Re: Businesses are under attack, says MS security head (Three messages)

[InfoSec News <isn () c4i org>]

Forwarded from: Russell Coker <russell () coker com au>
Cc: scarlet_pruitt () idg com

On Wed, 25 Feb 2004 21:10, InfoSec News <isn () c4i org> wrote:
> http://www.infoworld.com/article/04/02/24/HNunderattack_1.html
>
> By Scarlet Pruitt
> IDG News Service
> February 24, 2004
>
> Windows 95 was written without a single security feature, he said,
> as it was designed to be totally open to let users connect to other
> systems. Furthermore, the security kernel of the Windows NT server
> software was written before the Internet, and the Windows Server
> 2003 software was written before buffer overflows became a frequent
> target of recent attacks, he said.

The Internet existed long before Windows NT.  Below are URLs for the
start of Windows NT development and the early days of the Internet.
http://www.microsoft.com/presspass/features/1998/winntfs.asp
http://www.isoc.org/internet/history/brief.shtml

I expect that some of the first NT programmers weren't even born when
the ARPANET was first designed!

Buffer overflows have been around long before Windows Server 2003.  
Below is a URL for an explanation of buffer overflows.  It documents
the first wide-spread buffer-overflow based attack as occurring in
1989, being mostly forgotten until 1995, and then becoming more widely
known. http://en.wikipedia.org/wiki/Buffer_overflow

Another of the earliest well-known buffer overflows was the "ping of
death", which was able to kill almost every machine on the Internet
apart from OS/2 and Macintosh systems.  Microsoft should recall this
one well as there were two variants, the first MS patch only fixed one
of them so there was a second round of DoS attacks on NT machines.
http://www.insecure.org/sploits/ping-o-death.html

The risks of buffer overflows were well known to NT users long before
the development of Windows Server 2003!

> "Almost all the attacks on our software are legacy attacks and the
> points of the system that can talk to older versions of our
> software," Aucsmith said. "If you want more secure software,
> upgrade," he added.

MS has had a long history of introducing new features that permit new
methods of attack.  Previewing messages that have executable content
in Outlook.  ActiveX in IE.

> "These tools are so good I'm afraid we'll see more zero-day
> attacks," Aucsmith said.

Of course we will!  Until people realise that writing secure software
is necessary the number of attacks will increase.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



-=-



Forwarded from: Mark Hahn <MHahn () TCBTech com> 

At 05:10 AM 2/25/2004, InfoSec News wrote:
> Security Architect and Chief Technology Officer of Microsoft's
> Security Business Unit David Aucsmith [speaking at the at the
> e-Crime Congress in London on Tuesday, Feb 24,2004] ... stressed
> that many of the current security issues could not have been
> foreseen.
>
> Windows 95 was written without a single security feature, he said,
> as it was designed to be totally open to let users connect to other
> systems. Furthermore, the security kernel of the Windows NT server
> software was written before the Internet, and the Windows Server
> 2003 software was written before buffer overflows became a frequent
> target of recent attacks, he said.

What a piece of total dreck! What a complete re-write of history!!!

When Windows 95 was written there were many flavors of UNIX software
(BSD, SunOS, early Linux, etc.) all of which were more secure than
Windows XP is today, with full featured Internet tools (web browsers
and servers, email clients and servers, FTP clients and servers,
etc...) .

The Microsoft operating system product line has been dragged kicking
and screaming into all the major "innovations" that are touted as
features of the NT-OS based product line: Multi-tasking, networking,
disk file sharing, security, etc. These were all well developed in
competing products prior to their introduction in a Microsoft
operating system.

I find it offensive that he claims these issues could not be foreseen
at the time this software was written. The only people who did not
foresee this were the boys in Redmond.

(I guess I should have waited for Microsoft to release version 2.0 of
history before I started using it, eh?)

-MpH

   --------
Mark P. Hahn, CISSP                 MHahn () TCBTech com
Chief Technical Officer             609 716 9320
TCB Technologies, Inc.              Princeton Junction, New Jersey, USA



-=-



Forwarded from: security curmudgeon <jericho () attrition org>

I think you got the URL wrong. Shouldn't this be some tabloid, not
Infoworld? Surely this was meant as pure humor?

: http://www.infoworld.com/article/04/02/24/HNunderattack_1.html
:
: By Scarlet Pruitt
: IDG News Service
: February 24, 2004
:   
: LONDON -- Businesses worldwide face increasing threats from cyber
: criminals attempting extortion and fraud because the software running
: their systems makes them vulnerable, Microsoft Corp.'s top security
: architect told attendees at the e-Crime Congress in London Tuesday.
:
: Even while still walking to the podium, Security Architect and Chief
: Technology Officer of Microsoft's Security Business Unit David Aucsmith
: readily admitted that he is considered a "target" for complaints against
: his company's software, but he also stressed that many of the current
: security issues could not have been foreseen.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.