Roger's Security Blog : Security

Summary of Bitlocker Discussions

rhalbh — Fri, 11 Dec 2009 09:54:36 GMT

Last week there was quite some discussion about “successful attacks” on Bitlocker. Those discussions are often quite interesting for me as they show sometimes that people are looking for one technical solution for all the problems.

Bitlocker has a clear threat model it wants to protect you from. This is mainly the loss of your computer. If it is running and the attacker is admin – well Bitlocker cannot protect you. To quote a blog post of our Windows Security Team: Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off).

So, if you want to read the whole post, it is definitely worth it: Windows BitLocker Claims

Roger

Get Safe Online: Don’t be a Money Mule

rhalbh — Fri, 04 Dec 2009 11:53:19 GMT

You know, there are people who blog late, there are people who blog very late and then there is me…

I actually missed that one even though I was triggered: Mid November there was the Get Safe Online Week 2009 in the UK. Usually they do really good stuff and this is the reason I usually blog on it.

As I said, this time I missed it. However, there is an awful lot of good content on their website, especially about Money Mules. I think that it is worth spending some time and looking at the video on Money Mules and their webpage on the same subject or directly:

Roger

Questions to Ask your (Security) Vendor

rhalbh — Tue, 01 Dec 2009 10:02:26 GMT

You know that I am a big fan of Security Development Lifecycles as we run it internally to build code which is more resilient against attacks. And I recently blogged on Security - A Feature Discussion? Some Thoughts on Google's Chrome OS as I am convinced that it is much more important to look into the process how software is engineered rather than the features of the products – they come second in my opinion.

This morning I read an article called Questions to Ask Your Security Vendor. Well, I am not clear why you should only ask the questions to your security vendor as they are completely process related – ask them to all your vendors and think about the answers when you use publically available code as well to run your business on.

I think the questions in the article are great and absolutely to the point! Read them and ask them

Roger

Security and Usability

rhalbh — Thu, 26 Nov 2009 21:04:39 GMT

It is not a new concept: The secure way is only secure if it is the easiest way. I have seen a lot of solutions which are extremely secure – in the eyes of the security people. However, the users find a lot of ways to circumvent the security measures because they are too complex to fulfill the business needs or it is simply not possible to run a business within the limits of the security policies. Do not get me wrong: Security always comes with a certain level of inconvenience – but the question is always whether we are able to find the balance between usability, the business needs and the risk management of a company.

Butler Lampson, a Technical Fellow with Microsoft Research, wrote an article on ACM called Usable Security: How to Get It which is definitely worth reading.

Roger

Security – A Feature Discussion? Some Thoughts on Google’s Chrome OS

rhalbh — Thu, 19 Nov 2009 21:18:21 GMT

To be clear upfront: This is not a “Microsoft versus Google” post. I cannot even judge how far Google pushed security with the Chrome OS. But the following article raised quite some questions how we look at security: Inside the Google Chrome OS security model. This article, like so many when security of an Operating System is to be discussed, is completely feature driven. So, we talk about Process Sandboxing, Toolchain Hardening, Kernel Hardening etc. But how relevant is this really?

Do not get me wrong: It is. But these features have to be the result of an engineering process. These features have to be designed to reduce a certain threat vector – a possible attack scenario and they have to be laid out in a way to reduce this vector. I recently had a discussion with somebody who wanted me to convince about their security software. My very first question was: How do you develop software? The answer was: We have a great CTO and good developers which engineer our software. My next question: OK, how do you do Threat Modeling? Answer: Our CTO does this since years and knows everything in and out…

To me Threat Modeling and a transparency with regards to the development process is key! Why shall I trust features? I have to know why and how they are engineered. I need process transparency – and not necessarily code transparency. There is no way I can review code. I am not a security development specialist on the one hand side nor do I have the time to look through the code anyway. The only thing I can build my trust on is the engineering and the response processes.

So, why do we not rather raise a process discussion than a feature discussion? When we had the initial press conference about SafeCode , I was asked a pretty interesting question by an analyst: As SafeCode is about sharing best practices with regards to secure development, other vendors who do not use such processes will become a target. Yes, and now? The industry has to learn that engineering and development processes are much more important than features! We use our Security Development Lifecycle – will this lead to absolutely secure code? No, not at all but to a much, much higher bar. We have great examples where we can show that this does not only reduce the number of code defects but also to a better defense framework adopting defense in depth concepts. This is what we need. Let’s shift the discussion from features to processes!

