  • 8 Dirty Secrets Of The Security Industry

    I just read this article called 8 Dirty Secrets Of The Security Industry, which seems pretty nasty. Let's briefly have a look at them:

    • Vendors do not need to be ahead of the hackers; they only need to be ahead of the buyer: Wow, this is a bad statement – but how true is it? It might be true. Something I see from time to time: companies that make money from the bad things that happen tend to reveal the threats and immediately offer the vaccination. So, how true is this statement?
    • Antivirus certifications do not require or test for Trojans: I am not an AV specialist, but to me these certifications are similar to crash tests for cars: the vendors know exactly how the crash test is done, so the car can be prepared accordingly. Unfortunately, a real accident does not follow the rules of the crash test… Does this mean they are useless? No, I think there is a certain value in these tests, but they should be looked at with care.
    • There is no perimeter: Wow, what news :-) – if you have read my blog over the last few months, you realized that this is one of the themes I have been promoting for quite some time. Just as an example: Are you ready for your users of the (near) future?
    • Risk assessment threatens vendors: This is similar to a statement like "a knowledgeable buyer threatens the vendor". I think that if you have a vendor that wants to partner with you instead of just looking for the immediate gain, this should not be a problem for the vendor. I am always claiming that you should do your homework and do risk management.
    • There's more to risk than weak software: This is clear as well, and we often talk about the Layer 8 problem: the user!
    • Compliance threatens security: This is an interesting statement, as a lot of companies think that if they are compliant with xyz they are secure! Nonsense. If you are compliant, you are compliant – that's it (you might quote me on this :-)). It reminds me of the ISO 9000 wave a few years ago, when every software development department wanted to become ISO 9000 compliant. What I sometimes saw was just a better documented mess and not really a streamlined process. Once they cleaned up AND documented, ISO 9000 made a hell of a lot of sense. So, it might help to show you the way, but it is not the ultimate goal.
    • Vendor blind spots allowed for the "Storm" botnet
    • Security has grown well past the "do it yourself" stage: Not everybody has understood that yet when I look at a lot of customers. Somebody is just doing security as a side job, and this will not work! It is a job for a Subject Matter Expert (maybe one with a certification – what about compliance?) – unless you have nothing to protect :-)

    To me, these 8 points are neither dirty nor secrets but definitely interesting to look at.

    Roger

  • Analysis of the Estonian Attacks

    I just read a paper on the political analysis of the Estonian attack. If you are interested in reading my post on my other blog (the analysis is not really technical, but interesting), there you go: Analysis of the Estonian Attacks

    Roger

  • How to Hack Windows Vista

    No, no. For sure, I am not going to give you advice on how to hack – but look at this video: http://www.offensive-security.com/movies/vistahack/vistahack.html. I am always amazed by these kinds of videos, which still surprise people. If you look years back, we published the 10 Immutable Laws of Security, which contains Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. The hack shown above needs physical access…

    But if you want to protect Windows Vista from this kind of physical attack, why do you not just switch on BitLocker (and here on TechNet)? If you switch it on, these problems are gone and this attack would fail – and it is part of the OS, no additional fees, nothing…

    Roger

  • The latest SQL Injection Attacks

    Well, there was quite some chatter over the last few weeks about the massive defacements we saw based on SQL injection attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these attacks is automation; however, a lot of people did not really start with this at the beginning.

    Just as an example, The Washington Post published an article called Hundreds of Thousands of Microsoft Web Servers Hacked and said: "Hundreds of thousands of Web sites […] have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines." Whereas the first part was true ("just" giving a wrong impression), the content of the article was definitely wrong, as it was (and still is) no Windows or IIS vulnerability but just bad programming.

    What we see are tools that use Google to find web applications with potential SQL injection vulnerabilities and then try to attack them. From there on, they try to use the SQL injection flaw to exploit vulnerabilities in Flash or other software.
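    To make the "bad programming" concrete, here is an added example (written for this page, not code from the original post or from the Microsoft guidance it links): a lookup that pastes untrusted input into the SQL text, the parameterized form that fixes it, and a small scan for rows that were already "seeded with code". The product table, its rows and the script marker are all constructed sample data.

```python
import sqlite3

# Constructed marker standing in for the injected script tag seen in the defacements.
SEEDED = "<script src='http://example.invalid/x.js'></script>"

def make_db():
    """Constructed in-memory stand-in for a site's product table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Widget", "A plain widget"),
        (2, "Gadget", "A handy gadget"),
        (3, "Gizmo", "A gizmo " + SEEDED),  # one row already defaced, for the scanner below
    ])
    conn.commit()
    return conn

def lookup_vulnerable(conn, product_id):
    """The 'bad programming' pattern: untrusted input becomes part of the SQL text,
    so input such as '1 OR 1=1' changes the query instead of being compared as a value."""
    sql = "SELECT name FROM products WHERE id = " + product_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, product_id):
    """Hardened form: validate the expected type, then bind the value as a parameter.
    The database driver never parses the input as SQL."""
    if not product_id.isdigit():
        raise ValueError("product id must be numeric")
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (int(product_id),))
    return [row[0] for row in rows]

def find_seeded_rows(conn, table, text_columns):
    """Incident-response check: flag rows whose text columns carry an injected
    <script> tag. Table and column names are developer-supplied identifiers here,
    never user input, which is why they may be interpolated."""
    hits = []
    for col in text_columns:
        query = f"SELECT id FROM {table} WHERE lower({col}) LIKE '%<script%' ORDER BY id"
        hits.extend((row[0], col) for row in conn.execute(query))
    return hits
```

    The scanner only finds the obvious case; the real fix is the parameterized query, since a cleaned table gets re-seeded as long as the concatenated one stays in place.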

    So, what can you do about it?

    Understand the current threat and read SQL Injection Attacks on IIS Web Servers on our IIS Blog and Questions about Web Server Attacks on the Microsoft Security Response Center Blog. Once you have done that, I think (if you have not already) you should familiarize yourself with this kind of attack; there are some very good resources that engineers at Microsoft compiled for you:

    General Guidance on SQL Injection:

    Incident Response with focus on SQL Injection:

    And last but not least some MSDN guidance:

    Roger

  • Schneier on US Customs Notebook Searches: Do not follow the rules

    I just read this article by Bruce Schneier on what to do about US Customs searches: Taking your laptop into the US? Be sure to hide all your data first

    So, if you look at part of his recommendations, they are:

    • You're going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key - even if you also encrypt your entire hard drive - and keep your sensitive data there.
    • […]consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it's easy to lose something that small. Slip it in your pocket, and it's likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: "I don't know what's on there. My boss told me to give it to the head of the New York office." If you've chosen a strong encryption password, you won't care if he confiscates it.

    So, if you look at the two recommendations above, he actually tells you to lie at customs control and to hide data from the officials… So, he suggests that you commit a crime. Pretty risky game, isn't it?

    Well, to be fair: he gives another piece of advice as well, which is to use a forensically clean notebook and download the data from your corporate network once you have crossed the border. This is a legal and safe practice.

    Do not get me wrong: I do not like the rules of US customs at all – not that they are alone, other countries do the same – as they simply are not up to the standard of a developed country with a sound legal system. I do not have a problem if they search a notebook based on a court ruling with reasonable suspicion. But to do it just because the officer at customs had a bad night and does not feel well is not up to the standard by which the US measures the rest of the world.

    This is no reason, however, to commit a criminal act.

    Roger