Security Watch

Windows 7: The Gift that Keeps on Rebooting

For some, the move to the new OS from Vista is taking a little longer than expected. Plus: Microsoft reaches for cloud compliance; lazy hackers hit clickjackpot.

• By Jabulani Leffall
• 10/26/2009

What's the downside of being the world's largest software company with the most anticipated software release of the year, and of having the kind of information apparatus needed to hock said product? Bad news can travel fast.

Apparently, some users have had trouble upgrading from Vista to Windows 7, saying that doing so causes their systems to reboot constantly. In some cases, systems wouldn't revert back to Vista but rather freeze.

The complaints started on Friday, one day after Windows 7's official launch. Most of the snafus happened with downloads from Digitalriver.com, an e-commerce and software-on-demand site. Overall, these incidents seem isolated. However, given that Windows 7 was affected by five of the 13 security advisories that Microsoft published in October's historic Patch Tuesday, operational effectiveness as it relates to security will continue to be an issue.

From Qualys CTO Wolfgang Kandek's perspective, it's too early to make any decisions regarding the new OS given that one can never rule out a system crash. This is what Kandek told me in an e-mail late last week.

"Windows 7 approaches things differently than Windows XP," Kandek said. "Windows 7 is like a safer car that has added ABS and airbags to the already existing security mechanism of seatbelts. However, it is still possible to have a crash. The car does its best to prevent a crash happening, while at the same time providing additional protection."

Microsoft Reaching for Cloud Compliance
Passing regulatory muster is important for a software company looking for enterprise adoption. And, of course, information security compliance is important for an enterprise looking for public investors.

Microsoft has gotten preemptive and is looking for security certification for its hosted messaging and collaboration products, which will be integral parts of its cloud service rollout.

Redmond particularly wants its cloud products to fall under ISO 27001, the international internal security control standard which is part of the framework of many international IT compliance audits (think SOX 404 and HIPAA). Specifically, ISO 27001 establishes a framework for a processing environment with internationally recognized security standards, such as access control, firewall protection and sign-on parameters.

How will this work for Microsoft? Organizations rubber-stamped for ISO 27001 can be evaluated in IT audits and application controls testing to ensure enterprise customers and, ultimately, regulators that the enterprise network environment is secure.

This move seems to be less about getting Microsoft's products certified and more about being one of the first large tech companies pursuing a cloud strategy to integrate a still-untested paradigm into an existing security evaluation process. There are doubts, after all, that cloud service vendors will be any safer than their mortar, firewall, wire-and-workstation computing counterparts. And most IT auditors literally "walk through" a physical location to evaluate a processing environment's security. Is there such thing as walking though clouds?

Time will tell whether those doubts will, in fact, hold true.

Lazy Hackers: You, Too, Can Be a Clickjacker
The practice of clickjacking -- in which a hacker commandeers a workstation and clicks on malicious links or creates false browsing sessions and cookie signatures for profit -- started to become increasingly prominent about this time last year. At that time, leading browser application writers like Microsoft, Google and Mozilla were still scrambling to find the antidote.

What has made the problem worse this fall, according to Web traffic and security research firm Click Forensics, is that hackers are now kicking their feet up and letting automated programs like botnets do the clickjacking for them.

According to an October report by Click Forensics, botnets accounted for 42.6 percent of all "click fraud" in the third-quarter of 2009. That percentage is "significant," according to the company, as it is more than double 2007's rates. And last year, botnets accounted for only 27.5 percent of click fraud instances.  

What's alarming here is that hackers don't need to access trusted Web sites to roll out a clickjack; they just need to manipulate search criteria for better rankings and wait for unsuspecting users to click on a malicious link. Also, if a hacker has gained entrance to a workstation through a traditional remote code execution incursion, he or she can just send out little botnet "pretties" to turn a network into a perilous digital "land of OZ," where clickjacking trumps heel-clicking.