Security Architecture, Application security, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Governance, Risk and Compliance, Compliance Management, Privacy, Critical Infrastructure Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

IT security reboot 2006: The year’s top news

Top 10 Most Visible Changes Since 2005

1. More for-profit attacks
The late-night hacker launching attacks to impress his friends is all grown up. Today's cybercriminals are interested in one thing above all else: money. According to a U.S. Justice Department study, the average cost of a cyberattack was more than $3 million this year, and more than $2.5 million when attackers used captured IDs and passwords.

2. An increase in targeted attacks
In 2006, cybercriminals used malware, complete with some already obtained personal information, to make attacks as customized to their targets as possible. Phishing attacks designed for the bank accounts and interests of more specific groups of home-users proved more effective than mass mailings as the year went on.

3. Mac OS X flaws appear for the first time
If home-users and businesses thought Apple had a magic wand against security threats, they were proven wrong this year. The first security vulnerability exploits for Apple's Macintosh OS X operating system were found this year, dispelling the myth that Macs are hack-proof. The exploits are proof of Mac's growing market share, some experts said.

4. Increased awareness of data breaches
Companies have a harder time keeping their breaches a secret now that some states have made it illegal to do so. Since California's SB1386 led the way, 34 other states have passed breach notification laws. And Congress could make it a federal law in its next session.

5. Rootkits through the roof
Because of their effectiveness in compromising a PC, and the toughness in detecting them, the use of rootkits is on the rise. Numerous studies have said the devices are increasing in use at an alarming rate, with as much as a 2,300 percent jump since 2001.

6. The rise of the third-party patch
Tired of waiting for Microsoft's Patch Tuesday? No problem, according to a handful of vendors and organizations. Microsoft recommended that end-users and IT administrators ignore the unofficial patches, and put out an early patch or two of its own.

7. Changing threats
Firms reported that a number of sites contain vulnerabilities that could enable cross-site scripting. Email security firms said they're seeing more image spam, the use of visual files to bypass filters.

8. Jump in federal data breaches
The Department of Veterans Affairs. The U.S. Navy. The FTC. At times the question seemed to be, "What federal department will have a data breach next?" The most notorious this year was that at the VA, which affected millions of veterans and active-duty members of the armed forces.

9. Military agencies targeted
The Pentagon may be home to the world's most powerful armed forces, but that doesn't mean it still doesn't have trouble fighting off cybercriminals. Attackers targeted both the Defense and State departments this year, meeting with some success. The attacks were blamed on hackers within the People's Republic of China, according to published reports.

9. Career changes
Different jobs were more available in 2006. The CSO gained prominence at many major firms because of growing security threats. The risk officer began employment at many firms. And the compliance officer, spurred on by the realization that SOX, HIPAA and other requirements are a full-time job, was seen more often. Whether these and other newly formed posts are helping remains to be seen.


Top 5 dumb criminals who got caught

1. Mark Hayes
Infamous as the first internet fraudster caught in New Zealand, Hayes allegedly used keylogging software to gain access to accounts from the Trade Me auction site. When he fraudulently bought tickets for a show in Auckland, he was arrested there.

2. Kenneth Kwak
A former federal auditor, Kwak allegedly monitored the email and PC use of his boss by installing software on his PC. Despite peeking at his boss's storage capacity, email and web use, there is no evidence he ever gained financially from his actions, according to the Department of Justice.

3. Daniel Lennon
This British national was sentenced to two months' curfew for allegedly launching a DoS attack on his former employer's email server. His attack shut down the server of the Domestic & General group and cost the company $30,000.

4. Christopher Maxwell
Sentenced to three years in prison, Maxwell attacked the Pentagon, Northwest Hospital in Seattle, and the Colton Unified School District. Two juvenile co-conspirators were also convicted on federal conspiracy charges.

5. Jennifer R. Clason
The 33-year-old was convicted this year for sending hundreds of thousands of obscene emails to online customers. She was also the organizer of, a resource provider for women who want to work from home.


Top 5 criminals who saw hefty sentences

1. The Fat Spaniard
Jose Manuel Garcia Rodriguez, or "el Gordo Espana," was extradited from Argentina by international authorities. He is suspected of hacking hundreds of thousands of euros from bank accounts. Garcia faces up to 40 years in prison if the charges against him are held up.

