Reflecting on the past year in Information Security, it seems we are heading down a dark and dangerous path. The numbers are against us. On one hand, massive malware outbreaks like Slammer, Blaster, and Loveletter have disappeared, but the replacement is worse. Criminals are using targeted malware in small numbers to steal, and they are generating huge numbers of variants to slip past scanners. We used to face polymorphic viruses, where the virus would modify itself on each infection; the response was to analyse the polymorphic engine so that the scanner could detect all possible outputs. Now the malware creators are keeping the variant generator to themselves, frustrating analysis.
Numbers are against us in spam, too. Again, the profit motive is driving our opponents, and we have to run as fast as we can just to stay where we are. The draft law currently passing through the committee stage in Hong Kong’s Legislature is too weak to have an effect. However, one interesting effect of the Taiwan earthquake is a reduction in spam: at my mail gateway, incoming spam has dropped about 50%, but legitimate messages are normal. Unfortunately, slashing bandwidth cannot be considered a simple, long-term solution to spam.
Numbers are overwhelming us in terms of vulnerabilities, too. New, critical vulnerability announcements are no longer news, and we will soon have to cope with a huge, new operating system, packed with an unknown number of new vulnerabilities: Vista. The more complex a system is, the more likely it is there are flaws, and Vista is Microsoft’s most complex operating system to date.
Numbers are making our job of protecting information more difficult, too, because of the continual increase in data storage capacity and accessibility. We are storing more data than ever before, and we often have little idea of what it is we are keeping, where we are keeping it, or who can access it. The data leakage from the Independent Police Complaints Commission (IPCC) earlier this year was just one example; the Privacy Commissioner’s report is now available.
Is there a bright side? Information Security issues do seem to be getting more coverage and discussion than previously; now we need to face the difficult questions and take action. Have a Healthy, Prosperous and Secure New Year, and remember, Information Security is Everyone’s Business.