FTR (2)! iang
(((((( Financial Cryptography Update: 2005 - The Year of the Snail ))))))

December 01, 2004

------------------------------------------------------------------------
http://www.financialcryptography.com/mt/archives/000263.html
------------------------------------------------------------------------

So if 2004 depressingly swims past us as the year of the Phish, what then will 2005 bring? Worse, much worse.

The issue is this: during the last 12 months, the Internet security landscape changed dramatically. A number of known, theoretical threats surfaced, became real, and became institutionalised. Here's a quick summary:

1. Viruses started to do more than just replicate and destroy: they started to steal. The first viruses that scanned for valuable information surfaced, and the first that installed keyloggers that targeted specific websites and banking passwords. Just this week, the first attack on the root list of SSL browsers was being tracked by security firms.

2. Money started to be made in serious amounts in phishing. This then fed into other areas, as phishers *invested* their ill-gotten gains, which led to the next development:

3. Phishers started to use other techniques to gather their victims: viruses were used to harvest nodes for spam that were used to launch phishing attacks. Integration across all the potential threats was now a reality.

4. DDOS, which seemed to seriously take off in 2002, became a serious *extortion* threat to larger companies in 2004. Companies that had something to lose, lost.

5. In 2004, it now became clear that we were no longer dealing with a bunch of isolated hackers who were doing the crack as much to impress each other as to exercise their own skills. There is now a market phase for every conceivable tool out there, and mere hackers do not purchase the factors of their production.

6. Malware, spyware, and any other sort of ware turned up as infesting average PCs with Windows at numbers quoted as 30 per machine. And this was just the mild and benign stuff that reported your every browse for marketing purposes.

7. Microsoft were shown to be powerless to stem the tide. Their SP2 mid-life update caused as many problems as it might have solved. No progress was discernible overall, and 2004 might be marked as the year when even the bubble-headed IT media started questioning the emperor's nakedness.

How can I summarise the summary in one pithy aphorism?

For most intents and purposes, the Internet was secure for Windows users until about 2004. From 2005 onwards, the Internet is not secure for Windows users.

Are you depressed, yet? 2005 will be the Year of the Snail. Your machine will move slowly and slipperily to a fate that you can't avoid. The security of the Windows system on which the vast majority of the net depends for its leaf nodes will repeat the imagery of a snail's house. Ever toiling, slithering slowly across the garden with an immense burden on its back, and ever fearful of approaching predator. The snail is quick to retreat into its house, but all to no avail, as that crunching sound announces that your machine just got turned into more phish compost.

I had hoped - foolish, I know - that Firefox and the like would have at least addressed the phishing threat by now. But now we are fighting a two fronts war: phishing attacks the browser's security model and UI, while all the rest attacks the Windows platform.

It's really easy to offer a solution: download Firefox, and buy a Mac. But this is like asking a snail to become a hedgehog; it is simply out of the budget of way too many users to rush out and buy a Mac. Those that can do so, do so! Those that cannot, prepare for the Year of the Snail. And check in with us in a year's time to see how the two fronts war is going.

The good news is that statistically, a few snails always survive to populate the garden for the next year. The bad news is that it will decidedly take more than a year for your house to evolve away from the sound of the crunch.

_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security