<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Consumer</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx</link><description>Tags: Consumer</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Security and Usability</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/26/security-and-usability.aspx</link><pubDate>Thu, 26 Nov 2009 21:04:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3296547</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3296547.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3296547</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3296547</wfw:comment><description>&lt;p&gt;It is not a new concept: The secure way is only secure if it is the easiest way. I have seen a lot of solutions which are extremely secure – in the eyes of the security people. However, the users find a lot of ways to circumvent the security measures because they are too complex to fulfill the business needs or it is simply not possible to run a business within the limits of the security policies. 
Do not get me wrong: Security always comes with a certain level of inconvenience – but the question is always whether we are able to find the balance between usability, the business needs and the risk management of a company.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://research.microsoft.com/en-us/um/people/blampson/" target="_blank"&gt;Butler Lampson&lt;/a&gt;, a Technical Fellow with Microsoft Research, wrote an article on ACM called &lt;a href="http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext" target="_blank"&gt;Usable Security: How to Get It&lt;/a&gt; which is definitely worth reading.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3296547" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>The Africa Cable – A Chance for Africa! 
– A Threat for the Internet?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/07/the-africa-cable-a-chance-for-africa-a-threat-for-the-internet.aspx</link><pubDate>Wed, 07 Oct 2009 17:10:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3285281</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3285281.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3285281</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3285281</wfw:comment><description>&lt;P&gt;The development in Africa, especially with the new broadband services, is to me a huge chance for the whole continent. &lt;/P&gt;
&lt;P&gt;I just found this map covering the next two years:&lt;/P&gt;
&lt;P&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=3764474517_78d7b452a3[1] border=0 alt=3764474517_78d7b452a3[1] src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/3764474517_78d7b452a3%5B1%5D_60e29930-d7d9-4434-a03a-575ba09ed3d0.jpg" width=500 height=473 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/3764474517_78d7b452a3%5B1%5D_60e29930-d7d9-4434-a03a-575ba09ed3d0.jpg"&gt; &lt;/P&gt;
&lt;P align=center&gt;source: IntelFusion&lt;/P&gt;
&lt;P&gt;Even though I have not been in Africa over the last few months, I heard that in different cities fiber is brought directly to the household, which brings technology and opportunities I would love to see here in Western Europe, where we still have to rely on copper. So, if the governments in Africa are serious about this, I think this is an outstanding growth opportunity for those markets. &lt;/P&gt;
&lt;P&gt;On the other hand, when I talk to customers and governments in Western Europe, there is a lot of distrust as well. Can we trust the governments? How much malware will be spread coming from this continent? Actually, the trigger for this post was the following article outlining just this: &lt;A href="http://intellibriefs.blogspot.com/2009/10/africa-home-of-worlds-largest-cyber.html" mce_href="http://intellibriefs.blogspot.com/2009/10/africa-home-of-worlds-largest-cyber.html"&gt;Africa - home of the world’s largest cyber pandemic&lt;/A&gt; – which makes me think.&lt;/P&gt;
&lt;P&gt;If I look at our &lt;A href="http://www.halbheer.info/security/archive/2009/04/08/security-intelligence-report-scareware-on-the-raise.aspx" target=_blank mce_href="http://www.halbheer.info/security/archive/2009/04/08/security-intelligence-report-scareware-on-the-raise.aspx"&gt;Security Intelligence Report&lt;/A&gt; back in April (the new one will be coming soon) and look at the malware infection rate we see, it is neither worse nor better than in any other region:&lt;/P&gt;
&lt;P&gt;&lt;IMG style="WIDTH: 600px; HEIGHT: 344px" src="http://www.halbheer.info/security/Media/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)[1]_2.jpg" width=600 height=344 mce_src="http://www.halbheer.info/security/Media/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)[1]_2.jpg"&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)%5B1%5D_2.jpg" target=_blank mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheAfricaCableAChanceforAfricaAThreatfor_E347/Infection%20Rate%20-%20World%20(600x344)%5B1%5D_2.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;However, the data we have available from Africa might not be as broad as in other regions.&lt;/P&gt;
