Top 10 security stories of 2000

In 2000, the closed world of Internet security became a lot more open, when attacks spotlighted home users as a weak spot in the Net.
Written by Robert Lemos, Contributor
In 2000, security became a major priority for the Internet, but not due to any farsightedness.

In 1999, two viruses rocked the Internet: Melissa and CIH. This year, the theft of credit-card databases was commonplace. A distributed attack that camouflaged its source drowned e-commerce sites in a deluge of data, and the first real media hack hit the wires.

Add to that a flurry of mass defacements seemingly in reaction to the Israeli-Palestinian conflict, and the year 2000 became a network security manager's nightmare.

Not many have heard of it. But the computer worm known as VBS/Kakworm--at large for more than a year--has resulted in more tech-support calls than the LoveLetter virus, according to security software provider Sophos Anti-Virus.

"Love Bug was a shooting star--lots of action and noise and fury for a relatively short time," said Graham Cluley, senior technology consultant for the Abingdon, U.K., firm, in a statement issued at the end of November. "Meanwhile, Kakworm has crept stealthily to the top of the charts."

The worm infects computers by exploiting a flaw in Microsoft's Internet Explorer, Outlook and Outlook Express, but only spreads from computers with Outlook Express installed. Kakworm will copy itself to a computer when the e-mail message that contains it is viewed or opened. On the first of every month after 5 p.m., the virus will display a dialog box with the message "Kagou Anti-Kro$oft says not today!" before shutting down the user's infected computer.

For the year to November, Kakworm accounted for 17.0 percent of the calls to Sophos, while LoveLetter was the cause of 14.5 percent.

Another anti-virus software maker, Trend Micro Inc., ranked Kakworm in its worldwide top-10 for much of the year. The worm ended the year at No. 6 for the number of computers infected in the last 30 days.

While Israeli and Palestinian aggression escalated in the West Bank, the dispute took another--non-lethal--form on the Internet: Hacktivism.

On Nov. 6, pro-Palestinian vandals broke into the Web site of the American Israeli Public Affairs Committee, stealing the records of 700 Israeli supporters and defacing the site.

More than 50 other Israel-affiliated sites have been hit by vandals claiming to support the Palestinians, according to defacement tracking site Attrition.org. An unknown number of Palestinian-related sites have been hit by those claiming to support Israel.

"This is no different than in the real world, where activists have gone into terrorism," said Paul Robertson, a senior analyst with security services provider TruSecure Inc., formerly ICSA.net, in a November interview. "The big issue now is how are we going to defend against it."

Unlike the real world, hacktivism does not cost lives. As of Dec. 18, CNN placed the death toll in the 12 weeks of conflict at 363 people: 312 Palestinians, 38 Israeli Jews and 13 Israeli Arabs.

As technology continued its steady advance in the online world, computer viruses advanced as well.

The culmination of programming technique in 2000 resulted in the Hybris virus, which uses up to 32 swappable modules to modify and add functions, including how it spreads, what it does and its characteristics. Each module used industrial-strength encryption to hide its code from prying eyes.

While virus guru Eugene Kaspersky of Kaspersky Lab labeled the virus as "perhaps the most complex and refined malicious code in the history of virus writing," another expert downplayed the technological Frankenstein.

"We have seen some technically good viruses that don't become successful and poorly written ones that do become successful," said Vincent Gullotto, director of Network Associates Inc.'s anti-virus emergency response team.

"Technology itself won't make the difference between a huge outbreak like Melissa (and a dud)--social engineering will make the difference."

By the end of the year, many anti-virus software makers upgraded the threat of the virus, as it continued to morph into new forms and continued to spread, albeit slowly and without much harm, across the Internet.

Law enforcement officials pressed harder for laws that would grant them more powers with which to pursue cybercriminals. Others looked for ways to update current legislation to adequately cover the gamut of possible crimes in cyberspace.

Following the distributed denial of service attacks in February, the National Infrastructure Protection Center along with the FBI urged legislators to create more wide-ranging powers for investigation and prosecution.

Granted, there is some need.

A report released in December by McConnell International, a technology policy thinktank, found that 33 of 52 nations surveyed had not yet updated their criminal codes to deal with the broad range of computer crimes, from data interception to network interference, and from virus dissemination to computer-related forgery.

"Organizations must rely on their own defenses for now," said Bruce W. McConnell, the firm's president, in a statement released in December.

Governments, industry and civil society must work together to develop consistent and enforceable national laws to deter future crime in cyberspace.

Ten countries had enacted laws to address five or fewer of the 10 critical areas of cybercrime, while only nine countries said they were prepared to prosecute six or more types of offenses.

United States law handled nine of the 10 crimes, and only the Philippines, where the LoveLetter virus originated, covered all 10 areas of offenses.

Despite warnings to better guard their customers' data, companies managed to lose a lot more personal records this year.

The year kicked off with a self-proclaimed 18-year-old Russian hacking into online music seller CD Universe and stealing customer records. When the e-tailer refused to pay a $100,000 ransom to the thief, he posted the customers' credit-card numbers online. While only 25,000 credit-card numbers from the files ended up on the Internet, the thief--who goes by the handle Maxus--claimed he had another 300,000.

