Marc Maiffret--the quick rise of a teen hacker (Q&A) - Insecurity Complex blog post by Elinor Mills 4/15/10

Of course, I’ve done more than a few posts over the last couple of years around security in my continuing quest to help our partner readers overcome some of the antiquated misconceptions around Microsoft and security that they might have to deal with from customer and/or consumers.  And also promote and support the fact that a bet on Microsoft security is a good bet in today’s, and tomorrow’s increasingly dangerously computing environments.

This post is around a somewhat recent article (April 2010) on the CNET News blog Insecurity Complex by Elinor Mills (linked above) that I found extremely interesting and informative – I hope you’ll read the whole post.  But, I wanted to call out several pertinent excerpts that should help to undergird the concept of the superiority of Microsoft security that I’ve been promoting and provide with more evidence for your customer conversations around the critical area of security in business computing.

It’s a rather long interview, so I’m really only going to pull out a few key thoughts and hope you’ll invest the time to read the whole post. Plus please read my thoughts at the very end if you have customers still on XP.

the excerpts below are directly quoted from the article linked above but as the term excerpt denotes, I have deleted a significant portion of the article content, where appropriate I have used … to indicate where material has been purged in the middle of a section.

[Background on Marc Maiffret] A runaway and high school dropout… Young, articulate, and outspoken, Maiffret went on to become a celebrity hacker wunderkind, testifying before Congress on security issues, featured in cover stories in numerous magazines and newspapers, appearing in MTV's "True Life: I'm a Hacker," and being named one of People Magazine's 30 People Under 30.  He is also a co-founder of eEye Digital Security, where he has been somewhat of a thorn in the side of Microsoft, finding vulnerabilities in its products, including the hole that the Code Red worm used to wriggle its way onto thousands of servers in 2001. Today, Maiffret is with the anti-malware firm FireEye as chief security architect. In a recent interview with CNET, Maiffret talked about how he stays ahead of the game…

At eEye you caused quite a stir over at Microsoft. Tell me about that.
Maiffret: Yeah. First and foremost, we [eEye] were building a vulnerability assessment product that could scan your company network and tell you here's all the ways a hacker could break in and here's how to fix it. I was focused on Windows and Microsoft platforms in the beginning. I had been interested in vulnerability research since 1997and more serious stuff in 1998 and 1999. I started to discover some of the more critical remote Microsoft vulnerabilities where you could compromise any Microsoft Web server. That kicked off some of the first real intense looks at Microsoft from a security perspective.

How would you characterize the state of security at Microsoft products at the time [1998-1999]?
Maiffret: At that time they didn't even have a dedicated security team...[but product security] started mattering to them as a company when Bill Gates released his Trustworthy Computing memo [in January 2002]. He stated this was the No. 1 objective of the company, to have the software become secure to the point where people actually trust it. There was a lack of faith in Microsoft and security, especially after all the computer worms like Code Red and Slammer. Banks were talking to Microsoft about switching. Now when you look at Microsoft today they do more to secure their software than anyone. They're the model for how to do it. They're not perfect; there's room for improvement. But they are definitely doing more than anybody else in the industry, I would say.

Are they the model that other companies are following?
Maiffret: From an internal process in how they go about auditing their code and securing software from a technical perspective, they do have one of the best models. The area they still have room for improvement is around time lines of how long it takes for them to fix things... [however] Should there be some new zero day critical emergency, we see they are able to get something out within a couple of weeks. You look at companies like Adobe and they are where Microsoft was 10 years ago.

[Apple has] really only begun in the last six months or so taking security seriously and understanding that it impacts their business in a serious way.

In what way exactly?
Maiffret: Adobe, and even Apple, is a good example. They are starting to get black eyes with people saying Adobe is a bigger worry than Microsoft is at the moment, which I agree with. As those things are happening, Adobe and Apple and other companies are starting to pay attention and care more…They didn't have good technical structures behind the scenes. Now they are staffing up and hiring industry notables like Window Snyder [ex-Microsoft security employee recently hired by Apple]. They've really only begun in the last six months or so taking security seriously and understanding that it impacts their business in a serious way.

And you think Apple is taking it seriously too now?
Maiffret: Oh yeah. It's even a little scarier with them because they try to market themselves as more secure than the PC, that you don't have to worry about viruses, etc. Anytime there's been a hacking contest, within a few hours someone's found a new Apple vulnerability. If they were taking it seriously, they wouldn't claim to be more secure than Microsoft because they are very much not. And the Apple community is pretty ignorant to the risks that are out there as it relates to Apple. The reason we don't see more attacks out there compared to Microsoft is because their market share isn't near what Microsoft's is.