&lt;P&gt;Another thing came to my mind. I was in &lt;A href="http://blogs.technet.com/rhalbheer/archive/2007/12/08/a-retrospect-on-my-trip-to-kenya.aspx" target=_blank mce_href="http://blogs.technet.com/rhalbheer/archive/2007/12/08/a-retrospect-on-my-trip-to-kenya.aspx"&gt;Kenya two years ago on a business trip&lt;/A&gt; and I learned one thing – the idea of shipping outdated PCs to Africa to help people there does not work, as it requires them to run old and outdated software, which leaves them open to attacks. Simple, isn’t it?&lt;/P&gt;
&lt;P&gt;Looking at my figures, it is a problem, but no smaller or bigger than in any other region on this globe. Additionally, one of the reasons why our teams work so hard to get &lt;A href="http://www.microsoft.com/security_essentials/default.aspx" target=_blank mce_href="http://www.microsoft.com/security_essentials/default.aspx"&gt;Microsoft Security Essentials&lt;/A&gt; out of the door for all countries is precisely to reduce this threat: to make a professional anti-malware solution available free of charge to people who cannot afford one. &lt;/P&gt;
&lt;P&gt;Rather than being threatened, let’s welcome this continent on the “broadband Internet” and help them now to learn from our challenges and failures in the past.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3285281" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Physical Security: ATMs equipped with Pepper Spray</title><link>http://blogs.technet.com/rhalbheer/archive/2009/07/10/physical-security-atms-equipped-with-pepper-spray.aspx</link><pubDate>Fri, 10 Jul 2009 15:36:15 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3262713</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3262713.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3262713</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3262713</wfw:comment><description>&lt;p&gt;This is “real” hard-core security. If the ATM feels that it is being tampered with, it releases pepper spray. It is kind of a “self-defense” mechanism. 
I just hope it never thinks that I am tampering with the machine when I just want to get money…&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.iol.co.za/index.php?set_id=1&amp;amp;click_id=15&amp;amp;art_id=vn20090709112643917C840069" target="_blank"&gt;ATMs fitted with pepper spray&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3262713" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Test Microsoft Security Essentials</title><link>http://blogs.technet.com/rhalbheer/archive/2009/06/24/test-microsoft-security-essentials.aspx</link><pubDate>Wed, 24 Jun 2009 11:52:03 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3258151</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3258151.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3258151</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3258151</wfw:comment><description>&lt;p&gt;I have been running Microsoft Security Essentials (called “Morro”) for quite a while on my Mediacenter and I am definitely convinced by it. 
So, go ahead and test it: &lt;a href="http://www.microsoft.com/security_essentials/resources.aspx"&gt;http://www.microsoft.com/security_essentials/resources.aspx&lt;/a&gt; – it will be our free Anti-Malware solution&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3258151" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>SafeSearch in Bing</title><link>http://blogs.technet.com/rhalbheer/archive/2009/06/13/safesearch-in-bing.aspx</link><pubDate>Sat, 13 Jun 2009 22:56:11 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3254449</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3254449.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3254449</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3254449</wfw:comment><description>&lt;p&gt;One more proof that we listen to you: We made certain changes to Bing in order to help protect you from sexually explicit content. 
Please read the corresponding blog post &lt;a href="http://www.bing.com/community/blogs/search/archive/2009/06/12/safe-search-update.aspx" target="_blank"&gt;Safe Search Update&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Even though this is very good news, it does not change my view that education of parents and children is at the foundation of the safe use of the Internet: &lt;a href="http://www.halbheer.info/security/archive/2009/06/05/bing-and-the-video-preview-and-family-safety-settings.aspx"&gt;Bing and the Video Preview (and Family Safety Settings)&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3254449" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Thought of buying a Wii? Think again</title><link>http://blogs.technet.com/rhalbheer/archive/2009/06/03/thought-of-buying-a-wii-think-again.aspx</link><pubDate>Wed, 03 Jun 2009 17:37:14 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3249888</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3249888.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3249888</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3249888</wfw:comment><description>&lt;p&gt;I have to admit: Not really security related but really, really, really cool. 
