Review of 2007: Lost in translation

JANUARY

Systems administrators got their usual New Year's greeting - a new worm that installed variants of Tibs, Nuwar, Banwarum and Glowa as well as two rootkits. Welcome to 2007.

And that was only the first outbreak of the month. A fourth zero-day vulnerability was found in Word, while the malware of the year, the Storm Worm Trojan, took advantage of bad weather in Europe, promising news of storm fatalities but only providing its creators with backdoors on to thousands of PCs.

Despite these bad omens, things were looking up for IT security, with the first jury conviction of a spammer under the US's CAN-SPAM Act and a drop in spam levels. Cisco made moves on IronPort Systems, while Symantec pledged $830 million (£400 million) for IT management software company Altiris.

But while the world looked on distracted as Gordon Brown took time out from his tour of India to apologise for Celebrity Big Brother's treatment of Shilpa Shetty (pictured), a new Bluetooth hacking tool came out, and Finjan was busy predicting a rise in complex code attacks.

In short, 2007 was shaping up to be the year when hackers went truly global and started to look for other ways past security.

FEBRUARY

Despite featuring the fourth annual "Safer Internet Day", February proved no safer than any other month. An old vulnerability reared its ugly head in a new OS, as Vista proved susceptible to takeover via its speech recognition software. Meanwhile, a new vulnerability appeared in an old OS, with Solaris's Telnet proving to be compromisable.

But it was new attacks that really grabbed the headlines - when they could get past Britney Spears' shaved head (pictured in her happier days). RSS proved syndicating XSS was really simple. JavaScript turned out to be capable of resetting the DNS settings of certain routers. Another zero-day flaw in Word was uncovered, as well as a remote exploit in Office 2007. And an attempt to deny service to the web's DNS system was nipped in the bud - although some theorised it was only a trial run.

After January's period of grace, the ritual of laptop theft began anew, with one stolen from a New York state tax auditors' apartment containing personal details of hundreds of people. The Nationwide building society was fined £980,000 for losing a laptop in 2006.

MARCH

Remember that drop in spam levels mentioned in January? Three-quarters of all messages were now reported to be spam, following a fifth consecutive month of increases. Just goes to show it all depends on who you talk to ... Porn spam was at an all-time low, but anyone thinking that it wasn't going to come back in another form would be proven extremely wrong.

Almost to prove their own cleverness, hackers came up with a new kind of exploit in March: a flaw in Windows' animated cursors function; while spammers took advantage of blogs' trackback functions to launch their own brand of mischief. VeriSign warned that HTML injections blended with rootkits are set to become a new form of attack.

Meanwhile, the stolen data market thrived, according to reports, with Gartner saying that ID theft had risen 50 per cent in the past three years in - which was handy, because several UK banks were found to be putting sensitive data into bins outside their premises and a Halifax branch had a number of its customers' details stolen. It seemed only the attorney general wanted to do something about leaked data: he took out an injunction stopping the BBC from airing a news segment about the "cash for honours" scandal.

APRIL

Porn was back. Britney Spears, Paris Hilton and porn star Jenna Jameson were among the lures used in 450 exploits of the animated Windows cursor vulnerability uncovered in March. After Microsoft finally managed to patch the flaw in April, Britney et al remained irresistible to Skype users, propagating a new IM worm. Never missing an opportunity to use a large-scale loss of life as a hook, hackers also used the Virginia Tech shootings to help propagate another worm to curious email users. Windows Server's DNS service became an attraction for hackers that was to last for most of the year, while some spammers began to combine their emails with malware.

Globally, 40 per cent of companies reported suffering disruptions from malware, according to research. However, more earth-shattering than the 4.3 magnitude earthquake that hit Kent, was a survey from Network Box that found 99 per cent of SMEs said they did not know how often their AV software was updated.

Websense acquired rival SurfControl for $400 million (£193 million).

Alleged hacker Gary McKinnon (pictured) lost his High Court appeal against extradition to the US. However, he didn't give up the fight.

