Archive for the 'Malware' Category

Allchin recants, er, clarifies

[link] Monday, November 13th, 2006

Further to that earlier post, Jim Allchin has been, er, clarifying his remarks about Vista and anti-virus software.

During a recent discussion with journalists about the release to manufacturing for Windows Vista, I made a comment about how attacks on the Internet are getting more and more sophisticated, and some of the security features in Windows Vista really help our customers. This somehow morphed into people thinking I said customers shouldn’t use antivirus software with Windows Vista.

When the articles and blogs started appearing, I asked the PR folks to send me a copy of the transcript of the call so I could read it over and see if I said something I didn’t mean. After reading the transcript, I could certainly see that what I said wasn’t as clear as it could have been, and I’m sorry for that. However, it is also clear from the transcript that I didn’t say that users shouldn’t run antivirus software with Windows Vista! In fact, later in the call, I explicitly made this point again, because I had realized I wasn’t as clear as I should have been. It’s important for me that our customers are using the appropriate security solutions for the right situations, whether that’s security functionality integrated in the operating systems, or add-on products.

The point I had been trying to make (albeit unclearly) is that Windows Vista includes new security features that can dramatically help improve our customers’ security for certain situations. I was asked a question about how I rated the protection provided by Windows XP with Service Pack 2 and whether or not it was still effective. I ended up telling a story about how the machine my seven-year-old son uses has no antivirus software installed because it runs in a very locked down configuration, which includes only being able to visit websites on an approved list (approved through the parental controls feature in Windows Vista). He also has no access to email or instant messaging and he doesn’t run as an administrator of the machine. In fact, parental controls in Windows Vista requires that the user you apply controls to is not running as an administrator. Email, phishing, and other social engineering attacks are definitely among the most prevalent attacks that home users experience today, and his machine has been locked down in these regards.

My point in bringing up this extreme example was really meant to emphasize the importance of defense-in-depth measures we put in Windows Vista—both the number of defenses and their combined effectiveness.

Now, the comments have unfortunately been cited out of context implying that I said Windows Vista users shouldn’t use antivirus. I want to be clear, most users will use some form of antivirus software, and that will be appropriate for their scenarios. In fact, Windows Security Center, a great feature in Windows Vista, specifically encourages the use of antivirus software.

Hostages to fortune

[link] Sunday, November 12th, 2006

Jim Allchin, Microsoft VP, quoted on Good Morning Silicon Valley, talking about Vista.

In my opinion, it is the most secure system that’s available, and it’s certainly the most secure system that we’ve shipped. So I feel very confident that customers are far better off by using Windows Vista than they are with anything that we’ve released before.

Earlier, he had said that he was so confident in the operating system’s security measures that he believes there’s no need for Vista users to run any third-party antivirus software.

Stay tuned.

LATER… Bill Thompson has written an insightful column about this. Excerpt:

Vista will ship with Kernel Patch Protection - also called PatchGuard - which checks to see if the core has been altered in any way. This should make it a lot harder for viruses, trojans, rootkits and other types of malicious software, or malware, to install.

PatchGuard will be backed up by support for the Trusted Platform Module, a hardware component built into many new computers that gives the operating system a way to store and use secured information.

The new approach should make life more difficult for malware writers, but it is also going to get in the way of legitimate security software vendors such as Symantec, which has already pointed out that its anti-virus programs rely on being able to modify the Windows kernel, something which will no longer be allowed.

Microsoft’s response is to argue that “kernel patching”, as the process is called, is not needed and that the standard security tools are all that are required.

It may be right, but it’s hard to tell because we don’t actually know much about what is going on inside the Vista kernel. Microsoft, like many other commercial software developers, prefers to keep such details secret.

“If severe flaws are discovered in Vista”, Bill concludes, “and there are already signs that the lockdown is far from perfect, then users may well wonder why they have put their faith in the ‘benign dictator’ approach to security.”

One born every minute

[link] Sunday, August 27th, 2006

This morning’s Observer column — on the profitability of spam.

