Zero Day Threat

How Microsoft missed the boat on cybercrime

On Jan. 15, 2002, Microsoft Corp. Chairman Bill Gates issued a jaw-dropping memo with the subject line "Trustworthy Computing." To stem rising hacker attacks, Gates ordered all Windows development halted and directed his company's full attention to shoring up security.

Microsoft has since poured vast resources into making Windows PCs more secure. And yet the risk of having your PC compromised and your sensitive data used in scams has never been greater, according to a new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity (Sterling Publishing, 2008), by USA Today technology reporters Byron Acohido and Jon Swartz. The authors point to a confluence of factors increasing the danger: a banking system built for speed; a tech industry enamored with commercializing the Internet; consumers hooked on convenience. In these edited excerpts, Acohido and Swartz convey Gates' acknowledgment of the problem.

Command Performance

Bill Gates seemed weary and disengaged. He had just co-delivered a keynote address to about 3,000 tech-security executives, analysts and researchers at San Francisco's Moscone Center and was sitting in a vast room behind the stage waiting to do a requisite one-on-one interview with one of the authors.

The Feb. 6, 2007, speech was billed as Gates's final command performance at the giant RSA Conference, the tech-security industry's premier convention, held early each year. At his first RSA keynote, delivered in 2004, Gates had a good story to tell. It had been two years since he had issued his Trustworthy Computing edict, ordering his troops to alter their features-first worldview and make security their new religion. Microsoft developers at the time were in the home stretch of hammering together Windows XP Service Pack 2, which would make the use of personal firewalls and automatic patching standard practice for most home computer users.

Now here he was, five years into Trustworthy Computing, with Windows Vista, the first Microsoft desktop operating system with security accounted for in every major component, freshly delivered to store shelves.

Evangelizing Security


Microsoft now had a more well-rounded security story to tell. And tell the story it did. Beginning in the summer of 2006, a crack team of Vista "evangelists" -- the product managers and marketing specialists assigned to wine and dine researchers, analysts and reporters at conferences and other events -- began spreading the SDL gospel. SDL stood for Security Development Lifecycle, a process for meticulously rooting out coding errors and security holes throughout the development of a new software product.

Given the timing of his swan-song appearance at RSA, Gates had the perfect pulpit to drive home the message his SDL disciples had delivered to many of the people seated in Moscone Center's main hall. But Gates' focus appeared to be elsewhere. Several months earlier, he had announced his intent to retire in mid-2008 to turn his attention to eradicating disease in Third World nations.

Before he could reinvent himself as a full-time philanthropist, he was obligated to sign off on Trustworthy Computing as a success -- at least on his watch -- and formally turn over the security reins to Craig Mundie, Microsoft's chief research and strategy officer.

For his final RSA keynote, Gates chose to share the stage with Mundie, crediting him as "the one who motivated me to send that memo around."

Sitting on a couch backstage after the keynote, Gates looked haggard. The reporter gave him another chance to hype Vista: "Bill, the rate of threat mutation has never been higher, and cyberintruders are more organized than ever, using ever-more stealthy, targeted attacks. That said, how far can Microsoft's SDL products go toward stemming the wider security problem?"

Band-Aid Solution

Gates looked up, glared angrily at the reporter and said he didn't understand the question. After a few more awkward exchanges, Gates took a swig from the can of Diet Coke his handlers invariably kept within his reach. The jolt of caffeine appeared to fire his synapses and perk him up.

During the 45-minute interview that ensued, Gates pointed out breakthrough security features in Vista. Warming to the interview, Gates opined that "computer security is 100 times better today than in 2002. But there has been an evolution in spam and phishing, and you can't apply Band-Aids to the problem."

SDL, Microsoft's blueprint for developing more-secure software, was a lot more than a Band-Aid, of course. SDL forced Microsoft's designers and developers to address the reality that any software program touching the Internet can be attacked through the Internet. Still, SDL was no panacea.

John Pescatore, longtime tech-security analyst at Gartner, singled out a major shortcoming: Microsoft designed SDL to strengthen old-style software programs sold in shrink-wrapped boxes, programs that typically spent years in the development lab. It did very little to improve security of Web 2.0 software typically developed on the fly and deployed quickly as a service over the Internet.

Extreme Caution

By the close of 2006 and the start of 2007, a select group of cybercriminals had begun sending out e-mail messages to workers at certain government agencies and large corporations. The e-mails contained corrupted Word, Excel, PowerPoint and Outlook files as attachments. These were zero-day attacks. No patches were on Microsoft's radar.

The e-mail messages were carefully crafted to look like they came from a co-worker or an acquaintance. Once the recipient clicked on the corrupted Office file, a back door loaded onto the machine. The intruder now had access to install a rootkit cloaking mechanism, along with tools to monitor traffic for clues on the best ways to drill deeper and stealthily infect other PCs inside the organization's intranet. The ultimate goal: harvest sensitive data.

Five years into Trustworthy Computing, with Office zero-day attacks on the rise, Microsoft was compelled to issue Security Advisory 933052 notifying its customers that even documents appearing to arrive from trusted contacts may not be entirely trustworthy:

"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources."

Superior Weaponry

With attacks multiplying, Russian cybercrime lords enriching themselves, and Chinese cyberspies roaming wild, Gates unburdened himself of a heavy load at RSA 2007. Compared to trying to put the cybercrime genie back into the bottle, stamping out major diseases in Third World nations might seem a snap.

The fight to keep cyberthieves and cyberspies from rendering Microsoft's products untrustworthy now fell to Craig Mundie. Internet security, Mundie observed, was based on a fortress mentality. Defense systems protecting key parts of the Internet were akin to moated castles from which valuable assets could evaporate into the air or seep out through tunnels under the walls. And to make matters worse, these castles had come under siege by an enemy with superior weaponry.

"It's sort of like we've been in the medieval age of computer networking and access. And we say, you know, we just have to build more and more fortress-like protections," says Mundie. "So we build thicker walls, higher turrets, put moats out in front, bigger drawbridges. And what we didn't really see coming yet is essentially the airplane and the air-to-surface missile."

Adapted with permission of Sterling Publishing Co., from Zero Day Threat, by Byron Acohido and Jon Swartz. Copyright © 2008 by Byron Acohido and Jon Swartz.

Copyright © 2008 IDG Communications, Inc.
