Wednesday, June 06, 2012
A topic I always enjoy... I post this with the hope that you’ll be able to take something from it as a message to carry to others.
You may have heard that apparently the LinkedIn password list consisting on 16.5 million passwords was stolen and a table of hashed password values has been posted online. You may have received emails from concerned people you know, intended to let you know about the issue. And while it’s a good idea to change your password now, I wanted to take the opportunity to expand on the topic a bit.
One message I consistently try to send is that it’s *always* a good idea to change your passwords regularly to protect against threats such as this and others.
This specific case (as the info is exposed today) doesn’t represent an immediate broad threat for LinkedIn accounts, beyond the ability to potentially build a library of valid passwords sans usernames. But, there is enough information exposed to suggest a need to take reasonable action. In this case, the leaked info is a hashed (encrypted weakly but non-reversible) password list. The version of the list posted online contains only the hashed password values and not the associated user names or email addresses. However, the bad guys could possess that additional info, and just not be releasing it. Yet. We don’t know.
“Hashed” means you cannot simply unencrypt the list and see the actual passwords. Instead you’d have to create your own list or library of possible passwords, create hashes for all of those, and then compare the resulting hashes to the stolen password hash list to find any matches. At that point, you’d know that you have a valid password for *someone’s* account on LinkedIn, but you would not know whose account the password it is associated with (since the login emails were not posted). But again, that account login/email info might be held by the bad guys who posted the hash list, there’s no way to tell for sure.
If the bad guys also have the account names/email addresses, the real risk is that they would do a dictionary discovery “attack” against the hashed password list, correlate the resulting validated passwords to the respective email addresses (LinkedIn uses your email address as the login name) and then use those credentials to try to access LinkedIn -- as well as to attempt to access other sites/services where people might (and likely do) use the same login credentials.
So, yes. Change your passwords, not only on LinkedIn but also on other sites where the same user name and password are used. But do it because it’s always been a good thing to do, not just when credential theft scares happen to come up. And also know that an actual readable list of Linkedin passwords and other login credentials have not been posted in the wild -- at least not yet.
Wednesday, April 20, 2011
Update: Apple has posted a Q&A page with information about the data in question, exactly what that data is, and changes they have planned.
This is, well... it's at least very interesting. Which is to say, it’s something that has to make you wonder: Even when core location tracking is not active, apparently your iOS4 device is keeping a log of everywhere it goes. Which is to say, everywhere it goes with you.
The four images here are a visualization of the info harvested from my own iPad, retrieved automatically from a iTunes backup of my iPad on my Mac (click on each of the images to view full-size). I should note that the locations are actually displayed in a less accurate fashion (visually) by the program that generates the map plots, so as to somewhat avoid any issues and abuse associated with exact location tracking. The information in the data file being analyzed is substantially more accurate and detailed.
From cell tower triangulation (it appears this is where the data comes from), you can see a cross country trip I took with a friend from New York to New Mexico, visits to the Denver/Boulder area, and of course a whole slew of travel around the Pacific northwest, where I live.
Also of interest is that I very recently (within the past two months) had my iPad replaced when the sync jack went bad, yet much of the data is from the old iPad in addition to the new one. Obviously when I restored a backup on the old one to the new one, the data was retained as part of the restore. Interesting. Also, there's location info that's recorded on mine, and in some cases I don't see the location data for areas I know I have been to. I'm not completely sure of the rhyme or reason for that.
Video of the two guys who discovered this and created the visualization program is here. They discuss how this was discovered and go into some detail about the data, where it lives and what they found. Video is via the Where 2.0 conference.
Got a 3G iPhone or iPad? You can run the "iPhone Tracker" app on your own Mac and see what your iTunes backup has sitting around on your computer. If your iTunes backups are encrypted (not a default setting) the data is still there but it's not readable.
On it's face and in isolation this is not exactly a huge deal. The location data is not being sent anywhere as far as we know. It resides on your iPad or iPhone (3G models) and on your computer where you sync to iTunes. Well, that's assuming you don't sync to someone else's computer, of course. In that case, they might have your location data available to view and play with.
And really, that's why this could be a big deal, on some level. And it's not just that the data is being collected, cataloged, stored and exists, it's that it's been there since iOS4 was released, and we didn't know because no one really noticed until now. Someone had to get curious, poke around, dig into the data and discover it by accident. Makes you wonder what other info might be hanging around in places we don't know about, eh?
Hopefully Apple will explain exactly what all the data is, why it's there and how it's used - in great detail. It can't be there for no reason, and I can think of a few cool reasons for collecting the data, but unencrypted and no notification of tracking is a little concerning to me. I'm looking forward to hearing from Apple to understand more.
Wednesday, June 16, 2010
And to Apple: I’m sorry, but as good as you make me feel about the world of technology, I just don’t love you enough to endure AT&T’s bad habits anymore. So, the iPhone has to go, too. And that makes me sad. I truly wish things were different. I almost can’t believe I’m doing this. They say if you love something, let it go free. It’s a brutal suggestion, really.
Let me start out by saying, for those who don’t know, that I’m a security and IT management professional by trade. I’ve held executive and senior management roles for both security and IT functions at a publicly-held company in the financial services space, I’ve consulted with governments and companies large and small on cyber-security issues, and these days I manage security strategy for a Fortune-500 company. So, I have some perspective and reality-based opinions about security and quality.
Let me also say - plainly and clearly - that this blog is where I voice my own opinion about things that are on my mind (as opposed to discussing work-related topics). And my mind is pretty active right now as it concentrates on my personal AT&T Wireless account and the lack of service and security quality the company has delivered over time. In other words, I have some strong opinions on the topic.
This is certainly a bit of a rant, but it’s not a knee-jerk reaction. It’s grounded in reality and reason and I have put some time and thought into my decision.
And enough is enough: I’m done with AT&T.
First AT&T’s reliability and call-handling problems were the issue, and frankly those were bad enough on their own. There are locations where I can *guarantee* calls will drop on my iPhone on the 3G network, every single time. Areas with three to five (out of five) bars of signal strength that suddenly drops the call and goes to zero, before churning around trying to reconnect and eventually coming back with a full signal once (I assume) a tower hand-off finishes. I actually have to tell people that the call will drop in a few seconds and that I will call them back in a couple minutes when the service recovers. They always want to know how I can know that. It’s sad. Coverage has gotten *worse* over the past several months in many areas where I travel, and call reliability has suffered. It’s probably worth noting that the same bad service areas affect my iPad’s 3G data access, as well. So, it’s not just my iPhone.
As if that wasn’t enough, there’s the costs associated with the AT&T service. We pay a premium for iPhone voice and data plans, and get crap for service in return. If I had a buck for every time someone tried to call me and got voice mail, while my phone was sitting in front of me with four or five bars yet never rang once, I’d be able to pay that early termination penalty AT&T requires of it’s customers. It’s bad enough that AT&T sells us this poor service, but it’s even worse that Apple isn’t more publicly vocal and more forceful about getting the problems solved. It’s been three freakin’ years already, for gosh sakes! There is absolutely no excuse.
Then a week ago comes news that AT&T’s iPad registration service was exposing email addresses and validating iPad hardware identifiers, as uncovered by a hacker group with an unfortunate name (don’t Google it if you are not already familiar with why it’s unfortunate, just trust me on that one). I, too got the victim-list email from AT&T describing what had happened, six or seven days after the fact. It’s not the actual leak that stinks in this case, it’s the fact that such a design would make it into a Internet service in the first place.
Since then, there’s been a bit of a meta-debate about who’s responsible for what, and all of it is really just details. The fact that the information leak *could* happen in the first place is yet another indicator of why AT&T is a sloppy, careless company when it comes to the services I consume and my personal information. Shame on them. But there’s more…
Then this week comes the straw that broke my proverbial camel’s back, as AT&T’s servers fail massively under load during the iPhone 4 pre-order, and we discover that apparently the company's critical software changes didn’t get tested, and changes got made at the last minute. Oh, and as a result our personal data is being exposed – once again - due to a supposed flaw in the AT&T systems and how they access database records.
Regardless of the variety of outstanding questions about the exact details and severity of the security situations, the very existence of these problems is more than just problematic.
One has to wonder, if one is being pragmatic and watching the past couple weeks’ activity: What else might they be skimping on that we don’t already know about? If I followed the same practices and didn’t test or validate security and functionality in my line of work, there’s no doubt I’d be gone in a second. Again, simply unacceptable for a huge company and it’s customers, who demand and require trust.
None of this is indicative of a company that practices good, basic security principles as a matter of course. It’s not indicative of a company that strives first for quality. And it’s not the type of company I feel like I can trust anymore.
So, I am quitting you, AT&T. I’d say it’s been nice knowing you, but that would be mostly a lie. So I’ll just walk away and let the past be the past, and focus on the future. Nine-plus years is enough. Good luck to you. I hope you will change, but it’s going to take some serious work, and I just don’t know if you can actually do it. Your track record is not good. Change is hard. Change means pain. And in the end, most people aren’t willing to endure that process. But maybe you will, and if you do please let me know. I’d like nothing more than to be a happy customer and to write something happy and positive here. I’ll keep my iPad service going with you, since I don’t really have much of a choice and its very existence is part of what makes it possible for me to let the iPhone go. But it’s time for a new phone on a new carrier.
Maybe someday you’ll earn my business back. You might have Apple in your jaws of exclusivity, but not me. For now, you’ve lost my trust and business -- and please realize that you killed an Apple iPhone customer in the process.
And that’s really saying something.
P.S. – A quick final thought to Apple:
I love the hardware. I love the OS. I love the apps. But I can’t stand the service provider, which has failed us for too long now.
I fail to see how you can continue to do exclusive business with a company like AT&T, and I hope you’ll quickly open up options for your customers. Maybe you’re already working on it, which would be a breath of fresh air in this cramped, stuffy, smelly room. I’m sure many will suffer the pains of AT&T to get your hardware and software in your hands, and honestly this is a painful decision for me to make because your phone is something I want and need. But your corporate quality and image is directly tied – even intertwined - to AT&T in the United States, and for a company that stands tall on the ideals of doing things well rather than doing them first, your AT&T relationship is a failure of massive proportions, with quality never measuring up and ability to correct way too lacking. For what it’s worth. I want your products more than any other, but AT&T’s issues have finally crossed a line and have reached the summit of Mt. Unacceptable.
So, what do I do? Please, tell me. Do I wait patiently for a relatively short period of time for another carrier option, or do I just make the move now and use someone else’s hardware?
I am truly sorry to have to leave, Steve. Please, win me back.
Wednesday, April 21, 2010
Many users of McAfee's virus scanning products are experiencing some real pain today due to a false positive virus alert (for the wecorl.a virus) that is resulting in dcom error reboots and in many cases the removal of the valid Windows svchost.exe from affected systems.
Despite a massive slew of articles and posts made on web sites today saying a new virus is in the wild and infecting computers (typically referring to this is a zero-day vulnerability), this is not in fact a virus outbreak, as anyone who knows how to use Google and has a remotely curious mind can discover in a matter of seconds. It’s an antivirus false-positive. The wecorl.a trojan is a couple years old, and this is not it. Even if it was a virus, it would not be zero-day.
In a nutshell, McAfee made a big mess with their AV update early this morning, and they are working feverishly to fix it. Read on.
First of all, if you're affected by the problem described below, information about a workaround fix and an update is available from McAfee at the McAfee Threat Center web site:
One of my own computers fell victim to this today, and I've been fighting with it since. I just got it back online, restored to normal and fully operational. My problem started at about 7am today and so I was figuring it out on my own, but the instructions McAfee has provided for the workaround/fix (linked above) are basically the same thing.
A DAT (virus definition 5958) file that appears was released earlier today has an issue that causes the valid Microsoft svchost.exe critical system file to be flagged as infected. It's not infected, though. This appears to impact primarily Windows XP SP3 computers, but it could be broader than that. As a result of the false flagging of the file, the McAfee AV software takes action, which can include doing nothing, quarantining the file, or in some cases removing it completely (that's what happened to mine).
If the file is quarantined or deleted, Windows stops working normally and a lot of the typical Windows functionality just isn't there anymore. Things like start menus, drag and drop capabilities, copy and paste in Explorer, and a whole lot more. You can still open Task Manager and launch new tasks manually, and the CMD window interface (command line shell) works just like always, so it's possible to get around to fix it up.
If you are running McAfee Virus Scan and have a signature file version 5958 (open the "about" dialog and look for the DAT version), then it appears you are affected. Rolling back to 5957.0000 (which was issued 4/20) will resolve the issue. There is also an "extra.dat" file available that can be dropped into the McAfee AV scanner's DAT directory while in safe mode, and then the computer should be restarted. Or if you're a business using EPO to centrally manage your AV system, you can push it out with that.
But if your svchost.exe file has been quarantined or deleted, you'll have to do some hands-on repair (at east for now, until a better solution is put together). The link at the top of this article walks you through what's needed.
This is a serious challenge today for McAfee. Their web sites appear to be badly overloaded and I have friends in the business who are waiting on hold with McAfee for extended periods on time. In speaking with people working at other (huge) companies, it's apparent the impact is huge and widespread. Thousands of people who should be working are dead in the water now, so to speak, with no computer to do their work on.
I hate to think what the financial impact of this is. It's got to be huge. Follow the link above and check it for updates from McAfee as time goes on.
Friday, September 25, 2009
One of the upcoming online summits at BrightTalk is the Cloud Security Summit, which consists of a bunch of web conferences on September 30th.
You can visit the summit overview and schedule page here.
Lots of topics around security, legal issues and compliance in the context of cloud computing. Good stuff. Recently on RunAs Radio we have have had a couple discussions where cloud computing came up, too.
Monday, March 23, 2009
UPDATE: We've had a great response and have assigned all of our beta invitations for the first round of testing, but please check the details below and let me know if you think you'd be able to help in a future phase!
I'm working with a software company to test some cool software that's currently in the early beta stage of development. The software is of a security nature and will be of interest to IT and security folks as well as individual computer users. We're looking for people with netbooks and notebook computers, especially ones with webcams built in, to test the software and provide feedback.
You'll be provided a test key and the beta software, and will need to honor the confidentiality provisions of the test program. It's nothing too complicated and the test risks are very small. You'll install the software, run through a few operational tests and let us know the results. We will ask first for technical results ("Did this work?") as well as your opinions and thoughts, should you wish to provide them.
What you'll need to provide and have available for the test:
- One or more notebook or netbook computers
- Computer(s) must be running Windows XP, Vista or Windows 7
- If it has a webcam built in, all the better (but not required)
- A Flickr account (basic account is fine)
- An email account and server information (for application configuration to allow sending of email alerts)
What you'll get as a result of testing and providing feedback:
- A free copy of the release version of the software when it's released (and you'll be glad you have it installed if your computer is ever lost or stolen, hint hint)
- Satisfaction and a sincere thank-you from me and the developers of the software
This software is quite interesting and has a lot of promise to provide real security value when it hits the streets, so we want to find as many complete test cases as we can. If you're interested, please email me at email@example.com and provide the details about your system, OS, etc - or call me at 503-766-2258. We are testing now, so let me know!
Wednesday, March 04, 2009
More than once someone has asked me if there is a way to get Google to change their search results to exclude mean, inaccurate, defamatory, rude, or otherwise hard-to-swallow web pages. Often the desire motivating the question is legitimate, as someone has been smeared unfairly or - even worse - in a completely fabricated and malicious fashion, sometimes by anonymous online personalities.
The short answer is, "Probably not."
Now, before you think the proper solution is to have Google block the pages from their search results, it's important to understand that Google is not the Internet, and that it's not really making recommendations to you when it lists web pages that match what you're looking for. Rather, it's showing you an extensive list of links to content out there on the Internet that seems to match what you're looking for.
And that's what Google's search engine is: A way to find information created by other people and displayed on the Internet. It's not a filter that's meant to decide good from bad, who's right and who's wrong, who's lying or telling the truth, etc.
That said, there are things that Google works hard to avoid showing you. Spammy pages (especially ones that try to game Google's own advertising systems) are filtered out, and there are a couple topics that won't return results in their adsense and adwords advertising systems (just try to set up adsense on a site that sells or promoted firearms, for example). So they're not completely hands off, but for the most part they don't discriminate.
When you want to have a web page removed from the search listings at Google, the most effective (and almost the only) way to do so is to convince the person controlling the web page to change the information or remove it. If you can't get them to do that, it might be time to go to a court - assuming you have convincing proof that the page is inaccurate and/or malicious, etc.
Granted, if a judge sends Google a legal notice requiring them to take action, they'll probably do so. But good luck getting a judge to agree to do that.
Always go after the source of the problem. It's not Google's fault that some mean person posted a page that says you're a jerk and thief (even though you're not). But you might be able to convince a judge that the person you claim is defaming you should change or remove the page. If that happens, Google's indexing bots will automatically update the search results the net time they crawl the offending pages and see the content has changed.
Matt Cutts has a good article (with a great graphic) discussing this. Here's a brief excerpt of what Matt tells people when they ask him the same question:
We really don’t want to be taking sides in a he-said/she-said dispute, so that’s why we typically say “Get the page fixed, changed, or removed on the web and then Google will update our index with those changes the next time that we crawl that page.”
His post prompted me to think about this again since I get this type of question several times a year. Just keep in mind that while it's an emotionally difficult thing to have someone write mean things and lies about you for all to see, it's a relatively clinical process to try to get that information changed or removed. Just make sure you stay calm and look to the right people to help with driving those changes.
Google's official page that addresses how to remove content from the company's search results is located at:
Monday, February 09, 2009
I dropped into a Starbucks this afternoon, all prepared to get some emails written and to get some work done between my Sunday afternoon and evening commitments. Everything was fresh in my mind and ready to go via the keyboard and onto the screen. I fetched my grande two-pump sugar-free vanilla skinny latte and sat down in the chair, opened the laptop and watched it wake up and connect to the AT&T wireless access point.
But much to my dismay nothing would load over the network. The AirPort icon in the status bar showed the name of the network and indicated that I was connected to the access point, but I had no connection to the Internet.
After a brief bit of trying over and over to load a web page, I checked the network preferences in the apple system preferences panel and found that I was not getting an IP address. The Mac was self-assigning a 169.* address, which is a non-routable local-only address. I tried restarting the AirPort card in the Mac, but that didn't help. I then found I was able to connect normally with my iPhone to the AT&T WiFi network and get a "real" IP address (192.x), so I quickly deduced that something was wrong with my Mac.
I had to give up on troubleshooting and head back out into the world, but I spent the rest of the day wondering if maybe there was something about the MAC address for my wireless card that AT&T had chosen to hate. After finishing my day of activities, I drove home this evening and fired my laptop back up. It connected to my home wireless network. But again, no IP address assigned. Hmm, definitely the laptop.
I started thinking now. What could be happening? Powering the AirPort on and off, shutting down the Mac and powering it back up, manually telling the network stack to renew it's DHCP lease - all these things did no good.
I finally decided to take a look at the Mac firewall logs. You'd think that would be the first place I'd look, being a security guy. They're kind of hidden in plain sight, a few layers deep in the Mac's preferences dialogs. You go to the System Preferences panel, in the Security section, then the Firewall tab, then click the Advanced button, and finally click the Open Log button. If logging isn't already turned on, you can enable it there, as well.
Sure enough, I looked in the log and found several examples of this (emphasis mine):
Feb 8 23:02:04 greg-hughess-macbook-air Firewall: Deny configd data in from 192.168.0.1:67 uid = 0 proto=17
Feb 8 23:02:26: --- last message repeated 2 times ---
Ah hah... Apparently the firewall was refusing inbound connections initiated by the router as it tried to set up the DHCP address being requested by the laptop. The configd daemon is a service that handles configuration changes for various pieces of the system, mostly all network-related. Great, I had something to fix!
I first confirmed configd was in fact running, then deleted the firewall configuration file (located at /Library/Preferences/com.apple.alf.plist) and configured the firewall to temporarily allow all connections, and then back to allowing essential services. Sure enough, as soon as I made the changes the Mac was able to get a DHCP address from the router, and the network was back up and working.
I have no real idea how the firewall got messed up. At one point I had it set to configure access for specific services and apps, so that might have had something to do with it. But it's strange that this problem only started today. It's possible the configd process was denied by a rule, I suppose. Perhaps I hit a key on a pop-up dialog to deny firewall access to the daemon without even realizing it while typing?
At any rate, it seems to be working now (as evidenced by the fact that I am able to post this blog entry, of course) and hopefully it will continue to work as expected. Maybe this will help someone else troubleshoot a similar issue.
Friday, November 07, 2008
While at the TechEd EMEA conference is Spain this week, I had the opportunity to visit with Thomas Dawkins from Microsoft's Trustworthy Computing Group. He's the guy responsible for the Microsoft Security Assessment Tool (or MSAT for short). The MSAT is a tool that's been around for a couple of years, but it was recently updated by Thomas with some great new enhancements, including a new user interface and a stronger, more complete set of back end information.
MSAT is a free tool that you can download from Microsoft. It's targeted to companies of 1,500 employees or smaller (as a general rule) and follows a questionnaire format to assess weaknesses in the IT security environment. Bt it's not a parching tool or a scanning tool. Instead, it leverages standards like ISO 27001 and NIST-800.x to baseline the security readiness of your organization.
It enables people to do what we security professionals hope for: analysis across each of the people, process and technology elements of a business' computing environment in order to ascertain how and where we need to spend our time and energy. The tool not only describes the state of readiness of the assessed environment, it also provides best-practice recommendations rooted in industry-accepted standards that can be used to improve the organization's security stance.
One of the most likely users of a tool like this is the IT manager, but one can also picture security consultants, business managers, and anyone else with responsibility for an organization's security operations leveraging the tool and the reports it generates.
You'll also likely be interested to know that Microsoft has released the fifth version of its Security Intelligence Report, which looks at the state of computer and information security over the past six months. You can find links to the full report and the key findings summary documents on Microsoft's web site.
Thursday, September 18, 2008
It's really the classic case study in information (in)security and the need for strong authentication. With all due respect to the good people at Yahoo!, this opportunity to review Internet security mechanisms is too good and too useful to pass up.
By now, we all know Republican vice-presidential candidate Sarah Palin's Yahoo! email account was broken into on Tuesday night (read the link to get the details). Apparently (and fairly obviously), access was gained via the forgotten password mechanism on the Yahoo! webmail interface, which allowed the malicious person to reset the profile's password with just a few pieces of information about the Alaska governor (birthdate, ZIP code and a piece of info related to where she met her spouse) that could be easily discovered by searching Google. That fact that so much of Palin's life history has been documented on the Web makes her that much more vulnerable to knowledge-based security mechanism hacks. It should also be noted that some security questions are better (or stronger) than others, so it's important that questions you choose for online protection are not ones that can be answered with information available on the Internet.
We security folk frequently talk about something called "multifactor authentication." By "multifactor" we mean an authentication process that requires two or more of the following:
- Something you know (passwords, user names, answers to questions)
- Something you have (token, device, phone, etc.)
- Something you are (physical fingerprint, voiceprint, or other biometric measure such as a verifiable, non-spoofable behavior (some call this "something you do"))
Most multifactor auth systems are pretty easy to recognize. You know them when you see them. Those key fobs or cards with the revolving digits that you have to provide at login are a common example. They're also fairly expensive and complicated. Some multifactor technologies are easier to use than others. There are a variety of behind-the scenes systems that track user behavior and other markers to determine if the person accessing an account is the legitimate user or a bad guy, for example. A well-designed and well-implemented system balances usability with security strength, and some systems yield higher results in that regard than others.
In this particular case, the bad guy was able to leverage only things he knew (found via a search engine) to change the password on the account and gain access to the Yahoo! Mail account. No other verification or mechanism was required. That's simply weak security in this day and age.
I walked through the account password reset system on my Yahoo! account, just so I could get a first-hand look at how it works and how simple it is to reset an account there. Honestly, it was a little too easy. Here are the details (you can click each image to see them full-size):
First of all, I selected the option on the login screen that says, "Forgot your ID or password?"
Next I was prompted either to supply an email address for reset, or to choose the option to reset without access to a registered email account (which to me was an immediate red flag). Obviously, I chose the latter.
This is where the security mechanism breaks down. I'm immediately asked to answer a "secret" security question. This process is called knowledge-based authentication. It's an additional layer of validation in a single-factor authentication scheme - I have to provide "something else I know." Even in my case it's information that could be fairly easily discovered (assuming I answered the question accurately). It should also be noted that in order to change my security question, I need to contact Yahoo! customer support (which I did).
Once I supply the correct answer to a single question, I'm immediately allowed to change my password. At this point it should be noted that if I was prompted to answer multiple questions in this validation workflow, using some randomization of questions and setting a time limit to answer each one, that would at least make it more difficult for someone to gain unauthorized access. Systems are available to do exactly that (I know, I used to manage a team that built one such authentication app).
I'm asked to verify my ZIP code and country (just for profile information), and that's it. Note that other analyses of this process seemed to say that providing the ZIP code and Country was required to reset, but that was not the case in my review. In fact, it appears the bad guy is just being handed that information after changing the password, for free. Take that info, stick it in your Google and smoke it: More search accuracy for the next phase in your attack. Not good.
I'm then notified that my account is now "up to date." I also got an email notifying me of the changes that were made to an account I had tied to the Yahoo! profile for communication purposes. At least I can rest assured that I'll get an email before the bad guy goes into my profile and removes that address from the account.
I think you're starting to get the picture. The authentication mechanism is only as strong as it's weakest part, and the fact that I have an option to reset without ever having to leave the browser window is a problem. Even changing the system to require that I receive an email (which is already the standard reset mechanism) would be better. As it stands today, that's an option, but not a requirement.
Many will argue that hey, it's just an email account, and that Yahoo! can't be expected to implement stronger security on their site as a requirement. I say that's flat out wrong (and what the account was or wasn't used for isn't particularly relevant to this analysis). Email is the number one mechanism used to move information - both innocuous and sensitive - among people. The fact that it's not the best mechanism for doing so ignores the fact that it's how people do things. There are a variety of options available to help ensure only authorized users can get access to email accounts. The fact they are not regularly implemented is a sad state of affairs.
There are many options to strengthen the identification and authentication processes. We can't discuss them all here, but a couple on my mind are described below.
Physical tokens - Making the jump from only having to remember a user name (which is usually the email address, so hardly a secret ) and a password to a scheme where one must carry a token and provide information from it in order to log in is quite a leap (carrying yet another piece of technology around doesn't exactly appeal to me), but it works. The costs associated with fulfilling, supporting and maintaining such a system are very real, and for Yahoo! may not be realistic. But there are systems available to those who know and choose to use them that can substially improve your authentication profile. Check out Omar Shahine's recent blog entry describing how he's securing his accounts in a few ways, including with an OpenID-integrated single-sign-on token system from Verisign.
But, even if you use an OpenID to sign in, what if your OpenID is a Yahoo! ID or other identity that you can reset with a single piece of discoverable knowledge? It still needs to be protected from unauthorized changes and access.
How to do that? There are several ways. I have a couple of favorites, but please feel free to share yours.
Require security changes to take place out of band - One option, probably quicker and less expensive to implement than physical tokens, is using something like an automated telephone call or text message to require the owner of the account to verify a change should be allowed. By registering one or more phone numbers when the account is created and requiring a unique secret be provided via that channel to authorize a change, one can sufficiently secure the account. Vidoop uses a system like this for resetting information on their OpenID accounts. It's simple and it works. It requires me to have the correct device (my phone), uses a different communication channel (the phone network, hence "out-of-band") to contact me and then verifies I am a legitimate user. It requires me to interact as part of any change.
But the technology options get even better: JanRain's myOpenID, for example, now has a feature called "CallVerfID" that equips your myOpenID for two-factor authentication via the phone. It's quick and easy to set up and instantly protects every login with a multifactor authentication mechanism. I found I was not able to use it with a couple phone services due to the way they answer the call (I should provide feedback about that, added to my to-do list), but when set up for my cell or home phone it works as advertised.
Expect more of this class of technology in the future. Think, for example, about voice biometrics: Is that really you that's answering your phone? That kind of technology would be very cool if it was reliable. It's a complicated but useful technology that's being refined even as we discuss this.
I would guess that "review of all Internet email accounts" has been added to every campaign manager's list of things to do deal with early in the vetting process (not to mention the Secret Service's list). Any of the technologies above would likely have prevented the malicious bad guy from accessing the Yahoo! email account.
In the security world, change only happens when enough people make enough noise, a regulator gives an order, or enough companies feel enough financial pain. This looks like one of those cases where noise is the better option. It's certainly better than regulatory mandates (which tend to create collateral damage), and waiting on big companies to suffer is not exactly a reliable plan.
So... Feeling okay? How safe is your account, really?
Thursday, September 11, 2008
Over at Wired's Gadget Labs blog, Brian Chen writes about information discovered during a webcast presentation on Thursday covering the recently discussed iPhone security weaknesses having to do with bypassing the password-protected lock screen.
Jonathan Zdziarski, a data forensics expert and author of the forthcoming book "iPhone Forensics," did the presentation for law enforcement personnel and anyone else who might have a need to access an iPhone to discover information. During the presentation, in which he outlines a method for breaking into the phone with modified firmware and some hairy manipulation, he also showed how the iPhone takes a screenshot of every application the iPhone's user closes by pressing the "home" button. The saved image is used to "draw" the collapsing screen animation you see when your application closes and you're returned to the home screen. The image file is then deleted from the iPhone's storage.
But, nothing is ever really completely "deleted." And in this case, apparently when the temporary image file is killed from storage, the data "on-disk" is not overwritten or otherwise cleaned, so anyone with some basic forensics knowledge can search the iPhone storage space for the old files and recover them easily. You can do the same thing on pretty much any computer.
Depending on your point of view, this is either a potential privacy issue or a great forensics feature. Having worked as both a police officer and as a business security professional responsible for privacy and data integrity issues, I can understand both arguments. Certainly as a cop, being able to dig into someone's iPhone (with a proper warrant of course) to find evidence of crimes where the phone was used in some manner is of real value, and screen shots are potentially pretty useful evidence. But as a person who also values privacy as a matter of basic principle, it's a little disconcerting, especially since I didn't realize until today screen shots are being made.
The webcast recording is not yet available as of the time of this writing, but it should be posted to http://www.youtube.com/OreillyMedia in the next few days. If you're interested in learning something about electronic data forensics, it will be worth the time to check it out. Here's the O'Reilly abstract from the session:
In this free, live webcast, iPhone hacker and data forensics expert Jonathan Zdziarski guides you through the steps used by law enforcement agencies to bypass the iPhone 3G's passcode lock by creating a custom firmware bundle. Author of the upcoming book, iPhone Forensics, Jonathan has devoted much of his talent supporting law enforcement personnel with his development of a forensics toolkit that allows them to recover, process, and remove sensitive data stored on the iPhone, iPhone 3G, and iPod Touch. This live presentation is aimed towards law enforcement and anyone else who has a need to access the not-so-readily available data on an iPhone.
Monday, September 01, 2008
Google seeded a paper comic book to some people recently, to present and describe their future web browser (or you might just think of it as the web browser of the future), which is called Google Browser or Chrome.
So, what's the story? Making the browser more stable, more usable, more secure. At first glance, it looks like a strong starting point for the future of Internet browsers. Written from the ground-up from scratch and with the experience of several years of past browser platforms to learn from, Google has addressed many of the main concerns in today's browsers.
Now the only question is: When will we get it? I will be watching here to see if something shows up. Hopefully it's soon!
UPDATE: The release date is tomorrow (Tuesday, September 2, 2008) - More info and link to screenshots here.
And, it's all open source. That's right - Anyone (including other browser makers) can leverage the work done in the Chrome project and can contribute or modify to meet their own needs. Good move, Google.
Pretty exciting stuff. It will be fun to see what comes next, and when.
Friday, August 29, 2008
Vidoop Labs has a dream:
The dream is to see Identity baked into all browsers. Just imagine opening your web browser and then selecting your Identity Provider (IDP) the way you select your default search provider. The benefits are numerous; never type in a username, never look for a login button/page (you are authenticated when you land on a domain), no phishing/MITM (the browser can do domain and SSL cert validation). You fire up your browser and authenticate (or login) similar to the way you log in to your computer every time you turn it on. The difference is you get to choose your provider and can take control of the data you safeguard, store and share on the Internet.
I could get into that.
Vidoop is a Portland, Oregon company that has built some interesting technology around OpenID. I really like the idea of OpenID, and I have a couple OpenIDs of my own that I use on various sites. But OpenID is not exactly perfect. It's still relatively young, and from the usability standpoint it needs improvement. The identity and authentication requirements of the modern Internet demand some additional features and capabilities that OpenID doesn't deliver (and you can argue that it shouldn't). By combining openID with other technologies (such as Information Cards and other strong-auth offerings) and improving usability for end-users, it could become a widely-adopted, used and trusted standard, or part of a broader one covering strong authentication and identity protection/assertion in a commonly-accepted and deployed package.
Vidoop's Luke Sontag today posted an announcement that the company's newly-formed Vidoop Labs has fired up a community project called IDIB (pronounced "Eye-Dib"), which aims to improve on the OpenID usability model and make it stronger at the same time. They've released a developer preview of IDIB in hopes of involving people and getting your input and feedback.
From the Vidoop announcement:
Over the past few years we’ve seen the adoption of OpenID continue to increase but the work that we’ve done as a community to develop this technology has only just begun. Looking at the landscape of OpenID adoption, its clear that there are several key factors inhibiting adoption, but two that we want to focus on today, namely usability and security in the browser.
It was almost two years ago when the Firefox 3.0 roadmap wasannounced and OpenID was mentioned as a new component to the platform. The Mozilla Firefox team looked to members of the OpenID community to step up and provide guidance on what exactly we imagined identity in the browser looking like, but we failed to mobilize and answer their call.
In light of that missed opportunity, Vidoop Labs has been working hard over the last several weeks to produce a prototype that we intend to use to initiate a wider discussion about OpenID in the browser and what it might look like.
And the current developer preview (which is open-source) is just a beginning. Imagine leveraging Information Cards (such as one would use with Microsoft's CardSpace, or the similar open-source offerings for Mac and Linux) in the cloud, and being able to use OpenID - one logon for all your web sites - confidently, securely and with proper security protection.
