Review of 2006: Total recall
It's been a good year for some and a bad one for Microsoft. And with so many mergers, it has changed the sector. Rob Buckley looks back.
The year in security began more or less as it planned to go on: acquisitions, patches, data leaks, minor virus outbreaks and escalating security fears. RSA Security completed its acquisition of Cyota, which creates online security and anti-fraud technology for financial institutions. The deal cost $145 million (£76.5 million) and made the company even more attractive to future owner EMC (see June).
Honeywell suffered the first public data leak of the year when details of 19,000 staff were published on a website by a former employee. The company claimed in court papers that Howard Nugent had “intentionally exceeded authorised access”, but still maintained that “nobody hacked into systems”.
Microsoft's Windows continued to impress with its range of weaknesses, including a zero-day vulnerability and a new variety of worm. The former allowed viruses and worms to infect Windows systems via any application that automatically displays a Windows Metafile format (.wmf) image. It took Microsoft weeks to develop a patch, leading some security vendors to suggest protecting systems with third-party patches.
Microsoft could take some comfort from a report by the US government's computer security group suggesting that Linux and Unix faced nearly three times the number of vulnerabilities in 2005 as Windows had. But that was soon erased from people's memories as the Kama Sutra ActiveX worm kicked in, deleting files and spoofing digital certificates to fool Windows into installing other malicious software.
It was a far from quiet year for Sony too, as the company finally settled its rootkit class action suit, agreeing not to try copy-protection technology on CDs for another two years.
Milliondollarhomepage.com found itself the victim of a distributed denial-of-service (DDoS) attack designed to blackmail the owners – presumably for $1 million (£530,000). Meanwhile, Oracle's then record-breaking 82 security patches made Microsoft users feel almost well off.
Symantec CEO John Thompson might have been thinking of phishers when he said: “Trust ultimately is the foundation of the online world. We can't allow trust to continue to erode,” at the RSA conference. But his comments could have been directed at Microsoft. Not only had the company's Live OneCare security service, still in beta, already created a huge debate about the data it was collecting from participants, but its Windows AntiSpyware software chose to flag up two of Symantec's anti-virus products as password-stealing programs.
Still, Thompson's comments were timely for other reasons. Anti-spyware firm Webroot claimed that three times as many spyware components had been found in 2005 as in the previous year. The DTI's bi-annual Information Security Breaches Survey also found spyware to be an increasing threat to enterprises, although virus infection was still the biggest cause of security incidents.
Meanwhile, Forrester Research predicted 2006 would see a number of headline security incidents involving mobile devices. “Device loss and theft will pose the most significant risk… but viruses and other malicious code will begin to emerge as a serious problem,” the company's report said.
This was a month of new threats and broken security – and of analysts proved right. The Mobile Antivirus Research Association sparked fury among fellow security researchers when it refused to share a sample of the first mobile phone Trojan that could cross from Windows mobiles to desktops. Almost simultaneously, a Java-based Trojan capable of running on mobile phones broke into the wild and instant messaging worms ran amok on Microsoft and AOL's networks. Dutch researchers created a proof-of-concept RFID virus, and a botnet was found to be stealing banking info. After that, eEye Digital Security's discovery of a zero-day flaw in Internet Explorer and the cracking of Microsoft's Fingerprint Reader seemed like small fry.
When three Florida banks were hacked and their customers redirected to a bogus homepage, it was little surprise that certain vendors got twitchy about security – or that banks were told they needed to improve theirs.
Meanwhile, plans by Check Point to buy Sourcefire fell through after a federal investigation decided the company was too integral to US security needs to be owned by a foreign company.
Politicians on both sides of the Atlantic started to latch on to the issue of computer security, with the Data Accountability and Trust Act in the US and changes to the Computer Misuse Act in the UK gaining support. The US legislation requires organisations that have a data breach to notify everyone whose personal information was acquired. It also mandates audits of companies that let data loose or are hacked. Meanwhile, the UK Government proposed to make denial of service attacks illegal and increase the maximum jail sentence for hacking. Plans for an additional measure to criminalise anyone who makes and distributes hacking tools spread fear among IT security professionals and those who write software for them. Home Office minister Vernon Coaker tried to assuage those concerns: “In the case of the producer of the hacking tool, it would not be sufficient for the prosecution to show that the tool has been used for illegal purposes on some occasions.” Nevertheless, the proposed changes were clarified later in the year.
