SD TIMES BLOG
 
jhildebrand

As far as I am concerned, security concerns dominated the high-tech world in 2011. The past year has seen the first documented attacks on American utilities, a probable act of cyber-war against an Iranian nuclear-processing target, fearless (and effective) attacks by the hacker collective known as Anonymous, and the emergence of cellular phones as malware targets.

There is no reason to believe these concerns will be any less urgent in 2012.

As snow falls over much of the U.S. and partiers around the globe prepare to celebrate New Year's Eve, security stories continue to dominate the headlines.

  • Under the headline “A cyber-remedy for poison,” the Economist took a break from its in-depth coverage of political and economic policy to bring its stodgy readers up-to-speed on the vulnerability of DNS servers to “poison” redirection. The Economist's article is basically a sales pitch for OpenDNS and its DNSCrypt privacy tool.
  • Another general-interest news organization, the Huffington Post, has published a report about the vulnerability of train systems to DDoS attacks. “Hackers could shut down train lines with DDoS attack: expert” is an in-depth evaluation of the vulnerability of train control systems that are increasingly interconnected via the Internet. The report is a bit breathless, but it brings a serious vulnerability to the attention of HuffPo readers.
  • Reuters has published a summary of research to be published by Karsten Nohl, head of Germany's Security Research Labs. “GSM phones vulnerable to hijack scams: researcher” is a preview of findings that Nohl will present at an upcoming hacking convention in Berlin. Nohl says virtually any of the world's billions of GSM phones could be subverted by hackers and instructed to send text messages or make calls to expensive premium services.
  • Identity Finder LLC has released details of its analysis of the recent Anonymous attack on Strategic Forecasting Inc., commonly known as Stratfor. The summary shows that activist hackers raided Stratfor's servers and emerged with more than 50,000 unique credit-card numbers, 86,000 e-mail addresses, 27,000 phone numbers, 44,000 passwords, and more. Hackers behind the break-in claim to have downloaded 2.7 million e-mail messages. The hackers have already used stolen credit-card numbers to make donations to charity.

Best wishes for a happy – and secure – 2012.

Web recommendation: Hey, this is fun: Odd technology job interview questions revealed. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks most cheesecake is too sweet – it ought to be creamy and rich, but not sweet. A thin layer of sour cream on top is a good sign.


Share this link: http://www.sdtimes.com/blog/1931

Tags:

security | malware | government | General

jhildebrand

Here are updates on some of the issues I've been following for the past few weeks.

Infrastructure attack a false alarm – for now. In a series of posts, I have made clear my concern about the ongoing effort to computerize utilities and municipal-infrastructure control systems. While intelligent systems can help us conserve resources and use energy more efficiently, computerization also leaves critical systems vulnerable to hack attacks. A data-point supporting my argument was November 8's widely reported cyber attack against an Illinois water utility's SCADA system. The Illinois Statewide Terrorism and Intelligence Center reported that a hacker with a Russian IP address had caused a pump to burn out. The cyber war had begun! Or maybe not. It turns out the SCADA system was accessed by a utility contractor, Jim Mimlitz, who was on vacation in Russia. While everyone is breathing a little easier, the fact remains that these systems are still vulnerable. It's only a matter of time until they are really hit.

Microsoft bullish on Kinect 2: Microsoft has realized that its Kinect game controller for the Xbox platform is potentially a good solution for a huge range of problems. Beta 2 of the Kinect SDK is available now, and Microsoft promises that a commercialized SDK will be available in early 2012. In the meantime, the Kinect hacker community is running full-tilt at every offbeat and potentially useful application it can imagine. Meanwhile, the Kinect 2 will reportedly extend the Kinect's abilities considerably. The new device may be able to read lips and even to detect users' emotional states with its facial-recognition algorithms. (If hackers were to install a back door into Kinect-enabled systems, they would essentially have around-the-clock video access to user sites, and the Kinect's voice-recognition routines could monitor speech for key words. What if the government were to install such software?) Check out Kinect Hacks. And if you haven't seen it yet, you might as well look at Microsoft's Kinect Effect video.

Software detects lies with voice analysis. Researchers are using a variety of methods to analyze speech and detect whether speakers are telling the truth. The New York Times has an informative article here: Software that listens for lies. It must be a lot of fun working on applications like these.

Pentagon sponsors hacking contest. A determined team of programmers has won $50,000 in a contest sponsored by the U.S. Department of Defense's Defense Advanced Research Projects Agency, or DARPA. The eight-member team successfully retrieved the contents of seven pages of documents that had been shredded into more than 10,000 fragments. The Pentagon is quite open about its motivation for the contest: “The goal was to identify and assess potential capabilities that could be used by our warfighters operating in war zones, but might also create vulnerabilities to sensitive information that is protected through our own shredding practices throughout the U.S. national security community.” We already knew the government could intercept anything on the Internet. Now it turns out that they're looking to read our shredded documents. Congratulations, in any case, to the winners.

Web recommendation: Perhaps you have noticed that many programmers are also serious about cooking. You may be a good cook yourself, in which case you have no doubt already discovered the new Developer Cookbook section of sdtimes.com. Those recipes look good, but they're positively primitive compared to the cooking-as-rocket-science entries in Modernist Cuisine, a six-volume encyclopedia of cooking ingredients, methods, and technologies dreamed up by former Microsoft CTO Nathan Myhrvold. This lavishly illustrated tome has 2,438 pages and weighs more than 50 pounds. Your status as an amateur cook may not justify the book's $625 purchase price, but you should at least take a look via the authors' beautiful Web site. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He likes raisins and walnuts in his oatmeal cookies.


Share this link: http://www.sdtimes.com/blog/1911

Tags:

security | malware | UI development | cloud | cloud computing | intellectual property

jhildebrand

Insecure

by J.D. Hildebrand 12/03/2011 03:40 PM EST

It's no longer enough to create working code. We must now put serious energy and deliberate thought into securing our code, the data it works on, and the users who rely on it. I'm convinced that we are headed toward a series of crises – in fact, the crises have already begun. And as near as I can tell, there's no solution in sight.

There's more malware out there than ever before. Viruses, worms, trojans, rootkits, back doors, intrusions, spyware, botnets, cross-site scripting, proxies, SMTP threats, SQL injection, header splitting, keystroke loggers, screen loggers, e-mail redirectors, IM redirectors, session hijackers, ransomware, transaction generators, dialers, denial-of-service attacks, DNS poisoning, SEO abuse, phishing, pharming, data-mining, man-in-the-middle attacks, pump-and-dump stock scams, social engineering exploits, riskware, pornware, identity theft, social-media character assassination...the list goes on and on. Most of this has been with us for years, of course, growing at a predictable (if alarming) rate. All indications are that the rate of infection has grown dramatically in recent months, and it is about to explode.

Part of the story is that hackers are becoming more sophisticated in their attack methods. There's real money to be made in hijacking user data, and the money has attracted a new breed of for-profit hackers. A quick search of the Internet will convince you that it's simple to download all the software components you need to breach most security systems. The software toolkits are powerful, effective, and widely shared. Globe-spanning hacker syndicates are at work 24 hours a day, devising and sharing techniques for breaking through defenses. It's big business.

At the same time, the number of vulnerable platforms with sufficient installation numbers to attract hackers has grown rapidly. Yes, most attacks are still targeted at Windows PCs and Web servers. But recent months have given us dramatic evidence that new platforms are vulnerable. Smart phones, SCADA installations, embedded systems, utility grids, and smart cities are all coming under attack. Portable systems fall into the wrong hands easily and frequently. Revisions to Windows, iOS, Linux, HTML, Java, Office, and Android promise to fall to new generations of malware. A recent report from Columbia University researchers demonstrates that Web-accessible laser printers can be instructed to make paper smoulder, and perhaps catch fire. Hackers can use your phone to track your location or take photographs under remote control. If your e-mail isn't being intercepted, read, and revised, it's because you haven't been targeted, not because hackers are incapable. If you've got the money, you can install a monitor to intercept data flowing through the fiber-optic cables that route Internet traffic across the ocean floor, SSL or no SSL.

Service providers are collecting terabytes of user data, often without disclosing the fact. Providers know what Web sites we visit, what we buy, where we take our mobile phones, when we read and answer e-mail, what we're reading on our tablets, which files we download to our e-readers, and all the details of our banking relationships. Even if they don't intend abuse, the data is now subject to external attack. It's not enough to secure the systems under our control – our service providers' systems must be secure too.

And it's not just hackers we have to worry about. Government and law-enforcement agencies are increasing their power to access data, shut down Web sites, shutter businesses, and track users without the benefit of trial – or even, in many cases, the minimal protection of a subpoena. Congress is debating legislation that would extend much of this power to corporations.

We haven't even talked about cloud computing. IT shops are increasingly called upon to secure data that isn't stored on-site. Data-transfer channels are vulnerable to eavesdropping. Cloud service providers are vulnerable to attack. Providers may store information on servers in a country whose laws are not strict enough to provide base-level protection. Authentication systems and backup programs may not be sufficient to keep data secure.

As if all of this weren't enough, it is clear that skirmishes have already begun in a new generation of international cyberwar. State-sponsored and state-developed malware has targeted users, corporations, industries, and utility grids across international borders. Nations, including the United States, have gathered tremendous resources to blow through conventional firewalls, encryption routines, and user authentication systems with ease. Except for the Stuxnet trojan that apparently set back Iran's nuclear program a few months or years, most of these attacks have been small-scale efforts so far – proof-of-concept demonstrations, little more. When the real cyber-shooting starts, we will all sit in the crossfire.

My research has convinced me that the security technology we are currently employing to protect ourselves is laughably impotent in the face of current threats – much less the new threats that will arrive over the next 12 to 18 months.

This year saw the death of Robert Morris, a cryptographer and computer scientist who contributed to Unix and did research at AT&T Bell Labs for 26 years before joining the National Security Agency's Computer Security Center as chief scientist – essentially, cryptographer-in-chief of the United States. Morris had three simple rules for computer security: “Do not own a computer; do not power it on; and do not use it.”

Morris's tongue-in-cheek advice seems grimly relevant today.

Web recommendation: Ah, the Internet. What did we ever do before we had such an accommodating home for rants and flame wars? I admit it: I can't resist reading the occasional over-the-top Web post and scrolling through the outraged comments that follow. My new favorite is “Why I’ve finally had it with my Linux server and I’m moving back to Windows” over at ZDNet (right around the corner from us, in Web terms). I don't want to start a flame war here, so I'll simply say that I can relate to what blogger David Gewirtz has to say. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He believes the system he used for writing this column is virus-free. But hey, what are the odds?


Share this link: http://www.sdtimes.com/blog/1910

Tags:

security | malware | government | cloud | cloud computing | embedded systems | email

jhildebrand

The microprocessor has done much more than fuel IT installations, PCs and laptops, smartphones and tablets. It's also allowed designers to build intelligence into a wide range of brute-force hardware devices. Modern refrigerators, automobiles, and home thermostats routinely have more MIPS and RAM than my first PC. Microprocessors allow utilities, manufacturers, and municipalities to control networks of smart machines. Factories, power-generation stations, water infrastructures, streetlights, hospitals, airports, and urban-transit networks are all increasingly monitored and controlled by dedicated computer systems. And those systems rely on the Internet for the flow of information and control.

This is all part of a vision that is sometimes called “the Internet of things.” The idea is that we can embed and distribute a little bit of intelligence into each of the myriad objects that surround us. Intelligent systems will prevent supermarkets from running out of popular items, or from ordering too much fresh produce, resulting in spoilage.

The good news is that computers can make processes and networks run more efficiently. They can help us save materials and energy. And of course, where there are microprocessors, there are employment opportunities for programmers.

But there's a downside, too. This year has seen the first major outbreaks of malware against the Internet of things. For example, the Stuxnet trojan was apparently an attack against Iran's nuclear program. It infected the computers that controlled five uranium enrichment plants, damaging their centrifuges by causing them to spin out of control. Hackers have published security holes in widely used supervisory control and data acquisition (SCADA) systems from Siemens. The U.S. Department of Homeland Security reports that the hacker group Anonymous has shown interest in hacking industrial systems that control critical infrastructure such as gas and oil pipelines, chemical plants, and water and sewage treatment facilities.

Many things must change before we can address this vulnerability in essential infrastructure. Most importantly, those responsible for running industrial and government installations must acknowledge that the threat against them is real. Until now, they have believed themselves to be safe because they run custom hardware, their systems are not well-known to the general public, and they are not connected to the Internet in the same way offices, individuals, and IT departments are. But none of this constitutes real protection. Real progress toward securing these installations will not be made until we acknowledge our vulnerability.

The potential for hackers to disrupt essential services – and even cause loss of life – is imminent and dire.

Web recommendation: It's not just nuclear waste recycling stations that face the threat of malware. Research shows that smartphones are starting to show up on the radar screens of the hacker community – and not in a good way. The researchers at Juniper Networks have completed a report showing a 472 percent increase in malware infection on the Android platform since July 2011. The figures are a little misleading – the infection rate for phones is much lower than for Windows PCs, even after a half-year of explosive growth. But it's certain that smart phones in general – and Android devices in particular – are now subject to infectious malware. Juniper summarizes its report here. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks marrying sauces to the right kind of pasta is a subtle and demanding artistic specialty.


Share this link: http://www.sdtimes.com/blog/1902

Tags:

malware | government | embedded systems

jhildebrand

Computer warfare has been a constant theme in science-fiction stories for decades. Now it appears that reality has once again caught up with fiction.

You probably remember reading about the Stuxnet worm when it was uncovered in June 2010. This extremely sophisticated package of malware was hosted on Windows PCs, but remained inactive unless the PC was used to control industrial processes through a connection to a particular Siemens programmable logic controller (PLC). Experts say the software then tested the PLC environment, seeking a particular site. Once the site was found, Stuxnet would replace certain command codes on the PLC, presumably sabotaging the process the PLC controlled. This process might be a city's electrical grid, an industrial manufacturing process or, more ominously, a nuclear facility.

It was discovered that Stuxnet infections clustered in Iran. This led pundits to speculate that the malware was intended to subvert Iran's nuclear-weapons research and production efforts, and that the worm was created by another country, perhaps the United States or Israel. The New York Times has concluded that the U.S. and Israel collaborated on Stuxnet after reporters learned that Israel tested the software on its own nuclear centrifuge-control systems.

Stuxnet was apparently at least partially successful. Hundreds of Iran's nuclear centrifuges were taken offline after the malware hit.

This month, a successor to Stuxnet has been identified. Duqu was written by someone with access to Stuxnet source code, analysts say, probably the original authors of Stuxnet. Unlike Stuxnet, which was deployed in attack mode, Duqu is apparently intended to collect information on potential targets. This information could help cyber-warriors craft a new version of Stuxnet to target individual industrial, information processing, or government targets.

PC security is a multibillion-dollar business, with many tools available and evolving standards for maintaining protection levels. Industrial-control computers, on the other hand, enjoy limited protection at best. Because embedded computer systems have not been targeted, and because they are not widely covered in the media, they have not benefited from the attention of software-security experts. Yet it is these systems that would most likely serve as targets in a cyberwar.

The computers that run our transportation systems, our utilities, our factories, our hospitals, and our hazardous-materials processing sites are virtually unprotected.

Sleep well, my friends.

Web recommendation: I don't think most Web comics are funny, but this one actually made me laugh out loud: xkcd: The Important Field. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He passed away several years ago; subsequent articles have been composed by a random text generator running on an ancient Commodore-64.


Share this link: http://www.sdtimes.com/blog/1880

Tags:

security | malware | government

dworthington

Michael Swindell, VP of products at Embarcadero, had this to say in response to reports about a virus that seeks out the Delphi IDE and infects programs as they are compiled:

"It's an interesting attack vector. But this isn't any more or less dangerous to a developer than other viruses and trojans. If a developer acquires a virus on his dev machine, it can easily affect apps the developer is compiling without having anything to do with the compiler or tools he's using. This is just another way for a virus to infect executable code. It makes it sound like Delphi or IDEs are now 'vulnerable,' but they are no more or less vulnerable than any other of the thousands of EXEs and DLLs on every developer's machine, and no more or less than they have been since viruses and trojans were first created. This is a clever trick, but it's nothing to be more worried about than all of the other ways your dev machine can be attacked. Use virus scanners and keep them up to date."


Share this link: http://www.sdtimes.com/blog/1508

Tags:

malware

dworthington

CNET's Elinor Mills made a good catch today, reporting on a virus that was written to infect applications that are developed with Embarcadero's Delphi tool suite. The virus, called Win32.Induc, infects any software that is compiled on an infected machine. It does not cause any damage other than causing infected applications to be blocked by anti-virus software, researchers noted. Programs including Any TV Free 2.41 and Tidy Favorites 4.1 have already been infected, and as many as 30% of Delphi developers may be infected, according to the report.
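As an added example (not code from this post, from CNET, or from Embarcadero), the following Python script shows one defensive control against a build-environment infection of the kind described above, where a compromised toolchain causes every program compiled on the machine to come out infected: hash the toolchain files once on a clean install, store the hashes in a manifest, and re-verify the tree before each build so that modified, missing or unexpected files are flagged. The toolchain layout, file names and manifest path are constructed assumptions for the demonstration, not real Delphi paths.

```python
"""Build-toolchain integrity check (added example, not the post's own code).

Malware of the Win32.Induc type tampers with a build environment so that
every program compiled on the machine comes out infected. A cheap control is
to record SHA-256 hashes of the toolchain files from a clean install and
re-verify them before each build. File names in demo() are constructed for
this example and are not real Delphi files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large compiler binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, manifest: Path) -> None:
    """Persist the baseline; keep the manifest outside the tree it describes."""
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Diff the current tree against the stored baseline.

    Returns sorted lists of modified, missing and added files. Any non-empty
    list means the toolchain should not be used for a build until the
    difference has been explained (an update, or tampering).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Run the check on a constructed toolchain tree with simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "toolchain"
        (root / "bin").mkdir(parents=True)
        (root / "lib").mkdir()
        # Constructed stand-ins for a compiler image and a runtime source unit
        # (hypothetical names, not real Delphi files).
        (root / "bin" / "compiler.exe").write_bytes(b"MZ clean compiler image")
        (root / "lib" / "runtime_unit.pas").write_text("unit RuntimeUnit;\nend.\n")
        manifest = Path(tmp) / "toolchain.sha256.json"

        # 1. Record the baseline from the clean install.
        save_baseline(build_baseline(root), manifest)

        # 2. Simulate tampering: a runtime source file is altered and an
        #    unexpected file appears in the library directory.
        (root / "lib" / "runtime_unit.pas").write_text(
            "unit RuntimeUnit;\n{ tampered }\nend.\n")
        (root / "lib" / "extra.dll").write_bytes(b"unexpected")

        # 3. Verify the tree before the next build.
        return verify_baseline(root, load_baseline(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be generated once from trusted installation media, signed or kept on read-only storage, and the verification step run by the build server before invoking the compiler; the check catches changes to the toolchain itself, which is exactly the point at which a compiler-infecting virus has to act.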


Share this link: http://www.sdtimes.com/blog/1507

Tags:

malware
