Zero-Day Attacks French GIFAS and US VFW

b2ap3_thumbnail_BugIE.jpg

Old IE Too Risky for GIFAS and VFW

 

The French military defense contractor GIFAS and the US veterans organization VFW learned the hard way why updating Microsoft software such as Internet Explorer makes a big difference. These two organizations received the same treatment a Japanese financial company took on the chin recently, which some security investigators from Symantec Corp blamed on a Chinese conspiracy. The Chinese government has firmly denied all Chinese involvement, of course. http://www.reuters.com/article/2014/02/15/us-hacking-microsoft-idUSBREA1D02220140215

 

The attack depends on old versions of the Microsoft browser Internet Explorer (IE). Specifically, versions 9 and 10 of IE were attacked through ‘zero day vulnerabilities.’ The most obvious and cheapest preventative, short of avoiding IE and other Microsoft software (which has become a routine choice among many experienced professional software developers), requires upgrading to IE version 11. http://www.pctools.com/security-news/zero-day-vulnerability/

 

A simple portrait of how Microsoft makes software has helped me for the past several decades, so I will pass it along to those who might be able to use it themselves. When in the 1970’s Microsoft was starting up, it won a huge gamble that made all the difference in its profitability. Beating its CPM competitor by sheer luck to obtain a contract with IBM, the planet’s largest computer maker then and still a force with which to be reckoned, Bill Gates and his buddies decided to put out whatever software they could cobble together quickly to meet contract deadlines. http://en.wikipedia.org/wiki/History_of_Microsoft

 

They pushed junk software onto a hungry, naïve market and as quickly as they could they upgraded that junk piece by piece. In terms of management theory, they turned the old professionals’ model of Administration-Service-Sales (where a business sets up a shop or an office, hones its skills and builds its inventory to offer great services or products, and then sells its very best to a small market that recognizes value; http://www.sba.gov/content/marketing-sales-management) to the new model Sales-Service-Admin (where the business promises to sell whatever customers say they want despite not currently having it, then cobbling together something close to what was promised and servicing it to patch unavoidable glitches, and finally handling paperwork admin as an afterthought). The result made Microsoft a financial success very quickly, although insiders who knew how the magic had been made vowed to do something different and better.

 

The same model, SAA, has been adopted repeatedly in markets where customers don’t recognize value because the standards have shifted and the sophistication needed to apply those standards to evaluate a service or product has become too advanced. Microsoft did not invent the SAA management model but Microsoft mastered it.

 

Today Microsoft software seems ubiquitous; avoiding it requires real effort. Further, competitors who saw how profitable Microsoft became almost overnight couldn’t beat that profitability so they joined in, leaving consumers adrift in a violent SAA sea.

 

Enter the hackers who know the weaknesses of early products well enough to take advantage. That’s how the zero-day vulnerabilities get in the door. No one sees them enter until their damage is done. Ongoing security investigators suspect that the same holes now being patched at the VFW and GIFAS may have been embedded in software for some extended time before discovery.

 

The old professional model that combined a hard won set of specialized knowledge with age old moral codes has given way in this age of information to ever improving knowledge without the morality. The role of security investigators, both governmental and private, will have a long and profitable future in this environment, as analysts at http://HamiltonFinanceServices.com see it. What do you think?