Owner: Roger's Security Blog URL: http://blogs.technet.com/rhalbheer Join Date: Mon, 12 Nov 2007 16:10:32 -0600 Site Description: I am Microsoft's Chief Security Advisor for Europe, Middle East and Africa and this blog is mainly about information security.
Nigeria: I told you they are serious 2007-12-13 04:52:23 Remember my blog post where I told you not to forget countries like Nigeria (I was visiting Nigeria - watch out!)? They really seem to be serious. In the last few weeks we had some trouble getting hold of the head of EFCC (I will tell you more in a week) and now we have at least some suspicion why: Nigerian ex-oil governor arrested
Corruption is probably one of the biggest problems most developing countries have, and therefore I congratulate any effort to fight corruption in these systems. BTW, we have a hard and clear policy that we do not bribe - never ever. If you lose a deal because you did not bribe, too bad. If you are bribing, you are fired. We do not support any illegal activities.
Roger
How to Build a Bomb 2007-12-12 03:05:40 Well, only partly. I have commented several times already on WabiSabiLabi. I especially like their statement "closer to zero risk". At the moment there is an SAP vulnerability at stake. It is initially priced at €4'000. If you read their blog, Focus on: SAP MaxDB remote code execution, it seems clear that this vulnerability is a very high risk. So in order to get "closer to zero risk" they sell it to whomever is ready to spend enough money (e.g. organized crime) - I still question their view of the world…
Roger
Once More: Only the Easiest Way is the Secure Way 2007-12-12 02:01:57 Well, my credo is well known in the meantime: we have to make it easy for users to work in a secure way. Otherwise the business (say: the users) will find ways around all our security solutions. A customer of ours recently said: "I would rather accept slightly higher risks that I know than have the user circumventing my security measures and thereby generating risks I do not know" - and he is right in my opinion. Security is here to support IT, and IT is here to support the business. That is it! Too many IT people run IT as the core part of the business, but in 99% of companies IT is here to help me do my job, and security is here to help IT (and the business).
I read an article this morning called End Users Flout Enterprise Security Policies and there is an interesting quote in it: "What we're finding is that there is a third, growing group of users who knowingly violate security policy not to do something malicious, but because they are trying to get their jobs done. This sort of vio
Consumer Trust in e-Business 2007-12-21 09:38:00 In the light of the latest outreach we did around scams (Lottery Scam - The voice of the victim), the research firm Ipsos was retained to conduct research with consumers in Germany, Italy, Denmark, the UK and the Netherlands. About 3'500 users were contacted and here are some of the highlights (well, lowlights?):
28% of people said they do not feel safe on the Internet
67% said they either had not heard of, or had heard of but did not know about phishing (58% identity theft, 67% Nigerian bank fraud)
This compares to 'only' 36% who said they had not heard of, or had heard of but did not know about lottery scams
23% said they think they are likely to be a victim of an Internet scam that will cost them money. This was actually impressive: a quarter are telling us that they expect to be a Mr. Ericson (see the blog post referenced above).
This compares to 26% saying that they thought there was a likelihood that their house could be burgled
31% said they expected their identity to be used aga
Lottery Scam - The voice of the victim 2007-12-20 12:47:00 We all know that there are scammers telling you that you won the lottery. A lot of security people think that the victims are naïve and dumb. We just started to run a story on lottery scams and part of it was an interview with a victim.
The victim - let's call him "Mr. Ericson" to protect his privacy - was a former bank manager and is definitely an intelligent and, up to a certain point, vigilant person. However, during the whole lottery scam he lost all his retirement savings and had to go back to work in order to survive. This is a very, very sad story and shows how ruthless these people are. The interesting thing was how they actually tricked him into losing about € 61'000. I saw the raw interview and it really makes you think. So, a friend of mine summarized the way they tricked him (read through it - it is worth it!):
'Mr. Ericson' - Victim of Advance Fee Fraud
On 23rd October 2006, Mr. Ericson received a personally addressed email telling him that he had won a priz
Steve Ballmer on next revolution in computing 2008-03-06 00:39:27 Over the coming period (actually starting at RSA) you will hear more from us about how we see the future of security. You should watch out for Craig Mundie's keynote there.
But last Monday Steve Ballmer gave a speech at CeBIT in Germany on the next revolution in computing. You will find a summary of this talk here.
