Mikko Hypponen is one of the best known names in the anti-virus industry.
In this article he describes how the last decade has completely changed who we are fighting, and how 2003 was a turning point in the history of computer security.
If you were running Windows on your computer 10 years ago, you were running Windows XP.
In fact, you were most likely running Windows XP SP1 (Service Pack 1).
This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates.
So, if you were running Windows, you weren’t running a firewall and you had to patch your system manually – by downloading the patches with Internet Explorer 6, which itself was riddled with security vulnerabilities.
No wonder then, that worms and viruses were rampant in 2003.
In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig and so on.
They went on to do some spectacular damage. Slammer infected a nuclear power plant in Ohio and shut down Bank of America’s ATM systems. Blaster stopped trains in their tracks outside Washington DC and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe.
The problems with Windows security were so bad that Microsoft had to do something. And it did.
In hindsight, the company did a spectacular turnaround in their security processes.
Microsoft started Trustworthy Computing. It stopped all new development for a while to go back and find and fix old vulnerabilities.
Today, the default security level of 64-bit Windows 8 is so far ahead of Windows XP that you can’t even compare them.
We’ve seen other companies do similar turnarounds.
When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets.
One favorite was Adobe Reader and Adobe Flash. For several years, one vulnerability after another was found in Adobe products, and most users were running badly outdated products as updating wasn’t straightforward. Eventually Adobe got their act together.
Today, the security level of, say, Adobe Reader is so far ahead of older versions of PDF readers that you can’t even compare them.
The battle at hand right now is with Java and Oracle. It seems that Oracle hasn’t gotten their act together yet. And maybe they don’t even have to: users are voting with their feet and Java is already disappearing from the web.
The overall security level of end users’ systems is now better than ever before. The last decade has brought us great improvements.
Unfortunately, the last decade has also completely changed who we’re fighting.
In 2003, all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks.
As an end result, we’re still not safe with our computers, even with all the great improvements.
But at least we don’t see flights grounded and trains stopped by malware every other week, like we did in 2003.