Roger's Security Blog : Trends

Is the “Managed Desktop” the ultimate solution?

rhalbh — Tue, 01 Sep 2009 11:39:09 GMT

When I talk about the big trends, one of them is about the call of the younger generation for more flexibility. Flexibility in this context is about where you work, when you work and how you organize yourself. If you take this as a given, you have to wonder whether today’s IT is able to cope with that. In a lot of companies, they roll out a “one size fits all”-image to the desktop and therefore making sure everybody has the same image. This has definitely a good side as the management of it is kind of less expensive as you know how the image looks like (or should look like).

The longer the more I question that for a limited set of users. Just to be very clear: I do not say that you should change this policy completely but it might be worth considering change it for a defined set of users. Let me give you a few examples:

There was one company (a worldwide company) who decided to let you take a test (if you want) and if you prove to be able to handle your computer yourself, you get money to buy what you think you need.
I used to work for a consulting company which was running Windows XP back then. You had basically two options: You could get a standard image loaded and completely managed by IT. Or you could get a standard image loaded, get the local admin and take care of it yourself. If you had problems, they tried to help you a little bit but pretty soon decided to flatten your computer and install the standard image – that was your risk you had to deal with but it worked fairly well (except for a lot of people being local admin on their box).
Last but definitely not least – look at Microsoft. You can get the Microsoft IT image if you want (even over the network you can do it yourself) or install and join the machine to the domain yourself. This makes sense as a lot of people have a different appetite for betas and beta testing. Additionally a Country Manager might have a different need than me. The key thing in here is about policy compliance and ensuring policy compliance – this is where Network Access Protection comes into play (something I want to blog about later).

So, giving the next generation the right tools to be productive rather than limit their productivity will be a real key challenge I guess.

For quite some time I felt like being the lonely guy in the desert. I actually had a CSO once leaving the room when I said this (about 3-4 years ago). I now just stumbled across an article: Unchain the Office Computers!Why corporate IT should let us browse any way we want.

Well, I do not like the Firefox example ;-) but basically this will be the future – I am convinced. Rather than walking around and telling everybody that this is not possible due to security reasons we have to think about how to make it possible. What would this mean? E.g. persistent protection of information (Rights Management), enforcing policy compliance on the network, the perimeter will probably be between client and server (or between trusted and un-trusted systems or between complaint and non-compliant systems)…

At least there will be a lot of interesting stuff to do…

Roger

The Future of the Internet in 2020

rhalbh — Tue, 25 Aug 2009 19:58:42 GMT

This is a pretty interesting survey: Future of the Internet III: How the Experts See It

Here are the key findings:

The mobile device will be the primary connection tool to the internet for most people in the world in 2020.
The transparency of people and organizations will increase, but that will not necessarily yield more personal integrity, social tolerance, or forgiveness.
Voice recognition and touch user-interfaces with the internet will be more prevalent and accepted by 2020.
Those working to enforce intellectual property law and copyright protection will remain in a continuing "arms race," with the "crackers" who will find ways to copy and share content without payment.
The divisions between personal time and work time and between physical and virtual reality will be further erased for everyone who is connected, and the results will be mixed in their impact on basic social relations.
"Next-generation" engineering of the network to improve the current internet architecture is more likely than an effort to rebuild the architecture from scratch.

This shows to me that our End-to-End Trust vision is more important than ever as we will be relying on a trusted stack and a strong identity.

Roger

Gazelle – the secure Web browser of the future?

rhalbh — Fri, 20 Feb 2009 11:52:02 GMT

This is an interesting paper from Microsoft Research. Now, before you read it: This is research and be no means a commitement to develop it for IE 9.

The Multi-Principal OS Construction of the Gazelle Web Browser

Roger

Important Privacy Announcement

rhalbh — Tue, 09 Dec 2008 09:54:40 GMT

I wanted to make you aware of a very important announcement we made earlier today. As you know, Trustworthy Computing is all about Security, Reliability and Business Practices. Our house has a fourth pillar - Privacy - which we view as extremely important, not only in terms of the way we manage our customers’ data, but more broadly in the way we earn and keep our customers’ trust.

You may have heard about the European Union Article 29 Working Party, which issued a statement in April to search providers concerning search anonymization policies. A major part of their focus is the length of time search companies store customer data. The Article 29 Working Party’s view is that this should be no more than six months.