The Internet needs a good, strong, reliable, usable and secure standard technology to solve the issues related to user names, passwords, single sign on and identity protection. IDIB looks like a serious and positive attempt to start the journey directly down that path.
Wednesday, August 27, 2008
Well, this is a little embarrassing
. Intergalactic malware has made it's way into the news. A computer virus on the International Space Station. No AV software on the laptops they use, nor (apparently) is there a process of security checks on personal computer equipment like USB thumb drives carried by astronauts being rocketed to the International Space Station.
Granted, the virus in question in this case is pretty innocuous, and apparently other viruses that have made it into space aboard computer gear in the past (it's really quite difficult to mention that in passing) have also been more of an inconvenience than a real security threat.
But imagine a virus that might make its way on-board and do more damage. Not good. It looks like it's time for some effective process and possibly some basic security technology - You know, just in case.
The author of that virus has something new to brag about, though. That's for sure.
Tuesday, August 12, 2008
A bunch of IT and web-app teams have lost a lot of sleep lately...
Over the past several days, a significant number (in the thousands) of web applications, some of them well-known and well-used, have fallen victim to a distributed SQL injection attack that takes advantage of weak or non-existent input validation to inject malicious HTML code that then performs a drive-by malware attack on unsuspecting visitors. Since visitors to your site trust it, if your site has been hacked they are more likely to allow the malware to install on their computer (especially if, for example, the malware is delivered in the form of a browser helper object or something along those lines).
The malware in question appears to steal WoW account information and insert a back-door (trojan) program on PCs it infects (among other things).
Web sites that do not properly validate all input - and by proper I mean trust nothing by default and only allow input that specifically matches what is appropriate - and which run on a Microsoft SQL server back-end (and possibly other database servers that use the same basic table structure) are at risk. I've observed web sites running on both Apache and IIS that have been hacked, the only common thread is SQL server (despite reports to the contrary).
About data validation...
I've personally spoken with people from a few companies who have had to contend with the fact that their sites were attacked in this manner over the past several days. In each case, they were utilizing a so-called "black-list" (or "deny-list" to be a little more appropriate) of bad input in their application logic. The problem with black-listing is the cases where you don't realize something should be on the list, or when new threats emerge. Instead, a white-list (or "allow-list") methodology requires you to specify what input is allowed. Your application won't change much over time. The threats will. Deny all by default,
it's the only safe way to go.
UPDATE: Neil Carpenter mentions in the comments here that he recently posted an excellent blog entry about using parametrized queries in SQL server, and he makes some great points. While input validation is a useful and often appropriate layer of security (not all apps are database-driven), solving this specific type of problem using his method is an important idea to look at and leverage. A layered conbination of both input validation (where it's practical and workable) and paramaterized queries is a good approach, in my opinion.
Secure Computing's TrustedSource (good site, read it) has some detail about the attack...
You'll see this in your web server logs (assuming you are logging, and you sure as heck better be - more on that later):
Which is a hex-encoded injection that, when translated, creates this SQL statement string (bad-guy address has been removed):
DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec(’update ['+@T+'] set ['+@C +']=['+@C+']+””>
To search your web server logs for any offending lines, look for "DECLARE" anywhere in the query string. That's a dead give-away. You'll find attacks from various unsurprising countries including North Korea and China (or at least what's where I have seen them coming from).
How to solve?
If you need a tactical approach to block this particular threat right now while you plan validation improvements, I'd recommend what many people are doing: Monitor all the input with your web server, and re-write the offending statements to something innocuous. That's a band-aid, but it can help in the short-term with this one particular need. In addition, you could use application-layer firewalls in from of your web server/farm to do the same thing. But neither of these approaches would be considered acceptable as a complete or permanent solution. You can certainly keep them in place after an app fix, as part of a layered security approach. But ultimately the site needs to be coded properly and not allow the bad input.
HP recently released a tool that you can use to check for SQL injection vulnerabilities specifically called Scrawlr. You can find it, and related information, here.
Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!
If you are dealing with this attack or have related thoughts, please feel free to post in the comments with your experiences.
Sunday, July 27, 2008
Over on the Internet Evolution site I recently wrote an article
discussing the fact that MySpace is becoming an OpenID provider. Of note is the fact that they will be provider-only, and not a relying party, at least initially. This is a trend we've seen with other big companies like Yahoo!, and many of us are not-too-patiently waiting for these companies to start trusting and relying upon other organizations, so the utopia of user-controlled Internet single-sign-on can become a reality.
That begs the question, "What will it take to achieve the level of trust and confidence needed to make it easy for these big provider companies to join the relying-party crowd?" I'm certain there are plenty of detailed conversations and that things are being hammered out and actively discussed behind the scenes at all these major companies, but I tend to think about these things out loud anyhow.
So, I hope you'll read my article and thoughts over on Internet Evolution
and that you'll take advantage of the opportunity to comment there. I'd be interested to know what you think.
Saturday, July 26, 2008
The DNS vulnerability discovered earlier this year by Dan Kaminsky, and recently patched by DNS software providers in an unprecedented cross-vendor cooperation, has graduated from vulnerability to exploit-in-the-wild.
According to Kaminsky, 52% of the DNS servers on the Internet are still vulnerable, better than the number of exploitable systems just a few weeks ago when the patches were released by all the vendors.
Kaminsky has written up a plain-language helper guide to explain the problem to non-technical (read: management and decision-making) people. There's also a Black Hat webcast with Kaminsky available where he details the vulnerability and discusses the fixes.
Read more at Ars Technica.
Wednesday, July 23, 2008
In the case of Terry Childs, a network admin who gained notoriety recently for locking the City of San Francisco and his managers out of their own critical network, comic-book style progress has been made, with Childs' attorney inviting the mayor of SF to a secret meeting at the jail, where Childs handed over the passwords he'd previously refused to disclose.
Childs' lawyer, again in typical comic book fashion, has also come out saying that Childs' actions were essentially noble and that he was acting to protect the network he built from his management and peers, whom he characterized as being neglectful and without the proper knowledge to support the network. About what you'd expect from a defense lawyer in a public case, I suppose.
But Childs is in no way a hero. Even if what he says is completely true, he's (allegedly) committed a real crime. He does not own that network even if he helped build it, and regardless of whether the management in his department was capable of exercising its responsibilities, when Childs locked everyone out he crossed a clear line. If it was to make a point, he simply went overboard. The whole unfortunate case just smacks of ego and manic behavior.
But from arm's length the city doesn't exactly look like a helpless victim, either. Any professional management team that creates an environment where one person can control a critical and sensitive network in the manner exercised in this case has missed some of the most crucial and common-sense aspects of IT and security design. In fact, most of the time when cases of one-man-too-much-power crop up, we find that the IT staff is also responsible for security with little or no separation of duties, no checks and balances, and no controls to ensure one bad apple doesn't ruin the whole barrel.
Was Childs right? Absolutely not. Was the City wrong? I don't see how you can argue otherwise.
You'd likely be surprised how many real-world computer networks - big and small, important and less so - are run on the concept of "we just trust that one guy." It's what we call a "Beer Truck" risk problem: If I'm that guy you trust, what if I get hit by a beer truck and killed, or alternatively what if I drink everything on that beer truck and go nuts and wipe out the network? What then?
Systems should be set up to ensure no one person holds all the keys. Over the past few days I've read comments made about this story, in many cases by angry IT-types who say if you hire someone you have to give them access to everything and you have to trust them to do the right thing. Otherwise they cannot do their job, you're a terrible person and your network and systems are doomed. That premise is simply and blatantly false, and in fact following that method puts you in the same boat the City of San Francisco has just found itself in. Please, don't listen to the old-skool IT admin crowd, telling you to hand it all over to them because you obviously don't know what you're doing. Fire those guys and find some real help.
If you want a healthier view of the situation, check out articles written by smart, thoughtful people, like this one by Paul Doyle. Also, Paul Venezia wrote an in-depth article about what went wrong, with some detailed inside information.
To be clear, no one person should control all the systems. Control and authority are not the same thing. Checks and balances are important. The Air Force doesn't allow one person to perform all the steps needed to launch a ballistic missile, right? Apply the same principles to your IT systems.
Case in point: I was the chief security executive at a major online financial services company. I had administrative access to nothing. I couldn't even get in the data center without an escort and records being kept. I had no account access to critical or sensitive systems. And no one person there could make changes in a vacuum. IT workers didn't have access to security systems. Security workers didn't have administrative access to anything by default. And we operated effectively, smoothly, with full knowledge of what was happening on the network and systems. No one person had control. Authority, sure. But actual control of systems? No. To operate otherwise would have been negligent.
I often preach the value of formalizing security management and putting proper process, technology and organization in place to ensure a good, stable system that can effectively support business. One of the pillars of an effective security management system is hiring good people (probably not ones who have been convicted of aggravated robbery in the past, sorry) and separating duties in a way that protects everyone involved - employees included. Doing so is not punishment, it's just good common sense.
If nothing else, lets hope businesses and governments all over learn from this embarrassing public spectacle. There are standards out there (my background and experience is in ISO 27001, an international security management standard), the very purpose of which is to make sure things like this don't happen. It's high time to start using them.
DNS has a hole in it. Bad guys are working on exploits right now. Patches are available right now. Anyone responsible for a DNS server needs to exercise that responsibility. Right Now.
Dan Kaminsky found a security hole in DNS recently, the details of which he was keeping quiet so providers could fix and release patches and DNS server owners could get those patches deployed, in order to avoid security breaches on the Internet. His intent was to release the gory details in a couple weeks at the Black Hat conference.
But the other day word of the details inadvertently leaked out, and so now everyone responsible for a DNS system must - and I do mean must - drop what they're doing and make sure their systems are patched and safe. Failure to do so puts Internet users at risk of site fraud and hijacking.
DNS is a system that translates names you can remember (like www.greghughes.net) to especially non-memorable numerical addresses the Internet can route (such as 188.8.131.52). It's the Internet's phone book, so to speak.
The security hole allows malicious people to spoof a web site using the actual, legitimate domain name. In other words, bad guys could hijack a DNS server, and if it happens to be one your computer relys upon, you could type in a legitimate address like www.google.com or www.yourbank.com, but the web page would be a malicious one - a fake. The recently-released patches plug the hole and prevent this misuse (although it doesn't really change the underlying protocol).
Aaron Massey wrote a very good post describing the issue and it's various details. He also links to Halvar Flake, a talented reverse-engineering guy who thought the threat through and pretty much guessed it right on his blog. After Halvar's guess, another security blog that had specific knowledge of the threat details confirmed Flake's hypothesis. As a result, the threat was disclosed.
Luckily, the various creators of the DNS systems used all over the Internet released patches about two weeks ago. The real question is, have you patched your servers? This is a critical flaw - it needs to be patched immediately.
If you want to know whether the DNS server your computer relies upon is vulnerable or not, you can use the DNS Checker in the sidebar of Kaminsky's blog (as long as it remains there).
Sunday, July 20, 2008
Chances are, if you're reading this around the time I am writing it, that your computer is not exposed to an IPv6 network. You're most likely on an IPv4 (classic) network. You can easily tell by trying the quick IPv6 test on this page.
Even if you're not on the new network stack yet, change is happening, and systems have to be adapted to make sure not only that the new network works (most - but not all - modern hardware and software "understands" IPv6), but also that when you do actually start to operate in an IPv6 world, that you are properly secured.
In an effective security world, you need to put protections in place soon enough, meaning before the threat appears. You have to protect proactively, without waiting for bad guys to exploit a network or system. In the case of the IPv4 to IPv6 transition, that means making sure things like intrusion prevention and detection systems, firewalls, and other software and devices that function in the network layer even know how to "talk" the IPv6 language.
A number of current security applications just don't know how, so now is the time for a call to action: IPv6-enable your technology right now, to prevent opportune threats in the future. Don't get caught with your pants down.
Kim Zetter wrote a good article on the subject the other day at WIred. "The Ghost in Your Machine: IPv6 Gateway to Hackers" outlines quite well the potential threat imposed by a lack of readiness from a security perspective. It's not all bleak and terrible news, but as the article makes clear, now is the time to fix the problem, before something bad happens.
Probably the most difficult aspect of understanding the potential issues introduced by an environment not ready for IPv6 is the lack of awareness among IT folk in general as to how IPv6 works, how it's used, and the services (quite good ones, I might add - take a look at how IPsec is baked right in, for example) integral to the protocol.
What's it take to get from here to there? Being prepared with real, solid and accurate information is probably the most important step. Not many of us are naturally wired to take action before something bad happens. As an IT guy, I can tell you this: In the real world, most IT people don't learn what they need to know until after they need to know it. A lazy learning methodology just won't work in this case.
For IT professionals, do not assume that just because you were able to pick up your IPv4 knowledge over a long weekend of studying and tinkering that you'll be able to do the same with IPv6 - That's just not the case. IPv6 is more complex and has a lot more parts to understand. If you haven't learned it by now, for shame. Some of you have a little time left. Get on the ball, and gain the deep understanding you need to do your job properly.
For application and hardware vendors that haven't yet dealt with the IPv6 change, you're running late. While many vendors of firewall software, switched, home routers, etc. have made the proper changes, there are also many that have not. Even worse, there are a variety of IPv4-to-IPv6 workarounds that can relatively easily be put in place by unknowing people (read: the IT guys mentioned above) that circumvent firewalls and other protections that are relied upon for good security. Bad design, convenient at the time, disaster waiting to happen. Prevent this.
If you're an individual computer user or owner, what is the status of your software vendors with regard to dealing with IPv6 network traffic? Are you running the latest firewall software, current router firmware? Do the latest versions protect you in an IPv6 world?
IPv6 is a great move, and in time it will dramatically change for the better how computers and devices interact. That is, if we don't manage to screw it all up in the process.
Now is the time. IPv6 is here, Go forth. Learn, analyze and secure.
Tuesday, July 15, 2008
I know this isn't exactly a new thing, but as I was installing the IE8 Beta 1 for x64 architecture on a computer today to do some testing, I felt a warm-fuzzy sense of appreciation for the fact that more and more we are seeing software that checks for patches and updates before installing and running for the first time. It makes for more-secure system, which is nothing but good.
No matter what you think of Internet Explorer (and for the record/what it's worth, I like it quite a bit these days), you have to admit the safer installation process is a great improvement.
Wednesday, July 02, 2008
You have firewalls and anti-malware system, video surveillance and monitoring systems for network traffic to and from the Internet. But look at eWeek's semi-smart list of the top ten infosec risks workers pose to your business today, and you may need to rethink your plans.
I call this a "semi-smart" list because it's practical and real-world, and doesn't assume the "standards" out there cover all the bases. But, at the same time it doesn't offer much in the way of solutions, which always frustrates me (and it misses some key points, especially related to intentional worker behavior, as opposed to neglect, and how it can substantially enhance the potential associated with these risks).
Point is, each of the items pointed out is very much worth considering and reviewing in your business security program. Just don't forget to look at them in the big-picture perspective of the business.
And now for the list:
- USB Flash Drives
- Web Mail
- Smart Phones
- Collaboration Tools
- Social Networks
- Unauthorized Software Updates
- Virtual Worlds
Pretty much every modern technical productivity enhancer. Before anyone starts screaming the alarmist song, think about not only how these things can be used for good, but also about how they could be used to to Very Bad Things.
How many of those technologies are specifically and can be proven effectively covered under your infosec policies? How many have you tested in the real world to see what your compliance profile really looks like? Could you meaningfully test for these threats, even if they were on your plan?
You can check out the eWeek article here.
Monday, June 30, 2008
Nate Westheimer of The Silicon Alley Insider has this to say:
Twitter should take full advantage of their messaging platform, user base and user disposition to lead in the P2P mobile payments space, where, despite years of hype, no one has much of a head start.
Link to the article: How Twitter Could Be Worth A Billion In A Year
I have to admit, coming from the Internet financial services space, the thought of this actually happening scares me slightly, given the serious lack of stability and the manner in which changes have been made at Twitter with less than complete communication. But at any rate, they have a lot of money to throw at the problems, so I am rooting for them to get things right. It just hurts. :)
Westheimer makes some good points. Twitter is carrier/provider-agnostic and has amazingly terrific user and market penetration. Just as I send you a direct message today by typing "d yourname hi how are you?" I could pay you using syntax like "p yourname $20."
But getting from here to there is an whole other story. It's far from trivial to create a financial transaction and accounting system, especially one that scales to the sizes required (but it certainly can be done).
It's an appealing and interesting idea and one that warrant some real thought. As someone who comes from the the online banking software, infrastructure and security world, I can see the market need as well as the challenges from many fronts that will face any company that finally jumps fully on-board the micro-payments and mobile-payments train. A number of good, well-funded companies have given it a run before with limited success. It's a complex problem to solve, but it's doable.
It sure sounds like a fun challenge, and there's a massive marketplace out there just waiting for someone to get it right. Note the operative verbiage there - Doing it well is critical to success. The fact is there's no room for "scale later" in this game.
What do you think? Would you pay people via Twitter if you could? Would it be useful to you?
Tuesday, June 10, 2008
Last month, Microsoft released the Microsoft Forefront Integration Kit for Network Access Protection
, a solution accelerator that enables their Forefront Client Security products to interoperate with the Network Access Protection (NAP) capabilities included in Windows Server 2008. In a nutshell, it allows an integrated system of policy compliance and real-time checking of the status of a computer's Forefront security status, as well as remediation and access protection for machines that fall or are found to be out of compliance.
Using the technologies together, administrators can leverage the state of a client computer as part of the information and policy status that NAP leverages in controlling access to the network.
You can use the Kit to help protect your network infrastructure by configuring a Forefront Client Security compliance health policy across your network, monitoring the operational health of Forefront Client Security in real time, and remediating problems that arise.
More and better in-depth defense mechanisms, and ones that work well together on top of that, are good to see coming out of Microsoft and others. It's the kind of progress that's needed to stay on top of quickly evolving threats, and to proactively keep them from spreading.
(via Dan Griffin
Saturday, April 26, 2008
I'm pulling my hair out (what I have left, anyhow) trying to find a good home/home office wireless router that includes all the features I need. Granted, I'm a bit of a power user, but I'm honestly a bit surprised I can't find what I want out there somewhere. You'd think someone would build it. My list of features and performance requirements includes:
- Gigabit WAN and LAN ports - and needs to have four LAN ports
- VPN capability that I can use cross-platform - an SSL VPN might be the best option, but whatever works well and lets me connect with Windows, Mac, etc. is what really matters to me
- Working, reliable and effective QOS - routers I have used in the past have either been terrible or mediocre at properly shaping and allocating traffic for VoIP and other services
- Reliable and full-featured administrative capabilities in firmware
- Quiet, reliable hardware
- IPv6 support
Until recently, I have been using a D-Link DIR-625 router, which has been stable and reliable. But it's a 100-megabit device and the QOS is marginal for VoIP traffic in my experience. Plus the firmware has not been updated recently and there is no VPN capability. It's rock-solid at what it does, though. I've only had to reset it a couple times since I have had it.
I've looked at the D-Link DIR-655 router, which is their currently-touted gigabit version of the 625 model. It's still on my list possible solutions, but with no VPN it doesn't meet all my needs, and D-Link doesn't seem to have one that includes all the features.
Yesterday I picked up a VPN router with gigabit and QOS made by Linksys, the WRVS4400N. It's not cheap and honestly I'm not sure why I allowed myself to buy a Linksys product after all the headaches I have had with them before. The net result of the past 12 hours of use is that I'm going to return it today. Between the slow reboots required with every other change I make and the lack of capabilities in the software (and some stuff that just doesn't work), it's already frustrating me. D-Link has seriously spoiled me in the Admin interface/firmware capabilities department, even without releasing any updates. Add to that the high-pitched whine the Linksys router makes and the heat it generates when plugged in and there's just no way. The whine is pretty awful, and gives me a serious headache within minutes if I am near it. Back to the store it goes.
So, I am left without a solution that meets all my needs. I may just have to pick up the D-Link DIR-655 and live without VPN and then find a separate VPN solution, but I don't want to if I don't have to. Any ideas anyone? Is there an option out there that will meet my needs and expectations?
Friday, April 18, 2008
IPv6 has been around for something on the order of 15 years, yet it has yet to see widespread adoption. It was recently enabled on Internet core DNS infrastructure, and had been adopted in some network like those operated by certain mobile carriers. The current IP addressing and allocation scheme, dubbed IPv4, will eventually run out of IP addresses. There's been a sort of boy-called-wolf debate over whether we're really going to allocate the entire IPv4 address space anytime soon or not. But eventually we'll run out - some say in 2010.Sean Siler
, Program Manager responsible for IPv6, joined Richard Campbell and me for a RunAs Radio show
. Sean really knows his stuff and did a terrific job of describing IPv6, comparing it to IPv4, and other useful information.
IPv6 enables a lot more than just additional addresses, though. Sean discusses what's the same, what's different and what's new (hint: IPSEC and multicasting everywhere). He also offers a great analogy to describe the enormous size of the IPv6 address space. It's mind-boggling, really.
If you don't understand or know much about IPv6, this interview is a great place to start learning, and you truly need to be doing so if you do network design or other work in your job. The change is significant, but not impossible - so go listen to the show and get learning
Sunday, April 06, 2008
, a Microsoft Technical Fellow, presented a very good session at the TechEd IT Forum last year on the topic of advanced eradication of malware on Windows machines. It's a great session and has some useful advanced techniques for removal. It is also a very good resource for those who want to better understand how malware infects and what some of the risks are. Lots of practical information and how-to's in this one.
Fortunately, the session was recorded and is available online
for anyone who wants to see it. If viruses and malware are a part of your job or if this type of security topic is of interest to you, it's an hour and twelve minutes well-spent. I went looking for this session online hoping to find the PowerPoint and found the whole session with video and demo and everything - terrific stuff.(Updated 4/7 - link to video fixed)
Friday, March 21, 2008
Got iTunes, or anything else Apple on your Windows computer? If so, when the Apple software checks for updates, you'll probably see an option (which is enabled by default) to install Safari - even if you don't already have it installed on your computer. Safari is Apple's default web browser (and actually not a bad one at that). But since people are used to seeing - well - updates when the software checks for updates, you might not realize you're installing new software.
Just making sure you're paying attention here, is all.
Sure enough, when I check for updates on my Windows machine, where Safari has never been installed, I'm presented with the option to install it...
As Tom Krazit tells us... Just un-check the box if you don't want to install Safari. Simple as that.
"It seems that at some point people became conditioned to downloading anything that shows up from an official source, like Microsoft, Apple, AOL, Yahoo, or whoever. Remember, it's your PC; spend your installation capital wisely." (link)
It's always important to pay attention to what you're clicking on. Fact is, Apple's probably counting on the fact that a significant number of people will just click without thinking - And that's indicative of a whole slew of problems, with users, companies, you name it.
For my part, I made the educated decision to install it. I actually kind of like Safari on the Mac, so I'm interested din trying it on Windows.
Thursday, March 06, 2008
Microsoft and Apple have announced that they are working together to make Exchange Server and the iPhone mobile phone work well together. Apple will license Exchange ActiveSync for use on the iPhone, which will in Turn help assure the Exchange Server dominance in the marketplace stays they way it is. It's really as simple as that.
The fact is that Exchange is a pretty terrific server product for email, calendaring and a lot more. The iPhone is a pretty terrific mobile device. They don't integrate too terribly well today: You can sync your calendar and contacts via the USB connection to your computer, and you can get IMAP email from a properly-configured Exchange server (which works, but is not exactly optimal). But it's far from simple, far from seamless, and far from supportable in the enterprise.
One has to wonder what this means, either directly or indirectly, for the Windows Mobile world. I know the arguments: Different markets, different platforms, different purposes, etc. etc. etc... but with the iPhone SDK availability, that gap will be much narrower. And the fact of the matter is, Apple has the usability nailed with the iPhone. Sure, there's a few enhancements needed. But those are ones that can (and I'm certain will) be done.
ActiveSync will provide the ability (assuming Apple leverages all the features) to do push email, calendar and contact sync over the air, and task list sync.
Perhaps one of the more important potential benefits from ActiveSync integration with the iPhone is the ability to get enterprise-class security on the device, which to date is lacking and doesn't meet the needs or standards of most commercial IT departments. Exchange 2007 clients can be set up for enforced enterprise IT "policies" or controls, which would go a long way toward satisfying the security needs. In my mind, that's the biggest potential win. Without that, pushing email and syncing calendars and contacts is to risky an activity.
From Apple's press release come details of what they intend to provide - and it looks liek Cisco VPNs are in the package, as well:
Apple has licensed Exchange ActiveSync from Microsoft and is building it right into the iPhone, so that iPhone will connect out-of-the-box to Microsoft Exchange Servers 2003 and 2007 for secure over-the-air push email, contacts, calendars and global address lists. Built-in Exchange ActiveSync support also enables security features such as remote wipe, password policies and auto-discovery. The iPhone 2.0 software supports Cisco IPsec VPN to ensure the highest level of IP-based encryption available for transmission of sensitive corporate data, as well as the ability to authenticate using digital certificates or password-based, multi-factor authentication. The addition of WPA2 Enterprise with 802.1x authentication enables enterprise customers to deploy iPhone and iPod touch with the latest standards for protection of Wi-Fi networks.
The iPhone 2.0 software provides a configuration utility that allows IT administrators to easily and quickly set up many iPhones, including password policies, VPN setting, installing certificates, email server settings and more. Once the configuration is defined it can be easily and securely delivered via web link or email to the user. To install, all the user has to do is authenticate with a user ID or password, download the configuration and tap install. Once installed, the user will have access to all their corporate IT services.
Good move Apple. Good move Microsoft. Looking forward to this one!
Thursday, February 21, 2008
Looks like Vista SP1 for the 64-bit version of the OS is now available publicly on Windows Update. No sign of the 32-bit version yet, but I'm glad to get it for this particular computer.
Knowledge Base article KB936330 is available, as is the release-notes publication at TechNet.
Thursday, February 14, 2008
IBM Internet Security Systems' X-Force has released its annual report outlining the malicious software threat and trending landscape. In a nutshell, things are getting more complicated (landscape-wise) and the impact is becoming more technically complex. Read the report and you can directly glean as well as infer certain facts.
As malware becomes harder and harder to catch in real-time using currently-available technology (a trend that has become quite clear over the past year or more) and as the intent of the malicious software becomes more and more geared toward complete remote system control and access, the potential situation looks - I'll just say it - pretty darned bleak.
It's important to stay up-to-date if you're an IT or Security professional (or hard-core geek). Here are your links:
Quiz in the morning. :)
Wednesday, February 13, 2008
It's not like we didn't already know the malware (short for "malicious software") infection rate is increasing, but Google's security folks posted a technical paper and blog entry on Monday that illustrates the prevalence of "drive-by" malware distribution and just how big the problem has become.
“During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware” … “In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing.”
Add to that the fact that a significant and growing amount of newer malware recompiles itself into new forms each time it redistributes, making it virtually undetectable by current means, and the situation potentially becomes even scarier.
The technical paper is a very interesting read and explains some of the distribution techniques and designs. It also points out one piece of browser technology that has resurfaced to plague the security world many, many times: the iFrame.
The problem is most deeply rooted in China, where 67% of all malware distribution servers are located, and 64.4% of all landing sites (sites that point to a distribution site) are located. The next closest offending country is the United States, which accounts for about 15% of the distribution and landing sites. So, one can easily see where a significant portion of the problem lies. With the increases in business and trade taking place in China now, one has to worry about the future if computer systems are in such bad shape. Clearly, something needs to change.
If you're a security person, an IT server admin, work with web applications, develop web apps, or are for any reason interested in scary figures (such as the fact that "38.1% of the Apache servers and 39.9% of servers with PHP scripting support reported a version with security vulnerabilities."), read the report. It's worth the time you'll spend.
Tuesday, February 12, 2008
I somehow missed the release, but a little while back Microsoft released Windows Live OneCare v2.0, and in that release added support for 64-Bit Windows Vista. A few months ago (before OneCare v2) I had just bought a new laptop that came with the 64-bit Vista Ultimate edition pre-installed, and when I went to install the then-released version of OneCare, I was pretty disappointed that it would not work.
When I was in Costco the other day, I noticed a OneCare package on the shelf and picked it up to glance at the system requirements. Lo and behold, the packaging had changed and now indicated that 64-bit Vista was supported! When did they slip that in? I didn't see mention of it on the OneCare blog or anywhere else.
But hey, all I knew was it looked like I would be able to use it now, so I was looking forward to giving it a try.
Today I uninstalled my frustratingly cruddy other (to remain nameless) antivirus software and installed the OneCare suite. For about $40 a year I can protect three PCs and centrally manage two of them from the computer I designate as the "hub" machine. Nice.
OneCare v2 includes:
- Antivirus & Antispyware protection
- Online ID protection
- Bi-Directional Firewall
- Multi-PC management
- Printer sharing
- Data backup and restore capabilities
- Maintenance and cleanup tasks (defrag, clean up useless stuff, etc.)
It's an easy and quick install, and a good way to make sure you're protected. You can watch a product demo and download the free 90-day trial here.
On my Windows Vista Ultimate 64-bit laptop, one of today's many Microsoft patches keeps prompting to be installed over and over, even after it indicates it is successfully installed. The patch in question is related to Microsoft Knowledge Base article KB937287, and is a prerequisite to Vista SP1, which is set to be made available next month.
Update 937287 is a prerequisite package that contains updates to the Windows Vista installation software. The installation software is the component that handles the installation and the removal of software updates, language packs, optional Windows features, and service packs. Update 937287 is necessary to successfully install and to remove Windows Vista SP1 on all versions of Windows Vista. This update will be available on the Windows Update Web site soon after the release of update 935509 and before the release of Windows Vista SP1.
I ran the installation for all of today's patches which applied to my computer (twelve of them in total) and this one kept hanging around. Each time I restarted the computer, Windows Update again prompted me to start the installation. Confusing and frustrating after the fourth or fifth time, to be sure (reminds me of a joke about the definition of "insanity" heh).
I was able to resolve this problem by downloading the individual 64-bit patch from the Microsoft Downloads site and installing it manually. Note that the linked download location is for 64-bit Vista OS users only. Once I did that, the prompts stopped and it shows up in the installation list as successfully installed on the machine. In fact, the list now shows all of the installation attempts as successful, with a separate line for each try. Only the first try now shows "failed." Strange.
It's interesting that the KB article points out that this update will be required in order to install Vista SP1 via Windows Update when it is released, but not if you chose to download and install the service pack manually (as it will contain the fix). Extra interesting is that for this update I was unable to install it via Windows Update, but was successful with the manual install.
At any rate, there have been a flurry of posts on a variety of forums and other sites today where people were having this problem. Some people were recommending grabbing a leaked version of SP1 Refresh 2 via non-MS sites (read: not a good idea) and installing that, but for those who wish to wait and make sure they get what MS releases when they release it, this option is probably better for you.
If it works, drop a comment. Actually, be sure to comment if it doesn't work for you, too. :)
Updating from IE6 to IE7 is a considerably good thing to do, but IT pros need to plan for these things in some cases for compatibility and other reasons, so awareness is important.
If you're an IT shop using Windows Software Update Services (WSUS), be aware that today marks the date that Microsoft planned to start automatically delivering Internet Explorer 7 to desktop machines as an automatic update on WSUS systems. Computers on WSUS-managed computers that have IE6 installed will be updated, either automatically or upon administrative approval, depending on your configuration.
So, if you don't want your IE software updated today, it's important to check that your WSUS system is set up to require administrative approval before updates are pushed to the machines on your network (this is the default setting, but I've seen it changed in many cases for "convenience").
From the Microsoft Knowledge Base article (KB946202):
If you have configured WSUS to "auto-approve" Update Rollup packages (this is not the default configuration), Windows Internet Explorer 7 will be automatically approved for installation after February 12, 2008 and consequently, you may want to take the actions below to manage how and when this update is installed. You will need to take action if:
- You use WSUS to manage updates in your organization.
- You have Windows XP Service Pack 2 (SP2)-based computers or Windows Server 2003 Service Pack 1 (SP1)-based computers that have Internet Explorer 6 installed.
- You do not want to upgrade Internet Explorer 6 machines to Windows Internet Explorer 7 at this time.
- You have configured WSUS to auto-approve Update Rollups for installation.
- This does not apply to Windows Vista because Windows Internet Explorer 7 is a component of Windows Vista.
- The Internet Explorer Blocker Toolkit blocks only installation that occurs by using Windows Update and Automatic Update. The toolkit does not block distribution that occurs by using WSUS. This article concerns distribution that occurs by using WSUS. Internet Explorer 7 is already available in 23 languages by using Windows Update and Automatic Update. On February 12, 2008, Internet Explorer 7 will also be made available in Japanese by using Windows Update and Automatic Update
The KB article also includes instructions describing how to configure the WSUS server, if needed.
(reminded via Mary Jo Foley - All About Microsoft)
Monday, February 11, 2008
UPDATE: Want to be able to track a BlackBerry when it gets lost or stolen with a more robust online system? Check out GadgetTrak, available for GSM-based devices.
Got a Blackberry? Ever worried what you'd do if you lost it? Ever actually had to replace a lost one before? Lost or stolen, it's good to be able to find your handheld, especially if it has important data on it.
A couple years ago I was in Minnesota on a trip and went to play FrisbeeTM Golf with a friend. The course went through the woods and across a couple fields. When we got done, I realized my Blackberry phone was missing. Not good.
We used my friend's cell phone and started calling it. I got lucky that day. It was (thankfully) not on vibrate mode, and we eventually found it deep in the woods (where I had been forced to bushwhack in order to get to my flying disc). The battery was near dead.
Now it appears there's a better way. Berry Locator is a software program that will cause your Blackberry device to scream and flash - even when set on silent mode. When you lose your device (or if you can't find it in the house clutter) you just send it a specially-formed email and it wakes up and does its thing, letting you find it. Even better, if your BB has GPS capabilities, you send an email and it will reply via email with a map showing you the coordinate where the device is located. Plus, you can type text in the body of your email that will be displayed on the screen when it's activated, in case someone else finds (or otherwise has possession of) your Blackberry.
