Juan Jose Rizal's profile - Microsoft Malaysia Secur...

Blog


    August 01

    Deep Packet Inspection: Big Brother Technology for ISP's


    This 'big brother' or 'eavesdropping' technology has long been used by the United States military.

    Notoriously known as ECHELON, this remnant of the Cold War is still in operation today.

    From Wikipedia:

    ECHELON is a name used in global media and in popular culture to describe a signals intelligence (SIGINT) collection and analysis network operated on behalf of the five signatory states to the UK-USA Security Agreement (Australia, Canada, New Zealand, the United Kingdom, and the United States, known as AUSCANZUKUS).[1]

    The system has been reported in a number of public sources.[2] Its capabilities and political implications were investigated by a committee of the European Parliament during 2000 and 2001 with a report published in 2001.[3]

    On the civilian side, the same technology has been deployed in the US and other countries to sniff packets in real time: big brother.

    Michael Kassner wrote a very interesting article on Deep Packet Inspection and its potential abuse by governments through ISPs.

    Users' privacy is at stake here.

    Anyone who uses the Internet needs to be aware of Deep Packet Inspection (DPI), its uses, and potential misuses. You may recognize DPI as what ISPs use to conform to CALEA, the U.S. government-ordered Internet wire-tapping directive. If that’s not enough, DPI, albeit behind the scenes, allows ISPs to block, shape, and prioritize traffic, which is now fueling the “Net Neutrality” versus traffic priority debate. So, what is DPI and how does it work?

    So what is DPI?

    DPI is next-generation technology that’s capable of inspecting every byte of every packet that passes through the DPI device, that means packet headers, types of applications, and actual packet content. Up until now, this wasn’t possible with IDS/IPS systems or stateful firewalls. The difference being, DPI has the ability to inspect traffic at layers 2 through 7, hence the “deep” in DPI. A simple analogy would be that of snail mail. IDS/IPS firewalls would be the mail sorters who just read the letter’s address, knowing nothing about the letter’s content. Inspecting Internet traffic from layers 2 through 7 would correspond to the person who actually reads the letter and understands the contents.

    To recap, DPI allows people controlling the device to know everything, including the payload of each packet in the data stream. For example, if an unencrypted e-mail is scanned, the actual body of the e-mail can be reassembled and read. Nate Anderson wrote an excellent Ars Technica article “Deep Packet Inspection Meets Net Neutrality, CALEA.” The following quote appears in that article:

    “Deep packet inspection refers to the fact that these boxes don’t simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble e-mails as they are typed out by the user.”

    Mr. Anderson also explains what happens at layer 7:

    “Layer 7 is the application layer, the actual messages sent across the Internet by programs like Firefox or Skype or Azureus. By stripping off the headers, deep packet inspection devices can use the resulting payload to identify the program or service being used. Procera, for instance, claims to detect more than 300 application protocol signatures, including BitTorrent, HTTP, FTP, SMTP, and SSH. Ellacoya reps tell Ars that their boxes can look deeper than the protocol, identifying particular HTTP traffic generated by YouTube and Flickr, for instance. Of course, the identification of these protocols can be used to generate traffic shaping rules or restrictions.”

    What makes DPI all the more impressive is that the packet analysis happens in real time, with data stream throughput approaching 20-30 Gb. See where I’m going with this? With no loss of throughput, ISPs are able to insert these devices directly in their data streams, forcing all traffic to pass through the devices. Procera, Narus, and Ellacoya are front-runners in development of this technology, having placed equipment throughout the world.

    DPI’s potential uses

    DPI technology is unique in that as of now it’s the only way to accomplish certain governmental security directives. DPI also has the potential to do a great deal of good. For example, DDoS attacks are virtually impossible to thwart. Conceivably if DPI were in place and configured correctly it would detect the DDoS packets and filter them out. Some more potential uses are listed below:

    • Network security: DPI’s ability to inspect data streams at such a granular level will prevent viruses and spyware from either gaining entrance to a network or leaving it.
    • Network access: DPI creates conditions where network access rules are easy to enforce due to the deep inspection of packets.
    • CALEA compliance: DPI technology augments traffic access points (TAP) technology used initially for governmental surveillance equipment.
    • SLA enforcement: ISPs can use DPI to ensure that their acceptable use policy is enforced. For example, DPI can locate illegal content or abnormal bandwidth usage.
    • QoS: P2P traffic gives ISPs a great deal of trouble. DPI would allow the ISP to instigate traffic control and bandwidth allocation.
    • Tailored service: DPI allows ISPs to create different services plans, which means users would pay for a certain amount of bandwidth and traffic priority. This one is controversial and affects Net Neutrality.
    • DRM enforcement: DPI has the ability to filter traffic to remove copyrighted material. There’s immense pressure from the music and movie industries to make ISPs responsible for curtailing illegal distribution of copyrighted material.

    The above applications have the potential to give users a better Internet experience. Yet it wouldn’t take much mission creep to create major privacy concerns. I would feel remiss if I didn’t point them out and help everyone understand the ramifications.

    Possible misuses of DPI

    DPI is another innovative technology that has ISPs arguing with privacy advocates. ISPs and DPI developers are adamant that the technology is benign and will create a better Internet experience. However, privacy groups have two major concerns: little or no oversight and the potential for losing still more individual privacy. Many experts find the following uses of DPI to be especially troubling:

    • Traffic shaping: Traffic shaping is where certain traffic or entities get priority and a predetermined amount of bandwidth. With the increasing number of bandwidth-hungry applications, ISPs are having to make decisions on whether to increase available bandwidth with infrastructure build out or increase control of the existing bandwidth. Installing a DPI system is usually the choice as it’s cheaper and has a more predictable RoI. Albeit cheaper, it’s riskier, and I suspect that’s why the Net Neutrality debate is going on right now.
    • Behavioral targeting (BT): BT uses DPI technology for the sole purpose of harvesting user information anonymously (supposedly) and selling it to interested parties who use the information to create ads that are targeted to the individual.

    Final thoughts

    This is a very complex subject, having the potential to change everyone’s view of the Internet. An optimist would say that DPI will help enhance the experience, even producing ads that are relevant to each individual user. Whereas a pessimist would say it’s “big brother” technology that only benefits ISPs. I don’t think anyone is sure how the Internet will look when the dust settles about DPI, but it should be interesting.

    I hope that I was able to increase awareness of how ISPs using a DPI device can intercept, read, and interpret every one of your Internet-destined packets. An ulterior motive for explaining DPI is that in my next article I’d like to discuss behavioral targeting, a very controversial technology that uses DPI. I also want to discuss what, if any, options are available to prevent DPI from scanning your Internet traffic.

    Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.
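The layer-2-through-7 inspection Kassner describes above, as an added example that is not code from his article, from this blog, or from any DPI vendor: it parses constructed Ethernet/IPv4/TCP frames, compares the port-based label a header-only device would assign with the payload signature a DPI device matches, and shows that a cleartext HTTP Host header is readable while a TLS payload yields only its record type. The function names, sample addresses and the small signature set are my own assumptions.

```python
"""Toy deep packet inspection (DPI) classifier over constructed frames.

Added example, not code from the quoted article or this blog: it contrasts
what a header-only device (layers 2-4: addresses and ports) can say about a
packet with what a DPI device learns by reading the layer-7 payload.
The signatures are well-known protocol fingerprints, not a vendor's set.
"""
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# The only "application" knowledge a port-based firewall or IDS has.
WELL_KNOWN_PORTS = {22: "SSH", 25: "SMTP", 80: "HTTP", 443: "TLS", 6881: "BitTorrent"}

# Layer-7 signatures checked against the first bytes of the TCP payload.
SIGNATURES = (
    ("BitTorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("SSH", lambda p: p.startswith(b"SSH-")),
    ("SMTP", lambda p: p.startswith((b"EHLO ", b"HELO ", b"MAIL FROM:"))),
    # TLS record: content type 0x16 (handshake), major version 3.
    ("TLS", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("HTTP", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")
     and b" HTTP/1." in p.split(b"\r\n", 1)[0]),
)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)   # dst MAC, src MAC, type
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64,
                     PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # seq/ack 1, data offset 5 words (20 bytes), flags PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Walk layers 2-4 and return the 5-tuple plus the raw layer-7 payload."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4                 # IPv4 header length in bytes
    ip_hdr = frame[ETH_LEN:ETH_LEN + ihl]
    if ip_hdr[9] != PROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp_start = ETH_LEN + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4       # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(ip_hdr[12:16]), "dst": socket.inet_ntoa(ip_hdr[16:20]),
        "sport": sport, "dport": dport, "payload": frame[tcp_start + data_off:],
    }


def header_only_label(pkt):
    """Port-based guess: all a stateful firewall learns without reading payload."""
    return WELL_KNOWN_PORTS.get(pkt["dport"], "unknown")


def dpi_label(pkt):
    """Payload-based classification, independent of the port in use."""
    for name, matches in SIGNATURES:
        if matches(pkt["payload"]):
            return name
    return "unknown"


def dpi_details(pkt):
    """Drill into cleartext payloads; an encrypted payload yields nothing readable."""
    label, payload = dpi_label(pkt), pkt["payload"]
    if label == "HTTP":
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                return {"host": line.split(b":", 1)[1].strip().decode()}
    if label == "TLS":
        return {"encrypted": True}
    return {}


def inspect_frame(frame):
    """Side-by-side result of header-only versus deep inspection for one frame."""
    pkt = parse_frame(frame)
    return {"flow": f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}",
            "header_only": header_only_label(pkt),
            "dpi": dpi_label(pkt),
            "details": dpi_details(pkt)}


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_FRAMES = {
    # Webmail request on a non-standard port: invisible to port-based classification.
    "http_on_8080": build_frame("192.0.2.10", "198.51.100.5", 51234, 8080,
                                b"GET /mail/inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"),
    # BitTorrent handshake on port 80: a port-based box calls it HTTP.
    "torrent_on_80": build_frame("192.0.2.10", "198.51.100.6", 51235, 80,
                                 b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"\x22" * 20),
    # TLS handshake record: DPI sees the protocol but none of the content.
    "tls_on_443": build_frame("192.0.2.10", "198.51.100.7", 51236, 443,
                              b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, inspect_frame(frame))
```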

    July 28

    The Last Lecture: Professor Randy Pausch

    God takes away the good ones first, so the living will take note and learn from them. Last Friday, 25th of July 2008, the renowned and respected Prof Dr Randy Pausch passed away after a long battle with pancreatic cancer. He was 47. He is survived by his wife and children Dylan, Logan, and Chloe.

    His contribution, not only to Carnegie Mellon University but to the world, showed his dedication to teaching others and the value of humanity. He was the founder of the Alice program, an animated educational system for high school and college students.

    Rest in Peace.

    July 22

    Microsoft: Forget iPhone; we're still No. 2 in business

    The big(ger) dog gets growly


    July 21, 2008 (Computerworld) Companies -- lots of them -- are still buying Windows Mobile smart phones, and Microsoft Corp. doesn't want to let iPhone mania make them forget.

    During Microsoft's most recent fiscal year, 325 enterprises purchased at least 500 Windows Mobile phones, with many buying many more, said Scott Rockfeld, group products manager for the mobile communications business at Microsoft, in a Friday interview.

    "From the armed forces to the U.S. Court System, people are not just trying Windows Mobile, they are buying them," Rockfeld said, in apparent reference to a statement by Apple Inc. CEO Steve Jobs last month that 35% of Fortune 500 companies were beta-testing the iPhone.

    My opinion: the iPhone is a fun phone, but still a toy for the kids. Big boys still prefer Windows Mobile smart phones.

    Storm Worm - wreaking havoc across the planet

    The Storm worm (not to be confused with W32/Storm.worm) was first discovered on 17th of January 2007. It was named by the Finnish company F-Secure and is a trojan that infects Microsoft operating systems. It spreads via email, with these subject lines:

    • A killer at 11, he's free at 21 and kill again!
    • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
    • British Muslims Genocide
    • Naked teens attack home director.
    • 230 dead as storm batters Europe.
    • Re: Your text
    • Radical Muslim drinking enemies's blood.
    • Chinese/Russian missile shot down Chinese/Russian satellite/aircraft
    • Saddam Hussein safe and sound!
    • Saddam Hussein alive!
    • Venezuelan leader: "Let's the War beginning".
    • Fidel Castro dead.
    • If I Knew

    When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.[10] The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates.[9] Some of the known names for the attachments include:[10]

    • Postcard.exe
    • ecard.exe
    • FullVideo.exe
    • Full Story.exe
    • Video.exe
    • Read More.exe
    • FullClip.exe
    • GreetingPostcard.exe
    • MoreHere.exe
    • FlashPostcard.exe
    • GreetingCard.exe
    • ClickHere.exe
    • ReadMore.exe
    • FlashPostcard.exe
    • FullNews.exe
    • NflStatTracker.exe
    • ArcadeWorld.exe
    • ArcadeWorldGame.exe

    More information here, here and here.

    July 13

    Microsoft Security Assessment Tool for Governments (MSATg)

    The Microsoft Security Assessment Tool 3.75G (G for government version) is a revised version of the Microsoft Security Assessment Tool (MSAT) developed by Microsoft’s Trustworthy Computing Group. MSAT is a comprehensive toolset to help security organizations within governments become more aware of the evolving security threat landscape that could impact their organizations.

    The tool employs a holistic approach to measuring security postures by covering topics across people, process, and technology. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance. These resources can help maintain awareness of specific tools and methods changing the security posture of the IT environment.

    The new Microsoft Security Assessment Tool conducts assessments focused on four primary areas:

    • Infrastructure Security
    • Application Security
    • Security Operations
    • People, Process, Policy

    After completing each Assessment, a detailed report of the results is available to review.

    The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.

    The MSAT v3.75g is now available to SCP Participants. The “g” version removes the feature that allows uploading and sharing the results with Microsoft and comparing them with other companies. This version adds the ability to compile results on a user agency’s own servers and compare results between departments. Also as a part of this version, we provide instructions on developing a standard baseline and how this standard baseline can be distributed to other agencies to conduct an assessment comparison.

    The MSAT 3.75G version is now available in the following languages:

    Canadian French, French, German, Russian, Italian, Spanish (Latin America), Spanish (Spain), Portuguese (Portugal), Portuguese (Brazil), Chinese (Simple), Chinese (Mandarin), Japanese, Swedish, Norwegian, Danish, English (US), and English (UK).

    Microsoft Security Tuesday/Wednesday

    Bulletin Number | Maximum Severity | Affected Products | Impact
    MS08-037 | Important | Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008 | Spoofing
    MS08-038 | Important | Windows Vista and Windows Server 2008 | Remote Code Execution
    MS08-039 | Important | Exchange Server 2003 and Exchange Server 2007 | Elevation of Privilege
    MS08-040 | Important | SQL Server 7.0, SQL Server 2000, SQL Server 2005, MSDE 1.0, MSDE 2000, SQL Server 2005 Express, SQL Server 2005 Express with Advanced Services, WMSDE, Windows Internal Database (WYukon) | Elevation of Privilege

    Summaries for these new bulletins may be found at the following page:

    http://www.microsoft.com/technet/security/bulletin/MS08-jul.mspx

    Microsoft Windows Malicious Software Removal Tool

    Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU) and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS). Information on the Microsoft Windows Malicious Software Removal Tool can be located here: http://go.microsoft.com/fwlink/?LinkId=40573

    High-Priority Non-Security Updates

    High-priority non-security updates that Microsoft releases on Microsoft Update (MU), Windows Update (WU) or Windows Server Update Services (WSUS) are detailed in the following KB article: http://support.microsoft.com/?id=894199

    July 08

    Microsoft Security Taxonomy 2.0

    From a counterpart's blog, Microsoft Italia:

    Feliciano Intini has effortlessly compiled Microsoft security web sites.


    Microsoft Security Experts Blogs (in alphabetic order):

    Aaron Margosis

    Cyril Voisin [UPD-08-04]

    David LeBlanc [UPD-08-04]

    Eric Fitzgerald

    Jeff Jones

    Kai Axford

    Kim Cameron

    Kimmo Bergius [UPD-08-04]

    Mark Russinovich

    Michael Howard

    · (BK) Writing Secure Code 2nd Ed

    · (BK) 19 Deadly Sins of Software Security

    · (BK) The Security Development Lifecycle

    · (BK) Writing Secure Code for Windows Vista

    Robert Hensing

    Roger Halbheer [UPD-08-04]

    Steve Lamb

    Steve Riley

    Urs P. Küderli [UPD-08-04]

    Vittorio Bertocci

    · (BK) Understanding Windows CardSpace [UPD-08-03]

    Vladimir Mamykin [UPD-08-04]

    0.0 Microsoft Strategy & Initiatives

    0.1 Security & Privacy

    0.1.1 Trustworthy Computing (TwC)
    (W3) Trustworthy Computing homepage [UPD-08-04]

    0.1.1.1 End to End Trust
    (W3) End to End Trust homepage [UPD-08-04]

    0.2 Interoperability
    (W3) Interoperability homepage [UPD-08-04]

    0.2.1 Interoperability Principles
    (W3) Interoperability Principles homepage [UPD-08-04]

    1.0 Internet Security

    1.1 Identity Metasystem & Windows CardSpace
    (SB) Kim Cameron’s Identity Blog [UPD-08-03]
    (SB) Vittorio Bertocci’s Vibro.NET blog [UPD-08-03]
    (SB) CardSpace: Behind The Code [UPD-08-03]
    (W3) Windows CardSpace MSDN Resources [UPD-08-03]
    (W3) Windows CardSpace on Microsoft .NET Framework 3.0 Community [UPD-08-03]
    (BK) Understanding Windows CardSpace [UPD-08-03]

    1.2 Online Services Security
    (W3) Microsoft Online Services TechCenter [UPD-08-04]
    (WP) Security Features in Microsoft Online [UPD-08-04]

    1.2.1 Windows Live Security
    (B) Windows Live ID Team Blog

    2.0 Perimeter & Network Security

    2.1 Forefront Edge Security (Internet Access Protection & Secure Remote Access)
    (W3) Forefront Edge Security homepage [UPD-08-04]

    2.1.1 Internet Security & Acceleration (ISA) Server
    (W3) ISA Server homepage [UPD-08-04]

    2.1.1.1 Previous versions: ISA 2000, ISA 2004
    (SB) ISA Server Product Team Blog

    2.1.1.2 Internet Security & Acceleration (ISA) Server 2006
    (SB) ISA Server Product Team Blog
    (W3) ISA Server TechCenter [UPD-08-01]

    2.1.1.3 Forefront Threat Management Gateway (TMG)
    (SB) Forefront Stirling Blog [UPD-08-04]
    (W3) Forefront "Stirling" TechCenter [UPD-08-04]

    2.1.2 Internet Application Gateway (IAG)
    (W3) IAG homepage [UPD-08-04]

    2.1.2.1 Internet Application Gateway (IAG) 2007
    (W3) IAG 2007 TechCenter [UPD-08-01]

    2.1.2.2 Forefront Unified Access Gateway (UAG)
    (SB) Forefront Stirling Blog [UPD-08-04]
    (W3) Forefront "Stirling" TechCenter [UPD-08-04]

    2.2 Network Access Protection (NAP) Solution
    (SB) Network Access Protection Blog
    (W3) NAP TechCenter
    (BK) Windows Server® 2008 Networking and Network Access Protection (NAP)

    2.3 Remote Access, VPN & Quarantine Services
    (SB) Routing and Remote Access Blog
    (SB) ISA Server Product Team Blog
    (W3) Routing and Remote Access TechCenter
    (W3) VPN TechCenter [UPD-08-04]

    2.3.1 ISA 2006 VPN/QS
    (W3) VPN Concepts in ISA Server 2006 [UPD-08-04]

    2.3.2 Win2003 RAS/IAS/QS
    (W3) IAS TechCenter [UPD-08-04]
    (W3) Win2003 Remote Access Quarantine homepage [UPD-08-04]

    2.3.3 Win2008 NPS
    (W3) Win2008 NPS TechCenter [UPD-08-04]

    2.4 Wireless Security
    (B) Windows Core Networking Blog
    (W3) Wireless Networking TechCenter [UPD-08-04]
    (W3) Wireless and Mobile Security: Technical Resources [UPD-08-04]

    2.5 IPSEC, “Server & Domain Isolation” Solution
    (B) Windows Core Networking Blog
    (W3) IPSEC TechCenter [UPD-08-04]
    (W3) Server & Domain Isolation TechCenter [UPD-08-04]

    2.6 Windows Firewall
    (W3) Windows Firewall TechCenter [UPD-08-04]

    3.0 Operating System Security

    3.1 Client Operating System Security
    (SB) Security Tips & Talk Blog [UPD-08-03]

    3.1.1 Windows 2000 client security
    (WP) Windows 2000 Hardening Guide [UPD-08-02]

    3.1.2 Windows XP security
    (WP) Windows XP Security Guide [UPD-08-02]

    3.1.3 Windows Vista security
    (SB) Windows Vista Security Blog
    (W3) Windows Vista Security TechCenter [UPD-08-04]
    (WP) Windows Vista Security Guide [UPD-08-02]
    (SB) Windows Genuine Advantage Blog
    (W3) Genuine Microsoft Software
    (WP) IDC Study: The risks of obtaining and using pirated software

    3.2 Server Operating System Security
    (B) Windows Server Team Blog

    3.2.1 Windows 2000 Server security
    (W3) Windows Server 2000 Security TechCenter [UPD-08-04]
    (WP) Securing Windows 2000 Server [UPD-08-02]

    3.2.2 Windows Server 2003 security
    (W3) Windows Server 2003 Security TechCenter [UPD-08-04]
    (WP) Windows Server 2003 Security Guide [UPD-08-02]

    3.2.3 Windows Server 2008 security
    (W3) Win2008 Security & Protection TechCenter [UPD-08-04]
    (WP) Windows Server 2008 Security Guide [UPD-08-04]
    (BK) Windows Server® 2008 Networking and Network Access Protection (NAP)
    (BK) Windows Server® 2008 PKI and Certificate Security

    3.3 Windows Mobile Security
    (B) Windows Mobile Team Blog
    (W3) Device Management & Data Security
    (W3) Wireless and Mobile Security: Technical Resources [UPD-08-04]

    3.4 Server & Desktop Virtualization Security
    (B) Windows Virtualization Team Blog [UPD-08-04]
    (W3) Virtualization TechCenter [UPD-08-04]

    3.5 Anti-Malware Solutions (for systems)
    (SB) Anti-Malware Engineering Team

    3.5.1 Windows Defender
    (W3) Windows Defender homepage [UPD-08-04]
    (W3) Windows Defender TechCenter [UPD-08-04]

    3.5.2 Forefront Client Security
    (SB) Microsoft Forefront Client Security Team Blog
    (W3) Forefront Client Security TechCenter [UPD-08-01]

    3.5.2.1 Forefront “Stirling”
    (SB) Forefront Stirling Blog [UPD-08-04]
    (W3) Forefront "Stirling" TechCenter [UPD-08-04]

    3.5.3 Windows Live OneCare
    (W3) Windows Live OneCare homepage [UPD-08-04]
    (SB) Windows Live OneCare Team Blog
    (SB) Windows Live Safety Center Team Blog
    (SB) Windows Live OneCare Family Safety Blog

    4.0 Application Security

    4.1 Application & Platform Core Security
    (SB) The Security Development Lifecycle Blog
    (SB) Microsoft Application Threat Modeling Blog
    (SB) ACE Team (Security, Performance, and Privacy) Blog
    (SB) "%41%43%45%20%54%65%61%6d" Blog

    4.2 Client Applications Security

    4.2.1 Office Security
    (W3) Office Security TechCenter [UPD-08-04]
    (B) Microsoft Office Team Blogs

    4.2.1.1 Previous versions: Office 2000, Office XP
    (WP) Office 2003 Security Whitepaper [UPD-08-04]

    4.2.1.2 Office 2007 Security
    (WP) 2007 Microsoft Office Security Guide [UPD-08-02]

    4.2.2 Internet Explorer Security
    (W3) Internet Explorer TechCenter [UPD-08-04]
    (B) Internet Explorer Team Blog

    4.2.2.1 Previous versions: IE 6.0
    (WP) Understanding Security in IE 6 in Windows XP SP2 [UPD-08-04]

    4.2.2.2 IE 7.0 Security
    (WP) IE 7 Desktop Security Guide [UPD-08-04]

    4.2.2.3 IE 8.0 Security
    (W3) Internet Explorer 8 beta 1 homepage [UPD-08-04]

    4.2.3 Instant Messaging Security
    (WP) Security Considerations for Instant Messaging in the Workplace [UPD-08-04]

    4.2.3.1 Windows Live Messenger Security
    (B) Windows Live Messenger Team Blog

    4.2.3.2 Office Communicator 2007 Security
    (B) Microsoft Office Communicator Team Blog

    4.3 Server Applications Security

    4.3.1 Exchange Security
    (W3) Exchange Server TechCenter [UPD-08-04]
    (B) Microsoft Exchange Team Blog

    4.3.1.1 Previous versions: Exchange 2000, Exchange 2003 Security
    (W3) Exchange Server 2003 Security TechCenter [UPD-08-04]

    4.3.1.2 Exchange 2007 Security
    (W3) Exchange Server 2007 Security TechCenter [UPD-08-04]

    4.3.2 SQL Security
    (W3) SQL Server TechCenter [UPD-08-04]
    (W3) SQL Server Security TechCenter [UPD-08-04]
    (B) Microsoft SQL Server Support Blog

    4.3.2.1 Previous versions: SQL 2000 Security
    (W3) Checklist: Securing SQL Server 2000 [UPD-08-04]

    4.3.2.2 SQL 2005 Security
    (W3) SQL Server 2005 Security TechCenter [UPD-08-04]

    4.3.2.3 SQL 2008 Security
    (W3) SQL Server 2008 Security homepage [UPD-08-04]
    (WP) SQL Server 2008 Security overview for DB administrators [UPD-08-04]

    4.3.3 IIS Security
    (B) IIS.net Blogs

    4.3.3.1 Previous versions: IIS 5.0 Security
    (W3) IIS Security Guidance [UPD-08-04]

    4.3.3.2 IIS 6.0 Security
    (W3) Security in IIS 6.0 [UPD-08-04]
    (W3) Securing Web Sites and Applications [UPD-08-04]

    4.3.3.3 IIS 7.0 Security
    (W3) IIS 7.0: Configure Web Server Security [UPD-08-04]

    4.3.4 Sharepoint Security
    (B) Microsoft Office SharePoint Server Team Blog
    (W3) MOSS TechCenter [UPD-08-04]

    4.3.4.1 Microsoft Office Sharepoint Server (MOSS) 2007
    (W3) MOSS Security TechCenter [UPD-08-04]

    4.3.5 Unified Communications Solutions
    (W3) Unified Communications homepage [UPD-08-04]

    4.3.5.1 Office Communications Server (OCS) 2007 Security
    (B) Microsoft Office Communications Server Team Blog
    (W3) OCS TechCenter [UPD-08-04]

    4.3.6 Application Virtualization Security
    (W3) Application Virtualization TechCenter [UPD-08-04]

    4.4 Anti-Malware Solutions (for Server applications)
    (SB) Anti-Malware Engineering Team

    4.4.1 Forefront Server Security
    (SB) Microsoft Forefront Server Security Blog
    (W3) Forefront Server Security TechCenter [UPD-08-04]

    4.4.1.1 Microsoft Antigen
    (W3) Antigen TechCenter [UPD-08-01]

    4.4.1.2 Forefront Security for Exchange (Exchange 2007)
    (W3) Forefront Security for Exchange TechCenter [UPD-08-01]

    4.4.1.3 Forefront Security for Office Communications Server
    (W3) Forefront Security for OCS TechCenter [UPD-08-04]

    4.4.1.4 Forefront Security for Sharepoint (Office SharePoint Server 2007 and Microsoft Windows SharePoint Services 3.0)
    (W3) Forefront Security for Sharepoint TechCenter [UPD-08-01]

    4.4.1.5 Forefront “Stirling”
    (SB) Forefront Stirling Blog [UPD-08-04]
    (W3) Forefront "Stirling" TechCenter [UPD-08-04]

    5.0 User Security

    5.1 Identity & Access Solutions
    (W3) Microsoft Identity & Access Solutions homepage [UPD-08-04]

    5.1.1 Directory Services Security
    (W3) Active Directory Domain Services (AD DS) in Win2008 TechCenter [UPD-08-04]
    (W3) Active Directory Lightweight Directory Services (AD LDS) in Win2008 TechCenter [UPD-08-04]
    (W3) Group Policy TechCenter [UPD-08-04]
    (B) Ask the Directory Services Team blog [UPD-08-04]
    (B) Tim Springston’s Active Directory blog [UPD-08-03]

    5.1.2 Identity Lifecycle Manager (ILM) 2007
    (W3) ILM 2007 TechCenter [UPD-08-04]

    5.1.3 Active Directory Federation Services (AD FS)
    (W3) Active Directory Federation Services (AD FS) in Win2008 TechCenter [UPD-08-04]

    5.1.4 Certificate Services and SmartCard
    (W3) Active Directory Certification Services (AD CS) in Win2008 TechCenter [UPD-08-04]
    (SB) Windows PKI blog
    (SB) SmartCard Infrastructure Blog
    (BK) Windows Server® 2008 PKI and Certificate Security

    6.0 Data Security

    6.1 Data Encryption solutions
    (WP) The Data Encryption toolkit for Mobile PCs [UPD-08-04]

    6.1.1 Encrypting File System (EFS)
    (W3) The Encrypted File System [UPD-08-04]

    6.1.1.1 Previous versions: EFS in Win2000, WinXP, Win2003
    (W3) EFS in WinXP and Win2003 [UPD-08-04]

    6.1.1.2 EFS in Windows Vista & Windows Server 2008
    (W3) EFS in Win2008 [UPD-08-04]

    6.1.2 BitLocker
    (W3) BitLocker TechCenter [UPD-08-04]

    6.2 Policy Enforcement solutions

    6.2.1 Rights Management Server (RMS)
    (SB) RMS: Protecting Your Assets.

    6.2.1.1 RMS in Windows Server 2003
    (W3) RMS in Win2003 TechCenter [UPD-08-04]

    6.2.1.2 RMS in Windows Server 2008
    (W3) RMS in Win2008 TechCenter [UPD-08-04]

    6.3 Privacy Enhancing Technologies (PET)
    (SB) The Data Privacy Imperative

    6.3.1 Privacy Enhancements in Windows XP SP2
    (WP) Controlling Internet Communications in WinXP SP2 [UPD-08-04]

    6.3.2 Privacy Enhancements in Windows Vista
    (WP) Windows Vista Privacy Statement [UPD-08-04]
    (WP) Controlling Internet Communications in Windows Vista [UPD-08-04]

    7.0 Security Foundations – Technology

    7.1 Security Update & Compliance Management solutions
    (SB) Microsoft Security Response Center
    (SB) Security Vulnerability Research & Defense
    (W3) Update Management TechCenter [UPD-08-04]
    (SB) Solution Accelerators - Security & Compliance

    7.1.1 Windows Update, Microsoft Update & Automatic Update Agent
    (B) Microsoft Update Team Blog

    7.1.2 WSUS
    (B) WSUS Product Team Blog
    (B) WSUS Support Team Blog [UPD-08-04]
    (W3) WSUS TechCenter [UPD-08-04]

    7.1.3 SMS & System Center Configuration Manager
    (B) SMS & MOM Product Team Blog [UPD-08-04]

    7.1.3.1 SMS 2003
    (W3) System Management Server 2003 TechCenter [UPD-08-04]

    7.1.3.2 System Center Configuration Manager 2007
    (W3) System Center Configuration Manager 2007 TechCenter [UPD-08-04]

    7.1.4 Microsoft Baseline Security Analyzer
    (W3) MBSA homepage [UPD-08-04]
    (W3) MBSA 2.1 homepage [UPD-08-04]

    7.2 Security Monitoring & Auditing Solutions

    7.2.1 System Center Operations Manager 2007
    (B) Operations Manager Product Team Blog
    (W3) System Center Operations Manager TechCenter [UPD-08-04]

    7.3 Systems Management Solutions

    7.3.1 System Center
    (W3) System Center homepage [UPD-08-04]
    (B) Nexus SC: The System Center Team Blog [UPD-08-04]
    (W3) System Center TechCenter [UPD-08-04]

    7.4 Hardware & Physical Security

    7.4.1 Physical Security
    (WP) Physical Security at Microsoft [UPD-08-04]

    7.4.2 Trusted Platform Module (TPM)
    See BitLocker topic.

    8.0 Security Foundation – Processes
    (B) MOF and Service Management at Microsoft

    8.1 Organizational Security & Policies

    8.2 Operational Security & Procedures

    Cisco, IBM, Intel, Juniper and Microsoft fight cyber terror together

    Five major network hardware, software and services vendors are banding together to improve IT security by promoting faster responses to threats.

    Industry Consortium for Advancement of Security on the Internet (ICASI) is a nonprofit organization created by Cisco, IBM, Intel, Juniper and Microsoft to address what it calls multi-product security threats.

    The companies say ICASI will let vendors and customers work together on global IT security threats and resolve them in a government-neutral way. Last month, a group of countries banded together to create the International Multilateral Partnership Against Cyber Terrorism (IMPACT), funded by private businesses as well as governments and based in Malaysia. The center is to offer emergency response, training and other resources.

    “To date there has not been a trusted vendor environment that allows companies to identify, assess, and mitigate multi-product, global security challenges together on the customers' behalf,” the group says in a statement. “ICASI aims to fill this void.”

    ICASI will target “global, multivendor cyber threats” to reduce their impact on end users. The group’s statement says these attacks target multiple products or protocols in products, giving them a broader impact. These attacks pose problems not only for end user customers, but also for vendors, the group says.

    By working together the vendors hope to block this class of threat more quickly and blunt their effects on the security of customer networks. To that end, ICASI will develop efficient and effective practices for responding to these threats.

    The hope is that with the group creating a forum of trust among members, they will share critical data about specific attacks more readily and thwart them more quickly. ICASI says it wants to set security response standards that it can share with the industry in general.

    ICASI’s statement says it may work with other firms committed to similar goals, but does not say whether they will be full members.

    Formation of the group was announced at the FIRST Conference in Vancouver for IT incident-response and security teams.

    This story appeared on Network World at
    http://www.networkworld.com/news/2008/062707-icasi-cyber-terror.html

    June 18

    Security virtual labs at HELLO SECURE WORLD

    Check out the latest (but not so recent) virtual labs, videos and more:

    http://www.microsoft.com/click/hellosecureworld/default.mspx

    I'm not a developer, so XSS really doesn't interest me. Videos are cool, but I've seen better.

    It runs on Silverlight, so install that first, or you won't be able to access the content.

    To run the lab, you will also need to install a (risky and dangerous) ActiveX control, and your pop-up blocker must be disabled.

     

    So, what's in the virtual lab?

    • Cross Site Scripting
    • SQL Injection

     

    There are also links to MS blogs, like Steve Riley's and Kai Axford's.

    June 06

    Security Videos - Securitytube.net

     

    When it comes to security, nothing beats classroom training. However, if cost is a hurdle, you may want to check out the security videos on Securitytube.net. It's a library of security videos presented by hackers and security consultants alike: like YouTube, but focused on security.

    My personal favorite:

     

    History of Hacking Series Part 1

    Tons of Security related videos. Check it out!

    Data Wiping Tool - Darik's Boot and Nuke

            I have discussed Full Disk Encryption extensively: protecting data that resides in storage, be it a USB stick, a hard disk or whatever else. But what happens when the data reaches its end of life? What do you do with a server or PC that no longer serves its purpose and is to be discarded? If the data is encrypted, the machine could simply be discarded. However, encryption is still considered a 'luxury' or an 'ideal' by many.

           In my beloved country, Malaysia, there is no data privacy law. For financial institutions, which are governed by Bank Negara, none of the IT guidelines contain a chapter on data sanitization. Banks and insurance companies with old PCs may simply sell off their outdated PCs and servers with the hard disks intact, without sanitizing the data first.

           Knowing this, my response was to introduce a data-wiping policy at my previous company. I included a chapter in the company's Information Security Policy that required all desktops, servers and storage devices to be sanitized prior to decommissioning. The policy I introduced also covered vendors, contractors and others who did business with my company, and it included sanitizing the computers and servers my company used during our annual Disaster Recovery Test, which is usually conducted at a vendor's premises.

          The tool I have used before is a no-brainer: simple to use, requires no installation and, best of all for an IT department on a tight budget (or cursed with a Scrooge for a CIO), free. It's called Darik's (the creator) Boot and Nuke, DBAN, and the name says it all: boot up the desktop, laptop or server you intend to wipe, and nuke (wipe) it. Download the ISO image and burn it to a CD/DVD or write it to a USB stick or 3.5-inch floppy. The image loads when the system boots, and a menu lets you choose the wiping method: DoD 5220.22-M (US Department of Defense), RCMP (Royal Canadian Mounted Police), Gutmann and so on.

        Screenshots: extractor; starting screen; choosing wiping method; selecting drive to be wiped; wiping in action; success.

    The tool is not restricted to organizations; it is just as useful for individuals who are aware of and concerned about their privacy. Before you sell that old hard disk on eBay or Lelong.com.my, be sure to wipe it clean. One caveat: an overwrite can only reach sectors the drive still presents to the host, so sectors the firmware has remapped as bad are never rewritten; for disks that held highly sensitive data, physical destruction is the safer choice.
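    To show what a boot-and-nuke tool does under the hood, here is an added overwrite-and-verify routine in Python (example code, not part of DBAN or of the original post). It writes random passes followed by a zero pass over a target and then reads the whole target back to confirm the final pass actually landed, which is the check worth recording before a machine leaves the building. The target, its size and the 'secret' marker are constructed for the demo; pointed at a block device path and run as root, the same routine would destroy that device.

```python
"""Overwrite-and-verify for a storage target, the software side of what DBAN does.

Pointed at a block device path (e.g. /dev/sdb) and run as root this destroys the
device's contents; the demo at the bottom uses an ordinary temporary file as the
target so it is safe to run. Overwriting only reaches sectors the drive still
presents to the host; remapped sectors are out of reach of any software tool.
"""
import os
import tempfile

CHUNK = 64 * 1024


def overwrite_target(path: str, size: int, random_passes: int = 1) -> int:
    """Write `random_passes` passes of random data followed by one pass of zeros over
    the first `size` bytes of `path`, fsync'ing after each pass so the data reaches
    the medium rather than sitting in the page cache. Returns the passes performed."""
    with open(path, "r+b") as fh:
        for pass_no in range(random_passes + 1):
            final_zero_pass = pass_no == random_passes
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(bytes(n) if final_zero_pass else os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return random_passes + 1


def verify_zeroed(path: str, size: int) -> bool:
    """Read the target back and confirm every byte of the final pass is zero.
    A wipe without a verification pass is a wipe you only believe happened."""
    zero_chunk = bytes(CHUNK)
    with open(path, "rb") as fh:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            data = fh.read(n)
            if len(data) != n or data != zero_chunk[:n]:
                return False
            remaining -= n
    return True


def contains_marker(path: str, marker: bytes) -> bool:
    """Crude 'is the secret still there' check, fine for a demo-sized target."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def demo_wipe(size: int = 1 << 20, random_passes: int = 2) -> dict:
    """Constructed demo: a 1 MiB temp file seeded with a recognisable 'secret'
    stands in for a disk. Returns what a decommissioning checklist would record."""
    marker = b"CUSTOMER-DB-SECRET-ROW"        # constructed sample content
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    try:
        with os.fdopen(fd, "wb") as fh:
            head = size // 2
            fh.write(os.urandom(head) + marker + os.urandom(size - head - len(marker)))
        result = {"marker_before": contains_marker(path, marker)}
        result["passes"] = overwrite_target(path, size, random_passes)
        result["marker_after"] = contains_marker(path, marker)
        result["verified"] = verify_zeroed(path, size)
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_wipe())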

    June 05

    Malaysian Prime Minister Official Website Defaced

         
        So the government finally decided to raise the petrol price for Malaysians. Apart from causing massive traffic jams around the nation, the decision has also drawn protest from the underground world: the Malaysian PM's official website has just been defaced. I did save the print screen. Here's the link.
     
     
          
    May 26

    Feds encrypt 800,000 laptops; 1.2 million to go

         A proactive move by the US government. The private sector in the US has long mandated the use of FDE for laptops. The US government received up to an 80% discount from FDE vendors for the initiative. My only hope is that my local government, and even the local private sector, follows this proactive information protection effort.
     
     
    An excerpt from Infoworld:

    U.S. government agencies are scrambling to plug one of their biggest security holes: sensitive information -- names, addresses and Social Security numbers, for example -- stored on laptops, handhelds, and thumb drives.


    In the last year, agencies have purchased 800,000 licenses for encryption software through the federal Data at Rest (DAR) Encryption program, which is run jointly by the General Services Administration and the U.S. Department of Defense.

    "Sales have been very brisk," says Fred Schobert, CTO for integrated technology services at the General Services Administration's Federal Acquisition Service. "We've been somewhat overwhelmed."

    The government's fast adoption rate of encryption software comes after numerous headline-grabbing security breaches. Laptop encryption has also been on the rise among corporations, including the likes of EMC and IBM.

    It's been two years since teens stole a laptop from the home of a U.S. Department of Veterans Affairs employee, putting at risk for identity theft a database of names and Social Security numbers for 26.5 million veterans and military personnel.

    But this year alone, laptops with personally identifiable information have been stolen from Bolling Air Force Base, a Marine Corps base in Okinawa, Japan and the National Institutes of Health in Bethesda, Md. In all of these cases, data that wasn't encrypted on these laptops could have been used by thieves for identity theft, according to a list of known security breaches compiled by the Privacy Rights Web site.

     
     
    May 18

    Server Lost during Renovation


    I know how easy it is to lose a laptop; that's common. But how do you lose a server?
    HSBC stated that the server had 'multiple layers' of security.
    I'm guessing Full Disk Encryption, token-key access, etc.

    All the more reason to have a 'Defense-in-Depth' approach to security.
    While firewalls, IPS etc. reduce the risk of attacks from the network, those controls do little to protect against physical threats like server theft.

    I used to work in a shipping company where not only the desktops and laptops were chained to the desks, but the servers in the server room were 'chained' too.
    The server room had CCTV and a full-time guard was posted to watch it, and this was only a shipping company.


    HSBC lost server with customer data

    By Computerworld UK Staff , Computerworld UK , 05/09/2008

    HSBC has admitted losing a server containing data on 159,000 customers.

    The server went missing on 26 April from its Kwun Tong district branch in Hong Kong during renovation work. The server held customer names, account numbers, transaction amounts and transaction types, the banking giant confirmed.

    HSBC said the server is protected by "multiple layers of security" and the risk of data breaches and fraud is "deemed to be low".

    It also said the server contained no PIN codes or online banking login credentials.

    The bank said it has reported the incident to the police, the Hong Kong Monetary Authority, and the Hong Kong privacy commissioner.

    The Hong Kong incident is the latest security foul-up involving HSBC. In April, HSBC admitted it lost an unencrypted disc containing 370,000 customer details in the post.

    HSBC has also struggled with its Secure e-payments system, with three outages reported this year that left merchants stranded and unable to process payments.

    All contents copyright 1995-2008 Network World, Inc. http://www.networkworld.com



    May 06

    Security Assessment Tool - MSAT

          Firewalls and anti-virus are commonly found in any of today's organizations. This was not true back in the 80's, let alone the 70's. Thanks to virus writers and script kiddies (and also the media), attacks on networks and malicious code have forced companies to include a firewall and anti-virus as 'must-haves' in their LAN buy-list. Any company that operates without these two security apparatus would be chastised and ridiculed. Even a CEO who is totally clueless about IT will not approve a LAN without a basic network firewall and anti-virus. People in general have become more aware of the threats, either through first-hand experience or because the media enlightened them. For the banking and financial industry, the push to have these basic security apparatus comes from either self-realization or, better still, the regulators. A bank or insurance company operating without these two basics would immediately raise a red flag during an audit exercise by the regulators, and the consequences would be very harsh: either being summoned or losing their licence.

        As we moved on beyond the 90's and into the 21st century, threats evolved. Threats are now multi-faceted, blended and sophisticated. Around the same time the term 'zero-day' entered common use: a zero-day exploit targets a vulnerability that is unknown to the public and to the product vendor, so no patch exists, and such exploits generally circulate privately through the ranks of hackers before finally being released on public forums; the term derives from the age of the exploit. Then there are phishing attacks, spyware, botnets, wireless attacks and so on.

       The threats have become more sophisticated and deadly; however, the average IT Pro's knowledge of information security has remained unchanged, or static. IT Pros are still deploying firewall and anti-virus as 'the only' line of defense. CEOs or business owners are still not keen on adding other security apparatus to their line of defense, like patch management, Intrusion Prevention Systems, wireless firewalls/IDS etc.

      
    For these people, their practice of security has always been, and will always be, catching up with the threat. The idea of conducting a Security Risk Assessment has never crossed their minds.

    What is Security Risk Assessment?


    Security Risk Analysis
    Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.

    Security in any system should be commensurate with its risks. However, the process to determine which security controls are appropriate and cost effective, is quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process onto a more objective basis.

    There are a number of distinct approaches to risk analysis. However, these essentially break down into two types: quantitative and qualitative.

     
    Quantitative Risk Analysis

    This approach employs two fundamental elements; the probability of an event occurring and the likely loss should it occur.

    Quantitative risk analysis makes use of a single figure produced from these elements. This is called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost (EAC)'. This is calculated for an event by simply multiplying the potential loss by the probability.

    It is thus theoretically possible to rank events in order of risk (ALE) and to make decisions based upon this.

    The problems with this type of risk analysis are usually associated with the unreliability and inaccuracy of the data. Probability can rarely be precise and can, in some cases, promote complacency. In addition, controls and countermeasures often tackle a number of potential events and the events themselves are frequently interrelated.

    Notwithstanding the drawbacks, a number of organisations have successfully adopted quantitative risk analysis.
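    To make the arithmetic concrete, here is an added worked example in Python (not part of the original post or of any tool it mentions) that ranks a few constructed scenarios by ALE and then asks the question the analysis exists to answer: does a proposed control return more than it costs? Because the caveat above is that probability is the least reliable input, it also computes the break-even ARO, the occurrence rate above which a control pays for itself, so the decision can be judged against a range of estimates rather than one guess. All figures (scenarios, losses, rates, control costs) are constructed for the demo.

```python
"""Quantitative risk analysis with Annual Loss Expectancy (ALE).

ALE = SLE x ARO, where SLE (single loss expectancy) is the loss from one
occurrence and ARO (annualised rate of occurrence) is how many times per
year it is expected to happen. All figures below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # expected loss per occurrence, in currency units
    aro: float   # expected occurrences per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    sle_after: float          # residual loss per occurrence once the control is in place
    aro_factor: float = 1.0   # multiplier on ARO (1.0 = the control does not change frequency)


def rank_by_ale(scenarios):
    """Highest ALE first: the ordering the text says quantitative analysis enables."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def residual_ale(scenario: Scenario, control: Control) -> float:
    return control.sle_after * scenario.aro * control.aro_factor


def net_benefit(scenario: Scenario, control: Control) -> float:
    """Annual value of a control: ALE reduction minus what the control costs.
    Negative means the control costs more than the risk it removes (overspending)."""
    return scenario.ale - residual_ale(scenario, control) - control.annual_cost


def breakeven_aro(scenario: Scenario, control: Control) -> float:
    """The ARO at which the control just pays for itself. ARO is the shakiest input,
    so instead of trusting one estimate, ask: is the true rate plausibly above this?"""
    saving_per_event = scenario.sle - control.sle_after * control.aro_factor
    if saving_per_event <= 0:
        return float("inf")       # the control never pays for itself
    return control.annual_cost / saving_per_event


# Constructed scenarios and controls for the demo.
LAPTOP_THEFT = Scenario("Laptop theft with unencrypted customer data", sle=50_000, aro=2.0)
SERVER_FIRE = Scenario("Server room fire", sle=400_000, aro=0.05)
DEFACEMENT = Scenario("Web site defacement", sle=5_000, aro=1.0)

# FDE: the laptop is still stolen (ARO unchanged) but only the hardware is lost.
FDE = Control("Full disk encryption for laptops", annual_cost=10_000, sle_after=1_500)
# Suppression upgrade: fire still happens, damage reduced, but the licence is pricey.
SUPPRESSION = Control("Gas suppression upgrade", annual_cost=30_000, sle_after=100_000)


def demo():
    ranking = [s.name for s in rank_by_ale([DEFACEMENT, SERVER_FIRE, LAPTOP_THEFT])]
    return {
        "ranking": ranking,
        "fde_net_benefit": net_benefit(LAPTOP_THEFT, FDE),
        "fde_breakeven_aro": breakeven_aro(LAPTOP_THEFT, FDE),
        "suppression_net_benefit": net_benefit(SERVER_FIRE, SUPPRESSION),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")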

     

    Qualitative Risk Analysis

    This is by far the most widely used approach to risk analysis. Probability data is not required and only estimated potential loss is used.

    Most qualitative risk analysis methodologies make use of a number of interrelated elements:

     

    THREATS

    These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.

     

    VULNERABILITIES

    These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, for fire a vulnerability would be the presence of inflammable materials (e.g. paper).

     

    CONTROLS

    These are the countermeasures for vulnerabilities. There are four types: 

    o    Deterrent controls reduce the likelihood of a deliberate attack

    o    Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact

    o    Corrective controls reduce the effect of an attack

    o    Detective controls discover attacks and trigger preventative or corrective controls.

     

    These elements can be illustrated by a simple relational model:



    Dazed and Confused?

    To the average IT Pro, or even a non-technical reader, the above sounds so academic and so difficult to implement. Rather than hiring a consultant to do a Risk Assessment, which would incur additional cost for an IT organization on a very tight budget, they would prefer to leave their standard security defense as it is.

    A security assessment is crucial: it helps IT Pros and business owners understand what threats their organization is exposed to and, more importantly, how to reduce the risk exposure without overspending. In dealing with threats, there is also the scenario of 'overspending'. This happens when either the IT Pro or the business decision makers are so hyped up about security threats that they start 'throwing money' at security, hoping that their organization will be as solid and sound as Fort Knox. Most often, despite the investment, they still find themselves attacked, and very often from areas which were overlooked. The only people laughing all the way to the bank when this happens are the security vendors who sold them all the products.

    So, an assessment is very necessary and crucial. An assessment should be conducted before even purchasing the two most basic security apparatus, firewall and anti-virus.

    Are there some basic tools out there that could help IT Pros and business managers do a self-security-risk-assessment, without having to be 'schooled' first? A point-and-click tool that only requires yes/no answers and at most a 10-minute blank stare to get the answer?

    Enter -
    Microsoft Security Assessment Tool.

    So, to make IT Pros' and IT managers' lives easier when it comes to conducting a security assessment, I urge you to use the MSAT. It's free and it's easy to use.

    It gives you an overview of where your organization is in terms of security, and where you want to go.


    Key Features:
    • Recognize areas of business risk.
    • Identify Defense-in-Depth.
    • Generate reports that will identify areas of concern.
    • Analyze the results from the perspectives of technology, people, and processes.
    When to Use:
    The Security Assessment tool should be used to gather information and provide recommendations and best practices for your customers. This tool will not only identify specific security applications, but will also focus on people and processes. It provides information on business risk profile, infrastructure, applications, operations, and people.
    Synopsis:
    This application is designed to help organizations with fewer than 1,000 employees assess weaknesses in their current IT security environments. It will help identify processes, resources, and technologies that are designed to promote good security planning and risk mitigation practices within the organization.
    Estimated Time to Complete:
    1-3 hours

    Download It Here

    - I know this is pretty basic for some, but most organizations hardly conduct any security assessment, and have been like that for the longest time.

    Best approach to security, with your eyes wide open!



     

    April 04

    Europe asks ISPs to help battle cybercrime

     
    It's only fair that ISPs take responsibility for securing the pipe, instead of a hands-off approach that allows just about anything to travel through their infrastructure.
    The Council of Europe has unanimously agreed to get ISPs to commit to certain security guidelines. The attack on Estonia, although many parties have played it down, is a very clear example of how a cyber attack can cause a total shutdown of an entire nation.
     
    Here in Malaysia, the regulatory bodies have yet to even propose such rulings. Perhaps the lax approach is due to the belief that the chances of what happened to Estonia happening here are 1 in 1,000,000. That is a very dangerous thought; however, at the pace the regulators are moving, one cannot help but assume the above reason.
     

    From SecurityFocus:

    Europe asks ISPs to help battle cybercrime
    Published: 2008-04-02

    The Council of Europe plans to vote this week on drafted guidelines that call for more cooperation from Internet service providers (ISPs) in combatting online attacks.

    During the Council of Europe's Octopus 2008 Conference on Cybercrime -- which is taking place in Strasbourg, France -- participants will be asked to adopt a set of guidelines to speed response to cyberattacks and share more information, especially between Internet service providers and government agencies. The guidelines have been proposed by Estonia and other nations following the attacks on the northern European country last spring.

    "The draft guidelines build upon the existing Council of Europe Convention on Cybercrime -- to which many countries in Europe and beyond have acceded -- and call for formal partnerships between Internet service providers (ISPs) and law enforcement," the Council of Europe said in a statement published about the conference.

    In late April and early May 2007, massive denial-of-service attacks hobbled online communications in Estonia, a nation that depends on the Internet for much of its commerce and access to government. The attacks began on April 28, following violent clashes between the Estonian police and ethnic Russians in the country over the removal of a Red Army monument that symbolizes the defeat of Nazi Germany by the Soviet Union during World War II, but is also a reminder to Estonians of the more than four decades that the Soviets occupied the nation. Following the incident, the North Atlantic Treaty Organization (NATO) -- of which Estonia is a member -- began evaluating whether such attacks should trigger the treaty's clause for common defense, Article 5.

    The latest guidelines, and the request for ISPs to share data with government, worries many privacy experts, according to a report on the issue by the International Herald Tribune. More information on the conference is available from the Council of Europe's Web site.


    April 03

    Encryption for Pendrive

        Just in case encrypting hard disks was not troublesome enough for corporations, some IT governance policies also require encryption for pendrives.
    Let's face it: pendrives, next to laptops, are the second largest threat of data breach in a company, if not the first. They are small, large enough to hold an entire database and, worst of all, can be hidden almost anywhere.
        The need to control the use of pendrives in an organization is paramount. SanDisk has incorporated this into its Cruzer Enterprise, whose features include on-board encryption, strong password protection and central management:
     
  • Hardware based 256-bit AES encryption
  • Mandatory access control for all files (100% private partition)
  • Strong password
  • “Lockdown” mode when a set number of incorrect password attempts are made
  • Centrally manageable (using SanDisk CMC software, sold separately)
  • Ultra fast transfer speed – 24MB/s read, 20MB/s write.*
  • Available in 1, 2, 4 and 8GB** configurations

    Enter TrueCrypt, an open-source on-the-fly encryption application. TrueCrypt works by creating a 'file-hosted container' (or by encrypting a whole partition): an encrypted volume with its own file system, contained within a regular file, which can then be mounted as if it were a real disk. This free software supports Windows, Mac and Linux. There is a 'Traveler mode' in TrueCrypt that lets an autorun execute on the host PC, as long as it runs Windows XP. Unfortunately, this mode does not work with Linux.

    One problem I face is that it does not support multiple OSes: if I save my file on the pendrive and encrypt it, then mount the pendrive on a Linux machine, it just doesn't work.
     
    IMHO, before any organization jumps on the idea of encrypting their pendrives, do detailed research first. Having a bunch of inaccessible encrypted corporate pendrives is just as bad as facing a data breach from a lost pendrive.

    Search Engine for Microsoft Bug

    I recently found this Google-like search engine for Microsoft bugs.
     
    Have a go!
    March 26

    Defeating Full Disk Encryption

     
    Just when most individuals and organizations had come to regard Full Disk Encryption as 'the' protection for storage, researchers at Princeton have found a way around it: the 'cold boot' attack. Software FDE keeps the disk encryption key in RAM while the volume is mounted, and DRAM retains its contents for seconds to minutes after power is cut (longer if the chips are cooled). An attacker with physical access to a machine that is powered on or in sleep mode, even at a locked screen, can cut the power, reboot into a small memory-dumping tool (or move the memory modules to another machine) and search the image for the key. Hibernation is different: the machine is off and the key is no longer in RAM, so a properly hibernated laptop whose hibernation file is encrypted is not exposed. The attack is not specific to one product. The Princeton team demonstrated it against BitLocker, FileVault, dm-crypt and TrueCrypt, and any software disk encryption that keeps its key in RAM, from TrueCrypt to Check Point's PointSec to Microsoft's BitLocker, is exposed in the same way.
     
     
     
    So, it's back to the drawing board for storage security. No security measure is absolute; it only buys time. The practical mitigations are to power machines off, or hibernate them, rather than sleeping them when they leave your control, and, for BitLocker, to require a PIN or USB key at boot so the key is not loaded into RAM automatically by the TPM before anyone has authenticated.
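    The key-recovery step is the part that makes the attack practical, and it is worth seeing why it works. The Princeton team's tool does not search for 16 random-looking bytes; it searches for the AES key schedule, because software FDE keeps the key pre-expanded into its round keys in RAM for speed, and those 176 bytes satisfy a fixed algebraic relationship that survives a few decayed bits. The block below is an added Python example, not the Princeton code nor anything from the original post: it implements AES-128 key expansion, scans a memory image for windows that satisfy the schedule relationship within a bit-error budget, and runs over a constructed 8 KiB 'image' holding one intact schedule and one with three flipped bits. It assumes AES-128 (the real tool also handles AES-256 and RSA), reports the raw 16 key bytes it finds rather than correcting flips inside the key itself, and is far too slow in pure Python for a multi-gigabyte dump; the logic is what matters.

```python
"""Search a memory image for AES-128 keys by recognising their key schedules.

Software FDE keeps the AES key expanded into its round keys in RAM for speed,
so a captured image contains 176 bytes with a fixed algebraic relationship.
Checking that relationship at every offset finds the key, even if a few bits
decayed before the image was taken. The memory image below is constructed
for the demo; the scanner logic is generic.
"""
import random

# --- AES-128 key expansion (FIPS-197), enough to recognise a schedule -------------

def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) with the AES polynomial 0x11b."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = _xtime(a)
        b >>= 1
    return p

def _build_sbox() -> bytes:
    """Derive the S-box (GF(2^8) inverse plus affine map) rather than typing 256 constants."""
    sbox = bytearray(256)
    for x in range(256):
        inv = 0
        if x:
            inv, base, e = 1, x, 254          # x^254 == x^-1 in GF(2^8)
            while e:
                if e & 1:
                    inv = _gf_mul(inv, base)
                base = _gf_mul(base, base)
                e >>= 1
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return bytes(sbox)

SBOX = _build_sbox()

def _sub_rot(word: bytes, rcon: int) -> bytes:
    """SubWord(RotWord(word)) xor Rcon: the non-linear step of key expansion."""
    t = bytes(SBOX[b] for b in word[1:] + word[:1])
    return bytes([t[0] ^ rcon]) + t[1:]

def aes128_key_schedule(key: bytes) -> bytes:
    """Return the 176-byte expanded key (11 round keys) for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[i:i + 4] for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = _sub_rot(temp, rcon)
            rcon = _xtime(rcon)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], temp)))
    return b"".join(w)

# --- Scanner ----------------------------------------------------------------------

def _hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def find_aes128_keys(image: bytes, max_bit_errors: int = 0):
    """Return (offset, key) pairs where a 176-byte window of `image` is an AES-128
    key schedule, allowing up to `max_bit_errors` decayed bits across the window."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        # Cheap filter: round-1 word w[4] must equal w[0] ^ SubWord(RotWord(w[3])) ^ Rcon1.
        expect_w4 = bytes(a ^ b for a, b in zip(cand[0:4], _sub_rot(cand[12:16], 0x01)))
        if _hamming(expect_w4, image[off + 16:off + 20]) > max_bit_errors:
            continue
        # Full check over all 11 round keys; random data essentially never passes this.
        if _hamming(aes128_key_schedule(cand), image[off:off + 176]) <= max_bit_errors:
            hits.append((off, cand))
    return hits

# --- Constructed sample: random 'RAM' with one intact schedule and one decayed copy ---

SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 example key
INTACT_OFFSET, DECAYED_OFFSET = 1000, 3000

def build_sample_image(key: bytes = SAMPLE_KEY, size: int = 8192, seed: int = 1234) -> bytes:
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    schedule = aes128_key_schedule(key)
    image[INTACT_OFFSET:INTACT_OFFSET + 176] = schedule
    decayed = bytearray(schedule)
    for pos, bit in ((20, 0), (77, 5), (150, 7)):   # three bits flipped, as DRAM decay would do
        decayed[pos] ^= 1 << bit
    image[DECAYED_OFFSET:DECAYED_OFFSET + 176] = decayed
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    for tolerance in (0, 4):
        for off, key in find_aes128_keys(img, tolerance):
            print(f"tolerance={tolerance}: key {key.hex()} at offset {off}")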