
Top information security stories (and nonstories) of 1999


It was a very entertaining year of information security news, full of implications for the future.

  1. Viruses. Melissa, ExploreZip and a host of lesser-known players rapidly spread from company to company, flooding mail servers, disrupting systems and causing the deletion of data or the unintentional release of sensitive documents. Although most companies were able to recover fully from these viruses in a day or two, these virus attacks are our top story for several reasons.

    They showed that a single person, or a small group, could use the Internet to rapidly attack thousands and even millions of computers and disrupt business operations. Most importantly, they raised the public awareness of the dangers of computer viruses and brought the issue of information security home to the masses. While many long-time security veterans complained about the publicity and significance given to the viruses that preyed upon a user's lack of common sense, Melissa was able to provide something these experts had in prior years unsuccessfully fought for - an increase in security budgets.

    These viruses also, unfortunately, taught us that protective software has a long way to go; many IT managers also learned the first countermeasure to future attacks - unplug and shut down.

  2. Government-sponsored Internet Hacking. East Timor vs. Indonesia, the U.S. vs. Serbia and China apparently vs. everyone. Whether or not every rumored report is true, and regardless of whether other attacks have gone unreported, it is clear that the Rubicon has been crossed, and that the Internet is now an important element of many governments' information warfare strategies.

    At the beginning of World War I, the airplane was a novelty and the generals used it for reconnaissance only. Initially, enemy pilots would even salute each other as they crossed paths. At some point, one of those pilots took a shot at his counterpart, and by the end of the war, the skies were heavily armed. The Internet is well past the novelty stage, and with government, education, military and private industry all heavily dependent on it, there is no escaping being in a combat zone.

  3. Privacy. The issue of personal privacy greatly heated up in 1999. Publicity surrounding numerous practices that have been ongoing for some time, such as the selling of mailing lists, a few online gaffes and more vigorous opposition by watchdog groups, has led to a much greater awareness of the issues of Internet privacy. Prior to 1999 most people would have related privacy to obvious things like the protection of credit card numbers. However, we are now seeing a bigger picture emerge: tracking when you surf, where you surf from, every place you go online, building a personality profile and possibly relating it to real personal data is enough to send chills down anyone's spine. From Intel's Pentium III serial number to RealNetworks' surreptitious data collecting to even Amazon's seemingly innocuous purchase circles, companies are getting rulers on their knuckles from increasingly vocal privacy advocates.

    Privacy in the workplace may even become the biggest labor rights issue in the next decade as companies search for more electronic means of protecting intellectual property. Meanwhile, an Internet start-up such as Zero Knowledge Systems, which promises completely anonymous surfing, deserves close attention. What was the most surprising part of the whole Melissa virus episode? That they caught the guy so quickly - David Smith did not have very good privacy.

  4. Open Source, general public licensing and Linux. Besides impacting every other part of the computer industry, Open Source software and Linux are heavily influencing the information security industry, and most of the issues in the rest of our top stories of the year. The Open Source movement has led to the creation of alternative security software that can bypass U.S. regulations and compete against commercial software vendors. From open versions of Pretty Good Privacy (PGP) and IP Security to high-quality intrusion detection systems, it seems that there is no limit to what can be accomplished using this collaborative software development methodology. Linux is appealing to many as a more secure and manageable alternative to Microsoft operating systems. Many in the security industry philosophically believe that widely published source code is the only way to give the Microsoft operating systems a vigorous review and improve their security.

    Open Source has a darker side as well; freely published security exploits and viruses rapidly increase the tools of the bad guys. However, this barn door is well past closing, and not only are the cows gone, but they now have stock options.

  5. Encryption export policy. The regulations governing the exporting of strong encryption products from the U.S. have long been the most draconian among industrialized nations. The encryption policy was seen by some as necessary to prevent criminals from hiding their activities. Others have seen these policies as harmful to individual liberties, damaging to the U.S. software industry and stunting the growth of e-commerce worldwide. These regulations came into 1999 looking as tough as ever, but have been under relentless attack on several different fronts, and the writing is clearly on the wall that there will be significant changes.

    From court cases to intense lobbying to the German government sponsoring the development of unrestricted alternatives to PGP, the attacks seem to be having the desired effect. Every proposed revision to the existing policy that has been offered as a trial balloon by the Clinton Administration has been shot down as not going far enough, and the release of new regulations has been delayed until January. The lifting of all export restrictions for PGP seems to indicate that a real liberalization is coming. Freeing PGP - the same software for which its author, Phil Zimmermann, was under criminal investigation for three years by the U.S. government - is both a substantive and symbolic act demonstrating how much the world has changed.

    Whether or not the January 2000 policies meet the expectations of those fighting for export policy relief, the government no longer has the upper hand in this battle - and never will again.

  6. Microsoft battles security problems. It was a year of record profits and record turmoil for the folks in Redmond. In addition to finally meeting its match with the Department of Justice, Microsoft was saddled with a number of security problems. The number of security advisories released by Microsoft in 1999 doubled the releases of 1998. The warnings ran the gamut from browsers surrendering personal information to Web servers that can be hijacked to bypassing the security of Windows NT.

