SPOTLIGHT ON SECURITY

Opening Windows Source Code Could Improve Security

Microsoft Technical Fellow Mark Russinovich raised a few eyebrows at ChefCon earlier this month, when he aired the possibility of Windows becoming an open source program.

Sure, Microsoft’s attitude toward the open source movement has mellowed over the years, but the prospect of the company rubbing elbows with the likes of Linux overloads the imagination.

Still, there could be real benefits to making Windows an open source operating system — among them, better security.

“If they’re talking about open sourcing the modern version, or pieces of it, it would help security tremendously, because people could look at it and find vulnerabilities,” said Morey Haber, vice president of technology for BeyondTrust.

There initially would be a spike in vulnerabilities, he said, but they would be patched quickly and the code would get better.

Chances are Microsoft won’t open source the latest version of the operating system, but “I wouldn’t put it past them to put out an older version or a core version as open source,” Haber told TechNewsWorld.

Balancing Act

How Windows is open sourced will determine how beneficial the move will be to the software’s security, said Mike Taylor, lead developer for Rook Security.

“There would be a benefit if the entire stack were released, because that would allow people to more clearly examine the code and look for insecurities,” he told TechNewsWorld.

“The downside to that is you’re creating an uncounted number of Zero Day vulnerabilities. Having more eyes on the code will help to address those vulnerabilities, especially since researchers could contribute code that would fix those vulnerabilities,” Taylor pointed out.

“So yes, more vulnerabilities may be discovered,” he said, “but they could potentially be addressed more quickly.”

That could help avoid situations where zealous bug hunters disclose security holes before they’re patched by a vendor, as Google researchers did earlier this year.

More Good Eyes Than Bad

Google gives software vendors 90 days to fix a flaw after reporting it to them. It recently notified Microsoft of a vulnerability in Windows 8.1 and began the countdown. Microsoft came up with a fix for the problem before the end of the 90-day period, but it wanted to release it on the next Patch Tuesday, which fell after the arbitrary 90-day deadline. Google refused to delay action and released information on the flaw two days before its fix was released.

“In an open source environment you don’t have that kind of structure,” Taylor said. “When someone finds a vulnerability, the code to fix that can be pushed immediately into the quality assurance process.”

That can be done only if an open source community has an unobstructed view into Windows, however.

“If you get a full view of the source code of something that’s open source, you’re going to have a higher likelihood of finding vulnerabilities because you can see what’s going on under the hood,” said Matt Johansen, senior manager for the Threat Research Center at WhiteHat Security.

Without a clear view into a program’s code, researchers are forced to use techniques like “fuzz testing,” he explained.

Fuzz testing involves injecting junk inputs into software to see what happens.

“It involves a whole lot of guessing and takes up a whole lot of time,” Johansen told TechNewsWorld.

“Open source really opens up the number of people who have the resources and know-how who can find vulnerabilities,” he added, “but the real added benefit is that there are more good guys with their eyes on the code than there would be if it weren’t open source.”

Not a Security Blanket

An open source version of Windows also could create security problems. For example, various distros of Windows could pop up.

“We would probably end up with problems similar to Linux and Android, where we’d have fragmentation and then unique vulnerabilities based on that,” BeyondTrust’s Haber said.

In addition, while the “many eyes” approach can catch vulnerabilities before they become hacker havens, “we’ve seen recently in the case of OpenSSL and other open source software, this doesn’t always work,” RedSeal Chief Evangelist Steve Hultquist pointed out.

“Furthermore, in the case of Windows, it is unlikely to be under active development by the community. As a result, I would expect to see targeted attacks as the result of weaknesses discovered by the release of the code,” he told TechNewsWorld.

“There’s not always a positive correlation between having a project be open source and increasing its security,” Rook’s Taylor added.

