

Want to check your Up- and Download-Speed
2007-11-15 06:38:02
I just stumbled across a pretty cool website allowing you to measure your up- and download speed wherever you are. Additionally, you can compare it with others: http://www.speedtest.net Roger
Read more: Download , Speed

More than 490’000 Database Server unprotected on the Web
2007-11-14 14:01:42
David Litchfield ran a scan on the Internet for the typical SQL Server and Oracle ports. It is unbelievable that he found approx. 490'000 servers on the Internet – unprotected and often un-patched. On unsupported version levels, on unsupported Service Packs. What is going on there? Are these test servers nobody cares about (they are pretty often connected to the corporate network and can easily be used as an entry point for a criminal)? Who is the company behind that? ... Looking at the comments to the article Hacker finds 492,000 unprotected Oracle, SQL database servers people just talk about the admins being stupid … I tend to disagree. Often the ITPros (and this is just my assumption) are just overstrained. They do not get enough training. They have to be the AD Admin, the SharePoint Guru, the Exchange Pro, the Network specialist, the…., the…., the…. and we expect them to be the Security Officer as well? They are held responsible for having a good uptime – unfortunately not f
Read more: Database

Be Careful Whom You Trust
2007-11-13 13:50:00
When I talk to customers I sometimes ask them whether they do background checks on whom they hire as employees or contractors. When it comes to security, the whole theme gets pretty sensitive. Imagine that you hire an employee to deal with your security architecture and he turns out to be a criminal. Or you give a project to work on your security to an external consultant and all of a sudden he is arrested for spreading malware. Fantasies? Not really! This just happened: Security consultant hijacked 250,000 machines and Ex-Security Pro Admits Running Huge Botnet Would a background check have helped here? Probably not, but we really have to think about whom we trust and how we hire people. I still cannot understand that there are companies hiring convicted hackers (even though everybody deserves a second chance – I agree). I blogged on that already once and the comments were not in line with my view (Hackers getting Jobs in the Industry) Any views from your side? Roger
Read more: Careful

TechEd-IT Forum: The Keynote and Announcements
2007-11-12 08:20:34
I told you that I will keep you posted. We had some pretty exciting announcements at the keynote at IT Forum. For me, the whole area of virtualization is probably the biggest step forward. We announced that we name the official product/feature "Hyper-V", which will be integrated in some of the Windows Server 2008 SKUs. There are some cool things to see: We will be releasing integration components to make Linux run on our virtualization platform (Hyper-V). We are supporting 64bit, large memory, and up to four cores. We are able to run Hyper-V as a core role, meaning with a thin layer of the OS just to support Hyper-V. We can take snapshots of a VM and are able to roll back to any snapshot without rebooting the VM! In order to be able to manage the VMs, we are announcing the System Center Virtual Machine Manager. We can control the VMs directly, independent of whether they are running on Virtual Server, Hyper-V or VMWare! Not only that, you can do more with System Center. You can move VMs from o
Read more: Keynote

IT Forum is about to begin
2007-11-12 03:35:00
It is always fascinating to see an event of this size! I actually arrived in Barcelona yesterday night and yes, you might be jealous if you see the weather. But actually I will probably not have a lot of time to enjoy it - PR filled my schedule all over :-) but that is why I am here. Here are the posts in Technorati on TechEd-ITForum: TechEd-ITForum And here is the actual TechEd-ITForum web site with some cool videos to start with :-) We will really kick it off at 2:00 pm with a 90 minutes keynote with some announcements. Tomorrow morning we are holding a panel for journalists with some pretty interesting security people from all around the company like: David Burt, Microsoft Security and Access Product Management (he is moderating the panel) Vinny Gullotto, General Manager of the Microsoft Malware Protection Center Paul Mayfield, Program Manager for Network Access Protection Josh Edwards, Technical Product Manager, Microsoft Office Steve Brown, Director for Security and Acces
Read more: begin