Novell continued to improve its security portfolio with the $72 million (£38 million) acquisition of e-Security and its Sentinel 5 real-time security monitoring software. “We've focused on security and identity management as a core business,” said Novell's then-CEO Jack Messman at the time. McAfee began its first acquisition of the year, taking on anti-phishing firm SiteAdvisor. And there were more security problems for Microsoft, this time with the return of the Bagle worm and from its own patches.
Following increased interest in security legislation in the UK and US, it was the European Commission's turn to take notice, proposing a continent-wide effort to track and analyse security incidents. But, in typical EU fashion, a report on progress isn't due until mid-2007.
As the weather began to hot up, so too did the acquisitions market. Microsoft, whose Live OneCare service finally went public at the end of the month, acquired SSL VPN start-up Whale. Meanwhile, stalwart Fortinet bought the intellectual property behind CoSine's virtualised firewall/VPN platform.
May also saw the return of prank worms. One called Owl targeted networked printers. Fortunately, only one company and its print queues were hit – and all it did was print an owl. Other attacks were less amusing. Blue Security was forced to stop all anti-spam operations after a distributed DoS and other attacks. SQL injection exploits were on the increase, too. SecureWorks saw attacks on its clients double to 200 a day until March, but that was nothing compared with the 8,000 a day it eventually had to deal with.
Meanwhile, the Banwarum worm stole email addresses before using its own built-in mail server to flood networks with traffic promising World Cup tickets. An unknown piece of malware leaked details of a Japanese power plant on to the web, while ISP Wanadoo and the US Department of Veterans Affairs both suffered data leaks. The latter was blamed on a mobile worker taking unauthorised data home on his laptop. Forrester was right again.
Consolidation hit the headlines, with 180Solutions and Hotbar merging to form Zango. Bitter rivals NetMotion Wireless and Padcom decided to bury the hatchet – and their lawsuit – and merge. Blue Coat took a different course, splashing out $23 million (£12 million) to buy the NetCache web content and security appliance line from Network Appliance. McAfee continued its buying spree, snapping up risk management tech company Preventsys for an undisclosed sum.
These were all small fry, though, compared with EMC's $2.1 billion (£1.1 billion) acquisition of RSA. “Businesses can't secure what they don't manage, and when it comes to securing information, that means simply two things: managing the data and managing access to the data,” said EMC CEO Joe Tucci of his company's reasons for the purchase.
May's data leaks became a flood in June, with AIG, KDDI, Oregon's department of revenue, the FTC, ING, Minnesota's state auditor, the US agriculture department and the US Navy all losing personal data or getting hacked. Vulnerabilities were found in software and websites as wide-ranging as the Asterisk telephone system, PayPal, Google Pages, and Cisco's WCS WiFi management platform.
The UK's first ethical hacking degree, the BSc (Hons) in Ethical Hacking and Countermeasures, was launched by Abertay University of Dundee's School of Computing and Creative Technologies. It will teach students “skills and techniques used by criminal hackers to crack government and private sector security systems causing billions of pounds-worth of damage and loss every year”. Luckily it also promised to turn out students who would use their skills only for good.
July's heatwave coincided with a flurry of mergers and acquisitions. Cisco bought endpoint security firm Meetinghouse. Secure Computing and CipherTrust agreed to merge in a $273.6 million (£144.3 million) deal. SurfControl bought BlackSpider, Viisage acquired iris-recognition company Iridian, and Entrust snapped up Business Signatures. Microsoft bought Winternals Software, home to Sony rootkit foiler Mark Russinovich. There were financial woes for the CEO of Trend Micro, Eva Chen, with the SEC considering launching a civil enforcement action over alleged securities violations.
