<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Trustworthy Computing</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx</link><description>Tags: Trustworthy Computing</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Some Thoughts on UAC</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/06/some-thoughts-on-uac.aspx</link><pubDate>Mon, 06 Oct 2008 12:27:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3132801</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3132801.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3132801</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3132801</wfw:comment><description>&lt;p&gt;I blogged several times already on UAC as this has been (and partly still is) a very disputed security feature in Windows Vista (which I still support!). I just found today a not really new blog post on UAC, which I think is worth reading. It is from April this year and is called &lt;a href="http://blogs.msdn.com/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx"&gt;UAC: Desert Topping, or Floor Wax?&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Even though we could dispute whether UAC in some forms is a security boundary or not (this is addressed in the post), I think it gives some very interesting views on the debate about UAC.
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3132801" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx">Trustworthy Computing</category></item><item><title>Internet Explorer 8 Beta 2 – New Features</title><link>http://blogs.technet.com/rhalbheer/archive/2008/07/03/internet-explorer-8-beta-2-new-features.aspx</link><pubDate>Thu, 03 Jul 2008 10:13:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3082766</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3082766.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3082766</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3082766</wfw:comment><description>&lt;p&gt;We announced yesterday some additional features in &lt;a href="http://www.microsoft.com/windows/products/winfamily/ie/ie8/default.mspx"&gt;Internet Explorer 8&lt;/a&gt;, which will be part of Beta 2. They are way cool and will help to do some additional significant steps towards a more trustworthy browsing experience. Yesterday we mainly talked about two features:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx"&gt;The XSS Filter&lt;/a&gt;, which helps to protect from cross-site scripting attacks
&lt;/li&gt;&lt;li&gt;&lt;a href="http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iii-smartscreen-filter.aspx"&gt;SmartScreen® Filter&lt;/a&gt;: This is the follow-up of the well-known phishing filter in Internet Explorer 7
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;If you want to get an overview of the comprehensive protection, you should &lt;a href="http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx"&gt;read the overview on the IE blog&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3082766" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx">Trustworthy Computing</category></item><item><title>Support for Law Enforcement and COFEE</title><link>http://blogs.technet.com/rhalbheer/archive/2008/05/14/support-for-law-enforcement-and-cofee.aspx</link><pubDate>Wed, 14 May 2008 17:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3055083</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3055083.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3055083</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3055083</wfw:comment><description>&lt;P&gt;Over the last few weeks there has been a lot of chatter about a tool we provide in a Beta version to Law Enforcement called COFEE: Computer Online Forensic Evidence Extractor. &lt;/P&gt;
&lt;P&gt;Let me give you some information on COFEE and put it into the proper context. &lt;/P&gt;
&lt;P&gt;I am personally convinced that every company has its obligation to work towards making the Internet a safer place. Amongst other things, this means a close collaboration with Law Enforcement. &lt;/P&gt;
&lt;P&gt;Let's face it: &lt;STRONG&gt;Most of security is about crime prevention!&lt;/STRONG&gt; &lt;/P&gt;
&lt;P&gt;Now, Microsoft has a team internally working with Law Enforcement running &lt;A href="http://www.microsoft.com/mscorp/safety/legislation/default.mspx" mce_href="http://www.microsoft.com/mscorp/safety/legislation/default.mspx"&gt;different programs&lt;/A&gt;: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Anti-Phishing Efforts: You know of the Internet Explorer 7 Phishing Filter. Additionally we are a founding member of the &lt;A href="http://www.digitalphishnet.org/" mce_href="http://www.digitalphishnet.org/"&gt;Digital Phishnet&lt;/A&gt;. &lt;/LI&gt;
&lt;LI&gt;Anti-Spam Efforts: Again, besides technology we have been a leader in promoting &lt;A href="https://www.signal-spam.fr/english/index.php/frontend" mce_href="https://www.signal-spam.fr/english/index.php/frontend"&gt;Signal Spam&lt;/A&gt;, a unique public/private partnership in Europe and probably in the world. &lt;/LI&gt;
&lt;LI&gt;Legislative Efforts: One of the key challenges in fighting cybercrime is that most of the cases are international but the law internationally is not harmonized. Therefore we joined together with other industry partners the &lt;A href="http://www.coe.int/" mce_href="http://www.coe.int/"&gt;Council of Europe&lt;/A&gt; to support their efforts on harmonization of legislation. &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://www.microsoft.com/industry/publicsector/government/programs/CETsabout.mspx" mce_href="http://www.microsoft.com/industry/publicsector/government/programs/CETsabout.mspx"&gt;CETS (Child Exploitation Tracking System)&lt;/A&gt;: CETS is actually a tool we developed jointly with the Canadian police to help to track child exploitation cases across a country. From our perspective, we give the software itself away for free and the police has only to pay for the basic implementation cost. &lt;/LI&gt;
&lt;LI&gt;Training: All across the globe we are training Law Enforcement Officers in different technological themes. We do this either in a partnership with the local or national Law Enforcement agency or Interpol and Europol. We do this for free. Similar trainings we do for judges and prosecutors. &lt;/LI&gt;
