Security Watch

Security Change From the Top

MSRC gets new leader, while old leader moves up; IE8 stems clickjacking; Conficker continues to confound; payment cards -- now, more vulnerable.

• By Jabulani Leffall
• 01/26/2009

Reavey's predecessor, Cushman, will stay on at Microsoft to focus on developing ideas and strategies for Microsoft's larger, more collaborative security initiatives. Both Cushman and Reavey will continue to report to George Stathakopoulos, Microsoft's general manager of security engineering and communications.

Conficker Confounds
One of Mike Reavey's challenges in running the MSRC will be combating the Conficker worm as it spreads across millions of computer networks using a self-replicated remote code execution exploit. Many businesses apparently have yet to patch up the exploit, despite Redmond having issued a patch for this very worm last October.

While there haven't been many high-profile instances of the Conficker showing up on networks at enterprises in North America, the worm is ravaging Europe. More than 3,000 British organizations, including hospitals and the Ministry of Defense, have been hit. Reasons for the return of the worm as a technological pandemic after a few. quieter years is anybody's guess. Worms are complex programs that are hard to write, but the Conficker poses one of the greatest challenges to date. According to security advisory firm F-Secure, the worm appears to have been written by a shrewd professional or group of hackers rather than a mischievous hobbyist.
 
IE8 RC Stops Clickjackers
Microsoft introduced a release candidate version of Internet Explorer 8 and, as it has before, is touting new security bells and whistles. The latest, noteworthy improvement is a feature that prevents clickjacking attacks. First outlined last year by security researchers such as Jeremiah Grossman and Robert Hansen, clickjacking involves guiding an unsuspecting user to a malicious web site, at which time an exploit would deploy a mechanism that takes control of the user's browser session. In theory, the user's browser is then in the hands of a hacker who can steal information or purposely download malware.

Microsoft sees the new security feature as an improvement -- when clickjacking first became prevalent last year, most browsers on the market, including IE7, were vulnerable to such attacks.

Hacked at the Heartland
With an estimated 100 million records snatched last week from the large payment-processing company Heartland Payment Systems, the electronic and credit card transacation processor has become yet another company that met Payment Card Industry security standards and still got robbed.

Like grocery store operator Hannaford Bros., which was also deemed compliant and got hit last year for hundreds of thousands of customer records, Heartland's clean bill of security health did nothing to stop the incursion. Criminals still installed spy software to steal credit card details as millions of transactions were processed for a period beginning in May 2008.

The non-profit PCI Security Standards Council -- with the blessing of credit card companies -- sets security standards for the industry. Even so, critics of the current informal regulatory structure have suggested that the burden placed on merchants to retain customer data is what's making them prime targets for hackers. If high-profile data breaches of companies that have followed all the rules keeps happening, stakeholders from government, enterprise and IT circles may take a second look at the status quo.

After Heartland's troubles, it's becoming increasingly apparent that the enterprise IT data protection ecosystem could use clearer rules and better safeguards against attacks that are embarrassing at best and a blight on businesses at worst.