Steve Riley on Security

Blog relocated again

TechNet Archive — Thu, 20 Aug 2009 01:02:00 GMT

Just a quick update, to make sure everyone knows. I've moved my blog from MSInfluentials to WordPress.com. Please update your aggregators/bookmarks/favorites to http://stvrly.wordpress.com. I've posted the reasoning for my move, as well as a description of my personal foray into the cloud, over there.

Good bye, and good luck

TechNet Archive — Wed, 06 May 2009 23:11:56 GMT

Friends, as a part of Microsoft’s second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended. While there were many rewards that came from my job, the most satisfying element was knowing that our time spent together helped improve everyone—whether at conferences or through this blog, I’ve learned as much from you as you’ve learned from me. Sharing information, debating positions, and doing the right work for the right reasons are all very important and I’m honored and humbled to have been trusted by so many of you.

I’m certainly not disappearing. While I won’t be at TechEd North America this year (yes, I’m truly sad about that), I’ll remain involved in the security industry. You can find me on LinkedIn at http://www.linkedin.com/in/steverileysea. And I’ve got a new blog at http://msinfluentials.com/blogs/steveriley/default.aspx, where I promise I’ll start writing more. Please check in there for updates, and I’ll be sure to let you all know where I land next.

If you know the Conficker dude, we've got a prize for you

TechNet Archive — Fri, 13 Feb 2009 20:39:00 GMT

Yesterday (12 February 2009) Microsoft announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”

As cyberthreats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker.

Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

“The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together,” said Greg Rattray, chief Internet security advisor at ICANN. “ICANN represents a community that’s all about coordinating those kinds of efforts to keep the Internet globally secure and stable.”

“Microsoft’s approach combines technology innovation and effective cross-sector partnerships to help protect people from cybercriminals,” Stathakopoulos said. “We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable.”

More information about how to protect yourself from Conficker can be found at http://www.microsoft.com/conficker. Customers interested in learning more about staying safe online can visit http://www.microsoft.com/protect.

Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

Today’s spam

TechNet Archive — Wed, 21 Jan 2009 21:13:31 GMT

Here’s what’s in my junk mail folder today:

What is up with all that? Apparently I sent a payment to myself, I initiated another payment to myself, I am a user of myself who’s received exclusive offers for January, and I received a payment from myself. Wow! Furthermore, an internal discussion group (IPv6) is apparently engaging in a PayPal transaction, and M & T Bank’s mailer needs to make doubly sure that I realize I’m receiving a new message.

I don’t know where to direct my ire—at the spammers who litter the Internet with their spew or at the people who still get duped by it. Spam would wither away if everyone just ignored it. But I guess enough people are lured by cheap mortgages for their penis extensions that the spammers rake in enough money to cover their costs…so sad.

Attacks against integrity

TechNet Archive — Wed, 21 Jan 2009 07:28:58 GMT

I’ve been mentioning this frequently during my talks in the last 12 months: that accidental or malicious data modification is yet something else we need to defend against. Richard Bejtlich wrote last year about attack progressions, and this year summarized an accidental integrity error that created minor havoc at Veteran’s Affairs health centers. Richard’s progression nicely matches our beloved friend, the infosec triad:

First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid 1990's and monetized later via extortion.
Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990's and monetized as personally identifiable information and accounts for sale in the underground.
Now they are coming to make a difference... These are attacks on integrity, executed by degrading information starting at the beginning of this decade. These attacks will manifest as changes to trusted data such that those alterations benefit the party making the change. This sort of attack undermines the trustworthiness of data.

Alas, his concluding sentence is all too true:

If we think it's tough to maintain availability and confidentiality, wait until we security people are tasked with validating the integrity of data. It will happen after a celebrity dies or a group of "normal people" do, unfortunately en masse.

Get ready to start adding integrity protection to your data and incorporating integrity protection in your applications. Also: start making noise yourself, and let your vendors know this will eventually become a business requirement for you. Please, let’s not give the folks at the Privacy Rights Clearinghouse another category to track!

I want a Model 22 HDD Hard Drive Disintegrator

TechNet Archive — Wed, 21 Jan 2009 00:43:40 GMT

Here at Microsoft we have an active internal discussion group where most security-minded folk hang out. The topic of data destruction came up recently, it’s actually a lot more difficult than most people think. CIPHER /W and SDELETE do a reasonable job, but they aren’t perfect: the paper One big file is not enough: a critical evaluation of the dominant free-space sanitization technique dives into some interesting detail. Frequently people talk about DoD (U.S. Department of Defense) compliance, but seven wipes really aren’t necessary, according to Secure deletion: a single overwrite will do it. I’ve always thought the notion that bits will somehow “soak” down into the disk and could be recovered by “shaving off” the disk’s top layer is silly—probably invented by the folks who want to sell you secure wipe utilities. If that were really true, then it would be a fairly simple operation to “wash” away encryption, no?

For thorough data destruction, I’ve been a fan of shotgun washing. But for those without shotguns at the office, a company called Security Engineered Machinery has introduced the Model 22 HDD Hard Drive Disintegrator.

This system is built specifically to destroy hard disk drives. Load up to 10 drives on to the automatically indexing conveyor and in 30 minutes you'll have nothing but a pile of metal chips. The unit comes as a complete system, including sound-dampening enclosure and HEPA vacuum to remove airborne contaminants. The disintegrator's rotating knives transform the drives into unreconstructable fragments, leaving all data unrecoverable. the bin is made of aluminum, to prevent magnetic pieces from sticking to it

Watch the video, it’s pretty cool. I love the narrator’s dead-pan delivery, but the resemblance to the Illudium Q-36 Explosive Space Modulator really made me chuckle. They should do a marketing tie-in with Marvin the Martian.

“Oh, recoverable data makes me very angry. Very angry indeed!” (h/t Scott Culp for the quote.)

