
2007: How was it for security?

Written by Munir Kotadia, Contributor

Security researchers worked overtime in 2007, which turned out to be a nightmare for software vendors from day one. In January alone, Apple, Google, Microsoft and Adobe were just some of the household names embarrassed for leaving gaping holes in their products.

For Apple, 2007 must feel like a slap in the face when it comes to security. The year kicked off with a month of Apple bugs; saw the company release more than 100 patches by June and finish the year with multiple variants of a nasty OS X trojan on its tail.

On top of this, users of its iPhone and recently launched iPod Touch were desperate to free themselves from the shackles of a platform that was closed to third-party applications. They gained their freedom by visiting Web sites that exploited a vulnerability in Safari to gain root access to their device. It's exactly the same way millions of Windows-based users become infected with malware on a regular basis, so the fact that Apple customers are doing this voluntarily seems less than intelligent.

As the year began, Microsoft was again being criticised by security researchers after ignoring a known vulnerability in Word in its first Patch Tuesday of the year. It turns out that Word had numerous holes and attackers were exploiting them faster than the Redmond security people could fix them.

Google didn't escape the vulnerability overload either -- it had to fix a cross site scripting flaw that was letting attackers compromise other users' privacy.

Security researchers also warned that users of Adobe's PDF format -- just about everyone then -- were far more vulnerable to attack than previously thought: a fact proven later in the year.

Still in January, the Storm worm started brewing and was still blowing at the end of the year -- and it's likely to continue causing trouble during 2008.

With all these security issues on the horizon, it was a surprise that there were so few high-profile victims: unless you want to count Swedish bank Nordea which admitted to losing around AU$1.5 million in an online attack.

The month finished with both good and bad news. The good news was that viruses were no longer the biggest threat to security. The bad news was that, according to MessageLabs, they had been replaced by phishing, which now accounted for around one percent of all e-mails.

Ex-Prime Minister John Howard's health was the focus of attention in February when phishers decided that he was close to death after suffering a heart attack. Having captured the hopes of a nation, it turned out the rumours were just a silly hoax.

Symantec, which continues to claim it is the most "trusted name in security", decided that 2007 was the year to release what it had been promising for years -- a lightweight security solution that didn't suck up resources and was a pleasure to use. At ZDNet Australia we remained sceptical of the company's ability to create such a product.

As it turns out, by the end of the year, our readers confirmed our worst fears. It seems that Norton 360 is no better than the dreaded yellow boxes of death, which contain other products from Symantec's Norton security product range. Readers wrote to us in droves to complain about the product, with one labelling it: "The absolute worst experience of my life".

And as if to add fuel to the fire, Symantec customers in March found they couldn't access Yahoo Mail because the yellow beast managed to flag the popular mail program as a virus.

Microsoft once again proved that instead of making a security product to protect its flawed software, it should concentrate on creating flawless software: in mid-March, the software giant was in trouble with some of its customers who claimed that OneCare had conveniently deleted or quarantined their .pst or .dbx files. Microsoft responded in its usual caring fashion by blaming its customers -- despite one of its security managers admitting that the product should never have been released because it was missing "bits and pieces".

Soon after, Redmond apologised for its cock-up and tried to distract customers by selling the security benefits of Vista. Unfortunately this coincided with attackers exploiting a feature vital to all large companies -- the ability to animate the Windows cursor.

As administrators around the world spent sleepless nights wondering how their employees would manage without a cursor that changes shapes and leaves trails across the screen, Microsoft stepped in and fixed the problem with a patch outside of its monthly cycle. Phew!

Then came May and AusCERT 2007, with the southern hemisphere's largest security conference hitting Queensland's Gold Coast.

The AusCERT conference kicked off with a keynote from Ivan Krstić, director of security architecture for the One Laptop Per Child project, who stunned the delegates by announcing that the IT industry had failed when it comes to desktop security.

It finished off with Richard Thieme warning delegates that they should consider everything -- including Alien invasion and God -- when planning their security budget.

Westpac, Australia's fourth largest bank, kicked off the second half of 2007 with deathly silence as the company's ATMs, online banking and EFTPOS services were knocked offline.

