(continued from previous page)
In many ways, the deck is stacked against those trying to keep users safe. Whether it is fixing a bug or persuading users not to fall for a new social-engineering attack, defenders need to protect everyone, whereas success for attackers might mean finding only a tiny percentage of people to prey on.
"We need to (protect people) at scale and an attacker doesn't need to do it at scale," Thomlinson said.
Window Snyder, a former Microsoft security team leader now at Mozilla, said that one way to combat the scale problem is by ramping up on the defensive side as well. For example, she said, some 20,000 people are testing nightly builds of Firefox, offering the ability to see code--and security patches--in real-world use far sooner.
"I think there is a real opportunity to improve how quickly fixes are available and how easy it is for users to deploy them," Snyder said. One example she pointed to is the feature in Firefox that saves exactly where a user is before an update is installed. Because they get taken right back where they were, she said, users are willing to install updates more quickly, decreasing the time that there are vulnerable systems for attackers to target.
Microsoft and others have also tried to do that, particularly in the anti-malware arena. Both the phishing filter in Internet Explorer and the Windows Defender antispyware program built into Vista are based on the real-world experiences of millions of users.
Another challenge for Microsoft and others tackling software security stems from the basic design of the Internet, Chairman Bill Gates told CNET News.com. The Internet, he said, was designed with its primary goal being to ensure resiliency and redundancy, not security. The network's openness and assumption that routers are who they say they are mean that security must be added as a separate layer.
"Of course, the early years, when it was used primarily in universities or small scale, those issues didn't come up because it was mostly people with good intent," Gates said. "Now that it's the way we do commerce and everything is there, that assumption no longer holds."
And it is not just the attacks themselves that are changing. It's also the business.
A decade ago, many security attacks were launched by skilled programmers looking to see if they could poke holes in software and garner some notoriety.
Paul Wood, a security analyst for MessageLabs, said the structure of the "shadow" economy has changed. At one time, lone hackers created an exploit, developed malicious software, and then launched an attack. Now, there is segmentation. There might be one organization with a botnet of zombie computers that rents itself out, while another organization specializes in the actual writing of malicious software, as yet another group collects the credit card or other personal information.
One clear example of the economy that has sprung up around security threats is WabiSabiLabi, an outfit that has set up an eBay-style auction for software vulnerabilities. If it takes off, it means that software vendors may find themselves having to outbid hackers to get a hold of newly discovered flaws.
Risks versus economic opportunity
Part of the reason such a large economy has sprouted up is that the economic opportunity is huge and the risks of getting caught have actually gone down--particularly because law enforcement operates along geographic lines, while the Internet knows no such boundaries.
That places a huge burden on preventing a machine from being taken over in the first place, Kaminsky said. "You are not going to be able to find the guy," he said.
It's also because of new opportunities, such as creating botnets that then perpetrate click fraud, for example, and generate revenue from companies like Google.
"You have evolved financial models that are insanely low-risk with shockingly high return," Kaminsky said. "It's not a recipe for goodness."
The profit motive isn't all bad news for defenders. Flake notes that hackers are now keenly aware of the cost of attacking a system relative to the amount of value that can be extracted. That means they are often looking for the cheapest attack, rather than the most technically sophisticated one. In the early days, you had government spies or skilled hackers looking to make their mark who were willing to pour "ludicrous amounts of time" into crafting an attack.
"Attackers are now operating under economic restrictions," he said. That often means that a defense can make would-be crooks go after someone else instead.
That portends good news for Microsoft, Flake said.
"The threats are currently moving away from Microsoft because Microsoft has outspent everyone," he said.
Mobile devices are one area where attacks may increase, Flake said, while predicting that Apple will also face a few rough years now that its market share has grown and more targeted attacks have become the norm. "Apple is where Microsoft was a few years ago." Apple, he said, still has to look forward to the experience of getting "owned"--that is, taken over by hackers--"repeatedly and being made fun of."
Day 1: From pain to progress
Redmond's security practices have been transformed since threats like Slammer and Blaster first wormed their way onto the scene.
Day 2: Inviting the hackers inside
Aiming to be more open, the company reaches out to the security research community it once kept at a distance.
Day 3: Emerging security threats
Forget widespread worms. Nowadays, limited-scale threats like targeted e-mail attacks are causing the most concern.
Day 1: Inside the war room
After years of having to scramble whenever an outbreak hit, Microsoft builds adjoining situation rooms to coordinate its response efforts.
Day 2: Off to the Limo Races
In what might seem an unlikely pairing, Microsoft employees and security researchers team up to go on a scavenger hunt through Seattle.
Day 3: Meet the bug hunters
One talks a mile a minute, another dresses like a bug. Meet some of the people who have helped lead a massive culture change at the company.
Inside the war room
Painful episodes lead to the creation of a security response center, where teams take on the task of hunting bugs and keeping customers informed. December 3, 2007
The bug hunters
Just who are the people charged with the task of keeping code secure at Microsoft? They're risk takers, whether donning silly costumes or swimming with sharks. December 5, 2007
Editors: Anne Dujmovic, Mike Ricciuti
Design: Andrew Ballagh
Production: Kendra Dodds
I worked on a woman's Vista laptop over the weekend and she was almost in tears because she could not write her articles like she could on XP. She was upset for being forced to buy Vista.
I think she reflects the feelings of a lot of people out there.
My complaint about Vista is its crappy file management system. I cannot believe how hard it is compared to XP in downloading, moving and saving files.
I believe Microsoft has not a clue of what is really going on out there in the real world.
I am a Microsoft user and will be for a period of time to come. I do hope the hackers will come and fix the file management problem in Vista since Microsoft can't seem to do things right.
I understand that Apple's Leopard software has problems like Vista, but their Tiger is great. I also have a collection of various Linux distros and they are also very good. I think PCLinux and Ubuntu are excellent. So you advocates please don't bother us!
Yes, applications are dangerous... it's part and parcel of security on any computer.
However, how come data files (e.g. PowerPoint files) have to be so dangerous (to a Windows user) as well?
Family photos, important documents, music... those things shouldn't present any danger at all to a user (and on Mac and Linux, they don't). Yet even the screen saver (*.scr) on a Windows box could hide potentially nasty bugs.
***? covering up poor programming practices and bad design with 'oh, apps are dangerous - we got your money, so deal with it'
Increasing numbers of us have found a better way, thanks much.
And as a bonus, I don't have to live in fear of my applications, either.
/P
Many of them contain escape mechanisms that permit the object being interpreted to invoke the execution of programs. These programs may be external to or included in the object itself. MS Word was so bad about this for so long that Word objects are now generally feared.
While this capability is useful its utility does not justify the risk.
Until recently pdfs were preferred to docs because Adobe controlled the specification of the object and the interpreters (Adobe Reader and Acrobat.)
The original intent of pdf appears to have been to encapsulate a printable document. However, many pdfs are only, or preferably, viewed rather than printed. (I try never to print.) Adobe, which now also owns MacroMedia Flash, says wouldn't it be nice if an object could also contain moving graphics. Oops there went the attack surface.
When an object type is very popular, new interpreters emerge. I now have a number of programs on my computer, including, for example, the FoxIt viewer that will interpret pdfs. Oops. There it goes again. To get an idea of how bad the problem is, look at the size of the latest version of the Reader. The bigger and more complex the program, the greater the opportunity for error.
Remember the idea of Object Oriented Programming, in which the object would encapsulate both the data and all of the methods and procedures that could operate on it. The market preferred the traditional model, in part so that the common methods would not have to be replicated for each object.
Now the methods are proliferating and becoming more complex. Part of the problem is that the decisions about the functionality of the program and the risk associated with it are separated from one another and made by different people.
All that said, everyone should have seen this coming. We fixed the transport layer and attacks moved to the server. We fixed the servers and attacks moved to the client. We fix the OS and attacks move to the applications. First they moved to the browsers. Now they are moving to "plug-ins" and helper applications. Where is the surprise.
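The two comments above make the same point from different angles: a screen saver (*.scr) is an executable whatever its icon suggests, and a "document" such as a PDF can carry escape mechanisms that hand control to an interpreter. The following triage script is an added example, not code from the article or from either commenter. It flags PE executables by their MZ header regardless of file extension, and it scans PDF bytes for the name objects that introduce active or auto-triggered content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia), decoding the #xx hex escapes that the PDF name syntax allows so that a spelling such as /Java#53cript is not missed. The name objects and the #xx escape are from the PDF specification; the sample files, the risk notes and the function names are this example's own constructions.

```python
"""Triage 'data' files for hidden active content (added example, constructed samples)."""
import os
import re

# PDF name objects that introduce active or automatically triggered content.
# The notes are this example's own labels, not part of the specification.
ACTIVE_PDF_NAMES = {
    "JavaScript": "embedded JavaScript",
    "JS": "embedded JavaScript (short key)",
    "OpenAction": "action triggered when the document is opened",
    "AA": "additional actions (page, field or document event triggers)",
    "Launch": "action that launches an external program",
    "EmbeddedFile": "embedded file attachment",
    "RichMedia": "rich media (e.g. Flash) annotation",
}

# Extensions Windows treats as executable even though they look like 'just files'.
EXECUTABLE_EXTENSIONS = {".scr", ".pif", ".com", ".exe", ".bat", ".cmd"}

# A PDF name token is '/' followed by regular characters; the delimiters
# ( ) < > [ ] { } / % and whitespace end it.  '#xx' inside a name is a hex
# escape, so /Java#53cript is the same name as /JavaScript.
_NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_pdf_name(raw: bytes) -> str:
    """Decode #xx escapes in a PDF name token (given without the leading slash)."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> list[str]:
    """Return one finding per distinct active-content name object found in the PDF bytes."""
    findings: dict[str, str] = {}
    for m in _NAME_RE.finditer(data):
        raw = m.group(1)
        name = normalize_pdf_name(raw)
        if name not in ACTIVE_PDF_NAMES:
            continue
        note = ACTIVE_PDF_NAMES[name]
        if b"#" in raw:
            # A plain-text grep for '/JavaScript' would miss this spelling.
            note += " [hex-escaped name, possible evasion]"
        findings.setdefault(name, f"/{name}: {note}")
    return list(findings.values())


def triage(filename: str, data: bytes) -> list[str]:
    """Flag executables posing as data and documents carrying active content."""
    ext = os.path.splitext(filename)[1].lower()
    findings = []
    if data.startswith(b"MZ"):
        # PE/DOS executable header: the content is a program, whatever the name says.
        findings.append(f"{filename}: MZ header, this is an executable, not a data file")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"{filename}: extension {ext} is executed, not opened as data")
    if data.startswith(b"%PDF"):
        findings.extend(f"{filename}: {f}" for f in scan_pdf(data))
    return findings


# Constructed samples (not real files): a PDF with an open-action that runs
# JavaScript, spelled with a hex-escaped name; a benign PDF skeleton; and a
# PE stub renamed to look like a photo.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert('hi')) >> endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SAMPLE_SCR = b"MZ\x90\x00" + b"\x00" * 60


if __name__ == "__main__":
    for name, blob in [("quarterly.pdf", SAMPLE_PDF), ("readme.pdf", BENIGN_PDF),
                       ("holiday.jpg", SAMPLE_SCR), ("pretty.scr", SAMPLE_SCR)]:
        for finding in triage(name, blob) or [f"{name}: nothing flagged"]:
            print(finding)
```

The scanner is deliberately a byte-level pass rather than a full PDF parser: it will not follow object streams or decompress FlateDecode-encoded content, so a clean result is not a clean bill of health, but a hit on /OpenAction together with /JavaScript or /Launch in a file that arrived as "just a document" is worth a closer look before it reaches a reader with a large attack surface.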
New Threat Smet!
by Schratboy, December 5, 2007 9:02 PM PST
Crikey! Most IT managers don't even have a freaking handle on the basics, let alone worrying about all the so-called new threats. None of the hype matters as long as owners and administrators continue to "fly blind" and don't know how their network is being used. Fundamental knowledge is the best defense and doesn't require excessive instrumentation, expense or technical skill. A little bit of knowledge and policy goes a long way to keeping data and assets safe and risk-free.