<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog</title><link>http://blogs.technet.com/rhalbheer/default.aspx</link><description>As Chief Security Advisor of Microsoft EMEA - lets share interesting security information</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Talking about Transparency – Windows Azure Dashboard</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/20/talking-about-transparency-windows-azure-dashboard.aspx</link><pubDate>Fri, 20 Nov 2009 08:21:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3295279</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3295279.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3295279</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3295279</wfw:comment><description>&lt;p&gt;This is a nice feature – on this page &lt;a title="http://www.microsoft.com/windowsazure/support/status/servicedashboard.aspx" href="http://www.microsoft.com/windowsazure/support/status/servicedashboard.aspx"&gt;http://www.microsoft.com/windowsazure/support/status/servicedashboard.aspx&lt;/a&gt; we show the current state of our Azure services. This is the kind of transparency (on the operations’ side) we need. 
There is much more needed with regards to process transparency but this is a great first step&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category></item><item><title>Security – A Feature Discussion? Some Thoughts on Google’s Chrome OS</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/19/security-a-feature-discussion-some-thoughts-on-google-s-chrome-os.aspx</link><pubDate>Thu, 19 Nov 2009 21:18:21 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3295205</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3295205.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3295205</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3295205</wfw:comment><description>&lt;p&gt;To be clear upfront: This is not a “Microsoft versus Google” post. I cannot even judge how far Google pushed security with the Chrome OS. 
But the following article raised quite a few questions about how we look at security: &lt;a href="http://blogs.zdnet.com/security/?p=4969&amp;amp;utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29" target="_blank"&gt;Inside the Google Chrome OS security model&lt;/a&gt;. This article, like so many when the security of an operating system is discussed, is completely feature driven. So, we talk about Process Sandboxing, Toolchain Hardening, Kernel Hardening etc. But how relevant is this really? &lt;/p&gt;  &lt;p&gt;Do not get me wrong: It is. But these features have to be the result of an engineering process. These features have to be designed to reduce a certain threat vector – a possible attack scenario – and they have to be laid out in a way that reduces this vector. I recently had a discussion with somebody who wanted to convince me about their security software. My very first question was: How do you develop software? The answer was: We have a great CTO and good developers which engineer our software. My next question: OK, how do you do Threat Modeling? Answer: Our CTO does this since years and knows everything in and out…&lt;/p&gt;  &lt;p&gt;To me, Threat Modeling and transparency with regard to the development process are key! Why shall I trust features? I have to know why and how they are engineered. I need process transparency – and not necessarily code transparency. There is no way I can review code. On the one hand I am not a security development specialist, and on the other I do not have the time to look through the code anyway. The only thing I can build my trust on is the engineering and the response processes. &lt;/p&gt;  &lt;p&gt;So, why do we not rather raise a process discussion than a feature discussion? 
When we had the initial press conference about &lt;a href="http://www.safecode.org/" target="_blank"&gt;SafeCode&lt;/a&gt;, I was asked a pretty interesting question by an analyst: As SafeCode is about sharing best practices with regards to secure development, other vendors who do not use such processes will become a target. Yes, and now? The industry has to learn that engineering and development processes are much more important than features! We use our &lt;a href="http://www.microsoft.com/sdl" target="_blank"&gt;Security Development Lifecycle&lt;/a&gt; – will this lead to absolutely secure code? No, not at all but to a much, much higher bar. We have great examples where we can show that this not only reduces the number of code defects but also leads to a better defense framework adopting defense-in-depth concepts. This is what we need. &lt;strong&gt;Let’s shift the discussion from features to processes!&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;And a final comment: This discussion is even more important in the cloud!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category 
domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Why it pays to be secure – Chapter 4 – I want to learn!</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/13/why-it-pays-to-be-secure-chapter-4-i-want-to-learn.aspx</link><pubDate>Fri, 13 Nov 2009 14:04:33 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3293666</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3293666.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3293666</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3293666</wfw:comment><description>&lt;p&gt;Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.&lt;/p&gt;  &lt;hr /&gt;  &lt;p&gt;Use these Learning Paths to find a range of Microsoft training references and resources on security threats and appropriate countermeasures. Learning resources are organized by level (from basic to expert) and provide information on the planning, prevention, detection, and response phases of security implementation.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Threat and Vulnerability Mitigation Learning Resources:&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-gb/security/cc895218.aspx"&gt;http://technet.microsoft.com/en-gb/security/cc895218.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Learn about security technologies that offer defense-in-depth protection against attacks and provide customers with central visibility and control of the security environment. 
