May 2008 - Posts

New Guidance on the SQL Injection Attacks
We just published yesterday two new pieces of guidance for the latest SQL Injection attacks, which I want to make sure you saw: Preventing SQL Injections in ASP SQL Injection Attack – which is a great piece of work pulling the different views of the Read More...
Posted 31 May 08 11:23 by rhalbh | 1 Comments   
Microsoft Advisory for Safari Flaw
I posted yesterday on the Safari flaw ( Why Apple has to fix the Safari flaw ) as Apple did not acknowledge that this is a security vulnerability. Unfortunately we now had to release an advisory for this as we started to see that the bad guys could use Read More...
The latest SQL Injection Attacks
Well, there was quite some chatter over the last few weeks with regards to the massive defacements we saw based on SQL Injection Attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these Read More...
Why Apple has to fix the Safari flaw
Remember me talking about Is Security Research Ethical? I made a statement in there when it comes to responsible disclosure of vulnerabilities: And then, what does the vendor do with it? Does the company act on it? Now, we can debate on what a vulnerability Read More...
Posted 30 May 08 09:19 by rhalbh | 1 Comments   
How to sell security
I just read this essay by Bruce Schneier: How to Sell Security . This is definitely a must-read in my opinion. Not that it really tells you how to sell it but it helps you to understand the "mechanics" about it. Roger Read More...
Posted 27 May 08 11:45 by rhalbh | 1 Comments   
How to Hack Windows Vista
No, no. For sure. I am not going to give you advice on how to hack – but look at this video: http://www.offensive-security.com/movies/vistahack/vistahack.html . I am always amazed about these kinds of videos, which still surprise people. If you look years back, Read More...
Two Important Whitepapers on Windows Server 2008
If you are planning to implement Windows Server 2008, there are two papers recently published that could help you with it: Active Directory Certificate Services Upgrade and Migration Guide Configuring and Troubleshooting Certification Authority Clustering Read More...
Researcher at Microsoft Research wins ACM award for Privacy Protection
I just read this article on Cryptography Expert Wins ACM Award for Advances in Protecting Privacy of Information Retrieval . It is really cool to see that the research we do at Microsoft Research not "only" leads to advancements in our products but to Read More...
Posted 26 May 08 08:29 by rhalbh | 0 Comments   
SANS Commits $1 Million to Fight Cybercrime in Developing Countries
You know that I criticize SANS from time to time. Especially when it comes to their handlers, I am convinced that they are creating the problem rather than solving it. This time I have to say that I am impressed as they are helping developing countries Read More...
Adding additional File Formats in Office 2007 SP2
We just announced that we will add support for additional file formats in Office System 2007 SP2. Just read more on Open XML, ODF, PDF, and XPS in Office Roger Read More...
Posted 22 May 08 09:31 by rhalbh | 2 Comments   
Is Security Research Ethical?
Shoaib's blog actually pointed me to a pretty interesting article called Face-Off: Is vulnerability research ethical? - Security Experts Bruce Schneier & Marcus Ranum Offer Their Opposing Points of View . Not surprisingly Bruce says "yes" and Marcus Read More...
Posted 22 May 08 03:26 by rhalbh | 1 Comments   
Analysis of the Estonian Attacks
I just read a paper on the political analysis of the Estonian Attack. If you are interested in reading my post on my other blog (as the analysis is not really technical but interesting), there you go: Analysis of the Estonian Attacks Roger Read More...
You know about PDOS?
Well, I know DOS, I know DDOS, but I never knew PDOS until today: there seems to be a new way to attack systems using the firmware update mechanism and generating a Permanent Denial of Service (actually damaging the hardware)…. I was involved in a Critical Read More...
Posted 21 May 08 03:04 by rhalbh | 0 Comments   
Security Risks of Virtualization
One fact strikes me pretty often: Companies have the problem that they have legacy software running on legacy operating systems (e.g. NT4) running on legacy hardware. This is a severe problem as you all know. Now, these companies look into virtualization Read More...
Posted 21 May 08 05:51 by rhalbh | 2 Comments   
Learnings on Publishing SharePoint on ISA Server
Here Blogging on MOSS 2007 (SharePoint) I talked about the way I use SharePoint and a Codeplex application to build a blog. Shoaib was so kind to let me know that the links of the RSS feed point to the internal server rather than the public URL. If you Read More...
