It hits the press from time to time that somebody was successful taking down a botnet. We had some success as well with the Waledac Botnet Takedown.

There is actually a good article on What it takes to shut down a botnet. When I was doing some bing-search on the botnet takedowns, I found good work from Microsoft research as well: Your botnet is my botnet: analysis of a botnet takeover.

It is not only about taking down the botnet, it is about going after the criminals and making sure it does not recover.

Roger

Related posts:

1. Results of Operation b49 (Botnet Takedown)
2. Is there a Botnet building on MS08-067 exploits?
3. How a Botnet looks like

It is an interesting and difficult question. What can we do to really be able to stay on top? Or shall we give up? Well, clearly, I do not think so.

I read this article today, which really made me think: Black Hats are Winning, Symantec Says – wow! A fairly clear statement. We lost (at least according to Symantec). And the solution is – you guess – new technology:

“Technology that does not rely on capturing and analysing a threat in order to protect against it, like Symantec’s Reputation-Based Security, is indeed becoming imperative. Other methods that are also playing a key role in combating today’s most pervasive threats are heuristic, behavioural and intrusion prevention technologies.”

So, I agree that new ways are need but really in enhancing today’s technology? Sure, we have to make sure we keep up with what is going on, but is it a technology problem, which can be solved by the next generation of any security product?

Remember that, a few years ago, we launched Trustworthy Computing in order to change the way we, Microsoft, internally think but we always said that this is an industry initiative. After a while, we realized that this was not enough and we came up with a model we call End to End Trust. The reason we did that was fairly simple: We did the SD3+C (Security by Design, Secure by Default, Secure in Deployment and Communication), we introduced the Security Development Lifecycle, and we worked on specific threat mitigation (actually, this is what Symantec seems to refer to). But unless the underlying architecture does fundamentally change, we (the industry) will not be able to change the rules and always run behind the criminals.

So, the ecosystem needs the trusted stack and a sound identity system which allows for strong identities and for minimal disclosure at the same time – without risking the freedom of speech.

All this is not new, the technologies are available. The problem is, that this is not a Microsoft challenge – it is an industry problem and the ecosystem has to buy in. We are doing a lot of groundwork there but as long as we are looking for medication to cure the symptoms and are not ready to look for the big bold changes, we will definitely lose. However, clearly we need to work on the medication in the meantime as well.

And then, let’s think about what this means for the Cloud… but this is something for another post…

Roger

Related posts:

1. SANS Commits $1 Million to Fight Cybercrime in Developing Countries
2. A Detailed Analysis of an Attack – Do We Need an International Incident Sharing Database?
3. Use Music to Fight Cybercrime: ‘Maga No Need Pay’

If you do not know this blog, it is definitely worth looking at it from time to time: Paleo-Future.

There I found a prediction on cybercrime dated 1981:

It describes the impact of computers in the “future” – say today. If you click on the picture, you can see the original.

There is a good quote in there:

However, it is very difficult to carry out a successful robbery by computer. Many computers have secret codes to prevent anyone but their owners from operating them. As computers are used more and more, it is likely that computer crime will become increasingly difficult to carry out.

– the original post can be found here: Computer Criminals of the Future (1981)

Roger

Related posts:

1. Success against Cybercrime
2. Are We Losing the Fight Against Cybercrime?
3. SANS Commits $1 Million to Fight Cybercrime in Developing Countries

I just read this article E-crime unit arrests suspected phishing gang, which shows that we are making progress in fighting cybercrime. Very good news

Roger

Related posts:

1. Council of Europe – Octopus Conference (Cooperation against Cybercrime) – Key Messages
2. Council of Europe – Octopus Conference (Cooperation against Cybercrime) Day 2
3. Council of Europe: We need ONE Cybercrime Convention

I blogged about the vulnerability which was publically disclosed by a researcher working for Google earlier this month. In the meantime the attacks started to increase. I think that it would be important for you to look at what is going on. There is a good blog post by our malware protection center: Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)

Roger

Related posts:

1. Vulnerability Disclosure to Compete?
2. End of Support for Windows 2000 and Windows XP SP2
3. Attacks on MS08-067

Probably not. However, it indefinitely is a security risk. We are talking about this since a looooooong time as such copiers are sold since 2002. I just recently heard that the criminals are looking into this heavily and now it is even discussed publically on BCS News: Copy Machines, a Security Risk?

Actually a really good video.

Roger

Related posts:

1. Assessing the risk of the August security updates
2. Lottery Scams – One of the Biggest Threat to End Users
3. More of a third of software is stolen

I guess you still know the discussions a while ago where it was made public that notebooks can be searched without suspicion when you cross the border to the US. Actually the truth is, that this can happen everywhere as far as I understand. To be clear: I am not a lawyer, I am an engineer. However, when I discussed this with a lawyer, he explained to me that anything I carry with me when I cross a border can be searched – something we got used to, no? The notebook is just part of the “anything” in the statement above.