Combine that feature with a password, data encryption and the ability to nuke the device in a worst-case scenario (on a corporate BES system), and you're pretty good to go.
Cool capability, but it only works if you install it ahead of time. There's a free trial version, and when you decide to buy it, it's only five bucks.
Wednesday, January 30, 2008
Today came an announcement that represents a pretty big step in the identity space. Yahoo! announced they have rolled out beta support for OpenID v2.0 and that Yahoo! is now a provider of OpenIDs. In fact, anyone who has a Yahoo! account can quickly generate a Yahoo! or Flickr-branded OpenID to sign onto any web site that supports OpenID v2.0 for authentication. That's 248 million accounts at Yahoo! that can now potentially be leveraged across the Internet for sign-on.
OpenID is an important standard that came out of the open-source community, which will likely change the way we provide identifying information and gain access to secured web sites on the Internet. It allows its users to have a single identity that can be used across different sites on the Internet. It also allows users to have the proper level of control over how they identify themselves and who they want to trust with that process.
One significant key to success for OpenID as a standard is adoption by a set of trusted identity "providers" - or OpenID-issuing organizations that people are comfortable with when it comes to asserting their identity information. With Yahoo! a large number of regular, everyday people can use their existing accounts to perform OpenID logins on any site supporting the standard. In the future, the hope is that other consumer-trusted providers will see the value of brand recognition that goes along with being the OpenID provider for consumers. Yahoo has me as an OpenID client now, which means every time I log onto an OpenID-enabled site and use that ID, I am by default thinking on some level about Yahoo! -- Pretty smart. It's time for banks, other financial service providers, and similar industries to seriously start thinking this one through. It's coming, and now is the time to be on the bandwagon.
Where can you use your OpenID to log in? Lots of places. There's a list of web sites over at myopenid.com, a service provided by Portland company JanRain. The people at JanRain have created some great software and services around the OpenID standard that businesses can use to leverage OpenID, and that enable social networks around the standard. It's pretty cool stuff.
Here's some basic information about OpenID from the Yahoo! OpenID provider site:
What is OpenID?
In a nutshell, the OpenID technology makes life simpler by having only one username and password to remember.
Once you have enabled your Yahoo! account for OpenID access, you only need to remember your Yahoo! ID and password to use hundreds of websites... So bid farewell to password spreadsheets and stickies all over your desk!
When you are on a web site that supports OpenID login, simply look for a Yahoo! login button. Or if you see a text box with an OpenID icon, simply type in "yahoo.com". You will be sent to Yahoo! to verify your Yahoo! ID and password, and then you will be able to continue on.
You can find out even more at openid.net (the OpenID Foundation), and it's worth pointing out that you can also get an OpenID from a slew of other organizations - after all, it's all about making it your choice. The OpenID foundation keeps a list of providers on its wiki and at this link.
Tuesday, November 06, 2007
People just don't think, research or plug in their brains a lot of the time before
Such was the case the other day over at Kim Cameron's Identity Weblog, which was defaced recently via a vulnerability in the blog application software used to drive the site. Kim is a Microsoft employee and is their Identity Architect. So, he's in a public-facing security role at the company.
As Kim points out, people came out of the woodwork in the comments on a very brief ZDNet article to slam Microsoft, it's applications, the fact that the site was hacked, etc. What they did not realize, even after it was pointed out to them a few times by others, is that the site runs on a BAMP architecture (similar to LAMP, but in this case it's BSD Unix, Apache, mySQL and PHP).
Kim's site runs 100% on non-Microsoft products. The vitriolic commenters on the ZDNet site slammed Microsoft technologies where none exist, and exuded the virtues of using - for example - Linux, Apache, mySQL and PHP -- the very platform that they did not take the time to discover (or even ask) had just been victimized.
You know what they say about assuming things? Yeah.
Security threats are real and exist on all platforms equally, not just IIS and Windows, not just in Windows applications. Bad programmers are bad programmers, and even when well-programmed, new threats arise all the time and need to be remediated once known. There's nothing about that fact that's Microsoft-specific, and to assume such is irresponsible.
I like and respect Kim, and the work he has done is excellent. His evangelism of the need for better forms of identification, authentication and credentialing has been invaluable, and his emphasis on the broad-spectrum community, not just Microsoft, is the right way to address the issues that cross all platforms and application types.
I have seen this non-thinking, just-fire-off-at-the-mouth, *nix-fixes-everything mentality backfire on people before, to great cost. Any system administrator who thinks running anything other than Windows solves their security problems or obviates the need to test, patch, review and maintain has his or her head stuck so far in the sand we have to strain to see their backside. Thinking and reasoning is what makes people special and unique. Take the time to know the facts, understand the circumstances, and reason based in reality.
Facts: Problems exist everywhere - Windows, Linux, OSX, PHP, ASP.NET, you name it. More often than being caused by an underlying platform issue, most security vulnerabilities and exploits are the result of programming errors, a lack of defensive programming style, and poor test coverage. I've managed enough software development with a specific focus on security of the applications to know you can create a completely locked down platform on any of the options available, whether Linux or Windows or other. But if you don't have a solid application, you're screwed. It's a lot like buying a great alarm system with laser detectors in the ceiling, trip wires on the roof, foot-think ceilings of concrete to prevent break-through, glass break sensors on explosive- and projectile-proof glass ... and leaving the front door standing open.
Kudos to Kim for keeping his cool personality in the face of all this and, as always, providing a measured and reasoned response. As he says, "There’s a lot of ideology to get past in teaching people about security." So true.
Tuesday, October 16, 2007
Adam Shostack of Microsoft takes a critical look at threat modeling and changes to TM processes in a short series of posts on the MSDN Security Development Lifecycle (SDL) blog. It's a good read, especially when aligned with Larry Osterman's recent writings (which I mentioned recently) and those of others. If you're not a reader of the SDL blog and you're a security person or developer, I recommend it highly, by the way.
"In this first post of a series on threat modeling, I’m going to talk a lot about problems we had in the past. In the next posts, I’ll talk about what the process looks like today, and why we’ve made the changes we’ve made. I want to be really clear that I’m not critiquing the people who have been threat modeling, or their work. A lot of people have put a tremendous amount of work in, and gotten some good results. There are all sorts of issues that our customers will never experience because of that work. I am critiquing the processes, saying we can do better, in places we are doing better, and I intend to ensure we continue to do better."
Here's quick links to the blog articles by Adam. Those interested in secure development need to know and use a threat modeling process, and a critical view of said processes is important, so it's good to see this healthy example:
(also via Michael Howard's blog, which is a must-read security resource, too)
Tuesday, October 02, 2007
I've worked in the financial services software industry for years. For the last couple years I ran the security division of a major online-banking software and services provider. Security is paramount in that market. The responsibility that goes along with the role is huge, but it's a responsibility that's shared by everyone involved. Taking security seriously can't be something that happens after the work is done, and it can't just happen at some milestone point in a project. It needs to be an ingrained principle, part of the way things are done from beginning to end.
Threat modeling, loosely-described, is a design process by which you examine your software application design through the eyes of the bad guys, in order to determine what your design needs to take into consideration and how it should be built to protect against malicious threats. From the design phase you take your documented threat model into development and use it as a living document throughout the development lifecycle. Or at least that's how we did it.
Larry Osterman, who's worked at Microsoft pretty much forever, is a pro when it comes to threat modeling and secure coding. I haven't ever met Larry, but I've read his thoughts on the topic and they're solid. He's written before a couple times about this, and more recently (over the past month) he wrote and posted a series of excellent articles on his blog about threat modeling at Microsoft in the Windows division. If you're into this sort of thing, as I am, it's also very interesting to look back at his articles from the earlier years and to compare how they do things today. They've matured quite a bit.
I'll leave the narrative and examples to Larry, but let me add this by way of punctuation: Threat modeling takes some time and effort, but understand that security is a critical component of quality. Reputations (and therefore businesses) depend on it. It takes a very intentional process to properly understand the landscape and to look at all the threats and vectors of attack. It's not easy for people to shift gears. Most developers spend all their time thinking in terms of getting software to function according to customer requirements. Just as important is making sure it won't do what the bad guys want it to do. So, if you're ready to argue that you don't have time to do threat modeling, I have a solid argument (several of them really, which are backed up by real-world proof) that you can't afford not to. Threat modeling is risk management for the software industry.
And then there's the very-real side benefit of threat modeling. When your designers and developers sit down before building the product and really start to think about all aspects of quality in a formal, documented manner, you don't just get security improvements. They'll be seeing and thinking about general product improvements that you just won't get otherwise. I can't tell you how many times someone has come to me during a threat modeling process with a look of glee in their eyes, excited to tell me "hey this threat modeling stuff is pretty cool, and we even came up with some other stuff that isn't strictly security-related but will make it a much better product. I'm glad we did this."
The rule of the game is strategic thought, proper defense, quality first, and better software done faster that costs less. And it can happen if you let it.
If you're a software developer, tester or product manger and you don't know what threat modeling is and how it works, you're missing out on something that really should be required in this day and age. So here is what you should do:
Be a leader and implement what you learn.
- Read Larry's articles, they're quite good.
- Buy three books (you'll notice Michael Howard is an author on them all):
Monday, August 27, 2007
This one should be interesting to watch. There's a new blog at Microsoft's MSDN blogs system called hackers @ microsoft (http://blogs.msdn.com/hackers/), and the first (introductory) post is up. I hope to see some interesting security and general information here. Might be a good source of some useful insight. There are many things Microsoft is doing right these days, security-wise. More on that in another post some other time.
From the opening post on hackers @ microsoft:
"Welcome to a new blog from Microsoft. The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com. Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work on all kinds of projects, whether it be in development, research, testing, management and of course security ... So yes, Microsoft does have hackers, and its time to introduce you to some of them and show you what it is, exactly that they do."
Tuesday, August 14, 2007
I just ran across Microsoft.com's strong password checker, which is a little web-based app that lets you type a password or passphrase in and it tells you the relative strength. It's pretty nice and worth bookmarking.
Why are strong passwords important? Simple - because the simpler it is, the easier it is for someone to "brute-force" attack. That's a term that means they take a program that uses common terms, words and phrases to try to figure out your password by trying it over and over until it works. Strong passwords are complex in the variety of character types, are longer in size and don't use dictionary or other predictable, common terms.
Wednesday, August 01, 2007
Monday, July 30, 2007
Ouch, this news is a few days old but I am just catching up on security reading and ran across this one. The securityevaluators.com guys have found some real issues with the iPhone's security and have been able to exploit it. The New York Times and others have covered this recently. Seems much of the iPhone application library runs as admin/root. The overall design of the iPhone seems to rely in large part on preventing apps from running, rather than creating a robust security environment. But leverage browser vulnerabilities or similar issues on a hacked wireless network or Internet web site and it can get very interesting very quickly.
From the executive summary in the findings document:
To demonstrate these security weaknesses, we created an exploit for the Safari browser on the iPhone. We used an unmodified iPhone to surf to a malicious HTML document that we created. When this page was viewed, the payload of the exploit forced the iPhone to make an outbound connection to a server we controlled. The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection. All of this data was collected automatically and surreptitiously. After examination of the file system, it is clear that other personal data such as passwords, emails, and browsing history could be obtained from the device. We only retrieved some of the personal data but could just as easily have retrieved any information off the device.
Additionally, we wrote a second exploit that performs physical actions on the phone. When we viewed a second HTML page in our iPhone, it ran the second exploit payload which forced it to make a system sound and vibrate the phone for a second. Alternatively, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio (as a bugging device) and transmitted it over the network for later collection by a malicious party.
This is the sort of thing I was afraid of when I wrote about the potential for iPhone security and use in the enterprise. Security vulnerabilities are not just about the Windows platform, after all. Here's a mobile platform, effectively in v1, and it has flaws that can be readily exploited. Hopefully Apple will be able to get some patches ready and out before the these evaluators release the details the evening of August 2nd at the Black Hat conference, which is where the researchers - who have already provided Apple with the full details so they can create and distribute a fix - will be presenting their discoveries.
Monday, July 09, 2007
One of the cool new features in Windows Server 2008 (which is currently available in beta) is Network Access Protection. This feature allows network admins to set up comprehensive network controls to allow access only to the proper computers and users, and based on a set of "health" criteria determined by the admin. For example, let's say you want to require antivirus software to be up to date and patches installed before allowing a VPN connection to the LAN. NAP lets you do that. Wireless and wired networks can be significantly enhanced for local and remote access. It's the next wave of access management and control, and any IT network admin needs to get familiar. This is leaps and bounds above the "NAP-lite" capabilities from Server 2003.
This podcast interview with Jeff Sigman covers the subject well, and give you a quick preview into what the capabilities are. Listen, download the beta and give it a try.
RunAs Radio Show #13 | 7/4/2007 (34 minutes)
Jeff Sigman Gives Us Network Access Protection
The final installment of interviews from Microsoft Tech Ed US 2007 in Orlando, Richard and Greg talk to Jeff Sigman, the Release Manager for Network Access Protection (NAP). Jeff digs into exactly what NAP is all about, how it interact with Windows Server 2008, Vista and Windows XP.
Links: RunAs Radio web site and RSS feed
As always, we welcome your input and ideas for the show - Just email firstname.lastname@example.org and let us know what's on your mind! We might even read your email on the air, and we are always interested to know what you would like to hear more about as we book our guests.
Thursday, June 28, 2007
Identity and Access Management (often referred to by identity geeks as IAM) is a field I have come to know and love. There's been a resurgence in the past few years in this space, brought on by a number of builders of critical mass. One of those drivers, in the financial services industry, was some "guidance" issued by the FFIEC (United States federal government agency that regulates banks) in 2005 that requires banks to use stronger authentication for online banking services (better than just user name and password). In addition, the general discomfort across all industries that use the Internet as a true platform for doing business has become a motivator, especially in the wake of multiple news cycles about fraud and data theft. In a nutshell, The Internet is a technology platform that is being used for something it was not originally architected to do, and as a result there are some critical gaps from a technology perspective - especially in the area of security. Many defensive "point" solutions have been cobbled together over the years to plug holes in the metaphorical levee, but at some point you have to start thinking about either building some serious reinforcements or - quite possibly - building a whole new dam to serve the needs.
Over the past couple years the open source community, Microsoft, and a number of other companies large and small have embarked on a bit of a shared crusade (and a good one, at that) to first redefine and then re-architect identity on the Internet, how it works and what the principles are that guide and drive Identity going forward. It's been a rare and refreshing community effort, and as a result we are starting to see some real-world traction in markets like financial services; Interest is growing outside the circle of academics and programmers that are implementing the new systems. Interoperability is being seen as critical and that's likely the one things that will drive success. And while we can design a great system that can solve all the world's ills, adoption is the second-to-final gauge of success in this case (longevity and strength are the final-final determining factor, but we can't truly get there without meaningful and across-the-industry adoption).
One of the architects of this whole concept in redefining and improving Identity on the Internet is Kim Cameron. He writes the Identity Blog (worth a subscription if you're not already there) and was the publishing author of his "Laws of Identity," or what he refers to as "the missing layer of the Internet." I had the good fortune to play host to Kim and his compadre, Rich Turner (both work for Microsoft) when they spoke at a security conference I hosted a couple months ago. They discussed identity in general as well as CardSpace, Microsoft's effort in the larger community effort to add this missing layer to the Internet schema.
Richard Turner is the Product Manager for Microsoft's Identity Platform Developer Marketing group and owns Windows CardSpace Product Management there. While at the Microsoft TechEd conference in Orlando a few weeks back, I found him and pulled him aside for about 45 minutes to chat with Richard Campbell and me for the RunAs radio show we do each week. You can hear the interview here:
RunAs Radio Show #12 | 6/27/2007 (47 minutes)
Richard Turner Checks Our Identity
Another Tech Ed US 2007 interview from Orlando, Richard and Greg sit down with Richard Turner and discuss how CardSpace impacts the IT professional. CardSpace (formerly code-named "InfoCard") is a key technology in Microsoft's Identity Platform.
Links: RunAs Radio web site and RSS feed
As always, we welcome your input and ideas for the show - Just email email@example.com and let us know what's on your mind! We might even read your email on the air, and we are always interested to know what you would like to hear more about as we book our guests.
Monday, June 25, 2007
In my line of work, we spend a lot of our time writing software that catches bad guys and keeps them out of systems that require protection. So, in the course of building good security and forensics software I often work closely with partner companies that bring something valuable to the table - technology that we might include or integrate with but would not build ourselves. One of the technology areas that adds value to what we do is the business of Internet Protocol (IP) address intelligence and geolocation. The ability to glean a variety of valuable information about any given IP address or block provides the opportunity for both intelligent and - if the partner does their job well - reliable decision making, in a manner not otherwise possible. Imagine your application being able to present information or make decisions based on the actual physical location of a user, or base don the type of connection they are making. In the case of the software I've been involved with creating, IP intelligence is a key capability that helps to enhance the products.
So, for last week's RunAs Radio interview, we sat down with an expert in the field, Bill Varga, who works for a company out of Mountain View, California called Quova - one of the partners I have worked with for a few years now. They do IP geolocation and IP intelligence - and that's their business. They're focused on that market and they're very good at it. IP intelligence is a world that is growing quickly and always generates ideas and thought when brought up for discussion. The applications of IP-related metadata are many, and Bill effectively describes them in our interview. He also discusses some of the new things Quova is doing in the field.
RunAs Radio Show #11 | 6/20/2007 (38 minutes)
Bill Varga Makes Us IP Intelligent
Richard and Greg talk to Bill Varga about what IP (that's Internet Protocol) Intelligence is all about. They also dig into how IP geolocation helps with regulatory compliance and fraud detection. Bill also talks about the new technology Quova (his employer) has developed that can deal with geolocation of satellite and megaproxy IP addresses.
Links: RunAs Radio web site and RSS feed
We welcome your input and ideas for the show - Just email firstname.lastname@example.org and let us know what's on your mind! We might even read your email on the air, and we are always interested to know what you would like to hear about as we book our guests.
Saturday, June 23, 2007
eWeek has a good summary in their article "Analysts: iPhone Has Neither Security nor Relevance" with a number of links to other resources of the likely security problems introduced by (of not in - we'll see) the iPhone. Certainly the iPhone is not the only device where we have to worry about these types of problems, but let's face it: iPods and other mass storage devices are already too loosely allowed at many companies and organizations, and the hype surrounding the iPhone and the potential excitement of iPod owners can cloud judgement. Read Andrew Storm's article on the topic.
In contrast, Blackberry's enterprise services are well-secured and provide a whole slew of workable and effective controls that the iPhone can't even begin to match up with. In a nutshell, the iPhone is a consumer device that probably doesn't belong in the enterprise - at least not in it's first version. Gartner plans to recommend businesses keep the iPhone out of the enterprise.
Also - sounds like typing on the on-screen keyboard is an index-finger exercise, not for thumb typers. So again, not so much an enterprise device. But we'll see all this stuff for ourselves in just a few days. The iPhone debuts on June 29th.
Note: I think the iPhone is a cool looking device and probably a great consumer item. I'm not knocking the device for consumers, just pointing out it's not appropriate for use in the enterprise. So before anyone starts with "iPhone/Apple-Hater" rhetoric, you can just stop. :)
Thursday, June 14, 2007
The FBI is contacting more than one million computer owners and operators whose computers have been victimized and taken over by fraudsters and other criminals who have installed "bots" which they then use to launch distributed criminal computer attacks and fraud scams.
“The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” said FBI Assistant Director for the Cyber Division James Finch. “An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.”
So, if the FBI calls you might want to cooperate. But - exercise some common sense and a little caution: if you get a call or contact, be sure to confirm it's actually the FBI. The classic technique used by scammers is to take commonly used communication methods and closely mirror or duplicate them in order to make you think you're providing sensitive data to a legitimate business or agency, when in fact it's the bad guy in disguise. So verify, verify, verify.
The FBI press release is here. Snipped from the press release, an important warning about being wary of potential malicious information requests:
"The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov."
RunAs Radio Show Number Ten is now online. While at Tech Ed US 2007 in Orlando last week, we sat down to chat with Isaac Roybal for the RunAs audio podcast, a Microsoft Product Manager on the Windows Server team working on the next version of Internet Information Services - IIS7.
Put simply, IIS7 includes a large number of significant improvements and enhancements for both developers and for the IT pros and hosting providers that have to implement, support, secure and maintain the servers. Tons of great information and interaction around IIS7 is available at the new community web site, IIS.NET. Many of the improvements and changes to IIS are listed on that site, as well. You can download Windows Server Beta 3 and go live with IIS7 now, and Microsoft has a program for doing so. If nothing else, you should be starting your lab work so you can plan, get familiar and see what the future of IIS holds.
RunAs Radio Show #10 | 6/13/2007 (41 minutes)
Isaac Roybal Shows Us IIS7
Isaac Roybal is a Product Manager on the Windows Server team who is deeply involved in Web Workload, especially IIS 7. Isaac digs into the details of the new management features in IIS 7, now available as part of Windows Server 2008 Beta 3. His responsibilities cover all things Web related with Windows Server and has been involved with IT for over ten years. Five of those years have been with Microsoft.
Links: RunAs Radio web site and RSS feed
We welcome your input and ideas for the show - Just email email@example.com and let us know what's on your mind! We might even read your email on the air, and we are always interested to know what you would like to hear about as we book our guests.
Wednesday, June 06, 2007
Catching up on announcing a few new RunAs RunAs Radio shows that I've neglected to mention here over the past couple weeks. We publish a new episode each and every Wednesday. The show has been live since mid-April and it's been pleasantly surprising to see how quickly it's taken off!
Anyhow - RunAs Radio Shows 7, 8 and 9 are now online. Discussions in these shows include disk and file encryption and the TrueCrypt open source software, Public Key Infrastructure (PKI) and what it means to you as an IT professional, and Microsoft Operations Manager (MOM) 2007, a great tool for managing and monitoring your enterprise, whether small or large.
Links: RunAs Radio web site and RSS feed
We always welcome your input and ideas for the show - Just email firstname.lastname@example.org and let us know what's on your mind! We might even read (and answer) your email "on the air," and we are always interested to know what you would like to hear about as we book our guests.
Monday, June 04, 2007
I just arrived in Florida this evening for TechEd, so I am catching up on some news, and found this at BetaNews.com. It's good news in the "let's make effective security easier and better" category:
At TechEd 2007 this morning, Microsoft's senior vice president Bob Muglia generated the biggest applause of the day (not related to the Christopher Lloyd cameo) by announcing the new Server Core installation option in the forthcoming Windows Server 2008 will have as one of its ready-made "roles" the ability to rapidly appropriate Internet Information Services in a command-line-only environment.
The Server Core option allows you to run Windows Server without all the fancy Windows stuff - I other words, it's truly bare-bones and includes only what you really need.
UPDATE: On the TechEd floor today I learned that the "server core" implementation of IIS7 won't support ASP.NET applications - just HTML and ASP type stuff. Hopefully ASP.NET will be an option in the future.
From Microsoft, here is a description of the concepts behind the Server Core installation option:
The Server Core installation option of the Microsoft Windows Server 2008 operating system is a new option for installing Windows Server 2008. A Server Core installation provides a minimal environment for running specific server roles that reduces the maintenance and management requirements and the attack surface for those server roles.
The Server Core installation option of Windows Server 2008 provides the following benefits:
- Reduced maintenance - Because a Server Core installation installs only what is required to have a manageable DHCP, File, Print, DNS, Media Services, AD LDS, or Active Directory server, less maintenance is required.
- Reduced attack surface - Because Server Core installations are minimal, fewer services and applications run on the server, thereby decreasing the attack surface.
- Reduced management - Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
- Less disk space required - A Server Core installation only requires about 1 gigabyte (GB) of disk space to install and approximately 2 GB for operations after the installation.
You can keep up to date with the Server Core team's efforts on their blog, and participate in the Server Core TechNet forum.
Reference Link: TechEd 2007: IIS7 to Become Seventh Server Core Role
Wednesday, May 02, 2007
RunAs Radio Show Number Four is now online. Richard and I speak with Simon Goldstein, who (it just so happens) works with me and is a good friend. Simon has a depth of knowledge and expertise that sets him apart in the areas of risk management, compliance and a variety of other topics. In this interview we discussed the compliance and security world and how it applies to practical IT. Simon distills a lot of broad topics down into the nuts and bolts, so pretty much anyone can understand how compliance works and why it's important:
RunAs Radio Show #4 | 5/2/2007 (44 minutes)
Simon Goldstein on Compliance
Simon Goldstein talks to Richard and Greg about making sense out of compliance with rules and regulations around Information Technology.
Links: RunAs Radio web site and RSS feed
We welcome your input and ideas - Just email email@example.com and let us know what's on your mind! We are always looking to know what you would like to hear about as we book our guests.
Thursday, April 26, 2007
I'm playing host in mid-May at my company's annual Security Summit, and thought you might be interested. It's geared toward people who have technical and operational security as a part of what they are charged with professionally, and the sessions will have a financial services slant. There are a couple days left to sign up, so if you might be interested then either act quickly or let me know of any questions. We'd be glad to have security professionals attending.
Among the activities and sessions, we will be talking ISO 27001 certification and standards, hacking and investigating violated web servers in order to see both sides of the game, practical exercises around dealing with security incidents, sessions on identity management and CardSpace (Kim Cameron from Microsoft will keynote), Mobile banking and related security, and much more. Plus some great fun activities in the area.
The summit itself is free-of-charge for participants. You just pick up the cost of travel and hotel. An agenda is located here that also includes hotel information (the conference hotel block expires on Friday this week), and of course I am glad to answer any questions.
We already have a great list of attendees and participants, so if it's also of interest to you I hope you'll check it out!
Wednesday, April 25, 2007
So, Carl let us know this morning that in the first two weeks of RunAs Radio, there have been 13,588 downloads - a figure that pleasantly surprised me - Pretty exciting!
And we're keeping at it: RusAs Radio Show Number Three is now online. Richard and I spoke with Dana Epp of Scorpion Software about CardSpace and the future of access management and authentication:
RunAs Radio Show #3 | 4/22/2007 (35 minutes)
Dana Epp talks CardSpace on the Client-Side
Richard and Greg speak to Microsoft Security MVP Dana Epp about Microsoft's CardSpace initiative for secure authentication. They hint at another show focusing on the server side.
Links: RunAs Radio web site and RSS feed
We welcome your input and ideas - Just email firstname.lastname@example.org and let us know what's on your mind! We have a couple good shows coming up in the next weeks, and are always wanting to know what you would like to hear about as we book our guests.
Sunday, February 04, 2007
If you happen to be at the RSA security conference in San Francisco this week, get in touch and hopefully we can meet up sometime. I'm here through Thursday doing a bunch of media briefings and whatnot (for work) and (whenever I can) attending sessions. My cell number is in the right sidebar, or email me (greg-greghughes-dot-net).
Friday, February 02, 2007
Bad guys are not stupid. What the lack in morals they sometimes make up for in creativity and smarts. That's why they can be so dangerous. Think like a bad guy: If you wanted to find a way to take advantage of a large public event in order to gain fraudulent access to thousands (or more) individual computers so you could install keystroke logging software and trojan software to allow you to grow your rogue bot network, what would you do?
Well if it was today, maybe you'd think to yourself, "Hey the Superbowl is this weekend. Let's set up a fake site and trick people into going there with an email and screw 'em all over."
Or, if you were smarter, you'd just take over the server that houses the site for Dolphins Stadium.
If this doesn't tell you why you should be focused on security, then what does?
The news item is here, and an advisory with a description is here.
The official Web site of Dolphin Stadium, home of Sunday’s Super Bowl XLI, has been hacked and seeded with exploit code targeting two known Windows security flaws.
A visitor to the site with an unpatched Windows machine will connect to a remote server registered to a nameserver in China and download a Trojan keylogger/backdoor that gives the attacker “full access to the compromised computer,” Hubbard said.
Oy. What's it gonna take??
Monday, January 15, 2007
I recently moved the greghughes.net domain (web site, mail and everything else) to a godaddy.com virtual dedicated server. In doing so, I lost the anti-spam services that were previously provided by my old web host. Needless to say, the resulting load of spam was fairly overwhelming. My prior host had an appliance out front that caught the better part of the junk email headed for my email server, but a fair amount still got through. At any rate, the move and resulting lack of junk mail protection necessitated a thoughtful look at the options out there.
My criteria were as follows:
- Needs to be software I can run myself. I've had my fun (yeah, that's sarcasm) with expensive services that are not overly effective. Complicated billing, archaic payment systems (invoices without a dollar amount? what?) and a couple hundred bucks or more a year was not for me.
- Preferably open-source. Nothing solves problems that plague the community like the members of the community, so I figured there must be something out there that the afflicted masses build and maintain.
- It had to stop spam, not just identify and tag it. My email server (MailEnable) is already capable of detecting and "flagging" emails as spam, but that doesn't stop it from getting to my mail server in the first place. The goal was to prevent, not react. So I was looking for a gateway-like solution - something that receives all the inbound email, checks it, and forwards on only the good stuff.
- It needs to learn how to act. Static rules don't work. We see it in the fraud world, and it certainly applies to spam battles, as well. The system has to be able to learn and adapt and operate in the context of my email accounts.
- It needs to be kept current. An open source project that no one has worked on for six months or more is likely a dead project, and that won't get you anywhere in a world where the landscape changes constantly. Spammers change tactics a lot, and the tools to prevent spam have to evolve to keep pace.
I did a bit of research, and frankly I came up with very little that met all my criteria. Sure, there are a whole slew of commercial products out there, but as I said before, I was looking for open source and free (or very close to it). I'm not looking to buy.
The one thing I found that truly seemed to fit the bill was ASSP, which stands for Anti-Spam SMTP Proxy. It's an open source, Perl-based gateway application that you can run on any operating system that supports the Perl interpreted language (which is pretty much all of them). It requires Perl v5.8 and a specific set of Perl modules, and it can be run as a daemon/service. ASSP has been updated about every two months in the recent past, with the most recent update having been in December (as of the time of this writing).
"The ASSP server project is an Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam."
I quickly downloaded the ASSP files, installed the necessary Perl modules and was on my way. I had the ASSP service up and running within just about 15 or 20 minutes. Note that to get the app to run as a service, you will need to manually edit the config file and set the flag in there to specify that you want to run it as a service, or else the only way you'll be able to get it to start is on the command line. Alternatively, you can start ASSP from the command line, access the web admin interface, and change the setting there. Once you do so, you'll be able to start the Windows service or run the daemon in Linux or whatever OS you're working with.
The first thing I did after getting the service set up was to access the web administrative interface and change the default admin password. Do that first. Please. Then I put all of the anti-spam options into "training" mode and I specified a few of the basic server settings (like my domain and email account). I set it up to accept all inbound connections for email (SMTP) from the Internet on port 25, and to forward all emails that are determined not to be spam to the MailEnable server on another (unused) port. Since the MailEnable SMTP server is on the same host, the configuration and security setup was pretty simple. Of course, I them spent some considerable time looking through the many, many settings available. It's cool stuff, but you don't have to tackle it all right up front.
It's worth mentioning here that the ASSP wiki has a lot of good information about setting you system up. Be sure to refer to that resource. If you do, you can be up and running in no time. If you don't, you might just wish you had. Remember, always read the freakin' manual before you ask questions. Heh.
The training mode actually results in all email being delivered (not blocked), but it adds some header information to the email which you can read if you like in order to determine whether or not the ASSP system is flagging it as spam. I actually set up my Thunderbird client with a rule to look for the ASSP header and if the spam flag was true, to move the email off to another folder.
What you are supposed to do during this training period is to categorize the good and bad email, and in doing so tell the ASSP service how to treat the email it sees coming in. I used the email interface for submitting spam and good mail to ASSP for about a week before I turned training mode off. Reporting is very easy. I specified two email aliases in the ASSP system, such as email@example.com and firstname.lastname@example.org (those are not the actual addresses of course) and on a regular basis forwarded groups of email back to the ASSP service that fit into each category. In fact, I even went back into my archive of valid email from before installing ASSP and forwarded a bunch of it to the system, so it could quickly learn what valid email looks like in my world. Your learning period will probably be about a week or so, or however long it takes you to gather 400 or more spam emails along with some some good, valid email.
Once you've provided the system with a corpus of good and bad email, you run a little Perl script on the server to update the Bayesian spam detection database, which is the adaptive learning part of the system. I did this a few times - about daily - throughout the first week. With each update the system got smarter and smarter. Once spam email was being very effectively categorized by ASSP, I switched the system from learning mode into normal operating mode and also configured ASSP to forward a copy of all spam emails it receives to a separate email account (say something like email@example.com). In doing so I have created a place for the system to provide me with all the spam email so that I can continue to peruse it when I feel like it in order to make sure nothing gets trapped in there as a false positive. But my main email account is spam-free. Initially I found a few valid emails were ending up being categorized as spam, but all I had to do was to forward those to the email error reporting interface mentioned above and then rebuild the database, and now for the past few days I have seen zero false positives. I intend to continue to check that account now and then, just to ensure I don't miss any critical email. It's a quick and easy process, especially since all the spam that is blocked by the system as a result of coming from known spammer sources (RBL lists) never even makes it into the system. So, I'm just weeding through the small remainder of the stuff that the system analyzes and weeds out in the second phase of its analysis.
Here is what the service has done for my email account since I turned it on about 12 days ago:
General Runtime Information
ASSP Proxy Uptime:
2297 (187.8 per day)
Non-Local Mail Blocked (percentage of email that is spam):
That's 288 valid emails and 2009 blocked as spam. As I said at the beginning, a bit overwhelming for only one email account in the mix, and obviously quite necessary to do something about it.
I still need to do some small amount of work to make sure the service stays up and running from a high-availability standpoint, and in fact I have that minor issue with not only the ASSP service but also a couple other email services and even the IIS service. Resource constraints seem to play havoc now and then on my virtual server, but I think I have managed to get a handle on that.
For anyone that's looking to put an anti-spam proxy in place for your own mail server, I most definitely recommend checking out ASSP and giving it a try. Download it here (use the most recent stable version). Or check out the ASSP Wiki, which contains documentation, the FAQ, and everything else you can think of. A high-level list of features can also be found on the ASSP home page at SourceForge.