2. The Russian blackmail gang
Ivan Maksakov, Alexander Petro and Denis Stepanov were each sentenced to eight years in prison after Russian authorities worked with the U.K. National High Tech Crime Unit, the FBI and Interpol to catch them after they were accused of blackmailing British and Irish online casinos. The group threatened to crash the casinos' websites using DDoS attacks.

3. The Botmaster
Jeanson James Ancheta received the longest sentence ever imposed on a malware distributor, 57 months in prison. A resident of California, Ancheta rented out zombie PCs to send spam and unleash DoS attacks. He also profited by installing adware on a network of compromised computers.

4.The hospital hacker
Christopher Maxwell was sentenced to three years in jail and three years of supervised release after pleading guilty to federal conspiracy charges. He was accused of using botnet attacks to install adware at the Pentagon, Northwest Hospital in Seattle and the Colton Unified School District in California.

5.The Zotob pair
Farid Essebar and Archaf Bahloul both got jail time in Morocco for their role in the creation of the Zotob worm, the malware that disrupted media outlets in 2005. Essebar received two years in prison and Bahloul received a year for exploiting a Microsoft flaw that caused widespread destruction at CNN and other media outlets.


Top 5 Up and Coming Security Threats

1. Cross-site scripting flaws
These topped the Common Vulnerabilities and Exposures list for the first time this year, but most, located on prominent websites, remained unpatched by web developers. Look for the threat to become more notorious in coming years as Web 2.0 sites become more popular.

2. RFID threats
Of course, the potential is there for hackers to steal credit card information en masse from grocery stores and gas stations with check-outs using this technology. But is it an immediate threat to consumers getting milk or chips or gasoline? Not at the moment.

3. Man in the middle attacks
They're dangerous, but new technology that authenticates information from both ends renders the threat useless. The warning advises PC users to beware of a new hoax spreading across the internet, claiming that emails containing the subject line "Invitation" were armed with the most destructive virus ever. One problem: it was just a hoax.

4. Wireless card attacks
Shown off at this year's Black Hat conference, two researchers demonstrated how hackers could target wireless cards and ultimately take over a PC. But what one researcher calls only a "James Bond" scenario is only useful to hackers looking for an extreme challenge.

5. VoIP threats
Voice over internet protocol threats could certainly be a bane to IT professionals in the future, but at this minute, how many home users or employees have actually been affected by exploits for VoIP vulnerabilities?


Top 5 Dumb Things Said by Sen. Ted Stevens, R.-Alaska, about the internet while speaking on net neutrality

1. "It's a series of tubes."

2. "They want to deliver vast amounts of information over the internet. And again, the internet is not something you just dump something on."

3. "It's not a truck."

4. "I, just the other day, got an internet, was sent by my staff at 10 o'clock in the morning on Friday and I just got it yesterday. Why? Because it got tangled up with all these things going on the internet commercially."

5. "And if you don't understand those tubes can be filled, and if they are filled, when you put your message in, it gets in line, and its going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material."


Top 5 federal IT security-related legislation

1. Cyber-Security Enhancement and Consumer Data Protection Act of 2006
Sponsored by Rep. Jim Sensenbrenner Jr., R-Wis., this would make it a crime to knowingly fail to report a security breach to the FBI or Secret Service that affects at least 10,000 consumers. Sent to the Judiciary Committee.

2. Federal Agency Data Breach Protection Act
Sponsored by Rep. Tom Davis, R-Va., the act would require federal agencies to inform the public in the event of a data breach. Referred to the House Government Reform Committee.

3. Data Theft Prevention Act of 2006
Sponsored by Sen. Daniel K. Akaka, D-Hawaii, it establishes federal penalties for anyone who views health information within a federal database. Last referred to the Judiciary Committee.

4. Data Security Act of 2006
Sponsored by Sen. Robert Bennet, R-Utah, the act requires notice of security breaches referring to organizations that engage in financial activities under section four of the Bank Holding Company Act and financial institutions. Referred to the Banking, Housing and Urban Affairs Committee.

