Security Year in Review

If there was one force driving the computer security industry this year, it was money, plain and simple. Gone were the days when teenage hackers vied for bragging rights by defacing a website or writing an annoying worm. In 2005, a more sinister class of hacker emerged, working for money and often using quieter, more precise techniques. This was also the year that the financial cost of security breaches became crystal clear, thanks to a California disclosure law that is expected to become a model for upcoming federal legislation in the U.S.Crime Pays, When You’re OnlinePrivacy MattersThe Network Becomes the TargetRootkits for EveryoneMicrosoft Eyes the Security Market

Online crime was a going concern this year as a growing number of malicious programs were designed for theft or extortion. Although there was no Internet-crippling virus outbreak, as had been seen in years past, hackers created countless variations on worms and viruses designed to sneak past antivirus software and take control of PCs. These growing armies of infected computers, called “botnets,” were then used to host fraudulent websites or, as part of extortion schemes, to mount sophisticated denial of service (DoS) attacks.

If you’re still wondering about the financial justification for security spending, just ask the folks at ChoicePoint Inc. They took a $6 million charge this year after information thieves collected data on thousands of consumers from the company. And credit card processor CardSystems Solutions Inc. may yet go out of business from the fallout of a major security breach at the company’s Tucson, Arizona, operations center. With more than 20 state laws on the books requiring disclosure of security breaches, U.S. companies found themselves paying a stiff public-relations penalty whenever computer systems were compromised. According to a recent survey of security breach victims, consumers don’t take the loss of their data lightly. Sixty percent of respondents said they were, at least, thinking of terminating their relationships with the company in charge of the data.

Michael Lynn may have lost his job at the Black Hat 2005 conference this year, but he gained worldwide attention for pointing out something that had previously only been understood by a select group of security experts: Routers can be hacked, too. Lynn, formerly a researcher with Internet Security Systems, was sued after giving a controversial presentation that showed how he had been able to run unauthorized software, called shell code, on a Cisco Systems router. Since Lynn’s presentation, Cisco has patched a number of related bugs in the Internetwork Operating System that runs on its routers, and security experts are wondering if we may someday see the first worm written for routers.

Last year, rootkits were considered a relatively obscure form of Trojan horse program made for Unix computers. But in November, the rootkit went mainstream, thanks to Sony BMG Music Entertainment, which shipped a rootkit as part of the copy protection software on a few million of its CDs. After weeks of consumer backlash, Sony issued a product recall, but according to security experts, Windows-based rootkits are here to stay.

After building the antivirus software market into a respectable $2.5 billion per year industry, software vendors Symantec and McAfee are nervously waiting to see what will happen when Microsoft becomes a competitor. The software giant is already shipping a free beta version of its antispyware product, and an early release of the company’s corporate-focused Microsoft Client Protection antivirus software is expected any day now. Though Symantec has downplayed reports that it has called for a European antitrust investigation into Microsoft, company CEO John Thompson clearly has this new competitor in mind: “They can’t use their Windows monopoly unfairly, and the world will be watching,” he said of Microsoft earlier this year, adding, “And we will as well.”

–Robert McMillan, IDG News Service