Speaking of washers and aluminum, my six-year-old Frigidaire front-load clothes washer started making a loud thumping sound during the spin cycle. So I did a little bit of searching and found out that this particular unit, a popular model made by Electrolux and sold under the Frigidaire, Kenmore, and General Electric brands, was apparently designed by someone who lacked a high school understanding of chemistry. An aluminum spider arm is connected to the stainless steel inner basket, which of course gets wet during use. What happens when you apply water to the interface of aluminum and steel? Galvanic action! The aluminum disintegrates. Some owners have posted videos of their washers here and here.

I’ll attempt the $300 three-hour repair, and I’ll paint the new spider arm with some primer and anti-rust paint. Or maybe I’ll convert it into my very own Illudium Q-22 HDD Explosive Hard Drive Disintegrator.

Questions about virtualization and security?

TechNet Archive — Fri, 09 Jan 2009 20:46:50 GMT

Yesterday, Donnie Hamlett, a Microsoft core infrastructure optimization specialist, gave a webcast and played a video of my TechEd presentation on virtualization and security. Some of the viewers had questions, and I offered to Donnie that they could come to my blog to post them. I’ll extend that offer to all of my readers—if you’ve got a question about this topic, ask away, and I’ll answer here. Thanks!

Poll: do you use scheduled scans for malware?

TechNet Archive — Mon, 05 Jan 2009 23:03:59 GMT

An interesting comment recently appeared on my older post about whether or not to use antimalware software. Peter van Dam wondered whether scheduled scans are really necessary, given that anti-malware products scan files as they enter (and sometimes exit) a computer.

He raises a good point, and I’m curious what all of you think? Do you use scheduled scans? If so, why? If not, is it because you’ve decided the same as Peter?

Updated Microsoft Security Assessment Tool

TechNet Archive — Tue, 02 Dec 2008 07:13:03 GMT

Greetings. In case you haven’t already read about it, we recently updated the Microsoft Security Assessment Tool (MSAT). Version 4.0 hit the web on 31 October. It’s been four years since the initial release, and two years since the prior version. Between then and now your security world has evolved a lot, and the tool now reflects that.

Download now: http://www.microsoft.com/downloads/details.aspx?FamilyId=CD057D9D-86B9-4E35-9733-7ACB0B2A3CA1&displaylang=en

Take a few moments and give yourself a security checkup. If you have any comments or feedback on the tool, feel free to leave them here on my blog—I’ll make sure the right people see it.

Update: got an email from someone with two questions:

When you install the tool, the UAC dialog shows “Microsoft Corporation (Internal Use Only).” This is the CA that signed the tool, and it’s an internal CA—thus the “internal use only” bit.
The tool fails to run on Vista x64. This is a known issue, we’re working to fix it.

From the download page:

The MSAT employs a holistic approach to measuring your security posture by covering topics across people, process, and technology. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance. These resources may assist you in keeping you aware of specific tools and methods that can help change the security posture of your IT environment.

There are two assessments that define the Microsoft Security Assessment Tool:

Business Risk Profile Assessment
Defense in Depth Assessment (UPDATED)

The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.

After completing an Assessment, you will gain access to a detailed report of your results. You may also compare your results with those of your peers (by industry and company size), provided that you upload your results anonymously to the secure MSAT Web server. When you upload your data the application will simultaneously retrieve the most recent data available. To be able to provide this comparative data, we need customers such as you to upload their information. All information is kept strictly confidential and no personally identifiable information whatsoever will be sent.

Reading list from “How IT will change in the next 10 years”

TechNet Archive — Mon, 24 Nov 2008 22:39:10 GMT

At Windows Connections two weeks ago, during my keynote speech “How IT will change in the next 10 years and why you should care,” I mentioned several books worth reading. Many of you have asked for the list; here it is:

The Cathedral and the Bazaar by Eric S. Raymond
The Wisdom of Crowds by James Surowiecki
We Are Smarter Than Me by Barry Libert, Jon Spector, Don Tapscott
The World Is Flat by Thomas L. Friedman
The Innovator's Dilemma by Clayton M. Christensen
The Long Tail by Chris Anderson
The Speed of Trust by Stephen M. R. Covey
What Got You Here Won't Get You There by Marshall Goldsmith
Outsourced (the movie)

Also remember that I mildly panned Digital Economy by Harbhajan Kehal and Varinder P. Singh; my assertion was that the next 10 years will bring about a social economy instead, one that includes the digital natives you’ll all be hiring and selling to now or very soon. They’re the ones who are building it, so you might as well adapt.

Comments, administrivia, and the future of the “infosec professional”

TechNet Archive — Thu, 16 Oct 2008 01:29:13 GMT

Back when the spam was spiraling out of control, I configured my blog to close comments after 90 days. I’ve removed the limitation now, for two reasons: the spam is under control, and I wanted to reply to a comment made to my post on IPsec/IPv6 direct connect.

On 13 August, jcorey asked about how to deal with those who firmly believe that the only answer to any security problem is to inspect everything at the edge. This is an important question, and I wanted to give Joe an answer. (You might have to scroll down when you click the previous link, it seems that linking to individual comments is broken.)

Today, 15 October, I wrote a little thesis as an answer to his question. I’m calling it out in a separate post because I want to make sure those of you with aggregators that don’t update when posts receive new comments still have a chance to reply with your thoughts. I’ll also repost it here:

jcorey-- You've nailed the biggest obstacle to deploying something like direct connect. Many security professionals have been taught that there simply is, and never will be, a process or technology that allows you to trust anything that originates from outside your corpnet. These professionals cling to this belief, and have been the cause that allowed the whole “detection” market to bloom.

Let me be clear: this total lack of trustworthiness is no longer absolutely true. Of course there will be times when unknown machines will be used by known and unknown people to access your information. But what about one particular subset -- known humans, with known portable computers -- can't we do something better than treat them as toxic invaders?

