Microsoft Switzerland Security Blog

Security information brought to you by the Swiss Security Team.

September, 2005

  • A week in Redmond

    During the last week, I have been on the Microsoft Campus in Redmond. We had the Quarterly Meeting of the worldwide Chief Security Advisors. During those meetings we usually meet with the product groups to discuss your needs and our plans. Additionally we meet with Scott Charney (Head of Trustworthy Computing) and Mike Nash (Head of the Security Technology Unit). Those are the ones really driving our strategies and technologies around security.

    A lot of the discussions were internal, but what I can really tell you is that I am excited about all the progress we made in the area of security in our products as well as with the security products to come.

    This will actually be an exciting time from now on for the next 18 months. Watch out for the announcements to come.

    Roger

  • CISSP and (ISC)2

    We just finished our CBK (Common Body of Knowledge) seminar, a one-week training covering ten domains of security knowledge:

    • Access Control Systems and Methodology
    • Applications and Systems Development Security
    • Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
    • Cryptography
    • Law, Investigation and Ethics
    • Operations Security
    • Physical Security
    • Security Architecture and Models
    • Security Management Practices
    • Telecommunications and Network Security

    Well, that was very intense, but we've learnt a lot! Even after working in the security business for years, it's not possible to be an expert in every focus area.

    For more information on CBK, CISSP and (ISC)2, visit their website:
    https://www.isc2.org
    https://www.isc2.org/cgi-bin/content.cgi?category=97

    As the first credential accredited by ANSI to ISO Standard 17024:2003 in the field of information security, the Certified Information Systems Security Professional (CISSP®) certification provides information security professionals with not only an objective measure of competence but a globally recognized standard of achievement. The CISSP credential demonstrates competence in the 10 domains of the (ISC)² CISSP® CBK®.

    The CISSP credential is ideal for mid- and senior-level managers who are working toward or have already attained positions as CISOs, CSOs or Senior Security Engineers.

    Urs

  • Internet satellite imagery under fire over security

    Asian governments have expressed security concerns about easy access to detailed satellite images on the Internet, such as those used by rescuers in New Orleans, saying the technology could endanger sensitive sites.

    http://today.reuters.com/news...

    The one's fun, the other's pain...
    Urs

  • Organisations need a digital evidence plan

    Businesses could lose legal disputes and miss out on insurance claims because of their inability to collect and preserve computer and internet-based evidence, experts have warned.
    While firms are investing heavily in disaster recovery plans for low-probability events such as fire or terrorism, many are failing to identify and preserve important digital evidence required to tackle more frequent incidents, such as payment disputes, employment tribunals and fraud.

    http://www.vnunet.com/computing/news/2142618/organisations-digital-evidence

    Urs

  • Keyboard acoustic emanations attack

    [berkeley] We examine the problem of keyboard acoustic emanations. We present a novel attack taking as input a 10-minute sound recording of a user typing English text using a keyboard, and then recovering up to 96% of typed characters. There is no need for a labeled training recording. Moreover the recognizer bootstrapped this way can even recognize random text such as passwords: In our experiments, 90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts. Our attack uses the statistical constraints of the underlying content, English language, to reconstruct text from sound recordings without any labeled training data. The attack uses a combination of standard machine learning and speech recognition techniques, including cepstrum features.

    http://www.cs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/preprint.pdf

    Urs

  • Beyond "Blaster" - MSRPC Evasions

    With the advent of Windows XP Service Pack 2, which enhances Microsoft's RPC security immensely, we should start to see some relief from the manifold MSRPC holes that were ubiquitous over the last several years. However, new and obscure RPC services continue to be found and exploited, on both patched and unpatched machines.

    http://www.nfr.com/newsletter/June-05/BeyondBlaster.html

    Urs

  • Privacy: Google's power makes security officials nervous

    Google's power makes security officials nervous. Google has fast become the Internet search engine everyone clicks on to find out nearly anything about anyone, including financial, political and other presumably private data. But national security officials and others -- reportedly even Google CEO Eric Schmidt -- are getting a bit uncomfortable about Google's extraordinary reach. Schmidt was most unhappy when an Internet news reporter, writing about Google and privacy, used the search engine and quickly found and revealed Schmidt's home address!

    http://www.detnews.com/2005/technology/0509/25/A25-325993.htm

    Lord and master, hear my call! Ah, here comes the master! I have need of Thee! From the spirits that I called, Sir, deliver me!
    The Sorcerer's Apprentice - Johann Wolfgang Goethe

    ;-)

    Urs

  • Online Lecture - Ross Anderson: Information Hiding

    Over the last five years, techniques for hiding information have become a rapidly growing research topic. Its better-known aspects range from inserting imperceptible copyright marks in digital audio and video, through auctions and elections, to de-identifying medical records for use in research. As we explore these applications, it becomes clear that the traditional protection goals of `confidentiality, availability and integrity' are insufficient. In this talk, I will discuss the role of anonymity in computer security. Anonymity mechanisms allow us to construct networks and file systems that are resistant to selective denial of service attacks, or which let their owners plausibly deny their existence (thus providing some protection against coercion). They can help us to meet protection goals such as personal privacy, location security and plausible deniability.

    http://wean1.ulib.org/videoMain.asp?target=/Lectures/Distinguished Lectures/1999/03.0 Anderson/SLIDECENTRIC

    Urs

  • Microsoft acquired Alacris

    For quite some time we have been working with Alacris on PKI projects. Alacris' idNexus has always been a good and excellently integrated add-on delivering what we were missing in our PKI, e.g. a Registration Authority.

    Now, today we announced that we bought Alacris. This is, in my opinion, extremely good news for our customers.

    Roger

  • Shared Computer Toolkit

    Have you ever had the task of setting up a computer that is used by several "public" users? Like at schools, libraries, Internet cafés etc. Now we have the toolkit to do this - and it is pretty cool.

    We released it to the web today and it can be found here: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

    Roger

  • Is the Firefox honeymoon over?

    Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months!
    http://blogs.zdnet.com/Ou/index.php?p=103

    Urs

  • NSA granted Net location-tracking patent

    The National Security Agency has obtained a patent on a method of figuring out an Internet user's geographic location. Patent 6,947,978, granted Tuesday, describes a way to discover someone's physical location by comparing it to a "map" of Internet addresses with known locations.

    http://news.com.com/2100-7348_3-5875953.html

    Urs

  • Companies urged to change their password policies

    In today's security climate, passwords are apparently no longer enough to guarantee user authentication. We see a lot more topics around that area, and sometimes the conclusions are the opposite of each other.

    See also: http://news.zdnet.co.uk/internet/0,39020369,39218136,00.htm

    However, I cannot completely agree with the statement that if a user writes down his password, this is always a bad idea! What's the better way: a single, simple-to-remember password for all accounts, or multiple complex passwords, but written down somewhere (perhaps coded)? Doesn't it depend on where the attack comes from? Doesn't it depend on the risk of exposure of the written-down password? Of course, two-factor authentication is normally stronger than a username/password combination, but is it not possible to have strong AND usable passwords?

    Well, a good chance to hear or discuss such topics is to visit us at Security-Zone at the Password Session! Hope you will be there!
    http://www.security-zone.info/php/congresso/products.php?pos=30b01

    Security-Zone (Switzerland)
    http://www.security-zone.info/

    Urs

  • Psst... wanna know a secret? 20 Things They Don't Want You to Know

    Psssst! Wanna know a secret? How about a whole bunch of them? Insider tips will help you cut through hype when you shop, save money when you buy, and get the most out of products you already own.

    http://pcworld.com/howto/article/0,aid,122094,pg,1,00.asp

    Urs

  • IE7: Hashes to the anti-phishing server? Why not!

    [ptorr] Why not use hashes for the Anti-Phishing Filter? Several people have asked why Internet Explorer 7 will send "real" URLs instead of hashes to the AP (Anti-Phishing) server. That's a good question, and I know it's a good question because it's the same thing just about everybody at Microsoft (including me) says the first time they hear about the feature :-). Nevertheless, a fairly quick investigation into the issue shows that it buys very little in terms of privacy but comes at significant cost. First we need to figure out what threats are mitigated by sending hashes instead of URLs. Next we need to figure out what additional threats surface if we send hashes instead of URLs. Finally we determine which is "better" using some subjective measurement.

    http://blogs.msdn.com/ptorr/archive/2005/09/13/464376.aspx

    A very good article and reference about the new anti-phishing server feature of IE7!

    Urs
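    To make the trade-off in the linked article concrete, here is an added illustration (not code from the original post, from ptorr, or from IE7) of the two points it raises: a server that receives hashed URLs can recover any URL it can enumerate by a precomputed lookup, so the hash buys little privacy, while the same server can no longer match on the host or path of a URL it has not seen verbatim, so a fresh phishing page on a known-bad host slips through. All URLs, hosts and the blocklist below are constructed for the example; the hash-based design is a simplified stand-in for the scheme the article argues against.

```python
import hashlib
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample data (assumption, not from the original post or IE7):
# URLs the anti-phishing server already knows, e.g. from crawling or from
# earlier client reports. A real service would hold many millions of these.
KNOWN_URLS = [
    "http://bank.example/login",
    "http://bank.example/login?session=42",
    "http://phish.example/login",
    "http://shop.example/cart",
]

# Constructed blocklist keyed by host, as a filter that sees real URLs could use it.
BLOCKED_HOSTS = {"phish.example"}


def url_hash(url: str) -> str:
    """Hash a URL the way a 'send hashes instead of URLs' design would."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def build_reverse_table(urls: Iterable[str]) -> Dict[str, str]:
    """What the server can precompute from every URL it already knows about."""
    return {url_hash(u): u for u in urls}


def recover_url(hashed: str, table: Dict[str, str]) -> Optional[str]:
    """Inverting a URL hash is a dictionary lookup, not a cryptanalysis problem.
    Returns None only for URLs the server has never seen (or cannot guess)."""
    return table.get(hashed)


def check_url_plain(url: str) -> bool:
    """Host-level matching is possible when the server sees the real URL."""
    return urlsplit(url).hostname in BLOCKED_HOSTS


def check_url_hashed(hashed: str, blocked_url_hashes: Iterable[str]) -> bool:
    """With hashes, the server can only match a URL it has hashed verbatim."""
    return hashed in set(blocked_url_hashes)


def demo() -> dict:
    table = build_reverse_table(KNOWN_URLS)
    # Privacy: the 'hidden' URL is recovered as soon as it is in the server's corpus.
    recovered = recover_url(url_hash("http://bank.example/login?session=42"), table)
    # Coverage: a phishing page at a path the server has not seen, on a blocked host.
    new_page = "http://phish.example/verify?acct=7"
    blocked_hashes = {url_hash(u) for u in KNOWN_URLS if check_url_plain(u)}
    return {
        "recovered": recovered,
        "plain_blocks_new_page": check_url_plain(new_page),
        "hash_blocks_new_page": check_url_hashed(url_hash(new_page), blocked_hashes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The only URLs the hash does hide are those the server cannot enumerate, such as one carrying an unguessable token, and those are exactly the URLs the server could not have matched against a blocklist either, which is the "buys very little privacy, comes at significant cost" conclusion of the article in miniature.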

  • Welcome to the patterns & practices Security Wiki

    Welcome to the patterns & practices Security Wiki! This is where we put our latest thoughts and discoveries in application security. We are constantly talking to customers, industry experts, and security experts inside Microsoft to bring you the latest and greatest. Here you’ll find emerging practices, guidance for application scenarios, security engineering, threat modeling, technical guidance and more.
    Author: Microsoft patterns & practices security team.

    http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.HomePage

    That's, by the way, a good moment to link to the Patterns And Practices Security Guidance page on MSDN:
    http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.PatternsAndPracticesSecurityGuidanceOnMSDN

    Urs

  • SONIA Incident Training

    Urs seems to be so fast that I have no way of catching up with his blogging. Anyway, there is something I would like to give you some insight into.

    I assume that you know about MELANI (www.melani.admin.ch), the "Melde- und Analysestelle Informationssicherung" - basically the CERT of the Swiss Government. Whenever we have a broad incident in Switzerland that needs the involvement of the Swiss Federal Council (Bundesrat), SONIA (Sonderstab Information Assurance) will be mobilized. SONIA's goal is to be an information pool for the Federal Council, helping them to understand the situation and helping us to co-ordinate within the different sectors.

    Tuesday/Wednesday we had an incident simulation with companies running the critical infrastructure and different providers. These kinds of simulations help to get a clear and common understanding of the different needs and processes and help to improve them. Additionally they help to start building trust between the people who have to provide (sometimes highly confidential) information to this team and have to take joint decisions.

    In any case it was a great experience.

    Roger

  • Increase in Mobile Viruses

    Vendors Claim Mobile Viruses Worsening. Two vendors of mobile anti-virus products made separate claims this week that attacks on mobile devices are becoming more serious. F-Secure said earlier this week that the Commwarrior B virus has made its first appearance in devices used by a company. The vendor did not name the company that was struck, but claimed that "several dozens of employees" of the company received infected Bluetooth or MMS transmissions of the virus. Another vendor, Trend Micro, claimed there was a spike in Bluetooth-borne mobile viruses during July. It claimed that three new viruses and five new variants of existing ones appeared. One of the new viruses, SYMBOS_DOOMED, is particularly pernicious because it makes no change to the phone's display as it infects the device, according to Trend Micro.

    http://www.securitypipeline.com

    Urs

  • Ruthless Use of Katrina

    This will be a pretty low-blog week as Urs and I are attending a CISSP training...

    Nevertheless, one thing is happening over and over again: whenever people are hit by a catastrophe we see spam and fraud rise around it. How ruthless does somebody have to be to do something like that?

    One of the comments you find at SANS: http://isc.sans.org/diary.php?date=2005-09-04

    Roger

  • Court Rules Against Kazaa

    We have known for quite a long time that virus/trojan-infected files are often distributed via peer-to-peer networks such as Kazaa and that this poses severe security risks.

    Now, a court in Austria decided that its users are breaching copyright laws as well: http://today.reuters.com/news/newsArticle.aspx?type=internetNews&storyID=2005-09-05T152751Z_01_FOR523610_RTRIDST_0_NET-MUSIC-KAZAA-DC.XML

    Roger

  • A major Internet attack: 6 ways to survive

    Facing the difficult task of securing systems, experts offer their advice. Given the increasing importance of the data stored on agency computer networks, perhaps one of the most important chapters in Federal Computer Week's Survivors Guide is on securing those networks. We decided to go to the experts. FCW editors recently met with seven information technology security officials from government and industry to discuss what they are doing to help their agencies and customers secure their networks. Those experts said they are focused on the most cost-effective ways to protect government and business data.

    http://fcw.com/article90656-09-05-05-Print

    Urs