2010 Wrap Up – Security Highs and Lows of the Year
This year may not be remembered for any single stand-out security incident, but 2010 still had many important lessons to teach. It was the year in which mobile malware attacks became significantly more widespread, in which efforts to combat botnets appeared to have limited success and in which, consequently, the problem of distributed denial-of-service (DDoS) attacks appeared to show little abatement. It was a year that brought us some unfortunate reminders that many of cybercrime’s oldest, tried-and-tested techniques are still able to find more than their fair share of victims.
The “Here You Have” malware, which popped up in early September, showed us that a decade-old technique for compromising computers is still surprisingly effective. Here You Have relied upon old-school social engineering and a lack of user education in order to propagate – victims actually had to manually launch the malicious script, which masqueraded as a PDF when it arrived in their email in-box. Such was the Trojan’s success that it reportedly led to mail servers being shut down at major enterprises such as Disney and Comcast. There are few technological solutions here; the best way to defend against simple-but-effective attacks such as Here You Have is to make sure users are trained to be highly suspicious of unsolicited links and documents that arrive in their in-boxes.
Another valuable lesson, similarly old and well-understood, was learned just this month, when the network of popular blogs owned by Gawker was compromised, and the log-in credentials for over a million users stolen and made available via BitTorrent. While the passwords were encrypted, many were quickly cracked by the attackers and published online. Because Gawker uses e-mail addresses as user names, the need to use different passwords on different Web sites quickly became clear to hundreds of thousands of Internet users who may not have previously taken such precautions. Many other popular sites did their due diligence, discovered that their own users’ Gawker passwords had been compromised, and were forced to take security precautions of their own to ensure that their sites did not become collateral damage of the attack. Again, educating users about secure password management strategies could have prevented many of the problems that may arise following a breach.
The DDoS threat showed little sign of letting up in 2010. Despite efforts to fight back against major botnets such as Zeus, DDoS attacks launched by networks of compromised computers remained a significant problem. Most recently, the attacker group Anonymous launched “Operation Payback”, in which it flooded the sites of major payment processors with deluges of spurious traffic in revenge for their refusal to deal with controversial whistle-blower site WikiLeaks. The attack successfully knocked Mastercard’s Web site offline and caused performance problems at others including Visa and PayPal, demonstrating vividly that not even major global financial brands are not immune from the effects of a well-coordinated DDoS attack.
While many end-of-year security wrap-ups focus purely on the negative, I’d also like to look at some major, positive, proactive initiatives that the industry has undertaken over the course of the year, notably the worldwide roll-out of DNSSEC. This year was what has been called the “end of the beginning” for DNSSEC. Although the standard has been in development for nearly two decades, at the start of 2010 you could have been forgiven if you’d never heard of DNSSEC. Today, it would be surprising if you did not already have at least a basic understanding of how the technology works, what problems it solves and what benefits it will bring. By the end of 2011, if your organization does not have a DNSSEC strategy, you will be behind the curve.
DNSSEC, (DNS Security Extensions) is a security upgrade to the age-old DNS protocol. While DNS has proved itself a robust, mostly reliable technology, it was built on the assumption that the Internet and all users can be trusted to do the right thing. Because of this initial, entirely understandable design oversight, DNS has been found vulnerable to attacks such as cache poisoning – which allows attackers to hijack traffic destined for legitimate Web sites and email accounts. DNSSEC allows domain name owners to add cryptographic signatures to their zones, enabling end-to-end domain validation that a user is reaching the site they actually typed into their Internet browser.
The DNSSEC standard took an enormous step towards global adoption in the summer of 2010, when ICANN, the US National Telecommunications and Information Administration and VeriSign worked together to sign the root zone of the DNS , giving the Internet the highly secure “trust anchor” that will be the cornerstone of all future DNSSEC validation traffic. Approximately 50 top-level domains, including .info, .org, .net, .in, .uk and .us have already completed their DNSSEC roll-outs. The next big step is for VeriSign to use DNSSEC to sign the .com zone – which will push the technology over a key threshold.
Even with these important implementation initiatives, there is still much work to be done at different levels of the DNS hierarchy before DNSSEC can achieve its goal of end-to-end Internet domain validation. Domain name registrars, ISPs, application developers and Web site operators will all need to do their part. While many already are, 2011 will see the appearance of many new tools and managed DNS services that will make it even easier and more cost-effective for every domain owner to secure their DNS. Next year, the catalysts will start to fall into place that will make becoming a DNSSEC adopter a much easier decision to make for many organizations.
The last 12 months may not have seen any watershed moments in Internet security in terms of new methods of attack, hugely disruptive vulnerabilities, or a “digital Pearl Harbor” event, but levels of malicious activity remained high. At the same time, it should be seen as an encouraging sign that many of the Internet’s key infrastructure providers are quickly moving to add security to systems such as DNS, which will lead to a more trustworthy network and almost certainly will create new security services.