Microsoft security boss tackles product problems, phishing

Q&A Microsoft's global head of product security, George Stathakopoulos, is leading the company's efforts to dam the rising tide of security problems confronting it. Over the past few months, Stathakopoulos has visited Australia twice to participate in a series of summits designed to boost the education and awareness of security issues within its client base.
Written by Iain Ferguson, Contributor

On a recent visit he spoke with ZDNet Australia about some of the critical security issues facing Microsoft, and how the company is working with law enforcement agencies to help pass legislation that will protect users against phishing scams.

Q: In Australia, Microsoft has identified around 40 "at-risk" large customers in security terms and will be looking to work with them to reinforce their systems. What is the situation across other countries?
A: There is a worldwide program where large enterprises are nominated by their technical account manager and appropriate steps are undertaken in order to assess this. We also work in a partnership model, so there, if you look around, a lot of our partners are offering discount services for mid-market and small businesses.

What has changed in the security environment -- in people's perceptions of security -- since you were last here in February?
There's been a huge increase in the [concern] about security over the last three years. There's a lot more attention from organisations -- there's a lot more interest in how you take and deploy security updates.

So, people understand security well. We have a lot of big enterprises that have deployed solid strategies about how to deploy the security updates. They also have a lot more personnel that are trained and well-educated in how to protect the enterprise.

In the consumer space, we've seen a lot more consumers follow advice like the Protect your PC campaign. We've also seen a lot more people buying anti-virus software, setting up personal firewalls, taking the extra step to keep machines up to date.

So, in a way, we see that the targets of viruses and worms are getting a little bit more educated and ready.

And Sasser is actually a good example, where the spread was actually not that significant as opposed to Blaster and the cases before. So, with XP SP2 [Service Pack 2], I hope that you'll see a decline -- not in the spread of outbreaks, but the effect of outbreaks.

I think right now the new arena and [the area that a] lot of attention is being paid to is phishing scams. Basically, this is an area where e-mail or different techniques are used and social engineering is used to probe people for money and identities.

Microsoft has to go and build better education and be able to disseminate this information quickly to consumers, and at the same time we have to do platform investments and technology investments to reduce the scams.

It's a really tricky part because, [if] you receive an e-mail and that e-mail has an executable -- how many people will double-click on the executable? Eventually people learn about this and they won't do this again, right? So then, the virus authors put the executable in a zip file and send you the zip file ... how many people click on that, right? Then people get smarter and they say well, ok, the virus software switches this to send a zip file with a password.

So it's a constant education against the evolving threat. There are things you could do with the platform, with XP SP2, in terms of figuring out the attachment and the threat that it could pose. At the same time, the industry position has to be to enforce laws about phishing, because, I mean, those guys are criminals, everybody knows that.
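
The escalation described above (bare executable, then a zip, then a password-protected zip) is exactly what a mail gateway or desktop attachment check has to keep up with. As an added example, not part of the original interview and not Microsoft's code, the Python triage routine below ranks an attachment by those stages without opening it: direct executable extensions, a PE header hiding under a harmless extension, an archive containing an executable, and an archive whose members are encrypted so their contents cannot be inspected. The extension list, the risk labels and all sample attachments are constructed assumptions; because the standard `zipfile` module cannot write encrypted archives, the "password-protected" sample is a stand-in built by setting bit 0 of the ZIP flag field by hand.

```python
"""Attachment triage by evasion stage (added example; names and
thresholds are assumptions, not a Microsoft or ZDNet artifact)."""
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will run directly: an assumed, deliberately short list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag field


@dataclass
class Verdict:
    risk: str    # "high", "medium" or "low"
    reason: str  # human-readable explanation for the analyst


def _has_exec_ext(name: str) -> bool:
    """True for 'invoice.exe' and double extensions such as 'invoice.pdf.exe'."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTS)


def assess_attachment(filename: str, data: bytes) -> Verdict:
    """Classify one attachment from its name and raw bytes; nothing is executed."""
    if _has_exec_ext(filename):
        return Verdict("high", "directly executable attachment")
    if data.startswith(b"MZ"):
        return Verdict("high", "PE header under a non-executable extension")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            # Encrypted members defeat content inspection, so treat as high.
            if any(zi.flag_bits & ENCRYPTED_FLAG for zi in infos):
                return Verdict("high", "password-protected archive blocks content inspection")
            execs = [zi.filename for zi in infos if _has_exec_ext(zi.filename)]
            if execs:
                return Verdict("high", f"archive contains executable: {execs[0]}")
            return Verdict("medium", "archive with no executable members")
    return Verdict("low", "no executable indicator")


def _make_zip(member: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Build a constructed single-member zip in memory. zipfile cannot write
    encrypted archives, so for the encrypted case we set bit 0 of the flag
    field in the local header (offset 6) and central header (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.index(b"PK\x03\x04") + 6] |= ENCRYPTED_FLAG
        raw[raw.index(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(raw)


# Constructed samples mirroring the three stages in the interview.
FAKE_PE = b"MZ" + b"\x00" * 64
SAMPLES = {
    "invoice.exe": FAKE_PE,
    "invoice.zip": _make_zip("invoice.exe", FAKE_PE),
    "invoice_protected.zip": _make_zip("invoice.exe", FAKE_PE, encrypted=True),
    "report.zip": _make_zip("report.txt", b"quarterly numbers"),
    "notes.txt": b"plain text",
}


def triage(samples=SAMPLES) -> dict:
    """Return {attachment name: risk label} for a batch of attachments."""
    return {name: assess_attachment(name, data).risk for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = assess_attachment(name, data)
        print(f"{name:24s} {v.risk:7s} {v.reason}")
```

The encrypted-archive rule is the one that matters most for the third stage: once the member bodies are unreadable, the gateway can no longer tell a document from an executable, so the only defensible choice is to treat the whole archive as high risk (or quarantine it for the user to release) rather than pass it through unexamined.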

Law enforcement is going to be a fairly difficult thing, a lot of these things reportedly originate in Russia and places where the rule of law might be a little less rigorous than in other countries.
There's no question that it will be difficult. The question is will it be possible, and I think one of the things that we have to do is figure out how we will be able to protect the Internet from people who are willing to exploit consumers.

I think there're a couple of things. There is a lot of training that law enforcement has to undergo, they have to change their tactics a little bit, legislation has to come in to their support and I think as an industry we have an obligation to help law enforcement whenever we can to provide them with training and the tools to be able to do this better.

How are you doing that?
In certain cases, we develop technologies, we understand how products work, we understand how the threat is exploited and in individual cases we can help law enforcement understand that process. In that case, we can actually help them train, [and] in the case of asking our support, we can provide it for them. This is a case where Microsoft has to form a strong partnership with law enforcement, help pass legislation that will protect people. It's a combination of things that will make people's lives a lot easier.

There has been some suggestion at seminars such as AusCERT that Microsoft is too focused on patching as a means of securing an organisation. What is your reaction to that?

One of the things that I hope did come through is that there are many mechanisms that an organisation has to employ when figuring out their comprehensive strategy for security.

Keeping your software up to date is definitely something you have to go do. Running older software or an unpatched system is a bet and if you lose this bet, it's pretty devastating.

So, in my mind, having this comprehensive strategy where you have really solid policy to protect your edge -- where you have a good policy and a good mechanism to protect your actual network, and a policy and a plan to protect your host and your data -- is firmly important. And part of that policy is keeping yourself up to date with the latest in software security.

Patching is one thing. Trying to improve the complexity, the size, the quality of the patches ... we're trying to improve the updating technologies. That's just one part. We're also trying to protect the edge.

We have partnerships with many [anti-virus] vendors to provide a firewall plan, doing things to protect the network like quarantining and all the work we're trying to do there to make sure that clients don't [get infected].

The Microsoft summit has been a lot about how you manage your deployment.

This is not just about updating -- this is about planning the machines you have and how you manage the whole thing. Then there's the host ... we're doing things like XP SP2, we're putting resilient technologies in there and hopefully in the future we'll have the active protection technologies.

Then, we'll increase the resilience of the client and finally data -- which is a very important thing. It's the thing you need to protect the most and with RMS [Rights Management Services (RMS), an add-on to Windows Server 2003 meant to handle access restrictions for a wide range of corporate data] coming out and the continuing investment in Next Generation [next-generation secure computing base, or NG-SCB] -- this provides a holistic view of security and shows how we can protect the consumer.

Updating gets a lot more attention because it's something very current and very immediate but if you look at our Web sites, if you look at our guidance centres, most of the time there's a comprehensive view of your whole deployment and how you're meant to protect it better.

The view I heard from attendees at AusCERT was that perceptions of Microsoft have not really changed much since last year. What is your view on that?
First thing is about a message. Security is not something that is flashy or exciting, security's something that is steady, it's always there.

Even reinforcing the message about the things we're doing is the perfect message to give out. For fear of plagiarising, if you think about Volvo, one of the things that Volvo has done for the last 10 years is talk about safety, safety, safety, and security's about the same thing.

You talk about the basic things you need to do and the advanced things you need to do to protect your deployment. It won't be like the jazzy cool new demos about new products, it will be about the core fundamentals of security.

When it comes to customer perception, I don't expect someone to say you guys are great overnight.

It takes some time for people to build trust, to see those efforts, to materialise them, feel the benefits.

If you're a customer, the minute you have a flawless security update deployment you say 'Hey, those guys are doing a great job'. So you take some time to do this.

The feedback so far is that Microsoft is getting it, yes, Microsoft is thinking security, you guys are applying a lot of resources to this ... we're seeing some benefits and we're waiting to see more.

What are your internal goals in terms of minimising flaws in Microsoft products?
We do not have an absolute number.

There's always the goal of zero, anything less is unacceptable, but, internally, we do track how products that have gone through a more rigorous process -- through the Trustworthy Computing process -- perform after they ship.

One of the things we did see was that Windows Server 2003 achieved a significant improvement. It's not zero yet, but it's definitely improved over its predecessors. Similar things are being [reported] from the Exchange Server that came out, I don't know if I'll jinx it here, but it didn't have any security bugs reported against it. After SQL Server SP3 we did not see any activity there. The products look a lot more solid when it comes to security.

Over what period of time?
About a year, year and a half now.

One of the interesting things ... we try to combine -- when we can -- a lot of vulnerabilities into one patch so people don't have the burden of installing again and again.

In most cases this is a good thing and we really hope to do it whenever we have the chance.

If you look at the MS04-11 [patch], you'll see there's a list of vulnerabilities that were fixed. If you look in there and see the effect they have on Server, in most cases, you will see a vulnerability that was found against Windows 2000 that was very critical or important, drops in severity to moderate or low or not at all in Server 2003.

So, in a way, it's an encouraging metric. I can't really pat myself on back because it's not zero, but it's definitely encouraging.

Still keen to proceed with the bounty program?
Oh yeah. We will do whatever it takes to protect our customers and, in this case when we have all those viruses and security updates and all those things, you miss the message that the people who write the viruses and worms are actually criminals.

We need to continue to invest -- us and the industry in general -- in trying to make sure that those people get apprehended and face charges.

There's only a payment when there's actually a conviction of a suspect. Furthermore, you want to make sure there's no cooperation -- "I wrote the virus, my buddy turns me in", you know.

Who determines whether there is a legitimate interaction?
It's all part of the law enforcement investigation.

Do you consider that program to be a success to this point?
I'm very happy that a person was caught. I mean, happy someone who created a lot of pain for our customers was arrested. When I start seeing a lot more activity, a lot more people -- when you talk about the general criminal element that exists in the field of security -- I would be happier when I see more and more arrests and a lot more people being apprehended. And I don't think it's a reflection [on Microsoft], it's a reflection in general to the industry.

Where do you sit on the controversy over turnaround times for Microsoft patches?
If you look at the factors that it takes to actually create a security update, to the extent you can actually control it, one of the things you really need to invest in is making sure the quality of the patch is appropriate to customer deployment. The worst thing you can do is release a patch, have someone reverse-engineer it and produce a worm while people are still trying to deploy it and they're facing quality issues.

So, nothing would make me happier than to turn around a security update 24 hours after I get a disclosure of a vulnerability. But at the same time, we are obliged to make sure the patch is of the highest quality at the time at which we send it out. Some patches will take shorter, some will take longer.

This issue of the level of maturity of those in the security community who do find flaws -- are you finding your relations improving?
First of all, I consider Microsoft to be part of the security community.

I have different roles there. I have a role as a trainer, as an educator, and at the same time I have the role of interacting with people who find security vulnerabilities all the time.

Some of the people I meet are some of the most intelligent, and most exceptional around -- one-of-a-kind people. They have a lot of maturity, they understand why they do what they're doing and we have a great relationship with them.

A lot of the security vendors also have a business to run and protecting their customers is their main task, so they will not do anything to put customers in jeopardy.

There are cases I've seen where certain security vendors disappoint me, they will go and post the security vulnerabilities on the Web directly and put customers at risk and Microsoft encourages them not to do this, we try to create an open dialogue, and build bridges.

I think the majority of finders -- who are responsible for reporting a very high number of the vulnerabilities in our products -- are using responsible disclosure. If not 80s [percent], it's probably higher than that.

The size of SP2 is said to range between 80MB and 250MB. Has it been set?
It is a big update. There's a couple of ways we can actually work on this. First, we can do whatever appropriate compression [we can] in order to make the size as small as possible. It varies depending on your system (Pro vs Home, RTM versus SP1) but roughly about 80MB for express install.

We will [also] provide CDs that will be available for people to take and install. Between the Windows Update offering and the CD offering I think we'll be able to cover most of our customers. But it's really guided by security, it's the number one thought so we'll do whatever is necessary to improve security.

What about dial-up Internet users?
Again the CDs will be another medium for you to get it if you have dial-up. We also work with the retail manufacturers and the retail vendors to be able to pre-bundle the CDs in the retail stores.

What is the reality of SP2 working with illegal copies of Windows XP?
At the moment our policy is that XP SP2 will not be offered to pirated versions of Windows XP.

You mentioned last time you were out here you were looking to deliver mobile phone text-message alerts for high-level security threats to customers in the US. What is happening there?
A couple of things are happening. Firstly, in the United States, text-message capture is not very high -- there aren't a lot of people using [text-messaging]. Secondly, a lot of people would actually have to pay to receive an alert, which creates a very interesting problem. You don't want to have to charge your customers for actually giving them information. We're experimenting right now with MSN alerts, but [as this stands] this is something our customers would also have to pay for.

We may decide to go to a model where each decides how best to serve the customers in their region.
