Microsoft Malaysia Security Advisor Page e·van·gel·ist

Technocrati

Sat, 20 Sep 2008 09:33:03 GMT

Deep Packet Inspection: Big Brother Technology for ISP's

Fri, 01 Aug 2008 03:23:50 GMT

These 'big brother' or 'eavesdropping' technology has long been use by the military of the United States.

Notoriously known as Echelon, a remnant of the Cold War is now still being operated.

From Wikipedia:

ECHELON is a name used in global media and in popular culture to describe a signals intelligence (SIGINT) collection and analysis network operated on behalf of the five signatory states to the UK-USA Security Agreement (Australia, Canada, New Zealand, the United Kingdom, and the United States, known as AUSCANZUKUS).[1]
The system has been reported in a number of public sources.[2] Its capabilities and political implications were investigated by a committee of the European Parliament during 2000 and 2001 with a report published in 2001.[3]

On the civilian side, same technology have been deployed in the US or other countries to sniff packets in real time ~ big brother.

Michael Kassner wrote a very interesting article on Deep Packet Inspection and its potential abused by government through ISP's.

User's privacy is at stake here.

Anyone who uses the Internet needs to be aware of Deep Packet Inspection (DPI), its uses, and potential misuses. You may recognize DPI as what ISPs use to conform to CALEA, the U.S. government-ordered Internet wire-tapping directive. If that’s not enough, DPI, albeit behind the scenes, allows ISPs to block, shape, and prioritize traffic, which is now fueling the “Net Neutrality” versus traffic priority debate. So, what is DPI and how does it work?

So what is DPI?

DPI is next-generation technology that’s capable of inspecting every byte of every packet that passes through the DPI device, that means packet headers, types of applications, and actual packet content. Up until now, this wasn’t possible with IDS/IPS systems or stateful firewalls. The difference being, DPI has the ability to inspect traffic at layers 2 through 7, hence the “deep” in DPI. A simple analogy would be that of snail mail. IDS/IPS firewalls would be the mail sorters who just read the letter’s address, knowing nothing about the letter’s content. Inspecting Internet traffic from layers 2 through 7 would correspond to the person who actually reads the letter and understands the contents.

To recap, DPI allows people controlling the device to know everything, including the payload of each packet in the data stream. For example, if an unencrypted e-mail is scanned, the actual body of the e-mail can be reassembled and read. Nate Anderson wrote an excellent Ars Technica article “Deep Packet Inspection Meets Net Neutrality, CALEA.” The following quote appears in that article:

“Deep packet inspection refers to the fact that these boxes don’t simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble e-mails as they are typed out by the user.”

Mr. Anderson also explains what happens at layer 7:

“Layer 7 is the application layer, the actual messages sent across the Internet by programs like Firefox or Skype or Azureus. By stripping off the headers, deep packet inspection devices can use the resulting payload to identify the program or service being used. Procera, for instance, claims to detect more than 300 application protocol signatures, including BitTorrent, HTTP, FTP, SMTP, and SSH. Ellacoya reps tell Ars that their boxes can look deeper than the protocol, identifying particular HTTP traffic generated by YouTube and Flickr, for instance. Of course, the identification of these protocols can be used to generate traffic shaping rules or restrictions.”

What makes DPI all the more impressive is that the packet analysis happens in real time, with data stream throughput approaching 20-30 Gb. See where I’m going with this? With no loss of throughput, ISPs are able to insert these devices directly in their data streams, forcing all traffic to pass through the devices. Procera, Narus, and Ellacoya are front-runners in development of this technology, having placed equipment throughout the world.

DPI’s potential uses

DPI technology is unique in that as of now it’s the only way to accomplish certain governmental security directives. DPI also has the potential to do a great deal of good. For example, DDoS attacks are virtually impossible to thwart. Conceivably if DPI were in place and configured correctly it would detect the DDoS packets and filter them out. Some more potential uses are listed below:

Network security: DPI’s ability to inspect data streams at such a granular level will prevent viruses and spyware from either gaining entrance to a network or leaving it.
Network access: DPI creates conditions where network access rules are easy to enforce due to the deep inspection of packets.
CALEA compliance: DPI technology augments traffic access points (TAP) technology used initially for governmental surveillance equipment.
SLA enforcement: ISPs can use DPI to ensure that their acceptable use policy is enforced. For example, DPI can locate illegal content or abnormal bandwidth usage.
QoS: P2P traffic gives ISPs a great deal of trouble. DPI would allow the ISP to instigate traffic control and bandwidth allocation.
Tailored service: DPI allows ISPs to create different services plans, which means users would pay for a certain amount of bandwidth and traffic priority. This one is controversial and affects Net Neutrality.
DRM enforcement: DPI has the ability to filter traffic to remove copyrighted material. There’s immense pressure from the music and movie industries to make ISPs responsible for curtailing illegal distribution of copyrighted material.

The above applications have the potential to give users a better Internet experience. Yet it wouldn’t take much mission creep to create major privacy concerns. I would feel remiss if I didn’t point them out and help everyone understand the ramifications.