And a final comment: This discussion is even more important in the cloud!

Roger

Power of Knowledge: Security Intelligence Report v7

rhalbh — Mon, 02 Nov 2009 16:06:00 GMT

It is a good tradition since quite a while that we make the intelligence we have available accessible to the broad public. This will help out customers to protect themselves much better. The Security Intelligence Report (SIR) is built on a unparalleled set of sensors out there in the Internet:

Malicious Software Removal Tool (MSRT): runs on 450 million computers worldwide each month.
BING: performs billions of Web-page scans per year.
Windows Live OneCare and Windows Defender: on 100 million + computers worldwide.
Forefront Online Protection for Exchange: scanning billions of emails yearly.
Windows Live Hotmail: 30 + countries - hundreds of millions of active e-mail users.

As there is nobody in the industry who is able to match this, we are convinced that it is of outmost importance that we share our intelligence with the broad industry.

Looking at the report itself, there are a few key findings this time:

Rogue Security Software is sill one of the biggest threats for our customers. Even though we found less rogue software on computers (13.4 million computers compared to 16.8 million in H208) it is still a significant threat to the ecosystem.
Worms are back: Worms rose from the fifth place to the number 2 with a 98.4% increase. This is largely due to Conficker and Tatef.

To visualize the second point, let’s look at the computers cleaned by threat category:

This is a pretty significant spike.

There are a few diagrams I usually like to look at as well. One is the geographical distribution in order to understand my region. So, let’s look at the malware infections globally:
So, you see there is quite some room for improvement.

Now, to close this very, very short summary of the report, it is definitely worth looking at two additional graphs. One is the malware distribution per Operating System:

This supports a statement I make so often: If I would have one wish to our customers, it would be: “Always stay on the latest version of all the software you have” – not from a business perspective but from a security view. And the second wish would be, cover all your software, when you do patch management. Remember my post called Patch Management – Cover the whole 9 yards? I told you that you should take care of the whole software stack – not “just” Microsoft. And the reason for that is the following diagram:

As you can easily see, our share in the overall vulnerability landscape is very, very small. So, we need a joint effort across the whole industry to write secure software from the bottom up with processes like the Security Development Lifecycle! And guess what – your problem will not become easier to solve when you move to the cloud.

Now, if you want to read the report, here are the important links:

The Security Intelligence Report landing page
The download page for the report
And the video with Ken and Vinny

Have fun

Roger

Security Compliance Management Toolkit Series for IE 8 and Windows 7

rhalbh — Fri, 30 Oct 2009 16:09:53 GMT

Just a brief one: the Security Compliance Management Toolkit Series has been updated to incorporate Internet Explorer 8 and Windows 7. So, to help you to manage security and compliance in your environment, you should have a look at it: http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Roger

Look at the Enhanced Mitigation Evaluation Toolkit

rhalbh — Thu, 29 Oct 2009 12:26:56 GMT

Recently we announced the availability of the Enhanced Mitigation Evaluation Toolkit. This is a toolkit which makes it easier to defend your application on different levels – free of charge. Read the post done by our Security Research and Defense guys: Announcing the release of the Enhanced Mitigation Evaluation Toolkit

Roger

Why it pays to be secure – Chapter 3 – But how do I?

rhalbh — Sun, 18 Oct 2009 18:20:00 GMT

Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.

Security — you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin?

From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Senior Security Strategist with the Microsoft Trustworthy Computing Group Kai Axford, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how mitigate the new risks in security and may have you rethinking the methods you’re using. He also spends time talking about your hot topics of the day.

Specifically there is an 8 part series as detailed below:

TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200) Original Air Date: January 7, 2008

In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. Bring your CFO to this one!

TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200) Original Air Date: January 8, 2008

In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200) Original Air Date: January 9, 2008

Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200) Original Air Date: January 10, 2008

In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected too? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead?

TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200) Original Air Date: January 14, 2008

We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200) Original Air Date: January 15, 2008

Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks!

TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200) Original Air Date: January 16, 2008

Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200) Original Air Date: January 17, 2008

Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!

