A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.

So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.

Up until today I was frustrated to no end with these events.

Now it's personal. Now I'm angry.

And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...

This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.

There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.

The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.

All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.

What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.

But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.

BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems.  It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.

If a company doesn't have a security management framework in place, not only is it unaware of what's happening in it's own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an over-reaching management framework to ensure all the bases are covered.

Did he say "negligent?" Yes, negligent. And I mean it.

It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.

So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?

Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.

Of the 2600+ organizations on the certificate register, there are only seven  (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.

This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other other entities. I've left off most of the countries that have only one certified organization to save space.

Japan	1602	Brazil	9	Slovenia	2
UK	244	Sweden	8	South Africa	2
India	186	Spain	7	Armenia	1
Taiwan	92	Turkey	7	Bahrain	1
Germany	57	Iceland	6	Chile	1
Italy	42	Greece	5	Egypt	1
USA	39	Kuwait	4	Lebanon	1

And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.

If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well. 

The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.

So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.

What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?

Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPPA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards require a company to have a security management system in place, and neither come close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.

Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.

Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.

Not able to register and sign up for college classes and hike on down there to learn some useful crypto skills? No problem. The University of Washington's crypto course is available online for anyone to access. And this is some truly decent content.

Practical Aspects of Modern Cryptography - course description

The full semester of class content is available online - slides, video of each class session, audio in MP3 format (there's even a podcast link) - great stuff. You'll spend some real time working through the class presentation, which means you'll be spending the time it takes to actually learn the content.

By far the best way to view the content online is with a special app you can download from the UofW web site for free. If you install their WebViewer application you can get the video and slides and instructor annotations playing all together in one nifty package. Quite excellent since they teach with - get this - a Tablet PC in real time. It's kind of like Monday Night Football for geeks. Heh.

There's a whole slew of math and number crunching stuff in the first class sessions, but it's information that is fundamental to a complete understanding. Then the instructors move into protocols and more practical, real-world applications.

There's a TON of presentation content here. Anyone who wants to learn about cryptography for real will likely find this worthwhile. Kudos to the instructors and the University of Washington for providing this online class content. We need more complete educational stuff like this on the web. Like MIT's OpenCourseWare. Excellent.

(via Digg)

Steve Knopper took a new Dell computer and spent 18 days infecting it with all the malware and viruses he could get his hands on. His account if the whole thing is published at Wired.

"What kind of idiot buys a computer and willingly – even eagerly – exposes it to all the malware and viruses he can? Me. I bought a Dell Dimension B110 ($468! Cheap!) and tried to kill it for more than two weeks. I clicked on every pop-up and downloaded the gnarliest porn, gambling, and hacker files I could find."

And then he returned it to Best Buy on the 18th day. Classic. Read Steve's account here.

Recently I've been speaking with a lot of reporters and other media-types about the work we at Corillian do on financial services security. It's fun to be taken back to my old journalism days, and I've come to find there are a lot of very smart people out there working the security technology beat. In addition to speaking to the media, I've also been presenting in person at a number of conferences, and have quite a few more coming up over the next several months.

I recently had a chance to speak with one reporter to discuss the state of the industry in terms of online financial services and recent FFIEC mandates on banks to implement strong authentication for their online banking web sites. Eric Norlin is well-known to many, and he writes for some well-respected publications, including Digital ID World and on ZDNet.com. We talked about the risk management components that go into deciding how to solve the authentication problem. The strong authentication software we build at Corillian uses a risk-based model, and Norlin's approach to the story is (I think) spot-on, especially his recognition of the need for an identity-first/identity-risk mechanism:

"Corillian is one of those interesting companies that you hardly ever hear about: several hundred financial institutions as customers; running back-end financial industry specific software; aware of all of the stringent requirements of financial institutions. So, its not like Corillian is just "getting into the game," its more like they're adding to an already deep bench. They're adding their Intelligent Authentication product.

"The interesting thing about Intelligent Authentication is that it begins by recognizing the risk management approach to strong authentication. Accordingly, it uses a variety of methods to authenticate you based upon the interaction (or transaction) that you're having. These methods include: client OS and browser checks, behavioral pattern analysis, geo-location (via a partnership with Quova), challenge and response questions (chosen by the customer), and my favorite - out of band phone authentication (via a partnership with StrikeForce)."

(Link to Eric Norlin's story on ZDNet.com)

He also noted that we at Corillian have already done some early, in-depth work in conjunction with Microsoft integrating a new authentication technology code-named InfoCard, which places the control, proof and credentials used in the authentication process back in the user's hands (in other words, right where they belong) while also helping to solve weak authentication problems. What I especially like about InfoCard is the community support and open-ness, as well and the user/identity-centric approach, which ties directly to Kim Cameron's Laws of Identity and the concept of the Identity Metasystem (an interoperable architecture for identity on the Internet). The security model on the desktop (it will run in Windows XP and 2003 Server and will also ship in Windows Vista) is also very interesting and encouraging. It will be quite interesting to see how, where and when InfoCard is adopted. I'll be speaking and writing here about InfoCard more in the future.

What rolls out on day-one with more than 300 million users and nearly a BILLION authentications per day?

The new Windows Live ID, that's what. And that's exactly what happened, while you were using it and going about your daily business.

Microsoft's completed the roll-out of Windows LiveID to replace its Passport network infrastructure. It was all happening behind the scenes recently, and the next steps are for Microsoft and its partners to start rolling out some of the new technologies - some of which you can see and some of which is under the covers - to show off and leverage the new service.

"You'll start to see the new sign-in experience and all the goodness within a few weeks when we light up some partners," said Trevin Chow, Lead Program Manager on the Windows LiveID team.

So, what exactly is LiveID?

Well, you can read a whitepaper that was recently published to get all the salient details, but basically it's a new component in the Identity Metasystem that replaces Passport. It will eventually support both self-issued and third-party managed/issued InfoCards as credentials, and a SDK will be available.

What this all means is that Passport has grown up, and control of personal information will be more and more in the hands of the end users. In the future, Live ID will leverage InfoCards, which means more individual control of the claims used to identify users to online apps. Participation in the Identity Metasystem and following it's governing standards - the Laws of Identity - mean end users can leverage a centralized service but still maintain control over - and make decisions about - what specific information is sent to what services.

It's good news. Check out http://login.live.com - you'll notice the new footer on the signin section.

Chris Corio, a program manager on the Windows Security team, has put together an article for the May/June 2006 issue of TechNet Magazine that takes a first look at the new security features that will be included in Windows Vista. Items covered in the article are:

• User Account Control
• Consent and Credentials
• Code Integrity
• Data Encryption
• Application Isolation
• Data Redirection
• Cryptography
• Credential Providers
• Service Hardening
• Windows Defender
• Rights Management Services

It's a good summary all in one place of many of the security improvements that will be built into or will ship with the new OS. From reduced privileges to improved use of strong cryptography and other new features, Vista looks like it will be a major step forward in the Windows security world - a welcome set of core changes.

Read the article here.

If you run Firefox (or other Mozilla software based on the same codebase like Thunderbird) and have not upgraded it to the latest version (the latest Firefox - 1.5.0.2 - was released just last week), CERT says you really really need to.

From ZDNET:

"CERT advises people who use Mozilla's e-mail software, Thunderbird, and the Internet application suite Seamonkey to also upgrade to the latest versions (Thunderbird 1.5 and Seamonkey 1.0.1). CERT warned that any other products based on older Mozilla components, particularly the Gecko rendering engine, may also be affected.

"Firefox has traditionally been seen as being more secure than other Web browsers such as Microsoft's Internet Explorer. This is thought to be the first time that multiple vulnerabilities have been reported in Firefox and the Mozilla suite.

"Secunia warned that hackers could exploit the security holes to gain control of computer systems, conduct phishing attacks, and bypass security restrictions.

"One error that occurs in Firefox would allow arbitrary JavaScript code to be injected into Web pages as they load."

Users of Firefox can typically just click on the Firefox "Help" drop-down menu and then choose the "Check for Updates" option to see if they are running the latest version. If your version of Firefox does not have this option, you know you're way out of date and you should visit http://getfirefox.com right now and download the newest version ASAP.

Also, of use to corporate IT people is the Firefox Community Edition package from FrontMotion that includes features to do MSI installs and leverage associated Active Directory ADM files to manage Group Policy security functionality in Windows domains. Companies using this package can apply the patched versions in an automated, simpler and reliable fashion. Larger organizations that don't use such a package have to deal with either a more complicated update process or reliance on end users to perform the updates - which is never 100% successful, even in the smallest shops. Version-wise, it's important to note that FrontMotion's MSI installers tend to lag a bit behind the Firefox official releases (when a new FireFox release is issued, the FrontMotion crew uses it to create the new MSI installers and ADM files), so keep this in mind when deciding how to deploy.

I work in the security field (we build anti-fraud and authentication software and services for financial services and electronic commerce companies like banks, etc). Recently I've been asked by a significant number of people why certain banks are being phished in such large volumes. Now, while I don't write about specific financial institutions or security events (that would not be appropriate), I can tell you that any given bank has little to no control over whether or not it is made a target in the first place. All the big banks (and many tiny ones) get hit hard at some point. What they do have control over is their chosen prevention, mitigation and response plans and methodologies.

In the end, the most effective solution is the fairly simple one: Make it hard enough for the fraudsters and eventually they will move on to another bank. Stopping phishing and other online fraud is really just like everyday police work - It's not actually about ending crime, it's about making it go elsewhere. In the real world, the cops just push the burglars, drunks and drug dealers to someone else's town. We don't solve these problems, we just move them somewhere else.

So, eventually the scammers' targets and victims change. The real problem with online fraud is that we can't put an end to it with infrastructure technology they way it is now. We can get way out in front of it (where I work, we write software that can help prevent most phishing attacks from being launched in the first place, as well as strong authentication software to help stop bad guys from getting in the door even if they have a key). But it's way too easy to run a phishing scam, and prosecution is not an effective solution. Prevention is the way to go, and that means diligence on the part of financial institutions, using the right kinds of technology where needed, and a implementing a whole-community effort to stop the problem before it ever gets started. Tools are out there to let the bank get in front of the problem, and but it off at the knees before the crime occurs - a lot like stopping the bank robber well before he walks into the bank's branch office. Preventing the robbery is a lot less messy than cleaning up afterwards, explaining it to everyone, and trying to convince your customers that have just been held hostage not to leave your bank for another one.

Email is, as designed, one significant part of the problem we face. It's just too easy to abuse. Without getting too far into the whole "email-limitation" debate (Sidebar: When I spoke at a security conference last week one attendee tried to lure me into taking a political position on whether charging to send each email is a good idea... Heh, no I think not...), it's clear at least that there are many problems with the medium. Educating people not to respond and not to click on links will not solve the problem, as has been proven time and time again. Email is an  insecure method of information transport, and unless access can somehow be reasonably curtailed, this problem won't go away. The real question is, can email be restricted for bad guys while still keeping it free and in the spirit of the open Internet for everyone else? If so, how? Something tells me the debate and answers have not changed much over the years.

Ah, what the heck, let's just kill email completely. Block port 25 at the backbone routers. It's a counter-productive way to communicate much of the time anyhow. Imagine all the misunderstandings we'd avoid. The tangible and intangible benefits would be many. :)

But seriously, in the real world, there are three basic approaches to tackling this problem (phishing and cyber-fraud) if you're a financial institution. I'll mention them here briefly, and will likely dive into them in more detail in another post sometime soon:

• Option One - Purely Reactive Posture - Apologize to customers when they call and tell you there's a problem, refund their accounts, change their passwords for them, hope they don't leave you for another bank.
• Option Two - Hybrid Reactive Posture - Watch for phishing emails and when you see them, use technology to block them and see if the sites in the emails are real, and if so try to get them taken down, either on your own or through a professional take-down service. Apologize to less customers, and hopefully change their passwords before the bad guys get into the accounts.
• Option Three - Preemptive Approach - Prevent the fraud attack from being launched in the first place, shut down fraudulent sites before the victims receive an email, make it difficult for the attackers, and protect your customers from being victimized at all.

Which option do you think is best? Which posture do you expect your bank to adopt? For my part, I vote for leveraging all three options, with a strong primary emphasis on Option Three, where prevention is the main focus. That's the area where I spend the majority of my professional time, with a team of developers and forensic techies who build software that prevents attacks and gives banks what they need to protect customers from becoming victims. It's a worthwhile job.

Microsoft's Windows Live ID team has started a blog to communicate information about the new product, which is a replacement/upgrade for the Passport service. From the inaugural post:

"Windows Live ID is the upgrade/replacement for the Microsoft Passport service and is the identity and authentication gateway service for cross-device access to Microsoft online services, such as Windows Live, MSN, Office Live and Xbox Live.  Is this the authentication service for the world?  No   It's primarily designed for use with Microsoft online services and by Microsoft-affiliated close partners who integrate with Windows Live services to offer combined innovations to our mutual customers.  We will continue to support the Passport user base of 300+ Million accounts and seamlessly upgrade these accounts to Windows Live IDs.  Partners who have already implemented Passport are already compatible with Windows Live ID.
 
"Windows Live ID is being designed to be an identity provider among many within the Identity Metasystem.  In the future, we will support Federated identity scenarios via WS-* and support InfoCards.
 
"For developers we will be providing rich programmable interfaces via server and client SDKs to give third party application developers access to authenticated Microsoft Live services and APIs.
 
"Over the next few weeks as we complete our deployment, you will see the Windows Live ID service come alive through our respective partners sites and services.  The first thing you’ll notice as early as today is that the word Passport is being replaced by Windows Live ID.  But isn't a rebranding exercise -- there is stuff going on under the hood.  This will be more understandable in the coming weeks and months when you start seeing the new, exciting Windows Live sign-in UI.  Not only is the page load time significantly reduced, but you will see some really cool innovative features that we’re sure you’ll love :)"

I'll likely be writing here on this weblog about Infocard (which I have early some experience with), authentication and other related topics, since I have a professional connection to all of the above. Glad to see the Live ID team getting their blog start - this is the beginning of what should be a great phase of changes and improvements in the area.

Recently a couple coworkers at Corillian turned me on to TextPayMe, which is a cool service you can use to send money to others (and even to a few online merchants). Click the banner below to check it out and sign up for free - They'll even deposit five bucks in your TextPayMe account when you sign up. For real. You don't even have to provide a credit card or bank account info unless you want to transfer funds into the TextPayMe account, so there's no risk. It costs you nothing.

And, if 35 people sign up via this link, I'll get a XBOX 360. You can do the same thing. nice eh?

TextPayMe services are used to send payments to (and receive payments from) people you know, using text messaging on your mobile phones or wireless PDAs (I'm using it on my Blackberry phone). Let's say you go to a restaurant with three friends. Instead of asking the waiter to split the bill, or even worse trying to find the right amount of cash to put in the pool and pay your part, one person pays the bill, and the other three send their part to the person who paid using TextPayMe. They send it to your cell phone number, nice and easy. And for the people sending the money, the security system (which is a two-factor secure system - nice) calls their cell as soon as they text the payment. They answer the phone and are prompted by the peppy IVR voice on the other end to enter a PIN (which you provide at the time you sign up). Only then is money sent.

So - a cool service to try, nothing to lose, and five bucks to gain! Click here to go to the TextPayMe site and sign up to give it a try!

Verisign's iDefense Labs has a program running that will pay you up to $10,000 if you submit a security vulnerability to them during this quarter that ends up being ranked as critical by Microsoft:

For the current quarter, iDefense Labs will pay $10,000 for each vulnerability submission that results in the publication of a Microsoft Security Bulletin with a severity rating of critical. In order to qualify, the submission must be sent during the current quarter and be received by midnight EST on March 31, 2006.

Well, there you go - if you gots the skillz, go gets some cash.

And by the way - the iDefense Labs site is a great resource for IT and security types to keep any eye on. They provide content on the site as well as webcasts with well-done content.

On Friday Microsoft released a the latest version of their anti-malware product, which is now called Windows® Defender (Beta 2). This software replaces the product formally known as Microsoft Antispyware. There's both 32- and 64-bit versions available to download.

I've installed it and it runs just fine, but I get an error when it tries to update itself with the latest detection signatures. I'll try a reboot and see what happens a little later on. Hopefully that will help.

The new UI is nicely done, and I like the fact that you don't have to be an administrator to run Defender.

Defender information  on Microsoft.com: Windows Defender home Product information •  Beta overview •  FAQ •  System requirements •  Release notes Support and training •  Getting started •  Beyond basics Resources for software vendors Microsoft's focus on spyware

From the Windows Defender download site:

Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.

This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft’s growing understanding of the spyware landscape.

Specific features of Windows Defender Beta 2 include:

• A redesigned and simplified user interface – Incorporating feedback from our customers, the Windows Defender UI has been redesigned to make common tasks easier to accomplish with a warning system that adapts alert levels according to the severity of a threat so that it is less intrusive overall, but still ensures the user does not miss the most urgent alerts.
  
• Improved detection and removal – Based on a new engine, Windows Defender is able to detect and remove more threats posed by spyware and other potentially unwanted software. Real Time Protection has also been enhanced to better monitor key points in the operating system for changes.
  
• Protection for all users – Windows Defender can be run by all users on a computer with or without administrative privileges. This ensures that all users on a computer are protected by Windows Defender.
  
• Support for 64-bit platforms, accessibility and localization - Windows Defender Beta 2 also adds support for accessibility and 64-bit platforms. Microsoft also plans to release German and Japanese localized versions of Windows Defender Beta 2 soon after the availability of the English versions. Use WindowsDefenderX64.msi for 64-bit platforms.

My co-worker Mike pointed out an article that's got to make some people more than a little nervous. Imagine if an RFID chip could be embedded in a piece of paper, virtually undetectable.

Well, it can. You can imagine the security and privacy concerns (while marveling at the technical advances). From EETimes.com:

"Hitachi was due to present details of the 0.15-millimeter by 0.15-millimeter, 7.5-micron-thick chip on Sunday (Feb. 5) at the IEEE International Solid-State Circuits Conference (ISSCC) in San Francisco.

"Paper is typically 80 microns to 100 microns thick, and the chip substrate has been made small and thinned to 7.5 micron to ease application in paper, where it could be used as an intelligent watermark."

The Microsoft Download Center has a new audio podcast available (MP3 and WMA formats are listed) titled "How Microsoft IT Implements Encryption Using SQL Server 2005."

Podcasts appear to be a new thing there (first one was posted on January 19th), although I am not sure the technical name of "podcast" is accurate in this case, since I don't find a RSS Subscription feed anywhere that points to the files, and that's kind of half of what makes it a podcast. If anyone can find a RSS feed for these, please let me know.

But at any rate, there's some good content there. If you're an IT pro looking for some good drive time geek out audio, click here to search for podcasts on Microsoft Downloads. I'm grabbing "Podcasts: How Microsoft Information Security Protects Critical Information Assets" for my flight to North Carolina on Monday. Between that and the Battlestar Galactica season one video, I think I'll have plenty of content to keep me busy between powerpoint deck edits.

(via Chris Pirillo)

Published just this month, an important whitepaper is now available that provides authoritative information about applying  the "don't run as admin" concept in the real world.

Should you care? Yes. Absolutely. Why? Because running as an administrator or high-privileged user opens the door to malicious software ruling your world by potentially damaging your computer and data, compromising confidential information, and harming your company's reputation and business relationships. Put simply, you should do it because it's now possible, because with Windows Vista it will be enabled in terrific ways that reduce the pain, and just because it makes obvious good sense.

Users will download and install software they're not supposed to. Policies don't solve technology problems. Rather they guide solutions to people problems. Users will take CDs they bought with a major record label on the sleeve and stick them in their CD-ROM drives, whether or not they are supposed to, and we've all learned recently that you cannot trust major record labels to product safe, appropriate software. Users will surf to web sites and (regardless of how much education and prevention you do, and how many times you tell them to never click on that stupid thing that says their computer might be infected) they'll click and download and even install software that wreaks havoc, logs keystrokes or any one of a thousand other bad things.

People and process changes and preventions are important - don't get me wrong. We need to educate and provide standards, and we still need to hold people accountable for behavior. But that does not remove from us the responsibility to make proper and correct technology decisions when it comes to operation and implementation security. Period.

People, process and technology - it's a combination of all three of these, in careful balance, that makes a true security ecosystem work.

But making changes like this is, honestly, something that most business and technology people avoid, because they're afraid they won't be able to operate that way. Or they're afraid someone will complain. Sorry guys, not a good enough reason, not anymore.

So... What's the problem we're trying to solve? From the paper:

"A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message."

The approach into which the least-user model falls is a layered security, defense-in-depth style. We cannot rely solely upon one layer of security to solve all our malware problems, and the fact is this: If all computer users already ran with least-privileged accounts, the incidents of malware (spyware, adware, etc) would be significantly less. In the real world, we are stuck in a position of needing to make a change, but for the future we will do well to remember how taking the easier route early in a technology phase can come back to bite us later.

"A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.

"The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools."

Small and large organizations (of all types) are faced with this problem. While it's not the end of the world, it's often not a trivial task to change to a least-privileged computing model if you're already deployed in a mode where all users are administrators. This is common in software companies and other place where people have liberal privileges in order to provide ultimate flexibility in their development and design world.

I should also note that in Windows Vista, the next version of Windows, there are significant improvements in the operating system that will make it completely feasible to apply a least-privilege user model to every single computer, while affording users the ability to install software and make appropriate configuration changes in a controlled and safer environment. In my opinion, any shop that deploys Vista when it's available and does not take advantage of this security capability is negligent (and there will be many companies where that will happen, just watch). Find out more about Windows Vista User Account Control (UAC) at the Microsoft Technet site pages that cover the subject, and be sure to read and subscribe to the UAC Team Blog.