Indeed we can. And that's what I'm proposing with direct connect. The technology -- managed, of course, with the right processes -- exists so that you can extend the trust to known computers even though you don't trust the network they're connected to. This is because you have mechanisms that:

1. Allow you to configure the machine according to your requirements (domain join, group policy)

2. Dictate computer and user authentication requirements (IPsec policies, smart cards)

3. Limit what the users of these machines can do (UAC, non-admin, Forefront Client Security, Windows Firewall, even software restriction policies)

4. Validate the health of machines initiating incoming connections and remediate if necessary (NAP, System Center Configuration Manager)

5. Limit the threat of attacks against stolen computers (domain logon, smart cards, BitLocker with TPM)

With the robust authentication, validation, configuration, and control mechanisms available to you, I simply don't see that there's any need to fall back to “detection” now. Detection technologies were -- and remain -- necessary for the times when we have no clue about the health of client computers and when we had no way to gauge the intent of the users. But it is truly reflective of a head-in-the-sand mentality to assume that this is a complete description of what's capable today.

You know, someone once asked me what it takes to be a security professional. I answered that there are two primary elements: become a networking/packet wonk, and be willing to change your opinions when the right evidence comes along. Indeed, I suspect that many security folk have forgotten the need to keep their wonikness updated, which in turn makes them resist new ideas regardless of the strength of the evidence. I'm not very proud of what I just wrote, because I loathe generalities, but I'm not sure what else to think here. Sigh.

Joe’s question is important and strikes at the foundation of what it means to be a security professional today. I’m eager to continue this conversation, because it’s reflective of what I sense to be a radical shift in our jobs—we are, or should be, no longer the wolf-crying propeller-head who sits in the basement and twiddles with the firewall. Instead, our job should be defined as one who’s charged with protecting the organization’s information from attack, while maximizing its utility to authorized users, according to the principles of least privilege. Your thoughts?

Ethernet and WiFi and Bluetooth, oh my!

TechNet Archive — Thu, 16 Oct 2008 00:16:48 GMT

Customers have long requested a way to configure a computer to automatically disable its wireless NIC when its Ethernet is in use. Many third-party utilities can do this for you, but neither XP nor Vista have a built-in way to accomplish this, nor will Windows 7. Although having both NICs enabled first appears to cause a security issue, in reality that would be true only if both of the following were also true:

The user is logged on as a local administrator
The user, or some code the user runs, enables IP routing

By default, all forms of IP routing (including NIC bridging) are disabled. Only local administrators (or group policy) can enable them. So the risk, actually, is minimal.

If you have a stroll through group policy, you'll discover this setting: "Prohibit installation and configuration of Network Bridge on your DNS domain network" (more here, here). This setting allows you turn a computer into a router that bridges two networks. The bridging works only when one of the interfaces is in the same DNS namespace it was in when the bridge setting was enabled, and it works only when the Windows firewall is disabled on both interfaces (never a good idea). Additionally, regardless of the group policy setting, the function doesn’t even appear as an option when the user is logged in as a non-admin. The group policy setting simply removes the option from people who are local admins of their computers. So here's a way you can remove the ability even for local admins to enable routing.

However, let me admit that I wish we did have a way to implement your request, but for an entirely different reason: IP address preservation. Consider what happens when I'm on my own corpnet in my office. I put my laptop in its dock, which is connected to the Ethernet. I never bother disabling my wireless (I'm lazy). So whenever I'm in my office I'm taking up two IP addresses: one on the Ethernet and one on the wireless. Such wasteful profligacy, I know! (Note this isn’t a problem for any Bluetooth adapter, which always uses APIPA in its default configuration; I can’t imagine a scenario where you’d want Bluetooth to use DHCP.)

If you agree with me that this is something we should address post Windows 7, not for "security" reasons but as a good general networking practice of being conservative with address allocation, please speak up. Now's the time for your input.

Passgen tool from my book

TechNet Archive — Mon, 29 Sep 2008 23:42:29 GMT

Way back in 2005, Jesper Johannson and I wrote Protect Your Windows Network. It’s still available, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the practical advice about security policies, social engineering, security dependencies, and how to think about security remains relevant. That’s because we strove to write something more lasting than a simple configuration guide.

On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

For a while Jesper maintained a web site for the book, running on a server in his house. His ISP changed policies and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my SkyDrive—look in the “Passgen” folder.

Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.

Update. A few readers have informed me that the SHA-1 hash printed in the README.DOC doesn’t match the actual hash of passgen.exe. Jesper made a few changes and recompiled the tool. The correct hash is now:

fa19722348e9e0603f24c0ef9fc715010403bcfa

I’ve updated the README file with the new hash. Also, passgen.exe has a digital signature, and you can check its details if you’d like.

Sao Paulo, here I come

TechNet Archive — Mon, 29 Sep 2008 20:31:02 GMT

I have a new TechEd destination this year: Brazil. It’ll be my first time to speak at our event there; indeed, even my first time to travel to South America. I’m looking forward to it.

The event runs during 14-16 October 2008. I’m delivering the same four presentations I gave at TechEd US (and have used at most other TechEds around the world, too):

Do these ten things now or else get 0wn3d!
Virtualization and security: what does it mean for me?
Privacy: the why, the what, and the how
21st century networking: throw away your medieval gateways

That’s gonna be a crazy week, because I’ll have been in Hong Kong for TechEd there the week prior. I get home from Hong Kong on Saturday, spend the night in Seattle, then on Sunday fly down to Sao Paulo! Oh well, I still love my job :)

If you’re headed to TechEd Brazil, be sure to introduce yourself to me after one of my talks. See you soon!

Internet Explorer security levels compared

TechNet Archive — Wed, 17 Sep 2008 03:19:36 GMT

A pretty good question came across the newsgroups the other day. Someone was asking what are the differences between IE's "medium" and "medium-high" security settings. I did some digging, and found only this on MSDN: About URL security zone templates. No wonder it's difficult to find -- the terminology is different, and the table is organized by URL actions, not by the text in the dialog.