Possible misuses of DPI

DPI is another innovative technology that has ISPs arguing with privacy advocates. ISPs and DPI developers are adamant that the technology is benign and will create a better Internet experience. However, privacy groups have two major concerns: little or no oversight and the potential for losing still more individual privacy. Many experts find the following uses of DPI to be especially troubling:

Traffic shaping: Traffic shaping is where certain traffic or entities get priority and a predetermined amount of bandwidth. With the increasing number of bandwidth-hungry applications, ISPs are having to make decisions on whether to increase available bandwidth with infrastructure build out or increase control of the existing bandwidth. Installing a DPI system is usually the choice as it’s cheaper and has a more predictable RoI. Albeit cheaper, it’s riskier, and I suspect that’s why the Net Neutrality debate is going on right now.
Behavioral targeting (BT): BT uses DPI technology for the sole purpose of harvesting user information anonymously (supposedly) and selling it to interested parties who use the information to create ads that are targeted to the individual.

Final thoughts

This is a very complex subject, having the potential to change everyone’s view of the Internet. An optimist would say that DPI will help enhance the experience, even producing ads that are relevant to each individual user. Whereas a pessimist would say it’s “big brother” technology that only benefits ISPs. I don’t think anyone is sure how the Internet will look when the dust settles about DPI, but it should be interesting.

I hope that I was able to increase awareness of how ISPs using a DPI device can intercept, read, and interpret every one of your Internet-destined packets. An ulterior motive for explaining DPI is that in my next article I’d like to discuss behavioral targeting, a very controversial technology that uses DPI. I also want to discuss what, if any, options are available to prevent DPI from scanning your Internet traffic. Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.

The Last Lecture: Professor Randy Pausch

Mon, 28 Jul 2008 17:04:37 GMT

God takes away the good ones first, so living will take note and learn from them. Last Friday,25th of July 2008, the renowned and respected Prof Dr Randy Pausch passed away after a long battle with pancreatic cancer.He was 47. He is survived by his wife and children Dylan, Logan, and Chloe.

His contribution, not only to Carnegie Mellon University, but the world showed his dedication in teaching others and the value of humanity. He was the founder of Alice program, an animated educational system for high school and college students.

Rest in Peace.

Microsoft: Forget iPhone; we're still No. 2 in business

Tue, 22 Jul 2008 10:04:20 GMT

The big(ger) dog gets growly

July 21, 2008 (Computerworld) Companies -- lots of them -- are still buying Windows Mobile smart phones, and Microsoft Corp. doesn't want to let iPhone mania make them forget.

During Microsoft's most recent fiscal year, 325 enterprises purchased at least 500 Windows Mobile phones, with many buying many more, said Scott Rockfeld, group products manager for the mobile communications business at Microsoft, in a Friday interview.

"From the armed forces to the U.S. Court System, people are not just trying Windows Mobile, they are buying them," Rockfeld said, in apparent reference to a statement by Apple Inc. CEO Steve Jobs last month that 35% of Fortune 500 companies were beta-testing the iPhone.

more...

My opinion, the Iphone is a fun phone, still a toy for the kids. Big boys still prefers Windows Mobile smart phones.

Storm Worm - wrecking havoc across the planet

Tue, 22 Jul 2008 09:54:56 GMT

The Storm worm (not to be confused with W32/Storm.worm) was first discovered on 17th of January 2007. It was named by the finish company F-Secure and it is a trojan malware that infects Microsoft operating system. It spreads via email, with these headings:

A killer at 11, he's free at 21 and kill again!

U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel

British Muslims Genocide

Naked teens attack home director.

230 dead as storm batters Europe.

Re: Your text

Radical Muslim drinking enemies's blood.

Chinese/Russian missile shot down Chinese/Russian satellite/aircraft

Saddam Hussein safe and sound!

Saddam Hussein alive!

Venezuelan leader: "Let's the War beginning".

Fidel Castro dead.

If I Knew

When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.^[10] The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates.^[9] Some of the known names for the attachments include:^[10]

Postcard.exe
ecard.exe
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe
NflStatTracker.exe
ArcadeWorld.exe
ArcadeWorldGame.exe

more information here,here and here.

Microsoft Security Assessment Tool for Governments (MSATg)

Sun, 13 Jul 2008 05:10:20 GMT

The Microsoft Security Assessment Tool 3.75G (g for government version) is a revised version of the Microsoft Security Assessment Tool (MSAT) developed by Microsoft’s Trustworthy Computing Group. MSAT is comprehensive toolset to help security organizations within governments become more aware of the evolving security threat landscape that could impact their organizations.

The tool employs a holistic approach to measuring security postures by covering topics across people, process, and technology. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance. These resources can help maintain awareness of specific tools and methods changing the security posture of the IT environment.

The new Microsoft Security Assessment Tool conducts an assessments focused on 4 primary areas:

• Infrastructure Security

• Application Security

• Security Operations

• People, Process, Policy

After completing each Assessment, a detailed report of the results is available to review.

The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.

The MSAT v3.75g is now be available to SCP Participants. The “g” version will remove the feature that allows for uploading and sharing the results with Microsoft and comparing those with other companies. This version will have the added ability to compile results on a user agency’s own servers and compare results between departments. Also as a part of this version, we provide instructions on developing a standard baseline and how this standard baseline can be distributed to other agencies to conduct an assessment comparison.

The MSAT 3.75G version is now available in the following languages:

Canadian French, French, German, Russian, Italian, Spanish (Latin America), Spanish (Spain), Portuguese (Portugal), Portuguese (Brazil), Chinese (Simple), Chinese (Mandarin), Japanese, Swedish, Norwegian, Danish, English (US), and English (UK.)

