Week of January 14, 2004

Microsoft bungle every opportunity to win hearts and minds

It’s taken a while, but MS has finally nailed its stripes to the wall and entered the security space, with the release of new anti-virus and anti-spyware tools, available free (for now) off their website. The latter was fully expected, as MS bought Giant Company Software, a newbie anti-spyware company, last month, and promised a beta version of the software within a month.

Clearly there was insufficient time for branding, as the new product is dubbed ‘Microsoft Windows AntiSpyware’. It comes with the worldwide ‘SpyNet’ community (note: poor branding is worse than none at all) – a voluntary network of users that will help identify emerging threats and improve the overall utility of the product. Or so the story goes. Any Windows user, however lowly, can choose to join the community and rat out the bad guys to Microsoft.

Win. 98 and Millennium users out in the cold

Except for those loyal Windows users running Windows 98 or Windows Millennium (probably the worst dog of an OS ever written), that is. Alas, the new malware-fighting tools are only available to Windows XP and Win. 2000 users.

There is a decent (in every sense of the word) argument to be made by any Win. Me user who bought a new and expensive PC in 2000, in good faith from Dell (for instance), that they were entitled to a product fit for the purpose provided, and at the very least one that was not so buggy and defective it could conceivably cause them to become the victim of identity theft.

And there is no credible argument to be made that in 2000 such threats were not eminently foreseeable. We are not talking the advent of the Internet here, back in the annals of time when no one saw the need for security to be bolted in. This is recent - not medieval history. But the folks at MS do not seem to care about such small and insignificant niceties. You bought a lemon. And apparently that is your problem. Unless you upgrade of course.

Imagine: you buy a lemon car. Your only redress is to buy another car (at a discount) from the same dealer. Indeed, this is a truly spectacular business model for MS.

When software bites

MS released two “critical” security bulletins last week (Jan 11) to address security holes an attacker could use to take over your computer, change and delete data, and install malicious programs. The first flaw affects Windows Server 2003, Windows 98, ME, 2000 and XP, including the much-hyped Service Pack 2. Windows NT 4.0 is also affected if Internet Explorer 6.0 SP1 has been installed. The second flaw affects Windows 98, ME, NT, 2000, XP and Server 2003.

An MS advisory on these threats reminds us that Microsoft will only release security updates for ‘critical’ security issues for Windows 98, Windows 98 Second Edition, and Windows Me until June 30, 2006. ‘Non-critical security issues are not offered during this support period’.

However, ‘customers may request non-critical security fixes for Windows 98, Windows 98 Second Edition, Windows Me, and the most current version of their components until June 30, 2006 through typical assisted-support channels’.

Now let us speculate. What is the likelihood that the average home user will have any clue what ‘through typical assisted-support channels’ means? Will they instead (to the extent they even know) feel they have been sold a lemon and royally shafted? The bets are on.

As for security flaws in the notoriously buggy Windows Internet Explorer (IE) and Media Player (which came bundled with Win. 98 and Win. Me), the same (no) support deal applies.

Little wonder poor Walter gets mad

But does anyone care about the little guy? At least the CIOs at major corporations can screech so loudly they have a hope of getting some form of redress; even MS can’t blatantly ignore them. But does the average person have a clue why their computer seems to crash constantly running Win. Me? Or that they are only covered to 2006 for ‘critical’ security flaws in this software, as determined by MS? Methinks not.

And this is the scenario that MS would like to see migrate into our living rooms, and onto our error-free zone, the much loved TV set. I shudder with apprehension.

If MS ever have a hope of countering a reputation for arrogance and high-handedness, they must imbue everything they do with a new radical consciousness – the customer comes first. Alas, although it is early days, things are not looking good.  

Walter Mossberg, the highly influential Wall Street Journal technology guru and long-term MS critic, reviewed the new MS anti-spyware product last week, and found it lacking (WSJ – ‘Personal Technology’ – Jan. 13, 2005).

It was not so much that there were any gaping technical flaws as such (although he prefers the Spy Sweeper product from Webroot Software Inc). Rather, he concluded that MS may be using ‘security software to promote its other products at the expense of the competition’.

Walter was unimpressed and suspicious of the way the MS tool deals with hijacked web home pages (where your choices are hijacked by an evil programme). Most anti-spyware programmes try to restore the user's preferences. However, the MS tool tries to replace the bad pages with home and search pages from MSN, the MS service. To Walter, this smacks of “the same type of coercion that spyware authors are using”.

In other words, instead of getting back your original home page selections, the links to the Russian Mob home page are replaced by the MS tool with pages selected for you from MSN. The lesser of two evils, one might argue, but a poor conclusion from the perspective of respecting the user's right to choose.

While this tool is free, there may be few dissenters, except Walter. But will the masses pay for something that removes one evil, but then tries to manipulate them to its own corporate ends? Especially when freeware products are available to do the job, with no hidden agendas?

Walter also found the MS tool only protects IE users from page jacking, and not users of rival browsers such as the Mozilla Foundation web browser, Firefox (recently getting cosy with Google, an MS arch rival).

Even if what Walter found is not confirmation of some devious plot at MS, they should remember that perception is nine tenths reality and that consistency is key to any effort at re-branding.

You can’t whistle dandy out of both sides of your mouth and expect to be found credible.

And why is that so very hard? 

E-Banking in Korea less risky for consumers?

The Korean government recently adopted a financial e-transaction bill. The bill must still be discussed at a Cabinet meeting scheduled for Jan. 4, and then submitted to the National Assembly.

A report in Chosen.com states that the bill provides protection for consumers who incur loss or damage while conducting e-banking, where the loss results from an external event such as a hacking attack or computer malfunction. It apparently will make financial institutions and e-banking service providers liable in such instances.

However, if consumers cause the problem deliberately or through negligence, they will be held accountable. In addition, the report states that 'consumers' identification number, secret code and certified document, all of which are essential prerequisites for e-banking, should be issued only when consumers apply for them and after their identity has been confirmed'.

Thief who stole cancer patient's identity convicted under US HIPAA law

This story is actually old news, but we haven't run it before, and it is worth a gander as it sets a useful precedent, and proves that the US HIPAA law (the Health Insurance Portability and Accountability Act of 1996) has teeth. It marks the first HIPAA criminal penalty imposed by a US court.

In November 2004 in Seattle, a District Court Judge sentenced 42-year-old Richard Gibson to 16 months in jail, plus a substantial fine - four months longer than prosecutors had sought in this sorry case.

The 37-year-old victim was a mortgage banker from the Silicon Valley area. When he was in hospital at the Seattle Cancer Care Alliance receiving chemotherapy treatment, he started to receive mail regarding new credit card accounts he had not opened. He had to spend a lot of time and money (when he presumably should have been recovering) putting his financial house and life back in order.

Gibson worked at the alliance as a phlebotomist and laboratory technician from November 2001 until he was fired in February 2003. He stole information about his victim from his employer, and used it to falsely obtain credit cards. He charged more than $9,000 on four credit cards in the patient's name.

Prosecutors could have elected to use identity theft laws to prosecute Gibson, but opted to take the newly minted criminal law provisions under HIPAA out for a successful spin. They also succeeded in getting a conviction despite the fact that Gibson was not a "covered entity" under HIPAA, but rather the employee of such an entity.

This case can serve as a warning to all US health care workers that stealing and abusing sensitive medical data for personal gain will not sit well with the courts, and will likely result in time behind bars.

 

 