Someone on the IE security team forwarded me a document that had additional details. So here, for your enjoyment, is a chart listing the default settings for each security level. To answer the newsgroup poster, "medium" and "medium-high" aren't the same.

About the formatting: to get it to fit within the width of the blog's text section, I've made some abbreviations.

Column headings

Entries

H	High	D	Disable
MH	Medium-high	E	Enable
M	Medium	P	Prompt
ML	Medium-low
L	Low

In a few cases, the table shows a number rather than D or E or P; below the table is a description of each such entry.

At the very bottom of this post I've included the settings from the privacy tab, too.

Note: these settings reflect those for Internet Explorer 7 on Vista SP1. Please see the MDSN link above for differences between IE 6 and IE 7.

.NET Framework

	H	MH	M	ML	L
Loose XAML	D	E	E	E	E
XAML browser applications	D	E	E	E	E
XPS documents	D	E	E	E	E

.NET Framework-reliant components

	H	MH	M	ML	L
Permissions for components with manifests	D	1	1	1	1
Run components not signed with Authenticode	D	E	E	E	E
Run components signed with Authenticode	D	E	E	E	E

1 = High safety

ActiveX controls and plug-ins

	H	MH	M	ML	L
Allow previously unused ActiveX controls to run without prompt	D	D	E	E	E
Allow scriptlets	D	D	D	E	E
Automatic prompting for ActiveX controls	D	D	D	E	E
Binary and script behaviors	D	E	E	E	E
Display video and animation on a Web page that doesn't use an external media player	D	D	D	D	D
Download signed ActiveX controls	D	P	P	P	E
Download unsigned ActiveX controls	D	D	D	D	P
Initialize and script ActiveX controls not marked as safe for scripting	D	D	D	D	P
Run ActiveX controls and plug-ins	D	E	E	E	E
Script ActiveX controls marked as safe for scripting	D	E	E	E	E

Downloads

	H	MH	M	ML	L
Automatic prompting for file downloads	D	E	E	E	E
File download	D	E	E	E	E
Font download	P	E	E	E	E

Enable .NET Framework setup

	H	MH	M	ML	L
Enable .NET Framework setup	D	E	E	E	E

Miscellaneous

	H	MH	M	ML	L
Access data sources across domains	D	D	D	P	E
Allow META REFRESH	D	E	E	E	E
Allow scripting of Internet Explorer Web browser control	D	D	D	E	E
Allow script-initiated windows without size or position constraints	D	D	D	E	E
Allow web pages to use restricted protocols for active content	D	P	P	P	P
Allow web sites to open windows without address or status bars	D	D	D	E	E
Display mixed content	P	P	P	P	P
Don't prompt for client certificate selection when no certificates or only one certificate exists	D	D	D	E	E
Drag and drop or copy and paste files	P	E	E	E	E
Include local directory path when uploading files to a server	D	E	E	E	E
Installation of desktop items	D	P	P	P	E
Launching applications and unsafe files	D	P	P	E	E
Launching programs and files in an IFRAME	D	P	P	P	E
Navigate sub-frames across different domains	D	D	D	E	E
Open files based on content, not file extension	D	E	E	E	E
Software channel permissions	1	2	2	2	3
Submit non-encrypted form data	P	E	E	E	E
Use phishing filter	E	E	E	D	D
Use pop-up blocker	E	E	E	D	D
Userdata persistence	D	E	E	E	E
Web sites in less privileged content zone can navigate into this zone	D	E	E	E	P

     1 = Prohibit downloads from software update channels
     2 = Cache content downloaded from software update channels
     3 = Automatically install software updates

Scripting

	H	MH	M	ML	L
Active scripting	D	E	E	E	E
Allow programmatic clipboard access	D	P	P	P	E
Allow status bar updates via script	D	D	D	E	E
Allow Web sites to prompt for information using scripted windows	D	D	E	E	E
Scripting of Java applets	D	E	E	E	E

User authentication

	H	MH	M	ML	L
Logon	1	2	2	2	3

     1 = Prompt the user for name and password
     2 = Automatic logon only in intranet zone
     3 = Automatic logon with current user name and password

Privacy settings (on the "Privacy" tab)

	H	MH	M	ML	L
Allow persistent cookies	D	E	E	E	E
Allow per-session cookies	D	E	E	E	E
Allow third-party persistent cookies	D	P	P	E	E
Allow third-party session cookies	D	E	E	E	E

The opt-out from hell

TechNet Archive — Tue, 16 Sep 2008 22:22:03 GMT

One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after my griping).

Note that if I want to opt out of further communications, I have to do two separate things -- which actually becomes three things.

First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of my trustworthy readers would attempt to re-subscribe me, right...? <g>
But that isn't enough -- I also have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link did embed my email?
Then after submitting it, another page pops up telling me that I'll soon receive an email with additional instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my "permissions have successfully been set. Thank you."

A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. Go away.

Spam, my friends, is only going to get worse. It was so easy to ban junk faxes in 1991. But even those regulations were weakened in 2005. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking!

Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)
by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft
SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700
Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by
mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id
8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700
Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])    by
mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2    for
<steriley@microsoft.com>; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)
X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)
X-Spam-TCS-SCL: 4:0
Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16
Sep 2008 18:27:47 +0000 (UCT)
Received: from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])
    by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071    for
<steriley@microsoft.com>; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;
Message-ID: <a818b044.724694.236c8ee748f7dd97.1.n.4.2971370188@pp.techtargetmail.com>
Date: Tue, 16 Sep 2008 14:27:47 -0400
thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4
Reply-To: Avaya <a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com>
From: Avaya <Avaya@pp.techtargetmail.com>
To: Steve Riley <steriley@microsoft.com>
Subject: 7 Tips to Ensure Readiness for UC Deployment
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com
X-MS-Exchange-Organization-PRD: pp.techtargetmail.com
Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain
of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)
receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;
client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-SenderIdResult: PASS

The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.
____________________________________________________________

How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now.

