  • The Value of Operating System Comparisons

    Since Blaster/Slammer, namely since the start of Trustworthy Computing, I have been working at Microsoft in a publicly facing security role. I went through all the blaming and had to take all the heat for what we did wrong and how bad we were – and I admitted then, and still do today, that security was not a priority for Microsoft back then (and if you quote me, please quote the whole sentence :-)). However, we changed dramatically and I am convinced that Microsoft is one of the few companies of such a size having the capability to change within the timeframe we did, and the change will go on.

    When I did my first presentation on Trustworthy Computing, I stated publicly that this is an industry initiative and not a "Microsoft only thing" – and the people laughed at me. They told me that Microsoft is THE problem and that we will never change. When I looked at the figures of e.g. vulnerabilities back then, we saw from the beginning that we were much better than everybody else but were the bigger target and the one that actually made much, much more noise. Finally, we were best in class with incident and vulnerability response. This is my true belief when I look back to that time, and it still is when I look at today's industry!

    From that time until today, I have never participated in the discussion about "who is more secure? – Windows, Linux, Mac, …". Why? Well, that is pretty straightforward to tell: there is no value in this discussion from my point of view. We have to know where we stand – this helps to judge where to set the priorities – but basically our customers expect us to deliver the best in class for the market – and they shall do this! This has to be our target.

    Now you might ask why I am writing this. Each time a vendor has a major security problem, the discussion starts again. This time Apple got the blame. People were talking of a "Mega-Patch" and so on. A blog "war" started about which OS is more secure. There were titles like:

    And there are people trying to do a comparison: "I don't use Windows! I'm invincible!"

    Does this really add any steps towards a solution of the problem? Most people that are actually "comparing" the security of the different operating systems are geeks, and they all assume that everybody else is a geek as well.

    Instead of blaming around, I think it is time to come together and look for solutions within the industry. We are competitors in certain areas, but to address the "security challenge" the companies have to come together! We already support, and sometimes even initiated, different forums/alliances to do exactly what I said:

    • VIA (Virus Information Alliance): An alliance of which all the major AV vendors are part, to share information on malware.
    • SAFECode (see my earlier blog): An alliance that helps to share best practices around building secure products.

    So, instead of wasting time complaining and telling everybody that A is better than B, or complaining that people are stupid, or telling everybody that you are the one who knows how to configure a system but you anyway do not trust the vendors (typically us), I ask you for a constructive dialogue. We can start it here or you can mail me:

    • Knowing what we are doing already (e.g. the Security Development Lifecycle), what do we have to do to improve security for mom and dad?
    • What can we do – from your point of view – to improve our communication?
    • What does the industry have to do to get even better?
    • If you are working for a major ISV – join SAFECode to move the industry as a whole.

    I am open for any constructive and open dialogue but not for blaming and bashing.

    Looking forward to your feedback.

    Roger

  • More than 490'000 Database Servers Unprotected on the Web

    David Litchfield ran a scan on the Internet for the typical SQL Server and Oracle ports. It is unbelievable that he found approx. 490'000 servers on the Internet – unprotected and often unpatched, on unsupported version levels and unsupported Service Packs.

    What is going on there? Are these test servers nobody cares about (they are pretty often connected to the corporate network and can easily be used as an entry point by a criminal)? Who is the company behind that? ...

    Looking at the comments on the article "Hacker finds 492,000 unprotected Oracle, SQL database servers", people just talk of the admins being stupid … I tend to disagree. Often the IT Pros (and this is just my assumption) are just overstrained. They do not get enough training. They have to be the AD Admin, the SharePoint Guru, the Exchange Pro, the Network specialist, the…, the…, the… and we expect them to be the Security Officer as well? They are held responsible for having good uptime – unfortunately not for security!

    Do not get me wrong. I do not say that this situation is good, but up to a certain point I can understand them. We tend to compare them with us, being security professionals. They often are not. Instead of blaming them, we should rather make sure that we can help them and improve the situation. Do they do it deliberately? For sure not! Calling them ignorant and dumb is unfair and the wrong approach!

    Roger

  • I was visiting Nigeria – watch out!

    You know that I rarely did trip reports in the past. I am personally convinced that you do not want to read what I had for breakfast in Barcelona. But this trip was different. When I told the people around me that I would be travelling to Nigeria, I got a lot of different reactions :-).

    I guess that most of these reactions are based on our constant confrontation with what we call the Nigeria scam. As you probably know, there is section 419 of the Nigerian criminal code that is violated by these kinds of attacks. Therefore these scams are often called 419 scams. It is unbelievable: when you go to our search engine and search for "Nigeria scam 419" you find more than 400'000 hits! There is even a site called http://www.nigerian-scam.com/ . For a country like Nigeria, this is one of the worst possible things to happen if you want to base the growth of the economy on modern technology! Is this a Nigeria-only problem? Not by far. A lot of scams originate from Western countries, a lot of others from Eastern countries – and, there is no doubt about it, a lot from Nigeria as well.