Microsoft Security Tuesday/Wednesday

Sun, 13 Jul 2008 05:03:11 GMT

Bulletin Number	Maximum Severity	Affected Products	Impact
MS08-037	Important	Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008.	Spoofing
MS08-038	Important	Windows Vista and Windows Server 2008	Remote Code Execution
MS08-039	Important	Exchange Server 2003 and Exchange Server 2007	Elevation of Privilege
MS08-040	Important	SQL Server 7.0, SQL Server 2000, SQL Server 2005, MSDE 1.0, MSDE 2000, SQL Server 2005 Express, SQL Server 2005 Express with Advanced Services, WMSDE, Windows Internal Database (WYukon)	Elevation of Privilege

Summaries for these new bulletins may be found at the following pages:

http://www.microsoft.com/technet/security/bulletin/MS08-jul.mspx

Microsoft Windows Malicious Software Removal Tool

Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU) and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS). Information on the Microsoft Windows Malicious Software Removal Tool can be located here: http://go.microsoft.com/fwlink/?LinkId=40573

High-Priority Non-Security Updates

High priority non-security updates Microsoft releases to be available on Microsoft Update (MU), Windows Update (WU) or Windows Server Update Services (WSUS) will be detailed in the following KB Article: http://support.microsoft.com/?id=894199

Microsoft Security Taxonomy 2.0

Tue, 08 Jul 2008 09:47:24 GMT

From a counterpart's blog..Microsoft Italia....

Feliciano Intini has effortlessly compiled Microsoft security web sites.

Microsoft Security Experts Blogs (in alphabetic order):

Aaron Margosis

Cyril Voisin [UPD-08-04]

David LeBlanc [UPD-08-04]

Kimmo Bergius [UPD-08-04]

Mark Russinovich

Michael Howard

· (BK) Writing Secure Code 2nd Ed

· (BK) 19 Deadly Sins of Software Security

· (BK) The Security Development Lifecycle

· (BK) Writing Secure Code for Windows Vista

Robert Hensing

Roger Halbheer [UPD-08-04]

Steve Lamb

Steve Riley

Urs P. Küderli [UPD-08-04]

Vittorio Bertocci

· (BK) Understanding Windows CardSpace [UPD-08-03]

Vladimir Mamykin [UPD-08-04]

0.0 Microsoft Strategy & Initiatives

0.1 Security & Privacy

0.1.1 Trustworthy Computing (TwC)
(W3) Trustworthy Computing homepage [UPD-08-04]

0.1.1.1 End to End Trust
(W3) End to End Trust homepage [UPD-08-04]

0.2 Interoperability
(W3) Interoperability homepage [UPD-08-04]

0.2.1 Interoperability Principles
(W3) Interoperability Principles homepage [UPD-08-04]

1.0 Internet Security

1.1 Identity Metasystem & Windows CardSpace
(SB) Kim Cameron’s Identity Blog [UPD-08-03]
(SB) Vittorio Bertocci’s Vibro.NET blog [UPD-08-03]
(SB) CardSpace: Behind The Code [UPD-08-03]
(W3) Windows CardSpace MSDN Resources [UPD-08-03]
(W3) Windows CardSpace on Microsoft .NET Framework 3.0 Community [UPD-08-03]
(BK) Understanding Windows CardSpace [UPD-08-03]

1.2 Online Services Security
(W3) Microsoft Online Services TechCenter [UPD-08-04]
(WP) Security Features in Microsoft Online [UPD-08-04]

1.2.1 Windows Live Security
(B) Windows Live ID Team Blog

2.0 Perimeter & Network Security

2.1 Forefront Edge Security (Internet Access Protection & Secure Remote Access)
(W3) Forefront Edge Security homepage [UPD-08-04]

2.1.1 Internet Security & Acceleration (ISA) Server
(W3) ISA Server homepage [UPD-08-04]

2.1.1.1 Previous versions: ISA 2000, ISA 2004
(SB) ISA Server Product Team Blog

2.1.1.2 Internet Security & Acceleration (ISA) Server 2006
(SB) ISA Server Product Team Blog
(W3) ISA Server TechCenter [UPD-08-01]

2.1.1.3 Forefront Threat Management Gateway (TMG)
(SB) Forefront Stirling Blog [UPD-08-04]
(W3) Forefront "Stirling" TechCenter [UPD-08-04]

2.1.2 Internet Application Gateway (IAG)
(W3) IAG homepage [UPD-08-04]

2.1.2.1 Internet Application Gateway (IAG) 2007
(W3) IAG 2007 TechCenter [UPD-08-01]

2.1.2.2 Forefront Unified Access Gateway (UAG)
(SB) Forefront Stirling Blog [UPD-08-04]
(W3) Forefront "Stirling" TechCenter [UPD-08-04]

2.2 Network Access Protection (NAP) Solution
(SB) Network Access Protection Blog
(W3) NAP TechCenter
(BK) Windows Server® 2008 Networking and Network Access Protection (NAP)

2.3 Remote Access, VPN & Quarantine Services
(SB) Routing and Remote Access Blog
(SB) ISA Server Product Team Blog
(W3) Routing and Remote Access TechCenter
(W3) VPN TechCenter [UPD-08-04]

