• On BNET: 9 ways to make the most of Chrome
advertisementAT&T Tech Support 360

(continued from previous page)

News.com special report:

Securing Microsoft: A long road

Tell us what you think about this storyTalkBack    E-mail this story to a friendE-mail    Add to your del.icio.usdel.icio.us    Digg this storyDigg this

(continued from previous page)

In many ways, the deck is stacked against those trying to keep users safe. Whether it is fixing a bug or persuading users not to fall for a new social-engineering attack, defenders need to protect everyone, whereas success for attackers might mean finding only a tiny percentage of people to make its prey.

"We need to (protect people) at scale and an attacker doesn't need to do it at scale," Thomlinson said.

Window Snyder, a former Microsoft security team leader now at Mozilla, said that one way to combat the scale problem, is by ramping up on the defensive side as well. For example, she said, some 20,000 people are testing nightly builds of Firefox, offering the ability to see code--and security patches--in real-world use far sooner.

"I think there is a real opportunity to improve how quickly fixes are available and how easy it is for users to deploy them," Snyder said. One example she pointed to is the feature in Firefox that saves exactly where a user is before an update is installed. Because they get taken right back where they were, she said, users are willing to install updates more quickly, decreasing the time that there are vulnerable systems for attackers to target.

"I think there is a real opportunity to improve how quickly fixes are available and how easy it is for users to deploy them."
--Window Snyder, Mozilla

Microsoft and others have also tried to do that, particularly in the anti-malware arena. Both the phishing filter in Internet Explorer and the Windows Defender antispyware program built into Vista are based on the real-world experiences of millions of users.

Another challenge for Microsoft and others tackling software security stems from the basic design of the Internet, Chairman Bill Gates told CNET News.com. The Internet, he said, was designed with its primary goal being to ensure resiliency and redundancy, not security. The network's openness and assumption that routers are who they say they are mean that security must be added as a separate layer.

"Of course, the early years, when it was used primarily in universities or small scale, those issues didn't come up because it was mostly people with good intent," Gates said. "Now that it's the way we do commerce and everything is there, that assumption no longer holds."

And, it is not just the attacks themselves that are changing, though. It's also the business.

A decade ago, many security attacks were launched by skilled programmers looking to see if they could poke holes in software and garner some notoriety.

Paul Wood, a security analyst for MessageLabs, said the structure of the "shadow" economy has changed. At one time, lone hackers created an exploit, developed malicious software, and then launched an attack. Now, there is segmentation. There might be one organization with a botnet of zombie computers that rents itself out, while another organization specializes in the actual writing of malicious software, as yet another group collects the credit card or other personal information.

One clear example of the economy that has sprung up around security threats is WabiSabiLabi, an outfit that has set up an eBay-style auction for software vulnerabilities. If it takes off, it means that software vendors may find themselves having to outbid hackers to get a hold of newly discovered flaws.

Risks versus economic opportunity
Part of the reason such a large economy has sprouted up is that the economic opportunity is huge and the risks of getting caught have actually gone down--particularly because law enforcement operates along geographic lines, while the Internet knows no such boundaries.

That places a huge burden on preventing a machine from being taken over in the first place, Kaminsky said. "You are not going to be able to find the guy," he said.

It's also because of new opportunities, such as creating botnets that then perpetrate click fraud, for example, and generate revenue from companies like Google.

"The threats are currently moving away from Microsoft because Microsoft has outspent everyone."
--Halvar Flake, CEO, Zynamics

"You have evolved financial models that are insanely low-risk with shockingly high return," Kaminsky said. "It's not a recipe for goodness."

The profit motive isn't all bad news for defenders. Flake notes that hackers are now keenly aware of the cost of attacking a system relative to the amount of value that can be attracted. That means they are often looking for the cheapest attack, rather than the most technically sophisticated one. In the early days, you had government spies or skilled hackers looking to make their mark who were willing to pour "ludicrous amounts of time" into crafting an attack.

"Attackers are now operating under economic restrictions," he said. That often means that a defense can make would-be crooks go after someone else instead.

That portends good news for Microsoft, Flake said.

"The threats are currently moving away from Microsoft because Microsoft has outspent everyone," he said.

Mobile devices are one area where attacks may increase, Flake said, while predicting that Apple will also face a few rough years now that its market share has grown and more targeted attacks have become the norm. "Apple is where Microsoft was a few years ago. Apple, he said, still has to look forward to the experience of getting "owned"--that is, taken over by hackers--"repeatedly and being made fun of."


Previous page
Page 1 | 2
advertisement
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Best hybrid cars
Cell phones
Dell
GPS
CNET sites
CNET TV
Downloads
News
Reviews
Shopper.com
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET