2006: The year in security

PC users didn't feel a lot more secure in 2006

Though Internet-crippling virus attacks now seem to be a thing of the past, PC users didn't feel a lot more secure in 2006. That's because online attacks have become more sneaky and professional, as a new breed of financially motivated cybercriminals has emerged as public enemy No. 1. Microsoft Corp. patched more bugs than ever, and whole new classes of flaws were discovered in kernel-level drivers, office suites and on widely used Web sites. Vendors' chatter about security is at an all-time high, but the bad guys are still finding lots of places to attack.

And, oh yes, spam is back.

Following are five of the top computer security stories in 2006.

Cybercrime dividends

Hackers teamed with professional criminal gangs in increasingly sophisticated computer crime operations aimed purely at profit.

Much of the trouble centered on phishing, a type of attack where fake Web pages are constructed to harvest log-in details, credit card numbers or other personal information. Credit card numbers are often sold online for illicit gain.

In May, 20,000 phishing complaints were reported, a 34% increase over the previous year, according to a U.S. Department of Justice report. The U.S. hosts the largest percentage of phishing sites, it said.

But law enforcement agencies are getting more organized and cooperating better, particularly in international investigations. At least 45 countries participate in the G8 24/7 High Tech Crime Network, which requires nations to have contacts available around the clock to aid in quickly securing electronic evidence for transborder cybercrime investigations.

The private sector has also helped. Microsoft filed dozens of civil suits and gave information to law enforcement for criminal cases in Europe, the Middle East and the U.S. against alleged phishers throughout 2006.

It's a brand-new zero day

With automatic software updates now the norm, hackers have been forced to look a little harder for ways to put their malicious software on unsuspecting victims' PCs. In 2006, they turned to zero-day attacks as never before.

These attacks take advantage of previously unreported flaws in software, and in 2006, they became a top concern, according to the SANS Institute. In fact, hackers kicked off the new year in 2006 by releasing zero-day attack code based on a flaw in the way Internet Explorer handled Windows Metafile documents.

This was followed later in the year by a rash of very targeted online attacks that exploited unpatched flaws in Microsoft's Office software. In fact, Microsoft warned of the latest such attack -- this one targeting a flaw in Word -- just this Tuesday (see "Microsoft warns of zero-day attack on Word").

To underline the scope of the zero-day problem, security researchers launched widely publicized "Month of Kernel Bugs" and "Month of Browser Bugs" projects, during which they exposed a new, unpatched vulnerability in browsers and operating systems every day for a month.

Spam avalanche

Microsoft's Chief Software Architect Bill Gates predicted two years ago that spam would be gone by 2006. He should check his in-box.

Rising volumes of junk mail nagged IT administrators throughout 2006. Up to 90% of all e-mail was spam, depending on the vendor recording the statistics. Spammers found creative ways to circumvent security software. Image-based spam, in which pixels are added or subtracted so that each individual message appears to be unique, foiled some security techniques.

Spammers also put messages in the images themselves, a tougher challenge to stop since it requires processor-intensive optical character recognition techniques. Spam remained the delivery vehicle for other malicious software such as keystroke loggers and rootkits in addition to promoting links to phishing sites, which often aim to steal financial data or log-in credentials.

Web 2.0 gets Hacked 1.0

MySpace.com may be a poster child for Web 2.0, but from a security perspective, it hasn't been looking so pretty.

That's because the popular social networking site was hit hard this week by a password-stealing worm that exploited a scripting vulnerability on the Web site. And this was not even the first worm to hit MySpace. In October, another more benign worm, called Samy, automatically added a Los Angeles teenager's name to visitors' profiles, quickly making him appear to be the most popular member of the MySpace community (see "Teen uses worm to boost ratings on MySpace.com").

Security experts say that the kind of cross-site scripting attack used in the recent MySpace worm has become much more prevalent in the past year, as hackers have discovered just how much can be done with these attacks. These bugs can be used to do far more harm than many people realize, security experts say, including forcing PCs to download illegal content, hack other Web sites or send e-mail.

Vista lockout irks vendors

Microsoft rankled security vendors by saying it wouldn't allow their software to access the kernel of the 64-bit version of Windows Vista. PatchGuard, Microsoft's kernel security technology, blocks access to prevent unauthorized modifications by malicious software.

Vendors, led by Symantec Corp. and McAfee Inc., argued they needed access to the kernel to detect malicious software such as rootkits, which burrow deep into the operating system. After a flurry of public statements and pressure from the European Commission, Microsoft agreed to make application programming interfaces (APIs) available.

The APIs will allow host intrusion-prevention technologies used by vendors to function without hooking the kernel. But Microsoft said the APIs wouldn't be ready until the release of Service Pack 1 for Vista.

Copyright © 2006 IDG Communications, Inc.

  