
Roger's Security Blog

I am Microsoft's Chief Security Advisor for Europe, Middle East and Africa and this blog is mainly about information security.

Articles

Office Binary Document Formats: Specification
2008-02-17 15:57:00
Last Friday we announced the availability of the Office Binary Format Specification (doc, xls, ppt) under the Open Specification Promise (OSP). From my point of view this is an additional step in our promise to support interoperability. Roger
More About: Document
TV-Interview during IDC Security event in Belgrade
2008-02-14 20:44:00
As you have seen in my post The Fun of Travel, I was in Belgrade this week. It was the opening event for a tour by IDC in Central and Eastern Europe. IDC has a series of security events across Eastern Europe and I had the honor of giving a keynote there. Usually, when I visit these kinds of events, we try to add some press engagements and customer meetings as well. This time it was all about press and I had 5 interviews, two with TV. I just got the raw cut of one of the interviews, which will be on Fox in Serbia this Sunday (and yes, I got the approval to link to it here and put it on Soapbox). Unfortunately they cut the questions. So, they were (approximately): What is Microsoft's security vision? What were Microsoft's biggest achievements in security in the last few years? Why did Microsoft enter the security products business? Will Microsoft continue to work with other security vendors collaboratively? What is the impact on the security vendors, now with Vista having more ...
More About: Security, Events, Event, Training
The "fun" of travel
2008-02-12 20:19:00
Well, there are people who keep telling me that travelling is fun. Let me tell you a story (true, it just happened to me today), kind of business as usual. I am scheduled to speak at an IDC Event tomorrow in Belgrade (if you happen to be there, just come and say hello). So I was scheduled to fly from Zurich to Vienna tonight and then on a connection to Belgrade, being in the bar by 21:40 and having the preparation beer. As always, if you have enough time, flights are on time; if you have to connect, they are delayed. So, they announced an insignificant delay of 10 minutes when we boarded, which grew to 30 minutes until we left (my connection time was 50 minutes and I was sitting in row 28...), which summed up to 45 minutes until we landed. I asked the cabin crew whether I could go to business class for landing in order to leave the plane much faster, which they denied. So I am stranded in a hotel in Vienna now :-(. Good news is that there is an early morning flight to Belgrade tomorrow. ...
More About: Fun, Travel
What is a "Kill-Bit"?
2008-02-09 12:59:00
We often refer to the kill-bit in our Security Bulletins as a workaround when it comes to ActiveX or COM objects. So, pretty often I get questions around the kill-bit. The Secure Windows Initiative (SWI) just started to publish a series of three posts about that: The Kill-Bit FAQ: Part 1 of 3. Roger
How critical are the Undersea Cables?
2008-02-08 11:05:00
OK, I think I need to take this up a little bit as well. Let's look into what happened over the last few days. I think up to now we ended up with five cables cut in the Middle East. So, there are a lot of theories about who was actually damaging those cables. The best one comes from WSJ :-) But there were a few pretty remarkable things: One is a statement I found in an article about these cables. It is from Stephan Beckert of TeleGeography: He said there are approximately 50 cable cuts a year, 65 percent of which are due to fishing trawlers dragging heavy nets and 18 percent of which are due to ships' anchors. "They don't even track terrorism," he said. "Cable cuts are a routine part of the business." So, it is even a question whether this could not have been really business as usual, with just the press and the bloggers taking it up. The second thing was that it does not seem to me that any of the Critical Infrastructure bodies I know of got really nervous. How far would a critical infras...
More About: Terrorism, Cables, Cybercrime
EISAS: European Information Sharing and Alert System, an ENISA Feasibility
2008-02-08 10:48:00
ENISA just recently published a pretty interesting study with the title EISAS: European Information Sharing and Alert System. I think that it is definitely worth looking into. Roger
More About: Policy, Cybercrime
Securing My Infrastructure: Risk Management
2008-02-05 14:04:00
This is a follow-up to my last post about how I secure my environment. If you want to read the start of the series, see the end of this post, but please do not expect me to keep this rhythm :-). Let me start with an introduction first: After my first post, I got quite some reactions, which was very good and promising. You raised quite some questions, mainly about monitoring and authentication. I will answer them and would like you to keep asking; that is the only way you get an answer, actually. However, I will start with a few different themes and then come to those. Mainly, I would like to start with Risk Management and how I secure my perimeter. From there on, we can talk about monitoring and how I do the authentication piece in my environment. So, before you actually start to talk about how to secure something, we need two things: What are your assets? What are the risks for these assets? If I look at my environment: My assets? Well, there are a few things I would like to...
