IT security got better in 2005

30.12.2005

What went bad in 2005? The stuff that is getting by our defenses is more dangerous: Malware went criminal. Most of today's malware exists to steal confidential information, send spam, or steal identities. Now, malware is getting harder to remove, hiding better, and contains more tricks and exploits than ever. I used to be in the camp that if you found malware, just remove it, accept the risk, and get back on with real life. Now, I recommend formatting the machine and restoring clean data from a clean backup. Oh, yeah, and change all your passwords and watch your monthly statements.

Spam and spyware seem worse than ever, despite the FTC's December announcement that the CAN-SPAM Act is actually decreasing spam. That's like saying budget deficits are decreasing this year when you're responsible for sending them sky-high in the first place. Read next week's column for more of my thoughts on how CAN-SPAM is really doing.

Just as depressing is the fact that our security software continues to get buffer-overflowed on a regular basis. Hey security vendors: Stop adding new features and review your frigging code! Send your programmers to secure programming classes, have independent reviews, offer incentives for bug-free code, and give cash awards to any employee who finds a bug.

I do have a list of questions for 2006, ones that I hope we'll finally get an answer for. For example, will the Code Red and Slammer worms ever die? They are still among the most common worms on the Internet. Can there possibly be people who haven't patched their servers for more than two years? (Apparently, yes.)

Will Microsoft ever speed up Internet Explorer patching? Averaging more than a dozen unpatched vulnerabilities at any one time isn't a track record to be proud of. What's the holdup, Microsoft? Not enough hands to patch faster, or just inconvenient priorities? IE 7 looks like the most secure browser I've seen to date, but why leave the IE 6 people hanging in the wind for so long and so often? The IE team should talk to the Windows Server 2003 and IIS teams more regularly.