I highly recommend this whitepaper. It cuts to the chase and explains things in a clear and concise way, while addressing real world concerns and providing links and references to third-party tools and information. If you run a network or a dev shop, or if you're in any way responsible for secure computing, this is a paper you need to get familiar with.

Description and summary of the whitepaper from the Microsoft download page:

This 100-level technical white paper provides information on the principle of least privilege and describes how to apply it to user accounts on Windows XP. The paper covers the following topics:

• Risks associated with administrative privileges
• Definition of the principle of least privilege
• Definition of the least-privileged user account (LUA) approach
• Benefits of the LUA approach
• Risk, security, usability, and cost tradeoffs
• Implementing the LUA approach
• Future developments

This paper also describes at a high-level the issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail.

Microsoft Security VP Mike Nash answers a stack of questions posed by Slashdot readers. The Q&A is pretty good. Nash provides substantial answers to some fairly pointed questions. One thing is clear, both in the answers and in my own experience: Security is hard - if in no other way, then from the standpoint of overcoming the many cultural and technical hurdles.

Nash covers a broad range of important topics and addressed many, many issues. Click on over to read, but here's a very brief couple of excerpts:

On code security and secure code review processes:

"Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could over run a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated."

And on the cultural challenges of prioritizing security:

"Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."

If you're even tangentially involved in security for your organization, and especially if you're a technology company, this Q&A is definitely worth the read.

From Mark Harrison's weblog:

All Windows SharePoint Services customers are entitled to an extended free trial of Antigen for SharePoint. This trial version will be active through June 30, 2006.

To download, simply go to www.sybari.com/wss and fill out the form.

Antigen for SharePoint allows Windows SharePoint Services users to collaborate without the risk of uploading or downloading infected documents or inappropriate content.

The simple and honest fact is that many people who have deployed WSS or SPS don't run any anti-virus software on their SharePoint implementations - and that's a huge mistake. Running plain-ol' AV on the server's file system is exactly the wrong thing to do, because all the SharePoint files are stored in the database where regular AV software can't touch them. And besides that, running real-time AV scans of a SQL database file (which is constantly changing) is a supreme resource and performance killer if there ever was one.

I've worked with Sybari's Antigen products on both SharePoint and Exchange for several years. In my book, it's the best thing in AV-Land since sliced bread. So check it out.

As tends to happen from time to time, some sudden attention on the 'net (starting with the Security Fix blog at Washington Post) has been paid in the last couple days to what has been misleadingly described in some places as a "flaw" in the Windows wireless networking functionality. In reality, that's not quite the case. Rather, the potential problem (which some might argue is actually a feature) is related to an understood standard computer configuration (some would say "as-designed") of the spec governing dynamic configuration of IPv4 link-local addresses (RFC 3927 - see part 5). The authors of the spec even noted the potential risks and discussed the importance of taking that risk into consideration in design and deployment:

"The use of IPv4 Link-Local Addresses may open a network host to new attacks.  In particular, a host that previously did not have an IP address, and no IP stack running, was not susceptible to IP-based attacks.  By configuring a working address, the host may now be vulnerable to IP-based attacks." (read the spec)

Unfortunately, some have stated incorrectly that this represents an unknown or recently-discovered security hole or flaw. That's just not the case. This is, however, something that people should be aware of if they use or manage portable computers with wireless networking cards.

The problem has to do with the fact that the last wireless network name (or SSID) you successfully connected with is reused and associated with the generic IP address that gets assigned when your wireless card can't find a network to associate with, so someone who is also assigned an IP In that block and who knows what they're doing might try to connect to your computer using that network name and the generic IP address subnet. Yeah, it's technical but it's not too hard to protect yourself.

The first thing you should already have in place - and if you don't, you need to take care of this now - is a firewall to protect access to and from your computer. It's amazing how many problems can be mostly or completely mitigated with a decent and properly configured firewall. If you block incoming traffic with the firewall, then access to the wireless adapter is nowhere near as big of a deal.

On the technical side, there are a couple things that can be done to resolve the specific issue at hand. The most logical (and second most technical) step is to configure the network adapter in Windows to only allow infrastructure connections (to access points), and not Ad-Hoc connections (to other wireless cards in peer-to-peer mode). This can be done individually (on a specific computer by the user or administrator) or in a more automated fashion across a security domain (see below).

On a Windows computer, you can also get all geeked out (this is a more technical step) and disable the feature that automatically assigns the generic dynamic IP address when DHCP server is present (this auto-assign feature is sometimes referred to as APIPA - see this page for details on disabling it if interested, but use at your own risk, it involves editing the registry). It's this common and predictable IP address space that could potentially allow someone else to try to snoop into your computer, if you had none of the other standard protections - like firewalls and directory security - in place.

An even better option - where available - is to have your Windows Domain administrators control the setting for any group of computers managed by the domain's Group Policy. To do this, navigate in the Group Policy editor to:

Computer Configuration > Windows Settings > Security Settings >Wireless Networks

You notice there's nothing listed in that section by default - That's because you have to create your own policy if you want to take advantage of the features available. To do so, right click in the empty space and choose to create a new wireless policy. You'll give it a friendly name and the wizard will walk you through the steps required to set up your new policy. On the properties page (see below), you'll note an option is available to specify the network types to which you want to allow access. You can choose "Access point (infrastructure) networks only." Note that selecting this will force all computers to which the policy is applied to access point networks (so the wireless peer-to-peer networking without an access point - which is exactly the issue we're trying to mitigate - will no longer work).

Some companies use these settings to ensure the only wireless networks that business computers access are ones that are pre-approved, but that means a tradeoff between security and convenience, and road warriors often desire and need to use public access points for any of a number of reasons. How deeply and widely you apply the policies is a business decision - just be sure to consider all the potential business effects and consequences.

Note again that fixing a problem in just one place or in just one layer is most certainly not the right way to solve problems like this. Rather, taking a defense-in-depth approach, where you block access at as many layers as possible, is the way to approach network security issues.

For example, let's go back to enabling the software firewall on your computer - whether it be the Windows Firewall that is part of Windows XP SP2, or a third party firewall by a company like Symantec or others. This is another critical layer. Having a properly configured firewall in place helps to ensure access to your computer is protected, even if the wireless connection is "open." Layering protections allows you to be sure the problems are kept out, and also provides a possible mechanism to temporarily relax any one of the protections when needed in order to accomplish a specific task.

A patch for the truly nasty WMF vulnerability on all versions of Windows has just been pushed out in an extra release by Microsoft. It is described in Security Bulletin MS06-001. It's available for your WSUS server and from Microsoft Update, or you can get it by downloading it from the links on the security bulletin web page.

This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. Note This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This is a huge one - super critical, as there are many exploits in the wild that are actively taking advantage of this vulnerability. UPDATE NOW!

On January 12th at 9:00 am Pacific time my boss, Jim Maloney, will be presenting along with George Tubin, a senior analyst at Tower Group, on the topic of preventing fraud in the online banking world. They'll discuss the threats, ways to protect customers, and some tools and processes that can help get the job done. It's a hot topic in the marketplace, and I think many people will find this web cast interesting from a security perspective, regardless of whether or not you work at a financial institution.

There's been a lot of talk and movement in this space in the past few months, after the FFIEC (the federal government organization that's made up on several individual federal agencies responsible for setting banking standards) issued new guidance to banks and other financial institutions that says something needs to be done to further protect online banking accounts, and that it needs to be done sooner rather that later. The emphasis of the guidance is on a defense in depth and layered security approach. Jim and George will be specifically addressing that guidance in the web cast.

You can sign up for the web cast here (uses LiveMeeting). A press release that announces the event is available here.

I've written before about FrontMotion's Firefox MSI installers and their Active Directory ADM policy templates, but with the recent release of Firefox v1.5 and the resultant updating of the installers by FrontMotion, I figured it's worth another mention. In a security-conscious IT environment, we all know how difficult it can be to exercise the necessary level of control over programs that are used to access the Internet - and the web browser is number one or two on the list of possible problem Internet apps (along with email programs). So being proactive whenever the tools are available to us is quite important.

Luckily, FrontMotion distributes MSI (Microsoft Installer) versions of the Firefox web browser for people to use (free of charge at this time) and there are two editions of the installers available. FrontMotion's Firefox Community Edition - which is the one that includes the Active Directory integration for centralized management and control - is slated to be updated shortly, and their stand-alone MSIs (which are not AD-integrated) have already been updated to incorporate Firefox v1.5.

• Download Firefox MSI installer files (stand-alone)
• Download FrontMotion Firefox Community Edition for use with Active Directory

The features of the Firefox Community Edition should be of interest to companies that centrally manage software for IT and security purposes, and the package allows you to upgrade non-MSI installations as well as those from other organizations. Features of the community edition include:

• Active Directory deployable and upgradeable.
• Active Directory management through Administrative Templates (*.adm).
• Desktop Icon similar to IE.
• Shell integration similar to IE.
• Set Default browser
• Macromedia Flash plug-in preinstalled
• Detect and upgrades non-MSI installs.
• Can upgrade 3rd party MSI's from MIT, Webheat.co.uk, and ZettaServe.
• Able to properly perform uninstalls and restores system associations

You can subscribe to the FrontMotion mailing list for occcasional announcements about updates at: http://www.frontmotion.com/mailinglist.php. I don't see a blog or RSS feed, but we can hope.

Thomas Hawk wrote about a severe problem he had ordering a camera from an abusive online retailer that's really nothing but a major, unethical sales scam operation. The fact that he wrote about it and pointed to a number of other people's experience is great, and it brought to mind a number of other things that people need to know, especially this time of the year.

First of all, there ARE unethical, bad people out there trying to sell YOU their stuff. And there are some that will threaten, extort and otherwise manipulate their "customers." It doesn't just happen to other people - it can and will happen to you, too. Protect yourself and do your homework. While the vast majority of online retailers are good, solid companies, there are the few bad apples, just like in any community, that make it bad for everyone they can take advantage of. 

• If the price is too good to be true, it's probably not true. Seriously. Don't fool yourself.
• Do your homework if it's a company you have never head of or dealt with. You're trying to save money, so spend some time. That means getting information about the company. A good way to do this is to look for bad information online, by using Google or another search engine to search for "The Company Name"+scam (like this and this show some serious info). Look for the NEGATIVE information. Keep in mind that there are times when the bad guys will try to make themselves look good by posting positive information. It happens.
• Don't rely solely on the Better Business Bureau to tell you what you need to know, but do be sure to check information there. The company Thomas wrote about has a record with the New York BBB that's pretty terrible. Also be sure to use epinions.com's "Online Stores and Services" search and read through the whole lot. Again, there are bad guys that will post fake positive comments about themselves - so be a pessimist.
• Always use a reputable credit card, never use a check or debit card. If you ever need to reverse charges, a credit card with purchase and fraud protection is invaluable; You can't reverse cancel payment on a check that's already posted, and you fighting the debit card battle is painful if the money has already been pulled from your account. Credit cards provide lots of real protection, so use them for these purchases. That's why I have credit cards, really, is to protect myself if ever needed for major purchases. That and true emergencies. Other than that I think they are evil, heh.
• Did I mention "If the price is too good to be true, it's probably not true?" Okay, well it's worth repeating.

Finally, based on other people's experiences with the company Thomas had his problem with, I'd suggest you never, ever do business with Price Rite Photo, which also uses a number of other business names. Check the BBB for retailer names and aliases, and alway always always be careful and suspicious of the too-good-to-be-true deals.

It's a question many of us in the security field have been asking for some time. How is a user supposed to know they are on the correct web site when they enter their credentials or make an online purchase? How are they supposed to know when it's not the trusted site they're on?

I was having a side conversation about more ways to solve this problem with some coworkers today (common topic in our line of work), and this evening I ran across some details on the IEBlog discussing how Microsoft is dealing with it in IE7 (found via Mark Harrison). And other browser vendors are playing nicely, too. Ahh, solving problems is such a good thing to see... Nice!

IEBlog: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Here are some visuals that show what the user expeience looks and feels like in the dev versions. Visit the link above to get the complete details.

Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter 

Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter

Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate
(showing the identity of the site from the SSL certificate)

Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate
(alternating in the name of the Certification Authority who identified the site)

Microsoft yesterday announced a zero-day exploit that affects Internet Explorer. The Zero Day Security weblog describes it well:

"A UK group known as 'Computer Terrorism' has released a proof of concept zero day exploit for fully patched Windows systems running Internet Explorer 5.5 & 6.x that takes advantage of a previously known JavaScript vulnerability. Microsoft Security Advisory 911302 covers the essentials. The only Windows systems seeming not affected are Windows Server 2003 and Windows Server 2003 with SP1.

"Of course, to be compromised the user must first browse to a malicious web site. According to Computer Terrorism: Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user.

"Several informative sites include Microsoft, FrSIRT, MITRE, US-CERT, InfoWorld, eWeek and SANS (which suggests disabling Java or using another browser and has a BleedingSnort Rule on their site).

"Get ready for a patch blast from Microsoft on this one."

Microsoft's comments have been updated with the latest information. From their Security Advisory 911302 information page:

"...We have also been made aware of proof of concept code targeting the reported vulnerability but are not aware of any customer impact at this time. We will continue to investigate these public reports.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

"This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests..."

I was on the phone with a professional contact today, a guy who happens to do cybercrime and anti-fraud work in his job as a special agent for the FBI. That's a part of what I do in my day job, by the way - help chase down bad guys on the 'net and interact with law enforcement to shut them down. It's a fairly effective way to keep one foot in the door of my previous career (police work) and at the same time be firmly planted in the computer technology world. I also get to working with some really smart people who build great software that is used to prevent fraudsters from reaching victims.

Anyhow... So I was on the phone with my anti-fraud cohort, and he had that "FBI-agent-having-a-rough-day" sound in his voice. He's one of these guys who's always very positive, but it was clear quite a bit of work had been cut out for him and his coworkers over the past day or two.

It turns out there's a new set of fake emails running around that try to look like they came from the FBI or the CIA, and which have an attachment that is actually a virus.

Now, let's get one thing completely clear: If you ever get an unsolicited email that has a file attached, DO NOT OPEN THE ATTACHMENT. It doesn't matter if it's from the President of the United States or the Creator of of the Universe... Email is inherently insecure, and if it looks out of place, it probably is. You can read the FBI's press release about the situation here, which describes the fake emails in some detail.

This is just another example of social engineering and the fact that given the opportunity, people will fall for almost anything. Oh - and if you don't have antivirus protection at your email service provider, change providers now. Seriously. Get a GMail or Hotmail account or something.

I'll tell ya one thing... Whoever had cohones enough to construct that virus variety to send email pretending to be from the FBI is in for a rude awakening. Seriously, seriously stupid move. Heh.

The Microsoft anti-malware team has posted information about their products' ability to remove the rootkit associated with the Sony DRM mess that everyone and their brother has written about over the past couple weeks. If you don't know whether your Sony CD was one that may have installed this junk on your computer, there's a list of CD titles available here. If your CD is not on the list, it's ok. If it is on the list, Sony BMG will send you a replacement.

If you think you might have a problem (or if you just want to make sure you're cleaned up in general), go to the Windows Live Safety Center, where you can scan your computer for this and other malicious or bad software and clean it right up. Select the "Full Service Scan" followed by the "Quick scan" option. You'll need to install the ActiveX control for the scanner.

And the other two removal tools the team works on are also able to resolve the problem:

"The Windows AntiSpyware Beta will be able to detect and remove this as well with the 11/17/05 signature release. Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December."

If you've not yet used the Windows Live Safety Center, it's a great place to run a scan on any computer for a variety of potential problems, without having to download and install special software programs. The complete scan checks for open ports that might cause problems, viruses, malicious software and more. It can also clean up temp files and defragment your hard drive to improve performance and reliability. This whole services thing is looking pretty promising.

Another of the new Windows Live series of services officially launched the other day - It's Windows Live Custom Domains, and essentially it allows you to use the great Hotmail email services with your personal domain name.

All you have to do is go to http://domains.live.com/, specify your domain name (which you must already have registered), make a change to your DNS settings for the domain (the service will let you know what the settings are - this is the most complicated part of the whole deal), and create email accounts (which become passport logon accounts for the system).

I created a mail service for blogaholic.net (a domain which I have yet to launch, maybe someday) and added an email account, logged in and was sending mail - all in less than 10 minutes. Suhhh-lick!

Serious about Security

The service is really darn cool (seriously, if you're looking for the power and convenience of Hotmail and the uniqueness of your own domain name, it's hot), but the one thing that stood out to me the most was the client security Microsoft has built into the account setup process for this service. Yes, I know - basic security tools, blah blah... But it's become the rule more and more lately, which deserves mention. It's a terrific sign that the company is building better security - and better user tools to enable and teach effective security - into their services.

For example, when I created the greg@blogaholic.net email account, it required me (as the administrator for that email domain) to set a temporary password. In other words, if I create accounts for others (yes, just let me know), I only know the password they'll use to log into the account the first time.

Once I logged in to activate the email account and start using it, I had to provide the temporary password, and it required me to choose a new one and confirm it. But even better than that, as I typed the new password, a color-coded "password strength" bar showed me the complexity strength of my password. It went from Red (weak) to Yellow (so-so) to Green (strong) as I typed. Nice! That's what we need more of - simple, powerful tools to help end users be more secure in real time. Great work, whoever decided to put that in, and to whoever built it. It's quite effective.

[UPDATE: Apparently this is a feature that shipped earlier this year and was included in the LCD package and which was PM'ed by Trevin in Windows Live Identity Services - cool! Looks like I found another blog to subscribe to!]

On the same page, the user has the option to set their password to expire every 72 days. Unfortunately, that box is not checked by default (it really should be), but the fact that it's available is very good. Hopefully they'll change their tun and check that box by default, and let people un-check it of they don't want it. I'm always a proponent of more-secure-by-default.

If you want to find out more, Omar Shahine (Lead Program Manager on the HotMail front-door team) has info here and here, and the Custom Domains team has a blog here.

I've been a T-Mobile Hot Spot subscriber for more than a year now. I have used it all over the country, and it's always there when I need it, whether I am traveling or if I'm just dropping into a Starbucks for coffee on a whim. It lets me leave my desk and still work from time to time - and we all have those times when the value of sitting in a coffee shop where no one can find you in person is seriously valuable.

One thing that's always frustrated me is the fact that I always have to open the web browser and load some random page to authenticate to the HotSpot service. It's a pain, and today (while sitting here logged onto a Starbucks HotSpot in Beaverton, Oregon) I decided to see if there was anything available to automate the process for me.

You can imagine how stupid/ignorant/DOH! I felt when my google search pointed me right back to T-Mobile's web site, where I found a description of their Connection Manager software. After hitting the 'back' button on the browser a few times to return to the page confirming I was signed on, I decided to read that page for the first time and sure enough, right there in the menu bar is a link to "Download Connection Manager." Heh.

Turn off your speakers if you're in the coffee shop before you click on the link, though, or you'll quickly become the target of startled stares from everyone else in the shop when the completely unnecessary Flash movie with LOUD SOUND. Kinda like this (you'll need those speakers back on again, dude).

Download the file, run the installer, and choose from a completely goofy skinned app or a Neapolitan-colored stylized app. I chose the lesser of the two evils.

Then things got interesting. It immediately required me to disable the Wireless Zero Configuration Service in Windows XP, which will no doubt break everything else I had set up for wireless connections prior to installing this thing. It sure as hell better work... Why can't things be simple an non-intrusive?

Now, clearly this software does more than automatically log you onto their regular WiFi HotSpot network. It sees a WPA-protected network, which means encryption and privacy. +1 for that. And the the EDGE/GPRS options obviously refer to using their data cards to connect from the road. Cool to have that in one place. Too bad there's no task bar icon when the app in on the screen.

The interface works well and there's really a whole slew of options. One of the coolest was the fact that when I went to the "Tools>Settings" menu and chose the "VPN" tab, it automatically detected my Cisco Systems VPN client and all of it's profiles and let me choose which to use when clicking the big, fat "VPN" button in the T-Mobile UI. It works great, and I'm connected as I type. Nice feature:

   
   VPN options dialog - click to view full size

Perhaps one of the greatest benefits of using the software is the availability of the secured wireless network. Seems like they could offer this without having to install custom software, but oh well...

  
   Access to a secured network - click to view full size

Here's where the automatic logon happens - they give you the opportunity to provide your T-Mobile account name and password, and you can save it for later use:

  
   Save your credentials to authenticate automatically later - click to view full size

Of course, it failed miserably when I first tried. I had to randomly select a whole slew of messy windows that kept popping up when I was trying to fill in the account dialog. Some of them were especially helpful:

  
   Not sure what they're wanting with this dialog

But eventually (after fighting several windows that continually took focus away from the "enter your authentication info" dialog box) I found success:

  
   Success - click to view full size

Sure enough, wireless zero config is disabled and I am connected using their software. Good enough for now, but that will likely have to change due to the complexity of some of the networks I have to access with this thing. We'll see.

As I was typing this, without warning yet another random box pops up and steals focus. Apparently it was downloading every single T-Mobile HotSpot location in the entire freakin' world. Weeee... Anyhow, it was bit confusing for a second, and all these windows just popping up, downloading stuff without asking and stealing focus are aggravating and just plain bad design. But it does work:

   
   Random pop-ups everywhere - click to view full size

So... Despite the fact that it's custom, proprietary software, there are some cool things in this app. For example, the Available Networks dialog is better than anything built into Windows:

 
   Nice network list visuals - click to view full size

Well, I'll leave it installed for now. Maybe I'll get lucky and the other networks I access will just work. Not counting on it though. Heh.

Somewhere there must be a third-party app that will automagically log me on. Just haven't found one yet. Maybe I'll make one.

