When Microsoft announced in March 2006 that it would add code-scrambling diversity to make Windows Vista more resilient to virus and worm attacks, you could almost visualize a wry smile from Dan Geer.
Geer, a computer security guru with a doctorate in biostatistics from Harvard University, lost his job as chief technology officer of consulting company @Stake in 2003 after co-authoring a report that blamed Microsofts operating system monopoly and complex code base for the frailty of the Internet.
Exactly three years later this month, Geer insists that the risks associated with Microsofts virtual monoculture remain the same, but a quick glance at the future direction of the worlds largest software maker gives Geer a sense of “total vindication.”
Indeed, three years ago on Sept. 24, Geer penned “CyberInsecurity: The Cost of Monopoly,” a 25-page report he co-authored with a whos who of computer security experts, including celebrated cryptographer Bruce Schneier and intrusion detection systems specialist Rebecca Bace.
The crux of the report was that software diversity was core to securing the Internet.
The group cautioned that the only way to prevent “massive, cascading failures” was to avoid the Windows monoculture.
“Because Microsofts near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor,” the report said.
In many ways, Geers report was prescient, as Microsoft has become a huge target for hackers. Meanwhile, Microsoft has adopted some of the tactics recommended to diversify code.
“In just under three years, the idea went from something you can get fired for to a research priority for [the U.S. government] and a product plan at Microsoft,” Geer, of Cambridge, Mass., said in an interview with eWeek.
“You look at what theyre doing with randomizing Vista and all the signs around virtualization, [and] its real vindication for us.”
He was referring to the addition of ASLR (Address Space Layout Randomization) to Windows Vista, a security feature that randomly arranges the positions of key data areas to prevent malicious hackers from predicting target addresses.
The technique, known as memory-space randomization, will block the majority of buffer overflow tricks used in about two-thirds of all worm attacks and, even more importantly, will effectively create software diversity within a single operating system.
Despite wide recognition that software diversity is important, progress is slower than expected.
Ten days after the Geer report garnered publicity, the U.S. House of Repre-sentatives held a hearing that included an interrogation of the Department of Homeland Security on the subject of monoculture, and the National Science Foundation, an independent federal agency, pumped $750,000 into a study on cyber-diversity for computer systems as a way to fend off malicious viruses, worms and other cyber-attacks.
The result? Despite all that talk, the DHS remains a Windows shop and Microsofts flagship operating system still commands a whopping 97 percent share of the desktop security market. Businesses dabble with alternatives such as Linux but remain tethered to Windows. Why?
Despite the initial hubbub over the report, businesses are betting that the costs associated with diversification are greater than the returns from implementing technology that could be more secure yet potentially harder to manage.
“We havent changed much. Id argue that were at even more risk today than we were in 2003,” said Schneier, chief technology officer and founder of Counterpane Internet Security, in Mountain View, Calif. “We have a culture of ignoring serious warnings until its way too late.”
Schneier, who did stints at the Department of Defense and Bell Labs, said the monoculture risk exists beyond the desktop. “Windows has pushed into mobile devices, into embedded systems, into noncomputer CPUs. The threat of that cascading failure is even truer today,” he said.
Even though the argument made in the report remains as valid as ever, diversity has been elusive because, as Schneier put it, “monoculture is attractive because it is cheaper.”
“Its hard and its expensive [to diversify]. Yes, its less secure, but you only have to support one thing when you embrace monoculture. It always boils down to economics,” he said.
Geer said there are two options available to government and enterprise security systems: Embrace monoculture and get consistent risk management because everything is the same, or run from monoculture in the name of survivability.
“Today, were relying on picking up the pieces,” Geer said, adding that its much cheaper for a CEO to invest in anti-virus, anti-spyware, anti-spam and patch management solutions.
“Weve committed all our eggs to a basket named patch management, or were looking to virtualization to help wipe and reinstall after [malware] infection,” he said.
For Andre Gold, director of information security at Continental Airlines, monoculture and security became a hot topic in 2003 after the SQL Slammer worm disrupted operations at the Houston air carrier.
“From a pure-play security perspective, we had to answer that question. Do we want to diversify to keep things running when another attack came along or stay with the monoculture and invest in securing it,” Gold said in an interview with eWeek.
“It came down to economics. Its not easy to click your fingers and say, Windows is a liability; lets just switch. You soon realize you have to spend even more to get specialized staff for each computing environment,” Gold said.
Several CISOs (chief information security officers) interviewed by eWeek echoed Golds sentiments, stressing that budgeting considerations always play into security decision making.
“I cant spend my entire budget trying to diversify and not have resources to secure them all. Thats not practical,” said one security executive affiliated with a high-profile financial institution.
Golds situation rings true for John Pescatore, an analyst at Gartner, in Stamford, Conn. “The cost of ownership skyrockets because of diversity,” Pescatore said. “The economics says to standardize, standardize, standardize.”