Earlier today we announced that we support the Article 29 Working Party’s call for a common industry standard for search data anonymization methods and timeframes to help protect users’ privacy. We also said that whilst the timeframe is important, more important still is the adoption of strong data anonymization methods. I am glad we made this commitment and I hope that others will follow our lead and support the standard laid down by the Article 29 Working Party. To truly protect users’ privacy, it is imperative that all search companies adopt the same standard.

If you want to read more, read Peter Cullen’s (our Chief Privacy Strategist) blog post: Microsoft Supports Strong Industry Search Data Anonymization Standards

Roger

Security – One of the Key Reasons to Migrate to Windows Vista (part 2)

rhalbh — Sun, 16 Nov 2008 15:20:17 GMT

In my last post, I briefly touched on different features of Windows Vista, which I think are important with regards to the view on Windows XP vs. Windows Vista. Let’s take a different approach now: I recently was on a panel in Eastern Europe where I was asked, which model generates more secure software: The shared source (like ours) or the Open Source. I asked back, whether they could define “more secure” for me. It turned out, that we were talking about vulnerabilities.

Let’s look at some statistics now and let’s start with vulnerabilities:

In Jeff Jones’ Desktop OS Vulnerability Report we published figures on vulnerabilities between Desktop OS Vendors and it turns out that this view already gives you a reason to migrate to Windows Vista:

But this is the view on an industry problem giving us confidence that our Security Development Lifecycle works. But how is the comparison between Widows XP and Windows Vista? He has a really interesting chart in there:

If we compare Windows XP and Windows Vista, we see different things:

There are vulnerabilities we had to address in Windows XP which were not in Windows Vista anymore.
There are vulnerabilities which had less impact on Windows Vista compared to Windows XP. A good example for this was the latest Out of Band Security Update we had to release, called MS08-067, which was Critical for all the OSs except Windows Vista and Windows Server 2008, where we rated it Important. The reason for that is UAC – even if you would have switched off the UI!
Finally, there was one vulnerability which was introduced in new code in Windows Vista.

So, this picture shows very well that defense in depth in Windows Vista (with technologies like ASLR, DEP, UAC etc.) actually pays off.

An other view on this is the attack/malware side. In our Security Intelligence Report v5 we talk about browser-based exploits and where the criminals attack the victims on Windows XP and Windows Vista. If you look at the XP picture you see the following:

With regards to browser-based exploits, 58% of the time, Microsoft software was attacked and 42% 3rd party. This changes drastically in Windows Vista:

Here our software drops to 6%!

In the Security Intelligence Report we have some other figures as well (like the malware infection rate on the different OS) but I want to leave it with that.

We once discussed in our community an interesting question: If we could give our customers just one advice, what would that be? I think it would be to stay on the latest versions of all your software. The reason is not license fees or anything like that. The reason is that this is the only way to cope with the changing threat landscape!

Roger

H1 OS Desktop Vulnerability Report – Get It Now

rhalbh — Mon, 27 Oct 2008 16:05:00 GMT

You might know Jeff Jones' work on the different vulnerability reports comparing different products and vendors. Our goal is to understand and measure our progress and see where we stand with regards to the industry.

Today, Jeff release his OS Desktop vulnerability report for H1 2008, which shows to me some interesting results.

One is if you look at the Days of Risk – say on average after disclosure how many days did it take a vendor to fix a vulnerability. He weighted them as well based on whether they are critical or important or low:

Secondly he shows the number of vulnerabilities of all the vendors he is looking at:

And last but definitely not least he compares the different OSs:

There is one other interesting finding: 25% of the vulnerabilities are shared by more than one vendor!

So, if you want to download the report, here you find Jeff's post: http://blogs.technet.com/security/archive/2008/10/28/download-h1-2008-desktop-vuln-report.aspx

Roger

“Stacked against hacks” in World Finance

rhalbh — Mon, 20 Oct 2008 22:44:46 GMT

I recently had the pleasure to be part of an article in World Finance called Stacked against hacks

Visit the virtual version here and go to page 60 and 61

Roger

Challenging the 10 Immutable Laws of Security

rhalbh — Fri, 10 Oct 2008 20:49:00 GMT

You probably know them: The 10 Immutable Laws of Security, we published I think around 2000 and they were often cited. They are:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

Now Jesper Johansson (who formerly worked for Microsoft) started to look into them and is wondering how the changed landscape as well as the changed technology impacts these laws. He started with the first 3 and it is definitely worth to have a look at his essay:

Security Watch Revisiting the 10 Immutable Laws of Security, Part 1

Roger

Estonia’s Cyber Security Strategy

rhalbh — Wed, 08 Oct 2008 22:56:00 GMT

Following the attacks on Estonia, they published a pretty interesting paper called Cyber Security Strategy by the Ministry of Defense in Estonia. One thing which I see again and again is that most of the people looking into such strategies conclude that strong collaboration is needed between the different players as well as across country borders. I recently made the statement that the only people profiting from missing collaboration are the criminals – and I am serious about that.

