Roger's Security Blog
As Chief Security Advisor of Microsoft EMEA - let's share interesting security information
incidents
Related Posts
Blog Post:
Summary of Bitlocker Discussions
rhalbheer
Last week there was quite some discussion about “successful attacks” on Bitlocker. Those discussions are often quite interesting for me as they show sometimes that people are looking for one technical solution for all the problems. Bitlocker has a clear threat model it wants to protect you from. This...
on
11 Dec 2009
Blog Post:
Would a properly managed IT have withstood Conficker?
rhalbheer
Before I start here: Let’s be clear that I will not say (and will never say) that if a customer was infected with Conficker he had a poorly managed network! I had a lot of discussions over the course of time about the reasons for customers being infected. We all know the attack vectors of Conficker but...
on
4 Mar 2009
Blog Post:
A Detailed Analysis of an Attack – Do We Need an International Incident Sharing Database?
rhalbheer
I recently came across a paper called Shadows in the Cloud, which is actually a follow-up report of Tracking GhostNet: Investigating a Cyber Espionage Network, an investigation of the attacks on the office of the Dalai Lama and some governmental bodies. The report is written by two bodies who had the...
on
21 Apr 2010
Blog Post:
Additional Conficker Guidance
rhalbheer
Yes, Conficker is far from being over. We still see a lot of infections. Therefore we decided to publish additional guidance for Conficker: Microsoft Conficker guidance page for IT Professionals and those focused on security in the enterprise: http://technet.microsoft.com/en-us/security/dd452420.aspx...
on
7 Feb 2009
Blog Post:
Paper on the Root DNS Attacks
rhalbheer
You remember for sure the Root DNS Attacks earlier this year, where a DDoS attacked different root servers. There is a pretty good analysis paper by ICANN published now: http://www.icann.org/announcements/factsheet-dns-attack-08mar07.pdf Gives some insights Roger
on
9 Mar 2007
Blog Post:
Emerging Malware Threat on Exchange
rhalbheer
If you have not seen it, you should probably have a brief look at it. We are seeing a new worm spreading on Exchange. This worm is not exploiting a vulnerability but uses social engineering to spread. Please read our MMPC blog at Emerging Malware Issue: Visal.B or look it up in our malware encyclopedia...
on
10 Sep 2010
Blog Post:
The DigiNor Story–So Far
rhalbheer
I just read an article on SANS: DigiNotar breach - the story so far. To be clear: This is not a Microsoft analysis nor any official statement from us. What we have to say is in the advisory: Microsoft Security Advisory (2607712) - Fraudulent Digital Certificates Could Allow Spoofing. It just gives...
on
2 Sep 2011
Blog Post:
Centralized Information About The Conficker Worm
rhalbheer
Since I enabled Live chatting on my blog I got several questions about Conficker already, which I am happy to answer. However, Ziv from our Malware Protection Center now published an excellent blog post summarizing all the information about Conficker – how you can get infected, what you can do to protect...
on
23 Jan 2009
Blog Post:
Attacks on MS08-067
rhalbheer
As we were pushing on our Out-of-Band release earlier this month we tried to make you understand that immediate deployment is needed as the vulnerability is high risk. Otherwise we would not have gone out of band… Interestingly enough, we have not seen widespread attacks since now. Earlier today now...
on
26 Nov 2008
Blog Post:
Hackers using QR Codes to Push Malware
rhalbheer
Always something new… As these kinds of codes are mainly used on mobile phones (or only used on mobile phones) the malware actually addresses smartphones “only” – in this case Android: Hackers using QR codes to push Android malware. If you use a code such as this (source: ZDnet Article referenced):...
on
3 Oct 2011
Blog Post:
Stuxnet talks – do we listen?
rhalbheer
Stuxnet is a severe threat – that’s something we know for sure. But if we look at it – what do we really know? What can we learn? Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see, what was happening. There was a ton of speculation out there about the source and...
on
12 Oct 2010
Blog Post:
A few comments to yesterday’s Out of Band
rhalbheer
It is pretty typical – these things often happen, when I have a really bad Internet connection ;-). However, I am back home and the connection is kind of better now… I guess you have seen and heard about the two out of band updates we shipped yesterday. They are kind of special and I would like to...
on
29 Jul 2009
Blog Post:
Comments on US-CERTs Advisory on Auto-Run
rhalbheer
You might have seen the advisory of the US-CERT titled Microsoft Windows Does Not Disable AutoRun Properly – if not, you will definitely have seen one of the articles covering this issue and telling you that our advice on how to prevent Conficker is flawed. This statement is not quite true the way it...
