Monday 19 May 2008

Security matters: Into the fourth age of hacking

By Danny Bradbury

Published: May 14 2008 04:18 | Last updated: May 14 2008 04:18

George Stathakopoulos, director of security at Microsoft, believes computer security has been through four main eras – and that it was not until the second that Microsoft began to address the problem with real vigour.

“The first era was the era of vandals and defacements, and it lasted from 1998 to 2001,” he says. Crackers – those hacking websites with malicious intent – would launch high profile attacks, leaving a public mark to show they had compromised the site’s defences.

Then, a new type of attack began to exploit the increasing numbers of computers that were connected to each other via e-mail and broadband connections. “In July 2001, we had the first real vulnerability-based attacks,” he says. The Code Red worm emerged that July; then the Nimda worm hit. The era of mass attacks using internet worms, in which large numbers of computers around the world were infected in minutes, lasted until 2004.

“That’s when the security team in Microsoft was forged,” he says. “We had to make a major change in our thinking and formalise a lot of our processes.”

In 2002, Bill Gates, fed up with the mounting security problems, issued a now-famous memo promoting a concept called trustworthy computing. “Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony,” he wrote.

Shortly afterwards, Microsoft implemented what Steve Lipner, director of security engineering strategy, calls a Windows security stand-down. “We took the Windows division and said ‘how would you feel about stopping all work and just focusing on security?’” he says. The company planned a one-month stand-down that ended up lasting two months. The process eventually hardened the security of products including Windows Server 2003 and Office 2003.

However, this was a short-term solution. The company needed a methodology to enable its developers to create code securely, to avoid the mistakes of the past. It built on work begun around the time of the Windows 2000 release with its Secure Windows Initiative, and created the Security Development Lifecycle.

“We took the requirements that we created to help us build more secure software, and integrated them into the normal activities that the engineering team uses when it builds the products,” says Mr Lipner. Through the SDL, best practices in program design could be documented, for example, and the process includes an element of threat modelling, so that developers can understand new threats that the software needs protecting against.

The SDL also forces product teams to use specific, approved versions of certain programming and analysis tools, and makes them exploit specific features in Windows that help to make it difficult for hackers to attack specific areas of the computer’s memory, for example.

The team also uses a relatively new technique called “fuzzing”, in which random sets of data are thrown at programs to see if the software can be made to fail. “We fuzzed the living daylights out of Office 2007 and Vista,” says Mr Lipner.

This meant new code could be made secure, but Vista contains much legacy code that had not been tested to the same extent. “We took dynamic analysis tools and ran them on the legacy code ourselves,” says Chris Peterson, director of security engineering in Trustworthy Computing at Microsoft. “There were literally thousands of those issues that were resolved as part of the Vista release cycle.”

Weaknesses still make it through the system, however. Windows Mobile 5.0, released in 2005, encrypted data stored directly on mobile phones – but it did not encrypt the data that those phones stored on removable storage cards, meaning that thieves could easily steal data from unattended handsets by taking the cards.

Dan Kaminsky, a code tester brought in to find security flaws in Microsoft products as part of the secure computing push, winced when he heard of that flaw.

There will always be mistakes, he suggests – and that issue was thankfully fixed in Windows Mobile 6.0.

The bigger problem in trying to design a secure operating system today is that developers of malware (software that attacks PCs and mobile phones) are now driven by profit, forcing security researchers to rethink the rules.

Mr Stathakopoulos’s third era of security, which lasted from 2004-06, was the era of the botnet. Criminals used infected computers to perform tasks remotely, and built software to infect machines covertly. They could then manipulate them to send spam, harvest victims’ passwords, and even attack websites by relentlessly sending them messages, flooding their connections so that legitimate traffic could not get through.

The era of the botnet is now moving to an era in which information is crucial, argues Mr Stathakopoulos. Targeted attacks focus on individuals, often rich, using “social engineering” to dupe them into giving up their data.

One attack last year targeted board-level staff, who were sent e-mails supposedly from the Better Business Bureau, complaining about their company.

When opened, a document installed a key logger program that recorded every keystroke made, including user names and passwords for online accounts, and relayed it to crooks. The information was later found for sale on a Russian server.

Mr Stathakopoulos believes the next era of attacks will focus more on information warfare. He says that rather than stealing information, criminals may find it more profitable simply to influence people with disinformation.

“Different opinions are relayed to people, and those opinions have an effect on companies’ fortunes,” he says, arguing that difficulties in confirming online identities could create weaknesses that information warriors could exploit.

“As our lives become entrenched in the internet, we will get to the point where you can’t easily validate that information,” he says.

There have already been primitive examples of information warfare: “pump and dump” spammers have for some time been manipulating stock markets by using disinformation.

How will Microsoft solve such problems? Mr Stathakopoulos says the broader community needs to work together on tools and techniques that make it possible to repel disinformation.

From ID cards through to biometric identification, the issue of privacy and security is already politically charged.

If the next generation of internet security plays out as he expects, then it will become even more sensitive.

Navigating that landscape could present companies such as Microsoft – which is no stranger to political tensions – with the greatest challenge of all.
Copyright The Financial Times Limited 2008
