Steve Riley on Security

Blog relocated again

TechNet Archive — Thu, 20 Aug 2009 01:02:00 GMT

Just a quick update, to make sure everyone knows. I've moved my blog from MSInfluentials to WordPress.com. Please update your aggregators/bookmarks/favorites to http://stvrly.wordpress.com. I've posted the reasoning for my move, as well as a description of my personal foray into the cloud, over there.

Good bye, and good luck

TechNet Archive — Wed, 06 May 2009 23:11:56 GMT

Friends, as a part of Microsoft’s second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended. While there were many rewards that came from my job, the most satisfying element was knowing that our time spent together helped improve everyone—whether at conferences or through this blog, I’ve learned as much from you as you’ve learned from me. Sharing information, debating positions, and doing the right work for the right reasons are all very important and I’m honored and humbled to have been trusted by so many of you.

I’m certainly not disappearing. While I won’t be at TechEd North America this year (yes, I’m truly sad about that), I’ll remain involved in the security industry. You can find me on LinkedIn at http://www.linkedin.com/in/steverileysea. And I’ve got a new blog at http://msinfluentials.com/blogs/steveriley/default.aspx, where I promise I’ll start writing more. Please check in there for updates, and I’ll be sure to let you all know where I land next.

If you know the Conficker dude, we've got a prize for you

TechNet Archive — Fri, 13 Feb 2009 20:39:00 GMT

Yesterday (12 February 2009) Microsoft announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”

As cyberthreats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker.

Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

“The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together,” said Greg Rattray, chief Internet security advisor at ICANN. “ICANN represents a community that’s all about coordinating those kinds of efforts to keep the Internet globally secure and stable.”

“Microsoft’s approach combines technology innovation and effective cross-sector partnerships to help protect people from cybercriminals,” Stathakopoulos said. “We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable.”

More information about how to protect yourself from Conficker can be found at http://www.microsoft.com/conficker. Customers interested in learning more about staying safe online can visit http://www.microsoft.com/protect.

Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

Today’s spam

TechNet Archive — Wed, 21 Jan 2009 21:13:31 GMT

Here’s what’s in my junk mail folder today:

What is up with all that? Apparently I sent a payment to myself, I initiated another payment to myself, I am a user of myself who’s received exclusive offers for January, and I received a payment from myself. Wow! Furthermore, an internal discussion group (IPv6) is apparently engaging in a PayPal transaction, and M & T Bank’s mailer needs to make doubly sure that I realize I’m receiving a new message.

I don’t know where to direct my ire—at the spammers who litter the Internet with their spew or at the people who still get duped by it. Spam would wither away if everyone just ignored it. But I guess enough people are lured by cheap mortgages for their penis extensions that the spammers rake in enough money to cover their costs…so sad.

Attacks against integrity

TechNet Archive — Wed, 21 Jan 2009 07:28:58 GMT

I’ve been mentioning this frequently during my talks in the last 12 months: that accidental or malicious data modification is yet something else we need to defend against. Richard Bejtlich wrote last year about attack progressions, and this year summarized an accidental integrity error that created minor havoc at Veteran’s Affairs health centers. Richard’s progression nicely matches our beloved friend, the infosec triad:

First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid 1990's and monetized later via extortion.
Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990's and monetized as personally identifiable information and accounts for sale in the underground.
Now they are coming to make a difference... These are attacks on integrity, executed by degrading information starting at the beginning of this decade. These attacks will manifest as changes to trusted data such that those alterations benefit the party making the change. This sort of attack undermines the trustworthiness of data.

Alas, his concluding sentence is all too true:

If we think it's tough to maintain availability and confidentiality, wait until we security people are tasked with validating the integrity of data. It will happen after a celebrity dies or a group of "normal people" do, unfortunately en masse.

Get ready to start adding integrity protection to your data and incorporating integrity protection in your applications. Also: start making noise yourself, and let your vendors know this will eventually become a business requirement for you. Please, let’s not give the folks at the Privacy Rights Clearinghouse another category to track!

I want a Model 22 HDD Hard Drive Disintegrator

TechNet Archive — Wed, 21 Jan 2009 00:43:40 GMT

Here at Microsoft we have an active internal discussion group where most security-minded folk hang out. The topic of data destruction came up recently, it’s actually a lot more difficult than most people think. CIPHER /W and SDELETE do a reasonable job, but they aren’t perfect: the paper One big file is not enough: a critical evaluation of the dominant free-space sanitization technique dives into some interesting detail. Frequently people talk about DoD (U.S. Department of Defense) compliance, but seven wipes really aren’t necessary, according to Secure deletion: a single overwrite will do it. I’ve always thought the notion that bits will somehow “soak” down into the disk and could be recovered by “shaving off” the disk’s top layer is silly—probably invented by the folks who want to sell you secure wipe utilities. If that were really true, then it would be a fairly simple operation to “wash” away encryption, no?

For thorough data destruction, I’ve been a fan of shotgun washing. But for those without shotguns at the office, a company called Security Engineered Machinery has introduced the Model 22 HDD Hard Drive Disintegrator.

