Microsoft Switzerland Security Blog

Last week Microsoft released IE8 Beta2, the faster, easier and safer successor of the existing Internet Explorer. As there are a lot of changes (new default settings, new support for standards, new features), it's definitely woth to try and test IE8. It's probably a good idea to start testing the own (internal) web applications as well.

Internet Explorer 8 Home Page: http://www.microsoft.com/windows/internet-explorer/beta/default.aspx
Internet Explorer 8 on Technet: http://technet.microsoft.com/en-us/ie/default.aspx
Internet Explorer 8 on MSDN: http://msdn.microsoft.com/en-us/ie/default.aspx
Internet Explorer 8 Readiness Toolkit: http://www.microsoft.com/windows/internet-explorer/beta/readiness/developers.aspx

1. InPrivate Browsing – When activated, InPrivate Browsing gives users the option of keeping their browsing history private on shared computers such as in the home, Internet café or public kiosk.  InPrivate is an opt-in feature, which must be turned on for each browsing session. It works by deleting history data that is accumulated while browsing the web (e.g., temporary internet files, web address history, cookies), at the end of each browsing session.  Scenarios include shopping for a spouse's birthday gift on a home machine , or doing online banking from a public kiosk.
2. InPrivate Blocking – InPrivate Blocking helps protect privacy by offering the user choices in how they block content from third-party websites - particularly those that track and aggregate online behavior.  Examples of third party content on websites may include maps, stock tickers and advertisements.  InPrivate Blocking gives users notice, choice and control over this content by providing them with the ability to choose which third party content to block and which to allow.  
3. Implementation of Internet Standards - Consistent with Microsoft's efforts to promote interoperability on the Web, IE 8 beta 2 is standards-compliant by default.  Giving top priority to Web standards interoperability allows us to help web developers and designers drive toward the ideal of “write once, run anywhere” - freeing up more time to innovate rather than modify content for different browsers.  This means, however, that browsing with this default setting may cause website content written for previous versions of Internet Explorer to display differently than intended.  To help with this issue, the browser also includes a Compatibility View button that displays those pages as they were designed to be viewed. To help with this issue, the Internet Explorer 8 browser also includes a Compatibility View button that displays those pages as they were designed to be viewed. Click here to learn more about the Compatibility View button.  
4. SmartScreen Filter – A security enhancement innovation, SmartScreen Filter builds on the success of Microsoft Phishing Filter in IE7, which helps protect users against phishing sites by warning them before they access websites that Microsoft knows to be problematic or display suspicious characteristics.  SmartScreen Filter expands this protection against a broader set of phishing threats and adds protection from some websites that attempt to download malicious software.   To warn users against a wider array of problematic websites, SmartScreen Filter now collects additional information from the user, but none of it is used to identify, contact or advertise to the customer. 

Urs

The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.

The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items.

http://ocfa.sourceforge.net/

Urs

A group of software and online payment companies are teaming up to find a better way than passwords to protect, and prove, your identity online.

Problems with passwords are well known - people require ever more passwords which means they either get forgotten, or people use the same word for several different services which is a security risk. The new group will seek to find open standards to make it easier to prove your identity online without using dozens of passwords and usernames.

Equifax, Google, Microsoft, Novell, Oracle and PayPal will work together to create "Information Cards" - online cards like those in your wallet. Different cards can contain different levels of information and can be used to log in to different websites instead of using a username and password. Some may contain just a user name and password, others address information.

http://informationcard.net/
http://msdn.microsoft.com/en-us/library/aa480189.aspx

Urs

The Microsoft Forefront Integration Kit for Network Access Protection provides a way for two Microsoft technologies to work together: Forefront Client Security and Network Access Protection (NAP). Forefront Client Security is comprehensive anti-malware software from Microsoft that provides unified protection from viruses, spyware, and other current and emerging threats. NAP is a new feature in Windows Server® 2008 that can control network access based on a computer’s compliance with an organization's health policy. NAP uses system health validators (SHVs) to configure the policies that are used to determine if network access is granted. System health agents (SHAs) provide the information needed to make this determination.

http://technet.microsoft.com/en-us/library/cc512112.aspx

Urs

From time to time, I have discussions about Microsoft Internet Acceleration Server (ISA) with people questioning if ISA is a real Firewall product. Many companies use ISA server, but as a proxy server or to protect their Windows servers (publishing exchange, etc.) only. In this cases, they put another (a real) firewall in front of ISA.