&lt;LI&gt;LE Tech: Approximately once every other year we hold a conference in Redmond called LE Tech. This is a technical conference completely shaped to the needs of Law Enforcement Officers. &lt;/LI&gt;
&lt;LI&gt;And a lot more. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Let's come back to COFEE: During LE Tech, a conference in Redmond we organized for Law Enforcement organizations from around the world, we invited a few journalists to some of the sessions. As a result a story appeared in The Seattle Times called &lt;A href="http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html" mce_href="http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html"&gt;Microsoft device helps police pluck evidence from cyberscene of crime&lt;/A&gt;. In my opinion, there was a very good quote, attributed to Brad Smith, &lt;EM&gt;(Microsoft Senior Vice President and General Counsel)&lt;/EM&gt; on the programs above: &lt;EM&gt;"These are things that we invest substantial resources in, but not from the perspective of selling to make money," Smith said in an interview. "We're doing this to help ensure that the Internet stays safe."&lt;/EM&gt; &lt;/P&gt;
&lt;P&gt;The target audience for COFEE is a forensic investigator with very limited knowledge of IT forensics. There are many standard forensic tools that law enforcement officers routinely use to capture information from a computer for analysis. In most investigation scenarios these tools have to be used to extract information at the scene of an investigation as powering down the computer could lead to loss of data and potential evidence. &lt;/P&gt;
&lt;P&gt;The COFEE tool automates many of these existing tools and delivers them via a thumb drive making it quick and easy to use in an investigation scenario – as stated above – for the investigator with very limited knowledge on IT forensics. &lt;/P&gt;
&lt;P&gt;I have seen and heard a lot of inaccurate information about what COFEE is and does, so wanted to spend some time addressing these misconceptions: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;COFEE is in Beta stage today &lt;/LI&gt;
&lt;LI&gt;Use of COFEE is strictly restricted to law enforcement organisations who can only use it within the parameters of national legal frameworks, such as a search warrant or any other valid judicial order. &lt;/LI&gt;
&lt;LI&gt;COFEE can only be used with physical access to a machine! No, absolutely, no, remote capabilities &lt;/LI&gt;
&lt;LI&gt;
&lt;DIV&gt;COFEE does not do anything that cannot already be done by using a range of tools already available to law enforcement. The only difference is that it automates those tools, making them quicker and easier to use in an investigation scenario. There is no magic. COFEE does not access a "secret backdoor into Windows" (because such a thing does not exist), and it does not circumvent Bitlocker. It automates standard forensic tools via a USB storage device to enable law enforcement to access information on a live Windows system. &lt;/DIV&gt;
&lt;P&gt;The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab. &lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;So I hope I have been able to show that Microsoft is committed to helping address cybercrime and that our collaboration with law enforcement organisations is an important element of that. &lt;/P&gt;
&lt;P&gt;Roger &lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3055083" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx">Trustworthy Computing</category></item><item><title>End-To-End Trust: We want your Feedback</title><link>http://blogs.technet.com/rhalbheer/archive/2008/04/08/end-to-end-trust-we-want-your-feedback.aspx</link><pubDate>Tue, 08 Apr 2008 20:10:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3032242</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3032242.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3032242</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3032242</wfw:comment><description>&lt;P&gt;You probably saw my blog post on End-To-End Trust last week. This week at RSA Craig Mundie, Microsoft's Chief Research and Strategy Officer, talked about our ideas and views on this topic. In parallel, we announced the availability of a &lt;A href="http://www.microsoft.com/endtoendtrust" mce_href="http://www.microsoft.com/endtoendtrust"&gt;Whitepaper on End-To-End Trust by Scott Charney&lt;/A&gt;, our Vice President Trustworthy Computing. This whitepaper sets out a framework for industry discussion. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why is trust on the Internet a challenge? &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Well, the Internet has certain attributes criminals love: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;It is global &lt;/LI&gt;
&lt;LI&gt;It is more or less anonymous &lt;/LI&gt;
&lt;LI&gt;It is extremely hard to trace somebody back to the individual &lt;/LI&gt;
&lt;LI&gt;There are valuable targets &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;So, it is clear that crime will stay in this extremely valuable environment. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is the new challenge? &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;When we started Trustworthy Computing, the attacks were on the lower layers of the stack. They were against the Operating System. Fixing the problems in the different Operating Systems requires working with a few selected vendors as there are not too many in this field. If you look at the effort it took to get where we are today and you multiply this by the number of application vendors, you will see the complexity of making the applications secure – not even talking of the user! &lt;/P&gt;
&lt;P&gt;As the OS has become harder, and as attackers' motivation shifted from a desire to show off and prove themselves more clever than the Operating System provider to a desire to steal instead, the attacks moved up the stack. Today the Operating System is not the key target anymore; it is the applications and the users. So, we need not only a trusted Operating System but a trusted stack from the hardware to the user. &lt;/P&gt;
