"Stay Safe" Cyber Security Blog

PKI Certificate Renewal Strategy: A Simple Cascading Schedule

Troy Arwine — Wed, 22 Aug 2012 01:08:03 GMT

Designing a strategy for Certificate Authority (CA) certificate renewal schedule can cause some confusion if you don’t understand the relationship between CA certificate renewals to end-entity certificate renewal overlaps. However, the following these general guidelines can help CA certificate renew easily without shortening the life of the certificates.

Let’s take the example of a 3-tier CA hierarchy (Root CA, Intermediate CA and Issuing CA) with end-entity certificates valid for 2-year maximum. One approach is to have Issuing CA certificates valid for at least double the life of its issued certificates, yet scheduled renewal with at least 2 years remaining (corresponding to the max life of end-entity certificates).

For example:

In this example PKI with 2-year maximum end-entity certificate lifetimes, the green bar shows the validity period of the Issuing CA certificate while the schedule (year 3, 6, 9, etc.) to the left of the bar shows the scheduled renewal times every 3 years. (See chart below):

Since end-entity certificates in this example are available for 2 years maximum, the end-entity would be always be able to be issued for those full 2 years because the Issuing CAs would have more than 2 years left because the Issuing CA certificates here are valid for 5 years total.

The Issuing CA in this example is scheduled for renewal every 3 years. The Intermediate CA Certificates which are valid for 10 years could then be renewed prior to the 3^rd renewal of the Issuing CA certificate (every 9 years). This would then allow the Root CA Certificate which is valid for 20 years to be renewed prior to the 2^nd renewal of the Intermediate CA certificate (every 18 years).

This type of cascading schedule is just one simple strategy that allows the end-entity and CA certificates to be issued on a regular schedule in a simple and easy-to-follow while allowing full certificate lifetimes for all issued end-entity and CA certificates.

Driving Safely Online & Legislation of Technology: Mandating Hands-Free Availability Built Into All Vehicles Instead of Disabling or Banning Cell Phones

Troy Arwine — Mon, 11 Jun 2012 12:57:00 GMT

This 21^st century world with its enumerable social gadgets intertwined on the Web make driving hazardous. Our world is accustomed to life on the go via LinkedIn, blog postings, Facebook “likes”, and e-mail in our pockets. Our society is in need of status updates, real-time collaboration, video calls and electronic social gratification both at work and in our personal lives.

Online distractions like texting and driving, though, can be very dangerous and deadly as shown in the recently reported double-tragedy of a teen who was convicted of motor vehicle homicide as a result of texting while driving in an event resulting in the death of another driver. There is little doubt that the sentence imposed by the judge was strict and meant to send a message of deterrence to the public in an attempt to curb texting and driving.

What may seem surprising to some, however, is the response from the Transportation Department (DOT). I listened to a story on National Public Radio (NPR) last Thursday entitled, Texting and Driving Bans May Make Roads Less Safe by Robert Siegel and Audie Cornish. NPR reported that, “Thirty-nine states have rushed in recent years to pass bans on texting while driving like the one used to convict the Massachusetts teenager. Secretary LaHood says the remaining states should hurry up and follow suit. And he announced a $2.5 million grant to beef up enforcement”

Furthermore, Neal Conan of NPR reported the same day on “Talk of the Nation on “What'd Make You Stop Texting While Driving?” In it he reported that:

“Secretary of Transportation Ray LaHood earlier suggested technology to disable cell phones in vehicles. There's a lot of technology out there now, he said, which can disable phones. We're looking at that, he said on MSNBC, the possibility - I think it will be done, said Ray LaHood. I think the technology is there, and I think you're going to see the technology become adaptable in automobiles to disable cell phones. We do need to do this a lot more if we're going to save lives.”

Obviously there is a real threat that needs to be addressed; there is no question on the danger. However, a ban of specific types of technology or restricting driving freedom is not a real solution. Disabling cell phones in vehicles is just a bad idea and can have unintended consequences. Just briefly aftermarket hacks and scenarios where someone experiences their own tragedy because they are unable to access their cell phone to call a loved one in an emergency. Just imagine the “What if....” situations.

Still it does not really address the distraction issue. According to the NPR report, “Russ Rader is with the Insurance Institute for Highway Safety, which does research for insurers. He says laws can even backfire as drivers try to hide their phones lower down in their lap. Also, he says cellphone bans can only do so much since cellphones are only a small fraction of what distracts drivers.”

Russ goes on to say, “there is dispute about whether any law can actually get drivers to put down their phones…Distracted driving is as old as driving. And whether it's putting on lipstick, or reading the newspaper, or reaching into the backseat for the MP3 player, all those things are distracting. So focusing on phone use will have limited effect on reducing crashes.”

Furthermore according to futurist Michio Kaku, we will, in the not-so-different future, have “millions of chips in all our possessions: furniture, cars, appliances, clothes”. Today it may be a phone ban, but where does the ban stop or start for other devices? Are we going to disable all devices and gadgets going forward too? What about scenarios not involving vehicles that can be just as deadly such as pedestrians walking down a busy street while distracted while texting?

There is, however, a historically proven and practical approach to staying safe online while on the go. It’s the model that’s been used for year’s successfully with other safety technologies in vehicles. If we decide legislation of technology is required to solve the problem of the distracted driver, then let’s legislate an enabling technology solution.

There are plenty of examples of legislation enforcing the provision of a technology that will then create a safer driving environment without impeding our freedoms. Whether you like them or not, most modern cars come with seat belts and air bags as a result of mandated legislation. Though some would argue that seat belts limit freedom, a seat belt can easily be un-latched or air bags disabled as needed for required scenarios while driving or dealing with internal distractions. Furthermore, seat belts, air bags, tail lights, emergency flashers, catalytic converters, and anti-lock brakes are safety features that are built-in to the motorist’s ecosystem. All cars come with these safety features and a plethora of other technology designed to keep motorists safe and healthy while driving. The usage of the technology is enforced by laws, but the technology does not have to be purchased or installed aftermarket.

How many of us, despite the risks, would go out and buy a driver-side air bag for an older car without one and install it? If we decide legislation of technology is required, then draft a legal solution that resolves the problem. If hands-free technology solves the problem, why not make hands-free technology required components of ALL modern vehicles. Then train motorists how to use the enabling technology rather than restricting freedoms with an un-proven cell-phone disabling technology or banning cell phones in vehicles.

Combine the new technology with a strong public awareness campaign similar to the designated driver message done for DUIs that will promote change in risky behaviors. In either case, let’s take advantage of safe technology like Microsoft Sync which let you keep your eyes on the road and make hands-free technology mandatory in all cars. If we need to draft legislation to solve this difficult and epidemic problem; let’s embrace safer technology to address the real issue which are distractions as a result of the cell phone form-factor.

Once the technology is available everywhere, then we can enforce laws to mandate hands-free use as we do with seat belts and turn signals, and people will mostly comply because it’s simple-to-use, safe and readily available in every vehicle. In the meantime, check out Microsoft Sync.

Note: Just to be clear, even though I provide a link to Microsoft Sync, I am not suggesting (or implying) that Microsoft Sync (or any specific branded hands-free technology) should be the solution. I suspect there could be many types of competitive technologies available in the vehicle market.

The Value of Certificate Revocation Lists (CRLs) in a PKI

Troy Arwine — Fri, 10 Feb 2012 02:26:00 GMT

In Internet explorer, inside Tools --> Internet Options --> Advanced there are two controls for revocation checking. Check for server certificate revocation controls whether revocation checks occur for HTTPS connections. Check for publisher’s certificate revocation controls whether revocation checks occur when validating the Authenticode digital signatures on downloaded programs and ActiveX controls. Microsoft’s recommendation as noted in Security Compliance Manager for server certificate revocation checking in IE8 and IE9 is to enable this setting.

In a recent announcement by Lucian Constantin, it was noted that Google Chrome will no longer check for revoked SSL certificates online. The article begins discussing a background of how:

“Google plans to remove online certificate revocation checks from future versions of Chrome because it considers the process inefficient and slow.”

There is little doubt that in some cases revocation checking can actually be slow if it is not designed appropriately or if there are mitigating factors like large Certificate Revocation Lists (CRLs) transferred over networks lacking the bandwidth capacity for timely delivery or even too many clients checking in far too often to download full CRLs. This can be the case on Internet facing sites and could affect HTTPS site verification performance for some sites. However, lets take a look at how CRLs work, and recommended practices for ensuring optimal performance for a PKI.

Certificate Revocation List (CRL) - A CRL is really just a list of revoked certificate serial numbers that has been digitally signed by a Certificate Authority and time-stamped and placed in a public in a repository such as a web site. Applications that use certificates have the option of checking the CDP repositories for CRLs. Many applications ignore CRLs altogether while other applications check CRLs and choose what to do if the certificate has been revoked as is the case with many web browsers.

There are different kinds of CRLs that are generally published on repositories known as CRL distribution points or CDPs:

Full CRL or Base CRL - The most common and widely supported are the full CRLs also known as base CRLs which contain serial numbers of all revoked certificates for a particular Certificate Authority (CA).
Delta CRL – Delta CRLs contain the list of serial numbers of only certificates that have been revoked since the last Base CRL was published.