I saw this when it was posted on the anti-malware weblog the other day, and I thought, "Sure, makes sense, yep uh huh." But I guess others found it to be big news. The Microsoft anti-malware software (Windows Defender) and the Anti-spyware beta software will be able to detect and remove the Sony DRM rootkit that's been discussed in extreme detail over the last week. the Malicious Software removal tool will eradicate it as well.

I think this is great and all, but in my book it's not actually huge news. Big news would be if they didn't detect and remove it. Glad to see the MS software and team is for real and doesn't worry about business boundaries. Bad is bad is bad, and doing something about it is good. It's what we expect.

Well, it's getting more and more interesting (and official) with each passing day. The anti-spyware team at Microsoft has announced the new name for their anti-spyware application (which really handles more than spyware). It's going to be called Windows Defender, and will ship with Vista. That's good news. Even more good news comes in the later part of the blog announcement, where Jason Garms explains the package will also be available to Windows XP users.

They'll be delivering the malware signature updates over Windows Server Update Service (WSUS), as well. As a result, "Windows Defender" will begin appearing in the WSUS product list and a category called "signatures" will also appear. It sounds like a beta will be released sometime in the future that will take advantage of those update facilities.

Read the announcement here.

The security geek in me is a happy guy today. The Anti-Malware product team at Microsoft has fired up their new blog. They're "the team responsible for building Microsoft's antivirus and anti-spyware technology (along with anti-rootkit, anti-bot, and other stuff)." Malware, for those who are not yet familiar with the term, is short for "Malicious Software."

"We already have two pieces of technology our technology shipping: the Windows Malicious Software Removal Tool, which helps to remove some of the most prevalent malware from a user's machine. We also are shipping a beta of the Windows AntiSpyware technology. We'll talk more about these in future blog posts. We also have a bunch of other cool stuff in the pipelines."

This will be one worth watching, I imagine. The security threat landscape has eroded, changed and reshaped itself significantly in the past year, and things are only getting more and more complicated. So, it's good to see the face of a critical team in Redmond and to have some insight into what they're addressing.

Subscribed.

The future of identity is in flux, and now is the time for those of us working in the field - and for those of you who have an identity (yeah, all of you) - to wake up, stand up and get informed. Seriously. If you wait, you'll be to late. Now is the time to know what the problem is and now is the time to do something about it. I will be writing about the topic more and more here, because it matters to me. A lot. It's a problem. It needs to be fixed, grown up, evolved... the right way. Time to get involved. Time to do it right - meaning "right" by the people.

So - click the link in the below message. Seriously. Do it. As a bonus, not only will you learn about identity and how and why it works (and doesn't), you'll also get to see an excellent presentation by an excellent presenter (Dick Hardt of Sxip » pronounced ( skip ) as in "skip").

Here is the email I sent to my team at work yesterday, after Scott (another uber-presenter) sent me the link:

From: Greg Hughes
Sent: Friday, October 28, 2005 10:48 AM
To: [edited] Security
Subject: Security Stuff - Watch this presentation

Watch this sometime today (or the day you get this email). Seriously. Consider it an assignment. J

As you watch, think about his topic (which is critical) and think about his presentation style.

There will be a pop-quiz.

greg

If you have the MSN Toolbar on IE6, go grab the new beta Phishing Filter (shouldn't that be PHilter?) and install it.

The Phishing Filter Add-in offers access to the beta version of a new dynamic online service, updated several times an hour to warn you and help protect your personal information from these fraudulent websites by:  

• Scanning websites you visit and warning you if they are potentially suspicious.
• Dynamically checking the web sites you visit with up to the hour online information via an online service run by Microsoft and blocking you from sharing personal information if a site is a known phishing website. 

I only get, ohhhhh... maybe 50 phishes a day (seriously), so I checked my email from tonight, chose one of the several PayPal phishes that arrived this evening (most of which still had live web sites associated with them) and found the new add-in for the MSN Search Toolbar did the job quite well. It caught the page and blocked my ability to enter info into the form fields (click the image to view full size):

Correction posted: SANS updated their post to reflect the fact that it was in fact MS05-012 that had been exploited. That's good news, but get patched before it's here...

If you think you can wait to apply patches til it's convenient, think again. According to an update from the Handler's Diary at SANS, the first instances of code exploiting MS05-051 have been detected in the wild on the Internet:

Trend Micro reports that they spotted a POC for MS05-051 in the wild. They found it included  as a new exploit in other malware. We don't have any details yet beyond what can be found in at Trend Micro. If you find a copy of this malware, please forward it.

Trend Micro states that the malware was written in Visual Basic, which usually indicates some low skilled bot-kid. Kind of odd to see it surface this way, but having it included as a new warhead in existing malware matches past patterns.

Trend Micros virus statistics do not report any "captures" of this exploit in the wild. Not exactly sure if this is just a lab sample, or if it was actually seen in the "wild".

We will update this diary as we learn more.

Rich Claussen has the low-down on a new pact between Microsoft and the government of Nigeria to combat fraud:

Not well publicized is how this came to be. Unknown to most, Microsoft's Chief Software Architect, Bill Gates, received the following (condensed) email from the government of Nigeria soliciting his and his company's assistance.

FIRST, I MUST SOLICIT YOUR STRICTEST CONFIDENCE IN THIS TRANSACTION. THIS IS BY VIRTUE OF ITS NATURE AS BEING UTTERLY CONFIDENTIAL AND 'TOP SECRET'. I AM SURE AND HAVE CONFIDENCE OF YOUR ABILITY AND RELIABILITY TO PROSECUTE A TRANSACTION OF THIS GREAT MAGNITUDE INVOLVING A PENDING TRANSACTION REQUIRING MAXIIMUM CONFIDENCE.

Read more on Rich's blog here. Nice sense of humor there, man.

Seriously though - Read the news about the *actual* agreement (for real) between the company and the country here.

Microsoft on Tuesday released nine security patches that are intended to alleviate 14 problems in various versions of the Windows operating system. Today the company issued an advisory to its enterprise customers via email that the MS05-051 patch, which is considered to be the most critical of the bunch, may cause problems on some computers where it is applied. However, Microsoft if still strongly encouraging everyone to apply the patch and has published a knowledge base article describing the issue with the patch and explaining how to resolve the associated problem, should it come up.

•	The Windows Installer service may not start.
•	The Windows Firewall Service may not start.
•	The Network Connections folder is empty.
•	The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.
•	Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an “HTTP 500 – Internal Server Error” error message.
•	The Microsoft COM+ EventSystem service will not start.
•	COM+ applications will not start.
•	The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.
•	Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.

For a complete description and resolution instructions, read KB article 909444.

None last month, but nine security patches were released today for Patch Tuesday - three critical, four important and two moderate severity. So, do your testing where needed and then go get all patched up.

November Security Bulletins:

Critical
MS05-050 - Vulnerability in DirectShow Could Allow Remote Code Execution
MS05-051 - Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution
MS05-052 - Cumulative Security Update for Internet Explorer

Important
MS05-046 - Vulnerability in the Client Services for Netware Could Allow Remote Code Execution
MS05-047 - Vulnerability in Plug and Play Could Allow Remote code Execution and Local Elevation of Privilege
MS05-048 - Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution
MS05-049 - Vulnerabilities in Windows Shell Could Allow Remote Code Execution

Moderate
MS05-044 - Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering
MS05-045 - Vulnerability in Network Connection Manager Could Allow Denial of Service

The beginnings of putting some more bite behind the anti-phishing bark are in play. The Governor of California (you all know who he is) today signed a bill into law that makes phishing - the practice of using fake e-commerce web sites to try to trick people into submitting their personal information - punishable with civil penalties.

"Victims may seek to recover actual damages or $500,000 for each violation, depending upon which is greater. Phishing often involves the use of names of legitimate banks, retailers and financial institutions to convince recipients of bogus e-mail offers to respond."

This is a good thing, in theory. Federal anti-fraud investigations are driven - like it or not - by the dollar amount associated with the loss. If it's not $100,000 you can't expect a lot of federal action, which makes sense when you consider that there are limited resources ad you have to focus on the biggest crimes.

Only thing I want to know is this: How are we going to recover judgments from bad guys in Romania and other foreign countries? Fact of the matter is that most all phishers are not in the United States. That's something to think about.

Earlier today, Alex Scoble wrote about an IM conversation he and I had regarding VPNs and solving the nagging issue of firewall and other network roadblocks that tend to wreak havoc for people who need to connect to a remote private network. If your VPN client forces you to use some random or uncommon port, you're bound to get frustrated when you try to connect from many business networks, not to mention when you try from the hotel on the road. Now, maybe you shouldn't be plugged into that business network, but blocked by the hotel? Come on, give me a break.

There's no one perfect solution to this problem. There are lots of ideas, though. Many companies (most or all of the big players in the space) are coming out with VPN over SSL options, which is great. But what if you have a need to run a VPN software client, and it doesn't (yet) support SSL tunnels?

Here's one way to skin that cat, a la Cisco: Use TCP 443 in the Cisco VPN client to connect via an IP Sec tunnel to your VPN endpoint. Note that you'll need to specify this in the connection settings. Typically the Cisco client uses the UDP protocol to do it's thing (click to enlarge):

But as you can see, you can also set it up to use the TCP protocol and whatever port(s) your VPN concentrator is configured allow. For example, you could choose to use TCP over port 80, or port 443, since both of those are commonly open from any network. Note that port 80 might be proxied in some cases, but that's probably not a problem with 443, so it's a good one to try (click to enlarge):

If you set up a couple or few profiles in your VPN client software sufficient to cover the bases (like, say one using UDP and one or two using common TCP ports), you'll pretty much always be able to connect from the road. Again, there's no guarantees and there's no 100% perfect solution, but this gets you better than 95% of the way there, I am confident. Just make sure your VPN host/endpoint is configured to support the ports and protocols you specify. In the past year or two, I have yet to come across a network while traveling (except for a couple of highly-secure ones at business locations, but hey...) that I could not successfully connect through with at least one of the settings I have available to me.

And while we're on the subject, there are some interesting and promising SSL options out there, with more undoubtedly coming. As far as other brands of VPN software clients, well - I've used most of them and let me tell ya, you're better off going with Cisco and looking at the PIX firewalls and the 3000-series VPN concentrators. Trust me, I've dealt with most of them, and there's a reason Cisco's such a prolific Internet company.

But tell me - what do you use and how have you solved this type of problem?

Microsoft today released SP2 for Office 2003, which can be downloaded via Office Update, or you can grab it here and you can read about it here.

In addition, OneNote 2003 SP2 was also released today - read about it here, and download it here.

One of the notable features in my book is the Phishing protection update for Outlook:

Microsoft Office Outlook® 2003 Phishing Protection and Junk E-mail Filter

SP2 contains a new Phishing Protection feature to be used with the Outlook Junk Email Filter. Phishing is the luring of sensitive information through e-mail, such as passwords and other personal information, by an attacker masquerading as someone trustworthy. Phishing attacks can result in a user divulging sensitive information, including financial information, that can result in a loss of privacy or money. Phishing e-mail is hard to identify, because attackers make their e-mail appear genuine and often mimic recognizable e-mail sent out routinely by legitimate organizations such as banks and credit card companies.

To enable phishing protection, you need both Office 2003 SP2 and the latest Outlook 2003 Junk E-mail Filter Update. Once both are installed, Office 2003 SP2 has phishing protection turned on by default.

For best results, we recommend you regularly download the latest version of the Outlook 2003 Junk E-mail Filter Update. To determine whether you need this update, see the Microsoft Knowledge Base article (872976): How to obtain the latest Outlook 2003 Junk E-mail Filter.

In the course of trying to save some time and make things a little more streamlined at work, I've been looking for Microsoft RSS feeds for security patch releases with sufficient detail in them to be able to do some automation of our internal patch tracking. I am already aware of the RSS feed at TechNet, since I have been subscribed to it since day-one:

http://www.microsoft.com/technet/security/bulletin/secrss.aspx

But unfortunately it munges multiple pieces of discreet information into one data element (specifically the title) and also leaves a bunch of stuff completely out, since it's just a list of summaries, really:

   <item>

  <title>MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)</title>

  <link>http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx</link>

  <description>This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Print Spooler service that could allow remote code execution. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</description>

  <guid isPermaLink="false">http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx</guid>

  <pubDate>Tue, 9 Aug 2005 00:00:00 GMT</pubDate>

</item>

Maybe this is a good example of where RSS extensions could or should come into play, or maybe what I need instead is a more generic (non-RSS for all I care) XML feed that has a schema that supports keeping the patch number, KB article title, bulletin name and long description as separate data points. Plus, where's the rest of the info for each bulletin? I'd also like to see what platforms each bulletin applies to (in a yes-or-no format for each one), the intricate details about the vulnerability, and other stuff like that.

Is there an XML feed that does that already? Maybe there is but I've just not found it. There's the old MSSecure.XML from the HFNetChk command line tool (not updated since 2004 on the MS Downloads site, it appears), but even that's much more verbose than what I need. I've looked around here and here, and I have done some searching, just no luck. I figure they have the data available to build all those services, but I can't find a good detailed source to build my own lists.

I did three minutes worth of Excel work to play with the feed (and I suck at Excel so my formatting in it is poor, but it basically works) and came up with a working spreadsheet from the TechNet feed. I definitely need to be able to do more with it though. You can see my l33t Excel skiilz (um, not) here:

• File Attachment: MSFT_Patches_RSS.zip (8 KB)

What I really want is to be able to automatically pull the details of each released security bulletin into a list or Excel spreadsheet, add my own metadata to each one, and have that list/spreadsheet live over time. I'm trying to avoid a whole lot of cut/paste activity and need to find a way to speed this process up. Before you say I should just use Excel and VBA to parse through the available data, let me ask you - What if Microsoft changes their formatting on their bulletins?

So - my biggest obstacle right now is a data feed. If anyone knows of one, drop me a line and let me know.

My employer, Corillian Corporation, announced the other day that it's achieved certification under the international security standard BS7799, which is also the basis for the about-to-be-released ISO17799 standard. Without disclosing anything confidential here, I wanted to write a few of my own personal thoughts about the process and my experience in it, and what I think it means in the real world.

Those of us that have been involved in making this happen - which in the end really means every single person employed by the company - are excited about the achievement. We didn't just work to certify a portion of the company's operations, we did the full-meal-deal. I know that those of us on the security team all feel a real sense of accomplishment and success, while cautiously recognizing that we now have that much more to continue to live up to, now that we've arrived. After all, resting on one's laurels in the security world is a dangerous place to be, and security is a process, not an event.

What does it mean to be certified under the "7799" standard? Simply put, the certification says that the company has put in place a comprehensive security management system and program, and that it has shown evidence through a set of documentation and on-site examinations that it's meeting the complete set of standards without deficiencies. In other words, it means we've proven under close scrutiny that we have a solid security program that we take very seriously, and that it works.

I can't begin to explain the amount of learning I did in the process of doing my part in the effort to attain certification. I can tell you that I am convinced - well beyond the shadow of a doubt - that a strong security program and management system can and does contribute directly to the delivery of high quality of products and services. It's a lot of work to get to the point where certification is even possible, and many people dedicated incredible effort over the course of a couple of years to reach this point, but the value gained through the process is very high.

Every organization that deals with security issues and responsibilities should go through the process of certification under the standard. It would make for a much better operating environment, and would result in better-run companies. And in this day, age and operating environment, where trust and security are of paramount importance to business success, there's almost no excuse not to do so.

We're not all perfect, bulletproof or even smart. Funny how it works that way. In fact, there's a certain percentage of IT and security pros out there that come up with bone-headed, stupid ideas - and who make decisions based on those ideas.

Marcus Ranum wrote about what he calls "The Six Dumbest Ideas in Computer Security." It's a good read, and I agree with almost everything he says there:

http://www.ranum.com/security/computer_security/editorials/dumb/

In reality, anyone in the IT and security field should have a solid, well-formed opinion that they can back up on everything Marcus mentions in his essay.

(via Bruce Schneier)

One of the things that keeps some companies from patching computers in a timely fashion is the potential for data loss if a computer being patched restarts and data open on the desktop is lost.

Windows Vista promises to fix that problem by "freeze-drying" any work open on the PC at patch time, allowing the user to reconstitute the work when the computer restarts.

Even better, they're making the patching process better, so restarts will be necessary much less often. Many apps can be patched while they're running, and are replaced at next restart. We have some of that now, but will have more of it in the Vista release.

Read more - Tech News at ZDNet

Microsoft promised to back-port some of the technology that's going into IE7, and their anti-phishing filter is now available (see software requirements below).

Microsoft® Phishing Filter Add-in for MSN® Search Toolbar (Beta)

Increase your protection against identity theft and financial scams. The Microsoft Phishing Filter Add-in Beta warns you of Web sites containing suspicious content and protects you from accidentally sharing personal information on reported phishing sites with a dynamically updated online service.*

Requires MSN Search Toolbar with Windows Desktop Search and Microsoft Windows XP SP2, Microsoft Internet Explorer 6 or later

More Information

Tools like these are great, and people should use them, but being realistically cautious and aware is still the most important and final layer of defense.

Cutting through all the hype and hyperbole, Dominic White summarizes Microsoft vulnerability patch MS05-039 and the Zotob virus. Anyone who has to protect from this group of viral variants or who cares about security should take the time to read this summary article:

http://singe.rucus.net/blog/archives/510-MS05-039-and-the-Zotob-summary.html

If you're responsible for (or just into) computer security - at a fairly involved level - check out (IN)SECURE Magazine, a PDF distribution, at http://www.insecuremag.com/.

Issue 3 is out. It's 67 pages. Serious stuff. Lots of great, practical, useful stuff.

Check it out.

In the August issue:

• Security vulnerabilities, exploits and patches
• PDA attacks: palm sized devices - PC sized threats
• Adding service signatures to Nmap
• CSO and CISO - perception vs. reality in the security kingdom
• Unified threat management: IT security's silver bullet?
• The reality of SQL injection
• 12 months of progress for the Microsoft Security Response Centre
• Interview with Michal Zalewski, security researcher
• OpenSSH for Macintosh
• Method for forensic validation of backup tapes

(via Scoble)

Last year, I picked up a couple Wireless PC Lock devices, to see if they'd work in a business environment to control workstation security. What I found was that I'd purchased what seemed to be some cool hardware, packaged with really crappy software. In fact, the software was so bad, it made the hardware pretty much useless. Useless doesn't help in the security world, so I was disappointed overall.

Then about a week later, I discovered that Bryan Batchelder, another security type, had also picked one up, reverse engineered how it works, and written his own software for it. Bryan's software was a vast improvement - measurable in orders of magnitude - over the software that shipped with the hardware.

Then Scott Hanselman, a coworker and friend of mine, found the device and software and decided to contact Bryan and work with him to use take it to the next level, using the new .NET Framework v2.0, to control and take advantage of the hardware.

And today, a new article was published that Scott wrote for hobbiest programmers, as an installment in his excellent "Some Assembly Required" series on Microsoft's MSDN Coding4Fun site. The article is entitled, "Is that you? Writing Better Software for Cool USB Hardware." In this edition, Scott explains how the new software, built from Bryan's base, is made and how it can be extended by anyone who wants to (since it's an open source program published on SourceForge).

I've installed the new software myself (after downloading and installing the .NET v2.0 Beta 2 framework) and have it running, and I can tell you this: The new software really shows how cool the hardware is, as opposed to the original software, which made the hardware look sloppy and bad.

The hardware consists of a USB stick (it looks much like a USB storage device) and a small round button you can hang on your keychain (or wherever). With the new software, a tiny green icon appears in the Windows status notification area (the tray) and flashes to show you it's getting a heartbeat from the key fob button. If you turn the button transmitter off (it lasts for-freakin-ever on one battery, mine's almost a year old and it's still going strong), the software on the compute notices and does whatever it's configured to do. The image below gives you an idea of the things it can do out of the box, and it's plug-in-able, so if you want something else, you can go build it.

• Buy the hardware if you don't have it
• Download the new USB Wireless Security software (source also available at that link)
• Download the .NET Framework v2 (beta 2) for x86

Hmmm, gotta go see if I can learn enough to be able to write a plugin now. 

"...wouldn’t it be wonderful if there was a native Windows version that resided totally on CD and could be used to recover your distressed PC..."

Yes, it would. And as JK points out, there is one available. It's called BartPE (Bart Preinstalled Environment), and it lets you construct an awesomely useful boot CD. There's lots of plugins available, too.

• Screenshots here
• Download and get started here

Okay for personal use, and for business use in your company, but not free to redistribute.

There's been all sorts of rumor and story-making flying around the Intarweb the past few days about a supposed first virus to attack some new part of Windows Vista (which is the next generation of the Windows Operating System - Vista was released recently in a Beta 1 test version to a closed group of testers and MSDN subscribers).

Well, it turns out that's not quite true.

Now, there might be a proof-of-concept script-based "virus" that takes advantage of a new beta shell technology called Monad. But Monad is not part of the Windows Vista beta, it won't be part of the release when Vista is done, and as such the rumors are inaccurate and based in false assumptions, according to the Microsoft Security Response Center weblog (which, by the way, security and IT professionals should subscribe to).

"There’s been some commentary the past couple of days regarding a potential Windows Vista virus and we wanted to weigh in with some details.  First of all, in examining the details of the reports, there is no Windows Vista virus described in them. Instead, the reports are regarding potential proof of concept viruses in the form of malicious scripts that are developed to affect a new interactive shell codenamed Monad, which is currently in early phase of beta testing.

"Now to be clear, these reports pose no risk for Microsoft customers. The viruses do not attempt to exploit a software vulnerability and do not encompass a new method of attack.  Furthermore, Monad is not widely available for general use. It’s a beta, and we do not recommend or support the use of beta software in a production environment. Microsoft continues to analyze the feedback from testers as Monad continues to be developed.