2.3.1 ISA 2006 VPN/QS
(W3) VPN Concepts in ISA Server 2006 [UPD-08-04]

2.3.2 Win2003 RAS/IAS/QS
(W3) IAS TechCenter [UPD-08-04]
(W3) Win2003 Remote Access Quarantine homepage [UPD-08-04]

2.3.3 Win2008 NPS
(W3) Win2008 NPS TechCenter [UPD-08-04]

2.4 Wireless Security
(B) Windows Core Networking Blog
(W3) Wireless Networking TechCenter [UPD-08-04]
(W3) Wireless and Mobile Security: Technical Resources [UPD-08-04]

2.5 IPSEC, “Server & Domain Isolation” Solution
(B) Windows Core Networking Blog
(W3) IPSEC TechCenter [UPD-08-04]
(W3) Server & Domain Isolation TechCenter [UPD-08-04]

2.6 Windows Firewall

(W3) Windows Firewall TechCenter [UPD-08-04]

3.0 Operating System Security

3.1 Client Operating System Security
(SB) Security Tips & Talk Blog [UPD-08-03]

3.1.1 Windows 2000 client security
(WP) Windows 2000 Hardening Guide [UPD-08-02]

3.1.2 Windows XP security
(WP) Windows XP Security Guide [UPD-08-02]

3.1.3 Windows Vista security
(SB) Windows Vista Security Blog
(W3) Windows Vista Security TechCenter [UPD-08-04]
(WP) Windows Vista Security Guide [UPD-08-02]
(SB) Windows Genuine Advantage Blog
(W3) Genuine Microsoft Software
(WP) IDC Study: The risks of obtaining and using pirated software

3.2 Server Operating System Security
(B) Windows Server Team Blog

3.2.1 Windows 2000 Server security
(W3) Windows Server 2000 Security TechCenter [UPD-08-04]
(WP) Securing Windows 2000 Server [UPD-08-02]

3.2.2 Windows Server 2003 security
(W3) Windows Server 2003 Security TechCenter [UPD-08-04]
(WP) Windows Server 2003 Security Guide [UPD-08-02]

3.2.3 Windows Server 2008 security
(W3) Win2008 Security & Protection TechCenter [UPD-08-04]
(WP) Windows Server 2008 Security Guide [UPD-08-04]
(BK) Windows Server® 2008 Networking and Network Access Protection (NAP)
(BK) Windows Server® 2008 PKI and Certificate Security

3.3 Windows Mobile Security
(B) Windows Mobile Team Blog
(W3) Device Management & Data Security
(W3) Wireless and Mobile Security: Technical Resources [UPD-08-04]

3.4 Server & Desktop Virtualization Security
(B) Windows Virtualization Team Blog [UPD-08-04]
(W3) Virtualization TechCenter [UPD-08-04]

3.5 Anti-Malware Solutions (for systems)
(SB) Anti-Malware Engineering Team

3.5.1 Windows Defender
(W3) Windows Defender homepage [UPD-08-04]
(W3) Windows Defender TechCenter [UPD-08-04]

3.5.2 Forefront Client Security
(SB) Microsoft Forefront Client Security Team Blog
(W3) Forefront Client Security TechCenter [UPD-08-01]

3.5.2.1Forefront “Stirling”
(SB) Forefront Stirling Blog [UPD-08-04]
(W3) Forefront "Stirling" TechCenter [UPD-08-04]

3.5.3 Windows Live OneCare
(W3) Windows Live OneCare homepage [UPD-08-04]
(SB) Windows Live OneCare Team Blog
(SB) Windows Live Safety Center Team Blog
(SB) Windows Live OneCare Family Safety Blog

4.0 Application Security

4.1 Application & Platform Core Security
(SB) The Security Development Lifecycle Blog
(SB) Microsoft Application Threat Modeling Blog
(SB) ACE Team (Security, Performance, and Privacy) Blog
(SB) "%41%43%45%20%54%65%61%6d" Blog

4.2 Client Applications Security

4.2.1 Office Security
(W3) Office Security TechCenter [UPD-08-04]
(B) Microsoft Office Team Blogs

4.2.1.1Previous versions: Office 2000, Office XP
(WP) Office 2003 Security Whitepaper [UPD-08-04]

4.2.1.2Office 2007 Security
(WP) 2007 Microsoft Office Security Guide [UPD-08-02]

4.2.2 Internet Explorer Security
(W3) Internet Explorer TechCenter [UPD-08-04]
(B) Internet Explorer Team Blog

4.2.2.1Previous versions: IE 6.0
(WP) Understanding Security in IE 6 in Windows XP SP2 [UPD-08-04]

4.2.2.2IE 7.0 Security
(WP) IE 7 Desktop Security Guide [UPD-08-04]

4.2.2.3IE 8.0 Security
(W3) Internet Explorer 8 beta 1 homepage [UPD-08-04]

4.2.3 Instant Messaging Security
(WP) Security Considerations for Instant Messaging in the Workplace [UPD-08-04]

4.2.3.1Windows Live Messenger Security
(B) Windows Live Messenger Team Blog

4.2.3.2Office Communicator 2007 Security
(B) Microsoft Office Communicator Team Blog

4.3 Server Applications Security

4.3.1 Exchange Security
(W3) Exchange Server TechCenter [UPD-08-04]
(B) Microsoft Exchange Team Blog

4.3.1.1Previous versions: Exchange 2000, Exchange 2003 Security
(W3) Exchange Server 2003 Security TechCenter [UPD-08-04]