One of the challenges with designing a PKI is to determine the best publication interval, and there are several factors to consider.

CRL Publishing considerations:

Publishing a base CRL more frequently, revoked certificates could be more quickly known, but the CRLs are downloaded more often, and consequently as the CRLs grow can generate more traffic for the full CRL downloading by all clients.
Publishing CRLs less often can increase the latency before a client becomes aware of a newly revoked certificate, but may reduce overall network traffic because CRLs are downloaded less often.

Care has to be taken to make sure the PKI is designed with these considerations in mind.

Delta CRLs which are much smaller than base CRLs generally are defined in RFC 2380 and allow base CRLs to be downloaded at intervals further apart with more frequent downloads of the delta CRL. This allows for more frequent updates to the known revoked certificates without the necessity to download the full CRL very often. Not all devices or applications recognize delta CRLs.

OCSP - for real-time validation, the Online Certificate Services Protocol (OCSP) is an HTTP protocol that acts as an intermediary to responder to clients that support the protocol. The OCSP response is a digitally signed response for the certificate status, but the response size does not change regardless of the number of revoked certificates. On the back end, the OCSP responder generally relies on CRLs. The advantage with OCSP over CRLs, is that in the event of a revocation that requires near immediate response a new CRL can be published and the OCSP responder can be configured to get the new CRL at a pre-determined interval (i.e. a few minutes) rather than waiting on the next update cached in the CRL.

If CDPs are highly available, distributed appropriately and publishing frequency published with careful consideration to the factors involved such as latency, network traffic, and CRL then they can be efficient at providing accurate revocation information. Further optimization can be achieve if clients support Delta CRLs, and the OCSP protocol.

The aforementioned announcement goes on to state:

If browsers were to insist on talking to the CA before accepting a certificate, all these cases would stop working. There's also the concern that the CA may experience downtime and it's bad engineering practice to build in single points of failure.

CRL Distribution Points - Recommended practices for CAs are that CDPs be placed on highly available servers that are resilient to downtime and outages. In fact an outage of a certificate authority should not affect the availability of CRLs unless the CA is down for an extended period of time extending beyond the next CRL publishing interval. Even in those cases, the CRL can be re-signed with the CA’s private key even if the CA is unavailable.

Furthermore, the discussion focuses on an attacker scenario where:

If the attacker is close to the server then online revocation checks can be effective, but an attacker close to the server can get certificates issued from many CAs and deploy different certificates as needed.

Certificate Issuance - In general, recommended practice for a PKI is to limit certificate issuance to only authorized recipient users and devices approved by the certificate manager. If the CAs are well-protected with good physical and logical security and the private keys secured and possibly protected by hardware security modules (HSM)s then the attack surface on the CAs themselves is greatly reduced as is the likelihood of CAs issuing certificates to unauthorized entities.

Most of the successful attacks on HTTPS sites require control of both the certificates and the DNS.

Examples:

http://www.symantec.com/connect/blogs/new-ssl-attack-revealed-black-hat

http://pcworld.about.net/od/securit1/Kaminsky-Many-Ways-to-Attack.htm

http://www.eweek.com/c/a/Security/Fake-SSL-Certificate-Incident-Highlights-Flaws-in-DNS-Comodo-CEO-440985/

The assertion here also suggested that “While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks…compromise privacy.” What is the “privacy concern because the CA learns the IP address of users and which sites they're visiting?” A web browser or any application can check revocation using CRLs or OCSP from a CDP, but typically not a CA if following recommended practices for protecting CAs.

SSL Authentication - If a client visits a secure sites (https), then the browser may check revocation status of the SSL certificate on that site (server) and optionally server will do the same for the certificates on the client, but these will usually checked against different CDP altogether unless client and server were published from the same CA. In this type of scenario, two different IP addresses for client and server check revocation against two different CDP locations for the others’ certs. The general case for this does not lend itself to a loss of privacy using CRLs or OCSP for SSL communications.

While the future of PKI and certificate trust model may change in the future; for the foreseeable future, CRLs still have an important role and provide tremendous value for PKIs

Mitigating Photo GeoTagging Safety Concerns with Windows Phone 7 Privacy Settings & Pro Photo Tools

Troy Arwine — Fri, 25 Feb 2011 22:41:00 GMT

Photo GeoTagging seems to be making headlines this week and bring to our attention the potential dangers of Photo GeoTagging.

There is also popular web site ICanStalkU.com which also brings out the security and privacy issues implicated by this technology as well which states that they are raising awareness and noting that:

"After analyzing your photos, someone could find out:

Where you live
Who else lives there
Your commuting patterns
Where you go for lunch each day
Who you go to lunch with
Why you...like to visit a certain nice restaurant on a regular basis

I think that most people if they realized they were posting exactly where they were each time they clicked "send" on their phone to post a photo to Twitter they would stop doing it at all!”

How can you protect yourself and others from potential privacy threats when using Windows Phone 7 privacy settings or Microsoft tools.

If you've allowed Camera to access your location, when you capture a photo with WP7, your location will be stored as metadata of the captured photo. For photos, your location information is stored in the Exchangeable Image File Format (EXIF) tag.

There are a couple of options within WP7 to disable GeoTagging altogether or just when uploading to Facebook or Skydrive.

To disable Camera's ability to tag photos and videos you've captured with your phone's location
- Go to Settings >Applications >Pictures + camera
- Toggle the Include location (GPS) info in pictures you take
- Switch to Off
If you would like to have location information removed from the metadata of photos you upload from your phone to Facebook or SkyDrive
- Go to Settings >Applications >Pictures + camera
- Toggle the Keep location info on uploaded pictures
- Switch to Off.

Additional details on picture privacy settings can be found here: http://www.microsoft.com/windowsphone/en-us/privacy.aspx

To clean up existing GeoTags in photos already captured or posted, you can manually edit the GeoTag metadata out of photos using a free downloadable tool from Microsoft Pro Photo Tools v2.

The Pro Photo Tools allow you to add, change, and delete common metadata properties for digital photographs. You can place photos on the Live Earth map and then drag them to the right location. The GPS information will be stored back into the photos. If you have a GPS device, you can load track route files from the most popular formats (NMEA, GPX, and KML) and see them on the map. Then you can place your photos on the track route. Again, the GPS info will be stored into your file. When you have the right GPS location for your photos, you can automatically generate location info like country, state, city and even street names. Or if you know the location where a picture was taken, you can type it in and get the GPS location information automatically.

E-Gov Security Part 3 (Trusting the Cloud)

Troy Arwine — Fri, 18 Feb 2011 20:48:55 GMT

E-Government continues to grow with citizens demanding more online services daily and the consumerization of IT devices that need access to those services from anywhere in the world. Threats to these systems can outpace that growth at an even greater rate if government omits comprehensive security planning either carelessly or even willfully out of a need for quick deployment to meet citizen demands, legal obligations or to avoid losing budgeted project funds.

The foundation for e-Government Services is a Services Oriented Architecture (SOA) whereby citizens coming through any number of access channels or routed to any number of interoperability services whereby government agencies taking in, processing or distributing e-government data do not have to be the intake and exchange engine, and can instead focus on their core competency or government service.

Common E-Government Access Channels

Web	E-mail	Digital TV	Fax	Phone	In Person

Content Delivery

Search

Electronic Forms

Document Submission

Collaboration

Application Integration

Process Orchestration

Message Routing

Identity Management

Agency A

Agency B

Agency C

Shared Services

Agency D

Agency E

Agency F

Moving this model to the Microsoft cloud has tremendous benefits.

Access is virtually anywhere, anytime
Share location-independent resources and costs in an environmentally sustainable way
Allocate resources flexibly and rapidly
Only pay for what you use

See Microsoft's Government Cloud solutions and begin operating E-Government with increased security and compliance (IS027001, FISMA, SAS70).

For additional information on Microsoft soltutions for Government, check out.

E-GOV Security (Part 2–Twenty Critical Cyber Defense Controls to Secure Citizen Data & Maintain Public Trust)

Troy Arwine — Wed, 22 Dec 2010 21:50:00 GMT

The National Association of State CIO’s (NASCIO) & Deloitte released findings from “The 2010 Deloitte-NASCIO Cybersecurity Study” which found that State governments are NOT doing enough to secure citizen data and maintain public trust. In fact looking at the details of this study it’s evident that state governments have more personally identifiable information (PII) of citizens than any other organizations.

State governments fund security less than other entities and often CISO’s lack enforcement authority for broad security enforcement throughout the government. The funding problem results in shortage of IT security personnel. The study shows that only 2% of state governments have more than 50 information security FTEs compared to 48.5% for similar sized organizations.

While many state CISO’s at the state have adopted NIST standards for risk assessment, most state governments still do not adhere to enforcement mandates or audit compliance like FISMA (Federal Information Security Management Act) which is enforced at the federal government level. The irony is that adopting better security standards can actually save SLG money on IT procurement and daily management and operations.

