Microsoft Security Update: No Malware—No Government Spying

Microsoft fights cyber crime

Microsoft may have just lumped the government in with hackers as a threat to their customers. They may not just be saying “no” to hackers and their malware anymore, but “no” to government spying as well.

Microsoft recently participated with “Europol, the FBI, and industry leaders such as A10 Networks” in what it is calling a disruption of the notorious ZeroAccess botnet. The message to malware designers? “No cyber hacking.” Microsoft is improving its security for its customers, but they’re not just coming down on hackers; they are also saying “no” to government snooping.

What did Microsoft do with the botnet?

Microsoft says that it has “taken action” against a proliferative Sirefef network of “bots”—computers that have been infected with malware that operate together targeting advertisers and search engines—that is believed to cost advertisers $2.7 million monthly.

This botnet action is the company’s first since the 14 November announcement of its newly formed Cybercrime Center, a “center of excellence for advancing the global fight against cybercrime.” It was the focus of their December 5th press release, which states that the operation marked an important step in the “coordinated actions that are initiated by private companies” and law enforcement agencies to investigate the “criminal organizations” that are behind botnets and use malware to profit illicitly.

ZeroAccess was designed with durability in mind, however. Whoever is behind the botnet’s construction anticipated an organized response.

The Microsoft News Center says that it was built to last, “[r]elying on a peer-to-peer infrastructure that allows cybercriminals to remotely control the botnet from tens of thousands of different computers,” meaning that the ZeroAccess botnet is not gone, just “interrupted.”

In his statement to the press, FBI Executive Assistant Director Richard McFeely stated that the ZeroAccess crimes include, “search hijacking, which ‘hijacks’ people’s search results and redirects people to sites they had not intended or requested to go to in order to steal the money generated by their ad clicks.”

He said that click fraud takes place when advertisers pay for fraudulent clicks–clicks not obtained by the actions of “legitimate, interested human users’ clicks, but are the result of automated Web traffic.”

What were Microsoft’s results?

David Finn, the executive director and associate general counsel of Microsoft’s Digital Crimes Unit, qualified their success.

“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop [some] victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection.”

Microsoft has a clear message for the hacker community: We will work with the government to stop your violations of privacy and commerce.

This “public-private partnership” was lauded by Assistant Director McFeely who said that this partnership should act as a warning to cyber-criminals.

“It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law enforcement partners — in this case, Europol — to shut down malicious cyber-attacks and hold cybercriminals accountable for exploiting our citizens’ and businesses’ computers.”

Microsoft seems to place serious constraints on what it will do with/for the government, however.

Will Microsoft continue to work with the government in the future?

They say Microsoft’s new push for updated security will treat government spying like any other security threat. Microsoft is saying “no” to hackers and it is also saying “no” to letter-agency snooping.

Microsoft does, however, intend to work with the government in the future. They say that they are committed to online privacy rights and they are committed to helping the government prosecute violators. They will not, however, allow the government to circumvent online security protocols in an attempt to gather “intelligence” without a fight.

On the official Microsoft Blog, in a post titled “Protecting customer data from government snooping,” Microsoft addressed its customer base: “[m]any of our customers have serious concerns about government surveillance of the Internet.”

Their answer to customer concerns about government spying?

“We are taking steps to ensure governments use legal process rather than technological brute force to access customer data.”

They are especially worried by recent press coverage of the alleged “concerted effort” by government agencies to work around online security measures in their attempts to collect private data. In Microsoft’s view, that is a violation of the legal process and its protections.

Specifically, recent news stories have suggested government interception of private data, without the use of appropriate subpoenas or warrants. Microsoft is quick to state that they have no black-and-white evidence, but they are not going to wait for any before upping their systems’ security.

“If true,” says Microsoft, “these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an ‘advanced persistent threat,’ just like malware and cyberattacks.”

[emphasis added]

How will Microsoft achieve this unprecedented closed-door policy?

Expanding encryption—Microsoft says that they will “pursue a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services.”

They will provide protection of customers for the life of their content, suggesting no “statute of limitations” on protections of privacy.

Qualification:

  • Microsoft will encrypt all customer-owned content moving between the source and Microsoft automatically.
  • All productivity and communications services will encrypt content as it moves to and from Microsoft servers.
  • Industry’s top cryptographic protections of customer data channels.
  • All of this in place by 2014, and as much as possible to be in effect immediately.
  • And more: they’re even going to make sure that data travelling between Outlook users and other email providers will be encrypted as well.

Reinforcing legal protections—Microsoft’s blog also states that they are taking steps to strengthen legal protections for their users.

Microsoft says that they are committed to notifying business customers and government customers if they receive orders related to the customer’s data. If the government uses a gag order to try to stop them from notifying their customers, they will go to court and challenge it.

“We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data.”

Microsoft believes that government agencies can go directly to business or government customers about information regarding one of their employees, just like they used to do before businesses moved to their cloud.

Microsoft’s track record isn’t “customer privacy” spotless though, is it?

Not completely, no.

The Prism private data leak took its toll on Microsoft’s “customer-privacy-first” image. Amid the whirlwind of “disclosures,” accusations and self-defense press releases, Microsoft—along with Google and other organizations—was cast in a gloomy light.

Microsoft is fighting that black mark energetically now, though.

Their Scroogled campaign has been designed to contrast the software dynasty to their arch rival, Google. Scroogled focuses on Google’s inherently ad-centric marketing. Microsoft says of the Google Shopping service that, “simply put, all of their shopping results are now paid ads.”

The criticism doesn’t stop at shopping though. Google is being accused of reading Gmail users’ emails to better target their advertising.

There’s even a Scroogled merchandise shop where you can purchase anti-Google mugs and t-shirts.

The Scroogled campaign, along with the recent press releases and blog posts emphasizing that Microsoft will fight what it considers to be illegal snooping, is having an effect.

Whether or not it is enough to distance itself from its nemesis, Google, and set itself up as “the people’s secure software solution” is a question that only time will answer.

Market share, public dichotomy of opinion, and the corporate fan-bases that fuel them will keep opinions divided for and against Microsoft for some time to come, but their effort to update security and tell hackers and the government “no malware, no spying!” has some people putting a check in the “Microsoft is good” box.

By Matt Darjany

Sources:

Microsoft Blog

Microsoft News Center

Slashdot