    Microsoft has always had a contentious relationship with hackers, the hackers claiming Microsoft ignores warnings about security vulnerabilities in their products, and Microsoft claiming that hackers publicize bugs before they can fix them. However, after a public battle over the publicity given to a Web server buffer overflow bug discovered in June by a group called eEye, Microsoft has accelerated its propensity for issuing bulletins. Besides problems with shrink-wrapped software, Microsoft had to endure an extremely embarrassing situation with its free Web e-mail service, Hotmail. It was discovered this past summer that Hotmail's lack of security let anyone retrieve a Hotmail user's e-mail messages without any special software. By simply knowing a Hotmail address and typing in a special URL address, you were in. We can count at least one ex-Hotmail user as a result of this episode: a Swedish businessman who was caught contacting a prostitute. Add these problems to the fact that all of the high-profile viruses target Microsoft platforms only, and it seems that the public would be up in arms with Bill and company. However, despite the troubles, the Microsoft profit machine continues to roll along, as the general public has not decided if security vulnerabilities are hitting Microsoft because the company is so big, or if it truly has a unique internal problem.

  7. Department of Energy giving China nuclear secrets. Oops, this was an area in which the government was actually supposed to be encouraging high security, but an employee at Los Alamos allegedly downloaded classified U.S. nuclear weapons information onto his own computer and shipped off the data to China. Officials first learned of the breach in 1995, but the problems, many related to weak computer security tools and policies, are only now being addressed. From now on, the FBI will conduct extensive background checks before you are allowed to steal nuclear secrets.

  8. The National Security Agency has something called Echelon. It is sometimes hard to know what to make of the contradictory news stories about the NSA and its unacknowledged electronic eavesdropping system known as Echelon, but there definitely are a lot of them.

    A report to the European Parliament claimed the massive system is monitoring all satellite, cellular, microwave, fiber-optic and other forms of communication for information detrimental to the U.S. The same report further claimed that the NSA is using the sophisticated system to assist U.S. companies in competing with European counterparts. Groups as diverse as the ACLU and conservative congressmen want to investigate Echelon for spying on individuals and invading personal privacy.

    Then we see other news reports claiming that the NSA is dangerously behind the times with its technology. So what do we know about Echelon? It's big, it's out there and some folks at the NSA are probably having a pretty good laugh.

  9. Advanced Encryption Standard finalists selected. The Advanced Encryption Standard is to be selected next year by the National Institute of Standards and Technology (NIST). From an initial list of 21 candidates, the five finalists have been selected: MARS, RC6, Rijndael, Serpent and Twofish. Three are from the U.S. (IBM, RSA and Counterpane), one is from Belgium, and one has team members from several countries. These developers are primarily competing for the glory of being selected - NIST is requiring that the selected entry agree to forgo any royalties from the algorithm.

    What is the significance of the new algorithm? Once it is selected, the U.S. government will use the AES algorithm for encrypting all sensitive, nonclassified information as soon as possible. Because the federal government has basically migrated from being a developer of computer technologies to a massive consumer, AES will be integrated into commercial products being sold to the public and private sector alike. This will likely give AES the critical mass it needs to be the encryption technology integrated into computers large and small to secure e-commerce and financial transactions, as well as protecting the privacy of individual communications. The idea is that AES will be the core algorithm securing your data well into the next century.

  10. Is it a hacker's tool or legitimate software? When the hacker group Cult of the Dead Cow released Back Orifice 2000 software to great fanfare at DefCon, the antivirus software companies immediately labeled it as malicious code. Why single out BO2K, which provides stealthy remote control, when several "legitimate" software packages such as Microsoft's own Systems Management Server perform the same functionality, the hacker group's supporters asked.

    Some hackers went as far as to claim that labeling their software as malicious constituted restraint of trade, and unfairly benefited the competition. AV companies responded that despite claims of legitimacy, this software was intended for illegitimate purposes, and the target audience was likely to use it maliciously.

    Interestingly, the AV companies were split on a similar tool called Netbus. Ultimately, any politicization of what goes into a virus definition file will not go far in solving our security problems - software needs to be blocked based on what it is trying to do, not based on what its signature looks like. In the meantime, you can count on hackers working harder to get around traditional virus definition technology, and on needing to update your virus signature files with near-real-time frequency.

What didn't make the list?

Public-key infrastructure - judging by the way the industry hyped PKI at the RSA conference last January, by now you would think we would be using it to hand out hall passes to third graders. It actually seems to be making more progress now that it is out of the glare of the spotlight.

Web Site A, B, C, D ... getting hacked. Yes, these hackers are talented; if caught they should be punished; and yes, the systems administrators need to be doing a better job. But nearly all of the reports the media latch onto are the equivalent of graffiti on a billboard.

Check out the new "Computer Security Handbook, 4th Edition" edited by Seymour Bosworth and Michel E. Kabay; Wiley (New York), ISBN 0-4714-1258-9. Available now at your technical bookstore or visit Amazon.

M. E. Kabay, Ph.D., CISSP is Associate Professor of Information Assurance in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail by clicking here. He invites inquiries about his information security and operations management courses and consulting services. Visit his Web site for papers and course materials on information technology, security and management.

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.
