Just recently I thought about all the solved problems in IT security, like XSS (which one can mitigate with input validation), SQL Injection (mitigated with prepared statements), etc.
Now I'm wondering, what are the biggest unsolved security problems of the year 2010? I'm wondering here if there are vulnerabilities out there for which we don't know yet a good way to mitigate them. Except how we can get everyone to use the solutions to the solved problems.
Social Engineering by far.
Humans will remain vulnerable to social engineering for a long time to come and as the saying goes, "Security is only as good as the weakest link."
So many of the answers here say that the unsolved problem is "the user" or some variant, that I'm forced to conclude the biggest unsolved problem is security practitioners who believe that the user is the enemy.
The underlying cause is security policy or procedure that has no visible benefit, i.e. it takes up user time and effort without the users being able to see what it's doing for them. Solving this problem will require combining infosec expertise with usability engineering and social science to invent new security experiences that are enabling, and allow the users to perceive their benefit.
You can't really solve the end user problem. Well, legally or ethically anyway. My vote goes toward the Home Realm Discovery problem.
EDIT: The end user problem was in reference to previously posted answers. Home Realm discovery is part of a claims based authentication model, where you can select between multiple services/organizations to provide an identity for a user, much like OpenID/OpenAuth. The problem arises when you need to figure out which provider to get info from since you don't know anything about the user yet. It's a Chicken/egg thing: how do you figure out who to have authenticate the user when you don't know who the user uses to provide their identity.
The first obvious answer is to use only one provider, but that sort of negates the benefit of the model.
The second obvious answer is to ask the user. However, this is openID's downfall. Most people have no idea who their provider is. And what happens when you can authenticate against Google and Facebook, but you don't know which one is tied to the profile of the calling application?
This is affectionately referred to as the NASCAR problem with OpenID -- the launching page for OpenID usually has a bajillion logos for providers, so you need to select which provider to use. Which breaks when you have a custom provider.
Remember CardSpace/InfoCard/Information Cards? That attempts to solve the problem. It actually does a pretty good job theoretically. Practically notsomuch.
Internet Voting from home or office computers for high-stakes elections is pretty far off the scale of "unsolved problems". It is particularly important to voters who are overseas and/or in the armed forces and have no fast, reliable way to return a voter-verified paper ballot (think submarines :). It was nominated as worthy of an X-PRIZE at DESSEC: DEsigning a Secure Systems Engineering Competition
Ron Rivest, the "R" in "RSA", gave one of several convincing talks on that in 2010 at the UOCAVA Remote Voting Systems Workshop. You can see the presentations on the "Agenda and Presentations" page here http://www.nist.gov/itl/csd/ct/uocava_workshop_aug2010.cfm
The problem is much harder than the secure e-commerce problem since votes must be anonymous, selling votes is forbidden, and the system must be highly transparent. It also involves:
In reviewing the recent crash-and-burn of an Internet Voting public test by the District of Columbia, the Washington Post got it right.
See more at
USACM Issue Brief on Internet Voting and UOCAVA - http://usacm.acm.org/usacm/PDF/IB_Internet_Voting_UOCAVA.pdf
Secure Internet Polling (IT Security question)
Smartphone Security
There are a wide number of smartphones that are targets for viruses and leaking corporate information. It's tough to find a uniform way to address these security vulnerabilities, and still provide a flexible user environment.
Currently I'm looking at Goodlink to provide email security across multiple devices. Please comment if you know of anything else
Deploy HTTPS Correctly
Always have a SSL/TLS session after authentication... for the remainder of the web session.
https://www.eff.org/pages/how-deploy-https-correctly
On a similar note, can someone tell Google AdSense/AdWords to support HTTPS?!?! Every site that requires you to login usually reverts back to HTTP because they don't want users to get the "Mixed Content" warning.
I believe a big problem currently is password reuse.
XKCD #792 illustrates the problem with a "bit" of humour.
Slightly off topic, but no-one has solved the last line of the Kryptos sculpture in front of the CIA.
Email Sender Verification
Many solutions and 3rd parties try to address the issue of "did user x actually send an email message?" or was it spoofed?
DMARC ,DomainKeys, SenderID, and SPF are all examples of technologies that address the issue in one way or another, but the adoption rate isn't close to where it needs to be. In addition, I don't think there is a complete solution when dealing with ListSrv's in this area either.
Passwords and how people think about them. Passwords should be renamed to pass phrases in my opinion. Too many accounts get hacked today because of users having a bad password policy.
For example: user picks a password less than 10 characters. It gets bruteforced easily once a site hes registered on gets hijacked and the DB drained. Unfortunately he also uses the same password for his email (ofcourse?? who doesnt?! not... stupid!). This results in him losing all his credentials and basicly his online identity. Anyone can now easily exploit this victim without him knowing much about it.
One cannot solve XSS with input validation. You are incorrect.
SQL injection is more than prepared statements. It includes topics such as SQL statements and variable binding. Hibernate has HQL injection, offset by named parameters with proper variable binding.
Huge unsolved problem - getting senior (CEO, FD etc) buy in and understanding of information security. IT management tend to understand IT security (pretty much) but senior management don't. They are focused on business, operational and financial risk so translating IS risks into an equivalent, along with relative impact so they can be discussed on a level playing field is the only consistent way to get change budgeted for, sponsored and implemented...as opposed to the current drivers for revolutionary change in information security - usually a response to a major incident, so high budget and urgency for a short while until the tabloids go onto the next target.
As far as I'm aware, there's no real solution to prevent clickjacking or scraping. For the latter, the best solutions are IP-based monitoring or a CAPTCHA on every page load. None of which are perfect.
Cloud Security is Unproven
The security of SaaS, PaaS, and IaaS solutions are not time tested, and trusted. I believe this is a problem when we have the business, and salespeople selling untrusted, unproven solutions.
With time, perhaps this will change.
Widespread adoption and use of DNSSec
Although there is the controversy regarding it exposes all your zones, and legal issues regarding it's use in some countries; overall it is a needed technology that needs to overcome the chicken and egg syndrome.
Addressing increased threats with fewer staff.
Since you asked about problems learned during 2010, I'll say that layoffs increase the risk of information theft, and unauthorized disclosure from internal staff.
If the layoffs affect the security department, then many of those previously mentioned issues may go unchecked, leaving the company at risk.
The most popular attacks are XSS and clickjacking as far as I know.