According to Gartner's, 2008 "Case Study: Air Force Commodity Councils Take Aim at Mission Effectiveness": The U.S. Air Force adopted new security standards including the Federal Desktop Core Configuration (FDCC) & utilization of a Microsoft support agreement which helped

Speed up implementation of critical enterprise wide security standards
Save approximately $156 million in hardware costs
Enforce enterprise-level cybersecurity policies
Timely distribution of software updates & configuration management
Save $100+ million in software licenses & other life cycle costs

In all the USAF achieved better security and saved more than $256 million in 4 years by simply implementing stricter security standards and reining in spending for procurements and excessive IT staff by reducing the number of required systems administrators required to manage systems.

SLG needs to first improve security by implementing the Twenty Critical Controls for Effective Cyber Defense. Few SLG agencies have adopted ALL of these safeguards and as a result we are losing the “Cyber War” in state and local government and subject to threats and data loss potential that could dwarf by magnitudes that which was released by Wikileaks.org.

Automation and software can be mapped to the controls as well in order to combat back and gain the tactical advantage in cyberspace while implementing these controls. In an effort to simplify adoption, SANS has mapped a list of generically user-vetted tools here, however there are a number of Microsoft Cloud & On-Premise technologies that map to each of these 20 Critical Controls:

1. Inventory of Authorized and Unauthorized Devices

Microsoft System Center Configuration Manager (SCCM)- Hardware Inventory
System Center Online Asset Inventory Service (AIS)
Windows Intune (In the Cloud)
Microsoft Assessment and Planning (MAP) Toolkit

Inventory of Authorized and Unauthorized Software

Microsoft System Center Configuration Manager (SCCM)- Software Inventory
Windows 7 AppLocker
Software Restriction Policies (Active Directory GPO)
Microsoft Software Inventory Analyzer (MSIA) – Free Tool

2. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Federal Desktop Core Configuration (FDCC) Image
Microsoft Active Directory GPOs & Security Guidance
Microsoft Security Compliance Manager(Central Security Baseline Management)
Microsoft System Center Configuration Manager (SCCM)| Desired Configuration Manager

3. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

802.1X Wired Authentication
802.1X Wireless Authentication
Network Access Protection (NAP) | Cisco Network Access Control (NAC)

4. Boundary Defense

Microsoft Threat Management Gateway (TMG)
Microsoft Unified Access Gateway (UAG)

5. Maintenance, Monitoring, and Analysis of Security Audit Logs

Microsoft System Center Operations Manager (SCOM)
Audit Collection Services

6. Application Software Security

Microsoft Security Development Lifecycle (SDL)
SDL Threat Modeling Tool
Banned.h (Header file to sanitize code listing banned APIs)
FxCop (Static code analysis of .NET)
Code Analysis for C/C++
Anti-XSS Library (Mitigates Cross Site Scripting)
BinScope Binary Analyzer (Free Tool)
MiniFuzz (Free Tool)
SDL Regex Fuzzer (Free Too)
AppVerifier (Free Tool)
Visual Studio 2010
Microsoft Threat Management Gateway (TMG)
Microsoft Unified Access Gateway (UAG)

7. Controlled Use of Administrative Privileges

Microsoft Active Directory
Microsoft System Center Configuration Manager

8. Controlled Access Based on Need to Know

Windows Server 2008 R2 File Classification Infrastructure (FCI)
AD Rights Management Services (RMS)
Microsoft Active Directory

9. Continuous Vulnerability Assessment and Remediation

System Center Configuration Manager (SCCM) – Software Update Management
Microsoft Software Update Services (WSUS)
Shavlik (SCUPdates) – System Center (SCCM) deployment of updates for both Microsoft & 3^rd party applications
Eminentware – Simplify 3^rd party patch management via WSUS and SCCM
Secunia (Corporate Software Inspector - CSI) integrates with WSUS and SCCM for 3^rd party patch management
Forefront Endpoint Protection 2010 (FEP)

10. Account Monitoring and Control

Microsoft System Center Operations Manager (SCOM)
Audit Collection Services
Microsoft Windows Event Log

11. Malware Defenses

12. Limitation and Control of Network Ports, Protocols, and Services

Forefront Endpoint Protection 2010 (FEP)
System Center Configuration Manager (SCCM) – Desired Configuration Management
Windows Firewall
Microsoft Forefront Threat Management Gateway (TMG)
Microsoft Forefront Unified Access Gateway (UAG)

13. Wireless Device Control

14. Data Loss Prevention

AD Rights Management Services (RMS)
RSA Data Loss Prevention (integrates with RMS)
Microsoft Forefront Unified Access Gateway (UAG)- HTTP redaction & Attachment Wiper
BitLocker Drive Encryption

15. Secure Network Engineering

Microsoft Consulting Services (MCS)

16. Penetration Tests and Red Team Exercises

Microsoft IT Attack & Penetration Testing Case Study

17. Incident Response Capability

18. Data Recovery Capability

Microsoft System Center Data Protection Manager (DPM)
Volume Shadow Copy Service (VSCS)
Windows System Restore

19. Security Skills Assessment and Appropriate Training to Fill Gaps

Microsoft Security Guidance on TechNet
Microsoft Security Development Lifecycle (SDL)
Microsoft E-Learning

Microsoft has solutions, products and technologies that map into each of these weak control areas identified by the NSA & NIST, and many of them are already licensed by SLG agencies or free downloads but many controls still have yet to be deployed. State and local governments agencies may drastically improve security while saving money by implementing these security controls holistically rather than piecemeal as historically has been the case.

E-GOV Security (Part 1–Data Loss Prevention)

Troy Arwine — Sat, 23 Oct 2010 06:00:20 GMT

State & Local Government (SLG) is quickly adopting to demands of 21st century U.S. citizens demanding e-government (E-GOV) services. With E-GOV comes both the convenience of Internet services necessary to support tech-savvy Cyber Citizens along with the not-so-convenient threat of transactional man-in-the-middle attacks or data theft / loss to profit-seeking malevolent cyber squatters or foreign governments bent on sacking the little guys. Little guys here in the sense that without structured CIA assurance models adopted by the U.S. military or OMB-supervised Federal agencies which have significant budgeting and training strategic IT security defenses.

U.S. SLG agencies on the other hand, not so much sometimes. Consider for example some of the crown jewels and adjoining vulnerabilities at State & Local government cities and counties that make SLG such coveted targets of these profiteering cyber crooks and hacking ne’er do wells.

Public Safety & Environmental Security Risks: SLG agencies manage supervisory control and data acquisition (SCADA) and industrial control systems (ICS) controlling critical energy (gas & electric),water supply, and waste management systems. These systems are distributed across much of the U.S.. In fact, much of our nation’s critical infrastructure is managed not by large highly organized and regulated agencies of the U.S. federal government or Defense Department, but by smaller often disjointed entities operating independently on a shared interagency computing infrastructure or network.

Take these risks and compound them with the nearly endless array of personally identifiable information (PII) data stores available on these computer systems, and it becomes even more compelling for those interested in selling data on the black market to the highest bidder. This highly sensitive data is found typically unclassified (i.e. no designation for public, private, personal data etc.…) and unencrypted on file shares, USB drives, electronic databases, optical media and on laptops/PCs usually without even basic rights management or file auditing enabled to track access by authorized users.

National & Homeland Security Secrets: SLG maintains control of valuable and often unique electronic data including PII in the form of

Legal, criminal, and health records
Juror names & Judges information
Juvenile Criminal Records (under 18 files protected by law from public disclosure)
Domestic Assault & Rape Victims Names and Addresses
Police & Sheriff Fingerprint Databases
County Hospital & Health Department Medical Records
Registered Voters‘ Social Security Numbers
Etc.…

Finally, the perfect storm emerges once the weaknesses in many SLG communities are exposed by the weak IT security standards or enforcement mechanisms which result out of low budgeting constraints, political boundaries to security enforcement authority, and limited availability of security-trained application developers or security personnel to address detected problems.

Organizational Weaknesses: SLG agencies are fundamentally organized differently than federal agencies or businesses which often creates a potentially high risk operational environment.

Counties run hosted revenue system for the states, but are often left to manage their own security standards.
Complex disjointed departments without a unified top down management or security enforcement ability are still typically interconnected on the same networks to other agencies without clear security protocols or defined encryption methods or interagency firewalls
Many cities and counties have low or zero funds for developer security training or dedicated security staff
Local Election Commissions manage voting at local, state, and federal levels

Data Breaches in State & Local Government affect our personal privacy, financial information or federal constitutional rights

E-Voting machines affect outcome of city, county, state, and federal elections and eventually the laws of our land
Stolen Social Security numbers from laptops affects identity’s security
Tax systems affect personal finances and legal/criminal accountabilities
Legal & justice system databases affects us legally and possibly our privacy
SCADA & ICS systems affects the environment and our personal safety as utility consumers

Data Loss Prevention technologies comes in many forms from Microsoft, but there are a few technologies at different defense-in-depth layers that stick out to help SLG prevent loss of this sensitive data in government.