5. Small Business Information Security Act of 2006
Sponsored by Sen. Olympia Snowe, R-Maine, the bill would create the Small Business Information Security Task Force within the Small Business Administration to help enhance IT security in small businesses.


10 breaches that made you twinge

1. Veterans Affairs laptop theft
When two Maryland men broke into a VA employee's home and made off with a laptop, probably the last thing the crooks expected was for their score to contain the PII of some 26.5 million veterans and active duty military personnel. The burglars eventually got caught, the employee was fired, and the laptop was turned in to police. Authorities soon determined the private data was never accessed, but for a nation that prides itself on its veterans' accomplishments, no slap on the wrist would do. All VA computers are now encrypted and all federal agencies soon will be required to institute policies for dealing with lost or stolen personal information.

2. Red Cross disaster relief call center
eaders at the organization responsible for providing half of the nation's blood supply might want to have their blood pressure checked after a small group of insiders parlayed their access privileges into huge paydays. Third-party hires at a Hurricane Katrina emergency assistance call center in California created false "cases for assistance" that allowed local friends to cash in on hundreds of thousands of dollars in disaster aid. The charity caught on when people starting showing up in Bakersfield, Calif., claiming to be Katrina victims. The IT department has since significantly tightened controls on accessing critical applications. The Red Cross sustained another blow when a donor recruiter with access to about a million SSNs opened up credits cards in the names of three victims, prompting the organization to abandon SSNs as donor identifiers.

3. Ernst & Young laptops
Executives at the leading accounting firm might be longing for the days when laptops didn't exist after a number of portable PCs were either lost or stolen as employees traveled. In one instance, a laptop containing the personal information of about 240,000 customers was stolen from the car of an E&Y employee who was auditing the data. And just when you think breaches don't affect the well-to-do, think again: A stolen E&Y laptop in Florida contained the SSNs of some high-level IT executives, including former Sun Microsystems CEO Scott McNealy. All company laptops now require encryption.

4. AT&T online store
The telecom giant was the victim of an old-school hack, when attackers hijacked the company's computer system to gain access to the online store. More than 19,000 customers who had purchased high-speed DSL internet connection equipment had their names and credit card information stolen. The break-in was followed by attempts to inflict even more damage when the thieves incorporated the stolen PII into elaborate phishing schemes that sought to pilfer even more information that could be used for identity theft.

5. AOL search data
Privacy advocates were up in arms after the internet giant committed a major faux pas when it published the search queries of some 650,000 subscribers on its research website. "Transfer money to China," "fear that spouse contemplated cheating," "dog that urinates on everything," and "how to kill oneself by natural gas," were just some of the bizarre search requests. While the site only identified users by number, thoroughly studying all of their search inquiries sometimes could lead to the user. (Not to mention, many queries listed actual names and bank account and SSNs.) CTO Maureen Govern left as a result of the incident.

6. Ohio University/University of Texas
Don't tell already broke college students that hackers are after their money, too. Ohio University became one of the latest academia victims when attackers compromised a server containing the PII of more than 300,000 alumni and faculty. The incident followed a similar event a month earlier at the McCombs School of Business at the University of Texas when hackers exposed the private data of 197,000 students, alumni, staff and admissions applicants.

7. AIG server
Sure, they were upset about having a file server stolen that contained the PII of nearly one million potential customers, but what must have particularly irked executives was that the insurance provider didn't even need to be storing the private data in the first place. "One of the things we would say is that brokers were bringing us information that we didn't need to provide a quote," a spokesman told us back in June. "We don't need names and Social Security numbers. We just needed statistical information about claims [history within the company]."

8. U.S. Navy
AOL must have taken its cue from the Naval Department, which was forced to report two instances in which private data about sailors and aviators was posted to a public website. One breach, which exposed the PII of 100,000 Navy and Marine Corps members, was caused by a glitch in a program on the Naval Safety Center site that reports aviator mishaps. How the data of 28,000 Navy members and their families appeared on another undisclosed website was a mystery.

9. Pick a federal agency
Never mind the VA and U.S. Navy, but the Federal Trade Commission, Department of Agriculture, Department of Energy, and Department of Education all experienced instances in which personal information was compromised through errantly posted information, misplaced laptops and hacker attacks. Even the Department of Commerce, which didn't report an official breach, announced that 1,138 agency laptops have either been lost or stolen since 2001. The agency conducted the review in response to widespread inquiries.

