Business Daily from THE HINDU group of publications, Monday, Nov 20, 2006
Security Musings
The Vista debate
R.K. Raghavan
Microsoft (MS) and controversy are nearly synonymous. The software giant is so sensitive to criticism that its response to any slight of its products or way of doing business is invariably strident. Naturally, its rivals are delighted at needling it, if only to get some inexpensive publicity! There is now a fierce attack on MS's new operating system (OS), Vista, which will hit the market on January 30, 2007. Critics say that this software, which will replace Windows XP, is far from secure against an intruder determined to break in. We know well that such adventurous and occasionally unscrupulous characters are not uncommon these days. My readers may recall how, during the last August Black Hat conference in Las Vegas, a security researcher, Joanna Rutkowska, demonstrated two methods by which an aggressive explorer could bypass Vista's security features. The flaws pointed out by her, it is believed, would permit an aggressor to execute arbitrary code at will. In a rebuff to Vista detractors, the Microsoft Co-President, Jim Allchin, said recently: "My seven-year-old runs Windows Vista and, honestly, he doesn't have an anti-virus system on his machine." I will not be surprised if Microsoft baiters take on Allchin to say that, in such a case, the OS is a better fit for amateurs rather than mature computer professionals! The war of words should go on for quite some time till Vista establishes itself as a secure and invulnerable product that is superior to XP.
Symantec, McAfee stand
The avalanche against Vista has been launched mainly by Symantec and McAfee. The latter went to the extent of taking out a full-page advertisement in the Financial Times to lambast MS's approach to the whole problem of security. Both Symantec and McAfee are likely to be affected by the MS stand that Vista is so secure that it does not need anti-virus software. The MS stance has, however, been countered by some experts who believe that, in spite of the company's claims, the new OS does need protection. Only time will tell who is speaking the truth! Interestingly, rivals have also raised regulatory issues to hit at MS, especially in Europe, where the EU frequently invokes rules rather rigidly. Two years ago, it slapped a $634.4-million fine on MS for several reasons, such as including Windows Media Player as a core component of the OS. In the present case, MS is offering Windows Defender as a component of Vista or as a download at no additional cost. This will be supplemented by a few other security improvements such as BitLocker Drive Encryption and anti-phishing technology in the new IE7. Generally speaking, the MS stand is that it has a sound Kernel Patch Protection (PatchGuard) as a safeguard against rootkits, and that it will not countenance any attempt by anti-virus software producers to bypass it, something that could considerably reduce Vista security. Incidentally, this feature was carried by both Windows 2003 and later by XP, and had led to criticism by security vendors that MS's Kernel Protection did not allow plugging in of other anti-malware and intrusion prevention technologies.
Sharp division
It is not as if MS finds itself alone in the battle with Symantec and McAfee. Heartwarming to it has been the sharp division within the anti-virus software vendor community. For instance, a Russian company, Kaspersky Lab, has gone on record to say that it has had no problem with MS operating systems. Support has also come from the UK-based Sophos, which has been carping at those who are hypercritical of PatchGuard. On its part, MS convened a meeting of vendors last month to allay their misgivings, where it assured them it would share as much information as possible to facilitate interoperability of other security products. This has not exactly appeased leading companies such as Symantec and McAfee, who still feel that the information offered by MS is either too late in the day or inadequate.
CardSpace
Amidst all this wrangling and poor publicity, MS wants to prove that it is second to none in battling cyber crime. Its focus now seems to be on online fraud. The company is well on its way to producing CardSpace, a system that aims at protecting the financial data of individuals, so greatly imperilled by the ingenious crime of phishing. This MS proposal was rightly revealed in London recently because, according to Privacy International (a human rights group), the UK record in protecting financial data is appalling compared with that of Germany and Canada, which have low data theft. Incidentally, MS wants us to believe that its new OS, Vista, will greatly aid those accessing Web sites that hold vital personal data, such as banks. We will have to wait and see whether this is more than a marketing gimmick. As if to demonstrate its determination to fight phishing, the company launched in 2005 a Global Phishing Enforcement Initiative (GPEI) to bring a certain sense of direction to efforts in many countries by private and law enforcement partners. This is a gargantuan effort if one considers that at any time, nearly 5,000 phishing sites are operating across the globe. One outcome of GPEI is the relationship that has come about between MS and the Lyon-based Interpol. MS claims it has initiated action, both civil suits and criminal action, in more than 100 cases of suspected online fraud in Europe, West Asia and Africa. All this when phishing is becoming more and more daring and ingenious. Recent reports are that it is not banks alone that are targets of phishing. Even a government agency that holds sensitive personal information can be a victim. According to a report from the US, ID thieves made recent attempts to steal Social Security (SS) numbers of gullible individuals. The modus operandi here is to intimidate the latter with a warning that unless they updated their personal data, their accounts were liable to be suspended. SS holders are thereafter encouraged to key in such data on a bogus Web site that, for all purposes, appears very authentic. Such a trick is often accompanied by a genuine e-mail that announces changes in social security rules that are to come into force in the near future. The objective here is to obtain crucial information such as name, date of birth, social security and bank account numbers and credit card details. It is not known how many have fallen victim to this ruse. I will not be surprised if the number is substantial!
(The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.)
Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.