I read this article today, which really made me think: Black Hats are Winning, Symantec Says – wow! A fairly clear statement. We lost . . . → Read More: Are We Losing the Fight Against Cybercrime?]]> It is an interesting and difficult question. What can we do to really be able to stay on top? Or shall we give up? Well, clearly, I do not think so.

I read this article today, which really made me think: Black Hats are Winning, Symantec Says – wow! A fairly clear statement. We lost (at least according to Symantec). And the solution is – you guess – new technology:

“Technology that does not rely on capturing and analysing a threat in order to protect against it, like Symantec’s Reputation-Based Security, is indeed becoming imperative. Other methods that are also playing a key role in combating today’s most pervasive threats are heuristic, behavioural and intrusion prevention technologies.”

So, I agree that new ways are need but really in enhancing today’s technology? Sure, we have to make sure we keep up with what is going on, but is it a technology problem, which can be solved by the next generation of any security product?

Remember that, a few years ago, we launched Trustworthy Computing in order to change the way we, Microsoft, internally think but we always said that this is an industry initiative. After a while, we realized that this was not enough and we came up with a model we call End to End Trust. The reason we did that was fairly simple: We did the SD3+C (Security by Design, Secure by Default, Secure in Deployment and Communication), we introduced the Security Development Lifecycle, and we worked on specific threat mitigation (actually, this is what Symantec seems to refer to). But unless the underlying architecture does fundamentally change, we (the industry) will not be able to change the rules and always run behind the criminals.

So, the ecosystem needs the trusted stack and a sound identity system which allows for strong identities and for minimal disclosure at the same time – without risking the freedom of speech.

All this is not new, the technologies are available. The problem is, that this is not a Microsoft challenge – it is an industry problem and the ecosystem has to buy in. We are doing a lot of groundwork there but as long as we are looking for medication to cure the symptoms and are not ready to look for the big bold changes, we will definitely lose. However, clearly we need to work on the medication in the meantime as well.

And then, let’s think about what this means for the Cloud… but this is something for another post…

Roger

Since quite a while we run a program called MAPP – the Microsoft Active Protections Program, where we share vulnerability information with security vendors to help them to get signatures out to our joint customers the moment we . . . → Read More: Microsoft and Adobe: Collaboration Against Threats]]> You know my opinion on collaboration between countries, on public-private-partnerships as well as on collaboration between companies.

Since quite a while we run a program called MAPP – the Microsoft Active Protections Program, where we share vulnerability information with security vendors to help them to get signatures out to our joint customers the moment we release a security update.

Additionally, we know form our data (see the Security Intelligence Report) that PDF is the most exploited file format. Therefore I think it is a great signal that Adobe will join the MAPP program to tighten our joint collaboration.

It is another clear signal that we are up for action to address the security challenges in the ecosystem.

Roger

Now, planning for such . . . → Read More: The Importance of International Collaboration–Even in Exercises]]> One of the biggest challenges in Critical Infrastructure Protection or Incident Response is collaboration. Collaboration between the public and the private sector as the private sector is most often running the critical infrastructure; collaboration between different governments as well as incidents do not tend to stop at a country’s border.

Now, planning for such a collaboration is one thing but really trying out whether the collaboration really works is another one. Just testing whether all the communication channels come up and can get established is hard by itself.

The US was already running exercises called “Cyberstorm” within the US to test the collaboration and the plans within the US. Now it seems that they are planning to extend that: Next Cyberstorm exercise to stress international cooperation on security. This is a great development and it will be interesting to see what the results will be.

Roger

One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a huge amount of data we . . . → Read More: Microsoft Security Intelligence Report – What it means for EMEA]]> “Unfortunately” I have been on vacation when we released the Security Intelligence Report last week. Nevertheless I would like to take the opportunity and look at it more from a EMEA perspective.

One of the interesting data points we always publish is the Malware Infection Rate. Remember, there is a huge amount of data we can collect from different like the Malicious Software Removal Tool, Microsoft Security Essentials, Defender, etc. given you agreed to share your data with us.

If we look at the heat map in EMEA, this is the picture you will see:

So, there are different countries which are red (highly infected) and green (not very infected). Now, obviously we do not have the same amount of data for all the countries. If we take the countries with more than 100’000 average executions per month of the Malicious Software Removal Tool, we see this ranking for the best and the worst countries worldwide (the bold countries have an execution rate with more then a million average executions per month):

Let’s take the EMEA countries in this list and see how they developed over the last three reports. The best countries first:

It is actually good to see that with the exception of Senegal all the EMEA countries in the top list could reduce their infection rate. Often this is based on a good collaboration between the public and the private sector.

But what about the other end of the ranking? Let’s see:

Here the picture is not as clear. Some countries like Serbia and Montenegro, Turkey etc. have a very bad 1H09 but then came back to their “normal” level. Unfortunately we cannot see a clear trend here but there are some countries, which are slowly improving (e.g. Russia). There is definitely coordinated activity needed in these countries. Turkey for example is working on pulling people together to address the issue.