4.3.1.2Exchange 2007 Security
(W3) Exchange Server 2007 Security TechCenter [UPD-08-04]

4.3.2 SQL Security
(W3) SQL Server TechCenter [UPD-08-04]
(W3) SQL Server Security TechCenter [UPD-08-04]
(B) Microsoft SQL Server Support Blog

4.3.2.1Previous versions: SQL 2000 Security
(W3) Checklist: Securing SQL Server 2000 [UPD-08-04]

4.3.2.2SQL 2005 Security
(W3) SQL Server 2005 Security TechCenter [UPD-08-04]

4.3.2.3SQL 2008 Security
(W3) SQL Server 2008 Security homepage [UPD-08-04]
(WP) SQL Server 2008 Security overview for DB administrators [UPD-08-04]

4.3.3 IIS Security
(B) IIS.net Blogs

4.3.3.1Previous versions: IIS 5.0 Security
(W3) IIS Security Guidance [UPD-08-04]

4.3.3.2IIS 6.0 Security
(W3) Security in IIS 6.0 [UPD-08-04]
(W3) Securing Web Sites and Applications [UPD-08-04]

4.3.3.3IIS 7.0 Security
(W3) IIS 7.0: Configure Web Server Security [UPD-08-04]

4.3.4 Sharepoint Security
(B) Microsoft Office SharePoint Server Team Blog
(W3) MOSS TechCenter [UPD-08-04]

4.3.4.1Microsoft Office Sharepoint Server (MOSS) 2007
(W3) MOSS Security TechCenter [UPD-08-04]

4.3.5 Unified Communications Solutions
(W3) Unified Communications homepage [UPD-08-04]

4.3.5.1 Office Communications Server (OCS) 2007 Security
(B) Microsoft Office Communications Server Team Blog
(W3) OCS TechCenter [UPD-08-04]

4.3.6 Application Virtualization Security
(W3) Application Virtualization TechCenter [UPD-08-04]

4.4 Anti-Malware Solutions (for Server applications)
(SB) Anti-Malware Engineering Team

4.4.1 Forefront Server Security
(SB) Microsoft Forefront Server Security Blog
(W3) Forefront Server Security TechCenter [UPD-08-04]

4.4.1.1Microsoft Antigen
(W3) Antigen TechCenter [UPD-08-01]

4.4.1.2Forefront Security for Exchange (Exchange 2007)
(W3) Forefront Security for Exchange TechCenter [UPD-08-01]

4.4.1.3Forefront Security for Office Communications Server
(W3) Forefront Security for OCS TechCenter [UPD-08-04]

4.4.1.4Forefront Security for Sharepoint (Office SharePoint Server 2007 and Microsoft Windows SharePoint Services 3.0)
(W3) Forefront Security for Sharepoint TechCenter [UPD-08-01]

4.4.1.5Forefront “Stirling”
(SB) Forefront Stirling Blog [UPD-08-04]
(W3) Forefront "Stirling" TechCenter [UPD-08-04]

5.0 User Security

5.1 Identity & Access Solutions
(W3) Microsoft Identity & Access Solutions homepage [UPD-08-04]

5.1.1 Directory Services Security
(W3) Active Directory Domain Services (AD DS) in Win2008 TechCenter [UPD-08-04]
(W3) Active Directory Lightweight Directory Services (AD LDS) in Win2008 TechCenter [UPD-08-04]
(W3) Group Policy TechCenter [UPD-08-04]
(B) Ask the Directory Services Team blog [UPD-08-04]
(B) Tim Springston’s Active Directory blog [UPD-08-03]

5.1.2 Identity Lifecycle Manager (ILM) 2007
(W3) ILM 2007 TechCenter [UPD-08-04]

5.1.3 Active Directory Federation Services (AD FS)
(W3) Active Directory Federation Services (AD FS) in Win2008 TechCenter [UPD-08-04]

5.1.4 Certificate Services and SmartCard
(W3) Active Directory Certification Services (AD CS) in Win2008 TechCenter [UPD-08-04]
(SB) Windows PKI blog
(SB) SmartCard Infrastructure Blog
(BK) Windows Server® 2008 PKI and Certificate Security

6.0 Data Security

6.1 Data Encryption solutions
(WP) The Data Encryption toolkit for Mobile PCs [UPD-08-04]

6.1.1 Encrypting File System (EFS)
(W3) The Encrypted File System [UPD-08-04]

6.1.1.1Previous versions: EFS in Win2000, WinXP, Win2003
(W3) EFS in WinXP and Win2003 [UPD-08-04]

6.1.1.2EFS in Windows Vista & Windows Server 2008
(W3) EFS in Win2008 [UPD-08-04]

6.1.2 BitLocker
(W3) BitLocker TechCenter [UPD-08-04]

6.2 Policy Enforcement solutions

6.2.1 Rights Management Server (RMS)
(SB) RMS: Protecting Your Assets.

6.2.1.1RMS in Windows Server 2003
(W3) RMS in Win2003 TechCenter [UPD-08-04]

6.2.1.2RMS in Windows Server 2008
(W3) RMS in Win2008 TechCenter [UPD-08-04]

6.3 Privacy Enhancing Technologies (PET)
(SB) The Data Privacy Imperative

6.3.1 Privacy Enhancements in Windows XP SP2
(WP) Controlling Internet Communications in WinXP SP2 [UPD-08-04]

6.3.2 Privacy Enhancements in Windows Vista
(WP) Windows Vista Privacy Statement [UPD-08-04]
(WP) Controlling Internet Communications in Windows Vista [UPD-08-04]