AD Rights Management Services (File layer)
RSA Data Loss Prevention Suite (File, app & network layers) - integrates with RMS
Forefront Unified Access Gateway (App layer)

HTTP redaction to remove PII in web apps
Attachment wiper

BitLocker (Drive/volume layer)

Technology alone will not make SLG data secure, but if SLG combines these technologies with a good security policies, a security development lifecycle (SDL), encrypted connections (SSL/IPsec) using the doctrine of least privileges access and a top-down security management approach that’s enforceable; then these technologies from Microsoft can assist government is securing its data on premise, in transit and in the cloud.,

Free Microsoft Security Tools

Troy Arwine — Mon, 30 Nov 2009 19:06:59 GMT

I often get asked where someone can find a comprehensive list of Security tools from Microsoft. Many tools which may be used by an administrator are not the same set of tools used by a developer or a consumer, but its nice to have a comprehensive list.

There are four sites that a good landing points:

Security Tools on TechNet
Sysinternals
Codeplex (Microsoft's open source project hosting web site)
Microsoft’s Security Portal

All of these are good starting points to learn about these tools and how to use them to tackle IT security. I have compiled a summary of some of the most useful security tools below.

Virus and Malware Protection and Removal

Microsoft Security Essentials

Real-time protection for your home PC that guards against viruses, spyware, and other malicious software. (For Commercial Antimalware see: www.microsoft.com/forefront)

Malicious Software Removal Tool

This tool checks your computer for infection by specific, prevalent malicious software and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents.

Windows Defender

This free program helps protect PCs from pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

Windows Live OneCare Safety Scanner

This free service scans PCs for viruses, spyware, and potentially unwanted software.

Microsoft Security Intelligence Report (SIR)

Provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software

System & Network Utilities that can be used to troubleshoot security & malware

Process Explorer

Shows you information about which handles and DLLs processes have opened or loaded. See: Advanced Malware Cleaning - Mark Russinovich

AutoRuns

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them

Process Monitor

Advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity

PsTools

A number of command-line tools that allow you to manage remote systems as well as the local one

RootkitRevealer

RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit

TcpView

A Windows program that will show you detailed listings of all TCP and UDP endpoints on your system

Network Monitor 3.3

A protocol analyzer. It enables you to capture, to view, and to analyze network data. You can use it to help troubleshoot problems with applications on the network. See: https://connect.microsoft.com/site/sitehome.aspx?SiteID=216 for release notes and information.

Developer Tools & Threat Modeling:

Microsoft Application Verifier

Runtime Verification tool for unmanaged code

Microsoft FxCOP

Checks .NET managed code assemblies

Microsoft Code Analysis Tool

Code analysis tool that helps identify common variants of certain prevailing vulnerabilities

Microsoft Threat Analysis & Modeling

Threat modeling to empower application risk management

Microsoft SDL Threat Modeling Tool 3.1

Helps engineers analyze security & address design issues early in the software lifecycle

Microsoft PREfast Analysis Tool

Identifies defects in C/C++ Programs

Security Update Management

Microsoft Update

Microsoft Update consolidates updates provided by Windows Update and Office Update into one location and enables you to choose automatic delivery and installation of high-priority updates. See: The Microsoft Security Update Guide

Windows Server Update Services (WSUS)

WSUS simplifies the process of keeping Windows-based systems current with the latest updates, with minimal administrative intervention.

System Center Configuration Manager

System Center Configuration Manager 2007 enables operating system and application deployment and configuration management, enhancing system security and providing comprehensive asset management of servers, desktops, and mobile devices.

Systems Management Server 2003 Inventory Tool for Microsoft Updates

Systems Management Server administrators can use the Inventory Tool for Microsoft Updates (ITMU) to determine the update compliance of managed systems.

Security Update Detection

Microsoft Baseline Security Analyzer (MBSA)

MBSA scans for missing security updates and common security misconfigurations. It can be used in conjunction with Microsoft Update and Windows Server Update Services.

Microsoft Office Visio 2007 Connector for the Microsoft Baseline Security Analyzer

This connector lets you view the results of an MBSA scan in a clear, comprehensive Microsoft Office Visio 2007 network diagram.

Extended Security Update Inventory Tool

The Extended Security Update Inventory Tool is used to detect security bulletins not covered by MBSA including MS04-028, February 2005 bulletins, and future security bulletins that are exceptions to MBSA.

Security Assessment

Microsoft Assessment and Planning (MAP) Toolkit for PC Security Assessment

This free toolkit assesses your entire IT environment for desktop and laptop vulnerabilities to viruses and malware, to determine your PC readiness for Forefront Client Security.

Microsoft Security Assessment Tool (MSAT)

MSAT provides information and recommendations to help enhance security within your information technology infrastructure.

Lockdown, Auditing, and Intrusion Detection and Remediation

Account Lockout and Management Tools

These tools can help you manage accounts and troubleshoot account lockouts.

BitLocker Active Directory Recovery Password Viewer

This tool helps to locate BitLocker Drive Encryption recovery passwords for Windows Vista- or Windows Server 2008- based computers in Active Directory Domain Services.

BitLocker Drive Preparation Tool

This tool configures the hard disk drives in your computer properly to support enabling BitLocker.

Bitlocker Repair Tool

This tool can help recover data from a corrupted or damaged disk volume that was encrypted with BitLocker.

EventCombMT

Available as part of the Security Guide Scripts Download, this is a multi-threaded tool that will parse event logs from many servers at the same time.

File Checksum Integrity Verifier

This command-line tool computes and verifies MD5 or SHA-1 cryptographic hash values of files. These values can be displayed on the screen or saved in an XML file database for later use and verification.

IIS Lockdown Tool

This tool reduces the attack surface of earlier versions of Internet Information Services (IIS) and includes URLScan to provide multiple layers of protection against attackers. (All of the default security-related configuration settings in IIS versions 6.0 and 7.0 meet or exceed the security configuration settings made by the IIS Lockdown tool.)

Port Reporter

This tool runs as a service on computers running Windows Server 2003, Windows XP, or Windows 2000, and logs TCP and UDP port activity.

Port Reporter Parser (PR-Parser)

This tool that parses the logs that the Port Reporter service generates. The PR-Parser tool has many advanced features that can help you analyze the Port Reporter service log files. You can use the PR-Parser with the Port Reporter tool in a number of scenarios, including troubleshooting and security-related scenarios.

PortQry

This command-line utility helps you troubleshoot TCP/IP connectivity issues on Windows Server 2003, Windows XP, or Windows 2000.

PromQry

Promqry and PromqryUI allow you to detect network sniffers on computers that are running Windows Server 2003, Windows XP, and Windows 2000.

SubInACL

This command-line tool enables you to obtain security information about files, registry keys, and services. It also lets you transfer this information from user to user, from local or global group to group, and from domain to domain.

UrlScan Security Tool 3.0

This tool helps prevent potentially harmful HTTP requests from reaching IIS Web servers. UrlScan 3.0 includes new features to help protect against SQL injection attacks, and can be used with IIS 5.1 and later.

UrlScan Security Tool 2.5

This tool helps prevent potentially harmful HTTP requests from reaching IIS Web servers. UrlScan 2.5 can be used with IIS 4.0 and later. (Users running IIS 6.0 and later will most likely want to use UrlScan 3.0.)

Windows SteadyState

Whether you manage computers in a school computer lab or an Internet cafe, a library, or even in your home, Windows SteadyState helps make it easy for you to keep your computers running the way you want them to.

There are many more useful tools on Microsoft's TechNet Security Center and Codeplex.

Flying Pigs at the Turn of the Tide: Microsoft is finally emerging as a leader the cyber security industry

Troy Arwine — Tue, 23 Jun 2009 18:31:00 GMT

Microsoft has been dealing with cyber treats for years both internally and with our customers, but just in case you haven’t noticed; there has been a significant change in the tide from both in the focus of such malevolent attacks and public perception of Microsoft ability to deal with those threats effectively.

To see the trends in Cyber Warfare, one needs to just read some of the headlines in The Latest Microsoft Security Intelligence Report or News articles and the focus of recent attacks now on the rise.

Just take a look at some recent news articles:

February 24^th 2009 – SQL Attacks - Half a Million Sites Already Owned -”Current epidemic of online SQL injection attacks maintains that over a half million sites were victimized by the threats during 2008 alone”

April 3^rd 2009 – VMware exploits - just how bad is it? - “When Tony reported on the release of new VMware patches on April 4th, we didn't immediately spot that the same day there was also a release of a for-pay exploit against CVE-2009-1244 (announced in VMSA-2009-0006). Seems a few days later, there is also a white paper available -for pay as well-, and now also a flash video of the alleged exploit showing a XP client OS exploiting a Vista host OS (launching calc.exe). The video also comments that they get a data leak back from the host to the client”

April 14th 2009 - Attack Sneaks Rootkits Into Linux Kernel - “A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux “. “One of bonuses of this [approach] is that most kernel module rootkits make a lot noise when they are inserting [the code]. This one is directly manipulating" the memory, so it's less noticeable, he says”

April 16^th 2009 - iBotnet: Researchers find signs of zombie Macs – “Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine”

Contrast this with the trend of positive security reports from Gartner, Av-Comparatives and other Security experts raving about Microsoft’s SDL, security software and best practice guidance.