Sunday, January 07, 2007
In May, the National Security Agency (yes, that one) published a guide in PDF form (818KB PDF file) called "The 60 Minute Network Security Guide - First Steps Towards a Secure Network Environment."
It's good stuff. Sure, it's not a 100% guide to everything you need to know and do, but it covers the bases quite well. Some have balked at the complex password and rotation requirements and made the requisite "that won't work in the real world" noise, but those of us who actually do operate in the real world know it can be done and that 90 days is a bad number (it's too long IMO, and lacks usability - it should be either 84 or 42 days). Sure, a few people will complain (it's human nature and it takes all kinds), but the vast majority are more than happy to do their part. Don't let the vocal few chase you away from what is proven over and over to be right.
There are always good and effective ways to accomplish goal while meeting requirements: For example, the use of passphrases instead of regular passwords makes complex, long passwords a cinch, and all it takes is about 5 minutes of user education to show people how well it can work (use your all-hands meetings and you'll be amazed what you'll get accomplished in a short period).
Read the guide, use it, and you'll be better off. A variety of other security configuration guides from the NSA can be found here. There are more than 80 guides covering server and client operating systems, network infrastructure, database platforms, and more.
Saturday, December 30, 2006
MS has released v6 of it's Remote Desktop Connection client.
Remote Desktop Connection (Terminal Services Client 6.0) provides a way to use any new Terminal Services features introduced in Microsoft Windows Vista and Microsoft Windows Server Code Name “Longhorn” from a computer running Microsoft Windows XP with Service Pack 2 or Microsoft Windows Server 2003 with Service Pack 1.
The features in this release are really about Vista and Longhorn server for the most part. But, one feature that works in XP while connecting to Windows Server 2003 (and I was prompted to do this by default after upgrading, by the way) is the option to provide the username and password in the client before logging on, and the option to save that information so you don't have to re-enter it each time (not sure I like that specific idea for security purposes, but it has its place, and there are several security enhancements when connecting to Vista and Longhorn server).
Download it from Microsoft here. Read the KB article here (which includes links to versions for OSes other than 32-bit XP, as well).
Thursday, October 05, 2006
Well, honestly, it's about time.
Bloggers are all over the story, and are espousing a variety of opinions, but I have wondered for years when Microsoft would finally crack down on software thieves and simply not allow their software to run unless it was legitimately licensed. I'm responsible for cutting a big check each year to Microsoft to pay for the software we use at the company I work at. It costs me more, in effect, because others are taking without paying.
So, Windows Vista will detect piracy and take action. In Microsoft's words:
"Collectively termed the Microsoft Software Protection Platform, the new technologies will introduce improvements in how Microsoft software activates, is validated online and behaves when tampering or hacking is detected."
Thinking about this from a security guy's perspective, one thing bothers me: Turning off the anti-malware capabilities on unlicensed copies? Are you kidding me? That means the rest of the world falls victim to everyone out there that's running pirated Windows? Please, please, please change this one - Microsoft might be a victim, but no need to invite the rest of the world into that club. And it looks like Richi Jennings agrees with me on that one. That's just poor prioritization. Hopefully someone will rethink the approach in that specific area...
Elsewhere, Ed Bott at ZDNet has written a very good piece describing the changes and his thoughts on the matter. He has some important point, ones that Microsoft should make sure they have thought completely through and have a plan for - especially where it comes to Volume License customers. Those are the people you don't want to aggravate, for sure.
Among Bott's comments:
Microsoft denies that this is a "kill switch" for Windows Vista, even giving it a separate question and answer in its mock interview announcing the program. Technically, they're right, I suppose. Switching a PC into a degraded functionality where all you can do is browse the Internet doesn't kill it; but it's arguably a near-death experience. The accompanying white paper describes the experience in more detail:
By choosing "Access your computer with reduced functionality," the default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will log the user out without warning. It will not shut down the machine, and the user can log back in. Note: This is different from the Windows XP RFM experience, which limits screen resolution, colors, sounds and other features. [emphasis added]
My head practically exploded when I read this sentence describing the new, improved punishment regimen: "Windows Vista will have a reduced functionality mode but one that is enhanced." Enhanced reduced functionality? Orwell would be proud.
Snarky as ever, Engadget reports:
Well, Microsoft has fired the first salvo in this war on pirates -- according to The Associated Press, the Redmond crew will be taking "much harsher steps to curtail piracy" than in years past. First, the company will "deny access" to some of the "most anticipated features," including Windows Aero, the new GUI. Then, Vista will start issuing ransom demands (we're not kidding about this part), demanding that a legitimate copy be bought within 30 days, or else. What would such consequences entail? How about limiting Web access to an hour at a time? Further, what about not being able to open documents from the desktop or "run other programs such as Outlook e-mail software" ? However, the article goes on to say: "Microsoft said it won't stop a computer running pirated Vista software from working completely, and it will continue to deliver critical security updates." So for those of you keeping score, Microsoft wants to make using your computer as miserable as possible, while keeping it as "safe" as possible, ok?
People out there will whine and complain and say it's not fair, that it's all a bunch of red tape and people will be inconvenienced (and they might be right about that one point), and a million other things that go along with the typical victim mentality (sorry guys, but possession of stolen goods is illegal, even if it's inconvenient, and possessing stolen stuff unknowingly doesn't make the goods any less stolen). And Microsoft needs to make sure that legitimate users are not impacted in a truly meaningful and workable way. But the fact of the matter is that Microsoft is right on this one. In fact, it seems to me that if I ran a company that created software for use by consumers and businesses, and if I wanted to make sure it was being legitimately used and paid for, I'd just keep it from working at all if it was obviously stolen.
But the politics of huge-mega-corporation-attacked-by-angry-mob is a multi-billion-dollar business, apparently.
Glad to see they're finally doing something about it, though.
Some Techmeme-tracked discussion on the topic:
Tuesday, October 03, 2006
My job is all about catching bad guys, building great software to help do that, protecting information, and a variety of similar things. the company I work for builds software than somewhere around a third of the country uses in some manner to conduct financial transaction on the Internet, so the topic of security is important to me.
I'm regularly participating these days in interviews with members of the media, and recently one resulting story was published that I thought did a nice job of covering the bases regarding security in financial services and the human elements. What has to be recognized in order to succeed in this fight is that the user is not predictable, accountable or reliable. It's the truth, it's important to know, and it's a fact we have to plan for and design into our security models.
Read the story here: Finance on Windows - "For Your Eyes Only"
Tuesday, September 05, 2006
"You really don't want to go there today..."
It's a bug zapper for web browsing. It's a cool idea. How it will be secured and made solid I am not sure, but this is good news and a positive step toward solving zero-day exploits and quite possibly many vulnerabilities on unpatched browsers in the future.
Microsoft Research is working on something they call BrowserShield, which will allow Internet Explorer to detect malicious code and rewrite it, then displaying the cleaned version of any static or dynamic page in the browser to the end user.
Researchers at the Redmond, Wash., company have completed work on a prototype framework called BrowserShield that promises to allow IE to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages.
"We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser," Wang said. "We're inserting our layer of code at run-time to make the Web page safe for the end user."
More on eWeek.com
Tags: IE, Internet Explorer, BrowserShield, Microsoft, Security, Malware, Scripts, Hack
Still using Office 2000? Note that it's about seven years old and two versions have been released since then (with one more coming soon). Here's another good reason to stay up to date...
An "extremely critical flaw" in Microsoft Word 2000 is currently being exploited by malicious attackers, which could lead to remote execution of code on a user's system, security researcher Secunia advised Tuesday...
...Microsoft has not yet issued a patch for the vulnerability, and users are advised to forgo opening untrusted documents.
Wednesday, August 09, 2006
Proof that cyber-crime is real, Consumer Reports is out with their State of the Net survey. It's pretty much as bad as we all know. From MSNBC:
"...American consumers lost more than $8 billion over the last two years to viruses, spyware and various schemes.
" Additionally, it shows consumers face a 1-in-3 chance of becoming a cybervictim -about the same as last year."
Thing is, prevention is much less costly than reactively paying for damage already done. You want to prevent the guy from getting into your place? Or do you prefer to let him in but then keep him from walking out the door with your money? Or are you like most people, who are resigned to watching him walk out the door with the prize, throwing your hands up in the air, and blaming someone (anyone, really) else?
How do we convince people, and what will it take?
Monday, August 07, 2006
UPDATE - AOL apologizes
(not as if it makes a difference at this point, though):
"This was a screw-up, and we're angry and upset about it. It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant," AOL, a unit of Time Warner, said in a statement. "Although there was no personally identifiable data linked to these accounts, we're absolutely not defending this. It was a mistake, and we apologize. We've launched an internal investigation into what happened, and we are taking steps to ensure that this type of thing never happens again."
AOL, over on their research wiki site, on Sunday posted an article describing their release of search data collected for more than a half million AOL users over a three month period. They claimed the data was made "anonymous," and that it was being released for research reasons. Problem is, it's not anonymous enough. Each unique user was replaced with a unique random identifier. That means you can see everything that user 336072 searched for. What if someone examined everything you searched for over three months? Even without knowing your name explicitly, do you think they might be able to find out some interesting things? Have you ever done a "vanity" search?
It's just not anonymous enough. I have a copy of the data that I downloaded before it was taken offline, and I've poked around in it a bit, so I know. Not only that, but spammers and search engine "optimizers" out there are going to have a field-freakin-day with this data. No, I won't share it with anyone else. It never should have been released in the first place, so I am not going to add fuel to the fire.
Michael Arrington at TechCrunch wrote about it in his blog entry entitled "AOL Proudly Releases Massive Amounts of Private Data," and updated his post a couple times as AOL mysteriously removed the data file from the web, as well as the page announcing the availability.
Arrington: "AOL must have missed the uproar over the DOJ's demand for "anonymized" search data last year that caused all sorts of pain for Microsoft and Google. That's the only way to explain their release of data that includes 20 million web queries from 650,000 AOL users."
When you consider that AOL search is - get this one - actually Google's search with a different face on it, you can imagine what the emails and phone calls that went flying around between the two companies on Sunday afternoon might have sounded like. Ouch.
Yeah, and so much for the privacy of AOL's users. If you're an AOL user, is that what you signed up for, to be a guinea pig in AOL's poorly-planned foray into academia? I think not. This is identity theft just waiting to happen, that's what this is. Again from Arrington:
"The data includes personal names, addresses, social security numbers and everything else someone might type into a search box. The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with "buy ecstasy" and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless. "
Google says "do no evil" and keeps this kind of data under wraps when challenged in federal court. AOL? Not so much.
Any would-be AOL boycotters better be prepared, though. Last we checked, you can't even cancel your account at AOL without being put through the ringer. Several years ago when I canceled mine it was a several-months-long experience before I was able to decipher enough to get the billing truly stopped. Coming and going, that's how they get ya in Dulles... There's a reason PC Magazine ranked AOL "Number One" in a list of things you'd really rather not be on...
Saturday, August 05, 2006
The U.S. Senate on Thursday ratified the first and only international treaty designed exclusively to combat computer crime. You can read the full text of the Council of Europe Convention on Cybercrime here.
What does this mean? Well, a lot of things. But all told, it means law enforcement officials from around the world will have a more agile, speedier, and more capable framework for cooperating in combating bad guys that are out to hurt others on the Internet. For those of us working to stop bad guys, it makes doing so more possible and can help remove some barriers that tend to get in the way. For those of us in the United States, the provisions are not really anything new. But for other countries that ratify, it means a much enhanced ability to work together.
The Senate did not consider an optional provision of the convention that deals with combating Internet hate speech, which would likely have run afoul of the First Amendment to the U.S. Constitution.
Summary of the Senate activity is in an article at news.com.
Sunday, July 30, 2006
SPI Dynamics is one of the companies mentioned in the article. They're discussing the results of their research at the Black Hat event this week, but they have also posted the article and a sample ("proof of concept" as they say) web page that does some of what they've discovered for all to see, use... and copy for that matter.
SPI Dynamics, by the way, has a quality set of expert articles, white papers, webcasts, and more on their web site.
... "We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks" ...
Friday, July 28, 2006
Tell me what you think, share what you know... In large part, I help catch bad guys for a living. So I have my own perspective and base of experience, but please share yours.
You may already be familiar with the term "phishing" and possibly you have a good idea of what it means. If you're not familiar with the term, you should be. Essentially, bad guys set up fake "phishing" web sites, typically by copying an online banking or other e-commerce site. The bad guys then send out emails or use other means to try to get you to visit the fraudulent web site they've set up, in hopes you'll think it's legitimate and "update" your banking or other private information there. In reality you're not communicating with the actual bank or e-commerce company at all, and you're not really updating anything - Rather, you are providing confidential identity and financial information to cyber-criminals. The bad guys then use that information to steal money, defraud you and others, and to create a new identity or leverage yours for their own gain. They're good at what they do, and the fact of the matter is, it works well enough for those who are the best in their "industry" (and it is its own micro-industry, as we'll discuss) to be motivated to make a career of it.
The general technique of convincing you via trickery to give up your private and sensitive information is called "social engineering." Bad guys act in ways that cause you think you're communicating with a legitimate business, but in reality you're being defrauded of information and - in turn - your financial and identity assets. More recently even myspace.com and similar sites have been faked, so we know these criminals are creative and go after us where we live. Whether it's a phone call from someone who sounds like a legitimate business person or a web site that looks like it's the real thing, it's all social engineering - tricking you into believing you're communicating information to a legitimate person or business when you're not.
You've likely seen emails show up in your in-box that pretend to be from ABC Bank or XYZ Credit Union. Beware any email that request information from you. The emails typically say something has happened to your account or that they;re verifying information, and you need to update your information by clicking a link to go to the bank's web site. But those emails are fakes, and so are the sites that load when you click the link. They're sent (well, spammed really) to anywhere from a few thousand to millions of people at once. Even when only a very small percentage of victims actually take the bait (hence the term phishing, eh?) , the bad guys win and come out ahead - big time.
Unfortunately, people do take the bait. I see it every single day in my work. Just the other day I dealt with a situation in which someone who provided their information to a phishing site fraudster was ripped off for $19,000. We're talking about serious stuff here... Now, when you lose money it's sometimes recoverable (but not always - you can sometimes be held responsible for giving away security secrets, after all). But if someone steals your private identifying information - things like driver's license numbers, dates of birth, social security numbers and the like - it's bad news. You're in trouble. Recovering from a stolen identity can be nearly - and oftentimes completely - impossible. You can get a couple thousand dollars back if you get tricked into giving up a password, but you can't take back your social security number once someone knows it.
You get the picture.
So, phishing is when someone sends an email and tries to get you to provide your secret information on a web site that looks like a legitimate one, but which is really just a fake copy that some bad guy controls. A lot like walking into what you think is your favorite coffee chain and walking out with a Strychnine latte, really. And on top of that, you paid the bad guy who you thought was your friendly barista $5 for it - and left a tip.
We've covered some of the basics of phishing fraud - just the first thin layer of the problem, actually. Over the course of some future posts, we'll dig a bit deeper into the details of what makes up a phishing campaign and what can be done about it. We'll also discuss pharming, spear-phishing and other cute terms that start with "ph" but which are really just about the farthest thing from cute you can imagine.
There are solid reasons for this madness that plagues the financial service and e-commerce industries. But truly understanding the problem means more than just knowing what phishing emails look like and avoiding fake sites. The fact that the sites are even there in the first place, that the email actually reaches your in-box, that you can't tell a fake site from the real one - all of these things are problems in and of themselves. To truly prevent the problem - and let's face it, prevention is the golden key here - we need to know and understand much, much more.
For instance, do you know why certain banks, credit unions and online retailers are targeted over others? Here's a hint: It's not always about how many customers they have to target or how big a name the bank is, although that can be a factor. Many of the biggest targets are credit unions with just a few thousand customers. And do you know what the phishers actually do with the information they fraudulently trick you into providing?
Do you have any idea who the bad guys are?
That's a taste of what we'll be discussing here over the next few weeks. I'll publish some of my thoughts on these topics and more. Not the secret stuff that lets us catch them, but the information consumers and institutions can use to help combat the problem. It's an opportunity to learn and share information. If you have ideas, thoughts or comments about the phishing problem, or online fraud in general, please leave a comment on this entry, or write about it on your own blog, or alternatively you can email me (but please use the comments if it's safe and reasonable to do so in order to provide the benefit to others - I tend to get a lot of emails that would be much better from a community standpoint if they were posted instead as comments). I'll leverage my own thoughts as well as the thoughts of others like you to help build parts of the future discussion. With hat tips all along the way, of course.
Tuesday, July 11, 2006
Microsoft made this announcement today in their Security Newsletter for Home Users. Interesting the email headline they used, since the web site actually says Win XP SP1 support is supposed to stop on October 10th. Support for Win 98 and ME were set to end today. At any rate, if you're running Windows 98 or ME, it's well past time to pack it in:
Effective today, Microsoft no longer provides support for Windows 98, Windows Millennium Edition (Windows Me), and Windows XP Service Pack 1. Customers can access existing support documents through the Microsoft Support Product Solution Center, but telephone and e-mail support and security updates are not available.
Saturday, July 08, 2006
Looks like a new variant of an old virus is making the rounds.
I got an email tonight in my personal email account that pretended to be from Microsoft and which contained a virus in an attached ZIP file. The attachment was called "Microsoft SMS Manager.zip" and contains two files - which are packaged as a .JPG file and a .HTA file. The JPG file is actually the infected binary and the HTA file is a real HTA with malicious content to call the binary and perform some other actions. The email came from an IP at an ISP located in Asia.
Of course I didn't get infected, because I saw it as obviously fake. Microsoft will never send software or updates via email, but in the social engineering department this one is bound to fool a number of people (despite the bad grammar), so it's a good idea to get the word out. I confirmed the virus infection with Symantec's AV software client on the local machine.
Here is the info about the infected contents of the ZIP file (specifically the JPG file):
Scan type: Auto-Protect Scan
Event: Threat Found!
File: C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip\Product.jpg
Location: C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip
Action taken: Delete succeeded : Access denied
Date found: Saturday, July 08, 2006 11:22:31 PM
If the AV software is correct and it's actually a W32.Gavgent.A virus in this file, this is an older worm (1995) that was not too prevalent at the time. The dates on the files in the ZIP are 8/2005, so it's entirely possible this is a reuse of an older virus. The HTA file in the package is an actual HTA file, and it references "Gavgent.B" in it's contents, so it's likely this is a repackaging of the Gavgent.A variant. At this time, there is no reference to Gavgent.B at Symantec Security Response. Luckily the old Gavgent.A variant is what trips the Symantec software, so detection seems to be easy enough. Below is the header from the HTA file. The executable section contains a lot of obfuscated VBScript and an IFRAME that loads the microsoft.com site with some extra arguments on the query string.
CAPTION="Microsoft SMS Manager"
This virus does the classic network worm thing and collects email addresses and spreads via the common methods. It tends to restart the computer it infects and is generally an annoying dude. It will also try to kill AV and other security processes upon execution. Details are available here.
The original email I received is below. The subject line was "SMS Manager from Microsoft."
This email provides you information about new product from Microsoft
Corporation, called Microsoft SMS Manager.
These product would help your activities, you can send and receive SMS
messages through your PC with no charge before December 31, 2005 (trial
It's compatible with most of GSM and CDMA operators.
The Installation's document is attached (Microsoft SMS Manager.zip).
For further informations, please contact firstname.lastname@example.org
Saturday, July 01, 2006
The headline reads: "Credit card security rules to get update."
I see that and I think to myself, "Hey, cool."
Then I read the story.
What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."
Now, that's not so cool.
Why is that? Industry requirements that were put in place not too long ago that required companies to encrypt sensitive information are going to be removed. Yes, you read that right - Removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government mandated standards, but in the absence of private self-regulation and in this particular case...
From CNET's News.com:
While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.
"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.
The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.
To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means - if done correctly - that even is a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.
Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low hanging fruit that is exposed on the outside layers and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.
Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.
It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.
To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.
It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me. Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.
Monday, June 05, 2006
A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.
So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.
Up until today I was frustrated to no end with these events.
Now it's personal. Now I'm angry.
And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...
This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.
There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.
The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.
All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.
What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.
But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.
BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems. It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.
If a company doesn't have a security management framework in place, not only is it unaware of what's happening in it's own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an over-reaching management framework to ensure all the bases are covered.
Did he say "negligent?" Yes, negligent. And I mean it.
It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.
So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?
Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.
Of the 2600+ organizations on the certificate register, there are only seven (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.
This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other other entities. I've left off most of the countries that have only one certified organization to save space.
And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.
If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well.
The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.
So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.
What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?
Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPPA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards require a company to have a security management system in place, and neither come close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.
Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.
Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.
Sunday, June 04, 2006
Not able to register and sign up for college classes and hike on down there to learn some useful crypto skills? No problem. The University of Washington's crypto course is available online for anyone to access. And this is some truly decent content.
Practical Aspects of Modern Cryptography - course description
The full semester of class content is available online - slides, video of each class session, audio in MP3 format (there's even a podcast link) - great stuff. You'll spend some real time working through the class presentation, which means you'll be spending the time it takes to actually learn the content.
By far the best way to view the content online is with a special app you can download from the UofW web site for free. If you install their WebViewer application you can get the video and slides and instructor annotations playing all together in one nifty package. Quite excellent since they teach with - get this - a Tablet PC in real time. It's kind of like Monday Night Football for geeks. Heh.
There's a whole slew of math and number crunching stuff in the first class sessions, but it's information that is fundamental to a complete understanding. Then the instructors move into protocols and more practical, real-world applications.
There's a TON of presentation content here. Anyone who wants to learn about cryptography for real will likely find this worthwhile. Kudos to the instructors and the University of Washington for providing this online class content. We need more complete educational stuff like this on the web. Like MIT's OpenCourseWare. Excellent.
Saturday, June 03, 2006
Steve Knopper took a new Dell computer and spent 18 days infecting it with all the malware and viruses he could get his hands on. His account if the whole thing is published at Wired.
"What kind of idiot buys a computer and willingly – even eagerly – exposes it to all the malware and viruses he can? Me. I bought a Dell Dimension B110 ($468! Cheap!) and tried to kill it for more than two weeks. I clicked on every pop-up and downloaded the gnarliest porn, gambling, and hacker files I could find."
And then he returned it to Best Buy on the 18th day. Classic. Read Steve's account here.
Sunday, May 14, 2006
Recently I've been speaking with a lot of reporters and other media-types about the work we at Corillian do on financial services security. It's fun to be taken back to my old journalism days, and I've come to find there are a lot of very smart people out there working the security technology beat. In addition to speaking to the media, I've also been presenting in person at a number of conferences, and have quite a few more coming up over the next several months.
I recently had a chance to speak with one reporter to discuss the state of the industry in terms of online financial services and recent FFIEC mandates on banks to implement strong authentication for their online banking web sites. Eric Norlin is well-known to many, and he writes for some well-respected publications, including Digital ID World and on ZDNet.com. We talked about the risk management components that go into deciding how to solve the authentication problem. The strong authentication software we build at Corillian uses a risk-based model, and Norlin's approach to the story is (I think) spot-on, especially his recognition of the need for an identity-first/identity-risk mechanism:
"Corillian is one of those interesting companies that you hardly ever hear about: several hundred financial institutions as customers; running back-end financial industry specific software; aware of all of the stringent requirements of financial institutions. So, its not like Corillian is just "getting into the game," its more like they're adding to an already deep bench. They're adding their Intelligent Authentication product.
"The interesting thing about Intelligent Authentication is that it begins by recognizing the risk management approach to strong authentication. Accordingly, it uses a variety of methods to authenticate you based upon the interaction (or transaction) that you're having. These methods include: client OS and browser checks, behavioral pattern analysis, geo-location (via a partnership with Quova), challenge and response questions (chosen by the customer), and my favorite - out of band phone authentication (via a partnership with StrikeForce)."
(Link to Eric Norlin's story on ZDNet.com)
He also noted that we at Corillian have already done some early, in-depth work in conjunction with Microsoft integrating a new authentication technology code-named InfoCard, which places the control, proof and credentials used in the authentication process back in the user's hands (in other words, right where they belong) while also helping to solve weak authentication problems. What I especially like about InfoCard is the community support and open-ness, as well and the user/identity-centric approach, which ties directly to Kim Cameron's Laws of Identity and the concept of the Identity Metasystem (an interoperable architecture for identity on the Internet). The security model on the desktop (it will run in Windows XP and 2003 Server and will also ship in Windows Vista) is also very interesting and encouraging. It will be quite interesting to see how, where and when InfoCard is adopted. I'll be speaking and writing here about InfoCard more in the future.
Wednesday, April 26, 2006
What rolls out on day-one with more than 300 million users and nearly a BILLION authentications per day?
The new Windows Live ID, that's what. And that's exactly what happened, while you were using it and going about your daily business.
Microsoft's completed the roll-out of Windows LiveID to replace its Passport network infrastructure. It was all happening behind the scenes recently, and the next steps are for Microsoft and its partners to start rolling out some of the new technologies - some of which you can see and some of which is under the covers - to show off and leverage the new service.
"You'll start to see the new sign-in experience and all the goodness within a few weeks when we light up some partners," said Trevin Chow, Lead Program Manager on the Windows LiveID team.
So, what exactly is LiveID?
Well, you can read a whitepaper that was recently published to get all the salient details, but basically it's a new component in the Identity Metasystem that replaces Passport. It will eventually support both self-issued and third-party managed/issued InfoCards as credentials, and a SDK will be available.
What this all means is that Passport has grown up, and control of personal information will be more and more in the hands of the end users. In the future, Live ID will leverage InfoCards, which means more individual control of the claims used to identify users to online apps. Participation in the Identity Metasystem and following it's governing standards - the Laws of Identity - mean end users can leverage a centralized service but still maintain control over - and make decisions about - what specific information is sent to what services.
It's good news. Check out http://login.live.com - you'll notice the new footer on the signin section.
Thursday, April 20, 2006
Chris Corio, a program manager on the Windows Security team, has put together an article for the May/June 2006 issue of TechNet Magazine that takes a first look at the new security features that will be included in Windows Vista. Items covered in the article are:
- User Account Control
- Consent and Credentials
- Code Integrity
- Data Encryption
- Application Isolation
- Data Redirection
- Credential Providers
- Service Hardening
- Windows Defender
- Rights Management Services
It's a good summary all in one place of many of the security improvements that will be built into or will ship with the new OS. From reduced privileges to improved use of strong cryptography and other new features, Vista looks like it will be a major step forward in the Windows security world - a welcome set of core changes.
Read the article here.
Wednesday, April 19, 2006
If you run Firefox (or other Mozilla software based on the same codebase like Thunderbird) and have not upgraded it to the latest version (the latest Firefox - 184.108.40.206 - was released just last week), CERT says you really really need to.
"CERT advises people who use Mozilla's e-mail software, Thunderbird, and the Internet application suite Seamonkey to also upgrade to the latest versions (Thunderbird 1.5 and Seamonkey 1.0.1). CERT warned that any other products based on older Mozilla components, particularly the Gecko rendering engine, may also be affected.
"Firefox has traditionally been seen as being more secure than other Web browsers such as Microsoft's Internet Explorer. This is thought to be the first time that multiple vulnerabilities have been reported in Firefox and the Mozilla suite.
"Secunia warned that hackers could exploit the security holes to gain control of computer systems, conduct phishing attacks, and bypass security restrictions.
Users of Firefox can typically just click on the Firefox "Help" drop-down menu and then choose the "Check for Updates" option to see if they are running the latest version. If your version of Firefox does not have this option, you know you're way out of date and you should visit http://getfirefox.com right now and download the newest version ASAP.
Also, of use to corporate IT people is the Firefox Community Edition package from FrontMotion that includes features to do MSI installs and leverage associated Active Directory ADM files to manage Group Policy security functionality in Windows domains. Companies using this package can apply the patched versions in an automated, simpler and reliable fashion. Larger organizations that don't use such a package have to deal with either a more complicated update process or reliance on end users to perform the updates - which is never 100% successful, even in the smallest shops. Version-wise, it's important to note that FrontMotion's MSI installers tend to lag a bit behind the Firefox official releases (when a new FireFox release is issued, the FrontMotion crew uses it to create the new MSI installers and ADM files), so keep this in mind when deciding how to deploy.
Wednesday, April 12, 2006
I work in the security field (we build anti-fraud and authentication software and services for financial services and electronic commerce companies like banks, etc). Recently I've been asked by a significant number of people why certain banks are being phished in such large volumes. Now, while I don't write about specific financial institutions or security events (that would not be appropriate), I can tell you that any given bank has little to no control over whether or not it is made a target in the first place. All the big banks (and many tiny ones) get hit hard at some point. What they do have control over is their chosen prevention, mitigation and response plans and methodologies.
In the end, the most effective solution is the fairly simple one: Make it hard enough for the fraudsters and eventually they will move on to another bank. Stopping phishing and other online fraud is really just like everyday police work - It's not actually about ending crime, it's about making it go elsewhere. In the real world, the cops just push the burglars, drunks and drug dealers to someone else's town. We don't solve these problems, we just move them somewhere else.
So, eventually the scammers' targets and victims change. The real problem with online fraud is that we can't put an end to it with infrastructure technology they way it is now. We can get way out in front of it (where I work, we write software that can help prevent most phishing attacks from being launched in the first place, as well as strong authentication software to help stop bad guys from getting in the door even if they have a key). But it's way too easy to run a phishing scam, and prosecution is not an effective solution. Prevention is the way to go, and that means diligence on the part of financial institutions, using the right kinds of technology where needed, and a implementing a whole-community effort to stop the problem before it ever gets started. Tools are out there to let the bank get in front of the problem, and but it off at the knees before the crime occurs - a lot like stopping the bank robber well before he walks into the bank's branch office. Preventing the robbery is a lot less messy than cleaning up afterwards, explaining it to everyone, and trying to convince your customers that have just been held hostage not to leave your bank for another one.
Email is, as designed, one significant part of the problem we face. It's just too easy to abuse. Without getting too far into the whole "email-limitation" debate (Sidebar: When I spoke at a security conference last week one attendee tried to lure me into taking a political position on whether charging to send each email is a good idea... Heh, no I think not...), it's clear at least that there are many problems with the medium. Educating people not to respond and not to click on links will not solve the problem, as has been proven time and time again. Email is an insecure method of information transport, and unless access can somehow be reasonably curtailed, this problem won't go away. The real question is, can email be restricted for bad guys while still keeping it free and in the spirit of the open Internet for everyone else? If so, how? Something tells me the debate and answers have not changed much over the years.
Ah, what the heck, let's just kill email completely. Block port 25 at the backbone routers. It's a counter-productive way to communicate much of the time anyhow. Imagine all the misunderstandings we'd avoid. The tangible and intangible benefits would be many. :)
But seriously, in the real world, there are three basic approaches to tackling this problem (phishing and cyber-fraud) if you're a financial institution. I'll mention them here briefly, and will likely dive into them in more detail in another post sometime soon:
- Option One - Purely Reactive Posture - Apologize to customers when they call and tell you there's a problem, refund their accounts, change their passwords for them, hope they don't leave you for another bank.
- Option Two - Hybrid Reactive Posture - Watch for phishing emails and when you see them, use technology to block them and see if the sites in the emails are real, and if so try to get them taken down, either on your own or through a professional take-down service. Apologize to less customers, and hopefully change their passwords before the bad guys get into the accounts.
- Option Three - Preemptive Approach - Prevent the fraud attack from being launched in the first place, shut down fraudulent sites before the victims receive an email, make it difficult for the attackers, and protect your customers from being victimized at all.
Which option do you think is best? Which posture do you expect your bank to adopt? For my part, I vote for leveraging all three options, with a strong primary emphasis on Option Three, where prevention is the main focus. That's the area where I spend the majority of my professional time, with a team of developers and forensic techies who build software that prevents attacks and gives banks what they need to protect customers from becoming victims. It's a worthwhile job.
Microsoft's Windows Live ID team has started a blog to communicate information about the new product, which is a replacement/upgrade for the Passport service. From the inaugural post:
"Windows Live ID is the upgrade/replacement for the Microsoft Passport service and is the identity and authentication gateway service for cross-device access to Microsoft online services, such as Windows Live, MSN, Office Live and Xbox Live. Is this the authentication service for the world? No It's primarily designed for use with Microsoft online services and by Microsoft-affiliated close partners who integrate with Windows Live services to offer combined innovations to our mutual customers. We will continue to support the Passport user base of 300+ Million accounts and seamlessly upgrade these accounts to Windows Live IDs. Partners who have already implemented Passport are already compatible with Windows Live ID.
"Windows Live ID is being designed to be an identity provider among many within the Identity Metasystem. In the future, we will support Federated identity scenarios via WS-* and support InfoCards.
"For developers we will be providing rich programmable interfaces via server and client SDKs to give third party application developers access to authenticated Microsoft Live services and APIs.
"Over the next few weeks as we complete our deployment, you will see the Windows Live ID service come alive through our respective partners sites and services. The first thing you’ll notice as early as today is that the word Passport is being replaced by Windows Live ID. But isn't a rebranding exercise -- there is stuff going on under the hood. This will be more understandable in the coming weeks and months when you start seeing the new, exciting Windows Live sign-in UI. Not only is the page load time significantly reduced, but you will see some really cool innovative features that we’re sure you’ll love :)"
I'll likely be writing here on this weblog about Infocard (which I have early some experience with), authentication and other related topics, since I have a professional connection to all of the above. Glad to see the Live ID team getting their blog start - this is the beginning of what should be a great phase of changes and improvements in the area.
Friday, February 24, 2006
Recently a couple coworkers at Corillian turned me on to TextPayMe, which is a cool service you can use to send money to others (and even to a few online merchants). Click the banner below to check it out and sign up for free - They'll even deposit five bucks in your TextPayMe account when you sign up. For real. You don't even have to provide a credit card or bank account info unless you want to transfer funds into the TextPayMe account, so there's no risk. It costs you nothing.
And, if 35 people sign up via this link, I'll get a XBOX 360. You can do the same thing. nice eh?
