Top 10 Security Nightmares of the Decade
6. Albert Gonzalez
It wasn't organized crime but rather a confederacy of criminals that caused some of the largest data breaches over the last few years--attacks that victimized Dave & Busters, Hannaford Brothers, Heartland Payment Systems, and TJX, to name just a few. One man, Albert Gonzalez, pleaded guilty for most of these heists, and was implicated in others. Gonzalez and his crew entered malicious code through the Web-facing sites of these major companies. In turn, the malware infiltrated the internal network, where it could look for unencrypted credit card data.
To combat such data breaches, in 2005 the Payment Card Industry (PCI) produced 12 requirements that all of its member merchants must follow; the PCI Security Council updates those requirements every two years. What lies ahead is end-to-end encryption of the credit card data, so that your personal information is never in the clear from cash register to card brand.
7. Gone Phishing
More effective than spam, yet short of a full-blown data breach, is phishing. The idea here is that a creatively designed e-mail can lure you into visiting a believable-looking site designed solely to steal your personal information. Often these sites use "fast flux," the ability to switch domains quickly so that you can't lead law enforcement back to the site.
Using logos and designs from banks and e-commerce sites, some phishing sites seem entirely realistic, a vast improvement over the crude pages full of misspellings of a few years ago. The best defense? Don't click!
8. Old Protocol, New Problem
Behind the Internet are protocols, some of which today perform functions far beyond what they were originally designed to do. Perhaps the most well-known of the overextended protocols is the Domain Name System (DNS), which, as IOActive researcher Dan Kaminisky explained in 2008, could be vulnerable to various forms of attack, including DNS cache poisoning.
DNS converts a Website's common name (for example, www.pcworld.com) into its numerical server address (for example, 18.104.22.168). Cache poisoning means that the stored address for a common name could be incorrect, thus leading a user to a compromised site rather than to the intended site--and the user had no way to know. Kaminsky managed to keep the flaw known to a limited group of companies for about six months, and then rolled out a coordinated series of patches that seemed to address many of the more serious vulnerabilities.
Similarly, researcher Marsh Ray of PhoneFactor discovered a hole within SSL/TLS, one that allows for man-in-the-middle attacks while authenticating the two parties. This wasn't a vendor-specific problem, but a protocol-level flaw. Ray, like Kaminsky, also set about coordinating a patch among affected vendors. However, a second researcher stumbled upon roughly the same thing, so Ray felt compelled to come forward with his vulnerability, even though some of the patches are still to come.
Disclosures such as these have hastened the move to newer standards, such as DNSSEC, which authenticates data in the DNS system, and a newer version of SSL/TLS. Look for the replacement of existing protocols to continue in the coming years.
9. Microsoft Patch Tuesdays
A decade ago, Microsoft released its patches only as needed. Sometimes that was late on a Friday afternoon, which meant that bad guys had all weekend to reverse-engineer the patch and exploit the vulnerability before system administrators showed up for work on Monday.
Starting in the fall of 2003, Microsoft released its patches on a simple schedule: the second Tuesday of every month. What has become known as "Patch Tuesday" has, over the last six years, produced a crop of fresh patches every month, except for four. Oracle patches quarterly, and Adobe recently announced that it would patch quarterly, on or near Microsoft's Patch Tuesday. Apple remains the only major vendor that doesn't adhere to a regular cycle for its patches.
10. Paid Vulnerability Disclosure
Independent researchers have debated for years whether to go public with a newly found flaw or to stay with the vendor until a patch is created. In some cases the vendor doesn't get back to the researcher, or doesn't make publication of the flaw enough of a priority, so the researcher goes public. On the other side of the fence, criminals certainly don't go public, knowing that such vulnerability information is worth serious money on the black market.
After years of back and forth, in recent times one or two security companies have decided to pay researchers to stay quiet; in exchange, the company works with the necessary vendor to see that the patch is produced in a timely fashion and that clients of the company get details of the flaw sooner than the general public.
For instance, at the CanSecWest Applied Security Conference, Tipping Point Technologies annually awards $10,000 to the researcher who can hack a given system. And payment-for-vulnerabilities programs have matured in recent years. For example, in Microsoft's December 2009 Patch Tuesday release, all five of the Internet Explorer vulnerabilities patched can be attributed to the iDefense Zero Day Initiative program.
Robert Vamosi is an award-winning computer-virus and security columnist, and a security analyst.
Top 10 Security Nightmares of the Decade