10. Providence Home Services stolen back-ups
Certainly not the most well-known name on this list, but significant because justice prevailed. After the SSNs of some 365,000 people were compromised through stolen back-up tapes and disks, the health system and the state of Oregon reached a settlement that requires Providence to offer free credit monitoring and restoration. Some patients actually had their financial data misused.


Top 10 bizarre news

1. Anti-spam company surrenders
Anti-spam vendor Blue Security learned it couldn't beat the bad guys at their own game. The Israel-based company closed its doors following relentless DoS attacks launched against Blue Security as retaliation for its aggressive anti-spam business model. Blue Security's solution worked by sending mass unsubscribe messages to the websites advertised in spam emails.

2. Homeless data exposed
Fighting identity theft surely is the last thing a person struggling to find shelter and a warm meal is thinking about. But that became a real possibility when an unnamed New York City Department of Homeless Services employee accidentally emailed an attachment containing the names and SSNs of 8,400 homeless parents. The email landed in the inboxes of an unknown number of homeless advocates and city officials.

3. Ernesto domain names
A Portland (Ore.) State University graduate student claimed he was trying to be a good journalist, not a fraudster, when he registered 17 Ernesto-related domain names as the hurricane was approaching the United States. While Julian Luby, 29, wanted to write about the storm -- he was born in a Mississippi city ravaged by Hurricane Katrina -- he also admitted he might profit through the sale of the domain names. But when Ernesto fizzled out before striking land, so did his plan.

4. Arrest at hacker conference
Moments before he was to take the stage to show Hackers on Planet Earth (HOPE) audience members how he discovered more than 500 pages worth of personal data on a conference attendee in 4.5 hours, Steven Rambam was arrested. And not for anything related to hacking, mind you. The private detective was charged with posing as a law enforcement officer so he could question the family of an informant who helped police in a money laundering case.

5. Hotel mini-bar key opens voting machines
Next time you're drinking in a hotel room, just think: That key you're holding to unlock the mini-bar might just work on a voting machine. The oft-criticized Diebold e-voting machines, said to be vulnerable to viruses that can install malicious software, apparently have another fault going for them: They can be physically unlocked by common keys widely available on the internet that are used to open some office furniture, jukeboxes and hotel mini-bars. If only we could return to the days of hanging chads.

6. A bug a day keeps danger away?
Some people spend July on the beach or the golf course, but famed white hat hacker H.D. Moore spent the summer months posting one browser bug a day on his blog. Moore said he wanted to spread awareness about the number of flaws out there and offer ways to catch the vulnerabilities before the bad guys do. Moore was careful not to list the path toward remote code execution, likely little consolation to security teams at Microsoft.

7. The joke is on Mozilla
One of two men who claimed at a hacker conference that a Mozilla flaw could allow for remote code execution admitted a couple days later that he was just kidding around. The folks at the open-source web browser weren't laughing, especially when several researchers had to pull themselves off the couch on Sunday to come work on the non-existent critical bug. One of the speakers, Mischa Spiegelmock, said he and his buddy's talk was meant to be humorous. They also apparently made up that they knew of 30 undisclosed Firefox vulnerabilities.

8. Hewlett-Packard boardroom scandal
Trying to learn who was leaking company secrets to the press, HP Chairwoman Patricia Dunn -- who has since resigned -- enlisted a team of security experts to spy on board members and journalists. Dunn claims she did not know the private eyes used a social engineering technique called pretexting, in which they pretended to be the board members and journalists to gain access to phone records.

9. Lieberman campaign site hacked
Never mind negative television ads, dirty politics took a cutting-edge twist when U.S. Sen. Joseph I. Lieberman's campaign website sustained a DoS attack just before his Democratic primary loss to challenger Ned Lamont. The campaign manager for Lieberman, a former vice presidential candidate, claimed the site was hacked by political opponents.

10. Mac hack challenges
A University of Wisconsin professor, set on proving the security of Apple computers, challenged anyone to hack into a web page hosted by a Mini Mac. Nobody was able to do it during the 38-hour time period allotted despite the site being accessed 500,000 times. Professor Dave Schroeder was unimpressed by an overseas hacking challenge that gave participants local client access and was intruded in less than 30 minutes.


