<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Incidents</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx</link><description>Tags: Incidents</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Summary of Bitlocker Discussions</title><link>http://blogs.technet.com/rhalbheer/archive/2009/12/11/summary-of-bitlocker-discussions.aspx</link><pubDate>Fri, 11 Dec 2009 09:54:36 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3299828</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3299828.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3299828</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3299828</wfw:comment><description>&lt;p&gt;Last week there was quite some discussion about “successful attacks” on BitLocker. Those discussions are often quite interesting to me, as they sometimes show that people are looking for one technical solution to all their problems.&lt;/p&gt;  &lt;p&gt;BitLocker has a clear threat model it wants to protect you against: mainly the loss of your computer. If the machine is running and the attacker is an administrator, BitLocker cannot protect you. To quote a blog post of our Windows Security Team: &lt;em&gt;Our discussions of Windows BitLocker have always been to communicate that it &lt;b&gt;is intended to help protect data at rest&lt;/b&gt; (e.g. when the machine is powered off).&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;If you want to read the whole post, it is definitely worth it: &lt;a href="http://windowsteamblog.com/blogs/windowssecurity/archive/2009/12/07/windows-bitlocker-claims.aspx" target="_blank"&gt;Windows BitLocker Claims&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>“Black Screen of Death” Reports</title><link>http://blogs.technet.com/rhalbheer/archive/2009/12/01/black-screen-of-death-reports.aspx</link><pubDate>Tue, 01 Dec 2009 20:16:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3297651</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3297651.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3297651</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3297651</wfw:comment><description>&lt;P&gt;Oh, wow – sometimes the power of social media, the blogs and the Internet can backfire. I guess you have seen by now the claims by Prevx that approx. 80 million PCs are affected by the &lt;EM&gt;Black Screen of Death&lt;/EM&gt; problems supposedly caused by our November security updates. This caused (and still causes) a huge wave of reports, and one could get the impression that there is a really big problem out there. 
On one of the blogs you find a collection of the articles about it: &lt;A href="http://msmvps.com/blogs/donna/archive/2009/12/01/latest-microsoft-patches-cause-black-screen-of-death-microsoft-looking-into-windows-black-screen-of-death-problem.aspx" target="_blank"&gt;Latest Microsoft patches cause black screen of death, Microsoft looking into Windows 'black screen of death' problem&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Now, there are several things that worry me: One is that the Prevx post, as well as the title of the above-mentioned blog post, state it as a fact that our security updates caused this. Additionally, Prevx makes a statement about the supposed size of the problem; this statement is approximately as good a guess as you could make by picking any random number between 1 and 480’000’000 (the approx. hit rate on Microsoft Update). And finally – and this is the biggest concern to me – customers are now holding back the deployment of our security updates because of this.&lt;/P&gt;
&lt;P&gt;So, let’s get it straight: We have been looking into this problem (obviously). You can find the official statement quoted in the SeattlePI:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers. &lt;/LI&gt;
&lt;LI&gt;Based on our investigation so far we can say that we're not seeing this as an issue from our support organization. &lt;/LI&gt;
&lt;LI&gt;The issues as described also do not match any known issues that have been documented in the security bulletins or KB articles. &lt;/LI&gt;
&lt;LI&gt;As always, we encourage customers to review the security bulletin and related KB articles and test and deploy security updates. &lt;/LI&gt;
&lt;LI&gt;If customers do encounter an issue with security updates, we encourage them to contact our Customer Service and Support group for no-charge assistance. Customers can contact CSS using the information at &lt;A href="http://support.microsoft.com/security"&gt;http://support.microsoft.com/security&lt;/A&gt;. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;To add some meat to this: Up to now, we have no evidence at all to validate the concerns. Currently we do not see any support volumes that would either support the claims or indicate a growing concern. Additionally, our investigation has shown no evidence at all that our security updates, the Malicious Software Removal Tool or the non-security updates make the changes claimed in the Prevx reports.&lt;/P&gt;
&lt;P&gt;Looking at that, you should now make your risk assessment and decide which source you want to trust. For me, the ultimate source of information you should build your assessment on is neither Twitter nor your brother’s sister-in-law’s father's brother (unless he works for Microsoft’s security) but our website.&lt;/P&gt;