So, the nervousness is really about the customs officer keeping a notebook and getting access to the data, which is scary but again, is this any different to carrying paper across the border – except for the sheer volume but basically if you carry confidential documents across any country’s border the customs officer can search you and have a look at your paper.

So far so good but it seems that some customs officers took their time when they actually wanted to search a notebook – a few months until an year.  They simply kept it. Now a court in the US ruled that this is illegal: Judge limits DHS laptop border searches

So, while the search at entry is still acceptable due to the points I made above, the confiscation of a computer for a longer period of time seems to be illegal. Will be interesting to see how this will develop.

Roger

Related posts:

1. Schneier on US Customs Notebook Searches: Do not follow the rules
2. Legal Challenges of International Business and the Cloud
3. A Detailed Analysis of an Attack – Do We Need an International Incident Sharing Database?

This is actually an interesting question. A lot of governments enforce rules and regulations on how you have to run your car, how often you have to check it, in which condition you have to keep your tires etc. The same is true for a lot of other devices we are using.

Now, it seems that the US just passed a bill to give the president the power to order companies to deploy security updates or block a certain type of traffic. I understand where this is coming from: You need some level of authority if your critical infrastructure is under attack. Here, a lot of governments rely on the collaboration of the different players. The US seems to go one step further. Honestly, I am not completely sure whether I like it or not. It has a lot of pros and cons.

What is your view?

Roger

Related posts:

1. A Detailed Analysis of an Attack – Do We Need an International Incident Sharing Database?
2. The Importance of International Collaboration–Even in Exercises
3. Analysis of the Estonian Attacks

As you know (I stress that fairly often ), I am Swiss. The reason why I am stressing this today is that I want to give you an example on security from the Swiss market: The banks here on place compete with each other – obviously. However, I have never seen the banks competing on security. They never use for example new authentication schemes in eBanking to compete. There is nothing like “our eBank is more secure than our competitor’s” or “have you seen, our competitor was just successfully phished”. The reason for that is fairly simple: The whole banking system will lose as trust will erode in the ecosystem as such if they start to blame each other and this is not to the advantage of all the banks.

Why do I tell you this? Well, as you know, we at Microsoft are promoting responsible disclosure of vulnerabilities since years. We do not buy vulnerabilities and if we find vulnerabilities in third party products, we let the vendor know and help them to fix the issue. This is to protect the ecosystem, to protect our customers as public, irresponsible disclosure puts all our joint customers at risk.

By the way, on a side-note I want to make sure you have seen the advisory we release yesterday on a Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution as it might be important for you to understand the workarounds. The history of this vulnerability can be found here: Windows Help Vulnerability Disclosure. I just want to quote the blog post: This issue was reported to us on June 5^th, 2010 by a Google security researcher and then made public less than four days later, on June 9^th, 2010.  Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

…

Roger

Related posts:

1. How to Deal With Vulnerabilities
2. Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)
3. Selling Vulnerabilities and Ethics

The debate is probably as old as the Open Source software development model: Which one is more secure: Open Source or shared source as we at Microsoft run it? I know that we could now enter a religious debate about that, which I do not want to as I do not really believe in the value of such debate.

However, it is always interesting to see who is looking how at this debate. Does it help security if everyone can see the code or does it help the attackers? We have a program which we call Government Security Program, giving governments under certain circumstances (e.g. protection of intellectual property) access to our source. Sometimes we have the debate with government officials whether having access to the code could allow an attacking government to get an advantage in the area or cyberwar or cyber espionage. Looking at that debate, OpenSource would even be worse as it means access for everybody.

Now, I just read this article: Open-Source Could Mean an Open Door for Hackers. It is about a paper looking at data from Intrusion Detection Systems and their finding is that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software. An interesting statement in the light that we know that there are more vulns in OpenSource software than in shared source and fairly often it is because of the lack of processes enforced to engineer security into the product from the beginning.

Another thing which is important to me is “As defenders get out their patches, the attackers have more incentive to move on to a different exploit,” Ransbotham [the author of the paper] says. In other words, having a strong incident response (besides the engineering process) is at least as important.

This should be something the industry adopts. We made our engineering process called Security Development Lifecycle public and I think our incident response is wide known as well as being a best practice. So, something people should finally come to adopt

Roger

Related posts:

1. The Debate on Security Metrics
2. We Need Solid and Strong Transparent Processes for the Cloud
3. The Importance of Application Security