2007 in Security

An anonymous reader wrote in to say that "Heise Security did a year end review — for the upcoming year 2007. In their crystal ball they see P2P bots, (almost) crashing stock exchanges, dropping prices for zero day exploits and private mails of gmail users published on the google search engine." Speculatory and amusing.

private mails on google search engine

[discord5]

private mails of gmail users published on the google search engine

Oh noes! Everyone can see my spam now!

Re:Even worse:

[discord5]

Everyone can read about the penis enlargement treatment you ordered.

Quartermaster Clerk: One Swedish-made penis enlarger.
Austin Powers: That's not mine.
Quartermaster Clerk: One credit card receipt for Swedish-made penis enlarger signed by Austin Powers.
Austin Powers: I'm telling ya baby, that's not mine.
Quartermaster Clerk: One warranty card for Swedish-made penis enlarger pump, filled out by Austin Powers.
Austin Powers: I don't even know what this is! This sort of thing ain't my bag, baby.
Quartermaster Clerk: One book, "Swedish-made Penis Enlargers And Me: This Sort of Thing Is My Bag Baby", by Austin Powers.

Re:

[Beryllium Sphere(tm)]

Does anyone have a cite on this one? It's the kind of thing I'd normally hear about, and the explanation

Google: Contrary to their own assertions, the data octopus had analysed and indexed all e-mails processed through their mail service. Due to a mistake made by an administrator, a database of the highly secret project was mirrored onto the external index servers, and as a result, the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour.

doesn't make a l

So...

[Architect_sasyr]

Business as usual then? DDoS attacks, the crackers finding ways to be one step ahead of the security team, and someone reading my email...

Yep, sounds like business as usual to me...

Re:

[Anonymous Coward]

That's because the crackers are the security team, and the sh*t that pays the bills is Boring.

Pay us more to protect your crap, keep us out of meetings, don't argue with us when we tell you your code is broken, let us build stuff that isn't a patch fix to the problem. Then you'll see security that surpasses the attacks we build to keep ourselves sane on the clock and after work.

and a happy new year

[locksmith101]

2007 is gonna be about the consequences of our self destruction of earth - having our emails exposed will be the last of our problems...

Re:

[Master of Transhuman]

Terrorism IS porn - for some of us.

Vista

[RAMMS+EIN]

I think the big thing to happen to security in 2007 is Windows Vista. With increasing adoption, we will really get to see whether all the rewrites, new features, and bugfixes dramatically improve security. Holes will be found and plugged. Other operating systems will copy the good ideas and avoid the bad ones. Whenever pre-Vista Windows versions are broken into, people will say "It's your own fault; you should just have upgraded to Vista".

Other than that, I think existing trends will continue. More development will be shifted from unsafe languages like C and C++ to Java, the .NET languages, and the popular languages from the open source community. Exploits will continue to shift from buffer overflows and integer overruns to logic errors and injection vulnerabilities. More attacks will target web browsers. With increasing adoption of Unix-like OSes, perhaps we will see some exploits for these run wild, too.

Re:

[dhasenan]

Now that Java is open source, you don't have as much vendor lock-in when using it. The main issue is the ClassPath exception (which states that static and dynamic linking to their libraries forms a derivative work), and that's a big one if you don't want all your software to be GPL (and use the ClassPath exception). Of course, you could only release source code to avoid ClassPath, but other than that, you have to use the proprietary form.

I'm not sure how enforceable the ClassPath exception is with Java, tho

Re:Vista

[RAMMS+EIN]

``More unsafe developers will be shifted from languages like C and C++ to Java and the .NET languages''

Where there are fewer mistakes they can make; buffer overflows, memory leaks, and even, to some extent, injection vulnerabilities are common in C and C++ programs, but rare or absent in Java, C# and VB.NET programs.

``and continue to promote needless vendor lock-in, much to the dismay of the the open source community."