&lt;P&gt;UPDATED WITH MSRC BLOG POST: &lt;A href="http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx"&gt;http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
&lt;DIV style="TEXT-ALIGN: right; PADDING-BOTTOM: 4px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; PADDING-TOP: 4px" class=wlWriterHeaderFooter&gt;&lt;A href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f12%2f01%2fblack-screen-of-death-reports.aspx&amp;amp;title=%e2%80%9cBlack+Screen+of+Death%e2%80%9d+Reports" mce_href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f12%2f01%2fblack-screen-of-death-reports.aspx&amp;amp;title=%e2%80%9cBlack+Screen+of+Death%e2%80%9d+Reports"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title="Digg This" border=0 alt="Digg This" src="http://digg.com/img/badges/100x20-digg-button.png" width=100 height=20 mce_src="http://digg.com/img/badges/100x20-digg-button.png"&gt;&lt;/A&gt;&lt;/DIV&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3297651" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>H1N1 (Swine) Flu Preparedness - Guide for Critical Infrastructure and Key Resources</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/16/h1n1-swine-flu-preparedness-guide-for-critical-infrastructure-and-key-resources.aspx</link><pubDate>Wed, 16 Sep 2009 08:33:30 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3281344</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3281344.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3281344</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3281344</wfw:comment><description>&lt;p&gt;This morning I stumbled across a guide by the US 
Health &amp;amp; Human Services with regards to H1N1. Even though it did not catch much news lately I am not sure whether it is really over. Staying prepared it definitely not a bad thing. Even though it is US-centric, you should probably look into it: &lt;a title="http://flu.gov/professional/pdf/cikrpandemicinfluenzaguide.pdf" href="http://flu.gov/professional/pdf/cikrpandemicinfluenzaguide.pdf"&gt;http://flu.gov/professional/pdf/cikrpandemicinfluenzaguide.pdf&lt;/a&gt; it gives a good insightful view of the pandemic planning.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3281344" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Blaster’s Birthday</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/12/blaster-s-birthday.aspx</link><pubDate>Wed, 12 Aug 2009 12:03:56 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3272658</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3272658.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3272658</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3272658</wfw:comment><description>&lt;p&gt;I guess you remember the day back in 2003: I was actually on vacation when I was called in back to the Microsoft offices as we had some strange things going on… It was the day of the Blaster breakout. The first time I personally had to deal with a very severe incident here at Microsoft. So we started to ramp up and tried to deal with what was happening out there. 
The biggest challenge at the beginning was to bridge the time between the moment the beast hit our customers and everything popped up in the press, and the time we actually knew what was going on, which had to come from the Microsoft Security Response Center back in Redmond. They did an amazing job, but it took them some time as well. At the beginning we were blind, and we did not have the same incident response processes back then that we have today (the Blaster post-mortem taught us that they are necessary).&lt;/p&gt;  &lt;p&gt;So, the teams ramped up and we tried our best to put an incident response team together locally: Support, PR, Sales, me, and whoever we could draw from any not absolutely critical activity. We did our best to keep the hotlines up, but this was a mission impossible. Within hours we were flooded… So, we developed some written guidance on what to do (and had to translate it into three languages, as I was working in Switzerland back then), but still this only helped partially. People started to call our offices in order to get help and we had to handle the overflow there. And last but not least, we had consumers walking into our buildings telling the receptionist that they had this thing they had heard about in the news and that we had to help them get rid of it – NOW!&lt;/p&gt;  &lt;p&gt;And then, after the first few days, the customer visits started. I had never experienced anything like that. Customers were literally screaming at me, telling me what they thought about Microsoft and that we had done everything wrong.&lt;/p&gt;  &lt;p&gt;Well, the whole industry has come a long way – hasn’t it? Trustworthy Computing had a big effect on how software is developed, the Security Development Lifecycle has an industry-wide impact, the products themselves have matured tremendously when you look at how we defend them today… and the industry starts to understand that patch management is an important part of the risk management processes. 
