Brain. No, it’s not some Skynet AI drone, nor is it the blob that was always out to get the Teenage Mutant Hero Turtles.
It is the name of the first PC virus, dating back to 1986. The two Pakistani brothers, Basit and Amjad Farooq Alvi, who wrote it did not have malicious intentions: they simply wanted to scare people running pirated versions of the software they were pushing out of their shop in Lahore.
But their creation, which infected the boot sector of hundreds of thousands of floppy disks with the Brain code, was pernicious.
Malware was not designed to steal data back in the 1980s. Much of it was the work of hobbyists. The first conviction under the US Computer Fraud and Abuse Act concerned was that of Robert Tappan Morris in 1989 for the spread of the Morris worm, which he had cooked up the year before.
Morris said he simply wanted to test the security of systems attached to the embryonic internet. Again, there was little malicious intent but the fallout was nasty.
Since then, the proliferation of viruses, worms and Trojans has been inexorable. Many viruses that emerged in the 1990s were MS-DOS visual malware. The Walker, for example, created the image of a gentleman ambling across the infected machine’s screen, and the V-Sign drew a "V" in the command-line interface.
The Concept malware which infected Word files was a game-changer. Discovered in 1997, it was one of the first macro viruses that could appear on any system running Word, regardless of the underlying operating system.
Then there was Happy99, the first email worm, forerunner of further famous worms such as Anna Kournikova and iloveyou, which infected millions of machines after the turn of the millennium.
Code Red would redefine how people considered security, as it infected Windows web servers, not PC clients.
SQL Slammer, a worm that exploited a flaw in Microsoft SQL Server and caused denial-of-service incidents across the internet, was another evolution of the threat. Malware had become seriously noxious.
Stealing from the thieves
Since 2000, malware has increasingly focused on financial gain rather than just disruption. Combined with social engineering tricks perpetrated through phishing emails and social network posts, malware such as Zeus has been used to pilfer vast sums from people’s bank accounts, while other malicious software has picked up sensitive data on an epic scale.
Giant spamming botnets, from Storm to Conficker, have also caused carnage. Ransomware, such as the particularly aggressive Cryptolocker variant, has become prevalent, encrypting files and demanding payment for decryption from the infected user.
The criminal malware zenith was reached last year, with the epic point-of-sale attack on US retail giant Target, leaking data on more than 40 million credit cards.
“The most important attack [in the history of security] was the one on Target,” says Alan Woodward from the Department of Computing at the University of Surrey.
“It showed for the first time the scale that organised hacking can reach when going for direct financial gain.”
Nation states have also adopted and developed malware to steal other countries’ secrets.
The most notorious example was Stuxnet. Believed to have been created by the US and Israel the virus disrupted centrifuges at an Iranian nuclear plant by exploiting a record four zero-day vulnerabilities.
Cyber espionage has become increasingly sophisticated too, reaching its apparent apex with the Red October campaign in early 2013. Over five years, PCs, mobiles and network equipment were infected at government agencies, research organisations and nuclear groups, scooping up geopolitical intelligence and critical credentials.
“Stuxnet showed that cyber security can impinge on the real world, and suddenly the general public realised that everything from power stations to transportation was potentially vulnerable,” says Woodward.
“Red October showed that stealing information might be a motive, that it can go on unnoticed for years and that criminals might not be the only ones interested.”
While malware and the exploits delivering it have been developing apace, other kinds of attack have been proliferating too as crooks take advantage of age-old problems.
Dodgy password management was the catalyst for the introduction of the UK’s Computer Misuse Act.
Back in 1985, Robert Schifreen and Stephen Gold were arrested, having acquired the login details to Prince Phillip’s BT Prestel Mailbox, but they were acquitted because no computer crime law then existed.
Schifreen, now a well-regarded author and security consultant, thinks login snafus are still a major issue.
“We need to find a solution to the problem of people having to remember loads of different passwords,” he says.
“The fact that ‘123456’ is still the world's most popular password is astonishing.”
Application-layer attacks, in particular SQL injection and cross-site scripting (XSS), remain problematic, given the ease with which they can be used to force websites into dumping data.
WhiteHat Security’s 2014 Statistics Report showed XSS was the most common vulnerability class, causing problems regardless of what languages were being used.
Among the Perl sites reviewed by WhiteHat, there was a 67 per cent chance of at least one XSS vulnerability, over 11 per cent more than any other language, while as many as 10.6 per cent of ColdFusion sites had at least one SQL injection flaw.
Worries about access to applications have also intensified. In a Barracuda-sponsored survey of 400 Register readers carried out by analyst firm Freeform Dynamics, two-thirds said mobile and remote access were increasing the challenge associated with application access security.
The rise of cloud-based services and the quality of mobile attacks has made security leaders anxious about employees using tools without involving the CIO, known as shadow IT.
“Companies wanting to ensure malicious parties aren't gaining access to applications should be educating employees, partners and customers,” says Klaus Gheri, vice-president of network security at Barracuda Networks.
“The banks enforced this from an early stage with online banking and it has worked very well. The banks have learned that access controls via two-factor authentication are most effective against account theft. Technology is a backup to education.”
Problems surrounding legacy apps, including heightened complexity combined with poor service, remain. More than 60 per cent of respondents to the Freeform Dynamics survey said they were experiencing poor or unpredictable app performance.
"It is commonplace for companies to put up with poor service from legacy security providers. The reason that we see over and over is that human beings are risk adverse,” says Gheri.
“They don’t like change, especially when it could open them up to criticism. IT security is a risky business. Nobody notices when it works well but everyone from the CEO down to the call-centre staff notices when it doesn’t.
"The consequences of a poor security decision are far greater than any other in IT management.
“There are, however, risks involved in putting up with poor service. The longer you stay with an incumbent provider because of fear of change, the older your features get and the less compliant with industry standards. Often apathy leads to out-of-date technology and not getting the attention or price points you should be due.”
The network is not immune from attacks either. Thanks to hacktivists, extortionists and nation-state attackers, distributed denial of service (DDoS) attacks have grown to epic proportions. One example was a huge hit that took out internet infrastructure in Estonia in 2007.
“The DDoS on Estonia highlighted the fragility of the internet, even at a national level," says Brian Honan, CEO of BH Consulting and founder of the Irish Reporting and Information Security Service, Ireland's first computer emergency response team.
DDoS is now an everyday attack tool for criminals and others
"Using simple scripts attackers were able to force Estonia off the internet for days. Until then DDoS was not considered a major threat but it is now an everyday attack tool for criminals and others."
This year saw a new peak, with a 325Gbps DDoS on an unnamed French organisation. By spoofing IP addresses and using huge botnets, attackers were able to exploit protocols such as the Network Time Protocol (NTP) that allow for epic DDoS amplification.
One small request to a vulnerable NTP server can send back large volumes of traffic back to targets, knocking them offline. The problem is so severe that DDoS attacks are predicted to exceed 500Gbps this year.