March 25^th 2009 - Gartner: No need to wait for Windows 7 SP1 - A Gartner analysis report recommends IT departments to depart from the usual SP1 milestone when deciding to deploy Windows 7

"Conventional wisdom has been that organizations need to wait for the first Service Pack to ship before they deploy a new client OS. This used to be a necessity. The availability of beta software to test the new product was not as broad as it is today, and people expected the initial release to be buggy and unstable. The first Service Pack usually would ship approximately nine to 12 months after the initial OS shipment, and would usually represent a marked improvement in stability. Today, SP1 does not represent the milestone it used to"

May 20^th 2009 - Adobe to release security updates a la Patch Tuesday - “Adobe said on Wednesday it will release quarterly security updates to coincide with Microsoft's Patch Tuesday as part of a new approach to product security for Adobe Reader and Acrobat. “

“All new code and features for Adobe Reader and Acrobat have been put through a Secure product Lifecycle that is similar to Microsoft's much-touted Security Development Lifecycle.”

June 10^th 2009 - Microsoft Ranks First in AV-Comparatives May Edition for Proactive Detection Testing! – “We are #1 this time! And it is our first time scoring Advanced+ in AV-comparatives testing. We scored very well on both ends: second best in detection rate and we had the fewest false positives. AV-Comparatives.org published the May edition of the proactive/retrospective testing of the May Edition….Our detection rate was…the second best among the participants, and we had the fewest false positive samples.

For details, please check AV-comparatives May edition published below: http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf”

June 29^th 2009 - Pigs fly! Microsoft leads in security – “Microsoft's success with Security Development Lifecycle has security experts buzzing and offers lessons…Many of the world's most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft.

"Microsoft becomes high priest of secure software development." - CNET

“As an industry we should recognize the sea change in Microsoft's approach to security… and encourage other vendors to follow Microsoft's lead." - SANS NewsBites

“In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee.... That's not so much the case today." -- Computerworld

"As repugnant as it sounds, Apple will need to take a page from Microsoft's book in this area. Years of combating viral threats, malware, and so on - CrunchGear

“It isn't just press talk alone. Every common security and vulnerability metric shows Microsoft's software security has dramatically improved over the years, especially compared to its main competitors. Vulnerabilities found by employees and external researchers are down well over half from just a few years ago. For some products, such as IIS and SQL Server, the improvement is startling going from dozens of exploits a year to barely a handful over five years.”

“Hackers have moved on from focusing on Windows holes to attacking third-party applications or social engineering the end-user as the primary attack vector. Patch Tuesday was derided when it first appeared. Now it has become a model for many other popularly attacked products, and vendors not using a regularly scheduled patch period are being asked to get on board by their customers.”

“I challenge you to find anywhere near the amount of free resources on improving your software security from any other source.”

Summary:

Microsoft has made contributions with The Microsoft Security Development Lifecycle (SDL). This SDL framework along with Microsoft’s free security tools, patch Tuesday example, and Microsoft’s Forefront Security products, have forced the trend of attacks to shift to 3^rd party and applications and low hanging fruit, and simultaneously bolstered Microsoft reputation as not only a security player, but a leader in the industry.

Look for more to come with the Forefront “Stirling” wave and Windows 7

Secure Applications - Part Deux

Troy Arwine — Fri, 10 Oct 2008 21:33:00 GMT

According to a study done by the Computer Security Institute and the FBI,

97% of interviewed companies and administrations were using antivirus
98% have a network firewall
Yet, 15% have reported suffering from network intrusions

Almost every business and government is going to have ports 80/443 through their firewall, so that is where the bad guys are attacking us. We need to change the focus of our thinking from Network & Operating System Security to Application Security. Attackers are still using Buffer Overflows, SQL Injection and Cross Site Scripting attacks successfully and how many years have we known about these types of attacks as in IT, yet we still seem defenseless against them.

In just about every IT security conference I speak, most of the IT people in the room cannot explain what XSS or SQL Injection attack is or how to prevent such an attack. We tend to think that since we have up-to-date antivirus, perimeter network firewalls, IDS and patched servers that we are fairly safe, and that's simply not true especially if our applications are not secure. Our own applications if not coded securely nor published with a secure application firewall such as Microsoft Intelligent Application Gateway to protect the applications; the apps themselves become the portals into our internal data and the technology albatross around our necks as it were that give the bad guys money in their pockets and our agencies front page stories in the newspapers.

This week SAFECode.org released an excellent application security guide entitled "Fundamental Practices for Secure Software Development" which includes updated information from Michael Howard, a simple security guy from Microsoft and 15 other co-authors on how to write applications securely. This is an excellent security guide not just for developers, but also for IT Management to review and understand at least the basic concepts to enable and empower our developers with the security training and tools needed to ensure that our applications are strategic assets for our businesses and governments. Developers are usually great at what they code, but many do not necessarily understand security unless it's been part of their training curriculum or job functions, so IT as a whole needs to ensure we have security awareness, training, and tools for testing security for our developers as we do for our network engineers and firewall administrators.

The guide covers many aspects of Application Development that I did not address in my previous post Secure Applications - The Microsoft Way and is so well written and comprehensive, that I will not blog in detail on its contents here, but will instead encourage you to download it and read it for yourself and make sure you make this part of your security library: Fundamental Practices for Secure Software Development.

Great Job SAFECode!!!

Defense-in-Depth vs. BitUnlocker: How to defeat Cold DRAM attacks using BitLocker, Power Options, and Physical Security

Troy Arwine — Sun, 24 Feb 2008 20:42:00 GMT

Princeton University published a paper this week entitled: Lest We Remember: Cold Boot Attacks on Encryption Keys which shows how an attacker can extract the contents of DRAM from a computer that is powered off and retrieve the encryption keys from memory offline and decrypt disks that were encrypted by many popular disk encryption software such as Microsoft BitLocker, FileVault, dm-crypt, and TrueCrypt on Linux, Vista and Mac OS 10 — using no special devices or materials.

They also published a video which includes a special form of this attack on BitLocker which they dubbed "BitUnlocker" which demonstrates the attack using the following method:

1. The machine is powered on and locked

2. They attach a USB disk

3. They cut power by removing the battery

4. They quickly replace the battery and restart the laptop

5. The computer boots to the external drive which copies everything in memory capturing most of the data still in DRAM.

6. The program then looks for the encryption keys offline.

The attack vectors are for computers using BitUnlocker that are machines that are sleeping, locked or in the case of BitLocker if there is no required PIN or USB Key. Here is Microsoft's official response:

The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer's memory can be accessed by a determined third party if the system is running. BitLocker is an effective solution to help safe guard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in 'Sleep mode' it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit (available here). In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication.

How do you defeat such an attack practically? - the answer is simply that you follow Microsoft's recommended best practice security and "Defense in Depth" Here are my recommendations in order to Defeat BitUnlocker with BitLocker, Power Options, and Physical Security Best Practices:

You must have TPM 1.2, “TPM+PIN” (or “TPM+USB”) configured, and machine must be in Hibernate or Powered Off state when not in use or when attacked by BitUnlocker.

Note: If machine is still running and locked or only been shut off for a few seconds and attacked it is still vulnerable to this attack. (This is where physical security is key).

The main attack vector is that non physically secured machines (i.e. laptops, PCs in unlocked buildings) that are not in use (in the hotel room or at the desk when you are at lunch), are still running (i.e. sleeping or active/locked).

The following will show you how to configure Bitlocker 1.2 with TPM + PIN configuration and to configure your Laptop to Hibernate or Shutdown (not Sleep) so that you will not be easily defeated by this attack.

1. Use Bitlocker with a TPM 1.2 with “TPM + PIN” configuration – This is Microsoft’s recommended most secure BitLocker option anyway, it basically requires a pin on boot and anytime it wakes up from Hibernation or started. You can back up your recovery key to a network share – In my case, My Documents is mapped to a network server, so I can get to the recover the Key from another machine if I forget my pin. Caution: If you save your recovery key to a USB drive or print it and that USB drive or printed document is stolen with your laptop or lost, then you are at risk or even unable to recover your pin which I why I prefer a network drive that’s secured and backed up.

2. Configure BitLocker: Pre-Requisites & Step-by-Step Guide - For BitLocker to work, you must be running Vista Ultimate or Vista Enterprise edition and have at least two partitions on your hard disk. Review http://download.microsoft.com/download/c/3/8/c3815ed7-aee7-4435-802b-8e855d549154/BitLocker_StepByStep.doc for minimum system requirements and disk partitioning information and basic BitLocker setup configuration, then proceeded to Step 3 to configure TPM+PIN.

3. Configure TPM+PIN (or TPM+USB)

To turn on BitLocker Drive Encryption with a TPM plus a PIN or with a TPM plus a startup key on a USB flash drive

1. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.

2. If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

3. In the Group Policy Object Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then double-click BitLocker Drive Encryption.

4. Double-click the setting Control Panel Setup: Enable Advanced Startup Options. The Control Panel Setup: Enable Advanced Startup Options dialog box appears.

5. Select the Enabled option. For TPM plus a PIN or startup key configurations, you do not need to change any further settings, but you can choose to require or disallow users to create a startup key or PIN. Click OK.

6. Click Start, type gpupdate.exe /force in the Search box, and then press ENTER.Wait for the process to finish.

7. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

8. If the User Account Control message appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

9. On the BitLocker Drive Encryption page, click Turn On BitLocker on the system volume.

10. On the Set BitLocker startup preferences page, select the startup option you want. You can choose only one of these options:

· Require PIN at every startup. You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.