This system is built specifically to destroy hard disk drives. Load up to 10 drives on to the automatically indexing conveyor and in 30 minutes you'll have nothing but a pile of metal chips. The unit comes as a complete system, including sound-dampening enclosure and HEPA vacuum to remove airborne contaminants. The disintegrator's rotating knives transform the drives into unreconstructable fragments, leaving all data unrecoverable. the bin is made of aluminum, to prevent magnetic pieces from sticking to it

Watch the video, it’s pretty cool. I love the narrator’s dead-pan delivery, but the resemblance to the Illudium Q-36 Explosive Space Modulator really made me chuckle. They should do a marketing tie-in with Marvin the Martian.

“Oh, recoverable data makes me very angry. Very angry indeed!” (h/t Scott Culp for the quote.)

Speaking of washers and aluminum, my six-year-old Frigidaire front-load clothes washer started making a loud thumping sound during the spin cycle. So I did a little bit of searching and found out that this particular unit, a popular model made by Electrolux and sold under the Frigidaire, Kenmore, and General Electric brands, was apparently designed by someone who lacked a high school understanding of chemistry. An aluminum spider arm is connected to the stainless steel inner basket, which of course gets wet during use. What happens when you apply water to the interface of aluminum and steel? Galvanic action! The aluminum disintegrates. Some owners have posted videos of their washers here and here.

I’ll attempt the $300 three-hour repair, and I’ll paint the new spider arm with some primer and anti-rust paint. Or maybe I’ll convert it into my very own Illudium Q-22 HDD Explosive Hard Drive Disintegrator.

Questions about virtualization and security?

TechNet Archive — Fri, 09 Jan 2009 20:46:50 GMT

Yesterday, Donnie Hamlett, a Microsoft core infrastructure optimization specialist, gave a webcast and played a video of my TechEd presentation on virtualization and security. Some of the viewers had questions, and I offered to Donnie that they could come to my blog to post them. I’ll extend that offer to all of my readers—if you’ve got a question about this topic, ask away, and I’ll answer here. Thanks!

Poll: do you use scheduled scans for malware?

TechNet Archive — Mon, 05 Jan 2009 23:03:59 GMT

An interesting comment recently appeared on my older post about whether or not to use antimalware software. Peter van Dam wondered whether scheduled scans are really necessary, given that anti-malware products scan files as they enter (and sometimes exit) a computer.

He raises a good point, and I’m curious what all of you think? Do you use scheduled scans? If so, why? If not, is it because you’ve decided the same as Peter?

Updated Microsoft Security Assessment Tool

TechNet Archive — Tue, 02 Dec 2008 07:13:03 GMT

Greetings. In case you haven’t already read about it, we recently updated the Microsoft Security Assessment Tool (MSAT). Version 4.0 hit the web on 31 October. It’s been four years since the initial release, and two years since the prior version. Between then and now your security world has evolved a lot, and the tool now reflects that.

Download now: http://www.microsoft.com/downloads/details.aspx?FamilyId=CD057D9D-86B9-4E35-9733-7ACB0B2A3CA1&displaylang=en

Take a few moments and give yourself a security checkup. If you have any comments or feedback on the tool, feel free to leave them here on my blog—I’ll make sure the right people see it.

Update: got an email from someone with two questions:

When you install the tool, the UAC dialog shows “Microsoft Corporation (Internal Use Only).” This is the CA that signed the tool, and it’s an internal CA—thus the “internal use only” bit.
The tool fails to run on Vista x64. This is a known issue, we’re working to fix it.

From the download page:

The MSAT employs a holistic approach to measuring your security posture by covering topics across people, process, and technology. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance. These resources may assist you in keeping you aware of specific tools and methods that can help change the security posture of your IT environment.

There are two assessments that define the Microsoft Security Assessment Tool:

Business Risk Profile Assessment
Defense in Depth Assessment (UPDATED)

The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.

After completing an Assessment, you will gain access to a detailed report of your results. You may also compare your results with those of your peers (by industry and company size), provided that you upload your results anonymously to the secure MSAT Web server. When you upload your data the application will simultaneously retrieve the most recent data available. To be able to provide this comparative data, we need customers such as you to upload their information. All information is kept strictly confidential and no personally identifiable information whatsoever will be sent.

Reading list from “How IT will change in the next 10 years”

TechNet Archive — Mon, 24 Nov 2008 22:39:10 GMT

At Windows Connections two weeks ago, during my keynote speech “How IT will change in the next 10 years and why you should care,” I mentioned several books worth reading. Many of you have asked for the list; here it is:

The Cathedral and the Bazaar by Eric S. Raymond
The Wisdom of Crowds by James Surowiecki
We Are Smarter Than Me by Barry Libert, Jon Spector, Don Tapscott
The World Is Flat by Thomas L. Friedman
The Innovator's Dilemma by Clayton M. Christensen
The Long Tail by Chris Anderson
The Speed of Trust by Stephen M. R. Covey
What Got You Here Won't Get You There by Marshall Goldsmith
Outsourced (the movie)

Also remember that I mildly panned Digital Economy by Harbhajan Kehal and Varinder P. Singh; my assertion was that the next 10 years will bring about a social economy instead, one that includes the digital natives you’ll all be hiring and selling to now or very soon. They’re the ones who are building it, so you might as well adapt.