A lot of media attention was on the Black Hat Conference in Las Vegas this year. Michael Lynn, a researcher working for ISS, gave a presentation on a security hole in Cisco's IOS. When Cisco threatened to shut down the conference, Lynn first resigned from his position at Internet Security Systems rather than back down from the presentation. Everything Cisco did was a sad example of bad PR: they instructed the people behind the conference to take the printed conference material and rip out the pages containing the slides of Lynn's presentation. Very 1984 of them.
Cisco claims the presentation was dangerous since it contained information on IOS internals and that the information was obtained illegally. Lynn found the problem while working for ISS, under specific instructions to reverse-engineer the Cisco operating system. He argued that releasing the information was necessary since IOS source code had already been stolen earlier and it was only a matter of time before someone used it for illegal activity. To get his perspective on things, read this interview. For a discussion on whether he should have gone ahead with full disclosure or not, check out this page at Slashdot.
I'm positive that if Cisco hadn't made all this noise, much less interest would have surrounded this presentation. Immediately after the conference Cisco released a patch for the IOS vulnerability. Lynn was hired by Juniper Networks in November.
Common Vulnerability Scoring System (CVSS)
The long-standing problem of scoring vulnerabilities consistently across vendors got a possible solution this year with the creation of CVSS. Gerhard Eschelbeck said: "CVSS allows IT managers to create a single standardized and prioritized ranking of security vulnerabilities across multiple vendors and platforms. CVSS is relevant in all stages of the vulnerability lifecycle, from the time a vulnerability is identified by a researcher to the time a vulnerability needs patching within an enterprise. For computing the vulnerability score, CVSS considers not only the technical aspects of a vulnerability, but also how widely a vulnerable technology is deployed within an enterprise. A multitude of vendors have indicated their commitment to support CVSS in their products, and enterprises are currently introducing CVSS into their environments. By utilizing this scoring system, organizations can patch critical issues more quickly, spending fewer resources on low priority issues."
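To make the "technical aspects plus how widely deployed" point concrete, here is an added worked example of CVSS v1 scoring in Python. This is illustration code written for this page, not code from the article, from Eschelbeck, or from the CVSS working group. The metric names, weights and formulas are reproduced from memory of the 2005 CVSS v1 specification and should be treated as an assumption to verify against the published document; the sample vulnerability and the two organizations are constructed for the example and are not the Cisco IOS issue discussed above.

```python
"""Worked CVSS v1 scoring: base -> temporal -> environmental.

Added example, not from the original article. Weights below are recalled
from the 2005 CVSS v1 specification (assumption: verify against the spec).
"""

# --- Base metrics: intrinsic properties of the flaw, set once by the researcher/vendor.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not-required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias: which of confidentiality/integrity/availability dominates (weights sum to ~1.0).
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}

# --- Temporal metrics: change over time as exploits, fixes and confirmation appear.
EXPLOITABILITY = {"unproven": 0.85, "proof-of-concept": 0.90, "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official-fix": 0.87, "temporary-fix": 0.90, "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.0}

# --- Environmental metrics: set by each enterprise; this is the "how widely deployed" part.
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """Base = 10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias), rounded to one decimal."""
    c_bias, i_bias, a_bias = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * c_bias + IMPACT[integ] * i_bias + IMPACT[avail] * a_bias
    raw = 10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact
    return round(raw, 1)


def temporal_score(base, exploitability, remediation, confidence):
    """Temporal = Base * E * RL * RC; it can only lower the base score."""
    raw = base * EXPLOITABILITY[exploitability] * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence]
    return round(raw, 1)


def environmental_score(temporal, collateral, distribution):
    """Environmental = (Temporal + (10 - Temporal) * CDP) * TD.

    TD scales the whole score: a flaw in a product an organization does not run
    scores 0.0 for that organization, however severe it is in the abstract.
    """
    raw = (temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral]) * TARGET_DISTRIBUTION[distribution]
    return round(raw, 1)


def score_for_organization(base_metrics, temporal_metrics, env_metrics):
    """Run the three stages and return all three scores for one organization."""
    base = base_score(**base_metrics)
    temporal = temporal_score(base, **temporal_metrics)
    env = environmental_score(temporal, **env_metrics)
    return {"base": base, "temporal": temporal, "environmental": env}


# Constructed sample: a remotely exploitable, unauthenticated bug giving full C/I/A compromise,
# with a functional exploit in circulation but an official vendor fix available and confirmed.
SAMPLE_BASE = dict(av="remote", ac="low", au="not-required",
                   conf="complete", integ="complete", avail="complete", bias="normal")
SAMPLE_TEMPORAL = dict(exploitability="functional", remediation="official-fix", confidence="confirmed")

# Two hypothetical organizations: one runs the product on most of its network, one does not run it at all.
ORG_HEAVY_USER = dict(collateral="medium", distribution="medium")
ORG_NOT_DEPLOYED = dict(collateral="medium", distribution="none")

if __name__ == "__main__":
    for name, env in (("heavy user", ORG_HEAVY_USER), ("not deployed", ORG_NOT_DEPLOYED)):
        print(name, score_for_organization(SAMPLE_BASE, SAMPLE_TEMPORAL, env))
```

The same flaw gets the same base and temporal scores everywhere; only the environmental stage differs, which is what lets one enterprise put it at the top of its patch queue while another, which does not run the product, ignores it.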
This is the year when phishing stopped being confused with fishing and basically everyone came to know what it means. Howard Schmidt comments: "I agree that the number of phishing scams is on the increase; all indications are that FEWER people are falling for the scams. In some cases international law enforcement has made arrests of people who are running these scams, which has proven that people can be caught and will be prosecuted. Also, MANY technology steps have been taken to reduce the likelihood one will even see the phishing emails. There was a period of time where some people were scared away from online commerce because of phishing, but all indications are that there is limited, if any, impact at all."