Yes, I deliberately said “starts to understand” – there is still an amazing number of customers who do not even think about patching.&lt;/p&gt;  &lt;p&gt;Looking back to 2003:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://support.microsoft.com/kb/826955"&gt;Virus alert about the Blaster worm and its variants&lt;/a&gt; on microsoft.com&lt;/li&gt;    &lt;li&gt;&lt;a href="http://news.cnet.com/2009-1002_3-5063226.html"&gt;Worm exploits a widespread Windows vulnerability&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;and a lot more&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>A few comments to yesterday’s Out of Band</title><link>http://blogs.technet.com/rhalbheer/archive/2009/07/29/a-few-comments-to-yesterday-s-out-of-band.aspx</link><pubDate>Wed, 29 Jul 2009 14:50:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3269035</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3269035.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3269035</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3269035</wfw:comment><description>&lt;P&gt;It is pretty typical – these things often happen when I have a really bad Internet connection ;-). However, I am back home and the connection is somewhat better now…&lt;/P&gt;
&lt;P&gt;I guess you have seen and heard about the two out-of-band updates we shipped yesterday. They are kind of special, and I would like to make sure you are doing everything necessary to protect yourself and your customers. Therefore – even before you read the bulletins – read the advisory that goes with yesterday’s updates, called &lt;A href="http://www.microsoft.com/technet/security/advisory/973882.mspx" target="_blank"&gt;Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution&lt;/A&gt;. Once you understand the problem space, get familiar with the two bulletins:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx" target=_blank mce_href="http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx"&gt;Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx" target=_blank mce_href="http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx"&gt;Cumulative Security Update for Internet Explorer (972260)&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Now, the real problem is with the applications and controls developed by you. If you are a developer, definitely make sure you read the corresponding article on MSDN: &lt;A href="http://msdn.microsoft.com/en-us/visualc/ee309358.aspx" target="_blank"&gt;Active Template Library Security Update for Developers&lt;/A&gt;. It contains a very good flowchart that helps you understand whether your component might be vulnerable. Keep in mind that ATL code is compiled into your own binaries: installing the Visual Studio update gives you corrected ATL headers and libraries, but a component built with the vulnerable ATL stays vulnerable until you rebuild it against the updated ATL and redistribute it.&lt;/P&gt;
&lt;P&gt;Last but definitely not least, ICASI has collaborated with &lt;STRONG&gt;Verizon Business to provide a free-of-charge scanning service&lt;/STRONG&gt; to help you figure out whether your component is vulnerable. You can find the information here:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://www.icasi.org/alerts.htm" target=_blank mce_href="http://www.icasi.org/alerts.htm"&gt;The ICASI Alert&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://codetest.verizonbusiness.com/" target=_blank mce_href="http://codetest.verizonbusiness.com/"&gt;The Verizon Business Scanner&lt;/A&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;I hope this helps&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>SANS: Recent attacks and a false sense of security</title><link>http://blogs.technet.com/rhalbheer/archive/2009/07/16/sans-recent-attacks-and-a-false-sense-of-security.aspx</link><pubDate>Thu, 16 Jul 2009 22:47:35 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3265405</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3265405.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3265405</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3265405</wfw:comment><description>&lt;p&gt;Well, as I am not really working, just a quick one: &lt;a title="http://isc.sans.org/diary.html?storyid=6787&amp;amp;rss" href="http://isc.sans.org/diary.html?storyid=6787&amp;amp;rss"&gt;http://isc.sans.org/diary.html?storyid=6787&amp;amp;rss&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Distributed Denial of Service – and how it works</title><link>http://blogs.technet.com/rhalbheer/archive/2009/07/08/distributed-denial-of-service-and-how-it-works.aspx</link><pubDate>Wed, 08 Jul 2009 14:30:43 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3262158</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3262158.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3262158</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3262158</wfw:comment><description>&lt;p&gt;I often get asked about Distributed Denial of Service (DDoS) attacks: how they work and what role we can play in preventing them.&lt;/p&gt;  &lt;p&gt;So, let me start with the first part: Our &lt;a href="http://www.halbheer.info/security/archive/2008/11/03/security-intelligence-report-v5-live.aspx"&gt;Security Intelligence Report version 5&lt;/a&gt; talked about the underground economy and explained what happens before a DDoS takes place. Let’s recap this:&lt;/p&gt;  &lt;p&gt;Often it starts with a criminal’s plan to build a botnet. This malicious person goes to an underground marketplace and buys a piece of malware: a bot and the control server software. In addition, he or she might even buy an initial distribution of the bot by paying somebody to infect a web page (one that is unpatched, has a weak password or is otherwise unsecured), or might use any other malware distribution channel you know of (e.g. 