But there are others as well, that protect their companies borders only with ISA server, that use all functionality of ISA server, including VPN and Firewall functionality. Crazy people?

Let's start with the (long) history of ISA server, and probably the main source of their concerns, that started with a product called Proxy Server, which was - exactly as the name tells - a proxy server! Since then, a lot of IT Pros still believe, that this is all what ISA server is doing (well). However, since then, a lot changed and ISA server has nothing in common with the initial product.

If you are interested in the technical details of the ISA architecture, please have a look at the following document:
http://www.microsoft.com/isaserver/prodinfo/firewall_corewp.mspx

And, in addition, some facts around ISA Server:

• No documented instance of a properly configured ISA Server ever being hacked
• No vulnerabilities for ISA Server 2006 (http://secunia.com/product/12468)
• ISA Server 2006 is near completion of the EAL4+ assurance level from Common Criteria
  http://www.microsoft.com/isaserver/commoncriteria/default.mspx
• The product is being evaluated by the German BSI (http://www.bsi.de/zertifiz/zert/aktuell.htm)
  (and the BSI puts ISA into the category Firewall…) ;-)

Interestingly, Tom Shinder has a similar article on his website:
http://blogs.isaserver.org/shinder/2008/07/06/auditors-you-do-not-need-to-put-a-firewall-in-front-of-the-isa-firewall/

See also my last blog post:Microsoft ISA Server 2006 SP1 released:
http://blogs.technet.com/ms_schweiz_security_blog/archive/2008/07/07/microsoft-isa-server-service-pack-1-sp1-released.aspx
(Product updates yes, but no security updates)

Now, I hear some voices: Yes, probably ISA is doing well, but it's on Windows! True, but interestingly, ISA properly configured, is protecting the OS as well (of corse, software updates are still a must!). Remember, no hacked ISA server so far.

[Thanks also to Sasa, which helped to put this together.]

Urs

List of problems that are fixed in Internet Security and Acceleration Server 2006 Service Pack 1:
http://support.microsoft.com/kb/943462 

Microsoft Internet Security and Acceleration Server 2006 Service Pack 1 document
http://download.microsoft.com/download/6/6/6/6662d14d-52c3-445d-b9d1-6e373171f769/SP1_Feature_Doc_RTM.doc

Download the Internet Security and Acceleration (ISA) Server 2006 Standard Edition Service Pack 1 package now:
http://download.microsoft.com/download/6/6/6/6662d14d-52c3-445d-b9d1-6e373171f769/ISA2006-KB943462-X86-ENU.msp

Download the Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition Service Pack 1 package now:
http://download.microsoft.com/download/6/6/6/6662d14d-52c3-445d-b9d1-6e373171f769/ISA2006-KB943462-X86-ENU.msp

Urs

Microsoft's Malicious Software Removal Tool - a program that removes malware from Windows machines - detected password-stealing software from more than 2 million PCs in the first week after it was updated.

One password stealer, called Taterf, alone was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September.

http://www.techworld.com/security/news/index.cfm?newsID=101983

Urs

US-CERT has received reports of new phishing activity, some of which has been linked to Storm Worm. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that, when opened, may run the executable file "beijing.exe" to infect the user's system with malicious code.

http://www.us-cert.gov/current/#new_storm_worm_variant_spreads2

Us

A variant of the Zlob virus has emerged that can tweak DNS entries on standard commercial routers from an infected Windows PC. It uses a built-in list of standard router usernames and passwords. Successful attacks have already been observed on Linksys BEFSX41 routers and a Buffalo router using DD-WRT open source firmware.

