2006: The year in security

A look at the Top 5 security stories of the year, including cybercrime, phishing, and spam

By Jeremy Kirk and Robert McMillan, IDG News Service
December 07, 2006

Though Internet-crippling virus attacks now seem to be a thing of the past, PC users didn't feel a lot more secure in 2006. That's because online attacks have become more sneaky and professional, as a new breed of financially motivated cybercriminals has emerged as enemy No. 1.

Microsoft patched more bugs than ever and whole new classes of flaws were discovered in kernel-level drivers, office suites, and on widely used Web sites. Vendors' chatter about security is at an all-time high, but the bad guys are still finding lots of places to attack.

And, oh yes, spam is back.

Following are five of the top computer security stories in 2006.

Cybercrime dividends

Hackers teamed with professional criminal gangs in increasingly sophisticated computer crime operations aimed purely for profit. Much of the trouble centered on phishing, a type of attack where fake Web pages are constructed to harvest log-in details, credit card numbers, or other personal information. Credit card numbers are often sold online to others for illicit gain.

In May, 20,000 phishing complaints were reported, a 34 percent increase over the previous year, according to U.S. Department of Justice report. The U.S. hosts the largest percentage of phishing sites, it said.

But law enforcement agencies are getting more organized and cooperating better, particularly in international investigations. At least 45 countries participate in the G8 24/7 High Tech Crime Network, which requires nations to have a contact available 24 hours a day to aid in quickly securing electronic evidence for trans-border cybercrime investigations.

The private sector has also helped. Microsoft filed dozens of civil suits and gave information to law enforcement for criminal cases in Europe, the Middle East, and the United States against alleged phishers throughout 2006.

It's a brand new 0day

With automatic software updates now the norm, hackers have been forced to look a little harder for ways to put their malicious software on unsuspecting victims' PCs. In 2006 they turned to zero-day attacks as never before.

These attacks take advantage of previously unreported flaws in software, and in 2006 they became a top concern, according to the SANS Institute. In fact, hackers kicked off the new year in 2006 by releasing zero-day attack code based on a flaw in the way Internet Explorer handled WMF (Windows Meta File) documents.

This was followed, later in the year, by a rash of very targeted online attacks that exploited unpatched flaws in Microsoft's Office software. In fact, Microsoft warned of the latest such attack -- this one targeting a flaw in Word -- just this Tuesday.

To underline the scope of the zero-day problem, security researchers launched widely publicized "Month of Kernel Bugs" and "Month of Browser Bugs" projects, during which they exposed a new, unpatched vulnerability in browsers and operating systems every day for a month.

Spam avalanche

Microsoft's Chief Software Architect Bill Gates predicted two years ago that spam would be gone by 2006. He should check his in-box.

Rising volumes of junk mail nagged IT administrators throughout 2006. Up to 90 percent of all e-mail was spam, depending on the vendor recording the statistics. Spammers found creative ways to circumvent security software. Image-based spam, where individual messages appear to be unique by subtracting or adding pixels, foiled some security techniques.

Spammers also put messages in the images themselves, a tougher challenge to stop since it requires processor-intensive optical character recognition (OCR) techniques. Spam remained the delivery vehicle for other malicious software such as keystroke loggers and rootkits in addition to promoting links to phishing sites, which often aim to steal financial data or log-in credentials.

Web 2.0 gets Hacked 1.0

MySpace.com may be a poster child for Web 2.0, but from a security perspective, it hasn't been looking so pretty. That's because the popular social networking site was hit hard this week by a password-stealing worm that exploited a scripting vulnerability on the Web site. And this was not even the first worm to hit MySpace. In October another more benign worm, called Samy, automatically added a Los Angeles teenager's name to visitors profiles, quickly making him appear to be the most popular member of the MySpace community.

Security experts say that the kind of cross-site scripting attack used in the recent MySpace worm has become much more prevalent in the past year, as hackers have discovered just how much can be done with these attacks. These bugs can be used to do far more harm than many people realize, security experts say, including forcing PCs to download illegal content, hack other Web sites or send e-mail.

Vista lockout irks vendors

Microsoft rankled security vendors by saying it wouldn't allow their software to access the kernel of the 64-bit version of Windows Vista. Patch Guard, Microsoft's kernel security technology, blocks access to prevent unauthorized modifications by malicious software.

Vendors, led by Symantec and McAfee, argued they needed access to the kernel to detect malicious software such as rootkits, which burrow deep into the OS. After a flurry of public statements and pressure from the European Commission, Microsoft agreed to make APIs (application programming interfaces) available.

The APIs will allow host intrusion prevention technologies used by vendors to function without hooking the kernel. But Microsoft said the APIs wouldn't be ready until the release of Service Pack 1 for Vista.