social engineering):&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/DistributedDenialofServiceandhowitworks_B9E6/original%5B1%5D.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="original[1]" border="0" alt="original[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/DistributedDenialofServiceandhowitworks_B9E6/original%5B1%5D_thumb.png" width="500" height="688" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Now the criminal is ready to go. He or she owns a certain number of PCs, called zombies, and can now offer “services” on the same online black market where the malware was initially purchased, finding “customers” such as spammers, phishers, blackmailers or any other criminals:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/DistributedDenialofServiceandhowitworks_B9E6/original%5B2%5D.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="original[2]" border="0" alt="original[2]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/DistributedDenialofServiceandhowitworks_B9E6/original%5B2%5D_thumb.png" width="500" height="561" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Here you see the reason why we leverage our &lt;a href="http://www.microsoft.com/security/malwareremove/default.aspx"&gt;Malicious Software Removal Tool&lt;/a&gt; to go after the largest botnets. It is all about protecting the ecosystem.&lt;/p&gt;  &lt;p&gt;So, I could basically rent a botnet to flood a web server with any kind of junk in order to take it offline – this is called a Distributed Denial of Service attack. 
I often compare this with spam – not for your inbox but for your web server. The server may still be up and running, but it is kept busy sorting junk from legitimate traffic, or the network link in front of it is simply saturated. &lt;/p&gt;  &lt;p&gt;There are different motivations behind this:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Remember the times of Al Capone, when criminals attacked shops and then offered them a service to protect them? The same can happen here: A criminal runs a DDoS against your website and takes it down for a few minutes. Then he lets it come back up and tells you that he can protect you from these attacks – I would call this blackmail. &lt;/li&gt;    &lt;li&gt;We often see such attacks with a political background. You see a conflict happening somewhere and one party (or both) is trying to take down the website of the other. &lt;/li&gt;    &lt;li&gt;Sometimes it is more of an “I do not like you” background. Microsoft has been attacked as well from time to time…. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, if you want to know more about DDoS, I can recommend two sites:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;On our TechNet site, there is an article called &lt;a href="http://technet.microsoft.com/en-us/library/cc722931.aspx"&gt;Distributed Denial-of-Service Attacks and You&lt;/a&gt;, which is worth reading and shows you some basic protection as well. This article is not very new, but it still gives you some advice on how to protect yourself. &lt;/li&gt;    &lt;li&gt;Wikipedia has a page that gives you some history and shows you the different types of attacks: &lt;a href="http://en.wikipedia.org/wiki/DDoS#Distributed_attack"&gt;Denial-of-service attack&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I hope this helps and clarifies some questions. 
Otherwise, do not hesitate to get in touch with me.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>CDC and the Way They Communicate about the Swine Flu</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/01/cdc-and-the-way-they-communicate-about-the-swine-flu.aspx</link><pubDate>Fri, 01 May 2009 21:41:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3234107</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3234107.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3234107</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3234107</wfw:comment><description>&lt;P&gt;This is impressive to me: I was looking at the website of the &lt;A href="http://www.cdc.gov/" target="_blank"&gt;Centers for Disease Control and Prevention&lt;/A&gt; and the way they use the Internet and social media to communicate about the Swine Flu. They use all the latest media: widgets, websites for mobile browsers, buttons to add to your website, online videos, podcasts, eCards, RSS feeds, Twitter, etc…&lt;/P&gt;
&lt;P&gt;Read for yourself: &lt;A href="http://www.cdc.gov/socialmedia/?s_cid=tw_eh_28" target="_blank"&gt;Social Media Tools for Consumers and Partners&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;I think this is really impressive and innovative!&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
&lt;DIV style="TEXT-ALIGN: left; PADDING-BOTTOM: 4px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; PADDING-TOP: 4px" class=wlWriterHeaderFooter&gt;&lt;A href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f05%2f01%2fcdc-and-the-way-they-communicate-about-the-swine-flu.aspx&amp;amp;title=CDC+and+the+Way+They+Communicate+about+the+Swine+Flu" mce_href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f05%2f01%2fcdc-and-the-way-they-communicate-about-the-swine-flu.aspx&amp;amp;title=CDC+and+the+Way+They+Communicate+about+the+Swine+Flu"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title="Digg This" border=0 alt="Digg This" src="http://digg.com/img/badges/100x20-digg-button.png" width=100 height=20 mce_src="http://digg.com/img/badges/100x20-digg-button.png"&gt;&lt;/A&gt;&lt;/DIV&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3234107" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Why you should not use P2P Windows 7 Builds</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/30/why-you-should-not-use-p2p-windows-7-builds.aspx</link><pubDate>Thu, 30 Apr 2009 15:36:38 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3233396</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3233396.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3233396</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3233396</wfw:comment><description>&lt;p&gt;This is not about piracy and not about leaks and not about…&lt;/p&gt;  &lt;p&gt;I am waiting for the new RC build as you are. 
