Predictions for 2005
Security will finally make inroads into the minds of average consumers.
Well, another year is upon us, and the obvious question is, "What will
2005 will be the year of the home computer.
It's been more than 10 years since the introduction of the first Microsoft home
computing platform, Windows 95. Windows
98 was introduced three years later and Windows ME
two-and-a-half years after that. None of these home platforms had any concept
of security included. Passwords were stored in a file, and the only difference
between one user and another was that password file. Outlook
Express, with its Preview pane enabled to allow HTML-based e-mail, including
scripting, to run, was embedded in the operating system and fought hard to handle
all mail or Usenet. Although a version of Internet Explorer (IE) with Security
Zones was introduced together with Windows 98, the default configuration basically
allowed everything to run. Office products that ran on these OSs were no better.
The first significant change in stance by Microsoft came in February 2001 with
the introduction of the Outlook E-mail Security Update.
Sure, lots of fixes had come along for IE and Outlook Express, and of course
the OS, but none were as proactive as the Outlook Update. Unfortunately, this
feature set was primarily for business users, as few home users were (or are)
The Outlook Update demonstrated why Windows platforms had been such a lucrative
target for e-mail virus writers. It described myriad ways code could execute
within e-mail, and how difficult it was to prevent that.
Windows XP, released in October 2001, finally brought
all the security features businesses had been using in Windows 2000 to the home
market—assuming, of course, that the home market was going to purchase
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
It didn't. OEMs shipped Windows XP Home on their
new systems, and consumers upgraded to that OS since it was significantly cheaper
than XP Pro. So while there were significant security features included, every
consumer was still his system's Administrator, and the default installation
introduced numerous exploit opportunities—Universal Plug and Play (UPnP),
Distributed Common Object Model (DCOM), and Remote Procedure Call (RPC), just
to name a few. HTML-based e-mail became even more popular, and was exploited
more often via scripting, yet neither IE nor Outlook Express even acknowledged
the problem, let alone addressed it.
Meanwhile, media-sharing services, also known as peer-to-peer
networks, had become commonplace. The days of connecting to an FTP server and
performing painful searches for shareware had been replaced with virtual drives
containing thousands or millions of easily-discoverable choices for the consumer.
To the home consumer, the Internet was fulfilling the promise of free everything,
be it music, movies, porn or whatever the heart desired.
This was good news for malware miscreants, who were pleased to learn that human
beings are basically naive and easily fooled. HTML
is the perfect medium for such tactics as it's designed to hide the underlying
details. With everything now easily available in an HTML format, and consumers
desiring things that way, the stage was set for scams on a massive scale. Forget
the eons-old Nigerian 419 scam: just put up a spoofed banking Web site and get
a target to type in his critical information himself.
For home consumers, the time savings and legitimate value of Internet banking,
coupled with the legal—and illegal—availability of porn and digital
music, meant that now every home had to have a computer or two. Dropping hardware
prices, cheaper broadband access and the shorter learning curve of XP dramatically
increased the home computing population.
With so many more targets, bots, the logical malicious
extension of viruses, hit the scene. Why just muck up someone's computer when
you can use it yourself? Online gaming played a role in this, enticing socially
inept, yet computer-adept, individuals to look for better ways to defeat opponents.
If you can't shoot him before he shoots you, slow him down with a Denial-of-Service
attack so you can shoot him; if all else fails, just knock him off the Net.
Bots facilitate this behavior.
Scroll forward to today. AOL, MSN,
EarthLink and NetZero, just
to name a few, are all running ads describing their security features. Some
sort of enabling technology would appear to have come along in the interim to
make this possible, yet I can't think of what that might be. Certainly MessageLabs
and others have been proving for several years that it's possible to scan massive
amounts of e-mail for known viruses, and firewalls have been protecting huge
numbers of client systems for far longer. No, I don't think it's been an enabling
technology that has brought about this change; instead, I attribute it to corporations
finally recognizing that consumers won't change their ways to add security,
and that they'll always blame the providers for their woes.
Consider smoke or carbon-monoxide alarms in the physical world. These are sensible
safety devices that everyone should have, but few people actually install them
unless they'd had a previous negative experience. And now, at least where I
live, both are now mandatory for any new home. The same is true of personal
firewalls and anti-virus products.
Within the first six months of 2005 I expect the same to be true of ISPs. I
predict they'll all offer, without additional charge, basic firewalling and
constant anti-virus scanning for both network and e-mail.
I further expect to see full "Default Deny"
implemented. Default Deny is the practice of blocking all inbound and outbound
traffic unless explicitly permitted. It wouldn't surprise me to see Internet
access pricing based on what consumers want permitted in terms of traffic. The
more ports and services to which you demand access, the higher the price for
your connection time. This is, to some extent, the way it is today; business
accounts are permitted to have any type of traffic, whereas many ISPs block
home consumers from hosting Web or mail servers.
I expect to see Microsoft provide something for free
to consumers running XP SP2 that will ensure their
systems are free from existing bots, Trojans and worms. It's unfortunate that
this will likely be limited to XP SP2, as there are millions of systems not
running that platform that are infected and being used to attack other computers
and networks today. But it's at least a step in the right direction.
I expect to see more of the decent anti-spyware vendors
to be bought out by anti-virus vendors, but it will be 2006 before anti-spyware
becomes usable by the average home consumer.
I expect anti-virus vendors to become, even more than they are, inline anti-malware
vendors. Content filtering of HTML will become the darling of the security product
market. HTTP, the transport protocol for HTML, is
already heavily abused for traffic other than HTML. It's open at most corporations,
and is the single most-desired protocol for home consumers. Blocking it blocks
the Internet. There will be a tightening, though, in what's allowed via HTTP,
and I expect to see anti-virus vendors tap into this desire. Why disable scripting
on the browser when you can, if desired, disable it at your Internet connection
point? And if you can do that, why not disable scripting in HTML Web pages,
as well as in HTML-based e-mail?
As security-minded ISPs realize the limitations of the methods they currently
use and their customers complain that they thought they were protected but weren't,
content filtering will play an important role in living up to consumer expectations.
I believe the consumer desire to reduce the volume of e-mail garbage far outweighs
their expectations of unfettered surfing. There's a vocal minority that strongly
disagrees with "censorship," but the vast majority don't want a fake
Rolex or the drugs constantly offered.
ISPs should continue to restrict the data received or sent by the average home
consumer, and I believe they will—to the betterment of their customers
first, and the rest of us ultimately.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.