These applications include defenses such as firewalls; antivirus, anti-spyware, and anti-spam software; network access protection; and others.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Security Fundamentals:&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Combine Microsoft technology with tools and guidance to help build a secure foundation for your IT infrastructure. Learn about technologies intrinsic to the operating system that help make computers more resilient to attacks and provide the foundation upon which you can build your other technology investments. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-gb/security/cc895262.aspx"&gt;http://technet.microsoft.com/en-gb/security/cc895262.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Managing Updates and Safeguarding Your Systems:&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;The exploitation of security vulnerabilities in operating systems and application software can lead to loss of revenue and intellectual property. Having properly configured systems, using the latest software, and installing the recommended software updates can help you mitigate this threat. Use the resources in this learning path to help you manage updates and simplify the task of protecting your systems. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-gb/security/cc513135.aspx"&gt;http://technet.microsoft.com/en-gb/security/cc513135.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;-----------------------------------------------------------------------------------------------------------------------------&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;The &lt;/strong&gt;&lt;a href="http://go.microsoft.com/fwlink/?LinkID=154038"&gt;&lt;strong&gt;IT Infrastructure Threat Modelling Guide&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; is now available.&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Organizations today face an increasing number of threats to their computing environments. 
You need a proactive approach to assist you in your efforts to protect your organization's assets and sensitive information. This guide provides an easy-to-understand method that enables you to develop threat models for your IT environment and prioritize your investments in IT infrastructure security. &lt;/p&gt;  &lt;p&gt;This Solution Accelerator includes a Microsoft Word document that helps IT professionals develop and implement threat models for their IT environments, and a Microsoft PowerPoint® presentation that is designed for use in a learning or lecture environment to present the concept of IT infrastructure threat modelling. These materials are designed to help IT professionals accomplish the following: &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Provide use case scenarios for each component to be threat modelled. &lt;/li&gt;    &lt;li&gt;Identify threats that could affect their organizations’ IT infrastructures. &lt;/li&gt;    &lt;li&gt;Discover and mitigate design and implementation issues that could put IT infrastructures at risk. &lt;/li&gt;    &lt;li&gt;Prioritize budget and planning efforts to address the most significant threats. &lt;/li&gt;    &lt;li&gt;Conduct security efforts for both new and existing IT infrastructure components in a more proactive and cost-effective manner. 
&lt;/li&gt; &lt;/ul&gt;  &lt;hr /&gt;Henk and Roger</description></item><item><title>COFEE freely downloadable on the Internet?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/10/cofee-freely-downloadable-on-the-internet.aspx</link><pubDate>Tue, 10 Nov 2009 17:44:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3292896</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3292896.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3292896</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3292896</wfw:comment><description>&lt;P&gt;You definitely have heard of &lt;A href="http://www.microsoft.com/industry/government/solutions/cofee/default.aspx" target=_blank mce_href="http://www.microsoft.com/industry/government/solutions/cofee/default.aspx"&gt;COFEE (Computer Online Forensic Evidence Extractor)&lt;/A&gt; which we make freely available to Law Enforcement through Interpol and NW3C. Now, the probably unavoidable happened and the tool leaked to the Internet. 