· Require Startup USB key at every startup. You will see the Save your Startup Key page. Insert your USB flash drive, choose the drive location, and then click Save.

11. On the Save the recovery password page, you will see the following options:

· Save the password on a USB drive. Saves the password to a USB flash drive.

· Save the password in a folder. Saves the password to a network drive or other location.

· Print the password. Prints the password.

Important:

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password stored in safe places to assure you access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker Drive Encryption enters a locked state (see Scenario 4: Recovering Data Protected by BitLocker Drive Encryption). This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.

Choose any of these options to preserve the recovery password. Store recovery passwords apart from the computer for maximum security. To choose more than one recovery password storage method, select one, follow the wizard to determine the location for saving or printing, and then click Next. You can then repeat this step to choose additional recovery password storage methods.

12. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.

Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.

13. If it is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the tool bar at the bottom of your screen or clicking on the Encryption balloon.

By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time you turn your computer on, the USB flash drive must be plugged into a USB port on the computer or you must enter your PIN. If you do not, you will not be able to access data on your encrypted volume. Store the startup key away from the computer to increase security. Without the startup key, or your PIN, you will need to go to recovery mode and supply the recovery password to access your data.

4. Choose a PIN with at least 7 numbers of which at least 4 digits are unique - For additional information please review: MSDN Blog - Finding a Secure Pin

5. If your machine is sufficiently fast, while you are in GPEDIT.MSC, I would recommend changing the “Configure Encryption Method” policy to “AES 256 bit with Diffuser” to reduce the chance of a Brute Force attack being successful. More information on differences between 128-bit and 256-bit drive encryption are found at: http://windowshelp.microsoft.com/Windows/en-US/Help/c4500bf7-8392-4c38-a56e-d018a2438aa21033.mspx. The default is 128 bit with Diffuser, but I am using 256 with no performance degradation.

6. From Control Panel->Power Options, Change the “Choose what the power buttons do” options from Sleep to Shutdown or Hibernate. In my example below, I changed from Sleep to Hibernate. The effect of this is that you will have a minute delay on shutting down and powering up your Laptop and you will be required to Enter a Pin

7. Once you have configured your power options, any time you start your machine, you will be required to enter your pin number, but the advantage here against the attack’s shown in the video are that the memory is written to disk which is protected by BitLocker in Hibernate mode.

8. Please remember that the most dangerous automated attack vector here from the paper was using BitUnlocker to attack a machine that was “Sleeping” because the machine is still running memory is still active. That gives a thief ample time to get access to the memory and cool it or launch the automated BitUnlocker attack at anytime.

When shutting off your Laptop or go into “Hibernate” all memory is written to disk which is now protected by BitLocker, however remember that there is still a few seconds to a couple of minutes where you need to watch your laptop after it shuts down while the DRAM diffuses its memory.

Once it’s shutdown or in hibernate mode and memory is diffused, BitUnlocker cannot access the key in memory if TPM+PIN is configured. They will have to resort to Brute Force attack on the PIN which is very difficult because of built-in anti-hammering technology.

Home Router Hacks, VOIP Phishing & Driveby Pharming

Troy Arwine — Fri, 25 Jan 2008 00:45:13 GMT

A new era is dawning in mainstream hacking techniques that target devices that are not very well defended in most homes: The routers that you get at your local retailer to protect your high-speed DSL or Cable connected PC from malevolent hackers is now the very platform that malefactors are using to steal your information, redirect your phone calls and to send you to data harvesting illegitimate banking web sites.

Drive-by Pharming: Check out this article "Drive-by Pharming in the Wild" on Symantec's web site. The basic form of attack was one in which the hack "modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site." Many of the common home routers from D-Link, Linksys, and Netgear can be vulnerable to this attack not because of a vulnerability, but because the DEFAULT PASSWORD WAS NOT CHANGED on the router. This type of attack will be less common in the business world assuming that the routers are well managed, but home users are slow to adopt security when they don't understand the risks or if its inconvenient or difficult to change. How many home users even know how to login to their home router once its initially setup and configured? This type of attack was only a theory last year, but now its REAL!

VOIP Call Jacking: The next big wave that's coming in telephony is a new type of VOIP attack called "Call Jacking" which can be used both as a classic phishing attack to harvest information, but also as a toll fraud mechanism. As with any technology that's widely adopted, Voice over IP telephone has grown tremendously in the past few years because of its low cost alternative to traditional telephone lines. With this technology come new security challenges. VOIP may turn out to be more costly than we initially thought.

Home Router Hacks: There is not currently a good way to get home users to update their routers with security patches and firmware upgrades. Most users don't know they are vulnerable or how to fix a vulnerable home router, but Secunia lists at least 19 Linksys devices with 1 or more vulnerabilities, 24 D-link devices, and 11 Netgear devices. The number of vulnerabilities and models listed do not really matter for how secure a home router may be in relation to the others - they are all state-of-the-art routers and firewalls that are being probed continually for weaknesses to exploit. The manufacturers do issue advisories and patches for these devices, but home users rarely get the updates or even know they are at risk much of the time.

So what do we do about these new types of attacks?

Short term - we need to understand the changing landscape and educate users about these risks - chances are if you are reading this blog you are already concerned about security - go tell your friends, families and co-workers about security best practices and what to watch for. Have them read good article on DNS spoofing and change default passwords on their Home Routers. There are always going to be risks when online, we just need to minimize those risks when possible and changing the default password is a good start.

Long term - there needs to be a shift in how home devices are designed so that non-technical users be sure to use best practices and notified if their devices are not secured or configured properly. Perhaps anti-phishing & malware technology should be built into the routers themselves.

Summary: Attackers are creative and will continue to get more sophisticated & go after the targets that are least likely to be detected and hardest to recover. Some of these new kinds of attacks will never go through an anti-virus filter on a PC. Because of that, I believe that Home Routers are a low hanging fruit for the next few years and will be one are that is targeted more and more.

Secure Web Applications - The Microsoft Way

Troy Arwine — Thu, 29 Nov 2007 19:15:00 GMT

A question came up this week on how to Secure Web Applications the Microsoft way.

Microsoft has extensive prescriptive guidance that applies to secure online applications.

Defense in Depth

1. Start by building on a Secure Platform:

· Windows Server 2003 with latest Service Pack - http://www.microsoft.com/windowsserver2003/default.mspx

· Windows SQL Server 2005 with Latest Service Pack http://www.microsoft.com/sql/default.mspx

· Implement Microsoft Best Practice Security Guidance for Servers - http://www.microsoft.com/technet/security/guidance/serversecurity.mspx

2. Build the application using best practice Secure Coding techniques

· Secure Coding Guidelines - http://msdn2.microsoft.com/en-us/library/d55zzx87.aspx

· Writing Secure Code - http://msdn2.microsoft.com/en-us/security/aa570401.aspx

3. Be aware of common threats to Applications and avoid SQL Injection & Cross Site Scripting attacks:

· “Stop SQL Injection Attacks Before They Stop You” - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection

· “How To: Protect From SQL Injection in ASP.NET” - http://msdn2.microsoft.com/en-us/library/ms998271.aspx

· “How to Prevent Cross Site Scripting” - http://support.microsoft.com/kb/252985

· “Anti-Cross Site Scripting Library” - http://msdn2.microsoft.com/en-us/security/aa973814.aspx

4. Use Network based Firewall at the perimeter –Forefront Edge: ISA 2006

· Secure remote access - http://www.microsoft.com/forefront/edgesecurity/sra.mspx

· Network protection against Floods & Attacks - http://www.microsoft.com/technet/isa/2006/flood_resiliency.mspx

5. Access the Application securely by Publishing through the Firewall & using appropriate security

· Publish Site using Forefront Edge Internet Application Gateway (IAG) with Application Layer Firewall - http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx

· IAG Secure Remote Access White Papers - http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx

· Use the practice of Least Privilege account access - http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

6. Audit your Firewall, Application and Operating System Logs

· Audit Active Directory - http://support.microsoft.com/kb/814595

· Audit Policy - http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

· Audit ISA - http://www.microsoft.com/technet/isa/2006/security_guide.mspx

7. Use Secure Authentication Mechanisms (IAG can use AD, Kerberos, RADIUS, LDAP etc…)

· IIS Authentication - http://support.microsoft.com/kb/324274

· Kerberos Authentication in Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx

8. Use Host based Antivirus & Antimalware protection on Clients and Servers

· Forefront Client Security - http://www.microsoft.com/forefront/clientsecurity/default.mspx

9. Keep all systems patched with latest Security Patches using Microsoft Update or WSUS

· Microsoft Windows Server Update Services (WSUS) - http://technet.microsoft.com/en-us/wsus/default.aspx

· How to keep your Windows up-to-date - http://support.microsoft.com/kb/311047

· Patch 3^rd party products that are not managed by Microsoft

o Backup Software

o Zip or Compression Utilities

o Antivirus

o IE Plug-ins

o Management Software

o etc….

Note: A System that is Fully Patched with Microsoft Updates can be vulnerable by un-patched vulnerable software with a driver or running with administrator privileges.