A fun reading on social engineering
2007-11-09 09:36:07
I recently talked at different events on social engineering or at least touched the theme. You might know the layer 8 problem :-) When I had some discussions after my speech I realized that close to nobody (I talked with) knew about "The Art of Deception: Controlling the Human Element of Security" by Kevin Mitnick. You probably know Kevin Mitnick – he was one of the first hackers to be sent to jail. A lot of his attacks were about tricking people rather than really hacking systems. He then summarized his experience in a book. The way he does it is that he tells stories about different levels of attacks. When you read the first story you think: these things will never happen to me (at least this has been my initial reaction, being one of these paranoid security people). When you reach towards the end of the book, you start thinking differently….. It is definitely worth reading. Roger


WabiSabiLabi and their view on ethics
2007-11-08 01:27:04
I commented on that already twice and I stated that WabiSabiLabi seems to have a different view on ethics than me. For those of you who do not know WabiSabiLabi, it is an online auction for vulnerabilities. We met the founder of this platform during Blue Hat in Redmond and had some discussions on ethics, vulnerabilities and his platform. I have to admit that the way he tweaked the ethical view of the world the way he needed it was pretty interesting. Now, I see that my view on ethics is definitely the one that at least keeps me out of jail: WabiSabiLabi founder arrested in Italy At least he gets press coverage (and blog coverage :-)) for his platform. Roger


Mary Jo Foley: It’s payback time: If the Vista team could write ad copy …
2007-11-06 15:20:00
Well, well: You know that I never ever would bash a competitor and I will not do so now. However, I have to give you the link to the above mentioned article – not because of the article but because of the comments the article got. It seems that our efforts around Trustworthy Computing pay off. I have to quote a comment: "MS has good taste, <company> has none. Oh the irony of <CEO of company> accusing MS of having no taste! Those ads were the epitome of tastelessness and the fact that Microsoft won't stoop down to <company>'s level is proof that Microsoft is the company with the superior ethics. It says a lot about <company> when Microsoft is judged to be the morally superior company!!" If you want to read it: http://blogs.zdnet.com/microsoft/?p=905 Roger P.S. A few years ago we wanted to have a big (and extremely successful) security event with Swiss TV and <company> and <company> told us that they will not participate because they "do not
Read more: Foley , payback , Vista

Fight against Terror and how it can be abused
2007-11-06 13:14:00
I am not completely clear how much a lot of the measures we see (like the fluid restrictions on planes, the forced violation of privacy laws by airlines by having to transmit PII to the US, ...) really bring. On the other hand we definitely see some pretty weird things happening, as any suspicion seems to lead to serious consequences. Read this article I found today: Man angry with son-in-law fingers him as terrorist to FBI Roger
Read more: against , Terror

The next step at home: Windows Home Server
2007-11-06 10:03:00
One of the big challenges we face all the time is how to control one of these growing networks at home. How shall I help my neighbors to actually manage their growing environment with different PCs (one per parent and one per kid and a mediacenter and, and, and)? I assume that you know that feeling. I do not say (yet) that all the problems are solved, but at least we took one significant step with a product we call Windows Home Server - a server version (as OEM version) targeted to the above described scenarios. Definitely something to look at and something that will help us in the future to help our friends and family to manage their environment in a secure, safe and easy way. Here is the blog of the Windows Home Server team: http://blogs.technet.com/homeserver/ Here is the demo: http://www.microsoft.com/windows/products/winfamily/windowshomeserver/demo/index.html And here is the product page: http://www.microsoft.com/windows/products/winfamily/windowshomeserver/default.mspx Roger
Read more: Windows Home Server

Social Engineering - Live
2007-11-05 22:12:00
I just found a pretty interesting article on "social engineering". It is one of these articles showing an anecdote on how to use social engineering to enter a building and get access to everything: The Spy in Your Server Room Roger
Read more: Social

Pricelist for Cybercriminals
2007-11-02 11:05:00
Remember Economy of Cybercrime? I hope so! There I made the statement that Cybercrime has to pay off. On Zone-h today they summarized a research from G DATA with the title How much can cyberterrorist get? In there you see how much you have to pay for which "service". This is a pretty good income: "Doing simple math - working for just 20 hours per month, on 20 orders, spammer can send over 400 millions of messages and without much effort he could earn around 7000 euro. If that wasn't enough, you can get 10 millions of e-mail addresses for just 100 euro. Same goes to paypal accounts, credit cards numbers and internet game accounts." Roger


