SecurityPortal Aug 20, 2001
AtomicTangerine SecurityPortal

Top 10 Security Stories of 2000

By Jim Reavis (jreavis@securityportal.com) for SecurityPortal




January 01, 2001 - If 1999 was the year that Information Security began creeping into our collective consciousness like a dripping faucet, the year 2000 was when the water main burst. While the year began with a collective sigh of relief with the Y2K non-event, it was quickly followed by a yearlong procession of security headlines. I have a feeling that some people have kept their emergency shelters well stocked, lest some hacker figures out how to manipulate the power grid and their bank account. As with Y2K, the mainstream press has missed some of the real significance of 2000's information security news, so the staff at SecurityPortal has selected our top 10 list of security stories to further enlighten the masses and help you lead a better life.


10. "Yahoo!, We Have a Problem"

The February distributed denial of service attacks that first hit Yahoo!, then eBay, CNN and others were the first big security story of the year, and for many remain the most prominent security glitch to ever occur over the Internet. The attacks, allegedly carried out by a single Canadian teenager with the handle of "mafiaboy," shut down some of the Internet's biggest sites for hours at a time and caused a general media feeding frenzy. "How could a single person cause such destruction?" was a common question. The Internet's fragility was routinely questioned, and some even gave the attacks partial credit for the massive deflation of Internet economy stocks. Why didn't we rate this story higher? The capability for individuals to cause massive damage, destroy buildings, blow up dams and cause other mayhem has always been a reality, and when all was said and done, the sites were able to immediately return online with no lingering effects. No data was stolen, no planes fell out of the sky, and the demise of several Internet companies seems more likely related to having business plans based on sock puppets than anything else.

Denial of Service (DoS) FAQ
http://securityportal.com/research/ddosfaq.html


9. "Security for Inspector Gadget"

Wireless and other types of portable computing devices have exploded in popularity as many of us search for productivity when disconnected from our corporate network. This freedom can have its downsides, as Qualcomm chairman Irwin Jacobs could attest to when his laptop was stolen. Tiny computers can easily be misplaced or stolen, and many wireless transmissions have little or no encryption capabilities. In addition, we saw our first viruses for the PalmPilot in 2000. "Timofonica" sent rude messages to certain Spanish cell phones and various vulnerabilities have been discovered in WAP-enabled smart phones. If you were afraid that the global slowdown in personal computer sales was going to put some hackers out of work, don't worry — there are new mountains for them to climb.

Security Threats from the Gadgets
http://securityportal.com/cover/coverstory20000703.html


8. "Help Wanted"

The demand for qualified information security professionals continues to outstrip the supply. We are now seeing a hemorrhaging within the US Government, as federal employees with security skills leave for the private sector. Meanwhile, several companies report the anomaly of paying security professionals more than they pay their managers. The necessary solutions are twofold — more programs to train and develop security professionals, and outsourced managed security providers to meet the demand.

Careers in Information Security
http://securityportal.com/kfiles/files/careersinis.html

Career Center
http://securityportal.com/career/


7. "My PC, My Firewall"

Many security experts believe that over half of the new computers that get connected to the Internet will get scanned for exploitable security vulnerabilities within 24 hours. The advent of high-speed, always-on Internet connections in the home like DSL and cable modems has only exacerbated this problem. The rise of the Home PC security market has led to numerous product offerings aimed at turning your PC into a firewall or intrusion detection system similar to what the corporate networks have.

Personal Firewalls/Intrusion Detection Systems
http://securityportal.com/articles/pf_main20001023.html


6. Privacy

We rated privacy as number 3 on our 1999 list, and it has again been a significant issue. One of the most significant happenings was the EU-US Safe Harbor Arrangement, providing a way for US companies to comply with the European Commission Directive on Data Protection. It is likely that many US companies will adopt these standards worldwide. The news media has overall been fairly diligent about exposing major privacy violators, and companies like DoubleClick have been in full retreat all year long. In general, Websites have much more prominent privacy policies, and many companies have created Chief Privacy Officer positions to promote consumer-friendly practices. Despite all of the privacy activity within corporations and government over the past year, the public remains largely apathetic to it. Zero Knowledge, the much-heralded Montreal startup that has developed a state-of-the-art "identity scrubber" solution, has found slow sales and is trying to branch out into privacy consulting. Unlike the case with viruses, we still have not had our "Melissa" or "Loveletter" privacy incident to mobilize the masses.

Anonymity and Pseudonymity in Cyberspace
http://securityportal.com/kfiles/files/anonymity.html

What are Employees' Privacy Rights?
http://securityportal.com/topnews/employeeprivacy20000628.html

Content and Privacy Online
http://securityportal.com/closet/closet20000809.html


5. "Man Your Battle Stations"

The use of hacking tools as a part of various cyberwar strategies continued unabated in 2000. The Middle East conflict had hacktivists for both sides seeking to disrupt Internet activity, and hacking even spilled over to American companies such as Lucent (if only that conflict could be limited to hacking). The Pentagon has been quietly tapping America's civilian hacking expertise via the National Guard for information warfare units. 2000 will be looked at mostly as a year of "gearing up" for cyberwars, which are yet to come.