MAY

In the same month that a young girl called Madeleine disappears while on holiday with her parents in Portugal, cyberwar broke out between Russia and Estonia. The Baltic state blamed its neighbour for launching DDoS attacks against its websites in revenge for the removal of a war memorial.

Following April's "month of MySpace Bugs", a "month of ActiveX Bugs" begins with revelations of yet more flaws in MS Office. More worryingly, flaws are found in McAfee's, Symantec's and Trend Micro's security products, as well as Cisco's IOS.

It was a case of all change in the world of security vendors, with Google making its first security acquisition, GreenBorder Technologies; VeriSign CEO Stratton D Sclavos resigning; nCircle acquiring Cambia Security; Cisco agreeing to buy BroadWare; and Verizon announcing plans to acquire CyberTrust.

The month was full of embarrassing data breaches: Marks & Spencer lost some of its employee data, PlusNet admitted it had suffered "a security breach" and the Foreign Office suffered its own breach with its online visa application service - although this was not to remain the worst government data loss of the year by any means.

JUNE

While image spam had worried some since its arrival last year, by June it was proving to be a spent force, with the number of such messages starting to decrease substantially, according to Symantec. Never ones to give up easily, spammers tried other techniques, swapping images for PDFs and Excel files in "pump-and-dump" campaigns - with little more success.

Malware writers weren't letting up either. The Italian Job Trojan took on English-speaking malware dominance and infected thousands of servers. The Pentagon (pictured) suffered a hack attack that took 1,500 computers offline - with the finger of blame pointing at the Chinese military. And the FBI revealed around a million IP addresses of botnet-compromised PCs.

Security vendors were spurred into action - and promptly began acquiring each other again: EMC went after authentication provider Verid; SonicWall bought Aventail; PatchLink took over SecureWave; and HP acquired SPI Dynamics. Microsoft released its first ever Vista-only security patch.

Oh yes, and Tony Blair finally stood down as Prime Minister.

JULY

Amazing though it may seem, the world wasn't quite complete until July, with the arrival of the iPhone (in the US; those desperate to be among the first to buy one in the UK had to wait until a cold November night to queue for the launch). Keeping their eyes on the news, malware writers tried to cash in on its release, as well as that of The Simpsons Movie later in the month.

Despite attempts by spammers to use Excel documents to spread their stock tips, it was the security people who proved more innovative - just like their real-world counterparts who managed to track down the perpetrators of attempted bomb attacks in London and Glasgow.

WabiSabiLabi, an eBay-style marketplace for security professionals to buy and sell vulnerabilities, was born. One slightly worrying thing is the fact that one of its founders, Roberto Preatoni, was subsequently arrested in November in connection with an ongoing spying scandal at Telecom Italia.

Google, meanwhile, made a second acquisition, Postini; 3Com announced it was planning an IPO of its TippingPoint subsidiary, and Oracle acquired identity theft and fraud prevention specialist Bharosa.

AUGUST

While Russian submarines were busily trying to claim oil under the North Pole for the first time, spammers turned to.zip files to bypass filters for their pump-and-dump scams, which pushed spam levels up by 30 per cent, according to Sophos.

Two new hacking tools, Ferret and Hamster, showed that nothing short of SSL, two-factor authentication and behavioural analysis software was going to make public WiFi truly secure. Flaws were found in both MSN and Yahoo! Messenger. But the good guys had new technology too, with Websense unveiling an early-warning system for Web 2.0 threats.

Vendor consolidation continued. IBM added Princeton Softech to its portfolio, RSA bought Tablus, Novell swallowed Senforce Technology and Sourcefire acquired ClamAV.

Security breaches were everywhere. Monster.com suffered a malware attack that exposed over 1.6 million customer records, then waited five days before telling its users. And the UN's website was hacked.

Fortunately, there was some good news, with "pharmacy spam king" Christopher Smith sentenced to 30 years in the US.

