It's been a long year for many of us. I can't be the only person who feels like they've squeezed 18 months of work into a 12-month time frame. Whew!
Looking back over 1999, it's easy to see that a lot of activity occurred in the security world-—much more than in 1998. If I had to pick one security-related event during the last 12 months that affected me more than any other event in that time frame, I'd have to say that it was learning how China decided to deal with a couple of relatively small-time computer crackers.
In March of this year, China reported that it had arrested and convicted two brothers of embezzling approximately $87,000 (US) from a Chinese bank. The brothers cracked a bank's computer security and transferred the funds to their own account. And for that act, China sentenced the two men to death. But even while setting such a hard precedent for thieves—especially cyber-thieves—China wasted no time in displaying its bigotry by assuming that it's OK to steal super-sensitive nuclear secrets from the United States. Oh, you didn't hear about that theft? Check your favorite world news source for details.
Another set of hacking events occurred that truly gained and held my attention for most of 1999, and I see no sign of that attraction letting up soon. The events to which I refer are the seemingly never-ending security risks that Georgio Guninski discovered in Internet Explorer (IE).
In my opinion, Georgio has done more for the overall security of IE, and the security of Windows desktops in general, than any other hacker on the planet. Georgio has discovered more than a dozen security risks in IE 5.x. Look at his IE Web page sometime, and you'll see why I feel that Georgio deserves a gigantic pat on the back for his tireless efforts.
Looking ahead to 2000, I predict that by year's end, we'll find that the biggest security events of 2000 took place during the first quarter. In January and February of 2000, we'll be fighting Y2K problems relentlessly. And in February, Microsoft will ship Windows 2000 (Win2K), which will open the flood gates for officially reporting any security risks the new OS might contain.
As with any new OS, it's safe to assume that it's not perfect, and thus, we'll see more than a few risks surface in the new platform. In fact, I bet hackers are already sitting on Win2K risk information, waiting for the most inconvenient time to release that information. My guess is that the time will come after the official release of the new OS in February.
But even so, I doubt that we'll see any risks as serious as the ones discovered in Windows NT 4.0 over the last 24 months. Between finding several ways to gain Administrator access and finding ways to subvert Microsoft's encryption technology, hackers have given the company a fairly serious beating over the security technology used in NT 4.0. I think Microsoft has learned valuable lessons from these discoveries, but I also know that no one is perfect and, therefore, we can assume that Win2K has bugs. What are these bugs, and how will they impact your network? Only time will tell. Nonetheless, I'm looking forward to the year 2000 and the new OS from Microsoft.
If you're among those people who have to work on New Year's Eve, stop by and hang out with BindView at its online Web party on December 31. See the details.