I am running an intermediate build between Beta and RC and would love to upgrade all my machines (including my MediaCenter) to the RC. However, I refrain from downloading it from any untrusted source. The reason for this is pretty simple: you never know (and it is illegal).&lt;/p&gt;  &lt;p&gt;Years back (and I have told this story over and over again) we ran an event where we fixed consumers’ PCs for free for a whole week. Pretty often, when we found an infected machine, we found P2P software on it. When we talked to the person owning the PC, he or she usually told us “my son/daughter installed that and uses it”. We know that P2P is one of the most dangerous sources of malware.&lt;/p&gt;  &lt;p&gt;Now read what happens with Windows 7: &lt;a href="http://www.slashgear.com/leaked-windows-7-rc-torrents-infected-with-trojan-2842048/"&gt;Leaked Windows 7 RC torrents infected with trojan&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;So, rather wait until you get access to the Windows 7 RC – as I do.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>The Potential of Misinformation on the 
Web</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/29/the-potential-of-misinformation-on-the-web.aspx</link><pubDate>Wed, 29 Apr 2009 14:55:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3232449</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3232449.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3232449</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3232449</wfw:comment><description>&lt;p&gt;I am blogging, I am on &lt;a href="http://www.twitter.com/rhalbheer" target="_blank"&gt;Twitter&lt;/a&gt;, I have a &lt;a href="http://www.facebook.com/profile.php?id=689773925" target="_blank"&gt;Facebook account&lt;/a&gt; and many others. I am not always completely clear about what the real business model and value of all these tools are, but basically there is a lot of fun in them. Additionally, information flows much faster and everybody has the possibility to express himself or herself the way he or she wants. However, there is a huge problem connected to this as well: misinformation and panic on the web.&lt;/p&gt;  &lt;p&gt;It can easily happen that a topic becomes an “own-runner” (at least that’s what we call it in German when something takes on a life of its own) and a lot of misinformation is spread via uncontrolled channels, which can lead to irresponsible behavior.&lt;/p&gt;  &lt;p&gt;I just read some articles about this when it comes to the Swine Flu. It does seem to be very serious (even though I am not a doctor), but we have to be very careful about what we spread and how. It seems that the US &lt;a href="http://twitter.com/CDCemergency"&gt;Centers for Disease Control and Prevention&lt;/a&gt; has its own Twitter account and distributes information through this channel. 
Let’s put aside for a second the question whether it is really the CDC… they have authoritative information about the flu.&lt;/p&gt;  &lt;p&gt;If you search Twitter for “swine flu” you find a lot of entries – can you trust them? I think we need some normal vigilance when we deal with such information and must be careful about what we trust. These media have a huge potential to cause a panic because everybody trusts and copies from everybody.&lt;/p&gt;  &lt;p&gt;There are actually some good articles on the web about this: &lt;a href="http://neteffect.foreignpolicy.com/posts/2009/04/25/swine_flu_twitters_power_to_misinform" target="_blank"&gt;Swine flu: Twitter's power to misinform&lt;/a&gt; and &lt;a href="http://www.infoworld.com/d/adventures-in-it/one-swine-flu-over-cuckoos-nest-078" target="_blank"&gt;One swine flu over the cuckoo's nest&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>How much does a lost Laptop cost?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/27/how-much-does-a-lost-laptop-cost.aspx</link><pubDate>Mon, 27 Apr 2009 15:14:25 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3231058</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3231058.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3231058</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3231058</wfw:comment><description>&lt;p&gt;I stumbled upon this study today, commissioned by Intel and executed by Ponemon. The key findings were:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The average value of a lost laptop is $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses. &lt;/li&gt;    &lt;li&gt;What makes a lost laptop costly to a company is the potential for a data breach to occur. In the cases we studied, the occurrence of a data breach represents 80% of the cost. &lt;/li&gt;    &lt;li&gt;The second highest cost component is attributed to intellectual property loss. When the cost of a data breach is removed, intellectual property loss represents 59% of the total cost. &lt;/li&gt;    &lt;li&gt;The faster the company learns that a laptop is lost, the lower the average cost. If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849. &lt;/li&gt;    &lt;li&gt;Lost productivity is not a significant cost to companies. When employees have down time due to losing their laptops, it represents only 1% of the total cost. &lt;/li&gt;    &lt;li&gt;While lost laptop costs appear to be correlated to position in an organization, the most senior level respondents do not experience the highest average cost. 
