Though internet-crippling virus attacks now seem to be a thing of the past, PC users didn't have reason to feel a lot more secure in 2006. That's because online attacks have become more sneaky and professional, as a new breed of financially motivated cyber criminals has emerged as enemy number one.
Microsoft patched more bugs than ever and whole new classes of flaws were discovered in kernel-level drivers, office suites and on widely used websites. Vendors' chatter about security is at an all-time high, but the bad guys are still finding lots of places to attack.
And, oh yes, spam is back.
Following are five of the top computer security stories in 2006.
Hackers teamed with professional criminal gangs in increasingly sophisticated computer crime operations aimed purely at profit.
Much of the trouble centred on phishing, a type of attack where fake web pages are constructed or emails are sent to harvest log-in details, credit card numbers or other personal information. Credit card numbers are often sold online to others for illicit gain.
In May, 20,000 phishing complaints were reported, a 34% increase over the previous year, according to a US Department of Justice report. It said the US hosts the largest percentage of phishing sites. And in the UK, payments association APACS reported last month that this type of fraud led to online banking losses of £22.5m, an increase of 55% year-on-year, during the first six months.
But law enforcement agencies are getting more organised and cooperating better, particularly in international investigations. At least 45 countries participate in the G8 24/7 High Tech Crime Network, which requires nations to have a contact available 24 hours a day to aid in quickly securing electronic evidence for trans-border cybercrime investigations.
The private sector has also helped. Microsoft filed dozens of civil suits and gave information to law enforcement for criminal cases in Europe, the Middle East and the US against alleged phishers throughout 2006.
It's a brand new zero-day
With automatic software updates now the norm, hackers have been forced to look a little harder for ways to put their malicious software on unsuspecting victims' PCs. In 2006 they turned to zero-day attacks as never before.
These attacks take advantage of previously unreported flaws in software, and in 2006 they became a top concern, according to the SANS Institute. In fact, hackers kicked off the New Year in 2006 by releasing zero-day attack code based on a flaw in the way Internet Explorer handled Windows Meta File documents.
This was followed, later in the year, by a rash of very targeted online attacks that exploited unpatched flaws in Microsoft's Office software. In fact, Microsoft warned of the latest such attack – targeting a flaw in Word – just this Tuesday.
To underline the scope of the zero-day problem, security researchers launched widely publicised "Month of Kernel Bugs" and "Month of Browser Bugs" projects, during which they exposed a new, unpatched vulnerability in browsers and operating systems every day for a month.
Microsoft's chief software architect Bill Gates predicted two years ago that spam would be gone by 2006. He should check his in-box.
Rising volumes of junk mail nagged IT administrators throughout 2006. Up to 90% of all email was spam, depending on the vendor recording the statistics. Spammers found creative ways to circumvent security software. Image-based spam, where individual messages appear to be unique by subtracting or adding pixels, foiled some security techniques.
Spammers also put messages in the images themselves, a tougher challenge to stop since it requires processor-intensive optical character recognition (OCR) techniques. Spam remained the delivery vehicle for other malicious software such as keystroke loggers and rootkits in addition to promoting links to phishing sites, which often aim to steal financial data or log-in credentials.
Web 2.0 gets hacked 1.0
MySpace.com may be a poster child for Web 2.0, but from a security perspective, it hasn't been looking so pretty.
That's because the popular social networking site was hit hard this week by a password-stealing worm that exploited a scripting vulnerability on the website. And this was not even the first worm to hit MySpace. In October another more benign worm, called Samy, automatically added a Los Angeles teenager's name to visitors' profiles, quickly making him appear to be the most popular member of the MySpace community.
Security experts say that the kind of cross-site scripting attack used in the recent MySpace worm has become much more prevalent in the past year, as hackers have discovered just how much can be done with these attacks. These bugs can be used to do far more harm than many people realize, security experts say, including forcing PCs to download illegal content, hack other websites or send email.
Vista lockout irks vendors
Microsoft rankled security vendors by saying it wouldn't allow their software to access the kernel of the 64-bit version of Windows Vista. Patch Guard, Microsoft's kernel security technology, blocks access to prevent unauthorized modifications by malicious software.
Vendors, led by Symantec and McAfee, argued they needed access to the kernel to detect malicious software such as rootkits, which burrow deep into the operating system. After a flurry of public statements and pressure from the European Commission, Microsoft agreed to make application programming interfaces (APIs) available.
The APIs will allow host intrusion prevention technologies used by vendors to function without hooking the kernel. But Microsoft said the APIs wouldn't be ready until the release of Service Pack 1 for Vista.