A friend of mine (Ole Tom Seierstad, the Norwegian CSA) just published a very interesting article on Microsoft Windows CardSpace and the Identity Metasystem. So, have a look. Happy reading!
Roger
Looking at Jack's comment on my initial post this morning (Securing My Infrastructure: Introduction), it seems that I have to give you some additional information:
So let me start with the goal of this network:
Basically, I started to build it on one server to play around with our technology. Soon I had to realize that unless I run it in a "production-like" style, I will not learn the daily problems and challenges that come with a certain setup. It is one thing to make an environment work and another to keep it running. Since then I have connected my home PCs to the lab and run it 24x7 – and learned a lot!
The second point is about the physical setup of the servers:
I am actually running three physical servers at the moment, all on Windows Server 2003 R2:
So there are two open questions that come to my mind (probably more; let me know):
Does that make sense?
If there is any question you would like to me address, drop me a mail or a comment.
Looking forward to your feedback.
At the moment we are tracking a Trojan that is spreading through Messenger and AIM. It is called Win32/Pushbot.BD and you can find additional information on our Malware Protection Center.
This just gives me the opportunity to remind you that you definitely should make sure that files downloaded via IM are scanned by your AV engine. How to do that? Well, it is described here.
As you probably know, some time ago I asked for feedback and for themes you are interested in. Some of you replied to me privately, some with comments, and I would like to thank you for the constructive feedback. One of the inputs I got several times is that you would like to get more information on how to secure and run an infrastructure – the usual ask for "best practices".
Well, there are a lot of best practices out there, be it from us on the Microsoft website or from third parties. However, they seem not to fit your needs directly. So, what can I do? Give you some additional best practices? Most probably, this will not fulfill your need either. And what is the reason for that? Well, you are unique! Your situation is unique, your assets are unique and your risk appetite is unique.
I tried to think of what could be valuable for you and think I could tell you how I secure the environment in my lab at home. You will wonder what this has in common with the environment you have in your company. This is a valid question. Let me give you some ideas about the infrastructure I am running in the lab:
The following server roles are in place:
And, yes – there are a few clients as well. So, I am running an IT environment the size of a small or medium business – not with exactly the same requirements, but this is the environment in which I am trying to collect as much experience as possible and implement a lot of "best practices".
So, I will start to give you some insights into how you could use our technology (did I tell you already that everything is on Microsoft technology?) to secure and operate such an infrastructure. I will do it as long as…
Microsoft Customer Service Calls Back 10 Years Later
In the Wall Street Journal there is a preview of Bill's speech today at the World Economic Forum (they are actually flying over my house on their way to Davos – I hear them all the time). It is pretty interesting reading on new ways in which capitalism could work not only for the rich but also for the poor. What I like more and more is the idea not only of charity but of making money AND helping the poor. Impossible? I do not think so. When I was in South Africa recently I visited one of our customers, a bank, whose business model is exactly that: They handle the (pretty small) transactions of people who do not have a lot of money. They actually have branch offices in the middle of the slums. They use high-tech solutions to keep their cost to a minimum, and with that, these people all of a sudden can save money to buy things later on or can get micro-loans to invest in their businesses. And the cool thing: They are actually really profitable. It works, at least for them.
Read the WSJ-article yourself – it is worth it: Bill Gates Issues Call For Kinder Capitalism
If Al Qaida really has these capabilities, I am starting to get scared when I have to fly (which happens to me pretty often): There are reports that the plane crash last week could have been caused by hackers attacking the plane before take-off in Beijing…. Al-Qaida ties to British crash probed
Something that might be worth looking at: Carnegie Mellon's CERT just published two Secure Coding Standards: One for C++ and one for C. I had no chance to look into this and understand how this compares to our Writing Secure Code but it is definitely worth mentioning.
Jeff released another report: He is looking back at one year of Windows Vista. We had the discussion about the value of vulnerability comparisons and I do not want to open another discussion thread about that. But as long as we hear that our products are less secure than others because we have sooo many vulnerabilities, these reports are important for us internally (we know where we stand) and externally to communicate our findings – and they are pretty interesting.
Have a look at the report at Download: Windows Vista One Year Vulnerability Report
Last but not least it was interesting to see that readers of my blog are looking into these things as well: Vista logged fewer vulnerabilities in its first year than XP, Red Hat, Ubuntu, and Apple Mac OS X did in their first years
I think that there is a very good example of how a platform could be offered for victims of cyber crime. There are often questions around: What are my rights? What can I do if something bad happens? Who is here to help?...
www.e-victims-org offers answers to a lot of questions like those and offers help. Ed Gibson, my CSA mate in the UK, is actually on the Advisory Council.
This is basically a very interesting and pretty fundamental question for society. After 9/11 the US changed the way they work significantly. Just as an example: Airlines had to give the US government information about passengers flying to the US, which actually violates the privacy laws in Europe. So, the decision had to be made: Either you violate the laws or you do not fly to the US anymore… What do you do now? Well, the Data Protection Officers actually had to give in.
So, if you look at it from a broader perspective: It is pretty natural that National Intelligence as well as Law Enforcement are looking for as much information as possible to fight crime. And I guess that successful Law Enforcement and Intelligence Services are something we all would like to have – we want them to protect us. But what are we willing to pay? How far are we letting them invade our privacy? This is the key question and something there is no single answer for.
If you look at the article US spy chief puts security over privacy compared to the comment I made in 2-year old terrorist, it really scares me. I see the dilemma we are in – no doubt. And to be completely honest: I am not sure how far I want to let my privacy go for the sake of my security. I am living in a very safe and secure country – Switzerland. However, I know that the National Police has to work hard to keep it that way. So probably it is as always: As long as nothing happens to me personally, I fight for Privacy. As soon as something happens, I want as much Security as possible.