7.0 Security Foundations – Technology

7.1 Security Update & Compliance Management solutions
(SB) Microsoft Security Response Center
(SB) Security Vulnerability Research & Defense
(W3) Update Management TechCenter [UPD-08-04]
(SB) Solution Accelerators - Security & Compliance

7.1.1 Windows Update, Microsoft Update & Automatic Update Agent
(B) Microsoft Update Team Blog

7.1.2 WSUS
(B) WSUS Product Team Blog
(B) WSUS Support Team Blog [UPD-08-04]
(W3) WSUS TechCenter [UPD-08-04]

7.1.3 SMS & System Center Configuration Manager
(B) SMS & MOM Product Team Blog [UPD-08-04]

7.1.3.1 SMS 2003
(W3) System Management Server 2003 TechCenter [UPD-08-04]

7.1.3.2 System Center Configuration Manager 2007
(W3) System Center Configuration Manager 2007 TechCenter [UPD-08-04]

7.1.4 Microsoft Baseline Security Analyzer
(W3) MBSA homepage [UPD-08-04]
(W3) MBSA 2.1 homepage [UPD-08-04]

7.2 Security Monitoring & Auditing Solutions

7.2.1 System Center Operations Manager 2007
(B) Operations Manager Product Team Blog
(W3) System Center Operations Manager TechCenter [UPD-08-04]

7.3 Systems Management Solutions

7.3.1 System Center
(W3) System Center homepage [UPD-08-04]
(B) Nexus SC: The System Center Team Blog [UPD-08-04]
(W3) System Center TechCenter [UPD-08-04]

7.4 Hardware & Physical Security

7.4.1 Physical Security
(WP) Physical Security at Microsoft [UPD-08-04]

7.4.2 Trusted Platform Module (TPM)
See Bitlocker topic.

8.0 Security Foundation – Processes
(B) MOF and Service Management at Microsoft

8.1 Organizational Security & Policies

8.2 Operational Security & Procedures

Cisco, IBM, Intel, Juniper and Microsoft fight cyber terror together

Tue, 08 Jul 2008 06:30:29 GMT

Five major network hardware, software and services vendors are banding together to improve IT security by promoting faster responses to threats.

Industry Consortium for Advancement of Security on the Internet (ICASI) is a nonprofit organization created by Cisco, IBM, Intel , Juniper and Microsoft to address what it calls multi-product security threats.

The companies say ICASI will let vendors and customers work together on global IT security threats and resolve them in a government-neutral way. Last month, a group of countries banded together to create the International Multilateral Partnership Against Cyber Terrorism ( IMPACT), funded by private businesses as well as governments and based in Malaysia. The center is to offer emergency response, training and other resources.

“To date there has not been a trusted vendor environment that allows companies to identify, assess, and mitigate multi-product, global security challenges together on the customers' behalf,” the group says in a statement. “ICASI aims to fill this void.” Related Content

ICASI will target “global, multivendor cyber threats” to reduce their impact on end users. The group’s statement says these attacks target multiple products or protocols in products, giving them a broader impact. These attacks pose problems not only for end user customers, but also for vendors, the group says.

By working together the vendors hope to block this class of threat more quickly and blunt their effects on the security of customer networks. To that end, ICASI will develop efficient and effective practices for responding to these threats.

The hope is that with the group creating a forum of trust among members, they will share critical data about specific attacks more readily and thwart them more quickly. ICASI says it wants to set security response standards that it can share with the industry in general.

ICASI’s statement says it may work with other firms committed to similar goals, but does not say whether they will be full members.

Formation of the group was announced at the FIRST Conference in Vancouver for IT incident-response and security teams.

This story appeared on Network World at
http://www.networkworld.com/news/2008/062707-icasi-cyber-terror.html

Security virtual labs at HELLO SECURE WORLD

Wed, 18 Jun 2008 06:53:06 GMT

Check out the latest (but not so recent) Virtual labs, Videos and more

http://www.microsoft.com/click/hellosecureworld/default.mspx

I'm not a developer, so XSS really doesn't interest me. Videos are cool, but I've seen better.

It's running on Silver Light, so do install it, else you won't be able to access the content.

To run the lab, you will also need to install (risky and dangerous) ActiveX. Pop-up blocker must also be disabled.

So, what's in the virtual lab?

Cross Site Scripting
SQL Injection

There's also links to MS Dev blog,like Steve Riley and Kai Axford.

Security Videos - Securitytube.net

Fri, 06 Jun 2008 12:57:46 GMT

When it comes to Security, nothing beats classroom training. However, if cost is a hurdle, you may want to check out security videos on Securitytube.net. It's a library of security videos presented by h8x0r and security consultants alike. Like Youtube but focuses on security.

My personal favorite:

History of Hacking Series Part 1

Tons of Security related videos. Check it out!

Data Wiping Tool - Derik's Boot and Nuke

Fri, 06 Jun 2008 12:24:50 GMT

So I have discuss extensively on Full Disk Encryption,protecting your data that is residing in storage,be it USB or Hard Disk etc. But what if the data has reach its end-of-life, what do you do with a server or computer that no longer serve its purpose and is to be discarded? Unless the data is encrypted, then it could just be discarded. However, encryption is still considered a 'luxury' or an 'ideal' for many.