"But most important, Monad is not included in the beta release of Windows Vista or in Windows Server 2003 R2.

"Monad will not be included in the final version of Windows Vista and there is no relation between Monad and Windows Vista Beta 1. Monad is being considered for the Windows Operating System platform for the next three to five years.  So these potential viruses do not affect Windows Vista or any other version of Windows if Monad has not been installed on the system."

Note that Microsoft did not decide to pull Monad from Windows vista in response to this Monad virus scare/story, and they point out that Monad is an early beta technology, not intended to be used in a production environment. Well, yeah... Duh...

It's worth repeating that last point: Beta versions of commercial software are - by their very nature - not fully tested or officially QA'ed, and as such one has to consider beta code to be less secure in general. That should always be considered in deployment.

This is a great example of rumor run rampant, assumption trumping investigation, and the power of hate amongst those who drink of that darker cool-aid, and who wish for nothing less than harm to befall a great-big software company. If you want to believe something bad enough, if you're waiting in the trenches for something to jump on, if you do that often enough and get crazed enough in the process, you're going to lose your perspective. In my previous career, where I sometimes had to deal with those sorts, they call that a cult mentality.

Anyhow - Point is, it wasn't true. And that's something that should be said.

Where I work we run a couple of high-security data centers, and the security policies don't allow outbound network connections to the Internet to be initiated from inside the datacenter. It's a good policy and makes for a much more secure environment. So, when it comes time to activate a copy of Windows Server 2003, I frequently get asked how to do that over the phone.

I could just say "Ask Google," but instead I think I'll just point people here, heheh...

Also -- It's worth noting that Windows should tell you what number to call if you let it. From the Microsoft web page on the topic:

Hopefully you don't need this advice because you've been victimized, but this is something everyone should know.

If you ever become a victim of online fraud or any other form of fraud where you believe or know your personal information has been obtained or used improperly, there are a number of things you need to do. Microsoft's Security at Home team has put together a list of things you should do. They include:

• Close any affected accounts - both verbally on the phone and in documented written form
• Place a fraud alert on your credit reports - will all the credit reporting agencies
• Contact the proper authorities - both federal (FTC) and local (police or sheriff's office)
• Record and save everything - document, document, document

That's all good advice in general. Additional resources and more specific information is available on their web site.

Over on Microsoft's Channel 9, Scoble's posted a new video of Kim Cameron, who has a weblog called the Identity Blog. He discusses identity and trust, and what it will take to build a single-experience trusted system for common identification. It's an interesting conversation. I've read his weblog for a while now, so it's good to see him speak about this.

"Identity is like the Hotel California of Technology - you can come but you can never leave. We have a lot of work to do."

This is a topic that is near and dear to my professional heart. Identity protection and theft is something I deal with every day. It's complicated. It's not easy. It's a goose chase at times. There are almost no standards. But it's of great importance right now. The people I manage and work with are super-talented and are building a couple terrific pieces of security software right now, software intended to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.

Where I work we are charged with protecting the identities and assets of people who are doing critical financial transactions with their banks and credit unions. To us this stuff matters - it matters a lot. And it should matter to anyone that's doing business on the 'net and everyone who writes software used to do business on the 'net.

"It's impossible to be too paranoid about this ... We have to be paranoid."

The video is about 55 minutes, and it's worth the time for people who are concerned (or who should be concerned) about the topic. You'll need to get about two-thirds of the way through it til you get to Cameron's "Laws of Identity," which are akin to pure gold in their simplicity. Go watch.

Last week I went on a mission trip with our church youth group. It was fun (for the short time I was able to be there), and a good experience. One of the youth talked to me for awhile about a book I gave him and the other group members several months ago.

The book is called "Always Use Protection - A Teen's Guide to Safe Computing." It has its own web site, and is a great conversational read for both teens and adults. The author, Dan Appleman, wrote it with the assistance of youth he works with - they were his editors and reviewers, and because of that it is a great book for young and old people alike.

I had given the books to the youth group members during a meeting, and we'd discussed some of the content. Now my young friend has continued reading it (as have several of the others in the group), and as a result he understands his computer much better than most kids his age.

I had used the book to talk to the youth about security and safety in the computer world, and so they could have an excellent reference for them as they grow up to become the next digeratti. I'm a security and IT guy by trade, so it was not too much of a stretch for me to take this on - but the book enhances the experience, and is a permanent fixture for these young people to use and learn from over time.

In fact, when we returned to Portland, the young man's grandmother had her own glowingly positive review when she picked him up. Apparently she's been reading it as well, and found it easy to understand and quite useful.

So Dan, if you happen to see this, know that your book is doing good work with good people. And thanks for that.

Also - Dan was interviewed on Microsoft's Channel 9 a while back in a series of very good segments - so hey kids, check them out:

• http://channel9.msdn.com/ShowPost.aspx?PostID=17363
• http://channel9.msdn.com/ShowPost.aspx?PostID=17366
• http://channel9.msdn.com/ShowPost.aspx?PostID=17493
• http://channel9.msdn.com/ShowPost.aspx?PostID=18081
• http://channel9.msdn.com/ShowPost.aspx?PostID=17926

Microsoft's released a new build of their Microsoft Antispyware beta software. Several improvements are included. The expiration date for the beta software is also extended through the end of the year. Download here.

From the MS web site description:

In this second beta refresh (Build 1.0.614), we’ve made other enhancements to the detection and removal capabilities, including improved Winsock LSP removal capabilities and support for long descriptions of categorized software. In addition, we have also extended the Windows AntiSpyware beta expiration date to December 31, 2005.

Existing users of the beta (Builds 1.0.501 and 1.0.509) will receive a software update that extends the expiration date and includes the enhancements to the detection and removal capabilities. The second beta refresh is also available for download through this site.

More and more as time goes on I am asked about how to securely configure and use computing systems, whether they be Internet sites, online financial services, wireless networks, home and business computers, physical homes and businesses, or what have you. Since my role in that area has not changed too much, I have to assume the uptick in questions comes as a result of a desire by people to get more secure, which is a good thing.

Someone named Jim wrote me the other day and asked about my philosophy on passwords. I get this specific question often enough, I thought I would write about it here:

Hi Greg,
I posted a question on the PCWorld forum and your name came up regarding my question.  My issue was regarding passwords.  I am a Realtor and our main access to the MLS is starting to require password changes monthly.  This is not that difficult but along with all the other passwords I have to use each day it is getting to be a bit of a headache and I think it's time that I get my act together once and for all and get passwords under control.  I asked for opinions on software and also philosophy.  I'd like to hear your opinion.  Thanks and I'm looking forward to reading your response.

Preamble

My name is Greg, and I am an IT and security professional. It's been more than six months since I last created a traditional password. They say it's a disease, and so I am here to share my experience, strength and hope so that you, too might recover from the ravages of insecure computing and inadequate safeguarding of information.

Or something like that. Ok, now let's get serious. I'll share what I do as well as one computer program that I have found can help.

Philosophy

My password philosophy varies based on the system in question, to be perfectly honest. I use passphrases as much as possible, meaning passwords in the form of natural sentences or phrases including things like spaces, normal capitalization and punctuation. That makes them easy to remember, yet tends to keep them complex enough to meet stringent security requirements.

As a general rule, passwords or passphrases should be at least 8 characters in length, preferably longer (I tend to go with 13 or more characters, and you're going to see how easy that can be in a minute). They should also always include at least three of the following four characteristics:

• Upper-case alpha characters (A-Z)
• Lower-case alpha characters (a-z)
• Numeric characters (0-9)
• Punctuation or other special characters (!@#$%&(*?>< etc.)

In addition, the rotation period for expiring passwords in a secure environment should be no less than every 60 days, and preferably less. Using too frequent of a rotation tends to result in self-defeating problems with the whole process: People who have to change their passwords every 15 or 30 days, for example, have a tendency to write them down and stick them in their wallets, or to use less-than-secure passwords. That's bad.

Another common problem is passwords expiring at inopportune times. I expire passwords in intervals of 7 days. Why? Simple - If you set passwords to expire say every 42 days, someone whose password expires on a Monday will always expire on a Monday, which avoids the problems of expirations falling on weekends or other difficulty days.

I think you'll find that most experts will agree with the above recommendations.

Maintaining passwords and passphrases securely - helpful software

Switching gears to management and storage of multiple passwords for various systems, one simple rule that should be obvious is often set aside, but should always be followed: Do not use the same password in multiple places or systems unless the system is built to support doing so for you. Great, you think... How am I supposed to manage that many passwords, especially if I am always moving around and use more than one computer, or if I use a laptop? Well there are several tools and methodologies that can help.

RoboForm is a software passkey management program that's grown up quite a bit over the past few years. It not only secures and stores passwords, it even fills out logon forms for you. Last year they created and started testing a version that installs on a USB key called RoboForm Portable, or Pass2Go. It's surprisingly not well-known, but it works pretty well. Your passwords are secured on a USB key with Triple-DES encryption. So for most all purposes (maybe not national security secrets, but hey you know what I mean) it's quite secure, and you can install it right on the USB key/drive and run it from there (you can even put the portable version of Firefox on there if you want and tie them together). Using the USB drive to run the RoboForm Portable program means nothing has to be installed on the client computer. If you lose it, it's encrypted and locked with your master password. Note, too, that there are RoboForm add-on's not just for USB keys, but also for Palm and Windows Mobile devices. So you get to choose, and all of the beat the proverbial Post-It note for security and convenience.

But none of that matters if you can't solve the real problem

But the real problem with passwords is that people forget them all the time, so they do things like use the same password everywhere, or they write them down somewhere and don't secure them, not to mention the fact they can't remember them. You end up with either an insecure system or a help desk that's dying just trying to unlock accounts and administratively change passwords. That's no good.

The fact of the matter is that the simplest way to remember passwords is to use ones that you can naturally relate to. Just as important, they need to be complex and secret enough to be sufficiently secure. This can be done. For example, I have a cat named Cleo. So, I might think about using passwords and passphrases like:

Cle0IsMyKat!
Cleo is my Cat!
cleoizmykittykat
Cleo get off the freaking furniture darnit!

You get the idea. Now, since these passwords and passphrases are often set to expire frequently and I don't want to forget them, I always try to think seasonally - incorporating things that are happening in my life at the time. When creating a new passphrase, I don't ask myself "What can I type that I will remember in ten minutes?" Instead, I think "What's happening in my life between now and the end of next month?" For example, if I had to create or change a passphrase or password right now, I might do something like:

Fireworks on July 4th are so cool...
Woah dude like check out the freakin fireworks dude!
FireworksOnJuly4thAreSoCool...
Woahdudethosefirew0rkzaresokool*
Pow bang boom! Oh wow did you see that?

Of course, I won't actually use anything like those, now that I have posted them here (hey trust me - people have done much stupider things). But by making a passphrase meaningful during it's lifetime, I can remember it quite easily (Well, usually anyhow - it can take a little getting used to). By the time the next password-change rotation comes around, I'll just think of something else I can remind myself of for the next 30 or 45 days.

You're probably starting to get the idea of how passphrases work from the examples, and it's also probably becoming clear that I am a proponent of them. They're easy to remember and - this is important - easier to type than munged up words where you replace letters with numbers and convert everything to hacker-speak. They are also quite long and more complex. And more complex means more difficult to guess or randomly replicate, which means more secure. And on top of that, you can actually remember and accurately type it. Not a bad deal, really.

There's no perect answer - some unthinking person with no concern for security will throw in a wrench

Note that not all systems where you can create passwords will let you use spaces in the password field, and some will even limit how many characters you can use.** So, sometimes you have to adjust the way you create your passwords and passphrases to work within arbitrary limits set by arbitrary (non-security-oriented) decision makers.

** Note to security departments everywhere: Get more involved in the app and interface design phases. Just because a DBA somewhere says my online banking password needs to be truncated at 8 characters to save disk drive space doesn't mean they're right. Security reviews need to happen at design time, and then as a part of every step along the way.

By the way, to go off on a bit of a tangent - Jim's original question illustrates exactly why a well-secured and well-designed unified authentication systems can be so valuable, where it makes sense. For consumers, that means something akin to Passport or one of the unified authentication systems out there. In a business computing environment it more often means using something like a Windows domain or Novell directory to have a single set of credentials that you can protect, but which will allow you to access multiple systems. To provide additional security, you don't necessarily want to break an authentication system up and require multiple passwords, because then you're defeating the whole purpose of the unified system. Instead, you might start adding additional factors of authentication to those specific systems where you need extra authentication or authorization protection (RSA SecureID is one great example of how to add another strong factor of strong authentication in an environment where security is very closely managed).

But Dr. Johansson's the one who's really got it covered...

For more information in the philosophy department, I'd point you at Jesper M. Johansson's work on passwords vs. passphrases:

The Great Debate: Pass Phrases vs. Passwords

• Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
• Part Two - discusses the relative strength of each type of password, and use some mathematical approaches for illustration
• Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy

I've rambled a bit, but I hope that helps. I have a lot more to write on the subject of authentication security, but that will have to wait for another time.

There is an interesting post describing the exploit of a weakness in MD5 via collisions, with a reproducible real-world example. The authors computationally found the collisions and were able to reliably and predictably produce two completely different postscript documents with the identical MD5 checksum. Their use-case story revolves around maliciously capturing a digital signature and using it for something other than it was intended. In the story, the MD5 checksum is relied upon to validate the authenticity of a document. The researchers wanted to show how this flaw could possibly be used in the real world.

"Recently, the world of cryptographic hash functions has turned into a mess. A lot of researchers announced algorithms ("attacks") to find collisions for common hash functions such as MD5 and SHA-1 (see [B+, WFLY, WY, WYY-a, WYY-b]). For cryptographers, these results are exciting - but many so-called "practitioners" turned them down as "practically irrelevant". The point is that while it is possible to find colliding messages M and M', these messages appear to be more or less random - or rather, contain a random string of some fixed length (e.g., 1024 bit in the case of MD5). If you cannot exercise control over colliding messages, these collisions are theoretically interesting but harmless, right? In the past few weeks, we have met quite a few people who thought so.

"With this page, we want to demonstrate how badly wrong this kind of reasoning is! We hope to provide convincing evidence even for people without much technical or cryptographical background."

Once again, security by obscurity defeated. Interesting read and might make you think. If anyone has comments on their test or process. I'd be interested to hear.

Microsoft has released their Windows Server Update Services (WSUS) product, which is a replacement for Software Update Services (SUS). The server solution acts as an in-house patch management and deployment solution for your networked Windows machines and core applications.

What's New in Windows Server Update Services:

• More updates for Microsoft products, in more categories (Windows XP Professional, Windows 2000, Windows Server 2003, Microsoft Office XP, Office 2003, Microsoft SQL Server 2000, Microsoft SQL Server 2000 Desktop Engine [MSDE] 2000, and Microsoft Exchange Server 2003, with additional product support over time) 
• Ability to automatically download updates from Microsoft Update by product and type
• More language support for customers worldwide
• Maximized bandwidth efficiency through Background Intelligent Transfer Service (BITS) 2.0 (BITS 2.0 is not installed by Update Services and is available on Microsoft Update)
• Ability to target updates to specific computers and computer groups
• Ability to verify that updates are suitable for each computer before installation—a feature that runs automatically for critical and security updates
• Flexible deployment options
• Reporting capabilities
• Flexible database options
• Data migration and import/export capabilities
• Extensibility through the application programming interface (API)

This new release is ten-fold better than the old SUS product, and if you are responsible for deployingpatches reliably and verifably across your company, this is something you must at least try. It will save time, improve your comtrols, and generally help you sleep at night.

Oh - and it's free to download. Just install it on a Windows 2000 SP4 or Windows 2003 server - your existing CALs cover it.

• Info here
• Download here
• FAQ here
• Full product overview here

eWeek says Microsoft will release a security roll-up for Windows 2000 this week. The roll-up package replaces Windows 2000 SP5, which was recently scrapped. You'll need to have SP4 already installed to apply the rollup. It will be available via Windows Update, SUS, et al.

It's scary how time flies...Windows 2000 is five years old now - wow... Speakimng of which, mainstram support for Windows 2000 ends on June 30th, when the OS goes in to "extended support" mode (which means you pay for support pretty much no matter what).

Information from Microsoft's web site to answer questions people have asked in email and elsewhere:

Windows 2000 Server and Windows 2000 Advanced Server support dates:

• Mainstream Support ends June 30, 2005
• Extended Support ends June 30, 2010

Mainstream support includes:

• Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims)
• Security update support
• The ability to request non-security hotfixes

Extended support includes:

• Paid support
• Security update support at no additional cost
• Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased. Per-fix fees also apply.
• Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
• Extended support is not available for Consumer, Hardware, Multimedia, and Business Solutions.

Complete Windows lifecycle dates are listed here. Other products also listed here.

Not running on Windows Server 2003 yet? Make the move now and you'll be glad you did - if you haven't tried it, you seriously don't know what you're missing. Not to mention the fact that most every substantial future network security enhancement from Microsoft will rely on the back-end of Windows Server 2003.

And for those still on NT4 - Your version expired long ago, and it's replacement is entering the old folks' home. Time to get with the program and secure your little world.

From Longhornblogs.com, some of the first information about IIS7, which is reportedly code-complete and is now being integrated into Longhorn:

"IIS7 represents the unification of ASP.NET and IIS. Let me clarify what that means. Right now, ASP.NET is implemented as an ISAPI extension for IIS. That will still be true in ASP.NET 2.0. In IIS7, that changes. Instead, the concepts of HTTP pipelines, handlers, modules, XML config files, etc... are all natively built into the platform.

"Along with that, the IIS7 team has completely refactored the whole platform, so now practically every feature in the pipeline has been broken out into a separate module. From a security standpoint, this is a whole new realm for IIS..."

Read more here. Glad to see they'll be releasing it on the Pro and Server OS'es. Cool stuff.

In an interesting and (at the same time, but for different reasons) rather scary turn of events, a company's computer data has apparently been locked up, by means of encryption, by an evil-doer and held ransom.

For - get this one - $200.

Tell me that is not the perfect Austin Powers moment. I can hear Dr. Evil now, from his Evil Hacker Base:

Twooooooo Hunnnnnnndred Dolllllllarrrzzzzz! Muuuhahahahahahhhh!!!

Unfortunately, it's worrisome in that through some lack of security protection or another, some bad guy was able to get malicious code into a company that located business files and packaged them up in a nice, neat encrypted (and therefore completely unaccessible without the key) form. They didn't even (necessarily) take the files off the network - they just locked them up and left them there. Maybe. Who knows.

Link to the story: http://it.slashdot.org/article.pl?sid=05/05/24/1321200&from=rss

Security researchers at the San Diego-based Websense uncovered the unusual extortion plot when a corporate customer they would not identify fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets.

A ransom note left behind included an e-mail address, and the attacker using the address later demanded $200 for the digital keys to unlock the files.

"This is equivalent to someone coming into your home, putting your valuables in a safe and not telling you the combination," said Oliver Friedrichs, a security manager for Symantec Corporation.

The FBI said the scheme, which appears isolated, was unlike other Internet extortion crimes.

Leading security and anti-virus firms this week were updating protective software for companies and consumers to guard against this type of attack, which experts dubbed "ransom-ware."

I'm a dual-browser kind of guy. Honestly, I use Internet Explorer most of the time, and Firefox is in my backup slot. Recently security concerns have been pretty evenly divided between the two, and I am not married to one browser or another - I just use what works best for me at the time.

The one thing that tends to keep IT administrators from deploying Firefox across their companies in many cases is the complete lack of a process and ability to patch and update the software.

Well, IT admins, worry no more. Someone's been thinking about how to help.

FrontMotion has created a MSI installer for Firefox 1.0.4 that can be deployed via Active Directory - just like any MSI installer - and a set of accompanying ADM files that you can deploy as extensions to your group policy, in order to be able to exercise the level of control necessary in a corporate environment. You can download them here.

FrontMotion's Firefox Community Edition is Firefox with the ability to lockdown settings through Active Directory.  Similar to lockdown with mozilla.cfg on one computer, you can now use our Community Edition to set settings across your organization by loading Administrative Templates. Both the firefox.adm and mozilla.adm file can be loaded at the same time.

For those who want or need to do an Active Directory deployment:

• Download the MSI installer and save it to a network location accessible by client computers (e.g. a network share on a domain controller).
• Create or edit a Group Policy Object (GPO). Right click on an Organizational Unit (OU) or your top level domain, then Properties.  In the Group Policy tab, click New to create a new Group Policy or Edit. (Note: If you have an existing deployment of Firefox MSI, you should Edit an existing GPO)
• Edit the GPO and navigate to Computer Configuration -> Software Settings -> Software Installation
• Add the new package, specify the location of the Firefox MSI on a network share. (e.g. \\server\appinstalls\firefox\firefox-x.x.x.x.msi)
• If you are doing an upgrade, be sure to specify the older packages in the Upgrades tab in the new package's properties.

I heard a little about this upcoming Microsoft program earlier today (well, yesterday actually) so it's cool they just kicked out a press release: Microsoft just announced OneCare, a service offering that's geared toward the consumer PC market of unmanaged desktops. It will be available for beta testing by the public sometime in the future (see below).

A natural extension of the Windows Update and MBSA concepts, which can patch computers without user intervention and tell you where you stand from a security standpoint, OneCare will take that type of service to a new level. They'll be adding things like PC health management (performance maintenance) and data protection, as well as integrated spyware and bidirectional (yay!) firewall capabilities.

