Jeff's InfoSec Blog

Thoughts about information security, privacy, and regulatory compliance. Brought to you by Jeff Newfeld, the product unit manager for security solutions in Microsoft's Core Infrastructure Solutions group.

  • OK, passwords are so 20th century and have to go!

    This article ( Protect passwords? Not if latte is free ) was passed on to me from a colleague who also saw the irony in this. I would say that we're 3 years too late in making 2-factor auth a base part of computing. This makes identity theft almost too...
  • 7 computer security tips for students

    My group didn't write this... that is, I don't think we did, although this may have come out of our Consumer team. But it is pretty good, basic advice for students that are heading off to school with their new laptops. School is in: 7 computer security...
  • Microsoft buys email managed-services company

    Link. Microsoft Q&A. They provide email customers with security and compliance services (retention, etc.). As IT environments get more complex there are more opportunities for providing this type of service for part of the infrastructure. This...
  • Internet fraud -- whose fault is it?

    Awareness is our biggest challenge, but we've been doing a lot to make this happen. At this point the consumers that are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune. I like this...
  • Here's a list of Security Solutions

    Tony Bailey, the Senior Product Manager on the Microsoft Solutions for Security & Compliance team, has put together a list of all of our security solutions. You can find it here: http://www.microsoft.com/technet/community/columns/sectip/default.mspx
  • Credit Bureaus adopt data protection standard... so what?

    So the three big credit bureaus are adopting a single data encryption standard to "further assure the protection of sensitive consumer data when transmitted between data furnishers and credit reporting companies" (link). Great. Except that data encryption...
  • Trapping passwords by listening to typing

    An interesting paper to be published shortly by three clever people at UC Berkeley reports that without training (other than a 10-minute recording of someone typing) a recognition algorithm can be built to derive what is being typed, including passwords...
  • DNS Poisoning attacks... will this never end?

    TechWeb just posted an article on DNS cache poisoning continuing. The Microsoft KB article can be found here. The problem: cache protection (in Windows 2000 SP3 and above) only applies when the DNS server is a master. If it is forwarding all requests...
  • British Gov't validating security tools - "CSIA CT Mark"

    The CSIA is sort of the British version of NIST, with respect to IT. They've invented their own accreditation for security tools (link), basically looking to validate the vendor's claims (thus the name, "Claim Tested Mark"). This is a very different...
  • Is finding security holes a good idea?

    Some interesting papers came out of the third annual Workshop on Economics and Information Security. If you're an IEEE Computer Society member you can read the full text. Eric Rescorla's article, "Is Finding Security Holes a Good Idea?", provides a statistical...
  • Regulatory Compliance: Yet another regulation to follow

    The Payment Card Industry (credit-card issuers) have created their own set of regulations that e-commerce sites must follow if they're to continue processing credit card payments. The regs are pretty good -- a 12-point checklist of areas that need to...
  • Cool stuff - Microsoft MAX

    If you have a high-performance machine with a good video card, check out http://www.microsoft.com/max/. It's the Codename Avalon user interface used for photo browsing. Not only is it really pretty, but it also shows some great ideas around how a UI...
  • First go for people with no armor; then look for chinks in the armor

    If researchers are pointing out the issues, the bad guys will not be far behind. Start checking to make sure that your AV software is up to date! Link.
  • Child Exploitation Tracking System developed by Microsoft

    This is one of those times that I love this company -- building a tracking system to fight kiddie porn, and giving it away to police departments worldwide. Link.
  • Strong Passwords = Weak Security

    An old article, but still a good one, by Jakob Nielsen (formerly at Sun, now at his own company). I strongly agree with his points, particularly: "passwords that comply with the above list of "security-enhancing" principles lead to one outcome: Users...
  • Spyware (I mean potentially unwanted software) and the law

    You know that a concept has truly entered the mainstream when it spawns politically correct euphemisms. Potentially unwanted software is the latest safe and approved term for what most people think of as spyware and adware. So the House has just approved...
  • Vulnerability analysis using search tools

    Interesting article: Google Yourself to Identify Security Holes by Tony Bradley. His point is that security people should be using Google and the discussed tools as one facet of a vulnerability analysis program.
  • Microsoft Solutions for Security team at TechEd

    I was going to post on this but Tony Bailey beat me to it (link). We have several sessions at TechEd, and 6 program managers and subject matter experts from my team will be in the Security Cabanas. I can't make it down this year but I have reviewed...
  • What happened to IT journalism?

    Has anyone else read this article on "safecount.org" wanting to encourage people to not delete cookies? While I understand that the advertisers have a difficult task, it makes me crazy that sites such as TechWeb just take press releases and post them...
  • How do we fight spyware when no one can agree what it is?

    Ahh, the wonderful world of information security in the United States, where the threat of litigation can keep holes open and spyware active. eWeek has had a couple of articles this week on this topic. In The Chaotic World of Defining Spyware they discuss...
  • A National Database of Vulnerabilities

    NIST has opened up a National Vulnerability Database, also available as an XML feed. I love the fact that all of the available info will be in one place, although I do fear that it will re-open the "what's more secure" arguments that have been running...
  • Oh great -- now spyware is disguised as antispyware!

    This is classic -- you get infected with spyware that masquerades as antispyware. It pops up an alert that you're infected, and directs you to a web site to buy a licensed version of a disinfection program. InformationWeek called it "ransom-ware" and...
  • What is Spyware (again)

    More progress being made on the anti-spyware front: http://www.eweek.com/article2/0,1759,1788844,00.asp. Industry players are banding together to try and define this. I'm not sure that this is a good idea -- while I agree that the term "spyware" has...
  • New day, new blog

    I am switching from MSN Spaces to TechNet over the next couple of weeks. Until I get my old stuff migrated over, if you're interested you can see my old posts here.
  • First open O/S, now open BIOS?

    Sorry, I just can't get behind this: Battle brews over unlocking PC secrets . The PC industry has suffered for not having trusted mechanisms for identifying computers and locking down digital rights. I read the article and I still don't see Stallman's...