You surely know the CSI-FBI Security report. FBI now pulled off and CSI did the study themselves. If you are interested in it – it is free but you have to register: http://gocsi.com/forms/csi_survey.jhtml

Roger

I am in Redmond at the moment for internal meetings. We have been able to align these meetings with the Fall Session of Bluehat. I already blogged about the summer sessions and would like to give you some insights and views on the Fall sessions as well. To be clear, I am "just" attending the Exec Briefing which is a short version of the complete Bluehat but it is nevertheless extremely interesting to listen to the presenters. If you want to know more about Bluehat, go to http://www.microsoft.com/technet/security/bluehat/2007fall.mspx

It is always eye-opening listening to the presenters at Bluehat. Let me share a few conclusions/thoughts with you:

• Windows Mobile Security: Even though we already came a long way, we still have a lot of things to do. To keep it easy: We have to take the technology and concepts of Windows Vista and bring it to the mobile platform! This is obvious – isn't it?
• Looking at the underground economy, it comes to an interesting discussion about ethics. We had Roberto from WasiSabiLabi at Bluehat. I blogged about them earlier this year (http://blogs.technet.com/rhalbheer/archive/2007/07/06/vulnerability-auction.aspx) and I had to realize that there are definitely different views on ethics and the way you can stretch your view based on the position you are in. Roberto is convinced that he is working ethically and legally.
• If I look at virtualization and the key summary – it is a pretty obvious one: Software offering virtualization has vulnerabilities (BTW, Virtual PC and Virtual Server are not too bad here) and where you have vulnerabilities, there will be attacks. These attacks however might cross the virtual machines and infect/attack either other VMs or the host. This is pretty obvious but this is one of the beauties of Bluehat: It makes you think and it "forces" you to look at certain threat scenarios you did not yet look into concretely. They simply show you the threats!
• We talked about fuzzing at Bluehat as well. If you want to know more about Fuzzing, look at Wikipedia. The title actually was: "Fuzzing suchks". To me it is not that fuzzing actually sucks as a methodology but much more that the tools have quite some shortcomings.
• The scary part is always if somebody who is writing exploits or IDS signatures talks to you about how they reverse-engineer security updates. People who are doing that for a living, they are really skilled in understanding the way we work and they are extremely fast. It is a real arm's race…… Finding the actual vulnerability in our code takes them just a few minutes (often less than an hour).
• Last but not least Mark Russinovich talked about real and "unreal" security boundaries in Windows. The goal here is to understand the limitations of the different technologies and solutions within Windows Vista. He is working on a Technet article addressing this as well – so watch out.

Again this was a refreshing and very interesting experience and I am looking forward to the next Bluehat

Roger

Department of Homeland Security did a simulation what could happen if a hacker gains access to crucial parts of an electrical grid. The video was marked "Official Use Only" but seems to have leaked to The Associated Press. They then made themselves a small video. See some articles:

• The Raw Video
• The AP Video
• The AP Article (US Improperly Releases Threat Details)
• US Video Shows Hacker Hit on Power Grid

Have "fun"

Roger

This is a pretty difficult question to answer, isn't it? Let's just think of a few events that happened in the last few months, according to the press:

• December, 2006: China suspected to hack Navy site (fcw.com)
• May 2007: Denial of Service Attacks on Estonia (News.com, Computerworld, …)
• June 2007: America getting ready for Cyberwar (Telegraph)
• September 2007: Pentagon hacked by Chinese hackers (Guardian, ZDNet, Times)
• September 2007: Alleged attacks from China on Germany (Golem)
• ... only the tip of the iceberg?
• …more to come?

Is this now the start of Cyberwar?

I do not think that this is the start. This is probably just the first time we see that in press and the first time, it catches broad attention in mass media. But we had these kinds of attacks since quite some time. We have publically seen these attacks to commit industrial espionage – why shall the countries behave differently? (Remember the UK company that was hacked over a long period of time by an Israeli group – Washington Post?).

Is this a problem coming only "from the east"?

I do not believe so. I would be more than surprised if other intelligence agencies would not have the similar capabilities. This is their job, isn't it? So it is to be expected that we see – at the moment – just the tip of the iceberg.

What does this mean for the government and enterprises?

Now, this is probably the key question. Let's accept a fact: If somebody is ready to invest a lot of time and money to get access to information, he/she will get it – for sure. The groups we are talking of, we have to expect having excellent skills, money, and very good connections. Do we have to give in? Surely not! The most important thing we can do is raise the bar. And this can be done! By properly managing your risks, following some basic processes and then maintaining and monitoring your environment you are already upper-class.

On our side we are working hard to get complexity out of security and security products. It has to be easy to configure these products and you need a central point to manage them. If this is not the case, you will most probably not even see whether you are attacked or not. Last but not least, we might see "odd" behavior only if we can correlate events across different products and platforms. This has to be our mission and vision. We will definitely not be there by the end of the year but this is the road we are going.

Comments? Your views?

From the airport in Johannesburg
Roger

It is pretty well-known that there is a high risk of keystroke loggers in Cyber Cafés. That they are declared mandatory in a country however is pretty tough stuff: http://yro.slashdot.org/firehose.pl?id=281251&op=view

Roger