PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Real World Computing

Review of 2008

Posted on 3 Mar 2009 at 17:35

This month, Davey Winder has been looking back over things that have made him go "ooh" during 2008...

What was probably the biggest security story of the year also broke in July - Dan Kaminsky's DNS vulnerability. This security researcher stumbled across a fundamental security flaw in the Domain Name System that forms the basis of the internet, one that could potentially have left hundreds of thousands of websites at risk of malicious code injection. But far from becoming yet another security scandal and another black day for the internet, this story proved to be something of a triumph for the IT security business. It illustrated how the industry can pull together in a crisis to fix things for the greater good. Kaminsky approached the big boys such as Microsoft, Cisco and Juniper to get them to agree to work on a fix, enabling a host of hardware vendors to release security patches simultaneously without any news of the vulnerability leaking out first, thus minimising the impact of what remains one of the most potentially serious security flaws for a very long time. Nice one Dan, you truly are the man of 2008 as far as I'm concerned...

Ironic security story of the year

August is traditionally a slow news month as people tend to disappear on their holidays, which can lead to some rather amusing stories escaping into the wild, like one that hit my inbox reporting that NASA had confirmed that the International Space Station had been infected by worms. At least one worm, the W32.Gammima.AG worm to be precise. Apparently, an ISS commander had discovered, using Norton, that a Russian laptop was infected. Just how the worm got on-board in the first place wasn't made clear, especially as it turned out to be a highly specific version developed to steal online gaming data for a Chinese multiplayer game. NASA, meanwhile, went to great lengths to assure the press that this worm was never a threat to any command or control systems on the ISS.

Just as daft, but a lot more worrying from my perspective down here on Planet Earth, was the news that 88% of IT administrators would be prepared to steal sensitive company data and walk out of the door with it if sacked or made redundant. That means data such as board-level passwords, customer databases and financial reports. And these people have the nerve to call themselves IT professionals? Jeez! But the award for Most Ironic Security Story of the Year has to go to the Black Hat hacker conference in Las Vegas, where the organisers banned three reporters from attending after discovering they'd hacked the press room's private network!

September brought another smile to my face, and my Dumbass Hacker of the Year award went to a 21-year-old Bangladeshi computer science student called Shahee Mirza. This guy apparently indulged in a little hacktivism, defacing a Bangladesh government website by placing a message on the homepage that included statements such as, "HACKERS R NOT CRIMINAL. THEY R 10 TIME BETTER THAN YOUR EXPERT." Unfortunately, it also included a big banner telling all and sundry that the site had been "Hacked by Shahee Mirza", then went on to give his real email address at the foot of the page in case anyone wanted to contact him. It seems to have worked, because within 24 hours the police did just that...

I had to take my hat off to Microsoft in September for striking a small blow against the scareware merchants. These are people who do the security software equivalent of shouting "Fire!" through your letterbox and then trying to sell you a fire extinguisher. Fed up with folk selling software using pop-up adverts that emulate Windows system messages, warning of corrupted registries and critical errors, Microsoft made its move using a Washington State law (the Computer Spyware Act) that makes it an offence to mislead users into believing software is required for security and labels such software as spyware. While these cases are unlikely to stop the trade altogether, they're a start, and power to Microsoft's elbow for sticking with them.
