1. Cyberwar
Michael Calce, aka Mafiaboy, pleaded guilty to 55 of 66 counts of mischief and was sentenced to eight months detention. Calce later wrote a book about his experience, entitled Mafiaboy: How I Cracked the Internet and Why It’s Still Broken. Some experts say that all security threats progress through a cycle that moves from fun to profit to politics, and DDoS attacks were no different: Opportunist criminals next started using DDoS to hold various gambling sites for ransom.
In May 2007, DDoS attacks turned political, with hundreds of online Russian sympathizers blocking Estonian government Websites, all because a World War II memorial had been relocated. The attacks continued through the summer until Computer Emergency Response Teams (CERT) from various nations mitigated them. The following year, Russian organized crime targeted the government of Georgia with a DDoS attack.
While some people think the United States might not be ready for the upcoming cyberwars, experts from CERT are now advising the U.S. government on how better to protect its infrastructure based on the attacks we’ve seen thus far.
2. Malware Makes Strange Bedfellows
Two years later, Microsoft again teamed with the U.S. Secret Service, the FBI, and later Interpol to offer a $250,000 reward for information leading to the arrest of those responsible for SoBig, MSBlast, and other major viruses at the time.
Such public-private cooperation is rare, but it happened again in early 2009 when Conficker was poised to wreak havoc on the Internet at midnight on April 1. That didn’t happen, thanks in part to a unique coalition of rival antivirus companies that collaborated with government agencies under the Conficker Working Group name. To this day, this group continues to monitor the worm. Organizations are stronger when they team up against a common enemy, and even security companies can put aside their differences for the common good.
3. MySpace, Facebook, and Twitter Attacks
The battle initally focused on server port 80; but by the end of the decade, the top concerns were Facebook, Twitter, and other Web 2.0 applications.
In 2005, a teenager authored the Samy worm on MySpace, which highlighted a central problem of Web 2.0–that user-contributed content could contain malware. Even as Facebook endured a few privacy snafus, it also had its own worm, called Koobface.
In 2009, Twitter came of age, too, attracting its own malware and highlighting the dangers of shortened URLs–with them, you can’t see what’s waiting on the other side. Twitter also suffered from spam…or did Guy Kawasaki really send you that porn link?
4. Organized Viruses and Organized Crime
As e-mail spam filters improved to block bulk mailings, malicious coders looked elsewhere, turning to self-propagating worms like MSBlast, which exploited a flaw in Remote Procedure Call messages, and Sasser, which exploited a flaw in Internet Information Services (IIS). About this time, viruses and worms began using Simple Mail Transfer Protocol (SMTP) to bypass e-mail filters so that the compromised machines could spew pharmaceutical spam to random addresses on the Net.
Shortly after Microsoft’s Reward program netted Sven Jaschen, author of Netsky and Sasser, in 2004, the image of a single author creating viruses in a parents’ basement fell out of favor, replaced by organized crime operations with financial ties to porn and bulk pharmaceutical companies. (In 2005, PCWorld wrote a series on the problem, “Web of Crime.”) Groups such as the Russian Business Network (RBN) ran sophisticated spam campaigns, including pump-and-dump penny-stock spam.
5. Botnets
In 2007, the Storm worm–which began like any other virus–started talking to other Storm-compromised computers, forming a network of compromised computers all using the Overnet peer-to-peer protocol. This protocol allowed the operator to send out a spam campaign or to use the compromised computers to launch a DDoS attack.
Storm was not alone. Nugache, another virus, was building a botnet, too. And there were others. Today, botnets have spread to the Mac OS and Linux operating systems. The chances are approaching 50/50 that you might have at least one bot on one of your computers now.
6. Albert Gonzalez
To combat such data breaches, in 2005 the Payment Card Industry (PCI) produced 12 requirements that all of its member merchants must follow; the PCI Security Council updates those requirements every two years. What lies ahead is end-to-end encryption of the credit card data, so that your personal information is never in the clear from cash register to card brand.
7. Gone Phishing
Using logos and designs from banks and e-commerce sites, some phishing sites seem entirely realistic, a vast improvement over the crude pages full of misspellings of a few years ago. The best defense? Don’t click!
8. Old Protocol, New Problem
DNS converts a Website’s common name (for example, www.pcworld.com) into its numerical server address (for example, 123.12.123.123). Cache poisoning means that the stored address for a common name could be incorrect, thus leading a user to a compromised site rather than to the intended site–and the user had no way to know. Kaminsky managed to keep the flaw known to a limited group of companies for about six months, and then rolled out a coordinated series of patches that seemed to address many of the more serious vulnerabilities.
Similarly, researcher Marsh Ray of PhoneFactor discovered a hole within SSL/TLS, one that allows for man-in-the-middle attacks while authenticating the two parties. This wasn’t a vendor-specific problem, but a protocol-level flaw. Ray, like Kaminsky, also set about coordinating a patch among affected vendors. However, a second researcher stumbled upon roughly the same thing, so Ray felt compelled to come forward with his vulnerability, even though some of the patches are still to come.
Disclosures such as these have hastened the move to newer standards, such as DNSSEC, which authenticates data in the DNS system, and a newer version of SSL/TLS. Look for the replacement of existing protocols to continue in the coming years.
9. Microsoft Patch Tuesdays
Starting in the fall of 2003, Microsoft released its patches on a simple schedule: the second Tuesday of every month. What has become known as “Patch Tuesday” has, over the last six years, produced a crop of fresh patches every month, except for four. Oracle patches quarterly, and Adobe recently announced that it would patch quarterly, on or near Microsoft’s Patch Tuesday. Apple remains the only major vendor that doesn’t adhere to a regular cycle for its patches.
10. Paid Vulnerability Disclosure
After years of back and forth, in recent times one or two security companies have decided to pay researchers to stay quiet; in exchange, the company works with the necessary vendor to see that the patch is produced in a timely fashion and that clients of the company get details of the flaw sooner than the general public.
For instance, at the CanSecWest Applied Security Conference, Tipping Point Technologies annually awards $10,000 to the researcher who can hack a given system. And payment-for-vulnerabilities programs have matured in recent years. For example, in Microsoft’s December 2009 Patch Tuesday release, all five of the Internet Explorer vulnerabilities patched can be attributed to the iDefense Zero Day Initiative program.
Robert Vamosi is an award-winning computer-virus and security columnist, and a security analyst.