• Critical Infrastructure Protection - Live

    The Department of Homeland Security ran a simulation of what could happen if a hacker gains access to crucial parts of an electrical grid. The video was marked "Official Use Only" but seems to have leaked to The Associated Press. They then made a small video themselves. See some articles:

    Have "fun"

    Roger

  • Bluehat 2007 Fall Sessions

    I am in Redmond at the moment for internal meetings. We have been able to align these meetings with the Fall Session of Bluehat. I already blogged about the summer sessions and would like to give you some insights and views on the Fall sessions as well. To be clear, I am "just" attending the Exec Briefing which is a short version of the complete Bluehat but it is nevertheless extremely interesting to listen to the presenters. If you want to know more about Bluehat, go to http://www.microsoft.com/technet/security/bluehat/2007fall.mspx

    It is always eye-opening listening to the presenters at Bluehat. Let me share a few conclusions/thoughts with you:

    • Windows Mobile Security: Even though we have already come a long way, we still have a lot of things to do. To keep it easy: We have to take the technology and concepts of Windows Vista and bring them to the mobile platform! This is obvious – isn't it?
    • Looking at the underground economy leads to an interesting discussion about ethics. We had Roberto from WabiSabiLabi at Bluehat. I blogged about them earlier this year (http://blogs.technet.com/rhalbheer/archive/2007/07/06/vulnerability-auction.aspx) and I had to realize that there are definitely different views on ethics and the way you can stretch your view based on the position you are in. Roberto is convinced that he is working ethically and legally.
    • If I look at virtualization and the key summary – it is a pretty obvious one: Software offering virtualization has vulnerabilities (BTW, Virtual PC and Virtual Server are not too bad here) and where you have vulnerabilities, there will be attacks. These attacks however might cross the virtual machines and infect/attack either other VMs or the host. This is pretty obvious but this is one of the beauties of Bluehat: It makes you think and it "forces" you to look at certain threat scenarios you did not yet look into concretely. They simply show you the threats!
    • We talked about fuzzing at Bluehat as well. If you want to know more about fuzzing, look at Wikipedia. The title actually was: "Fuzzing sucks". To me it is not that fuzzing actually sucks as a methodology but much more that the tools have quite some shortcomings.
    • The scary part is always when somebody who writes exploits or IDS signatures talks to you about how they reverse-engineer security updates. People who do that for a living are really skilled in understanding the way we work, and they are extremely fast. It is a real arms race… Finding the actual vulnerability in our code takes them just a few minutes (often less than an hour).
    • Last but not least, Mark Russinovich talked about real and "unreal" security boundaries in Windows. The goal here is to understand the limitations of the different technologies and solutions within Windows Vista. He is working on a TechNet article addressing this as well – so watch out.

    Again, this was a refreshing and very interesting experience and I am looking forward to the next Bluehat.

    Roger

  • CSI Report 2007 published

    You surely know the CSI-FBI Security report. The FBI has now pulled out and CSI did the study themselves. If you are interested in it – it is free but you have to register: http://gocsi.com/forms/csi_survey.jhtml

    Roger

  • Security Progress at Microsoft (Interview with Scott)

    I just stumbled across this interview with Scott Charney (Corporate Vice President Trustworthy Computing) which is very interesting to read: Q&A: Microsoft no longer a 'laughingstock' of security, Charney says

    Roger

  • How to explain a Botnet

    Have you ever struggled with the need to explain what a bot and a botnet are? There you go. The solution is here:

    source: http://cgi.cs.indiana.edu/~markus/cartoon/comic.php?c=20070920

    Roger