There was actually an interesting statement by &lt;A href="http://arstechnica.com/microsoft/news/2009/11/pirates-get-to-taste-microsoft-cofee.ars" target=_blank mce_href="http://arstechnica.com/microsoft/news/2009/11/pirates-get-to-taste-microsoft-cofee.ars"&gt;ArsTechnica&lt;/A&gt; yesterday: &lt;EM&gt;Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;To make our point clear, let me quote Richard Boscovich, senior attorney, Internet Safety at Microsoft Corporation: &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;We have confirmed that unauthorized and modified versions of Microsoft’s COFEE tool have been improperly posted to bit torrent networks for public download.&amp;nbsp; We strongly recommend against downloading any technology purporting to be COFEE outside of authorized channels – both because any unauthorized technology may not be what it claims to be and because Microsoft has only granted legal usage rights for our COFEE technology for law enforcement purposes for which the tool was designed.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Note that contrary to reports, we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to ‘build around’ to be a significant concern.&amp;nbsp; COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world.&amp;nbsp; Its value for law enforcement is not in secret functionality unknown to cybercriminals, its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;In cooperation with our partners, we will continue to work to mitigate unauthorized distribution of our technology beyond the means for which it’s been legally provided and, again, would strongly discourage people from downloading unauthorized versions of the tool.&amp;nbsp; As always, law enforcement wishing to use COFEE can safely get the latest released version of the tool free of charge through the established channels with both NW3C and INTERPOL by contacting NW3C at &lt;/EM&gt;&lt;A href="http://www.nw3c.org/" mce_href="http://www.nw3c.org"&gt;&lt;EM&gt;www.nw3c.org&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; or INTERPOL at &lt;/EM&gt;&lt;A href="mailto:cofee@interpol.int" mce_href="mailto:cofee@interpol.int"&gt;&lt;EM&gt;cofee@interpol.int&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;So, to be clear: It is not “only” illegal but it is modified as well. Do you really want to install that?&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>International Collaboration on Policies for Cybersecurity and Data Protection</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/05/international-collaboration-on-policies-for-cybersecurity-and-data-protection.aspx</link><pubDate>Thu, 05 Nov 2009 20:41:43 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3291803</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3291803.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3291803</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3291803</wfw:comment><description>&lt;p&gt;For a few years now we have been working with the Council of 
Europe in a partnership to help to drive a Cybersecurity treaty. We realize that a problem a lot of Law Enforcement agencies have is inconsistent legislation, which makes it unbelievably hard to catch the criminals. The Council of Europe treaty is a great starting point and has been ratified not only by most of the member states of the Council of Europe but by a lot of additional countries around the globe.&lt;/p&gt;  &lt;p&gt;Now, the European Union and the United States have agreed to treat such challenges as international issues and to develop joint policies based on shared values. &lt;/p&gt;  &lt;p&gt;Unfortunately, the agreement is not too concrete, but the fact that we have an agreement in place should give us hope: &lt;a href="http://www.se2009.eu/polopoly_fs/1.21271%21menu/standard/file/EU-US%20Joint%20Statement%2028%20October%202009.pdf" target="_blank"&gt;EU-US Joint Statement on &amp;quot;Enhancing transatlantic cooperation in the area of Justice, Freedom and Security&amp;quot;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category 
domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Power of Knowledge: Security Intelligence Report v7</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/02/power-of-knowledge-security-intelligence-report-v7.aspx</link><pubDate>Mon, 02 Nov 2009 16:06:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3290851</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3290851.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3290851</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3290851</wfw:comment><description>&lt;p&gt;It has been a good tradition for quite a while that we make the intelligence we have accessible to the broad public. This will help our customers to protect themselves much better. The Security Intelligence Report (SIR) is built on an unparalleled set of sensors out there on the Internet:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;Malicious Software Removal Tool (MSRT)&lt;/strong&gt;: runs on 450 million computers worldwide each month. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;BING&lt;/strong&gt;: performs billions of Web-page scans per year. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Windows Live OneCare and Windows Defender&lt;/strong&gt;: on 100 million + computers worldwide. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Forefront Online Protection for Exchange&lt;/strong&gt;: scanning billions of emails yearly. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Windows Live Hotmail&lt;/strong&gt;: 30 + countries - hundreds of millions of active e-mail users. 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;As there is nobody in the industry who is able to match this, we are convinced that it is of utmost importance that we share our intelligence with the broad industry.&lt;/p&gt;  &lt;p&gt;Looking at the report itself, there are a few key findings this time:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;Rogue Security Software&lt;/strong&gt; is still one of the biggest threats for our customers. Even though we found less rogue software on computers (13.4 million computers compared to 16.8 million in H208) it is still a significant threat to the ecosystem. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Worms are back&lt;/strong&gt;: Worms rose from fifth place to number 2 with a 98.4% increase. This is largely due to Conficker and Tatef. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;To visualize the second point, let’s look at the computers cleaned by threat category:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290842/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x298[1]" border="0" alt="500x298[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x298%5B1%5D_3.png" width="500" height="298" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;This is a pretty significant spike.&lt;/p&gt;  &lt;p&gt;There are a few diagrams I usually like to look at as well. One is the geographical distribution in order to understand my region. 