In my beloved country of mine, Malaysia, there is no Data Privacy Law. For the Financial Institution which is governed by the Bank Negara, in all of the IT Guideline, there is no chapter of 'Data Sanitization. Banks,Insurance companies with old pc may simply sell of their out dated PC's,servers with the hard disk intact without sanitizing the data first.

Knowing this, my response was to introduce a policy of 'Data Wiping' to my previous company. I included a chapter in the companies 'Information Security Policy', that required all desktop,server,storage devices to be sanitized prior to decommissioning. The policy I introduced also covered vendors,contractors etc which did business with my company. This also includes sanitizing computers and servers which my company used during our annual Disaster Recovery Test;which is usually conducted at a vendor's premises.

The tool I have used before is a no-brainer, simple to use, require no installation and best of all, for a IT Department on tight budget or the curse of having a Scrooge for CIO. Its called Darik (the creator) Boot and Nuke. The name says it all, boot up the desktop,laptop or server you intent to wipe, and nuke (wipe) it. You need to download the iso image, either burn it to a DVD,USB or a 3.5 floppy. The image will be loaded up when the system is boot up and a menu will allow you to choose the format of wiping, either a DoD (US Defense Department, RCMP (Royal Canadian Mounted Police),Guttman etc.

Extractor

Starting screen

Choosing wiping method

Selecting drive to be wiped

Wiping in action

Success

The tool is not only restricted for organization, however individuals who are aware and concern about their privacy. Before you sell that old piece of hard disk on Ebay or Lelong.com.my, be sure the wipe it clean.

Malaysian Prime Minister Official Website Defaced

Thu, 05 Jun 2008 06:03:45 GMT

So the goverment finally decided to raise the petrol price for Malaysians. Apart from causing massive traffic jams around the nation, the decision has also drawn protest from the undeground world. The Malaysian's PM Official website has just been defaced. I did save the print screen. Here's the link.

PMO Defaced

Feds encrypt 800,000 laptops; 1.2 million to go

Mon, 26 May 2008 07:39:54 GMT

A proactive move by the US Goverment. Private sector in the US has long mandated the use of FDE for laptops. The US goverment recieved up to 80% discount from FDE vendors for the initiave. My only hope that my local goverment and even local private sector follows this proactive informtion protection effort.

An excerpt from Infoworld:

U.S. government agencies are scrambling to plug one of their biggest security holes: sensitive information -- names, addresses and Social Security numbers, for example -- stored on laptops, handhelds, and thumb drives.

In the last year, agencies have purchased 800,000 licenses for encryption software through the federal Data at Rest (DAR) Encryption program, which is run jointly by the General Services Administration and the U.S. Department of Defense.

"Sales have been very brisk," says Fred Schobert, CTO for integrated technology services at the General Services Administration's Federal Acquisition Service. "We've been somewhat overwhelmed."

The government's fast adoption rate of encryption software comes after numerous headline-grabbing security breaches. Laptop encryption has also been on the rise among corporations, including the likes of EMC and IBM.

It's been two years since teens stole a laptop from the home of a U.S. Department of Veterans' Affairs employee's home, putting at risk for identity theft a database of 26.5 million names and Social Security numbers for 26.5 million veterans and military personnel.

But this year alone, laptops with personally identifiable information have been stolen from Bolling Air Force Base, a Marine Corps base in Okinawa, Japan and the National Institutes of Health in Bethesda, Md. In all of these cases, data that wasn't encrypted on these laptops could have been used by thieves for identity theft, according to a list of known security breaches compiled by the Privacy Rights Web site.

more here from InfoWorld

Server Lost during Renovation

Sun, 18 May 2008 02:54:57 GMT

I know how easy it is to lose a laptop, that's so common. But how do you lose a server?
HSBC stated that the server had 'multiple layers' of security.
I'm guessing Full Disk Encryption, Token-Key access etc.

All the more reason to have a 'Defense-in-Depth' appproach to security.
While firewall, IPS etc reduces the risk of attacks from network, those controls do little to protect physical treat like server theft.

I used to work in a shipping company where not only desktops and laptops were chained to the desk, but servers in server room were 'chained' too.
The server room had CCTV and a full time guard was placed to guard the server room,and this was only a shipping company.

HSBC lost server with customer data

By Computerworld UK Staff , Computerworld UK , 05/09/2008

HSBC has admitted losing a server containing data on 159,000 customers.

The server went missing on 26 April from its Kwun Tong district branch in Hong Kong during renovation work on 26 April. The server held customer names, account numbers, transaction amounts and transaction types, the banking giant confirmed.

HSBC said the server is protected by "multiple layers of security" and the risk of data breaches and fraud is "deemed to be low".

It also said the server contained no PIN codes or online banking login credentials.

The bank said it has reported the incident to the police, the Hong Kong Monetary Authority, and the Hong Kong privacy commissioner.

The Hong Kong incident is the latest security foul-up involving HSBC. In April, HSBC admitted it lost an unencrypted disc containing 370,000 customer details in the post.

HSBC has also struggled with its Secure e-payments system, with three outages reported this year that left merchants stranded and unable to process payments.

