Review of 2008
Swiss cheese and spam
April is the traditional month for foolishness the world over, and it didn’t disappoint because “foolish” is the only possible description for the idiots who took part in one of those pre-InfoSecurity show surveys that amuse and dismay industry watchers at this time of year. How else could you describe the 75% of companies questioned by researchers that admitted they believed the applications they employ every day contain large security holes? The researchers weren’t altogether surprised by this figure, having already noticed that when any organisation develops and deploys an application, security takes a lower priority than perceived quality, as measured by functionality and performance. Unfortunately, cybercriminals are all too capable of pinpointing the vulnerabilities within such in-house applications, just as they do with shop-bought software. I remember thinking at the time that until the good guys start taking security as seriously as the bad guys we’re on a losing wicket, and not a great deal has happened in the intervening months to make me change my mind.
Indeed, if you consider the history of spam then the future doesn’t exactly look bright. On 2 May 2008, spam celebrated an important birthday: yes, it really was 30 years since the very first spam message was sent by a chap called Gary Thuerk. Employed at the time in the marketing department of Digital Equipment Corporation, Thuerk combined two relatively new technologies – email and the Arpanet (forerunner of the internet as we know it) – to spam all 393 users of a DEC minicomputer with the same advertising message. Fast-forward 30 years and Gary’s little brainwave has a life of its own, with the volume of spam topping 120 billion messages every single day across the whole world. Here’s to the next 30 years, and the perhaps-forlorn hope that by 1 January 2039 we’ll have banished spam for good.
I doubt that, just as I doubt we’ll have learned an equally important lesson that the UK Government is useless at data privacy. The news came in May that the very same bunch of buffoons who a few short months earlier had “lost” discs containing the personal data of 25 million people, now proposed to build a “big brother” database to record our every email, text message and mobile telephone conversation. I found myself nodding vigorously in agreement with Jonathan Bamford, assistant information commissioner in the UK, when he referred to these proposals as “sleepwalking into a surveillance society”, not least because the announcements came just two months after a joint select committee had criticised the Government’s poor record regarding data leaks.
Dan is the Man
June proved to be the month of the black hat geek, heralded by the return of the infamous Gpcode blackmail virus. Not only was the threat of this “your files are encrypted, pay us for the unlock key” malware back in town, but according to Kaspersky Lab researchers it was a nastier strain than ever. The white hat geeks warned that the latest variant was equipped with 1,024-bit RSA encryption, the work of two years of tweaking by Gpcode’s author. The only hope for anyone infected by this thing would be for Kaspersky, or some other research good guys, to find a flaw in the encryption code that would allow them to apply cryptographic analysis to the RSA algorithm implementation and crack the keys.
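To make the last sentence concrete, here is an added example (it is not Gpcode’s code, nor Kaspersky’s analysis) of why a correctly generated RSA key is out of reach and how an implementation flaw changes that. The flaw modelled is prime reuse between keys, a well-known key-generation mistake that a gcd computation exposes; nothing on the page says Gpcode had this particular flaw, and the toy primes are constructed and far too small for real use.

```python
"""Added example: RSA key recovery is hopeless unless the implementation is flawed.

Assumed flaw for illustration: two keys generated with a shared prime.
Toy primes only; a real 1024-bit modulus cannot be factored by trial methods.
"""
from math import gcd, isqrt

E = 65537  # standard public exponent


def is_prime(n):
    """Trial division; adequate for the toy primes used here."""
    if n < 2:
        return False
    return all(n % k for k in range(2, isqrt(n) + 1))


def make_key(p, q):
    """Return (n, d) for distinct primes p and q.

    A flawed generator (poor randomness, reused state) may hand the same
    prime to two different victims' keys; that is the weakness modelled below.
    """
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent (Python 3.8+ modular inverse)
    return n, d


def encrypt(n, m):
    """Ransomware-style use: wrap a per-file key m (as an integer < n) with the public key."""
    assert 0 < m < n
    return pow(m, E, n)


def decrypt(n, d, c):
    return pow(c, d, n)


def recover_private_key(n_victim, n_other):
    """Defender's cryptanalysis step.

    If two moduli share a prime, gcd() finds it in polynomial time and the
    victim's private key can be rebuilt. Returns (p, q, d), or None when the
    moduli are independent, in which case there is nothing to exploit.
    """
    g = gcd(n_victim, n_other)
    if g in (1, n_victim):
        return None
    p, q = g, n_victim // g
    return p, q, pow(E, -1, (p - 1) * (q - 1))


def demo():
    """Constructed scenario: victim key n1 shares a prime with another key n2."""
    n1, d1 = make_key(10007, 10009)   # victim's key
    n2, _ = make_key(10007, 10037)    # flawed generator reused 10007
    n3, _ = make_key(10039, 10061)    # an unrelated, properly generated key
    file_key = 0xC0FFEE               # constructed stand-in for a symmetric file key
    c = encrypt(n1, file_key)
    recovered = recover_private_key(n1, n2)
    return {
        "recovered_d_matches": recovered is not None and recovered[2] == d1,
        "file_key_decrypts": recovered is not None and decrypt(n1, recovered[2], c) == file_key,
        "independent_key_recoverable": recover_private_key(n1, n3) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the final entry is the one the column makes: against an independent, properly generated key the gcd returns 1 and the defender is back to factoring, which at 1,024 bits is not a practical option; only an implementation mistake gives the analysts a way in.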
Things got worse, much worse, in July. To illustrate just how much importance we attach to our data security, news was announced that some 12,000 laptops were being lost or stolen at airports in the US every day. Multiply that up to cover the whole globe, then factor in how many of these people would have taken any serious measures to protect the data they were holding (encryption, for example), and it’s a bloody miracle we don’t have a thousand times more identity theft than we actually do. Hot on the heels of this bombshell came the discovery of a particular black-market website selling a trojan for more than £600. The reason for the high cost of the Limbo 2 trojan was that, according to PrevX’s researchers who tracked it down, it came with a guarantee of invisibility. Indeed, it came with a “warranty” that it could evade detection by all the top ten antivirus programs on the market at that time, offering money back if proved wrong. The cloaking was achieved by a dynamically morphing “shell” that continually changed to prevent AV detection, while allowing the financial-data-stealing payload to remain constant. Personally, I’d treat such money-back offers with a pinch of salt considering the type of people doing the selling. Anyway, while signature-based protection software may not be able to spot such an ever-changing trojan, heuristic techniques and behaviour-based detection technologies almost certainly will.
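The closing point, that a morphing shell defeats byte signatures but not behaviour-based detection, is easy to show in miniature. The following is an added example, not PrevX’s tooling and not Limbo 2 data: the three “variants”, their byte contents and their behaviour traces are all constructed for illustration, as is the single behaviour rule.

```python
"""Added example: hash signatures versus a behaviour rule over constructed samples.

The outer bytes of each variant differ (standing in for a morphing shell);
the event trace produced by the unchanging payload does not. All data is made up.
"""
import hashlib

# Constructed trace of the constant payload: credential theft followed by exfiltration.
PAYLOAD_TRACE = [
    "process:start",
    "file:read:browser_credential_store",
    "hook:install:keyboard",
    "net:connect:203.0.113.7:443",   # TEST-NET-3 documentation address, not a real host
    "net:send:encrypted_blob",
]

# Each sample is (bytes on disk, observed behaviour trace).
SAMPLES = {
    "variant_a": (b"MZSHELL-A" + bytes(range(0, 32)), PAYLOAD_TRACE),
    "variant_b": (b"MZSHELL-B" + bytes(range(32, 64)), PAYLOAD_TRACE),
    "variant_c": (b"MZSHELL-C" + bytes(range(64, 96)), PAYLOAD_TRACE),
    "benign_updater": (
        b"MZUPDATER" + bytes(range(0, 16)),
        ["process:start", "net:connect:203.0.113.9:443", "net:recv:manifest", "file:write:app_dir"],
    ),
}

# Signature database: the vendor only ever captured the first variant.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLES["variant_a"][0]).hexdigest()}


def signature_detect(sample_bytes):
    """Signature approach: match the SHA-256 of the file against known-bad hashes."""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_HASHES


def behaviour_detect(trace):
    """Behaviour rule: a read of a credential store followed later by outbound data.

    The ordering matters; a benign program that only talks to the network does not match.
    """
    saw_credential_read = False
    for event in trace:
        if event.startswith("file:read:") and "credential" in event:
            saw_credential_read = True
        elif saw_credential_read and event.startswith("net:send:"):
            return True
    return False


def evaluate():
    """Return {sample_name: (signature_hit, behaviour_hit)} for every constructed sample."""
    return {
        name: (signature_detect(data), behaviour_detect(trace))
        for name, (data, trace) in SAMPLES.items()
    }


def hit_counts():
    """Return (signature_hits, behaviour_hits) over the three malicious variants."""
    results = evaluate()
    malicious = [results[n] for n in ("variant_a", "variant_b", "variant_c")]
    return sum(s for s, _ in malicious), sum(b for _, b in malicious)


if __name__ == "__main__":
    for name, (sig, beh) in evaluate().items():
        print(f"{name:15} signature={sig!s:5} behaviour={beh}")
```

Run as a script, the signature check catches only the variant it has already seen, while the behaviour rule flags all three variants and leaves the benign updater alone. Real engines use far richer rules (and pay for them in false positives), but the asymmetry the column describes is the same: re-encoding the shell changes every hash and costs the author nothing, whereas changing what the payload does would defeat its own purpose.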