The year 2003 marked a turning point in PC security--and not in a good direction. Users were overwhelmed by waves of e-mail worms, from Blaster to SoBig, that stole personal information, spewed spam, and conducted DDoS (distributed denial of service) attacks. Security experts expect all of these threats to increase, not diminish.
"Over the next few years, we'll see a lot more controlled zombie networks, with end-user desktops used as servers for spammers and DDoS," says Thor Larholm, senior security researcher at PivX Solutions in Newport Beach, California.
For the next two years, we'll use the same weapons to fight back: antivirus software, spam filters, personal firewalls, and Windows patches. The difference is that many of these utilities may become part of the OS and operate automatically.
For example, Microsoft has announced a scheme that would turn XP's Internet Connection Firewall on by default; the plan might also install Windows and Office patches automatically. The company has test-marketed versions of Windows containing a stronger firewall, plus antivirus and backup utilities. Given Microsoft's history of packaging watered-down utilities in its OS, experts are skeptical of this approach.
The good news is, you'll see fewer buffer overflows or software "holes" that allow malicious code to take control of a machine, says Chris Wysopal, VP of Research and Development for security consultancy firm @stake. That improvement is due in part to new tools that find overflows before they're exploited, and in part to a shift toward "managed code," which examines each set of instructions and grants permission before the code can execute.
The bad news? "Social-engineering attacks to draw people to fake Web sites or run Trojan [horse] programs will be worse," Wysopal says. "The human will still be the weak link."
Secure--But at What Price?
Removing human error from the equation is a key part of Microsoft's Next Generation Secure Computing Base, an ambitious proposal that aims to solve myriad security problems. Formerly known as Palladium, NGSCB (pronounced "eng-scub") will be woven into Microsoft's Longhorn OS when it's released in 2006.
Among other things, this scheme will verify the identity of each application, so you'll know that the software you just downloaded isn't a Trojan horse. NGSCB will encrypt data and keystrokes so they can be read only by trusted apps. It will create a sealed memory space for each program, so viruses won't be able to affect other programs.
And it will allow companies to determine how people use their content. For example, a software firm might prevent you from using unregistered versions of its products. If you download a film, the OS might let you view it but not make copies. Or a business might allow only certain individuals to open a Word document containing sensitive information, and then make the doc delete itself after a few days.
Office 2003's Information Rights Management feature allows you to control who can read or print documents, as well as to set expiration dates. But these capabilities demand some big trade-offs: Only Office 2003 apps can open restricted documents, and your network must be running Windows Server 2003.
Critics warn that such schemes could hand control of your computer to major corporations and could have other unintended consequences. "Vanishing e-mails will be attractive to corporations terrified of legal discovery," notes Ross Anderson, reader in security engineering at Cambridge University in England.
NGSCB will require new hardware. So Intel is developing a chip architecture, code-named LaGrande, to support it. Citing privacy concerns, Intel has said it will recommend that system builders let consumers opt in to enable LaGrande functions.
Good encryption technologies already exist, but using them can be daunting for anyone other than a security geek. However, several products promise to bring encryption to the masses by implementing it automatically, with little or no work needed from end users.
PGP Corporation's new Universal software turns a server into a security box that encrypts, decrypts, and digitally signs a company's e-mail, without requiring employees to lift a finger. People outside the company can download client software that manages encrypted communication with the server.
And recently Leadtek Research started shipping motherboards with ENova's X-Wall LX-64 security chip installed. It automatically encrypts all data going into the hard drive and decrypts the data coming out, but only if users first insert a dongle containing the encryption key into the system's FireWire port.
A blue FireWire key (above) unlocks data on the hard drive encrypted by the ENova chip (below).