<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Industry Associations</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx</link><description>Tags: Industry Associations</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Get Safe Online: Don’t be a Money Mule</title><link>http://blogs.technet.com/rhalbheer/archive/2009/12/04/get-safe-online-don-t-be-a-money-mule.aspx</link><pubDate>Fri, 04 Dec 2009 11:53:19 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3298372</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3298372.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3298372</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3298372</wfw:comment><description>&lt;p&gt;You know, there are people who blog late, there are people who blog very late and then there is me…&lt;/p&gt;  &lt;p&gt;I actually missed that one even though I had been prompted: in mid-November there was the Get Safe Online Week 2009 in the UK. They usually do really good stuff, and this is the reason I usually blog about it. &lt;/p&gt;  &lt;p align="left"&gt;As I said, this time I missed it. However, there is an awful lot of good content on their &lt;a href="http://www.getsafeonline.org/" target="_blank"&gt;website&lt;/a&gt;, especially about Money Mules. 
I think that it is worth spending some time looking at the &lt;a href="http://www.youtube.com/watch?v=kiTQ_M1_5bM" target="_blank"&gt;video on Money Mules&lt;/a&gt; and their &lt;a href="http://www.getsafeonlineblog.org/mule-recruitment" target="_blank"&gt;webpage on the same subject&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx">Industry Associations</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category 
domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Scam Awareness Month in the UK</title><link>http://blogs.technet.com/rhalbheer/archive/2009/02/16/scam-awareness-month-in-the-uk.aspx</link><pubDate>Mon, 16 Feb 2009 13:03:31 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3202851</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3202851.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3202851</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3202851</wfw:comment><description>&lt;p&gt;I guess you know &lt;a href="http://www.getsafeonline.org/" target="_blank"&gt;Get Safe Online&lt;/a&gt; by now. They publish a lot of good and insightful information. Now they are collaborating with the &lt;a href="http://www.oft.gov.uk"&gt;Office of Fair Trading&lt;/a&gt; in the UK on a Scam Awareness Month. 
&lt;/p&gt;  &lt;p&gt;Again, there is a lot of excellent information on the web for you to look at:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Get Safe Online Blog on &lt;a href="http://www.getsafeonlineblog.org/scams-awareness-month" target="_blank"&gt;the Scam Awareness Month&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;A &lt;a href="http://www.consumerdirect.gov.uk/watch_out/" target="_blank"&gt;Consumer Site&lt;/a&gt; from the Office of Fair Trading with    &lt;ul&gt;     &lt;li&gt;&lt;a href="http://www.consumerdirect.gov.uk/watch_out/games/" target="_blank"&gt;Games&lt;/a&gt; ;-)&lt;/li&gt;      &lt;li&gt;Information “&lt;a href="http://www.consumerdirect.gov.uk/before_you_buy/" target="_blank"&gt;Before You Buy&lt;/a&gt;”&lt;/li&gt;      &lt;li&gt;Information “&lt;a href="http://www.consumerdirect.gov.uk/after_you_buy/" target="_blank"&gt;After you Buy&lt;/a&gt;”&lt;/li&gt;      &lt;li&gt;and a lot more&lt;/li&gt;   &lt;/ul&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Something you could definitely use to drive awareness with the average user.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx">Industry Associations</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Common Criteria and answering the “real” questions</title><link>http://blogs.technet.com/rhalbheer/archive/2007/12/28/common-criteria-and-answering-the-real-questions.aspx</link><pubDate>Fri, 28 Dec 2007 14:08:16 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2686020</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2686020.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2686020</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2686020</wfw:comment><description>&lt;p&gt;It seems that I am not yet gone :-). Eric Bidstrup, a colleague of mine, wrote a great blog post about Common Criteria, about where it does a pretty good job and where it fails. Basically he claims – and I could not agree more – that the customer "only" wants to know whether the operating system "is safe". I quote:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;In terms of software security, all of the following most people would think of as being "bad": Viruses, worms, malware, hackers, criminals, and espionage.  