Infosecurity Today, March/April 2004, News, page 4

Bill Gates centres on Windows security at RSA
Eric Doyle, reporting on RSA in San Francisco

Microsoft chairman Bill Gates delivered his first keynote to security experts in San Francisco at RSA Security's thirteenth annual conference in February. He chose the conference to confirm the contents of Service Pack 2 for Windows XP and to reveal Windows Security Center, a new site for checking security settings.

Looking nervous, Gates first launched details of the security measures in SP2. Microsoft is increasing the functions and features of its firewall and its anti-spam controls in Outlook. Gates also showed how malware could be controlled using behaviour blocking.

Active Protection Technology (APT) will be an addition to the Internet Security and Acceleration Server and is designed to prevent malicious activity arising from malware. APT will examine the Windows environment to find traces of unusual activity and use behaviour blocking to stop it happening. For example, an emailing virus or worm that spews out a slew of messages will be shut down, or a Windows service trying to open a back door will be prevented from doing so.

The main revelation was a detailed presentation of the Windows Security Center, where security settings for Windows features, such as the new firewall, can be checked. This was announced by Microsoft marketing manager Zachary Gutt, who joined Gates on stage to demonstrate the SP2 features.

Gutt ran the Windows Firewall through its paces, showing how calls to external sites and services will be queried through a dialog box. He also showed how an enterprise can centrally manage the desktop firewalls and set different profiles for mobile computers: one for corporate network protection and one for when the laptop is disconnected from the LAN.

To turn up the heat on spammers, Gates plans to form a cross-industry alliance with Internet Service Providers (ISPs) to make email more trackable. Microsoft's Caller ID will use the Internet's domain name system (DNS) to verify the originating domain for any email. This will require email messages to include the IP address of their mail server, which will allow the receiver to verify that the address is real. Unverified email will be treated as spam and either quarantined or deleted according to the administrator's settings.

Microsoft is starting to test Caller ID on its Hotmail service and has already implemented the inclusion of IP addresses in outbound emails. Inbound addresses will start to be checked around the middle of this year. The measures will help to reduce spam but rely on help from the ISP community. Rogue ISPs will still allow spamming and may find ways to circumvent Caller ID.

Gates concluded, "We think this [SP2] will be a very important release and we will ask people to install broadly."

At the end of his keynote Gates was greeted with polite applause. Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, echoed the feelings of many delegates. "Was it just me or was he just not excited? I expected more excitement," he said. "When he talks about [Windows] features and cool things, he gets animated. He had an opportunity to wow us. I wanted to be wowed. I didn't want to hear about cool dialog boxes."

Anti-virus software fails to protect UK business
Brian McKenna

Network worms like Blaster significantly damaged UK companies in 2003, despite near-complete anti-virus software protection and the easy availability of patches.

The Department of Trade and Industry's seventh biennial information security breaches survey, which a Pricewaterhouse Coopers-led consortium carried out from October 2003 to January 2004, has revealed that malware is a bigger threat to business than it was in 2002. Around half of UK businesses suffered from virus infection or denial-of-service attacks during the last year, the survey shows.

This has risen from 41% in 2002 and just 16% in 2000. These are among the initial findings from the survey; the full results will be launched at InfoSecurity Europe in London, April 27-29.

The Belfast-based research team interviewed the main infosec owner in 1000 companies. They discovered that 93% of those surveyed, and 99% of large companies, deploy anti-virus software. Despite this, 50% of UK businesses, and 68% of large companies, suffered from virus infection or denial-of-service attacks in 2003.

MS Blaster was by far the biggest culprit, causing a third of all infections — and over half of those in large companies.

Damage from virus incidents varied from less than a day's disruption and no cost to major disruption to services for a month or more.

Chris Potter, the partner at Pricewaterhouse Coopers who spearheaded the research, said that "anti-virus software is not useless. The problem is that while businesses do have AV, it's not necessarily up to date. We found that 41% of companies don't update automatically. Also the nature of the threat is evolving; viruses are becoming more sophisticated, with blended threats evading AV scanning.

"Large companies were caught out more by Blaster than they were by viruses like Klez. In the Blaster case you had a known network security vulnerability for which the patch wasn't installed quickly enough".

"Large businesses have sorted out the perimeter, but it's things like infected laptops coming into the network are the problem".

He reported that there are signs of more proactive approaches being adopted — such as heuristics — "especially in companies where there are lots of transactions or a lot of connectivity, like telcos and ISPs".

And the big picture is that "five years ago accidental damage was the biggest problem but now it's malicious and premeditated activity".

Potter concluded that we "need to be cautious about extrapolations from this kind of survey, but we are talking about a big number in terms of commercial damage from malware — bigger than two years ago".

Gerhard Eschelbeck, chief technology officer of Qualys, who were drafted in to analyse the AV and malcode piece of the survey's final data, said that "the most telling thing was that while 93% of small companies and 99% of large companies have AV technology, they are still getting hit. It is clear that one-dimensional AV will not cut it anymore".

He added that companies need "to do a better job in prioritising their efforts and the current average patching period of 30-60 days is just too large a window of exposure".