It's not as bad as it used to be. Java is being open source, and there are various implementations of .NET, at least two of them open source. Both Java and .NET are standardized. Contrast this with popular open source languages like Perl, PHP, Python, Ruby, OCaml, ... and you will generally find that they have no standard and there is generally only one real implementation. C and C++ aren't much better; although the languages are standardized and a myriad of implementations exists, a lot of code uses either Microsoft or GNU extensions, again tying the code to a single vendor.

Vishfull thinking ..

[rs232]

"I think the big thing to happen to security in 2007 is Windows Vista"

It's a tribute to the MS marketing department that the emergence of Vista is seen as a big security event. All the security features in Vista have already been inplimented in the other Operating Systems. The signed drivers feeture has already been hacked [com.com].

User Account Control: aka as SuDO under nix.

Protected mode Internet Explorer: on nix the browser runs as standard user and can only access the users home directory.

Windows De

Re:

[RAMMS+EIN]

``"I think the big thing to happen to security in 2007 is Windows Vista"

It's a tribute to the MS marketing department that the emergence of Vista is seen as a big security event. All the security features in Vista have already been inplimented in the other Operating Systems.''

That's irrelevant in this case; what matters is that, in 2007, many more systems will have these features than in 2006.

``User Account Control: aka as SuDO under nix.'' ...with some anti-phishing features. Although I doubt their

Re:

[strider44]

Just a note, address randomisation is in Linux kernel 2.6.x (just look up "linux address randomization" on google). I hate to break it to you mate though - all your features sound pretty but I seriously doubt that they will make the huge difference you're hoping for.

Re:

[Threni]

> It's a tribute to the MS marketing department that the emergence of Vista is seen as a big security
> event. All the security features in Vista have already been inplimented in the other Operating
> Systems.

The difference is that people actually use Windows, which means that making it more secure would mean a decrease in the number of security problems. You'll probably see the next year or so featuring more attacks on the less popular OSs.

Re:

[Beryllium Sphere(tm)]

It's a big thing in security news when a mass market operating system picks up features that used to exist only in a few specialty Linux distros and in OpenBSD. It's not a matter of invention, but it is a change, and if attackers always had to use the same attacks then the world would get quieter as a result of Vista getting deployed. But of course the attackers will just depend more on Trojan Horses and on privilege escalation bugs.

Re:

[A_Non_Moose]

Given the number of non-Windows servers out there why aren't we seeing the equivalent number of breeches. Where are all the Mac viruses. Where are all the cross platform viruses.

Don't get your knickers in a twist, but most other platforms haven't been caught with their pants down so readily.

Most notable is SlackSware Linux. ;)

Sorry, I'll keep it shorts: I could not resist after seeing FTFA: ...resulting in automated control programs loosing control.

The brain was primed after that.

I know Brits spell things f

Re:

[canuck57]

Other than that, I think existing trends will continue. More development will be shifted from unsafe languages like C and C++ to Java, the .NET languages, and the popular languages from the open source community. Exploits will continue to shift from buffer overflows and integer overruns to logic errors and injection vulnerabilities. More attacks will target web browsers. With increasing adoption of Unix-like OSes, perhaps we will see some exploits for these run wild, too.

Saying a language used to program

Re:

[Niten]

Saying a language used to program a computer causes security issues is like saying that cars kill people.

Like cars, programming languages will perform just like they are driven. PCs too, it they are driven carelessly then there will be security accidents.

And like cars, some programming languages / runtime environments have better security features than others.

You are correct in that any errors in my code are, at the core, my fault, and not the fault of my development environment. But so what? Back her

Re:

[canuck57]

I agree with everything you said. I too used to be quite the coder in C/C++, some big projects too. It comes down to having the time, the focus the management support but most errors can be removed. Not all mind you, just most. But many software coding places are slam it out, damn the torpedoes and make $$$ as fast as possible. Patch later... customers don't care they get a product that is full of holes...

