Roger's Security Blog
I am Microsoft's Chief Security Advisor for Europe, Middle East and Africa, and this blog is mainly about information security.
Articles
Hacking a Boeing 787
2008-01-06 22:46:00 It seems that the new Dreamliner has a serious security vulnerability: FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack Roger More About: Security
Extranet Collaboration Toolkit for SharePoint - Beta
2008-01-06 21:41:00 Working together across different organizations and companies is always a big challenge. How can you work within different workspaces and share documents etc.? Usually e-mail is the core infrastructure used to share information. We just released a beta version of a Solution Accelerator we call "Extranet Collaboration Toolkit for SharePoint". Just have a look and subscribe. Roger More About: Security , Beta , Sharepoint
You thought Worms are gone? Think again!
2008-01-05 21:52:00 I am one of the security guys saying that the likelihood of us seeing events like Blaster or Slammer again is very, very low (this shall not be a "call to action" for the criminals...). I think that the measures the whole industry took, as well as the increased awareness among consumers, made it very hard to write a highly automated, aggressive worm again. Well, I just read about a new threat: We have seen more and more cities starting to offer free WiFi for anybody nearby. The village I was in for my skiing vacation in Switzerland actually offered a free service as well, for 30 minutes. Then you had to sign in again. If you did not want to do that, you could pay. It seems, however, that the WiFi routers are open to wormable attacks as well: WiFi flu: viral router attack could hit whole cities Roger More About: Technology , Trends , Worms , Thought , Cybercrime
Analysis of recent vulnerabilities
2008-01-05 20:21:00 Michael Howard just wrote a post about recent vulnerabilities in third-party applications that he looked into. This is pretty interesting as it shows certain challenges of current processes (e.g. what do you do with third-party software you rely on?): Recent Symantec and IBM vulnerabilities, giblets, banned APIs and the SDL Roger More About: Security , Technology , Analysis , Vulnerabilities
IPSec Interop
2008-01-01 16:51:00 Based on my post about IPSec, Steve Lamb posted about IPSec Interoperability and has an interesting follow-up link: How to implement IPSec between LINUX and Windows Vista: Why use IPSec network security? Roger More About: Security , Technology
I could not resist...
2008-01-01 16:29:00 ... on the one hand to wish you all a Happy New Year - but on the other hand: This is the view I had this morning during breakfast - immediately before I got ready to get on the skis :-) Have a good time Roger More About: Fun
The PICNIC Problem
2007-12-28 12:22:00 I hope you know the PICNIC problem (Problem in Chair not in Computer)... it happened to me :-(. I get a significant amount of spam comments on my blog, which are filtered in the corresponding spam filter. From time to time I clean it up. Unfortunately I made a mistake and deleted about 5 or 6 comments and trackbacks before I realized that the corresponding filter was not set to "Spam" but to "Published", which means that I deleted legitimate comments. I have to apologize. I did not delete a comment because I disagreed (which I never do unless you are advertising or spamming me) or because of anything else. It was just a PICNIC Problem :-( Roger More About: Picnic
How the security magic happens at Microsoft
2007-12-28 12:11:00 This is cool: Microsoft Security Elves Roger More About: Fun , Magic
Common Criteria and answering the "real" questions
2007-12-28 12:08:00 It seems that I am not yet gone :-). Eric Bidstrup, a colleague of mine, wrote a great blog post about Common Criteria, where it does a pretty good job and where it fails. Basically he claims, and I could not agree more, that the customer "only" wants to know whether the operating system "is safe". I quote: In terms of software security, all of the following most people would think of as being "bad": Viruses, worms, malware, hackers, criminals, and espionage. These items listed have one thing in common: all of those bad things require a weakness (a "vulnerability") in the software used, and finding a way to exploit that vulnerability for a nefarious purpose. I slightly disagree, as we have seen a lot of attacks on perfectly patched systems that exploit not a software vulnerability but the user. However, as we will never be able to "Common Criteria Certify" the user, the definition definitely works for the Common Criteria discussion. He writes another pretty remarkable statement: ... More About: Security , Questions , Trends , Real
I am gone - now :-)
2007-12-28 10:55:00 Well, not really, but I will now leave for the mountains and go skiing for the next week. Therefore, have a good time and "talk" to you in 2008 Roger BTW: Happy new year as soon as it has started!!!
Insights into our Security Vulnerability Research
2007-12-28 10:52:00 Secure Windows just started a blog which could be of interest to you as well. They will give some more insights into our vulnerability research and the outcome thereof. Definitely something worth keeping an eye on, especially if you have a technical background. See for yourself: Security Vulnerability Research & Defense Roger More About: Microsoft , Insights
Insight into IPSec
2007-12-27 11:08:00 I hope you enjoyed Christmas as much as I did (now working on losing weight again :-)). Soon I will be in the mountains but before I leave, I found something pretty interesting to read: Tech Insight: Microsoft's IPSec Roger More About: Technology
Consumer Trust in e-Business
2007-12-21 16:38:00 In the light of the latest outreach we did around scams (Lottery Scam - The voice of the victim), research firm Ipsos was retained to conduct research with consumers in Germany, Italy, Denmark, the UK and the Netherlands. About 3'500 users were contacted and here are some of the highlights (well, lowlights...): 28% of people said they do not feel safe on the Internet. 67% said they either had not heard of, or had heard of but did not know about, phishing (58% identity theft, 67% Nigerian bank fraud). This compares to 'only' 36% who said they had not heard of, or had heard of but did not know about, lottery scams. 23% said they think they are likely to be a victim of an Internet scam that will cost them money. This was actually impressive: a quarter is telling us that they expect to be a Mr. Ericson (see the blog post referenced above). This compares to 26% saying that they thought there was a likelihood that their house could be burgled. 31% said they expected their identity to be used aga... More About: Security , Business , Trends , Consumer , Trust
Lottery Scam - The voice of the victim
2007-12-20 19:47:00 We all know that there are scammers telling you that you won the lottery. A lot of security people think that the victims are naïve and dumb. We just started to run a story on lottery scams and part of it was an interview with a victim. The victim, let's call him "Mr. Ericson" to protect his privacy, was a former bank manager and definitely is an intelligent and, up to a certain point, vigilant person. However, during the whole lottery scam he lost all his retirement savings and had to go back to work in order to survive. This is a very, very sad story and shows how ruthless these people are. The interesting thing was how they actually tricked him into losing about 61'000. I saw the raw interview and it really makes you think. So, a friend of mine summarized the way they tricked him (read through it, it is worth it!): 'Mr. Ericson' - Victim of Advance Fee Fraud On 23rd October 2006, Mr. Ericson received a personally addressed email telling him that he had won a prize of £... More About: Security , Voice , Trends , Lottery , Scam
You are hacked - by your toaster :-)
2007-12-15 11:19:00 I just read this, this morning: Man Uses Toaster to Hack Computer. Is this now funny or scary? Roger More About: Security , Fun , Technology , Hacked , Aster
HP confirms vulnerabilities on 82 Laptop models.
2007-12-15 11:17:00 Remember this post, OEMs: Join in to "Secure by Default"? I wrote it in June. Now, HP just confirmed a vulnerability in their software delivered on 82 laptop models across all the different Windows versions: HP Quick Launch Buttons Critical Security Update What about the Security Development Lifecycle for third-party applications? There is a reason why I always flatten OEM PCs and just install what I need... Roger More About: Models , Laptop , Trends , Vulnerabilities
"Keep Everything Clear of the Doors"
2007-12-14 08:29:00 Ed Gibson, the Chief Security Advisor in the UK, just wrote an interesting article I would like to share with you: You've seen it, read it, heard it so many times you've blocked it out... routine, mundane... but instinctively you take the necessary precautions. And the idiots who think they can beat the doors for gosh sakes... some make it, most don't... when will they learn. Even though, I suspect the next time you hear this spoken over the intercom in the Underground, or read the warning label on the inside of the carriage, you'll take just that extra second to really make sure everything is clear of the doors. "Why?", you ask. "Because you've just read this!" No different than the many times you've looked at your watch, and then someone else asks you what time it is; you can't remember, so you look again. Unremarkably, the same applies when it comes to being more safe online. This past year you bought a brand new state of the art, 2g of RAM, 600g hard drive that wil... More About: The Doors , Clear , Cybercrime , Doors
Have a look at Server and Domain Isolation
2007-12-13 21:25:00 I am often talking about different zones in the network and how you can create them. There is now a demo kit available for you to download and "play" with: Server and Domain Isolation Demo Roger More About: Security , Technology , Microsoft
Nigeria: I told you they are serious
2007-12-13 11:52:00 Remember my blog post where I told you not to forget countries like Nigeria (I was visiting Nigeria - watch out!)? They really seem to be serious. In the last few weeks we had some trouble getting hold of the head of the EFCC (I will tell you more in a week) and now we have at least some suspicion why: Nigerian ex-oil governor arrested Corruption is probably one of the biggest problems most of the developing countries have and therefore I congratulate any effort to fight corruption in these systems. BTW, we have a hard and clear policy that we do not bribe, never ever. If you lose a deal because you did not bribe, too bad. If you are bribing, you are fired. We do not support any illegal activities. Roger More About: Told
How to Build a Bomb
2007-12-12 10:05:00 Well, only partly. I commented several times already about WabiSabiLabi. I especially like their statement "closer to zero risk". At the moment there is an SAP vulnerability at stake. It is initially priced at €4'000. If you read their blog, Focus on: SAP MaxDB remote code execution, it seems to be clear that this vulnerability is a very high risk. So in order to get "closer to zero risk" they sell it to whomever is ready to spend enough money (e.g. organized crime). I still question their view of the world... Roger More About: Bomb , Build , A-Bomb
Once More: Only the Easiest Way is the Secure Way
2007-12-12 09:01:00 Well, my credo is well known in the meantime: We have to make it easy for users to work in a secure way. Otherwise the business (say: the users) will find ways around all our security solutions. A customer of ours recently said: "I would rather accept a slightly higher risk that I know than have users circumvent my security measures and thereby generate risks I do not know", and he is right in my opinion. Security is here to support IT to support the business. That is it! Too many IT people run IT as the core part of the business, but in 99% of the companies IT is here to help me do my job, and security is here to help IT (and the business). I read an article this morning called End Users Flout Enterprise Security Policies and there is an interesting quote in it: "What we're finding is that there is a third, growing group of users who knowingly violate security policy not to do something malicious, but because they are trying to get their jobs done. This sort of vi... More About: Secure
A Retrospect on my Trip to Kenya
2007-12-08 00:41:00 I asked for feedback from you and got quite some. Some privately and some publicly. Thank you to all who took the time to answer. One piece of feedback I heard more than once was that you are interested in my view on the region and the security there. So, what I will try to do is give you some insights into the trips I make to more "exotic" places (so I will most probably not cover my trips to Brussels and London next week). So, I just came back today from Nairobi, Kenya. Let me share my impressions and my program. We mainly did three things: visited a call center called KenCall; did some internal business stuff (which I will not be talking about :-)); visited some NGOs helping the people in the slums. So, there are two main areas to share with you. Let's start with KenCall: KenCall is a classical outsourcer for call center services. The interesting things were the regulatory hurdles they had to overcome. As an example: In order to use Voice over IP, they need a certification. However, the gover... More About: Trip
Update on our Piracy Strategy - Important Changes to WGA
2007-12-04 17:00:00 From time to time people ask me about piracy and security. Let's start with piracy first. If you look at the 2007 Global Piracy Study by BSA, the numbers are frightening. Looking at EMEA, it starts with Moldova at 94% pirated software and goes down to Denmark at 25% (which is still every fourth copy!) - the rest is somewhere in between! This is pretty significant and I think it is clear that we are fighting against people stealing our property. When it comes to the relation between security and piracy, I would love to have any figures. All the figures about malware we have are mainly from the Malicious Software Removal Tool (which is mainly delivered through Automatic Update), and somebody who is deliberately using a pirated copy would most probably not switch on AU (even though we do not look at the machines). This makes it pretty bad - probably - as the machines will not be patched. To make the point clear: We are delivering critical security updates even to people who have stolen our softwar... More About: Microsoft , Strategy , Cybercrime
Windows Vista is protecting the environment
2007-12-01 10:24:00 When we launched Windows Vista , one of the features which was pointed out to me was power management and how it will lower the costs in the enterprise environment. Well, I put my focus on the security technologies (obviously) and ignored the power management part - and I seem to be wrong. Read the following blog post and see that you should definitely look into this: How green is your PC? Roger More About: Technology , Environment , Windows Vista
YOUR FEEDBACK REQUESTED
2007-11-30 20:10:00 I have been in the position of the Chief Security Advisor in Europe, Middle East and Africa since February 1st. Since then I have been blogging here (before that I ran the Swiss Security Blog together with Urs). The hits per post rose over the first 6-7 months but have now started to slowly drop. However, looking at the ranking of all the Technet blogs, this one is slowly on the rise. Now, I think it is time to ask you: Are you "just" looking at the RSS Feed or do you actually read the posts? (I have the figures of direct browser hits, which does not yet mean that you really read it.) Are the themes I am covering the ones you are interested in or would you expect something different? If yes, what? Is it worth the time you invest to read the posts? Are there not enough or too many posts? What else? I am open to any kind of feedback. Please avoid being "politically correct"; you may be open and candid. You can give me the feedback directly (roger.halbheer@microsoft.com) or as comments, which I ... More About: Trends , Feedback
IE and Firefox vulnerabilities
2007-11-30 19:59:00 I am still convinced that there is limited value in comparing vulnerabilities between different products. However, there are a few products which seem extremely emotional: the operating system, Office, and the browser. We already discussed the operating system part pretty emotionally (I liked that, actually). Office came into the spotlight in the last few days as one source claimed a significant rise in vulns from 2006 to 2007, where I would like to understand the source of this data and the methodology, as the bulletin count remained at least flat. It is always easy to claim something and there are even journalists that take this up without any further investigation, which is bad enough... Now, the browser. This is always a very emotional discussion as the browser is the window to the Internet and the world. Jeff Jones, a Microsoft employee, does regular analysis on the figures of vulnerabilities. As I stated in a previous blog post, I think it is important to internally understand the prog... More About: Firefox , Vulnerabilities
Hackers using Playstations to crack Passwords
2007-11-29 11:42:00 A reader of my blog actually pointed me to that (thank you Shoaib) and asked me for a comment. Here is the article: PlayStation a hacker's dream. It is really an interesting thing: Gaming consoles today have quite some computing power, so why should the bad guys not use them to do some brute force? There is an interesting quote in the article: "Breese's presentation comes just weeks after Russian company Elcomsoft claimed to have accelerated password cracking by a factor of 25 by using the processors found on PC graphics cards." I never thought about that up until today but it is pretty natural to use this processing power and leverage it. It could even get worse: What would happen if the criminals could compromise the online gaming part on the console and do some remote code execution? They could do some interesting grid computing (during the time your console is idle) and distribute the calculation and brute force attack across different consoles, an interesting approach ;-) Roger More About: Hackers , Crack , Passwords
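To make the "factor of 25" in the post above concrete, here is a small added example (my own illustration, not code from the article, from Elcomsoft or from the post's author). It brute-forces an unsalted SHA-1 digest of a constructed sample password over a small alphabet, counts the attempts, and then shows how the worst-case time to exhaust a keyspace shrinks when the hash rate is multiplied by 25 or spread over many consoles. The hash rates are assumed figures for illustration only; the point is that a constant-factor speedup buys the attacker roughly one extra character of password length, and only a slow, salted password hash (not a fast digest like SHA-1) takes that advantage away again.

```python
import hashlib
import itertools
import string

# Constructed sample: an unsalted SHA-1 digest of a short, lowercase-only
# password. The password is only used here to build the digest; the cracker
# below sees nothing but the digest.
SAMPLE_PASSWORD = "hack"
SAMPLE_DIGEST = hashlib.sha1(SAMPLE_PASSWORD.encode()).hexdigest()


def brute_force_sha1(target_hex, alphabet=string.ascii_lowercase, max_len=4):
    """Try every string over `alphabet` of length 1..max_len, shortest first.

    Returns (password, attempts) on a match, or (None, attempts) when the
    whole keyspace was exhausted without a hit."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size, length):
    """Number of candidates of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, hashes_per_second):
    """Worst-case seconds to try every candidate of the given length."""
    return keyspace(alphabet_size, length) / hashes_per_second


def speedup_table(alphabet_size, lengths, base_rate, factor):
    """Compare worst-case seconds at `base_rate` with the same search at
    `factor` times that rate (a GPU, or `factor` idle consoles working on
    disjoint slices of the keyspace). Returns (length, base, accelerated)."""
    return [
        (n,
         seconds_to_exhaust(alphabet_size, n, base_rate),
         seconds_to_exhaust(alphabet_size, n, base_rate * factor))
        for n in lengths
    ]


if __name__ == "__main__":
    found, tries = brute_force_sha1(SAMPLE_DIGEST)
    print(f"recovered {found!r} after {tries} SHA-1 computations")

    # Assumed rate: 1e9 SHA-1/s on one machine; x25 is the factor quoted
    # in the post. Real throughput depends on hardware and hash function.
    for n, base, fast in speedup_table(26, [6, 7, 8, 9], 1e9, 25):
        print(f"len {n}: {base:12.1f} s on one CPU, {fast:12.1f} s at x25")
```

Running it shows the sample password recovered after 141'373 hashes, well under a second in pure Python, and that an 8-character lowercase password which takes about 209 seconds at the assumed base rate falls in about 8 seconds at 25x. Adding one character multiplies the work by 26, so the speedup is worth roughly one character; the real defense is a deliberately slow, salted password hash, which makes every one of those attempts expensive.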
Security Threats in 2008
2007-11-26 16:16:00 Well, slowly the year is coming to an end, 10% to go :-). This is the time when everybody is looking back and, additionally, tries to look into the crystal ball to understand how 2008 could be. Interestingly enough, I just had the discussion about the trends for 2008 this morning with a friend of mine, and this afternoon a blog post by Symantec hit me with the title A Look Ahead to Security Trends in 2008, which is an interesting read (pretty short, which is good). I do not want to comment on it (yet) as we are working on that as well at the moment, but it seems that we are more or less on the same line. The only thing I am missing is that I think social networks (like Xing, Facebook, LinkedIn, ...) have a high potential to be abused as a source of information for social engineering attacks. What they all have in common is that we will see the criminals misuse the Internet to illegally (or immorally) make money Roger More About: Threats
Teach a Man to Fish
2007-11-26 11:37:00 I just read a pretty good article that definitely goes in the direction I am trying to work in with the different communities we are in touch with. Even though technology is a key part of any security solution, the user is key, and explaining the "why" to the user is even more important. Read for yourself: Teach a Man to Fish Roger More About: Security , Policy , Processes
I was visiting Nigeria - watch out!
2007-11-23 08:14:00 You know that I rarely did trip reports in the past. I am personally convinced that you do not want to read what I had for breakfast in Barcelona. But this trip was different. When I told the people around me that I would be travelling to Nigeria I got a lot of different reactions :-). I guess that most of these reactions are based on our constant confrontation with what we call the Nigeria scam. As you probably know, there is section 419 of the Nigerian criminal code that is violated by these kinds of attacks. Therefore these scams are often called 419 scams. It is unbelievable: when you go to our search engine and search for "Nigeria scam 419" you find more than 400'000 hits! There is even a site called http://www.nigerian-scam.com/ . For a country like Nigeria, this is one of the worst possible things to happen if you want to base the growth of the economy on modern technology! Is this a Nigeria-only problem? Not by far. A lot of scams originate from Western countries, a lot of ot... More About: Security , Watch , Events , Trends , Training