Features of OneCare will include:

• Defense against evolving threats: Windows OneCare will provide automatically updated anti-virus, anti-spyware and two-way firewall protection.
• Performance and reliability tools: PC owners will be able to choose to have Windows OneCare automatically carry out periodic maintenance tasks such as disk cleanup, hard-drive defragmentation and file repair. The service also will offer boot-time information and proactive support tools to help improve the customer experience.
• Backup and restore capabilities: Windows OneCare will enable automated backup of files by category on CD and DVD, along with the option to back up all files on the system or only those that have changed since the last time the action was performed. If files are accidentally deleted or corrupted on the PC hard drive, the service is designed to restore saved versions or map them on a new PC.
• Simple, integrated service experience: PC users will have one simple point of reference for checking the overall health of their system. Windows OneCare will automatically notify users of available updates or other recommended actions and enable users to easily act as needed. Otherwise, the service stays quiet and in the background.

Microsoft employees are having a shot at it this week for a dogfooding phase of testing, and the public will be able to use it during a beta phase later this year. If you want to nominate yourself to participate in the Public Beta, go to http://beta.microsoft.com and use "OneCare" as the guest ID there.

Kudos to Microsoft for an initiative-taking program that brings better managed services to unmangaed PCs.

From now til June 8th, you can do your best to hack an IIS 6.0 server, and if you're successful, you'll win an Xbox. WindowsIT Pro has issues their Hack IIS 6.0 Challenge.

If you think you've got what it takes, head on over and hack away!

• May 2 - Challenge begins with very basic static HTML web site to focus hackers on hacking IIS code
• May 16 - ASP.NET web site put up to give more potential hacking angles
• June 8 - Contest ends
• June 9 - Winner (or lack of winner) announced at TechEd in Orlando.

All the details are here, and the rules are here.

Microsoft has a couple of online webcast workshops on secure coding coming up:

• Writing Secure Code (Part 1 of 3): Threat Defense - May 6 at 9:00 A.M. PDT
• Writing Secure Code (Part 2 of 3): Threat Defense - May 13 at 9:00 A.M. PDT
• Writing Secure Code (Part 3 of 3): Threat Defense - May 20 at 9:00 A.M. PDT

Sounds interesting. Secure coding is critical - much more so now than ever. Every developer of any web app should be required to become and stay proficient in secure coding.

Microsoft on Friday released Live Communication Server 2005 Service Pack One (SP1), which is a free update that incorporates some important new and enhanced features as well as security changes:

• Enhanced federation - connect to LCS servers at other companies and enterprises and share presence information securely via the Internet
• Support for the upcoming Microsoft Office Communicator IM client -currently in closed beta, but it requires LCS SP1 to operate (more info here)
• Public IM Connectivity (a.k.a. "PIC") - offers corporate users a way to connect with trusted customers and partners who may be using the most popular IM clients—MSN Messenger, AOL Instant Messenger, or Yahoo! Messenger.
• URL blocking and spim filters to help stop the spread of IM worms

Download links:

• Download LCS 2005 SP1 Upgrade files here (reads the release notes and instructions to see if this applies to you)
• Download a 120-day trial version of LCS2005 with SP1 here (keep an eye on the calendar if you try thin in your business, it really will stop working at 120 days, without warning you!)

More information:

• Live Communication Server home page
• Microsoft Office Communicator 2005 Overview
• Live Communications Server Deployment Center
• Public IM Connectivity (PIC) Datasheet
• Public IM Connectivity Provisioning Page (only for use when licenses are in place and you're ready to activate PIC)
• KB 897567: Known issues that occur with public instant messaging after you install Office Live Communications Server Service Pack 1 (lots of useful info about inter-service client behavior and firewall/IP info

There's slashdot conversation taking place about using and enforcing cryptographically strong passwords (it's all about passphrases, people, passphrases - read my experiences here). In that thread, someone linked to an old and quite perfect social engineering example that I had not seen in a while. In my field I see and hear some of the funniest (or rather scariest) stories about situations like this.

From an IRC chatroom:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

Pretty darn funny - unless it's you.

Of course, much of the /. conversation has evolved into the requisite noise and talk about how the original question is a moot point because passwords are dead, etc etc etc blah blah blah shashdotadnauseum...

And, since we need something useful to go with the something-funny/scary, here's some information worth reading about how to make it possible for users to remember and use cryptographically strong authentication without having to resort to post-it's and .txt files on the computer:

The Great Debate: Pass Phrases vs. Passwords

• Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
• Part Two - discusses the relative strength of each type of password, and use some mathematical approaches for illustration
• Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy

I was making an online payment on my Discover Card account today when I noticed they are offering a computer program called Discover Deskshop that not only fills out web forms for you when you are making online purchases, it also has an option to use a unique one-time card number instead of your actual Discover Card account number. That means if you use their application, you never have to send your real card account information to online vendors. Instead you send a pretend card number assigned at the time of purchase by Discover, and that information can only be used for that one purchase.

I buy things online frequently. I'm a computer security guy by trade, so I am extra careful about how I do Internet purchases. I have one thing to say about Discover's Deskshop software:

THAT IS SO COOL.

There's also a web-based version that one can use from any web browser. It won't fill out purchase forms for you automatically, but does allow you to use one-time card numbers for purchases you make.

I installed it and used it for the first time today as I purchased a copy of HotRecorder (software that lets you record Skype conversations without the typical hassle). It worked great, but did not set the expiration date for me - I had to do that myself. Every other field it nailed right on.

I like this - it's a real step up in security, with the one-time card number and associated info. Discover's auto-complete software and one-time card number feature will mean I will be using that card more frequently for purchases, which mean it's good news for Discover and for the customer. Good deal.

I've scribbled out a few things in the image at right to protect myself, but you can get an idea of what the program looks like and how it works. It's all automagical. I have to log onto my Discover Online account in the program interface before I can use the program to make purchases (so moms and dads can rest assured Junior won't be able to make any sneaky purchases).

All I did was tell the program to fill out the form and it did the rest. I set the expiration date and executed the purchase.

Nice. No more taking the card out of my wallet and squinting my getting-older eyes to read the account info and type it in. No more fat-finger mistakes. And better security on top of it all.

Thanks, Discover - you just made me a much happier customer.

• The Discover DeskShop FAQ is here
• The Deskshop demos are here

There's another new version of the Firefox web browser out. You know, it's a good browser, but the number one problem I have with Firefox is a lack of automated, verifiable security patching... Plus apparently you have to download a whole new version to update it, and the release notes known issues section says not to install it over an older version:

"Prior to installing Firefox 1.0.3, please ensure that the directory you've chosen to install into is clean and doesn't contain any previous Firefox installations."

Anyhow... The following security issues are fixed in v1.0.3, so if you are using Firefox, go get it now:

Severity key: critical, high, moderate, low

MFSA 2005-33 Javascript "lambda" replace exposes memory contents
MFSA 2005-34 javascript: PLUGINSPAGE code execution
MFSA 2005-35 Showing blocked javascript: popup uses wrong privilege context
MFSA 2005-36 Cross-site scripting through global scope pollution
MFSA 2005-37 Code execution through javascript: favicons
MFSA 2005-38 Search plugin cross-site scripting
MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II
MFSA 2005-40 Missing Install object instance checks
MFSA 2005-41 Privilege escalation via DOM property overrides

Microsoft Security Update instant message alerts notify you when time sensitive information about Microsoft products has been posted on the Security Web site. You can choose to receive these alerts through MSN Messenger or Windows Messenger, your e-mail, or a mobile device like your cell phone or PDA. Register at the Microsoft Security Alerts Web page.

Information on Microsoft Security Update Instant Message Alerts as well as RSS Feeds for Security Bulletins, the Microsoft Security Notification Service, and the Microsoft Security Notification Service Comprehensive Edition can be found at this location:

http://www.microsoft.com/technet/security/bulletin/notify.mspx

SIDEBAR: Oh, and it looks like they are using LiveMessage, which is what powers my .NET IM alerts for this weblog:

• Check out LiveMessage from MessageCast
•  Get alerts for this weblog

Microsoft's posted a quick online quiz that checks everyday people's spyware knowledge:

"Do you know what spyware is, how to help protect yourself against it, and what you should do if it’s on your computer? Take this quiz to test your knowledge."

After you take the first quiz (which is, admittedly, pretty darn basic), you can move on to the "advanced" quiz. How did you do? I scored 100%, but this is what I do every day.

Other useful information and education about spyware from Microsoft:

• Video: Protecting your computer from spyware
• Try Microsoft Windows AntiSpyware (Beta)
• Signs of a spyware infection
• How to get rid of spyware and other unwanted software

Windows Server 2003 SP1 was finalized and released to the world today at 5:20 PM Pacific Standard Time, in English and German language versions. Let the compatibility testing begin!

• Review overview information
• Get detailed technical information
• Download Windows Server SP1
• Windows Server 2003 SP1 FAQ
• Top 10 Reasons to Install Windows Server 2003 SP1

In addition, Windows Server 2003 x64 Editions and Windows XP Professional x64 Edition were released to manufacturing (RTM), but they won't be available until sometime in April.

F-Secure has a real knack for creative sarcasm on it's security weblog, and today is no exception in their headline linking to an interesting report. Apparently, a study has been published showing the relative number of vulnerabilities, comparing Windows 2003 Server to a Linux distribution in several configurations.

Update: In a won't-really-build-confidence-with-the-common-folk move, apparently the researchers did not reveal at the RSA conference that this study was funded (but according to the researchers, not influenced by) Microsoft. They reveal this fact in the published study itself, but did not tell the audience at the conference when they presented the results. Read more here.

Get the PDF file of the study here. For a document describing the methodology in detail and for more information (including an email address to provide comments), go here.

F-Secure used the headline, "It's Official - Linux Sucks?" No doubt others will comment that the reality of the situation is that Windows is better for stupid people (meaning people who don't harden their machines). Flames will go forth, but you can't deny the report.

The end result of the study is that Windows Server 2003 was more secure than the Linux distributions tested.

Uh, heh... That should make a few people stand up and scream.

Using out-of-the-box, standard/recommended OS installs, the researchers found that the Windows 2003 server was more secure, with less vulnerabilities counted and a lower average for days of risk, when compared to the Linux distributions tested (Red Hat Enterprise Linux in default and "minimal" recommended configurations):

"In this report, we have studied both quantitative and qualitative data that affects the vulnerability and thus operational security risk of different web server platforms. In order to produce a meaningful comparison of platforms, systems were tested in their default configurations and then looked at in minimal server role configurations. When the default configuration did not provide for a functional web server, systems were configured according to manufacturer’s directions."

For a quick Readers' Digest style overview of the result of the study, get the free PDF of the report and flip down to page 35 and look at the charts on that page. I won't post all the images and tables here, that's what the report is for.

In reality, this is a complex study that is worth reading. The methodologies applied appear to be good ones, and the results are pretty compelling. The real world is never as simple as s lab environment, but if nothing else, this certainly shows how far Windows Server has come over the years (or else it shows how poor Linux distributions have become, or maybe some of both).

Another update to the Firefox web browser has just been released, and all users are advised to download and install the new version, as it contains a critical security patch.

The new version includes a number of fixes:

MFSA 2005-32 Drag and drop loading of privileged XUL
MFSA 2005-31 Arbitrary code execution from Firefox sidebar panel
MFSA 2005-30 GIF heap overflow parsing Netscape extension 2

Download here: http://getfirefox.com/

Microsoft has published their Security Development Lifecycle whitepaper, where they describe the process that Microsoft has adopted for the development of software that needs to withstand malicious attack.

It's a good read for people responsible for writing software, as well as those responsible for ensuring software development processes properly addresses security as a requirement.

The basic principles of the Security Development Lifecycle are described in the paper:

• Secure by Design: the software should be architected, designed, and implemented so as to protect itself and the information it processes, and to resist attacks.
• Secure by Default: in the real world, software will not achieve perfect security, so designers should assume that security flaws would be present. To minimize the harm that occurs when attackers target these remaining flaws, software's default state should promote security. For example, software should run with the least necessary privilege, and services and features that are not widely needed should be disabled by default or accessible only to a small population of users.
• Secure in Deployment: Tools and guidance should accompany software to help end users and/or administrators use it securely. Additionally, updates should be easy to deploy.
• Communications: software developers should be prepared for the discovery of product vulnerabilities and should communicate openly and responsibly with end users and/or administrators to help them take protective action (such as patching or deploying workarounds).

Also discussed are the phases of the lifecycle in application, and Microsoft's experience in putting the DSL into use at that company, as well as the results of the initiative. If the small amount of information quoted above is of interest, take the time to read the paper.

Dana Epp comments and has insights into the changes that have happened at Microsoft over the past few years. It is pretty darned amazing to have watched (and participated in, as part of my roles as partner and customer) the changes Microsoft has made with regard to security. I can say from my own experience that security is at the front of MSFT developers' minds every day, and while it's not perfect (and never will be, regardless of the software or authors), it definitely shows.

(via Dana Epp's weblog)

There's a excerpt from a yet-to-be released book by Jesper Johansson and Steve Riley available to read online. The article, entitled "Security Myths," it takes a look at some of the security shortcomings typical to use of security guides and reliance upon following a predefined set of steps without looking at the whole picture. It's a great lesson in how to look at things, rather than how to follow prescriptive

Warning
This section is somewhat (OK, very) cynical. Take it with a grain of salt and laugh at some of the examples we give. Do not lose sight, however, of the message we are trying to get across: These are myths. If you are careful to avoid falling into the trap of believing them, you will be able to focus your efforts on the things that make a real difference instead of being lured like so many others into staring at a single tree and failing to see the security forest.

So what are the myths? Well, for the details go read the article, but at a high level...

• Myth 1: Security Guides Make Your System Secure
• Myth 2: If We Hide It the Bad Guys Won’t Find It
• Myth 3: The More Tweaks the Better
• Myth 4: Tweaks Are Necessary

Wow... This is great information: Microsoft recently published a couple series of helpful information for small- and medium-sized IT shops. It's a useful way for IT pro's in businesses with less than 50 employees (small-sized) or around 50-250 employees (medium-sized) to get a strong start of planning and designing IT projects that are secure and reliable, and that meet business needs. Small-solution details can be found at the link above.

For those responsible for all or part of a medium-sized business IT environment, Microsoft offers a whole slew of valuable information. The entire solution package can be downloaded here (with the exception of the beta papers, referenced below - you'll need to download those separately).

• Introduction to the Medium IT Solution Series
• Medium Business Solution for Core Infrastructure
• Medium Business Solution for Management and Security using Active Directory Group Policy (beta)
• Medium Business Solution for Messaging Services
• Medium Business Solution for Collaboration Services
• Medium Business Solution for Print Services
• Medium Business Solution for Remote Connectivity
• Medium Business Solution for Patch Management
• Medium Business Solution for Client Configuration
• Medium Business Guide for Antivirus
• Medium Business Guide for Backup and Recovery
• Medium Business Guide for Pilot Deployment and Migration (beta)

IT infrastructure is more and more complicated as time goes on - for Microsoft "shops," this information series can save time and help make sure your work is solid. There's information in these articles that I sound useful, and I've been pretty heavily involved in what's covered for several years now.

Recommended.

Microsoft has released a new prescriptive paper describing in step-by-step fashion how to deploy a secure wireless LAN using Protected Extensible Authentication Protocol (PEAP) and passwords:

The Securing Wireless LANs with PEAP and Passwords solution guide is designed to help small- and medium-sized organizations protect their wireless local access network (LANs). This prescriptive guidance will assist you in planning, deploying, testing, and managing a wireless LAN security infrastructure using Microsoft Windows XP, Windows Server 2003, and Pocket PC 2003. The guide is a companion to the earlier solution guide Securing Wireless LANs – a Certificate Services Solution. However, this updated guide uses passwords to authenticate users and computers to the LAN instead of digital certificates.

The solution uses industry standards such as 802.1X to ensure broad interoperability. Windows XP Wireless Auto Configuration and the Microsoft Active Directory directory service help to minimize the complexity of installing and managing the solution—many of the more complex operations are automated in scripts that are provided with the guide. You can also install the solution entirely on existing servers in your environment to keep costs low.

Also useful in the context of these articles:

• Planning a Secure Wireless LAN using Windows Server 2003 Certificate Services: Designing Your PKI
• Securing Wireless LANs - A Windows Server 2003 Certificate Services Solution
• Windows Server 2003 W-Fi resources from microsoft.com
• Windows XP Resource Kit - Wireless networking for IT professionals
• Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows
• Newsgroup: microsoft.public.windows.networking.wireless

Microsoft has posted "What to do if you've responded to a phishing scam," a set of four steps (with some details about each) you should take if you think you may have mistakenly provided personal financial or identification information in response to a fraudulent email. They've also updated and posted a set of related articles dealing with phishing and email fraud (listed and linked below).

The steps they list in the article are:

• Step 1: Report the incident
• Step 2: Change the passwords on all your accounts
• Step 3: Routinely review your credit card and bank statements
• Step 4: Use up-to-date antivirus and anti-spyware software

And they have posted more articles with information about phishing and email fraud:

• What is a phishing scam? (updated)
• How can I tell if an e-mail message is fraudulent? (new)
• The do's and don'ts of dealing with suspicious e-mail (new)

But remember: Being prepared and on the watch before the fraud ever happens is the best way to not become a victim. The links above and other resources on the 'net can help you educate yourself and people you know about the things people should do to keep from becoming victims.

If you use the Firefox web browser, you need to get the latest release, v1.0.1, which contains a number of security-related bug fixes that are important to patch.

Here's what's new in Firefox 1.0.1:

• Improved stability
• International Domain Names are now displayed as punycode.
• Several security fixes

Download your preferred language version from here.

Press release is here.

An announcement by Bill Gates at the RSA conference: Internet Explorer 7 is set to be released for testing this summer, says Microsoft. It will include anti-spyware functionality, and will not wait for the next version of Windows.

• Info on the IE Blog
• Microsoft press release
• Reversal: Next IE update divorced from Windows (news.com)
• Microsoft to Release New Internet Browser (Yahoo! News)

Did you know that only 11% of identity theft takes place online? You're much more likely to have your identity stolen or discovered on paper, and chances are the bad guy (or gal) will be someone you know...

"The 2005 Identity Fraud Survey Report shows that despite growing fears about identity theft and online fraud, of the victims that know the identity and method used by the criminal, these crimes are more frequently committed offline than online. Internet-related fraud problems are actually less severe, less costly and not as widespread as previously thought.

"Further, the study concludes that those who access accounts online can provide earlier detection of crime than those who rely only upon mailed monthly paper statements."

Those of us who work in the field have known this for some time. And those of us who do our banking and other important transactions online also know we'll notice if something gets out of the ordinary, and we won't have to wait for a paper statement or a bounced check to tip us off.

How safe are you? Take the quiz. If there's anything you should be aware of in this day and age, it's how to protect your personal information.

Here's my results:

Your Score is 10
Please note that a perfect score is 0 and the worst possible score is 100; a typical score is 38.

How did you score?

F-Secure has published a RSS feed where you can get listings of all newly-discovered viruses (see HTML list here). People responsible for knowing what's new and changing will likely want to subscribe. This is one great way to get an ongoing education, not to mention a useful reference for daily AV routines:

"We've received some questions on whether it would be possible to receive the list of our new virus descriptions as an RSS feed.

"Well, turns out we've had this available for quite some time already, but I guess we've never really officially announced it.

"So: our new virus descriptions are available as an RSS feed here: "

An "open letter" to Microsoft...

Once again, commenters everywhere are espousing opinions on Microsoft's latest statements regarding the company's plans to disallow updates for pirated copies of Windows (and other software).

We all know taking that position results in one primary problem: Unpatched computers get infected or overrun and then bombard computers of others - making victims of people with valid, paid-for copies of Windows.

I understand Microsoft's position, I disagree with it, and I have a solution.

Patch the pirated computers, "update" the pirated computer's firewall to control two-way traffic, then turn that firewall on. Turn it on all the way. Like as in "nothing-in, nothing-out." Stop all the network traffic on those machines. And put "PIRATED" in all four corners of the screen, like you do with Safe Mode. Heck, for that matter, only allow users to boot into safe mode if it's pirated.

Of course, you could leave open connections to, say, a Microsoft site where people could be allowed something like, oh maybe 30 days to register their software. Give 'em a reduced registration rate maybe. Or maybe not. That's up to you.

Seriously - A significant portion of my job is protecting my company from all those unpatched and out-of-date computers. My time is valuable, and so is the time of many others like me. The ball belongs in your court - Where thousands of people have to spend hours and hours defending networks, you can fix it for all of us in one fell-swoop.

Microsoft's failure to patch problem computers makes for a less-secure Internet. It makes for higher operating costs for my company. It means I am focusing my time on things I need not deal with. It means I'm not focused on more important things that deserve my individual time.

Revenues are important, sure, but so are your customers, and so is wide area network security. This is the one area where revenues might just need to take a back seat. Think about it. Do the right thing.

Drastic? Sure, but healthier than leaving security holes all over the planet.

By not helping your enemies, you hurt your friends. You can't win, but you can make sure the people who are already on your side are taken care of.

Patch that software. Then get 'em with the firewall. Do it. We need you.

And thanks for listening.

EDIT:

P.S. - Is this a little tongue in cheek? Sure it is, somewhat. The idea is to discuss all the options and possibilities, and I think people need to talk more about the option of making it harder for software thiefs, regardless of the PR impact. Talking about it and actually doing it are two very different things, and often useful ideas come out of the conversations about the "fringe" options.

Already several emails and opinions are coming in (keep 'em coming, and you can also use the comments link below), so let me point out a few things...

• First, I don't think Microsoft is "evil" - and that was not my point. Not even close.
• Second, I know automatic updates would still work for pirated software under the proposed plan. That's not my concern - apparently there are some idiots who steal software that just don't have the brains or desire to turn it on, for whatever reasons.
• Third, I'm not freaking out over something that hasn't happened yet. Rather, I am thinking about and commenting on something that's being discussed and in which I have professional interest and experience. Part of my experience is that if you offer opinions before Microsoft takes action, you're more likely to have your opinion count for something, however small. Come to think of it, that's more about the way the world works in general than it is about Microsoft...
• Fourth, my thoughts are more about Microsoft asserting itself from both the "security-custodian" and "software-seller" roles. Two statements (drastic ones, granted) in one brush stroke.