Look at this Xbox trailer: &lt;a title="http://www.gametrailers.com/video/e3-09-project-natal/50017?type=wmv" href="http://www.gametrailers.com/video/e3-09-project-natal/50017?type=wmv"&gt;http://www.gametrailers.com/video/e3-09-project-natal/50017?type=wmv&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3249888" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Fun/default.aspx">Fun</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Security Intelligence Report: “Scareware” on the Raise</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/08/security-intelligence-report-scareware-on-the-raise.aspx</link><pubDate>Wed, 08 Apr 2009 09:50:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3223841</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3223841.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3223841</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3223841</wfw:comment><description>&lt;p&gt;You know that we release our &lt;a href="http://www.microsoft.com/sir" target="_blank"&gt;Security Intelligence Report&lt;/a&gt; twice a year: Today Version 6 is due. &lt;/p&gt;  &lt;p&gt;Let me try to give you an overview of the “highlights” of the report from my point of view:&lt;/p&gt;  &lt;p&gt;As I wrote in the title and as I blogged about this summer (&lt;a href="http://www.halbheer.info/security/archive/2008/08/29/" target="_blank"&gt;„Scareware“ on the Raise&lt;/a&gt;), one of the biggest growing threats we see is what I call “&lt;b&gt;Scareware&lt;/b&gt;” or what we call in the report “&lt;b&gt;Rogue Security Software&lt;/b&gt;”. 
I guess you know the feeling of visiting a website which then tells you that you are infected by malware and you should download a piece of software to protect you (or to clean your PC). Here you see a screenshot of what this can look like:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Rogue%20Security%20Software%20Screenshot_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Rogue Security Software Screenshot" border="0" alt="Rogue Security Software Screenshot" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Rogue%20Security%20Software%20Screenshot_thumb.png" width="604" height="548" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;So, we have seen this growing over the last three periods and therefore we decided to feature a focus section on this growing threat.&lt;/p&gt;  &lt;p&gt;A standard topic in the report is about &lt;strong&gt;vulnerability disclosures&lt;/strong&gt;. 
Here you find the chart you are used to if you read our Security Intelligence Report, my blog or heard me talking recently:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%201%20with%20Title_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 1 with Title" border="0" alt="Figure 1 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%201%20with%20Title_thumb.png" width="604" height="323" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;So, looking at the chart there is good and bad news:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The good news is that vulnerability disclosures (industry-wide) are decreasing. &lt;/li&gt;    &lt;li&gt;However, there are still more than 2500 vulnerabilities per 6 months (to be clear again: this is the whole industry, not us) &lt;/li&gt;    &lt;li&gt;And, roughly 52% of all the vulnerabilities were high-severity ones! 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Looking at Microsoft’s vulnerabilities, this is the picture:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%203%20with%20Title_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 3 with Title" border="0" alt="Figure 3 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%203%20with%20Title_thumb.png" width="604" height="304" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;One thing I always mention when I talk about this: If you are planning your Patch Management processes and you look at the figures above, make sure you cover your whole IT and not “just” Microsoft. In H2 2008 we had roughly 100 vulnerabilities out of 2500! So, think about patching the others as well (see &lt;a href="http://blogs.technet.com/rhalbheer/archive/2008/12/05/98-unpatched-and-i-am-one-of-them.aspx" target="_blank"&gt;98% unpatched – and I am one of them :(&lt;/a&gt;)&lt;/p&gt;  &lt;p&gt;There are a few other charts in the report, like the percentage of vulnerabilities responsibly disclosed or attacks on applications, which I do not want to put in here (there has to be a reason you read the report :-)). But one thing I want to take up here, as it was so important in H2, is the PDF attacks, as they underline the statement I made above about Patch Management. 
Look at the exploits by month targeting Adobe Acrobat Reader:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 10 with Title" border="0" alt="Figure 10 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2010%20with%20Title_thumb.png" width="604" height="267" /&gt;&lt;/p&gt;  &lt;p&gt;To be crystal clear about the graph above: This is not finger-pointing at Adobe. We were working closely together to address this and for both vulnerabilities there are updates available today. What I wanted to show you is that you have to extend your risk management to applications outside Microsoft.&lt;/p&gt;  &lt;p&gt;Another standing set of graphs is the world heatmaps. There are three of them in this Security Intelligence Report:&lt;/p&gt;  &lt;p&gt;The “classic” malware infection rate based on the Malicious Software Removal Tool:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Infection Rate - World (600x344)" border="0" alt="Infection Rate - World (600x344)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Infection%20Rate%20-%20World%20(600x344)_thumb.jpg" width="604" height="348" /&gt;&lt;/p&gt;  &lt;p&gt;Even though we changed the way to determine where a computer is based (and therefore last report’s map cannot be compared with this one), EMEA does not look that bad. We have some challenges in the Middle East, Russia and – surprisingly to me – in Spain but the rest looks not great but ok.&lt;/p&gt;  &lt;p&gt;But there is more. 
