
2001: A security odyssey

By Ian Melamed
Johannesburg, 02 Jan 2001

Top of the new year to you, and may it be a gentler and kinder 12 months than 2000 was! I thought I'd kick off this year's columns with a preview of what we're likely to see occur in the domain of information security, unless we apply the lessons we learnt in 2000.

  1. Continued website attacks and defacements, including the use of these attacks as a major international terrorist and military weapon. We saw the first flexing of muscles late last year during the Israel-Palestine conflict. At this stage it's little more than an irritation, but surely the time cannot be far off when cyberwar begins to exact a real and heavy toll on countries, with today's skirmishes serving as a learning curve. If we can penetrate and deface each other's websites and disable e-commerce servers, surely it's not that tough to access any system? And that could mean the compromising of military back-end systems, which are the hearts and lungs of modern warfare.
  2. Concerted denial of service attacks. There is every reason to believe that huge numbers of Unix servers were compromised in the second half of 2000 with the express purpose of being able to beam vast amounts of bogus traffic at targeted websites and e-businesses. Businesses and governments around the world are collaborating to try and prevent what looks to be an inevitable attack.
  3. With this in mind, several major online companies will be held ransom by extortioners. With the ability now to take e-businesses down at will, there can no longer be any doubt that this will become one of the most popular and widespread forms of cybercrime. Towards the end of 2000, cyber-extortion had cracked the Top 10 list, with a new attack being reported each day.
  4. Massive credit card fraud. If we think we've seen the worst, think again. Just before Christmas, Internet retailer Egghead.com was hacked and details of some 3,7 million credit cards were exposed. How can any credit card vendor recall that volume of credit cards? It's only a matter of time until serious loss to credit card-holders results from such violations.
  5. Cybertheft, with direct loss of revenue, as opposed to indirect loss which occurs through negative PR. It's very clear that hackers waltz in and out of corporate systems very much as they choose. What's to stop them from transferring large amounts of cash from one account to another, especially with Switzerland and BVI countries asking no questions?
  6. A monumental virus crisis arising from the launching into the wild of a particularly clever virus, using a combination of pervasive technology and ingenious psychology. Microsoft's Visual Basic scripting has been the method most frequently used; tricks like 'I Love You' were employed to get users to open e-mails. Should some bright new virus writer hit on new techniques, we could be in real trouble ...
  7. As a corollary, so many over-the-top cry-wolf press releases regarding new viruses that people cease to believe them, leaving themselves open to attack from a truly malevolent virus. The over-reaction surrounding the hyped Kriz, which failed to materialise as a real threat, is a good case in point. In the domain of viruses, sometimes vendors should appreciate that less equals more.
  8. Discovery of security loopholes in Microsoft and open source products, especially those in the Unix world. Remember the rule: when vendors come to a tossup between functionality and security, functionality wins every time. This is unlikely to change in the near future unless there is consumer pressure, and I don't see that happening. So it's up to the vendors to acknowledge the problem and start factoring in security from the ground up.
  9. Major attacks from within: while companies protect themselves from the attack from without, they often leave their internal systems wide open. Current and former disgruntled employees are the people most likely to initiate these attacks. The enemy within needs to be acknowledged, managed and denied with the same vigour as the enemy without.
  10. The first significant malware appearing that has been written especially for PDAs and cellphones. Conventional wisdom that PDA and cellphone operating systems aren't complex or powerful enough to carry viruses, Trojan Horses or other forms of malware does not take into consideration the simple fact that a large installed base of devices makes a compelling, even mandatory target for malware creators. The installed base of Windows and Word made it an easy target, and the malware community will apply similar energies to the new mobile world to achieve their effect. Of this, be certain.

Several major online companies will be held ransom by extortionists.

Ian Melamed, chief technology officer of SatelliteSafe

As always, I implore all involved with information security - the boardroom, users, vendors, system managers, analysts, consultants - to approach the topic this year with the life-or-death importance it needs and demands.

Otherwise, I'm afraid, we're going to face an endless, risk-fraught and precarious Odyssey throughout 2001.

Remember: Trust = Speed + Security.