SEPTEMBER

With the new High Speed 1 Eurostar breaking the speed record for a journey from London to Paris, September was a truly international month. The Bank of India website was discovered to have been hacked and serving 30 different types of malware to unsuspecting readers. Meanwhile, Chinese hackers turned out to have been busily breaking their way not just into the Pentagon but British government systems, including the Foreign Office.

Not that the British government was incapable of losing data all by itself: HMRC suffered what would turn out to be a relatively minor loss when one of its laptops went missing with 400 personal data records on it.

Private companies proved more than capable of losing their data, too. Pharma giant Pfizer revealed that it had had three security breaches over the previous year, losing 34,000 staff profiles through internal theft, more employee information from two laptop thefts, and thousands more employees' details through peer-to-peer software.

A survey by the Computer Security Institute revealed the average annual loss for US businesses from computer crime had doubled in 2007 to $350,424 (£169,000), with almost a fifth of those that had suffered a security breach experiencing a targeted attack.

OCTOBER

Angelina Jolie was being blamed for surges at the start of October - this time, the surge was in malware, which was using promised images of her to attract double-clicks. A new exploit for Acrobat led to PDF-based spam once again spreading like the Californian wildfires, while YouTube turned out to be a handy mechanism for spam propagation.

The alleged owner of a botnet network was arrested for attacking organisations including anti-phishing community CastleCops.

October also saw McAfee make moves on ScanAlert, Oracle agreeing to buy LogicalApps and Trend Micro acquiring Provilla.

The data breach at TJX, which had had its customer records hacked over 2005 and 2006, returned to haunt the retailer: investigations revealed that 94 million customer account numbers may have been compromised, the biggest loss in history. HMRC, clearly looking for bigger and better data losses of its own, managed to lose a disk in the post containing the pension details of 15,000 Standard Life customers. But it wouldn't be until November that it achieved its full potential.

Finally, alleged hacker Gary McKinnon was given leave to appeal his extradition to the US.

NOVEMBER

With hundreds of people evacuated to avoid the threat of a three-metre storm tide heading for the English Channel, it seemed appropriate that Storm returned in November, this time to blast the world's inboxes with Geocities spam/malware.

But it was HMRC's decision to finally show the world that it had what it took to be a world-class data leaker that filled the headlines. A "junior official" was blamed for couriering the personal details - including bank accounts - of 25 million people on disks that mysteriously disappeared. Salesforce.com's leaked customer list was positively small fry in comparison.

The Times of India had to shut down its website after being hacked, this time with a cross-site scripting attack that downloaded malware onto visitors' PCs. Not that Mac users had much to be happy about, following the discovery of the first professional-grade Trojan for the formerly impregnable OS.

VeriSign decided to divest itself of any business units not related to security in order to focus on web infrastructure services. Acquisitions continued apace, with Cisco bagging Securent and Symantec taking over Vontu.

2008: WHAT WILL HAPPEN IN THE OLYMPIC YEAR?

With spammers running out of clever ways to bypass email filters, the year of the Beijing Olympics is likely to be the year alternative propagation mechanisms grow in strength. Email spam is likely to get simpler and simpler, with the relatively undefended IM and social networking sites facing the brunt of the spam and malware attacks.

Simple doesn't mean ineffective, however, and the rise of targeted spam from criminal gangs hints at a far more dangerous breed of malware-related spam to come.

Web-based threats will also grow, with cross-site scripting attacks, RSS-based malware and other browser-based exploits that are hard to spot taking on increasing prominence.

As the alternative threats increase, smaller vendors will start to develop suitable protection - only to get gobbled up by larger companies. Outsourcing services will continue to grow in popularity as beleaguered IT managers find themselves unable to cope with new threats.

Data loss will continue to be a growing problem, with more companies finding themselves at the wrong end of the FSA and other statutory bodies, not just for losing data, but for failing to follow the correct procedures in the first place. And it won't just be private companies losing data - governments will continue to show an inability to keep the public's personal details secret. The first UK projects to receive greater scrutiny with be the National ID scheme and the NHS IT upgrade.

Copyright © SC Magazine, US edition

inlostofreviewsecuritytranslation