To have one security breach may be regarded as a misfortune; to have two looks like carelessness. At least, that's what many observers thought following the posting of personal information of 100,000 sailors and marines on a public site, following June's previous breach of the US Navy's files.
Nevertheless, there was reason enough to give them the benefit of the doubt. VoIP, Windows device drivers, WebEx, network printers and embedded devices all revealed security flaws in July. A new Trojan horse called DNSChanger.eg was able to rewrite DNS entries on client PCs so that phishing sites looked legitimate. Citigate Bank found itself the victim of a man-in-the-middle attack and, with a DC lobbying firm accusing even IBM of hacking its servers, it seemed no one was safe. Fortunately, there was some cheer to be had after CSI/FBI produced research that showed security violations were down, even if the costs of individual incidents had risen.
Mobile devices were again the biggest security fear in August, with Intel warning of flaws in its Centrino wireless drivers and F-Secure finding another virus that targeted the Symbian operating system. The BlackBerry, so far immune to most security concerns, found itself to be a vector for attacks following a proof-of-concept piece of code that could give an attacker access to enterprise networks.
Information security groups were united in praising the US Senate for ratifying the Council of Europe's convention on cybercrime, just hours before Congress broke for a month-long recess.
It couldn't have been more timely: a large botnet swamped the UK with more than eight million phishing emails and the US Department of Justice turned conventional security wisdom on its head by showing the biggest threats to enterprises were external, not internal.
However, the big news of the month was IBM's $1.3 billion (£695 million) acquisition of ISS, a move that pleased and bewildered analysts in equal measure. “The whole threat-protection angle was something IBM was lacking,” said Forrester analyst Thomas Raschke. “Now IBM is set to emerge as the most complete vendor in the security space.”
After the torrent of activity in the summer, the acquisitions market cooled down with only two big deals: SecureWorks and Lurhq agreed a long-rumoured merger, while EMC, despite not yet having digested RSA, decided to acquire Network Intelligence. Nevertheless, it was all change at F-Secure and eEye Digital Security, both of which appointed new CEOs. Kimmo Alkio, former vice-president of consulting and integration at Nokia, took the helm at F-Secure, while eEye promoted its former COO, Ross Brown.
The summer sun seemed to have gone to someone's head at CA, as the company released a faulty update to its anti-virus software, forcing IT administrators around the world to scramble into action. “Black hat” hackers appeared to take fewer vacations, as the Gromozon rootkit had managed to infect 250,000 PCs by the start of the month. Users of Second Life had to change their passwords after a zero-day exploit hit the online virtual reality game's servers. A zero-day flaw in Microsoft's VML implementation proved increasingly attractive to virus writers as well.
Happily, Carnegie Mellon researchers were able to reassure the world that certain kinds of hackers are few and far between: they determined that 70 per cent of DoS attacks originate from a mere 50 sources.
Acquisitions were again the name of the game. McAfee picked up Citadel Security for $60 million (£31 million) and Onigma for $20 million (£11 million). St Bernard Software acquired Singlefin. BT bought US company Counterpane for more than £11 million, making security guru Bruce Schneier a BT employee for the first time. Meanwhile, Sourcefire decided to launch its IPO.
As if to prove that security is only ever as good as its weakest link, a single compromised PC was found to be the open door that let cyber attackers wreak havoc at online broker E-Trade. Thieves were able to conduct fraudulent transactions that cost the company $18 million (£9 million) during its third quarter. TD Ameritrade had to cover $4 million (£2 million) of identity fraud in the same period.
Oracle released 101 security fixes, the largest critical patch update in more than a year, but even that couldn't steal the thunder from Microsoft's Internet Explorer 7, which was found to have security flaws within hours of its release.
The most interesting new threat was SpamThru, a Trojan that was able to use pirated anti-virus software to scan for other malware and disable it. It also used a custom peer-to-peer (P2P) protocol to share information with other infected machines.
So 2006 draws to a close; but some things don't change. At the time of writing, Nationwide admitted losing customer data on, you guessed it, a stolen company laptop.