SAFECode: Writing Secure Code – learning from each other
2007-11-02 05:30:41
During RSA Europe an industry forum called SAFECode (Software Assurance Forum for Excellence in Code) was announced "to identify and share software assurance best practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks". I was really excited that I had the opportunity to represent Microsoft during the press conference at RSA as this is – from my point of view – a significant move for the industry. SAFECode was founded by some heavyweights in the software development industry: EMC2, Juniper, Symantec, SAP, and Microsoft. Over the last few years we invested significantly into our Security Development Lifecycle (SDL). We make the experience we gained available in different forms: We wrote books like Security Development Lifecycle, Writing Secure Code, Hunting Security Bugs, Threat Modeling, … We integrate tools and technology we initially devel


Rumors about Cyber-Terror Attack, November 11th
2007-11-01 04:50:11
This is an interesting phenomenon on the Internet: There is one source publishing the statement that they picked up an Internet announcement by Al Qaeda that they will start a cyber attack on November 11th: DEBKAfile Exclusive: Al Qaeda declares Cyber Jihad on the West. From there on the blogosphere went ballistic (the article was published October 30th). If you search for it, you will find quite a lot of articles and blog posts referring to the DEBKAfile site. Nobody actually really questions the source. I am definitely not in a position to judge the quality and depth of this information as I do not have enough experience with DEBKAfile at all. It is just interesting to see how information spreads without really thinking twice about the trustworthiness of the source. As you know, I wrote already several times about Cyberterrorism and there is definitely a certain probability that something like that might happen and that it might even happen on November 11th. However, I think that a certain lev
Read more: Terror

Spotlight – The coolest online event platform
2007-11-01 01:31:00
You know about Silverlight, don't you? We built a new Online Event platform on it. Sorry? You did NOT hear of Silverlight yet? Come on, don't tell me you missed this announcement? It is absolutely cool and if you really missed it, there you go: Silverlight. But now let's really talk about Spotlight. This is an absolutely cool platform we use for high-class recording of big technical events (or even videos produced especially for Spotlight). You can find the homepage of Spotlight here. Additionally there is a blog on Spotlight, giving you the latest news and the opportunity to comment. There are a few pretty cool security presentations: John Craddock and Sally Storey: Is your IT Infrastructure Secure? Steve Riley: The Fortified Datacenter in your Future: Build It Now and They Will Come Mark Russinovich: Advanced Malware Cleaning Mark Russinovich: Windows User Account Control Internals (you have to sign in) …and a lot more….. If you do not want to look into the dry securi
Read more: online

The Value of Operating System Comparisons
2007-11-16 15:05:46
Since Blaster/Slammer, namely since the start of Trustworthy Computing, I am working at Microsoft in a publicly facing security role. I went through all the blaming and had to take all the heat of what we did wrong and how bad we are – and I admitted there and still do today that security was not a priority for Microsoft back then (and if you quote me, please quote the whole sentence :-)). However, we changed dramatically and I am convinced that Microsoft is one of the few companies of such a size having the capability to change within the timeframe we did, and the change will go on. When I did my first presentation on Trustworthy Computing, I stated publicly that this is an industry initiative and not a "Microsoft only thing" – and the people laughed at me. They told me that Microsoft is THE problem and that we will never change. When I looked at the figures of e.g. vulnerabilities back then, we saw from the beginning that we were much better than everybody else but have been the b
Read more: Value , Operating , System

I was visiting Nigeria – watch out!
2007-11-23 01:14:39
You know that I rarely did trip reports in the past. I am personally convinced that you do not want to read what I had for breakfast in Barcelona. But this trip was different. When I told the people around me that I will be travelling to Nigeria I got a lot of different reactions :-). I guess that most of these reactions are based on our constant confrontation with what we call the Nigeria scam. As you probably know there is section 419 of the Nigerian criminal code that is violated by these kinds of attacks. Therefore these scams are often called 419-scams. It is unbelievable; when you go to our search engine and search for "Nigeria scam 419" you find more than 400'000 hits! There is even a site called http://www.nigerian-scam.com/ . For a country like Nigeria, this is one of the worst possible things to happen if you want to base the growth of the economy on modern technology! Is this a Nigeria-only problem? Not by far. A lot of scams originate from Western countries, a lot of other
Read more: watch