These items listed have one thing in common – all of those bad things require a weakness (a "vulnerability") in the software used, and finding a way to exploit that vulnerability for a nefarious purpose.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;I slightly disagree, as we have seen a lot of attacks on perfectly patched systems that exploited not a software vulnerability but the user. However, as we will never be able to "Common Criteria Certify" the user, the definition definitely works for the Common Criteria discussion. He writes another pretty remarkable statement:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;It has been our experience that customers typically don't care whether they are exposed to risk from a design vulnerability or an implementation vulnerability, they care that they are exposed to risk. Period. When customers ask "Is it Safe?" they expect software that can be deployed and maintained to operate securely in the face of adversarial activity.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Well, it is clear that this is true. His final conclusion is:
&lt;/p&gt;&lt;p&gt;&lt;em&gt;If customers expect a real-world answer to the question "Is it Safe?" to be answered by Common Criteria, then Common Criteria must change.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;You can read the full post here: &lt;a href="http://blogs.msdn.com/sdl/archive/2007/12/20/common-criteria-and-answering-the-question-is-it-safe.aspx"&gt;Common Criteria and answering the question 'Is it Safe'&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Now, I expect that this raises again the same discussion as I had on my post &lt;a href="http://blogs.technet.com/rhalbheer/archive/2007/11/16/the-value-of-operating-system-comparisons.aspx"&gt;The Value of Operating System Comparisons&lt;/a&gt;. In that post I commented on several posts about the value of using vulnerability counts to compare operating systems. One of the posts was called &lt;a href="http://www.tssci-security.com/archives/2007/11/01/operating-systems-arent-any-more-secure-than-the-idiot-using-it"&gt;Operating systems aren't any more secure than the idiot using it&lt;/a&gt;, and in a comment there, dre suggested a five-star rating system for software. It is an interesting concept but does – in my opinion – not scale. And this is part of the CC problem as well: It takes much too long to certify a piece of software.
&lt;/p&gt;&lt;p&gt;However, I think that public debate is needed, both about the certification of software and about what it takes to have the best possible security while at the same time ensuring the &lt;span style="text-decoration:underline"&gt;necessary&lt;/span&gt; level of backward compatibility. 
&lt;/p&gt;&lt;p&gt;Roger
&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2686020" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx">Industry Associations</category></item><item><title>The Value of Operating System Comparisons</title><link>http://blogs.technet.com/rhalbheer/archive/2007/11/16/the-value-of-operating-system-comparisons.aspx</link><pubDate>Sat, 17 Nov 2007 00:05:46 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2478895</guid><dc:creator>rhalbh</dc:creator><slash:comments>10</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2478895.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2478895</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2478895</wfw:comment><description>&lt;p&gt;Since Blaster/Slammer, namely since the start of Trustworthy Computing I am working at Microsoft in a publically facing security role. I went through all the blaming and had to take all the heat of what we did wrong and how bad we are – and I admitted there and still do today that security was not a priority for Microsoft back then (and if you quote me, please quote the whole sentence&lt;span style="font-family:Wingdings"&gt;J&lt;/span&gt;). However, we changed dramatically and I am convinced that Microsoft is one of the few companies of such a size having the capability to change within the timeframe we did and the change will go on.
&lt;/p&gt;&lt;p&gt;When I did my first presentation on Trustworthy Computing, I stated publically that this is an industry initiative and not a "Microsoft only thing" – and the people laughed at me. They told me that Microsoft is THE problem and that we will never change. When I looked at the figures of e.g. vulnerabilities back then, we saw from the beginning that we were much better than everybody else but have been the bigger target and the one that actually made much, much more noise. Finally, we were best in class with incident and vulnerability response. This is my true belief when I look back to that time and it still is if I am looking at today's industry!
