• Analysis of ANI vulnerability

    Michael Howard did a very good analysis of the ANI vulnerability and showed what we learned and where we will improve SDL (the Security Development Lifecycle). He posted that on our new SDL blog:
    http://blogs.msdn.com/sdl/archive/2007/04/26/lessons-learned-from-the-animated-cursor-security-bug.aspx

    Roger

  • Three Microsoft Announcements

    Last night Vinny Gullotto made some significant announcements at RSA Japan. At least for us they are significant:

    1. We published the second Security Intelligence Report. Now, you might ask why this is significant. Think about the data sources we build the report on: Since FY05 the Malicious Software Removal Tool was run over 5 billion times and removed more than 27 million pieces of malware. Since November 2005, when we launched the beta, the Windows Live Online Safety Scanner was downloaded more than 15 million times. Now, we collect information about the OS we are running on, the service packs and the patch level as well as the locale. We do not collect any Personally Identifiable Information - obviously. But this gives us a pretty broad basis to look at - and there are some really interesting figures in there. If you want to have a look at it, here it is.
    2. We will expand our Malware Protection Center. This means we will open a branch in Japan as well as in Europe (Dublin). This means that we are significantly increasing our capabilities to produce signatures and react to threats. Having said this, we are not running these centers with no-names. Vinny himself has a long background with McAfee and Symantec, Dan Wolff - running the team in Japan - joined us from McAfee, and last but definitely not least Katrin Totcheva - ramping up the team in Dublin - is joining us from F-Secure. I personally think that this team definitely will rock!
    3. Last but not least, we are releasing a preview of our Malware Protection Portal, which will go live this summer. You can find it here: http://www.microsoft.com/security/portal/ and feedback is definitely welcome.

    This is another step to show that we are serious about security. Over the years I have been working in security at Microsoft, we did a lot of work to build more secure products and gain the trust of our customers. We have made big steps since we started Trustworthy Computing, and this is the next serious step into the security product business.

    Roger

  • Risks in Online Calendar Sharing

    Do you know this scenario: My wife would like to fix a meeting and should have access to my calendar. I am not available, therefore she cannot just call me, but - again - she should see my availability. Not uncommon, is it?

    A typical solution for this: I have to run two calendars, one for business purposes and one for private purposes. As I am lazy by nature, the private calendar is always outdated, causing serious complaints from my wife. How do people handle this scenario? Well, a lot of people sync their Outlook with an online calendar and give their family access to that calendar. A scenario that keeps the security officers in companies awake at night: Sensitive data is leaving the company - to fulfill a valid request by the users.

    Now, McKinsey just had such an incident with Google Calendar (not that this is a Google problem, this is an industry challenge): http://www.infoworld.com/article/07/04/17/HNgooglecalendardata_1.html

    Roger

  • Yet another UAC discussion

    If I had to nominate the number one feature of Windows Vista, it would be UAC. Not because I think that it is the most important feature (it is one important feature among a lot of others) but because UAC caused an unbelievable amount of press. The reason behind it: A lot of people seem to try to find a way to circumvent UAC in order to show that it is not worth the effort.

    Well, Mark Russinovich (a Technical Fellow at Microsoft) showed at CanSecWest the limitations of UAC, and he is (obviously) right. But think about it: We added a lot of technology into Vista in order to make it harder (I said harder, not impossible) to attack Vista: Address Space Layout Randomization, Service Hardening, Kernel Patch Protection, UAC, ... So UAC helps to raise the bar, not to solve all the issues. Even though it seems that there are technical limitations in UAC, I am convinced that if a social engineer wants to trick a user into accepting an elevation prompt, there will be enough users who agree to elevate.

    Additionally, the user is still a user: You still have the possibility to do everything a user can do on a machine without even thinking about UAC, as long as you stay within the user's rights.

    Therefore, I think we should spend more of this great brainwork in order to bring either those features forward (what Mark actually does, but there are others...) or help to educate users.

    Roger

  • Protecting your disk with biometric devices?

    As you (hopefully) know, Windows Vista ships with a component we call Bitlocker - at least some of the Windows Vista versions do. Now, Bitlocker can be run with different ways of protecting your keys: a TPM chip (basically a smartcard on your motherboard), a normal USB stick, the TPM chip with a PIN and the TPM chip with a USB stick. If we look into these options, we have certain advantages and disadvantages:

    • TPM chip: First and foremost, you need a TPM v1.2. For example, my notebook only has TPM 1.1, which means that even though I have a TPM chip, it is useless for Bitlocker. From the risk perspective, if I protect my keys with the TPM, somebody who has my machine can boot it, and my secrets are protected by my login credentials "only". What they cannot do is boot another OS and then mount the disk.
    • USB stick: At first glance, this seems pretty attractive: You can basically use more or less any USB stick, and the computer will not boot up without the USB stick attached to it. Cool, isn't it? The attacker would need the notebook and the USB stick. But let's be honest here: I used this setup over a few months, and my USB stick is in the same bag as the notebook because I am lazy... So, if you get my bag, you won.
    • TPM and PIN: There you cannot boot until you enter the PIN. This is one of the solutions I think should be looked into, as it prevents anybody from getting further than the BIOS load with this disk.
    • TPM and USB stick: See above. It does not make it any better if you look at the combination of the two paragraphs.

    So, out of the box, I would try to use the TPM with PIN or (if you happen not to have a TPM 1.2) use the USB solution and try to educate the users (ever tried to do that?).
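    To make the four options above concrete, here is an added example of how the same choices look on the command line. It is not from the post: it assumes manage-bde.exe and the Get-BitLockerVolume cmdlet (Windows 8 and later; Vista drove the same operations through "cscript manage-bde.wsf" and had no cmdlet), an elevated prompt, an enabled TPM 1.2 or later, C: as the OS volume and E: as a removable drive you trust to hold a startup key. The function that reads the protector list is a hypothetical helper, not a built-in.

```powershell
# Added example, not code from the original post. Assumes an elevated prompt,
# manage-bde.exe and Get-BitLockerVolume (Windows 8+), C: as the OS volume and
# E: as the USB stick that should hold a startup key.

# Always keep a recovery password before touching the startup protectors; this is
# what the "Bitlocker recovery screen" mentioned in the post asks for.
manage-bde -protectors -add C: -RecoveryPassword

# Weak setting (shown for comparison, not recommended): TPM only. The volume
# unlocks as soon as the machine boots, so whoever has the laptop is stopped by
# the Windows logon credentials only.
#   manage-bde -protectors -add C: -TPM

# Stronger setting: TPM plus PIN. Nothing gets past the boot loader until the PIN
# is typed, which is the option the post recommends out of the box.
manage-bde -protectors -add C: -TPMAndPIN

# No TPM 1.2 available: startup key on a USB stick instead. On Windows 7 and later
# this additionally needs the Group Policy "Require additional authentication at
# startup" with "Allow BitLocker without a compatible TPM" checked.
#   manage-bde -protectors -add C: -StartupKey E:

# Once TPM+PIN is in place, drop the TPM-only protector so it no longer provides
# the easy path around the PIN.
manage-bde -protectors -delete C: -type TPM

# Hypothetical helper (not a built-in): classify the startup authentication of a
# volume from its key protector types, so an administrator can spot TPM-only disks.
function Test-BitLockerStartupAuth {
    param([string]$MountPoint = 'C:')
    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
        "$MountPoint : PIN required before boot"
    } elseif ($types -contains 'TpmStartupKey' -or $types -contains 'ExternalKey') {
        "$MountPoint : startup key required before boot; keep it out of the laptop bag"
    } elseif ($types -contains 'Tpm') {
        "$MountPoint : TPM only; disk unlocks at boot, logon credentials are the last line"
    } else {
        "$MountPoint : no BitLocker startup protector found"
    }
}

Test-BitLockerStartupAuth -MountPoint 'C:'
manage-bde -status C:
```

    The order matters: adding the recovery password first means a failed PIN protector change never locks you out, and deleting the TPM-only protector last means the disk is never left without any protector. The helper only reports; it changes nothing.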

    Now, I use an additional option: I am using Bitlocker with a USB stick, but I am using a USB stick that is protected with my fingerprint. This is a pretty smart device, as the fingerprint reader is part of the USB stick, meaning that the notebook does not even see the USB stick until I am authenticated with one of my fingerprints. If you have this, the following scenario works:

    1. I attach my USB stick to my notebook
    2. I boot it up
    3. As the computer needs access to the USB stick almost immediately and does not find any (as I am not yet authenticated to it), it runs into the Bitlocker recovery screen
    4. I unlock my USB stick with my fingerprint
    5. I press "Esc" to reboot my machine
    6. The machine boots

    I know that the point with the recovery screen is not too nice, but this is the only way it works. Beforehand, there is no power on the USB port and therefore the stick cannot be unlocked, and then it takes only a fraction of a second until Bitlocker sees that it has no USB stick attached, and this is simply not enough time for the USB stick to recognize that I have my finger on the stick. With this limitation, I think that this is a really nice setup. If you now get hold of my notebook bag, you even have the USB stick but not my finger (I hope). You will therefore not have access to my disk or be able to boot my machine.

    Cool, isn't it?

    Roger