Posted on 9th March 2010 by Roger in Crime | Cybercrime | Government | Law Enforcement | Legislation | Microsoft | Privacy | Process | Processes | Security | Strategy
behavior, citizens, Cloud, collaboration, Crime, criminals, Government, harmonization, International, Internet, jurisdiction, Law Enforcement, Legal, Legislation, MLAT, Policy Makers, Privacy
To start with: I am an engineer not a lawyer – and this might be part of the problem…
When I started to think about the Cloud and security, I also thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we, as an industry, already had. Or better, the legal challenges I knew about. Our Cloud Security Challenges paper just touches a little bit on this, but to me it is a big challenge (too big for an engineer?)
Let me give you an example: A case which happens often is that Law Enforcement approaches a mail provider with the request to access the content of a mailbox, because they have a case where the suspect is expected to have mails which can be used as evidence. This is actually fairly standard and, within the legal boundaries of one country, straightforward if the law enforcement officer has a court decision. With international providers it gets more complicated, as a case in Belgium showed: The Belgian police asked Yahoo! to give them access to the mailbox of a person living in Belgium, based on a Belgian court decision. However, this data is hosted in the United States. The normal way would be: The police ask the FBI for help, the FBI issues the corresponding papers (together with a US court) and Yahoo! hands over the data. This process is governed by an MLAT (mutual legal assistance treaty). Belgium refused to do that, as it was their position that a Belgian decision is good enough because the suspect lives in Belgium. Yahoo! now had two choices: Violate US law by handing over the data, or violate the Belgian court decision by not handing over the data. A lose-lose position they were in.
And the worst thing to me is that we all have just one goal: We want to get the criminals arrested. This is a battle where law enforcement, policy makers and the industry are on the same side! If you want to read more: Yahoo Fined By Belgian Court For Refusing To Give Up E-Mail Account Info
And there are a lot of cases like this. Cases where the data retention law in one country asks you to keep data for up to 12 months and another country tells you that you are not allowed to keep data for longer than 8 months because of its Data Protection law. If you operate in both, what do you do?
The longer I work in this space, the more complicated it gets for me, and more of such challenges pop up. This morning I read the following article: A step in the right direction. Basically this blog post covers a privacy law put in place in Massachusetts which has broad impact, as it applies not only if you are located in Massachusetts but if the company "owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment". In other words: if you "run the risk" of selling to somebody in Massachusetts, you are subject to this law!
As I said, the situation gets incredibly complex.
Where does this lead us to? To me there are a few things which should be done:
- Governments and the industry have to work much closer together. The industry has to have the ability to show the stumbling blocks for the businesses, and together the government and the industry have to find solutions which protect the citizens' rights, help to grow the economy and help to go after the criminals.
- Governments have to think globally and act locally. Today's cybercrime environment does not allow for "local only" solutions anymore. There needs to be a certain level of harmonization of laws across countries and the willingness to collaborate fast. As there is no global jurisdiction on that level, the willingness to harmonize legislation will be key. The challenge, however, is that governments are re-elected locally, not globally…
- The industry has to behave responsibly. In order to make this happen, the industry has to be seen as a partner for the government. The only way to get there, in my opinion, is to act responsibly. If I look at certain behaviors I see in the industry, they are sometimes too much focused on short-term revenue rather than on responsible behavior.
This will definitely be the basis for better collaboration and an environment where legal challenges (see the Yahoo! case above) do not have to be solved on the shoulders of the businesses "just because" of legal deficiencies between countries. As I said above, we all want to fight crime, as it is necessary and as it is the only way to grow the Internet in the future. And this all helps us, I think.
Roger
Posted on 8th March 2010 by Roger in Microsoft | Process | Processes | Security
Development Lifecycle, ecosystem, news, Threat Modeling, tools
I often talk about how we learned to engineer security into our products, and the results prove that we are on the right track. One of the challenges we always have is how to help the ecosystem to improve as well. One of the ways is to communicate through our website. Not that this is really news; it is actually a few weeks old, but still: We renewed our Security Development Lifecycle site.
If you are developing software internally you should definitely look at the site and think how to implement SDL in your organization. If you want help, there is the SDL Pro Network here to help you to implement SDL. Or leverage the tools we make available. Or much more…
If you are “just” buying software, look at the lifecycle and start to ask your vendors a few questions like:
- How do you engineer security into the products? (I am not talking about the classical software engineering processes – I am talking about security…)
- How do you do Threat Modeling? (To me a key piece of the engineering process.)
- …
Roger
Posted on 7th March 2010 by Roger in Microsoft | Processes | Products | Strategy
Malware, management, Microsoft, policies, Risk Assessment, standardization, Tool, Update Detection, Updates, Virus
Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.
So far, in the first 4 chapters, we have addressed the usual excuses for not Managing Your IT Environment and Security Updates:
- Security is not worth it, nothing ever happens and if it does it will be “no big deal”
- I installed the Microsoft updates, but my network was still compromised
- OK now I understand why Security is important but no idea how I start
- I now know what I want to do, I just don’t know how, I need training
Here we address the need for automation, cost reduction and standardization. Microsoft has literally hundreds of tools to help management assess risk and administrators implement security updates and policies:
Security Update Management Tools: http://technet.microsoft.com/en-gb/security/cc297183.aspx#EPC
Security Update Detection Tools: http://technet.microsoft.com/en-gb/security/cc297183.aspx#EID
Security Risk Assessment Tool: http://technet.microsoft.com/en-gb/security/cc297183.aspx#EUD
Lockdown, Auditing, Intrusion Detection, Remediation Tools: http://technet.microsoft.com/en-gb/security/cc297183.aspx#E2D
Virus and Malware Protection and Removal Tools & Apps: http://technet.microsoft.com/en-gb/security/cc297183.aspx#E1E
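As an added example for the "Security Update Detection" category above (this is not one of the Microsoft tools linked, just a script written for this post), the following PowerShell uses the Windows Update Agent COM API to list the security updates that are applicable to a host but not yet installed, and writes the result to a CSV so it can be collected from many machines. The severity threshold and the report path are assumptions for the example; the script only searches and never downloads or installs anything.

```powershell
# Added example: report missing security updates via the Windows Update Agent
# (Microsoft.Update.Session). Run in an elevated PowerShell on the host to check.
# Threshold and report path are assumptions for this example.
param(
    [ValidateSet('Critical', 'Important', 'Moderate', 'Low')]
    [string]$MinimumSeverity = 'Important',
    [string]$ReportPath = "$env:TEMP\missing-updates-$env:COMPUTERNAME.csv"
)

# Rank MSRC severities so we can compare against the threshold; 'None' covers
# non-security updates, which carry no MsrcSeverity.
$rank = @{ Critical = 4; Important = 3; Moderate = 2; Low = 1; None = 0 }

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Search criteria follow the IUpdateSearcher::Search syntax. IsHidden=0 skips
# updates an administrator has hidden on purpose; report those separately if
# hiding updates is not an accepted practice in your environment.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors.
if ($result.ResultCode -ne 2) {
    Write-Warning ("Update search finished with result code {0}; list may be incomplete" -f $result.ResultCode)
}

$missing = foreach ($u in $result.Updates) {
    $sev = [string]$u.MsrcSeverity
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        KB             = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ';'
        Bulletins      = @($u.SecurityBulletinIDs) -join ';'
        Severity       = if ($sev) { $sev } else { 'None' }
        RebootRequired = $u.RebootRequired
        Downloaded     = $u.IsDownloaded
        Title          = $u.Title
    }
}

$missing = @($missing)
$actionable = @($missing | Where-Object { $rank[$_.Severity] -ge $rank[$MinimumSeverity] })

# Full list to CSV for central collection; the console gets only what needs action.
$missing | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
"{0}: {1} missing update(s), {2} at or above '{3}' severity. Report: {4}" -f `
    $env:COMPUTERNAME, $missing.Count, $actionable.Count, $MinimumSeverity, $ReportPath
$actionable | Sort-Object { $rank[$_.Severity] } -Descending |
    Format-Table KB, Severity, RebootRequired, Title -AutoSize
```

A host that reports "0 missing updates" is only as trustworthy as its update source: if the machine points at a WSUS server that has not yet approved a bulletin, the bulletin will not show up here, so compare the WSUS approval state with the vendor's current release list as part of the same process.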
Reduce Your Risk: 10 Security Rules To Live By
This is from 2006 but it demonstrates on a conceptual level how the technology can change but the rules remain the same. Yet again we learn that Security is a Process, not a Product!
http://technet.microsoft.com/en-us/magazine/2006.05.reducerisk.aspx
Henk and Roger
Posted on 6th March 2010 by Roger in Microsoft
Active Directory, Blog, Codeplex, Enterprise, Hyper-V, Linux, MySQL, Novell, OpenSource, SharePoint, SUSE, Windows
If you are a regular reader of my blog, you might have been surprised today. But yes, it is still my blog.
From time to time I am looking into different ways of doing things. I ran my blog until now on SharePoint 2007 and an extension I found on Codeplex, which is part of the Community Kit for SharePoint called Enhanced Blog Edition. The reason for that was that I did not like the blog offered by SharePoint natively.
Now, I wanted to do a really revolutionary thing, for a Microsoftie: I wanted to migrate the blog to a Linux server with Open Source software. I have to admit I failed. I started to play with SUSE Linux Enterprise Server (remember, we have a partnership with Novell). I set it up on my Hyper-V and it worked fairly soon without too many problems. The problems came when I, as a Microsoftie, wanted to add what is needed to run a blog and to integrate the SUSE server into Active Directory. I just gave up after spending a couple of hours and rolled back my plan, at least for the OS.
So, I decided to install Windows Server 2008 R2 and from there on wanted to experience the Open Source side. Now, the blog runs on Windows Server 2008 R2, PHP, MySQL and WordPress. Until now, I really like WordPress, as it gives me a lot of flexibility with all the plug-ins; more than I actually need. The only real hassle I had was the migration of the blog posts, but finally even that worked….
So, for you nothing should change. Even the RSS feed should still work: the default feed now has a new URL, but I used URL Rewriter to map the old one to it.
So, if you experience any issue, please get in touch with me (see the About page)
Roger
Posted on 1st March 2010 by Roger in Cybercrime | Incidents | Microsoft
It is so old: software telling you that you are infected and that you have to install this latest security software immediately. You can bet that this then installs malware on your PC instead of cleaning it. We mentioned this problem already in the first chapters of our Security Intelligence Report v7.
And it was to be expected that the success of Microsoft Security Essentials would be leveraged by criminals as well, to do exactly what I just mentioned. It happened last week. Read for yourself: If it calls itself "Security Essentials 2010", then it's possibly fake, innit?
Roger
Posted on 1st March 2010 by Roger in Cybercrime | Incidents
As it happens: I was skiing last week (the weather was gorgeous) and now I am back (unfortunately) and confronted with the next Internet Explorer 0-day vulnerability, which is already causing noise; in my opinion too much for the real technical problem. If you read the blog post of the Microsoft Security Response Center called Investigating a new win32hlp and Internet Explorer issue, you will find the following facts, as far as we know them by now:
- The user has to be tricked into pressing F1 in response to a Pop-Up (no automation)
- We are not aware of any attacks exploiting this issue
- It is Windows XP “only”
This leads me back to the discussions I had with customers over the last few weeks: Windows XP was released on 25 October 2001, more than 8 years ago. If you add 2 years of development and engineering time, we are talking about a 10-year-old operating system. During a discussion a friend of mine said "you are not driving a 10-year-old car either", which is not accurate. If you look at how the threat landscape on the Internet developed over the last 10 years, you should probably compare it with a 50-year-old car. The real problem with Windows XP, in my opinion, is that it is rock-solid but not suited anymore for today's threats. As you have a great alternative now, you should definitely consider moving to Windows 7. And you should move from IE 6 (if you are still there) to IE8!!
If I had one wish for you from a security perspective: Move to the latest version of your software, everywhere (knowing that this is not an easy task to do).
Roger
Posted on 18th February 2010 by Roger in Processes | Products
As you all know, I have two main pet themes: Risk Management and Compliance Management, as I see very often that there is room for improvement when it comes to such processes at our customers. Internally, we often think about how we can make it easier for our customers to manage compliance in their networks.
So, basically it is about helping you to plan, deploy, operate, and manage the security baselines in your environment. As you might know, we have provided free tools, which we call Solution Accelerators, for quite a while (if you did not know, shame on us). We provide a Security Compliance Manager in this program as well, and the new version is in Beta right now.
Basically the new Security Compliance Manager Solution Accelerator provides you with a few pretty exciting features:
- Centralized management and baseline portfolio
- You can customize the security baselines
- You can compare them and export them (e.g. to GPOs)
- You can verify and monitor them
As a picture says more than a thousand words, here are a few (cool!!) screenshots of the tool:
Check for Baselines
Compare Baselines
Customize the Baseline
Export it (to enforce it through GPOs)
Merge different Baselines
So, if you are as excited as I am, you should join the Beta program, which is now open. That's the way to give feedback and influence the tool now! Therefore my "call to action" for you is:
The beta will run through March 2010. That means now is the time to join the beta program, take an early look at this tool, and provide the Security Solution Accelerators team with your feedback.
Want the facts straight from the development team? Check out this series of short videos! Better yet, post your own video response sharing your favorite feature.
Want more information on a specific feature? Interested in speaking with the development team? Please contact Michelle Arney.
Have a lot of fun!!
Roger
Posted on 17th February 2010 by Roger in Associations | General | Incidents | Trends
I just worked my way through the list SANS published (the CWE/SANS Top 25 Most Dangerous Programming Errors). Looking at the list, it is not surprising but scary to see which errors made it to the top:
- Cross-site Scripting
- SQL Injection
- Classic Buffer Overflow
- Cross-Site Request Forgery
- Improper Access Control
It shows, as we often say, that the attacks have moved up the stack and that a lot of the challenges are based on improperly written applications. So, if your organization is developing applications, you should start to implement a process like the Security Development Lifecycle. If you need information about this, look at our website: Microsoft Security Development Lifecycle
Roger
Posted on 10th February 2010 by Roger in Incidents | People | Trends
I read this article this morning: Safer Internet Day: How children can undermine corporate security, and it actually reminds me of all the PCs I looked at in my private environment. When I see a heavily infected PC, the parents always tell me that the peer-to-peer software on the PC was installed by the kids and that they are downloading software with it. This is a problem at home, but definitely a bigger one on your corporate notebook.
What can you do against it? Well, you could lock down the notebooks and make it impossible for people to work anymore. I think it is much more about awareness as well as enforcing policy compliance. It is pretty obvious that if somebody runs illegal copies of software on a corporate asset, this puts you as a company at legal risk. Therefore it might make sense to run a software inventory, check regularly for such software, and then kick off the corresponding administrative processes.
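One way to run such a software inventory, as an added example for this post (not a Microsoft product and not code from the article linked above): the PowerShell script below reads the Uninstall registry keys that Programs and Features is built on, including the 32-bit view on 64-bit Windows and the per-user keys where a non-admin user (or the kids on the family notebook) can install software without touching HKLM. Every entry is matched against a pattern list, and the full inventory plus the flagged hits go to a CSV. The pattern list, the computer list and the report path are assumptions for the example.

```powershell
# Added example: inventory installed software from the Uninstall registry keys and
# flag entries that match a policy pattern list. Patterns, hosts and the report path
# are assumptions for this example; adapt them to your own policy.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$FlagPatterns = @('^(u|e)?torrent', 'bittorrent', 'limewire', 'frostwire',
                                'emule', 'kazaa', 'bearshare', 'keygen', 'crack'),
    [string]$ReportPath = "$env:TEMP\software-inventory.csv"
)

# Per-machine 64-bit, per-machine 32-bit (WOW6432Node) and per-user installs.
# Per-user keys are only visible for user hives that are currently loaded, i.e.
# users who are logged on; a scheduled scan at logon catches the rest over time.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKU:\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# The collector is a script block so the same code runs locally or via Invoke-Command.
$collect = {
    param([string[]]$keys, [string[]]$patterns)
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $name = $_.DisplayName
            $hit  = $patterns | Where-Object { $name -match $_ } | Select-Object -First 1
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                DisplayName = $name
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                PerUser     = ($_.PSPath -like '*HKEY_USERS*')   # installed under a user hive
                Flagged     = [bool]$hit
                Pattern     = $hit
            }
        }
}

$inventory = @(foreach ($c in $ComputerName) {
    if ($c -eq $env:COMPUTERNAME) {
        & $collect $uninstallKeys $FlagPatterns
    } else {
        # Remote hosts need PowerShell remoting enabled (Enable-PSRemoting).
        Invoke-Command -ComputerName $c -ScriptBlock $collect -ArgumentList $uninstallKeys, $FlagPatterns
    }
})

$flagged = @($inventory | Where-Object { $_.Flagged })

# Whole inventory to CSV for the administrative follow-up; hits to the console.
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
"{0} package(s) inventoried on {1} host(s); {2} flagged. Report: {3}" -f `
    $inventory.Count, $ComputerName.Count, $flagged.Count, $ReportPath
$flagged | Format-Table Computer, DisplayName, Version, PerUser, Pattern -AutoSize
```

Name matching is a starting point, not a control: software that was extracted to a folder rather than installed, or renamed, never shows up in the Uninstall keys, so treat a clean inventory as "nothing registered", and combine it with an execution policy (AppLocker or Software Restriction Policies) if you need enforcement rather than visibility.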
Roger
Posted on 9th February 2010 by Roger in Government | Strategy | Trends
When I travel through Africa, the high piracy rate is often something we address. Not necessarily from a commercial perspective, but much more from a security angle. We know that pirated software is often infected with malware and therefore used for criminal activities. However, the discussion is a difficult one, as a lot of people do not really see the value of software, since you cannot touch it. I sometimes face discussions like a customer telling me that they hired a consulting company to assess their security and now they want Microsoft's help to fix the problems. When we talk about Microsoft Consulting Services, the customer tells me: "I am paying so much for your software, why do I have to pay for consultants as well?". It is often clear to them that consulting has a price, but the value of software is what we have to "sell" there.
Now, the government of Nigeria and Microsoft have started to use music to fight cybercrime (not only piracy). This is a thrilling way to spread the word and to address the target audience; something I think you should look at.
Here you find the press release by the Nigerian government: EFCC, Microsoft, Employ Music To Fight Cybercrime
The music clip can be found here.
And finally, a blog post by Tim Cranton, an Associate General Counsel at Microsoft: 'Maga No Need Pay': Nigeria Gets Creative to Fight Cyber Scams
Have a lot of fun
Roger