Directory —
Technology —
Blog Details for "Roger's Security Blog"
Roger's Security BlogRoger's Security BlogI am Microsoft' Chief Security Advisor for Europe, Middle East and Africa and this blog is mainly about information security. Articles
Security Risks of VoIP
2008-04-03 08:42:00 Internet Telephony Has Security Problems: This was an interesting read this morning for different reasons: First of all, it is not surprising (even if we would not have known the problems it would have to be expected). I liked the statement: The goal is to raise awareness about flaws in these systems ? and create a market for VoIPshield's product? - This is the scary part: It is not about the security of the environment or the ecosystem but about sales. But then: Dalmazzi says he tried unsuccessfully to get the attention of the VoIP makers, including shoving a business card with a note describing the vulnerabilities he'd discovered into one executive's hand at a conference. One company told us that it wants to learn more about the vulnerabilities but has had difficulty working with VoIPshield. In other words, it isn't a clean process. It seems that there are still too many companies not being able to handle this kind of information (if it is really true). I guess today, if a Mic... More About: Technology , Voip
How to do security in Development
2008-04-02 16:09:00 Michael Howard just pointed us to a resource that could be interesting for you as well ? it was new to me at least J We have a set of short videos (3-10 min.) on how to address some security challenges in development: "How Do I?" Videos for Security And this time you can even download them in the format you want J J Roger More About: Technology , Development
All the Vista SP1 Features where you have time to read them :-)
2008-04-02 10:18:00 I just found this blog post: In Japan there is toilet paper with all the Vista SP1 features on it?. At least, there you have time to read Windows Vista SP1 Toilet Paper - It's really available now Roger More About: Time , Features , Read
Microsoft Diagnostics and Recovery Toolset
2008-04-02 07:37:00 Well, we call it simply DaRT. You know the feeling: A machine does not boot anymore, crashed, has a virus you cannot clean with the OS in a running state or any of the other nightmare scenarios in daily operations of computers. Since quite some time there are recovery toolsets out there but with our acquisition of the sysinternal tools, the value of ours grew significantly. I just tested the latest version for Vista and believe me ? it rocks (as far as a tool can rock that tries to recover me from a crash?). If you need information on this, there you go: Microsoft Diagnostics and Recovery Toolset Let me give you a very brief insight: Basically DaRT is based on the Vista Recovery Toolset. So, when you boot, you get a pretty familiar screen: The only different is, that you see the link at the bottom to the Microsoft Diagnostic and Recovery Toolset ? where all the magic happens J. If you decide to choose them, you get a broad selection of tools: ERD Registry Editor: A registry ed...
The Death of the DMZ = The Death of the Castle
2008-04-01 13:10:00 Since quite some time we are talking about the "Death of the DMZ". This seems a little bit provocative but I am convinced that it is coming very closer to the truth. Do not get me wrong: I do not think that you should replace your firewall with routers and leave your network open to the Internet. But today's trends definitely show the need for new models and for saying goodbye to the "I defend the perimeter and I am secure"-methodology. My notebook which is travelling with me around the globe and is connected much more often to a non-trusted network than to a trusted one has to be part of the perimeter of Microsoft-IT's network Today's businesses have completely new ways of doing partnerships. Some customers even tell me that it might be that their business switches partnerships within hours. How do you handle this, if you infrastructure is not able to deal with a high level of flexibility. You business wants to do business with people on the Internet. I have seen network designs... More About: Security , Castle , Processes
Still undecided about Vista?
2008-03-31 13:44:00 To Vista or not to Vista ? a question quite some enterprises are asking these days. Mark Russinovich recently hosted a roundtable to discuss Vista deployments including its challenges with different people: Customers who have already deployed as well as Microsoft people responsible for the product. So, watch the roundtable at Spotlight Roger
Open Government Data Principles
2008-03-27 12:14:00 In December about 30 government advocates assembled to decide on - what they called - Open Government Data Principles. Even though the group was very US focused (if you look at the list of participants), the outcome is very interesting. I quote the main page of the working group: By embracing the eight principles, governments of the world can become more effective, transparent, and relevant to our lives.So, here are the principles Roger More About: Technology , Policy
Pricelist for Botnets
2008-03-27 08:11:00 It is not new and I blogged several times on it: If you own a botnet, you can make quite some money. As the Law Enforcement is going after the bot herder I would not suggest you to enter this business, nevertheless. I just read an article today with a pricelist for botnets. Read it yourself: Spyware authors offer dollars for downloads Roger More About: Botnets , Cybercrime
SPAM moving to SMS?