So, let’s look at the malware infections globally:    &lt;br /&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290846/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x301[1]" border="0" alt="500x301[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x301%5B1%5D_1.png" width="500" height="301" /&gt;&lt;/a&gt;So, you see there is quite some room for improvement.&amp;#160; &lt;/p&gt;  &lt;p&gt;Now, to close this very, very short summary of the report, it is definitely worth looking at two additional graphs. One is the malware distribution per Operating System:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290847/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x320[1]" border="0" alt="500x320[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x320%5B1%5D_1.png" width="500" height="320" /&gt;&lt;/a&gt; This supports a statement I make so often: If I would have one wish to our customers, it would be: “Always stay on the latest version of all the software you have” – not from a business perspective but from a security view. And the second wish would be, cover all your software, when you do patch management. Remember my post called &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/26/patch-management-cover-the-whole-9-yards.aspx" target="_blank"&gt;Patch Management – Cover the whole 9 yards&lt;/a&gt;? I told you that you should take care of the whole software stack – not “just” Microsoft. 
And the reason for that is the following diagram:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290848/original.aspx" target="_blank"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="500x291[1]" border="0" alt="500x291[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x291%5B1%5D_1.png" width="500" height="291" /&gt;&lt;/a&gt; As you can easily see, our share in the overall vulnerability landscape is very, very small. So, we need a joint effort across the whole industry to write secure software from the bottom up with processes like the Security Development Lifecycle! And guess what – your problem will not become easier to solve when you move to the cloud.&lt;/p&gt;  &lt;p&gt;Now, if you want to read the report, here are the important links:   &lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The &lt;a href="http://www.microsoft.com/security/portal/Threat/SIR.aspx" target="_blank"&gt;Security Intelligence Report landing page&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;The &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&amp;amp;displaylang=en" target="_blank"&gt;download page for the report&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;And the &lt;a href="http://go.microsoft.com/?linkid=9693459" target="_blank"&gt;video with Ken and Vinny&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Have fun&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Security Compliance Management Toolkit Series for IE 8 and Windows 7</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/30/security-compliance-management-toolkit-series-for-ie-8-and-windows-7.aspx</link><pubDate>Fri, 30 Oct 2009 16:09:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3290419</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3290419.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3290419</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3290419</wfw:comment><description>&lt;p&gt;Just a brief one: the Security Compliance Management Toolkit Series has been updated to incorporate Internet Explorer 8 and Windows 7. 
So, to help you to manage security and compliance in your environment, you should have a look at it: &lt;a title="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx" href="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx"&gt;http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Look at the Enhanced Mitigation Evaluation Toolkit</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/29/look-at-the-enhanced-mitigation-evaluation-toolkit.aspx</link><pubDate>Thu, 29 Oct 2009 12:26:56 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3290042</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3290042.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3290042</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3290042</wfw:comment><description>&lt;p&gt;Recently we announced the availability of the Enhanced Mitigation Evaluation Toolkit. This is a toolkit which makes it easier to defend your application on different levels – free of charge. Read the post done by our Security Research and Defense guys: &lt;a href="http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx" target="_blank"&gt;Announcing the release of the Enhanced Mitigation Evaluation Toolkit&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Secure Datacenter, Secure Cloud, Secure 
Government</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/28/secure-datacenter-secure-cloud-secure-government.aspx</link><pubDate>Wed, 28 Oct 2009 07:06:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3289721</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3289721.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3289721</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3289721</wfw:comment><description>&lt;P&gt;At the moment I invest a lot of my time in a Whitepaper on Client and Cloud Security. There are a few fundamentals, which are already clear to me:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;You will not be able to run a trusted cloud ecosystem without a trusted client and trusted interactions. So, the End to End Trust model is needed in the cloud as well.&lt;/LI&gt;
&lt;LI&gt;A strong, federated identity metasystem is at the base of any cloud security&lt;/LI&gt;
&lt;LI&gt;Process transparency is an absolute need if you move to the cloud. If the provider tells you “you should not care about that, we take care of your security” – walk away from the deal.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;This morning I read a blog post by Theresa Carlson. She is a Vice President in the Public Sector at Microsoft US and blogged about &lt;A href="http://blogs.msdn.com/uspublicsector/archive/2009/10/14/secure-the-datacenter-secure-the-cloud.aspx" target=_blank mce_href="http://blogs.msdn.com/uspublicsector/archive/2009/10/14/secure-the-datacenter-secure-the-cloud.aspx"&gt;Secure the Datacenter, Secure the Cloud&lt;/A&gt;. She raises the issue of process transparency as well and it is a post which is definitely worth reading.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cloud+Computing/default.aspx">Cloud Computing</category></item><item><title>Pandemic Planning (Dilbert)</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/26/pandemic-planning-dilbert.aspx</link><pubDate>Mon, 26 Oct 2009 16:44:46 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3289235</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3289235.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3289235</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3289235</wfw:comment><description>&lt;p&gt;Get ready for the swine flu:&lt;/p&gt;  &lt;p&gt;&lt;a title="Dilbert.com" 
href="http://dilbert.com/strips/comic/2009-10-24/"&gt;&lt;img border="0" alt="Dilbert.com" src="http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/70000/1000/200/71293/71293.strip.gif" width="500" height="155" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Fun/default.aspx">Fun</category></item><item><title>Could Microsoft solve the scareware problem?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/22/could-microsoft-solve-the-scareware-problem.aspx</link><pubDate>Thu, 22 Oct 2009 06:55:33 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3288349</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3288349.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3288349</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3288349</wfw:comment><description>&lt;p&gt;This morning I read the following article: &lt;a href="http://www.itnews.com.au/News/158689,commentary-microsoft-can-help-kill-fake-antivirus-threat.aspx"&gt;Microsoft can help kill fake antivirus threat&lt;/a&gt;. An interesting approach. The proposal is that we could white-list all the legitimate security software within the OS in order to make it harder to trick the user. 
