Security 2004: Darker Days Ahead?

While the technology industry as a whole is beginning to rebound, the outlook for security in 2004 is not so bright: Security experts in fact believe that with the increase in the number of people writing viruses and the rise of a global market for exploi

The outlook for 2004 for the technology industry may be bright, as many experts say we are in the beginning stages of a rebound, but there are more dark days ahead for the security community.

Using the spate of DDoS (distributed denial of service) attacks against a handful of high-profile Web sites in early 2000 as a starting point, the last three years have been marked by a steady parade of increasingly malicious viruses, denial-of-service attacks, network worms, and attacks on businesses and home users. Code Red, Blaster, SoBig, Slammer, Bugbear, Nimda, Love Bug, Mimail—these are just a sampling of the digital detritus that users have had to wade through since then.

Hard as it is to believe, things may in fact get worse next year, security experts say.

"Theres no reason to think theyll slow down significantly. Weve been seeing on average 50 new vulnerabilities a week, and 80 percent of those are remotely exploitable," said Vincent Weafer, senior director of security response at Symantec Corp., based in Cupertino, Calif. "And thats what hackers are looking for. Its harder for companies to respond because of the complexity of corporate environments."

Weafer said a couple of the main drivers behind the increase in attacks and malware lately are more people writing viruses and attacking systems, and the rise of a global market for exploit code and compromised machines. PCs that have been compromised and loaded with a Trojan or IRC bot are hot commodities in the security underground, and crackers often trade or sell these machines to each other. There is anecdotal evidence of some individuals amassing networks of several thousand compromised PCs.


Check out eWEEK Labs Director Jim Rapozas security predictions for 2004.

"The general level of knowledge is up, and the barrier to entry is going down," Weafer said. "There are more people doing attacks, and the prize is you want to do it on a global basis. Its a numbers game. Even if half of [your zombies] get discovered, who cares? You have 5,000 more."

Building up a network of that many zombies is also the cracker equivalent of athletes who are already filthy rich signing massive endorsement contracts: Its a way to keep score. If you have 10,000 compromised PCs under your control, then you can go on your favorite IRC channel and brag that youre the baddest kid on the block. But you can also make a nice return on your "investment" if you have the right contacts.

"Ownership of these machines is worth money because people use them as proxies for spam," Weafer said. "The genesis of all of this is all of the remotely exploitable vulnerabilities."


See what Security Center Editor Larry Seltzer predicts for the coming year.

Weafer said he believes there will be more zero-day attacks next year, but probably not the massive, crippling event that some experts have been predicting. "It takes a great deal of luck for something like that to happen," he said. "Even if people dont have a patch to apply, there are usually other mitigation techniques they can use. But well almost certainly see more zero-day attacks."

Check back on tomorrow for our predictions on storage and servers, followed by mobile computing and open source on Friday, collaboration and Web services on Saturday, and networking on Sunday.

Discuss this in the eWEEK forum.