Click here to learn more: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

"If you do not wish to receive future promotions directly from Avaya please forward this e-mail to {link removed} ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated."
____________________________________________________________

Please do not reply to this email. To unsubscribe from all future third party offers from all TechTarget properties, simply click here: {link removed}

TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494

Blamestorming

TechNet Archive — Fri, 12 Sep 2008 09:03:42 GMT

So, let's recap the sequence of events:

The Sun-Sentinel newspaper in Fort Lauderdale accidentally republishes a six-year-old news story about the bankruptcy of UAL. It wasn't on the home page, but instead buried somewhere inside the web site.
Google's news crawler (an automated thing, remember) finds the story and incorporates it as part of its news feed.
Investors see the story, and immediately react. When UAL's stock plunged 76% to a low of $3, Nasdaq shut down trading. Eventually trading resumed, and the stock closed at just under $11, losing about 11%.
United blamed Tribune Company (the owner of the Sun-Sentinel) for "irresponsibly" changing the date on the story and demanded a retraction.
Tribune Company blamed Google, claiming they've had issues with Google's crawler "for months."

Who will blame be shifted to next?

Look -- if people haven't realized by now that the Internet pretty much lacks a delete function, then (IMNSHO) it becomes the requirement of each and every one of us to pay close attention to what we're reading, to use our own big brains and fine-tuned bullshit detectors to suss out whether something makes sense.

Since this is my blog, I'm going to parcel out blame the way I see it:

United: 0%. If the concept of "negative blame" made any sense, then I'd actually write −∞ (that's a negative infinity, in case your character set is different than mine).
Google: 5%. How can an automated crawler know that a newly-dated story isn't really new? Well, those folks over there at Google are smart. Certainly it shouldn't be that difficult to compare a "new" article against existing ones. Content hashes won't work as a comparison tool, because the date would be included in the hash computation, thus making the hashes different anyway. Full-text comparisons? Sure, it would take a lot of horsepower. Perhaps not every "new" story needs comparison, but at least the crawler could submit to the comparator any stories that ought to be verified (say those with the word "bankruptcy" in them).
Tribune Company: 30%. Hey guys, you changed the date on the article. Don't go blaming someone else for your screw-up.
Investors: 65%. If you're using an automated news aggregator (remember, an aggregator is not a source of news) to make major financial decisions -- decisions that affect the livelihoods of thousands (maybe millions) of people -- well, you're a moron. You should know that incorrect information can be just as instantly available as correct information. Verify potentially damaging claims before engaging in reckless behavior.

What's this got to do with security? I don't know, maybe nothing directly related. But it certainly raises the question -- what if someone intentionally wanted to cause nearly permanent damage to a person or a corporation? Malicious content, disguised as "news," certainly seems to have become a potentially successful attack vector this week.

Worried about a social engineering attack on a massive scale? I suspect that what happened Monday (8 September) was the largest social engineering attack in history -- although I wouldn't classify it as intentionally malicious. Just you wait until the idea spreads.

Who is "dodacrazy" and what is a "montize buddy"?

TechNet Archive — Fri, 12 Sep 2008 01:53:55 GMT

Check this out:

http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377

Hey Steve you and your montize buddy Scott will soon have your hands full after the federal officers come down on your data scams and as for your educational acts i'm not buying it and if others are willing to trade your data for their profits guess there are fools born everyday tunnels oh I see drug dealers right Stevo

Normally I delete spam from my comments, and have occasionally deleted mindless ranting criticism (I encourage vigorous discussion of ideas, but won't allow personal attacks). However, this guy's comment is just...weird.

What's a "montize buddy Scott"? I know lots of Scotts, and once even admired a particular "Montgomery Scot." But "montize"? Maybe it's a new kind of malt.
I don't believe I'm perpetuating any data scams, none that I know of, anyway. If any of you, my readers, feel that I'm scamming your data, I guess I haven't concealed that fact well enough. Oops, sorry! We'll have to add another item to the constantly-growing list of data breaches.
While it's true that some of my conference appearances aren't free, no one is certainly forced to buy any of my "educational acts." A lot of my presentations you can download for free!
I never look in tunnels for my supplies, they're too dark and you can never be totally certain of what you're getting.

Thanks, dodacrazy, for a good Thursday morning laugh!

TechEd 2009: Never too early to start planning

TechNet Archive — Mon, 25 Aug 2008 21:25:45 GMT

What's on your mind? What do you want to learn more about? Tell me, tell me...

Oh, and for 2009 I plan to stay at TechEd US for both weeks. I want to start spending more time with developers -- they need some security love too :)

[OT rant] Are there any home WiFi routers that DON'T SUCK?

TechNet Archive — Sat, 23 Aug 2008 03:12:38 GMT

Warning: rant ahead, and names named.

When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood -- the existence of which is sad commentary on the availability and reliability of Seattle's public transit companies).

This means, of course, that I need fast and stable network connections. Comcast with their PowerBoost is working very well for me. But I just can't find a decent wireless router at all. My Lenovo T61p (with Intel 4965abgn adapter) just won't stay connected to my D-Link DIR-628 and IT'S DRIVING ME CRAZY! (Yes, I've tried various driver versions, from both Lenovo and Intel.)

My house is in an area with a lot of wireless activity -- sometimes I can see nine or ten SSIDs. I'm running draft N on 2.4GHz (which occupies two non-adjacent channels, currently 1 and 4), and I suspect the problem is collision interference. I could shift the router to 5.2GHz, which I probably would help, but then the rest of the computers in my house won't connect. Why, you ask? Well get this: the DIR-628 is part of D-Link's RangeBooster N family. So I stayed in the family and got two DWA-542 adapters for the desktop computers. Yet they only do 2.4GHz! Silly me, I assumed that being in the same family means full support of the router's capabilities.

