Jeff's InfoSec Blog : Information Security

Vulnerability analysis using search tools

jeffnew — Thu, 07 Apr 2005 02:52:51 GMT

Interesting article: Google Yourself to Identify Security Holes by Tony Bradley. His point is that security people should be using Google and the discussed tools as one facet of a vulnerability analysis program.

First open O/S, now open BIOS?

jeffnew — Thu, 07 Apr 2005 00:54:00 GMT

Sorry, I just can't get behind this: Battle brews over unlocking PC secrets. The PC industry has suffered for not having trusted mechanisms for identifying computers and locking down digital rights. I read the article and I still don't see Stallman's point. Then I read his manifesto and I really don't get it. GNU has come up with some good stuff in the past, and in a previous life I used to use and contribute to that effort. But this seems to be ideology taken to the extreme. Since the typical modern mobo allows users to flash their BIOS rather than remove and replace the chip, suddenly it should be treated differently? Presumably this includes video cards as well, that have extensive (and flash-able) code on the card.

It's not really a battle, more of a tempest in a teapot.

How do we fight spyware when no one can agree what it is?

jeffnew — Mon, 04 Apr 2005 19:49:00 GMT

Ahh, the wonderful world of information security in the United States, where the threat of litigation can keep holes open and spyware active. eWeek has had a couple of articles this week on this topic. In The Chaotic World of Defining Spyware they discuss issues that CA has with companies that are fighting being labeled as spyware. In Big Security Guns Should Aim Carefully at Adware, Spyware there's a discussion of Symantec's scoring system versus Microsoft's behavior-based approach documented in a recent white paper.

There is money to be made in spyware and the bottom-feeders that are using spyware and "adware" are going to be very aggressive at resisting being labeled as such. You can see this in the Microsoft white paper, where the targets are labeled "potentially unwanted software" rather than spyware.

It's all just semantics. When you install something on my PC that I don't explicitly want and ask for, you're a bad person and need to be dealt with harshly.

7 computer security tips for students

jeffnew — Wed, 30 Mar 2005 04:02:00 GMT

My group didn't write this... that is, I don't think we did, although this may have come out of our Consumer team. But it is pretty good, basic advice for students that are heading off to school with their new laptops.

School is in: 7 computer security tips for students

New! IPSec Guidance from Microsoft

jeffnew — Mon, 28 Mar 2005 18:43:00 GMT

My team just released a new security guide: Server & Domain Isolation Using IPSec and Group Policy. This soluton, aimed at enterprise IT Pros, is focused on how you can use IPSec and Group Policy to secure the data connections between systems. One of the key threats that this can mitigate is the rogue computer, infected with a worm, that gets connected to a corporate wired network and, even without authentication, receives an IP address and attempts to find an infect other systems.

Please let me know what you think!

The Trustworthy Computing Security Development Lifecycle

jeffnew — Mon, 28 Mar 2005 18:31:00 GMT

If you're wondering how Microsoft bakes security into its software development practices, this paper (by one of the co-authors of "Writing Secure Code") takes you through the process. This is far more than a guide for individual developers; it goes through the organization stucture and processes necessary to make this work for large software development projects.

Link: MSDN Security Developer Center: The Trustworthy Computing Security Development Lifecycle

Automagically isolating Internet worms

jeffnew — Mon, 07 Mar 2005 19:53:00 GMT

A paper from Microsoft Research (MSR), first published last summer, is getting new interest after MSR's internal TechFest last week. The idea is that hosts would analyze traffic hitting them and automatically broadcast alerts. While false negatives can mean that many hosts will not detect the worm, doing this across a large group of machines means that some hosts will detect it and start broadcasting the self-certifying alerts. Of course there are a ton of issues with this approach but the authors have done a good job of going through the threats and countermeasures. It's a really interesting idea and I hope that they continue with the research.

Is finding security holes a good idea?

jeffnew — Wed, 16 Feb 2005 20:04:00 GMT

Some interesting papers came out of the third annual Workshop on Economics and Information Security. If you're an IEE Computer Society member you can read the full text. Eric Rescorla's article, "Is Finding Security Holes a Good Idea?", provides a statistical analysis of a point I have long held: that disclosure of holes is the prime driver for exploits, and that holding off on disclosure (which also means holding off on the fix) can in many cases reduce costs and improve security. That may be counter-intuitive, but read Rescorla's paper and judge it for yourself.

S&P: Economics of Information Security

Hey, Mom finally gets security!

jeffnew — Tue, 08 Feb 2005 06:57:00 GMT

Interesting -- According to a UK study, demograpghics are skewing for home users, with older people buying a larger percentage of home infosec products (AV, etc.) and younger people being the ones that naively assume they're OK. Without the data it's hard to analyze further. I hope that the shift is due to more existing home PC users taking security seriously, as opposed to merely a shift in who is buying PCs.

"It is thought that 40% of those buying home net security programs are retired. For the last three years, that has gone up by an average of 13.2%. But more retired women (53%) were buying security software than retired men."

BBC NEWS | Technology | More women turn to net security

Former AOL employee pleads guilty in spam case

jeffnew — Mon, 07 Feb 2005 19:00:00 GMT

Ouch -- 92 million screen names and email addresses stolen from AOL. The guy netted $28k, and will have to pay $200-400k in restitution. Not exactly a lucrative business, was it?

Once again we see privacy compromised from the inside -- nothing that the individual account holder could have done would have prevented this.

MSNBC - Former AOL employee pleads guilty in spam case

Microsoft's Security Cooperation Program

jeffnew — Wed, 02 Feb 2005 19:15:00 GMT

I love how news reporting can subtly (or not so subtly) slant interpretations while professing to still be reporting facts. CNet's reporting of the Microsoft Security Cooperation Program is a great example. When I heard about this program I thought it was great -- a mechanism for getting governments the security info that they need for national security, but with less stringent retrictions than the existing Government Security Program.

Of course, I am probably biased as well...

Microsoft to confide security woes to governments | CNET News.com