&lt;P&gt;This is actually not new but – to my knowledge – nobody ever tried to frame that concretely. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is needed? &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;In our opinion a public dialogue as cybercrime is an issue that affects all of us. The challenge with the problems stated above is that these are not engineering problems only. We, being an engineering company, tend to throw technology at a problem until it is solved. But this problem is not solely about technology. It is much, much more. It is about social, political, economical, and technological issues. Better engineering can address vulnerabilities in software code, but it can't do much about vulnerabilities in human nature which criminals exploit to propagate lottery scams for example nor can it address challenges in policy and legislation. Personally I am convinced that we need to look at this much more broadly. This is proven by the fact that a lot of discussions I have with analysts, journalists, and customers often end up in a pretty high-level discussion about what the society wants and needs. &lt;/P&gt;
&lt;P&gt;To be clear: This is a public debate which is needed. We can kick it off. We can provide technology, guidance, and architecture on how to solve engineering problems. We can implement certain processes decided upon. But we cannot do it alone. &lt;/P&gt;
&lt;P&gt;Take a look at the &lt;A href="http://www.microsoft.com/endtoendtrust" mce_href="http://www.microsoft.com/endtoendtrust"&gt;whitepaper Scott&lt;/A&gt; published at RSA. It lays out five areas of discussion: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Identifiers &lt;/LI&gt;
&lt;LI&gt;Authentication &lt;/LI&gt;
&lt;LI&gt;Authorization Policies &lt;/LI&gt;
&lt;LI&gt;Access Control Mechanisms &lt;/LI&gt;
&lt;LI&gt;Audit &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Pretty straightforward, isn't it? The key challenge, in my opinion, is that different companies work on point solutions and we (the industry) need an encompassing approach – including the society, the policy, and the customers. &lt;/P&gt;
&lt;P&gt;Finally, I stated that we need a trusted stack from the hardware to the people to the data – mainly: &lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Trusted Devices: It is clear that the trust has to be bound to hardware! &lt;/LI&gt;
&lt;LI&gt;Trusted OS &lt;/LI&gt;
&lt;LI&gt;Trusted Applications &lt;/LI&gt;
&lt;LI&gt;Trusted People &lt;/LI&gt;
&lt;LI&gt;Trusted Data &lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;The details are in the paper. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;So, what is new? &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;New are the framework and the overarching approach covering all the aspects. We do not provide the silver bullet and the final solution. But the paper raises questions and options. One of the things I keep telling my customers is that the worst thing they can do is not taking a decision. If you have two options and you do not decide directly, the decision is taken for you – by the system. But you do not really have control over it. &lt;/P&gt;
&lt;P&gt;If we are not having this public debate, this is going to happen with us. Therefore, it might not be all new but very important! &lt;/P&gt;
&lt;P&gt;What do we want? &lt;/P&gt;
&lt;P&gt;Your time (to read the paper), your feedback. As I said: It is not us telling the industry what you all have to do but we want to open the debate and give it a framework. On &lt;A href="http://www.microsoft.com/endtoendtrust" mce_href="http://www.microsoft.com/endtoendtrust"&gt;our website&lt;/A&gt; there is an option to give us feedback or you can add a comment here. &lt;/P&gt;
&lt;P&gt;I am looking forward to this debate &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3032242" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx">Trustworthy Computing</category></item><item><title>Where next? – Watch out for RSA</title><link>http://blogs.technet.com/rhalbheer/archive/2008/04/03/where-next-watch-out-for-rsa.aspx</link><pubDate>Thu, 03 Apr 2008 18:13:51 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3027811</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3027811.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3027811</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3027811</wfw:comment><description>&lt;p&gt;We are six years into Trustworthy Computing (TwC). When we launched it, we said a number of things:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;"It is a 10-year vision". Well, that's something we have had to update. As long as there are criminals out there using the Internet to steal, Trustworthy Computing will be around.
&lt;/li&gt;&lt;li&gt;"It is an industry initiative" – well, when I did my first keynote on TwC in 2002 (I am getting old :-)) and I said this (just after Nimda, Code Red and Slammer) people laughed at me and said that we better fix the problem within Microsoft. To an extent they had a point, and we've come a long way since then though we know there is still much to do. But today few would disagree that security and cybercrime is anything less than an industry challenge that we all have a responsibility to address.
&lt;/li&gt;&lt;li&gt;The nature of the security threat has evolved, as has the industry's and our own approach. Notoriety used to be the name of the game, now it's often nothing more than a base desire to steal. Threats have become more stealthy and targeted, and criminals are as likely to target vulnerabilities in human nature as they are in software.
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;So the big question is "where next?" – not only for Microsoft but for the industry as a whole.  This is exactly the question we would like to address: What is next? Where shall the industry move?
&lt;/p&gt;&lt;p&gt;If you are interested in these themes, I would like you to watch out for two things:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Craig Mundie's keynote at RSA next Monday on &lt;a href="https://cm.rsaconference.com/US08/catalog/profile.do?SESSION_ID=2961&amp;amp;form=searchform&amp;amp;ts=1207232090564"&gt;Enabling End-To-End Trust&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;An additional post here during next week
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Roger 
&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3027811" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx">Trustworthy Computing</category></item></channel></rss>