This time we look at the source of the malware based on infected websites and where they are hosted:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Malware%20World%20(600x342)_2.jpg"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Malware World (600x342)" border="0" alt="Malware World (600x342)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Malware%20World%20(600x342)_thumb.jpg" width="604" height="346" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Here we have quite some green spots – which is good. It is interesting to see that Russia and Spain are red again here…&lt;/p&gt;  &lt;p&gt;And last but not least the heatmap on where phishing sites are hosted:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Phishing%20World%20(600x341)_2.jpg"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Phishing World (600x341)" border="0" alt="Phishing World (600x341)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Phishing%20World%20(600x341)_thumb.jpg" width="604" height="345" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;If you take a different angle and look at it from a Windows perspective with regards to malware infection, it once more shows the progress we made with the different OSs:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2014%20with%20Title%20(600x317)_2.jpg"&gt;&lt;img 
style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 14 with Title (600x317)" border="0" alt="Figure 14 with Title (600x317)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2014%20with%20Title%20(600x317)_thumb.jpg" width="604" height="321" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;This reinforces the message I am delivering as often as possible: If I could give you one single piece of advice from security person to security person (I am not measured on quota), it would be “stay on the latest version of your software – everywhere”. This includes Patch Management as well as Lifecycle management. Just think about every piece of software you have (including embedded systems), think about when it was designed and then think about the threat landscape back then… Do you really have to think twice then?&lt;/p&gt;  &lt;p&gt;If you want to hear Vinny Gullotto (General Manager, Microsoft Malware Protection Center) talk about the Security Intelligence Report, you can look at an interview he did with Tim Rains: &lt;a href="http://go.microsoft.com/fwlink/?LinkId=147941"&gt;Vinny and Tim show - SIR Volume 6 &lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;So, this and much more you can find in our &lt;a href="http://www.microsoft.com/sir" target="_blank"&gt;Security Intelligence Report&lt;/a&gt;. 
Download it and have fun!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3223841" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Qtel’s Guide to a Faster Internet Experience</title><link>http://blogs.technet.com/rhalbheer/archive/2009/03/09/qtel-s-guide-to-a-faster-internet-experience.aspx</link><pubDate>Mon, 09 Mar 2009 11:33:23 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3210675</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3210675.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3210675</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3210675</wfw:comment><description>&lt;p&gt;I like that: As you probably know, I did a tour through the Gulf when we launched the &lt;a href="http://www.microsoft.com/sir" target="_blank"&gt;Security Intelligence Report&lt;/a&gt; last year. One of the reasons was that we know that the Gulf has a pretty high malware infection rate. 
You can read this in the corresponding blog post: &lt;a href="http://www.halbheer.info/security/archive/2008/11/03/security-intelligence-report-v5-live.aspx"&gt;Security Intelligence Report v5 Live!&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Now, QTEL (the ISP in Qatar) released an interesting document called &lt;a href="http://www.qtel.com.qa/documents/Qtel-Guide-Faster-Internet-Experience.pdf" target="_blank"&gt;Qtel’s Guide to a Faster Internet Experience&lt;/a&gt;. What I like about it is that most of it is about security but it actually addresses the user where it “really hurts”: Internet performance.&lt;/p&gt;  &lt;p&gt;You can read it yourself at the link above.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3210675" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch Management</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Scam Awareness Month in the UK</title><link>http://blogs.technet.com/rhalbheer/archive/2009/02/16/scam-awareness-month-in-the-uk.aspx</link><pubDate>Mon, 16 Feb 2009 13:03:31 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3202851</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3202851.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3202851</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3202851</wfw:comment><description>&lt;p&gt;I guess you know &lt;a href="http://www.getsafeonline.org/" target="_blank"&gt;Get Safe Online&lt;/a&gt; by now. They are publishing a lot of good and insightful information. 