So who were the schmucks buying this stuff? It seems that among those who responded to Amazing’s spam - under the subject line, ‘Make your penis HUGE’ - was the manager of a $6bn mutual fund, who ordered two bottles of Pinacle to be shipped to his Park Avenue office in New York. A restaurateur in Boulder, Colorado requested four bottles. The president of a California firm that sells aeroplane parts and is active in the local Rotary Club gave out his American Express card number to pay for six bottles. And so on.

So pharmaceutical spamming is profitable. What then of the ‘pump and dump’ variety? A new study by Jonathan Zittrain of the Oxford Internet Institute and Laura Frieder of Purdue University in Indiana provides persuasive evidence that it, too, is profitable - though probably less so than penis-enlargement spams…

Stock spamming works

[link] Wednesday, August 23rd, 2006

Sophos, a Massachusetts-based supplier of software for protecting companies and consumers from online threats, reported in July that 15 percent of all junk e-mail messages are now stock spam, up dramatically from less than 1 percent 18 months ago. Here’s a Technology Review piece about some interesting research conducted by Jonathan Zittrain and a colleague. Excerpt:

Stock spam uses the classic “pump-and-dump” scheme. A spammer sends out a mass e-mail message touting a penny stock with low trading volume in hopes of convincing a handful of people to buy shares of it. If the spammer succeeds, the limited buying activity boosts the stock’s price and liquidity just long enough for the spammer to sell his own shares (or the shares of his client) at a profit. The stock subsequently plunges and those who bought it are usually hit with a loss.

In their study, Zittrain and co-author Laura Frieder, an assistant professor of finance at Purdue University in Indiana, sought to quantify the effectiveness of such campaigns. To do so, they analyzed more than 75,000 stock “touts” appearing in Zittrain’s e-mail inbox and a Usenet spam-sighting newsgroup between January 2004 and July 2005. The date and estimated size of each spam campaign was compared with the price and trading volume of the company shares being promoted over several days, including the day immediately preceding the campaign.

The researchers discovered that if a spammer bought a stock a day before beginning heavy touting, then sold the morning after the first day of touting, the average return on investment was 4.9 percent. And more effective spammers saw a 6 percent return.

On the other hand, if a victim were to invest $1,000 in a stock on the day of heaviest touting, that investment would be worth, on average, $947.50 in the two days following the spamming campaign. For the most heavily touted stocks, the same investment would fall by 7 percent, to $930. The study also confirmed that the volume of touted stocks responded “positively and significantly” to touting campaigns, meaning that trading activity increased.

“Our analysis shows that [stock] spam works,” wrote Zittrain and Frieder. “Among its millions of recipients are not only those who read it, but who also act upon it, suggesting a value to spamming that will create a powerful counterbalance to regulatory and technical efforts to contain it.”

Phishing is so yesterday

[link] Sunday, August 6th, 2006

A new use for VoIP. From Internet News

Just as Internet surfers have gotten wise to the fine art of phishing, along comes a new scam utilizing a new technology.

Creative thieves are now switching their efforts to “vishing,” which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information.

Phishing is the sneaky art of sending an e-mail to people pretending to be from a bank or major online merchant, such as Amazon or EBay, asking them to click on a link and verify their account information.

The user is then directed to a fake site that collects the login and password information.

Repeated efforts on the part of security firms have educated users to be cautious about clicking on links from unknown senders.

But now, the criminal element has shifted from asking people to click on links to placing a phone call instead. Only the number isn’t to a bank or credit card, it’s to a VoIP phone that can recognize telephone keystrokes.

The thieves don’t even use an e-mail blast; they use a war dial over a VoIP system to blanket an area. A recorded message tells the person receiving the call that their credit card has been breached and to “call the following (regional) phone number immediately.”

When the user calls the number, another message is played stating “this is account verification please enter your 16 digit account number.” The rest is academic.

Secure Computing, which specializes in secure connections over networks, sent up the red flag over this new method. Secure Computing engineers have been tracking news group sites and open disclosure discussion groups discussing vishing.

“This is just a natural evolution of phishing itself,” said Paul Henry, vice president of strategic accounts for Secure Computing….

Thanks to Kevin Cryer for the link.