I'm very tempted to replace my router again -- and I'm thinking that the best option is to get one with dual radios. That way I can move my T61p to 5.2GHz and replace the desktop adapters, while still having single-channel 802.11b/g on 2.4GHz for the Wii and my PlayStation Portable.

Now my request: tell me about your experience with home routers. What do you really like, and why? What should I buy?

Tweet!

TechNet Archive — Fri, 27 Jun 2008 08:52:18 GMT

The other day an office mate asked, "Do you twitter?" Sorting through the various snarky remarks that immediately popped to mind, I replied that I didn't think anyone would find my routine bits all that interesting. He suggested otherwise: that it would be a convenient place to record quick ideas. So I am now indeed twittering. Check out the link on the right of this blog. For those using an RSS/ATOM aggravator, you'll want http://twitter.com/statuses/user_timeline/15237105.rss.

Directly connect to your corpnet with IPsec and IPv6

TechNet Archive — Wed, 25 Jun 2008 23:55:00 GMT

Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no actual rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia, then TechEd US seemed to suddenly appear out of nowhere! So I've been kinda swamped. I've missed writing here; it's good to get back into the swing.

At TechEd this year, I gave a presentation called "21st century networking: time to throw away your medieval gateways." (Actually, I've given this same talk before, at events in Amsterdam, Brussels, Oslo, and numerous on-campus customer meetings. It's time to bring the knowledge to the masses.)

I described an idea of using IPv6, IPsec, NAP, and group policy to build a pretty slick replacement for clunky VPN gateways. Turns out we've been piloting this very idea on our internal corpnet. Like a good little bunny I got myself enrolled in the thing and -- pardon the unattractive gushing -- this thing rawks! Here's a brief rundown of the parts you'd configure on managed clients:

Windows Vista Enterprise or Ultimate editions (those with Business edition and Software Assurance can upgrade to Enterprise)
That are domain-joined
Users run as non-admin
Group policy applies numerous settings
UAC is enabled
BitLocker is configured to protect confidential information stored offline
The Windows Firewall is enabled
NAP is used for checking health
Forefront Client Security for keeping malware off the box
Smart cards for strong authentication of users
IPsec is required for connection authentication and traffic encryption
IPv6 is required for worldwide Internet connectivity
A DNS suffix search list represents the data center name space
Static IPv6 DNS servers provide name resolution for hosts in the data center

What does this give you? True anywhere access, anywhere in the world, directly to corpnet resources from managed and secure client PCs. The Internet has replaced private WAN links for good reason: enormous cost benefits. The only thing holding us back from fully utilizing this development has been a lack of way to enforce and monitor the security of clients not physically located within the corpnet. Well, those days are over. Now you can build PCs that are trusted just as if they were on the corpnet, without knowing or caring anything about the underlying network connections. And let me tell you, it's as addictive as a few other substances I could mention, but will refrain, since this is (I hope) a family blog :)

Maybe you've heard of the notion of "deperimeterization." Taken to its extreme, I think it's a bit silly. To put a SQL Server directly on the Internet is just plain stupid -- not because I don't think I could keep it protected, but simply because that's unnecessary risk. Only my web server -- and no one else -- should be talking to my SQL Server. But that web server will be in the same subnet as the SQL Server, and IPsec policies used also here will govern who can connect to the SQL Server. Warning to any and all network DMZs: your days are numbered!

Shrink your perimeter to that which really matters -- your data center. All your clients live (as we would say in the olden days) "on the outside of the firewall." Now then, there are two kinds of clients. Managed clients, as I described above, establish IPsec-authenticated/encrypted, group-policy-configured, NAP-enforced IPv6 connections directly to corpnet resources without going through any kind of access gateway. The router connecting you to your ISP is fully sufficient for blocking denial of service attempts. Be sure to follow my advice in "Configure your router to block DOS attempts," and then add two more rules to permit incoming port udp/500 and IP protocol 50 over IPv6. That's it. No NATing or other unnatural network acts are required (finally, you can stop lying to your significant other about why you squirrel yourself away in the computer room all those weekend nights).

Unmanaged clients will continue to use IPv4 to access published Web and Win32 applications through a gateway like IAG. Since you can't trust these clients nor can you trust the data they're throwing at you, you have to inspect and validate at the perimeter. You can take advantage of IAG's application-modifying capabilities to "wrap" security around poorly-written web apps; you can even download an ActiveX control to unmanaged clients to perform some basic health checking, policy enforcement, and cache clearing. None of these eliminates the final requirement to continue inspecting and removing malware from servers where users store data: Exchange, SharePoint, Office Communications Server, and file servers.

Machines are mobile, data is mobile. The mainframes and large desktop PCs of the past posses an effective security attribute: the heaviness of the machines. You couldn't easily saunter out the front door with a PC-AT in your pocket! These days, we all line our pockets with tiny little mobile phones stuffed with 16GB of storage. It's now a fact: data moves. And like water, data moves wherever it can, as rapidly as it can, often beyond your control if you don't prepare for that. With properly-configured and managed clients we can enjoy a single access and authentication experience no matter where the computer is physically located. For example: I can sit in my house and enter '"http://internal-web-site-name" in my browser. The DNS suffix search list adds the appropriate suffix, my browser's resolver performs an IPv6 name lookup, and my computer makes an authenticated and encrypted connection, after it meets the NAP policy, directly to that internal server. Very nice. As far as I'm concerned, there's no difference between the Internet and my corpnet. It's all just there.

For a while now many of you know I've been speaking and writing, mostly at the conceptual level, about the day when such a way of remote computing will arise. Well, my friends, that day is now. You can indeed build it now, with the products you have. I won't admit it's all peaches and cream: there's a fair number of moving parts here, it's true. But most of these moving parts are parts you're already familiar with: I'm simply encouraging you to move them in a specific way. You'll need to do some custom scripting for client-side connection diagnostics, but that's about it.

