// archives


This category contains 23 posts

The Beauty of Airtravel

I travel a lot for work and it brings me in touch with many different people and cultures. Sometimes when I am sitting in a busy airport I look up from my screen and watch the planes come and go. My thoughts might then trail towards the security discussions that we need to intensify around critical infrastructure, the complexity of the logistics behind such an airport, or simply that it is beautiful to watch a plane take off.

I found by coincidence a visualization of air traffic over Europe that puts the points above into a new scale. It emphasizes the need to be able to protect the digital command, control and communication systems involved in managing something as complex as air travel, but at this point I suggest you just click on the movie and enjoy the beauty of it.


Europe 24 from NATS on Vimeo.

The video was created from real flight data, using UK radar data from June 21 and European flight plan information from July 28. If you want to know more, check out the original blog post by Paul Beachamp.

Microsoft increases protection of customer data from government snooping


One topic has been on the top of most discussions I had during the last months – the “NSA/PRISM” data leakages. While some of the points were already known previously and were, for example, part of Microsoft’s transparency report, there were points that were worrisome. Especially worrisome were the recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures to collect private customer data.

These concerns shaped many of the discussions that I had over the last months, in which confidence in the security and privacy of online communication was questioned. In response to these allegations Microsoft decided to take immediate and coordinated action, and Brad Smith, General Counsel & Executive VP Legal and Corporate Affairs, sketched out in a blog post Microsoft’s actions for better protecting customer data from government snooping.

The actions are concentrating on three areas:

· We are expanding encryption across our services.
· We are reinforcing legal protections for our customers’ data.
· We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.

Please see the original blog post from Brad Smith for more information. From a European perspective it is especially interesting to know that we will open a transparency center in Europe so that governments have the appropriate ability to review Microsoft source code, reassure themselves of its integrity and confirm there are no back doors.

Windows 8.1 Security Functions – Enabling new Workstyles


I have now been working with Windows 8.1 for a while and I really like it. It enables me to have one device for two work modes. I use the modern interface when I am mostly reading or consuming information and then change to the traditional desktop when I am writing documents, presentations etc.

As a security professional I also like Windows 8.1 because it enables new scenarios in the enterprise. For accessing the most sensitive information I want to be able to know the device that is accessing it and to know the health of the device before letting it do so. And with Windows 8.1 I can now do exactly that for a touch device.

Dustin Ingalls, our Group Program Manager for Windows Security & Identity, attended Black Hat, gave a presentation on the Windows 8.1 security functions and published a blog post about it. I summarize the most important points below and encourage you to read his full blog post with the details:

The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home. The main points are the following:

#1 Trustworthy Hardware
Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork.

#2 Modern Access Control
With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device. Key points here are first-class biometrics and multi-factor authentication for BYOD.

#3 Protecting Sensitive Data
We’ve also put a lot of thought into how businesses can protect their data even when it resides on employees’ personal devices.
Pervasive Device Encryption: With Windows 8.1, device encryption is now available on all editions of Windows for devices that support InstantGo. In addition we implemented Selective Wipe of Corporate Data: With Windows 8.1, we introduce Remote Data Removal, which allows an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.

#4 Malware Resistance
As security threats continue to evolve, we continue to step up our built-in malware resistance measures to stay ahead of attackers by improving Windows Defender and enhancing Internet Explorer.

The points above are only a selection; more is in the original post.

Targeted Attacks Video Series

Cybersecurity is currently on the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity the topic of targeted attacks is put into the center. This is now even increasing as we see such attacks being used much more commonly than usually assumed, and only a small number of organizations have the resources to limit or even detect them.

The question is then often what a targeted attack really is, and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarize three security whitepapers: Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.

Take the time to look at them below – it is well worth it:

  • Introduction to Determined Adversaries and Targeted Attacks: Tim Rains, Director, Microsoft Trustworthy Computing, provides background information on these types of attacks and sets the context for the rest of the video series.

  • Mitigating Pass-the-Hash Attacks: Patrick Jungles, Security Program Manager, Trustworthy Computing, explains what a Pass-the-Hash attack is and some tested mitigations to help manage the risk associated with credential theft attacks.

  • Anatomy of a Cyber-attack Part 1: Sean Finnegan, CTO of the Microsoft Consulting Services Cybersecurity Practice, walks through a typical targeted attack, step by step, describing how attackers perpetrate these attacks.

  • Anatomy of a Cyber-attack Part 2: Sean Finnegan finishes his briefing on how determined adversaries commit targeted attacks.

  • Importance of Securing Active Directory: Bret Arsenault, Microsoft CISO, discusses the importance of protecting your Active Directory in the context of targeted attacks.


I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value, then that discussion should start sooner rather than later.

Microsoft phases out MSN Messenger – Cybercriminals try to profit

Microsoft announced a while ago that Skype and Messenger are coming together. That means that millions of Messenger users will be able to reach their Messenger friends on Skype. By updating to Skype, Messenger users can instant message and video call their Messenger friends. This good news is now being used by cybercriminals for attacking new systems. The criminals’ approach is fairly simple – they take advantage of the fact that MSN Messenger is still popular. Microsoft now promotes the download of Skype on the former MSN Messenger page and informs users that their Messenger contacts will be available in Skype. There are still people who want to download MSN Messenger, and this is the window of opportunity that cybercriminals exploit. They register malicious domains, buy advertising links on search engines and try to trick the user into downloading and installing malware that masquerades as MSN Messenger. With this they gain access to the computers of the victims, and from then on the computer of the victim is under their control.

Don’t fall into that trap! Take steps to protect your computer (I wrote earlier a blog post about this that I have now updated) and only download software from official sources, which in this specific case means downloading Skype from the official Microsoft site or from skype.com; you will then be able to merge your Messenger and Skype contacts.


Migrate to Skype



Recommendations for cleaning a computer

Normally I write my blog posts in English, but since I receive many requests in German about what someone can do when a cybercriminal (e.g. a fake “Microsoft supporter”) has obtained access to a computer by deception, I am posting my recommended procedure in German.

The question of what was done on a computer during a fake “support session” unfortunately cannot be answered in general, since the procedure is not always the same. If you gave someone access to the device or downloaded and ran a program, then in principle anything may have “happened”. Very likely the criminals were after your bank and credit card information. They can reach that goal in different ways – whether by having you pay directly for a fake virus protection service or by installing spyware on your computer.

Regarding the next steps I suggest the following:

  • Do not connect your PC to the Internet again until it has been “cleaned”.

  • Change all passwords.

  • Have the PC examined by a specialist to determine whether spyware or similar has been installed. If you want to and are able to do this yourself, a good tool for it is described at http://www.retohaeni.net/2012/04/windows-defender-offline/, but unfortunately even this does not offer 100% certainty. I would recommend that a computer specialist examine the computer. Alternatively, the safest option is probably to set up the operating system from scratch (reinstall Windows and all applications – not an update or upgrade) and afterwards secure the computer again as I describe in my blog post on the subject. Please do not forget to back up all data etc. beforehand.

  • Contact your bank and describe the incident to clarify whether, for example, credit cards need to be replaced or similar.

As Microsoft we are also a victim here and can do little against criminal acts, since we are only indirectly affected. Accordingly, you may need to file a police report. You can report the case, for example, at http://www.cybercrime.admin.ch/kobik/de/home.html. This is not yet a formal complaint, but KOBIK will then recommend further steps to you.

I hope this helps as a starting point.

On Privacy: Things might not be what they appear

I got this forwarded at work and thought I’d share it with you. It is a video promoting safe internet banking, but it is valid for all online topics. Be cautious about what you put online at any point – it might be used in a way you did not intend.


Windows Defender Offline – new tool against advanced malware

I wrote previously about how to secure your computer, but last week Microsoft’s Malware Protection Center released a new tool against rootkits and other advanced malware that I would briefly like to review – Windows Defender Offline.

Windows Defender Offline scans your PC to remove rootkits and other advanced malware that can’t always be detected by antimalware programs. If such a type of malware is detected on your PC, you will be prompted by Microsoft Security Essentials to use Defender Offline. However, it is good practice to run Defender Offline on a regular basis, as some advanced malware doesn’t necessarily get detected by any anti-virus program.

The main difference between Defender Offline and most other anti-malware tools is that it is run from a clean boot disk/CD/USB stick. Because the infected operating system is not running during the scan, malware that uses a cloaking technique (such as a rootkit hooking the running system) has no opportunity to hide.

For more information on what Windows Defender Offline does and what the system requirements are, please visit this website: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline.

Windows 8 – why it matters for business

I have heard a couple of times from enterprises that Windows 8 looks great but that it is a consumer product, and that adoption in the enterprise does not seem to bring an obvious advantage as most users work on a laptop or desktop and don’t need a Metro interface. While I understand this initial reaction, I see a large benefit for businesses in using Windows 8.

The way people work has changed and more work is done mobile. Until now the challenge was to still have the reliability, productivity and security a business needs. This is one of the strong advantages of Windows 8: it integrates seamlessly into the IT infrastructure and provides enterprise-class security, and it does so in multiple ways. Windows 8 provides an innovative and fun way to work on a slate or tablet in addition to more traditional laptops and desktop PCs. In addition there is the possibility to have Windows 8 on a USB stick with Windows To Go – a fully managed corporate Windows 8 desktop. Travelling light has never been that easy.

Picking some elements to talk about is not easy, as the new functionality is significant, but looking at today’s cybersecurity threats I very much like the improvements that were made to the secure foundation. Trusted Boot is a key element. It validates the integrity of the entire boot process – from hardware, boot loader, kernel and boot-related system files to drivers. With antimalware loaded before all non-critical Windows components we achieve better protection from rootkits. This in combination with Measured Boot, BitLocker Drive Encryption, AppLocker and claim-based access control delivers end-to-end security like never before.
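As an added example that is not part of the original post, the PowerShell function below reads the state of the secure-foundation components mentioned above (Secure Boot as part of the Trusted Boot chain, the TPM that Measured Boot and BitLocker depend on, BitLocker protection per volume, and whether any AppLocker policy is in effect) on the local machine. It uses only cmdlets that ship with Windows 8 / Windows Server 2012 and changes nothing; it assumes it is run from an elevated session, and the warning texts are my own wording.

```powershell
# Added example (not from the original post): inventory the Windows 8 "secure foundation"
# on the local machine from an elevated PowerShell session. Every cmdlet used below ships
# with Windows 8 / Windows Server 2012 (SecureBoot, TrustedPlatformModule, BitLocker and
# AppLocker modules); nothing here changes configuration, it only reads state.

function Get-SecureFoundationStatus {
    $result = [ordered]@{}

    # Secure Boot (start of the Trusted Boot chain) is only reported on UEFI firmware;
    # on legacy BIOS the cmdlet throws, which we record instead of treating as a failure.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = 'N/A (legacy BIOS or unsupported firmware)'
    }

    # A TPM is what makes Measured Boot possible and what BitLocker seals its keys to.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # BitLocker status per volume: protection state and the key protectors in use.
    $result.BitLockerVolumes = Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
            @{ Name = 'KeyProtectors'; Expression = { ($_.KeyProtector.KeyProtectorType) -join ',' } }

    # AppLocker: an effective policy with zero rule collections means no application
    # whitelisting is enforced on this machine.
    $policy = Get-AppLockerPolicy -Effective
    $result.AppLockerRuleCollections = @($policy.RuleCollections).Count

    [pscustomobject]$result
}

$status = Get-SecureFoundationStatus
$status | Format-List

# Flag the gaps a reviewer would care about (warning texts are this example's own).
if ($status.SecureBootEnabled -ne $true) { Write-Warning 'Secure Boot is not enabled.' }
if (-not $status.TpmReady) { Write-Warning 'TPM is absent or not ready; Measured Boot and TPM-bound BitLocker are unavailable.' }
$status.BitLockerVolumes | Where-Object { $_.ProtectionStatus -ne 'On' } |
    ForEach-Object { Write-Warning "BitLocker protection is off on $($_.MountPoint)." }
if ($status.AppLockerRuleCollections -eq 0) { Write-Warning 'No AppLocker rules are in effect.' }
```

The function returns one object so the same check can be run across a fleet (for example via remoting) and the results compared; the warnings at the end are the conditions under which the layered protection described above is not actually in place.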

This is only a short overview on some of the Windows 8 features for business. A deeper and broader description was posted today in the Windows Team Blog here. It is worthwhile reading it.

Also check out the short video for an overview of some central aspects of Windows 8:



Best of breed or end-to-end security stack

One of the discussions that I often have with senior IT decision makers is about the overall security architecture and how the different layers of security mechanisms work together. In these talks I often see that security in enterprises is approached in a layered manner where, on purpose, security elements and products of different software vendors are used. I call this the best-of-breed approach, as for each security function one can pick the top performer on the market. The main motivation behind this is that if there were a weakness in a product from one vendor, the same problem would not be found in the underlying security layer, as it is not from the same origin.

Sounds great? Clearly adds more security? Well, yes in theory but maybe no in practice. The reality is that with the financial pressure that is common on today’s system integrators, operational resources (financial, people and know-how) are sparse, and the nicely designed layered approach suddenly has gaps, as the complexity is just too high to be handled properly. This then leaves gaps in the defense. In addition, the interaction of different products is often not well known. What hurts in that regard is that applying security patches can only be done once thorough testing has occurred – which in turn takes time and resources and means that crucial patches are applied later and the window of opportunity for an attack is open longer.

With this now comes the question: what in practice brings you more security? The best-of-breed approach that is seldom fully implemented, or the end-to-end security stack where your dependence on one supplier increases? How much of that dependence do you have already anyway? I observe a move to the second approach – mostly out of a lack of operational resources – also in large enterprises with quite a high security level. I see this accelerating even more in the future when we have more and more security solutions that are offered as cloud or hybrid services, where platform compatibility will be a large factor. Does that mean we are having a sort of consumerization of IT also for security?

About the Author

I am Microsoft's Chief Security Officer and Advisor for Western Europe and have over 15 years of work experience in an information security and risk focused IT environment as program manager, technical director, Chief Risk Officer and group CIO.

more about me and contact info

