Re: [ISN] Businesses are under attack, says MS security head (Three messages)

From: InfoSec News (isn@private)
Date: Wed Feb 25 2004 - 23:10:59 PST


    Forwarded from: Russell Coker <russell@private>
    Cc: scarlet_pruitt@private
    
    On Wed, 25 Feb 2004 21:10, InfoSec News <isn@private> wrote:
    > http://www.infoworld.com/article/04/02/24/HNunderattack_1.html
    >
    > By Scarlet Pruitt
    > IDG News Service
    > February 24, 2004
    >
    > Windows 95 was written without a single security feature, he said,
    > as it was designed to be totally open to let users connect to other
    > systems. Furthermore, the security kernel of the Windows NT server
    > software was written before the Internet, and the Windows Server
    > 2003 software was written before buffer overflows became a frequent
    > target of recent attacks, he said.
    
    The Internet existed long before Windows NT.  Below are URLs for the
    start of Windows NT development and the early days of the Internet.
    http://www.microsoft.com/presspass/features/1998/winntfs.asp
    http://www.isoc.org/internet/history/brief.shtml
    
    I expect that some of the first NT programmers weren't even born when
    the ARPANET was first designed!
    
    Buffer overflows have been around since long before Windows Server 2003.
    Below is a URL for an explanation of buffer overflows.  It documents
    the first widespread buffer-overflow based attack as occurring in
    1989, being mostly forgotten until 1995, and then becoming more widely
    known. http://en.wikipedia.org/wiki/Buffer_overflow
    
    Another of the earliest well-known buffer overflows was the "ping of
    death", which was able to kill almost every machine on the Internet
    apart from OS/2 and Macintosh systems.  Microsoft should recall this
    one well, as there were two variants; the first MS patch only fixed one
    of them, so there was a second round of DoS attacks on NT machines.
    http://www.insecure.org/sploits/ping-o-death.html
    
    The risks of buffer overflows were well known to NT users long before
    the development of Windows Server 2003!
    
    > "Almost all the attacks on our software are legacy attacks and the
    > points of the system that can talk to older versions of our
    > software," Aucsmith said. "If you want more secure software,
    > upgrade," he added.
    
    MS has had a long history of introducing new features that permit new
    methods of attack.  Previewing messages that have executable content
    in Outlook.  ActiveX in IE.
    
    > "These tools are so good I'm afraid we'll see more zero-day
    > attacks," Aucsmith said.
    
    Of course we will!  Until people realise that writing secure software
    is necessary the number of attacks will increase.
    
    -- 
    http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
    http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
    http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
    http://www.coker.com.au/~russell/  My home page
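    As an added illustration of the defect class behind the "ping of death"
    mentioned above (this is example code, not part of Russell Coker's
    message or of any vendor's reassembly code): the oversized datagram
    attacks worked because a reassembler copied fragments into a buffer
    sized for the largest legal IPv4 datagram without first checking that
    the attacker-supplied offset and length stayed inside it. The limits
    below (65535-byte datagram, 13-bit fragment-offset field in units of 8)
    are IPv4's; the struct names, the add_fragment() and fragment_fits()
    helpers and the sample fragments are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest datagram IPv4 can describe: the total-length field is 16 bits. */
#define IP_MAX_DATAGRAM 65535u
/* Largest byte offset the 13-bit fragment-offset field (units of 8) can express. */
#define IP_MAX_FRAG_OFFSET (8191u * 8u)

/* Reassembly state for one datagram (constructed for the example). */
typedef struct {
    uint8_t  data[IP_MAX_DATAGRAM];   /* sized for the largest legal datagram */
    uint32_t bytes_seen;              /* highest end offset accepted so far */
    bool     last_seen;               /* a fragment with MF=0 has arrived */
} reassembly_t;

/* One fragment after its IP header has been parsed (constructed for the example). */
typedef struct {
    uint32_t       offset;    /* byte offset of this fragment in the datagram */
    uint32_t       len;       /* payload length of this fragment */
    bool           more;      /* MF flag: more fragments follow */
    const uint8_t *payload;
} fragment_t;

/* The check the vulnerable reassemblers lacked: does offset+len stay inside
 * the 65535-byte limit the buffer was sized for?  Both inputs come from
 * attacker-controlled header fields, so they are validated before any copy. */
bool fragment_fits(uint32_t offset, uint32_t len)
{
    if (offset > IP_MAX_FRAG_OFFSET) return false;
    if (len == 0 || len > IP_MAX_DATAGRAM) return false;
    /* both operands are below 2^17, so the sum cannot wrap a 32-bit integer */
    return offset + len <= IP_MAX_DATAGRAM;
}

/* Copies one fragment into the buffer; returns false and touches nothing
 * when the fragment would land outside it. */
bool add_fragment(reassembly_t *r, const fragment_t *f)
{
    if (!fragment_fits(f->offset, f->len)) return false;
    memcpy(r->data + f->offset, f->payload, f->len);
    if (f->offset + f->len > r->bytes_seen) r->bytes_seen = f->offset + f->len;
    if (!f->more) r->last_seen = true;
    return true;
}

/* Feeds three constructed fragments through the check; returns how many
 * were accepted.  The last one ends at byte 65544, past the buffer. */
int demo(void)
{
    static reassembly_t r;             /* static: 64 KiB is too large for the stack */
    static uint8_t chunk[1480];
    memset(&r, 0, sizeof r);
    memset(chunk, 0x41, sizeof chunk);

    fragment_t first    = { 0,                  1480, true,  chunk };
    fragment_t tail_ok  = { IP_MAX_FRAG_OFFSET, 7,    false, chunk };  /* ends at 65535 */
    fragment_t tail_bad = { IP_MAX_FRAG_OFFSET, 16,   false, chunk };  /* ends at 65544 */

    int accepted = 0;
    accepted += add_fragment(&r, &first);
    accepted += add_fragment(&r, &tail_ok);
    accepted += add_fragment(&r, &tail_bad);
    return accepted;                   /* 2: the oversized tail is rejected */
}

int main(void)
{
    printf("fragments accepted: %d\n", demo());
    return 0;
}
```

    The point of fragment_fits() is that the bound is checked against the
    datagram limit the buffer was actually allocated for, not against the
    individual fragment's length, which is what lets a set of individually
    small fragments add up to more than 65535 bytes.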
    
    
    
    -=-
    
    
    
    Forwarded from: Mark Hahn <MHahn@private> 
    
    At 05:10 AM 2/25/2004, InfoSec News wrote:
    > Security Architect and Chief Technology Officer of Microsoft's
    > Security Business Unit David Aucsmith [speaking at the e-Crime
    > Congress in London on Tuesday, Feb 24, 2004] ... stressed
    > that many of the current security issues could not have been
    > foreseen.
    >
    > Windows 95 was written without a single security feature, he said,
    > as it was designed to be totally open to let users connect to other
    > systems. Furthermore, the security kernel of the Windows NT server
    > software was written before the Internet, and the Windows Server
    > 2003 software was written before buffer overflows became a frequent
    > target of recent attacks, he said.
    
    What a piece of total dreck! What a complete re-write of history!!!
    
    When Windows 95 was written there were many flavors of UNIX software
    (BSD, SunOS, early Linux, etc.), all of which were more secure than
    Windows XP is today, with full-featured Internet tools (web browsers
    and servers, email clients and servers, FTP clients and servers,
    etc.).
    
    The Microsoft operating system product line has been dragged kicking
    and screaming into all the major "innovations" that are touted as
    features of the NT-OS based product line: Multi-tasking, networking,
    disk file sharing, security, etc. These were all well developed in
    competing products prior to their introduction in a Microsoft
    operating system.
    
    I find it offensive that he claims these issues could not be foreseen
    at the time this software was written. The only people who did not
    foresee this were the boys in Redmond.
    
    (I guess I should have waited for Microsoft to release version 2.0 of
    history before I started using it, eh?)
    
    -MpH
    
       --------
    Mark P. Hahn, CISSP                 MHahn@private
    Chief Technical Officer             609 716 9320
    TCB Technologies, Inc.              Princeton Junction, New Jersey, USA
    
    
    
    -=-
    
    
    
    Forwarded from: security curmudgeon <jericho@private>
    
    I think you got the URL wrong. Shouldn't this be some tabloid, not
    Infoworld? Surely this was meant as pure humor?
    
    : http://www.infoworld.com/article/04/02/24/HNunderattack_1.html
    :
    : By Scarlet Pruitt
    : IDG News Service
    : February 24, 2004
    :   
    : LONDON -- Businesses worldwide face increasing threats from cyber
    : criminals attempting extortion and fraud because the software running
    : their systems makes them vulnerable, Microsoft Corp.'s top security
    : architect told attendees at the e-Crime Congress in London Tuesday.
    :
    : Even while still walking to the podium, Security Architect and Chief
    : Technology Officer of Microsoft's Security Business Unit David Aucsmith
    : readily admitted that he is considered a "target" for complaints against
    : his company's software, but he also stressed that many of the current
    : security issues could not have been foreseen.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 02:16:16 PST