Mitch Wagner at Security Pipeline has his own opinions on the matter, too. See what other people are writing about the subject with Feedster.

Interesting conversation. What do you think?

Joe Stagner, a Developer Community Champion at Microsoft, will be presenting a series of two webcasts per month, starting this week and running through May on the general topic of designing and writing secure applications.

Dubbed the "Digital Blackbelt Series," the webcasts will cover these topics:

I had to change one of my passwords today (good security practices and all that), and with the recent discussions around the 'net concerning using passphrases in place of passwords, I decided to go full tilt and start using passphrases on this account rather than passwords.

One of the great things about passphrases is that they can be quite long and secure, yet easy to type and remember. For example, I could use either of these as a secure passphrase that more than meets all the security requirements of a Windows standard password-complexity template:

Is this my nifty-difty passphrase?

   - or -

Wow yo thats a really cool Red Radio you have there!

Of course, I could also be more paranoid (and in real life I am) by using something like "Is this my nyftie-dyftie passphraze?" but even with the standard dictionary words, the combination of having to determine the number of words, case, punctuation, order and spacing is a pretty darn complicated task. For more information about effectiveness of passphrases and their complexity, read what Jesper Johanssen wrote on the topic.

I can included spaces and everything - they're part of the passphrase, and the fact that I am using dictionary words works in the case of a passphrase, where they don't really pass muster when using 8-character-minimum passwords.

Passphrases use multiple words or variations, can be out of place and odd, easy to remember and easy to type quickly. The only problem I have had since changing to my new passphrase is remembering that I changed my password at all - I keep typing the old one... It's like writing "2004" on checks, I guess... This, too, shall pass.

Anyhow, I can type my passphrase accurately every single time, very quickly and reliably, so I am happy with that. If I choose a phrase that means something to me at the time, it will be easy to work with until I have to change it again in several weeks. I think it's a good thing - all in all better from a user standpoint than convoluted and hard-to-type passwords.

More on passwords vs. passphrases can be found here. Also, Susan Bradley, who blogs about Small Business Server quite a bit, has some thoughts on the subject and some policy configuration information (via Adam Field).

Last year, a company called MailFrontier produced their Phishing IQ test. Phishing is a form of fraud, where the bad guys set up web sites to collect personal data and then send out emails to get you to visit the web sites. More often than not, the web sites look at least semi-official, and at times they look like the real thing. While financial institutions are the most frequent targets (emails and web sites that look like they came from a bank, but did not), insurance companies ad other online merchants are also often spoofed in these phishing scams.

Now MailFrontier has a new Phishing IQ Test:

Ready for more? Over 225,000 people took the first MailFrontier Phishing IQ Test, successfully raising "phishing" awareness to an all-time high in both the industry and consumer media. But with phishing emails increasing daily—and the online holiday shopping season officially open--it's time for a whole new challenge: the MailFrontier Phishing IQ Test II.

We're back with 10 new suspect "phish" fresh from our collection – all actually received by real people like you. Whether you're brand new or a repeat tester, the question is the same: If you received one of these emails in your inbox – what would you do?

Take the Phishing IQ Test II

Microsoft today released three security bulletins, two of which are classified as “Critical” severity, and related patches to resolve the issues described in each bulletin:

Jan 11, 2005	Vulnerability in HTML Help Could Allow Code Execution (890175): MS05-001 Affected Software: Windows NT Server 4.0, Windows NT Server 4.0, Enterprise Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows 98, Windows 98 SE, Windows Me, Internet Explorer 6	Windows NT4 Service Pack 6a, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 Gold, Windows 98 Gold, Windows 98 SE Gold, Windows 98 SP1, Windows Me Gold, Internet Explorer 6 SP1	Critical
Jan 11, 2005	Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711): MS05-002 Affected Software: Windows NT Server 4.0, Windows NT Server 4.0, Enterprise Edition, Windows NT Server 4.0, Terminal Server Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition, Windows 98, Windows 98 SE, Windows Me	Windows NT4 Service Pack 6a, Windows NT4 Terminal Server Service Pack 6, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows Server 2003 Gold, Windows 98 Gold, Windows 98 SE Gold, Windows 98 SP1, Windows Me Gold	Critical
Jan 11, 2005	Vulnerability in the Indexing Service Could Allow Remote Code Execution (871250): MS05-003 Affected Software: Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition	Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows Server 2003 Gold	Important

From MS MVP Jerry Bryant comes news about the new malicious software combat tools that will launch on Tuesday this week from Microsoft:

Announcement of Upcoming Release of Malicious Software Removal Tools

Starting from January 11th, 2005, Microsoft will provide Windows customers with Malicious Software Removal Tools. New versions of these tools will be available monthly (second Tuesday of every month on the same schedule that Microsoft already delivers other security updates) or more frequently if necessary…

…Microsoft will provide new versions of this tool updated to remove malicious software that is found to be prevalent for that month. The first version of the tool available in January will be able to remove Blaster, Sasser, MyDoom, DoomJuice, Zindos, Berweb (also known as Download.Ject), Gailbot and Nachi viruses / worms.

These removal tools will be made available to customers through the following delivery vehicles:

• As a download through the Microsoft Download Center
• As a critical update through Windows Update and through Auto Update for those customers who have Auto Update turned on
• As an ActiveX control also available at www.microsoft.com/malwareremove

“Meet Your Computer’s New Bodyguards” is one of the taglines you’ll see when installing the new Microsoft AntiSpyware beta software. Microsoft today launched its public beta of the software, which is available to download from the company’s web site.

A lot has been said recently about Microsoft’s acquisition of Giant, a company that makes anti-spyware software used to protect computers from prying eyes and privacy leaches.

After installing it and running it, it’s interesting that its flagging things that AdAware and SpyBot S&D don’t alert on. That’s good. In my case, it didn’t hit on anything I wanted to change or remove (I have a few tools on my computer that it sees as potentially problematic, if someone else had put them there, for example.

The UI is nice and clean, and I like the automatic updates (already working). It’s pretty darn IO intensive, so don’t plan to do any disk-related work while it’s performing a check. By default it schedules a scan to happen at 2am each day (you can change this) and it sets up a real-time protection service that works a lot like an anti-virus program does, watching for known spyware and prompting the user for certain types of system changes as they happen.

I really have only one complaint. If I am running a scan and click on any menu item or button in the user interface to to go to another page, my current scan aborts without warning. This is really very frustrating and will likely cause many people to skip completing a full scan because they’d just killed a scan after 10 minutes and would have to start over again.

Overall, great start and I already like the interface and approach better than the other options out there today. Look out, here comes Microsoft – again. This is one area they’ll have to get right, for sure.

(found via NeoWin) 

I ran across this weblog tonight while perusing other sites – was found via a link from another blog.

The F-Secure Antivirus Research Team’s Weblog is a great resource for computer security professionals to keep an eye on. There are obviously some smart people working for F-Secure and it shows in their team blog.

The weblog is here: http://www.f-secure.com/weblog/ …

  … and their RSS feed is here:

Also, F-Secure’s 2004 Security Summary is available and well worth the read. Wow – good find!

Engadget points to a mention of a USB computer locking mechanism that includes a key you insert into the USB slow on your computer and a strange little medallion that you wear. When you step far enough away from the computer, the computer is locked at the console, and when you return, it’s unlocked for you automatically.

Sounds great. Sounds like a security hole waiting to happen if it’s not well-executed, but if it’s solid, it’s pretty darn cool. For under $20 per piece, you have to wonder, though…

But – If this does work, it sounds very interesting. I’ve ordered a few to see what they’re like and if they are actually reliable and secure. I will post a review once I get a chance to put them to the test. I’ll likely be using Bryan Batchelder’s replacement software, after reading a few reviews of the software that comes in the box (for example, if you have multiple screens or know anything about windows security at all, it’s east to defeat – not so good). It’s quite cool that someone is doing that kind of alternative software work, since its clear the original software will not be even remotely close to adequate.

In fact, after reading Bryan’s weblog, I’ve subscribed: 

Smart guy, cool stuff!

MSN has a special web site dedicated to educating people about online safety and security:

http://safety.msn.com/

It’s a decent resource for the average user, and provides easy-to-understand facts and answers to common questions and issues people face on the Internet.

In particular, information about protecting kids online and how to recognize and avoid falling victim to phishing schemes are among the topics addressed.

From a technet email recieved this morning…

Microsoft Anti-Spyware Tool Coming Soon

As you might have heard, Microsoft recently acquired Giant Software, Inc., the maker of a well-regarded anti-spyware tool. Although we'd hoped to be able to provide you with a link to a beta release of a Microsoft-branded version of this tool, it isn't quite ready yet. We're told the beta software will be freely downloadable from the Download Center sometime in the next few weeks. Until then, here's the press release outlining the capabilities of this spyware blocking and removal tool, and another statement explaining some little-known facts surrounding a legal agreement between Sunbelt and Giant that preceded the Microsoft purchase of the Giant technology.

Near and dear to my heart (professionally speaking), the latest increasing numbers related to the number of fraudulent phishing sites (sites that look like a bank or other business, but which are actually set up by bad people who are wanting to steal your personal and private information) are worth taking notice of:

“The number of phishing sites, or fake Web sites set up to fool victims into handing over personal information, reached 1,518 last month, the Anti-Phishing Working Group said in a report released on Wednesday. The total was up almost a third over October and three times the level in September.”

That’s an increase of 29% over the previous month. It’s also – in my opinion – an understatement of the real number, since it deals only with reported phishing sites. But it pays to be conservative with numbers, I suppose.

“A total of 51 brands were hijacked by cybercriminals during the month, the group found. Financial services was again the most targeted industry, averaging 75 percent of all hijacked brands. ISPs faced a fair share of scams, accounting for 16 percent, according to the report.”

The Anti-Phishing Working Group publishes the monthly stats. You can find them here.

Also close to me professionally is the fact that recently the company I work for banded together with and a few other organizations to form the Anti-Fraud Alliance - a team of companies with existing, powerful software and services that can be used together or individually to combat fraud online, including phishing.

Note: My employer, Corillian Corporation, is a member of the Anti-Fraud Alliance. I mention them here simply because I wanted to and because I believe its relevant. No compensation involved, and opinions expressed here are my own, not those of my employer.

Apparently some are of the opinion this is not a security vulnerability, according to Microsoft’s comments to ZDNet reporters, but in the real world – it’s a hole. A Mack-Truck-sized security hole. The news story reads a bit like one team saying “Hey, we’re not in charge of that, so it’s not a problem” and the other one saying “We do things the way we do them, and that’s what we do.” Oof.

Anyhow… If you run Windows XP with SP2 you need to make sure you have this update.

http://support.microsoft.com/default.aspx?scid=kb;en-us;886185

SYMPTOMS
After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet.

CAUSE
This problem occurs because of the way that Windows Firewall interprets local subnets when the “My network (subnet) only” option is used. Windows Firewall is included with Windows XP SP2.

Because of the way that some dialing software configures routing tables, Windows Firewall in Windows XP SP2 can sometimes interpret the whole Internet to be a local subnet. This can let anyone on the Internet access the Windows Firewall exceptions. When the "My network (subnet) only" option is enabled, it is automatically selected for file and print sharing. Therefore, your shared drives can be unexpectedly revealed on the Internet when you use a dial-up connection.

RESOLUTION
To resolve this problem, you must download and install the Critical Update for Windows XP (KB886185).

Use Windows Update or click the above link. If you’re not already set up for automatic updates, make that change now.

Microsoft today released RC1 of Windows Server 2003 SP1. Also released at the same time was their Windows XP x64 Edition tech beta.

Among the changes to the server service pack, the Security Configuration Wizard has been reworked and significantly enhanced, with lots of new server roles and ability to more significantly lock down a Windows 2003 server.

Windows Server 2003 SP1 RC1 includes the host of new networking features included with Windows XP Service Pack 2 (SP2) and provides additional features and enhancements to support server services and operations. Also, support for network access quarantine control appears to have been added - a much anticipated feature that will allow an administrative examination of the client computer accessing the network remotely. If the client computer meets the required security standards, it is released from quarantine and granted access to the secured network. If not, it is denied access and is held in the quarantine zone network.

It's a beta - not yet intended for prime-time or production use, but worth a look, especially if you run secure Windows servers. The RC1 package is available for download at the site linked above.

Jesper M. Johansson, Security Program Manager at Microsoft, has published the third in his series of three articles about the pro’s and con’s of using passwords or pass-phrases in authenticating users to a network or application.

“This is the final article in our series on passwords versus pass phrases. The first part covered the fundamentals of passwords and pass phrases, how they are stored, and so on. The second part focused on relative strength and detailed mathematical approaches to determine which is stronger. This final installment concludes the series and gives some guidance on how to choose passwords and configure a password policy.”

Read the article here. Also read Rob Hensing’s review and point of view. His comments are worthwhile.

Looks like TopLayer will be hosting a series of three “webinars” (oh how these new clichés bug me) on the topic of Understanding Network Intrusion Prevention.

I am not personally familiar with the company, but the content looks interesting. It is advertised as free training, and specifically not a sales pitch. 

Here's the info and links to sign up if you're interested. Each session will last for about 60 minutes. From their email and web site, the session will include:

• Understanding problems that Network IPS can solve
• Network Intrusion Prevention technology overview
• Vulnerabilities, exploits, regular expressions, and protocol validation
• Comparing and contrasting IPS technology to IDS technology
• Requirements for in-line operations
• Reliable, scalable network IPS deployment scenarios

To Register: http://www.toplayer.com/content/news/webinars.jsp

Detailed Descriptions of the Sessions:

Network Intrusion Prevention Webinar Session I

Topic: "Problems that Can be Solved by Network IPS"

• Background of IPS and Attacks
• Problem Review
• Massive Network Attacks
• Known and Unknown Network Exploits
• Requirements for an Inline Network Device

Register Now>		December 8		12:00 PM Eastern Daylight Time (EDT)

Network Intrusion Prevention Webinar Session II

Topic: "Network IPS Deployment Goals"

• Brief Review of Session I
• Universe of Attacks
• IPS Mechanisms
• Protection vs. Recognition & Classification
• Requirements for Inline Network Device

Register Now>		December 9		12:00 PM Eastern Daylight Time (EDT)

Network Intrusion Prevention Webinar Session III

Topic: "Network IPS Requirements and Example"

• Brief Review of Session I & II
• Network Usage Model
• Network and Security Performance/High Availability Requirements
• The challenges of IP Fragments and TCP Segments
• Security Event Reporting
• IPS Deployment Example

Register Now>		December 15		12:00 PM Eastern Daylight Time (EDT)

Microsoft announced on Thursday that they will be returning to providing advanced notifications to the public of security bulletins. From the TechNet web site, here is the announcement:

In response to consumer feedback, Microsoft is expanding its security bulletin program to provide all customers with advance information about upcoming monthly security updates.

Starting in November 2004, the TechNet Security site will publish a general summary of planned security bulletin releases three business days before each regularly scheduled monthly bulletin release. Currently, security bulletins are scheduled to be released on the second Tuesday of each month.

The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected.

The purpose of the advance notification is to assist customers with resource planning for the monthly security bulletin release. The information provided in the notification will be general and will not disclose vulnerability details or other information that could put customers at risk.

The notification will be based on the information available three business days before the monthly bulletin release date. However, this information often changes due to the complexity of testing security updates. Therefore, the notification should not be viewed definitive.

Check back again in December when customers will be able to sign up and receive advance bulletin notifications via email.

See the most recent security bulletin advance notification

I guess I should make those who know me from outside the office aware that I have accepted a new job where I work, since much of what I write here is related - albeit somewhat indirectly - to my job. That, and many readers of this blog tell me they keep an eye on this site because of my professional work and experience in that regard.

Note: Just a quick reminder that this blog represents my own personal thoughts, positions and beliefs alone. Nothing I say here is in any way associated with my employer.

Up until last week, I was the Corporate IT Director at a terrific software company in the Portland Oregon area, managing the team of people that makes all the IT systems the company relies upon work. The team there does a lot of work: They handle all company desktops and laptops, software, help desk and end user support, phones, servers, enterprise apps, intranet and Internet web sites, corporate web and software app development, networks, lab environments, infrastructure, network security, and a bunch of other aspects of IT at the company. I have had the pleasure to work with a talented and great group of people in that department, and am proud of all the employees there and the work they have done and will continue to do. One real sign of success as a manager is when you get to the point where you have one or more employees who are ready, able and even hungry to take your job away from you. I was privileged to be in that position as a manager with my employees, and as a result I am confident the department will continue to grow and serve the company well.

So what now? I have made the move to a new position at the same company as Director of IT and Security Operations. That means I will be focusing on working with a team that does amazing security work at Corillian, while continuing to work with the IT department in a higher-level guidance and strategic planning role.

It's a natural and positive move for me (I have been heavily involved in many aspects of security operations and planning over the past few years) and an opportunity to continue to learn and grow in a red-hot and quickly-expanding area. It also means I can maintain somewhat of an IT-planning focus and continue to stay on top of new and unusual software and technology. It's a challenge that looks exciting to me, and for which I am quite motivated.

And it means a slight change of pace, which will be nice. I've worked at the same company for five years, and a little change here and there is a good and healthy thing.

It also means this blog will likely take on an even stronger security slant and emphasis, but I intend to continue to cover IT and technology in general. In fact, it's hard to divorce the two from each other and truly stay in touch with goings on.

And besides, when it comes down to it, I'm really just a technology and gadget geek.

Saw this coming, had a discussion with a colleague this morning about it, and Security Pipeline has an article about it.

Google's desktop search (in public beta) indexes local machine content to let you search though it and quickly find stuff on your computer.

Problem is, it might let others find and read your stuff if your computer is used by anyone other than you. Hmmm. Details...

From the article:

If you're the computer's only user, the software is helpful "as a photographic memory of everything you've seen on the computer," said Marissa Mayer, director of consumer Web products at Google Inc. The giant index remains on the computer and isn't shared with Google. The company can't access it remotely even if it gets a subpoena ordering it to do so, Mayer said.

Where the privacy and security concerns arise is when the computer is shared.

Type in "hotmail.com" and you'll get copies, or stored caches, of messages that previous users have seen. Enter an e-mail address and you can read all the messages sent to and from that address. Type "password" and get password reminders that were sent back via e-mail.

Acknowledging the concerns, Mayer said managers of shared computers should think twice about installing the software until Google develops advanced features like password protection and multi-user support.

In a well-written and well-argued article on Security Pipeline, Mitch Wagner tells us the story of the little pigs and their houses of straw and brick, and then draws from the story to illustrate the state of Internet security, stating:

"The preceding has been a fairy tale with no bearing on the current state of Internet security."

Except that it really does. Have a bearing, that is.

Wagner's analysis of the arguments on both sides of the browser wars is interesting and well-explained.

Secure coding and design wins the argument every time - with regard to secure applications, that is. Of course, functionality, usability and other aspects of computer programs have to come into play and be taken into account, as well. But ultimately, the structural materials with which you build your house (be it brick or straw) determine whether you'll survive the hurricane. Or the wolves....

The little pig's big brother said, "Dude, you can't blow down a brick house. Brick is fundamentally more resistant to huffing and puffing."

Good point, Mitch.

Jesper M. Johansson, Ph.D., ISSAP, CISSP is a Security Program Manager at Microsoft. The second part of his three-part article on the use of passwords vs. passphrases was recently published.

The Great Debates: Pass Phrases vs. Passwords

• Part One - coveres the fundamentals of passwords and pass phrases, how they are stored, and so on
• Part Two - discusses the relative strength of each type of password, and use some mathematical approaches for illustration
• Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy

In this installment, he looks at three arguments for the use of pass-phrases:

• Claim 1: Users Can Remember Pass Phrases
• Claim 2: Longer is Stronger
• Claim 3: Pass Phrases Can Have More Randomness

This is a great read, worth the time for anyone who works in the security field or in IT operations and security. I am looking forward to the third installment, as well. Jesper has a powerful way of cutting to the heart of the arguments and coming out the other end of the conversation with good facts in tow.

The new SANS 2004 Top 20 list of critical Internet security vulnerabilities is out. It's actually two top-10 lists, one for Windows and one for UNIX:

Top Vulnerabilities to Windows Systems

W1 Web Servers & Services

W2 Workstation Service

W3 Windows Remote Access Services

W4 Microsoft SQL Server (MSSQL)

W5 Windows Authentication

W6 Web Browsers

W7 File-Sharing Applications

W8 LSAS Exposures

W9 Mail Client

W10 Instant Messaging

Top Vulnerabilities to UNIX Systems

U1 BIND Domain Name System

U2 Web Server

U3 Authentication

U4 Version Control Systems

U5 Mail Transport Service

U6 Simple Network Management Protocol (SNMP)

U7 Open Secure Sockets Layer (SSL)

U8 Misconfiguration of Enterprise Services NIS/NFS

U9 Databases

U10 Kernel

I didn't know I was going to be asked to speak, but Chris roped me into participating in a panel session first thing this morning, the topic of which was “the future of security.” It was an honor to do so, and the conversation was a good one. The audience was involved and had great questions and comments. The participants on the schedule were:

Picture below thanks to noded.com

Being involved up on the stage, I don't clearly remember everything we talked about in detail. I used/borrowed/stole the “PPT” mantra often used one of my friends and mentors, Jim, in my words during the panel discussion: “Security is about three things - People, Process and Technology.”