My next step is to create a more detailed guide, which I plan to publish through TechNet Magazine. I'm targeting (but not promising) the October issue. The article will include greater details about configuring your infrastructure to support the managed clients I describe.

I've lost track of the swelling number of individual conference attendees and the plethora of email writers who've expressed a desire to build this in their own environments. The one common thread from everyone is "I want to do it now!" Folks, it's really pretty exciting for me to see so many of you ready to cross the chasm from the perdition of paleo-networking (layer upon endless, complex layer of DMZs) into the paradise of flat, simple, cheap, and secure access to information. If you haven't yet, please take the time to read through some of our information (especially Scott Charney's paper) on end-to-end trust. Friends, the idea I describe above is the plumbing for realizing the end-to-end trust vision.

Do you need RMS/IRM in Office for Macintosh?

TechNet Archive — Thu, 24 Apr 2008 01:34:16 GMT

Please let me know if this is a feature you'd be interested in. We're looking to build the business case to develop it, and the best way to do that is for you, our customers, to let us know.

Also, if any of you want to deploy RMS now but can't because there's currently no Mac support, I especially need to know. Thanks!

Throw away your digital picture frames

TechNet Archive — Tue, 19 Feb 2008 06:36:00 GMT

Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?

Virus from China, the gift that keeps on giving

An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind.
"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.

Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as is the US Government with its new Federal Desktop Core Configuration for Windows XP and Windows Vista.

The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!

Even more amazing:

[Mocmex] isn't the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers.
There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses.
Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.

More reasons to disable Autorun, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.

It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.

Supporting your family, friends, and neighbors

TechNet Archive — Wed, 13 Feb 2008 20:45:40 GMT

By Steve Riley
Senior Security Strategist
Trustworthy Computing Group, Microsoft Corporation
(originally published at http://www.microsoft.com/technet/community/columns/secmgmt/sm0208.mspx)

I’ve met thousands of IT pros during my years speaking at conferences around the world. And if there’s one thing that’s true for all of us it’s that all IT pros become support professionals for their family, their friends, and their neighbors—your “FFN” base, as I call it. And, like doctors, we’re expected to provide this kind of support for free!

Once upon a less-demanding time, these questions were rare and usually involved things like setting up Windows, configuring printers, snarfing from the free wireless network across the street—the sorts of things that normal people don’t do when going about their daily lives (face it, we IT pros aren’t normal). So the monthly late-evening phone call usually wasn’t a burden. Alas, those days are now nothing more than wistful memories.

You see, the bad guys (and, increasingly, girls) who lurk in the Internet’s dark alleys and secret passages have discovered that those who constitute your FFN are prime targets for their reprehensible ways. The millions of home computers squatting on kitchen counters and in bedrooms don’t enjoy the protection that corporate PCs do—no fortified network, no centralized administration and updating, no traffic inspection, no security policies. Rarely do the people in our FFNs possess detailed security knowledge, so home computers are ripe targets for attack. The bad guys know this, and they’re rapidly taking over as many machines as they can get their grubby little hands on.

For a while now, Microsoft has provided easy-to-follow guidance for home users at our Security at Home site. This is an excellent resource, with information on how to protect your computer, yourself, and your family. However, we can’t do it alone—we need your help! Maybe it’s already happened to many of you; if not, it’ll happen soon: you’ll become a security consultant for your FFN. That’s right, you. Stop glancing around the room, don’t slink down in your chair and hope I won’t see you. Your FFN is having security problems right now, and they need your help.

What to say, you ask? Where to go for guidance on how to talk to your FFN? It’s the same place: Security at Home. I’ll review some of the most important steps you can take.

Four steps to protect your computer

These aren’t optional; they aren’t open for debate. At the very minimum, all computers connected to the Internet should follow these steps.

Keep your firewall switched on.
Keep Windows up to date.
Use updated antivirus software.
Use updated antispyware software.

Computers running Windows Vista or Windows XP Service Pack 2 (SP2) already have firewalls that are enabled by default. Leave them running. I've yet to see any example of applications typically run on home computers that would break because the firewall is running. There’s simply no excuse for running a PC connected to the Internet without a firewall. Computers running anything older than Windows XP SP2 should be upgraded immediately—and this is again where you can help. Visit your FFN and ensure that everyone has installed the service pack.

Make a habit of ensuring that the automatic update client is running whenever you visit your FFN. This feature exists for them and minimizes the amount of work you need to do. Let Microsoft take care of patch management for your FFN—outsource it to us by making sure that all computers are downloading and installing updates automatically.

Simply using a firewall and installing updates can be enough to protect a computer from most attacks. But as we security consultants (stop looking around the room again!) know, attackers don’t target only computers. They target people, often by concealing malicious software inside tempting packages delivered by e-mail or Web sites. We call this the “dancing pig” phenomenon—no amount of self-control can stop someone from clicking on links or running attachments when the payoff is the promise of tutu-clad swine parading across the screen! So to add to a home computer’s defense, we need utilities that detect and remove malicious software. Antivirus and antispyware tools can take care of this for you. (Yes, you need both; they detect different kinds of attacks.)

The case could be made that antivirus and antispyware tools aren’t necessary for computers whose users are highly skilled, security savvy, and have an experienced feel for recognizing malware before it strikes. Indeed, I’ve written about this before ("Antivirus softwre—who needs it"? and "More on the necessity of antivirus software"). However, for my FFN, antivirus and antispyware are requirements. They should be for your FFN, too.

The Malicious Software Removal Tool also helps to eliminate malware. It’s updated each month through the automatic update client and runs the next time a computer boots. It scans for and removes common malware like certain prevalent worms and rootkits. Since the tool’s introduction, millions of computers have been cleaned of billions of pieces of malware.

If you need to quickly scan a computer for malware, try the Windows Live OneCare safety scanner. It’s free, and it might be a useful habit for you to develop every so often when you get a call from an FFN. There are two versions of the scanner. One is for Windows XP, the other is a beta for Windows Vista.

