// archives

Internet

This tag is associated with 15 posts

RSA 2015 – Microsoft Key Announcements in Security

 

The US RSA conference is probably the world’s leading security conference with about 30’000 participants and took place last week in San Francisco. Scott Charney, Microsoft’s CVP Trustworthy Computing, gave a noteworthy keynote on Enhancing Cloud Trust that can be watched here. It is well worth the time.

The announcements made by us and the presence that Microsoft had at the conference was impressive. The main theme was very clearly that we truly live in a mobile first, cloud first world and that with the explosion of devices and apps come new challenges. Security has been a top priority for Microsoft for a long time already and Microsoft is committed to providing customers with transparency and control over their data in the cloud. Here are the highlights that we announced:

  • New Security & Compliance signals and activity log APIs so that customers can access enhanced activity logs of user, admin and policy related actions through the new Office365 Management Activity API.
  • New customer Lockbox for O365 that brings the customer into the approval workflow if one of our service engineers would have to troubleshoot an issue that requires elevated access. With the customer lockbox the customer has the control to approve or reject that request.
  • Device guard is the evolution of our malware protection offering for Windows 10 and brings a new capability to completely lock down the Windows desktop such that it is incapable of running anything other than trusted apps on the machine.
  • Increasing levels of encryption where O365 will implement content level encryption for e-mail in addition to the BitLocker encryption we offer today (similar to OneDrive for Business’ per-file encryption). In addition we expect enabling the ability for customers to require Microsoft to use customer generated and controlled encryption keys to encrypt their content at rest.
  • Microsoft Passport is a new two factor authentication designed to help consumers and businesses securely log-in to applications, enterprise content and online experiences without a password.
  • Windows Hello which will provide that Microsoft Passport can be unlocked using biometric sensors on devices that support that (most notably iris and face unlock feature in addition to fingerprint).
  • Azure Key Vault which helps customers safeguard and control keys and secrets using FIPS 140-2 Level 2 certified Hardware Security Modules in the cloud with ease and at cloud scale and provides enhanced data protection and compliance and control.
  • New Virtual appliances in Azure where we work with industry leaders to enable a variety of appliances so that customers have greater flexibility in building applications and enabling among others network security appliances in Azure.
  • Enterprise Mobility where we have the Enterprise Mobility Suite (EMS) bringing customers enterprise grade cloud identity and access management, mobile device management and mobile app management and data protection (Reto’s comment: not new but worthy to call out having grown our install base by 6x just in the last year)

More information can be found on Scott Charney’s blog on “Enabling greater transparency and control” that also has further links to more in-detail information on the individual technologies mentioned above.

Targeted Attacks Video Series

Cybersecurity is currently on the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity the topic of targeted attacks is put into the center. This is now even encreasing as we see such attacks being used much more commonly than usually assumed and only a small number of organizations have the resources to limit or even detect them.

The question is then often what a targeted attack really is and to answer that we have created the Targeted Attacks Video Series  on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarizes three security whitepapers, Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.

Take the time to look at them below – it is well worth it:

  • Introduction to Determined Adversaries and Targeted Attacks: Tim Rains, Director, Microsoft Trustworthy Computing, provides background information on these types of attacks and set the context for the rest of the video series.

  • Mitigating Pass-the-Hash Attacks: Patrick Jungles, Security Program Manager, Trustworthy Computing, explains what a Pass-the-Hash attack is and some tested mitigations to help manage the risk associated with credential theft attacks.

  • Anatomy of a Cyber-attack Part 1: Sean Finnegan, CTO of the Microsoft Consulting Services Cybersecurity Practice, walks through a typical targeted attack, step by step, describing how attackers perpetrate these attacks.

  • Anatomy of a Cyber-attack Part 2: Sean Finnegan finishes his briefing on how determined adversaries commit targeted attacks.

  • Importance of Securing Active Directory: Bret Arsenault, Microsoft CISO, discusses the importance of protecting your Active Directory in the context of target attacks.

 

I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value then that discussion that discussion should start sooner rather than later.

Windows Defender Offline – new tool against advanced malware

I wrote previously about how to secure your computer but last week Microsoft’s Malware Protection Center released a new tool against rootkits and other advanced malware that I would briefly like to review – the Windows Defender Offline.

Windows Defender Offline is scanning your PC to remove rootkits and other advanced malware that can’t always be detected by antimalware programs. If such a type of malware is detected on your PC you will be prompted by Microsoft Security Essentials to use Defender. However, it is good practice to run the Defender Offline on a regular basis as some advanced malware doesn’t necessarily get detected by any anti-virus program.

The main difference between Defender Offline and most other anit-malware tools is that it is run from a clean boot disk/CD/USB Stick and that way anti-malware that tries to use some cloaking technique will not have the possibility to hide.

For more information on what Windows Defender Offline does and what the system requirements are, please visit this website: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline.