If we turn it around and look at it from an Operating System perspective, we definitely see that newer Operating Systems are better than older (which was to be expected):

From the malware we can turn to the vulnerabilities. Since quite a while we are talking about having the problem moving up the stack, which is reflected in the picture on the industry-wide vulnerabilities:

This means as well, that you definitely should cover all your applications when you think about patch management and you have to do this for all your vendors:
When it comes to patching, we see a fairly good coverage with Windows Update, Microsoft Update and WSUS. Especially if you are looking at the relative growth compared to the Windows installed base:

So, you see: There is a lot of great information in the Security Intelligence Report – go and look at it.

Even though I did not go into the details here but Rogue Security Software is still a huge a problem out there and there is a chapter again on this theme as well!

Finally, if I could have three take-away, this would be it:

• Get a coordinated approach to fight malware between the public and private sector
• Move to the latest version of software, wherever you can
• Cover all the products you have with your Patch Management processes

Roger

Now it is time to look back and try to understand what we learned so far. sudosecure traces the Waledac infections and give a good view of new infections by the . . . → Read More: Results of Operation b49 (Botnet Takedown)]]> On February 24th we announced the work we did on taking down Waledac – read Tim Cranton’s blog post called Cracking Down on Botnets.

Now it is time to look back and try to understand what we learned so far. sudosecure traces the Waledac infections and give a good view of new infections by the bot:

But I guess to better understand, what really happened and what the impact was, you should read the post by the Microsoft Malware Protection Center What we know (and learned) from the Waledac takedown

Really good reading

Roger

When I started to think about the Cloud and security and thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we . . . → Read More: Legal Challenges of International Business and the Cloud]]> To start with: I am an engineer not a lawyer – and this might be part of the problem…

When I started to think about the Cloud and security and thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we – as an industry – already had. Or better, the legal challenges I knew about. Our Cloud Security Challenges paper just touches a little bit on this but to me it is a big challenge (to big for an engineer ?)

Let me give you an example: A case which happens often is that Law Enforcement is approaching any mail-provider with the request to access the content of a mailbox because they have a case where the suspect is expected to have mails which can be used as evidence. This is actually fairly standard and within the legal boundaries of a country straight-forward if the law enforcement officer has a court decision. Now, with international providers it gets more complicated as a case in Belgium showed: The Belgium policed asked Yahoo! to give them access to a mailbox of a person living in Belgium based on a Belgium court decision. However, this data is hosted in the United States. Pretty normal: The police then should the FBI for help, they issue the corresponding papers (together with the court) and Yahoo! would hand over the data – this process is called MLAT (mutual legal assistance treaty). Belgium refused to do that as it was their position that a Belgium decision is good enough because the suspect lives in Belgium. Yahoo! now had two choices: Violate the US law by handing over the data or violate the Belgium court decision by not handing over the data – a lose-lose position they were in .

And the worst thing to me is that we all have just one goal: We want to get the criminals arrested – this is a battle where law enforcement, policy makers and the industry are on the same side! If you want to read more: Yahoo Fined By Belgian Court For Refusing To Give Up E-Mail Account Info

And there are a lot of cases like this. Cases where the data retention policy in one country asks for data up to 12 months and another country tells you that you are not allowed to keep data for longer than 8 months because of the Data Protection law – if you operate in both, what do you do?

The longer I work in this space the more complicated it gets for me and more of such challenges pop up. This morning I read the following article: A step in the right direction. Basically this blog post covers a privacy law put in place in Massachusetts which has broad impact as it is valid not only if you are located in Massachusetts but if the company owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. In other words – if you “run the risk” of selling to somebody in Massachusetts, you are subject to this law!

As I said, the situation gets incredible complex.

Where does this lead us to? To me there are a few things which should be done:

• Governments and the industry have to work much closer together. The industry has to have the ability to show the stumbling blocks for the businesses and together – the government and the industry – have to find solutions which protects the citizens’ rights, helps to grow the economy and helps to go after the criminals.
• Governments have to think globally and act locally. Today’s cybercrime environment does not allow anymore for “local only” solutions. There needs to be a certain level of harmonization of laws across the countries and the willingness to collaboration fast. As there is not a global jurisdiction on that level, the willingness to have harmonized legislation will be key. The challenge however is that governments are re-elected locally – not globally…
• The Industry has to behave responsibly. In order to make this happen, the industry has to be seen as a partner for the government. The only way to get there – in my opinion – is to act responsibly. If I look at certain behaviors I see in the industry, it is sometimes too much focused on the short-term revenue, rather than a responsible behavior.

This will definitely be the basis for a better collaboration and an environment where the legal challenges (see the Yahoo! case above) do not have to be solved on the shoulders of the businesses “just because” of legal deficiencies between countries. As I said above, we all want to fight crime as it is necessary and as it is the only way to grow the Internet in the future. And this all helps us I think

Roger