&lt;/p&gt;&lt;p&gt;Since that time until today, I never participated in the discussion about "who is more secure? – Windows, Linux, Mac,…". Why? Well, that is pretty straight forward to tell: There is no value to this discussion from my point of view. We have to know where &lt;strong&gt;we&lt;/strong&gt; stand – this helps to judge where to set the priorities but basically our customers expect us to deliver the best in class for the market – and they shall do this! &lt;strong&gt;This has to be our target&lt;/strong&gt;.
&lt;/p&gt;&lt;p&gt;Now you might ask, why I am writing this. Each time a vendor has a major security problem, the discussion starts again. This time Apple got the blame. People were talking of "Mega-Patch" and so on. There started a blog "war" on which OS is more secure. There were titles like:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://security.blogs.techtarget.com/2007/11/16/diving-back-into-the-mac-vs-windows-debate/"&gt;Diving back into the Mac Vs. Windows debate&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.tssci-security.com/archives/2007/11/01/operating-systems-arent-any-more-secure-than-the-idiot-using-it/"&gt;Operating systems aren't any more secure than the idiot using it&lt;/a&gt;
		&lt;/li&gt;&lt;/ul&gt;&lt;p&gt; And there are people trying to do a comparison: &lt;a href="http://main.blogs.encompassus.org/?p=40" title="Permanent Link: “I don’t use Windows! I’m invincible!”"&gt;"I don't use Windows! I'm invincible!"&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Does this really bring us any step closer to a solution of the problem? Most people who are actually "comparing" the security of the different Operating Systems are geeks, and they all assume that everybody else is a geek as well.
&lt;/p&gt;&lt;p&gt;Instead of passing blame around, I think it is time to come together and look for solutions within the industry. We are competitors in certain areas, but to address the "security challenge" the companies have to come together! We already support, and in some cases even initiated, different forums/alliances to do exactly that:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/alerts/info/via.mspx"&gt;VIA&lt;/a&gt; (Virus Information Alliance): An alliance of which all the major AV vendors are part, to share information on malware.
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.safecode.org/"&gt;SAFECode&lt;/a&gt; (see my earlier &lt;a href="http://blogs.technet.com/rhalbheer/archive/2007/11/02/safecode-writing-secure-code-learning-from-each-other.aspx"&gt;blog&lt;/a&gt;): An alliance that helps to share best practices around building secure products
&lt;/li&gt;&lt;li&gt;…
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;So, instead of wasting time complaining, telling everybody that A is better than B, complaining that people are stupid, or telling everybody that you are the one who knows how to configure a system but still do not trust the vendors (typically us), I ask you for a constructive dialogue. We can start it here or you can mail me:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Knowing what we are doing already (e.g. &lt;a href="http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx"&gt;Security Development Lifecycle&lt;/a&gt;), what do we have to do to improve security for mom and dad?
&lt;/li&gt;&lt;li&gt;What can we do – from your point of view – to improve our communication?
&lt;/li&gt;&lt;li&gt;What does the industry have to do to get even better?
&lt;/li&gt;&lt;li&gt;If you are working for a major ISV – join SAFECode to move the industry as a whole.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;I am open for any constructive and open dialogue but not for blaming and bashing.
&lt;/p&gt;&lt;p&gt;Looking forward to your feedback
&lt;/p&gt;&lt;p&gt;Roger &lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx">Industry Associations</category></item><item><title>SAFECode: Writing Secure Code – learning from each other</title><link>http://blogs.technet.com/rhalbheer/archive/2007/11/02/safecode-writing-secure-code-learning-from-each-other.aspx</link><pubDate>Fri, 02 Nov 2007 13:30:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2310871</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/2310871.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=2310871</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=2310871</wfw:comment><description>&lt;p&gt;During RSA Europe an industry forum called &lt;a href="http://www.safecode.org/"&gt;SAFECode (&lt;strong&gt;&lt;em&gt;S&lt;/em&gt;&lt;/strong&gt;oftware &lt;strong&gt;&lt;em&gt;A&lt;/em&gt;&lt;/strong&gt;ssurance &lt;strong&gt;&lt;em&gt;F&lt;/em&gt;&lt;/strong&gt;orum for &lt;strong&gt;&lt;em&gt;E&lt;/em&gt;&lt;/strong&gt;xcellence in &lt;strong&gt;&lt;em&gt;C&lt;/em&gt;&lt;/strong&gt;ode)&lt;/a&gt; was announced "&lt;em&gt;to identify and share software assurance best practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks&lt;/em&gt;". 
