• How secure is your router?

    It is interesting to see how the threats and problems move over time - but basically the core problems remain the same: standard passwords that have not been changed, poorly configured systems, unpatched computers, and - last but not least - no "Secure by Default". And all of a sudden you do not own your router anymore and your router is used for a pharming attack.

    If you read the following article, take a special look at the end: Do not use Windows 95, 98 or Windows XP SP1 anymore! Upgrade to supported versions of Windows in order to make sure that the operating system is able to defend against attacks that are common today (and were not when the OS was developed).

    http://www.itwire.com.au/content/view/9803/1103/

    Roger

  • UAC and the discussions around it

    Well, a lot of the time when I talk to people about Windows Vista, two things pop up: User Account Control and Digital Rights Management. I will save DRM for another post, but I think that there are two blog posts you could read with regard to UAC:

    Jeff Jones wrote an excellent article about how he uses it: http://blogs.technet.com/security/archive/2007/02/12/the-value-of-uac-in-windows-vista.aspx

    And then, if you want to get technical, it is (once more) Mark's blog that is worth reading. http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx

    For me it comes down to the number of pop-ups with UAC and this really has to be put into perspective: I am working as a standard user on my Vista box and rarely need any elevation at all - unless I have to install stuff (and then I want UAC to ask me for elevation). The challenge with UAC is to survive the first few days - the time during the setup of the machine. There you get a certain amount of prompts (obviously). Once your machine is set up and running, well, there is barely any need for elevation.

    Roger

  • Secure the Wireless Network - 101

    You know that feeling, don't you: Your neighbor has set up a wireless network, you switch on your PC and see it. It is completely open and unsecured - as they are out of the box. Now you have two options: Ignore it and leave your neighbor vulnerable or give him/her a call - and lose one of your precious evenings to configure yet another wireless LAN.

    Well, there is a pretty good article on how to secure a wireless LAN that you could point your neighbors or friends to: http://www.dailywireless.com/features/secure-wireless-lan-021507/

    Roger

  • Securing your Router Part II

    In my last post, I wrote about the risk of not changing the router passwords. Well, if you need one, Bruce Schneier just posted a link to an extensive list of default passwords: http://www.schneier.com/blog/

    I think it is time that router and access point manufacturers think about "secure by default" and start to use settings that make their users secure rather than just make it work... I think I can remember a time when we had to learn that the hard way. Remember when our servers (IIS) were attacked by Code Red and all the servers (web server or print server or file server or...) were successfully infected...

    Roger

  • Security Technology Labs

    One of the problems I often face is that in order to play with technology, I need to spend quite some time setting up a basic environment to then, finally, install the software I want to test.

    I then started to have a test environment with several VMs containing a DC, Exchange, CA,... If I did not use it for a while, well, it takes quite some time to update all of them, and finally it is pretty clear that the configuration I need for the scenario cannot be reflected with the setup I have - quite a frustrating experience.

    The other option is my home environment. I am running two DCs, an Exchange Server, MOM, WSUS, ISA Server,... I authenticate my wireless with 802.1x and use WPA etc. There is a little room to do these tests - but my family has a pretty tight SLA and is not really happy if the environment fails just because daddy started to play with some Beta software - or imagine my Mediacenter fails when "24" should be recorded...

    You can imagine that I am not telling you this story without a solution:

    • For quite some time we have been offering "Virtual Labs". This is a great thing in my opinion: Choose the technology you would like to test, sign in with your Windows Live account, and in the background we are compiling Virtual Machines and a Demo script for you to use through the browser. You have 90 minutes to use it, then we will sign you out. There are labs at TechNet as well as at MSDN. Check them out: http://www.microsoft.com/events/vlabs/default.mspx
    • Additionally, a few months ago we shipped a CD with VMs to show the different mobile security scenarios. Now we make them available with quite some enhanced technology: Intelligent Application Gateway 2007 (the Whale acquisition), ISA Server 2006, Forefront for Exchange, Forefront for SharePoint, Rights Management Services, ... You can download these labs (up to 1 GB) from the download center: http://www.microsoft.com/downloads/details.aspx?familyid=ec908733-d480-46c1-bcba-2b75219e2a28&displaylang=en&tm

    Have fun

    Roger