10. Remember the CIA Triad of security of Confidentiality, Integrity, and Availability

There are a number of other considerations to consider as well focusing on these 3

· Backups of Server 2003 & SQL 2005 Database

a. http://www.microsoft.com/technet/prodtechnol/sql/2005/bkupssas.mspx

b. http://technet.microsoft.com/en-us/library/aa998799.aspx

c. http://technet.microsoft.com/en-us/library/ms175477.aspx

· Load Balancing & Clustering

a. http://technet2.microsoft.com/WindowsServer/en/Library/1611cae3-5865-4897-a186-7e6ebd8855cb1033.mspx?mfr=true

b. http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2d5977cf-06b7-4d4b-8e8c-ce083ac8a6ee.mspx?mfr=true

· High Availability & Disaster Recovery

a. http://www.microsoft.com/technet/security/guidance/disasterrecovery.mspx

b. http://www.microsoft.com/technet/windowsserver/sharepoint/V2/reskit/c2861881x.mspx

c. http://technet.microsoft.com/en-us/sqlserver/bb331801.aspx

· File Encryption (EFS & BitLocker)

a. http://www.microsoft.com/technet/security/guidance/cryptographyetc/efs.mspx

b. http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx

Note: BitLocker will be available in Windows Server 2008 http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true

· Rights Management Services (RMS)

a. http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

b. http://www.microsoft.com/windowsserver2003/techinfo/overview/rm.mspx

Case Study

The Infrastructure of www.microsoft.com, Microsoft Update, and the Download Center

http://download.microsoft.com/download/6/2/b/62bae197-0d3d-4dbb-913a-acd21c57a2c7/DRJ_MSCom_Design_for_Resilience_FINAL.ppt

Conclusion

These are a few things to consider, but the key is to thinking about Defense in Depth and end-to-end security of the Data, Systems, Network Infrastructure, and Application.

You need to know first how to secure the application, but then you need to know how to identify threats when security is being tested and/or compromised and how to respond to those threats.

Why Social Engineering always works :(

Troy Arwine — Wed, 08 Aug 2007 03:09:00 GMT

What is Social Engineering & why should you care?

Social engineering (security) - a definition from Wikipedia:

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

Basically it’s applied Used Car Sales tactics to the workplace in order to trick people giving out computer passwords and security codes over the phone, by mail or in person.

Kevin Mitnik who was arguably the most infamous hacker in U.S. history wrote a book called “The Art of Deception” in which he exposes the weakness in human security when people are deceived. The book described on Mitnik’s website state: “he [Mitnik] illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent”

It’s really quite easy to bypass security rules, firewalls and policies if a user is authorized to do so as part of their daily job. That’s why we don’t give out passwords. But really all you have to do is ask for a password and people will give it to you if they think you are trying to help them.

How it works: If you want to gain illegal unauthorized access to a computer system, just call up the company in the phone directory, press zero for the operator, and ask for the department of your choice. You then simply ask an employee who answers to give you their user Employee ID, Username and Password using what every angle fits your style. Help Desk & HR are usually often good choices to impersonate.

Why use the phone? It’s easier to conceal our nervous expressions when we lie. We can disguise our voice much easier than we can our countenance. We can do it anonymously without recognition of our true self. And using the phone is much easier than hacking into a network using traditional technological means and methods.

The attacked employee when called will be busy most of the time doing their job and would rather not think about why they are getting a call from you as the supposed Help Desk technician or the local Human Resources Representative, they just want to get back to work. In fact if you like to talk, you can ask about their pets, favorite ball team, and their kids, and see if they don’t open up to you and spill the beans to just about any question you want.

Why? It’s probably because, we naturally trust people on the phone at work. At home we feel someone is always trying to sell us something and are a little more cautious especially with all the news stories on identity theft and phishing scams via email. We have caller block and do not call lists in our house, and we have antivirus, firewall, and phishing filters in our browsers, but there is something magical about a corporate office that gives us a sense of security that our employer screens our calls for us. We don’t feel threatened and we genuinely want to help people in need and especially want to cooperate with those individuals trying to solve a problem for us at work.

So what can you do?

1. ASK QUESTIONS?

If someone phones or appears and asks you for information that you know is confidential company, client or personal information, don’t be afraid to ask them a few questions yourself.

By phone	In Person
Ask for the correct spelling of the caller's name. Ask for a number where you can return the call. Ask why the information is needed. Ask who has authorized the request and let the caller know that you will verify the authorization.	Ask for some identification. Ask who has authorized this request so you may verify the authorization. If you are not authorized to provide that information, offer to locate the correct person. Seek assistance if you are unsure.

Sample questions taken from http://www.nd.gov/itd/security/start/soceng4.htm

2. RECOGNIZE SUSPICIOUS BEHAVIOR

· If you hold a clipboard while talking on a cell phone, people will hold the company doors open for you and let you in almost any building. Remember that Uniforms and Clipboards are cheap.

· Passwords are Personal – Helpdesk should never ask you to give them your password, and if you reset a password with one provided by the helpdesk, change it immediately.

· If you didn’t ask for help – be surprised when someone offers to fix something.

3. RESPOND TO SOCIAL ENGINEERING ATTACKS

Report questionable behavior to Security or Management

Additional Resources:

How to Protect Insiders from Social Engineering Threats (Microsoft)

A Multi-Level Defense Against Social Engineering (SANS)

Other links are available from:

http://www.securityfocus.com/infocus/1527

Online Internet Safety Resources

Troy Arwine — Mon, 30 Jul 2007 08:00:00 GMT

Here are some resources from the Microsoft' Internet Safety Toolkit below to help keep you kids and family safe online:

• StaySafe.org (http://www.staysafe.org) - Educational site intended to help consumers understand both the positive aspects of the Internet as well as how to manage a variety of safety and security issues that exist online

• Be Web Aware (http://www.bewebaware.org) - National, bilingual public education program on Internet safety designed to ensure that young Canadians benefit from the Internet, while being safe and responsible in their online activities

• Safe Kids Worldwide (http://www.safekids.org) - Global network of organizations whose mission is to prevent accidental childhood injury, a leading killer of children 14 and under

• WebSafe Crackerz (http://www.websafecrackerz.com) - Interactive games and puzzles designed to help teenagers and offer strategies for dealing with different situations online including spam, phishing, and scams

• GetNetWise (http://www.getnetwise.org) - Public service offered by a coalition of Internet industry corporations and public interest organizations that want Internet users to be only "one click away" from the resources they need to make informed decisions about their and their family's use of the Internet

• iSafe (http://www.isafe.org) - Worldwide leader in Internet safety education; incorporates classroom curriculum with dynamic community outreach to empower students, teachers, parents, law enforcement, and concerned adults to make the Internet a safer place

• International Centre for Missing & Exploited Children (http://www.icmec.org) – Global agency that promotes the safety and well-being of children through activism, policy development and multinational coordination

• Interpol (http://www.interpol.int) - International police organization that facilitates crossborder police cooperation, and supports and assists all organizations, authorities, and services whose mission is to prevent or combat international crime

• UNICEF (http://www.unicef.org) – Global advocate for the protection of children's rights dedicated to providing long-term humanitarian and developmental assistance to children and parents in developing countries

• ECPAT (http://www.ecpat.net) - Network of organizations and individuals working together to eliminate the commercial sexual exploitation of children

• INHOPE (http://inhope.org) - International association that supports Internet hotlines in their aim to respond to reports of illegal content to make the Internet safer

• Childnet International (http://www.childnet-int.org) - Non-profit organization that works in partnership with others around the world to help make the Internet a great and safe place for children

• SafeKids.com (http://www.safekids.com) – Resources to help families make the Internet and technology fun, safe, and productive

• Net Family News (http://netfamilynews.org) – Non-profit public service providing a forum and "kid-tech news" for parents and educators in more than 50 countries

• Microsoft Security At Home (http://www.microsoft.com/protect) – Information and resources to help the public protect their computers, protect themselves, and protect their families

• Center for Safe and Responsible Internet Use (http://csriu.org) – Organization providing provide outreach services addressing the issues of the safe and responsible use of the Internet Microsoft Internet Safety Toolkit | 21

• WiredSafety (http://www.wiredsafety.org) – Online safety, education, and help group that offers help for online victims of cyber-crime and harassment, assistance to law enforcement worldwide on preventing and investigating cyber-crimes, and information on all aspects of online safety, privacy and security.