    I was told that Nigeria is serious in fighting these crimes. Additionally, I knew that we have an agreement with the Nigerian government to support them in their efforts. The Nigerian subsidiary invited me to visit the country and talk to customers and government, and I accepted.

    Let me try to summarize a few of my impressions and findings:

    I had the opportunity to have a roundtable discussion in Abuja with government representatives and in Lagos with executives from different companies, mainly financial services. Additionally, I could collect different impressions of the cities and the country by talking to quite a few people. I met a lot of people who are extremely proud of their country and are highly energetic in moving the country forward. Additionally, when driving through the streets of Lagos in particular, you see people wanting to sell something all over the place. Everybody seems to want to run his or her own business. So people do not seem to wait until money comes to them but are aggressively looking for their business opportunities.

    From a technical point of view Nigeria is ramping up fast. Today they still have a bandwidth challenge. In the Western world we are used to having "unlimited" bandwidth. In Nigeria, this is not (yet) the case. However, Nigeria is in the process of solving this issue and there seems to be a good chance that enough bandwidth will be available in the future to drive growth in the economy. In my opinion this will be crucial, as Nigeria and the businesses there more and more see that they are part of the global village and want to be connected to it.

    What does this now mean? I am convinced that the spirit in Nigeria will have an upside and a downside with regards to this development. By wanting to drive business, Nigerian people will follow all the opportunities they can to grow their economy. This is a very good thing and I am convinced that there will be good opportunities for them, as they do not have to care about legacy applications. In other developing countries I have seen impressive e-government solutions, as the government made it a priority and made the money available. As they did not have to link back to "old" legacy host systems, they could do very cool stuff. Similar things can happen here. So, watch out!

    But, as I mentioned already, there is a downside: by going aggressively after the business opportunities on the Internet, there is a good chance that a small part of the population will go after the illegal business opportunities as well – and we have seen that already. This does not by any means mean that Nigeria is the one and only source for lottery scams or even for the "Nigeria" scam, but this is definitely a problem for this country. So, watch out! It happened that *.com.ng was blacklisted as a spam domain, which has an unbelievably negative impact on any country in this stage of its development.

    When we come to the downside, there is always an enforcement piece to it. What is Law Enforcement actually doing to combat fraud and any other illegal activity within their country? When I talk to people in Europe, I often get the impression that they think Nigeria is doing nothing or is not serious about it. After the discussions with the Nigerian government I am convinced that they really want to fight cybercrime, as they have seen that this is a big image problem for Nigeria. And they are serious about that! They already had their first successes and they will improve.

    We, as Microsoft, are committed to helping the Nigerian government. We have the agreements in place and have already started to train some Law Enforcement officers. So, together, and together with additional partners from the private sector, there is a fair chance to go after the bad guys and help Nigeria ramp up.

    The agreements between the EFCC (Economic and Financial Crimes Commission of Nigeria) and us caught quite some attention, which shows that we are on the right path:

    Obviously I know of the Nigeria scam. I am convinced that a country like Nigeria needs a fair chance and support to fix this problem and grow the economy that way.

    Roger

    P.S. I said that I was driving through Abuja and Lagos. Well, driving through Abuja would probably (maybe) work out. Lagos would have been a complete nightmare! I have never seen worse traffic than that in my life :-)

  • YOUR FEEDBACK REQUESTED

    I have been in the position of Chief Security Advisor for Europe, Middle East and Africa since February 1st. Since then I have been blogging here (before that I ran the Swiss Security Blog together with Urs). The hits per post rose over the first 6-7 months but have now started to slowly drop. However, looking at the ranking of all the Technet blogs, this one is slowly on the rise. Now, I think it is time to ask you:

    • Are you "just" looking at the RSS feed or do you actually read the posts? (I have the figures for direct browser hits, which does not necessarily mean that you really read them.)
    • Are the themes I am covering the ones you are interested in or would you expect something different? If yes, what?
    • Is it worth the time you invest to read the posts?
    • Are there not enough or too many posts?
    • What else?

    I am open to any kind of feedback. Please avoid being "politically correct"; you may be open and candid. You can give me the feedback directly (roger.halbheer@microsoft.com) or as comments, which I would prefer as the others could read your feedback as well.

    One piece of feedback to you: you started to comment in the last few months, and I really love that. Keep it up, even if you disagree; this is what this blog is here for.

    Roger

  • Security Threats in 2008

    Well, slowly the year is coming to an end – 10% to go :-). This is the time when everybody is looking back and – additionally – tries to look into the crystal ball to understand how 2008 could be.

    Interestingly enough, I had the discussion about the trends for 2008 just this morning with a friend of mine, and this afternoon a blog post by Symantec hit me with the title "A Look Ahead to Security Trends in 2008", which is an interesting read (pretty short, which is good).

    I do not want to comment on it (yet) as we are working on that as well at the moment, but it seems that we are more or less on the same line. The only thing I am missing is that I think social networks (like Xing, Facebook, LinkedIn, …) have a high potential to be abused as a source of information for social engineering attacks.

    What everything has in common is that we will see criminals misuse the Internet to illegally (or immorally) make money.

    Roger