Businesses are under attack, says MS security head

[InfoSec News <isn () c4i org>]

http://www.infoworld.com/article/04/02/24/HNunderattack_1.html

By Scarlet Pruitt
IDG News Service
February 24, 2004   
  
LONDON -- Businesses worldwide face increasing threats from cyber
criminals attempting extortion and fraud because the software running
their systems makes them vulnerable, Microsoft Corp.'s top security
architect told attendees at the e-Crime Congress in London Tuesday.

Even while still walking to the podium, Security Architect and Chief
Technology Officer of Microsoft's Security Business Unit David
Aucsmith readily admitted that he is considered a "target" for
complaints against his company's software, but he also stressed that
many of the current security issues could not have been foreseen.

Windows 95 was written without a single security feature, he said, as
it was designed to be totally open to let users connect to other
systems. Furthermore, the security kernel of the Windows NT server
software was written before the Internet, and the Windows Server 2003
software was written before buffer overflows became a frequent target
of recent attacks, he said.

"Almost all the attacks on our software are legacy attacks and the
points of the system that can talk to older versions of our software,"  
Aucsmith said. "If you want more secure software, upgrade," he added.

While this advice might seem like cold comfort to users, Aucsmith
couched the current security threats as a consequence of the changing
software industry, and more sophisticated cyber criminals, than of
particular neglect by vendors.

Aucsmith said that Microsoft is working diligently to address security
issues, by working closely with law enforcement authorities and
changing its patching procedures, for example, and that much of the
threat comes from criminals who are making a career from high-tech
crimes such as hacking, extortion and fraud.

"We are under attack," increasingly from criminals seeking personal
gain, he said.

"Since the Sobig virus hit in October of last year, we have yet to see
a virus or variant without an element of financial gain," he said,
such as bugs that seek users credit card information.

What's more, cyber criminals are becoming increasingly efficient at
reverse-engineering software patches to discover and then exploit
vulnerabilities, he said.

The time between the release of a patch and the creation of an exploit
has dwindled dramatically. The Nimda virus, which was discovered in
September of 2001, surfaced 331 days after a patch was released, while
the latest exploit of a Windows component called the ASN.1 Library was
created within three days of the patch being released, Aucsmith said.

Hackers have the advantage of not having to test their exploits, which
allows them to move faster than vendors who must perform rigorous
testing to ensure that their patches don't break users' systems, he
said.

Still, Aucsmith said that despite the flood of attacks against
Microsoft's software only once has it suffered a so-called "zero-day"  
attack, in which an unknown and unpatched vulnerability is exploited.

"The vast majority of attacks occur after the patch is available," he
said.

However, vendors and users' headaches are being worsened by new tools
created by sophisticated hackers and made available on the Internet.

One such tool available now automatically reverse-engineers patches,
creates an exploit and launches attacks, he said, allowing any
non-tech savvy user to become a potential cyber criminal.

"These tools are so good I'm afraid we'll see more zero-day attacks,"  
Aucsmith said.

For users, already tormented by a string of high-profile viruses
threatening to compromise their systems, this could be chilling news.

According to a survey released Tuesday by the U.K.'s National Hi-Tech
Crime Unit, U.K. businesses are estimated to have lost billions of
pounds last year due to computer crimes, and they are not alone.  
Businesses worldwide are grappling with increasingly sophisticated
cyber threats.

While law enforcement officials are encouraging users to report cyber
crime and do what they can to shore up their systems, vendors say that
they are doing their parts to make their products more secure.

Besides encouraging users to upgrade to more secure versions of its
software, Microsoft is working on improving its patching procedures,
Aucsmith said.

The company already switched from a weekly to a monthly patch release
cycle to reduce user work, but is also working on delivering a regular
Microsoft Update that includes fixes to all its software instead of
the current Windows Update patch.

Additionally, Microsoft plans to make all of its patches reversible,
in case users want to unapply them, and patches that can be applied
without having to reboot systems, he said.

The company is trying to move away from patching as a tactical
defense, Aucsmith said, and Microsoft Chairman Bill Gates is expected
to make an announcement at the RSA Conference in San Francisco this
week that will move users in this direction.

Although Aucsmith declined to give details of the announcement he said
that it would entail a more targeted use of antivirus and firewall
products.

The e-Crime Congress runs through Wednesday.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.