TextPayMe services are used to send payments to (and receive payments from) people you know, using text messaging on your mobile phones or wireless PDAs (I'm using it on my Blackberry phone). Let's say you go to a restaurant with three friends. Instead of asking the waiter to split the bill, or even worse trying to find the right amount of cash to put in the pool and pay your part, one person pays the bill, and the other three send their part to the person who paid using TextPayMe. They send it to your cell phone number, nice and easy. And for the people sending the money, the security system (which is a two-factor secure system - nice) calls their cell as soon as they text the payment. They answer the phone and are prompted by the peppy IVR voice on the other end to enter a PIN (which you provide at the time you sign up). Only then is money sent.
So - a cool service to try, nothing to lose, and five bucks to gain! Click here to go to the TextPayMe site and sign up to give it a try!
Tuesday, February 21, 2006
Verisign's iDefense Labs has a program running that will pay you up to $10,000 if you submit a security vulnerability to them during this quarter that ends up being ranked as critical by Microsoft:
For the current quarter, iDefense Labs will pay $10,000 for each vulnerability submission that results in the publication of a Microsoft Security Bulletin with a severity rating of critical. In order to qualify, the submission must be sent during the current quarter and be received by midnight EST on March 31, 2006.
Well, there you go - if you gots the skillz, go gets some cash.
And by the way - the iDefense Labs site is a great resource for IT and security types to keep any eye on. They provide content on the site as well as webcasts with well-done content.
Sunday, February 19, 2006
On Friday Microsoft released a the latest version of their anti-malware product, which is now called Windows® Defender (Beta 2). This software replaces the product formally known as Microsoft Antispyware. There's both 32- and 64-bit versions available to download.
I've installed it and it runs just fine, but I get an error when it tries to update itself with the latest detection signatures. I'll try a reboot and see what happens a little later on. Hopefully that will help.
The new UI is nicely done, and I like the fact that you don't have to be an administrator to run Defender.
From the Windows Defender download site:
Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.
This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft’s growing understanding of the spyware landscape.
Specific features of Windows Defender Beta 2 include:
- A redesigned and simplified user interface – Incorporating feedback from our customers, the Windows Defender UI has been redesigned to make common tasks easier to accomplish with a warning system that adapts alert levels according to the severity of a threat so that it is less intrusive overall, but still ensures the user does not miss the most urgent alerts.
- Improved detection and removal – Based on a new engine, Windows Defender is able to detect and remove more threats posed by spyware and other potentially unwanted software. Real Time Protection has also been enhanced to better monitor key points in the operating system for changes.
- Protection for all users – Windows Defender can be run by all users on a computer with or without administrative privileges. This ensures that all users on a computer are protected by Windows Defender.
- Support for 64-bit platforms, accessibility and localization - Windows Defender Beta 2 also adds support for accessibility and 64-bit platforms. Microsoft also plans to release German and Japanese localized versions of Windows Defender Beta 2 soon after the availability of the English versions. Use WindowsDefenderX64.msi for 64-bit platforms.
Monday, February 06, 2006
My co-worker Mike pointed out an article that's got to make some people more than a little nervous. Imagine if an RFID chip could be embedded in a piece of paper, virtually undetectable.
Well, it can. You can imagine the security and privacy concerns (while marveling at the technical advances). From EETimes.com:
"Hitachi was due to present details of the 0.15-millimeter by 0.15-millimeter, 7.5-micron-thick chip on Sunday (Feb. 5) at the IEEE International Solid-State Circuits Conference (ISSCC) in San Francisco.
"Paper is typically 80 microns to 100 microns thick, and the chip substrate has been made small and thinned to 7.5 micron to ease application in paper, where it could be used as an intelligent watermark."
Sunday, January 29, 2006
Saturday, January 28, 2006
Published just this month, an important whitepaper is now available that provides authoritative information about applying the "don't run as admin" concept in the real world.
Should you care? Yes. Absolutely. Why? Because running as an administrator or high-privileged user opens the door to malicious software ruling your world by potentially damaging your computer and data, compromising confidential information, and harming your company's reputation and business relationships. Put simply, you should do it because it's now possible, because with Windows Vista it will be enabled in terrific ways that reduce the pain, and just because it makes obvious good sense.
Users will download and install software they're not supposed to. Policies don't solve technology problems. Rather they guide solutions to people problems. Users will take CDs they bought with a major record label on the sleeve and stick them in their CD-ROM drives, whether or not they are supposed to, and we've all learned recently that you cannot trust major record labels to product safe, appropriate software. Users will surf to web sites and (regardless of how much education and prevention you do, and how many times you tell them to never click on that stupid thing that says their computer might be infected) they'll click and download and even install software that wreaks havoc, logs keystrokes or any one of a thousand other bad things.
People and process changes and preventions are important - don't get me wrong. We need to educate and provide standards, and we still need to hold people accountable for behavior. But that does not remove from us the responsibility to make proper and correct technology decisions when it comes to operation and implementation security. Period.
People, process and technology - it's a combination of all three of these, in careful balance, that makes a true security ecosystem work.
But making changes like this is, honestly, something that most business and technology people avoid, because they're afraid they won't be able to operate that way. Or they're afraid someone will complain. Sorry guys, not a good enough reason, not anymore.
So... What's the problem we're trying to solve? From the paper:
"A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message."
The approach into which the least-user model falls is a layered security, defense-in-depth style. We cannot rely solely upon one layer of security to solve all our malware problems, and the fact is this: If all computer users already ran with least-privileged accounts, the incidents of malware (spyware, adware, etc) would be significantly less. In the real world, we are stuck in a position of needing to make a change, but for the future we will do well to remember how taking the easier route early in a technology phase can come back to bite us later.
"A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.
"The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools."
Small and large organizations (of all types) are faced with this problem. While it's not the end of the world, it's often not a trivial task to change to a least-privileged computing model if you're already deployed in a mode where all users are administrators. This is common in software companies and other place where people have liberal privileges in order to provide ultimate flexibility in their development and design world.
I should also note that in Windows Vista, the next version of Windows, there are significant improvements in the operating system that will make it completely feasible to apply a least-privilege user model to every single computer, while affording users the ability to install software and make appropriate configuration changes in a controlled and safer environment. In my opinion, any shop that deploys Vista when it's available and does not take advantage of this security capability is negligent (and there will be many companies where that will happen, just watch). Find out more about Windows Vista User Account Control (UAC) at the Microsoft Technet site pages that cover the subject, and be sure to read and subscribe to the UAC Team Blog.
I highly recommend this whitepaper. It cuts to the chase and explains things in a clear and concise way, while addressing real world concerns and providing links and references to third-party tools and information. If you run a network or a dev shop, or if you're in any way responsible for secure computing, this is a paper you need to get familiar with.
Description and summary of the whitepaper from the Microsoft download page:
This 100-level technical white paper provides information on the principle of least privilege and describes how to apply it to user accounts on Windows XP. The paper covers the following topics:
- Risks associated with administrative privileges
- Definition of the principle of least privilege
- Definition of the least-privileged user account (LUA) approach
- Benefits of the LUA approach
- Risk, security, usability, and cost tradeoffs
- Implementing the LUA approach
- Future developments
This paper also describes at a high-level the issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail.
Thursday, January 26, 2006
Microsoft Security VP Mike Nash answers a stack of questions posed by Slashdot readers. The Q&A is pretty good. Nash provides substantial answers to some fairly pointed questions. One thing is clear, both in the answers and in my own experience: Security is hard - if in no other way, then from the standpoint of overcoming the many cultural and technical hurdles.
Nash covers a broad range of important topics and addressed many, many issues. Click on over to read, but here's a very brief couple of excerpts:
On code security and secure code review processes:
"Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could over run a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated."
And on the cultural challenges of prioritizing security:
"Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."
If you're even tangentially involved in security for your organization, and especially if you're a technology company, this Q&A is definitely worth the read.
From Mark Harrison's weblog:
All Windows SharePoint Services customers are entitled to an extended free trial of Antigen for SharePoint. This trial version will be active through June 30, 2006.
To download, simply go to www.sybari.com/wss and fill out the form.
Antigen for SharePoint allows Windows SharePoint Services users to collaborate without the risk of uploading or downloading infected documents or inappropriate content.
The simple and honest fact is that many people who have deployed WSS or SPS don't run any anti-virus software on their SharePoint implementations - and that's a huge mistake. Running plain-ol' AV on the server's file system is exactly the wrong thing to do, because all the SharePoint files are stored in the database where regular AV software can't touch them. And besides that, running real-time AV scans of a SQL database file (which is constantly changing) is a supreme resource and performance killer if there ever was one.
I've worked with Sybari's Antigen products on both SharePoint and Exchange for several years. In my book, it's the best thing in AV-Land since sliced bread. So check it out.
Sunday, January 15, 2006
As tends to happen from time to time, some sudden attention on the 'net (starting with the Security Fix blog at Washington Post) has been paid in the last couple days to what has been misleadingly described in some places as a "flaw" in the Windows wireless networking functionality. In reality, that's not quite the case. Rather, the potential problem (which some might argue is actually a feature) is related to an understood standard computer configuration (some would say "as-designed") of the spec governing dynamic configuration of IPv4 link-local addresses (RFC 3927 - see part 5). The authors of the spec even noted the potential risks and discussed the importance of taking that risk into consideration in design and deployment:
"The use of IPv4 Link-Local Addresses may open a network host to new attacks. In particular, a host that previously did not have an IP address, and no IP stack running, was not susceptible to IP-based attacks. By configuring a working address, the host may now be vulnerable to IP-based attacks." (read the spec)
Unfortunately, some have stated incorrectly that this represents an unknown or recently-discovered security hole or flaw. That's just not the case. This is, however, something that people should be aware of if they use or manage portable computers with wireless networking cards.
The problem has to do with the fact that the last wireless network name (or SSID) you successfully connected with is reused and associated with the generic IP address that gets assigned when your wireless card can't find a network to associate with, so someone who is also assigned an IP In that block and who knows what they're doing might try to connect to your computer using that network name and the generic IP address subnet. Yeah, it's technical but it's not too hard to protect yourself.
The first thing you should already have in place - and if you don't, you need to take care of this now - is a firewall to protect access to and from your computer. It's amazing how many problems can be mostly or completely mitigated with a decent and properly configured firewall. If you block incoming traffic with the firewall, then access to the wireless adapter is nowhere near as big of a deal.
On the technical side, there are a couple things that can be done to resolve the specific issue at hand. The most logical (and second most technical) step is to configure the network adapter in Windows to only allow infrastructure connections (to access points), and not Ad-Hoc connections (to other wireless cards in peer-to-peer mode). This can be done individually (on a specific computer by the user or administrator) or in a more automated fashion across a security domain (see below).
On a Windows computer, you can also get all geeked out (this is a more technical step) and disable the feature that automatically assigns the generic dynamic IP address when DHCP server is present (this auto-assign feature is sometimes referred to as APIPA - see this page for details on disabling it if interested, but use at your own risk, it involves editing the registry). It's this common and predictable IP address space that could potentially allow someone else to try to snoop into your computer, if you had none of the other standard protections - like firewalls and directory security - in place.
An even better option - where available - is to have your Windows Domain administrators control the setting for any group of computers managed by the domain's Group Policy. To do this, navigate in the Group Policy editor to:
Computer Configuration > Windows Settings > Security Settings >Wireless Networks
You notice there's nothing listed in that section by default - That's because you have to create your own policy if you want to take advantage of the features available. To do so, right click in the empty space and choose to create a new wireless policy. You'll give it a friendly name and the wizard will walk you through the steps required to set up your new policy. On the properties page (see below), you'll note an option is available to specify the network types to which you want to allow access. You can choose "Access point (infrastructure) networks only." Note that selecting this will force all computers to which the policy is applied to access point networks (so the wireless peer-to-peer networking without an access point - which is exactly the issue we're trying to mitigate - will no longer work).
Some companies use these settings to ensure the only wireless networks that business computers access are ones that are pre-approved, but that means a tradeoff between security and convenience, and road warriors often desire and need to use public access points for any of a number of reasons. How deeply and widely you apply the policies is a business decision - just be sure to consider all the potential business effects and consequences.
Note again that fixing a problem in just one place or in just one layer is most certainly not the right way to solve problems like this. Rather, taking a defense-in-depth approach, where you block access at as many layers as possible, is the way to approach network security issues.
For example, let's go back to enabling the software firewall on your computer - whether it be the Windows Firewall that is part of Windows XP SP2, or a third party firewall by a company like Symantec or others. This is another critical layer. Having a properly configured firewall in place helps to ensure access to your computer is protected, even if the wireless connection is "open." Layering protections allows you to be sure the problems are kept out, and also provides a possible mechanism to temporarily relax any one of the protections when needed in order to accomplish a specific task.
Thursday, January 05, 2006
A patch for the truly nasty WMF vulnerability on all versions of Windows has just been pushed out in an extra release by Microsoft. It is described in Security Bulletin MS06-001. It's available for your WSUS server and from Microsoft Update, or you can get it by downloading it from the links on the security bulletin web page.
This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. Note This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This is a huge one - super critical, as there are many exploits in the wild that are actively taking advantage of this vulnerability. UPDATE NOW!
On January 12th at 9:00 am Pacific time my boss, Jim Maloney, will be presenting along with George Tubin, a senior analyst at Tower Group, on the topic of preventing fraud in the online banking world. They'll discuss the threats, ways to protect customers, and some tools and processes that can help get the job done. It's a hot topic in the marketplace, and I think many people will find this web cast interesting from a security perspective, regardless of whether or not you work at a financial institution.
There's been a lot of talk and movement in this space in the past few months, after the FFIEC (the federal government organization that's made up on several individual federal agencies responsible for setting banking standards) issued new guidance to banks and other financial institutions that says something needs to be done to further protect online banking accounts, and that it needs to be done sooner rather that later. The emphasis of the guidance is on a defense in depth and layered security approach. Jim and George will be specifically addressing that guidance in the web cast.
You can sign up for the web cast here (uses LiveMeeting). A press release that announces the event is available here.
Tuesday, December 06, 2005
I've written before about FrontMotion's Firefox MSI installers and their Active Directory ADM policy templates, but with the recent release of Firefox v1.5 and the resultant updating of the installers by FrontMotion, I figured it's worth another mention. In a security-conscious IT environment, we all know how difficult it can be to exercise the necessary level of control over programs that are used to access the Internet - and the web browser is number one or two on the list of possible problem Internet apps (along with email programs). So being proactive whenever the tools are available to us is quite important.
Luckily, FrontMotion distributes MSI (Microsoft Installer) versions of the Firefox web browser for people to use (free of charge at this time) and there are two editions of the installers available. FrontMotion's Firefox Community Edition - which is the one that includes the Active Directory integration for centralized management and control - is slated to be updated shortly, and their stand-alone MSIs (which are not AD-integrated) have already been updated to incorporate Firefox v1.5.
The features of the Firefox Community Edition should be of interest to companies that centrally manage software for IT and security purposes, and the package allows you to upgrade non-MSI installations as well as those from other organizations. Features of the community edition include:
- Active Directory deployable and upgradeable.
- Active Directory management through Administrative Templates (*.adm).
- Desktop Icon similar to IE.
- Shell integration similar to IE.
- Set Default browser
- Macromedia Flash plug-in preinstalled
- Detect and upgrades non-MSI installs.
- Can upgrade 3rd party MSI's from MIT, Webheat.co.uk, and ZettaServe.
- Able to properly perform uninstalls and restores system associations
You can subscribe to the FrontMotion mailing list for occcasional announcements about updates at: http://www.frontmotion.com/mailinglist.php. I don't see a blog or RSS feed, but we can hope.
Wednesday, November 30, 2005
Thomas Hawk wrote about a severe problem he had ordering a camera from an abusive online retailer that's really nothing but a major, unethical sales scam operation. The fact that he wrote about it and pointed to a number of other people's experience is great, and it brought to mind a number of other things that people need to know, especially this time of the year.
First of all, there ARE unethical, bad people out there trying to sell YOU their stuff. And there are some that will threaten, extort and otherwise manipulate their "customers." It doesn't just happen to other people - it can and will happen to you, too. Protect yourself and do your homework. While the vast majority of online retailers are good, solid companies, there are the few bad apples, just like in any community, that make it bad for everyone they can take advantage of.
- If the price is too good to be true, it's probably not true. Seriously. Don't fool yourself.
- Do your homework if it's a company you have never head of or dealt with. You're trying to save money, so spend some time. That means getting information about the company. A good way to do this is to look for bad information online, by using Google or another search engine to search for "The Company Name"+scam (like this and this show some serious info). Look for the NEGATIVE information. Keep in mind that there are times when the bad guys will try to make themselves look good by posting positive information. It happens.
- Don't rely solely on the Better Business Bureau to tell you what you need to know, but do be sure to check information there. The company Thomas wrote about has a record with the New York BBB that's pretty terrible. Also be sure to use epinions.com's "Online Stores and Services" search and read through the whole lot. Again, there are bad guys that will post fake positive comments about themselves - so be a pessimist.
- Always use a reputable credit card, never use a check or debit card. If you ever need to reverse charges, a credit card with purchase and fraud protection is invaluable; You can't reverse cancel payment on a check that's already posted, and you fighting the debit card battle is painful if the money has already been pulled from your account. Credit cards provide lots of real protection, so use them for these purchases. That's why I have credit cards, really, is to protect myself if ever needed for major purchases. That and true emergencies. Other than that I think they are evil, heh.
- Did I mention "If the price is too good to be true, it's probably not true?" Okay, well it's worth repeating.
Finally, based on other people's experiences with the company Thomas had his problem with, I'd suggest you never, ever do business with Price Rite Photo, which also uses a number of other business names. Check the BBB for retailer names and aliases, and alway always always be careful and suspicious of the too-good-to-be-true deals.
Tuesday, November 29, 2005
It's a question many of us in the security field have been asking for some time. How is a user supposed to know they are on the correct web site when they enter their credentials or make an online purchase? How are they supposed to know when it's not the trusted site they're on?
I was having a side conversation about more ways to solve this problem with some coworkers today (common topic in our line of work), and this evening I ran across some details on the IEBlog discussing how Microsoft is dealing with it in IE7 (found via Mark Harrison). And other browser vendors are playing nicely, too. Ahh, solving problems is such a good thing to see... Nice!
IEBlog: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers
Here are some visuals that show what the user expeience looks and feels like in the dev versions. Visit the link above to get the complete details.
Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter
Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter
Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate
(showing the identity of the site from the SSL certificate)
Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate
(alternating in the name of the Certification Authority who identified the site)
Tuesday, November 22, 2005
Microsoft yesterday announced a zero-day exploit that affects Internet Explorer. The Zero Day Security weblog describes it well:
"Of course, to be compromised the user must first browse to a malicious web site. According to Computer Terrorism: Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user.
"Several informative sites include Microsoft, FrSIRT, MITRE, US-CERT, InfoWorld, eWeek and SANS (which suggests disabling Java or using another browser and has a BleedingSnort Rule on their site).
"Get ready for a patch blast from Microsoft on this one."
Microsoft's comments have been updated with the latest information. From their Security Advisory 911302 information page:
"...We have also been made aware of proof of concept code targeting the reported vulnerability but are not aware of any customer impact at this time. We will continue to investigate these public reports.
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
"This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests..."
I was on the phone with a professional contact today, a guy who happens to do cybercrime and anti-fraud work in his job as a special agent for the FBI. That's a part of what I do in my day job, by the way - help chase down bad guys on the 'net and interact with law enforcement to shut them down. It's a fairly effective way to keep one foot in the door of my previous career (police work) and at the same time be firmly planted in the computer technology world. I also get to working with some really smart people who build great software that is used to prevent fraudsters from reaching victims.
Anyhow... So I was on the phone with my anti-fraud cohort, and he had that "FBI-agent-having-a-rough-day" sound in his voice. He's one of these guys who's always very positive, but it was clear quite a bit of work had been cut out for him and his coworkers over the past day or two.
It turns out there's a new set of fake emails running around that try to look like they came from the FBI or the CIA, and which have an attachment that is actually a virus.
Now, let's get one thing completely clear: If you ever get an unsolicited email that has a file attached, DO NOT OPEN THE ATTACHMENT. It doesn't matter if it's from the President of the United States or the Creator of of the Universe... Email is inherently insecure, and if it looks out of place, it probably is. You can read the FBI's press release about the situation here, which describes the fake emails in some detail.
This is just another example of social engineering and the fact that given the opportunity, people will fall for almost anything. Oh - and if you don't have antivirus protection at your email service provider, change providers now. Seriously. Get a GMail or Hotmail account or something.
I'll tell ya one thing... Whoever had cohones enough to construct that virus variety to send email pretending to be from the FBI is in for a rude awakening. Seriously, seriously stupid move. Heh.
Monday, November 21, 2005
The Microsoft anti-malware team has posted information about their products' ability to remove the rootkit associated with the Sony DRM mess that everyone and their brother has written about over the past couple weeks. If you don't know whether your Sony CD was one that may have installed this junk on your computer, there's a list of CD titles available here. If your CD is not on the list, it's ok. If it is on the list, Sony BMG will send you a replacement.
If you think you might have a problem (or if you just want to make sure you're cleaned up in general), go to the Windows Live Safety Center, where you can scan your computer for this and other malicious or bad software and clean it right up. Select the "Full Service Scan" followed by the "Quick scan" option. You'll need to install the ActiveX control for the scanner.
And the other two removal tools the team works on are also able to resolve the problem:
"The Windows AntiSpyware Beta will be able to detect and remove this as well with the 11/17/05 signature release. Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December."
If you've not yet used the Windows Live Safety Center, it's a great place to run a scan on any computer for a variety of potential problems, without having to download and install special software programs. The complete scan checks for open ports that might cause problems, viruses, malicious software and more. It can also clean up temp files and defragment your hard drive to improve performance and reliability. This whole services thing is looking pretty promising.
Sunday, November 20, 2005
Another of the new Windows Live series of services officially launched the other day - It's Windows Live Custom Domains, and essentially it allows you to use the great Hotmail email services with your personal domain name.
All you have to do is go to http://domains.live.com/, specify your domain name (which you must already have registered), make a change to your DNS settings for the domain (the service will let you know what the settings are - this is the most complicated part of the whole deal), and create email accounts (which become passport logon accounts for the system).
I created a mail service for blogaholic.net (a domain which I have yet to launch, maybe someday) and added an email account, logged in and was sending mail - all in less than 10 minutes. Suhhh-lick!
Serious about Security
The service is really darn cool (seriously, if you're looking for the power and convenience of Hotmail and the uniqueness of your own domain name, it's hot), but the one thing that stood out to me the most was the client security Microsoft has built into the account setup process for this service. Yes, I know - basic security tools, blah blah... But it's become the rule more and more lately, which deserves mention. It's a terrific sign that the company is building better security - and better user tools to enable and teach effective security - into their services.
For example, when I created the email@example.com email account, it required me (as the administrator for that email domain) to set a temporary password. In other words, if I create accounts for others (yes, just let me know), I only know the password they'll use to log into the account the first time.
Once I logged in to activate the email account and start using it, I had to provide the temporary password, and it required me to choose a new one and confirm it. But even better than that, as I typed the new password, a color-coded "password strength" bar showed me the complexity strength of my password. It went from Red (weak) to Yellow (so-so) to Green (strong) as I typed. Nice! That's what we need more of - simple, powerful tools to help end users be more secure in real time. Great work, whoever decided to put that in, and to whoever built it. It's quite effective.
[UPDATE: Apparently this is a feature that shipped earlier this year and was included in the LCD package and which was PM'ed by Trevin in Windows Live Identity Services - cool! Looks like I found another blog to subscribe to!]
On the same page, the user has the option to set their password to expire every 72 days. Unfortunately, that box is not checked by default (it really should be), but the fact that it's available is very good. Hopefully they'll change their tun and check that box by default, and let people un-check it of they don't want it. I'm always a proponent of more-secure-by-default.
If you want to find out more, Omar Shahine (Lead Program Manager on the HotMail front-door team) has info here and here, and the Custom Domains team has a blog here.
Sunday, November 13, 2005
I've been a T-Mobile Hot Spot subscriber for more than a year now. I have used it all over the country, and it's always there when I need it, whether I am traveling or if I'm just dropping into a Starbucks for coffee on a whim. It lets me leave my desk and still work from time to time - and we all have those times when the value of sitting in a coffee shop where no one can find you in person is seriously valuable.
One thing that's always frustrated me is the fact that I always have to open the web browser and load some random page to authenticate to the HotSpot service. It's a pain, and today (while sitting here logged onto a Starbucks HotSpot in Beaverton, Oregon) I decided to see if there was anything available to automate the process for me.
You can imagine how stupid/ignorant/DOH! I felt when my google search pointed me right back to T-Mobile's web site, where I found a description of their Connection Manager software. After hitting the 'back' button on the browser a few times to return to the page confirming I was signed on, I decided to read that page for the first time and sure enough, right there in the menu bar is a link to "Download Connection Manager." Heh.
Turn off your speakers if you're in the coffee shop before you click on the link, though, or you'll quickly become the target of startled stares from everyone else in the shop when the completely unnecessary Flash movie with LOUD SOUND. Kinda like this (you'll need those speakers back on again, dude).
Download the file, run the installer, and choose from a completely goofy skinned app or a Neapolitan-colored stylized app. I chose the lesser of the two evils.
Then things got interesting. It immediately required me to disable the Wireless Zero Configuration Service in Windows XP, which will no doubt break everything else I had set up for wireless connections prior to installing this thing. It sure as hell better work... Why can't things be simple an non-intrusive?
Now, clearly this software does more than automatically log you onto their regular WiFi HotSpot network. It sees a WPA-protected network, which means encryption and privacy. +1 for that. And the the EDGE/GPRS options obviously refer to using their data cards to connect from the road. Cool to have that in one place. Too bad there's no task bar icon when the app in on the screen.
The interface works well and there's really a whole slew of options. One of the coolest was the fact that when I went to the "Tools>Settings" menu and chose the "VPN" tab, it automatically detected my Cisco Systems VPN client and all of it's profiles and let me choose which to use when clicking the big, fat "VPN" button in the T-Mobile UI. It works great, and I'm connected as I type. Nice feature:
VPN options dialog - click to view full size
Perhaps one of the greatest benefits of using the software is the availability of the secured wireless network. Seems like they could offer this without having to install custom software, but oh well...
Access to a secured network - click to view full size
Here's where the automatic logon happens - they give you the opportunity to provide your T-Mobile account name and password, and you can save it for later use:
Save your credentials to authenticate automatically later - click to view full size
Of course, it failed miserably when I first tried. I had to randomly select a whole slew of messy windows that kept popping up when I was trying to fill in the account dialog. Some of them were especially helpful:
Not sure what they're wanting with this dialog
But eventually (after fighting several windows that continually took focus away from the "enter your authentication info" dialog box) I found success:
Success - click to view full size
Sure enough, wireless zero config is disabled and I am connected using their software. Good enough for now, but that will likely have to change due to the complexity of some of the networks I have to access with this thing. We'll see.
As I was typing this, without warning yet another random box pops up and steals focus. Apparently it was downloading every single T-Mobile HotSpot location in the entire freakin' world. Weeee... Anyhow, it was bit confusing for a second, and all these windows just popping up, downloading stuff without asking and stealing focus are aggravating and just plain bad design. But it does work:
Random pop-ups everywhere - click to view full size
So... Despite the fact that it's custom, proprietary software, there are some cool things in this app. For example, the Available Networks dialog is better than anything built into Windows:
Nice network list visuals - click to view full size
Well, I'll leave it installed for now. Maybe I'll get lucky and the other networks I access will just work. Not counting on it though. Heh.
Somewhere there must be a third-party app that will automagically log me on. Just haven't found one yet. Maybe I'll make one.
I saw this when it was posted on the anti-malware weblog the other day, and I thought, "Sure, makes sense, yep uh huh." But I guess others found it to be big news. The Microsoft anti-malware software (Windows Defender) and the Anti-spyware beta software will be able to detect and remove the Sony DRM rootkit that's been discussed in extreme detail over the last week. the Malicious Software removal tool will eradicate it as well.
I think this is great and all, but in my book it's not actually huge news. Big news would be if they didn't detect and remove it. Glad to see the MS software and team is for real and doesn't worry about business boundaries. Bad is bad is bad, and doing something about it is good. It's what we expect.
Saturday, November 05, 2005
Well, it's getting more and more interesting (and official) with each passing day. The anti-spyware team at Microsoft has announced the new name for their anti-spyware application (which really handles more than spyware). It's going to be called Windows Defender, and will ship with Vista. That's good news. Even more good news comes in the later part of the blog announcement, where Jason Garms explains the package will also be available to Windows XP users.
They'll be delivering the malware signature updates over Windows Server Update Service (WSUS), as well. As a result, "Windows Defender" will begin appearing in the WSUS product list and a category called "signatures" will also appear. It sounds like a beta will be released sometime in the future that will take advantage of those update facilities.
Read the announcement here.
Wednesday, November 02, 2005
The security geek in me is a happy guy today. The Anti-Malware product team at Microsoft has fired up their new blog. They're "the team responsible for building Microsoft's antivirus and anti-spyware technology (along with anti-rootkit, anti-bot, and other stuff)." Malware, for those who are not yet familiar with the term, is short for "Malicious Software."
"We already have two pieces of technology our technology shipping: the Windows Malicious Software Removal Tool, which helps to remove some of the most prevalent malware from a user's machine. We also are shipping a beta of the Windows AntiSpyware technology. We'll talk more about these in future blog posts. We also have a bunch of other cool stuff in the pipelines."
This will be one worth watching, I imagine. The security threat landscape has eroded, changed and reshaped itself significantly in the past year, and things are only getting more and more complicated. So, it's good to see the face of a critical team in Redmond and to have some insight into what they're addressing.
Tuesday, October 18, 2005
If you have the MSN Toolbar on IE6, go grab the new beta Phishing Filter (shouldn't that be PHilter?) and install it.
The Phishing Filter Add-in offers access to the beta version of a new dynamic online service, updated several times an hour to warn you and help protect your personal information from these fraudulent websites by:
- Scanning websites you visit and warning you if they are potentially suspicious.
- Dynamically checking the web sites you visit with up to the hour online information via an online service run by Microsoft and blocking you from sharing personal information if a site is a known phishing website.
I only get, ohhhhh... maybe 50 phishes a day (seriously), so I checked my email from tonight, chose one of the several PayPal phishes that arrived this evening (most of which still had live web sites associated with them) and found the new add-in for the MSN Search Toolbar did the job quite well. It caught the page and blocked my ability to enter info into the form fields (click the image to view full size):
Monday, October 17, 2005
Correction posted: SANS updated their post to reflect the fact that it was in fact MS05-012 that had been exploited. That's good news, but get patched before it's here...
If you think you can wait to apply patches til it's convenient, think again. According to an update from the Handler's Diary at SANS, the first instances of code exploiting MS05-051 have been detected in the wild on the Internet:
Trend Micro reports that they spotted a POC for MS05-051 in the wild. They found it included as a new exploit in other malware. We don't have any details yet beyond what can be found in at Trend Micro. If you find a copy of this malware, please forward it.
Trend Micro states that the malware was written in Visual Basic, which usually indicates some low skilled bot-kid. Kind of odd to see it surface this way, but having it included as a new warhead in existing malware matches past patterns.
Trend Micros virus statistics do not report any "captures" of this exploit in the wild. Not exactly sure if this is just a lab sample, or if it was actually seen in the "wild".
We will update this diary as we learn more.
Friday, October 14, 2005
Rich Claussen has the low-down on a new pact between Microsoft and the government of Nigeria to combat fraud:
Not well publicized is how this came to be. Unknown to most, Microsoft's Chief Software Architect, Bill Gates, received the following (condensed) email from the government of Nigeria soliciting his and his company's assistance.
FIRST, I MUST SOLICIT YOUR STRICTEST CONFIDENCE IN THIS TRANSACTION. THIS IS BY VIRTUE OF ITS NATURE AS BEING UTTERLY CONFIDENTIAL AND 'TOP SECRET'. I AM SURE AND HAVE CONFIDENCE OF YOUR ABILITY AND RELIABILITY TO PROSECUTE A TRANSACTION OF THIS GREAT MAGNITUDE INVOLVING A PENDING TRANSACTION REQUIRING MAXIIMUM CONFIDENCE.
Read more on Rich's blog here. Nice sense of humor there, man.
Seriously though - Read the news about the *actual* agreement (for real) between the company and the country here.
Microsoft on Tuesday released nine security patches that are intended to alleviate 14 problems in various versions of the Windows operating system. Today the company issued an advisory to its enterprise customers via email that the MS05-051 patch, which is considered to be the most critical of the bunch, may cause problems on some computers where it is applied. However, Microsoft if still strongly encouraging everyone to apply the patch and has published a knowledge base article describing the issue with the patch and explaining how to resolve the associated problem, should it come up.
On a computer that is running Microsoft Windows XP, Microsoft Windows 2000 Server, or Windows Server 2003, one or more problems may occur after you install the critical update that is discussed in Microsoft Security Bulletin MS05-051. These problems include the following:
||The Windows Installer service may not start.|
||The Windows Firewall Service may not start. |
||The Network Connections folder is empty.|
||The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer. |
||Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an “HTTP 500 – Internal Server Error” error message. |
||The Microsoft COM+ EventSystem service will not start.|
||COM+ applications will not start. |
||The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.|
||Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.|
For a complete description and resolution instructions, read KB article 909444.
Tuesday, October 11, 2005
None last month, but nine security patches were released today for Patch Tuesday - three critical, four important and two moderate severity. So, do your testing where needed and then go get all patched up.
November Security Bulletins:
MS05-050 - Vulnerability in DirectShow Could Allow Remote Code Execution
MS05-051 - Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution
MS05-052 - Cumulative Security Update for Internet Explorer
MS05-046 - Vulnerability in the Client Services for Netware Could Allow Remote Code Execution
MS05-047 - Vulnerability in Plug and Play Could Allow Remote code Execution and Local Elevation of Privilege
MS05-048 - Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution
MS05-049 - Vulnerabilities in Windows Shell Could Allow Remote Code Execution
MS05-044 - Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering
MS05-045 - Vulnerability in Network Connection Manager Could Allow Denial of Service
Monday, October 03, 2005
The beginnings of putting some more bite behind the anti-phishing bark are in play. The Governor of California (you all know who he is) today signed a bill into law that makes phishing - the practice of using fake e-commerce web sites to try to trick people into submitting their personal information - punishable with civil penalties.
