Re:Viewing 2005: The year in security

And businesses, large and small, were not the only ones in the firing line where spyware was concerned. Individual users also faced a major threat and will continue to do so well into 2006.

Speaking about spyware in October, Eric Chien, a senior researcher at Symantec, said: "You'd be surprised at the amount of data these things collect.

"At their most basic, they will be able to find your name, your gender, your age, the amount of time you spend online, what you search for, what you buy and what websites you visit."

Chien also highlighted the ways in which spyware is most commonly getting onto users' machines.

MessageLabs' Sunner told silicon.com: "It's incredible, when you consider viruses took 15 years to reach anywhere near this level of sophistication, that spyware has got to where it is in around two years."

Sunner said while spyware, or more accurately adware, was little more than an annoying way to launch pop-ups at the earliest point of that timeframe, the financial incentives which encourage data and identity theft mean it matured to thoroughly pernicious levels during 2005.

And if it's not worrying enough that the bad guys are coming up with ways of going undetected, Sony made very few friends for itself when it was discovered the company was installing rootkit software on encrypted Sony BMG music CDs which could play right into the hands of hackers - sparking reactions within the security industry which ranged from anger to utter disbelief.

Thomas Hesse, president of Sony's global digital business division, didn't help matters when he was reported as saying: "Most people don't even know what a rootkit is, so why should they be concerned about it?"

The notion of authenticating identity, not just protecting it, has also been key. Identity and access management has been something which vendors, end users, analysts and the media have been getting very excited about during 2005.

At the heart of needing to know 'who is doing what?' is the perennial issue of employee error and malicious staff. With this in mind device management also received a lot more attention.

And what would a year in security be without the hype?

Early in the year the widely criticised claims of one company touting the threat of terrorism in the internet age were thrown into the spotlight by an article on silicon.com.

Perhaps coincidentally the fierce criticism of such hype appeared to usher in an era of greater maturity within the security industry and the quietening down of those who would gladly predict cyber-Armageddon if they thought anybody was listening.

Vendors once known for outlandish claims about every worm that raised its head over the horizon were showing an increasing level of awareness for the need to address real problems, rather than media opportunities.

Not that the media escaped without blame.

But the security industry will continue to tread a thin line - calling some instances for tighter regulation. Finnish antivirus vendor F-Secure, for example, came in for criticism for "over-hyping" (in the words of some) the threat of mobile phone viruses.

Others, it has been suggested, have jumped the gun when going big on the potential threat posed by emerging and maturing technologies such as instant messaging (IM) and voice over IP (VoIP) - although, as with mobile phones, many concede the day will of course come when they are targeted - the tipping point being the time they reach a critical mass of community and usage. (We even saw a virus on Sony's PSP - though that's one for the interesting file at the moment rather than anything of too serious note.)

Many security experts cited the moment Yahoo! and MSN agreed to make their IM interoperable as a potential step closer to that day - though attacks over IM did become a feature of 2005 - as is the growing adoption of the Skype VoIP service.

So, with such maturity on the horizon for emerging technologies it seems very likely we will have new, credible threats in 2006 but nobody should lose sight of the fact that developments during 2005 point towards more of the same and continued development around increasingly sophisticated social engineering.