Times will change though. Companies that don't write securable code and designs will eventually f

Re:

[finity]

I don't know about the "Other operating systems" copying ideas, but I think an improvement in Windows security is great too. It's great because everyone uses Windows, though, not because the security is better than anything existing products offer. Actually, many of the ideas that make computer security great have already been thought of back in the 70s, 80s and earlier. Why hasn't Windows already implemented things like this, well I think it's partially their fault and partially the hardware vendor's fa

Re:

[vtcodger]

***I think the big thing to happen to security in 2007 is Windows Vista. With increasing adoption, we will really get to see whether all the rewrites, new features, and bugfixes dramatically improve security.***

I'd like to think that Vista does dramatically improve security. Lord knows, there is room for dramatic improvements. But Microsoft is not loudly trumpeting improved Vista security as they (mistakenly) did Windows XP security. That leads me to believe that their own assessment might well be that

Re:

[OriginalArlen]

I think the big thing to happen to security in 2007 is Windows Vista. With increasing adoption, we will really get to see whether all the rewrites, new features, and bugfixes dramatically improve security...

(Emphasis added)

You must have missed the memo. Gates' pet "rewrite the kernel as managed code" project lunacy was written off after three years' work back in 04. (the reset [google.co.uk].) Mini-Microsoft said it was 12,000 man-years of work that was simply written off. I suppose it's a good thing (for Microsoft) that they retain the ability to recognise the writing on the wall and not subject the OS group devs to the deathmarch to end all deathmarches...

The Vista kernel currently pouring down the channel from Redm

This is great news!

[Overzeetop]

There wasn't a single mention of an increase in penny-stock pumping emails.

Screw the rest of the world, if those would go away I'd consider 2007 a success.

Specula...

[virgil_disgr4ce]

Isn't the word "Speculative," not "Speculatory?"

Re:

[rucs_hack]

Speculiation?

SFTI

[petergunn666]

At least on the East Coast a DDOS attack on the stock market's internet connection isn't going to make much of a difference. Both market data and B2B order flow typically go across the SFTI network which was created after 9/11 and has no public access. See https://sfti.siac.com/ [siac.com] (warning may not be firefox friendly! *sigh*)

re: 2007 in Security

[rs232]

What is never mentioned is that these bots are run on masses of compromised home and business desktops. The ISPs should be doing more to close them down.

Re:

[shrtckt]

True, most ISPs don't care what transmits on the end-user's bandwidth. Why should they? A user pays for a service which an ISP provides. What a user transmits should be his choice. Educating these users of what their Windows boxes may be barfing out 24/7 is they key to correcting the problem. In reality, most people don't know or care - until performance issues are apparent.

Re:

[rs232]

"Educating these users of what their Windows boxes may be barfing out 24/7 is they key to correcting the problem"

No, the key is to make the ISPs legally liable for preventing the viruses getting on/off your desktop and making an OS that don't get viruses from clicking on a URL or opening an attachment.

Re:

[shrtckt]

"Educating these users of what their Windows boxes may be barfing out 24/7 is they key to correcting the problem"

No, the key is to make the ISPs legally liable for preventing the viruses getting on/off your desktop and making an OS that don't get viruses from clicking on a URL or opening an attachment.

Making ISPs legally liable for viruses and regulating a users software is just one step closer to having "Big Brother" control our lives (this is one of MS's favorite games). I don't want my bandwidth throttled for packet inspection due to legalities caused by some other idiot surfing a pron site and blaming his ISP for the resulting problems. BTW, that OS you are talking about (that don't get viruses from clicking a URL...) is called Unix.

Re:

[rs232]

"one step closer to having "Big Brother" control our lives"

It isn't as if Big Brother isn't already reading out e-mails is it.

"I don't want my bandwidth throttled for packet inspection due to legalities caused by some other idiot surfing a pron site and blaming his ISP for the resulting problems"

Don't need to inspect your packets. Set up an organization that monitors the sources of spam and then informs the ISP. If the ISP takes no action then they can be fined or disconnected until they do take

Re:

[shrtckt]

Don't need to inspect your packets. Set up an organization that monitors the sources of spam and then informs the ISP. If the ISP takes no action then they can be fined or disconnected until they do take action. That would enthuse them greatly to take action against spam.

Yes, that would probably get the ISPs attention. As for the monitoring agency - that would be a full-time job requiring endless resources and storage databases, possibly equivalent to the CIA.

one of the simplest solutions is to block outgoing on port 25.

