[ISN] Vista Aims to Stop Hackers' Social Engineering Ploys

From: InfoSec News (alerts@private)
Date: Wed Jan 17 2007 - 22:07:21 PST


By Matt Hines
January 16, 2007

News Analysis: Microsoft maintains that by addressing the social aspect 
of IT attacks, the portion that can dupe even the smartest users into 
launching malware-laden attachments or clicking unknown URLs, Vista will 
improve PC security significantly.

Microsoft says the Windows operating system software is not the weakest 
link in desktop security, and contends that Windows Vista will help 
limit the greatest vulnerability of allusers' bad decision-making.

While previous iterations of Microsoft's dominant operating system hit 
the market with an abundance of security loopholes that left users open 
to many different forms of attack, Microsoft officials said new features 
offered in Vista will not only make it harder for malware writers attack 
the OS, but will also make it more difficult for users to hang 
themselves out to dry.

Executives pointed to Microsoft's SDL (Security Development Lifecycle) 
program as an attempt to root out many of the coding flaws that have 
left gaping security holes in previous versions of Windows during 
development, and said the primary thrust of the security tools added in 
Vista has been to help customers help themselves.

>From its UAC (User Account Control) feature, which is meant to limit the 
ability of viruses to gain access to administrator status on desktops, 
to the anti-phishing filters built into the newly released Internet 
Explorer 7 browser, Microsoft has attempted to give users the mechanisms 
they need to do a better job of watching their own backs, said Ben 
Fathi, the Redmond, Wash., company's vice president for the Windows core 
operating system.

Microsoft doesn't expect that Vista will be tight enough to evade all 
forms of malware, despite all the work done to shut holes via the SDL 
program, Fathi said, but it does believe it has given users the right 
set of warnings and tools to help better police their own habits.

"The weakest link in the security of any system is the end user. It 
seems like we're putting them down, but, realistically, there's a lot we 
can do in technology to secure our products, but as long as user can be 
tricked into clicking a link or going to an unknown Web site, we're at 
risk," Fathi said. "We think that by helping users protect themselves 
better, we can make a big dent in the current methods of attacks being 
used by hackers."

Zero-day exploits and self-cloaking rootkits may be all the rage at the 
most complex end of the malware spectrum, but most users encounter PC 
security issues because they fall for social engineering tactics and 
make mistakes such as opening malware e-mails sent from spoofed domains 
of familiar sources and following links to Web pages that offer viruses 
and other attacks along with their advertised content, Fathi said.

UAC promises to help users prevent viruses from spreading within a 
machine by prompting the user to approve nearly every change to the 
system such a program might try to make. Whereas programs that tap into 
a machine's administrative controls to advance their reach largely 
operated in secret before Vista, users will now have the ability to shut 
the attacks down as they try to proliferate, Microsoft claims.

The anti-phishing technologies in IE 7 utilize onboard heuristics, as 
well as site-blocking capabilities based on traditional black- and 
whitelists, to give users an idea of the security status of every site 
they attempt to access. Known malware and phishing sites are 
automatically blocked, whereas every other site gets a red, yellow or 
green rating, based on the characteristics it exhibits to the browser.

Other security features integrated into Vista include Microsoft's 
Windows Defender spyware scanning and removal tool, and its BitDefender 
drive encryption system, which aims to help protect data in the case of 
stolen devices.

In the past, even users with great technical expertise or aggressive IT 
administrators looking out for them still often ended up falling for the 
most convincing forms of online fraud, but the additional layer of 
protection will stop most criminal efforts before malware can land on 
the desktop, according to Microsoft.

If users allow themselves to be drawn into a phishing site that has the 
browser flashing red around the edges, they should place much of the 
blame on themselves, not the operating system, Fathi said.

Some security vendors are already criticizing Vista's onboard security 
components, with anti-virus market leader Symantec calling UAC too 
chatty to have a significant impact on safety, predicting that users 
will come to ignore the many warnings the system produces. Since the 
volume and complexity of the UAC security warnings will overwhelm most 
users, and potentially leave enterprise IT administrators drowning in a 
sea of related help tickets, many users will simply opt to run with the 
system off, Symantec officials said.

In order to maximize the usefulness of UAC, Symantec said it is 
currently developing products that will manage UAC and the other Vista 
security tools to make them less obtrusive.

However, some experts say they believe the attempt to limit the social 
aspect of IT threats will strike many people as positive, useful and 
adequate. Lee Nicholls, global solutions director for consultant firm 
Getronics, said he believes that all but the most demanding customers 
will be encouraged by the work that Microsoft has done.

Part of Nicholls' job is helping to select the products that Getronics 
recommends to its customers, and he said the firm will encourage 
businesses to utilize Vista's onboard protections. Nicholls works at 
Microsoft's Redmond, Wash., campus, where he studies all of the software 
maker's latest technologies.

"We've seen all this technology provided for Windows before by 
third-party vendors, but customers were forced to figure out numerous 
processes for troubleshooting between applications, which created some 
additional security issues," Nicholls said. "Now all the management is 
there in the product, which makes it easier for end users, and for us, 
to try to solve problems as they arise."

While Getronics will continue to work with aftermarket security vendors 
and consider products such as Symantec's that promise to improve Vista's 
protections, he said that most users will be satisfied with the onboard 
tools, and that this may shift buying patterns when companies formulate 
their future IT security budgets.

"At the client security level, I honestly believe that Vista will 
probably provide enough protection for most companies to feel 
sufficiently safe, and move away from traditional third-party tools," 
Nicholls said. "This will encourage companies to spend more money on 
their perimeter solutions as client security becomes less of an issue; 
whereas before companies spent a lot of time and money integrating 
anti-virus, with Vista they can shift their focus to adding security 
services at the edge of their operations."

Even analysts who have been critical of Vista's security features during 
their development said the IT market landscape will change as a result 
of all the work Microsoft has done.

Andrew Jaquith, an analyst for Yankee Group Research, said UAC and other 
features may be seen as an obstruction by some users, but he believes 
that anti-virus software makers and other vendors will need to rethink 
their own product strategies as a result of Vista.

"Obviously there will still be a lot of opportunities for third-party 
companies to make improvements to the security capabilities in Vista, 
and to lend additional tools that Microsoft hasn't yet included in the 
OS," he said. "But I think these third parties should focus on building 
those products that help, instead of nitpicking what Microsoft has 
already done; the Vista world will be very different for Windows users 
and for the security industry, it's new footing for everyone."

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 22:27:13 PST