Roger
Internet Explorer 8 Beta 1 is available 2008-03-05 13:22:38 We just made Internet Explorer 8 Beta 1 available. This is especially important if you are developing web applications, so that you can test them. So, here are the important links:
IE 8 Beta 1 Readiness Toolkit
Channel 9 discussion on IE8 features
Channel 10 first look at IE8
Have fun
Roger
How to handle a security crisis 2008-03-03 09:59:18 Do you know that problem: you are at the beginning of a security crisis and should be able to give an official statement, but PR (or whoever is responsible for drafting this statement) is not ready yet – but you really, really, urgently need something? Well, there is a solution to that:
Thanks to Martin for sending this to me.
Roger
DHS Security Level on your Webpage 2008-02-29 22:24:21 A blog reader sent me a mail informing me that he wrote a small application that links the DHS security level to your webpage. I added it to my news section and it looks pretty interesting. If you want to do that as well, here is the link:
Thanks to Justin Hofer for making this available to me.
Roger
Securing My Infrastructure: Firewall 2008-02-28 09:33:00 Well, this is a follow-up to my last posts about how I secure my environment. If you want to read the earlier posts of the series, see the end of this post.
So, we did the Risk Assessment; now let's look a little bit closer at my perimeter. Technically I have a "normal" ADSL connection with a static IP address. However, I decided to use the provided modem only as a bridge and do the dial-up from my firewall, which is – surprise, surprise – an ISA Server 2006. This enables me to avoid a NAT-behind-NAT type of configuration and also allows me to see what is going on on the outside adapter.
Looking at the classical design of a perimeter network: we have been travelling the world for quite some time talking about the diminishing importance of the perimeter network, or how Steve Riley puts i
Spammers are using Out-Of-Office Messages to Spam 2008-02-27 15:50:20 It once more shows that criminals are extremely creative in abusing features to do their business: see this article on Techworld
Roger
Hackers crack Bitlocker – really? 2008-02-25 03:12:28 Sorry for being so late on that, but I was enjoying the gorgeous weather in Switzerland and was skiing the last few days.
There were claims at the end of last week that researchers "cracked" Bitlocker. One of the corresponding articles can be found in eWeek.
What did they actually do? Well, they attacked the key that resides in memory. So, they are attacking a running machine. Let's start by looking into the risks. What do you want to achieve with Bitlocker? You want to make sure that if you lose your notebook, nobody is able to access the data on the disk. So, if the system is shut down, the claimed attack does not work anymore. Now it comes to the states in between. If a machine is in sleep state, we consider it running, so yes, it is vulnerable to this attack. We can now argue whether it
Converter from Office Binary files to OpenXML 2008-02-17 08:59:23 We are supporting a project on SourceForge to write an open-source translator from Office binary files (doc, xls, ppt) to the OpenXML specification. See the initialization here.
Roger
Office Binary Document Formats: Specification 2008-02-17 08:57:06 Last Friday we announced the availability of the Office Binary Format Specification (doc, xls, ppt) under the Open Specification Promise (OSP). From my point of view this is an additional step in our promise to support interoperability.
Roger
TV-Interview during IDC Security event in Belgrade 2008-02-14 13:44:06 As you have seen in my post The Fun of Travel, I was in Belgrade this week. It was the opening event of a tour by IDC through Central and Eastern Europe. IDC has a series of security events across Eastern Europe and I had the honor of giving a keynote there. Usually, when I visit these kinds of events, we try to add some press engagements and customer meetings as well. This time it was all about press and I had 5 interviews, two with TV. I just got the raw cut of one of the interviews, which will be on Fox in Serbia this Sunday (and yes, I got the approval to link to it here and put it on Soapbox).
Unfortunately they cut the questions. So, they were (approximately):
What is Microsoft's security vision?
What were Microsoft's biggest achievements in security in the last few years?
Why did M
The "fun" of travel 2008-02-12 13:19:59 Well, there are people who keep telling me that travelling is fun. Let me tell you a story (true, it just happened to me today) – kind of business as usual.
I am scheduled to speak at an IDC event tomorrow in Belgrade (if you happen to be there, just come and say hello). So I was scheduled to fly from Zurich to Vienna tonight and then on a connection to Belgrade, being in the bar by 21:40 and having the preparation beer. As always, if you have enough time, flights are on time; if you have to connect, they are delayed. So, they announced an insignificant delay of 10 minutes when we boarded, which grew to 30 minutes by the time we left (my connection time was 50 minutes and I was sitting in row 28…), which summed up to 45 minutes by the time we landed. I asked the cabin crew whether I could go to bus
Analysis of Cyber-Terror 2008-03-13 05:21:06 The US Military just released a pretty interesting in-depth article on Cyber-Terrorism and the different aspects of it. Even though it has a little more than 40 pages, it is worth reading: Cyber Operations and Cyber Terrorism
Roger
Technology to Circumvent Censorship 2008-03-15 04:52:00 Well, I was thinking hard about whether I should blog on that or not. But then a friend of mine brought up a valid point: I am always claiming that a lot of issues on the Internet still lack a public debate, which is what matters most - and this might well be one of those.
