In my last post, I briefly touched on different features of Windows Vista which I think are important with regards to the Windows XP vs. Windows Vista discussion. Let’s take a different approach now: I recently was on a panel in Eastern Europe where I was asked which model generates more secure software: shared source (like ours) or open source. I asked back whether they could define “more secure” for me. It turned out that we were talking about vulnerabilities.
Let’s look at some statistics now and let’s start with vulnerabilities:
In Jeff Jones’ Desktop OS Vulnerability Report we published vulnerability figures across desktop OS vendors, and it turns out that this view alone already gives you a reason to migrate to Windows Vista:
But this is the view on an industry problem, giving us confidence that our Security Development Lifecycle works. How does the comparison between Windows XP and Windows Vista look? He has a really interesting chart in there:
If we compare Windows XP and Windows Vista, we see different things:
So, this picture shows very well that defense in depth in Windows Vista (with technologies like ASLR, DEP, UAC etc.) actually pays off.
Another view on this is the attack/malware side. In our Security Intelligence Report v5 we talk about browser-based exploits and which software the criminals attack on Windows XP and Windows Vista. If you look at the XP picture you see the following:
With regards to browser-based exploits on Windows XP, Microsoft software was attacked 58% of the time and third-party software 42%. This changes drastically on Windows Vista:
Here the share of our software drops to 6%!
In the Security Intelligence Report we have some other figures as well (like the malware infection rate on the different OS versions), but I want to leave it at that.
We once discussed an interesting question in our community: If we could give our customers just one piece of advice, what would it be? I think it would be to stay on the latest versions of all your software. The reason is not license fees or anything like that. The reason is that this is the only way to cope with the changing threat landscape!
Roger
At the moment I am travelling through the Gulf to launch the Security Intelligence Report v5 with local data. During one of the discussions today, a question was raised which I have been thinking about for quite a while (but, honestly, do not have an answer to yet): How do you manage the risks in your supply chain? I am not talking about the risk of a supplier not delivering on time. I am talking about the trustworthiness of your hardware and software vendors. Different things happened recently that raised this question. Let me just pick two of them to illustrate what I mean:
I guess if we thought about it in depth, there would be quite a few additional areas you would come up with. One of the questions you will definitely put into the comments is: How can we be sure Microsoft does not build in backdoors either? At least here I can give you an answer: We have a shared source program where governments around the world can look at our source code, and they do, and governments like Russia certify our products as backdoor free.
But I am more interested to hear whether you manage these risks, and how.
Well, you saw my post earlier this week on the 1.96% of PCs being up to date according to Secunia. As time allowed, I decided to install the tool as well and have a look. I did an initial scan on my home PC and this was the outcome:
Ouch, this hurts my soul but shows the problem as well: I definitely have all our own software updated, and for most of the solutions above I have automatic updates switched on (except Apple, where I switched it off when they wanted to install Safari as an update :()
But honestly, the tool is pretty cool. If you switch to advanced mode, you even get pretty detailed information:
So, this really makes me think. This is a PC which I really look after and keep updated. Nevertheless I seem to have failed.
This shows me the fundamental problem: If I am not able to keep it up to date, how shall my Mom and Dad? The Secunia Personal Software Inspector helps a little bit, but I am not sure whether my parents are able to handle it. So, what we are basically missing is a central point and mechanism to distribute security updates for all software. But who controls this channel? Who ensures that no criminal can get access to it? That no viruses are distributed through it?
Still a long way to go…
P.S.: Do not even try to attack my PC based on these vulns. They are closed in the meantime.
You might have seen several reports that MS09-008 does not protect you from the vulnerabilities it addresses. We reviewed these claims: customers who have deployed MS09-008 are protected from the four vulnerabilities.
If you want the details, consult our Security Research & Defense Blog, where we posted MS09-008: DNS and WINS Server Security Update in More Detail, as the problem is somewhat more complex than just “yes/no”.
I was recently caught in a tricky problem: The clock of one of my host servers ran out of sync, significantly. The visible symptom was that my Media Center (which is domain integrated) started to record about 6-8 minutes too late, but this is not the reason why I post.
The actual reason was how I tried to resolve this: My DCs are virtualized, one on a Hyper-V server and one on a Virtual Server. As both have the corresponding integration components installed, by default the guest synchronizes its time with the host. If the host clock is not accurate anymore, the error is transferred to the guest (which is a DC and which then synchronizes this across the whole infrastructure). As this happens slowly, I did not realize it until my Media Center did not capture the whole news anymore…
Now I checked the time server settings of my DC: it synchronizes its clock with time.windows.com and outbound NTP is allowed for the DC, therefore the synchronization is successful and resets the clock to the right time. Then the Hyper-V Integration Services kick in and set the clock back to the time of the host (which is wrong), and the wrong time is again synchronized across the network. (I hope this was now confusing enough.)
What I did now, and what I would suggest you do (at least with the knowledge I have today), is disabling the time synchronization between host and guest at least for DCs, as they update their time from the time server as described above. Since then, my time is correct again.
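As an added example (not from the original post, which predates the Hyper-V PowerShell module), this is what the fix described above looks like when typed into PowerShell instead of clicked through the VM settings. The host part assumes the Hyper-V module that ships with Windows Server 2012 and later and a guest named DC01; both are assumptions. The last two commands are the checks worth running afterwards: the DC must report the NTP peer as its time source, not the VM IC provider or the local CMOS clock, and the offset to the peer should be far below the 5 minutes Kerberos tolerates by default, because a clock fight like the one above otherwise produces authentication failures, not just late recordings.

```powershell
# Added example, not code from the original post. Assumes the Hyper-V
# PowerShell module (Windows Server 2012 or later) on the host and a DC
# guest named 'DC01'; both are assumptions.

# --- 1. On the Hyper-V host: stop handing the host clock to the DC guest ---
$vm = 'DC01'
Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization' |
    Format-Table Name, Enabled -AutoSize
Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'

# --- 2. Inside the DC guest: belt and braces, switch off the VM IC time
#        provider that W32Time would otherwise prefer over NTP ---
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
Set-ItemProperty -Path $vmic -Name Enabled -Value 0 -Type DWord

# --- 3. Inside the DC guest: take time from an external NTP source (0x8 =
#        client mode) and advertise this DC as a reliable time source ---
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# --- 4. Checks ---
# The source must be the NTP peer, not 'VM IC Time Synchronization Provider'
# and not 'Local CMOS Clock'.
w32tm /query /source
w32tm /query /status

# Offset to the peer in seconds; Kerberos rejects tickets once clocks differ
# by more than 300 s (default MaxClockSkew), so this is the number to watch.
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly
```

Whatever you do on the guests, the host clock itself should be synchronized to a reliable source as well, because the drift in this story started on the host and every guest that still syncs from it inherits the error.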
P.S. As you know, I am Swiss. And one of the worst things which could happen to a Swiss is an incorrect watch.
It has nothing to do with security – I know but it is very, very, very cool!!!!
We just released the new Bing Maps explorer! The first thing you will see is that we integrated Photosynth and Silverlight. So, no more tiles when loading a map; it just comes in smoothly. And zooming in to photos is now possible as well; it rocks. But that’s just the start.
Remember the days where you tried to figure out which map version (Road, Aerial, Bird’s Eye) fits best based on the data which is available? Well, if you live outside the US, you know what I am talking about… That time is definitely over. Bing Maps automatically takes care of this “problem”, and it really works:
That’s the maps. But there is a cool API you can use to build integrated applications on top of Bing Maps. These are the ones available for the Redmond Campus location:
So, using Current Traffic now brings me to the well-known traffic map (in Silverlight, of course):
And now you know the feeling. All these things work great if you are in the US… But as soon as you are outside, the data is missing? Wrong again. Let’s take Today’s Front Pages as an example. I was in Zagreb last week, so let’s see what we find there:
The front page of a local newspaper. And as this is an extensible platform, there is nothing which prohibits you from writing an additional add-in.
BTW: Did I tell you already that I think this new Bing Maps is really, really cool?
Sometimes I wonder whether I am too paranoid. I just got a call, which went like this:
She did not even say goodbye
Am I too paranoid with such things? This is my data, and I was fairly surprised that she was unable (or unwilling) to answer the questions.
I really love reading Kim Cameron’s Identity Weblog. Fairly often it is thought-provoking…
He recently wrote about his experience with the new iPhone privacy policy: Apple giving out your iPhone fingerprints and location. He was one (probably of the very few) who actually read the privacy policy, and he found the following statement:
Collection and Use of Non-Personal Information
We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
So, basically this says that they might collect everything from you, link it to your device identifier and do whatever they want with it. This is called a “Privacy” policy.
What strikes me is that a lot of people do not really see the challenges and risks behind this, as this story shows: Non-Personal Information - like where you live?. If I know your device ID and have access to the location data of your device, how hard is it to find out who you are? Not really hard. You will be in certain locations more often than in others. In my case you could at least narrow it down to the four people living in the same household.
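As an added example (my own illustration, not code from Kim Cameron’s post and nothing Apple publishes), the PowerShell below performs the inference described above over a handful of constructed records holding exactly the fields the policy calls “non-personal”: device identifier, time and location. The most frequent night-time cell is where the device sleeps, the most frequent working-hours cell is where its owner works. Device IDs, coordinates and timestamps are invented for the illustration.

```powershell
# Added example, not from the original post or from Apple. The records are
# constructed; device IDs, coordinates and times are invented.
$records = @(
    # Device 'A1B2': three nights at one address, two working days at another
    [pscustomobject]@{ Id = 'A1B2'; Time = [datetime]'2010-06-21 23:10'; Lat = 47.3769; Lon = 8.5417 },
    [pscustomobject]@{ Id = 'A1B2'; Time = [datetime]'2010-06-22 02:40'; Lat = 47.3771; Lon = 8.5419 },
    [pscustomobject]@{ Id = 'A1B2'; Time = [datetime]'2010-06-22 09:05'; Lat = 47.3667; Lon = 8.5500 },
    [pscustomobject]@{ Id = 'A1B2'; Time = [datetime]'2010-06-22 12:30'; Lat = 47.3801; Lon = 8.5340 },  # lunch, noise
    [pscustomobject]@{ Id = 'A1B2'; Time = [datetime]'2010-06-22 15:20'; Lat = 47.3668; Lon = 8.5502 },
    [pscustomobject]@{ Id = 'A1B2'; Time = [datetime]'2010-06-23 00:15'; Lat = 47.3768; Lon = 8.5416 },
    [pscustomobject]@{ Id = 'A1B2'; Time = [datetime]'2010-06-23 10:45'; Lat = 47.3666; Lon = 8.5499 },
    # Device 'C3D4': only night-time samples, so no work location can be derived
    [pscustomobject]@{ Id = 'C3D4'; Time = [datetime]'2010-06-22 01:00'; Lat = 46.9480; Lon = 7.4474 },
    [pscustomobject]@{ Id = 'C3D4'; Time = [datetime]'2010-06-23 03:30'; Lat = 46.9481; Lon = 7.4472 }
)

function Get-TopCell {
    # Most frequent ~100 m cell (coordinates rounded to 3 decimals) among the
    # points. In a city that is one building or a handful of households.
    param([object[]]$Points)
    if (-not $Points) { return $null }
    $Points |
        Group-Object { "$([math]::Round($_.Lat, 3)),$([math]::Round($_.Lon, 3))" } |
        Sort-Object Count -Descending |
        Select-Object -First 1
}

function Get-DeviceAnchors {
    # For every device ID: where it sleeps (22:00-06:00) and where it spends
    # working hours (09:00-17:00), with the number of samples supporting each.
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($group in $Records | Group-Object Id) {
        $night = Get-TopCell ($group.Group | Where-Object { $_.Time.Hour -ge 22 -or $_.Time.Hour -lt 6 })
        $day   = Get-TopCell ($group.Group | Where-Object { $_.Time.Hour -ge 9 -and $_.Time.Hour -lt 17 })
        [pscustomobject]@{
            Id       = $group.Name
            Home     = $night.Name
            HomeHits = $night.Count
            Work     = $day.Name
            WorkHits = $day.Count
        }
    }
}

Get-DeviceAnchors -Records $records | Format-Table -AutoSize
```

For A1B2 the output is a night-time cell of 47.377,8.542 (3 hits) and a working-hours cell of 47.367,8.55 (3 hits); the lunch sample is outvoted. Two street addresses are all it takes to turn a “non-personal” identifier into a name, which is exactly the point made above, and the same grouping runs unchanged over any export of such records, however large.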
So, there is no such thing as “not being able to link a device ID to a person”. This is simply the price we seem to be willing to pay for our constant eagerness to get the coolest app and the best service. Does the consumer really care about privacy when he/she has to balance privacy vs. functionality? Unfortunately I think less and less…
If you look at current discussions between cloud providers and customers, I see it too often that the customer leaves with the impression that the Cloud fixes all their problems. In fact, it does not. Too often I see the Cloud provider telling the customer that they should not care about security anymore, the provider will do it for them. That’s only part of the truth.
In order to shed some light on this discussion, Doug Cavit (a Principal Security Strategist at Microsoft) and I published a paper a few months ago called Cloud Security Considerations, addressing the key areas to consider when moving to the Cloud. I have used this approach very often when talking to customers, regulators and government elites. It works extremely well and seems to cover the story end to end.
Now, Doug stayed busy. He just published, together with Javier Salido (a program manager in Trustworthy Computing), a paper called A Guide to Data Governance for Privacy, Confidentiality, and Compliance - Part 5: Moving to Cloud Computing. Behind this long title there is actually a lot of good content which complements the paper mentioned above.
If you know what the Cloud is, you can skip the pages following the summary. When I talk to customers, I always tell them that there are a few fundamental things which need to be in place when you consider the Cloud: Compliance and Risk Management, Identity Management, and Data Classification. Fairly early in the paper, Doug and Javier draw the conclusion:
Organizations should implement a data classification policy and procedures for deciding which data is ready for the cloud, under which circumstances, and using which controls.
Usually people smile when I tell them this. And at the same time, we all know that the policy is in place but it is often not really implemented, nor is the user given the technologies to implement it easily. From a technology perspective, I love Rights Management Services and especially its implementation in Office called Information Rights Management. The corresponding templates help to attach the right classification and protect the document with just a few clicks.
However, this is often an awareness and process problem, much more than a technology one! But back to the paper. When it comes to responsibilities, the paper is fairly clear:
Delegation does not discharge the organization from managing risk and compliance, or from having to prove compliance to the appropriate authorities.
I could not agree more! You have to manage your data. It is your data, even if you move to the Cloud! Therefore:
Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency on the part of the cloud service provider.
Make sure you have the team in place and then ask your Cloud provider (make sure you follow this sequence).
There is a lot of additional content in there to consider. But then they move on to recommending what you can do, or as they call it: Elements to Consider When Moving to the Cloud:
And finally, they put the Cloud-related issues into the context of the Data Governance for Privacy, Confidentiality, and Compliance framework, which gives you real hands-on tools and techniques to make it happen.
From my point of view, this is a really good paper, where you can take the parts you need at the moment, be it a high-level understanding of the problem space or more hands-on tools. Is it simple? No, not really, as the problem by itself is complex, but it helps you understand much better how to approach it.
In Off to See the World I told you that we are growing the Chief Security Advisor Community and then I updated you on the UK and Sweden.
Now it is time to update you again. Just before the summer vacation, we were able to hire the Chief Security Advisor for South Africa, Khomotso Kganyago. Khomotso has already started and I am looking forward to a week of customer meetings with him soon in Johannesburg and Pretoria.
And last but definitely not least, we were able to fill the first of the three time-zone positions: Monika Josi will join us from Novartis for the EMEA Chief Security Advisor position starting January 1st. This is the third time in our careers that we will be working together and I am definitely looking forward to working with Monika again, as she will be a great addition to our team.
I guess you still remember the discussions a while ago when it was made public that notebooks can be searched without suspicion when you cross the border into the US. Actually, the truth is that this can happen everywhere, as far as I understand. To be clear: I am not a lawyer, I am an engineer. However, when I discussed this with a lawyer, he explained to me that anything I carry with me when I cross a border can be searched, something we got used to, no? The notebook is just part of the “anything” in the statement above.
So, the nervousness is really about the customs officer keeping a notebook and getting access to the data, which is scary. But again, is this any different from carrying paper across the border, except for the sheer volume? If you carry confidential documents across any country’s border, the customs officer can search you and have a look at your paper.
So far so good, but it seems that some customs officers took their time when they actually wanted to search a notebook, from a few months up to a year. They simply kept it. Now a court in the US ruled that this is illegal: Judge limits DHS laptop border searches
So, while the search at entry is still acceptable for the reasons above, the confiscation of a computer for a longer period of time seems to be illegal. It will be interesting to see how this develops.
You know that we have had Tablet PCs since Windows XP, and I think I have not had many PCs at Microsoft which were not tablets. How often do I use them as a tablet? Not too often, but when I am in a customer meeting and do not use my notebook to present, I use it to take notes. That’s basically the application I use it for, and it does a good job.
The question often is why Tablet PCs did not really take off broadly, and I do not know. Now Apple launched the iPad, and even before it was on the market, tablets were hyped. Great marketing, I have to admit. And then, finally, I read this article today: Tablets to outsell netbooks by 2012, report says. Wow. The interesting part of the article is that consumers “didn’t ask” for tablets. Apple is successfully teaching consumers to want the iPad. As I said: great marketing, great demand generation.
Let’s see whether this really happens the way Forrester predicts.
Today we added 17 additional markets to our Microsoft Security Essentials offering. I am really excited about that, as all these markets are in EMEA: Algeria, Bahrain, Egypt, India, Jordan, Kuwait, Lebanon, Morocco, Oman, Pakistan, Qatar, Romania, Russia, Saudi Arabia, South Africa, Tunisia, and the United Arab Emirates. Additionally we added Russian and Romanian as languages. This is really exciting stuff, and the tool is an anti-malware solution for free!
If you want to see all the countries we make it available, look here: http://www.bing.com/maps/explore/#/f5n3nlg6vryj0282
As you know, this is a professional, free anti-malware solution, and I guess the requirement that you need a genuine copy of Windows is not a limitation for you, as you do not run a pirated copy anyway, right?
Get it, download it and run it. It got great feedback!
When I tweeted last week that I was on my way to Algeria, I got quite a few reactions and questions asking me to report how it was. So, let me try to briefly summarize my impressions.
I was invited to speak at a conference on certification in Algiers. Well, initially I pushed back, as I did not understand how you can have a good two-day conference on certifications like Common Criteria etc., and it is not my core competence anyway. After discussions with our Country Manager, I realized that we were talking about certificates and eID, which made me change my mind.
The government of Algeria decided to invest in eID technology to help them move one step towards a digital economy. So, there is definitely a lot of great intention, motivation and energy behind this idea and this project. To help them learn from the breadth of industry experts and from other countries, the government decided, together with the ITU, to convene this conference. The importance of the initiative could be seen by the presence of senior government elites as well: Of Algeria’s 35 ministers, three were present to open the conference, which showed commitment. And all of them stressed the importance of such an initiative.
Looking at the different presentations I saw (I was not present during the whole conference, so this might not completely reflect everything), there were two main streams: Speakers (mainly vendors and consultants) explaining the technology, how good it is, and that you are then able to link an identity “securely” to a person. Others (and all the Microsoft speakers were in this category) laid out that it is at least as important to understand what you are going to do with the eID to make it successful. So, the applications which consume the identity are very important to making an eID project successful; this is pretty obvious but often forgotten in these projects. We have seen very good examples from developed countries being successful because the government as a whole moved to eGovernment and, in certain areas, only to eGovernment. This is probably the most common denominator amongst the speakers who did not “just push technology”.
So, there was this warning, but then there were presentations as well, like the one from Kim Cameron (one of our identity gurus), actually showing how you can make this happen.
Overall, this was a very good conference. To close, I would like to give you an anecdote which happened to me: After my presentation I left the podium, and one of the organizers from the government approached me and said “you scared us”. Well, I immediately mapped that to my statements on the threat landscape. So, I answered something like “well, this was not my intention, but I thought that the threats are important to understand as well”. She looked at me and then said “no, I did not mean the threats, but you raised so many valid questions we do not have an answer to yet. This scared us”.
Looking at this, it means to me that I probably accomplished my goal: not to scare the Algerian government but to make them ask the right questions and start looking for answers. To help there, I am looking forward to going back to Algeria (hoping that the visa process and immigration are faster next time ;-) )
This morning I read the following article: Microsoft can help kill fake antivirus threat. An interesting approach. The proposal is that we could white-list all the legitimate security software within the OS in order to make it harder to trick the user. Well, would this work? I am not so sure:
To me, the problem is more widespread than “just” fake anti-malware solutions. I understand that this is a problem, definitely, and I understand that the thought of white-listing security software is attractive. But the problem is malware in general and how the criminals trick the user into installing something they do not want. This leads back to the question of the trusted stack, which we address in our End to End Trust vision. To me, that’s the only approach which can be successful.
You definitely have heard of COFEE (Computer Online Forensic Evidence Extractor), which we make freely available to law enforcement through Interpol and NW3C. Now the probably unavoidable happened and the tool leaked to the Internet. There was actually an interesting statement by Ars Technica yesterday: Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer.
To make our point clear, let me quote Richard Boscovich, senior attorney, Internet Safety at Microsoft Corporation:
We have confirmed that unauthorized and modified versions of Microsoft’s COFEE tool have been improperly posted to bit torrent networks for public download. We strongly recommend against downloading any technology purporting to be COFEE outside of authorized channels – both because any unauthorized technology may not be what it claims to be and because Microsoft has only granted legal usage rights for our COFEE technology for law enforcement purposes for which the tool was designed.
Note that contrary to reports, we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to ‘build around’ to be a significant concern. COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals, its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field.
In cooperation with our partners, we will continue to work to mitigate unauthorized distribution of our technology beyond the means for which it’s been legally provided and, again, would strongly discourage people from downloading unauthorized versions of the tool. As always, law enforcement wishing to use COFEE can safely get the latest released version of the tool free of charge through the established channels with both NW3C and INTERPOL by contacting NW3C at www.nw3c.org or INTERPOL at cofee@interpol.int.
So, to be clear: It is not “only” illegal, the leaked copies are modified as well. Do you really want to install that?
When the industry prepared for the Year 2000, I was working in a consulting company making a good living from reviewing Y2K projects. Then the year 2000 came and nothing happened (besides a big party).
Then the year 2010 came, and the bug actually got hold of us. Initially I thought I was reading a joke, but it seems to be true. The German Sparkassen (a banking brand) had a problem with their ATM cards: The Gemalto chip on the card was unable to process the year correctly, and the card failed to give you money.
I do not know how you handle your daily spending, but here in Switzerland you are able to pay almost everywhere with your debit (say ATM) card. So, the cash I have with me is very limited, and I run into a serious problem if I cannot pay with plastic. Additionally, to get cash you need the card again. And finally, I often rely on the fact that I can get local currency in a lot of countries with my debit card.
This really causes serious trouble and, at the end of the day, affects the critical infrastructure of a country, all of a sudden and without warning.
If you are able to read German, here are two articles about it. Unfortunately I did not find anything in English:
I guess you might have seen it by now, but if not, please make sure you read and understand the material available:
Last night we released a Security Advisory on a Vulnerability in Internet Explorer Could Allow Remote Code Execution. The reason is that our investigations have shown that this vulnerability was one of the attack vectors used in the recent attacks against Google. So, please read the blog post of our Microsoft Security Response Center on the release of the advisory.
I just want to quote some of the key elements in there:
Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.
[…]
Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.
Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.
There are some additional mitigations listed in the advisory. However, a few things from my side:
I realized that it might be necessary to give an introduction on how to switch DEP on, and I therefore wrote a post on that today as well: Leveraging Data Execution Prevention (DEP)
When I talk to customers, the different attacks are often something we discuss (obviously). I often mention that virus and worm attacks on a broad scale (like Conficker etc.) are a serious problem, but at least one we see, one we understand and one we can fight (because we see and understand it).
However, my real concern is targeted attacks on governments and companies, as they are incredibly hard to detect. In the last few months, every once in a while we read in the press about an attack on a government, and sometimes they went undetected for months until either something happened, like a server crash, or law enforcement found out somehow.
This morning I read an article which actually claims that the problem is even bigger than I thought: Report Details Hacks Targeting Google, Others. Actually the article just uses the Google attacks to attract readers, as it does not really talk about them, but the content is interesting nevertheless.
This is a nice feature: on this page http://www.microsoft.com/windowsazure/support/status/servicedashboard.aspx we show the current state of our Azure services. This is the kind of transparency (on the operations side) we need. Much more is needed with regards to process transparency, but this is a great first step.
I am really against banning social media, especially with the reasoning of work performance. To me, this is a management job, not a technology job, and I doubt that banning social media to make people more productive is really successful.
Now I read this article: Why Banning Social Media Often Backfires, which is definitely worth reading, as it goes down the road I just mentioned above. Roger
If you are running a blog, you most probably use one of the websites which show where your users come from, no? Like Clustrmaps, which I used for a few years. Then I found a new one which I like much more, as it gives me more information. It is called WorldMaps, and the best thing is, it is based on Bing Maps :-) and delivers fairly cool pictures (read until the end; the really cool thing is at the very end of the post :-)):
Additionally, it delivers the statistics I need with regards to hit rates over the month, browser hits etc.:
and a few more. But the real reason why I am blogging this is the live view on the traffic. If you go to the Stumbler, you get a live Silverlight view of where the hits are coming from. The only drawback I found is that the selection of the web pages you want to see live is not saved. So, e.g. if you want to see the live hits for my blog (a slow one, so help me to increase it), you click on Maps on the top right, click Uncheck All, enter Halbheer in the filter box, click on both blogs shown and close the window; then just watch. Unfortunately I was unable to embed it into this page, but it looks like this (click on it to see it live):
When I access the blog, I am shown in the far west of Switzerland. So, at least the country is right :-)
I would love to know… You probably saw a lot of blog posts recently about “Conficker to strike back on April 1st” or similar.
If you are interested in what is known about Conficker and April 1st, read our encyclopedia entry on Conficker.D and choose the “Analysis” tab there, which gives you the details.
To be clear from my side: Please concentrate on deploying the Security Update and cleaning Conficker (if you are infected) much more than being sidetracked by that.
Interesting: Bill would give Obama power to shut down Internet, networks during cyber attacks
This is a question I often get asked: What is the impact of the economic downturn on security? I am convinced that three things will happen:
So, to me compliance is the key theme for the next few years. Additionally, companies will have to move away from “best of breed” to “best of need” as budgets get tighter. Last but definitely not least, in order to address the compliance needs, you will have to go for an integrated solution. There is no way you will be able to address the challenges with point solutions (and I guess I do not have to say here that we are best suited to help you with the best-of-need integrated platform).
The actual reason why I write this post is two-fold: I had the honor this week to hold a keynote opening the CoE – OAS/CICTE Conference on Terrorism and Cyber Security in Madrid. I had the opportunity to talk to some journalists during the conference as well, and one of the articles covers point 1 from above (the rising cybercrime challenge): Economic crisis tempts tech experts into cyber crime. And then I stumbled across an article called Fired Employees Can Still Access Co Systems, Survey Finds. So, if you bring those two challenges together, you can easily derive what you have to do, things which are not new but more important (and sometimes urgent) than ever:
To me, those are the key starting points: Address your patch management and identity management, and enforce policy compliance on your network with technologies like Domain Isolation using IPsec and Network Access Protection.