• Protecting your disk with biometric devices?

As you (hopefully) know, Windows Vista ships with a component we call BitLocker - at least some of the Windows Vista editions do. Now, BitLocker can be run with different ways of protecting your keys: a TPM chip (basically a smartcard on your motherboard), a normal USB stick, the TPM chip with a PIN, and the TPM chip with a USB stick. If we look into these options, each has certain advantages and disadvantages:

• TPM chip: First and foremost, you need a TPM v1.2. For example, my notebook only runs TPM 1.1, which means that even though I have a TPM chip, it is useless for BitLocker. From the risk perspective, if I protect my keys with the TPM only, anyone who has my machine can boot it: the TPM releases the key as long as the measured boot path is unchanged, so the machine comes up to the logon screen unattended and my secrets are protected by my login credentials "only". What they cannot do is boot from another OS and then mount the disk, because the TPM will not release the key to a different boot path.
    • USB stick: at first glance this seems pretty attractive: you can basically use more or less any USB stick, and the computer will not boot without the USB stick attached to it. Cool, isn't it? The attacker would need the notebook and the USB stick. But let's be honest here: I used this setup for a few months, and my USB stick is in the same bag as the notebook because I am lazy..... So, if you get my bag, you won.
    • TPM and PIN: here you cannot boot until you enter the PIN. This is one of the solutions I think should be looked into, as it stops anybody without the PIN from getting further than the BIOS and the boot loader with this disk.
    • TPM and USB stick: see above. Combining the two does not make it any better, for the reasons given in the two paragraphs above: the stick still travels with the notebook.

So, out of the box, I would try to use the TPM with PIN or (if you happen not to have a TPM 1.2) use the USB solution and try to educate the users (ever tried to do that????)
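The trade-offs in the list above can be checked on a running machine. What follows is an added example, not code from the original post: a PowerShell audit that classifies each BitLocker volume's key protectors along the lines of the list (TPM-only boots unattended, startup-key variants depend on the stick, TPM+PIN requires pre-boot authentication) and notes the manage-bde commands that move a TPM-only OS volume to TPM+PIN. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; the Vista-era tool was manage-bde.wsf), an elevated prompt, and the protector type names Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey and ExternalKey as reported by Get-BitLockerVolume. The function names are my own.

```powershell
# Added example, not part of the original post.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later)
# and an elevated prompt; the function names are the example's own invention.
#Requires -RunAsAdministrator

function Get-ProtectorVerdict {
    param([string[]]$ProtectorTypes)

    # TPM + PIN (with or without a startup key): nothing boots without the PIN,
    # so an attacker with only the machine is stopped at the boot loader.
    if (($ProtectorTypes -contains 'TpmPin') -or ($ProtectorTypes -contains 'TpmPinStartupKey')) {
        return 'OK: pre-boot PIN required'
    }
    # Startup key only, or TPM + startup key: the stick is the whole secret,
    # and it usually travels in the same bag as the notebook.
    if (($ProtectorTypes -contains 'TpmStartupKey') -or ($ProtectorTypes -contains 'ExternalKey')) {
        return 'WEAK: boots with the USB startup key, keep the stick away from the machine'
    }
    # TPM only: the volume unlocks unattended on the measured boot path and the
    # Windows logon screen is the only remaining barrier.
    if ($ProtectorTypes -contains 'Tpm') {
        return 'WEAK: TPM-only, boots unattended to the Windows logon screen'
    }
    # Recovery password / recovery key protectors are not normal-boot unlock
    # methods and are deliberately ignored here.
    return 'UNPROTECTED: no boot-time unlock protector found'
}

function Invoke-BitLockerProtectorAudit {
    $report = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # TPM-based protectors only apply to the operating system volume.
        $verdict = if ($vol.VolumeType -eq 'OperatingSystem') {
            Get-ProtectorVerdict -ProtectorTypes $types
        } else {
            'n/a: data volume'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            Verdict          = $verdict
        }
    }
    return $report
}

Invoke-BitLockerProtectorAudit | Format-Table -AutoSize

# Moving a TPM-only OS volume to TPM + PIN with manage-bde.exe (Windows 7 and
# later). Only one TPM-based protector is allowed per volume, so the plain TPM
# protector goes first; run both commands in the same session, after confirming
# a recovery password protector exists, so the volume is never rebooted with
# nothing but the recovery protector. Group Policy must allow a startup PIN
# ("Require additional authentication at startup"), otherwise the add is refused.
#   manage-bde -protectors -delete C: -Type TPM    # drop the unattended-boot path
#   manage-bde -protectors -add C: -TPMAndPIN      # prompts for the new PIN
```

Run the audit on a fleet and the "WEAK: TPM-only" rows are exactly the machines the post describes: they boot to the logon screen for whoever holds them. Adding the TPM+PIN protector without removing the plain TPM one (or without a recovery password already in place) leaves the volume either still bootable unattended or, on the next reboot, in recovery.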

Now, I use a kind of additional option: I am using BitLocker with a USB stick, but a USB stick that is protected by my fingerprint. This is a pretty smart device, as the fingerprint reader is part of the USB stick, meaning that the notebook does not even see the USB stick until I am authenticated with one of my fingerprints. If you have this, the following scenario works:

1. I attach my USB stick to my notebook
    2. I boot it up
    3. As the computer needs access to the USB stick almost immediately and does not find any (as I am not yet authenticated to it), it runs into the BitLocker recovery screen
    4. I unlock my USB stick with my fingerprint
    5. I press "Esc" to reboot my machine
    6. The machine boots

I know that the point with the recovery screen is not too nice, but this is the only way it works. Beforehand, there is no power on the USB port and therefore the stick cannot be unlocked, and then it takes only a fraction of a second until BitLocker sees that it has no USB stick attached, which is simply not enough time for the USB stick to recognize that I have my finger on it. With this limitation, I think that this is a really nice setup. If you now get hold of my notebook bag, you even have the USB stick but not my finger (I hope). You will therefore not have access to my disk, nor be able to boot my machine.

    Cool, isn't it?

    Roger

  • Mapping the Malicious Sites on the Web

    McAfee SiteAdvisor did an interesting study about the number of malicious sites per domain on the web: http://www.siteadvisor.com/studies/map_malweb_mar2007.html

    They have an interactive map that helps you to get an overview of the different threats per domain.

    Finally it made me think whether it was a wise decision to register halbheer.info........

    Roger

  • Three Microsoft Announcements

    Last night Vinny Gullotto made some significant announcements at RSA Japan. At least for us they are significant:

1. We published the second Security Intelligence Report. Now, you might ask why this is significant. Think about the data sources we build the report on: since FY05 the Malicious Software Removal Tool has been run over 5 billion times and has removed more than 27 million pieces of malware. Since November 2005, when we launched the beta, the Windows Live Online Safety Scanner has been downloaded more than 15 million times. Now, we collect information about the OS we are running on, the service pack and the patch level, as well as the locale. We do not collect any Personally Identifiable Information - obviously. But this gives us a pretty broad basis to look at - and there are some really interesting figures in there. If you want to have a look at it, here it is.
    2. We will expand our Malware Protection Center. This means we will open a branch in Japan as well as in Europe (Dublin), which significantly increases our capability to produce signatures and react to threats. Having said this, we are not running these centers with no-names. Vinny himself has a long background with McAfee and Symantec; Dan Wolff - running the team in Japan - joined us from McAfee; and last but definitely not least, Katrin Totcheva - ramping up the team in Dublin - is joining us from F-Secure. I personally think that this team will definitely rock!
    3. Last but not least, we are releasing a preview of our Malware Protection Portal, which will go live this summer. You can find it here: http://www.microsoft.com/security/portal/ - feedback is definitely welcome.

This is another step to show that we are serious about security. Over the years I have been working in security at Microsoft, we have done a lot of work to build more secure products and gain the trust of our customers. We have made big steps since we started Trustworthy Computing, and this is the next serious step into the security product business.

    Roger

  • Analysis of ANI vulnerability

Michael Howard did a very good analysis of the ANI vulnerability and showed what we learned and where we will improve the SDL (Security Development Lifecycle). He posted it on our new SDL blog:
    http://blogs.msdn.com/sdl/archive/2007/04/26/lessons-learned-from-the-animated-cursor-security-bug.aspx

    Roger

  • An E-Mail-Bot Analysis

Well, we all know that we shall not click on links in mails and stuff like that. Mark Russinovich did an interesting analysis of a pretty simple bot: http://blogs.technet.com/markrussinovich/archive/2007/04/09/741440.aspx

What I like as well is that it shows pretty well how the Vista features would have blocked this attack.

    Roger