Warning: Microsoft 'Monoculture'  Associated Press

Wired

CAMBRIDGE, Mass. -- Dan Geer lost his job, but gained his audience. The very idea that got the computer security expert fired has sparked serious debate in information technology. The idea, borrowed from biology, is that Microsoft has nurtured a software "monoculture" that threatens global computer security.

Geer and others believe Microsoft's software is so dangerously pervasive that a virus capable of exploiting even a single flaw in its operating systems could wreak havoc

Just this past week, Microsoft warned customers about security problems that independent experts called among the most serious yet disclosed. Network administrators could only hope users would download the latest patch. More.... 

Internet pioneer BBN independent after sale by Verizon
By Peter J. Howe, Globe Staff, 2/7/2004

BBN Technologies Inc., the storied Cambridge technology firm that built a precursor to today's Internet and invented the @ sign in e-mail addresses, has been reincarnated at age 56 as a newly independent company.

Seven years after a deal that led to the former Bolt, Beranek & Newman becoming part of Bell System giant Verizon Communications Inc., Verizon said yesterday it has agreed to sell BBN to a pair of private equity firms and top BBN executives and investors for an undisclosed price.
While praising Verizon as a good custodian, BBN executives and investors said they are excited about emerging from the shadow of one of the nation's 10 largest corporations and unleashing the creative energies of BBN's 500 engineers and technical staff. Besides its deep roots in telecommunications and network security, including major US government contracts, BBN also has extensive operations in speech recognition, artificial intelligence, and wireless devices that organize their own networks. The staff includes about 150 people with doctoral degrees. More.... 

Open Source Is Fertile Ground for Foul Play

DEVx
The nature of open source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing, making government adoption of open source particularly worrisome.  by A. Russell Jones

An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. More....

Is Open Source Secure?
O'Reilly, Mark Stone
Feb. 13, 2004 03:15 PM
 
DevX's Executive Editor A. Russell Jones suggests that governments avoid jumping on the Open Source bandwagon because Open Source software, by its very openness, is more vulnerable to exploitation. This attitude reflects a deep misunderstanding about how both security procedures work, and about how Open Source projects work. His argument rests on three ideas: 
Someone who is part of a project can place an exploit within the code: "the security breach will be placed into the open source software from inside, by someone working on the project." 
While there is sufficient scrutiny on major projects to prevent this kind of exploit, since Open Source permits anyone to create their own distribution, a smaller, less scrutinized spin-off can easily have this kind of exploit: "distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart." More....  

Gartner Casts Doubt on MS Security Commitment

By Robyn Weisman
www.EcommerceTimes.com, 
February 13, 2004 
Noting that personal firewalls did a good job of thwarting worms like MS Blast, Gartner vice president Richard Stiennon told the E-Commerce Times that Gartner is recommending firewalls for all computers, including desktops. 

In response to Microsoft's latest vulnerability announcement, a group of security analysts at Gartner has released a research note that advises enterprises against using Windows Server 2003 in mission-critical applications exposed to the Internet before the second quarter of 2004. "We may have to revise this cautious position if Microsoft (Nasdaq: MSFT) fails to commit publicly to extraordinary efforts to eliminate glaring holes in its operating system," the research note said. 
The note also recommends that enterprises install the latest Microsoft patch on all PCs and servers, block vulnerable ports as they are identified, correctly configure enterprise firewalls, and install personal firewalls on all PCs and intrusion prevention software on all business-critical Windows servers. The goal: "to avoid the mass attacks that will almost inevitably attempt to exploit this vulnerability within the next few weeks." More....    

Outlook: Security breaches threaten Microsoft monopoly
Jeremy Warner Independent.co.uk
14 February 2004

By any standards, Microsoft has had a terrible week. In what has become a regular occurrence, the company has been forced to issue yet another critical update to repair a flaw in its Windows operating system. Left unaddressed, the flaw might have enabled hackers to breach security and gain access to company and personal computer systems across the world.
The latest patching exercise is only the most high profile in a long line of similar updates, which is forcing Microsoft to repair its operating system on a sometimes weekly basis. As if this were not bad enough, Microsoft yesterday announced that portions of its Windows 2000 and NT 4.0 code have been made available on the internet illegally.
All this may seem to belong more to the annual convention of geeks and nerds anonymous than the business pages, yet their significance is hard to overestimate. Only a tiny fraction of the source code has been revealed, but if Microsoft cannot protect its core intellectual property, then it lowers public trust in the security of its software, and may in the long run further undermine the supposed advantages of Microsoft over alternative, open source operating systems. More....

200 days to fix a broken Windows

Security researchers are both criticizing and empathizing with Microsoft for the 200 days the company needed to create its latest critical software patch. 
The six-plus months is the longest the software giant has taken to release a fix since it started its Trustworthy Computing initiative, a companywide mandate to make security a top priority. Taking so long to fix a serious issue cast doubts on how much progress Microsoft has made in the two-year effort, said Marc Maiffret, chief hacking officer for security research firm eEye Digital Security.  More....  

Doomjuice, Deadhat feed on MyDoom infections
Robert Lemos, Special to ZDNet
February 10, 2004
Two worms that take advantage of computers whose security has already been compromised started spreading on Monday, antivirus software companies warned. 
The two opportunistic programs--dubbed Doomjuice and Deadhat--threatened only those users still infected with a version of the MyDoom virus, and didn't pose a major problem for businesses, which had previously cleaned systems infected with the virus, the companies said. 
"There are only about 50,000 or 75,000 machines left that are infected," said Vincent Gullotto, vice president for antivirus and vulnerability emergency response team at Network Associates.More....  

Nachi variant wipes MyDoom from PCs
By John Leyden The Register
Posted: 12/02/2004 at 12:14 GMT
Stay up to date wherever you are, with The Register Mobile
A new variant of the Nachi worm which attempts to cleanse computers infected by MyDoom and download Microsoft security patches to unprotected computers has careened onto the Net this morning. 
Nachi-B (AKA Welchi) uses the same security vulnerability exploited by the Blaster worm to spread. Once it infects target machines the worm attempts to search and destroy any traces of MyDoom infection - before downloading patches for the Microsoft vulnerability it used to infect the system in the first place. More....

Vulnerabilities

Advisories