I do not want to take a position here, and I am aware, looking at the map of my visitors, that the debate would be pretty one-sided:
However, it is an interesting project, and if you want to know the details:
To quote from their website:
psiphon is a human rights software project developed by the Citizen Lab at the Munk Centre for International Studies that allows citizens in uncensored countries to provide unfettered access to the Net through their home computers to friends and family members who live behind firewalls o
A New Model to Tailor your Testing 2008-03-15 04:01:00 I guess you know the problem: you ran a development project and have to test the code (if the testing phase did not already have to be cut significantly because you ran out of time – too often seen with projects at customer sites…). A German researcher has now found a way to analyze your code and determine where you should spend more or less time testing. Pretty interesting piece of research:
Model predicts chance of software flaws
Roger
New Privacy-Technology enables new (private) Business Models 2008-03-14 07:49:00 We announced it recently: we acquired the U-Prove technology from a company called Credentica, and quite a few key members of Credentica have joined us. When we announced it, my excitement was – well – limited. It was another company we bought. But when I started to look into it, I started to understand the potential of the technology.
Think about the following scenario: you want to offer a chatroom for teenagers. The typical problem in this scenario is how you make sure that the teens can come in while the perverts stay out and leave the teens alone. What you usually do is collect all kinds of information (name, address etc.) while trying to find a way of proving the age. With that, you have just created a privacy problem, and probably not what I would like to see as a parent. So, U-Prove now allo
New Technology ending Hardware Piracy? 2008-03-16 07:53:00 I just read an interesting article on a new hardware technology that – the patent owner hopes – would end piracy of integrated circuits. Obviously, piracy is not only a software problem…
New Tech Fights Chip Piracy With Virtual Lock and Key
Roger
P.S.: Pretty bad is the typo in the first paragraph: "A new technology unveiled Wednesday aims to prevent hardware privacy by protecting microchips with the virtual equivalent of an embedded "lock" that can be opened only by the patent owner." Are they sure they mean Privacy and not Piracy? :-)
Sun and Apple Updates – A Sheer Nuisance!! 2008-03-19 16:26:56 As you all know: I rarely blog on competitors and – even more rarely – blog about them negatively. But this time I definitely had to:
Like most of us, I have QuickTime on my PC as well as a Java VM. I know that there are alternatives for this software, and the same is true for RealPlayer, which is – for me – from a privacy perspective about where Windows Media Player was 6-7 years ago, but this shall not be the theme here.
Regularly I am prompted by Apple to install updates – for software I do not even have. So, I am not only prompted regularly to install security updates for QuickTime (and there are a lot), but they have been trying to force iTunes onto my machine for quite some time. Regularly I tell this updater not to prompt me anymore for this update, but this seems to be valid for the
Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution 2008-03-22 05:26:09 I usually do not blog on Advisories we release, as I guess that you have subscribed to the corresponding alerts. If not, you should do that now here.
This one is a little bit different, as I know that quite a few people within Microsoft are working during Easter because of this vulnerability. Therefore I want to make sure that you have seen it. Please read the Advisory called Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution and make sure you do your proper risk assessment.
Roger
SPAM moving to SMS? 2008-03-26 02:43:00 Well, I do not hope so and I do not expect it to. Why? Well, mobile text messages are not free – mails are (at least kind of). Nevertheless, if the "vulnerability" is within the mobile provider, all of a sudden SMS could become a real SPAM channel. This recently happened in China: China to Probe Online Text Message Spam
Roger
Safari to crash XP 2008-03-25 16:01:02 Not only is it "forced" on the clients – it seems even to crash Windows XP machines: Safari 3.1 Crashes On Windows XP, Users Complain – and now I stop complaining
Roger
Sun and Apple Updates – A Sheer Nuisance!! – Part 2 2008-03-25 09:28:46 Quite a few of you read my initial post on that – and I like the comments I got. Now, it seems that I am not the only one being angry:
I quote from What Microsoft can teach Apple about software updates:
For the record, I think Apple is dead wrong in the way it's gone about using its iPod monopoly to expand its share in another market. Ironically, an excellent model for how this update program should work already exists. It's called Windows Update, and it embodies all the principles that Apple should follow.
And: Apple Software Update (btw John is the CO of Mozilla). It seems that John and I are in agreement:
It's wrong because it undermines the trust that we're all trying to build with users. Because it means that an update isn't just an update, but is maybe something more. Because it ul