[ISN] IT Wrestles with Microsoft Monoculture Myopia

From: InfoSec News (alerts@private)
Date: Tue Sep 12 2006 - 22:47:54 PDT


http://www.eweek.com/article2/0,1895,2014205,00.asp

By Ryan Naraine
September 10, 2006

When Microsoft announced in March 2006 that it would add code-scrambling 
diversity to make Windows Vista more resilient to virus and worm 
attacks, you could almost visualize a wry smile from Dan Geer.

Geer, a computer security guru with a doctorate in biostatistics from 
Harvard University, lost his job as chief technology officer of 
consulting company @Stake in 2003 after co-authoring a report that 
blamed Microsoft's operating system monopoly and complex code base for 
the frailty of the Internet.

Exactly three years later this month, Geer insists that the risks 
associated with Microsoft's virtual monoculture remain the same, but a 
quick glance at the future direction of the world's largest software 
maker gives Geer a sense of "total vindication."

Indeed, three years ago on Sept. 24, Geer penned "CyberInsecurity: The 
Cost of Monopoly," a 25-page report he co-authored with a who's who of 
computer security experts, including celebrated cryptographer Bruce 
Schneier and intrusion detection systems specialist Rebecca Bace.

The crux of the report was that software diversity was core to securing 
the Internet.

The group cautioned that the only way to prevent "massive, cascading 
failures" was to avoid the Windows monoculture.

"Because Microsoft's near-monopoly status itself magnifies security 
risk, it is essential that society become less dependent on a single 
operating system from a single vendor," the report said.

In many ways, Geer's report was prescient, as Microsoft has become a 
huge target for hackers. Meanwhile, Microsoft has adopted some of the 
tactics recommended to diversify code.

"In just under three years, the idea went from something you can get 
fired for to a research priority for [the U.S. government] and a product 
plan at Microsoft," Geer, of Cambridge, Mass., said in an interview with 
eWeek.

"You look at what they're doing with randomizing Vista and all the signs 
around virtualization, [and] it's real vindication for us."

He was referring to the addition of ASLR (Address Space Layout 
Randomization) to Windows Vista, a security feature that randomly 
arranges the positions of key data areas to prevent malicious hackers 
from predicting target addresses.

The technique, known as memory-space randomization, will block the 
majority of buffer overflow tricks used in about two-thirds of all worm 
attacks and, even more importantly, will effectively create software 
diversity within a single operating system.

Despite wide recognition that software diversity is important, progress 
is slower than expected.

Ten days after the Geer report garnered publicity, the U.S. House of 
Representatives held a hearing that included an interrogation of the
Department of Homeland Security on the subject of monoculture, and the 
National Science Foundation, an independent federal agency, pumped 
$750,000 into a study on cyber-diversity for computer systems as a way 
to fend off malicious viruses, worms and other cyber-attacks.

The result? Despite all that talk, the DHS remains a Windows shop and 
Microsoft's flagship operating system still commands a whopping 97 
percent share of the desktop security market. Businesses dabble with 
alternatives such as Linux but remain tethered to Windows. Why?

Despite the initial hubbub over the report, businesses are betting that 
the costs associated with diversification are greater than the returns 
from implementing technology that could be more secure yet potentially 
harder to manage.

"We haven't changed much. I'd argue that we're at even more risk today 
than we were in 2003," said Schneier, chief technology officer and 
founder of Counterpane Internet Security, in Mountain View, Calif. "We 
have a culture of ignoring serious warnings until it's way too late."

Schneier, who did stints at the Department of Defense and Bell Labs, 
said the monoculture risk exists beyond the desktop. "Windows has pushed 
into mobile devices, into embedded systems, into noncomputer CPUs. The 
threat of that cascading failure is even truer today," he said.

Even though the argument made in the report remains as valid as ever, 
diversity has been elusive because, as Schneier put it, "monoculture is 
attractive because it is cheaper."

"It's hard and it's expensive [to diversify]. Yes, it's less secure, but 
you only have to support one thing when you embrace monoculture. It
always boils down to economics," he said.

Geer said there are two options available to government and enterprise 
security systems: Embrace monoculture and get consistent risk management 
because everything is the same, or run from monoculture in the name of 
survivability.

"Today, we're relying on picking up the pieces," Geer said, adding that 
it's much cheaper for a CEO to invest in anti-virus, anti-spyware, 
anti-spam and patch management solutions.

"We've committed all our eggs to a basket named 'patch management,' or 
we're looking to virtualization to help wipe and reinstall after 
[malware] infection," he said.

For Andre Gold, director of information security at Continental 
Airlines, monoculture and security became a hot topic in 2003 after the 
SQL Slammer worm disrupted operations at the Houston air carrier.

"From a pure-play security perspective, we had to answer that question. 
Do we want to diversify to keep things running when another attack came 
along or stay with the monoculture and invest in securing it," Gold said 
in an interview with eWeek.

"It came down to economics. It's not easy to click your fingers and say, 
'Windows is a liability; let's just switch.' You soon realize you have 
to spend even more to get specialized staff for each computing 
environment," Gold said.

Several CISOs (chief information security officers) interviewed by eWeek 
echoed Gold's sentiments, stressing that budgeting considerations always 
play into security decision making.

"I can't spend my entire budget trying to diversify and not have 
resources to secure them all. That's not practical," said one security 
executive affiliated with a high-profile financial institution.

Gold's situation rings true for John Pescatore, an analyst at Gartner, 
in Stamford, Conn. "The cost of ownership skyrockets because of 
diversity," Pescatore said. "The economics says to standardize, 
standardize, standardize."

Pescatore said that the debilitating network worm attacks of 2003 and 
2004—Slammer, Blaster and Sasser—forced businesses to think seriously 
about the monoculture risk but that the combination of Microsoft 
security improvements, a predictable update release cycle and patch 
management tools makes it "much cheaper to deal with a single platform."

Richard Stiennon, founder and chief research analyst at IT-Harvest, of 
Birmingham, Mich., said the monoculture issue remains a front-burner 
topic in his discussions with clients. "I always recommend different 
platforms for different purposes, even with all the economic 
considerations associated with that," Stiennon said.

"We have not done much to heed [Geer's] warning other than spend a lot 
of money to protect the monoculture," he said.

However, there are signs of progress. Even today, beyond the desktop 
operating system, Gartner's Pescatore said that there is more 
heterogeneity in Internet-facing applications.

"Firefox continues to gain market share, and the Apache Web server has 
higher market [share] than [Microsoft's] IIS," Pescatore said, arguing 
that the threat landscape has changed significantly from the days when 
malicious attackers were launching disruptive network worms.

As network administrators ponder the end of the worm era, for-profit 
malware attacks have grown dramatically. According to information culled 
from Microsoft's MSRT (Malicious Software Removal Tool), the biggest 
threat on the desktop comes from bots and Trojans that hijack computers 
for use in botnets.

David Cole, a senior director in Symantec's security response unit, in 
Santa Monica, Calif., said his unit's virus hunters are seeing about 800 
botnet command-and-controls daily, each commandeering as many as 25,000 
infected machines. "The order of magnitude of the botnet problem is 
immeasurable," Cole said in an interview.

Using Symantec's numbers, Geer estimated that more than 15 percent of 
all desktop computers are controlled by malicious hackers.

"You can look at it two ways. We're not seeing worms because the 
protections are getting better. Or, the people who were writing worms 
have figured out they can own the machine forever and make money from 
it," Geer said. "I think the botnet operators already have all they can 
eat."

Given that businesses have been slow to diversify, security fully rests 
with Microsoft's ability to secure Vista, and the early signs are 
promising.

As part of an ambitious mission to make Vista the "most secure operating 
system ever," Microsoft made a series of significant tweaks to help 
thwart the spread of malware.

The most important change, called UAC (User Account Control), is a 
default setting that separates standard user privileges and activities 
from those that require administrator access, making it nearly 
impossible for virus writers to execute harmful code in sensitive parts 
of the operating system.

Microsoft also summoned the crème de la crème of the hacking community 
to its Redmond, Wash., campus to launch simulated attacks against Vista 
and implemented a new strategy called Windows Service Hardening that 
aims to reduce the risk of wormable flaws through improved testing and 
development processes.

Independent security researchers—including some of Microsoft's harshest 
critics—have given Vista's security makeover a big thumbs up. "There's 
no doubt that Microsoft is trying to step up to the plate," said Rick 
Fleming, chief technology officer at San Antonio-based security company 
Digital Defense.

"They made huge strides with [Windows XP] SP2, and I think Vista will 
push the envelope even more."

Dave Aitel, a staunch open-source advocate and vulnerability researcher 
at penetration-testing company Immunity, of Miami, said he believes the 
most vital security upgrades will come from advancements in computer 
hardware.

Aitel cited the NX (No eXecute) technology being built into chips from 
Intel and Advanced Micro Devices that will effectively prevent code 
execution within data pages such as default heaps, stacks and memory 
pools.
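The ASLR and NX features described above are both opt-in per binary on Windows: the linker records them in the PE optional header's DllCharacteristics field, and a defender auditing a build can read those flags directly. The following checker is an added example, not code from the article; the flag values (DYNAMIC_BASE 0x0040, NX_COMPAT 0x0100, and the COFF RELOCS_STRIPPED flag 0x0001, which defeats relocation and therefore randomization) are the documented PE constants, and build_header constructs a minimal, non-loadable header purely as sample input.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics flag
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report ASLR/NX opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_opt, file_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if size_opt < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # the loader can only randomize an image it is still able to relocate
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_header(dll_chars: int, file_chars: int = 0, magic: int = 0x10B) -> bytes:
    """Constructed sample input: a minimal PE header, not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows the DOS header
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print(pe_mitigations(sample))
```

Running it against a real file is a matter of passing `open(path, "rb").read()` to pe_mitigations; a binary that sets DYNAMIC_BASE but has relocations stripped shows up as not effectively randomized.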

John Quarterman, a risk management expert at InternetPerils who co-wrote 
the report with Geer in 2003, was dismissive of any suggestion that the 
Internet has become safer because of Microsoft's software security 
improvements.

"We have criminal entrepreneurs doing big, big business on the Internet, 
using computers that are not secure. This is not rocket science; this is 
an effect of the monoculture," said Quarterman in Austin, Texas.

Rebecca Bace, another co-author of the monoculture warning, said she 
sees Microsoft's aggressive push into virtualization technology and gets 
the feeling that the company "is coming around."

Citing a recent Gartner report that predicted Vista will be the final 
version of Windows in the current, monolithic form, Bace said it's clear 
that Microsoft understands that virtualization can help to break the 
monoculture.

"They're now saying, 'Perhaps this is a way we can defend ourselves,'"
said Bace in Scotts Valley, Calif.

-=-

Cyber-insecurity: Then and now

Three years ago, a report, "CyberInsecurity: The Cost of Monopoly,"
was released. Here's a look at what the report concluded and what has 
changed since.

* Then: "Most of the world's computers run Microsoft's operating 
  systems, thus most of the world's computers are vulnerable to the same 
  viruses and worms at the same time."

* Status: No progress. The world still runs Microsoft, and the malware 
  keeps coming.

* Then: "Because Microsoft's near-monopoly status itself magnifies 
  security risk, it is essential that society become less dependent on a 
  single operating system from a single vendor if our critical 
  infrastructure is not to be disrupted in a single blow. The goal must 
  be to break the monoculture."

* Status: Slow going. Technology executives are dabbling with Linux, but 
  the monoculture is here to stay.

* Then: "A monoculture of networked computers is a convenient and 
  susceptible reservoir of platforms from which to launch attacks."

* Status: Status quo. The convenience of one platform means less 
  management expense. So far, companies are going with lower costs over 
  susceptibility.

* Then: "Governments must set an example with their own internal 
  policies and with the regulations they impose on industries critical 
  to their societies. They must confront the security effects of 
  monopoly."

* Status: Little progress. Capitol Hill hearings and studies into 
  "cyber-diversity" haven't prodded the government to change its 
  reliance on Windows.

Source: "CyberInsecurity: The Cost of Monopoly"; eWEEK reporting