Top 10 new industry buzzwords

The hottest word in Web 2.0 development. Asynchronous JavaScript and XML describes a technique used to create interactive web applications, such as Gmail and Google Maps. What the user sees is a faster, more usable website that requires only light communication with the server. It also opens the doors for malicious content to be loaded to popular sites.

2. Fuzzing
Surprise, surprise. The art of testing for faulty designs in software is now being used by hackers to discover unknown vulnerabilities. Fuzzing is a methodology in which artificial intelligence tools are designed to mimic human intelligence by trying to force abnormal responses in applications to determine if bugs are present.

3. ILM Information lifecycle management.
With security no longer just a perimeter issue and compliance becoming an ever-important factor, professionals are being forced to watch data throughout its lifecycle, from creation to storage to retrieval. No wonder they feel underpaid.

4. Pod slurping
You can certainly rock out to your iPod, but you can also walk out of any office with many gigabytes of company data saved on the tiny music player from Apple. iPods and other removable storage devices that contain vast memory space are becoming growing concerns for companies looking to protect intellectual property from going out and dangerous malware from coming in.

5. Vishing
It's a combination of "voice" and "phishing" and occurs when victims receive phishing emails or telephone calls over VoIP software, asking them to call back a number to provide their personal information. Vishing is not to be confused with SPIT, which stands for spam over internet telephony -- a threat experts say is just around the corner.


Top 5 hectic days for IT security pros

1. The second Tuesday of every month
You have to feel pity when the alarm rings on Microsoft's monthly Patch Tuesdays. That is the day when network administrators must come to work to grapple with the software giant's security fixes for the latest zero-day vulnerabilities affecting Windows, Office and Internet Explorer. With double-digit patches being the norm, not the exception in recent months, Wednesday can't come soon enough.

2. Jan. 5/Sept. 26
Microsoft first releases a rare out-of-cycle patch to hole up the Windows metafile vulnerability. Malicious users had set up attack websites to exploit the image flaw, from which they could execute code, cause DoS conditions or take complete control of an infected PC. Months later, Microsoft again issues an out-of-cycle fix, this time to repair an IE flaw related to the processing of vector markup language.

3. The week of Feb. 13
Organizations running Apple systems got a rude awakening when experts discovered the first virus engineered to attack the Mac OS X platform. The virus, named Leap-A, spread via the iChat instant messaging system. Administrators also have dealt with several security updates this year correcting Mac vulnerabilities, including in the Safari browser.

4. Jan. 17, April 18, July 18 and Oct. 17
Four times a year might seem better than monthly, but tell that to IT security pros who were forced to oversee the patching of scores of flaws related to Oracle products. The database giant -- which fixed 101 bugs in its latest release -- drew criticism from analysts who began questioning Oracle's long-standing security reputation.

5. Feb. 3
This was supposed to be the day when the file-destroying "Kama Sutra Worm" was activated. The malware scored high marks on foreplay, but never materialized into the widespread attack many feared. Many credited the media's extensive coverage of the outbreak, which spreads through promises of pornographic pictures and video, with encouraging users to disinfect their machines and update to the latest anti-virus software.


Top 5 IT security observations about Firewall

1. Access controls didn't quite have the same ring
What's up with the movie's title? The group of criminals wants Harrison Ford's character (Jack Stanfield) to break into the bank server using his high-level internal access privileges to wire $100 million to an offshore account, thus guaranteeing the safe return of his family. What good is a firewall?

2. IPS signatures can only go so far
The film ends in true Ford style with broken windows, a fiery car crash and the lead villain Bill Cox (Paul Bettany) finished off with a pickaxe. The writers had considered having Ford implement a new endpoint security strategy at the bank to save his family, but decided that a good, old-fashioned melee in which Indiana Jones finishes off the bad guy himself would serve audience members -- and ticket sales -- better.

3. The downside of convergence
Figures the minute the bank's information security guy (Ford) and the physical security head get hooked up, one of them gets whacked. In this case, poor Harry (Robert Forster) takes a bullet to the back of the head as part of a set-up to frame Ford. Doesn't bode well for the whole convergence idea.

