[ISN] Microsoft's hacker bounty is wasted money

From: InfoSec News (isn@private)
Date: Tue Nov 11 2003 - 04:45:52 PST


    http://asia.cnet.com/newstech/perspectives/0,39001148,39157414,00.htm
    
    By Robert Vamosi, Special to CNETAsia
    Tuesday, November 11 2003 8:24 AM 
     
    commentary: Last Wednesday, Microsoft, the FBI, the U.S. Secret
    Service, and Interpol, an international law enforcement organization,
    announced a US$5 million reward system for information leading to the
    arrest of individuals who write computer viruses.
    
    In particular, Microsoft is offering a quarter of a million dollars to
    apprehend the authors of last August's MSBlast and Sobig.f worms.
    
    What a brilliant PR move--something to distract the media from the
    latest Windows-based virus, MiMail.c, that's currently loose on the
    Internet. Instead of using that same US$5 million to secure the
    Windows code you and I use every day, and admitting that it's partly
    responsible for the problem, Microsoft has decided to point the finger
    elsewhere.
    
    Deja vu
    
    This situation reminds me of the current U.S. anti-drug strategy, in
    which the government spends billions of dollars on drug interdiction
    and user arrests. While it's important to reduce the flow of illegal
    substances on our streets (and I'm not suggesting we legalize all
    drugs), such arrests alone are not enough. We also need programs that
    address the addictive behavior that creates demand for drugs. By not
    focusing on the underlying causes of drug use, we are consequently
    losing the war on drugs.
    
    In the same way, Microsoft is taking the wrong approach. Arrests won't
    stop viruses from being created, just as they won't stop drugs from
    being sold. Microsoft and others could spend US$50 million on rewards,
    and we would still have sophisticated Internet worms like SQLSlammer
    and MSBlast. The way to stop viruses is to develop secure software.  
    Yet, while every operating system is probably vulnerable to some sort
    of attack, it's well known that Windows is particularly poor with
    respect to security.
    
    Windows XP Home Edition, for instance, ships with its built-in
    firewall (which many users don't even know about) disabled by default
    and with all its Internet ports open. By comparison, while Mac OS X
    doesn't have a built-in firewall, at least it arrives on your computer
    with all unnecessary Internet ports closed. The same goes for the
    various Linux distributions.
    
    Microsoft, to save time and money, designed Windows XP to be adaptable
    for different types of users. But the company should be more cautious
    about which features are turned on when the OS ships.
    
    After all, do home users really need all their Remote Procedure Call
    (RPC) ports open by default? Do they need network printer and file
    sharing enabled? Or for that matter, do they need the Microsoft
    Messenger Service turned on? No, they don't. Yet these are the
    features by which several recent viruses have infected many home
    computers.
    
    How useful?
    
    Looking forward, I see the same sort of thing happening with the new
    Microsoft Office System. Many of the new rights-management features
    found within Word, Excel, and Outlook are designed to work with an
    external server--functionality that most home users, and even many
    business users, won't ever use. Nonetheless, Microsoft enabled all its
    programs to be open to communications from outside servers, leaving
    them vulnerable to attacks.
    
    This blanket policy regarding program functionality is what
    contributed to the overnight success of the MSBlast worm last August.  
    Most people had never heard of DCOM RPC, nor knew that it should be
    disabled for increased security, until MSBlast infected almost every
    Windows 2000 and Windows XP user not protected by a firewall.
    
    Microsoft could better use its US$5 million bounty to improve security
    on its software. And it wouldn't cost the company anything to, by
    default, enable XP's firewall, close all unnecessary ports open to the
    Internet, and remove services that the average home user doesn't need.
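    The three defaults the article singles out (firewall off, RPC and
    file-sharing ports open, Messenger service running) can be checked and
    corrected from a command prompt. The batch script below is an added
    example for this archive, not part of the CNET article or of
    Microsoft's own guidance; it assumes Windows XP SP2 or later, where the
    `netsh firewall` context exists (the article predates SP2, whose
    Internet Connection Firewall was configured only through the
    connection properties dialog), and an administrator command prompt.

```batch
@echo off
rem Added example (not from the article): audit the defaults the article
rem criticizes, then apply the settings it asks for. Assumes XP SP2+ and
rem an administrator command prompt.

echo === Built-in firewall state (article wants "Enable") ===
netsh firewall show opmode

echo === Messenger service (article wants it off) ===
sc query Messenger

echo === Shares exposed by File and Printer Sharing ===
net share

echo === Listening sockets: TCP 135 is the RPC endpoint mapper MSBlast ===
echo === targeted; TCP 139/445 carry file and printer sharing.       ===
netstat -an | findstr /C:"LISTENING" /C:"UDP"

rem --- Hardening: the changes the article says would cost nothing ---
rem Turn the firewall on and drop all exceptions (opened ports/programs).
netsh firewall set opmode mode=ENABLE exceptions=DISABLE

rem Stop the Messenger service and keep it from starting at boot.
rem (the space after "start=" is required by sc.exe)
sc stop Messenger
sc config Messenger start= disabled

echo === Re-check after hardening ===
netsh firewall show opmode
sc query Messenger
```

    Run the audit half first and keep its output; the re-check at the end
    gives the before/after pair that shows whether the machine now matches
    the defaults the article argues Microsoft should ship with. Disabling
    File and Printer Sharing itself is a per-connection setting and is left
    to the connection properties dialog, since it is wanted on some home
    LANs.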
    
    While they're at it, Microsoft should send its customers CDs every
    month with the latest Windows and Office patches and program upgrades
    to install at our leisure (if AOL can do it, Microsoft can too). These
    changes would be expensive for Microsoft, but could make a real
    difference to end users--which the US$5 million bounty most likely
    never will.
    
    Robert Vamosi is senior associate editor, ZDNet Reviews.
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    