Its Getting Cheaper to
Deal with a Single Platform”>
Pescatore said that the debilitating network worm attacks of 2003 and 2004—Slammer, Blaster and Sasser—forced businesses to think seriously about the monoculture risk but that the combination of Microsoft security improvements, a predictable update release cycle and patch management tools makes it “much cheaper to deal with a single platform.”
Richard Stiennon, founder and chief research analyst at IT-Harvest, of Birmingham, Mich., said the monoculture issue remains a front-burner topic in his discussions with clients. “I always recommend different platforms for different purposes, even with all the economic considerations associated with that,” Stiennon said.
“We have not done much to heed [Geers] warning other than spend a lot of money to protect the monoculture,” he said.
However, there are signs of progress. Even today, beyond the desktop operating system, Gartners Pescatore said that there is more heterogeneity in Internet-facing applications.
“Firefox continues to gain market share, and the Apache Web server has higher market [share] than [Microsofts] IIS,” Pescatore said, arguing that the threat landscape has changed significantly from the days when malicious attackers were launching disruptive network worms.
As network administrators ponder the end of the worm era, for-profit malware attacks have grown dramatically. According to information culled from Microsofts MSRT (Malicious Software Removal Tool), the biggest threat on the desktop comes from bots and Trojans that hijack computers for use in botnets.
David Cole, a senior director in Symantecs security response unit, in Santa Monica, Calif., said his units virus hunters are seeing about 800 botnet command-and-controls daily, each commandeering as many as 25,000 infected machines. “The order of magnitude of the botnet problem is immeasurable,” Cole said in an interview.
Using Symantecs numbers, Geer estimated that more than 15 percent of all desktop computers are controlled by malicious hackers.
“You can look at it two ways. Were not seeing worms because the protections are getting better. Or, the people who were writing worms have figured out they can own the machine forever and make money from it,” Geer said. “I think the botnet operators already have all they can eat.”
Given that businesses have been slow to diversify, security fully rests with Microsofts ability to secure Vista, and the early signs are promising.
As part of an ambitious mission to make Vista the “most secure operating system ever,” Microsoft made a series of significant tweaks to help thwart the spread of malware.
The most important change, called UAC (User Account Control), is a default setting that separates standard user privileges and activities from those that require administrator access, making it nearly impossible for virus writers to execute harmful code in sensitive parts of the operating system.
Microsoft also summoned the crème de la crème of the hacking community to its Redmond, Wash., campus to launch simulated attacks against Vista and implemented a new strategy called Windows Service Hardening that aims to reduce the risk of wormable flaws through improved testing and development processes.
Independent security researchers—including some of Microsofts harshest critics—have given Vistas security makeover a big thumbs up. “Theres no doubt that Microsoft is trying to step up to the plate,” said Rick Fleming, chief technology officer at San Antonio-based security company Digital Defense.
“They made huge strides with [Windows XP] SP2, and I think Vista will push the envelope even more.”
Dave Aitel, a staunch open-source advocate and vulnerability researcher at penetration-testing company Immunity, of Miami, said he believes the most vital security upgrades will come from advancements in computer hardware.
Aitel cited the NX (No eXecute) technology being built into chips from Intel and Advanced Micro Devices that will effectively prevent code execution within data pages such as default heaps, stacks and memory pools.
John Quarterman, a risk management expert at InternetPerils who co-wrote the report with Geer in 2003, was dismissive of any suggestion that the Internet has become safer because of Microsofts software security improvements.
“We have criminal entrepreneurs doing big, big business on the Internet, using computers that are not secure. This is not rocket science; this is an effect of the monoculture,” said Quarterman in Austin, Texas.
Rebecca Bace, another co-author of the monoculture warning, said she sees Microsofts aggressive push into virtualization technology and gets the feeling that the company “is coming around.”
Citing a recent Gartner report that predicted Vista will be the final version of Windows in the current, monolithic form, Bace said its clear that Microsoft understands that virtualization can help to break the monoculture.
“Theyre now saying, Perhaps this is a way we can defend ourselves,” said Bace in Scotts Valley, Calif.
Cyber-insecurity: Then and now
Three years ago, a report, “CyberInsecurity: The Cost of Monopoly,” was released. Heres a look at what the report concluded and what has changed since.
- Then “Most of the worlds computers run Microsofts operating systems, thus most of the worlds computers are vulnerable to the same viruses and worms at the same time.”
- Status No progress. The world still runs Microsoft, and the malware keeps coming.
- Then “Because Microsofts near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow. The goal must be to break the monoculture.”
- Status Slow going. Technology executives are dabbling with Linux, but the monoculture is here to stay.
- Then “A monoculture of networked computers is a convenient and susceptible reservoir of platforms from which to launch attacks.”
- Status Status quo. That convenience of one platform means less management expense. So far, companies are going with lower costs over susceptibility.
- Then “Governments must set an example with their own internal policies and with the regulations they impose on industries critical to their societies. They must confront the security effects of monopoly.”
- Status Little progress. Capitol Hill hearings and studies into “cyber-diversity” havent prodded the government to change its reliance on Windows.
Source: “CyberInsecurity: The Cost of Monopoly”; eWEEK reporting