FTR (2)!   iang

(((((( Financial Cryptography Update: 2005 - The Year of the Snail ))))))

                           December 01, 2004


------------------------------------------------------------------------

http://www.financialcryptography.com/mt/archives/000263.html



------------------------------------------------------------------------

So if 2004 depressingly swims past us as the year of the Phish, what
then will 2005 bring?

Worse, much worse.  The issue is this: during the last 12 months, the
Internet security landscape changed dramatically.  A number of known,
theoretical threats surfaced, became real, and became
institutionalised.  Here's a quick summary:

1.  Viruses started to do more than just replicate and destroy:  they
started to steal.  The first viruses that scanned for valuable
information surfaced, and the first that installed keyloggers that
targeted specific websites and banking passwords.  Just this week, the
first attack on the root list of SSL browsers was being tracked by
security firms.

2.  Money started to be made in serious amounts in phishing.  This then
fed into other areas, as phishers *invested* their ill-gotten gains,
which led to the next development:

3.  Phishers started to use other techniques to gather their victims:
viruses were used to harvest nodes for spam that were used to launch
phishing attacks.  Integration across all the potential threats was now
a reality.

4.  DDOS, which seemed to seriously take off in 2002, became a serious
*extortion* threat to larger companies in 2004.  Companies that had
something to lose, lost.

5.  In 2004, it now became clear that we were no longer dealing with a
bunch of isolated hackers who were doing the crack as much to impress
each other as to exercise their own skills.  There is now a market
phase for every conceivable tool out there, and mere hackers do not
purchase the factors of their production.

6.  Malware, spyware, and any other sort of ware turned up as infesting
average PCs with Windows at numbers quoted as 30 per machine.  And this
was just the mild and benign stuff that reported your every browse for
marketing purposes.

7.  Microsoft were shown to be powerless to stem the tide.  Their SP2
mid-life update caused as many problems as it might have solved.  No
progress was discernible overall, and 2004 might be marked as the year
when even the bubble-headed IT media started questioning the emperor's
nakedness.

How can I summarise the summary in one pithy aphorism?

    For most intents and purposes, the Internet was secure for Windows
    users until about 2004.  From 2005 onwards, the Internet is not
    secure for Windows users.

Are you depressed, yet?

2005 will be the Year of the Snail.  Your machine will move slowly and
slipperily to a fate that you can't avoid.  The security of the Windows
system on which the vast majority of the net depends for its leaf nodes
will repeat the imagery of a snail's house.  Ever toiling, slithering
slowly across the garden with an immense burden on its back, and ever
fearful of approaching predator.  The snail is quick to retreat into
its house, but all to no avail, as that crunching sound announces that
your machine just got turned into more phish compost.

I had hoped - foolish, I know - that Firefox and the like would have at
least addressed the phishing threat by now.  But now we are fighting a
two fronts war:  phishing attacks the browser's security model and UI,
while all the rest attacks the Windows platform.

It's really easy to offer a solution:  download Firefox, and buy a Mac.
But this is like asking a snail to become a hedgehog;  it is simply
out of the budget of way too many users to rush out and buy a Mac.
Those that can do so, do so!

Those that cannot, prepare for the Year of the Snail.  And check in
with us in a year's time to see how the two fronts war is going.  The
good news is that statistically, a few snails always survive to
populate the garden for the next year.  The bad news is that it will
decidedly take more than a year for your house to evolve away from the
sound of the crunch.

-- 
Powered by Movable Type
Version 2.64
http://www.movabletype.org/

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
