Brian Valentine says he's not proud
by Matt Berger
Thursday 5 September 2002
SEATTLE - The senior vice president in charge of Microsoft's Windows development team has reason not to be. One of his most notable works, the Windows 2000 operating system, has a security record that is nothing to boast about. In fact, it's downright dismal, many experts say.
Security bulletins warning of holes and vulnerabilities in Microsoft operating systems are a regular occurrence. Late Wednesday, the company released a bulletin warning of a flaw in its digital certificate technology that could allow attackers to steal a user's credit card information. It is the second security bulletin to be issued this month.
In August, Microsoft warned in one of the eight security bulletins issued that month that many of its customers had experienced “an increased amount of hacking” in their various Windows systems. The Redmond, Wash., company has yet to identify the root of the problem, saying only that it has noticed some major similarities between the string of hack attacks.
“As of August 2002, the PSS [Product Support Services] Security Team has not been able to determine the technique that is being used to gain access to the computer,” the company wrote in its security bulletin posted on August 30.
In short, Microsoft is stumped.
It is a case in point of the problems that the company is currently facing as it struggles to release more secure code around its new generation of .Net software and win redemption from customers who have been burned by buggy products. Its latest attempt to fight the problem is embodied in a company-wide effort called the Trustworthy Computing Initiative. As that effort lumbers to show results, the company is filling in the gaps with apologies.
“I'm not proud,” Valentine said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. “We really haven't done everything we could to protect our customers … Our products just aren't engineered for security.”
The Windows 2000 operating system has been pummeled by a continual stream of security holes, some so widespread that they have caused major damage to computer systems around the world. Most notable are the Code Red and Nimda worms, which exploited vulnerabilities in the IIS Web server that ships with the operating system.
Customers seem to agree that Microsoft's spotty record with security has been a detriment to their own development of computer systems. One Windows systems consultant here, who wished to remain anonymous, said that security issues with Microsoft's IIS (Internet Information Server) Web server have left a bad taste in many customers' mouths.
“Some of the customers I've worked with simply won't use IIS,” the systems consultant said. “That's bad for us. We're losing business because of it.”
Microsoft's Trustworthy Computing Initiative, which was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, has become the blanket program that resulted from Microsoft's revelations. With the launch of the initiative, Microsoft halted production on new code in all of its products and charged employees with scanning through every line of existing code in search of vulnerabilities.
“We realized that we couldn't continue with the way we were building software and expect to deliver secure products,” Valentine said.
But the company is dealing with a problem that isn't going away anytime soon. Valentine noted here that as the company works to shore up its products, the security dilemma will evolve with more sophisticated hackers.
“It's impossible to solve the problem completely,” Valentine said. “As we solve these problems there are hackers who are going to come up with new ones.
“There's no end to this,” he said.
During Microsoft's early years, security didn't drive the way the company built its software, said Michael Cherry, lead systems analyst at independent research company Directions on Microsoft.
“If you go back a few years, unless you were working on login at Microsoft, you really didn't worry about security. The risk wasn't worth the effort,” Cherry said.
One reason is that many of the early hackers who drilled into Windows didn't disrupt business with their attacks, Valentine noted. Rather, they were just out for glory. But in the past year, many of the attacks launched against Microsoft software, most notably the Code Red and Nimda worms, have been malicious, going after business processes and in many cases shutting them down.
“They went from glory hackers to what I call digital terrorists,” Valentine said.
Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.
Adam Kolawa, CEO of ParaSoft, a company that makes error-prevention tools used by IBM, said Microsoft has long ignored the problem of fixing code while it is being produced. “Microsoft is paying lip service to this problem,” Kolawa said.
It is not only Microsoft that is to blame for the creation of faulty software, said Chandra Mugunda, a software consultant with Dell Computer in Round Rock, Texas, who attended Valentine's presentation here.
“It's an industry-wide problem, it's not just a Microsoft problem,” he said. “But they're the leaders, and they should take the lead to solve these problems.”
Valentine, too, took the opportunity to point out the widespread bugs that have been discovered in competing operating systems such as Linux and Unix.
“Every operating system out there is about equal in the number of vulnerabilities reported,” he said. “We all suck.”
by Bruce Schneier
Monday 13 December 2004
I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, “Nothing–you're screwed.”
But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.
General: Turn off the computer when you're not using it, especially if you have an “always on” Internet connection.
Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data - including passwords and PINs - on PDAs than they do on laptops.
Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.
Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files “command.com” and “cmd.exe.”
Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.
Web sites: Secure Sockets Layer (SSL) encryption only protects your data on its way to the vendor. It does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.
Think before you do business with a Web site. Limit the financial and personal data you send to Web sites - don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.
Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.
Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.
Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
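The advice above is about where the password goes, not just what the address bar shows: an https page can still post a login form to an http address, and a relative form action inherits the page's scheme. The following check, added here as an illustration and not part of Schneier's essay, parses a page's forms and reports every password form whose resolved submit URL is not https. The host names and HTML are constructed for the example.

```python
"""Flag password forms that would submit credentials over plain HTTP.

Added example (not from the original essay). The page URL and HTML below are
constructed for illustration; bank.example is a hypothetical host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect [action, has_password_field] for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one [action, has_password] entry per <form>
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input type="password"> (any case) marks this as a login form
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, html):
    """Return the absolute submit URLs of password forms not using https.

    The action is resolved against the page URL, so "" (submit to self) and
    relative paths inherit the page's scheme, while an absolute http action
    on an https page is caught.
    """
    collector = FormCollector()
    collector.feed(html)
    insecure = []
    for action, has_password in collector.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            insecure.append(target)
    return insecure


# Constructed sample page: one good form, one that leaks to a legacy http host,
# and a search form with no password field (ignored).
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<form action="/session" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="http://legacy.bank.example/login" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_password_forms(SAMPLE_URL, SAMPLE_HTML):
        print("password form submits over plain HTTP:", url)
```

Run against a saved copy of a login page, the function reports only forms that both contain a password field and resolve to a non-https target; a page served over https whose form posts to an http address is exactly the case the essay warns about.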
E-mail: Turn off HTML e-mail. Don't assume that an e-mail actually comes from its “From” address.
Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar “good for a laugh” files forwarded by your well-meaning friends; again, immediately delete them.
Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to “high” and don't trust any received files unless you have to. If you're using Windows, turn off the “hide file extensions for known file types” option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.
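To make the “hide file extensions” and Scripting Host points concrete: with that Explorer option on, a file named funny_cartoon.jpg.exe is displayed as funny_cartoon.jpg, and a double-click on readme.txt.vbs hands the file to the Windows Scripting Host. The following check, added here as an illustration and not part of the essay, models what Explorer would display and flags attachment names whose visible part looks like a document while the real extension is an executable or a WSH script. The extension sets are assumptions chosen for the example, not a complete list, and the attachment names are constructed.

```python
"""Spot attachment names that abuse Explorer's hidden-extension display.

Added example (not from the original essay). Extension sets are assumed for
illustration; the sample attachment names are constructed.
"""
import os

# Extensions Windows runs directly on double-click (assumed set).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi", ".hta"}
# Extensions dispatched to the Windows Scripting Host by default (assumed set).
WSH_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions a user reads as a harmless document or media file (assumed set).
DOCUMENT_EXTS = {".pdf", ".doc", ".txt", ".jpg", ".jpeg", ".gif", ".avi", ".mpg"}

KNOWN_EXTS = EXECUTABLE_EXTS | WSH_EXTS | DOCUMENT_EXTS


def real_extension(name):
    """The extension Windows actually uses to pick a handler: the last one."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name):
    """Model Explorer with 'hide extensions for known file types' enabled.

    The final extension is stripped if it is a known type, so whatever
    precedes it (often a second, benign-looking extension) is what the user
    sees. Trailing spaces used to push the real extension out of view are
    stripped too, since the user never sees them.
    """
    stem, ext = os.path.splitext(name)
    if ext.lower() in KNOWN_EXTS:
        return stem.rstrip()
    return name


def classify(name):
    """Return 'masquerade', 'script', 'executable' or 'ok' for a file name."""
    ext = real_extension(name)
    shown_ext = real_extension(displayed_name(name))
    if ext in EXECUTABLE_EXTS or ext in WSH_EXTS:
        # Hidden-extension trick: the visible name ends in a document type.
        if shown_ext in DOCUMENT_EXTS:
            return "masquerade"
        return "script" if ext in WSH_EXTS else "executable"
    return "ok"


def scan(names):
    """Classify every name in a list, e.g. the attachments of one message."""
    return {name: classify(name) for name in names}


# Constructed sample attachment names (not taken from real mail).
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "funny_cartoon.jpg.exe",
    "holiday_video.avi                          .scr",
    "readme.txt.vbs",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:11} shown as {displayed_name(name)!r}  real {name!r}")
```

The verdict depends on the last extension only, because that is the one Windows dispatches on; everything before it, including a padded run of spaces, is just what the victim gets to look at.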
Antivirus and anti-spyware software: Use it - either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to “daily.”
Firewall: Spend $50 for a Network Address Translation (NAT) firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.
Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.
None of the measures I've described are foolproof. If the secret police want to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.
I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.
I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.
That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.
By Jonathan Krim, Washington Post Staff Writer
Friday 26 September 2003
A technology executive whose company does business with Microsoft Corp. has been forced out of his job after he helped write a cybersecurity report critical of the software giant, according to sources with knowledge of the situation.
Massachusetts-based AtStake Inc., a computer security firm, said yesterday that chief technology officer Daniel R. Geer Jr. is “no longer associated” with the firm. A company statement added that Geer's participation in preparation of the report was not sanctioned by the firm, and that “the values and opinions of the report are not in line with [AtStake's] views.”
Reached at home, Geer said he could not comment on his departure.
Geer was one of several corporate and academic security experts who wrote the report, which argues that Microsoft's dominance over personal-computer operating systems and other software programs makes it easier for malicious hackers to attack millions of machines and networks at once.
The authors made it clear when the report was released Wednesday that they were speaking for themselves, not the companies or organizations they are affiliated with. They challenged policymakers to evaluate Microsoft's monopoly, and its efforts to “lock in” users to its programs by bundling them together, as the world grapples with an alarming rise of crippling computer worms and viruses.
The report also suggests that governments and companies diversify their software and use their purchasing power to force Microsoft to make its programs work better with competing products.
Some of the report's authors are longtime Microsoft critics, as is the Computer and Communications Industry Association (CCIA), a trade group that has been arranging publicity for the study but did not commission it.
But those efforts were somewhat thwarted yesterday when a national technology magazine rejected the group's request to distribute copies of the report to its subscribers.
The magazine, CIO (short for chief information officers), routinely “rents” its subscriber lists – for a fee – to firms wanting to distribute targeted advertising and marketing messages to its audience of executives responsible for running corporate and government computer systems.
After receiving the report so that it could be e-mailed to the subscriber list, the magazine informed CCIA representatives that the paper was “too sensitive” and turned away the business.
Karen Fogarty, a CIO spokeswoman, said the magazine always reviews material that clients want distributed, and reserves the right to reject it. She said the report “seemed to be too one-sided” for a publication that prides itself on balanced reporting.
At the same time, the editor for the magazine's Web site posted a poll asking readers what they thought of the report, which he linked to through the CCIA Web site.
Microsoft advertises extensively in CIO, although Fogarty said she could not specify how much the company spends with the magazine. She said the decision not to distribute the report had nothing to do with advertising concerns.
Microsoft spokesman Sean Sundwall said he could not comment on whether the company had discussed the issue with CIO until he received further information.
Microsoft has paid AtStake for software evaluation research, but Sundwall said that “to the best of our knowledge, no one from Microsoft contacted [AtStake] or Dan Geer regarding this report.”
Lona Therrien, an AtStake spokeswoman, declined to discuss Geer's sudden departure. She said the company had no conversations with Microsoft about Geer or the report.
But Sundwall said that on Tuesday night, when notice of the report's pending release was circulated, “Microsoft was contacted by [AtStake] officials . . . expressing their disappointment in the report and saying that Dan Geer's opinion did not reflect the position of [AtStake] and its commitment to an ongoing relationship with Microsoft.”
Another AtStake official did television interviews yesterday to express disagreement with the report.
Microsoft has said it disagrees with the substance of the report, noting that the CCIA supports antitrust actions against the company in the United States and Europe. And trade groups funded by Microsoft swung quickly into action to denounce it.
In a statement, the Computing Technology Industry Association said the report is flawed by “myopically looking to technology (i.e., 'bad' software OS) instead of addressing the underlying cause – human behavior – for cyber breaches.”
Edward J. Black, president of CCIA, responded that Microsoft's reaction “if anything, underlines the importance and credibility of the report and its authors.”
One of the report's authors, John S. Quarterman, founder of Matrix NetSystems Inc., called Geer's departure unfortunate, but said it does not alter the substance or impact of the report.
“On the Internet, worms and viruses can do more harm in a monoculture,” he said. “This is not theoretical.”
Here is the report: Cyberinsecurity: The Cost of Monopoly.
Friday 22 November 2002
The Windows 2000 platform has obtained a Common Criteria certification at Evaluation Assurance Level 4 (EAL4) for computer security. Understanding the Windows EAL4 Evaluation is an authoritative commentary by Jonathan S. Shapiro. In short: for years security experts have been saying that the Windows product family has a decidedly inadequate level of security, and now there is a rigorous government certification that confirms it. Two documents are also available that are needed to understand what the certification means. Controlled Access Protection Profile 1.d is the security profile against which the certification was obtained; it is a fairly complex document, but it is where one finds out how secure the certified system is and against what. The Common Criteria ISO/IEC 15408 explains what it means to reach level 4 (on a scale of 1 to 7) against the chosen security profile. Two points worth keeping in mind when reading them: the EAL measures how rigorously the product was evaluated, not how strong its protections are, and the CAPP explicitly assumes cooperating, non-hostile users in a well-managed environment, so it says nothing about resistance to the network attacks that actually plague Windows deployments.
How the Dominance of Microsoft’s Products Poses a Risk to Security
Wednesday 24 September 2003
A report on computer security centred on the risks that the Microsoft monoculture imposes on society as a whole: an analysis of the risk and proposals for tackling the problem. One of the authors, Dan Geer, lost his job the day after the report was published: he was employed at @Stake, a firm that receives substantial contracts from Microsoft. The Computer & Communications Industry Association, which had arranged publicity for the report, intended to distribute it by e-mail to the subscribers of the magazine CIO (Chief Information Officer). The magazine, which routinely “rents” its subscriber list to companies in the IT sector, Microsoft included, refused to hand over the list.
A Washington Post article on the affair: Microsoft Critic Forced Out.