Jay Heiser

A member of the Gartner Blog Network


20 years of phishing

by Jay Heiser  |  May 3, 2010  |  1 Comment

I was cleaning up some old notebooks (paper, not digital) this weekend, and found this diagram from a 1997 Powerpoint presentation (if you look carefully, you can see my ‘Excite’ starting page):

Autonomous Data Theft with Hostile Code

Even before the generic term ‘firewall’ was consistently applied to network perimeter security devices (which happened after 1994), military researchers had already figured out how to circumvent the things by using a combination of email and malware: essentially, a phishing attack, functionally identical to the sorts of directed attacks that are becoming increasingly common both at the workplace and on the home desktop. Firewall-circumventing malware, capable of replicating itself (like the diagram above), was appearing on the Internet at least as early as 1999, and data-stealing malware, such as the Caligula Word macro (which stole PGP keyrings, ftping them to a codebreaker site), was circulating in the wild at least as early as 1997.

Wikipedia has an interesting entry on phishing, alluding to social engineering attacks from 1987 that we might now describe as phishing, and documenting use of the term as early as 1996 (an April 22, 1996 discussion). In retrospect, it's almost surprising that it took the criminal exploit community so long to start directing malware against institutions and credit cards.

We did spend a lot of time in the 90s worrying about hostile web sites. This turned out to be a valid risk, and my initial skepticism was eventually proven wrong, although it took about a decade. My same dusty binder from 2001 includes a series of printouts of hacked web pages. I did a presentation at a Swiss private bank in the spring of 2001, unfurling a 10 meter long list of hacked websites on stage, and the cigar-smoking executives were fascinated by the hacktivism, digital spray paint, and mild porn that was typical of website exploits a decade ago. It was web 2.0, and the mashup, that finally created a rich environment suitable for HTTP-based malware. If you can easily mash to it, then someone will add some sour mash.

The history lesson I take is that the more things change, the more they stay the same. Software subversion has long been recognized as a significant technical threat, and this will continue as long as we rely on software. A variety of infection vectors have been used to transmit malware, such as floppy disks, Word macros, email, IM, and web links, and the most effective way to deliver sophisticated password slurping, data stealing, or sabotage code is to exploit personal trust relationships. The nature of the attack stays much the same, but the significance of phishing continues to grow as increasingly sophisticated code is inserted through a complex set of interpersonal trust relationships. The model is the same; what has changed is the impact.