Well, would this work? I am not so sure:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;First of all, what is Security Software and how do you find out? All the security vendors can play by the rules and make sure it is detectable. But scareware (fake anti-malware software) will probably not – or will for sure not. So, what is the difference between any legitimate application, any application which interacts with the desktop and presents a GUI vs. scareware? Scareware just shows scary windows and makes you install their software – which is typically malware. &lt;/li&gt;    &lt;li&gt;The base technology is in Windows but it would have to be applied to security software only. &lt;/li&gt;    &lt;li&gt;What is legitimate security software? There are obvious ones like Symantec’s, McAfee’s, Trend Micro’s, F-Secure’s, Microsoft's solutions. That’s easy. But I am sure (just an experience from the past) that there will be a pretty big gray zone which makes it very hard to decide and who decides then – us? &lt;/li&gt;    &lt;li&gt;Last but not least, let’s talk about the regulators. Do they (and does the market) really want us to take this decision and “certify” anti-malware solutions? This would come with a price – and reading the comments in the article below, this is one of the issues. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;To me, the problem is wider spread than “just” fake anti-malware solutions. I understand that this is a problem – definitely and I understand that the thought of white-listing security software is attractive. But the problem is malware in general and how the criminals trick the user into installing something they do not want. This leads back to the question of the trusted stack which we address in our &lt;a href="http://www.microsoft.com/endtoendtrust"&gt;End to End Trust&lt;/a&gt; vision. 
To me, that’s the only approach which can be successful.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description></item><item><title>Why it pays to be secure – Chapter 3 – But how do I?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/18/why-it-pays-to-be-secure-chapter-3-but-how-do-i.aspx</link><pubDate>Sun, 18 Oct 2009 18:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287536</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287536.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287536</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287536</wfw:comment><description>&lt;P&gt;Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.&lt;/P&gt;
&lt;HR&gt;

&lt;P&gt;Security — you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin? &lt;/P&gt;
&lt;P&gt;From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Senior Security Strategist with the Microsoft Trustworthy Computing Group Kai Axford, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how to mitigate the new risks in security and may have you rethinking the methods you’re using. He also spends time talking about your hot topics of the day. &lt;/P&gt;
&lt;P&gt;Specifically there is an 8 part series as detailed below:&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 7, 2008 &lt;/P&gt;
&lt;P&gt;In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. &lt;STRONG&gt;Bring your CFO to this one!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 8, 2008 &lt;/P&gt;
&lt;P&gt;In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 9, 2008 &lt;/P&gt;
&lt;P&gt;Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 10, 2008 &lt;/P&gt;
&lt;P&gt;In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected to? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead? &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 14, 2008 &lt;/P&gt;
&lt;P&gt;We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 15, 2008 &lt;/P&gt;
&lt;P&gt;Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks! &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 16, 2008 &lt;/P&gt;
&lt;P&gt;Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)&lt;/A&gt; &lt;/B&gt;&lt;B&gt;Original Air Date: &lt;/B&gt;January 17, 2008&lt;/P&gt;
&lt;P&gt;Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!&lt;/P&gt;
&lt;HR&gt;
Henk and Roger 
</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category></item><item><title>COFEE now distributed via a NW3C as 
well</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/16/cofee-now-distributed-via-a-nw3c-as-well.aspx</link><pubDate>Fri, 16 Oct 2009 09:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287248</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287248.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287248</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287248</wfw:comment><description>&lt;P&gt;COFEE is a tool available to Law Enforcement only to capture online evidence with as little training as possible. The idea behind the tool is that there is little need for highly trained staff to be available during e.g. house searches and that a normal, much less trained officer can capture all the data. Until today, Interpol was the only channel for distribution. Now, &lt;A href="http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx" target=_blank mce_href="http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx"&gt;the US National White Collar Crime Center is the second organization being able to distribute it&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;If you are a Law Enforcement Agency/Officer and want access to the tool, you may contact Interpol or NW3C.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Software Piracy – A Threat to Security!</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/14/software-piracy-a-threat-to-security.aspx</link><pubDate>Wed, 14 Oct 2009 12:08:57 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3286790</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3286790.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3286790</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3286790</wfw:comment><description>&lt;p&gt;At the beginning of this year, I tried to understand whether we can show a collaboration between Piracy (stolen software) and Malware Infections. 