More About: Risk Management, Infrastructure, Processes
Windows Vista SP1 and Windows Server 2008 RTMed!
2008-02-04 16:11:00
It's here now and ready to go: We just announced that we RTMed Windows Vista SP1 and Windows Server 2008 (two days earlier than expected). Read more here:
Press Pass: http://www.microsoft.com/Presspass/press/2008/feb08/02-04VistaSP1MA.mspx
Windows Vista Blog: http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx - it includes the schedule for how we will make it available on Windows Update
Windows Server Blog: http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx - it includes some guidance for the upgrade.
Congratulations to the product teams! Roger
More About: Windows Server 2008
Oracle's answer with regards to Security Patches
2008-02-04 15:42:00
You probably remember my post regarding Oracle DBAs rarely install Patches. It was about a study where Sentrigo claimed (after having asked 305 people) that more than 2/3 of Oracle DBAs do not install the patches provided by Oracle. Now Oracle recently published a blog post called To Patch or Not To Patch? with some interesting comments definitely worth looking at. There are mainly two things I think we should look at: One of their key statements is that every administrator has to find a balance between the risk of patching and the risk of not patching. This is definitely true. There is the well-known truth "never touch a running system". Well, how true is it really? Some time ago I had this discussion with representatives of the Pharma industry. A key regulation to fulfill there is about validated systems, mainly systems where every change has to be thoroughly tested and documented, as a failure could lead to significant problems with medications and finally even to loss of life. ...
More About: Security, Answer, Patches, Policy
Dependent on the Internet? Not me!
2008-02-01 08:33:00
I was reading this article this morning, Internet failure hits two continents, and was thinking about my dependence on the Internet. Well, ouch: I am used to getting the information I need everywhere! Always! Now! And I am used to the Internet just being there. Always! It might be a little slower one day, but the information is available. If such an outage were to last longer... I do not want to imagine the consequences for businesses. Roger
More About: Technology, The Internet
Microsoft Windows CardSpace and the Identity Metasystem
2008-01-31 13:44:00
A friend of mine (Ole Tom Seierstad, the Norwegian CSA) just published a very interesting article on Microsoft Windows CardSpace and the Identity Metasystem. So, have a look. Happy reading! Roger
More About: Security, Microsoft Windows
Securing My Infrastructure: Introduction (part 2)
2008-01-29 13:59:00
Looking at Jack's comment on my initial post this morning (Securing My Infrastructure: Introduction), it seems that I have to give you some additional information. So let me start with the goal of this network: Basically I started to build it on one server to play around with our technology. Soon I had to realize that unless I am running it in a "production-like" style, I will not learn the daily problems and challenges of a certain setup. It is one thing to make an environment work and another to keep it running. Since then I have connected my home PCs to the lab and run it 24x7, and learned a lot! The second point is about the physical setup of the servers: I am actually running three physical servers at the moment, running Windows Server 2003 R2: My oldest server is the oldest PC I have in the house, with a 1.8 GHz CPU and 512 MB of RAM. It is running Windows Server 2008 R2 fully patched and is my ISA Server. The initial server mentioned above. It really rocked when I boug...
More About: Security, Part
LiveMessenger Trojan in the Wild
2008-01-29 09:11:00
At the moment we are tracking a Trojan that is spreading through Messenger and AIM. It is called Win32/Pushbot.BD and you can find additional information on our Malware Protection Center. This just gives me the opportunity to remind you that you definitely should make sure that files downloaded via IM are scanned by your AV engine. How to do that? Well, it is described here. Roger
More About: Wild
Securing My Infrastructure: Introduction
2008-01-29 09:05:00
As you probably know, some time ago I asked for feedback and themes you are interested in. Some of you replied to me privately, some with comments, and I would like to thank you for the constructive feedback. One of the inputs I got several times is that you would like to get more information on how to secure and run an infrastructure, the usual ask for "best practices". Well, there are a lot of best practices out there, be it from us on the Microsoft website or from third parties. However, they seem not to fit your need directly. So, what can I do? Give you some additional best practice? Well, this will most probably not fulfill your need either. And what is the reason for that? Well, you are unique! Your situation is unique, your assets are unique and your risk appetite is unique. I tried to think of what could be valuable for you and am thinking that I could tell you how I secure my environment at home in my lab. You will wonder what this has in common with the environm...