4. Can someone write "multifactor authentication" into the script?
About halfway through, you start wondering: How does Ford have time to save his kidnapped family with FFIEC deadlines looming?

5. I want be a VP of security.
Let's see: Perfect family. Married to Virginia Madsen. Luxury car. Wood-and-glass house on the Puget Sound. Oh, the imagination of Hollywood.


Top 10 most significant acquisitions/mergers

1. IBM buys ISS
The balance of the managed service practice and the intrusion prevention technology owned by ISS made it an attractive pick-up for Big Blue. The intention is to further flesh out IBM's security technology while bolstering its security services offerings.

2.EMC buys RSA
After a year of successful acquisitions, RSA was the fish that swallowed the fishhook and got swallowed itself. EMC hopes to be a pioneer in secure data lifecycle management with this big buy.

3. Failed Check Point/Sourcefire
The one that got away. The feds put the kibosh on this international merger, citing national security concerns about turning over open source SNORT technology to an Israeli company. Many experts agreed that this deal probably would have gone through had there been no fallout from the U.S. ports acquisition debacle.

4. Secure Computing and CipherTrust
Executives at both companies said the fit between these two companies was like hand in glove. Some industry insiders did wonder, though, whether that glove could have been bought more cheaply.

5. BT Group PLC/Counterpane Internet Security
After a year of shopping itself around the market, Counterpane finally found a taker. This deal is a good indication that many telecoms like BT hope to make a bigger splash in the services market with security services they can bundle.

6. LURHQ/SecureWorks
The union between these two mid-sized service providers has created a new firm that will be a more substantial force in the MSSP market.

7. Novell buys e-Security
Novell is wrapping log management into its security offerings now that it has picked up e-Security's Sentinel technology. Experts expect more event management acquisitions as automated compliance gets rolled into overall security and risk management.

8. RSA Security buys PassMark Security
RSA followed up its late 2004 play for Cyota with the acquisition of PassMark to fully round out its identity management capabilities. Both purchases made it a powerhouse provider of solutions for this year's FFIEC two-factor authentication deadline. It also made the company too enticing to be passed up by EMC.

9. SurfControl and BlackSpider
Web filtering company SurfControl nabbed BlackSpider to expand into the email filtering market. With each company located on opposite ends of the Atlantic, the newly joined organization also hopes this marriage will help it expand its sales reach geographically.

10. Attachmate/NetIQ
This one left some scratching their heads, as both companies were in technology sectors that had little in common. Don't be surprised to see more deals like this in the future, though. It portends the fact that the security market has matured enough that some companies are willing to take a gamble on it for diversity's sake.


Top 5 clever IT security traps

1. IM worm that disguises itself as Windows Genuine Advantage
CueBot took advantage of users' implicit trust in all of Microsoft's pop-up messages. Posing as a part of Microsoft's Windows Genuine Advantage service, the trojan managed to trick plenty of users who just thought Microsoft was asking if they were dirty thieves again.

2. Zippo trojan
Users unlucky enough to get hit by Zippo found their TPS reports, baby pictures and whatever else was on their hard drives locked in an encrypted Zip file with demands from their attacker to pay $300 ransom or risk the chance of never accessing those files again. Security firms cracked the encryption password, but not before the bad guys collected a lot of E-Gold from innocent users.

3. IRS scam mail
Hackers made the auditors look like good guys with these nefarious little phishing scams. Posing as the IRS, phishers managed to steal a lot of personal identifying information from people who thought they were just being good citizens by answering the tax man.

4. Anti-phishing trojan
Some supervillain surely twirled his mustache when he unleashed this one. Australian users were mailed a message that explicitly warned them not to update their bank information, but claimed that all Australian banks would be closed in the coming week. They were pointed to a URL that directed them to a fake Australian news site that kindly downloaded a keylogger trojan on their machines.

5. Anti-virus trojan
Every bad guy loves posing as his nemesis at least once in his life. The coder who developed Stinx-U did just this when he spammed out messages claiming to come from the anti-virus developers at F-Secure. The goal was to entice users into opening a screenshot of a problem that the hacker was helpful enough to find for them in their Internet browser.