I was really excited that I had the opportunity to represent Microsoft during the press conference at RSA, as this is – from my point of view – a significant move for the industry. SAFECode was founded by some heavyweights in the software development industry: EMC&lt;sup&gt;2&lt;/sup&gt;, Juniper, Symantec, SAP, and Microsoft.
&lt;/p&gt;&lt;p&gt;Over the last few years we have invested significantly in our &lt;a href="http://msdn2.microsoft.com/en-us/library/ms995349.aspx"&gt;Security Development Lifecycle&lt;/a&gt; (SDL). We make the experience we gained available in different forms:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;We wrote books like &lt;a href="http://www.microsoft.com/mspress/books/8753.aspx"&gt;Security Development Lifecycle&lt;/a&gt;, &lt;a href="http://www.microsoft.com/MSPress/books/10723.aspx"&gt;Writing Secure Code&lt;/a&gt;, &lt;a href="http://www.microsoft.com/MSPress/books/8485.aspx"&gt;Hunting Security Bugs&lt;/a&gt;, &lt;a href="http://www.microsoft.com/mspress/books/6892.aspx"&gt;Threat Modeling&lt;/a&gt;, …
&lt;/li&gt;&lt;li&gt;We integrate tools and technology we initially developed for our own use into Visual Studio
&lt;/li&gt;&lt;li&gt;We make tools like the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&amp;amp;displaylang=en"&gt;Threat Modeling Tool&lt;/a&gt; available for anybody as a free download
&lt;/li&gt;&lt;li&gt;Microsoft IT uses a special version of the SDL, adapted to third-party applications. Even the tools we use internally, like the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&amp;amp;DisplayLang=en"&gt;Microsoft Threat Analysis &amp;amp; Modeling&lt;/a&gt; tool, are available for free download.
&lt;/li&gt;&lt;li&gt;We run a blog on it: &lt;a href="http://blogs.msdn.com/sdl"&gt;The Security Development Lifecycle&lt;/a&gt;
		&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;But this is different. Key people from Microsoft and other companies are coming together to share best practices and learn from what worked and what did not. From our side, there are people involved like Steve Lipner (one of the "fathers" of the SDL) and &lt;a href="http://blogs.msdn.com/michael_howard/"&gt;Michael Howard&lt;/a&gt; (Writing Secure Code). The outcome should be better processes as well as a way to integrate this kind of process into education and training. This is really great and I am excited to see this moving forward.
&lt;/p&gt;&lt;p&gt;The press coverage was already pretty significant and positive:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;darkReading: &lt;a href="http://www.darkreading.com/document.asp?doc_id=137004&amp;amp;WT.svl=wire_1"&gt;Major Vendors Form SAFECode&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;SearchSecurity.com: &lt;a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1278401,00.html"&gt;Tech vendors team up for secure software development&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;Vnunet.com: &lt;a href="http://www.vnunet.com/itweek/news/2201841/industry-launches-initiative"&gt;Tech industry launches initiative to boost software security&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;eWeek.com: &lt;a href="http://www.eweek.com/article2/0,1895,2206100,00.asp"&gt;Tech Foes Join Forces for Secure Code&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;Computerworld UK: &lt;a href="http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=5813"&gt;RSA 2007: Software firms to share security best practice&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;Federal News Radio: &lt;a href="http://www.federalnewsradio.com/emedia/96645.wma"&gt;An interview with Paul Kurtz, Executive Director of SAFECode&lt;/a&gt;
		&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;SAFECode is neither a standards body nor a lobbying association. Instead it has been formed as a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. 
