Roger's Security Blog: I am Microsoft's Chief Security Advisor for Europe, Middle East and Africa and this blog is mainly about information security.
Are you ready for your users of the (near) future?
2007-11-20 21:53:00 Yankee Group Study Actually, "near future" might be wrong: I am convinced that the future (with regard to the requirements) is already here. We sponsored a study with Yankee Group with the title Anywhere Access Technologies - Open Enterprise Networks. I read through it and tried to analyze the key findings in there: more than 70% of IT executives said that more than half of their employees today access their networks remotely with a laptop or mobile device. This is significant, isn't it? Look at me: I am in the office to have some 1:1 meetings and mainly to hand in the expense reports. The rest of my time I am on the road or in my "home office". So my laptop hardly ever gets connected to the corporate network. I am actually writing this blog post in a hotel room. On the other hand, I know of a lot of companies where security and IT want to limit the usage of laptops as much as possible. In my opinion, they are hindering a development which will lead to higher productivity and employ... More About: Future , Users , Ready
The Value of Operating System Comparisons
2007-11-16 22:05:00 Since Blaster/Slammer, namely since the start of Trustworthy Computing, I have been working at Microsoft in a publicly facing security role. I went through all the blaming and had to take all the heat for what we did wrong and how bad we are, and I admitted there and still do today that security was not a priority for Microsoft back then (and if you quote me, please quote the whole sentence :-)). However, we changed dramatically and I am convinced that Microsoft is one of the few companies of such a size with the capability to change within the timeframe we did, and the change will go on. When I did my first presentation on Trustworthy Computing, I stated publicly that this is an industry initiative and not a "Microsoft only thing", and the people laughed at me. They told me that Microsoft is THE problem and that we will never change. When I looked at the figures of e.g. vulnerabilities back then, we saw from the beginning that we were much better than everybody else but have been the bi... More About: Security , System , Operating System , Operating , Processes
Want to check your Up- and Download-Speed
2007-11-15 13:38:00 I just stumbled across a pretty cool website allowing you to measure your up- and download speed wherever you are. Additionally you can compare it with others: http://www.speedtest.net Roger More About: Download , Check , Speed
More than 490'000 Database Servers unprotected on the Web
2007-11-14 21:01:00 David Litchfield ran a scan on the Internet for the typical SQL Server and Oracle ports. It is unbelievable that he found approx. 490'000 servers on the Internet, unprotected and often unpatched, on unsupported version levels, on unsupported Service Packs. What is going on there? Are these test servers nobody cares about (they are pretty often connected to the corporate network and can easily be used as an entry point for a criminal)? Who is the company behind that? ... Looking at the comments on the article Hacker finds 492,000 unprotected Oracle, SQL database servers, people just talk of the admins being stupid; I tend to disagree. Often the IT pros (and this is just my assumption) are just overstrained. They do not get enough training. They have to be the AD admin, the SharePoint guru, the Exchange pro, the network specialist, the ..., the ..., the ... and we expect them to be the Security Officer as well? They are held responsible for having good uptime, unfortunately not for securi... More About: Database
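The post does not say which ports were scanned or how. As an added example (not from the original post or from Litchfield's research), here is the check a practitioner would run against their own address ranges before someone else does: a TCP connect probe for the well-known default listener ports, 1433/tcp for SQL Server and 1521/tcp for the Oracle listener. Hosts and ports are parameters; the `demo()` function stands up a throwaway local listener as a constructed stand-in for an exposed database, so the whole thing runs offline.

```python
"""Probe a set of hosts for reachable database listener ports.

Added example, not part of the original blog post. Assumes the well-known
default ports 1433/tcp (SQL Server) and 1521/tcp (Oracle listener); point
scan_hosts() at your own address ranges with whatever ports you use.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Default listener ports for the two products named in the post.
DEFAULT_DB_PORTS: Dict[int, str] = {1433: "SQL Server", 1521: "Oracle listener"}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake means something is listening and reachable from
    where this runs; refused, filtered or timed-out connects count as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts: Iterable[str],
               ports: Dict[int, str] = DEFAULT_DB_PORTS,
               timeout: float = 1.0) -> List[Tuple[str, int, str]]:
    """Return (host, port, service) for every reachable database port."""
    findings: List[Tuple[str, int, str]] = []
    for host in hosts:
        for port, service in ports.items():
            if port_is_open(host, port, timeout):
                findings.append((host, port, service))
    return findings


def demo() -> dict:
    """Offline demonstration against a constructed local listener.

    Binds a listening socket on 127.0.0.1 at an OS-assigned port to stand in
    for an exposed database listener (a fixture, not a real database), picks
    a second port that is known to be free, scans both, and returns the
    result so the behaviour can be checked without touching the network.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Bind-and-close a second socket to obtain a port nothing is listening on.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        ports = {open_port: "fake listener", closed_port: "nothing"}
        found = scan_hosts(["127.0.0.1"], ports, timeout=0.5)
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found}


if __name__ == "__main__":
    result = demo()
    for host, port, service in result["found"]:
        print(f"{host}:{port} reachable ({service})")
```

Run it from outside your perimeter as well as inside: a listener that answers from the Internet is exactly the kind of host the post is about, and a connect scan from the outside is the cheapest way to find out whether you have one.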
Be Careful Whom You Trust
2007-11-13 20:50:00 When I talk to customers I sometimes ask them whether they do background checks on whom they hire as employees or contractors. When it comes to security, the whole theme gets pretty sensitive. Imagine that you hire an employee to deal with your security architecture and he turns out to be a criminal. Or you give a project to work on your security to an external consultant and all of a sudden he is arrested for spreading malware. Fantasies? Not really! This just happened: Security consultant hijacked 250,000 machines and Ex-Security Pro Admits Running Huge Botnet. Would a background check have helped here? Probably not, but we really have to think about whom we trust and how we hire people. I still cannot understand that there are companies hiring convicted hackers (even though everybody deserves a second chance, I agree). I blogged on that already once and the comments were not in line with my view (Hackers getting Jobs in the Industry). Any views from your side? Roger More About: Trust , Careful , Cybercrime , Processes
TechEd-IT Forum: The Keynote and Announcements
2007-11-12 15:20:00 I told you that I would keep you posted. We had some pretty exciting announcements at the keynote at IT Forum. For me, the whole area of virtualization is probably the biggest step forward. We announced that the official product/feature name is "Hyper-V", which will be integrated in some of the Windows Server 2008 SKUs. There are some cool things to see: We will be releasing integration components to make Linux run on our virtualization platform (Hyper-V). We are supporting 64-bit, large memory, and up to four cores. We are able to run Hyper-V as a core role, meaning with a thin layer of the OS just to support Hyper-V. We can take snapshots of a VM and are able to roll back to any snapshot without rebooting the VM! In order to be able to manage the VMs, we are announcing the System Center Virtual Machine Manager. We can control the VMs directly, independent of whether they are running on Virtual Server, Hyper-V or VMware! Not only that, you can do more with System Center: You can move VMs fro... More About: Keynote , Events , Tech , Training
IT Forum is about to begin
2007-11-12 10:35:00 It is always fascinating to see an event of this size! I actually arrived in Barcelona yesterday night and yes, you might be jealous if you see the weather. But actually I will probably not have a lot of time to enjoy it - PR filled my schedule all over :-) but that is why I am here. Here are the posts on Technorati on TechEd-ITForum: TechEd-ITForum And here is the actual TechEd-ITForum web site with some cool videos to start with :-) We will really kick it off at 2:00 pm with a 90 minute keynote with some announcements. Tomorrow morning we are holding a panel for journalists with some pretty interesting security people from all around the company like: David Burt, Microsoft Security and Access Product Management (he is moderating the panel); Vinny Gullotto, General Manager of the Microsoft Malware Protection Center; Paul Mayfield, Program Manager for Network Access Protection; Josh Edwards, Technical Product Manager, Microsoft Office; Steve Brown, Director for Security and Ac... More About: Events , Training
A fun reading on social engineering
2007-11-09 16:36:00 I recently talked at different events on social engineering or at least touched the theme. You might know the layer 8 problem :-) When I had some discussions after my speech I realized that close to nobody (I talked with) knew about "The Art of Deception: Controlling the Human Element of Security" by Kevin Mitnick. You probably know Kevin Mitnick; he was one of the first hackers to be sent to jail. A lot of his attacks were about tricking people rather than really hacking systems. He then summarized his experience in a book. The way he does it is that he tells stories about different levels of attacks. When you read the first story you think: these things will never happen to me (at least this was my initial reaction, being one of these paranoid security people). When you reach towards the end of the book, you start thinking differently... It is definitely worth reading. Roger More About: Social , Reading , Engineering , Social Engineering
WabiSabiLabi and their view on ethics
2007-11-08 08:27:00 I commented on that already twice and I stated that WabiSabiLabi seems to have a different view on ethics than me. For those of you who do not know WabiSabiLabi, it is an online auction for vulnerabilities. We met the founder of this platform during Blue Hat in Redmond and had some discussions on ethics, vulnerabilities and his platform. I have to admit that the way he tweaked the ethical view of the world the way he needed it was pretty interesting. Now I see that my view on ethics is definitely the one that at least keeps me out of jail: WabiSabiLabi founder arrested in Italy. At least he gets press coverage (and blog coverage :-)) for his platform. Roger More About: Security , Ethics , Policy , View
Mary Jo Foley: It's payback time: If the Vista team could write ad copy ...
2007-11-06 22:20:00 Well, well: You know that I never ever would bash a competitor and I will not do so now. However, I have to give you the link to the above mentioned article, not because of the article but because of the comments the article got. It seems that our efforts around Trustworthy Computing pay off. I have to quote a comment: "MS has good taste, <company> has none. Oh the irony of <CEO of company> accusing MS of having no taste! Those ads were the epitome of tastelessness and the fact that Microsoft won't stoop down to <company>'s level is proof that Microsoft is the company with the superior ethics. It says a lot about <company> when Microsoft is judged to be the morally superior company!!" If you want to read it: http://blogs.zdnet.com/microsoft/?p=905 Roger P.S. A few years ago we wanted to have a big (and extremely successful) security event with Swiss TV and <company>, and <company> told us that they would not participate because they "do not... More About: Security , Foley , Time , Vista , Write
Fight against Terror and how it can be abused
2007-11-06 20:14:00 I am not completely clear on how much many of the measures we see (like the liquid restrictions on planes, the forced violation of privacy laws by airlines having to transmit PII to the US, ...) really bring. On the other hand, we definitely see some pretty weird things happening, as any suspicion seems to lead to serious consequences. Read this article I found today: Man angry with son-in-law fingers him as terrorist to FBI Roger More About: Terrorism , Terror , Fight , Policy , Abused
The next step at home: Windows Home Server
2007-11-06 17:03:00 One of the big challenges we face all the time is how to control one of these growing networks at home. How shall I help my neighbors actually manage their growing environment with different PCs (one per parent and one per kid and a media center and, and, and)? I assume that you know that feeling. I do not say (yet) that all the problems are solved, but at least we did one significant step with a product we call Windows Home Server - a server version (as an OEM version) targeted at the scenarios described above. Definitely something to look at and something that will help us in the future to help our friends and family manage their environment in a secure, safe and easy way. Here is the blog of the Windows Home Server team: http://blogs.technet.com/homeserver/ Here is the demo: http://www.microsoft.com/windows/products/winfamily/windowshomeserver/demo/index.html And here is the product page: http://www.microsoft.com/windows/products/winfamily/windowshomeserver/default.mspx Roger More About: Step
Social Engineering - Live
2007-11-06 05:12:00 I just found a pretty interesting article on "social engineering". It is one of these articles showing an anecdote on how to use social engineering to enter a building and get access to everything: The Spy in Your Server Room Roger More About: Security , Social , Engineering , Live
Pricelist for Cybercriminals
2007-11-02 17:05:00 Remember Economy of Cybercrime? I hope so! There I made the statement that cybercrime has to pay off. On Zone-h today they summarized research from G DATA with the title How much can cyberterrorist get? In there you see how much you have to pay for which "service". This is a pretty good income: "Doing simple math - working for just 20 hours per month, on 20 orders, a spammer can send over 400 million messages and without much effort could earn around 7000 euro. If that wasn't enough, you can get 10 million e-mail addresses for just 100 euro. The same goes for PayPal accounts, credit card numbers and internet game accounts." Roger More About: Security , Law Enforcement , Criminals
SAFECode: Writing Secure Code - learning from each other
2007-11-02 11:30:00 During RSA Europe an industry forum called SAFECode (Software Assurance Forum for Excellence in Code) was announced "to identify and share software assurance best practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks". I was really excited that I had the opportunity to represent Microsoft during the press conference at RSA, as this is, from my point of view, a significant move for the industry. SAFECode was founded by some heavyweights in the software development industry: EMC, Juniper, Symantec, SAP, and Microsoft. Over the last few years we invested significantly into our Security Development Lifecycle (SDL). We make the experience we gained available in different forms: We wrote books like Security Development Lifecycle, Writing Secure Code, Hunting Security Bugs, Threat Modeling, ... We integrate tools and technology we initially develope... More About: Policy
Rumors about Cyber-Terror Attack, November 11th
2007-11-01 10:50:00 This is an interesting phenomenon on the Internet: There is one source publishing the statement that they picked up an Internet announcement by Al Qaeda that they will start a cyber attack on November 11th: DEBKAfile Exclusive: Al Qaeda declares Cyber Jihad on the West. From there on the blogosphere went ballistic (the article was published October 30th). If you search for it, you will find quite a lot of articles and blog posts referring to the DEBKAfile site. Nobody really questions the source. I am definitely not in a position to judge the quality and depth of this information, as I do not have enough experience with DEBKAfile at all. It is just interesting to see how information spreads without anybody really thinking twice about the trustworthiness of the source. As you know, I have already written several times about cyberterrorism and there is definitely a certain probability that something like that might happen and that it might even happen on November 11th. However, I think that a certain ... More About: Terrorism , Terror , Rumors
Spotlight - The coolest online event platform
2007-11-01 07:31:00 You know about Silverlight, don't you? We built a new online event platform on it. Sorry? You did NOT hear of Silverlight yet? Come on, don't tell me you missed this announcement? It is absolutely cool and if you really missed it, there you go: Silverlight. But now let's really talk about Spotlight. This is an absolutely cool platform we use for high-class recordings of big technical events (or even videos produced especially for Spotlight). You can find the homepage of Spotlight here. Additionally there is a blog on Spotlight, giving you the latest news and the opportunity to comment. There are a few pretty cool security presentations: John Craddock and Sally Storey: Is your IT Infrastructure Secure?; Steve Riley: The Fortified Datacenter in your Future: Build It Now and They Will Come; Mark Russinovich: Advanced Malware Cleaning; Mark Russinovich: Windows User Account Control Internals (you have to sign in) ...and a lot more... If you do not want to look into the dry securit... More About: Fun , Technology , Microsoft
MS Products Security Bloglist
2007-10-31 16:25:00 Feliciano Intini, our CSA in Italy, just published a list of blogs he knows of run by our product teams. Have a look here. Roger More About: Security , Products , Microsoft
The Complexity of the "Spyware Landscape"
2007-10-31 14:47:00 A pretty interesting article on spyware (and a lot of other "beasts"): The Increasing Complexity of the New Spyware Landscape Roger More About: Security , Trends
Defend the Flag Workshop at Deepsec
2007-10-30 08:34:00 There is a cool workshop at Deepsec in Vienna in mid-November, which is called "Defend the Flag". The idea is that you will be trained for a day and during the second day you have to configure your systems and they will be attacked. The one that holds out the longest wins. If you are interested, my colleague Gerhard Göschl blogged on it: Deepsec: Hacker Konferenz in Wien - Einladung zu kostenlosem Workshop (Deepsec: hacker conference in Vienna - invitation to a free workshop) "TechNet Briefing Spezial > Security" Roger More About: Events , Training