Breach Diary

  • April 7. University of California, Riverside, informs some 8,000 graduate students that their personal information, including Social Security numbers, is at risk because of theft of desktop containing unencrypted data from a campus office March 13.
  • April 7. Human Rights Watch files lawsuit against U.S. Drug Enforcement Agency for illegally collecting records of organization’s telephone calls to foreign countries as part of a government bulk surveillance program.
  • April 8. U.S. Federal Communications Commission fines AT&T US$25 million for series of data breaches in 2013 and 2014 at its call centers in Mexico, Colombia and the Philippines, which exposed names and full or partial Social Security numbers of some 280,000 U.S. customers. The fine is the largest data security enforcement action by the agency to date.
  • April 8. Cyberattackers supporting ISIS take 11 stations of the French television network TV5Monde off air and hijack its website and Facebook page for two hours.
  • April 8. Global law firm Mayer Brown releases study of executives and corporate counsels in 15 industries in which nearly two-thirds of them (63 percent) said their biggest concern about a data breach was the exposure of their personal information. Only 10 percent said the theft of trade secrets was the most serious threat to their businesses.
  • April 9. White Lodging reports point-of-sale systems in bars and restaurants in 10 of its hotels suffered a data breach from July 3 to Feb. 6, and credit card information for an undetermined number of patrons was compromised.
  • April 9. Auburn University confirms server configuration error that exposed on the public Internet personal information of some 364,012 students, including Social Security numbers of non-applicants to the institution who had taken standardized tests prior to 2007.
  • April 9. Anti-Phishing Work Group releases trends report showing 27 percent of all phishing attacks in the third quarter of 2014 were on financial institutions, and 13.1 percent were on ISPs.
  • April 10. Researchers at the University of California, Berkeley, and the University of Toronto reveal new offensive cyberweapon they call the “Great Cannon” was used in DDoS attacks on GitHub and GreatFire.org.
  • April 10. Nautilus Insurance Group announces an addition to its general liability insurance policy for businesses to cover costs related to data breaches.

Upcoming Security Events

  • April 16. Enterprise Defense and Why You’re Most Likely Doing It All Wrong. 2 p.m. ET. Black Hat webcast. Free with registration.
  • April 16. The Dangers of Phishing: Avoid the Lure of Cybercrime. 2 p.m. ET. Webinar sponsored by Kaspersky Lab. Free with registration.
  • April 17-18. B-Sides Algiers. Ecole Nationale Supérieure d’Informatique, Oued Smar, Algiers, Algeria. Free.
  • April 18. B-Sides Oklahoma. Hard Rock Casino, 777 W. Cherokee St., Catoosa, Oklahoma. Free.
  • April 19-20. B-Sides San Francisco. 135 Bluxome St., San Francisco. Registration: $20, plus $2.09 fee.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • April 25. B-Sides Rochester. German House, 315 Gregory St., Rochester, New York. Free.
  • April 29. Best Practices for DDoS Protection. 9 a.m. ET. Arbor Networks webinar. Free with registration.
  • April 29. SDN and NFV: Protecting the Next Wave Infrastructure. 11 a.m. ET. Arbor Networks webinar. Free with registration.
  • April 29. Dark Reading’s Security Crash Course. Mandalay Bay Convention Center. Las Vegas, Nevada. Registration: through March 20, $899; March 21-April 24, $999; April 25-29, $1,099.
  • May 6-7. Suits and Spooks London. techUK, 10 Saint Bride St., London. Registration: government/military, $305; members, $486; industry, $571.
  • May 2. B-Sides San Antonio. Texas A&M, Brooks City Base, San Antonio, Texas. Fee: $10.
  • May 9. B-Sides Boston. Microsoft 1 Cambridge Center, Cambridge, Massachusetts. Fee: $20.
  • May 13. SecureWorld Houston. Norris Conference Center, Houston, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • May 27-28. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), 2 Galleria Parkway Southeast, Atlanta. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 8-10. SIA Government summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, Pounds 400; before June 16, Pounds 500; after June 15, Pounds 600.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 28-Oct. 01. ASIS 2015. Anaheim Convention Center, Anaheim, California. Registration: through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300; June 1-Aug. 31 — $995, $1,250, $1,045, $350; Sept. 1-Oct. 1 — $1,095, $1,350, $1,145, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