Another 15,700 credit-card numbers were stolen from Western Union in September, after the company launched its MoneyZap service. Its parent company, First Data, provides much of the financial services backbone used to secure electronic-funds transfers to 75 percent of the world and provides card-issuer services for 1,400 financial institutions and 343 million consumers worldwide.

In early December, a cyberthief thought to be from Russia stole 55,000 credit cards from CreditCards.com, a processor of credit cards for small Internet businesses. Two days later, another vandal electronically snuck into University of Washington Hospital's record database and made off with the medical records of almost 5,000 patients, including their medical histories and social security numbers.

The situation is ripe for a lawsuit, said a senior Clinton Administration official at SafeNet 2000, a Microsoft-sponsored security and privacy symposium held in December.

"Companies are going to have to be taught that they are liable for such damages," he said. "In the next two years, I would say a major lawsuit will do that."

In August, the first major media hack hit the wires as well. A false press release distributed via news service Internet Wire announced that Emulex Corp., a network equipment maker, would restate its earnings and fire the CEO. The trumped-up news caused the company's stock to plummet almost $70 to near $40 a share, before rising back to near its former level the following trading day.

The FBI quickly apprehended suspect Mark Simeon Jakob, a 23-year-old college student and ex-Internet Wire employee. Prosecutors claimed the college student made nearly $250,000 by trading Emulex's volatile stock. In October, Jakob pleaded innocent to the crime of securities fraud and $428,000 in his trading account was frozen.

Lax system administrators brought a great deal of woe on themselves this year.

Two flaws kept script kids in business in 2000. The remote data services (RDS) flaw in Microsoft's Internet Information Services software allows an attacker to change Web pages, while a flaw in wu-FTP, a popular file-transfer protocol server for Unix and Linux, allows would-be intruders to gain root access.

While the RDS flaw--which topped this list in 1999--has kept Microsoft's IIS at the top of the defacement charts run by security site Attrition.org, the wu-FTP server flaw boosted Apache/Linux defacements to the top of the chart between August and October of this year. The software vendors--or in the case of Linux, the open software community--are not to blame. Both have had patches for the flaws out for some time.

Microsoft released the original bulletin on the RDS flaw in July 1998, and has re-released the bulletin annually since the initial posting. It's not just an issue of increasing the diligence of system administrators, said Steve Lipner, manager of Microsoft's Security Response Center. Instead, the solution is "a combination of more awareness and making patching more painless," he said.

To that end, Microsoft intends to continue work on automated updating.

In May, lightning struck for the second time.

Mimicking many aspects of the year-old Melissa virus, a new worm panicked corporations and spammed users with infected e-mail. The LoveLetter virus, also known as the ILOVEYOU worm and the Love Bug, swept through corporations in a surge of e-mail, leaving behind overwritten files and chaos.

Due to the practice lent by the Melissa virus a year before, most companies were able to get the LoveLetter virus quickly under control. And, with help, the FBI tracked the creator--one Onel de Guzman, a 22-year-old computer science student--back to a suburb of Manila in the Philippines.

While the Philippines had no law to deal with the crime, the government intended to charge the suspect with credit card fraud. By late summer, the island nation had fixed its laws and now, according to the McConnell International study, is the only country with full legal coverage of 10 critical areas.

In February, e-commerce sites got their Christmas "goose" a little late. Starting with Yahoo! Inc. on February 7, major Internet sites found themselves the target of massive streams of data inundating servers and slowing bandwidth to a crawl. By the end of the week, eight major sites--including CNN, eBay and ZDNet--had seen traffic slow or halt for anywhere from a few hours to an entire day.

In April, after several false alerts, the Royal Canadian Mounted Police and the FBI arrested a 15-year-old Montreal-area boy who used the name "Mafiaboy" online and charged him with the attack on CNN.com. Authorities later charged him in the other February attacks as well. The incidents highlighted the continuing vulnerability of the Internet and e-commerce sites to individual attackers. The distributed denial-of-service attacks cost millions of dollars in potential revenue, according to several accounts.

However, despite an increased push towards information sharing, little else resulted from the attacks, said Eugene Spafford, professor of computer science for Purdue University.

"There's still a lot of infighting going on," he said.

The Internet may be of mythical proportions, but most people didn't expect the myth to be that of Achilles, with the home user playing the role of the heel.

That's exactly what happened in 2000, however.

Starting with the denial-of-service attacks, security experts began to identify home PCs as a major vulnerability in the Internet infrastructure.

Home users click on e-mail attachments regularly, even when those attachments are likely to be computer worms or viruses. Home users leave shared disk drives open to the Net, allowing attackers to take over the computer and use it as a launch pad from which to compromise other servers.

And, while the February denial-of-service attacks were mainly launched from academic and small-business computers, home users did play a part.

The situation is getting better, said Steve Lipner, manager of Microsoft's Security Response Center. "User education is always hard," said Lipner.

"The average user doesn't want to be a security officer. You don't really want to expect that every user is going to be constantly focused on security." Compared to two years ago, users are becoming much more informed, he said.
