[ISN] Security is not a PR problem

InfoSec News isn at c4i.org
Fri Oct 21 16:07:47 EDT 2005 

http://www.theage.com.au/news/soapbox/security-is-not-a-pr-problem/2005/10/21/1129775950797.html

By Sam Varghese
Comment
October 22, 2005

(Microsoft general manager for security George) Stathakopoulos takes 
pride in the achievement (number of security bulletins issued), as 
when he notes that he has been involved in shipping more compact discs 
- Windows software - than the Beatles, Rolling Stones and Madonna 
combined. - The New York Times

-=-

Initially, one could well be forgiven for thinking that the sentence 
above was drafted by some spinmeister. It is the last bit in a tale 
about a meeting Microsoft held recently with independent security 
researchers, most of them former black hats. The meeting is called a 
Blue Hat briefing.

This is the second such publicised meeting, part of a media offensive 
to spread the idea that Microsoft is taking security seriously. The 
reality is different.

In January 2002, Microsoft announced what it called a Trustworthy 
Computing Initiative. The term was trademarked, a paper published and 
everyone was made to feel that the company would be taking steps to 
improve the abysmal security of its products. The years 2000 and 2001 
were horror years for Microsoft, with one worm after another affecting 
one product or the other and users taking a beating as the malware 
wreaked havoc.

Three years on, it doesn't look like too much has changed. There is, 
and has, been a lot of talk but the company still appears to treat 
security as a PR issue, much the same way that it did before the 
trademarking of TCI.

Security holes continue to appear as frequently - or sometimes even 
more frequently - as before in Microsoft's products and the only 
reason large-scale disruption doesn't become visible is because those 
who exploit the flaws are nowadays geared towards making money. The 
trend now is more or less uniformly towards using vulnerabilities for 
pecuniary gain - for example, by creating zombies that can be used to 
attack targets.

It is relatively safe to do this: no company which has been held 
ransom in this manner is going to complain. Once a company that does 
business of any kind online is known to have poor security, the 
chances of improving its business prospects often lessen dramatically. 
One of the more recent examples is that of Cardsystems, a US company 
handling credit card validation. A leak of card numbers earlier this 
year has hit the company badly and it is now about to be taken over. 
The company was running its databases on Microsoft's operating 
systems.

Thus the extent of electronic fraud remains largely unknown. And 
companies such as Microsoft are able to boldly claim that flaws in 
their products are not known to have been exploited. Yet it is easy to 
find on the web - at times in password-protected sites - and in 
chatrooms, exploit after exploit for common vulnerabilities that have 
yet to be patched.

eEye Digital Security has for years been informing the public [1]
about holes in Microsoft's products. Right now, there are many in that
list, some pending for nearly seven months. That the company will not
patch these flaws is not surprising; after all, the security advisory
site Secunia estimates that fully 30 per cent of 70 Internet Explorer
flaws posted since 2003 remain unpatched. Security through obscurity
is not possible these days so security through denial is practised
instead.

One way of avoiding the obvious is meeting people from the black hat 
community who have now gone into business for themselves and are no 
longer crackers - these meetings are apparently meant to indicate that 
Microsoft takes security seriously. The Blue Hat briefings have got 
their requisite publicity through largely unquestioning media outlets 
- but whether anything positive actually happens as a result is 
largely unknown. It looks like a means of getting people who could be 
a problem on-side.

And there is of course the positive spin that publications, often 
so-called reputable outlets such as the New York Times (which firmly 
believed in the existence of WMD in Iraq) provide. The quote at the 
start of this piece is one such an example - it's cute. It fudges the 
fact - that security is precisely where it was in 2002 and, in fact, 
is much worse.

The future direction that Microsoft will take has been indicated by 
its choosing executives with strong business and marketing backgrounds 
to head the three divisions of the company, following a reorganisation 
last month. The last genuine techie among the crowd, Jim Allchin, will 
retire next year. And the goal of the restructuring? To get products 
faster to market. Not better products, just those that can come off 
the conveyor belt faster.

The next version of Windows will surely be more secure than its 
predecessors. And I believe strongly that Santa Claus will bring me 
that new laptop for Christmas.

[1] http://www.eeye.com/html/research/upcoming/index.html

More information about the ISN mailing list