Welcome to 2011. Usually around this time of year, pundits guess what we'll be seeing in the year ahead. On the computer security front, we're hearing that 2011 will be the year of mobile malware, that criminals will take to the cloud, and that social network security is destined to become a bigger and bigger problem.
But if the past is any guide, nobody will see the top 2011 security stories coming. A look at the top news stories of 2010 shows that the incidents that really captured the public's attention were the ones that nobody predicted. Here are a five of the top, unpredicted stories from the past year.
1. Google gets hacked
In January, Google surprised everyone by admitting that it had been hit with a targeted cyber attack, now known as [Aurora]. Security insiders know that cleaning up hacked computers is just a cost of doing business today, but nobody predicted that a company like Google would voluntarily come forward and admit that it had been breached.
The Aurora incident wasn't a simple drive-by download. According to people familiar with the incident, hackers got deep inside Google's IT and were able to get control of critical internal systems. Nobody knows who pulled off the attack, but Google and the U.S. Department of State [seem to think that it came from China.]
The Aurora hackers had also targeted at least 30 other major companies, and Google's public admission put the cyber-espionage problem squarely on the corporate agenda.
2. A worm targets critical industrial systems
Security consultants had been warning about vulnerabilities in critical infrastructure systems for years now, but real-world bad guys have been too busy making money from hacked Windows desktops to pay much attention.
All of that changed in July 2010, when a little known Belarus company called VirusBlockAda [discovered a strange and very sophisticated worm on computers in Iran]. The more we learned about Stuxnet, the more incredible it seemed: a piece of malware that was written by people who could master both zero-day Windows vulnerabilities and obscure SCADA programming techniques, that sought out very specific industrial systems and then tried to destroy them.
There's a growing consensus that Stuxnet was [built by a nation-state attacker aiming to damage Iran's nuclear program.]
3. Russia busts hackers
Computer crime is a semi-legitimate business in countries like Russia and Ukraine. So long as the criminals don't harm locals, they've generally been allowed to operate with impunity, bringing millions of western dollars into local economies.
This year, though, Russian authorities took a few actions against a few high-profile criminals, [busting the people responsible for a wildly successful Royal Bank of Scotland heist] and [charging the man thought to be responsible for a large chunk of the world's pharmaceutical spam].
Even the Ukraine, long considered one of the safest havens for computer criminals, [rounded up some of the alleged leaders of one of the worst Zeus crimeware gangs.]
4. And the hackers get off with a slap on the wrist
Unfortunately, Russia and Ukraine's actions are symbolic, rather than punitive. The mastermind behind one of the most lucrative computer attacks in history, [Victor Pleshchuk, got off with probation]. Sure, he had to pay back the stolen money, but if you don't even get jail time for an US$8.9 million heist, is there really any reason for criminals to think twice about hacking into a bank? In Ukraine and Russia, the masterminds behind Zeus are still on the loose, despite the fact that about a hundred low-level operatives were rounded up in the U.K. And the alleged pharma-spammer, Igor Gusev, apparently fled the country before he could be brought into custody.
5. Anonymous gets taken seriously
If you're an angry teenager with some free time on a Saturday night, and you're mad at Visa or MasterCard because they won't process payments for WikiLeaks, there's something you can do to pass the time. You can call yourself Anonymous and get some free publicity for your cause by downloading some DDoS software. [It's completely illegal], but effective. It only took a few thousand people to give these financial services companies a run for their money, in a series of DDoS attacks in early December. And thanks to reporters who can't distinguish between a minor Web site outage and catastrophe, they got to be known as the ["computer hackers" who "have sent two of the world's biggest credit card companies into meltdown."]