
This is the kind of stuff I hate to see – definitely within Microsoft but to a similar extent within competitors. I think we have a joint mission: Make the Internet a safer (and more trustworthy) place.

There was quite some noise yesterday around Google Chrome. And a lot of noise about "safer browsing" and security. Now, I started to read articles that Google built its new browser on a Safari version which is outdated and not yet patched against the Carpet Bombing flaw.

This is about processes and quality assurance (and trust) and not about technology. This is about a Security Development Lifecycle with proper testing and QA. Google published a long comic on Chrome that talks extensively about testing – I think there is some real room for improvement here.

Do not get me wrong: We are far away from perfect. We will never achieve the "perfect" level. But we worked hard to implement strong processes and even share them with the industry (see SAFECode). So, why do companies like Google, Oracle, Sun, etc. not join such initiatives to jointly make sure we do not release products with vulnerabilities that have been known for a long time…

Roger

We have regular conference calls with our security support to exchange trends and issues we see. During the last one we had an interesting discussion I would like to share with you: We seem to get a hell of a lot of calls, mainly from the consumer segment, with Virus/Trojan/Spyware infections. The way they get the malware is a pretty well known one: You go to a web page which tells you that your PC is infected by malware and that you have to install the "protection software" immediately – which then installs the malware. That's the reason why we call this software "Scareware". There are two things which frighten me:

One is that it shows how easy social engineering works (once again).

But the second one is much more frightening: The malware installed is far from sophisticated. It is usually pretty old and well known. Therefore every AV scanner would detect it easily and prevent it from being installed. This tells us that there is still a high percentage of people not running AV software on their PC… For years we have been telling our customers that you have to do at least three things to run your system: Use a firewall, keep your software updated, run Anti-Malware software and keep it updated. Similar things are true for ISPs. Why do people still not do it? Is it the money?

Roger

As you know, I am Swiss. Switzerland is known as one of the most direct democracies in the world. It is not uncommon for us to have (or to be allowed) to vote every other month, as there are a lot of ways to influence what our politicians and/or our government do. This makes the system often pretty slow, but I really, really like it.

When I was working for PricewaterhouseCoopers years ago (I think it is around 10 years ago now), the discussions around e-Voting started to come up. People loved it – and I hated it. Let me tell you why: We have (here in Switzerland) several options to vote: We can go to the local community early during the week before a vote and hand our votes in. We can send them by post (which I use most often) or hand the vote in on the voting weekend. There is a lot of effort then going on to count the votes, and we usually have the results ready on the voting weekend around 5pm or 6pm. So, the system works well, but there is significant manual work involved, I know. The key thing here is that this process is at the heart of our democracy. If this process is broken (or just not THAT trusted anymore), this would be a significant problem for our country.

Now there were a lot of politicians who loved to talk about e-Voting (without really knowing the consequences, in my opinion) as it gave them the touch of being modern, technology aware etc., and there were trials in different states here in Switzerland which were pretty successful.

Why am I still against it? Well, I am convinced that these systems can be built in a more secure way than the old process. Manually counting votes is flawed, we know that. But guess what: We learned to live with that a long time ago and trust this system. Do we trust a computer counting the votes? I do not think so. Do we trust a computer not losing votes if we have to do a re-count (which happens from time to time here if the result is close)? Hmm, I guess not.

And looking at recent articles, I think we are right: Diebold comes clean, admits that its e-voting machines are faulty, Mom, Can My Voting Machine Spend the Night? (people taking voting machines home), Why Election Technology is Hard (Bruce Schneier)

So, it is by far not a technology problem but a trust problem. And guess what: I am a geek and I love technology – I will still use paper to vote!

