Experts: Microsoft tweaks, new laws won't make '04 safer

Looking back at security issues of 2003 and ahead to 2004

America Online, Earthlink and others won big legal settlements against spammers. And in December, President Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. The new law imposes criminal penalties of up to a year in jail for common spamming practices like hacking into someone's computer to send spam or setting up e-mail accounts using false information to send bulk spam.

But e-mail users should not expect to see a decrease in the amount of spam they receive, said Andrew Lochart , director of product marketing at Postini, in Redwood City, California.

"The nature of the Internet (e-mail) protocols, especially SMTP (Simple Mail Transfer Protocol), makes it far too easy for dedicated spammers to hide themselves, and we're seeing a lot of (spam) activity moving offshore, outside of U.S. jurisdiction," he said.

Postini estimates that 80 percent of the one billion e-mail messages it processes each week are spam. The company believes that number might go as high as 90 percent by the end of 2004, Lochart said.

Spammers are also finding new ways around laws and antispam security measures, Belthoff said. For example, as free e-mail service providers and network administrators have clamped down on accounts and insecure servers used by spammers to send mail, they turned to computer viruses to create networks of zombie home computers that distribute their e-mail, he said. Sophos estimates that 30 percent of the spam its researchers see comes from IP addresses that belong to consumer machines. Two years ago, hardly any spam came from such sources, he said.

Incidents of online identity theft will also increase in 2004, spurred by a brisk, international market for stolen credit card numbers and personal identity information, according to security experts. Organized criminal groups in Russia and South Korea are using targeted, malicious hacking and so-called "phishing" Web sites to harvest information on thousands of online users, according to Richard Stiennon, research vice president at Gartner.

But the security news in 2004 will not all be bad, experts agree. The next twelve months will find enterprises deploying more security technologies, more precisely and with fewer problems, Stiennon said. "It's getting to the point where know what we need to do and there are good solutions out there, but now we have to execute," he said.

Microsoft's efforts to strengthen its operating systems' security and products will also close a number of well-worm avenues for hackers and virus writers, Stiennon said. Those changes include a new version of the Internet Connection Firewall, now called the Windows Firewall, in Windows XP Service Pack 2 (SP2) that is on by default and changes to Windows' implementation of RPC that will make it harder for attackers to exploit that service. Recent worms such as Blaster and Nachi used a security vulnerability in RPC to infect Windows machines.

Subsequent changes to Windows will integrate antivirus and content filtering technology with the operating system, making it easier for Windows users to block attacks, Stiennon said. A default firewall for the Windows desktop will be a marked improvement for many users, allowing them to spot virus and Trojan activity that otherwise goes unnoticed, said Bruce Hughes, director of malicious code research at TruSecure's ICSA Labs