Security as a topic of conversation or debate, especially when discussed among geeks, seems always to attract such a strong technology focus. But the other two aspects of security - process and people - cannot be ignored. If you remove any one part from a security effort, it cannot ultimately succeed. If you have a successful security strategy and program already up and running, you cannot afford to forget to address and maintain all three components. If you do, again, it's bound to fail eventually.

Technology is important, though. You can't discount the fact that when you run computers and networks, technology is what you're securing, so you'll almost certainly use more technology to help you.

The panel discussed hardware security technology, and (as expected) the “patch and fix” and other typically Microsoft-centric topics and questions came up.

My response to the Microsoft-Security debate: Think about football teams. The team that plays tough games season after season and gets its butt kicked over and over will eventually learn the basics, and then will evolve into a mature powerhouse of a team. You just hope the other teams (the ones that had been kicking your team's butt) don't get too lazy or take any thing for granted. Or, if they do, that you have not made an investment in that team.

Three years ago, I was looking at Microsoft as a team I had a relationship with, but who I could not count on to win the game. Today my position is just the opposite: Microsoft has learned the hard lessons, has had their butts kicked, and has emerged from the fray a stronger, better and more mature company in the security arena. They may only be 60% there, as Scoble noted on the stage, but this is a team that I feel I can count on to do the right thing and fight the good fight.

This was a good session, covering a lot of ground. Feedback from audience members afterward was positive, which was cool. Security has become a hot topic in the past year or so in the user world, and will become even bigger in the future.

Again, because it bears repeating: Always Use Protection - buy it now. <eom>

According to Microsoft, 23 percent of Windows computers in the United States are running bogus versions of Windows. The new program installs an Active-X control (users can opt out, at least at this point) that examines a system accessing certain files on Microsoft's Download Center to see if the copy of Windows that is installed on the machine is legitimate. At this time a number of Windows Media files are flagged for the check, along with several others. Files that will prompt the user to validate his or her copy of Windows are marked in the file listings with a small gold arrow on a blue circle background (see above).

No doubt Microsoft is legitimately interested in making sure its updates are getting into the hands of those who have purchased the products the company produces, while at the same time providing software thieves with a reason and incentive to pay for the operating system they use. It should not come as a surprise that Microsoft is doing this now, nor that they will likely expand this capability in the future. Ultimately, it takes people spending money on software to allow a company, regardless of how big that company may be, to continue to build new and better software products. No matter what your philisophical position with regard to Microsoft, the one core rule of business always applies: If you're not making money, you shouldn't be in business.

Security Pipeline has an interesting article that explains how you can do some simple and cost-free things with your network setup to significantly improve your security situation, in the event you have not already applied the measures they describe.

Note: I am not so sure I agree with the article as a whole (in my book, a good firewall is an absolute must, and vulnerability scanners do add real value, especially when used in combination with common sense and a good, well-trained set of brains and eyes), but the points made in the article are interesting and, at least on a case-by-case basis, valid. But I do not agree that implementing just those measures would provide anything even approaching acceptable network security. To state that many IT managers become mired in the volume of patches and configurations is a valid point on its face, and is worth considering when looking at how to manage security and prioritize, but to suggest or imply that one therefore avoid any of the patches and tools is not - in my opinion - a good option.

From the article (which gives specific items to address):

"According to Peter Tippett, CTO of the newly-formed security company Cybertrust (formed from TruSecure, BeTrusted and Ubizen), you're better off looking for good solutions instead of perfect answers. "A few solutions that are only 80 percent effective give an overall 99.9 percent solution," Tippett says. In fact, he says that the most effective security solutions require little time and less expense, and can reduce your exposure 40-fold."

Last week while I was out, Microsoft released a new tool on their downloads site called SSL Diagnostics Version 1.0, which aids in quickly identifying configuration problems in the IIS metabase, certificates, or certificate stores.

x86 and ia64 versions are available. The download contains a document called the SSL FAQ that is a great resource for people wanting to learn about SSL from the beginning, as well.

Recommended for anyone who might need to deal with web servers, certification authorities or SSL certificates for any reason.

Microsoft's TechNet has released a useful set of step-by-step guides to help people learn, understand, plan, deploy, configure and maintain Active Directory infrastructures on Windows 2003 domains.

From the AD Step-by-Step Guides page, the following individual titles are available (see the main page for more information about each):

• Installing Windows Server 2003 as a Domain Controller
• Installing a Windows XP Professional Workstation and Connecting It to a Domain
• Setting Up Additional Domain Controllers
• Managing Active Directory
• Understanding the Group Policy Feature Set
• Using the Group Policy Management Console
• Enforcing Strong Password Policies
• Using the Delegation of Control Wizard
• User Data Management and User Settings Management through Group Policy
• Configuring a Dial-Up Remote Access Server
• Building a Site-to-Site Virtual Private Network Connection
• Using the Encrypting File System
• Digitally Signed and Encrypted E-Mail
• Active Directory Sites and Services
• Active Directory Bulk Import and Export

via BetaNews.com:

Security firm Secunia has issued a "highly critical" advisory that details 10 separate vulnerabilities found in Mozilla, Firefox and Thunderbird. The flaws can be exploited remotely, allowing an attacker to compromise a system and expose sensitive data. Mozilla users are urged to upgrade to the latest releases of each application, which contain the necessary fixes.

This follows a JPEG vulnerability annmouncement (MS04-028) from Microsoft, as well. If you are running any of these programs, be sure to get the latest versions - these are serious vulnerabilities in all the apps, just as important to patch as where there's a vulnerability discovered in Windows or IE.

Cory over at SANS commented on the situation, too.

Interestingly, in an article by the Associated Press posted on the Security Pipeline web site, Microsoft is quoted as saying that their new biometric authentication products, which I posted about the other day, should not be used for securing important/sensitive data or networks:

"Curiously, Microsoft warns that the Fingerprint Reader shouldn't be trusted to secure access to corporate networks or to protect sensitive data, such as financial information.

"Basically, the company says it's about convenience, not security. That seems to rule out password-protected Web sites for credit cards, utilities, banking and others for which I might want to be spared having to remember and type a litany of passcodes."

Hmmm, well I guess I probably won't be ordering any of these to evaluate for work, then. Maybe at home though. From the review, it appears they work well and that they passed the Silly Putty test, which is good. Despite Microsoft's advice regarding use of the equipment, I'll look forward to getting my hands on one of the devices to try it out for non-critical purposes.

Lots of passwords to remember for web sites and Windows accounts? Now you can log into them using your fingerprint.

Microsoft has released three new devices: A keyboard with built-in reader, an advanced mouse with a reader to accompany it, and a simple reader device all on its own.

I'll be interested to see how these are secured.

See the informative animated flash marketing thing here.

Microsoft has extended (doubled) the time they will allow businesses to block the automated installation Windows XP SP2. I have mixed feelings/thoughts about this, but ultimately I think it's a good thing for Microsoft to allow it's customers to control the update for a while.

For my part, I think everyone should install this service pack as soon as you reasonably can. Companies should know that delaying without a good business reason to do so is almost certainly a mistake. If your reason is that you overheard or read about some vague problems, you better have the details, and they better be real. I've already had a number of conversations with IT-types who made what they positioned as an informed business decision not to install SP2, with absolutely no good reasoning behind their decision.

Details on the delay from Microsoft Watch:

Microsoft has allowed XP users who were leery of taking delivery of Windows XP Service Pack 2 to postpone the patch by using automatic-patch-blocking tools. Microsoft is now giving XP customers using Windows Update/Automatic Update a deadline (April 12, 2005) by which they need to finish preparing for SP2 before Microsoft pushes SP2 out to them.

and from Microsoft's web site:

Please note that the mechanism to temporarily disable delivery of Windows XP SP2 will be available for a period of 240 days (8 months) from August 16. At the end of this period, Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems.

If you run any version of dasBlog, this is important to you.

Thanks to Bliz for letting me know to update my dasBlog installation. A new patch is available to fix an issue with all previous versions that can allow a malicious person to gain access to your user credentials for the dasBlog app (but not the system).

• Get the patch
• Read the news
• Visit Bliz

CERT (the Computer Emergency Readiness Team) made it little more official this week and issued a Cyber Security Alert [SA04-243A] recommending that computer users upgrade to Windows XP SP2.

Taken from the US-CERT web site alert:

Recommendation

To help protect your Windows XP computer from attacks and vulnerabilities, install Service Pack 2 using Windows Update or Automatic Updates.

Note: Service Pack 2 makes significant changes to improve the security of Windows XP, and these changes may have negative effects on some programs and Windows functionality. Before you install Service Pack 2, back up your important data and consult your computer manufacturer's web site for information about Service Pack 2.

The recommendation is made specifically for home users, which stand to see the highest benefit, but applies in principle to businesses as well. However, note that many business computing environments are centrally managed. If you work in a company that has centrally-managed software and security procedures, be sure to check in with those people before you install SP2 - they may already have a plan in place.

Larry Osterman points out what should be obvious, but is largely overlooked or ignored since it makes tasty "news." Recent reports that there is a security "hole" in Windows XP SP2 miss the big picture, he says.

The gist of the reported complaint is this: The new Security Center in SP2 uses WMI to control what information is displayed to the end user regarding what software is in place and it's status. Malicious code can, therefore, potentially use WMI to modify the information displayed by the Security Center, thereby convincing the user of the system that their firewall is on and AV software is running when in fact it's not.

PC Magazine and others ran articles about how they were able to spoof the new Windows XP SP2 Security Center, causing it to display false information about the status of the system. Microsoft later responded and PC Magazine followed up on the response, where they changed their tone somewhat.

From PC Magazine's original article:

"Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes."

While this is technically possible, what is missed is the fact that in order to use WMI to make those changes, a program would have to be downloaded and installed on the machine with "system" level permissions. Any unwelcome code that is allowed/able to get that level of access has already won the race and is able to do much more harm than simply changing the information displayed in the Security Center. Even if the security center was not a part of your system, as soon as you ran the malicious code you'd be equally screwed, and the malware could make changes to pretty much any other apps running on your system. It would not need the Security Center to do its dirty work.

Read Larry's post for more, but remember one thing: The fact that someone claims something is a security hole - or in this case, a "crater" - does not mean they're right. It is, of course, always best to check things out and play the role of the skeptic, but accuracy in reporting is of primary importance, even if it is not as exciting. I'm glad PC Week followed up with their second story.

Their conclusion?

"We see the WMI and WSC as an indirect security risk, or hole, or whatever you want to call it. Maybe we're giving hackers and malware writers too much credit. WMI allows a program to get the security status of a user's system, as well as spoof it to give the user a false sense of security. Maybe it is too subtle. However, it is another tool in the hacker's toolbox. To have easy public access to the security status of a user's machine is like sending a password in plain text to a web site. It may not be used, but then again it might..."

"Do we think that end users should upgrade? Yes, Windows XP Service Pack 2 is a must do, especially for end users. However, we would recommend users not take the WSC as gospel, If you use an antivirus, or 3rd party firewall, look at their status panels as a sanity check. Keep your Antivirus, windows, firewall updates current, and most of all, be very careful of what you run on your system."

I do think the articles serve an important and valid purpose, though: They call to light the importance of securing systems by default and continuing to improve in that area. It's fair to say that in the real world, people will do exactly what you hope they would not do, and that the default configuration of the operating system, which is certainly greatly improved with the new service pack, is still a real concern. They point out that there is still work to be done, and that while things are better, they;re not perfect.  In that sense, I think they're right on.

Crater? No. Worth mentioning and asking about? Absolutely.

Microsoft will ship the CD to you free of charge. This CD includes the same Service Pack 2 software that is available for download from Windows Update. You'll wait 4-5 weeks for delivery, according to the site. You can also download the complete service pack here.

Note that Microsoft started the electronic delivery of SP2 to Windows XP Home Edition users last week, and to XP Professional Edition today via the Automatic-Updates distribution route.

Yesterday, the Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2 was published.

This guide considers potential application compatibility issues that may arise after a Service Pack 2 deployment. The guide provides mitigation procedures that can be followed to overcome compatibility issues. Since the mitigation procedures relax the default security configuration, the guide in no way recommends that they should be followed, but if there is no other way of overcoming compatibility issues, they can be applied in the short term.

The Guide also includes a download of example scripts. The scripts demonstrate how to reconfigure a Service Pack 2 computer to overcome compatibility issues. The scripts are designed as functional samples and will require modification for use in a production environment.

I've only flicked though it, but I am very impressed with the level of detail of what I've seen to date.

Last night Robert Scoble posted a commentary about a commentary on Windows XP SP2 and whether or not people should be told to upgrade to it right away. I pretty much agree with Robert that now is better than later, with an added mention that different users probably need to take different paths to deploy this service pack. Our company, for example, will complete our deployment when it will not interrupt an ongoing project. It's not the service pack that we're hesitating on, it's the time the computer will be unavailable - or performance potentially reduced - by the background installation that we'll be doing over the network.

But more interesting then the original commentary, or Robert's commentary-on-the-commentary, is the commentary-on-the-commentary-on-the-commentary: Robert's also opened up the exact can of worms in the comments on his blog that you'd expect from the "community" on this subject. But hey, I guess that's what community is all about, after all. It takes all kinds.

[yes, I know that's two Scoble posts in a row, I'll stop now :)]

MailFrontier, a company that makes a great anti-spam gateway package, has put together “The MailFrontier Phishing IQ Test.” The have assembled 10 real-world suspected-fraud emails as captured by their systems. You review them and decide, is each one legitimate or fraudulent?

Take the test now. What's your score?

A little phishing lesson:

Phishing is a term used to describe various methods used by scam artists to persuade you to send them your personal information, so they can fraudulently use it for their own benefit. Almost always, phishers use what appear to be legitimate business emails and web-sites to get you to submit your personal information to them. But in fact, the emails and web sites are not legitimate, even though they may appear to be.

The information collected in phishing scams runs the gamut, and includes credit card information, social security numbers, bank account information, and any other items crooks can use to clean out banking accounts or benefit from assuming some portion of your identity.

Never submit personal information via an email form or on a web site in response to an email or other communication you receive asking you to update that kind of data. If you ever suspect you are being phished, call the bank or other company that sent you the email at their standard customer service number (don't trust a number in the email, look it up in the book or on your statement) and ask them if it's a legitimate request. You'll find that at no time do banks or other reputable businesses call or email you asking you to provide personal information.

My friend and coworker Scott pointed me to an article by Robert Hensing on his new security incident-response weblog that does a great job of explaining “Why you shouldn't be using passwords of any kind on your Windows networks.”

The fact that Microsoft's security people are now starting to blog about their areas of expertise is awesome - and I realize it's not an easy thing for security management to buy into for a number of justifiable reasons. What Robert suggests in this article is right on the money, and is where many companies are already heading (and where the rest should be heading).

Subscribed:

Microsoft has published this list of dates for where and how XP SP2 will be made available:

• From 8/06 - Release to manufacturing
• 8/09 - Release to Microsoft Download Center (full network install package)
• 8/10 - Release to Automatic Updates (for machines running pre-release versions of Windows XP SP2 only)
• 8/16 - Release to Automatic Updates (for machines not running pre-releases versions of Windows XP SP2)
• 8/16 - Release to SUS
• Later in August - Release to Windows Update for interactive user installations

UPDATE: If you have to deploy to an organization, you should read this guide.

Other Methods of Deployment
In addition, they have published an article and related tools called "Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates," which offers a number of options to IT operations shops that may need to delay the auto-updating of SP2 on any one of a number of machines, until testing can be completed. The tools allow you to temporarily disable application of the service pack via Windows Update, as well as to re-enable it. The article also discusses some of the benefits of using Software Update Services (SUS) or Systems Management Server (SMS) to deploy SP2.

By the way, a little about SUS: Do you have a company that relies on Windows Updates to patch your computers, but wish you had more control over the process? Ever have a patch cause a problem because you didn't get to test it first? SUS is your answer. Information on SUS is available at www.microsoft.com/sus. Note that SUS is available as a free download to customers with a Windows Server 2003 or Windows 2000 Server license and can be downloaded from here.

For those who are thinking they'll just block the Windows Update IP address or URL at the firewall or content filter, think again... Laptops, anyone? You get the picture. Plus, a firewall block would just be a cheap, lazy "solution" that would break every other update. Read the article and the FAQ.

Windows XP SP2 will be available starting August 16th for automatic download over the Internet, if you have automatic updating turned on. If you run Windows XP at home, you should have it turned on by now. If you don't know how, or whether it's on or off - don't worry, we are here to help. In the next three or four paragraphs, your computing life will become easier. Read and learn, it's easy!

So - Why so many redundant posts here about SP2 and how to get it? Because, the greater the number of home users who get SP2 and install it now, the better. Why? It will make your lives easier, as well as everyone else's. It will at least help prevent security issues. It will practically eliminate the browser pop-up problems you have, and as such will reduce the footprint of spy-ware and other malicious code. If you'll also go and get the free year's worth of AV software and firewall protection that Computer Associates will let you download (for home use), you'll not be a platform for the rampant spread of viruses. It will make all our computing lives better...

BUT ONLY IF YOU PREPARE AND INSTALL IT!!

So, PLEASE - if you are a home user, do two things:

1. Go to this web site to prep your system automatically to receive SP2, or watch the video linked above and follow the instructions to enable automatic updates.
2. Tell everyone you know to do the same thing. Think of it as a positive viral infection effort -- word-of-mouth, power-to-the-people style of getting out the message.

Please, pretty please.

Go. Do it. NOW!

TYVM.

Microsoft has now made XP SP2 available as a (great big ol') download for those needing to distribute it over a network, and (as of August 15th - date change) will also made it available via Windows Update soon to anyone who has auto-updating turned on.

Starting on August 15th your system will automatically download the express version of Windows XP SP2 in the background, if you have auto-updates turned on as described below. For typical home users this is about a 75 MB download, as opposed to the 250+ MB download of the complete network install pack. As soon as the background download is complete, you will be prompted to install SP2 and to accept the EULA (SP2 does not install automatically even if Automatic Updates is set to automatically install security updates). If you have a modem connection, don't "Cancel" the update once it's in progress; just disconnect and when you reconnect later, it will automatcially pick up where it left off until it completes.

If you are a home user or if your computer is not in a managed environment, and you don't need to ask permission to upgrade to SP2, you should go to the Protect Your PC page at Microsoft's web site, which will walk you through setting up your computer (automagically if you use XP Home Edition) to be ready to get SP2 as soon as Windows Update is ready to send it to you. Whether you use the step-by-step instructions or let the application do it for you, you'll be all set.

Administrators of Windows networks (wired and wireless) may be interested in reading about the network protections built into the new service pack. That article is part of a broader set of information entitled “Changes to Functionality in Microsoft Windows XP Service Pack 2,” which was published today on the TechNet web site. Note that the full technical documentation can be downloaded here, as well.

Other useful links (there's so many, here are a few of what appear to be the most useful - feel free to add more links in the comments if you see something else that's good):

• TechNet's SP2 web page for IT Pros
• Videos and step-by-step how-to's (video - very nice!)
• A less-technical page of information on the Windows web site
• Security updates included in the SP
• Complete list of fixes in SP2 (long)
• XP SP2 Support Center
• Various screen-shots with captions (useful to help explain features)

If you are a MS Premier Support customer, there are a wide variety of information and tools available to you now on your premier support web site, as well - just log in.

If you use SQL 2000 or MSDE on Windows XP, you'll want to do some research before you apply WinXP SP2.

Microsoft has provided a FAQ list that covers the bases pretty well. Excerpted from that page:

Q.  Why is Windows XP SP2 important to SQL Server customers?
A.  Windows XP SP2 will turn on the Windows Firewall by default. By turning on the Windows Firewall, computers are more resilient to attacks from worms similar to Blaster and Slammer.

Q.  How does Windows XP SP2 affect SQL Server?
A.  SQL Server will have access to the local subnet by means of file and print sharing, which will enable access to named pipes, also known as multi-protocol, that use Port 445. TCP/IP and UDP will be turned off by default. Applications that connect to a SQL Server database by means of a network will not be able to accept or make connections. This setting change helps protect the customer system by making it resilient to malicious worms that send port requests to a computer in an attempt to create a denial of service attack.

In addition, KB article 841249, "How to configure Windows XP Service Pack 2 (SP2) for use with SQL Server," includes information about manual configuration of the SP2 firewall for use with SQL server, how to script configuration administratively, and troubleshooting tips and steps. Note that users of Windows Group Policy can also configure the firewall via that method using the new ADM files (which are included in the service pack).

I've been working with SP2 configuration via Windows domain Group Policy for a while now, with the beta versions. If you have the GPO option available to you, do yourself a huge favor and take advantage of it. Same goes for Office System settings - You can quickly, easily and effectively configure and maintain all your computers in one place.

Testers have it (running it now) and it will be available on the web soon. Windows XP SP2 is Gold.

Tablet PC and Media Center Edition users get all kinds of new features included, too - can't beat that.

If you're a home user, turn on auto-updates and when there is bandwidth to serve you, you'll get the full meal deal.

If you're a business user in a managed computing environment, don't take the chance - talk to your IT department before doing anything, as there are a number of possible Bad Things that could result in applying the service pack before they're ready, especially in the area of application compatibility with all those wonky custom business applications.

If you're a web designer or developer and your site doesn't work with SP2 - you're too late and well beyond the point of having reasonable excuses, so fix it fast and skip the whine.

Rumor was that SP2 was supposed to RTM on Thursday, but that didn't happen. Microsoft Watch reports it's still right around the corner. Others say this month. I hear the same thing. Apparently, there are a few last-minute things that need to be worked out, which is about what you'd expect with a service pack that makes the kinds of changes this one does.