The average cost of a lost laptop for a senior executive is $28,449 and the highest average costs are for manager and director, $60,781 and $61,040 respectively. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, protecting the information on your Laptop is fundamental and could significantly reduce the cost of a stolen Laptop – say: Switch on Bitlocker…&lt;/p&gt;  &lt;p&gt;The whole study can be found here: &lt;a href="http://communities.intel.com/docs/DOC-3076" target="_blank"&gt;Cost of a Lost Laptop: A Study Conducted by the Ponemon Institute&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3231058" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Finjan reports world's largest Botnet</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/24/finjan-reports-world-s-largest-botnet.aspx</link><pubDate>Fri, 24 Apr 2009 12:45:44 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3230067</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3230067.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3230067</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3230067</wfw:comment><description>&lt;p&gt;I guess you have read it in the meantime: There are a lot of reports out there that Finjan found a Botnet affecting 1.9 Million computers. This is really bad – obviously. The press has now started to cover this and I think we are already losing a little bit of focus in the discussion. I tried to understand what was going on based on the publicly available information.&lt;/p&gt;  &lt;p&gt;To me it seems like the Botnet was leveraging known vulnerabilities in browsers to download malicious Javascript. It then started to spread on the infected machines and downloaded a Trojan called &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fProcesemes.A" target="_blank"&gt;Win32/Procesemes.A&lt;/a&gt; (The link leads you to our encyclopedia on this Trojan). 
We added the detection for this Trojan to our signature version 1.57.181.0 (so, for quite a while now) and with that to all our products like Windows Live OneCare, Microsoft Forefront Client Security and &lt;a href="https://safety.live.com" target="_blank"&gt;Windows Live OneCare Safety Scanner&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;What does this tell us? Well, is it not the same story as always? There are three things that went wrong here:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Machines were unpatched (and not only IE)&lt;/li&gt;    &lt;li&gt;People are running as Admins&lt;/li&gt;    &lt;li&gt;The AV signature was/is not up to date. We even remove the Trojan if you are infected…&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;So, the Botnet is huge and therefore dangerous, and it is definitely a criminal activity to infect people’s machines. But there are ways to protect yourself…&lt;/p&gt;  &lt;p&gt;As always, if you think that you are infected, report it to your local Law Enforcement. You may contact our support (free of charge for security incidents) on&amp;#160; &lt;a href="http://support.microsoft.com/security"&gt;http://support.microsoft.com/security&lt;/a&gt;. And then follow the standard steps of the “&lt;a href="http://www.microsoft.com/protect" target="_blank"&gt;Protect Your PC&lt;/a&gt;” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. 
&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3230067" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Security Intelligence Report: “Scareware” on the Raise</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/08/security-intelligence-report-scareware-on-the-raise.aspx</link><pubDate>Wed, 08 Apr 2009 09:50:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3223841</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3223841.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3223841</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3223841</wfw:comment><description>&lt;p&gt;You know that we release our &lt;a href="http://www.microsoft.com/sir" target="_blank"&gt;Security Intelligence Report&lt;/a&gt; twice an year: Today Version 6 is due. &lt;/p&gt;  &lt;p&gt;Let me try to give you an overview of the “highlights” of the report from my point of view:&lt;/p&gt;  &lt;p&gt;As I wrote in the title and as I blogged about this summer (&lt;a href="http://www.halbheer.info/security/archive/2008/08/29/" target="_blank"&gt;„Scareware“ on the Raise&lt;/a&gt;) one if the biggest growing threats we see is what I call “&lt;b&gt;Scareware&lt;/b&gt;” or what we call in the report “&lt;b&gt;Rogue Security Software&lt;/b&gt;”. I guess you know the feeling of visiting a website which then tells you that you are infected by malware and you should download a piece of software to protect you (or to clean your PC). 