"Victims may seek to recover actual damages or $500,000 for each violation, depending upon which is greater. Phishing often involves the use of names of legitimate banks, retailers and financial institutions to convince recipients of bogus e-mail offers to respond."
This is a good thing, in theory. Federal anti-fraud investigations are driven - like it or not - by the dollar amount associated with the loss. If it's not $100,000 you can't expect a lot of federal action, which makes sense when you consider that there are limited resources ad you have to focus on the biggest crimes.
Only thing I want to know is this: How are we going to recover judgments from bad guys in Romania and other foreign countries? Fact of the matter is that most all phishers are not in the United States. That's something to think about.
Friday, September 30, 2005
Earlier today, Alex Scoble wrote about an IM conversation he and I had regarding VPNs and solving the nagging issue of firewall and other network roadblocks that tend to wreak havoc for people who need to connect to a remote private network. If your VPN client forces you to use some random or uncommon port, you're bound to get frustrated when you try to connect from many business networks, not to mention when you try from the hotel on the road. Now, maybe you shouldn't be plugged into that business network, but blocked by the hotel? Come on, give me a break.
There's no one perfect solution to this problem. There are lots of ideas, though. Many companies (most or all of the big players in the space) are coming out with VPN over SSL options, which is great. But what if you have a need to run a VPN software client, and it doesn't (yet) support SSL tunnels?
Here's one way to skin that cat, a la Cisco: Use TCP 443 in the Cisco VPN client to connect via an IP Sec tunnel to your VPN endpoint. Note that you'll need to specify this in the connection settings. Typically the Cisco client uses the UDP protocol to do it's thing (click to enlarge):
But as you can see, you can also set it up to use the TCP protocol and whatever port(s) your VPN concentrator is configured allow. For example, you could choose to use TCP over port 80, or port 443, since both of those are commonly open from any network. Note that port 80 might be proxied in some cases, but that's probably not a problem with 443, so it's a good one to try (click to enlarge):
If you set up a couple or few profiles in your VPN client software sufficient to cover the bases (like, say one using UDP and one or two using common TCP ports), you'll pretty much always be able to connect from the road. Again, there's no guarantees and there's no 100% perfect solution, but this gets you better than 95% of the way there, I am confident. Just make sure your VPN host/endpoint is configured to support the ports and protocols you specify. In the past year or two, I have yet to come across a network while traveling (except for a couple of highly-secure ones at business locations, but hey...) that I could not successfully connect through with at least one of the settings I have available to me.
And while we're on the subject, there are some interesting and promising SSL options out there, with more undoubtedly coming. As far as other brands of VPN software clients, well - I've used most of them and let me tell ya, you're better off going with Cisco and looking at the PIX firewalls and the 3000-series VPN concentrators. Trust me, I've dealt with most of them, and there's a reason Cisco's such a prolific Internet company.
But tell me - what do you use and how have you solved this type of problem?
Tuesday, September 27, 2005
Microsoft today released SP2 for Office 2003, which can be downloaded via Office Update, or you can grab it here and you can read about it here.
In addition, OneNote 2003 SP2 was also released today - read about it here, and download it here.
One of the notable features in my book is the Phishing protection update for Outlook:
Microsoft Office Outlook® 2003 Phishing Protection and Junk E-mail Filter
SP2 contains a new Phishing Protection feature to be used with the Outlook Junk Email Filter. Phishing is the luring of sensitive information through e-mail, such as passwords and other personal information, by an attacker masquerading as someone trustworthy. Phishing attacks can result in a user divulging sensitive information, including financial information, that can result in a loss of privacy or money. Phishing e-mail is hard to identify, because attackers make their e-mail appear genuine and often mimic recognizable e-mail sent out routinely by legitimate organizations such as banks and credit card companies.
To enable phishing protection, you need both Office 2003 SP2 and the latest Outlook 2003 Junk E-mail Filter Update. Once both are installed, Office 2003 SP2 has phishing protection turned on by default.
For best results, we recommend you regularly download the latest version of the Outlook 2003 Junk E-mail Filter Update. To determine whether you need this update, see the Microsoft Knowledge Base article (872976): How to obtain the latest Outlook 2003 Junk E-mail Filter.
Sunday, September 25, 2005
In the course of trying to save some time and make things a little more streamlined at work, I've been looking for Microsoft RSS feeds for security patch releases with sufficient detail in them to be able to do some automation of our internal patch tracking. I am already aware of the RSS feed at TechNet, since I have been subscribed to it since day-one:
But unfortunately it munges multiple pieces of discreet information into one data element (specifically the title) and also leaves a bunch of stuff completely out, since it's just a list of summaries, really:
<title>MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)</title>
<description>This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Print Spooler service that could allow remote code execution. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</description>
<pubDate>Tue, 9 Aug 2005 00:00:00 GMT</pubDate>
Maybe this is a good example of where RSS extensions could or should come into play, or maybe what I need instead is a more generic (non-RSS for all I care) XML feed that has a schema that supports keeping the patch number, KB article title, bulletin name and long description as separate data points. Plus, where's the rest of the info for each bulletin? I'd also like to see what platforms each bulletin applies to (in a yes-or-no format for each one), the intricate details about the vulnerability, and other stuff like that.
Is there an XML feed that does that already? Maybe there is but I've just not found it. There's the old MSSecure.XML from the HFNetChk command line tool (not updated since 2004 on the MS Downloads site, it appears), but even that's much more verbose than what I need. I've looked around here and here, and I have done some searching, just no luck. I figure they have the data available to build all those services, but I can't find a good detailed source to build my own lists.
I did three minutes worth of Excel work to play with the feed (and I suck at Excel so my formatting in it is poor, but it basically works) and came up with a working spreadsheet from the TechNet feed. I definitely need to be able to do more with it though. You can see my l33t Excel skiilz (um, not) here:
What I really want is to be able to automatically pull the details of each released security bulletin into a list or Excel spreadsheet, add my own metadata to each one, and have that list/spreadsheet live over time. I'm trying to avoid a whole lot of cut/paste activity and need to find a way to speed this process up. Before you say I should just use Excel and VBA to parse through the available data, let me ask you - What if Microsoft changes their formatting on their bulletins?
So - my biggest obstacle right now is a data feed. If anyone knows of one, drop me a line and let me know.
Wednesday, September 14, 2005
My employer, Corillian Corporation, announced the other day that it's achieved certification under the international security standard BS7799, which is also the basis for the about-to-be-released ISO17799 standard. Without disclosing anything confidential here, I wanted to write a few of my own personal thoughts about the process and my experience in it, and what I think it means in the real world.
Those of us that have been involved in making this happen - which in the end really means every single person employed by the company - are excited about the achievement. We didn't just work to certify a portion of the company's operations, we did the full-meal-deal. I know that those of us on the security team all feel a real sense of accomplishment and success, while cautiously recognizing that we now have that much more to continue to live up to, now that we've arrived. After all, resting on one's laurels in the security world is a dangerous place to be, and security is a process, not an event.
What does it mean to be certified under the "7799" standard? Simply put, the certification says that the company has put in place a comprehensive security management system and program, and that it has shown evidence through a set of documentation and on-site examinations that it's meeting the complete set of standards without deficiencies. In other words, it means we've proven under close scrutiny that we have a solid security program that we take very seriously, and that it works.
I can't begin to explain the amount of learning I did in the process of doing my part in the effort to attain certification. I can tell you that I am convinced - well beyond the shadow of a doubt - that a strong security program and management system can and does contribute directly to the delivery of high quality of products and services. It's a lot of work to get to the point where certification is even possible, and many people dedicated incredible effort over the course of a couple of years to reach this point, but the value gained through the process is very high.
Every organization that deals with security issues and responsibilities should go through the process of certification under the standard. It would make for a much better operating environment, and would result in better-run companies. And in this day, age and operating environment, where trust and security are of paramount importance to business success, there's almost no excuse not to do so.
Saturday, September 10, 2005
We're not all perfect, bulletproof or even smart. Funny how it works that way. In fact, there's a certain percentage of IT and security pros out there that come up with bone-headed, stupid ideas - and who make decisions based on those ideas.
Marcus Ranum wrote about what he calls "The Six Dumbest Ideas in Computer Security." It's a good read, and I agree with almost everything he says there:
In reality, anyone in the IT and security field should have a solid, well-formed opinion that they can back up on everything Marcus mentions in his essay.
(via Bruce Schneier)
Monday, September 05, 2005
One of the things that keeps some companies from patching computers in a timely fashion is the potential for data loss if a computer being patched restarts and data open on the desktop is lost.
Windows Vista promises to fix that problem by "freeze-drying" any work open on the PC at patch time, allowing the user to reconstitute the work when the computer restarts.
Even better, they're making the patching process better, so restarts will be necessary much less often. Many apps can be patched while they're running, and are replaced at next restart. We have some of that now, but will have more of it in the Vista release.
Read more - Tech News at ZDNet
Thursday, August 18, 2005
Tuesday, August 16, 2005
If you're responsible for (or just into) computer security - at a fairly involved level - check out (IN)SECURE Magazine, a PDF distribution, at http://www.insecuremag.com/.
Issue 3 is out. It's 67 pages. Serious stuff. Lots of great, practical, useful stuff.
Check it out.
In the August issue:
- Security vulnerabilities, exploits and patches
- PDA attacks: palm sized devices - PC sized threats
- Adding service signatures to Nmap
- CSO and CISO - perception vs. reality in the security kingdom
- Unified threat management: IT security's silver bullet?
- The reality of SQL injection
- 12 months of progress for the Microsoft Security Response Centre
- Interview with Michal Zalewski, security researcher
- OpenSSH for Macintosh
- Method for forensic validation of backup tapes
Saturday, August 13, 2005
Last year, I picked up a couple Wireless PC Lock devices, to see if they'd work in a business environment to control workstation security. What I found was that I'd purchased what seemed to be some cool hardware, packaged with really crappy software. In fact, the software was so bad, it made the hardware pretty much useless. Useless doesn't help in the security world, so I was disappointed overall.
Then about a week later, I discovered that Bryan Batchelder, another security type, had also picked one up, reverse engineered how it works, and written his own software for it. Bryan's software was a vast improvement - measurable in orders of magnitude - over the software that shipped with the hardware.
Then Scott Hanselman, a coworker and friend of mine, found the device and software and decided to contact Bryan and work with him to use take it to the next level, using the new .NET Framework v2.0, to control and take advantage of the hardware.
And today, a new article was published that Scott wrote for hobbiest programmers, as an installment in his excellent "Some Assembly Required" series on Microsoft's MSDN Coding4Fun site. The article is entitled, "Is that you? Writing Better Software for Cool USB Hardware." In this edition, Scott explains how the new software, built from Bryan's base, is made and how it can be extended by anyone who wants to (since it's an open source program published on SourceForge).
I've installed the new software myself (after downloading and installing the .NET v2.0 Beta 2 framework) and have it running, and I can tell you this: The new software really shows how cool the hardware is, as opposed to the original software, which made the hardware look sloppy and bad.
The hardware consists of a USB stick (it looks much like a USB storage device) and a small round button you can hang on your keychain (or wherever). With the new software, a tiny green icon appears in the Windows status notification area (the tray) and flashes to show you it's getting a heartbeat from the key fob button. If you turn the button transmitter off (it lasts for-freakin-ever on one battery, mine's almost a year old and it's still going strong), the software on the compute notices and does whatever it's configured to do. The image below gives you an idea of the things it can do out of the box, and it's plug-in-able, so if you want something else, you can go build it.
Hmmm, gotta go see if I can learn enough to be able to write a plugin now.
Monday, August 08, 2005
"...wouldn’t it be wonderful if there was a native Windows version that resided totally on CD and could be used to recover your distressed PC..."
Yes, it would. And as JK points out, there is one available. It's called BartPE (Bart Preinstalled Environment), and it lets you construct an awesomely useful boot CD. There's lots of plugins available, too.
Okay for personal use, and for business use in your company, but not free to redistribute.
Saturday, August 06, 2005
There's been all sorts of rumor and story-making flying around the Intarweb the past few days about a supposed first virus to attack some new part of Windows Vista (which is the next generation of the Windows Operating System - Vista was released recently in a Beta 1 test version to a closed group of testers and MSDN subscribers).
Well, it turns out that's not quite true.
Now, there might be a proof-of-concept script-based "virus" that takes advantage of a new beta shell technology called Monad. But Monad is not part of the Windows Vista beta, it won't be part of the release when Vista is done, and as such the rumors are inaccurate and based in false assumptions, according to the Microsoft Security Response Center weblog (which, by the way, security and IT professionals should subscribe to).
"There’s been some commentary the past couple of days regarding a potential Windows Vista virus and we wanted to weigh in with some details. First of all, in examining the details of the reports, there is no Windows Vista virus described in them. Instead, the reports are regarding potential proof of concept viruses in the form of malicious scripts that are developed to affect a new interactive shell codenamed Monad, which is currently in early phase of beta testing.
"Now to be clear, these reports pose no risk for Microsoft customers. The viruses do not attempt to exploit a software vulnerability and do not encompass a new method of attack. Furthermore, Monad is not widely available for general use. It’s a beta, and we do not recommend or support the use of beta software in a production environment. Microsoft continues to analyze the feedback from testers as Monad continues to be developed.
"But most important, Monad is not included in the beta release of Windows Vista or in Windows Server 2003 R2.
"Monad will not be included in the final version of Windows Vista and there is no relation between Monad and Windows Vista Beta 1. Monad is being considered for the Windows Operating System platform for the next three to five years. So these potential viruses do not affect Windows Vista or any other version of Windows if Monad has not been installed on the system."
Note that Microsoft did not decide to pull Monad from Windows vista in response to this Monad virus scare/story, and they point out that Monad is an early beta technology, not intended to be used in a production environment. Well, yeah... Duh...
It's worth repeating that last point: Beta versions of commercial software are - by their very nature - not fully tested or officially QA'ed, and as such one has to consider beta code to be less secure in general. That should always be considered in deployment.
This is a great example of rumor run rampant, assumption trumping investigation, and the power of hate amongst those who drink of that darker cool-aid, and who wish for nothing less than harm to befall a great-big software company. If you want to believe something bad enough, if you're waiting in the trenches for something to jump on, if you do that often enough and get crazed enough in the process, you're going to lose your perspective. In my previous career, where I sometimes had to deal with those sorts, they call that a cult mentality.
Anyhow - Point is, it wasn't true. And that's something that should be said.
Thursday, July 14, 2005
Where I work we run a couple of high-security data centers, and the security policies don't allow outbound network connections to the Internet to be initiated from inside the datacenter. It's a good policy and makes for a much more secure environment. So, when it comes time to activate a copy of Windows Server 2003, I frequently get asked how to do that over the phone.
I could just say "Ask Google," but instead I think I'll just point people here, heheh...
The Microsoft Windows Product Activation phone number (for the US anyhow) is 1-888-571-2048
Also -- It's worth noting that Windows should tell you what number to call if you let it. From the Microsoft web page on the topic
** Toll-free telephone numbers are available in all countries where telephony infrastructures provide for them. The telephone numbers are displayed when telephone activation is chosen.
Tuesday, July 12, 2005
Hopefully you don't need this advice because you've been victimized, but this is something everyone should know.
If you ever become a victim of online fraud or any other form of fraud where you believe or know your personal information has been obtained or used improperly, there are a number of things you need to do. Microsoft's Security at Home team has put together a list of things you should do. They include:
- Close any affected accounts - both verbally on the phone and in documented written form
- Place a fraud alert on your credit reports - will all the credit reporting agencies
- Contact the proper authorities - both federal (FTC) and local (police or sheriff's office)
- Record and save everything - document, document, document
That's all good advice in general. Additional resources and more specific information is available on their web site.
Wednesday, July 06, 2005
Over on Microsoft's Channel 9, Scoble's posted a new video of Kim Cameron, who has a weblog called the Identity Blog. He discusses identity and trust, and what it will take to build a single-experience trusted system for common identification. It's an interesting conversation. I've read his weblog for a while now, so it's good to see him speak about this.
"Identity is like the Hotel California of Technology - you can come but you can never leave. We have a lot of work to do."
This is a topic that is near and dear to my professional heart. Identity protection and theft is something I deal with every day. It's complicated. It's not easy. It's a goose chase at times. There are almost no standards. But it's of great importance right now. The people I manage and work with are super-talented and are building a couple terrific pieces of security software right now, software intended to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.
Where I work we are charged with protecting the identities and assets of people who are doing critical financial transactions with their banks and credit unions. To us this stuff matters - it matters a lot. And it should matter to anyone that's doing business on the 'net and everyone who writes software used to do business on the 'net.
"It's impossible to be too paranoid about this ... We have to be paranoid."
The video is about 55 minutes, and it's worth the time for people who are concerned (or who should be concerned) about the topic. You'll need to get about two-thirds of the way through it til you get to Cameron's "Laws of Identity," which are akin to pure gold in their simplicity. Go watch.
Sunday, July 03, 2005
Last week I went on a mission trip with our church youth group. It was fun (for the short time I was able to be there), and a good experience. One of the youth talked to me for awhile about a book I gave him and the other group members several months ago.
The book is called "Always Use Protection - A Teen's Guide to Safe Computing." It has its own web site, and is a great conversational read for both teens and adults. The author, Dan Appleman, wrote it with the assistance of youth he works with - they were his editors and reviewers, and because of that it is a great book for young and old people alike.
I had given the books to the youth group members during a meeting, and we'd discussed some of the content. Now my young friend has continued reading it (as have several of the others in the group), and as a result he understands his computer much better than most kids his age.
I had used the book to talk to the youth about security and safety in the computer world, and so they could have an excellent reference for them as they grow up to become the next digeratti. I'm a security and IT guy by trade, so it was not too much of a stretch for me to take this on - but the book enhances the experience, and is a permanent fixture for these young people to use and learn from over time.
In fact, when we returned to Portland, the young man's grandmother had her own glowingly positive review when she picked him up. Apparently she's been reading it as well, and found it easy to understand and quite useful.
So Dan, if you happen to see this, know that your book is doing good work with good people. And thanks for that.
Also - Dan was interviewed on Microsoft's Channel 9 a while back in a series of very good segments - so hey kids, check them out:
Saturday, June 25, 2005
Microsoft's released a new build of their Microsoft Antispyware beta software. Several improvements are included. The expiration date for the beta software is also extended through the end of the year. Download here.
From the MS web site description:
In this second beta refresh (Build 1.0.614), we’ve made other enhancements to the detection and removal capabilities, including improved Winsock LSP removal capabilities and support for long descriptions of categorized software. In addition, we have also extended the Windows AntiSpyware beta expiration date to December 31, 2005.
Existing users of the beta (Builds 1.0.501 and 1.0.509) will receive a software update that extends the expiration date and includes the enhancements to the detection and removal capabilities. The second beta refresh is also available for download through this site.
Saturday, June 11, 2005
More and more as time goes on I am asked about how to securely configure and use computing systems, whether they be Internet sites, online financial services, wireless networks, home and business computers, physical homes and businesses, or what have you. Since my role in that area has not changed too much, I have to assume the uptick in questions comes as a result of a desire by people to get more secure, which is a good thing.
Someone named Jim wrote me the other day and asked about my philosophy on passwords. I get this specific question often enough, I thought I would write about it here:
I posted a question on the PCWorld forum and your name came up regarding my question. My issue was regarding passwords. I am a Realtor and our main access to the MLS is starting to require password changes monthly. This is not that difficult but along with all the other passwords I have to use each day it is getting to be a bit of a headache and I think it's time that I get my act together once and for all and get passwords under control. I asked for opinions on software and also philosophy. I'd like to hear your opinion. Thanks and I'm looking forward to reading your response.
My name is Greg, and I am an IT and security professional. It's been more than six months since I last created a traditional password. They say it's a disease, and so I am here to share my experience, strength and hope so that you, too might recover from the ravages of insecure computing and inadequate safeguarding of information.
Or something like that. Ok, now let's get serious. I'll share what I do as well as one computer program that I have found can help.
My password philosophy varies based on the system in question, to be perfectly honest. I use passphrases as much as possible, meaning passwords in the form of natural sentences or phrases including things like spaces, normal capitalization and punctuation. That makes them easy to remember, yet tends to keep them complex enough to meet stringent security requirements.
As a general rule, passwords or passphrases should be at least 8 characters in length, preferably longer (I tend to go with 13 or more characters, and you're going to see how easy that can be in a minute). They should also always include at least three of the following four characteristics:
- Upper-case alpha characters (A-Z)
- Lower-case alpha characters (a-z)
- Numeric characters (0-9)
- Punctuation or other special characters (!@#$%&(*?>< etc.)
In addition, the rotation period for expiring passwords in a secure environment should be no less than every 60 days, and preferably less. Using too frequent of a rotation tends to result in self-defeating problems with the whole process: People who have to change their passwords every 15 or 30 days, for example, have a tendency to write them down and stick them in their wallets, or to use less-than-secure passwords. That's bad.
Another common problem is passwords expiring at inopportune times. I expire passwords in intervals of 7 days. Why? Simple - If you set passwords to expire say every 42 days, someone whose password expires on a Monday will always expire on a Monday, which avoids the problems of expirations falling on weekends or other difficulty days.
I think you'll find that most experts will agree with the above recommendations.
Maintaining passwords and passphrases securely - helpful software
Switching gears to management and storage of multiple passwords for various systems, one simple rule that should be obvious is often set aside, but should always be followed: Do not use the same password in multiple places or systems unless the system is built to support doing so for you. Great, you think... How am I supposed to manage that many passwords, especially if I am always moving around and use more than one computer, or if I use a laptop? Well there are several tools and methodologies that can help.
RoboForm is a software passkey management program that's grown up quite a bit over the past few years. It not only secures and stores passwords, it even fills out logon forms for you. Last year they created and started testing a version that installs on a USB key called RoboForm Portable, or Pass2Go. It's surprisingly not well-known, but it works pretty well. Your passwords are secured on a USB key with Triple-DES encryption. So for most all purposes (maybe not national security secrets, but hey you know what I mean) it's quite secure, and you can install it right on the USB key/drive and run it from there (you can even put the portable version of Firefox on there if you want and tie them together). Using the USB drive to run the RoboForm Portable program means nothing has to be installed on the client computer. If you lose it, it's encrypted and locked with your master password. Note, too, that there are RoboForm add-on's not just for USB keys, but also for Palm and Windows Mobile devices. So you get to choose, and all of the beat the proverbial Post-It note for security and convenience.
But none of that matters if you can't solve the real problem
But the real problem with passwords is that people forget them all the time, so they do things like use the same password everywhere, or they write them down somewhere and don't secure them, not to mention the fact they can't remember them. You end up with either an insecure system or a help desk that's dying just trying to unlock accounts and administratively change passwords. That's no good.
The fact of the matter is that the simplest way to remember passwords is to use ones that you can naturally relate to. Just as important, they need to be complex and secret enough to be sufficiently secure. This can be done. For example, I have a cat named Cleo. So, I might think about using passwords and passphrases like:
Cleo is my Cat!
Cleo get off the freaking furniture darnit!
You get the idea. Now, since these passwords and passphrases are often set to expire frequently and I don't want to forget them, I always try to think seasonally - incorporating things that are happening in my life at the time. When creating a new passphrase, I don't ask myself "What can I type that I will remember in ten minutes?" Instead, I think "What's happening in my life between now and the end of next month?" For example, if I had to create or change a passphrase or password right now, I might do something like:
Fireworks on July 4th are so cool...
Woah dude like check out the freakin fireworks dude!
Pow bang boom! Oh wow did you see that?
Of course, I won't actually use anything like those, now that I have posted them here (hey trust me - people have done much stupider things). But by making a passphrase meaningful during it's lifetime, I can remember it quite easily (Well, usually anyhow - it can take a little getting used to). By the time the next password-change rotation comes around, I'll just think of something else I can remind myself of for the next 30 or 45 days.
You're probably starting to get the idea of how passphrases work from the examples, and it's also probably becoming clear that I am a proponent of them. They're easy to remember and - this is important - easier to type than munged up words where you replace letters with numbers and convert everything to hacker-speak. They are also quite long and more complex. And more complex means more difficult to guess or randomly replicate, which means more secure. And on top of that, you can actually remember and accurately type it. Not a bad deal, really.
There's no perect answer - some unthinking person with no concern for security will throw in a wrench
Note that not all systems where you can create passwords will let you use spaces in the password field, and some will even limit how many characters you can use.** So, sometimes you have to adjust the way you create your passwords and passphrases to work within arbitrary limits set by arbitrary (non-security-oriented) decision makers.
** Note to security departments everywhere: Get more involved in the app and interface design phases. Just because a DBA somewhere says my online banking password needs to be truncated at 8 characters to save disk drive space doesn't mean they're right. Security reviews need to happen at design time, and then as a part of every step along the way.
By the way, to go off on a bit of a tangent - Jim's original question illustrates exactly why a well-secured and well-designed unified authentication systems can be so valuable, where it makes sense. For consumers, that means something akin to Passport or one of the unified authentication systems out there. In a business computing environment it more often means using something like a Windows domain or Novell directory to have a single set of credentials that you can protect, but which will allow you to access multiple systems. To provide additional security, you don't necessarily want to break an authentication system up and require multiple passwords, because then you're defeating the whole purpose of the unified system. Instead, you might start adding additional factors of authentication to those specific systems where you need extra authentication or authorization protection (RSA SecureID is one great example of how to add another strong factor of strong authentication in an environment where security is very closely managed).
But Dr. Johansson's the one who's really got it covered...
For more information in the philosophy department, I'd point you at Jesper M. Johansson's work on passwords vs. passphrases:
The Great Debate: Pass Phrases vs. Passwords
- Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
- Part Two - discusses the relative strength of each type of password, and use some mathematical approaches for illustration
- Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
I've rambled a bit, but I hope that helps. I have a lot more to write on the subject of authentication security, but that will have to wait for another time.
Friday, June 10, 2005
There is an interesting post describing the exploit of a weakness in MD5 via collisions, with a reproducible real-world example. The authors computationally found the collisions and were able to reliably and predictably produce two completely different postscript documents with the identical MD5 checksum. Their use-case story revolves around maliciously capturing a digital signature and using it for something other than it was intended. In the story, the MD5 checksum is relied upon to validate the authenticity of a document. The researchers wanted to show how this flaw could possibly be used in the real world.
"Recently, the world of cryptographic hash functions has turned into a mess. A lot of researchers announced algorithms ("attacks") to find collisions for common hash functions such as MD5 and SHA-1 (see [B+, WFLY, WY, WYY-a, WYY-b]). For cryptographers, these results are exciting - but many so-called "practitioners" turned them down as "practically irrelevant". The point is that while it is possible to find colliding messages M and M', these messages appear to be more or less random - or rather, contain a random string of some fixed length (e.g., 1024 bit in the case of MD5). If you cannot exercise control over colliding messages, these collisions are theoretically interesting but harmless, right? In the past few weeks, we have met quite a few people who thought so.
"With this page, we want to demonstrate how badly wrong this kind of reasoning is! We hope to provide convincing evidence even for people without much technical or cryptographical background."
Once again, security by obscurity defeated. Interesting read and might make you think. If anyone has comments on their test or process. I'd be interested to hear.
Tuesday, June 07, 2005
Microsoft has released their Windows Server Update Services (WSUS) product, which is a replacement for Software Update Services (SUS). The server solution acts as an in-house patch management and deployment solution for your networked Windows machines and core applications.
What's New in Windows Server Update Services:
- More updates for Microsoft products, in more categories (Windows XP Professional, Windows 2000, Windows Server 2003, Microsoft Office XP, Office 2003, Microsoft SQL Server 2000, Microsoft SQL Server 2000 Desktop Engine [MSDE] 2000, and Microsoft Exchange Server 2003, with additional product support over time)
- Ability to automatically download updates from Microsoft Update by product and type
- More language support for customers worldwide
- Maximized bandwidth efficiency through Background Intelligent Transfer Service (BITS) 2.0 (BITS 2.0 is not installed by Update Services and is available on Microsoft Update)
- Ability to target updates to specific computers and computer groups
- Ability to verify that updates are suitable for each computer before installation—a feature that runs automatically for critical and security updates
- Flexible deployment options
- Reporting capabilities
- Flexible database options
- Data migration and import/export capabilities
- Extensibility through the application programming interface (API)
This new release is ten-fold better than the old SUS product, and if you are responsible for deployingpatches reliably and verifably across your company, this is something you must at least try. It will save time, improve your comtrols, and generally help you sleep at night.
Oh - and it's free to download. Just install it on a Windows 2000 SP4 or Windows 2003 server - your existing CALs cover it.
Saturday, June 04, 2005
eWeek says Microsoft will release a security roll-up for Windows 2000 this week. The roll-up package replaces Windows 2000 SP5, which was recently scrapped. You'll need to have SP4 already installed to apply the rollup. It will be available via Windows Update, SUS, et al.
It's scary how time flies...Windows 2000 is five years old now - wow... Speakimng of which, mainstram support for Windows 2000 ends on June 30th, when the OS goes in to "extended support" mode (which means you pay for support pretty much no matter what).
Information from Microsoft's web site to answer questions people have asked in email and elsewhere:
Windows 2000 Server and Windows 2000 Advanced Server support dates:
- Mainstream Support ends June 30, 2005
- Extended Support ends June 30, 2010
Mainstream support includes:
- Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims)
- Security update support
- The ability to request non-security hotfixes
Extended support includes:
- Paid support
- Security update support at no additional cost
- Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased. Per-fix fees also apply.
- Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
- Extended support is not available for Consumer, Hardware, Multimedia, and Business Solutions.
Complete Windows lifecycle dates are listed here. Other products also listed here.
Not running on Windows Server 2003 yet? Make the move now and you'll be glad you did - if you haven't tried it, you seriously don't know what you're missing. Not to mention the fact that most every substantial future network security enhancement from Microsoft will rely on the back-end of Windows Server 2003.
And for those still on NT4 - Your version expired long ago, and it's replacement is entering the old folks' home. Time to get with the program and secure your little world.
Thursday, May 26, 2005
From Longhornblogs.com, some of the first information about IIS7, which is reportedly code-complete and is now being integrated into Longhorn:
"IIS7 represents the unification of ASP.NET and IIS. Let me clarify what that means. Right now, ASP.NET is implemented as an ISAPI extension for IIS. That will still be true in ASP.NET 2.0. In IIS7, that changes. Instead, the concepts of HTTP pipelines, handlers, modules, XML config files, etc... are all natively built into the platform.
"Along with that, the IIS7 team has completely refactored the whole platform, so now practically every feature in the pipeline has been broken out into a separate module. From a security standpoint, this is a whole new realm for IIS..."
Read more here. Glad to see they'll be releasing it on the Pro and Server OS'es. Cool stuff.
Tuesday, May 24, 2005
In an interesting and (at the same time, but for different reasons) rather scary turn of events, a company's computer data has apparently been locked up, by means of encryption, by an evil-doer and held ransom.
For - get this one - $200.
Tell me that is not the perfect Austin Powers moment. I can hear Dr. Evil now, from his Evil Hacker Base:
Twooooooo Hunnnnnnndred Dolllllllarrrzzzzz! Muuuhahahahahahhhh!!!
Unfortunately, it's worrisome in that through some lack of security protection or another, some bad guy was able to get malicious code into a company that located business files and packaged them up in a nice, neat encrypted (and therefore completely unaccessible without the key) form. They didn't even (necessarily) take the files off the network - they just locked them up and left them there. Maybe. Who knows.
Link to the story: http://it.slashdot.org/article.pl?sid=05/05/24/1321200&from=rss
Security researchers at the San Diego-based Websense uncovered the unusual extortion plot when a corporate customer they would not identify fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets.
A ransom note left behind included an e-mail address, and the attacker using the address later demanded $200 for the digital keys to unlock the files.
"This is equivalent to someone coming into your home, putting your valuables in a safe and not telling you the combination," said Oliver Friedrichs, a security manager for Symantec Corporation.
The FBI said the scheme, which appears isolated, was unlike other Internet extortion crimes.
Leading security and anti-virus firms this week were updating protective software for companies and consumers to guard against this type of attack, which experts dubbed "ransom-ware."
Friday, May 20, 2005
I'm a dual-browser kind of guy. Honestly, I use Internet Explorer most of the time, and Firefox is in my backup slot. Recently security concerns have been pretty evenly divided between the two, and I am not married to one browser or another - I just use what works best for me at the time.
The one thing that tends to keep IT administrators from deploying Firefox across their companies in many cases is the complete lack of a process and ability to patch and update the software.
Well, IT admins, worry no more. Someone's been thinking about how to help.
FrontMotion has created a MSI installer for Firefox 1.0.4 that can be deployed via Active Directory - just like any MSI installer - and a set of accompanying ADM files that you can deploy as extensions to your group policy, in order to be able to exercise the level of control necessary in a corporate environment. You can download them here.
FrontMotion's Firefox Community Edition is Firefox with the ability to lockdown settings through Active Directory. Similar to lockdown with mozilla.cfg on one computer, you can now use our Community Edition to set settings across your organization by loading Administrative Templates. Both the firefox.adm and mozilla.adm file can be loaded at the same time.
For those who want or need to do an Active Directory deployment:
- Download the MSI installer and save it to a network location accessible by client computers (e.g. a network share on a domain controller).
- Create or edit a Group Policy Object (GPO). Right click on an Organizational Unit (OU) or your top level domain, then Properties. In the Group Policy tab, click New to create a new Group Policy or Edit. (Note: If you have an existing deployment of Firefox MSI, you should Edit an existing GPO)
- Edit the GPO and navigate to Computer Configuration -> Software Settings -> Software Installation
- Add the new package, specify the location of the Firefox MSI on a network share. (e.g. \\server\appinstalls\firefox\firefox-x.x.x.x.msi)
- If you are doing an upgrade, be sure to specify the older packages in the Upgrades tab in the new package's properties.