More About: Technology, Infrastructure, Introduction
Usually our customer support is not THAT bad (taking 10 years to call back)
2008-01-25 08:59:00
Microsoft Customer Service Calls Back 10 Years Later. Roger
More About: Fun, Support
"Creative Capitalism" by Bill Gates
2008-01-25 08:53:00
In the Wall Street Journal there is a preview of Bill's speech today at the World Economic Forum (they are actually flying over my house going to Davos, I hear them all the time :-)). It is pretty interesting reading on new ways capitalism could work not only for the rich but also for the poor. What I like, more and more, is the idea not only of charity but of making money AND helping the poor. Impossible? I do not think so. When I was in South Africa recently I visited a customer of ours, a bank, and their business model is exactly that: They are handling the transactions (pretty small ones) for people who do not have a lot of money. Actually they have branch offices in the middle of the slums. They use high-tech solutions to keep their cost to a minimum, but with that, these people all of a sudden can save money to buy things later on or can get micro-loans to invest in their businesses. And the cool thing: They are actually really profitable. It works, at least for them. Read the...
More About: Creative, Bill Gates, Trends, Policy, Capitalism
Was the plane crash caused by hackers?
2008-01-24 08:47:00
If Al Qaida really has these capabilities, I am starting to get scared when I have to fly (which happens to me pretty often): There are reports that the plane crash last week could have been caused by hackers attacking the plane before take-off in Beijing... Al-Qaida ties to British crash probed. Roger
More About: Terrorism, Plane, Hackers, Crash, Processes
CERT's Secure Coding Standards
2008-01-24 08:44:00
Something that might be worth looking at: Carnegie Mellon's CERT just published two Secure Coding Standards: one for C++ and one for C. I have had no chance to look into this and understand how this compares to our Writing Secure Code, but it is definitely worth mentioning. Roger
More About: Security, Processes
Jeff's Vista One-Year Vulnerability Report
2008-01-24 08:33:00
Jeff released another report: He is looking back at one year of Windows Vista. We had the discussion about the value of vulnerability comparison and I do not want to open another discussion thread about that. But as long as we hear that our products are less secure than others because we have sooo many vulnerabilities, these reports are important for us internally (we know where we stand) and externally to communicate our findings, and they are pretty interesting. Have a look at the report at Download: Windows Vista One Year Vulnerability Report. Last but not least it was interesting to see that readers of my blog are looking into these things as well: Vista logged fewer vulnerabilities in its first year than XP, Red Hat, Ubuntu, and Apple Mac OS X did in their first years. Roger
More About: Jeff
What can you do if you are a victim of e-crime?
2008-01-21 18:33:00
I think that there is a very good example of how a platform could be offered for victims of cyber crime. There are often questions around: What are my rights? What can I do if something bad happens? Who is here to help? www.e-victims.org offers answers to a lot of questions like those and offers help. Ed Gibson, my CSA mate in the UK, is actually on the Advisory Council. Roger
More About: Crime, Policy, Cybercrime, Processes, Victim
What is more important: Security or Privacy?
2008-01-17 08:40:00
This is basically a very interesting and pretty fundamental question for society. After 9/11 the US changed the way they work significantly. Just as an example: Airlines had to give the US government information about passengers flying to the US, which actually violates the privacy laws in Europe. So, the decision had to be made: Either you violate the laws or you do not fly to the US anymore. What do you do now? Well, the Data Protection Officers actually had to give in. So, if you look at it from a broader perspective: It is pretty natural that National Intelligence as well as Law Enforcement are looking for as much information as possible to fight crime. And I guess that successful Law Enforcement and Intelligence Services are something we all would like to have; we want them to protect us. But what are we willing to pay? How far are we letting them invade our privacy? This is the key question and something there is no one answer for. If you look at this article US spy chief pu...