Here you see a screenshot of what this can look like:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Rogue%20Security%20Software%20Screenshot_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Rogue Security Software Screenshot" border="0" alt="Rogue Security Software Screenshot" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Rogue%20Security%20Software%20Screenshot_thumb.png" width="604" height="548" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;So, we have seen this growing over the last three periods and therefore we decided to feature a focus section on this growing threat.&lt;/p&gt;  &lt;p&gt;A standard topic in the report is &lt;strong&gt;vulnerability disclosures&lt;/strong&gt;. Here you find the chart you are used to if you read our Security Intelligence Report, my blog or heard me talking recently:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%201%20with%20Title_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 1 with Title" border="0" alt="Figure 1 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%201%20with%20Title_thumb.png" width="604" height="323" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;So, looking at the chart there is good and bad news:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The good news is that vulnerability disclosures (industry-wide) are decreasing. 
&lt;/li&gt;    &lt;li&gt;However, there are still more than 2500 vulnerabilities per 6 months (to be clear again: this is the whole industry, not us) &lt;/li&gt;    &lt;li&gt;And, roughly 52% of all the vulnerabilities were high-severity ones! &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Looking at Microsoft’s vulnerabilities, this is the picture:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%203%20with%20Title_2.png"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 3 with Title" border="0" alt="Figure 3 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%203%20with%20Title_thumb.png" width="604" height="304" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;One thing I always mention when I talk about this: If you are planning your Patch Management processes and you look at the figures above, make sure you cover your whole IT and not “just” Microsoft. In H2 2008 we had roughly 100 vulnerabilities out of 2500! So, think about patching the others as well (see &lt;a href="http://blogs.technet.com/rhalbheer/archive/2008/12/05/98-unpatched-and-i-am-one-of-them.aspx" target="_blank"&gt;98% unpatched – and I am one of them :(&lt;/a&gt;)&lt;/p&gt;  &lt;p&gt;There are a few other charts in the report, like the percentage of vulnerabilities responsibly disclosed or attacks on applications, which I do not want to put in here (there has to be a reason you read the report :)). But one thing I want to take up here, as it was so important in H2, is the PDF attacks, as they underline the statement I made above about Patch Management. 
Look at the exploits by month targeting Adobe Acrobat Reader:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 10 with Title" border="0" alt="Figure 10 with Title" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2010%20with%20Title_thumb.png" width="604" height="267" /&gt;&lt;/p&gt;  &lt;p&gt;To be crystal clear with the graph above: This is not finger-pointing at Adobe. We were working closely together to address this and for both vulnerabilities there are updates available today. What I wanted to show you is that you have to extend your risk management to applications outside Microsoft.&lt;/p&gt;  &lt;p&gt;Another standing set of graphs is the world heatmaps. There are three of them in this Security Intelligence Report:&lt;/p&gt;  &lt;p&gt;The “classic” malware infection rate based on the Malicious Software Removal Tool:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Infection Rate - World (600x344)" border="0" alt="Infection Rate - World (600x344)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Infection%20Rate%20-%20World%20(600x344)_thumb.jpg" width="604" height="348" /&gt;&lt;/p&gt;  &lt;p&gt;Even though we changed the way we determine where a computer is based (and therefore last report’s map cannot be compared with this one), EMEA does not look that bad. We have some challenges in the Middle East, Russia and – surprisingly to me – in Spain, but the rest looks ok, if not great.&lt;/p&gt;  &lt;p&gt;But there is more. 
This time we look at the source of the malware based on infected websites and where they are hosted:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Malware%20World%20(600x342)_2.jpg"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Malware World (600x342)" border="0" alt="Malware World (600x342)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Malware%20World%20(600x342)_thumb.jpg" width="604" height="346" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Here we have quite some green spots – which is good. It is interesting to see that Russia and Spain are red again here…&lt;/p&gt;  &lt;p&gt;And last but not least the heatmap on where phishing sites are hosted:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Phishing%20World%20(600x341)_2.jpg"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Phishing World (600x341)" border="0" alt="Phishing World (600x341)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Phishing%20World%20(600x341)_thumb.jpg" width="604" height="345" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;If you take a different angle and look at it from a Windows perspective with regards to malware infection, it once more shows the progress we made with the different OSs:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2014%20with%20Title%20(600x317)_2.jpg"&gt;&lt;img 
style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Figure 14 with Title (600x317)" border="0" alt="Figure 14 with Title (600x317)" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/SecurityIntelligenceReportScarewareonthe_10BFF/Figure%2014%20with%20Title%20(600x317)_thumb.jpg" width="604" height="321" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;This reinforces the message I am delivering as often as possible: If I could give you one single piece of advice from security person to security person (I am not measured on quota), this would be “stay on the latest version of your software – everywhere”. This includes Patch Management as well as Lifecycle Management. Just think about every piece of software you have (including embedded systems), think about when it was designed and then think about the threat landscape back then… Do you really have to think twice then?&lt;/p&gt;  &lt;p&gt;If you want to hear Vinny Gullotto (General Manager, Microsoft Malware Protection Center) talk about the Security Intelligence Report, you can look at an interview he did with Tim Rains: &lt;a href="http://go.microsoft.com/fwlink/?LinkId=147941"&gt;Vinny and Tim show - SIR Volume 6 &lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;So, this and much more you can find in our &lt;a href="http://www.microsoft.com/sir" target="_blank"&gt;Security Intelligence Report&lt;/a&gt;. 