&lt;/p&gt;&lt;p&gt;As a collaborative effort of leading technology companies committed to software assurance excellence, SAFECode provides a forum for subject matter experts to come together to work on some of the most challenging issues faced by the industry. There is no single solution or "right way" to address software assurance. Indeed, there are many different ways to succeed. SAFECode provides an opportunity to bring the best methods together in a manner that helps vendors, governments and critical infrastructures better manage risk.
&lt;/p&gt;&lt;p&gt;Every technology vendor has a stake in the global effort to improve the security and reliability of the greater cyber ecosystem. If you are a vendor committed to driving security, privacy and integrity in software, hardware and services, then you belong in SAFECode. We are looking for hands-on members who want to benefit from the experiences of others and actively contribute to advancing the art of software assurance.
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2310871" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx">Industry Associations</category></item><item><title>Digital Phishnet Conference 2007</title><link>http://blogs.technet.com/rhalbheer/archive/2007/06/17/digital-phishnet-conference-2007.aspx</link><pubDate>Sun, 17 Jun 2007 21:36:30 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1272529</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/1272529.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=1272529</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=1272529</wfw:comment><description>&lt;p&gt;Last week the first Digital Phishnet Conference in Europe took place in Berlin. Basically &lt;a href="https://www.digitalphishnet.org/default.aspx"&gt;Digital Phishnet&lt;/a&gt; is an initiative to help to exchange information about Phishing-Sites in order to help enforcement. This is the core mission: Supporting Law Enforcement with information. So the participants are basically able to enter URLs where they are phished on and the system them collects additional information about it and makes it ready for Law Enforcement, where all the participants can add additional information where applicable.
&lt;/p&gt;&lt;p&gt;To me the conference showed different things:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Phishing attacks are getting more and more sophisticated: Malware is involved in almost every attack; we see attacks where the site is downloaded locally, unpacked and displayed locally – thus circumventing most of the countermeasures against Phishing (especially site take-downs). We rarely see the classical phishing attack in Europe anymore.
&lt;/li&gt;&lt;li&gt;The most pressing thing is to make all the players collaborate. This is easier said than done, as groups that historically are not too good at collaborating would have to: Law Enforcement, Banks, Vendors, ISPs, … Even worse: It means sharing information and trusting each other.
&lt;/li&gt;&lt;li&gt;This leads directly to networks: It is of utmost importance that we immediately start to build international networks. Key players have to know each other and have to want to collaborate. 
&lt;/li&gt;&lt;li&gt;&lt;div&gt;There are technical means that are important: Things like Anti-Virus/Anti-Spyware and Phishing Filters in one way or another. Unfortunately the bad guys learn how to circumvent these as well, and hence they become less effective:
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;URL filters lose their importance if the attackers start to use malware and/or local webpages. Having said this, it is important to stress that there are still a lot of attacks using classical webpages, and therefore the Phishing Filter has to stay, but most probably additional functionality has to be built in. The question is: The more we build in there, how do we distinguish between blocking malware sites and censoring the Internet?
&lt;/li&gt;&lt;li&gt;We see targeted attacks. How do the AV vendors react to this?
&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This actually leads me to some conclusive statements:
&lt;/p&gt;&lt;ul style="margin-left: 72pt"&gt;&lt;li&gt;No one can solve this problem alone: The bad guys are working together as well – so will we!
&lt;/li&gt;&lt;li&gt;Therefore there is a huge need for personal networks! We have to know each other and trust each other. This is the only way to achieve the collaboration.
&lt;/li&gt;&lt;li&gt;New approaches are needed. Most often, targeted malware does not make the cut for AV vendors to include it in their signatures quickly – but this is what we need. If malware is built to target one single bank, this bank has to be able to get the AV vendors to include this malware in their signatures fast.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Finally, let's just do it 
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=1272529" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Industry+Associations/default.aspx">Industry Associations</category></item></channel></rss>