[ISN] Gates pledges better software security

From: InfoSec News (isnat_private)
Date: Fri Jan 24 2003 - 02:26:15 PST


[Ten weeks of security training for employees is commendable, but
security is always evolving; this is akin to the state driving school
you take so that the speeding ticket isn't on your record. You watch a
couple of gory traffic movies and a few lectures from the police on the
dangers of speeding, and sure enough, after the course you're driving
around town like a total saint. It's only a matter of time before you
start falling back into your old habits, and then you're back driving
around like Emerson Fittipaldi.
If these lessons are going to stick, the security classes have to be
held on a regular basis; otherwise there's bound to be another one of
those massive pileups, and traffic will be backed up for miles. - WK]
By TED BRIDIS, Associated Press

WASHINGTON (January 23, 2003 9:11 p.m. EST) - Microsoft Chairman Bill
Gates promised that his software company will continue improving
security in its products, part of a campaign to convince large
customers that the Windows operating system is safe for even sensitive

"New security risks have emerged on a scale that few in our industry
fully anticipated," Gates wrote in a 1,500-word e-mail distributed
late Thursday to about 1 million people. He cited figures showing
corporate losses to hackers and other types of electronic attacks
exceeded $455 million in 2001.

Gates said Microsoft will improve support for "smart cards," devices
that can replace or augment computer passwords.

A single computer user may need dozens of passwords for e-mail, Web
sites and connecting to office systems. Most passwords are easy to
guess or difficult to remember.

In his e-mail, Gates called passwords "the weak link."

Smart cards carried by employees can help authenticate a person's
identity when plugged into a computer slot or swiped through an
attached reader device. Some cards flash random numbers that an
employee must type accurately to access a system.

Gates said Microsoft now requires that all its employees use smart
cards to access the company's computers from home or while traveling.
That policy went into effect after a break-in into Microsoft's
internal systems in October 2000. Investigators believe it happened
after hackers hijacked an employee's unprotected home computer.

Gates did not mention improving support in Microsoft's products for
fingerprint or retinal-scan technology. "Over time we expect that most
businesses will go to smart card ID systems," he wrote.

Gates acknowledged that the technology industry must make significant
improvements, adding that, "Microsoft has a responsibility to help its
customers address these concerns, so they no longer have to choose
between security and usability."

Microsoft's products, especially earlier versions of its Windows
operating system and Internet server software, have long been derided
by experts for problems that put consumers' information at risk from
hackers and viruses.

As sensitive transactions - from banking to medical filings -
increasingly take place online, there has been a new focus on such
risks. The Bush administration also has raised concerns that
terrorists or foreign governments could launch cyber-attacks against
the private networks that operate U.S. water and power systems.

Last year, in response to rising concerns, Gates announced a
"trustworthy computing" drive at Microsoft and shut down software
development for 10 weeks of security training for employees.

Gates wrote in his e-mail that the training "taught program managers,
architects and testers to think like attackers," and that it helped
identify an unspecified number of vulnerabilities in Windows software.

Gates also pledged that an upcoming version of Microsoft's flagship
server software, called Windows Server 2003, will have many advanced
features turned off automatically to improve security. Such features,
if used improperly, could make computers vulnerable.

Businesses can use the server software to operate their internal
company networks and to publish Web sites.