In this post from the ACE Team, they show how to generate a Security Code Review Checklist using the patterns & practices Guidance Explorer and Outlook 2007.
Checklist documents can be generated without Outlook 2007 by only using the Guidance Explorer client that is freely available for download here. I am just a big fan of looking for new ways to utilize familiar tools.
http://blogs.msdn.com/ace_team/archive/2008/01/15/generate-your-own-security-code-review-checklist-document-using-outlook-2007.aspx
Urs
In addition to my previous blog post: http://blogs.technet.com/ms_schweiz_security_blog/archive/2008/03/29/black-hat-who-patches-security-holes-faster-microsoft-or-apple.aspx
From IBM Internet Security Systems: http://blogs.iss.net/archive/AppleCrumble.html
The highlight of the day was the presentation given by Stefan Frei and Bernhard Tellenbach titled “0-day Patch – Exposing Vendors (In)Security Performance” covering their analysis of several years of vulnerability disclosures and patching processes from various vendors, and a detailed dissection of Apple’s and Microsoft’s performance.
In essence, with their “0-day Patch” metrics, they managed to show just how far Apple is trailing Microsoft in security patch responsiveness – in fact, after inspecting their graphs, Apple appears to be trending entirely in the wrong direction; more vulnerabilities, longer patching times, more 0-days, etc. – not the sort of thing we expect from a well known software vendor.
Not entirely unrelated to this: Gone in 2 minutes: Mac gets hacked first in contest
It may be the quickest $10,000 Charlie Miller ever earned. He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.
Security researchers are cooking up tactics for beating phishing fraudsters at their own game.
Phishers perennially set up fraudulent sites on servers they have compromised. But due to the sheer volume of sites that need to be set up to perform a successful phishing expedition, fraudsters tend to be sloppy.
This allows those fighting phishers to easily identify compromised servers, which are easy to gain access to since fraudsters have already done the grunt work.
Once inside a compromised server, security researchers are able to follow a phisher's trail to find out what information they have extracted on prospective marks.
http://www.theregister.co.uk/2008/03/19/anti-phishing/
Security portal Zone-H, which documents attacks on and defacements of Web pages, has compiled statistics about the attacks within the last year. Apparently, Linux servers were successfully defaced twice as often as Windows servers. Apache servers were defaced three times as often as Microsoft's IIS. Zone-H registered a total of just under 500,000 defacements in 2007.
Operating system attacks in 2007:
• Linux 306,076
• Windows 139,503
• FreeBSD 18,542
• Mac OS X 1,488
http://www.heise-online.co.uk/news/Linux-web-servers-broken-into-most-often--/110341
And why is that? It has nothing to do with which one is "better" than the other one! And yes, I know, it's not normalized, not in comparison to the absolute number of installations. But does it matter? This is not my point, but how often do I hear: I do not have to patch my systems, because they are not Windows! Malware and vulnerabilities are a problem of Windows systems only...
Software updates are a fact of life! Windows administrators had to learn that the hard way. However, from a criminal's perspective, in most cases, the operating system of the compromised system doesn't matter. But it's a lot easier to attack unpatched systems - it's about the low-hanging fruit!
The Anti-Phishing Working Group (APWG) has just released their Phishing Activity Trends Report for the month of December. Overall, the report showed a decrease in activity from the previous month; however, there were a few notable exceptions.
It appears the number of unique phishing sites has increased due to attacks on miscellaneous brands and government agencies. Specifically, the APWG has noticed an increase in tax-related phishing attempts including spoofed e-mails that appear to come from the Internal Revenue Service (IRS). As always, we encourage our clients to be wary of suspicious or unsolicited messages.
http://www.antiphishing.org/reports/apwg_report_dec_2007.pdf
We just made Internet Explorer 8 Beta 1 available. This could be important if you are developing web applications or just if you are curious! :-)
http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/Install.htm
See also:
http://channel9.msdn.com/showpost.aspx?postid=388331
http://www.on10.net/blogs/larry/First-Look-Internet-Explorer-8/
Apparently, software updates are getting so big these days that simply downloading them from a server is becoming prohibitively time consuming, especially when the same updates need to be applied to many different machines. A Dutch university has some 6,500 desktop PCs in ten locations, which on occasion need to download 3.5GB worth of different types of updates. That's a handsome 22.2TB in total. In a traditional client-server world, that's some modest lifting.
In fact, INHOLLAND University's IT department used to have almost two dozen servers distributed over the university's locations to serve up these downloads. The school was able to retire 20 of them after adopting a new way to distribute updates: BitTorrent.
http://arstechnica.com/news.ars/post/20080309-dropping-22tb-of-patches-on-6500-pcs-in-4-hours-bittorrent.html
Of course, Microsoft researchers are also working on the "perfect worm" - a piece of software that can distribute patches without the need for centralized servers while minimizing bandwidth.
http://blogs.ittoolbox.com/security/adventures/archives/microsoft-tries-to-create-the-perfect-worm-for-patch-distribution-22554
or
http://technology.newscientist.com/channel/tech/electronic-threats/dn13318-friendly-worms-could-spread-software-fixes.html
Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday.
Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate.
They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study.
What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.
"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."
It's generally good for vendors to have a software fix available when a vulnerability is disclosed, since hackers often try to find out where the problem is in order to write malicious software to hack a machine.
For a vendor to have a patch ready when the bug is detailed in public, it needs prior information from either its own security analysts or external ones. Otherwise the vendor has to hurry to create a patch, but that process can be lengthy, given the rigorous testing needed to ensure the patch does not conflict with other software.
Apple only started patching 0-day vulnerabilities in late 2003, Frei said.
"We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive," Frei said. "It looks like Microsoft had good relationships earlier with the security community."
Over the past few years, Microsoft has tried to cultivate a closer relationship with the security community in order to encourage researchers to give it a heads-up about software problems. Apple, however, doesn't appear to have that same sort of engagement yet, and, "based on our findings, this is hurting them," Frei said.
Curiously, both vendors' abilities to have 0-day patches ready at disclosure seemed to dip in the six months before a major product release. That trend was most pronounced in 2004 and 2005. Frei theorized that the buildup to big software releases took away software engineering resources.
Andrew Cushman, director of Microsoft's Security and Research, said he couldn't pinpoint what might cause that trend. But in 2004 and 2005, Microsoft had a rash of vulnerabilities pop up in its Office products that it did not get advance notice of, which may have contributed to a higher percentage of unpatched publicly disclosed bugs.
However, the study proved to be such a glowing affirmation of Microsoft's increased focus on security in the past few years that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"
"This is independent academic research," Frei replied...
See the full study: http://www.techzoom.net/papers/blackhat_0day_patch_2008.pdf
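The "0-day patch" metric from the study above (a fix available on the day a vulnerability becomes public) and the "unpatched at disclosure" count Frei refers to can be computed from any list of disclosure and patch dates. The following Python is an added example, not code from the study; the vulnerability records are constructed, and a missing patch date is treated as unpatched.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample records (vendor, disclosure date, patch date or None);
# illustrative only, not data from the Frei/Tellenbach study.
SAMPLE = [
    ("Apple", date(2004, 3, 1), date(2004, 3, 1)),
    ("Apple", date(2004, 8, 5), date(2004, 8, 12)),
    ("Apple", date(2005, 6, 10), date(2005, 7, 2)),
    ("Apple", date(2005, 9, 1), None),                  # no fix in the data
    ("Microsoft", date(2004, 2, 10), date(2004, 2, 10)),
    ("Microsoft", date(2005, 4, 12), date(2005, 4, 12)),
    ("Microsoft", date(2005, 8, 9), date(2005, 8, 23)),
    ("Microsoft", date(2005, 8, 9), date(2005, 8, 2)),  # fixed before disclosure
]
AS_OF = date(2006, 1, 1)  # end of the observation window for open issues

def is_zero_day_patch(disclosed, patched):
    """A 0-day patch means the fix was available on (or before) disclosure day.
    A record with no patch date counts as unpatched."""
    return patched is not None and patched <= disclosed

def days_exposed(disclosed, patched, as_of):
    """Days the public knew of the flaw without a fix; still open -> until as_of."""
    end = patched if patched is not None else as_of
    return max((end - disclosed).days, 0)

def zero_day_patch_stats(records, as_of):
    """Per (vendor, year): total disclosures, 0-day patch rate in percent,
    number unpatched at disclosure, and median days of exposure."""
    groups = defaultdict(list)
    for vendor, disclosed, patched in records:
        groups[(vendor, disclosed.year)].append((disclosed, patched))
    stats = {}
    for key, items in sorted(groups.items()):
        zero_day = sum(is_zero_day_patch(d, p) for d, p in items)
        exposure = [days_exposed(d, p, as_of) for d, p in items]
        stats[key] = {
            "total": len(items),
            "zero_day_rate": round(100.0 * zero_day / len(items), 1),
            "unpatched_at_disclosure": len(items) - zero_day,
            "median_days_exposed": median(exposure),
        }
    return stats

if __name__ == "__main__":
    for (vendor, year), s in zero_day_patch_stats(SAMPLE, AS_OF).items():
        print(f"{vendor} {year}: {s}")
```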
The commercial use of biometrics will become widespread in five years, but is not without security risks
The growing use of biometrics by businesses to identify individuals is insecure and in need of serious attention, according to one IT systems company.
Fujitsu Siemens said that biometrics are being used to identify individuals in the business world, which makes it possible to find out whether they are the true holder of the identity they are presenting.
http://www.itpro.co.uk/news/178899/business-biometrics-raises-id-theft-risk.html
If you travel across national borders, it's time to customs-proof your laptop.
Customs officials have been stepping up electronic searches of laptops at the border, where travelers enjoy little privacy and have no legal grounds to object. Laptops and other electronic devices can be seized without reason, their contents copied, and the hardware returned hours or even weeks later.
http://www.news.com/8301-13578_3-9892897-38.html?tag=nefd.lede
"Across the globe, Windows Internet Explorer 7 has more than 100 million users seeing green," VeriSign said in a press release about Extended Validation SSL technology earlier this month. About 5,000 sites are using the new technology, which gives users a "green bar" in their browsers when they prepare to click on a legitimate link. (See Nearly 5,000 Sites Now Using EV SSL.)
There's just one problem, according to a report issued yesterday: About 70 percent of consumers either don't use the green bar or don't know what they're looking at.
http://www.darkreading.com/document.asp?doc_id=147140&WT.svl=news1_3
At a closed-door security summit hosted on Yahoo’s Sunnyvale campus last week, a researcher demonstrated a new technique to more easily identify phishing and other malicious Websites.
Dan Hubbard, vice president of security research for Websense, showed a tool Websense researchers have built that detects domains that were automatically registered by machines rather than humans -- a method increasingly being used by the bad guys, he says. “[Automation] is being used more and more,” Hubbard says.
http://www.darkreading.com/document.asp?doc_id=147581&WT.svl=news1_2
The start-up's rootkit detection technology will be added into Microsoft's Windows Live OneCare and Forefront security products.
http://www.news.com/8301-13860_3-9899808-56.html?part=rss&subj=news&tag=2547-1_3-0-5
A majority of government IT organizations say identity management is very important to securing their networks and will become even more so over the next five years, but that funding to keep pace is a major impediment to growth.
The respondents also said they think identity management is relevant to national security, critical public infrastructure, and personal security; and given the gravity of those issues, that personal privacy could suffer. (Learn more in our Identity Management Buyer’s Guide.)
http://www.networkworld.com/news/2008/030308-identity-management-critical-for-security.html
Microsoft Corp. hopes to beef up online privacy with the acquisition of the U-Prove technology, the company announced on Thursday.
U-Prove was developed by Stefan Brands at Credentica Inc. to allow Internet users to disclose only the minimum amount of personal information when conducting electronic transactions as a way to reduce the likelihood of privacy violations. U-Prove also employs cryptography to prevent systems from pulling together information about users from various sources.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9067042&taxonomyId=16&source=NLT_NET&nlid=27
These are really interesting solutions, especially with the integration/combination of Windows CardSpace!
From Roger's blog posts:
http://blogs.technet.com/rhalbheer/archive/2008/03/19/sun-and-apple-update-a-sheer-nuisance.aspx
http://blogs.technet.com/rhalbheer/archive/2008/03/25/sun-and-apple-updates-a-sheer-nuisance-part-2.aspx
Well, a little bit in the same direction as my previous post: http://blogs.technet.com/ms_schweiz_security_blog/archive/2008/03/26/linux-web-servers-broken-into-most-often.aspx
Bruce Schneier: "Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.
I replied: "What's really interesting is that these people will send a tube of live ants to anyone you tell them to."
Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice.
They just can't help it.
SmartWater is a liquid with a unique identifier linked to a particular owner. "The idea is for me to paint this stuff on my valuables as proof of ownership," I wrote when I first learned about the idea. "I think a better idea would be for me to paint it on your valuables, and then call the police."
Really, we can't help it."
http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320
;-) Yes, but... ;-)
Blog Posting from Neil Carpenter: "A number of people are reporting that 10K+ Web sites have been hacked via a SQL injection attack that injected a link to a malicious .js file into text fields in their database.
Since the CSS Security team here at Microsoft worked with several of these incidents, I was able to look at multiple sets of data and the work that my colleagues had already done. The first thing I noticed was that the attacks looked, with a few exceptions, identical."
http://blogs.technet.com/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx
See also: XSS Detect Beta Code Analysis Tool, Microsoft Anti-Cross Site Scripting Library V1.5
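The incident above left a link to an external .js file in text fields throughout the affected databases, so the first defender task is to find every text column that carries such a reference. The following Python is an added example (not Neil Carpenter's or Microsoft's code): it enumerates text-typed columns from the catalog, reports each cell holding an external script tag, and strips the tag; the database, tables and hostname are constructed, and on SQL Server the catalog query would use information_schema.columns instead of the SQLite PRAGMA.

```python
import re
import sqlite3

# Constructed sample: an external script reference of the kind the post
# describes. Placeholder hostname, not a real indicator.
INJECTED = '<script src="http://malicious-js.example/x.js"></script>'
SCRIPT_TAG_RE = re.compile(r"<script[^>]*\bsrc\s*=[^>]*>\s*</script\s*>", re.IGNORECASE)

def build_sample_db():
    """In-memory database with two tables; row 2 of each carries the injected tag."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT, price REAL)")
    cur.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    cur.executemany("INSERT INTO products (name, descr, price) VALUES (?, ?, ?)",
                    [("Widget", "A plain widget", 9.99),
                     ("Gadget" + INJECTED, "Shiny" + INJECTED, 19.99)])
    cur.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                    [("Welcome", "Hello world"),
                     ("Notice", "Maintenance tonight" + INJECTED)])
    conn.commit()
    return conn

def text_columns(conn):
    """List (table, column) for every text-typed column, read from the catalog."""
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    cols = []
    for table in tables:
        for _cid, name, ctype, *_rest in cur.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                cols.append((table, name))
    return cols

def find_injected_rows(conn):
    """Return [(table, column, rowid)] for each text cell holding an external
    <script src=...> tag. Identifiers come from the catalog, never from user input."""
    hits = []
    cur = conn.cursor()
    for table, col in text_columns(conn):
        for rowid, value in cur.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
            if isinstance(value, str) and SCRIPT_TAG_RE.search(value):
                hits.append((table, col, rowid))
    return hits

def strip_injected_tags(conn):
    """Remove the injected tags in place (run on a copy, after preserving the
    evidence) and return the number of cells cleaned."""
    cur = conn.cursor()
    cleaned = 0
    for table, col, rowid in find_injected_rows(conn):
        (value,) = cur.execute(f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
        cur.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                    (SCRIPT_TAG_RE.sub("", value), rowid))
        cleaned += 1
    conn.commit()
    return cleaned

if __name__ == "__main__":
    db = build_sample_db()
    print(find_injected_rows(db))
    print(strip_injected_tags(db), "cells cleaned")
```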
Cisco has taken a leaf out of Microsoft's book by adopting a regular patch release cycle. However, the change will apply only to security bugs involving its core IOS software and not all its products.
Starting on 26 March, Cisco will release bundles of IOS security advisories on the fourth Wednesday of March and September in each calendar year.
http://www.theregister.co.uk/2008/03/06/cisco_patch_cycle/
:-)
Spyware authors are offering financial rewards to botnet operators and other cyber-criminals who covertly install their spyware, security experts warned today.
http://www.vnunet.com/vnunet/news/2212403/spyware-authors-offer-dollars
While some investigations rely on highly trained professionals using expensive tools and complex techniques, there are easier, cheaper methods you can use for basic investigation and analysis. In this article, we will focus on computer forensic techniques that are readily accessible to you as a mainstream administrator.
http://download.microsoft.com/documents/uk/technet/downloads/technetmagazine/CompForensicsUKdesFIN2.pdf
New Book: The New School of Information Security by Adam Shostack and Andrew Stewart
About the Author: Adam Shostack is part of Microsoft’s Security Development Lifecycle strategy team, where he is responsible for security design analysis techniques.
“It is about time that a book like The New School came along. The age of security as pure technology is long past, and modern practitioners need to understand the social and cognitive aspects of security if they are to be successful. Shostack and Stewart teach readers exactly what they need to know--I just wish I could have had it when I first started out.”--David Mortman, CSO-in-Residence Echelon One, former CSO Siebel Systems
Book Description: Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.
The rise of PCs, graphical user interfaces, the Internet, and Web 2.0 technologies have obviously had major impacts on the IT industry, but according to Microsoft (NSDQ:MSFT) CEO Steve Ballmer, the computing revolution that's about to take place will tie up all the loose ends from previous ones.
In a keynote speech Monday evening at the CeBIT trade show, Ballmer identified five trends that Microsoft sees as key drivers of future computing efficiency. For starters, hardware advances are not only putting more processing power in the hands of more users, they're also enabling more functionality to be added to smaller devices, said Ballmer.
http://www.crn.com/software/206901374
Researchers from a German university have developed a model to predict programming errors in applications.
The method has the potential to save software companies money by allowing them to isolate parts of their code that need more rigorous testing, said Kim Herzig, a researcher at the Universität des Saarlandes in Saarbrücken, who wrote his master's thesis on the project.
"We try to find which aspects of code correlate to defects in the past," Herzig said.
http://www.infoworld.com/article/08/03/06/Model-predicts-chance-of-software-flaws_1.html?source=NLC-APPDEV&cgd=2008-03-06