing stopped being confused with fishing and basically everyone knows what it means. Howard Schmidt comments: “I agree that the number of phishing scams is on the increase all indications are that LESS people are falling for the scams. In some cases the international law enforcement have made arrests of people who are running these scams which has proven that people can be caught and will be prosecuted. Also, MANY technology steps have been taken to reduce the likelihood one will even see the phishing emails. There was a period of time where some people were scared away from online commerce because of phishing but all indications that there is limited “if any” impact at all.”

Opinions on top problems in 2005

The security related event that defined 2005

Fyodor: “I think the continued rise of botnets has been the year’s greatest trend. The Honeynet Project has been researching these and identified more than 100 botnets containing at least 226,585 unique compromised hosts. Much of this excellent work was done by the German Honeynet Project, and we released a paper. In the months since then, we’ve seen several people arrested for running botnets of more than 100,000
machines each. Increasingly, they have been using these for extortion: threatening crippling distributed denial of service (DDoS) attacks unless companies pay up.”

The biggest online security threats in 2005

Gerhard Eschelbeck: “The security research community as well as vendors identify and publish on average 40 new security vulnerabilities per week. These vulnerabilities provide a multitude of avenues for attack and originate from many different areas. Incorrectly configured systems, unchanged default passwords, product flaws, or missing security patches are among the most typical causes. Security vulnerabilities linger and consequently create a breeding ground for attacks, leading to security breaches. Improperly patched systems not only endanger themselves, but also put other users at risk. It is not the security holes and vulnerabilities we know about and can respond to that are the biggest concern – it is the security holes and vulnerabilities we do not know about and will be the target of tomorrow.”

Final thoughts

Was it worse than 2004? Better? Or did it just evolve to what you expected a year ago? It depends on how you look at it, how much influence a certain event had on your job, on your home computer or on your neighbor that just won’t patch his machine and you have to help every weekend.

We all rate the importance of an event based on how it affected us. The industry will take care of itself. Its revenue has been rising every year and you can look at it like this – more incidents, more compliance or both.

See you in a year and we’ll see what happens. Happy holidays everyone!