[ISN] At Microsoft, Interlopers Sound Off on Security

[InfoSec News]

http://www.nytimes.com/2005/10/17/technology/17hackers.html

By JOHN MARKOFF
October 17, 2005

REDMOND, Wash., Oct. 14 - In a windowless war room where Microsoft
manages worldwide computer security crises, George Stathakopoulos, the
general manager for security, opened a small refrigerator, revealing
three bottles of Champagne.

"These are for the arrests," he said, with a brief smile.

Locked in a struggle with a shadowy "black hat" computer underground
that exploits any flaw in its software, Microsoft has spent three and
a half years trying to transform its engineering culture to make
security the company's priority.

Recently there have indeed been some arrests for computer attacks that
capitalized on Microsoft software flaws. But more important, during
the last year the company has made measurable progress in improving
the quality of its software code, according to many computer security
specialists and customers.

That has in effect raised the bar for the computer outlaws seeking to
exploit the company's software for data theft, extortion or simple
mischief. It now appears that Microsoft can begin to celebrate - a
little.

Last Thursday and Friday, the company held its second Blue Hat
briefing, a meeting with a small group of about a dozen independent
computer security specialists invited to the company's headquarters
here to share detailed research on vulnerabilities in Windows
software.

Microsoft managers chose the term blue hat to distinguish their
outreach campaign from the usual division in the computer security
world between warring communities of white hats and black hats.  
Whatever their hats, those invited here were a group not generally
inclined to think highly of Microsoft.

On the first day of the meeting, the visitors made presentations to
some of the company's top executives. The sessions were repeated on
Friday for more than 500 of the company's approximately 9,000
programmers.

David Maynor, an intrusion detection expert at Internet Security
Systems, based in Atlanta, began by giving Microsoft good marks for
addressing conventional computer threats.

But Mr. Maynor cited a fundamental design error in the way Windows
operating systems handle peripherals, making it theoretically possible
for an attacker to insert a malicious program into a personal computer
by attaching a hand-held device to a computer port.

"You trust stuff way too much," he said.

Microsoft had also erred in public assertions about the security of
its coming Xbox 360 game console, he said, adding, "You're a huge
target, and when you challenge people, they will prove you wrong."

It was clear from the presentations that Microsoft still has work to
do to secure its programs, which are the most widely used on the
Internet. But it was also the consensus of those attending that the
company might have made progress in slowing the deluge of viruses,
worms, spam and spyware that plagues its customers.

"It's not perfect, but compared to the competition, they've made
significant progress," said Dan Kaminsky, a prominent independent
computer security researcher who attended the meeting.

For the first time, Microsoft executives allowed a reporter to attend
the meeting, although one research group making a presentation was
unwilling to speak publicly.

Microsoft's decision to reach out to critics it would once have
shunned shows its change in attitude about computer security. The
effort began four years ago when Mr. Stathakopoulos, a veteran
Microsoft security executive, attended Black Hat, an annual computer
security conference focused on software vulnerabilities, in Las Vegas.

Although he found that Microsoft was broadly attacked at the meetings,
Mr. Stathakopoulos returned the next year and even sponsored a party
for the researchers to begin to build bridges.

He said he had second thoughts after scheduling the event. "I turned
to another Microsoft executive and said: 'What did we do? This is
going to be a disaster,' " he said.

In the end, disaster was averted. The Microsoft executives and the
Black Hat researchers talked until 7 the next morning.

This year Microsoft has gone further. In March and again last week, it
invited the outside specialists to its campus in an effort to learn
more from an insular community that studies the company's software for
chinks in its armor.

Microsoft had previously resisted efforts to open a dialogue even with
"white hat" hackers like those in attendance here - computer security
researchers who expose vulnerabilities but do not exploit them, and
who have frequently been bitterly critical of Microsoft as indifferent
to security.

Microsoft's stance changed in 2002 and 2003 when computer worms like
Blaster and Slammer, preying on flaws in Microsoft software, spread
worldwide and began to threaten the company's relations with consumers
and corporate customers alike.

The situation became so grave that in 2002 Microsoft suspended its
programming development for more than two months and sent all of its
programmers to remedial security classes.

The wrenching change the company has gone through was an absolute
necessity, said Mr. Kaminsky, the security researcher. "Security
issues can kill Windows; you can't say it any other way," he said.

And Microsoft's willingness to engage its security critics directly
has made a significant impression on many of them.

"The battleship is starting to turn," said George Spillman, a computer
security researcher who calls himself Geo and whose card describes him
as the minister of propaganda for the Toorcon Computer Security
Conference. "The fact that I am here is a good indication of how much
Microsoft has changed. They are starting to understand that our
community cares as much about security as they do."

But Mr. Maynor cautioned that the company was on the brink of an era
of threats that would prove far more vexing. He pointed to a world of
mobile devices that make today's defense concepts obsolete. Such
devices would allow remote attackers to leap past firewalls guarding
corporate borders and jump from one network to another to get access
to corporate networks.

The nature of attacks, he said, will also shift away from global
Internet worms such as Blaster because of the increasing profitability
of computer crime. A single bug can now bring as much as $50,000 in
the computer underground and is likely to be used for data theft or
extortion, not unleashed simply for widespread chaos.

"We're seeing the rise of designer malware," or malicious software, he
said. "There will be a shift toward targeted attacks."

Another attendee, Brett Moore, chief technology officer of Security
Assessment, a consulting firm in Auckland, New Zealand, said he had
success in finding undiscovered vulnerabilities in some versions of
Windows by looking for known bugs in different parts of programs or in
other applications.

"In a couple of hours I found four vulnerabilities," he said.

Microsoft executives responded that they were trying to improve their
code by using a similar technique in their development process. Known
as fuzzing, it involves automatically testing tens of thousands of
combinations in programs to hunt for flaws.

Microsoft executives and the independent researchers said that the
company had bolstered security significantly with the release of
Windows XP Service Pack 2 in 2004. The update, a free download, made
the operating system much less vulnerable.

Microsoft executives also cite a decline in the number of security
bulletins issued for major products like Windows Server and Office as
evidence that the new engineering discipline is having an impact.

There were 69 such bulletins issued for Windows 2000 Server in two and
a half years and only 41 for Windows Server 2003 in a comparable
period, the company said.

Eleven bulletins were issued for the 2001 version of Office XP during
the first 594 days after its introduction; for Office 2003, there were
six bulletins in the same period. For the last two Windows XP updates,
35 bulletins were issued for Service Pack 1 in the year ended last
June but only 18 for Service Pack 2.

Mr. Stathakopoulos takes pride in the achievement, as when he notes
that he has been involved in shipping more compact discs - Windows
software - than the Beatles, Rolling Stones and Madonna combined.