Top 5 seemingly smart criminals who got caught

1. Michael Haephrati and Ruth Brier-Haephrati
This spy couple developed a special trojan to assist them run their Israeli-based private investigation service. They were able to make a tidy profit by selling their services to businesses engaging in corporate espionage. They would charge their clients to place the trojan on the systems of those being spied on and then earn a monthly fee for collecting data. Now they face jail time and nearly half a million dollars in fines.

2. Jose Manuel Garcia Rodriguez
After allegedly stealing thousands of euros by hacking into bank accounts, the so-called "Fat Spaniard" eluded the police by skipping the country two years ago. Now that he's been extradited he faces an involuntary 40-year diet as a guest in the Spanish prison system.

3. Edwin Pena
Pena enlisted the help of a hacker to illegally route internet phone calls from more than 15 VoIP companies so that he could sell unsuspecting customers VoIP at cut-rate prices. Pena stole more than 10 million minutes of service and made $1 million before the feds caught on to him.

4. Jeffrey and Janette Stone
This duo used the wonders of spam to hype a penny stock in a classic pump-and-dump scam that netted them over $1 million. We're not surprised the SEC charged the Stones, but we do wonder why people take investment advice via email.

5. Ryan Pitylak
By day this kid went to college. By night he built a spam empire. A 24-year-old collegiate with a home in the swanky part of town and fancy cars in the driveway? Nope, not suspicious at all. Now that he's faced legal settlements with Microsoft and the government for undisclosed amounts, he's hoping to make a living as a security consultant.


Top 5 most destructive malware

1. Blended attacks
Now that hacking is a full-on enterprise, malicious coders are getting more ingenious in the way they're designing attacks. This year we saw many more attacks that used one vulnerability to get into systems to take advantage of other vulnerabilities or to plant bits of nasty code.

2. Rootkits
This year saw explosive growth in rootkitting. As computer criminals get sneakier, this mode of attack will only continue. And while Microsoft has made attempts to prevent future undermining of the root, PatchGuard can only do so much -- there have already been demonstrations on how to subvert the Vista kernel, after all.

3. Web application attacks
As perimeter and network security grows more robust, hackers are looking for lower-hanging fruit. Fortunately for them there is a golden apple dangling right at eye-level: thousands of insecurely coded web applications just waiting to be exploited.

4. Keylogger trojans
Keyloggers are on the rise as organized crime's favorite identity theft cash cow. They have been placing them quietly so that most users don't even have a clue that their passwords are being harvested daily.

5. Ransomware
Unsuspecting users are increasingly being held hostage by hackers who might lock down their computers, place porno on their hard drive, and threaten to tell the boss or do any other number of nefarious things in order to cajole a bribe to "just go away."


Top 5 threats to personal privacy

1. Government wiretapping
Privacy advocates are up-in-arms about the government's secret wiretapping program. Rightfully so -- there's only so much that Uncle Sam deserves to know about its citizens. And besides, if 2006 has taught us anything, it's that the government doesn't even know how to protect the information it's gained legally.

2. Data breaches
Since the ChoicePoint debacle in 2005, Privacy Rights Clearinghouse has reported over 97,084,516 records containing personal information have been compromised. Breach notification laws have helped the public see just how irresponsible corporate America is with its private information. Will the backlash have an effect on personal privacy at the end of the day? For the sake of our identities, we hope so.

3. Search terms AOL's giveaway of member searches proved how much can be learned about a person just by scanning what they type into that little search query box. The question is whether the public will remember this only as a funny news story or as a potential threat to personal privacy.

4. Social networking sites
Just as users are getting savvier about protecting their personal information from phishers, they are giving up the farm in new and exciting ways. Most notable is the posting of personal details on sites such as MySpace and Facebook. Add the vulnerabilities that have plagued these sites and the attacks that have been made by hackers and you've got a privacy disaster on your hands.

5. Pretexting
HP's boardroom scandal was not an anomaly. The practice of pretexting -- calling an organization and pretending to be someone else to gain personal information -- is illegal. But that doesn't stop corporate America from benefitting from it. Instead, executives just hire a middleman, either a PI or a data broker, to do the dirty work for them.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.