Cyber-terrorism
http://securityportal.com/articles/cyberterrorism20001128.html


4. "Why Is My Accountant Sending Me a Loveletter?"

On the morning of May 4th, my inbox was filled with messages with the instruction to "kindly check the attached LOVELETTER coming from me." Even though it was close to my birthday, these were people I only vaguely knew and included a few married men, so I opted not to get involved. Sure enough, this was the infamous "Lovebug" virus launched by Onel de Guzman, which circled the globe that day, causing billions of dollars of damage due to downtime and wasted productivity. Coming a year after Melissa, it seems that at least a few people forgot about the lessons of suspicious attachments. We have since seen a lot more viruses with potentially much more dangerous payloads, yet there has not been a repeat of the Lovebug fiasco. Could it be that we have learned our lesson? Could it be that email users are now a skeptical bunch of people, who update their antivirus software daily and never open attached files that seem suspicious? Naaah?

VBS.Loveletter Guide
http://securityportal.com/research/research.vbsloveletter.html


3. "I Don't Remember Ordering a Pair of Socks From Moscow"

According to Visa, half of its credit card fraud is from Internet transactions, even though that only comprises 2% of its total transaction volume. Certainly the bad guy is emboldened by the anonymity of the Internet, and this will be an ongoing issue. Some criminals will seek to make a quick hit and max out the credit card; others will seek to bury small charges on a card indefinitely. For those of us who love to shop online, it is probably only a matter of time before we all find some strange charges on our monthly statement. Eternal vigilance is the price for the liberty of Internet commerce.

Storing Credit Card Numbers Securely
http://www.securityportal.com/topnews/ccnum20000811.html

Financial Crimes and the Internet
http://securityportal.com/articles/financial20001109.html


2. "Encrypt This!"

Encryption, the core technology for protecting information from prying eyes, got a significant boost in 2000. One key event was the expiration of RSA's patent on its widely used encryption algorithm — allowing the free use of this code has significantly lowered the costs to develop and sell security solutions. Another significant news story was the selection of the Advanced Encryption Standard (AES) by NIST. This encryption algorithm will provide a foundation for the security technology we will use to conduct business and protect our privacy for many years to come. While the finalists for the standard included some heavy hitters like IBM and RSA, the winner was an algorithm named "Rijndael," developed by two researchers from Belgium. An important policy announcement from the US Government lifted many restrictions on the export of encryption technology, another move that should aid the goal of making encryption more commonly used. However, not all encryption news was good — the discovery in August of a serious bug in the common Pretty Good Privacy (PGP) software meant that millions of PGP users had to upgrade their software or else face the risk of having their secret messages fall into the wrong hands. Hopefully, if you are a PGP user, this is not the first you have heard of this issue.

Pretty Good Privacy and the ADK Bug
http://securityportal.com/topnews/pgpadk20000828.html

RSA Algorithm Released
http://securityportal.com/topnews/rsa20000906.html

Advanced Encryption Standard Released
http://securityportal.com/articles/aes20001003.html


1. "Corporate Cracks"

SecurityPortal has selected the various stories of corporate security breaches as our most significant security event for 2000. While all of our top 10 security stories are significant, there is an increasing realization within the criminal hacker element that corporate networks are where the money is and that is where they need to be. Many people were shocked by the October revelation that hackers using a Russian server had gained access to Microsoft's internal network, and had in fact downloaded source code for future products. Just within the last month, hackers made off with large quantities of credit card numbers at CreditCards.com and possibly at Egghead as well. Also, it was recently reported that patient records were stolen from the University of Washington's medical center. It is an absolute certainty that the publicized security glitches pale in comparison to the hack attacks that were covered up by the victims. Intellectual property, business plans, customer databases, hospital patient records, credit card numbers — this is the lifeblood of our global economy. If you get the feeling that we can't stop the bad guys from successfully hacking into our corporations and public institutions, you are right. Perhaps admitting this is part of the solution — instead of merely focusing on preventing cybercrime, we need to assume it will happen and have comprehensive risk management and insurance strategies in place.

Microsoft Gets Hacked - What Can We Learn?
http://securityportal.com/articles/mshacked20001029.html

RSA Web Site Redirected by Hackers
http://securityportal.com/topnews/rsa20000213.html

On behalf of our staff, I would like to thank you for your support of SecurityPortal for yet another year. Please remember to tell us what you like and don't like about our site — we exist solely to please our readership and to provide some knowledge you can put to use on a daily basis. Best wishes for 2001 from SecurityPortal!




© Copyright 1999-2001 AtomicTangerine, Inc. All rights reserved.