What about ensuring that your FFN runs as non-admin? That would be an excellent step, but a lot of software written for the home market still requires being an admin to install and run (yeah, not everyone realizes the Earth is round). Such software should be tossed in the junk bin—yet if you need to manage some knitting projects, and there’s only one program you can find that works for you, sigh… Non-admin is a tough call. Perhaps you can enforce it on the home network in your own house, since you’re right there. Enforcing it on the computers in your FFN, though, might end up creating more work for you.

Keep your information more secure

Spam and scams are the techniques most bad guys use to steal your information to try to assume your identity. I don’t like the common term “identity theft”—how can you really steal someone’s identity? You can steal a purse, thus denying the purse’s benefit to its original owner. But you simply can’t take away someone’s identity. Think of identity theft as a form of impersonation attack (it’s like spoofing a human, I suppose). To impersonate you, the bad guy needs to obtain information about you. Phishing scams and spam lure millions of unsuspecting folk (these would be your FFN) into divulging secret details they’d never tell their pastors or principals or parents.

To reduce the likelihood of having your identity impersonated, teach your FFN to follow a few simple steps.

Use the phishing filter that’s built into Internet Explorer 7.
Reduce the amount of spam in your e-mail.
Use good passwords online.

The phishing filter in Internet Explorer 7 includes a long list of known phishing sites, and it warns users if a site they’re visiting is on the list or exhibits characteristics typical of phishing sites. The filter can communicate with an online service to keep itself updated—and this is important, since phishing sites often disappear after just a couple days.

Windows Live Hotmail, Windows Live Mail, and Windows Mail—probably the most common mail programs in your FFN—include technology to reduce spam. Their spam filters are updated regularly through Microsoft Update, which is yet another excellent reason for keeping the automatic update client enabled. Also be sure that you configure them to block images in HTML mail, which are often used for secretly tracking whether someone’s read a message.

Don’t forget to teach your FFN about basic techniques they can learn to become more security savvy. Common practices like disguising your e-mail address on discussion boards (me AT example DOT com), using a separate e-mail address for newsletters and online transactions (yes, you can have more than one Hotmail account), and being aware of prechecked boxes on Web forms that will result in things you didn’t want—for example, various toolbars, sharing your e-mail address with “partners,” or signing you up for newsletters that you can’t unsubscribe from.

Similarly, spam becomes easy to spot once you get in tune with its characteristics. Don’t reply to any message that wants personal details. It’s highly unusual; legitimate sites will use Web pages to sign up for services or maintain accounts. If you get an e-mail message that appears to come from your bank, don’t read it—delete it. Then call your bank; if they need something from you, their customer service department can handle it. Legitimate businesses simply don’t use e-mail to conduct account maintenance transactions, because e-mail itself is insecure. Never click on links to any kind of online payment service you use; instead, type the address directly into the browser’s address bar. If you hover your mouse over a link, the real URL appears in a small box—and if they don’t match, then yep, the e-mail message is definitely fraudulent.

While working with your FFN, make the link between online safety and personal safety. Most of us wouldn’t wander down random smelly alleys in isolated parts of the city during the middle of the night. It’s the same with your e-mail. Ignore attachments you don’t expect, avoid pleas for giving to “charities,” dismiss any messages that promise easy money, and don’t reply to any spam—all this does is confirm that your e-mail address is legitimate, guaranteeing that you’ll get more. Teach your FFN to make regular use of Snopes.com, one of the best sites on the Internet for learning whether something is legitimate or a scam. Type a few words from the suspicious e-mail message into the site’s search box and see what the results are.

Web sites often require you to log on. This means you need to create a user ID and password for every site you might visit. There’s a lot of discussion about what constitutes a “good” password; personally, I’m a fan of length rather than complexity. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish:

Web mail: "my dog and i got the mail"
Shopping: "my dog and i bought some stuff"
Office: "my dog and i went to work"

If you don’t follow this kind of system, eventually you’ll start to forget which password you used on which Web site. Ugh, how can you manage it all? How can you have strong and unique passwords on the 60 different sites you visit every day? If the site uses basic authentication, you can instruct Internet Explorer to remember its password—however, few sites use this method. Instead, forms-based authentication is far more common, and Internet Explorer can’t remember these. Some sites have “Remember my password” checkboxes on the logon forms, which causes the site to store your password in an encrypted cookie (this is fine). There are many third-party programs you can use to manage passwords; one popular and well-regarded one is the free Password Safe.

Won’t all this just overwhelm my FFN?

Not really. Ordinary people subconsciously make security and safety decisions every day—going to the same hot dog vendor you’ve always trusted, changing lanes after verifying the target lane is unoccupied, walking along known streets with good lighting. Being safe online is really no different than being safe in the real world. Yet, online, people have a tendency to move toward one of two extremes—trusting everything they read and receive or becoming suspicious and essentially refusing to engage in anything online. Maybe it’s because online threats use scary language (like “identity theft”) and receive attention that far outweighs the risks (like child predators).

The threats we all face daily online are really no different than the threats we’ve all faced ever since we came down from the trees. This doesn’t mean we should ignore them or become too agitated. It means that we can apply the common sense most of us already have, aided with numerous tools and bits of good advice from software vendors, and—most importantly—a cadre of IT pros who can help their FFNs become savvy enough to protect their computers, themselves, and their families so that they can integrate the vast power of the Internet into their normal routines and enjoy everything it has to offer.

This article gave you some starting points for conversations with your FFN. There’s far more to explore. Spend an evening perusing the resources we’ve provided for you at Security at Home. We’re regularly updating the pages here to ensure that the information is current and relevant for home users. We’ve also created a newsletter specifically for home computer security, an online safety and security magazine, and several videos that cover a variety of security topics.

One more thing: accept our humble thanks for your help. We believe that you, our IT pros, can become the most valuable element in spreading the message of how to be safe and secure online. Thank you!