Twenty years after the first PC virus, the application and practice of Information Security is still lagging dangerously behind the threats. Attacks that were originally dismissed as speculation and hysterical fear mongering have not only occurred but become commonplace. Time and again, we have seen viruses developed for new platforms and then become widespread, and the MMS platform is simply the most recent to fall victim.
Developers have a wide range of reactions to flaws in their products. Oracle is, perhaps, among the worst, with a head-in-the-sand, “security through obscurity” approach: blaming the messenger for problems they have failed to fix. Microsoft has greatly improved its approach to security, but it still seems to have left technical decisions about the severity of problems, and how to describe them, in the hands of its marketing department, only breaking its monthly patch cycle after considerable pressure. The spin-doctoring can also be seen in Microsoft’s Security Bulletin, where under Mitigating Factors we are reassured that “…an attacker would have to persuade users to visit the Web site…”. That’s OK then; it is not as if our users visit web sites frequently. F-Secure, with its archive handling vulnerability, also reminds us that no developer, not even a security developer, is immune to security flaws.
Meanwhile, the attackers are becoming more professional and more focused on profit; the case of the Zombie Merchant is just the tip of the iceberg of an underground economy. Worse, in some cases connectivity is so taken for granted that protective measures can themselves cause significant loss, as in the Writs by Email case.
In the Chinese Calendar, we are now starting the year of the Fire Dog. This is linked to optimism, openness, social rights and wrongs, and defence. Therefore, I hope we can work for, and see, improvements in responsible disclosure, computer crime legislation and our systems’ defences.
Kung Hey Fat Choi