Worms cost business millions a day

Microsoft platforms lost Australian businesses at least $40 million due to the recent Blaster and Sobig worm attacks, open source advocates claim.

Open source business focus group Open Source Victoria has seized on recent malware threats to highlight its case for a heterogeneous operating system environment - that combines open source platforms with proprietary brands such as Microsoft - in business computing.

Steven D'Aprano, an Open Source Victoria member and operations manager at Cybersource, a Melbourne-based Linux, Unix, TCP/IP and Windows IT services vendor, said the lobby group's figures suggest that at least 100,000 businesses in Australia lost a whole day of productivity due to Windows downtime caused by the mid-August Blaster or Sobig infestations.

Calculating that at an 'average' wage of $40,000 to $45,000 a year, the lobby group estimates the cost to Australian business at more than $40 million, D'Aprano said.

The group claimed in a statement that the true cost could be much higher as some 200,000 Windows systems may have been struck by one or other of the worms. 'As the MSBlast [sic] will likely continue to wreak havoc over the coming months, this figure could mushroom to cost Australia hundreds of millions of dollars,' it said.

D'Aprano said that maintaining a multi-vendor operating system environment could ensure that if one gets taken out, the other part of the system survives. However, he conceded that many businesses may not have the technical knowledge required to handle the added complexity.

However, D'Aprano said that too many businesses still file calculating the true cost of ownership (TCO) in the 'too-hard' basket and as a result frequently made the wrong choice when it comes to IT.

TCO calculations should include the cost of the risks to which they were exposed t by over-reliance on a single operating system such as Microsoft Windows, he said.

'They never do, which is ridiculous,' D'Aprano said.

Further, D'Aprano said US insurance companies were appearing that charged companies more if they had a homogeneous operating system environment.

'Some insurance companies charge higher premiums for 'hacker insurance' depending on the platform. One example is insurance broker JS Wurzler Underwriting Managers, for clients using Microsoft's IIS and Windows NT. I believe they charge between five percent and 15 percent higher,' he said.

Conceivably, it was only a matter of time before insurance firms started to do the same thing in Australia, D'Aprano said.

D'Aprano also said that Microsoft, despite its recent claims for Windows that it is now secure by design and default, had always been behind the times with its security and was likely to remain so for at least another five to ten years.

'In the mid to late 80s, [the industry] pretty much solved the bulk of these problems from a design perspective ... that Microsoft is having,' D'Aprano said.

Con Zymaris, Open Source Victoria's convenor and CEO of Cybersource, said that Outlook, for example, still had design vulnerabilities, including autoexecution of macro code.

'You can switch it off, but there's no reason why it should be there in the first place,' Zymaris said.

D'Aprano and Zymaris claimed businesses cannot afford to wait for Microsoft to catch up with its security program, and thus should include open source to some extent in their operating system environments. This was already happening in some enterprises, they said.

While Microsoft had undoubtedly improved its attitude to malware threats and security risks, historically it has had a 'blame the victim' mentality which still persists when the rebuke 'you should have applied your patches' is trotted out, they said.

'We are looking at a systemic problem of stuff that's been happening the past five years. Nothing else even comes close. If it happens so often, so many times, people have said in the past that it's because Microsoft has the greatest number of platforms,' D'Aprano said.

'But if you look at infrastructure where Linux is the most popular platform in the environment, we have to ask ourselves why that is the case,' he said.

D'Aprano conceded no system was immune from malware. However, open source platforms had a 'far lower' risk profile which was not related to its market penetration, he claimed.

Zymaris said that Netcraft figures showed that the Apache Web server had a three times higher penetration worldwide than Microsoft competitor IIS, it remained less threatened by malware in the wild.

Conversely, proponents of Microsoft often argued that Microsoft applications have such vast penetration that crackers prefer to target Windows.

D'Aprano and Zymaris maintained that human nature is such that we cannot create secure operating systems or platforms that rely on human beings altering their behaviour.

Microsoft was contacted for comment on the claims but advised that no one would be available by press time.