Now, they collaborate with the &lt;a href="http://www.oft.gov.uk"&gt;Office of Fair Trading&lt;/a&gt; in the UK for a Scam Awareness Month. &lt;/p&gt;  &lt;p&gt;Again, there is a lot of excellent information on the web for you to look at:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Get Safe Online Blog on &lt;a href="http://www.getsafeonlineblog.org/scams-awareness-month" target="_blank"&gt;the Scam Awareness Month&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;A &lt;a href="http://www.consumerdirect.gov.uk/watch_out/" target="_blank"&gt;Consumer Site&lt;/a&gt; from the Office of Fair Trading with&lt;/li&gt;    &lt;ul&gt;     &lt;li&gt;&lt;a href="http://www.consumerdirect.gov.uk/watch_out/games/" target="_blank"&gt;Games&lt;/a&gt; &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;&lt;/li&gt;      &lt;li&gt;Information “&lt;a href="http://www.consumerdirect.gov.uk/before_you_buy/" target="_blank"&gt;Before You Buy&lt;/a&gt;”&lt;/li&gt;      &lt;li&gt;Information “&lt;a href="http://www.consumerdirect.gov.uk/after_you_buy/" target="_blank"&gt;After you Buy&lt;/a&gt;”&lt;/li&gt;      &lt;li&gt;and a lot more&lt;/li&gt;   &lt;/ul&gt; &lt;/ul&gt;  &lt;p&gt;Something you could definitely use to drive awareness with the average user.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3202851" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx">Industry Associations</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>98% unpatched – and I am one of them 
:(</title><link>http://blogs.technet.com/rhalbheer/archive/2008/12/05/98-unpatched-and-i-am-one-of-them.aspx</link><pubDate>Fri, 05 Dec 2008 17:57:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3164371</guid><dc:creator>rhalbh</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3164371.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3164371</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3164371</wfw:comment><description>&lt;p&gt;Well, you saw my post earlier this week on the 1.96% of PCs being updated according to &lt;a href="http://secunia.com/"&gt;Secuina&lt;/a&gt;. Well, as time does, I decided to install this tool as well to look at it. I did an initial scan on my home PC and this was the outcome:&lt;/p&gt; &lt;p align="center"&gt;&amp;nbsp;&lt;img src="http://blogs.technet.com/photos/rhalbheer_gallery/images/3164363/original.aspx" width="519" height="662"&gt; &lt;/p&gt; &lt;p&gt;Outch, this hurts my soul but shows as well the problem: I definitely have all our software updated and with must of the solutions above, I have the updates switched on (except Apple, where I switched it off when they wanted to install Safari as an update :()&lt;/p&gt; &lt;p&gt;But honestly, the tool is pretty cool. If you switch to advanced mode, you even get pretty detailed information:&lt;/p&gt; &lt;p align="center"&gt;&amp;nbsp;&lt;img src="http://blogs.technet.com/photos/rhalbheer_gallery/images/3164364/519x480.aspx"&gt; &lt;/p&gt; &lt;p&gt;&lt;/p&gt; &lt;p&gt;&lt;/p&gt; &lt;p&gt;&lt;/p&gt; &lt;p&gt;So, this makes me really think. This is a PC which I really look after and keep it updated. Nevertheless I seem to have failed. &lt;/p&gt; &lt;p&gt;This shows me the fundamental problem: If I am not able to keep it up to date, how shall my Mom and Dad? 
The Secunia Personal Software Inspector helps a little bit but I am not sure whether my parents are able to handle it. So, what we are basically missing is a central point and mechanism to distribute security updates. But who controls this channel? Who ensures that no criminal can get access to it? That no viruses are distributed?&lt;/p&gt; &lt;p&gt;Still a long way to go…&lt;/p&gt; &lt;p&gt;Roger&lt;/p&gt; &lt;p&gt;P.S: Do not even try to attack my PC based on these vulns – they are closed in the meantime&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3164371" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch Management</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Get Safe Online – This Week</title><link>http://blogs.technet.com/rhalbheer/archive/2008/11/18/get-safe-online-this-week.aspx</link><pubDate>Tue, 18 Nov 2008 16:00:17 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3155772</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3155772.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3155772</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3155772</wfw:comment><description>&lt;p&gt;We see this concept all over Europe: There are National Security Awareness Days (or however they are called) in a lot of European countries. 
