WikiLeaks story underscores year in security

5 Jan 2011

Security became very prominent in 2010 on several fronts but we don’t have to look too far back to find one of the year’s biggest stories. The furore around the latest set of WikiLeaks revelations – and the subsequent online backlash against its opponents – gave a fresh angle to the story that had already been dominating the headlines.

In late November, WikiLeaks released its latest slew of confidential documents which shed light on activities many governments would prefer remained hidden. Many leading companies subsequently moved to distance themselves from the whistle-blowing organisation. Payments firms like MasterCard and PayPal publicly refused to process donations from supporters of the WikiLeaks project and were then subjected to distributed denial of service (DDoS) attacks as part of a concerted effort dubbed ‘operation payback’. As a demonstration of what a concerted cyber attack looks like, it was impressive stuff.

DDoS attacks

Denial of service attacks have been a well-established part of the security threat landscape and are often used by criminals against websites as a way to extort money – ‘pay up or we keep your website offline’. That probably wasn’t the motive behind the CAO website crashing in August, however. The CAO blamed a malicious attack but a more likely explanation was that its web server couldn’t handle the demand – which results in the same effect as a DDoS. The Irish Reporting and Information Security Service (IRISS) says it sees attacks against Irish sites on an almost daily basis, so it behoves businesses and public sector organisations to defend themselves accordingly.

Security experts have been saying for years that wide-scale DDoS attacks are possible because of the large number of PCs with outdated security protection – or none at all. Unwary users can easily have their machines infected with malware which can make them part of a botnet, ready to send masses of spam or be directed to attack a target, often without the user even knowing. In October, a senior Microsoft staffer suggested banning virus-infected PCs from the internet. That’s draconian, and very possibly unworkable, but as long as people don’t keep their machines updated with the latest security software, this quarantine-inspired idea will continue to have its supporters.

Data breaches

Data breaches also made the news in 2010; the most recent involved unauthorised access into a database of 500,000 GAA members. In April, the annual Data Protection Commissioner’s report unveiled more than 900 data breaches in the public sector – an increase of 50pc over the previous year. However, Brian Honan, founder of IRISS and a regular contributor to Siliconrepublic, blogged that overreaction would be a mistake and the increase is probably due to guidance from the Department of Finance urging more proactive reporting of breaches. That culture is likely to become more widespread, as the Data Protection Commissioner followed up in June with a draft code of practice for reporting breaches.

Cloud computing concern

Meanwhile, the ongoing progress of cloud computing into the mainstream has been kept in check by continued concern over whether information is really secure in that environment. Surveys regularly put security as the main barrier to adoption. To some degree, this is a perception problem: information stored in the cloud is no longer within easy reach on a company’s own systems but out there somewhere in the ether.

At the Cloud Computing Summit in Dublin last September, Giles Hogben of the EU’s cyber security agency ENISA added some welcome perspective to the debate: “The question is not ‘what are the risks and benefits of going into the cloud?’. It’s ‘what are the risks and benefits of going into the cloud compared to what you have already?’,” he said – possibly the most sensible thing we heard about cloud security all year.

Another cloud service, the work avoidance time-sponge that is Facebook, was constantly under the security spotlight. Most of all for playing fast and loose with the privacy of its users’ information, but also because its massive popularity makes it a target for scammers.

Stuxnet worm

The appearance of the Stuxnet computer worm in July caused an initial panic when it seemed that it could attack power plants around the world. However, it soon became clear that the highly complex worm in fact had a very specific target in mind and appears to have been written primarily to attack an Iranian nuclear facility.

This led to suggestions that it could represent the first government-sponsored act of cyber war, although security expert Bruce Schneier has warned against using such terms loosely.

Speculation as to who coded Stuxnet centres naturally on countries that are hostile to Iran – we’ll leave educated readers to guess which ones – but crucially, there is no definitive proof pointing to those responsible. That holds true for most cyber attacks. As Schneier put it, “cyber attacks don’t come with a return address … I can trace attacks back to computers, but the link from computer to chair is very difficult.”

On the business side of things, security companies continue to make attractive acquisition targets as IT firms boost their own credentials in this area. Intel’s biggest acquisition to date was the deal signed in August to buy McAfee for US$7.68bn. Earlier in the year, Symantec landed two companies – the long-established email security player PGP and the encryption firm GuardianEdge. In other noteworthy deals, HP added the risk management and compliance vendor Fortify to its stable, while CA landed the fraud prevention specialist Arcot.

2011 technology

Forecasting the future in technology can be a fool’s errand, so I’ll leave it at this: 2011 could turn out to be an interesting year from an Irish perspective. Moves are afoot to create a cyber crime taskforce here, and further developments are also expected at InfoSecurity Ireland, a group looking to position Ireland as an international centre of excellence in IT security.

There’s more substance to this claim than the usual woolly rhetoric about the ‘knowledge economy’: a cluster of indigenous companies is already doing interesting work across the entire spectrum of security, including Norkom, Vordel, Daon, Vigitrust, NetFort, PixAlert and MXSweep, and some of them are well connected internationally. Add to that mix the multinationals like McAfee, Symantec and Trend Micro which all have significant operations here (and the latter two carry out security research and monitoring).

What’s more, UCD’s school of computing is highly regarded in European policing circles for its digital forensics courses. As we look for ways that Ireland can pull itself out of the economic mire, here’s hoping security will have a part to play. Here’s to safer computing in 2011.

Gordon Smith was a contributor to Silicon Republic