on
22 Jan 2009
Blog Post:
Leveraging Data Execution Prevention (DEP)
rhalbheer
The recent IE attacks have shown again that the current technology built in Windows Vista and Windows 7 could at least help to mitigate the attacks. One of these technologies which could be used more broadly is Data Execution Prevention (DEP). Here is how to switch DEP on (it is fairly well hidden). First...
on
15 Jan 2010
Blog Post:
Advisory for the ASP.NET Vulnerability
rhalbheer
We are basically asking the industry to follow a Coordinated Vulnerability Disclosure and are therefore not in favor of public vulnerability disclosure as it puts the industry unnecessarily at risk. Recently there was a vulnerability in ASP.NET publicly disclosed. We released an advisory and you...
on
19 Sep 2010
Blog Post:
Security Intelligence Report v5 Live!
rhalbheer
As you are probably used from us, we are issuing our Security Intelligence Report twice a year. It is by far the most comprehensive report across the industry. This report helps us to understand the threat landscape and will help you to do the same as we believe that the more we share this knowledge...
on
3 Nov 2008
Blog Post:
Using the Microsoft Diagnostics and Recovery Toolset (DaRT) for Incident Response
rhalbheer
A few years ago I posted on DaRT after having seen it: Microsoft Diagnostics and Recovery Toolset. It is a really good and interesting tool for a lot of problems, one of them being incident response. I just stumbled across one article describing this: Using the Microsoft Diagnostics and Recovery Toolset...
on
19 Oct 2011
Blog Post:
Finjan reports world's largest Botnet
rhalbheer
I guess you have read it in the meantime: There are a lot of reports out there, that Finjan found a Botnet affecting 1.9 Million computers. This is really bad – obviously. The press now started to cover this and I think we are already losing a little bit of focus in the discussion. I tried to understand...
on
24 Apr 2009
Blog Post:
New Guidance on the SQL Injection Attacks
rhalbheer
We just published yesterday two new pieces of guidance for the latest SQL Injection attacks, which I want to make sure you saw it: Preventing SQL Injections in ASP SQL Injection Attack – which is a great piece of work pulling the different views of the latest attacks together Roger
on
31 May 2008
Blog Post:
Distributed Denial of Service – and how it works
rhalbheer
I often get asked about Distributed Denial of Service (DDoS) attacks, how it works and what role we can play to prevent them. So, let me start with the first part of it: Our Security Intelligence Report version 5 talked about the underground economy and actually explained what is happening before a DDoS...
on
8 Jul 2009
Blog Post:
10 of the Top Data Breaches of the Decade
rhalbheer
You might have read that I ranted a little bit about the iPad data breach: Who needs a (vulnerable) iPad if you can get an nPad? and some people pushed back – which I can understand. So, to put it into perspective, I read this article this morning on the worst data breaches of the decade. An interesting...
on
18 Jun 2010
Blog Post:
H1N1 (Swine) Flu Preparedness - Guide for Critical Infrastructure and Key Resources
rhalbheer
This morning I stumbled across a guide by the US Health & Human Services with regards to H1N1. Even though it did not catch much news lately I am not sure whether it is really over. Staying prepared is definitely not a bad thing. Even though it is US-centric, you should probably look into it: http...
on
16 Sep 2009
Blog Post:
What happens with Conficker on April 1st?
rhalbheer
I would love to know… You probably saw a lot of blog posts recently about “Conficker to strike back on April 1st” or similar. If you are interested in what is known about Conficker and April 1st, read our encyclopedia entry on Conficker.D and you should choose the “Analysis” tab there, which gives you...
on
18 Mar 2009
Blog Post:
After Estonia now Kyrgyzstan
rhalbheer
There is definitely proof that during war times, armies add a virtual component to the “real life” war. Additionally we have seen the attacks to Estonia, where nobody really knew where they originated from (I do not mean the country but whether a government was behind them or just a group of hackers...
on
30 Jan 2009
Blog Post:
When Security Essentials are not Microsoft Security Essentials
rhalbheer
It is so old: Software telling you that you are infected and that you have to install this latest security software immediately. You can bet that this then installs malware on your PC instead of cleaning it. We mentioned this problem already in the first chapters of our Security Intelligence Report v7...
on
1 Mar 2010