Friday, May 13, 2005
I heard a little about this upcoming Microsoft program earlier today (well, yesterday actually) so it's cool they just kicked out a press release: Microsoft just announced OneCare, a service offering that's geared toward the consumer PC market of unmanaged desktops. It will be available for beta testing by the public sometime in the future (see below).
A natural extension of the Windows Update and MBSA concepts, which can patch computers without user intervention and tell you where you stand from a security standpoint, OneCare will take that type of service to a new level. They'll be adding things like PC health management (performance maintenance) and data protection, as well as integrated spyware and bidirectional (yay!) firewall capabilities.
Features of OneCare will include:
- Defense against evolving threats: Windows OneCare will provide automatically updated anti-virus, anti-spyware and two-way firewall protection.
- Performance and reliability tools: PC owners will be able to choose to have Windows OneCare automatically carry out periodic maintenance tasks such as disk cleanup, hard-drive defragmentation and file repair. The service also will offer boot-time information and proactive support tools to help improve the customer experience.
- Backup and restore capabilities: Windows OneCare will enable automated backup of files by category on CD and DVD, along with the option to back up all files on the system or only those that have changed since the last time the action was performed. If files are accidentally deleted or corrupted on the PC hard drive, the service is designed to restore saved versions or map them on a new PC.
- Simple, integrated service experience: PC users will have one simple point of reference for checking the overall health of their system. Windows OneCare will automatically notify users of available updates or other recommended actions and enable users to easily act as needed. Otherwise, the service stays quiet and in the background.
Microsoft employees are having a shot at it this week for a dogfooding phase of testing, and the public will be able to use it during a beta phase later this year. If you want to nominate yourself to participate in the Public Beta, go to http://beta.microsoft.com and use "OneCare" as the guest ID there.
Kudos to Microsoft for an initiative-taking program that brings better managed services to unmangaed PCs.
Thursday, May 05, 2005
From now til June 8th, you can do your best to hack an IIS 6.0 server, and if you're successful, you'll win an Xbox. WindowsIT Pro has issues their Hack IIS 6.0 Challenge.
If you think you've got what it takes, head on over and hack away!
- May 2 - Challenge begins with very basic static HTML web site to focus hackers on hacking IIS code
- May 16 - ASP.NET web site put up to give more potential hacking angles
- June 8 - Contest ends
- June 9 - Winner (or lack of winner) announced at TechEd in Orlando.
All the details are here, and the rules are here.
Monday, May 02, 2005
Microsoft has a couple of online webcast workshops on secure coding coming up:
Sounds interesting. Secure coding is critical - much more so now than ever. Every developer of any web app should be required to become and stay proficient in secure coding.
Saturday, April 30, 2005
Sunday, April 24, 2005
There's slashdot conversation taking place about using and enforcing cryptographically strong passwords (it's all about passphrases, people, passphrases - read my experiences here). In that thread, someone linked to an old and quite perfect social engineering example that I had not seen in a while. In my field I see and hear some of the funniest (or rather scariest) stories about situations like this.
From an IRC chatroom:
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
Pretty darn funny - unless it's you.
Of course, much of the /. conversation has evolved into the requisite noise and talk about how the original question is a moot point because passwords are dead, etc etc etc blah blah blah shashdotadnauseum...
And, since we need something useful to go with the something-funny/scary, here's some information worth reading about how to make it possible for users to remember and use cryptographically strong authentication without having to resort to post-it's and .txt files on the computer:
The Great Debate: Pass Phrases vs. Passwords
- Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
- Part Two - discusses the relative strength of each type of password, and use some mathematical approaches for illustration
- Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
Sunday, April 17, 2005
I was making an online payment on my Discover Card account today when I noticed they are offering a computer program called Discover Deskshop that not only fills out web forms for you when you are making online purchases, it also has an option to use a unique one-time card number instead of your actual Discover Card account number. That means if you use their application, you never have to send your real card account information to online vendors. Instead you send a pretend card number assigned at the time of purchase by Discover, and that information can only be used for that one purchase.
I buy things online frequently. I'm a computer security guy by trade, so I am extra careful about how I do Internet purchases. I have one thing to say about Discover's Deskshop software:
THAT IS SO COOL.
There's also a web-based version that one can use from any web browser. It won't fill out purchase forms for you automatically, but does allow you to use one-time card numbers for purchases you make.
I installed it and used it for the first time today as I purchased a copy of HotRecorder (software that lets you record Skype conversations without the typical hassle). It worked great, but did not set the expiration date for me - I had to do that myself. Every other field it nailed right on.
I like this - it's a real step up in security, with the one-time card number and associated info. Discover's auto-complete software and one-time card number feature will mean I will be using that card more frequently for purchases, which mean it's good news for Discover and for the customer. Good deal.
I've scribbled out a few things in the image at right to protect myself, but you can get an idea of what the program looks like and how it works. It's all automagical. I have to log onto my Discover Online account in the program interface before I can use the program to make purchases (so moms and dads can rest assured Junior won't be able to make any sneaky purchases).
All I did was tell the program to fill out the form and it did the rest. I set the expiration date and executed the purchase.
Nice. No more taking the card out of my wallet and squinting my getting-older eyes to read the account info and type it in. No more fat-finger mistakes. And better security on top of it all.
Thanks, Discover - you just made me a much happier customer.
There's another new version of the Firefox web browser out. You know, it's a good browser, but the number one problem I have with Firefox is a lack of automated, verifiable security patching... Plus apparently you have to download a whole new version to update it, and the release notes known issues section says not to install it over an older version:
"Prior to installing Firefox 1.0.3, please ensure that the directory you've chosen to install into is clean and doesn't contain any previous Firefox installations."
Anyhow... The following security issues are fixed in v1.0.3, so if you are using Firefox, go get it now:
Severity key: critical, high, moderate, low
MFSA 2005-36 Cross-site scripting through global scope pollution
MFSA 2005-38 Search plugin cross-site scripting
MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II
MFSA 2005-40 Missing Install object instance checks
MFSA 2005-41 Privilege escalation via DOM property overrides
Wednesday, April 13, 2005
I was wondering when this would happen. Microsoft can now alert you to new security bulletins via .NET instant messaging and mobile device alerts (as well as RSS). Great idea:
Microsoft Security Update instant message alerts notify you when time sensitive information about Microsoft products has been posted on the Security Web site. You can choose to receive these alerts through MSN Messenger or Windows Messenger, your e-mail, or a mobile device like your cell phone or PDA. Register at the Microsoft Security Alerts Web page.
Information on Microsoft Security Update Instant Message Alerts as well as RSS Feeds for Security Bulletins, the Microsoft Security Notification Service, and the Microsoft Security Notification Service Comprehensive Edition can be found at this location:
SIDEBAR: Oh, and it looks like they are using LiveMessage, which is what powers my .NET IM alerts for this weblog:
Microsoft's posted a quick online quiz that checks everyday people's spyware knowledge:
"Do you know what spyware is, how to help protect yourself against it, and what you should do if it’s on your computer? Take this quiz to test your knowledge."
After you take the first quiz (which is, admittedly, pretty darn basic), you can move on to the "advanced" quiz. How did you do? I scored 100%, but this is what I do every day.
Other useful information and education about spyware from Microsoft:
Wednesday, March 30, 2005
Windows Server 2003 SP1 was finalized and released to the world today at 5:20 PM Pacific Standard Time, in English and German language versions. Let the compatibility testing begin!
In addition, Windows Server 2003 x64 Editions and Windows XP Professional x64 Edition were released to manufacturing (RTM), but they won't be available until sometime in April.
Thursday, March 24, 2005
F-Secure has a real knack for creative sarcasm on it's security weblog, and today is no exception in their headline linking to an interesting report. Apparently, a study has been published showing the relative number of vulnerabilities, comparing Windows 2003 Server to a Linux distribution in several configurations.
Update: In a won't-really-build-confidence-with-the-common-folk move, apparently the researchers did not reveal at the RSA conference that this study was funded (but according to the researchers, not influenced by) Microsoft. They reveal this fact in the published study itself, but did not tell the audience at the conference when they presented the results. Read more here.
Get the PDF file of the study here. For a document describing the methodology in detail and for more information (including an email address to provide comments), go here.
F-Secure used the headline, "It's Official - Linux Sucks?" No doubt others will comment that the reality of the situation is that Windows is better for stupid people (meaning people who don't harden their machines). Flames will go forth, but you can't deny the report.
The end result of the study is that Windows Server 2003 was more secure than the Linux distributions tested.
Uh, heh... That should make a few people stand up and scream.
Using out-of-the-box, standard/recommended OS installs, the researchers found that the Windows 2003 server was more secure, with less vulnerabilities counted and a lower average for days of risk, when compared to the Linux distributions tested (Red Hat Enterprise Linux in default and "minimal" recommended configurations):
"In this report, we have studied both quantitative and qualitative data that affects the vulnerability and thus operational security risk of different web server platforms. In order to produce a meaningful comparison of platforms, systems were tested in their default configurations and then looked at in minimal server role configurations. When the default configuration did not provide for a functional web server, systems were configured according to manufacturer’s directions."
For a quick Readers' Digest style overview of the result of the study, get the free PDF of the report and flip down to page 35 and look at the charts on that page. I won't post all the images and tables here, that's what the report is for.
In reality, this is a complex study that is worth reading. The methodologies applied appear to be good ones, and the results are pretty compelling. The real world is never as simple as s lab environment, but if nothing else, this certainly shows how far Windows Server has come over the years (or else it shows how poor Linux distributions have become, or maybe some of both).
Wednesday, March 23, 2005
Another update to the Firefox web browser has just been released, and all users are advised to download and install the new version, as it contains a critical security patch.
The new version includes a number of fixes:
MFSA 2005-32 Drag and drop loading of privileged XUL
MFSA 2005-31 Arbitrary code execution from Firefox sidebar panel
MFSA 2005-30 GIF heap overflow parsing Netscape extension 2
Download here: http://getfirefox.com/
Microsoft has announced a large number of security webcasts that are set for April. The list here is quite long, so click to see them all, or check out the Security Webcast Calendar, which is a Word doc calendar with all the upcoming webcasts listed and linked.
There are lots of very good sessions planned. Anyone with a security responsibility or emphasis in their jobs should take a good look at these upcoming webcasts and consider viewing...
Upcoming Security Webcasts: April 2005
Security Webcasts are a convenient way for IT Professionals and Developers to stay technically updated on the latest Microsoft Security Guidance. These webcasts concentrate on security information and are presented by senior executives and other subject matter experts. They feature interactive technical presentations, product demonstrations, and question-and-answer sessions.
Microsoft Security Webcast Series: Upcoming & On-Demand
Security Webcast Calendar
NEW: Now you can register for an on-demand webcast and choose how you would like to view the archive. Downloadable Microsoft Office System PowerPoint and .wmv files are available for most webcasts that took place Dec. 1, 2004 or later. Once you register, you will be directed to the on-demand webcast and also shortly receive a confirmation email with links to the PowerPoint and .wmv downloads.
Additional Webcast Resources
Microsoft Security Webcast Series: Upcoming & On-Demand
Digital Blackbelt Series: Defend your code from attacks
Ongoing through May
How would your code stand up to an attack? If you are not sure, join us for the Digital Blackbelt webcast series as Developer Community Champion Joe Stagner discusses security risks, vulnerabilities, and solutions from the software developer's perspective. We will provide real-life examples and security tips and tricks that can help you gain the knowledge and techniques to become an experienced “blackbelt” in writing secure code.
Web Development: Increase the security of your applications
Ongoing through May
Increasing the security of your software is not the result of a single event. From design through development, to testing and deployment, a multi-disciplinary approach must be taken to deliver a quality software product that minimizes organizational risk. Join Dennis Hurst, Senior Consulting Engineer at SPI Dynamics, and other guest speakers as they detail knowledge that can help developers increase security around the coding of web applications.
Third Tuesday of Every Month
Learn best practices to guide your security strategy during this monthly webcast series. Each webcast focuses on a specific security topic and includes commentary from industry experts outside of Microsoft.
Security Webcast Calendar
Security webcasts listed in an easy-to-use calendar format.
BONUS: Attend any live webcast through June and you could win a Portable Media Center. See official rules for more details.
Additional Live & On-Demand Webcast Series Available NOW:
For IT Executives
Microsoft Executive Circle Webcast: Security360 with Mike Nash: Secure E-mail, It’s More than Filtering (Level 100)
Tuesday, April 19, 2005 - 9:00 AM - 10:00 AM Pacific Time
Mike Nash, Corporate Vice President Security Business & Technology Unit, Microsoft
Reducing the amount of spam clogging e-mail systems is top-of-mind. However, e-mail security is not just about preventing unsolicited messages; it is also about protecting the digital information assets you send through e-mail. On this month's Security360, guest host Amy Roberts, director of product management in Microsoft's Security Business and Technology Unit, will discuss with industry experts the whole spectrum of e-mail security, including filtering technologies, e-mail policies and enforcement, and partner solutions. As with every Security360, this session includes a checklist of recommendations and resources, as well as a live Q&A with industry experts.
For IT Professionals
TechNet Webcast: Implementing Exchange Server Security (Part 1 of 2): Securing Services and Messaging Protocols (Level 300)
Monday, April 04, 2005 - 1:00 PM - 2:00 PM Pacific Time
Harold Wong, TechNet Presenter, Microsoft
Securing communication over networks is essential to securing your organization from intrusions, overloads, and interruptions of many types. In this first session of a two-part series on Exchange Server Security, we describe how to deploy a more secure Exchange Server 2003 infrastructure and how to secure its server services and messaging protocols.
TechNet Webcast: How Microsoft IT Deployed PKI Inside Microsoft (Level 300)
Tuesday, April 05, 2005 - 9:00 AM - 10:00 AM Pacific Time
Larry Talbot, Microsoft IT SECURITY TECHNOLOGIST, Microsoft
This webcast presents a detailed discussion of how Microsoft IT installed a Public Key Infrastructure, built originally with Windows 2000 Server Certificate Services, and later upgraded with Windows Server 2003, to implement a secure communications and remote authentication infrastructure. This enabled the use of S/MIME signatures and encryption, secured Web connections by using SSL or TLS, ensured the confidentiality of stored data by using EFS, ensured the confidentiality and integrity of transmitted date by using IPSec, and enabled strong network user authentication by using Smart Cards. Join this webcast to find out how you can do this - or something similar - too.
TechNet Webcast: "Ask The IT Security Experts" Series: Building Security Training and Awareness (Level 100)
Tuesday, April 05, 2005 - 11:00 AM - 12:00 PM Pacific Time
Ben Smith, Senior Security Strategist, Microsoft
Experts often talk about the importance and need for security training, but few actually talk about how to do it. Join us for this webcast as we bring together some of the sharpest security-focused Microsoft IT professionals to provide expert answers to your questions about Building Security Training and Awareness. This webcast presents proven, and slightly unconventional, methods of training users and administrators on security. As with all of our "Ask the Experts" webcasts, there will be plenty of Q&A time for the experts to field your questions. Send your security-related questions to our panel of experts ahead of time at: firstname.lastname@example.org.
TechNet Webcast: Network Isolation Using Group Policy and IPSec (Part 1 of 3): Overview of Internet Protocol Security (Level 300)
Wednesday, April 06, 2005 - 11:00 AM - 12:30 PM Pacific Time
John Baker, TechNet Presenter, Microsoft
Data Isolation: How can it make your IT infrastructure safer, and how do you use Group Policies and IPSec to implement it? This session is the first of a three-part series presenting the information and tasks needed to implement data isolation using Group Policies and IPSec within an organization. This first installation provides an overview of the nature of Internet Protocol Security - the challenges to secure network communication, how IPSec can help, and the various ways IPSec can be implemented to achieve different types of secure communication.
TechNet Webcast: Windows Server 2003 SP1 Technical Overview (Level 200)
Thursday, April 07, 2005 - 9:00 AM - 10:30 AM Pacific Time
Rand Morimoto, Author, President, Convergent Computing
Windows Server 2003, the latest server operating system from Microsoft, builds upon the security, reliability, and performance improvements implemented in previous versions. Organizations need these continuing improvements as their networks develop and network usage evolves with new technologies. Organizations also need Service Pack 1 to protect themselves from an increasing variety of network and computer. Join this webcast for a technical overview of Windows Server 2003 Service Pack 1, where we will present its features, configuration tools, system security enhancements, network security enhancements, and deployment options.
TechNet Webcast: SQL Server 2005 Series (Part 4 of 10): Securing your SQL Server (Level 200)
Monday, April 11, 2005 - 9:00 AM - 10:00 AM Pacific Time
Bryan Von Axelson, TechNet Presenter, Microsoft
Parts four and five in our series highlight the security enhancements in SQL Server 2005. Part four of this series focuses on authentication and authorization while crypto support is covered in part five. We begin with authentication, examining the Security model, endpoint-based authentication and the password policy. Then we move on to explore authorization, covering User Schema separation, module execution context, granular permission control and Catalog security.
TechNet Webcast: Implementing Exchange Server Security (Part 2 of 2): Protecting Against Unwanted E-Mail (Level 300)
Monday, April 11, 2005 - 1:00 PM - 2:00 PM Pacific Time
Chris Avis, TechNet Presenter, Microsoft
This second session of a two-part series on Exchange Server Security describes how to increase the security of e-mail that flows through an organization's Exchange servers. We also introduce you to Exchange Server 2003 features such as Real Time Block List support and Intelligent Message Filtering, tools making it easier to reduce the amount of unwanted e-mail before it spreads through your organization.
TechNet Webcast: How Microsoft IT Implements Trustworthy Messaging at Microsoft (Level 300)
Tuesday, April 12, 2005 - 9:00 AM - 10:00 AM Pacific Time
Grant Hogan, Microsoft IT Service Manager, Microsoft
Similar to most enterprise organizations, Microsoft shares information among its resources through e-mail and other electronic documentation. At the same time, we have a concern for the security and privacy of this data. With that in mind, Microsoft created the Trustworthy Messaging initiative to provide confidentiality for key business sensitive data sent to and from internal corporate clients without sacrificing their ability to freely share this data. Join us as we review, in detail, Microsoft IT's implementation of Trustworthy Messaging.
TechNet Webcast: Information about Microsoft's April Security Bulletins (Level 100)
Wednesday, April 13, 2005 - 11:00 AM - 12:00 PM Pacific Time
Christopher Budd, CISM, CISSP/Security Program Manager, Microsoft
Debby Fry Wilson, Director/Security Response Marketing, Microsoft
On April 12th, Microsoft will release its monthly security bulletins. Join this webcast for a brief overview of the technical details of these April security bulletins. This webcast will provide you the opportunity to raise your questions and concerns about the security bulletins. A majority of the session will be devoted to addressing your questions and providing answers from our security experts.
TechNet Webcast: Network Isolation Using Group Policy and IPSec (Part 2 of 3): Understanding Network Isolation Using IPSec (Level 300)
Wednesday, April 13, 2005 - 1:00 PM - 2:00 PM Pacific Time
John Baker, TechNet Presenter, Microsoft
This session is the second of a three-part series with the information and tasks you need to implement data isolation using Group Policies and IPSec. This session shows how to use IPSec to create network isolation zones. Topics include the advantages and limitations of network isolation, where network isolation fits into a defense-in-depth scheme, and how to use Group Policies and Active Directory groups to restrict access to specific servers.
TechNet Webcast: Maximizing Security Features within Microsoft Office Live Communications Server 2005 (Level 300)
Thursday, April 14, 2005 - 9:00 AM - 10:30 AM Pacific Time
Sean Olson, Lead Program Manager, Microsoft
This technical session describes potential security threats and their mitigations for the Microsoft Office Live Communications Server 2005 release. We will focus on the new features and challenges differentiated from Live Communications Server 2003. The ultimate goal of this presentation is to provide you with the information commonly required to satisfy a security audit of a product prior to its commercial deployment. Topics will include authentication, auditing, and security recommendations for the new Live Communications Server 2005.
TechNet Webcast: Securing the Network Perimeter with ISA Server 2004 (Level 200)
Friday, April 15, 2005 - 11:00 AM - 12:30 PM Pacific Time
Keith Combs, TechNet Presenter, Microsoft
Do you currently have an effective way to secure your network perimeter against risks introduced by the Internet, remote users, and remote network segments? Learn how Microsoft Internet Security and Acceleration (ISA) Server 2004 can help protect against all of these threats and more. This session demonstrates how ISA Server 2004 can enhance security for internal servers as well as external-facing resources such as Microsoft Exchange Server or Microsoft Internet Information Services. We will also show how ISA Server can operate as a virtual private networking server for more secure remote access to the internal network.
TechNet Webcast: SQL Server 2005 Series (Part 5 of 10): Protecting Sensitive Data (Level 200)
Monday, April 18, 2005 - 9:00 AM - 10:00 AM Pacific Time
Bryan Von Axelson, TechNet Presenter, Microsoft
Parts four and five in our series highlight the security enhancements in SQL Server 2005. Building upon the discussion of authentication and authorization in the previous session, part five of the series covers the crypto support in SQL Server 2005. We begin with an introduction to the concepts of database encryption including encryption support, keys, certificates and key management. We show how SQL 2005 can protect sensitive data using data encryption and module signatures, and introduce sign modules, what these are and how they work.
TechNet Webcast: Assessing Network Security (Part 1 of 2): Planning and Research (Level 200)
Monday, April 18, 2005 - 1:00 PM - 2:00 PM Pacific Time
Kai Axford, Security Specialist, Microsoft
How do you know whether your network is secure? And how do you know how to find out? This session is the first of a two-part series to help organizations plan and implement processes to identify vulnerabilities to network attacks. This first session shows how to plan your security assessment and how to gather information such that the methods and results fit your organization's needs. In this presentation we'll specifically show how to plan a security assessment and the details and processes for gathering network security information about your organization.
TechNet Webcast: Threat Mitigation for Windows 98 and Windows NT 4.0 (Level 200)
Wednesday, April 20, 2005 - 9:00 AM - 10:30 AM Pacific Time
Harold Wong, Senior Technology Specialist, Microsoft
While migration to a newer platform is recommended, many customers have key business applications that will only run on legacy operating systems. This session offers prescriptive information and test plans for hardening legacy Windows clients and servers, with the goal of reducing the security risk factors for Windows NT and Windows 98 systems as much as possible. We also provide guidance on how to upgrade securely to newer operating systems.
TechNet Webcast: Network Isolation Using Group Policy and IPSec (Part 3 of 3): Advanced Network Isolation Scenarios (Level 300)
Wednesday, April 20, 2005 - 11:00 AM - 12:00 PM Pacific Time
Matthew Hester, TechNet Presenter, Microsoft
This session is the final presentation of a three-part series about the information and tasks needed to implement data isolation using Group Policies and IPSec within an organization. The session describes several scenarios where you can use IPSec to enhance network security by using IPSec to create network isolation zones. This scenario-focused view of Group Policies and IPSec is based on Microsoft's prescriptive guidance.
TechNet Webcast: Assessing Network Security (Part 2 of 2): Penetration Testing (Level 200)
Monday, April 25, 2005 - 1:00 PM - 2:00 PM Pacific Time
Kai Axford, Security Specialist, Microsoft
How do you know whether your network is secure? And how do you know how to find out? This session is the second of a two-part series on assessing network security, to help organizations plan and implement processes to identify vulnerabilities to network attacks. This second session shows how to implement penetration testing for intrusive network attacks, presents checklists that will help identify and remediate common issues, the tools and processes for scanning systems for vulnerabilities, and concludes with a case study where all these factors are put to work at a typical commercial enterprise.
TechNet Webcast: Security Risk Management (Level 300)
Wednesday, April 27, 2005 - 9:00 AM - 10:30 AM Pacific Time
Kai Axford, Security Specialist, Microsoft
When establishing security for your network, you must take risk assessment, cost-benefit analysis, and implementation of security countermeasures into account. The Security Risk Management Guide, designed by Microsoft, can help your organization establish the ongoing process of security risk management. This 90-minute webcast presents a qualitative approach to risk management, tying in best practices from both the industry as well as the ones learned and formulated by the Microsoft internal IT Group.
TechNet Webcast: Defense-in-Depth Against Malicious Software (Level 200)
Friday, April 29, 2005 - 11:00 AM - 12:30 PM Pacific Time
Michael Murphy, TechNet Presenter, Microsoft
Malicious software has become increasingly advanced; worms and viruses can propagate more quickly and evade detection more effectively. This session describes how a defense-in-depth approach to antivirus solution design can help protect various components of a computing infrastructure from malicious software attacks, including client computers, servers and networking devices. This webcast also covers implementing an effective outbreak control and recovery plan and identifying, containing and remedying the effects of malicious software.
MSDN Webcast: Practical Security for Intranet Solutions (Level 200)
Friday, April 01, 2005 - 9:00 AM - 10:30 AM Pacific Time
Joe Stagner, Developer Community Champion, Microsoft
Internal Web and Windows-based applications often require integration with existing applications and systems, access to databases, strong authorization and authentication mechanisms, and identity management. This webcast discusses strategies for incorporating security best practices into intranet solution development. We will provide practical guidance on how to implement security enhancements throughout intranet solutions and introduce future security improvements available to developers through Visual Studio .NET 2005 and ASP.NET 2.0.
MSDN Webcast: Practical Security for Internet and Extranet Solutions (Level 200)
Monday, April 04, 2005 - 11:00 AM - 12:30 PM Pacific Time
Rob Jackson, Developer Community Champion, Microsoft
This session discusses strategies for incorporating security best practices into intranet solution development. Internal Web and Windows-based applications often require integration with existing applications and systems, access to databases, strong authorization and authentication mechanisms, and identity management. This session provides practical guidance on how to implement security enhancements throughout intranet solutions and introduces future improvements available to developers through Visual Studio .NET 2005 and ASP .NET 2.0.
MSDN Webcast: Implementing Security for Mobile Device Solutions (Level 200)
Friday, April 08, 2005 - 9:00 AM - 10:30 AM Pacific Time
Joe Stagner, Developer Community Champion, Microsoft
Are you dealing with security issues and concerns with your Microsoft Windows Mobile-based solutions? This webcast will describe the various the security considerations for building mobile software solutions and the tools, technologies and strategies available to the mobile developer. Both traditional applications accessed through mobile devices and solutions designed specifically for mobile use can be affected. You will learn how to use the security features of the Microsoft .NET Compact Framework in conjunction with Windows Mobile-based PocketPC and Smartphone capabilities to provide more secure file storage and data access. During this 90-minute webcast will also cover how to protect mobile device communications with your application servers.
MSDN Webcast: Digital Blackbelt Series: Defending the Database (Part 1 of 2): The SQL Injection Attack in Detail (Level 300)
Friday, April 08, 2005 - 11:00 AM - 12:30 PM Pacific Time
Joe Stagner, Developer Community Champion, Microsoft
Developers the world over underestimate the seriousness of a SQL Injection Attack. In this session we will dive deep into the topic and do some live hacks to see the huge danger of SQL Injection. We'll discuss how a Mal-Tech might find and approach your box, discover your schema, table, and field names, steal your data, corrupt your table records, add himself as an administrator, reduce your own admin rights, pollute your network, take over your mail server, shutdown your application (and hide it from your ops people), upload his own wares and OWN YOUR NETWORK. Don't miss this webcast.
MSDN Webcast: Writing Secure Code (Part 1 of 2): Best Practices (Level 200)
Monday, April 11, 2005 - 11:00 AM - 12:00 PM Pacific Time
Rob Jackson, Developer Community Champion, Microsoft
Do you want to learn more about analyzing, mitigating and modeling threats? This presentation is part one of a two-part series to help experienced developers build their knowledge of secure coding best practices. Join this 60-minute webcast to learn about established threat modeling methodologies and tools and how to apply them with other best practices to minimize vulnerabilities and limit damage from attacks.
MSDN Webcast: Assessment: Tips and Tricks for Web Application Security Testing (Level 300)
Tuesday, April 12, 2005 - 11:00 AM - 12:00 PM Pacific Time
Dennis Hurst, Senior Consulting Engineer, SPI Dynamics
Caleb Sima, Founder and CTO, SPI Dynamics
This session will demonstrate the proper technique for testing a Web application to ensure that it is properly secure. In addition, we will discuss the challenges of Web application security throughout the development life cycle, and the available methods and tools used to test the security of Web-based applications. Attend this webcast and learn how to test a Web application using a Web browser and the inherent limitations of this approach. You'll also learn what obstacles must be overcome during application testing to ensure proper security.
MSDN Webcast: Developing Applications in Windows XP Service Pack 2 (Level 200)
Friday, April 15, 2005 - 9:00 AM - 10:30 AM Pacific Time
Rob Jackson, Developer Community Champion, Microsoft
Have you installed Microsoft Windows XP Service Pack 2 (SP2) and some of your applications are not working or are not working correctly? The new security features of SP2 may affect how certain types of applications run. Join this webcast to see examples of applications that may be affected and learn how to modify them to work with Windows XP SP2. Also, learn how to configure your development environment to work successfully on Windows XP SP2.
MSDN Webcast: Writing Secure Code (Part 2 of 2): Best Practices (Level 200)
Monday, April 18, 2005 - 11:00 AM - 12:00 PM Pacific Time
Anand Iyer, Developer Community Champion, Microsoft
Are you looking for effective strategies to defend against common security threats faced by application developers? In part two of this two-part series for experienced developers, you will continue learning more about established best practices for applying security principles throughout the development process. During the 60-minute webcast we will discuss common security threats faced by application developers, such as buffer overruns, cross-site scripting and denial of service attacks, and how to effectively defend against these threats.
MSDN Webcast: Advanced Application Development with Windows XP Service Pack 2 (Level 400)
Friday, April 22, 2005 - 9:00 AM - 10:30 AM Pacific Time
Rob Jackson, Developer Community Champion, Microsoft
With Microsoft Windows XP Service Pack 2 (SP2), Microsoft is introducing a set of security technologies that will help improve Windows XP-based computers' ability to withstand malicious attacks from viruses and worms. To developers these technologies will have an impact on the applications they create and the tools they use. SP2 restricts how remote procedure calls are made across a network which may affect the operation of enterprise applications. Join this session as we discuss these interface restrictions and provide you with advanced application development techniques for SP2, including how to reduce RPC-based incompatibilities.
MSDN Webcast: Digital Blackbelt Series: Defending the Database (Part 2 of 2): Making the Right Design Choices (Level 300)
Friday, April 22, 2005 - 11:00 AM - 12:00 PM Pacific Time
Joe Stagner, Developer Community Champion, Microsoft
After drilling down into the infamous SQL Injection attack in Part 1 of the Defending the Database, we will now address several of the questions and answers developers have concerning the database and security. This session will cover topics such as, Secure Connections, SQL versus Windows Authentication, user versus role-based authentication, EXPs, Managed Stored Procedures, Alerts and Monitors.
MSDN Webcast: Implementing Security in the Development Lifecycle (Level 200)
Monday, April 25, 2005 - 11:00 AM - 12:30 PM Pacific Time
Joe Stagner, Developer Community Champion, Microsoft
Security should be your primary concern throughout the development process. This session discusses how security can be implemented at each stage of the software development life cycle. Microsoft has created the Security Development Life Cycle to describe how to implement security best practices by adding pointed and well-defined checkpoints to the existing development life cycle. This session outlines recommended changes to the design, development, testing, verification and release phases that can reduce the number and severity of security vulnerabilities shipped to customers.
MSDN Webcast: Remediation: Developing Secure ASP.NET Applications (Level 300)
Tuesday, April 26, 2005 - 11:00 AM - 12:00 PM Pacific Time
Dennis Hurst, Senior Consulting Engineer, SPI Dynamics
Prashant Sridharan , Lead Product Manager - VS, Microsoft
Are you looking for a way to correctly validate input easily and quickly to ensure it is secure? This webcast will show you real-life examples and demonstrate how you can do this. Throughout the webcast we will discuss secure state management, how to apply state management across multiple applications, as well as how to setup and develop proper authorization and access control to ensure that privilege escalation defects/vulnerabilities are removed. Attend this webcast to learn advanced Web application protection techniques covering how to code login forms and other form inputs so they are immune to malicious brute force attacks.
MSDN Webcast: Practical Security for Intranet Solutions (Level 200)
Friday, April 29, 2005 - 9:00 AM - 10:30 AM Pacific Time
Joe Stagner, Developer Community Champion, Microsoft
Internal Web and Windows-based applications often require integration with existing applications and systems, access to databases, strong authorization and authentication mechanisms, and identity management. This webcast discusses strategies for incorporating security best practices into intranet solution development. We will provide practical guidance on how to implement security enhancements throughout intranet solutions and introduce future security improvements available to developers through Visual Studio .NET 2005 and ASP.NET 2.0.
Additional Webcast Resources
Sunday, March 20, 2005
Microsoft has published their Security Development Lifecycle whitepaper, where they describe the process that Microsoft has adopted for the development of software that needs to withstand malicious attack.
It's a good read for people responsible for writing software, as well as those responsible for ensuring software development processes properly addresses security as a requirement.
The basic principles of the Security Development Lifecycle are described in the paper:
- Secure by Design: the software should be architected, designed, and implemented so as to protect itself and the information it processes, and to resist attacks.
- Secure by Default: in the real world, software will not achieve perfect security, so designers should assume that security flaws would be present. To minimize the harm that occurs when attackers target these remaining flaws, software's default state should promote security. For example, software should run with the least necessary privilege, and services and features that are not widely needed should be disabled by default or accessible only to a small population of users.
- Secure in Deployment: Tools and guidance should accompany software to help end users and/or administrators use it securely. Additionally, updates should be easy to deploy.
- Communications: software developers should be prepared for the discovery of product vulnerabilities and should communicate openly and responsibly with end users and/or administrators to help them take protective action (such as patching or deploying workarounds).
Also discussed are the phases of the lifecycle in application, and Microsoft's experience in putting the DSL into use at that company, as well as the results of the initiative. If the small amount of information quoted above is of interest, take the time to read the paper.
