It’s that most un-wonderful time of the year: the time when everyone writes fluffy articles full of lists, retrospectives and look-aheads. Even we did it. Many of these lists involve some variation on the theme of most overhyped or least organic or most awesomest or lowest fat content. This article is not those articles.
Instead, this is the article that will inform you about the stories this year that are neither overhyped nor underhyped. Not the ones that beat you over the head all year, making you long for the days of the Pony Express and six-month news cycles. Nor the ones that slipped by unnoticed and then snuck up on you a week later, which may as well be three years later at this point. No, these are the stories that got neither too much nor too little attention, but exactly the amount of hype, furor and attention that they deserved.
You could probably argue that some of the individual bugs and pieces of malware that affected Android this year were overhyped, but the overall problem of security on the Android platform is bad and not getting any better soon. Android apps have been found stealing texts, intercepting phone calls and using root exploits; researchers have found a variety of serious vulnerabilities in the operating system; and Google has been mostly quiet about all of this. Expect this giant ball of twine to gather even more string in 2012 as Android continues to grow in popularity and researchers and attackers continue to hammer on it.
I could make a case that there hasn’t been a single year yet in which privacy has gotten the proper amount of attention. But this is the end of the year, so why bring down the mood? Privacy is definitely one of the topics that people are sick of hearing about and start to tune out, and that’s a big part of the problem. Look at what happened this year with Carrier IQ. Within about three hours of the first reports of the existence of the company’s software on mobile phones, a lot of people were done with it, saying that carriers had all your data anyway, so why worry. While Carrier IQ certainly got beaten into the ground, the larger problem surrounding privacy got a good, solid amount of attention and careful analysis this year. Much of that can be attributed to the work done by folks such as Chris Soghoian and the EFF.
Now, given the indefensible use of the word cyber throughout the security world, it’s almost physically painful to put this on the list. But, at this point you just kind of have to go with it. Mostly, this section is reserved for Duqu, the gift that has kept on giving ever since it debuted in early fall. Duqu got a bum rap initially, because it was dubbed the son of Stuxnet and Stuxnet Jr. and whatever else headline writers could come up with to attach it to that infamous worm. And while it turns out that Duqu and Stuxnet probably were written by the same crew, they’re not much alike at all. Duqu is by far the more interesting and adaptable of the two, and researchers are still trying to decipher all of its components and capabilities lo these many months later. It’s a clever, modular tool designed to be used in a variety of different environments and situations, and researchers are pretty sure it was written by a well-funded, professional team (read: government). So, Duqu was exactly as scary as everyone said, and it may in fact be the harbinger of the Internet’s end times. Plus, it’s fun to say Duqu.
Sure, this is sort of cheating, considering the attack on RSA appeared on our year-end look at the absurdities of 2011. But it wouldn’t be a list at all without this one. RSA took a ton of heat for the attack that compromised its SecurID product line and forced the company to reissue millions of the tokens. And rightly so. It was a simple attack that led to a disastrous win for the attackers. But there were a lot of security teams at other companies looking at that incident and saying, man, that could’ve been us. If the big, sophisticated companies can lose that badly, so can anyone else. The intrusion was huge news and that’s the way it should have been. The lesson, as always, is that security is hard, and there are an infinite number of ways to get it wrong and precious few ways to get it right. That, and don’t publish explanations of an attack on April Fool’s Day.