I recently had the pleasure to be part of an article in World Finance called Stacked against hacks
Visit the virtual version here and go to pages 60 and 61
Roger
You might know Jeff Jones' work on the vulnerability reports that compare different products and vendors. Our goal is to understand and measure our progress and to see where we stand with regard to the rest of the industry.
Today, Jeff released his Desktop OS vulnerability report for H1 2008, which shows some interesting results.
One is the Days of Risk: on average, how many days after public disclosure did it take a vendor to ship a fix. He also weighted the figures by whether the vulnerability is rated critical, important or low:
Secondly he shows the number of vulnerabilities of all the vendors he is looking at:
And last but definitely not least he compares the different OSs:
There is one other interesting finding: 25% of the vulnerabilities are shared by more than one vendor!
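To make the two metrics above concrete (Days of Risk, plain and severity-weighted, and the share of vulnerabilities that affect more than one vendor), here is an added example of how such figures are computed from a list of fixes. It is not code from the report or from Jeff Jones; the vulnerability records, vendor names and the severity weights are constructed for illustration, and the report's own weighting scheme is not given on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed severity weights for the weighted Days of Risk figure.
# The report's actual weighting is not stated on the page.
SEVERITY_WEIGHT = {"critical": 3.0, "important": 2.0, "low": 1.0}


@dataclass(frozen=True)
class Fix:
    """One vendor's fix for one publicly disclosed vulnerability."""
    vuln_id: str      # hypothetical identifier, shared across vendors when the bug is shared
    vendor: str
    severity: str     # "critical", "important" or "low"
    disclosed: date   # public disclosure date
    fixed: date       # date the vendor shipped the fix

    def days_of_risk(self) -> int:
        # Days between public disclosure and the vendor's fix.
        return (self.fixed - self.disclosed).days


# Constructed sample: two vendors, two of the four bugs shared between them.
SAMPLE = [
    Fix("V-1", "VendorA", "critical",  date(2008, 1, 10), date(2008, 1, 20)),  # 10 days
    Fix("V-2", "VendorA", "low",       date(2008, 2, 1),  date(2008, 3, 2)),   # 30 days
    Fix("V-3", "VendorA", "important", date(2008, 3, 5),  date(2008, 3, 25)),  # 20 days
    Fix("V-1", "VendorB", "critical",  date(2008, 1, 10), date(2008, 2, 9)),   # 30 days
    Fix("V-4", "VendorB", "low",       date(2008, 4, 1),  date(2008, 4, 11)),  # 10 days
    Fix("V-3", "VendorB", "important", date(2008, 3, 5),  date(2008, 4, 4)),   # 30 days
]


def unweighted_days_of_risk(fixes):
    """Plain average Days of Risk per vendor."""
    days = defaultdict(list)
    for f in fixes:
        days[f.vendor].append(f.days_of_risk())
    return {vendor: sum(d) / len(d) for vendor, d in days.items()}


def weighted_days_of_risk(fixes, weights=SEVERITY_WEIGHT):
    """Severity-weighted average Days of Risk per vendor.

    A slow fix for a critical bug pulls the figure up more than a slow fix
    for a low-severity one, which is the point of weighting.
    """
    numerator = defaultdict(float)
    denominator = defaultdict(float)
    for f in fixes:
        w = weights[f.severity]
        numerator[f.vendor] += w * f.days_of_risk()
        denominator[f.vendor] += w
    return {vendor: numerator[vendor] / denominator[vendor] for vendor in numerator}


def vulnerability_counts(fixes):
    """Number of distinct vulnerabilities fixed per vendor."""
    ids = defaultdict(set)
    for f in fixes:
        ids[f.vendor].add(f.vuln_id)
    return {vendor: len(v) for vendor, v in ids.items()}


def shared_vulnerability_share(fixes):
    """Fraction of distinct vulnerabilities that affect more than one vendor."""
    vendors_by_vuln = defaultdict(set)
    for f in fixes:
        vendors_by_vuln[f.vuln_id].add(f.vendor)
    shared = sum(1 for vendors in vendors_by_vuln.values() if len(vendors) > 1)
    return shared / len(vendors_by_vuln)


if __name__ == "__main__":
    print("unweighted:", unweighted_days_of_risk(SAMPLE))
    print("weighted:  ", weighted_days_of_risk(SAMPLE))
    print("counts:    ", vulnerability_counts(SAMPLE))
    print("shared:    ", shared_vulnerability_share(SAMPLE))
```

Two things the sample makes visible. First, the unweighted and weighted figures can rank vendors differently: VendorA fixes its critical bug fastest, so weighting lowers its figure, while VendorB's slow critical fix raises its figure. Second, a shared vulnerability (V-1, V-3) has one disclosure date but a different Days of Risk for each vendor, which is why per-vendor comparisons and the cross-vendor overlap figure are reported separately. In practice the result also depends on how "disclosure" is defined (first public report versus advisory date), so any comparison should state that definition.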
So, if you want to download the report, you will find Jeff's post here: http://blogs.technet.com/security/archive/2008/10/28/download-h1-2008-desktop-vuln-report.aspx
Roger
As so often, autumn is the time when all the big events happen in EMEA. This week was RSA Europe (or, I think, still is) and next week I am looking forward to TechEd EMEA in Barcelona.
So, at RSA Europe on Monday and Tuesday I worked on the two stories we went live with (the Desktop OS Vulnerability Report and the Lottery Scam Announcement), and now I am preparing for TechEd EMEA. It will be a very interesting week in Barcelona. There are people coming over from the Forefront team (I have seen screenshots of beta 2 of Forefront; join these sessions, it is worth it), from the Malware Protection Center (we will launch the Security Intelligence Report) and so on. So watch my blog; I will do my best to give you the news here.
Yes, and last but definitely not least, I will run a session on Wednesday:
SEC203: End-to-End Trust: The Internet - a safer place to work, play, learn and do business (10:45 - 12:00)
Threats change, criminals evolve new ways of stealing money, and valuable data and trust in the Internet continues to come under attack. It's a classic tale of good versus evil with the future of the Internet at stake. The industry is faced with a challenge - either secure the Internet and gain users' trust or lose control to the bad guys and see the value of one of man's greatest inventions dwindle. This session will give you insight into next generation security and Trustworthy Computing's vision for creating an Internet we can trust from end-to-end.
and immediately afterwards I will be in the Ask the Experts area. So if you want to know about End to End Trust or just want to come by for a chat, you know where to find me.
One question for you: in order to keep my blog updated during TechEd EMEA, does anybody know a good blog writer for Windows Mobile 6? I was not able to find anything really worth installing…
Roger
I am often asked about the risks of outsourcing (we usually talk about processes, legal risks such as data protection, etc.); the list is very long. Today I read an article that touches a completely different issue: the security processes and the staff turnover within the outsourcing company.
The story is about identity theft and the way people on the phone act: [Company] is a revolving door. If you work there longer than a year, you're considered to have seniority. The few of us who knew this account was being raped could do nothing to protect it. Some newbie wouldn't know about the situation and would let the thief have his way with the account.
If you are thinking about outsourcing your call center, read this story: How Outsourced Call Centers Are Costing Millions In Identity Theft
Roger
It will be interesting to hear how you see this. When I blogged on Suspended Jail for Hacking Tutorial in France, I got quite a lot of negative feedback like "do you have nothing better to do than to go after these guys", "why should it be illegal to publish such a tutorial", etc. So, where do you draw the line? I think I was clear about that in my last post, and here it is again: if you publish a clear tutorial on how to commit a criminal activity, this should be punished.
Now a Turkish hacker has been arrested because he published a video with a lot of tips on how to skim ATMs: Turkish hacker arrested by FBI made video giving tips for installing ATM skimmers. Is this going too far for you as well? What about your bank account :-) ?
Roger