Initially, it blamed "human error" but a source within Westpac's IT team explained that the bank was the victim of a DDoS attack. Westpac spokesperson David Lording, who in the past boasted about the company's "backup systems on backup systems", eventually admitted there had been an attack.

A couple of months later, criminals sent phishing e-mails claiming that "hardware failures" meant that Westpac customers should "review" their account details. To top things off, Westpac had another failure in early September when a systems failure locked around 200,000 customers out of their accounts.

Westpac wasn't alone in making headlines when it comes to security issues: in October, National Australia Bank also admitted being hit by a massive DDoS attack. In November, the Commonwealth Bank's customers were targeted by a very fussy trojan.

Back to June and OpenOffice -- the ugly sister of Microsoft's Office productivity suite -- was targeted by BadBunny -- a worm capable of infecting Windows, Mac and Linux systems.

The cross-platform application was exploited again in September -- this time because of a TIFF-based buffer overflow issue.

Java, which also runs on numerous platforms, was the subject of a massive security alert in July when engineers from Google discovered a vulnerability in the Sun Java Runtime Environment, which the search giant said threatened the security of all platforms, browsers and even mobile devices.

Sun sent out patches for the hole a few days later but the company's updating schedule was criticised at the time by security firm eEye for "putting millions at risk".

Around the same time, BlackBerry maker RIM seemed worryingly unmoved that a spyware application called FlexiSpy was able to monitor e-mails, text messages and even record voice conversations and send them to a third party.

The same software can also keep tabs on anyone using a Symbian-based phone. Later in the year, Finnish firm F-Secure had a go at software developer Retina-X Studios for releasing a dodgy mobile phone spying application -- which was full of bugs!

With all these trojans and hackers around, you would think that users would avoid making it easy for criminals -- but then social networking exploded, which most likely had identity thieves dancing for joy.

Before Facebook, LinkedIn and MySpace, ID thieves had to work hard in order to discover personal information about individuals. According to AusCERT's general manager Graham Ingram, people's addiction to social networks has become a real danger.

MessageLabs' co-founder Mark Sunner agreed. In a video interview, he said that these sites are "a goldmine of data for the bad guy community". Apart from encouraging everyone to volunteer their private information, Facebook users got more than a poke when the site's banner adverts started threatening Internet Explorer.

If it isn't enough that dodgy Eastern European criminals are trying to plant malware on our computers, this year we discovered that our governments -- or specifically the American and German governments -- have created "official" malware and tried to force security companies to turn a blind eye.

One of the biggest security jokes of the year was the Howard government's ultimately stupid idea to spend AU$189 million on making the Internet safer for children by providing all families with a free porn filter.

Before the ink had even dried on the NetAlert cheque, 16-year-old Tom Wood had managed to bypass the filter. So what did the government do to punish this young cracker? He was hired to fix the system. By doing so he also helped the government reduce the national skills shortage -- by one. "It seems to be working just the way we planned," said Helen Coonan, who has a little more time on her hands after Labor won the election in November.

Speaking of the election, another hot topic was the dreaded national ID card. I mean the Australia card. Err. No, I mean the Access Card. I think.

Whatever you want to call it, it was a stupid, unpopular idea and is hopefully dead and buried. Unfortunately, this may not be the case.

2007 was the year that politicians finally realised that this new interweb tubes thingy was not just a fad and it may even help them get a few more votes. Unfortunately for ex-Prime Minister John Howard, his Web site had a cross-site scripting vulnerability, which was (ab)used to make it seem that the PM wanted to "suck your blood".

Computer enthusiast Brett Soric said he was just having a bit of fun and luckily for him, the AFP agreed and let him off the hook.

As the year drew to a close, Apple's Steve Jobs admitted that the company had kept its iPhone platform closed to third-party applications because of security concerns. This is rather ironic, as it was the hunger for such applications that caused so many iPhone owners to have their phones hacked on purpose.

One of the last stories before the Christmas break pretty much summed up 2007 for Apple: it seems that this year there were 234 highly critical vulnerabilities in Mac OS X, or more than 10 times the number discovered in Windows XP and Vista combined.

Was 2007 the year that Mac security died? The editor of ZDNet Australia has already covered his MacBook's iSight camera with electrical tape -- just in case.