A problem we all know, don't we: Nobody wants to pay for security but as soon as something happens…
Your view?
Well, this is not new: Government agencies with insecure websites. Actually I did not want to blog on this (you find the article about an insecure TSA website here), but then I drilled into the comments and there is one that actually shocked me (well, no, that is wrong: it did not even surprise me, but it shows the success of the US fight against terror):
My two-year-old is on the list (this is the no-fly-list we are talking of here). After I found that out on a family trip, I lost the last ounce of faith I had in the system. The ticketing agent said he will always be on the list and will always be flagged for secondary screening for the rest of his life. I just laughed since I am pretty sure this security won't last too long.
It is amazing: DHS is able to tell that you are becoming a terrorist even at the age of 2!
I guess, you have seen this but I just want to make sure: Vulnerability in Microsoft Excel Could Allow Remote Code Execution.
I would like to quote two things:
Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability.
<…>
So, there are two things that are important in general from my point of view:
Wow, this is scary: A company called Sentrigo just published a study about how DBAs patch Oracle databases. Even though you could challenge their findings (they asked only 305 people, so the study only shows half the truth), it is really scary (I quote):
Where does this come from? I am no Oracle specialist (I used to work on this DB decades ago), but this worries me from two perspectives: It is a significant risk to the industry, and I am worrying whether this is the same with SQL Server (even though our figures show a different picture). Is this because people are afraid of the downtime caused by the reboots? Are they afraid that their application could break? Is it ignorance? Is it a lack of tools? A really interesting question.
We just started the Beta program for the Windows Server 2008 Security Guide. So, if you plan to roll out Windows Server 2008 soon, participate and have a look at it:
Here is the Technet Executive overview.
To join the Beta program, click here.
You remember my post on The Economy of Cyber-Crime? One of my claims was that you need to work with Law Enforcement in order to increase the cost for the criminals – and here we have one of the outcomes: Norcross hacker sent to prison
I quote:
William Bryant, 38, was sentenced Thursday, Jan. 10 by U.S. District Judge Thomas W. Thrash on a charge of hacking-knowingly causing the transmission of information to a computer used in interstate commerce, and, as a result, intentionally and without authorization causing damage to that computer.
In addition to his prison term and home confinement, Bryant must spend two years in supervised release, perform 200 hours of community service and pay restitution of $15,470.
I like that.
No comment: FBI wiretaps dropped due to unpaid bills
I love that: There is finally software that is free of bugs and completely secure. Hmm, this kind of reminds me of the world-famous marketing campaign of a big software company which called itself "unbreakable". However, let's be fair:
There is an article out there called 11 open-source projects certified as secure. I quote from there: "Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects." This is nonsense and we all know it, for several reasons: Static source code analysis will never ever be able to find all vulnerabilities. Additionally, the threat landscape changes. Even if we were able to say "the software is secure" (which we will never be), this would be different tomorrow. Criminals are probably among the cleverest people when it comes to finding new ways of attacking our systems – ways we never thought of when we planned the system.
So, I tried to confirm the above statement on the websites of Coverity: http://www.coverity.com/index.html and http://scan.coverity.com/index.html and could not find the same statement, which I think is not bad – otherwise I would have doubted their capacity.
Actually, Michael Howard commented on that as well: "Open-source projects certified as secure" – huh?
So, to summarize: I am not in the position to assess the quality of Coverity's capabilities and the quality of their tools and processes. The only thing I know for sure is that this article is crap.
BTW: Stop looking for the Security Silver Bullet – I do not want to lose my job.
Watch this: http://video.msn.com/video.aspx?mkt=en-us&vid=be9075bb-df0a-41c9-8d86-7ded46627e26
If you want to see the whole CES keynote: http://istream.edgeboss.net/wmedia-live/istream/30743/750_istream-ces2008_080102.asx
A guy in the UK wanted to prove that the loss of two CDs is not really serious and published his bank account details – and lost £500 to a charity.
Clarkson stung after bank prank
It seems that the new dreamliner has a serious security vulnerability: FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack
Working together across different organizations and companies is always a big challenge. How can you work within different workspaces and share documents etc.? Usually e-mail is the core infrastructure you use to share information. We just released a beta version of a Solution Accelerator we call "Extranet Collaboration Toolkit for SharePoint". Just have a look and subscribe.
I am one of the security guys saying that the likelihood for us seeing events like Blaster or Slammer again is very, very low (this shall not be a "call to action" for the criminals…). I think that the measures the whole industry took as well as the increased awareness with the consumer made it very hard to write a highly automated, aggressive worm again.
Well, I just read about a new threat: We have seen more and more cities starting to offer free WiFi to anybody nearby. The village I was in for my skiing vacation in Switzerland actually offered a free service as well, for 30 minutes. Then you had to sign in again. If you did not want to do that, you could pay instead. It seems, however, that the WiFi routers are open to wormable attacks as well: WiFi flu: viral router attack could hit whole cities
Michael Howard just wrote a post about recent vulnerabilities of third-party applications he looked into. This is pretty interesting as it shows certain challenges of current processes (e.g. what do you do with third-party software you rely on?): Recent Symantec and IBM vulnerabilities, giblets, banned APIs and the SDL
Based on my post about IPSec, Steve Lamb posted about IPSec Interoperability and has an interesting follow-up link: How to implement IPSec between LINUX and Windows Vista: Why use IPSec network security?