I played a little bit with the data I had available and came to the conclusion that there most probably is: &lt;a href="http://www.halbheer.info/security/archive/2009/01/20/is-there-a-correlation-between-stolen-software-piracy-and-securitypatching.aspx" target="_blank"&gt;Is there a Correlation between Stolen Software (Piracy) and Security/Patching?&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Now, the &lt;a href="http://www.bsa.org" target="_blank"&gt;Business Software Alliance&lt;/a&gt; recently published &lt;a href="http://global.bsa.org/globalpiracy2008/index.html" target="_blank"&gt;their annual report for 2008 with regards to pirated software&lt;/a&gt; again. So, this is the summary of the study:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;2008 was another year of mixed progress in the fight against PC software piracy. The good news is that the rate of PC software piracy dropped in 57 (52 percent) of the 110 countries studied and remained stable in another 39 countries (35 percent).&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;The bad news is that despite the drop in piracy in many countries, the global PC software piracy rate went up. This was the mathematical outcome of rapid growth of PC markets in high-piracy countries. Emerging markets saw PC shipments grow 33 percent faster than mature markets. Even if piracy were to go down in every high-piracy country, their growing market share for PCs will continue to drive the global average up until piracy is cut more deeply.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;What really shocks me is when I look at the “best” countries. United States is the best with 20% (!) stolen software. I am living in Switzerland and here (place 6) there is a 25% piracy rate. So, think about that. In one of the wealthiest countries, 1/4 of the software is stolen. This is like you get only paid for 6 hours a day if you work 8 (at best!).&lt;/p&gt;  &lt;p&gt;We can now debate about Open Source and free software. 
I am still convinced that personally I want to get paid for my intellectual property and that protection of IP is the foundation of any growth or recovery. However, I did not want to elaborate on this.&lt;/p&gt;  &lt;p&gt;In addition to this interesting report, the &lt;a href="http://www.bsa.org" target="_blank"&gt;Business Software Alliance&lt;/a&gt; published another one called: &lt;a href="http://www.bsa.org/internetreport" target="_blank"&gt;Software Piracy on the Internet: A Threat To Your Security&lt;/a&gt;. The conclusion of this report is that &lt;em&gt;Individuals who, mistakenly or otherwise, turn to auction sites and peer-to-peer networks to acquire or transfer illegal software expose themselves to everything from malware and identity theft to criminal prosecution&lt;/em&gt;.&lt;/p&gt;  &lt;p&gt;Worth reading it!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description></item><item><title>SharePoint External Collaboration Toolkit moved to Codeplex</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/14/sharepoint-external-collaboration-toolkit-moved-to-codeplex.aspx</link><pubDate>Wed, 14 Oct 2009 11:20:59 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3286762</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3286762.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3286762</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3286762</wfw:comment><description>&lt;p&gt;Quite a while ago I blogged about the SharePoint External Collaboration Toolkit. 
I just wanted to make you aware that this toolkit is now moved to Codeplex and can be found here: &lt;a title="http://cks.codeplex.com/" href="http://cks.codeplex.com/"&gt;http://cks.codeplex.com/&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/OpenSource/default.aspx">OpenSource</category></item></channel></rss>