So, there are five policies identified by Estonia to work on:

The development and large-scale implementation of a system of security measures
Increasing competence in cyber security
Improvement of the legal framework for supporting cyber security
Bolstering international co-operation
Raising awareness on cyber security

You will find the whole report here.

Roger

SAFECode released „Fundamental Practices for Secure Software Development”

rhalbh — Wed, 08 Oct 2008 22:35:55 GMT

SAFECode just released a new paper called Fundamental Practices for Secure Software Development. This is a collaboration of different people from different companies (SAP, EMC, Symantec, Juniper, Nokia and Microsoft).

As you probably know, SAFECode is a Forum to share good practices around development of secure software. It is about learning from each other but about sharing knowledge with the outside world as well.

Roger

Some Thoughts on UAC

rhalbh — Mon, 06 Oct 2008 12:27:39 GMT

I blogged several times already on UAC as this has been (and partly still is) a very disputed security feature in Windows Vista (which I still support!). I just found today a not really new blog post on UAC, which I think is worth reading. It is from April this year and is called UAC: Desert Topping, or Floor Wax?

Even though we could disputed whether UAC in some forms is a security boundary or not (this is addressed in the post), I think it gives some very interesting views on the debate about UAC

Roger

Why you should move to IPv6 – NOW!

rhalbh — Fri, 26 Sep 2008 21:55:00 GMT

Honestly, if you are not living in China it might not be that urgent but read yourself: China running out of IP addresses

Roger

Information Accountability

rhalbh — Wed, 24 Sep 2008 21:05:18 GMT

I just read a pretty interesting paper; you should have a look at. The interesting thing is – from my point of view – the paper is close to your End to End Trust paper we published in March. What I want to say with that is, that it seems that several forces in the security ecosystem are moving in the same direction.

I definitely think that this paper from MIT is worth reading: Information Accountability

Roger

Renting a Botnet on eBay

rhalbh — Thu, 11 Sep 2008 19:13:40 GMT

It is getting better over time: Now you can rent a Botnet on eBay to increase your hitrate on YouTube (By the way: Free shipping is included):

http://cgi.ebay.com/Guaranteed-100-000-views-for-your-YouTube-video_W0QQitemZ220279609299QQcmdZViewItem?hash=item220279609299&_trkparms=72%3A1163|39%3A1|66%3A2|65%3A12|240%3A1318&_trksid=p3286.c0.m14

Roger

Announcing the Exploitability Index

rhalbh — Wed, 06 Aug 2008 19:23:00 GMT

At Blackhat we announced an important change to our Security Bulletins becoming effective during the October release.

One of the requests we often heard talking to our customers is, that they would like to get better information on how hard it is to exploit a vulnerability. We will introduce an Exploitability Index by October. Basically we will give you three values on each vulnerability addressed:

Consistent Exploit Code Likely. This means analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit that vulnerability. This would make the vulnerability an attractive target for attackers; therefore, it is more likely that exploit code would be created. As such, customers who have reviewed the security bulletin and have determined its applicability within their environment might treat a vulnerability with this value as a higher priority.
Inconsistent Exploit Code Likely. This means analysis has shown that exploit code could be created, but an attacker would likely experience inconsistent results, even when targeting the affected product. While an attacker may be able to increase the consistency of results by having better understanding and control of the target environment, the unreliable nature of this attack makes it a less attractive target for attackers. As such, customers who have reviewed the security bulletin and determined its applicability within their environment might treat a vulnerability with this value as an important update; however, if prioritizing against other highly exploitable vulnerabilities, they could choose to rank this lower in their deployment priority.
Functioning Exploit Code Unlikely. This means analysis has shown that exploit code which functions successfully is unlikely to be released. While an attacker could create exploit code that could trigger the vulnerability and cause abnormal behavior, it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability. Therefore, once customers have reviewed the security bulletin to determine its applicability within their environment, they might prioritize this update below other vulnerabilities within a release.

I hope that this makes live for you easier when assessing our updates.

If you would like to get more information, read the fact sheet.

As always, your feedback is very welcome

Roger