Attackers can then redirect all internet traffic to their own servers. For the criminals, the advantage to manipulating a router is that it is more difficult for normal users to detect than an attack against a PC. The virus makes its way onto the computer by posing as a video codec, palmed off on users by malicious web sites.

http://www.heise-online.co.uk/security/New-Zlob-variant-reconfigures-routers--/news/110928

Urs

The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations like yours assess weaknesses in your current IT security environment, reveal a prioritized list of issues, and help provide specific guidance to minimize those risks. MSAT is an easy, cost-effective way to begin strengthening the security of your computing environment and your busi-ness. Begin the process by taking a snapshot of your current security state, and then use MSAT to continuously monitor your infrastructure’s ability to respond to security threats.
At Microsoft, the security of our customers’ networks, business servers, end-user computers, mobile devices, and data assets are a top priority. We are committed to providing security tools like MSAT to help you improve the security state of your busi-ness.
MSAT is designed to help you identify and address security risks in your IT environment. The tool employs a holistic ap-proach to measuring your security posture and covers topics including people, process, and technology.
MSAT provides:

• Easy to use, comprehensive, and continuous security awareness
• A defense-in-depth framework with industry comparative analysis
• A defense-in-depth framework with industry comparative analysis
• Proven recommendations and prioritized activities to improve security
• Structured Microsoft and industry guidance

http://www.microsoft.com/downloads/details.aspx?FamilyId=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en

Urs

Many small- and medium-sized organizations use antivirus software, and yet new viruses, worms, and
other forms of malicious software (malware) continue to infect large numbers of computers in these
Organizations. Malware proliferates at alarming speed and in many different ways, which makes it
Particularly widespread today. This guide is intended for IT Generalists who want information and
recommendations that they can use to effectively address and limit malware that infects computers
In small- and medium-sized organizations.

Using the Windows Pre-installation Environment (Windows PE), the Malware Removal Starter Kit gives
Customers the ability to discover malware by performing a thorough offline scan of their computers.
Once malware is located and identified, administrators can quickly remove it from infected PCs with
A number of free anti-malware tools, like the Malicious Software Removal Tool from Microsoft.

Read more about it: http://www.microsoft.com/technet/security/guidance/disasterrecovery/malware/default.mspx#EHD

Urs

You know you're a computer security professional when:

• Although you have no ill intent, you spend no small amount of your downtime in airports thinking of ways to circumvent TSA security -- and you've come up with several can't-miss terrorist ideas that even Jack Bauer couldn't stop.

• You lock your screensaver with twice as much insistence when security friends are around than when strangers are, because you're not nearly as worried about a stranger's intentions.

• You secretly hope you don't miss a big virus outbreak while you are out on vacation.

Read the rest…   ;-)

http://weblog.infoworld.com/securityadviser/archives/2008/06/are_you_a_compu.html

"You secretly hope you don't miss a big virus outbreak while you are out on vacation." Thats the one I currently like the most! Tomorrow I will leave for vacation! :-) So have a good time!

Urs

Excerpt: The spread of wide-scale Internet surveillance has spurred interest in anonymity systems that protect users’ privacy by restricting unauthorized access to their identity. This requirement can be considered as a flow control policy in the well established field of multilevel secure systems. I apply previous research on covert channels (unintended means to communicate in violation of a security policy) to analyze several anonymity systems in an innovative way.

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf

Urs

Excerpt: This report, developed in collaboration with experts, aims to inform policy makers about malware impacts, growth and evolution, and countermeasures to combat malware. It seeks to analyze some of the main issues associated with malware and to explore how the international community can better work together to address the problem.
Malicious Software (Malware): A Security Threat to the Internet Economy

http://www.oecd.org/dataoecd/53/34/40724457.pdf

Urs

Today at the annual AusCERT Asia Pacific Information Technology Security Conference, Microsoft Corp. announced the extension of the Microsoft Security Cooperation Program (SCP) to include computer emergency response teams (CERTs), computer security incident response teams (CSIRTS), and other response and guidance organizations that represent a nation, region or population.

http://www.pressroom2.com/2008/05/20/microsoft-expands-security-information-sharing-program-to-certs/

Urs