One topic that's currently being pushed to the forefront of security research, if the bugtraq mailing list is anything to go by, is cross-site scripting (XSS) vulnerabilities.
Cross-site scripting can often allow hackers to steal a user's session information, hence hijacking user logins. But in order to exploit these vulnerabilities, the attacker will in most cases require the victim to participate in the attack by, for example, clicking on a malicious link.
Until recently, cross-site scripting had not received a lot of attention, mostly due to the level of victim participation required. But 2002 taught the security industry that crackers and worm writers are starting to target the user, not the computer system, through "social engineering".
Social engineering is now widely regarded as a serious threat. The Klez and "Friends Greeting" worms were remarkably successful despite being quite technically unsophisticated. They didn't use any brand new software exploits, as was the case with Code Red in 2001; instead, they exploited vulnerabilities in human nature.
The age-old human tendency to trust before becoming suspicious is causing some serious problems.
A Sydney-based data security consultant recognised this issue by wryly observing that "the most secure network has no users" in an interview with ZDNet earlier this year.
Perhaps it's not the most practical idea, but his comment is indicative of the view of the wider security community. The emphasis is moving away from technological solutions and towards information management, effective policies and training: the "soft values" of security methodologies.
The Intrusion Detection System (IDS) market is likely to continue to grow in 2003, with some Intrusion Prevention Systems (IPS) becoming semi-viable propositions.
Although many vendors are falsely advertising their products as security "cure-alls", some intelligent software, and some innovative ideas, are starting to bubble to the surface.
The controversial DMCA is continuing to push a lot of security research underground. Some hackers now fear persecution from software vendors and government agencies if they publish exploits for software. The Dmitry Sklyarov case made a lot of researchers very nervous, so they aren't as keen to publicise their exploits as they once were.
Underground hackers were known to have created exploits for serious vulnerabilities, like the flaw found in Apache earlier this year, at least weeks if not months before an advisory had been issued to the public and a patch released.
This can at least in part be attributed to governments and large computer security agencies failing to come up with a widely recognised and respected framework for vulnerability disclosure, and it is likely to remain a burning issue for some time.











