http://www.infoworld.com/article/04/02/24/HNunderattack_1.html By Scarlet Pruitt IDG News Service February 24, 2004 LONDON -- Businesses worldwide face increasing threats from cyber criminals attempting extortion and fraud because the software running their systems makes them vulnerable, Microsoft Corp.'s top security architect told attendees at the e-Crime Congress in London Tuesday. Even while still walking to the podium, Security Architect and Chief Technology Officer of Microsoft's Security Business Unit David Aucsmith readily admitted that he is considered a "target" for complaints against his company's software, but he also stressed that many of the current security issues could not have been foreseen. Windows 95 was written without a single security feature, he said, as it was designed to be totally open to let users connect to other systems. Furthermore, the security kernel of the Windows NT server software was written before the Internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks, he said. "Almost all the attacks on our software are legacy attacks and the points of the system that can talk to older versions of our software," Aucsmith said. "If you want more secure software, upgrade," he added. While this advice might seem like cold comfort to users, Aucsmith couched the current security threats as a consequence of the changing software industry, and more sophisticated cyber criminals, than of particular neglect by vendors. Aucsmith said that Microsoft is working diligently to address security issues, by working closely with law enforcement authorities and changing its patching procedures, for example, and that much of the threat comes from criminals who are making a career from high-tech crimes such as hacking, extortion and fraud. "We are under attack," increasingly from criminals seeking personal gain, he said. "Since the Sobig virus hit in October of last year, we have yet to see a virus or variant without an element of financial gain," he said, such as bugs that seek users credit card information. What's more, cyber criminals are becoming increasingly efficient at reverse-engineering software patches to discover and then exploit vulnerabilities, he said. The time between the release of a patch and the creation of an exploit has dwindled dramatically. The Nimda virus, which was discovered in September of 2001, surfaced 331 days after a patch was released, while the latest exploit of a Windows component called the ASN.1 Library was created within three days of the patch being released, Aucsmith said. Hackers have the advantage of not having to test their exploits, which allows them to move faster than vendors who must perform rigorous testing to ensure that their patches don't break users' systems, he said. Still, Aucsmith said that despite the flood of attacks against Microsoft's software only once has it suffered a so-called "zero-day" attack, in which an unknown and unpatched vulnerability is exploited. "The vast majority of attacks occur after the patch is available," he said. However, vendors and users' headaches are being worsened by new tools created by sophisticated hackers and made available on the Internet. One such tool available now automatically reverse-engineers patches, creates an exploit and launches attacks, he said, allowing any non-tech savvy user to become a potential cyber criminal. "These tools are so good I'm afraid we'll see more zero-day attacks," Aucsmith said. For users, already tormented by a string of high-profile viruses threatening to compromise their systems, this could be chilling news. According to a survey released Tuesday by the U.K.'s National Hi-Tech Crime Unit, U.K. businesses are estimated to have lost billions of pounds last year due to computer crimes, and they are not alone. Businesses worldwide are grappling with increasingly sophisticated cyber threats. While law enforcement officials are encouraging users to report cyber crime and do what they can to shore up their systems, vendors say that they are doing their parts to make their products more secure. Besides encouraging users to upgrade to more secure versions of its software, Microsoft is working on improving its patching procedures, Aucsmith said. The company already switched from a weekly to a monthly patch release cycle to reduce user work, but is also working on delivering a regular Microsoft Update that includes fixes to all its software instead of the current Windows Update patch. Additionally, Microsoft plans to make all of its patches reversible, in case users want to unapply them, and patches that can be applied without having to reboot systems, he said. The company is trying to move away from patching as a tactical defense, Aucsmith said, and Microsoft Chairman Bill Gates is expected to make an announcement at the RSA Conference in San Francisco this week that will move users in this direction. Although Aucsmith declined to give details of the announcement he said that it would entail a more targeted use of antivirus and firewall products. The e-Crime Congress runs through Wednesday. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Feb 25 2004 - 05:21:22 PST