Roger

I just read an article this morning on Linux servers under the Phalanx gun: A problem with people, not code. There were quite a few things which made me think when I read it:

There was a statement in there which I – obviously – did not like at all: Linux may be inherently more secure as a system, which is always an interesting discussion. The guy writing the blog post claims that Linux is easier to secure than Windows, which I completely disagree with. If you know what you are doing you can secure each and every system. However, we do a great deal of work to make sure that our systems are as secure as possible by default, and additionally provide you with tools (like the Security Configuration Wizard) to make sure you can secure the system as far as possible and run it as securely as possible. We know and proved with a lot of figures that our systems have far fewer vulnerabilities than others (e.g. http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx), and third-party research showed clearly that our systems are less at risk than others.

But as I commented several times already, this discussion does not really lead to more secure systems but just provides some entertainment for people who like these debates.

Coming back to the article above: One of the conclusions in the article is that patching is often a people and process problem rather than a technology problem. This is not new either. The question to me is, why do people not deploy? We do customer surveys about their satisfaction with Microsoft every now and then. People are still not too satisfied with the security of our products. So, there is still a lot of work to do. However, if we ask them whether our updates are easy to deploy, we get a very, very high rating all across the segments and audiences. So, why do they not deploy? Is it because they are afraid of the downtime? Could be, so we have to work harder to reduce the number of reboots (is this different in other OSes? I do not know, but I doubt it). Is it the tools? Is it lack of knowledge? Is it ignorance?

I do not know, but I would love to understand.

Roger

As you (hopefully) know, the release of Internet Explorer 8 is coming closer. One thing we always look at is how to make surfing more secure and more private. The IE team just launched a blog post on the InPrivate features of IE 8 which is definitely worth looking at: IE8 and Privacy

Roger

Yes, it is true: There is somebody who publicly put known PINs on the Internet. I bet yours is there too: http://www.positiveatheism.org/crt/pin.htm

Roger

As you all know, most jurisdictions allow individuals to ask for data collected by an organization (be it a company or a governmental organization). A lot of countries have Data Protection Commissioners that look into what companies and, more often, governments do with regards to PII (Personally Identifiable Information). After 9/11 the United States forced airlines to violate the local Privacy Legislation, as the airlines had – if they wanted to fly to the US – to deliver PII to the US (mainly information from the Passenger Name Record), which then had to be accepted by the Data Protection Commissioners, as it would have killed the airline business if the airlines had not been allowed to do so. So, the US seems to have the power to make companies violate the laws – the background is the fight against terrorism.

Now they even go a step further by circumventing their own legislation: According to Federal Computer Week (Analysis tool exempt from some privacy laws), the DHS developed a system to collect and analyze data collected by immigration and customs. Even worse, they seem to correlate data from different sources: DHS-internal sources as well as commercial databases. The key point is that they decided to exclude this system from several Privacy Acts. Therefore you will not be able to look into the data they collect and make sure it is accurate. If the article mentioned above is correct, it really scares me. Look at that:

The information contained by ICEPIC can include names, dates of birth, phone numbers, addresses, nationalities, fingerprints, photographs, a person's immigration history and alien registration information, according to DHS. Agents and analysts can also use commercial databases to verify or resolve any gaps in ICEPIC data.

So, they start to analyze, and if some data points are inaccurate there is no way for you to know and most probably no way for you to make them correct it – scary, isn't it?

Roger

Are you interested in learning how Windows 7 (the next version of Windows) is engineered? Are you willing to get in touch with the engineering team? Then read their blog: Engineering Windows 7

Roger

I just read an interesting post by Michael Howard (Security is bigger than finding and fixing bugs). He refers to a statement Google seems to have made on its development practices (Google shares its security secrets):

In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value'. The programme includes mandatory security training for developers, a set of in-house security libraries, and code reviews both by Google developers and outside security researchers.

This reminds me of the days back at University: I learned a hell of a lot about Software Engineering, Data Modeling and stuff like that. Well, I learned about programming as well (up until I was able to look at Niklaus Wirth's Modula-2 compiler – but this is a different story). And then I started my first job in the industry – and all of a sudden I had to learn that nobody there actually cared about design. Just write the code! Nobody "had time to do a design on paper, this is just a waste of time". Did it work? Not really.