The RC2 version of the service pack was removed from the web on August 2nd, in preparation for release of the final version this month, according to the TechNet web site pages dedicated to XP SP2 information:

Aug 2, 2004: Windows XP SP 2 Release Candidate 2 (RC2) Removed from the Web

This signifies the end of the pre-release distribution program in anticipation of the final release of SP2. Windows XP SP2 remains on schedule for release this month.

The process of implementing SP2 in the real world is more complicated and sensitive than previous Windows service packs, due to the security changes in areas like firewall, DCOM, Java Virtual Machine, Active-X and other aspects of the new code. Testing in individual environments is critical except in the most plain-vanilla situations.

End users in managed environments will need to check with their IT departments before they download the service pack, and IT pros will certainly need to evaluate the service packs in their environments closely for application and network issues, so they can be remediated prior to roll-out. Group Policy attributes new with SP2 can assist administrators of Active Directory networks in deploying, configuring and enforcing consistency in the service pack roll-out, as well.

Developers who rely on SP2 platform security and certain other areas of functionality will need to be thinking ahead, as well. Even Microsoft's recently-released CRM v1.2 functionality breaks when XP SP2 is applied, so they'll need to supply a patch for that product. We can expect this to be a common - but ultimately necessary - occurrence.

Web site designers will certainly need to make sure their implementation of applets using the JavaVM, Active-X controls or embedded content, and pop-ups are reviewed and changes made where necessary.

Microsoft has made a number of documents available recently regarding the service pack and how different people need to plan for its arrival and use.

Amit Singh has written an article touching on many key aspects of what is needed to get a good understanding of the world of computer security. It's not a forensics manual or an exhaustive book on the subject, but it does a very good job of hitting all the bases and educating at a level deeper than you'll get from the new sources that write quick one-off stories, and in this day and age, that's a worthwhile thing.

His paper, which is entitled "A Taste of Computer Security," is divided into these chapters:

• Popular Notions About Security \
• Defining Computer Security
• Traditional Unix Security
• Security Uprooting Vehicles
• The Net Growth In Insecurity
• Digital Life: Viruses
• Digital Life: Worms
• Viruses on Unix
• Platform-Independent Malware
• Defeating Memory
• Securing Memory
• Access Control
• Detecting Intrusion
• Sandboxing
• An Example: Solaris Security
• Miscellaneous
• Unix vs. Windows
• Epilogue

I found it worth the read, and recommend it to people who may not be security professionals full-time, but need a certain level of understanding to really know what they need to know in their daily jobs.

In a new video on Channel 9, Microsoft's top security man, Michael Howard, discusses how hackers do their thing, discovering and exploiting security holes and whatnot. Additional links to other security-related video interviews with Howard are also provided.

Hopefully no one gets any bright ideas. :)

Spammers wreak havoc on millions of people for one simple reason: It's a money-making enterprise, and it's easy to do.

Microsoft Research has a piece just out that explains that if a hundred thousand people receive a single spam email broadcast, only one recipient needs to spend $11.00 on whatever they're selling to make the effort profitable.

It's hard to make spamming unprofitable when the costs are so low, so instead one solution would be to make it awfully inconvenient. The research article contains some interesting ideas about how to counter spam in ways that might actually stick.

The article is a good one for anyone interested in the technical, social and geographical detailed of spamming.

Mike Nash is responsible for security at Microsoft. He will be speaking during the newly-established monthly webcast briefing on July 28th:

Date: Wednesday, July 28, 2004
Time: 8:30AM-9:30AM Pacific Time (GMT-7, US & Canada)
(Click here to register for the webcast)

Description: Join Mike Nash, Microsoft's senior executive in charge of security, for his monthly security update. Mike will provide the latest details on Microsoft's security enhancements and offer tips and insights into key security strategies for customers.  This month, learn more about Microsoft's security strategy and the key focus of improving software updating.  Mike will provide details on what Microsoft is doing to reduce the cost, complexity, downtime and risk associated with deploying software updates. Learn how these improvements can help you with patch management in your environment.

Anyone who deals with computer and network security in their jobs owes it to themselves to check these two security resources now and then. Microsoft's security-related webcasts have been broken down into slightly smaller (it's all relative - 45 minutes is shorter than 2 hours ) chunks. You can check out archived presentations as well as sign up for live session to be held in the near future.

• Upcoming Live Security Webcasts
• On-Demand (Archived) Security Webcasts

In my experience. these are quality webcasts with actual useful information - A great resource for learning as well as staying on top of things. Webcasts provide a forum for addressing things in a fashion that's a lot like the real-world, so the practical use of the information is often better than that from other means of communication. If you happen to catch any of the live webcasts, there is typically a chance to ask questions during the session - so take advantage where needed.

In response to Download.Ject, Microsoft has just released a patch, which actually makes a change to Windows that disables the ADODB.Stream object in MS Data Access Components. This appears to be more of an intermediate fix than a true patch, to be used until a comprehensive fix that allows ADODB.Stream use without the vulnerability can be prepared.

People can get the update from Windows Update, or at this web page on Microsoft's Downloads web site. If you are a business network user, check with your IT department before you download or apply this fix - They might be applying it for you automatically from a central server, or they may have reasons it should not be applied if there are browser-based applications used that rely on the functionality disabled by this update.

Some will still whine and complain that this is "just a stop-gap fix," and that it doesn't actually repair the flaw. Give it a rest people: This is Microsoft responding to complaints about not getting fixes out soon enough, and they're doing it by making a valuable intermediate fix available to protect users. I applaud that. If you want to have a productive and constrcutive conversation, that's great -- comment here if you like, or go over to the Channel 9 web site, where Microsoft shows it's listening.

Microsoft has filed the new Sender-ID email spec with the Internet Engineering Task Force. The spec is a hybrid of Microsoft's "Caller ID for E-mail" and the competing-but-similar "Sender Policy Framework" (SPF).

Security Pipeline: "The new specification, called Sender ID, proposes that organizations publish information about their outgoing e-mail servers, particularly IP (Internet Protocol) addresses, in the Domain Name System (DNS) in XML. If adopted, Sender ID would serve as an e-mail authentication system that verifies the message actually originated with the purported address."

This will be a hot item over the next year or so. Expect to see this actually happen. The merged specs that were filed allow verification that the sender domain is legitimate and not spoofed on two layers, and the concept of sender-authenticated email is picking up a real head of steam.

If it flies, the bad effects of all those phishers and spammers will be significantly reduced (at least until they figure a way around that, too...).

UPDATE: Bill Gates' announcement about the new technologies and anti-spam roadmap is viewable on the web. I received the "executive email" from Microsoft a couple days after posting this original entry.

If you work with Windows XP Professional on a Windows 2000/2003 domain and you use Group Policy, this is for you.

Microsoft has released an updated version of their spreadsheet that lists the full set of Group Policy settings described in Administrative Template (.adm) files shipped with Windows XP Professional Service Pack 2 Release Candidate 2. This includes all policy settings supported on Windows 2000, Windows XP Professional and Windows Server 2003. The spreadsheet includes separate worksheets for each of the .adm files shipped, as well as a consolidated worksheet for easy searching. Using column filters, the spreadsheet allows simple filtering by operating system, component and machine/user configuration, as well as regular text search of keywords through Excel.

Essential for network admins planning a move to SP2 when it's released later this year - so go get it.

NOTE FOR DOMAIN ADMINS AND GPO GEEKS: The .ADM template files associated with Win XP SP2 can be found on your XP computer after you apply the service pack. Search for *.ADM or browse to:

   %SYSTEMROOT%\inf\

Or, extract them from the service pack CAB files if you're feeling adventuresome.

In other words, this works just like any other set of ADM files. Once you've applied the template files to your group policy objects on a domain controller, you'll see new options for lots of things like the Windows firewall and other nifty new GPO features.

IMPORTANT: Note that applying the ADM templates to your DC does not modify the group policy data in existence - it just opens up the new policy fields. However, you should carefully test the new settings, probably in a test OU with the proper ADM templates applied. In reality, you should not test these on a production domain until you are familiar and comfortable from testing on a lab or test domain system. Also remember that as long as SP2 is in beta, nothing is guaranteed, so it's all at your own risk.

There's a pretty sudden and major uptick on our mail servers - and apparently on the mail servers of others - of instances of the Zafi worm/virus attepting to propagate itself. It's particularly pervasive, and while the payload does not appear destructive, it could quickly become a cleanup nightmare, including the possibility of disabling AV software and running in its place. If ever there was a justification for a really good email antivirus product, this is one.

From Panda Software's virus encyclopedia:

Brief Description

Zafi.B is a worm that looks for directories in which antivirus programs are installed. If successful, Zafi.B overwrites the executable files with copies of itself. By doing so, the user will be unprotected against the attack of other malware. So whenever users run the antivirus, they will be running the Zafi.B without noticing. In addition, Zafi.B searches for certain processes, such as the Windows Registry Editor, the Task Manager, etc. If successful, Zafi.B ends them. Zafi.B spreads via e-mail in a message with variable characterics that can be written in different languages, and through peer to peer file sharing programs (P2P).

Visible Symptoms

Zafi.B is easy to recognize once it has affected the computer, as it attempts to open any of the web sites stored in the following path of the Windows Registry every time it is executed: HKEY_CURRENT_USER\ Software\ Microsoft\ Internet Explorer\ TypedURLs

See:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39333 

on CA's web site for info about the worm and how to remove.

Also see:

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=48433 

on Panda's web site for further info.

New security features will be introduced in Windows XP SP2 this summer that will affect Internet Explorer and ActiveX controls, file downloads, pop-up windows, and more. As a result, depending on the types of technology you've employed on your Web site, it's possible your site won't play well with the enhanced security of SP2.

So, Microsoft has released a white paper that explains the potential problem areas and how to make sure your site will work well with the updated software. You can get the info here.

NOTE: Since SP2 is available as a pre-release download for beta testers and in a preview version, now is a good time for companies with large, important Web sites to do some controlled testing and make sure they've got any kinks worked out. People in business with IT departments should definitely check in with your IT department before you download the service pack, because it introduces a number of changes that a) may break certain functionality on your computer in the beta version, and b) are not quite ready for prime time, but are ready to be tested in a controlled environment. Your IT people will almost certainly want to put some controls around the installation of the test software, such as installing it in a lab environment or similar.

Here are a couple of links to information about Windows XP SP2 and its impact on other programs and servers:

• How to Make Your Web Site Work with Windows XP Service Pack 2
• Windows XP SP2 Information for IT Professionals on Microsoft TechNet
• FAQ: How Windows XP Service Pack 2 (SP2) Affects SQL Server and MSDE
• The New Wireless Network Setup Wizard in Windows XP Service Pack 2
• New Networking Features in Microsoft® Windows® XP Service Pack 2
• Changes to Functionality in Microsoft Windows XP Service Pack 2
• Windows XP Service Pack 2: Security Information for Developers

Now's the time to get ready, and for all those web-development businesses out there (the few that have survived) to prepare their big fast-push marketing campaign and make some extra cash this fall fixing sites for people who don't know what they have, and can't for the life of them figure out why end users are complaining about their suddenly-broken Web sites.

TechNet's security team has just announced the first version of an RSS feed for its security bulletins.

Finally! There's lots of RSS feeds out there, many of them useful, but this one just got added to my high-priority list. The format is perfect - a headline with the MS-code, description, and update number folowed by a complete description of the update. Anyone responsible - even remotely - for security patching needs this to subscribe.

Checking in on the industry between calls, found this news item from yesterday, related to Microsoft's security “tour” program they running right now:

Discussing how some have tried to position security efforts as potentially beneficial to the bottom line, Microsoft chief security officer Scott Charney admitted he was cynical. "Security is a cost center. If there were no attacks, no one would bother," he told a few hundred IT professionals at the event.

So true. Sure, beefing up security is important, required, beneficial and prudent in this day and age. But the fact of the manner is if there was no pain, we would not be spending big bucks in this area.

It's also worth noting that - in reality - a relatively small amount of preventative planning in this area today can save huge numbers of reactive dollars tomorrow and after. Security budgets are important. They may look expensive to some, but when you consider the potential costs on not preventing problems, the downside could be very costly, indeed.

Since I am plugging security-related stuff today:

“Join Mike Nash, Microsoft's senior executive in charge of security, for his monthly security update. This month, learn more about Authentication, Authorization and Access Management. Mike's guests will talk about the Microsoft Identity and Access Management Series and Public Key Infrastructure and how each can be used in corporate environments to enhance security and reduce costs. In addition, Mike will report on the latest details of what Microsoft is doing across the company to improve security through guidance, tools, training and technology.”

Signup: Register Online
Date: Tuesday, May 18, 2004
Time: 8:30AM-9:30AM Pacific Time (GMT-8, US & Canada)

Microsoft's new TechNet Radio audio show is an informative way to learn about IT. Their first bradcast is called “IT Security at Microsoft,” and it covers a lot of ground. Worth the listen!

• Windows Media Stream version
• Download the .wma and listen on your audio device
• Show transcript

Learning about how other companies deal with network and information security, especially big ones like Microsoft, is a valuable exercise in developing your own IT security strategy. Microsoft has over 300,000 network devices, and more than 50,000 employees. They are pretty free-form in terms of allowing their employees to install software as needed, run beta and “dogfood” software in production, and have some interesting ways of dealing with the environment. Microsoft's similar to where I work in terms of culture and whatnot. I've had the opportunity to visit Redmend and to talk with people there on a regualr basis, but even so this broadcast was useful and made me think.

Finally, someone has the right answer to how to clean a compromised system. So, you didn’t patch the system and it got hacked. What to do?

Click here to find out.

Is it the one correct answer - If you have already been compromised? Three cheers for Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I, Security Program Manager at Microsoft for pointing this out. Maybe.

However, it should be noted (as was done to me by a security professional whom I respect greatly) that there are many options other than and in addition to patching available to prevent system compromise. Here's what my colleague said in email:

“I can't believe they actually published that!  While instilling fear and hopelessness it has no redeeming value and makes MS look bad (by implying a 'justification' for the pain of the patch process).  There are other alternatives to cleaning systems and validating what has been altered besides reformatting.  Things like Tripwire, regular audits, etc. etc. etc.  The real decision is what is it worth to not have to reformat?  Also you don't need any of the MS patches to prevent a system from being compromised.”

All valid points. I agree on one level or another with everyone here: Prevention and planning are worth a ton of cure. But when you have been compromised at the system level (i.e. did not plan and prevent), you're assuming a fairly large risk if you continue to use the compromised system.

UPDATED: Apparently, somone one mis-spoke, and Microsoft has corrected earlier reports - see eWeek's coverage of the change in the story.

Sorry guys, all you software thieves out there will not be able to install SP2 after all (unless this all changes again). From a business and antipiracy perspective, I agree with not allowing it to install. From a security perspective, I was looking forward to seeing what impact (if any) the loosening of the reins might have.

But I don't hink Microsoft has a responsibility to provide anything to people who steal software.

It's a change of direction for Microsoft, but apparently they will allow SP2 for Windows XP to be installed on pirated copies of the OS when the service pack is released later this year. This was not the case with SP1, which has protections in it that keep people with pirated copies of Windows XP from installing it successfully.

"It was a tough choice, but we finally decided that even if someone has pirated copy of Windows, it is more important to keep him safe than it is to be concerned about the revenue issue," he added. He admitted, however, that it is more than altruism that helped Microsoft come to this decision. "Having these unsecured users means bigger worm and virus outbreaks - which also impacts the Internet and consequently, our legitimate users as well."

 - Microsoft group product manager Barry Goffe

Considering the potential positive impact of SP2 on the computing world, this is probably a good idea. After all, keeping users from spreading viruses and becoming launching platforms for hackers is an important part of securing the Internet and - in a broad sense - the Windows OS.

German police arrested the 18-year-old author of the Sasser virus. Apparently he also confessed to authoring other viruses, including NetSky.

Which is good. But not amazing. For the most part, the bad guys eventually get caught.

What amazes me is the fact that so many companies and government agencies were actually shut down by the Sasser worm. A friend of mine who works for a government agency called me tonight to tell me that last week the city, county and related agencies where he works were shut down by the worm.

My response: “WHAT?!?!?!!?!?” The departments that were shut down in my friend's account of the situation included public safety departments and a fire/police dispatch center among others... No small potatoes when you consider how critical it is that things just need to work. Maybe someone needs to lose his or her job.

Good vs. Bad, or “Dude, that's pretty extreme.”

I'm serious - this one was so easy to avoid, there's simply no excuse for having a problem. I can think of one only reason any company or agency would be affected, and come to think of it, it's a problem rampant the world over.

Sadly, some IT professionals aren't - well - they're just not very professional.

So, here's an important message for companies and agencies employing lazy IT staff: If they don't prevent the outbreaks, they're not doing their jobs. The mark of a good IT crew is not that they respond to a virus outbreak and make everyone feel good that they're able to disinfect computers and (hopefully) go to tape backups to restore ruined data. The good IT crew is not the one that tells you it will take two to three days to recover, and then “delivers” in one day.

So what, then, makes for a good IT crew? And how do you know if you have one? It's very simple: While everyone else is freaking out about viruses and other threats, your company is still operating and you're not really too concerned, because your company just doesn't ever have many network security issues. Besides, if there was going to be a problem, you would have heard about it from the IT crew by now. In other words, things just work, problems are prevented, work doesn't stop, and you don't have to worry. That's what a good IT crew does for you.

An Ounce of Prevention Is Worth Big $$$

Believe it or not, I'm not supposed to be an exterminator. My job is to make sure the virus outbreak never happens in the first place, and the people who work in my department share in that responsibility. Ultimately, I am the one responsible (and held accountable) for network and data integrity when it comes to viruses and intrusions, but we all take a significant amount of pride in making sure problems never get a chance to occur.

What many may not realize is that it's actually pretty easy to do. In fact, it's a lot less work to prevent the problems than it is to react to them after they occur. Keeping a problem from happening is akin to preventing a cancer from ever growing; You can be so much more confident, and if the ability to prevent is there, it's simply negligent to assume the reactive posture. The removal of a cancer is painful, time consuming and expensive. Worse yet, you almost always have to wonder if you got it all, if it will ever resurface, and what the result will be when it does.

To be perfectly clear about where I'm going with this: I believe that organizations need to adopt a zero-tolerance policy toward avoidable downtime. Virus outbreaks should be very few, very far between, and extremely isolated in scope. If a virus infects an entire network, something is not being done correctly. If data is lost and can't be recovered, there's simply no excuse.

Kick Me If You Like, But I Know I'm Right

Some who work in the IT field will read this and be upset with me. Am I really telling people like my boss to fire their employees if they can't prevent the problems from happening?

Yes, in a matter of speaking I am. After all, if I can't (or rather “won't,” since pretty much anyone can) protect the company from internal and external threats, I am not doing my job and my boss needs to find someone who can (and will). While there are occasional threats that cannot be prevented, he knows that those are so rare that he'll know when the exception to the rule occurs.

IT professionals around the world, regardless of the organization's size or business, should hold themselves to this standard. If you're an employer, you're responsible for maintaining or hiring people who meet the standard.

We no longer live in a world where the guy your neighbor knows who “works in computers” is sufficient for a professional IT job. Even the interns I hire require a special skill and work ethic that's hard to find. High standards make for quality work and results, and I think that's the way it should be. To expect less in this day and age is to neglect the needs of the real world of IT.

It's Bigger Than Just Your Organization

By the way - when the people responsible to do the prevention at your organizations fail in their duties, who do you think those failures impact? It's not just your employees and customers. The nature of the Internet is that your failure will almost certainly impact many organizations outside of you own. That's what virus writers count on, that the poorly-designed and -managed networks of the world won't be proactively managed, and that employers who don't know the difference won't do anything about it.

If you're the employer and you can't for the life of you determine whether your IT employees know how to do their jobs, here's your best clue: They probably don't. It's one of those things where you know if they're doing their jobs. How? It's a dangerous world we work in; If they are not educating you and keeping you aware, they're not doing their jobs.

For the Record - Bad Employers Are Part of the Problem

Before I finish, I should say that I realize the world is not black-and-white, that there are many aspects of operational IT work that can put a very good and responsible IT professional in a position where he or she is doomed to fail. There are times when, despite the best efforts of the individual, the budget or company priorities actually prevent you from doing good security. I only see two options for you there: One is to make them aware, change the outlook and attitude, and failing that the second option is to find a place to work that will leverage your skills and and fits your priorities.

Line In The Sand

So, here's the challenge: I think that anyone responsible for day-to-day IT security who walks away from these words upset that I'd adopt this position probably needs to take a look at why they're upset. Seems to me if one does one's job, there's nothing there to be upset about.

Anyhow, that's what I think. It's a little more black and white in writing than in real-world practice, but I've read and re-read my words, and I'm good with them. This started out to be a short post about the 18-year-old kid who wrote a computer worm. It ended up becoming a bit of a rant about what really matters to my employer. Catching this kid doesn't mean less viruses and worms - We still have a job to do, and it's just getting more and more complicated as time goes on.

And since all good blog entries should include a question, tell me: What do you think? Click the comments link and talk back if you're so inclined. I could be wrong, you know.

Interesting interview over at news.com with John Levine, co-chair of the Internet Research Task Force's Anti-Spam Research Group.

“I tell people that dealing with spam is like curing cancer. For example, cancer isn't one disease; it's 100 diseases, and you will need to come up with a 100 cures for it. Another way spam is like cancer is that when you try to cure cancer, you need to come up with something that will kill the cancer without killing the patient. If you kill the patient, it is easy to get rid of the cancer.”

Not sure I agree with all his positions, particularly with the stated need for new laws (although I agree the ones on the books now are ineffective). He may be right, but technology changes are what's really needed in the absence of laws that will actually work. Besides, I'm not exactly a big fan of lots of laws.

Good read though. And if you're a security-watcher, The Get Up To Speed on Enterprise Security feature at news.com (RSS feed here) is a good place to watch.