September 29, 2005

Microsoft, Office SP2, anti-phishing, security patches, the real situation, and the arms race.

In security pennies, Microsoft released SP2 for Office with some attention to phishing:

The most noteworthy enhancement is the addition of a new Phishing Protection feature to Outlook 2003's Junk E-mail Filter. This feature will be turned on by default for users who have Office 2003 SP2 and the latest Outlook 2003 Junk E-mail Filter Update, the company said.

To which I say the most noteworthy thing is that either the press or Microsoft thought anti-phishing was the most important thing. Yet, to me, a junk-email filter improvement that picks up phishing emails is so underwhelming that I hesitate, with some embarrassment, to ask this question: why is it that big browser companies like Mozilla and Microsoft think they can address phishing at the email level by expanding their Bayesian filters?

Any comments out there? What am I missing?
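To put the question in concrete terms, here is an added example (my own illustrative code, not Outlook's filter or anything from Microsoft or Mozilla): a small Graham-style Bayesian token filter trained on a constructed handful of ham and spam mails, then run against a constructed phishing mail that copies a bank notification word for word and changes only the host in the link. The training mails, the domains examplebank.com and verify-login.net, the 0.9 threshold and the function names are all assumptions for the illustration. In this constructed case the word-statistics score rates both mails as ham, because the body text is identical and the extra host labels are merely tokens the filter has never seen, while a check on where each link actually points flags the phish.

```python
"""Added example: a word-statistics (Bayesian) mail filter beside a structural
link check, on a constructed corpus. Not Outlook's filter."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokens(text):
    """Lower-case word tokens; a URL falls apart into its labels."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Per-token spam probabilities in the style of Graham's 'A Plan for
    Spam', naively combined. Simplified: no rare-token discounting."""

    def __init__(self):
        self.ham = Counter()
        self.spam = Counter()
        self.n_ham = 0
        self.n_spam = 0

    def train(self, text, is_spam):
        bucket = self.spam if is_spam else self.ham
        for t in tokens(text):
            bucket[t] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_prob(self, t):
        """P(spam | token), clamped to [0.01, 0.99]; unseen tokens get 0.4."""
        g = self.ham[t] / self.n_ham if self.n_ham else 0.0
        b = self.spam[t] / self.n_spam if self.n_spam else 0.0
        if g + b == 0.0:
            return 0.4
        return min(0.99, max(0.01, b / (g + b)))

    def score(self, text):
        """Combined spam probability in [0, 1], computed in log space."""
        probs = [self.token_prob(t) for t in tokens(text)]
        log_p = sum(math.log(p) for p in probs)
        log_q = sum(math.log(1.0 - p) for p in probs)
        diff = log_q - log_p
        if diff > 700:  # exp() would overflow; the mail is overwhelmingly ham
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text, threshold=0.9):  # threshold is an assumption
        return "spam" if self.score(text) >= threshold else "ham"


URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a host. Simplification: ignores public suffixes
    such as co.uk; a real check would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def foreign_links(text, sender_domain):
    """Link hosts whose registrable domain is not the claimed sender's.
    This is the structural signal the word filter never looks at."""
    return [h for h in URL_RE.findall(text)
            if registrable_domain(h) != sender_domain.lower()]


# Constructed training corpus (not real mail).
HAM = [
    "Your monthly statement is ready. Sign in at "
    "https://online.examplebank.com/statements to view it.",
    "Your payment to Acme Utilities was processed. Sign in at "
    "https://online.examplebank.com/activity for details.",
    "Team lunch is moved to Thursday, see you at noon.",
]
SPAM = [
    "Congratulations!!! You have won the international lottery, "
    "claim your prize now.",
    "Cheap meds, discreet shipping, order now and save 80% http://pills.biz/buy",
    "You have been selected for a free cruise, claim now",
]

# Constructed test mails: the phish is the bank's own text with only the
# link host changed (examplebank.com and verify-login.net are assumptions).
LEGIT = HAM[0]
PHISH = ("Your monthly statement is ready. Sign in at "
         "https://online.examplebank.com.verify-login.net/statements to view it.")


def build_filter():
    f = BayesFilter()
    for m in HAM:
        f.train(m, False)
    for m in SPAM:
        f.train(m, True)
    return f


def demo():
    f = build_filter()
    return {
        "legit": f.classify(LEGIT),
        "phish": f.classify(PHISH),
        "legit_links": foreign_links(LEGIT, "examplebank.com"),
        "phish_links": foreign_links(PHISH, "examplebank.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the pairing is that a content filter learns what spam tends to say, whereas a phish is designed to say exactly what the bank says; the only thing that distinguishes it is where the link goes, which is a property of the URL and of the page behind it, not of the prose. The registrable-domain heuristic here is deliberately crude and would misjudge hosts under multi-label suffixes.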

There are security enhancements in the SP2 pack, but as one wit had it: "Cool! Now ... will it work?" The security disaster continues:

A new report from the Information Security Forum (ISF) warns that Trojan-based attacks are becoming more sophisticated and harder to stop. The ISF - a not-for-profit organisation with 260 members including half of the Fortune 100 - believes this sophistication will see Trojans soon take over from email phishing. But, it warns, phishing is still big business - more than a third of ISF members have been affected by phishing attacks.

Yes, this is the well known conclusion. Trojans can take over the Microsoft Windows computer and do the lifting of account information without the user having to do *anything*. Once there was enough finance developed in the early clumsy email phishing model to invest in virus/trojan based attacks, this move was inevitable.

What does this mean? The underground shift that the press dare not speak of will firm up, and the decade(s) long domination of Microsoft Windows will end, I predict. People never had a real reason to shift from Microsoft computers before, but nobody was stealing their money before. Long term view: sell Microsoft, buy Apple.

Jean sends this snippet entitled An 'arms race' no one can stop, and it speaks to the general security view:

Periodic attacks against computers by vandals, terrorists, and allegedly by governments such as that of China, have raised cyber-security to the top of the computer community's agenda.

Computer experts warn. National security officials sound alarm. Banks clamor. The press writes sensational stories. And the public seems fascinated by the exotically named and poorly understood threats. Everybody, it seems, agrees that cyber security needs to be beefed up.

Today indeed there may be a deficit of computer security. But it seems inevitable that tomorrow we will have too much of it. How can there be too much security? Security tends to prevent bad things from happening. But it also prevents some good things from emerging.

Some cyber-security makes private and societal sense, of course. Backup file systems, decentralisation, firewalls, passwords, all of these are reasonable measures. But since they do not stop determined intruders, the tendency is for increased security measures.

How much should a company spend for its computer security? Total security is neither achievable nor affordable. Instead, a company would engage in some form of cost-benefit analysis, in which it compares the cost of harm avoidance with the benefit of such reduced harm.

But in the real world, the data for such calculation is systematically skewed in the direction of exaggerated harm and understated cost of prevention. Take the cost of harm.
...

So more than a few people have recognised that we've been spending big and talking big on security for the last decade or so, and it's now getting worse. What's the disconnect here? That is indeed a topic of current research, but at least it has started to appear on the radar screens of security thinkers.

Posted by iang at September 29, 2005 06:01 AM | TrackBack
Comments

>What does this mean? The underground shift that the press dare
> not speak of will firm up, and the decade(s) long domination of
> Microsoft Windows will end, I predict. People never had a real
> reason to shift from Microsoft computers before, but nobody was
> stealing their money before.
> Long term view: sell Microsoft, buy Apple.

The big question is: how much of Apple's apparent immunity to cyber attacks are based on being a less interesting rather than a harder target?

Steve

Posted by: Steve at September 29, 2005 11:47 AM