2008-03-26 08:43:00 Well, I do not hope and I do not expect it to. Why? Well, mobile text messages are not free ? mails are (at least kind of). Nevertheless, if the "vulnerability" is within the mobile provider, all of a sudden, SMS could become a real SPAM channel. Recently happened in China: China to Probe Online Text Message Spam Roger More About: Security , Moving , Cybercrime
Safari to crash XP
2008-03-25 22:01:00 Not only that it is "forced" on the clients ? it seems even to crash Windows XP machines: Safari 3.1 Crash es On Windows XP, Users Complain ? and now I stop complaining Roger More About: Technology
Sun and Apple Updates ? A Sheer Nuisance!! ? Part 2
2008-03-25 15:28:00 Quite some of you read my initial post on that ? and I like the comments I got. Now, it seems that I am not the only one being angry: I quote from What Microsoft can teach Apple about software updates For the record, I think Apple is dead wrong in the way it's gone about using its iPod monopoly to expand its share in another market. Ironically, an excellent model for how this update program should work already exists. It's called Windows Update, and it embodies all the principles that Apple should follow. And: Apple Software Update (btw John is the CO of Mozilla). It seems that John and me are in agreement: It's wrong because it undermines the trust that we're all trying to build with users. Because it means that an update isn't just an update, but is maybe something more. Because it ultimately undermines the safety of users on the web by eroding that relationship. It's a bad practice and should stop. [I'll make 2 points that I want to make very clear: (1) this is not a crit... More About: Security , Updates , Privacy , Part
Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Cod
2008-03-22 11:26:00 I usually do not blog on Advisories we release as I guess that you subscribed to the corresponding alerts. If not, you should do that now here. This one is a little bit different as I know that quite some people within Microsoft are working during Easter because of this vulnerability. Therefore I want to make sure that you have seen it. Please read the Advisory called Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution and make sure you do your proper risk assessment Roger More About: Security
Sun and Apple Updates ? A Sheer Nuisance!!
2008-03-19 22:26:00 As you all know: I rarely blog on competitors and ? even rarer ? blog about them negatively. But this time I definitely had to: As most of us I have QuickTime on my PC as well as a Java VM. I know that there are alternatives for this software and the same is true for RealPlayer, which is ? for me ? from Privacy perspective about where Windows Media Player has been about 6-7 years ago but this shall not be the theme here. Regularly I am prompted by Apple to install updates ? for software I do not even have. So, I am not only prompted regularly to install security updates for QuickTime (and there are a lot) but they want to force iTunes down on my machine since quite some time. Regularly I tell this updater not to prompt me anymore for this update but this seems to be valid for the current version of the product only. Today it got even worse: I was prompted again by this so-called updater to install updates and was asked to install Safari! It was not just a proposal, it was already pr... More About: Security , Updates , Policy , Sheer
New Technology ending Hardware Piracy?
2008-03-16 13:53:00 I just read an interesting article on a new hardware technology that ? the patent owner hope ? would end piracy on Integrated Circuits. Obviously, piracy s not only a software problem?? New Tech Fights Chip Piracy With Virtual Lock and Key Roger P.S: Pretty bad is the typo in the first paragraph: A new technology unveiled Wednesday aims to prevent hardware privacy by protecting microchips with the virtual equivalent of an embedded "lock" that can be opened only by the patent owner. Are they use they mean Privacy and not Piracy J???? More About: Hardware , Security , Technology , Ending
Technology to Circumvent Censorship
2008-03-15 10:52:00 Well, I was thinking hard whether I shall blog on that or not. But then a friend of mine brought up a valid point: I am always claiming that a lot of issues on the Internet are missing a public debate yet, what is more important - and this might well be one of those. I do not want to take a position here and I am clear, looking at the map of my visitors, that the debate would be pretty one-sided: However, it is an interesting project: http://psiphon.civisec.org/ and if you want to know the details: http://psiphon.civisec.org/samples/psipho n_guide.pdf To quote from their website: psiphon is a human rights software project developed by the Citizen Lab at the Munk Centre for International Studies that allows citizens in uncensored countries to provide unfettered access to the Net through their home computers to friends and family members who live behind firewalls of states that censor. Living in a European country it is normal for me to have the freedom of speech and it is intere... More About: Security , Technology , Censorship , Policy
A New Model to Taylor your Testing
2008-03-15 10:01:00 I guess you know the problem: You ran a development project and have to test the code (if the testing phase did not already have to be cut significantly as you ran out of time ? too often seen with projects at customer sites?). A German research now has found a way to analyze your code and determine, where you should spend more or less time to test. Pretty interesting piece of research Model predicts chance of software flaws Roger More About: Security , Testing , Taylor , Processes
New Privacy-Technology enables new (private) Business Models