Are you ready for your users of the (near) future?
2007-11-20 14:53:19
Yankee Group Study. Actually "near future" might be wrong: I am convinced that the future (with regards to the requirements) is already here. We sponsored a study with Yankee Group with the title Anywhere Access Technologies - Open Enterprise Networks. I read through it and tried to analyze the key findings in there: more than 70% of IT executives said that more than half of their employees today access their networks remotely with a laptop or mobile device: This is significant, isn't it? Look at me: I am in the office to have some 1:1 meetings and mainly to hand in the expense reports. The rest of my time I am on the road or in my "home office". So my laptop hardly ever gets connected to the Corporate network. I am actually writing this blog post in a hotel room. On the other hand I know of a lot of companies where security and IT wants to limit the usage of laptops as much as possible. In my opinion, they are hindering a development which will lead to higher productivity and employee
Read more: users

Windows Vista is protecting the environment
2007-12-01 03:24:00
When we launched Windows Vista , one of the features which was pointed out to me was power management and how it will lower the costs in the enterprise environment. Well, I put my focus on the security technologies (obviously) and ignored the power management part - and I seem to be wrong. Read the following blog post and see that you should definitely look into this: How green is your PC? Roger
Read more: Windows Vista

YOUR FEEDBACK REQUESTED
2007-11-30 13:10:00
I am in the position of the Chief Security Advisor in Europe, Middle East and Africa since February 1st. Since then I am blogging here (before that I ran together with Urs the Swiss Security Blog). The hits per post rose over the first 6-7 months but now started to slowly drop. However, looking at the ranking of all the Technet blogs, this one is slowly on the rise. Now, I think it is time to ask you: Are you "just" looking at the RSS Feed or do you actually read the posts? (I have the figures of direct browser hits, which does not yet mean that you really read it). Are the themes I am covering the ones you are interested in or would you expect something different? If yes, what? Is it worth the time you invest to read the posts? Are there not enough or too many posts? What else? I am open to any kind of feedback. Please avoid being "politically correct", you may be open and candid. You can give me the feedback directly (roger.halbheer@microsoft.com) or as comments, which I wou


IE and Firefox vulnerabilities
2007-11-30 12:59:10
I am still convinced that there is limited value in comparing vulnerabilities between different products. However, there are a few products which seem extremely emotional: The Operating System, Office, and the browser. We already discussed pretty emotionally (I liked that actually) the Operating System part. Office came into the spotlight in the last few days as one source claimed a significant rise of vulns from 2006 to 2007, where I would like to understand the source of this data and the methodology as the bulletin count remained at least flat. It is always easy to claim something and there are even journalists that take this up without any further investigation, which is bad enough… Now, the browser. This is always a very emotional discussion as the browser is the window to the Internet and the world. Jeff Jones, a Microsoft employee, does regular analysis on the figures of vulnerabilities. As I stated in a previous blog post, I think it is important to internally understand the progr
Read more: Firefox

Hackers using Playstations to crack Passwords
2007-11-29 04:42:35
A reader of my blog actually pointed me to that (thank you Shoaib) and asked me for a comment. Here is the article: PlayStation a hacker's dream. It is really an interesting thing: Gaming consoles today have quite some computing power, so why should the bad guys not use them to do some brute force? There is an interesting quote in the article: "Breese's presentation comes just weeks after Russian company Elcomsoft claimed to have accelerated password cracking by a factor of 25 by using the processors found on PC graphics cards." I never thought about that up until today but it is pretty natural to use this processing power and leverage it. It could even get worse: What would happen if the criminals could compromise the online gaming part on the console and do some remote code execution. They could do some interesting grid computing (during the time your console is idle) and distribute the calculation and brute force attack into different consoles – an interesting approach ;-) Roge
Read more: Hackers

