Barracuda Networks released its annual spam report, which shows that between 90 and 95 percent of all e-mail sent in 2007 is spam. This is based on an analysis of more than 1 billion daily e-mail messages sent to its more than 50,000 customers worldwide.
The above figures represent an increase from the estimated 85 to 90 percent of all e-mails being spam in 2006.
http://blogs.techrepublic.com.com/tech-news/?p=1756
Urs
Jeff Jones on his blog about the Internet Explorer and Firefox Vulnerability Analysis Report:
For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users as the browser interprets Web content and programs delivered from around the world.
Over the past few years, there has been much discussion of the need for improvements in browser security, but few hard data studies performed to support assertions concerning the security of available browsers.
This report documents the results of my analysis of Internet Explorer and Firefox vulnerabilities over the past few years since Internet Explorer 6 on Windows XP SP2 became available and Mozilla launched Firefox.
The report in detail examines vulnerabilities over the past 3 years, breaks them down by severity, looks at version-over-version trends for each browser and finally examines how each browser is doing in terms of unfixed vulnerabilities.
http://blogs.technet.com/security/archive/2007/11/30/download-internet-explorer-and-firefox-vulnerability-analysis.aspx
In addition, see also my previous blog: http://blogs.technet.com/ms_schweiz_security_blog/archive/2007/12/01/the-first-year-of-ie7.aspx
Consumers strongly prefer to buy from companies that have not suffered data leaks, losses or theft, according to a new survey conducted for Check Point Software Technologies Ltd. The Check Point & YouGov survey of over 2100 British consumers highlighted how consumers’ trust of a company and its brand was affected by leakage or theft of personal, confidential data. It also showed how important it is to consumers that companies secure and protect their personal data, such as credit card details, addresses and other sensitive records.
http://www.securitypark.co.uk/security_article260201.html
THE ASSOCIATED PRESS/WASHINGTON - U.S. businesses faced varied threats in 2007 - including cyberattacks in Europe, theft of intellectual property in Asia, natural disasters in Latin America, terrorism on many continents - according to a year-end analysis by the U.S. State Department's Overseas Security Advisory Council.
http://www.mytelus.com/money/news/article.do?pageID=ex_business/home&articleID=2844426
Yes, I know, another one of these posts... I'm not sure if this will be the last post of this year, but it's definitely a good moment to say thank you to all the readers, customers and colleagues and to wish you all the best! Looking back, this was a special year in many ways and my first year as the Chief Security Advisor for Microsoft Switzerland. In my new role, I have had the opportunity to do many new things, to do things differently and also to learn a lot. Again, thank you for the good time!
But, what is the new year bringing? There were a lot of studies about trends for 2008, upcoming and remaining opportunities (no, I didn't say problems) and only the future will show us which ones will be the true ones. However, I'm absolutely sure that security is and will be something that should stand at the top of our list of priorities. Yes, we still have to solve some remaining "old" stuff, but security will also help us to do our business better, to enable new businesses and flexibility in the way we do business.
And from the blog side? As this is the "Microsoft Switzerland Security Team Blog", I will re-motivate the members of the team to start to blog themselves. So, I do hope that you see many blogs with different signatures than "Urs". As usual, this is also the moment to request more feedback and comments from the readers. Statistically, I have learned that Swiss people do not write comments on blogs; show me that this is not true! And from the readers' geo map (ClustrMap), I know that there are not only Swiss readers... ;-) Did you know that this year the blog had more than 900'000 hits? Yes, that's amazing, you are amazing - the number almost doubled since last year! So let's break the 1M next year (or will that already happen in the remaining year?).
What else?
MERRY CHRISTMAS AND A HAPPY NEW YEAR! All the best wishes to you, your family and your friends.
MERRY CHRISTMAS AND A HAPPY NEW YEAR! Have a wonderful and peaceful holiday season, all the best, and "En guete Rutsch!" (a good start to the new year)
Updates are available, but users haven't installed them, says Secunia. One in five applications installed on Windows PCs are missing security patches, a Copenhagen-based vulnerability tracker has reported.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9054502&source=NLT_PM&nlid=8
Windows' built-in security capabilities offer endpoint alternative to NAP/NAC
Microsoft’s support of the IP Security (IPSec) standard was enhanced with the release of Windows Vista this year, and interest in the technology will likely grow with the introduction of Windows 2008. For smaller organizations, IPSec could prove to be a cheap alternative to other network access control (NAC) technologies, or a stepping stone to a full implementation of Microsoft's Network Access Protection (NAP) in large enterprises. Either way, it’s time for organizations to take a closer look at IPSec’s capabilities.
http://www.darkreading.com/document.asp?doc_id=141929
Security firm Sophos reported that 54% of wireless users interviewed have admitted to using someone else's wireless Internet access. In a report, done by the firm on behalf of The Times, many Wi-Fi users fail to properly secure their wireless connection with passwords and encryption, allowing passers-by and neighbors to steal their connection. The report also notes that many ISPs put a clause on service that wireless customers must encrypt their connections, but the report also notes that it would be very difficult to enforce this mandate.
http://www.wirelessweek.com/News-Survey-Wireless-Users-Steal-Wi-Fi.aspx
Well, what would you use to do your illegal stuff?! ;-)
The newest laptops are powerful, light, and thin enough to fit easily into the slenderest of carry-on baggage. This makes them a great accessory for flying or any other mode of travel, but also easier to lose or have stolen. It pays to be extra vigilant at airport security checkpoints where thieves know people can be flustered. You should also store your laptop in the seat in front of you, instead of in the overhead compartment when you fly.
But even if you're extra careful, it's still possible to lose your laptop. If you spend some time securing your laptop before you go on the road, you could help keep your personal or financial information from falling into the wrong hands.
http://www.microsoft.com/protect/yourself/mobile/laptop.mspx
And yes - BACKUP! How old is yours? I just hit the button... it was older than a week already! ;-)
And for the home PC: http://www.microsoft.com/athome/moredone/backupdata.mspx
This is part 3 in a series examining how Microsoft's security strategy has evolved over the past decade. Very interesting reading: http://www.news.com/The-next-generation-of-security-threats/2009-7349_3-6221150.html
Robert Hensing: "That's one thing I want you to take away from this: Applications are dangerous."
The FBI published a press release titled, "BOT ROAST II Cracking Down on Cyber Crime." This article highlights the positive new developments resulting from the FBI's investigations including three new indictments.
http://www.fbi.gov/page2/nov07/botnet112907.html
Following the announcement of Operation Bot Roast in June, eight individuals have been indicted, pled guilty or sentenced for crimes related to botnet activity. In addition, 13 search warrants were served in the U.S. and overseas. The FBI is assessing the extent of the damage, and it is anticipated that there are approximately $20.7 million in losses and more than one million victim computers.
Microsoft's emphasis on improvements to security features in Windows Vista may have undermined business adoption of the OS, as many business and enterprise customers are still holding off on upgrading to the OS nearly a year after its release to them. Microsoft spent a good deal of time and money to ensure Vista's security after Windows XP and applications running on it proved susceptible to devastating worms like Blaster, Slammer and MyDoom. Though Microsoft released Windows XP Service Pack 2 to remedy some vulnerabilities, the company decided that security would be a top priority for the next major Windows release, said George Stathakopoulos, general manager of Microsoft's Response and Product Centers.
http://www.pcworld.com/businesscenter/article/139893/did_microsofts_security_focus_hurt_vista_adoption.html
IT Security Essential Body of Knowledge (EBK)
A Competency and Functional Framework for IT Security Workforce Development
Overview: The IT Security EBK conceptualizes IT security skill requirements in a new way to address evolving IT security challenges. The EBK characterizes the IT security workforce and provides a national baseline representing the essential knowledge and skills that IT security practitioners should have to perform specific roles and responsibilities. As a single foundation linking competencies to security roles, the IT Security EBK will help ensure that we have the most qualified and appropriately trained IT security workforce possible.
http://www.us-cert.gov/ITSecurityEBK/
Malvertising (malicious advertising) is a reasonably fresh take on an online criminal methodology that appears focused on the installation of unwanted or outright malicious software through the use of internet advertising media networks, exchanges and other user supplied content publishing services common to the Social Networking space. The most popular Malvertising vector active "in the wild" is a result of the client rendering of Adobe Flash SWF files that contain maliciously coded Flash ActionScript.
http://isc.sans.org/diary.html?storyid=3727
I have already written about that, but now, Part 3 is available as well: http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part3.html
Group Policy related changes in Windows Server 2008: WindowsSecurity.com article from Jakob H. Heidelberg on GPO stuff in Windows Server 2008:
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part2.html
Ever since Microsoft released Windows 2000 way back when, the options for delegating certain tasks have been available. The concepts of delegation can be a bit confusing, but at its core, what delegation provides is essential to an efficient network. Without the use of delegations, you are stuck with only default groups that grant administrative privileges over certain tasks and objects. For example, without delegation over user and group accounts, a user must be placed in the Account Operators group to be given the ability to just manage users, groups, and computers in the domain. Of course, a user could also be placed in the Domain Admins or Enterprise Admins groups, but this would grant them far more privileges than just managing accounts. In a similar manner, placing users in the Account Operators group also grants them too many privileges, such as modifying not only user accounts, but all administrative accounts. Delegation solves this issue by allowing very granular delegations to objects and tasks throughout the enterprise.
http://www.windowsecurity.com/articles/Windows-Administrative-Delegation-Techniques.html
With the FBI's announcement of Operation Bot Roast II detailing the arrests of several bot-herders infecting computer systems on an International basis, it's become apparent that a lot of crime is going on with the click of a mouse. One of the more amazing revelations to come forward from Operation Bot Roast II was that a teenager was described in the media as a "cyber crime kingpin." Most of the people arrested were under 30. This led me to wonder if our young people are getting smarter, or cyber crime is getting a lot easier to commit? With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C)--attackers selling malicious code and stolen data to other criminal elements that profit from it.
Separate studies show many users understand rules, but they break them anyway. According to the RSA study, about 35 percent of workers routinely make a conscious decision to break enterprise security policy because they want to expedite their work or increase their own productivity. Such users may choose to export sensitive data to their personal devices or access the company network via a poorly-secured public wireless hotspot, Curry observes. "They're just trying to get their work done -- in their minds, the importance of the work outweighs the security concern," Curry says. "But the compromises that occur as a result can be just as damaging as if they didn't know the policy at all."
http://www.darkreading.com/document.asp?doc_id=141002&WT.svl=news1_2%20
Those entering online dating forums risk having more than their hearts stolen. A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums, according to security software firm PC Tools. Robot chatters are just one type of social-engineering attack that uses trickery rather than a software flaw to access victim's valuable information. Such attacks have been on the rise and are predicted to continue to grow.
http://www.news.com/8301-13860_3-9831133-56.html
The 2007 Microsoft Office suite Service Pack 1 delivers important customer-requested stability and performance improvements, while incorporating further enhancements to user security. This service pack also includes all of the updates released for the 2007 Office suite prior to December of 2007. You can get a more complete description of SP1, including a list of issues that were fixed, in the Microsoft Knowledge Base article 936982: Description of the 2007 Microsoft Office suite Service Pack 1.
Office 2007 SP1 Download: http://www.microsoft.com/downloads/details.aspx?FamilyId=9EC51594-992C-4165-A997-25DA01F388F5&displaylang=en
Microsoft has released the Microsoft Security Assessment Tool (MSAT) Version 3.5 on the Microsoft Download Center: http://www.microsoft.com/downloads/details.aspx?FamilyId=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
MSAT is targeted for small to mid-sized companies to help them discover areas of security risk in their IT infrastructure through three assessments with over 240 questions. From the detailed assessment reports, guidance and best practice is provided to help companies prioritize and mitigate identified security risks.
Public information on the tool is available through the Microsoft TechNet Security Center: http://www.microsoft.com/technet/security/tools/msat/default.mspx
Windows Vista Service Pack 1 (Generic Overview and entry point)
http://technet2.microsoft.com/WindowsVista/en/library/90a564b9-34af-4a6b-937f-324e1862244b1033.mspx?mfr=true
Some interesting topics out of the whole documentation:
Overview of Windows Vista Service Pack 1
When developing Windows Vista, Microsoft set out to provide higher levels of productivity, mobility, and security, with lower costs. After more than six months of broad availability and usage, it’s evident that these investments are improving the Windows computing experience.
In addition to regular Windows Vista updates, application compatibility improvements, and device driver improvements, Windows Vista Service Pack 1 (SP1) is another way Microsoft will deliver improvements to the Windows Vista customer experience.
The goal of Windows Vista SP1 is to address key feedback Microsoft has received from its customers without regressing application compatibility. Windows Vista SP1 will deliver improvements and enhancements to existing features that significantly impact customers, but it does not deliver substantial new operating system features. For example, the service pack improves the performance of the desktop shell, but it does not provide a new search user interface or a new version of Windows® Media Center.
http://technet2.microsoft.com/WindowsVista/en/library/90a564b9-34af-4a6b-937f-324e1862244b1033.mspx?mfr=true
Hotfixes and Security Updates included in Windows Vista Service Pack 1
Windows Vista Service Pack 1 includes all previously released updates for Windows Vista. Many of these updates are available to the public on the Microsoft Download Center and Windows Update, while others are only available to specific customers or partners. It is standard practice to include all of these updates in a Service Pack and as such they are included in Windows Vista SP1.
http://technet2.microsoft.com/WindowsVista/en/library/90a564b9-34af-4a6b-937f-324e1862244b1033.mspx?mfr=true
Notable Changes in Windows Vista Service Pack 1
Microsoft continuously improves the Windows Vista Operating System by providing ongoing updates while working with software and hardware vendors to help them to deliver improved compatibility, reliability and performance. These updates are provided to customers directly by our hardware and software partners, as well as from Microsoft in the form of hotfixes distributed on a regular basis using Windows Update. Updates to Windows are also delivered directly to some affected customers and preinstalled by PC manufacturers.
http://technet2.microsoft.com/WindowsVista/en/library/90a564b9-34af-4a6b-937f-324e1862244b1033.mspx?mfr=true
Reportable and multiple privacy breaches rising at alarming rate! Personally identifiable information of customers and employees is being exposed – frequently and repeatedly – potentially putting hundreds of thousands of individuals at risk and exposing organizations to increased liability, according to a new survey report by Deloitte & Touche LLP (Deloitte & Touche) and the Ponemon Institute LLC. In the survey, a shocking 85 percent of privacy and security professionals in North America acknowledge that a reportable data breach occurred within their organization in the last year.
More than 800 North American privacy and security professionals responded to the online survey by Deloitte & Touche and the Ponemon Institute LLC, which was conducted to better understand the emerging privacy function. The survey analyzes the roles, activities and time allocation preferences of these professionals, as well as their organizational status and relationships.
Among the survey’s key findings:
http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D182733%2C00.html
It’s been a little over a year since Microsoft released IE7 on Windows XP and for Windows Vista. According to internal Microsoft research based on data from Visual Sciences Corporation, over 300 million users are experiencing the web with IE7. This makes IE7 the second most popular browser after IE6. IE7 is already #1 in the US and UK, and we expect IE7 to surpass IE6 worldwide shortly.
Perhaps more important than the overall numbers is the positive impact IE7 has made for the users. As you know, we focused a lot on improving security in IE7. We believe IE 7 is the safest Microsoft browser released to date. According to a vulnerability report published today, IE7 has fewer vulnerabilities than previous versions of IE over the same time period. What’s more, the report showed that IE7 had both fewer fixed and unfixed vulnerabilities in the first year than the other browsers we compared.
In addition to having fewer vulnerabilities, as we previously mentioned, IE 7’s Phishing Filter stops more than 900,000 phishing attempts per week, stopping crimes-in-progress before users give up their personal information. On top of that, more sites are adopting Extended Validation Certificates as a way to help protect their users from fraud, and people are noticing. A recent USA Today article noted that “for the ultimate peace of mind, look for the address bar to turn green in IE7” in the context of securely connecting with your broker.
Finally, we’ve seen a decrease of 10-20% in the support call volume for IE compared with a year ago, before the release of IE7. This is typically a sign that the product is more stable and has fewer issues than the previous release.
http://blogs.msdn.com/ie/archive/2007/11/30/the-first-year-of-ie7.aspx
Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability.
We have published new information as well as mitigation factors: http://www.microsoft.com/technet/security/advisory/945713.mspx
See also the MSRC blog entry: http://blogs.technet.com/msrc/
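To check whether a given domain layout falls into the at-risk group described above, the following added example (not from the advisory or from Microsoft) lists the WPAD names a client can end up asking for and flags those outside the domains the organization controls. It assumes a simplified model in which the client drops the leftmost label of its primary DNS suffix until two labels remain; the function names and the `owned_domains` input are hypothetical.

```python
"""Audit WPAD lookup names produced by DNS suffix devolution (simplified model)."""


def wpad_candidates(primary_dns_suffix, min_labels=2):
    """Return the WPAD host names tried for a non-FQDN 'wpad' lookup.

    Assumption: devolution strips the leftmost label of the primary DNS
    suffix one step at a time and stops once min_labels labels remain.
    """
    labels = [p for p in primary_dns_suffix.strip(".").lower().split(".") if p]
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def audit(primary_dns_suffix, owned_domains):
    """Pair each candidate name with True if it sits inside an owned domain."""
    owned = {d.strip(".").lower() for d in owned_domains}
    results = []
    for name in wpad_candidates(primary_dns_suffix):
        parent = name.split(".", 1)[1]  # the zone that would answer for 'wpad'
        inside = any(parent == d or parent.endswith("." + d) for d in owned)
        results.append((name, inside))
    return results


def exposed_names(primary_dns_suffix, owned_domains):
    """Candidate names that resolve in a zone the organization does not control."""
    return [n for n, inside in audit(primary_dns_suffix, owned_domains) if not inside]


if __name__ == "__main__":
    # Constructed inputs: the advisory's example domain plus a second-level one.
    for suffix, owned in [
        ("corp.contoso.co.us", ["contoso.co.us"]),
        ("corp.contoso.com", ["contoso.com"]),
    ]:
        print(suffix)
        for name, inside in audit(suffix, owned):
            print("  %-28s %s" % (name, "inside" if inside else "OUTSIDE owned domains"))
```

Any name reported as outside the owned domains is answered by a zone the organization does not administer, which is the condition the advisory's mitigating factors address.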