An interesting thing happened this year: It appears that 2005 wasn’t worse securitywise than the previous years. Sure, malware and hackers were as crazy as ever, but when I asked many of my computer security friends if 2005 was better or worse than previous years, every one of them said it was better. Granted, our survey is far from a scientific poll, but the collective responses were surprising nonetheless.
So, in a year when Windows rootkits went mainstream and malware went criminal, what’s to brag about?
Probably the most significant event was the lack of a global crisis -- you know, a Slammer- or Blaster-style worm that infects the world in eight minutes. There was no malware with a replication magnitude on the order of Code Red, Slammer, Nimda, or the Iloveyou virus. With the notable exception of PHP worms, even the Linux side had fewer popular viruses and worms this year.
This was also the year when patching got easier. Not only did more and more sophisticated patch management tools arrive from every sector, but there were fewer patches to deploy. 2005 is Microsoft’s best year since the days of Windows 3.1, with fewer Windows patches compared with the past four years. And when Microsoft patches did come out, they came out on a single day each month, so IT teams everywhere could breathe a little easier the other 29 days of the month. More Linux distros got automated patching tools, and it seemed nearly every miscellaneous program had an auto-updating mechanism.
Administrators got better at blocking hackers and malware -- not yet perfect, but overall there was improvement. And it seems that end-users have finally got it: I actually know end-users who don’t click on every file attachment they receive.
Security tools got better, too. IPSes are finally going inline real-time and beating the first generation issue of false-positives. Network access control and quarantining methods are becoming more commonplace, and even anti-virus software seems to getting more accurate.
What went bad in 2005? The stuff that is getting by our defenses is more dangerous: Malware went criminal. Most of today's malware exists to steal confidential information, send spam, or steal identities. Now, malware is getting harder to remove, hiding better, and contains more tricks and exploits than ever. I used to be in the camp that if you found malware, just remove it, accept the risk, and get back on with real life. Now, I recommend formatting the machine and restoring clean data from a clean backup. Oh, yeah, and change all your passwords and watch your monthly statements.
Spam and spyware seem worse than ever, despite the FTC's December announcement that the CAN-SPAM Act is actually decreasing spam. That’s like saying budget deficits are decreasing this year when you’re responsible for sending them sky-high in the first place. Read next week’s column for more of my thoughts on how CAN-SPAM is really doing.
Just as depressing is the fact that our security software continues to get buffer-overflowed on a regular basis. Hey security vendors: Stop adding new features and review your frigging code! Send your programmers to secure programming classes, have independent reviews, offer incentives for bug free code, and give cash awards for any employee who finds a bug.
I do have a list of questions for 2006, ones that I hope we'll finally get an answer for. For example, will the Code Red and Slammer worms ever die? They are still among the most common worms on the Internet. Can there possibly be people who haven’t patched their servers for more than two years? (Apparently, yes.)
Will Microsoft ever speed up Internet Explorer patching? Averaging more than a dozen unpatched vulnerabilities at any one time isn’t a track record to be proud of. What’s the holdup, Microsoft? Not enough hands to patch faster, or just inconvenient priorities? IE 7 looks like the most secure browser I’ve seen to date, but why leave the IE 6 people hanging in the wind for so long and so often? The IE team should talk to the Windows Server 2003 and IIS teams more regularly.
Will trusted computing actually improve security? The Sony DRM debacle showed that our trusted vendors can’t be trusted; is there any hope that other companies will learn from that lesson?
Will vendors stop writing insane EULA clauses that can’t possibly be enforced in court?
Will PKI and digital certificates actually help security when widely deployed?
Will two-factor authentication improve banking security, or will the hackers and malware just move to other vectors, as I think they will?
What am I doing in 2006, you ask? First, I’m going to start playing more with my Ubuntu Linux install. Ubuntu is a user-friendly Linux distro based on Debian, and comes with a superb GUI, Firefox, and Open Office preloaded. It’s often described as the Linux for the Windows crowd. Now comes the tough decision: Do I blow away my Knoppix, FreeBSD, or Fedora partition to make room?