Security Assessment Tool - MSAT

Tue, 06 May 2008 18:46:55 GMT

      Firewall and Anti-Virus are commonly found in any of todays organization. This was not true back in the 80's or even 70's. Thanks to virus writer and script kiddies (and also the media), attacks on networks and malicious codes has forced companies to include Firewall and Anti-Virus as the 'must-have' in their LAN setup buy-list. Any companies who operates without these two security apparatus would be chastised and ridiculed. Even the CEO who's totally clueless about IT will not approve a LAN without a basic network firewall and anti-virus. People in general has become more aware of the treats,either by first-hand experience or even enlighten by the media. For the banking and financial industry, the push for them to have these basic security apparatus comes from either self-realization or better still, regulators. A bank or insurance company which operates without a these two basics will immediately raised a red flag during an audit exercise by the regulators, and the consequences would be very harsh, either summoned or lose their licensed.

    As we move on beyond 90's and into the 21st century, threats have now evolved. Threats are multi-facet, blended and sophisticated. the term 'zero-day' attack also begin in the year 2000,refers to Zero-day exploits generally circulate through the ranks of hackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor. What about fishing attacks or spyware or botnet etc? Wireless attacks etc.

   The threats has become more sophisticated and deadly, however, the average IT Pro's knowledge on Information Security, has remain unchanged or static. IT Pros are still deploying firewall and anti-virus as 'the only' line of defense. CEO or business owners are still not keen on adding other security apparatus to their line of defense like patch management, Intrusion Prevention System, Wireless Firewall/IDS etc.


For these people, their practice of Security has always been and always be - catching up with the treat. The idea of conducting Security Risk Assessment has never cross their mind.

What is Security Risk Assessment?

Security Risk Analysis
Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.

Security in any system should be commensurate with its risks. However, the process to determine which security controls are appropriate and cost effective, is quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process onto a more objective basis.

There are a number of distinct approaches to risk analysis. However, these essentially break down into two types: quantitative and qualitative.

Quantitative Risk Analysis

This approach employs two fundamental elements; the probability of an event occurring and the likely loss should it occur.

Quantitative risk analysis makes use of a single figure produced from these elements. This is called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost (EAC)'. This is calculated for an event by simply multiplying the potential loss by the probability.

It is thus theoretically possible to rank events in order of risk (ALE) and to make decisions based upon this.

The problems with this type of risk analysis are usually associated with the unreliability and inaccuracy of the data. Probability can rarely be precise and can, in some cases, promote complacency. In addition, controls and countermeasures often tackle a number of potential events and the events themselves are frequently interrelated.

Notwithstanding the drawbacks, a number of organisations have successfully adopted quantitative risk analysis.

Qualitative Risk Analysis

This is by far the most widely used approach to risk analysis. Probability data is not required and only estimated potential loss is used.

Most qualitative risk analysis methodologies make use of a number of interrelated elements:

THREATS

These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.

VULNERABILITIES

These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, for fire a vulnerability would be the presence of inflammable materials (e.g. paper).

CONTROLS

These are the countermeasures for vulnerabilities. There are four types:

o Deterrent controls reduce the likelihood of a deliberate attack

o Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact

o Corrective controls reduce the effect of an attack

o Detective controls discover attacks and trigger preventative or corrective controls.

These elements can be illustrated by a simple relational model:

Dazed and Confused?

To the average IT Pro or even non-technical, the above sounds so academic and so difficult to implement. Rather, they would just prefer to leave their standard security defense as it is rather than hiring a consultant to do a Risk Assessment,which would incur additional cost to a very tight budgeted IT organization.

Security Assessment is very crucial, it helps IT Pro's and Business Owners understand what threats thier organization are exposed to, and more importantly how to reduce the risk exposure, without over spending. In dealing with threats, there is also the scenario of 'over spending'. This happens when either the IT Pro or the Business Decision Makers are all too hype up about the security threats, they start 'throwing money' at security, hoping that, thier organization would be solid and sound like Fort Knox. Most often, despite the investment, they still find themselves attack,and very often from areas which are overlooked. The only people who are laughing all the way to the bank when this happens,are the security vendors who sold them all the products.

So, an assessment is very necessary and crucial. An assessment should be conducted before even purchasing the two most basic security apparatus, firewall and anti-virus.

Are there some basic tools out there that could help IT Pro's and Business Managers to do a self-security-risk-assessment, without having to be 'schooled' first? A point-and-click tool that only requires, Yes and No and at most a 10 minutes blank-stare to get the answer.

Enter - Microsoft Security Assessment Tool.

So to make IT Pro's and IT Managers life easier when it comes to conducting security assessment, I urge you to use the MSAT. It's free and its easy to use.

It gives you an overview of where your organization is in terms of security, and where you want to go.

Key Features:

Recognize areas of business risk.
Identify Defense-in-Depth.
Generate reports that will identify areas of concern.
Analyze the results from the perspectives of technology, people, and processes.

When to Use:

The Security Assessment tool should be used to gather information and provide recommendations and best practices for your customers. This tool will not only identify specific security applications, but will also focus on people and processes. It provides information on business risk profile, infrastructure, applications, operations, and people.

Synopsis:

This application is designed to help organizations with fewer than 1,000 employees assess weaknesses in their current IT security environments. It will help identify processes, resources, and technologies that are designed to promote good security planning and risk mitigation practices within the organization.

Estimated Time to Complete:

1-3 hours

Download It Here

- I know this pretty basic for some, but most orgnization hardly conducts any security assessment, and have been doing so for the longest time.

Best approach to security, with your eyes wide open!