During these events, the industry (from software to banking to government to …) gets together to raise awareness of the most important trends criminals explore in attacking their victims.&lt;/p&gt;  &lt;p&gt;This week in the UK there is the &lt;a target="_blank" href="http://www.getsafeonline.org/nqcontent.cfm?a_id=1497"&gt;Get Safe Online Week&lt;/a&gt;, which is a very good example for me how this can work out. A lot of partners come together this week to drive awareness around different themes in the area of Online Safety.&lt;/p&gt;  &lt;p&gt;I quote from their press release:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Today &lt;/em&gt;(which was actually yesterday) &lt;em&gt;the UK’s fourth annual Get Safe Online kicks off, a weeklong internet safety awareness campaign encouraging UK computer users to take steps to ensure that they and their machines are protected.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;In a time of economic uncertainty, online security is becoming even more important as the growth of the ‘shadow economy’ in stolen identities can mean a person’s assets such as savings accounts can be stolen and emptied faster than ever.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Particularly, the use of ‘phishing attacks’ is rapidly on the rise – where criminals send fraudulent emails designed to trick internet users into submitting their financial or other confidential details. 
23% of UK internet users surveyed said that they or someone they knew fell victim to such an attack this year, compared to just eight per cent in 2007.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;The image of the geeky hacker is inaccurate: the vast majority of computer crime in the UK is highly organized, with criminals dealing in the buying and selling of personal information used to defraud targets such as full name, address, passport details, driver's license number, date of birth, bank account details and sort codes, plus credit card numbers and security codes.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Get Safe Online Week aims to give everyone the tools and confidence to enjoy and use the internet safely. In the span of a couple of hours, anyone can learn a few simple steps to remain up-to-date and aware about online safety – a small investment compared to the potential loss and inconvenience if they are instead victims of identity theft.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;I think that this is a great initiative, which needs our broad support:&lt;/p&gt;  &lt;p align="center"&gt;&lt;a target="_blank" href="http://www.getsafeonline.org/"&gt;&lt;img src="http://www.getsafeonline.org/cache/cfx_imagecr3/459332E59AFFCD337BCA744030637CE0.gif" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3155772" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category><category 
domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Politics/default.aspx">Politics</category></item><item><title>Safe Social Networking</title><link>http://blogs.technet.com/rhalbheer/archive/2008/11/09/safe-social-networking.aspx</link><pubDate>Mon, 10 Nov 2008 00:32:23 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3150134</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3150134.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3150134</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3150134</wfw:comment><description>&lt;p&gt;I am often asked by a lot of people what my view is on the social networks like Facebook and what I think about it. Well, the most important points first: I am using social networks myself as I like them to keep an eye on people I might lose otherwise. 
However, I am really careful about putting too much information on these networks (like pictures) as I want to keep my privacy.&lt;/p&gt;  &lt;p&gt;We now released &lt;a target="_blank" href="http://www.microsoft.com/protect/yourself/phishing/socialnet.mspx"&gt;10 tips for social networking safety&lt;/a&gt; which I think are pretty good and might even be used by your teen kids as well.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3150134" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/TechEd+EMEA/default.aspx">TechEd EMEA</category></item><item><title>„Scareware“ on the Rise</title><link>http://blogs.technet.com/rhalbheer/archive/2008/08/31/scareware-on-the-raise.aspx</link><pubDate>Sun, 31 Aug 2008 18:31:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3113740</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3113740.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3113740</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3113740</wfw:comment><description>&lt;P&gt;We have regular ConfCalls with our security support to exchange trends and issues we see. During the last one we had an interesting discussion I would like to share with you: We seem to get a hell of a lot of calls mainly from the consumer segment with Virus/Trojan/Spyware infections. 
The way they get the malware is a pretty well known one: You go to a web page which is telling you that your PC is infected by malware and that you have to install the "protection software" immediately – which then installs the malware. That's the reason why we call this software "Scareware". There are two things which frighten me: &lt;/P&gt;
&lt;P&gt;One is that it shows how easily social engineering works (once again). &lt;/P&gt;
&lt;P&gt;But the second one is much more frightening: The malware installed is far from sophisticated. It is usually pretty old and well known. Therefore every AV scanner would detect it easily and prevent it from being installed. This tells us that there is still a high percentage of people not running AV software on their PC… For years we have been telling our customers that you have to do at least three things to run your system: use a firewall, keep your software updated, and run anti-malware software and keep it updated. Similar things are true for ISPs. Why do people still not do it? Is it the money? &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3113740" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item></channel></rss>