Now, we are coming to security and what do we do: Look at the code. Look for security vulnerabilities in the code. What about the design? What about the threat models? This drives me nuts: Why are we not ready to learn from…

  1. … the past
  2. … the learning others went through?

I know that our Security Development Lifecycle is pretty successful, which can be shown by a lot of different metrics – Michael gives a few in his blog. Additionally, we are working with SAFECode to share the experience and learn from others. Why do other companies not join in?

Roger

We all know that crime is global and that criminals are doing their best to leverage the legal shortcomings and the limitations of the cooperation between Law Enforcement agencies. There is a good article about one case in the New York Times which is definitely worth reading:

Global Trail of an Online Crime Ring

Roger

At Blackhat we announced an important change to our Security Bulletins becoming effective during the October release.

One of the requests we often heard when talking to our customers is that they would like to get better information on how hard it is to exploit a vulnerability. We will introduce an Exploitability Index by October. Basically, we will rate each vulnerability addressed with one of three values:

  • Consistent Exploit Code Likely. This means analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit that vulnerability. This would make the vulnerability an attractive target for attackers; therefore, it is more likely that exploit code would be created. As such, customers who have reviewed the security bulletin and have determined its applicability within their environment might treat a vulnerability with this value as a higher priority.
  • Inconsistent Exploit Code Likely. This means analysis has shown that exploit code could be created, but an attacker would likely experience inconsistent results, even when targeting the affected product. While an attacker may be able to increase the consistency of results by having better understanding and control of the target environment, the unreliable nature of this attack makes it a less attractive target for attackers. As such, customers who have reviewed the security bulletin and determined its applicability within their environment might treat a vulnerability with this value as an important update; however, if prioritizing against other highly exploitable vulnerabilities, they could choose to rank this lower in their deployment priority.
  • Functioning Exploit Code Unlikely. This means analysis has shown that exploit code which functions successfully is unlikely to be released. While an attacker could create exploit code that could trigger the vulnerability and cause abnormal behavior, it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability. Therefore, once customers have reviewed the security bulletin to determine its applicability within their environment, they might prioritize this update below other vulnerabilities within a release.

I hope that this makes life easier for you when assessing our updates.

If you would like to get more information, read the fact sheet.

As always, your feedback is very welcome.

Roger

If you ever heard me keynote an event you know that one of the key messages I have is that partnerships are necessary in order to be able to protect against today's threats.

At Black Hat USA we just announced a new program called Microsoft Active Protections Program. The program is designed to give security vendors advance notification of our security bulletin release. This will help our partners to be able to protect our joint customers against the vulnerabilities we are fixing. The reason why we decided to launch this program is that exploits are developed much faster than they were in the past and security vendors have to act very fast – so let's give them some additional time and try to get ahead of the curve.

The key question will definitely be, who is eligible to join this program. The fact sheet gives you the answer:

  • Members must offer commercial protection features to Microsoft customers against network- or host-based attacks.
  • Members must provide protection features to a large number of customers.
  • Members may not sell attack-oriented tools.
  • Protection features provided by members must detect, deter or defer attacks.

Roger

Our teams around the Microsoft Security Response Center recently launched a new blog called MSRC Ecosystem Strategy Team Blog. The blog is meant to give more insights into the work we do with the security ecosystem, knowing that vulnerabilities and attacks today not "only" affect Microsoft products but very often the Internet as such – just look at the DNS vulnerability.

Something that would definitely be worth looking at: http://blogs.technet.com/ecostrat/default.aspx

Roger

It is not really news anymore as it broke during my vacation. However, it is important from my point of view:

We are a proud sponsor (and not for the first time) of the Privacy Enhancing Technology Awards, which recognize the work of researchers in the area of Privacy Enhancing Technologies. There was a press article published on that: Privacy to the Test - Exploring the Limits of Online Anonymity and Accountability

Roger

Yes, I am back. I was on vacation and therefore did not take the time to blog.

Just briefly: IBM published a pretty good article on the latest DNS attacks. You can read it here: Responding to the DNS vulnerability and attacks

Roger
