Information Security News mailing list archives

Microsoft's hacker bounty is wasted money


From: InfoSec News <isn () c4i org>
Date: Tue, 11 Nov 2003 06:45:52 -0600 (CST)

http://asia.cnet.com/newstech/perspectives/0,39001148,39157414,00.htm

By Robert Vamosi, Special to CNETAsia
Tuesday, November 11 2003 8:24 AM

Commentary: Last Wednesday, Microsoft, the FBI, the U.S. Secret
Service, and Interpol, an international law enforcement organization,
announced a US$5 million reward system for information leading to the
arrest of individuals who write computer viruses.

In particular, Microsoft is offering a quarter of a million dollars to
apprehend the authors of last August's MSBlast and Sobig.f worms.

What a brilliant PR move--something to distract the media from the
latest Windows-based virus, MiMail.c, that's currently loose on the
Internet. Instead of using that same US$5 million to secure the
Windows code you and I use every day, and admitting that it's partly
responsible for the problem, Microsoft has decided to point the finger
elsewhere.

Deja vu

This situation reminds me of the current U.S. anti-drug strategy, in
which the government spends billions of dollars on drug interdiction
and user arrests. While it's important to reduce the flow of illegal
substances on our streets (and I'm not suggesting we legalize all
drugs), such arrests alone are not enough. We also need programs that
address the addictive behavior that creates demand for drugs. By not
focusing on the underlying causes of drug use, we are consequently
losing the war on drugs.

In the same way, Microsoft is taking the wrong approach. Arrests won't
stop viruses from being created, just as they won't stop drugs from
being sold. Microsoft and others could spend US$50 million on rewards,
and we would still have sophisticated Internet worms like SQLSlammer
and MSBlast. The way to stop viruses is to develop secure software.  
Yet, while every operating system is probably vulnerable to some sort
of attack, it's well known that Windows is particularly poor with
respect to security.

Windows XP Home Edition, for instance, ships with its built-in
firewall (which many users don't even know about) disabled by default
and with all its Internet ports open. By comparison, while Mac OS X
doesn't have a built-in firewall, at least it arrives on your computer
with all unnecessary Internet ports closed. The same goes for the
various Linux distributions.

Microsoft, to save time and money, designed Windows XP to be adaptable
for different types of users. But the company should be more cautious
about which features are turned on when the OS ships.

After all, do home users really need all their Remote Procedure Call
(RPC) ports open by default? Do they need network printer and file
sharing enabled? Or for that matter, do they need the Microsoft
Messenger Service turned on? No, they don't. Yet these are the
features by which several recent viruses have infected many home
computers.

How useful?

Looking forward, I see the same sort of thing happening with the new
Microsoft Office System. Many of the new rights-management features
found within Word, Excel, and Outlook are designed to work with an
external server--functionality that most home users, and even many
business users, won't ever use. Nonetheless, Microsoft enabled all its
programs to be open to communications from outside servers, leaving
them vulnerable to attacks.

This blanket policy regarding program functionality is what
contributed to the overnight success of the MSBlast worm last August.  
Most people had never heard of DCOM RPC, nor knew that it should be
disabled for increased security, until MSBlast infected almost every
Windows 2000 and Windows XP user not protected by a firewall.

Microsoft could better use its US$5 million bounty to improve security
on its software. And it wouldn't cost the company anything to, by
default, enable XP's firewall, close all unnecessary ports open to the
Internet, and remove services that the average home user doesn't need.
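The three changes listed above (firewall on, unneeded ports closed, unneeded services off) can be checked on a Windows host with a short audit script. This is an added example, not part of the column; it assumes a Windows 8 / Server 2012 or later host with PowerShell 5+ run from an elevated shell, and uses the well-known port numbers for the services the column names (RPC endpoint mapper 135, NetBIOS session 139, SMB 445).

```powershell
# Added audit example (not from the column). Assumes Windows 8 / Server 2012
# or later (Get-NetFirewallProfile, Get-NetTCPConnection) and PowerShell 5+
# (Get-Service exposes StartType). Run from an elevated prompt.
# Port numbers are the well-known ones for the services named in the text.
$unneededPorts = @{
    135 = 'RPC endpoint mapper (DCOM RPC)'
    139 = 'NetBIOS session (file and printer sharing)'
    445 = 'SMB (file and printer sharing)'
}

$findings = @()

# 1. Firewall: the column's first recommendation is that it be on by default.
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) {
        $findings += "Firewall disabled on profile '$($_.Name)'"
    }
}

# 2. Ports: flag RPC / sharing ports that listen on a non-loopback address.
Get-NetTCPConnection -State Listen |
    Where-Object {
        $unneededPorts.ContainsKey([int]$_.LocalPort) -and
        $_.LocalAddress -notin @('127.0.0.1', '::1')
    } |
    ForEach-Object {
        $findings += "Port $($_.LocalPort) listening on $($_.LocalAddress): " +
                     $unneededPorts[[int]$_.LocalPort]
    }

# 3. Services: the Messenger service should be absent or disabled.
#    (It was removed from Windows after XP, so absence is the expected result.)
$msg = Get-Service -Name Messenger -ErrorAction SilentlyContinue
if ($msg -and $msg.StartType -ne 'Disabled') {
    $findings += "Messenger service present with start type $($msg.StartType)"
}

if ($findings.Count -eq 0) {
    'No findings: firewall on, RPC/sharing ports not exposed, Messenger absent or disabled.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A port listening on 0.0.0.0 or :: is reported even when a firewall rule blocks it, so read the port findings together with the firewall finding rather than on their own.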

While they're at it, Microsoft should send its customers CDs every
month with the latest Windows and Office patches and program upgrades
to install at our leisure (if AOL can do it, Microsoft can too). These
changes would be expensive for Microsoft, but could make a real
difference to end users--which the US$5 million bounty most likely
never will.

Robert Vamosi is senior associate editor, ZDNet Reviews.