• National Council for Motherhood and Childhood (http://www.nccm.org.eg) – Egyptian organization dedicated to supporting childhood and motherhood from a rights-based approach

• NetAlert Limited (http://netalert.net.au) – Non-profit community organization established by the Australian government

In addition to these education resources above, I have also provided a list of Family Protection Software reviewed on:

http://www.filterguide.com/ratings.htm

Best Parental Control Software Review - "Editor's Choice"

http://www.filterguide.com/ratings.htm

Safe Eyes InternetSafety.com	Parental Control – SafeEyes Platinum content filter and parental control filter monitoring software will allow you to block porn, popups and more. *"Editor's Choice"*
NetNanny NetNanny.com	Content Filtering – Net Nanny internet filtering software was produced to filter, stop, and monitor internet porn sites. *"Editor's Choice"*
ContentPrtoect ContentWatch.com	Content Filtering – ContentPrtotect is now combined with the Net Nanny web filter and is listed as one of our top filters. *"Editor's Choice"*
BSafeOnline BSafeHome.com	Parental Control Software – Use the BsafeHome parental controls for internet blocking of porn and sits that are objectionable. *"Editor's Choice"*
Cybersitter CyberSitter.com	Cybersitter content filter software stops profanity, sex, nudity and pornography internet web sites from your computer.
Actmon ActMon.com	Internet Blocking Software – Act Mon Computer Control internet filtering software will keep an eye on and filter computer and PC workstations.
CyberPatrol CyberPatrol.com	Internet Filter Software Review – CyberPatrol 7 will watch who is permitted admittance to the internet, and filter everyplace those users surf on the internet.
Guardian Monitor GuardianSoftware.com	Internet Filters Software – Guardian Monitor monitors Peer to Peer, instant messaging, chat rooms, emails and websites.
ChildwebGuardian ChildWebGuardian.com	Internet Parental Software – Childwebguardian blocks profanity, sex, nudity, violence, adult websites, pornography, and more.
ComputerCop ComputerCop.com	Parental Controls Filters – ComputerCOP scans and views a computer, allowing parents a easy way to locate if the computer system has been incorrectly used.
SOS KidProof	Parental Control Internet Filter – SOS KidProof is the most far-reaching, well-featured software program offered for protecting and viewing your children’s website activity.

While I cannot guarantee the reliability of these 3^rd party sites and services, I do hope these resources are a helpful start in educating yourself and others about online cyber threats and responsible ways to deal with those threats.

Espionage & Counter Intelligence for the "Average Joe"

Troy Arwine — Thu, 19 Jul 2007 22:21:00 GMT

Today in the news there was a story of a major security breach where nuclear secrets were stolen from Oak Ridge National Laboratory. A contract employee allegedly obtained highly classified information on uranium enrichment to be sold to a foreign country. See the news article on MSNBC: National lab worker accused of stealing secrets. It’s a stark reminder again that information is both valuable and important, and people who want said information and are willing to sacrifice and go to great extents to obtain it.

It reminded me that I recently had the opportunity to attend the “Five Pillars of Executive Leadership in a Non Secure World Conference” in Research Triangle Park, NC sponsored by the North Carolina Technology Association (NCTA). The conference focused on corporate security as a business ethic, and was discussed in light of potential criminal & terrorist attacks against U.S. citizens.

The 5 pillars referenced in the seminar’s name were:

1. Protecting People

2. Physical Security

3. Intellectual Property Protection

4. Cyber Security

5. Business Continuity Planning

The conference which targeted business leaders addressed identity theft, terrorism and natural disasters, but what I was most intrigued by was threat of Industrial Espionage especially when travelling and Counter Intelligence efforts that can be conducted by everyday Average Joe’s carrying laptops & cell phones. It suddenly occurred to me: I am that “Average Joe” and so are you!!!

Definitions: from Wikipedia

Counter Intelligence – Efforts designed to prevent enemy intelligence organizations & competitors from successfully gathering and collecting intelligence.

Espionage – The practice of obtaining information about an organization that is considered secret or confidential without the permission of the holder of the information.

What can we do?

Armed with just a little bit of knowledge, we can stay alert and use security best practice when travelling to minimize risk to our physical safety and the intellectual property stored digitally in our bags and pockets. We need to take responsibility to protect ourselves, our businesses & effectively the U.S. government from losing sensitive information or secrets including intellectual property, financials, or secret formulas that would give competitors a competitive business or military advantage.

Some examples of Espionage:

• A foreign airport official confiscates your corporate laptop to “Check it” – after duplicating your drive, it is returned to you apparently undamaged.

• Your cell phone is used as a bug to eavesdrop on your “private” business conversation

• A foreign government gives or sells your business data to your foreign competitor.

• A contract worker at a nuclear lab obtains classified secrets with intent to sell them.

Some useful travel tips:

1. Never let a laptop out of your sight in an airport & use encrypted drives (i.e. BitLocker Drive Encryption) so that only a piece of hardware, but no data is stolen with the computer.

2. Never, ever, check your laptop (or other valuables) with your luggage.

3. Assume any conversation on phones to be public & do not disclose business confidential data on phones in foreign country

4. Assume any Internet activity to be public, so be sure to encrypt any communication that need to be private. For example do not send sensitive work-related e-mail from a public hotspot.

5. When overseas, contact the U.S. Embassy and let them know where you are staying & when traveling away from your hotel.

6. Stay in hotel floors between 2^nd and 6^th floors. Avoid first floor rooms especially if it faces a parking lot as theft is most convenient for criminals to easily reach. Avoid rooms above the 6^th floor as many fire departments are unable to reach rooms higher than 6^th floor with a ladder.

7. In regions highly susceptible to terrorism, you may want to consider using a local hotel instead of a mainstream hotel chains that may be targeted simply because of its affiliation with a country.

8. Never leave valuables in a hotel with business sensitive information. If you use a room safe, it may protect against a curious maid, but will not keep out trained professionals who want your data.

9. Don’t leave passwords or dial-in remote access numbers attached to labels on your computer or in your laptop case

10. Espionage is theft of information not hardware, so someone may just want a copy of your drive. The airport official may bring your laptop back and nothing may be missing from your room when you noticed it looks like someone had been in your stuff – but that doesn’t mean nothing was taken.

Further Reading & Useful Travel Safety Links:

http://travel.state.gov

http://www.state.gov/travelandbusiness

“Theft While Traveling” on the U.S. Department of Energy website

Industrial Espionage ‘Real and out there’ – by Will Smale – BBC News

You don't have to be a Rocket Scientist to stay safe online.

Troy Arwine — Wed, 18 Jul 2007 00:03:00 GMT

Simply following a few basic safety tips can minimize your risk of being hacked; having your identity stolen; or accidently exposing your children to adult content on the Web.

How? Take the time to understand the threats and how to respond to them. Realize that the Internet is a dangerous place with people you have never met who want your stuff, time, money, kids affection & ideas. There is lots of good stuff online, but we need to responsible, educated & wise in cyberspace as we are in the real world.

If I've heard it once, I've heard it a dozen times: "I don't really have anything important on my computer" - That's simply not true! It's like leaving the keys in your car ignition with the windows rolled down. The thief is likely to use your auto as a getaway car in a bank robbery.

Do you bank online? Your passwords can be stolen!

Do you send email to friends & family? Your addresses can be harvested for spam!

Do you have family photos? Your pictures can be posted online for strangers to view!

Almost any data can be exploited or sold, and even if you really have nothing but an empty PC connected to the Internet, it's important to the bad guys who can use it as a Botnet weapon of mass disruption (a zombie as it were) without your permission or knowledge. Your compromised machine can be used to attack innocent victims & the FBI will track the attack to your house, not the attacker’s.

In fact many of the problems with cyberthreats to families are not the result of a sophisticated hacker attack or advanced targeted viruses. They are the result of home users not taking the time to follow basic online safety rules that can protect their family.

What can you do?

1. Understand the 10 Immutable Laws of Security:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Law #10: Technology is not a panacea

2. Discover more safety information online:

Read the FBI's: "A Parent's Guide to Internet Safety"

http://www.fbi.gov/publications/pguide/pguidee.htm

Visit Microsoft's "Protect Your Family" site:

http://www.microsoft.com/protect/family/default.mspx

Review online safety tips from StaySafe.org:

http://staysafe.org

4. Use Parental Controls & Internet filters to protect your kids from potentially harmful or unwanted Internet content.

-Use built-in Windows Vista Parental Controls

-Use 3rd party filters such as InternetSafety.com, CyberPatrol.com or NetNanny

5. Don't talk to strangers or give out personally identifiable information to anyone you don't trust:

-Parents often teach their kids to not talk to strangers in real life, and cyberspace should be no different!

7. Patch! Patch! Patch! Microsoft makes it easy to keep security patches up-to-date with Automatic Updates, WSUS or Microsoft Updates

-But don't forget to keep all your 3rd party applications, antivirus and backup software up-to-date as well

-An un-patched app gives the bad guys an open door into your computer regardless of you antivirus solution or Windows updates.

8. Backup your important files on a regular basis and keep those files in a separate location than your computer (in the car, at work etc...)

-You can burn important files to CD, use the built-in backup software, 3rd party backup software or use an online file service that you trust.

-Windows Live Folders lets you have password protected storage on the Internet that you can secure or share with others.

-Check it out - it’s FREE! - http://folders.live.com/

9. Keep your antivirus signatures up-to-date.

-but don't expect antivirus to protect you if you don't follow these other recommendations

10. Don't click on e-mail attachments even from people you trust until you verify that the attachment is trustworthy and the user meant to send it.

-Remember though, just because your friend clicked on the "Flying Pig" and laughed doesn't mean they were not secretly infected with a virus.

-Verify the source of the attachment - where did they get it? If you don't know the original source or author, please be careful.

Many of these processes are automatic and easy, or can be with a little time invested up-front, but the return on investment is peace of mind.

Be responsible & take the time to protect your family & stay safe online!