Dana Epp comments and has insights into the changes that have happened at Microsoft over the past few years. It is pretty darned amazing to have watched (and participated in, as part of my roles as partner and customer) the changes Microsoft has made with regard to security. I can say from my own experience that security is at the front of MSFT developers' minds every day, and while it's not perfect (and never will be, regardless of the software or authors), it definitely shows.
(via Dana Epp's weblog)
Tuesday, March 15, 2005
There's a excerpt from a yet-to-be released book by Jesper Johansson and Steve Riley available to read online. The article, entitled "Security Myths," it takes a look at some of the security shortcomings typical to use of security guides and reliance upon following a predefined set of steps without looking at the whole picture. It's a great lesson in how to look at things, rather than how to follow prescriptive
This section is somewhat (OK, very) cynical. Take it with a grain of salt and laugh at some of the examples we give. Do not lose sight, however, of the message we are trying to get across: These are myths. If you are careful to avoid falling into the trap of believing them, you will be able to focus your efforts on the things that make a real difference instead of being lured like so many others into staring at a single tree and failing to see the security forest.
So what are the myths? Well, for the details go read the article, but at a high level...
- Myth 1: Security Guides Make Your System Secure
- Myth 2: If We Hide It the Bad Guys Won’t Find It
- Myth 3: The More Tweaks the Better
- Myth 4: Tweaks Are Necessary
Thursday, March 10, 2005
Microsoft has released a new prescriptive paper describing in step-by-step fashion how to deploy a secure wireless LAN using Protected Extensible Authentication Protocol (PEAP) and passwords:
The Securing Wireless LANs with PEAP and Passwords solution guide is designed to help small- and medium-sized organizations protect their wireless local access network (LANs). This prescriptive guidance will assist you in planning, deploying, testing, and managing a wireless LAN security infrastructure using Microsoft Windows XP, Windows Server 2003, and Pocket PC 2003. The guide is a companion to the earlier solution guide Securing Wireless LANs – a Certificate Services Solution. However, this updated guide uses passwords to authenticate users and computers to the LAN instead of digital certificates.
The solution uses industry standards such as 802.1X to ensure broad interoperability. Windows XP Wireless Auto Configuration and the Microsoft Active Directory directory service help to minimize the complexity of installing and managing the solution—many of the more complex operations are automated in scripts that are provided with the guide. You can also install the solution entirely on existing servers in your environment to keep costs low.
Also useful in the context of these articles:
Microsoft has posted "What to do if you've responded to a phishing scam," a set of four steps (with some details about each) you should take if you think you may have mistakenly provided personal financial or identification information in response to a fraudulent email. They've also updated and posted a set of related articles dealing with phishing and email fraud (listed and linked below).
The steps they list in the article are:
- Step 1: Report the incident
- Step 2: Change the passwords on all your accounts
- Step 3: Routinely review your credit card and bank statements
- Step 4: Use up-to-date antivirus and anti-spyware software
And they have posted more articles with information about phishing and email fraud:
But remember: Being prepared and on the watch before the fraud ever happens is the best way to not become a victim. The links above and other resources on the 'net can help you educate yourself and people you know about the things people should do to keep from becoming victims.
Thursday, February 24, 2005
Tuesday, February 15, 2005
An announcement by Bill Gates at the RSA conference: Internet Explorer 7 is set to be released for testing this summer, says Microsoft. It will include anti-spyware functionality, and will not wait for the next version of Windows.
Monday, February 07, 2005
Did you know that only 11% of identity theft takes place online? You're much more likely to have your identity stolen or discovered on paper, and chances are the bad guy (or gal) will be someone you know...
"The 2005 Identity Fraud Survey Report shows that despite growing fears about identity theft and online fraud, of the victims that know the identity and method used by the criminal, these crimes are more frequently committed offline than online. Internet-related fraud problems are actually less severe, less costly and not as widespread as previously thought.
"Further, the study concludes that those who access accounts online can provide earlier detection of crime than those who rely only upon mailed monthly paper statements."
Those of us who work in the field have known this for some time. And those of us who do our banking and other important transactions online also know we'll notice if something gets out of the ordinary, and we won't have to wait for a paper statement or a bounced check to tip us off.
How safe are you? Take the quiz. If there's anything you should be aware of in this day and age, it's how to protect your personal information.
Here's my results:
Your Score is 10
Please note that a perfect score is 0 and the worst possible score is 100; a typical score is 38.
How did you score?
F-Secure has published a RSS feed where you can get listings of all newly-discovered viruses (see HTML list here). People responsible for knowing what's new and changing will likely want to subscribe. This is one great way to get an ongoing education, not to mention a useful reference for daily AV routines:
"We've received some questions on whether it would be possible to receive the list of our new virus descriptions as an RSS feed.
"Well, turns out we've had this available for quite some time already, but I guess we've never really officially announced it.
"So: our new virus descriptions are available as an RSS feed here: "
Sunday, January 30, 2005
An "open letter" to Microsoft...
Once again, commenters everywhere are espousing opinions on Microsoft's latest statements regarding the company's plans to disallow updates for pirated copies of Windows (and other software).
We all know taking that position results in one primary problem: Unpatched computers get infected or overrun and then bombard computers of others - making victims of people with valid, paid-for copies of Windows.
I understand Microsoft's position, I disagree with it, and I have a solution.
Patch the pirated computers, "update" the pirated computer's firewall to control two-way traffic, then turn that firewall on. Turn it on all the way. Like as in "nothing-in, nothing-out." Stop all the network traffic on those machines. And put "PIRATED" in all four corners of the screen, like you do with Safe Mode. Heck, for that matter, only allow users to boot into safe mode if it's pirated.
Of course, you could leave open connections to, say, a Microsoft site where people could be allowed something like, oh maybe 30 days to register their software. Give 'em a reduced registration rate maybe. Or maybe not. That's up to you.
Seriously - A significant portion of my job is protecting my company from all those unpatched and out-of-date computers. My time is valuable, and so is the time of many others like me. The ball belongs in your court - Where thousands of people have to spend hours and hours defending networks, you can fix it for all of us in one fell-swoop.
Microsoft's failure to patch problem computers makes for a less-secure Internet. It makes for higher operating costs for my company. It means I am focusing my time on things I need not deal with. It means I'm not focused on more important things that deserve my individual time.
Revenues are important, sure, but so are your customers, and so is wide area network security. This is the one area where revenues might just need to take a back seat. Think about it. Do the right thing.
Drastic? Sure, but healthier than leaving security holes all over the planet.
By not helping your enemies, you hurt your friends. You can't win, but you can make sure the people who are already on your side are taken care of.
Patch that software. Then get 'em with the firewall. Do it. We need you.
And thanks for listening.
P.S. - Is this a little tongue in cheek? Sure it is, somewhat. The idea is to discuss all the options and possibilities, and I think people need to talk more about the option of making it harder for software thiefs, regardless of the PR impact. Talking about it and actually doing it are two very different things, and often useful ideas come out of the conversations about the "fringe" options.
Already several emails and opinions are coming in (keep 'em coming, and you can also use the comments link below), so let me point out a few things...
- First, I don't think Microsoft is "evil" - and that was not my point. Not even close.
- Second, I know automatic updates would still work for pirated software under the proposed plan. That's not my concern - apparently there are some idiots who steal software that just don't have the brains or desire to turn it on, for whatever reasons.
- Third, I'm not freaking out over something that hasn't happened yet. Rather, I am thinking about and commenting on something that's being discussed and in which I have professional interest and experience. Part of my experience is that if you offer opinions before Microsoft takes action, you're more likely to have your opinion count for something, however small. Come to think of it, that's more about the way the world works in general than it is about Microsoft...
- Fourth, my thoughts are more about Microsoft asserting itself from both the "security-custodian" and "software-seller" roles. Two statements (drastic ones, granted) in one brush stroke.
Mitch Wagner at Security Pipeline has his own opinions on the matter, too. See what other people are writing about the subject with Feedster.
Interesting conversation. What do you think?
Monday, January 24, 2005
I had to change one of my passwords today (good security practices and all that), and with the recent discussions around the 'net concerning using passphrases in place of passwords, I decided to go full tilt and start using passphrases on this account rather than passwords.
One of the great things about passphrases is that they can be quite long and secure, yet easy to type and remember. For example, I could use either of these as a secure passphrase that more than meets all the security requirements of a Windows standard password-complexity template:
Is this my nifty-difty passphrase?
- or -
Wow yo thats a really cool Red Radio you have there!
Of course, I could also be more paranoid (and in real life I am) by using something like "Is this my nyftie-dyftie passphraze?" but even with the standard dictionary words, the combination of having to determine the number of words, case, punctuation, order and spacing is a pretty darn complicated task. For more information about effectiveness of passphrases and their complexity, read what Jesper Johanssen wrote on the topic.
I can included spaces and everything - they're part of the passphrase, and the fact that I am using dictionary words works in the case of a passphrase, where they don't really pass muster when using 8-character-minimum passwords.
Passphrases use multiple words or variations, can be out of place and odd, easy to remember and easy to type quickly. The only problem I have had since changing to my new passphrase is remembering that I changed my password at all - I keep typing the old one... It's like writing "2004" on checks, I guess... This, too, shall pass.
Anyhow, I can type my passphrase accurately every single time, very quickly and reliably, so I am happy with that. If I choose a phrase that means something to me at the time, it will be easy to work with until I have to change it again in several weeks. I think it's a good thing - all in all better from a user standpoint than convoluted and hard-to-type passwords.
More on passwords vs. passphrases can be found here. Also, Susan Bradley, who blogs about Small Business Server quite a bit, has some thoughts on the subject and some policy configuration information (via Adam Field).
Last year, a company called MailFrontier produced their Phishing IQ test. Phishing is a form of fraud, where the bad guys set up web sites to collect personal data and then send out emails to get you to visit the web sites. More often than not, the web sites look at least semi-official, and at times they look like the real thing. While financial institutions are the most frequent targets (emails and web sites that look like they came from a bank, but did not), insurance companies ad other online merchants are also often spoofed in these phishing scams.
Now MailFrontier has a new Phishing IQ Test:
Ready for more? Over 225,000 people took the first MailFrontier Phishing IQ Test, successfully raising "phishing" awareness to an all-time high in both the industry and consumer media. But with phishing emails increasing daily—and the online holiday shopping season officially open--it's time for a whole new challenge: the MailFrontier Phishing IQ Test II.
We're back with 10 new suspect "phish" fresh from our collection – all actually received by real people like you. Whether you're brand new or a repeat tester, the question is the same: If you received one of these emails in your inbox – what would you do?
Take the Phishing IQ Test II
Tuesday, January 11, 2005
Microsoft today released three security bulletins, two of which are classified as “Critical” severity, and related patches to resolve the issues described in each bulletin:
|Jan 11, 2005
||Vulnerability in HTML Help Could Allow Code Execution (890175): MS05-001
Affected Software: Windows NT Server 4.0, Windows NT Server 4.0, Enterprise Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows 98, Windows 98 SE, Windows Me, Internet Explorer 6
|Windows NT4 Service Pack 6a, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 Gold, Windows 98 Gold, Windows 98 SE Gold, Windows 98 SP1, Windows Me Gold, Internet Explorer 6 SP1
|Jan 11, 2005
||Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711): MS05-002
Affected Software: Windows NT Server 4.0, Windows NT Server 4.0, Enterprise Edition, Windows NT Server 4.0, Terminal Server Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows 98, Windows 98 SE, Windows Me
|Windows NT4 Service Pack 6a, Windows NT4 Terminal Server Service Pack 6, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows Server 2003 Gold, Windows 98 Gold, Windows 98 SE Gold, Windows 98 SP1, Windows Me Gold
|Jan 11, 2005
||Vulnerability in the Indexing Service Could Allow Remote Code Execution (871250): MS05-003
Affected Software: Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition
|Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows Server 2003 Gold
Monday, January 10, 2005
From MS MVP Jerry Bryant comes news about the new malicious software combat tools that will launch on Tuesday this week from Microsoft:
Announcement of Upcoming Release of Malicious Software Removal Tools
Starting from January 11th, 2005, Microsoft will provide Windows customers with Malicious Software Removal Tools. New versions of these tools will be available monthly (second Tuesday of every month on the same schedule that Microsoft already delivers other security updates) or more frequently if necessary…
…Microsoft will provide new versions of this tool updated to remove malicious software that is found to be prevalent for that month. The first version of the tool available in January will be able to remove Blaster, Sasser, MyDoom, DoomJuice, Zindos, Berweb (also known as Download.Ject), Gailbot and Nachi viruses / worms.
These removal tools will be made available to customers through the following delivery vehicles:
- As a download through the Microsoft Download Center
- As a critical update through Windows Update and through Auto Update for those customers who have Auto Update turned on
- As an ActiveX control also available at www.microsoft.com/malwareremove
Thursday, January 06, 2005
“Meet Your Computer’s New Bodyguards” is one of the taglines you’ll see when installing the new Microsoft AntiSpyware beta software. Microsoft today launched its public beta of the software, which is available to download from the company’s web site.
A lot has been said recently about Microsoft’s acquisition of Giant, a company that makes anti-spyware software used to protect computers from prying eyes and privacy leaches.
After installing it and running it, it’s interesting that its flagging things that AdAware and SpyBot S&D don’t alert on. That’s good. In my case, it didn’t hit on anything I wanted to change or remove (I have a few tools on my computer that it sees as potentially problematic, if someone else had put them there, for example.
The UI is nice and clean, and I like the automatic updates (already working). It’s pretty darn IO intensive, so don’t plan to do any disk-related work while it’s performing a check. By default it schedules a scan to happen at 2am each day (you can change this) and it sets up a real-time protection service that works a lot like an anti-virus program does, watching for known spyware and prompting the user for certain types of system changes as they happen.
I really have only one complaint. If I am running a scan and click on any menu item or button in the user interface to to go to another page, my current scan aborts without warning. This is really very frustrating and will likely cause many people to skip completing a full scan because they’d just killed a scan after 10 minutes and would have to start over again.
Overall, great start and I already like the interface and approach better than the other options out there today. Look out, here comes Microsoft – again. This is one area they’ll have to get right, for sure.
(found via NeoWin)
Thursday, December 30, 2004
Engadget points to a mention of a USB computer locking mechanism that includes a key you insert into the USB slow on your computer and a strange little medallion that you wear. When you step far enough away from the computer, the computer is locked at the console, and when you return, it’s unlocked for you automatically.
Sounds great. Sounds like a security hole waiting to happen if it’s not well-executed, but if it’s solid, it’s pretty darn cool. For under $20 per piece, you have to wonder, though…
But – If this does work, it sounds very interesting. I’ve ordered a few to see what they’re like and if they are actually reliable and secure. I will post a review once I get a chance to put them to the test. I’ll likely be using Bryan Batchelder’s replacement software, after reading a few reviews of the software that comes in the box (for example, if you have multiple screens or know anything about windows security at all, it’s east to defeat – not so good). It’s quite cool that someone is doing that kind of alternative software work, since its clear the original software will not be even remotely close to adequate.
In fact, after reading Bryan’s weblog, I’ve subscribed:
Smart guy, cool stuff!
Friday, December 24, 2004
Wednesday, December 22, 2004
From a technet email recieved this morning
Microsoft Anti-Spyware Tool Coming Soon
As you might have heard, Microsoft recently acquired Giant Software, Inc., the maker of a well-regarded anti-spyware tool. Although we'd hoped to be able to provide you with a link to a beta release of a Microsoft-branded version of this tool, it isn't quite ready yet. We're told the beta software will be freely downloadable from the Download Center sometime in the next few weeks. Until then, here's the press release outlining the capabilities of this spyware blocking and removal tool, and another statement explaining some little-known facts surrounding a legal agreement between Sunbelt and Giant that preceded the Microsoft purchase of the Giant technology.
Tuesday, December 21, 2004
In the wonderful world of computer security, we’d just assume have all you users logged in under an account that doesn’t have administrator rights to the computer. It’s not that we don’t
trust you, it’s just that we can’t
. There are too many risks associated with running that way, and some people will tell you
it’s bad form (or even just plain lazy) to do so while developing software.
Along those lines, this is pretty darn cool: If you have the new MSN Desktop Suite’s DeskBar running for desktop search, you can do much more than just search your computer (as mentioned a few days back). So, for those of use looking for easier ways to run as an unprivileged user but still launch an occasional app as admin, here is a nugget of gold that you can use in the DeskBar:
@su,=runas /user:administrator $w
Once you enter that little line of code into the DeskBar and hit enter, all you’ll have to do going forward is type something like this in your DeskBar field:
Do that, and a window will open up prompting you to enter the Administrator account password (note that your @entry configuration line could just as easily specify an account other than Administrator – even domain\username). If you do so successfully, Notepad will open, running in the context of (and with the permissions associated with) the administrator account. Obviously, notepad is not the most likely candidate for this – I can see other programs getting some real miles out of this setup, though.
(Thanks to Brandon Paddock and a link found via someone’s linkblog
Thursday, December 16, 2004
Near and dear to my heart (professionally speaking), the latest increasing numbers related to the number of fraudulent phishing sites (sites that look like a bank or other business, but which are actually set up by bad people who are wanting to steal your personal and private information) are worth taking notice of:
“The number of phishing sites, or fake Web sites set up to fool victims into handing over personal information, reached 1,518 last month, the Anti-Phishing Working Group said in a report released on Wednesday. The total was up almost a third over October and three times the level in September.”
That’s an increase of 29% over the previous month. It’s also – in my opinion – an understatement of the real number, since it deals only with reported phishing sites. But it pays to be conservative with numbers, I suppose.
“A total of 51 brands were hijacked by cybercriminals during the month, the group found. Financial services was again the most targeted industry, averaging 75 percent of all hijacked brands. ISPs faced a fair share of scams, accounting for 16 percent, according to the report.”
The Anti-Phishing Working Group publishes the monthly stats. You can find them here.
Also close to me professionally is the fact that recently the company I work for banded together with and a few other organizations to form the Anti-Fraud Alliance - a team of companies with existing, powerful software and services that can be used together or individually to combat fraud online, including phishing.
Note: My employer, Corillian Corporation, is a member of the Anti-Fraud Alliance. I mention them here simply because I wanted to and because I believe its relevant. No compensation involved, and opinions expressed here are my own, not those of my employer.
Apparently some are of the opinion this is not a security vulnerability, according to Microsoft’s comments to ZDNet reporters, but in the real world – it’s a hole. A Mack-Truck-sized security hole. The news story reads a bit like one team saying “Hey, we’re not in charge of that, so it’s not a problem” and the other one saying “We do things the way we do them, and that’s what we do.” Oof.
If you run Windows XP with SP2 you need to make sure you have this update.
After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet.
This problem occurs because of the way that Windows Firewall interprets local subnets when the “My network (subnet) only” option is used. Windows Firewall is included with Windows XP SP2.
Because of the way that some dialing software configures routing tables, Windows Firewall in Windows XP SP2 can sometimes interpret the whole Internet to be a local subnet. This can let anyone on the Internet access the Windows Firewall exceptions. When the "My network (subnet) only" option is enabled, it is automatically selected for file and print sharing. Therefore, your shared drives can be unexpectedly revealed on the Internet when you use a dial-up connection.
To resolve this problem, you must download and install the Critical Update for Windows XP (KB886185).
Use Windows Update or click the above link. If you’re not already set up for automatic updates, make that change now.
Sunday, November 21, 2004
Jesper M. Johansson, Security Program Manager at Microsoft, has published the third in his series of three articles about the pro’s and con’s of using passwords or pass-phrases in authenticating users to a network or application.
“This is the final article in our series on passwords versus pass phrases. The first part covered the fundamentals of passwords and pass phrases, how they are stored, and so on. The second part focused on relative strength and detailed mathematical approaches to determine which is stronger. This final installment concludes the series and gives some guidance on how to choose passwords and configure a password policy.”
Read the article here. Also read Rob Hensing’s review and point of view. His comments are worthwhile.
Friday, November 12, 2004
Looks like TopLayer will be hosting a series of three “webinars” (oh how these new clichés bug me) on the topic of Understanding Network Intrusion Prevention.
I am not personally familiar with the company, but the content looks interesting. It is advertised as free training, and specifically not a sales pitch.
Here's the info and links to sign up if you're interested. Each session will last for about 60 minutes. From their email and web site, the session will include:
- Understanding problems that Network IPS can solve
- Network Intrusion Prevention technology overview
- Vulnerabilities, exploits, regular expressions, and protocol validation
- Comparing and contrasting IPS technology to IDS technology
- Requirements for in-line operations
- Reliable, scalable network IPS deployment scenarios
This educational webinar series will be led by Top Layer's senior engineering team. Individuals that are investigating or installing network intrusion prevention technologies should attend this webinar series. There will be a question and answer period at the end of each session. Each webinar is an educational session, it is not a sales presentation.
To Register: http://www.toplayer.com/content/news/webinars.jsp
Detailed Descriptions of the Sessions:
Network Intrusion Prevention Webinar Session I
Topic: "Problems that Can be Solved by Network IPS"
- Background of IPS and Attacks
- Problem Review
- Massive Network Attacks
- Known and Unknown Network Exploits
- Requirements for an Inline Network Device
Network Intrusion Prevention Webinar Session II
Topic: "Network IPS Deployment Goals"
- Brief Review of Session I
- Universe of Attacks
- IPS Mechanisms
- Protection vs. Recognition & Classification
- Requirements for Inline Network Device
Network Intrusion Prevention Webinar Session III
Topic: "Network IPS Requirements and Example"
- Brief Review of Session I & II
- Network Usage Model
- Network and Security Performance/High Availability Requirements
- The challenges of IP Fragments and TCP Segments
- Security Event Reporting
- IPS Deployment Example
Saturday, November 06, 2004
Microsoft announced on Thursday that they will be returning to providing advanced notifications to the public of security bulletins. From the TechNet web site, here is the announcement:
In response to consumer feedback, Microsoft is expanding its security bulletin program to provide all customers with advance information about upcoming monthly security updates.
Starting in November 2004, the TechNet Security site will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release. Currently, security bulletins are scheduled to be released on the second Tuesday of each month.
The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected.
The purpose of the advance notification is to assist customers with resource planning for the monthly security bulletin release. The information provided in the notification will be general and will not disclose vulnerability details or other information that could put customers at risk.
The notification will be based on the information available three business days before the monthly bulletin release date. However, this information often changes due to the complexity of testing security updates. Therefore, the notification should not be viewed definitive.
Check back again in December when customers will be able to sign up and receive advance bulletin notifications via email.
See the most recent security bulletin advance notification
Wednesday, November 03, 2004
I guess I should make those who know me from outside the office aware that I have accepted a new job where I work, since much of what I write here is related - albeit somewhat indirectly - to my job. That, and many readers of this blog tell me they keep an eye on this site because of my professional work and experience in that regard.
Note: Just a quick reminder that this blog represents my own personal thoughts, positions and beliefs alone. Nothing I say here is in any way associated with my employer.
Up until last week, I was the Corporate IT Director at a terrific software company in the Portland Oregon area, managing the team of people that makes all the IT systems the company relies upon work. The team there does a lot of work: They handle all company desktops and laptops, software, help desk and end user support, phones, servers, enterprise apps, intranet and Internet web sites, corporate web and software app development, networks, lab environments, infrastructure, network security, and a bunch of other aspects of IT at the company. I have had the pleasure to work with a talented and great group of people in that department, and am proud of all the employees there and the work they have done and will continue to do. One real sign of success as a manager is when you get to the point where you have one or more employees who are ready, able and even hungry to take your job away from you. I was privileged to be in that position as a manager with my employees, and as a result I am confident the department will continue to grow and serve the company well.
So what now? I have made the move to a new position at the same company as Director of IT and Security Operations. That means I will be focusing on working with a team that does amazing security work at Corillian, while continuing to work with the IT department in a higher-level guidance and strategic planning role.
It's a natural and positive move for me (I have been heavily involved in many aspects of security operations and planning over the past few years) and an opportunity to continue to learn and grow in a red-hot and quickly-expanding area. It also means I can maintain somewhat of an IT-planning focus and continue to stay on top of new and unusual software and technology. It's a challenge that looks exciting to me, and for which I am quite motivated.
And it means a slight change of pace, which will be nice. I've worked at the same company for five years, and a little change here and there is a good and healthy thing.
It also means this blog will likely take on an even stronger security slant and emphasis, but I intend to continue to cover IT and technology in general. In fact, it's hard to divorce the two from each other and truly stay in touch with goings on.
And besides, when it comes down to it, I'm really just a technology and gadget geek.
Tuesday, October 19, 2004
Saw this coming, had a discussion with a colleague this morning about it, and Security Pipeline has an article about it.
Google's desktop search (in public beta) indexes local machine content to let you search though it and quickly find stuff on your computer.
Problem is, it might let others find and read your stuff if your computer is used by anyone other than you. Hmmm. Details...
From the article:
If you're the computer's only user, the software is helpful "as a photographic memory of everything you've seen on the computer," said Marissa Mayer, director of consumer Web products at Google Inc. The giant index remains on the computer and isn't shared with Google. The company can't access it remotely even if it gets a subpoena ordering it to do so, Mayer said.
Where the privacy and security concerns arise is when the computer is shared.
Type in "hotmail.com" and you'll get copies, or stored caches, of messages that previous users have seen. Enter an e-mail address and you can read all the messages sent to and from that address. Type "password" and get password reminders that were sent back via e-mail.
Acknowledging the concerns, Mayer said managers of shared computers should think twice about installing the software until Google develops advanced features like password protection and multi-user support.
Monday, October 18, 2004
In a well-written and well-argued article on Security Pipeline, Mitch Wagner tells us the story of the little pigs and their houses of straw and brick, and then draws from the story to illustrate the state of Internet security, stating:
"The preceding has been a fairy tale with no bearing on the current state of Internet security."
Except that it really does. Have a bearing, that is.
Wagner's analysis of the arguments on both sides of the browser wars is interesting and well-explained.
Secure coding and design wins the argument every time - with regard to secure applications, that is. Of course, functionality, usability and other aspects of computer programs have to come into play and be taken into account, as well. But ultimately, the structural materials with which you build your house (be it brick or straw) determine whether you'll survive the hurricane. Or the wolves....
The little pig's big brother said, "Dude, you can't blow down a brick house. Brick is fundamentally more resistant to huffing and puffing."
Good point, Mitch.
Thursday, October 14, 2004
Jesper M. Johansson, Ph.D., ISSAP, CISSP is a Security Program Manager at Microsoft. The second part of his three-part article on the use of passwords vs. passphrases was recently published.
The Great Debates: Pass Phrases vs. Passwords
- Part One - coveres the fundamentals of passwords and pass phrases, how they are stored, and so on
- Part Two - discusses the relative strength of each type of password, and use some mathematical approaches for illustration
- Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
In this installment, he looks at three arguments for the use of pass-phrases:
- Claim 1: Users Can Remember Pass Phrases
- Claim 2: Longer is Stronger
- Claim 3: Pass Phrases Can Have More Randomness
This is a great read, worth the time for anyone who works in the security field or in IT operations and security. I am looking forward to the third installment, as well. Jesper has a powerful way of cutting to the heart of the arguments and coming out the other end of the conversation with good facts in tow.
Saturday, October 09, 2004
Friday, October 01, 2004
I didn't know I was going to be asked to speak, but Chris roped me into participating in a panel session first thing this morning, the topic of which was “the future of security.” It was an honor to do so, and the conversation was a good one. The audience was involved and had great questions and comments. The participants on the schedule were:
Chris DiBona (moderator)
Neil Wyler aka Grifter
Fred Felman of Zone Labs
Dan Appleman - whose book, Always Use Protection, should be read by every teen (and adult) who uses a computer
Robert Scoble joined in
Picture below thanks to noded.com
Being involved up on the stage, I don't clearly remember everything we talked about in detail. I used/borrowed/stole the “PPT” mantra often used one of my friends and mentors, Jim, in my words during the panel discussion: “Security is about three things - People, Process and Technology.”
Security as a topic of conversation or debate, especially when discussed among geeks, seems always to attract such a strong technology focus. But the other two aspects of security - process and people - cannot be ignored. If you remove any one part from a security effort, it cannot ultimately succeed. If you have a successful security strategy and program already up and running, you cannot afford to forget to address and maintain all three components. If you do, again, it's bound to fail eventually.
Technology is important, though. You can't discount the fact that when you run computers and networks, technology is what you're securing, so you'll almost certainly use more technology to help you.
The panel discussed hardware security technology, and (as expected) the “patch and fix” and other typically Microsoft-centric topics and questions came up.
My response to the Microsoft-Security debate: Think about football teams. The team that plays tough games season after season and gets its butt kicked over and over will eventually learn the basics, and then will evolve into a mature powerhouse of a team. You just hope the other teams (the ones that had been kicking your team's butt) don't get too lazy or take any thing for granted. Or, if they do, that you have not made an investment in that team.
Three years ago, I was looking at Microsoft as a team I had a relationship with, but who I could not count on to win the game. Today my position is just the opposite: Microsoft has learned the hard lessons, has had their butts kicked, and has emerged from the fray a stronger, better and more mature company in the security arena. They may only be 60% there, as Scoble noted on the stage, but this is a team that I feel I can count on to do the right thing and fight the good fight.
This was a good session, covering a lot of ground. Feedback from audience members afterward was positive, which was cool. Security has become a hot topic in the past year or so in the user world, and will become even bigger in the future.
Again, because it bears repeating: Always Use Protection - buy it now. <eom>
Thursday, September 23, 2004
If you are running a pirated or otherwise improperly-acquired copy of Windows and you think you'll be able to download updates and add-on's, you may find yourself out of luck in the future.
Security Pipeline reports
that Microsoft has quietly debuted a mechanism that can block pirated copies of Windows from downloading fixes, patches, and software.
According to Microsoft, 23 percent of Windows computers in the United States are running bogus versions of Windows. The new program installs an Active-X control (users can opt out, at least at this point) that examines a system
accessing certain files on Microsoft's Download Center
to see if the copy of Windows that is installed on the machine is legitimate. At this time a number of Windows Media files are flagged for the check, along with several others. Files that will prompt the user to validate his or her copy of Windows are marked in the file listings with a small gold arrow on a blue circle background (see above).
I was interested to find that my computer, the very one from which I am writing this weblog entry, a computer provided to me by my workplace and which I know for a fact runs a legitimate copy of Windows XP Tablet PC Edition, was initially denied access to the Windows Media Player 10 download because the test did not immediately verify it as a legitimate OS installation. Wow, I thought - that's just great.
However, once I correctly entered the product code from the friendly license sticker (the one with the teeny tiny print so small I almost could not read it) into the web interface provided for computers that could not be automagically verified, I was passed straight through to the download page. So in the end, it worked just fine:
No doubt Microsoft is legitimately interested in making sure its updates are getting into the hands of those who have purchased the products the company produces, while at the same time providing software thieves with a reason and incentive to pay for the operating system they use. It should not come as a surprise that Microsoft is doing this now, nor that they will likely expand this capability in the future. Ultimately, it takes people spending money on software to allow a company, regardless of how big that company may be, to continue to build new and better software products. No matter what your philisophical position with regard to Microsoft, the one core rule of business always applies: If you're not making money, you shouldn't be in business.
Wednesday, September 22, 2004
Security Pipeline has an interesting article that explains how you can do some simple and cost-free things with your network setup to significantly improve your security situation, in the event you have not already applied the measures they describe.
Note: I am not so sure I agree with the article as a whole (in my book, a good firewall is an absolute must, and vulnerability scanners do add real value, especially when used in combination with common sense and a good, well-trained set of brains and eyes), but the points made in the article are interesting and, at least on a case-by-case basis, valid. But I do not agree that implementing just those measures would provide anything even approaching acceptable network security. To state that many IT managers become mired in the volume of patches and configurations is a valid point on its face, and is worth considering when looking at how to manage security and prioritize, but to suggest or imply that one therefore avoid any of the patches and tools is not - in my opinion - a good option.
From the article (which gives specific items to address):
"According to Peter Tippett, CTO of the newly-formed security company Cybertrust (formed from TruSecure, BeTrusted and Ubizen), you're better off looking for good solutions instead of perfect answers. "A few solutions that are only 80 percent effective give an overall 99.9 percent solution," Tippett says. In fact, he says that the most effective security solutions require little time and less expense, and can reduce your exposure 40-fold."
Monday, September 20, 2004
Last week while I was out, Microsoft released a new tool on their downloads site called SSL Diagnostics Version 1.0, which aids in quickly identifying configuration problems in the IIS metabase, certificates, or certificate stores.
x86 and ia64 versions are available. The download contains a document called the SSL FAQ that is a great resource for people wanting to learn about SSL from the beginning, as well.
Recommended for anyone who might need to deal with web servers, certification authorities or SSL certificates for any reason.
Microsoft's TechNet has released a useful set of step-by-step guides to help people learn, understand, plan, deploy, configure and maintain Active Directory infrastructures on Windows 2003 domains.
From the AD Step-by-Step Guides page, the following individual titles are available (see the main page for more information about each):
- Installing Windows Server 2003 as a Domain Controller
- Installing a Windows XP Professional Workstation and Connecting It to a Domain
- Setting Up Additional Domain Controllers
- Managing Active Directory
- Understanding the Group Policy Feature Set
- Using the Group Policy Management Console
- Enforcing Strong Password Policies
- Using the Delegation of Control Wizard
- User Data Management and User Settings Management through Group Policy
- Configuring a Dial-Up Remote Access Server
- Building a Site-to-Site Virtual Private Network Connection
- Using the Encrypting File System
- Digitally Signed and Encrypted E-Mail
- Active Directory Sites and Services
- Active Directory Bulk Import and Export
Wednesday, September 15, 2004
Security firm Secunia has issued a "highly critical" advisory that details 10 separate vulnerabilities found in Mozilla, Firefox and Thunderbird. The flaws can be exploited remotely, allowing an attacker to compromise a system and expose sensitive data. Mozilla users are urged to upgrade to the latest releases of each application, which contain the necessary fixes.
This follows a JPEG vulnerability annmouncement (MS04-028) from Microsoft, as well. If you are running any of these programs, be sure to get the latest versions - these are serious vulnerabilities in all the apps, just as important to patch as where there's a vulnerability discovered in Windows or IE.
Cory over at SANS commen