Posted 20 May 08 08:39 by rhalbh | 0 Comments   
Storm coming back?
I just read first reports that Storm is coming back as we speak. This is frightening but shows the power and possibilities of the criminals as well. I have no information yet on how bad it looks; just read the following report: The Storm Worm would Read More...
Posted 20 May 08 02:17 by rhalbh | 1 Comments   
Selling Vulnerabilities and Ethics
Shoaib just blogged on Hacking & Security Community - Ethical or Unethical? . To start with: I do not claim that I know all about ethics and that there is only one view on ethics but I have a clear view on certain things. I blogged on this theme several Read More...
Posted 18 May 08 09:19 by rhalbh | 1 Comments   
The Best Security Blogs on the Web
Well, this is not what I am claiming to have…. This is what I am looking for. At the moment, I am monitoring/reading the following security-related blogs (sorted alphabetically): Microsoft BitLocker™ Drive Encryption Team Blog Chief Security Advisor Finland Read More...
Posted 17 May 08 09:25 by rhalbh | 1 Comments   
Schneier on US Customs Notebook Searches: Do not follow the rules
I just read this article by Bruce Schneier on what to do about US Customs searches: Taking your laptop into the US? Be sure to hide all your data first So, if you look at part of his recommendations, they are: You're going to have to hide your data. Set Read More...
Posted 16 May 08 08:34 by rhalbh | 0 Comments   
Support for Law Enforcement and COFEE
Over the last few weeks there has been a lot of chatter about a tool we provide in a Beta version to Law Enforcement called COFEE: Computer Online Forensic Evidence Extractor. Let me give you some information on COFEE and put it into the proper context. Read More...
Bug Hidden for more than 25 Years
Wow, this was impressive: A Swiss developer posted a blog on Saturday saying that he found a bug which remained hidden for more than 25 years: When seekdir() Won't Seek to the Right Position . BTW: It is in BSD, where the code is available to everyone and as Read More...
Posted 14 May 08 09:25 by rhalbh | 0 Comments   
More than a third of software is stolen
BSA just released today a new piracy study and there are some remarkable facts in there: The worldwide weighted average piracy rate is 38% The median piracy rate in 2007 is 61% Think about the second point for a second: This means that in half of the Read More...
Posted 14 May 08 08:36 by rhalbh | 1 Comments   
Opening a File (Dilbert)
Ever tried to open a file? Roger Read More...
Posted 12 May 08 05:49 by rhalbh | 0 Comments   
What a Botnet looks like
If you would like to know a little bit more about botnets and what they actually look like, there is a researcher who actually drew a map of one: What a Botnet Looks Like Roger Read More...
Posted 09 May 08 10:04 by rhalbh | 0 Comments   
The Debate on Security Metrics
Recently I was sitting on a panel which was pretty heterogeneous: There was a representative from IBM (actually from former ISS), customers, a representative from the Open Source community (who actually, during his presentation always said how bad our Read More...
Posted 09 May 08 09:58 by rhalbh | 0 Comments   
Microsoft is winning the NAC war
I just read an interesting chat with Joel Snyder from Opus One, who did Interop testing on the different NAC solutions. I think he makes some statements which are worth reading (from my perspective anyway): He also says that those who are anti-NAC simply Read More...
Posted 08 May 08 11:48 by rhalbh | 0 Comments   
Testing our Security Technology
Quite a while ago, I blogged on Virtual Labs, an offering we are making to you to get your hands dirty with our products and give you the opportunity to work with different hands-on labs. There is the VirtualLabs offering, containing MSDN and TechNet Read More...
How Microsoft IT does Threat Analysis
I wrote on that already earlier. We make available the processes and tools we use internally for Threat Modeling. To make it clear: this has nothing to do with the Security Development Lifecycle but much more with Microsoft's own IT department. The reason Read More...
8 Dirty Secrets Of The Security Industry
I just read this article called 8 Dirty Secrets Of The Security Industry , which seems pretty nasty. Let's briefly have a look at them: Vendors do not need to be ahead of the hackers; they only need to be ahead of the buyer : Wow, this is a bad statement Read More...
Posted 03 May 08 10:17 by rhalbh | 1 Comments   
The Dumbest Thief of the Month
If there were a prize for the "Dumbest Thief of the Month", this guy deserves #1: Texan tries to cash $360bn cheque Roger Read More...
Posted 03 May 08 09:48 by rhalbh | 0 Comments   