Henk and Roger

The Africa Cable – A Chance for Africa! – A Threat for the Internet?

rhalbh — Wed, 07 Oct 2009 17:10:00 GMT

The development in Africa especially with the new broadband services to me is a huge chance for the whole continent.

I just found this map on the next two years:

source: IntelFusion

Even though I have not been in Africa over the last few months, I heard that in different cities fiber is brought directly to the household, which brings technology and opportunities I would love to see here in Western Europe, where we still have to rely on copper. So, if the governments in Africa are serious with this, I think this is an outstanding growth opportunities for those markets.

On the other hand, when I talk to customers and governments in Western Europe, there is a lot of dis-trust as well. Can we trust the governments? How much malware will be spread coming from this continent? Actually, the kick for this post was the following article just outlining this: Africa - home of the world’s largest cyber pandemic – which makes me think.

If I look at our Security Intelligence Report back in April (the new one will be coming soon) and look at the malware infection rate we see, it is not worse nor better than any other region:

However, the data we have available from Africa might not be as broad as in other regions.

Another thing came to my mind. I was in Kenya two years ago on a business trip and I learned one thing – the idea of shipping outdated PCs to Africa to help people there does not work as it requires them to run old and outdated software which makes them open for attacks. Simple, isn’t it?

Looking at my figures, it is a problem but not smaller or bigger than any other region on this globe. Additionally, one of the reasons, why our teams work so hard to get Microsoft Security Essentials out of the door for all countries is just to reduce this threat. Make a professional Anti-Malware solution available to people who cannot afford one free of charge.

Rather than being threatened, let’s welcome this continent on the “broadband Internet” and help them now to learn from our challenges and failures in the past.

Roger

Thoughts on the Registered Traveler Programs at Airports

rhalbh — Wed, 30 Sep 2009 19:03:56 GMT

When I entered the US this time, I got a brochure on how I could avoid the line at immigration and just get a fast track by registering with the Global Entry Program, a program, which would pre-screen me and then I just have to register with a machine by entering the US. As I understand, this is a re-start of the Clear program TSA had a few years back. I looked at it and as waiting time in the lines in Seattle (where I enter the US in 95% of the cases) is shorter than the waiting time for the luggage, there is no real benefit for me opposed to the privacy and security questions (yes, I am paranoid).

This morning then, I read an interesting blog post by Bill Nagel, a Forrester analyst, called It’s The Database, Stupid, covering some of the worries linked to those programs. It is a really good – not emotional – read.

Roger

Microsoft Security Essentials – Ready to download

rhalbh — Tue, 29 Sep 2009 19:20:03 GMT

Why pay for a Anti-Malware solution if you can get one of the best solutions in the world for free – go and download it! It is there: http://www.microsoft.com/security_essentials/

And now, the disclaimer: It runs only on genuine Windows!

Have fun, enjoy. I am running it since quite a while with my friends and families and they all love it as they do not see and feel it at all – unless something bad happens. It is great!

Interesting Cyber Security Challenge

rhalbh — Tue, 29 Sep 2009 18:40:33 GMT

I read an article on Cyber Security Challenge Brings Out the Best about a “defend your system” challenge by the USENIX Security Conference in Montreal, Canada. I like the approach: Find and fix common vulnerabilities on a web server.

Roger

Hey, You, Get Off of My Cloud

rhalbh — Sun, 27 Sep 2009 02:47:47 GMT

I recently had different discussions with different customers and we were looking into the key questions to ask, when you plan to move to the cloud (yes, I am working on a corresponding blog post). I was then asked whether we have an answer to these questions – well no. For sure not for all of them and I stated that I am not only sure whether we know all the questions yet…

I then stumbled across the following article Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. A very interesting approach to attack a virtual machine in the cloud if you use Infrastructure as a Service – they used Amazon EC2 as an example.

This definitely introduces new ways of attacking an infrastructure – and therefore new questions and risk. So, make sure you have the proper risk management processes in place

Roger

When it comes to security, who do you trust more - Microsoft or Google?

rhalbh — Sat, 26 Sep 2009 05:18:00 GMT

I started to read the article and actually just wanted to Tweet about it but then I voted and had to publish at least the current state:

When it comes to security, who do you trust more?

Microsoft (44%)
Google (32%)
Neither (22%)
Both (3%)

Total Votes: 716

This is just now – might change but it is very good to see.

Take your vote (if you need help where to click, let me know…)

Roger