(continued from previous page)
(continued from previous page)
In many ways, the deck is stacked against those trying to keep users safe. Whether it is fixing a bug or persuading users not to fall for a new social-engineering attack, defenders need to protect everyone, whereas success for attackers might mean finding only a tiny percentage of people to make its prey.
"We need to (protect people) at scale and an attacker doesn't need to do it at scale," Thomlinson said.
Window Snyder, a former Microsoft security team leader now at Mozilla, said that one way to combat the scale problem, is by ramping up on the defensive side as well. For example, she said, some 20,000 people are testing nightly builds of Firefox, offering the ability to see code--and security patches--in real-world use far sooner.
"I think there is a real opportunity to improve how quickly fixes are available and how easy it is for users to deploy them," Snyder said. One example she pointed to is the feature in Firefox that saves exactly where a user is before an update is installed. Because they get taken right back where they were, she said, users are willing to install updates more quickly, decreasing the time that there are vulnerable systems for attackers to target.
Microsoft and others have also tried to do that, particularly in the anti-malware arena. Both the phishing filter in Internet Explorer and the Windows Defender antispyware program built into Vista are based on the real-world experiences of millions of users.
Another challenge for Microsoft and others tackling software security stems from the basic design of the Internet, Chairman Bill Gates told CNET News.com. The Internet, he said, was designed with its primary goal being to ensure resiliency and redundancy, not security. The network's openness and assumption that routers are who they say they are mean that security must be added as a separate layer.
"Of course, the early years, when it was used primarily in universities or small scale, those issues didn't come up because it was mostly people with good intent," Gates said. "Now that it's the way we do commerce and everything is there, that assumption no longer holds."
And, it is not just the attacks themselves that are changing, though. It's also the business.
A decade ago, many security attacks were launched by skilled programmers looking to see if they could poke holes in software and garner some notoriety.
Paul Wood, a security analyst for MessageLabs, said the structure of the "shadow" economy has changed. At one time, lone hackers created an exploit, developed malicious software, and then launched an attack. Now, there is segmentation. There might be one organization with a botnet of zombie computers that rents itself out, while another organization specializes in the actual writing of malicious software, as yet another group collects the credit card or other personal information.
One clear example of the economy that has sprung up around security threats is WabiSabiLabi, an outfit that has set up an eBay-style auction for software vulnerabilities. If it takes off, it means that software vendors may find themselves having to outbid hackers to get a hold of newly discovered flaws.
Risks versus economic opportunity
Part of the reason such a large economy has sprouted up is that the economic opportunity is huge and the risks of getting caught have actually gone down--particularly because law enforcement operates along geographic lines, while the Internet knows no such boundaries.
That places a huge burden on preventing a machine from being taken over in the first place, Kaminsky said. "You are not going to be able to find the guy," he said.
It's also because of new opportunities, such as creating botnets that then perpetrate click fraud, for example, and generate revenue from companies like Google.
"You have evolved financial models that are insanely low-risk with shockingly high return," Kaminsky said. "It's not a recipe for goodness."
The profit motive isn't all bad news for defenders. Flake notes that hackers are now keenly aware of the cost of attacking a system relative to the amount of value that can be attracted. That means they are often looking for the cheapest attack, rather than the most technically sophisticated one. In the early days, you had government spies or skilled hackers looking to make their mark who were willing to pour "ludicrous amounts of time" into crafting an attack.
"Attackers are now operating under economic restrictions," he said. That often means that a defense can make would-be crooks go after someone else instead.
That portends good news for Microsoft, Flake said.
"The threats are currently moving away from Microsoft because Microsoft has outspent everyone," he said.
Mobile devices are one area where attacks may increase, Flake said, while predicting that Apple will also face a few rough years now that its market share has grown and more targeted attacks have become the norm. "Apple is where Microsoft was a few years ago. Apple, he said, still has to look forward to the experience of getting "owned"--that is, taken over by hackers--"repeatedly and being made fun of."
Day 1: From pain to progress
Remond's security practices have been transformed since threats like Slammer and Blaster first wormed their way onto the scene.
Day 2: Inviting the hackers inside
Aiming to be more open, company reaches out to the security research community it once kept at a distance.
Day 3: Emerging security threats
Forget widespread worms. Nowadays, limited-scale threats like targeted e-mail attacks are causing the most concern.
Day 1: Inside the war room
After years of having to scramble whenever an outbreak hit, Microsoft builds adjoining situation rooms to coordinate its response efforts.
Day 2: Off to the Limo Races
In what might seem an unlikely pairing, Microsoft employees and security researchers team up to go on a scavenger hunt through Seattle.
Day 3: Meet the bug hunters
One talks a mile a minute, another dresses like a bug. Meet some of the people who have helped lead a massive culture change at the company.
Inside the war room
Painful episodes lead to the creation of a security response center, where teams take on the task of hunting bugs and keeping customers informed.December 3, 2007
The bug hunters
Just who are the people charged with the task of keeping code secure at Microsoft? They're risk takers, whether donning silly costumes or swimming with sharks. December 5, 2007
Editors: Anne Dujmovic, Mike Ricciuti
Design: Andrew Ballagh
Production: Kendra Dodds
11 commentsJoin the conversation! Add your comment