Children – A Threat For Corporate Security?

I read this article this morning: Safer Internet Day: How children can undermine corporate security and it actually reminds me of all the PCs I looked at in my private environment. When I see a heavily infected PC, the parents always keep telling me that the Peer-to-Peer network software on the PC was installed by the kids and that they are downloading software. This is a problem at home – but definitely a bigger one on your corporate notebook.

What can you do against it? Well, you could lock down the notebooks – and make it impossible for people to work anymore. I think it is much more about awareness as well as enforcing policy compliance. It is pretty obvious that if somebody runs illegal copies of software on a corporate asset, this puts you as a company at legal risk. Therefore it might make sense to run a Software Inventory and check regularly for such software – and then kick off the corresponding administrative processes.

Roger

Use Music to Fight Cybercrime: ‘Maga No Need Pay’

When I travel through Africa, the high piracy rate is often something we address. Not necessarily from a commercial perspective but much more from a security angle. We know that pirated software is often infected with malware and therefore used for criminal activities. However, the discussion is a difficult one as a lot of people do not really see the value of software as you cannot touch it. I sometimes face discussions like a customer telling me that they hired a consulting company to assess their security and now they want Microsoft’s help to fix the problems. When we talk about Microsoft Consulting Services, the customer tells me: “I am paying so much for your software, why do I have to pay for consultants as well?”. It is often clear for them that consulting has a price but the value of software is what we have to “sell” there.

Now, the government of Nigeria and Microsoft started to use music to fight Cybercrime (not only piracy). This is a thrilling way to spread the word and to address the target audience – something I think you should look at.

Here you find the press release by the Nigerian government: EFCC, Microsoft, Employ Music To Fight Cybercrime

The music clip can be found here.

And finally, a blog post by Tim Cranton, an Associate General Counsel at Microsoft: ‘Maga No Need Pay’: Nigeria Gets Creative to Fight Cyber Scams

Have a lot of fun

Roger

Targeted Attacks – the “Real” Problem

When I talk to customers, the different attacks are often something we discuss (obviously). I often mention that Virus and Worm attacks on a broad scale (like Conficker etc.) are a serious problem but at least one we see, one we understand and one we can fight (because we see and understand it).

However, my real concern is targeted attacks on governments and companies, as they are incredibly hard to detect. In the last few months, every once in a while we read in the press about an attack on a government and sometimes they went undetected for months until either something happened like a server crashed or law enforcement found out somehow.

This morning I read an article which actually claims that the problem is even bigger than I thought: Report Details Hacks Targeting Google, Others – actually the article just uses the Google attacks to attract the readers as it does not really talk about it but the content is interesting nevertheless

Roger

Posted 05 February 10 11:58 by rhalbh | 2 Comments   
Cloud Security Paper: Looking for Feedback

Like most of you, I was looking for information and opinions on Cloud Security over the last year. I found a lot of papers but when I talk to our customers I realize that they think about the Cloud but Cloud Security is mainly something for the specialists – which it is not for me. Therefore I was looking into preparing something on a management level which is easy to read and understand and finally creates more appetite to look deeper into the subject.

Probably the biggest challenge we had was to make sure that we do not oversimplify. Finally, we did not want to re-invent the wheel. There is very good material out there, e.g. from the Cloud Security Alliance and ENISA, which I would rather reference than do something similar.

At the end we came up with two new papers. One is written by our Trustworthy Computing organization and is a high-level overview of the Cloud and the corresponding security opportunities and challenges. You can find it here: Security in Cloud Computing Overview.

Additionally, Doug Cavit – a Principal Security Strategist at Microsoft – and I were working on core considerations you have to make when you include the Cloud in your IT strategy. The paper is located here: Cloud Computing Security Considerations. This is the paper I would like to get your feedback on. Please keep the target audience in mind. In other words, if you give this paper to your CIO or even your CEO, if you would give it to a government elite in your country or a journalist – what is your view on it? What are you missing? What is good?

To set your expectations: I will answer all mails with constructive feedback but as I am heavily on the road over the next few months, give me a little bit more than 24 hours (which I try to have normally) – but I will come back to you, promised! If you think that a call might be more accurate as you have so much to say, we might be able to do that – depending on the number of requests. What I cannot promise is that we include all the feedback into a next version – if a next version is needed. My experience shows that feedback is sometimes contradicting each other and sometimes I will disagree – and we might have to sort that out.

So, you are definitely free to use the documents and if you would even be willing to take the time to give us feedback, I would highly appreciate it. My mail is roger.halbheer@microsoft.com – looking forward to a lot of mails!

Roger

Data Protection Day: An Interesting Study

As you might know, it was time for the Data Protection Day in Europe again. Unfortunately I did not find the videos from this year’s competition yet but I guess we will find them later on the page and on YouTube.

However, we released a study on Privacy which is pretty interesting. Find the summary here: Microsoft Releases a Study on Data Privacy Day

And there you can see a video as well which summarizes the results of the study:


Roger

IE Vulnerability: Going Out of Band

Just to make sure you have seen that: We just released a blog post, Security Advisory 979352 – Going out of Band

Quoting the blog:

Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks.  To date, the only successful attacks that we are aware of have been against Internet Explorer 6.

[…]

Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.

The release-time will be communicated tomorrow.

So, from my point of view, you should do two things now:

  1. Deploy the Security Update as soon as it is out
  2. Upgrade to Internet Explorer 8 if you have not done so yet

Roger

Update on the Internet Explorer Vulnerability

There was and still is a lot of noise regarding the Internet Explorer vulnerability reported in Microsoft Security Advisory 979352 – including the normal discussion about which browser is most secure. A discussion I do not want to get into here but I think it is necessary to lay out the facts instead of all the rumors out there. George Stathakopoulos, General Manager in Trustworthy Computing and overall responsible for our response processes, published a blog tonight: Further Insight into Security Advisory 979352 and the Threat Landscape which is definitely worth reading for all of you.

I think the most important statements in there are:

The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time.

So, if it really happens that you still run Internet Explorer 6, get off of it – as soon as possible. This basically has nothing to do with the vulnerability in discussion. This is a general security-related activity.

and finally:

Customers who are using Windows XP SP2 should be sure to upgrade to both IE8 and enable Data Execution Protection (DEP), or upgrade to Windows XP SP3 which enables DEP by default, as soon as possible.

Roger

Security Advisory on the recent Internet Explorer Vulnerability

I guess you might have seen it by now but if not, please make sure you read and understand the material available:

This night we released a Security Advisory on a Vulnerability in Internet Explorer Could Allow Remote Code Execution. The reason for that is that our investigations have shown that this vulnerability was one of the attack vectors used in the recent attacks against Google. So, please read the blog post of our Microsoft Security Response Center on the release of the advisory.

I just want to quote some of the key elements in there:

Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.

[…]

Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

[…]

Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

There are some additional mitigations shown in the advisory. However, a few things from my side:

  • Yes, it is a vulnerability and we do everything to fix it in time without breaking your systems. So, even though we all understand the urgency of an update, it has to be tested. There is a good chance that soon somebody will release an update for this vulnerability not coming from us. The past experience has shown that those updates usually are not tested thoroughly and that there is a good chance that it will break certain systems. Often this risk is higher than the risk of being attacked in my opinion.
  • Make sure that you are watching our internet sites in case we go out of band.
  • Use the protections built in to the Operating System and the browser. E.g. Data Execution Prevention as mentioned above. Yes, it breaks certain applications. On my system, where I switched DEP completely on, I had to exclude my Sony Reader software as it did not work – it was terminated and it took me a while to figure out why. But this is the only application which had to be excluded. Switch that on (use Group Policies) in Internet Explorer as well.

I realized that it might be necessary to give an introduction in how to switch DEP on and I therefore wrote a post on that as well today: Leveraging Data Execution Prevention (DEP)

Roger

Leveraging Data Execution Prevention (DEP)

The recent IE attacks have shown again that the current technology built into Windows Vista and Windows 7 could at least help to mitigate the attacks. One of these technologies which could be used more broadly is Data Execution Prevention (DEP). Here is how to switch DEP on (it is fairly well hidden).

  1. First, enable it in your BIOS. It might have different names in your system. Basically it enables the use of the NX flag in the processor. Most systems I know of today, have switched it on by default.
  2. Boot your OS and go to the System settings (right-click on Computer – Properties).
  3. On the following screen, choose System Protection
  4. In the System Properties dialogue which follows, you have to select the Advanced tab and there, in Performance, click on Settings.
  5. And then choose Data Execution Prevention. The default is Turn on DEP for essential Windows programs and services only, which is good enough for most environments. I increased the security of my machine, but I have to manage it as well, as I have to exclude (or de-install) applications which do not comply.

Now, this is on an OS level for your applications in general. In IE, it is in the Internet Options.

This option is switched on by default in Internet Explorer 8 (in my case re-enforced through Group Policies and therefore gray). This might have an impact on usability as certain poorly written plug-ins will crash – something I can definitely live with. On the IE blogs, there is a post describing DEP in IE8: IE8 Security Part I: DEP/NX Memory Protection
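To verify the result of the steps above without clicking through the dialogs, the following PowerShell sketch (an added example, not part of the original post) reads the system-wide DEP policy from WMI and lists the programs excluded through the DEP dialog. It assumes Windows PowerShell 3.0 or later; the function and variable names are illustrative, and the script changes nothing on the machine.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Requires Windows PowerShell 3.0 or later (Get-CimInstance, [pscustomobject]).

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$DepPolicyNames = @{
    0 = 'AlwaysOff: DEP disabled for every process'
    1 = 'AlwaysOn: DEP for every process, exclusions ignored'
    2 = 'OptIn: essential Windows programs and services only (default)'
    3 = 'OptOut: every program except those explicitly excluded'
}

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        HardwareNxAvailable = [bool]$os.DataExecutionPrevention_Available
        Enforced32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        EnforcedDrivers     = [bool]$os.DataExecutionPrevention_Drivers
        PolicyValue         = $policy
        PolicyName          = $DepPolicyNames[$policy]
    }
}

function Get-DepExclusion {
    # Programs excluded through the DEP dialog are recorded as values
    # under this key, with data containing "DisableNXShowUI".
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $path)) { return }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        if ([string]$key.GetValue($name) -match 'DisableNX') { $name }
    }
}

$status = Get-DepStatus
$status | Format-List

if (-not $status.HardwareNxAvailable) {
    Write-Warning 'No hardware NX support reported: check the BIOS setting (step 1).'
}

switch ($status.PolicyValue) {
    0 { Write-Warning 'DEP is off. From an elevated prompt: bcdedit /set nx OptIn (or OptOut), then reboot.' }
    1 { Write-Output 'AlwaysOn: no per-program exclusions are honoured.' }
    2 { Write-Output 'Default policy. To cover all programs: bcdedit /set nx OptOut from an elevated prompt, then reboot.' }
    3 {
        $excluded = @(Get-DepExclusion)
        Write-Output ("OptOut is active; {0} excluded program(s):" -f $excluded.Count)
        $excluded
    }
}
```

Run across a fleet, the `PolicyValue` and exclusion list give a quick way to spot machines that are still on the default or that have accumulated exclusions nobody reviews.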

Just use it!

Roger

HP and Microsoft Partnership: That’s What You Need in the Cloud

Often when I talk to our customers and they ask me about the cloud, a lot of questions come up. Most of them are security related (obviously) but some of them are more management focused. For example the question about how to manage a hybrid environment, where part of your business is run on premise, part of it in the cloud (be it private, community or public)? Whom do I call if things go wrong?

The same is true for partners who want to build solutions on our technology like Windows Azure.

I am convinced that the announcement you heard yesterday is a step in the very right direction. If you want to know more about it, you should read New HP and Microsoft Agreement to Simplify Technology Environments.

There is a video section showing how our Execs see the agreement:

Steve Ballmer, Microsoft

Mark Hurd, HP

And there are a lot of other voices there.

It is all about your choice how to embrace the cloud - nobody else's!

Roger

Un-Google Yourself: Remove your Web Content

A few days ago, I blogged on Tired of Web 2.0? Kill your Online Identities – an automated way to “disappear” from Web 2.0 (actually Facebook has banned the tool since…).

Today, I was reading an article called Un-Google Yourself. Trust me, I am not explicitly looking for such approaches but seem to find them at the moment…

I am not sure whether the un-googling really works but if you want to give it a try, let me know how it turned out. If When Goog becomes your Roommate is true, this is something we should consider – BTW if you have not seen those videos yet, you should definitely take the time to do so.

Roger

Posted 12 January 10 11:27 by rhalbh | 0 Comments   
Tired of Web 2.0? Kill your Online Identities

No, this is not a joke. If you are tired of all the discussions about Web 2.0, the privacy breaches and the related problems, you can commit Web 2.0 Suicide. There is a Web 2.0 Suicide Machine – but be warned before you do it – this process seems to work and is not reversible. There is no “undo”! Here is the link: http://suicidemachine.org/

Just provide it with all your credentials and it will unfollow all your followers, “unfriend” all your friends and reset all your passwords so that you cannot log back in to your social networks…

This is the promotional video:

web 2.0 suicide machine promotion from moddr_ on Vimeo.

So, be careful but it is interesting. From the FAQ:

If I kill my online friends, does it mean they're also dead in real life?

No!

What do I need to commit suicide with the Web 2.0 Suicide Machine?

A standard webbrowser with Adobe flashplugin and javascript enabled. So, it runs on Windows, Linux and Mac with most of browsers available.

If I start killing my 2.0-self, can I stop the process?

No!

If I start killing my 2.0-self, can YOU stop the process?

No!

The name is pretty harsh but the idea shows that there are some limits to how far people want to be publicly exposed. But it seems to be very successful: At the moment, Facebook blocked the service…

Roger

Posted 07 January 10 10:01 by rhalbh | 1 Comments   
The “Year-2010” Problem: Failure of ATM cards!

When the industry prepared for the Year 2000, I was working in a consulting company living well from doing reviews on Y2k-projects. Then the year 2000 came and nothing happened (besides a big party).

Then year 2010 came – and the bug actually got hold of us. Initially I thought that I was reading a joke but it seems to be true. The German Sparkassen (a banking brand) had a problem with their ATM cards: The Gemalto chip on the card was unable to process the year correctly and failed to give you money.

I do not know how you handle your daily money consumption but here in Switzerland you are able to pay almost everywhere with your debit (say ATM) card. So, the cash I have with me is very limited and I run into a serious problem if I cannot pay with plastic. Additionally to get to money – you need the card again. And finally I often rely on the fact that I can get local currency in a lot of countries with my debit card.

This really causes some serious troubles and – at the end of the day – affects the critical infrastructure of a country – all of a sudden and without pre-warning.

If you are able to read German, here are two articles about it. Unfortunately I did not find anything in English:

Roger

MTaS: Malware Testing as a Service

Well, in my last post I wrote about the prices for malware. Today I read the next evolution of this: The possibility to have malware tested against anti-malware tools – not to make sure malware is really recognized, no, the other way round: To make sure it is not recognized.

I read this article on wired.com: Underground Services Let Virus Writers Check Their Work – and you get a good report.

It is getting worse and I am not sure that we as an industry move fast enough – especially I feel that the criminals have the better collaboration than the good guys. I do not mean the vendors only, I mean the vendors, customers, governments. That’s needed!

Roger

Posted 05 January 10 10:09 by rhalbh | 1 Comments   
The Cybercriminal’s Wish List

I know that Christmas is over and I know how my kids actually compile a Wish List: They take most of the ads (which are targeted to them) and glue them onto a piece of paper for Mom and Dad to make sure that everything can be found under the Christmas tree… I guess you know the drill.

If you look at cybercriminals, the whole thing is much simpler as the prices are lower than the expectations of my kids. I just read a blog post called Cybercriminals go shopping, where they show a list of prices for Trojan installations:

This is targeted marketing, isn’t it?

Roger

Posted 01 January 10 12:48 by rhalbh | 1 Comments   