Blocking outgoing on port 25 is fine for the average home user (zombie bot central), but for us others it would cause unacceptable problems.

Re:

[rs232]

"Yes, that would probably get the ISPs attention. As for the monitoring agency - that would be a full-time job requiring endless resources and storage databases, possibly equivalent to the CIA"

Not requiring endless resources, something like Spamhaus running in a number of centers. It would have real powers to deal with the worst offenders. Don't you think we need one by now. For me e-mail is becoming almost unusable, I have to selectively browse the subject line in each msg to make sure I don't miss any

Re:

[shrtckt]

Sounds good to me. Could you possibly get a grant to start the project? Could be worth millions is successful. :)

Amusing? Try ridiculous.

[ninja_assault_kitten]

First of all, who the hell are Heise Security in the first place? They come across as a group of firewall admins turned security 'experts'. The statements in the article are ridiculous. "For the first time, underground prices for such zero-day exploits dropped in 2007, compared to the previous year. Insiders think this drop in prices was caused by a glut of such exploits, mainly due to the broad usage of simpler fuzzing tools. Bit by bit, these half-automated vulnerability scanners are uncovering the (sec

Re:

[cyb97]

If you didn't get the tongue-in-cheek here, consider yourself trolled. :-)

Re:

[ninja_assault_kitten]

I hope you're right. I'd rather have been trolled than have to live with the idea that these guys believe what they've writen.

& UNIX is BAD because it is OLD

[BoRegardless]

And everyone knows that older versions of Windows are bad...

So why is it that with security issues of all types, I do NOT see articles about why "UNIX is BAD".

Why is not the computer media in general noting more of the reason why choices involving UNIX variants are good.

We have had some very smart, very well thought out programming and systems which went into and then advanced UNIX, and it has now stood the test of time very very well, but a supermajority of mainstream PC press is simply a fan club for the

Re:

[TheSpinningBrain]

Nobody should ever say that an OS is bad because it's old. Different operating systems are meant to be applied differently. Windows (and I mean all versions) are all good in their own respects, even the older ones (think Windows 1.0 commercial with Steve Ballmer), if only as a negative reference. One of the reasons that Unix-type systems are growing in number is that some people took an operating system and actually put some care into it. They stuck to it and keep evolving it, which can definitely not be sa

Far Fetched

[scarolan]

Some of this stuff seems a bit far-fetched:

While in 2006, DDoS attacks with botnets were mainly targeted at unwanted competitors, online betting offices and consumer protection sites, 2007 also saw large attacks launched on critical infrastructures. In April, the stock exchange nearly crashed, when a DDoS attack on the electronic trading system disconnected it from the Internet for several days, resulting in automated control programs loosing control and attempting to divest shares in a panic reaction.

Re:

[juct]

Of course some of the stuff is far fetched -- that's where the fun is ...

But while I agree that the number of zombies may decline, I don't think the number of attacks will do so. This only means, that an infected PC is "worth" more and the bad guys will put more effort into staying unnoticed and keeping control. We already see that trend in the latest botnet clients like Spamthru: decentralized control infrastructure is beeing built, rootkits are used, rivals are removed and so on ...

bye, ju

And yes -- I am

Amazing

[madsheep]

What a clever posting and crystal ball! I am just amazed anyone even came across the website. Heise Security? It's good to see they repost stuff that can be found on other sites people do read. What a waste of time. This crystal ball posting is a [humorless] joke.

Google, security, data, 2007 and beyond

[jfranks]

Google seems to be interested in collecting tons of data to secure a position in the data world of tomorrow. From: http://www.oreillynet.com/pub/a/oreilly/tim/news/2 005/09/30/what-is-web-20.html?page=3 [oreillynet.com] "The race is on to own certain classes of core data: location, identity, calendaring of public events, product identifiers and namespaces." In 2007 I expect to see increased jockying in data related powerhouse players like Google, Oracle, etc... If I were to speculate beyond 2007 I would say that as far as