Security Watch
Predictions for 2005
Security will finally make inroads into the minds of average consumers.
Well, another year is upon us, and the obvious question is, "What will
it bring?"
2005 will be the year of the home computer.
It's been more than 10 years since the introduction of the first Microsoft home
computing platform, Windows 95. Windows
98 was introduced three years later and Windows ME
two-and-a-half years after that. None of these home platforms had any concept
of security included. Passwords were stored in a file, and the only difference
between one user and another was that password file. Outlook
Express was embedded in the operating system with its Preview pane enabled,
which allowed HTML-based e-mail, including scripting, to run, and it fought hard to handle
all mail or Usenet. Although a version of Internet Explorer (IE) with Security
Zones was introduced together with Windows 98, the default configuration basically
allowed everything to run. Office products that ran on these OSs were no better.
The first significant change in stance by Microsoft came in February 2001 with
the introduction of the Outlook E-mail Security Update.
Sure, lots of fixes had come along for IE and Outlook Express, and of course
the OS, but none were as proactive as the Outlook Update. Unfortunately, this
feature set was primarily for business users, as few home users were (or are)
running Outlook.
The Outlook Update demonstrated why Windows platforms had been such a lucrative
target for e-mail virus writers. It described myriad ways code could execute
within e-mail, and how difficult it was to prevent that.
Windows XP, released in October 2001, finally brought
all the security features businesses had been using in Windows 2000 to the home
market—assuming, of course, that the home market was going to purchase
XP Professional.
It didn't. OEMs shipped Windows XP Home on their
new systems, and consumers upgraded to that OS since it was significantly cheaper
than XP Pro. So while there were significant security features included, every
consumer was still his system's Administrator, and the default installation
introduced numerous exploit opportunities—Universal Plug and Play (UPnP),
Distributed Common Object Model (DCOM), and Remote Procedure Call (RPC), just
to name a few. HTML-based e-mail became even more popular, and was exploited
more often via scripting, yet neither IE nor Outlook Express even acknowledged
the problem, let alone addressed it.
Meanwhile, media-sharing services, also known as peer-to-peer
networks, had become commonplace. The days of connecting to an FTP server and
performing painful searches for shareware had been replaced with virtual drives
containing thousands or millions of easily-discoverable choices for the consumer.
To the home consumer, the Internet was fulfilling the promise of free everything,
be it music, movies, porn or whatever the heart desired.
This was good news for malware miscreants, who were pleased to learn that human
beings are basically naive and easily fooled. HTML
is the perfect medium for such tactics as it's designed to hide the underlying
details. With everything now easily available in an HTML format, and consumers
desiring things that way, the stage was set for scams on a massive scale. Forget
the eons-old Nigerian 419 scam: just put up a spoofed banking Web site and get
a target to type in his critical information himself.
For home consumers, the time savings and legitimate value of Internet banking,
coupled with the legal—and illegal—availability of porn and digital
music, meant that now every home had to have a computer or two. Dropping hardware
prices, cheaper broadband access and the shorter learning curve of XP dramatically
increased the home computing population.
With so many more targets, bots, the logical malicious
extension of viruses, hit the scene. Why just muck up someone's computer when
you can use it yourself? Online gaming played a role in this, enticing socially
inept, yet computer-adept, individuals to look for better ways to defeat opponents.
If you can't shoot him before he shoots you, slow him down with a Denial-of-Service
attack so you can shoot him; if all else fails, just knock him off the Net.
Bots facilitate this behavior.
Scroll forward to today. AOL, MSN,
EarthLink and NetZero, just
to name a few, are all running ads describing their security features. Some
sort of enabling technology would appear to have come along in the interim to
make this possible, yet I can't think of what that might be. Certainly MessageLabs
and others have been proving for several years that it's possible to scan massive
amounts of e-mail for known viruses, and firewalls have been protecting huge
numbers of client systems for far longer. No, I don't think it's been an enabling
technology that has brought about this change; instead, I attribute it to corporations
finally recognizing that consumers won't change their ways to add security,
and that they'll always blame the providers for their woes.
Consider smoke or carbon-monoxide alarms in the physical world. These are sensible
safety devices that everyone should have, but few people actually install them
unless they've had a previous negative experience. Now, at least where I
live, both are mandatory for any new home. The same is true of personal
firewalls and anti-virus products.
Within the first six months of 2005 I expect the same to be true of ISPs. I
predict they'll all offer, without additional charge, basic firewalling and
constant anti-virus scanning for both network and e-mail.
I further expect to see full "Default Deny"
implemented. Default Deny is the practice of blocking all inbound and outbound
traffic unless explicitly permitted. It wouldn't surprise me to see Internet
access pricing based on what consumers want permitted in terms of traffic. The
more ports and services to which you demand access, the higher the price for
your connection time. This is, to some extent, the way it is today; business
accounts are permitted to have any type of traffic, whereas many ISPs block
home consumers from hosting Web or mail servers.
I expect to see Microsoft provide something for free
to consumers running XP SP2 that will ensure their
systems are free from existing bots, Trojans and worms. It's unfortunate that
this will likely be limited to XP SP2, as there are millions of systems not
running that platform that are infected and being used to attack other computers
and networks today. But it's at least a step in the right direction.
I expect to see more of the decent anti-spyware vendors
bought out by anti-virus vendors, but it will be 2006 before anti-spyware
becomes usable by the average home consumer.
I expect anti-virus vendors to become, even more than they are, inline anti-malware
vendors. Content filtering of HTML will become the darling of the security product
market. HTTP, the transport protocol for HTML, is
already heavily abused for traffic other than HTML. It's open at most corporations,
and is the single most-desired protocol for home consumers. Blocking it blocks
the Internet. There will be a tightening, though, in what's allowed via HTTP,
and I expect to see anti-virus vendors tap into this desire. Why disable scripting
on the browser when you can, if desired, disable it at your Internet connection
point? And if you can do that, why not disable scripting in HTML Web pages,
as well as in HTML-based e-mail?
As security-minded ISPs realize the limitations of the methods they currently
use and their customers complain that they thought they were protected but weren't,
content filtering will play an important role in living up to consumer expectations.
I believe the consumer desire to reduce the volume of e-mail garbage far outweighs
their expectations of unfettered surfing. There's a vocal minority that strongly
disagrees with "censorship," but the vast majority don't want a fake
Rolex or the drugs constantly offered.
ISPs should continue to restrict the data received or sent by the average home
consumer, and I believe they will—to the betterment of their customers
first, and the rest of us ultimately.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.