Download it and have fun!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3223841" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Critical+Infrastructure+Protection/default.aspx">Critical Infrastructure Protection</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Conficker – Are you infected?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/03/conficker-are-you-infected.aspx</link><pubDate>Fri, 03 Apr 2009 16:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3222011</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3222011.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3222011</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3222011</wfw:comment><description>&lt;P&gt;I just found this pretty clever website which bases its statement about whether you might be infected with Conficker on whether you are able to access certain websites:&lt;/P&gt;
&lt;P&gt;&lt;A title=http://www.joestewart.org/cfeyechart.html href="http://www.joestewart.org/cfeyechart.html" mce_href="http://www.joestewart.org/cfeyechart.html"&gt;http://www.joestewart.org/cfeyechart.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Pretty clever&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3222011" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Conficker.D and April 1st</title><link>http://blogs.technet.com/rhalbheer/archive/2009/03/28/conficker-d-and-april-1st.aspx</link><pubDate>Sat, 28 Mar 2009 11:59:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3219318</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3219318.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3219318</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3219318</wfw:comment><description>&lt;p&gt;Will the Internet world end on April 1st? This is at least the impression I got from reading the press in the last couple of days. It seems that some story spun off and started to develop a life of its own.&lt;/p&gt;  &lt;p&gt;What is really going to happen on April 1st? 
I quote the blog of our colleagues over at the Microsoft Malware Protection Center:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;So what can we expect on April 1, 2009?&amp;#160; Based on the relatively small number of Conficker.D-infected machines, we believe it’s doubtful that we might experience anything out of the ordinary on April 1.&amp;#160; We will however, just as we normally do, take action on anything unusual that might arise from this.&amp;#160; To remain protected, please ensure that your systems are patched with MS08-067, keep your security software signatures updated, and clean any systems you identify that are infected with any variant of Conficker.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;As I wrote earlier in my blog: Your focus should be to deploy MS08-067 (if you have not done so yet) and to clean your systems (if they are infected by Conficker) and, please, do not focus on any “end of the world” theories at the moment.&lt;/p&gt;  &lt;p&gt;If you need additional information, please consult our different websites:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Microsoft Conficker guidance page for IT Professionals and those focused on security in the enterprise: &lt;a href="http://www.microsoft.com/conficker"&gt;http://www.microsoft.com/conficker&lt;/a&gt;. 
&lt;/li&gt;    &lt;li&gt;Microsoft Conficker guidance page for consumers and home users: &lt;a href="http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx"&gt;http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx&lt;/a&gt;.&lt;/li&gt;    &lt;li&gt;The Microsoft Malware Protection Center (MMPC) encyclopedia page for the Conficker family of malware: &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?name=Win32/Conficker"&gt;http://www.microsoft.com/security/portal/Entry.aspx?name=Win32/Conficker&lt;/a&gt; (especially focus on the “Analysis” section).&lt;/li&gt;    &lt;li&gt;The Microsoft Malware Protection Center blog: &lt;a href="http://blogs.technet.com/mmpc/"&gt;http://blogs.technet.com/mmpc/&lt;/a&gt;. &lt;/li&gt;    &lt;li&gt;The Microsoft Security Response Center Blog: &lt;a href="http://blogs.technet.com/msrc/"&gt;http://blogs.technet.com/msrc/&lt;/a&gt;. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Enjoy the weekend&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3219318" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item></channel></rss>