“Microsoft Sheds Reputation As an Easy Mark for Hackers”, 2015-11-18:
Microsoft was once the epitome of everything wrong with security in technology. Its products were so infested with vulnerabilities that the company’s co-founder, Bill Gates, once ordered all of Microsoft’s engineers to stop writing new code for a month and focus on fixing the bugs in software they had already built.
But in recent years, Microsoft has cleaned up its act, even impressing security specialists like Mikko Hypponen, the chief research officer for F-Secure, a Finnish security company, who used to cringe at Microsoft’s practices. “They’ve changed themselves from worst in class to the best in class”, Mr. Hypponen said. “The change is complete. They started taking security very seriously.”
…Microsoft estimates that it now spends more than $1 billion a year (in 2015 dollars; roughly $1.3 billion inflation-adjusted) on security-related initiatives, including acquisitions. It acquired three security start-ups in the last year alone, and the number of security employees at the company increased 20% during that time. Soon after he became Microsoft’s chief executive in February 2014, Mr. Nadella instituted a monthly meeting with security leaders from across the company. They meet to discuss industry trends and analyze threats. He also altered how Microsoft watched the Internet for hacker attacks, an effort that had been splintered among different product groups and other divisions within the company. Microsoft now pays hackers more when they find and turn over a security hole.
…Plenty of bugs are still being discovered in Microsoft’s code. But fears about the security of Microsoft’s programs have gradually abated. In a couple of recent widespread attacks, hackers exploited weaknesses in Adobe and the Java programming platform, not Microsoft software.
Once an attempt on one customer is detected—say, a phishing scheme, in which hackers try to steal passwords, credit card numbers and other private data through legitimate-looking emails—Microsoft says it can quickly deploy a solution that prevents all other customers on its corporate email services from falling prey to the ruse. Microsoft carried out one such fix to its cloud customers early last year after the Syrian Electronic Army, a group of hackers who support President Bashar al-Assad of Syria, began a phishing attack on Microsoft’s own employees.
…There is no doubt, though, that Microsoft has made thwarting hackers a priority. Microsoft’s latest version of its operating system, Windows 10, has a feature called Windows Hello that allows people to log in to a PC with a scan of their finger, iris or face instead of using a password—weak versions of which are a common cause of data breaches. “My goal inside the company is to get rid of passwords”, said Bret Arsenault, Microsoft’s chief information security officer.