• Important Privacy Announcement

    I wanted to make you aware of a very important announcement we made earlier today. As you know, Trustworthy Computing is all about Security, Reliability and Business Practices. Our house has a fourth pillar - Privacy - which we view as extremely important, not only in terms of the way we manage our customers’ data, but more broadly in the way we earn and keep our customers’ trust.

    You may have heard about the European Union Article 29 Working Party, which issued a statement in April to search providers concerning search anonymization policies. A major part of their focus is the length of time search companies store customer data. The Article 29 Working Party’s view is that this should be no more than six months.

    Earlier today we announced that we support the Article 29 Working Party’s call for a common industry standard for search data anonymization methods and timeframes to help protect users’ privacy. We also said that whilst the timeframe is important, more important still is the adoption of strong data anonymization methods. I am glad we made this commitment and I hope that others will follow our lead and support the standard laid down by the Article 29 Working Party. To truly protect users’ privacy, it is imperative that all search companies adopt the same standard.

    If you want to read more, see the blog post by Peter Cullen (our Chief Privacy Strategist): Microsoft Supports Strong Industry Search Data Anonymization Standards

    Roger

  • 98% unpatched – and I am one of them :(

    Well, you saw my post earlier this week on the 1.96% of PCs being fully updated according to Secunia. As time allowed, I decided to install this tool as well to look at it. I did an initial scan on my home PC and this was the outcome:


    Ouch, this hurts my soul, but it also shows the problem: I definitely keep all our software updated, and for most of the solutions above I have automatic updates switched on (except Apple, where I switched it off when they wanted to install Safari as an update :()

    But honestly, the tool is pretty cool. If you switch to advanced mode, you even get pretty detailed information:


    So, this really makes me think. This is a PC which I really look after and keep updated. Nevertheless I seem to have failed.

    This shows me the fundamental problem: If I am not able to keep it up to date, how shall my Mom and Dad? The Secunia Personal Software Inspector helps a little bit, but I am not sure whether my parents are able to handle it. So, what we are basically missing is a central point and mechanism to distribute security updates. But who controls this channel? Who ensures that no criminal can get access to it? That no viruses are distributed?

    Still a long way to go…

    Roger

    P.S.: Do not even try to attack my PC based on these vulns – they have been closed in the meantime.

  • Security and Piracy – a Correlation?

    I am working on a blog post on Security and Piracy, looking into the data I have available. It will probably be ready next week, but what I wanted to know is: Has anybody already done some research on this? I would appreciate it if you could let me know. I will definitely share my view on this in the next few days.

    Roger

  • Technology in the Mumbai Attacks

    One of the questions I often get is my position on Cyber-Terrorism. I doubt that there will be “isolated” technology-related terrorism. What we see much more is the use of high-tech during classical terrorism attacks.

    If you look at the recent terrorism events in Mumbai, there was some pretty interesting background on it:

    • In order to prepare for the attacks, the terrorists seem to have used Google Maps (as any tourist would do), GPS and satellite phones. This is definitely not surprising, but it shows the development in this area. In this article, Update: Google Earth used by terrorists in India attacks on Infoworld, there is an interesting quote: Google Earth has previously come in for criticism in India, including from the country's former President, A.P.J. Abdul Kalam. Kalam warned in a 2005 lecture that the easy availability online of detailed maps of countries from services such as Google Earth could be misused by terrorists. I do not think it would have been much harder for the terrorists if they had not had Google Earth available, but it shows the tension between economy (and technology) and law enforcement. In certain countries I have been in recently, the mere possession of a GPS device is illegal.
    • The terrorists used everyday technology like BlackBerrys to stay ahead of law enforcement: Terrorists turn technology into weapon of war in Mumbai: The use of BlackBerrys by the terrorists to monitor international reaction to the atrocities, and to check on the police response via the internet, provided further evidence of the highly organized and sophisticated nature of the attacks.
    • The organization of these teams seems to have been very good (and therefore scary): Analysis: Mumbai attack differs from past terror strikes

    So, this is a really disgusting example of how terrorists use and leverage today’s technology in order to commit their attacks. Therefore I believe that we will unfortunately see more of this rather than “Internet-only” terrorism, but this is just a guess.

    Roger

  • Spying on Smartphones

    I was recently at an event for Law Enforcement where one of the discussion points was how critical it is to protect Smartphones – actually it was more about how easy it would be to claim that my Smartphone was hacked, and how proof could be found.

    That you should run Anti-Malware software on phones is nothing new (even though just very, very, very few people I know are actually running it), but I was stunned by what kind of software is offered to be run on Windows Mobile/Symbian/BlackBerry. Let me give you an example: There is a software called FlexiSpy. The sub-title of the product is “Protect Your Children | Catch Cheating Spouses”. I wanted to try this product once, but I will never ever run this software on any phone with business data on it. There is a demo on the page; let me give you some screenshots of what the product (once installed) is able to grab:

    This is the overview of all events:

    Let’s look at an SMS:

    So, it’s not “only” the recipient of the text, it is the content as well. The same is true for e-mails (!).

    Unfortunately the demo does not show one other key feature either, which is the location tracking via the cell you are in or via the built-in GPS…

    The worst thing is that you do not see the software anywhere – neither in the installed software list nor in any running process. The only thing somebody needs is brief access to your phone. So make sure that you run AV software and have a PIN set on your phone.

    Roger