2008-03-14 13:49:00 We announced it recently: Be acquired the U-Prove technology by a company called Credentica and quite some key members of Credentica have joined us. When we announced it, my excitement was ? well ? limited. It was another company we bought. But when I started to look into it, I started to understand the potential of the technology. Think about the following scenario: You want to offer a chartroom for teenagers. Typical problem of this scenario is, how do you make sure that the teen can come in and the perverts stay out and leave the teens alone? What you usually do is, collecting all kinds' o information (name, address etc) in trying to find a way proving the age. With that, you just created a privacy problem and probably not, what I would like to see as a parent. So, U-Prove now allows you to verify an attribute of the identity (in this case the age) without revealing the whole identity. If you think it through, this gives you all new ways of creating tailored services without ha... More About: Business , Technology , Models , Privacy , Private
Analysis of Cyber-Terror
2008-03-13 11:21:00 The US Military just released a pretty interesting in-depth article on Cyber -Terror ism and the different aspects of it. Even though it has a little bit more than 40 pages, it is worth reading: Cyber Operations and Cyber Terrorism Roger More About: Analysis
Steve Ballmer on next revolution in computing
2008-03-06 07:39:00 Over the next time (actually starting at RSA) you will hear more from us how we see the future of security. You should watch out for Craig Mundie's keynote there. But last Monday Steve Ballmer had a speech at the CeBIT in Germany on the next revolution in computing. You will find a summary of this talk here. Roger More About: Trends , Revolution , Steve Ballmer , Computing
Internet Explorer 8 Beta 1 is available
2008-03-05 20:22:00 We just made Internet Explorer 8 Beta 1 available. This is especially important if you are developing web applications in order to test them. Os, here are the important links: IE 8 Beta 1 Readiness Toolkit Channel 9 discussion on IE8 features Channel 10 first look at IE8 Have funRoger More About: Internet Explorer , Trends
External Collaboration Toolkit for Sharepoint
2008-03-03 23:09:00 Often exchanging information and collaborating with external people is a big challenge. Therefore we just published a Solution Accelerator called External Collaboration Toolkit for SharePoint Roger More About: Sharepoint
How to handle a security crisis
2008-03-03 16:59:00 Do you know that problem: You are at the beginning of a security crisis and should be able to give an official statement but PR (or whoever is responsible to draft this statement) is not ready yet ? but you really, really, urgently need something? Well, there is a solution to that: http://www.crypto.com/bingo/pr Thanks to Martin for sending this to me Roger More About: Security , Fun , Crisis , Handle
Infoworld on Windows Server 2008 Security and Privacy
2008-03-01 05:27:00 We launched Windows Server 2008 (as you hopefully know J). Infoweb published an article on Windows Server 2008 Security and Privacy : http://www.infoworld.com/article/08/02/27 /Microsoft-touts-Longhorn-security_1.html Roger
DHS Security Level on your Webpage
2008-03-01 05:24:00 A blog reader sent me a mail informing me that he wrote a small application that links the DHS security level to your webpage. I added it to my news section and it looks pretty interesting. If you want to do that as well, here is the link: http://www.milestactical.com/hlsa.html Thanks to Justin Hofer, making this available to me Roger More About: Security , Terrorism , Webpage
Windows Server 2008 Security Guide released
2008-02-29 17:02:00 You all showed great interest in the Windows Server 2008 Security Guide Beta. Now the "real" version is here. Get it on Technet Roger More About: Released
Securing My Infrastructure: Firewall
2008-02-28 16:33:00 Well, this is a follow-up of my last posts about how I secure my environment. If you want to read the earlier posts of the series, see at the end of this post. So, we did the Risk Assessment, now, let's look a little bit closer into my perimeter. Technically I have a "normal" ADSL connection with a static IP-address. However, I decided to use the provided modem only as a bridge and do the dial-up from my firewall, which is ? surprise, surprise ? an ISA Server2006. This enables me to avoid a NAT-NAT type of configuration and allows me as well to see what is going on on the outside adapter. Looking at the classical design of a perimeter network, we travel through the world since quite some time and talk about the diminishing importance of the perimeter network or how Steve Riley puts it: "The death of the DMZ" ? a concept I implemented in my network. There are quite some services I am providing on my network to the Internet: I am running a Web Server, a Mail Server (which offers P... More About: Security , Firewall , Infrastructure
Spammers are using Out-Of-Office Messages to Spam
2008-02-27 22:50:00 It once more shows that the criminals are extremely creative in abusing features to do their business: See this article on Techworld Roger More About: Security , Office , Spam , Messages , Spammers
Hackers crack Bitlocker ? really?
2008-02-25 10:12:00 Sorry for being so late on that but I was enjoying the gorgeous weather in Switzerland and was skiing the last few days. There were claims end of last week that researchers "cracked" Bitlocker. One of the corresponding articles you can find in eWeek. What did they actually do? Well, they attacked the key that resides in memory. So, they are attacking a running machine. Let's start with looking into the risks. What do you want to achieve with Bitlocker? You want to make sure that if you lose your notebook, nobody is able to access the data on the disk. So, if the system is shut down, the claimed attack does not work anymore. Now, it comes to the states in between. If a machine is in the sleep state, we consider it running, so yes, it is vulnerable to this attack. We can now argue whether it is a good idea that the standard behavior of a Windows Vista machine is going to sleep if you close the lid. As Bitlocker is not enabled by default, I think we can argue around this but it is not... More About: Hackers , Crack , Processes
Converter from Office Binary files to OpenXML
More articles from this author:2008-02-17 15:59:00 We are supporting a project on Source Forge to write an Open Source translator for Office Binary files (doc, xls, ppt) to the OpenXML specification. See the initialization here. Roger More About: Converter , Files 1, 2, 3, 4, 5, 6 |
|