Security Threats in 2008
2007-11-26 09:16:29
Well, slowly the year is coming to an end – 10% to go :-). This is the time where everybody is looking back and – additionally – tries to look into the Crystal Ball to understand how 2008 could be. Interestingly enough, I just had the discussion about the trends for 2008 this morning with a friend of mine and this afternoon a blog post by Symantec hit me with the title: A Look Ahead to Security Trends in 2008 which is an interesting read (pretty short, which is good). I do not want to comment on it (yet) as we are working on that as well at the moment but it seems that we are more or less on the same line. The only thing I am missing is that I think that social networks (like Xing, Facebook, Linkedin, …) have a high potential to be abused as a source of information for social engineering attacks. What everything has in common is that we will see the criminals misuse the Internet to illegally (or immorally) make money. Roger


Teach a Man to Fish
2007-11-26 04:37:00
I just read a pretty good article that goes definitely in the direction I am trying to work with the different communities we are in touch with. Even though technology is a key part of any security solution, the user is key and explaining the "why" to the user is even more important. Read it yourself: Teach a Man to Fish Roger


A Retrospect on my Trip to Kenya
2007-12-07 17:41:33
I asked for feedback from you and got quite some. Some privately and some publicly – thank you all who took the time to answer. One of the feedbacks I heard more than once was that you are interested in my view on the region and the security there. So, what I will try to do is give you some insights into trips I do to more "exotic" places (so I will most probably not cover my trips to Brussels and London next week). So, I just came back today from Nairobi, Kenya. Let me share my impressions and my program. We mainly did three things: Visited a call center called KenCall. Did some internal business stuff (which I will not be talking about :-)). Visited some NGOs helping the people in the slums. So, there are two main areas to share with you, let's start with KenCall: KenCall is a classical outsourcer for call center services. The interesting thing was the regulatory hurdles they had to overcome. As an example: In order to use Voice over IP, they need a certification. However, the govern


Update on our Piracy Strategy - Important Changes to WGA
2007-12-04 10:00:00
From time to time people ask me about piracy and security. Let's start with piracy first. If you look at the 2007 Global Piracy Study by BSA, the numbers are frightening. Looking at EMEA, it starts with Moldova at 94% pirated software to Denmark with 25% (which is still every fourth copy!) - the rest is somewhere in between! This is pretty significant and I think it is clear that we are fighting against people stealing our property. If it comes to the relation between security and piracy, I would love to have any figures. All the figures about malware we have are mainly from the Malicious Software Removal Tool (which is mainly delivered through Automatic Update) and somebody who is deliberately using a pirated copy would most probably not switch on AU (even though we do not look at the machines). This makes it pretty bad - probably - as the machines will not be patched. To make the point clear: We are delivering critical security updates even to people who have stolen our software i
Read more: Strategy

You are hacked - by your toaster :-)
2007-12-15 04:19:44
I just read this this morning Man Uses Toaster to Hack Computer. Is this now funny or scary? Roger


HP confirms vulnerabilities on 82 Laptop models.
2007-12-15 04:17:15
Remember this post OEMs: Join in to "Secure by Default"? I wrote it in June… Now, HP just confirmed a vulnerability in their software delivered on 82 laptop models on all the different Windows versions: HP Quick Launch Buttons Critical Security Update What about the Security Development Lifecycle for third-party applications? There is a reason why I always flatten OEM PCs and just install what I need… Roger
Read more: Laptop , vulnerabilities

"Keep Everything Clear of the Doors"
2007-12-14 01:29:34
Ed Gibson, the Chief Security Advisor in the UK, just wrote an interesting article I would like to share with you: You've seen it, read it, heard it so many times you've blocked it out … routine, mundane. . . but instinctively you take the necessary precautions. And the idiots who think they can beat the doors for gosh sakes . . . some make it, most don't… when will they learn. Even though, I suspect the next time you hear this spoken over the intercom in the Underground, or read the warning label on the inside of the carriage you'll take just that extra second to really make sure everything is clear of the doors. "Why?", you ask. "Because you've just read this!" No different than the many times you've looked at your watch, and then someone else asks you what time it is; you can't remember, so you look again. Unremarkably, the same applies when it comes to being more safe online. This past year you bought a brand new state of the art, 2g of RAM, 600g hard drive t
Read more: Everything , Clear , Doors

Have a look at Server and Domain Isolation
2007-12-13 14:25:07
I am often talking about different zones in the network and how you can create them. There is now a demo kit available for you to download and "play" with: Server and Domain Isolation Demo Roger