More About: Security, Terrorism, Privacy, Policy
2-year old terrorist
2008-01-16 08:43:00
Well, this is not new: Government agencies with insecure websites. Actually I did not want to blog on this (you find the article about an insecure TSA website here), but then I drilled into the comments and there is one that actually shocked me (well, no, this is wrong, it did not even surprise me, but it shows the success of the US fight against terror): My two-year-old is on the list (this is the no-fly list we are talking of here). After I found that out on a family trip, I lost the last ounce of faith I had in the system. The ticketing agent said he will always be on the list and will always be flagged for secondary screening for the rest of his life. I just laughed since I am pretty sure this security won't last too long. It is amazing: DHS is able to tell that you are becoming a terrorist even at the age of 2! Roger
More About: Security, Terrorism, Terrorist, Year
Investigating new public reports of Excel vulnerability
2008-01-16 08:13:00
I guess you have seen this but I just want to make sure: Vulnerability in Microsoft Excel Could Allow Remote Code Execution. I would like to quote two things: Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability. [...] This vulnerability cannot be exploited on Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac. Customers who are running Microsoft Office Excel 2003 Service Pack 2 and have deployed Microsoft Office Isolated Conversion Environment (MOICE) are n...
More About: Public
Oracle DBAs rarely install Patches
2008-01-15 08:43:00
Wow, this is scary: A company called Sentrigo just published a study about how DBAs patch Oracle databases. Even though you could challenge their findings (they asked only 305 people, and therefore it only shows half the truth), it is really scary (I quote): When asked: "Have you installed the latest Oracle CPU?" Just 31 people, or ten percent of the 305 respondents, reported that they applied the most recently issued Oracle CPU. When asked: "Have you ever installed an Oracle CPU?" 206 out of 305 OUG attendees surveyed, or 67.5 percent of the respondents, said they had never applied any Oracle CPU. Where does this come from? I am no Oracle specialist (I used to work on this DB decades ago), but this is worrying me from two perspectives: It is a significant risk to the industry and I am worrying whether this is the same with SQL Server (even though our figures show a different picture). Is this because people are afraid of the downtime because of the reboots? Are they afraid that their app...
More About: Security, Patches, Processes
Participate in the Windows Server 2008 Security Guide Beta program!
2008-01-12 12:41:00
We just started the Beta program for the Windows Server 2008 Security Guide. So, if you plan to roll out Windows Server 2008 soon, participate and have a look at it: Here is the Technet Executive overview. To join the Beta program, click here. Roger
Hacker sent to jail
2008-01-12 12:11:00
You remember my post on The Economy of Cyber-Crime? One of my claims was that you need to work with Law Enforcement in order to increase the cost for the criminals, and here we have one of the outcomes: Norcross hacker sent to prison. I quote: William Bryant, 38, was sentenced Thursday, Jan. 10 by U.S. District Judge Thomas W. Thrash on a charge of hacking - knowingly causing the transmission of information to a computer used in interstate commerce, and, as a result, intentionally and without authorization causing damage to that computer. [...] In addition to his prison term and home confinement, Bryant must spend two years in supervised release, perform 200 hours of community service and pay restitution of $15,470. I like that. Roger
More About: Hacker, Jail, Cybercrime
Even the FBI has to pay the bills
2008-01-12 11:58:00
No comment: FBI wiretaps dropped due to unpaid bills. Roger
More About: Fun, Bills
There it is: the security silver bullet
2008-01-12 11:43:00
I love that: There is finally software that is free of bugs and completely secure. Hmm, this kind of reminds me of the world-famous marketing campaign of a big software company which called itself "unbreakable". However, let's be fair: There is an article out there called 11 open-source projects certified as secure. I quote from there: "Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects." This is nonsense and we all know it, for several reasons: Static source code analysis will never ever be able to find all vulnerabilities. Additionally, the threat landscape changes. Even if we were able to say "the software is secure" (which we will never be), this will be different tomorrow. Criminals are probably among the cleverest people when it comes to finding new ways of attacking our systems. Ways we have never thought of when we planned the system....
More About: Security, Silver, Bullet, Processes, Silver Bullet
Video about the future: Bill Gates' last day at Microsoft
2008-01-07 20:39:00
Watch this: http://video.msn.com/video.aspx?mkt=en-us&vid=be9075bb-df0a-41c9-8d86-7ded46627e26 If you want to see the whole CES keynote: http://istream.edgeboss.net/wmedia-live/istream/30743/750_istream-ces2008_080102.asx Roger
More About: Video, Fun, Microsoft, Bill Gates, Future
How to Phish yourself :-)
2008-01-07 20:17:00
A guy in the UK wanted to prove that the loss of two CDs is not really serious and published his bank account details, and lost £500 to a charity :-) Clarkson stung after bank prank. Roger
More About: Fun, Phish