[Ron’s note: you’ve heard the above from me on many posts, but I would call this about as close to the proverbial “horse’s mouth” as one can get. And that’s why I thought it was a good idea to do this posting, so now you have another reliable source – besides me <grin>]

Are they on par as far as code?
Maiffret: I think Microsoft does a better job with their code auditing than folks like Apple do. We've only seen a scratching of the surface as far as Apple vulnerabilities because nobody cares to find them…

What are the big threats now?
Maiffret: The desktop apps are now the biggest targets. Adobe is a great example of that. People don't have patch processes in place for Adobe and other applications like they do for Microsoft software. The Web-based applications are also big targets--companies putting Web apps online and weird uses of Facebook…

Do users need to do something different with the attack vector shifting?
Maiffret: A few years ago, the types of attacks were e-mails that appeared to come from your bank. You could just log into your bank and see if there was a notice for customers. It was old-style phishing. It's easier to look for that and avoid those things. Nowadays, when attacks are increasingly being leveraged from legitimate Web sites, it's harder…I don't even know of a way right now, with the various types of attacks, how to explain to my mom what not to click on and what not to do because just through the normal browsing attacks are going to be coming at her. It's so low-level and behind the scenes. You just happen to click on a news link and a flash link off to the side that you're not even interacting with compromises you. The potential of educating users is going away quickly. It means we have to be better as technology people and security companies at preventing these things.

What do you think about Google's news that it was attacked late last year?
Maiffret: …Breaches happen all the time. The attacks like Google reported are very commonplace, but unless it's a significant enough breach to require some sort of disclosure, there's not any motivation for companies to talk about it…But the actual piece of malware and exploit used to break in was more simplistic than what we see in everyday cybercrime data thefts…

…[several sections ommitted]

The news has brought increased attention to espionage and cybersecurity. How much is legitimate and how much is hype?
Maiffret: There has always been espionage. If you look at all the data online, it's on computers and it makes sense that espionage would follow with it. It's easier to have people on computers trying to steal secrets from another country or company than it would be to physically try to get into the companies or meet people in a back alley hand-off of documents. Now you can be sitting on laptop anywhere in the world. Aspects of espionage and cyberwar can be hyped up, but at the end of the day I don't know if it's been hyped enough in the sense that I don't think people understand how big of a problem it actually is.

[Another Ron’s note: if you read this closely and between the lines this should have been very interesting to you, what he’s saying is that the current and future security environment is increasingly more challenging – in light of this, would you want to trust your company, or personal, data assets to the folks who now represent “the model for how to do it [security]” or the folks who try to market themselves as more secure.  food for thought.]

End of excerpts…as I mentioned this was a rather long interview so and most of the rest of it focused on Marc himself and how he got into hacking and things like the safety of online banking and I’ve not included any of that.

I wanted to close by just reminding you that Security really is “job 1” at Microsoft and has been for some years now, but I still see so many folks offering outdated (and uninformed) opinions that cast aspersions on our platform from a security perspective.  It’s all the more ironic that many of them are obviously Apple fanboys who typically don’t “get” security beyond the PC level as they enjoy the security by obscurity advantage that that platform has had in the past, but I’m thinking that won’t continue forever, so I still maintain, and PWN2OWN tends to prove, that Microsoft is the best overall platform for security not only now, but moving into the future.  Which brings me to the last point about XP.  Even though XP seems reasonably secure, it’s now old technology and was not designed to meet the ever more demanding security needs of modern computing.  Vista/Windows 7 codebase, however, was the first one that was fully developed under the SDL/Trustworthy Computing paradigm at Microsoft and that’s why, of all the bad you’ve heard abour Vista, you have not heard of any significant security issues.  Of course, as Marc states, no code base will ever probably be perfect, but our platform is good enough for him to consider it a “model”.  For all your customers still clinging to XP, this should be some be some serious food for thought for them, and a discussion you, as a technology advisor, should have with them if you have not already.  Hopefully, this post will give you some more “ammo” to use to help your clients understand the implications of staying of XP as it starts to go into end of life.

UPDATE: In case you haven’t seen this -- Microsoft: 10,000 PCs hit with new Windows XP zero-day attackIf this doesn’t get your XP customer’s attention and drive home the points I was just making above, then I guess you can thank them because they’ll be paying you (partner) a LOT more for the cure than they would have for the prevention.