Five security news items that should get your attention

A mix of good and bad news caught Chad Perrin's eye in the second half of 2009. These are the five that he thinks you shouldn't miss.

  1. Microsoft got the NSA's help with Win7 security. Many are concerned with the potential for "backdoors" inserted into the code at the NSA's insistence. Some believe that Microsoft would never knowingly consent to such violations of user privacy, though that does not address the possibility of the NSA just ensuring it gets to harvest whatever data Microsoft already collects through use of functionality like WGA and Windows Updates, or that of the NSA finding a way to ensure a "backdoor" vulnerability is slipped into the code that Microsoft doesn't even know is there. Given its closed source development, the pool of people in a position to notice such a hypothetical subtle security flaw would be fairly limited. While many might believe that Microsoft is above such behavior, few would argue that the NSA is as well, given the recent illegal wiretapping scandal.
  2. The NSA Website was compromised. Yes, these are the same people who helped Microsoft develop stronger security for Windows 7. I, for one, am not encouraged.
  3. IBM announced a means of using encrypted data without decrypting it. This concept may seem contradictory at first glance, but a new algorithm developed for IBM by researcher Craig Gentry could allow an accountant to prepare tax returns without ever having to see the data in decrypted form. The concept, called "homomorphic encryption", is predicated upon the ability to specify clearly which particular types of modifications should be allowable for your encrypted data, so that mathematical transformations can be applied to the encrypted data "blindly", but still correctly.
  4. Takoma Park, MD debuted an MIT cryptographic voting system. While everybody else was arguing about whether Diebold was doing electronic voting "correctly", MIT developed a cryptographic voting system that allows voters to verify that their votes were correctly counted without ever tying the vote to the voter anywhere but in the voter's own notes and mind. If at least two percent of voters verify their votes, the system -- called "Scantegrity II" -- makes it almost impossible for vote tampering to go undetected. The use of the system in the Takoma Park election "went very well" according to the city clerk, Jessie Carpenter.
  5. September saw the debut of the first ever reddit worm. Some bugs in reddit's implementation of its Markdown formatting language allowed an infectious worm to make its way through the site. It was not capable of infecting visitors' computers; it only spread itself from one user's reddit account to another, and caused garbage comments to be posted in reddit discussions under their account names. The reddit team's response time was admirably quick, but the speed with which the worm spread meant it was still a very big deal for the site.
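
To make item 3 concrete, here is an added example (not from the original article, and not Gentry's scheme): a toy Paillier cryptosystem, which is only additively homomorphic, used for the accountant scenario. The function names, the sample figures and the deliberately small key are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy key: two Mersenne primes (2^31-1, 2^61-1). Real keys use 1024+ bit primes.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    return n, (lam, pow(lam, -1, n))                    # public n, private (lambda, mu)

def encrypt(n, m):
    n2 = n * n
    r = secrets.randbelow(n - 2) + 1                    # random blinding factor
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 1
    return (1 + (m % n) * n) * pow(r, n, n2) % n2       # g = n + 1, so g^m = 1 + m*n mod n^2

def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(n, c1, c2):
    """E(a) * E(b) mod n^2 decrypts to a + b."""
    return c1 * c2 % (n * n)

def scale(n, c, k):
    """E(a)^k mod n^2 decrypts to k * a (k is a public constant)."""
    return pow(c, k, n * n)

def accountant_tax(n, enc_items, deduction, rate_percent):
    """Runs with the public key only: never sees an income figure."""
    total = enc_items[0]
    for c in enc_items[1:]:
        total = add(n, total, c)
    taxable = add(n, total, encrypt(n, -deduction))     # subtract a public deduction
    return scale(n, taxable, rate_percent)              # encrypted 100 * tax

def demo():
    n, priv = keygen()
    income_cents = [5_200_000, 130_000, 45_000]         # constructed sample data
    enc_items = [encrypt(n, m) for m in income_cents]   # client side
    enc_result = accountant_tax(n, enc_items, 1_250_000, 22)
    return decrypt(n, priv, enc_result) // 100          # client side: tax in cents

if __name__ == "__main__":
    print(demo())
```

Paillier permits only addition of ciphertexts and multiplication by a public constant; multiplying two ciphertexts together is not available, which is the gap a fully homomorphic scheme closes.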

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

13 comments
don.gulledge

There are many vectors for attack, the internet being just one and the most important right now because the world wants to move into internet based processing which exposes data to the world. The risk has always been prioritized and it seems data processes via the web are starting to get the attention finally. Now, protecting SSNs has been the big stick in the stack and they're way behind the curve on it. Credit card use over the internet is most likely the biggest risk vector for the individual, especially where identity theft seems to fall totally back on the individual as well as responsibility for the debt. It's kind of like buying a car where you're responsible for all the things that go wrong from the start. Take T-Mobile selling phone list of subscribers out to other companies. Until responsibility is put where it belongs on the companies that operate systems that are insecure, nothing will change except when the governments do it. I like the idea of the Australian invention of an ID card when placed over the screen shows a unique ID number the user would type in to pass the security. Haven't really had any real proof of it working, or if it's infallible, but if it was it would resolve most of the security issues of access. Then, all that's needed is a strong encryption system for the internet. Then, everyone would get an electronic ID based on the Australian's invention and transmissions through the internet would be secure for a limited amount of time based on how strong the encryption is done. I think the tools are there, but no one wants to take responsibility and pay for it. They're all waiting for government to force them. Meanwhile, the end user promotes themselves into the world with every logon at their own risk. This would resolve a lot of the issues of security and most likely, the crooks would resort to the more traditional methods of attack prior to the advent of the internet.

JCitizen

I think the realization that definition type AV/AS scanning is definitely obsolete (OUT), and HIPS or something like it or superior to it is IN, for security applications. Quite frankly I think they need to switch to the same tech the crackers do, and use kernel mode root-kits to control the local machine security. I'm sure in the enterprise Win 7 AD and local policy can go a long way here, but I'm talking about Joe and Jill sixpack on Vista/Win 7 Home or equivalent.

JCitizen

If it ever got out that NSA was actually spying on everyone through a back door; we would never forgive that corporation, and the name Microsoft would be MUDD throughout the rest of this nation's history. It just gives everyone more impetus to at minimum maintain another open source operating system. This is not good for MS; I wonder if chair throwing monkey boy has figured that out yet?

apotheon

I suspect Ballmer's entirely focused on "(anti-)competitive advantage" factors when it comes to Microsoft's relationship with the market at large. He probably lets underlings handle the "trivialities" like the potential for future public backlash as a response to policy decisions -- and probably overrides those underlings regularly when he thinks some anti-competitive advantage measure could prove useful.

JCitizen

Just another CEO robber baron - didn't start the company, doesn't care about it; just his golden parachute. How could I be so amiss? ;)

apotheon

What can we learn from these security news items? What other security news caught your eye in the second half of 2009?

seanferd

That is really good news, which I had not heard before. Thanks for that.

One thing I think we can learn from some of these is this:
http://blogs.techrepublic.com.com/itdojo/?p=1259&tag=content;leftCol

Otherwise, some classics (note the dates):
http://articles.techrepublic.com.com/5100-10878_11-5135185.html
http://articles.techrepublic.com.com/5100-10878_11-5952648.html?tag=content%3bleftCol
http://articles.techrepublic.com.com/5100-10878_11-5054473.html

Still not getting it, are we?

shardeth-15902278

Regarding #1. Cause if they did in fact install a back door, they probably did it wrong, so it won't work anyway. ;) On a serious note. I read about #3 a while ago, and at the time found myself wondering if this puts us any nearer to (or further from) the conjecture that one way functions exist. Afraid I don't understand the guts well enough to make any conclusion... Hadn't heard #4 yet. Very interesting. Thanks for bringing it to my attention.

Sterling chip Camden

... that even though NSA favors Windows and IIS because they're closed-source, that doesn't make those platforms more secure.

apotheon

I'm not sure I'd say that the NSA actually favors it. I suspect part of the reason the NSA is helping out is because of some governmental IT security mandate based on the fact that a lot of government entities use a lot of MS Windows systems, and that another part of the reason is the fact that lots of home users and other governments around the world use it as well. Take from that what you will. Of course, the NSA also contributed to the development of SELinux, which amounts to an advanced ACL system for Linux-based OSes similar in practical effect to the ACL systems available for BSD Unix and commercial UNIX OSes.