Best of breed or end-to-end security stack

One of the discussions that I often have with senior IT decision makers is the overall security architecture and how the different layers of security mechanisms work together. In these talks I often see that security in enterprises is approached as a layered approach where, on purpose, security elements and products of different software vendors are used. I call this the best of breed approach as for each security function one can pick the top performer on the market. The main motivation behind this is that if there would be a weakness in a product from one vendor that the same problem will then not be found in the underlaying security layer as it is not from the same origin.

Sounds great? Adds clearly more security? Well yes in theory but maybe no in practice. The reality is that with the financial pressure that is common on todays system’s integrators, operations resources (financial, people and know-how) are sparse and the nicely designed layered approach has suddenly gaps as the complexity is just too high to have it properly handled. This then leaves gaps in the defense. In addition, the interaction of different products is often not well known. What hurts in that regard is that applying security patches can only be done once a thorough testing has occurred – which in turn takes time and resources and means that crucial patches are applied later and the window of opportunity for an attack is open longer.

With this now comes the question. What in practice brings you more security. The best of breed approach that is seldom fully implemented or the end-to-end security stack where your dependence on one supplier is increasing? How much of the dependence do you have already anyway? I observe a move to the second approach – mostly out of lack of operational resources – also in large enterprises with a quite a high security level. I see this even more accelerating in the future when we have more and more security solutions that are offered as cloud or hybrid services where platform compatibility will be a large factor. Does that mean we are having a sort of consumerization of IT also for security?

Less Spam today? Good news – I will tell you why

Microsoft Digital Crimes Unit

Did you notice that you got fewer spam e-mails today? All in all there were about 3.8 Billion fewer spam mails sent out. Why? Because there is one less Botnet in operation. Today Microsoft annaounced that we have taken down the Kelihos botnet in an action codenamed “Operation b79”.  This is the third botnet takedown in Microsoft’s Project MARS (Microsoft Active Response for Security), a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center (MMPC) and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. Why does it matter? Because it is one step further in making cybercrime more expensive and it is the first time Microsoft has named a defendant in its fight against botnets making suddenly cybercrime much less anonymous.

Microsoft has a very interesting unit in the fight against Cybercrime – the Digital Crimes Unit. I had the opportunity to spend last week at their premise in Redmond, to have interesting discussions and get our efforts in regard to child abuse and digital crimes aligned. With our ever increased dependance on our computers, smartphones and networks at home, on the road and at work, it becomes more and more crucial to keep this infrastructure safe, secure and private. To achieve this we are working in close cooperation with local law enforcement agencies, government CERTs, Internet Providers and other organizations and agencies. From a personal perspective it is highly interesting to have the opportunity to work at national level as a facilitator and sponsor between these Swiss entities and the different units of Microsoft Redmond and to be able to participate in the fight against child abuse and cybercrime.

The fight against botnets will continue. There are still tens of thousands of computers infected that regularely try to connect to the three botnets Microsoft took down. The following video gives an impression of the state of two botnets as of 21. September 2011.

What now needs to be done is to clean up the infected computers. To aid in this I started working together with Government, Internet Service Providers and Community Emergency Response Teams so that we can also take advantage in Switzerland of the work that is done in Redmond. More on that in a later post once the initiative has advanced and all partners are on board. In the meantime – please keep your computers safe and private. With that you are participate in the global fight against cybercrime and you keep your privacy protected. You can find information on “how-to” in this earlier blogpost.

Interested to know more about the botnet takedown? Read here the official Microsoft Blog.

Follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

 

Evolution of Datacenters – Secure, Scalable and Reliable Cloud Services

I often get asked how Microsoft provides over 200 cloud services and what security measures are in place. There is a good video available that addresses how Microsoft delivers cloud services to more than a billion customers and 20 million businesses in over 70 countries. It is also a fascinating view onto the evolution of modern datacenters and their energy efficiency.

Here it goes:

Beta for next version of Windows Intune

A while ago I wrote about that small and medium businesses have become the new primary target for cybercrime and how to secure your PC in a second post. Today I want to combine the two and share some thoughts on how today the cloud helps in securing your desktops.

When this blog is going live, Microsoft will have the beta of the next release of Windows Intune announced. More information on that is available on the Windows for your Business Blog. In short, the next release of Windows Intune has features specifically requested by partners to better serve their customers. This release is in response to the need for the ability to distribute software – with this beta, administrators can deploy updates or software to PCs that can be located virtually anywhere without server infrastructure or physically touching each PC to install the software or update.

Intune shows the trend to move security capabilities into the cloud. To have a central administration possibility used to involve a fair amount of resources and was felt beyond the possibilities of many small and medium businesses. Not any more. With solutions like Windows Intune every business – as small as it might be – can centrally administrate the PC’s, patch and update them, install software, check the health of the virusscanners etc from an easy web-based interface. You pay for as many PC’s as you are administrating. Not more – not less. In addition to significantly increasing the security of the network it might also save money and reduce the dependence on external IT support if you have outsourced the administration of your endpoints so far.

With this we see another answer to the question if the cloud is safe and if security is possible in the cloud. It is a great example that security is made possibly by the cloud reducing the investment needed to provide security services. A development I like a lot.

Security updates – measuring effect (Autorun Abuse)

Obviously I am a strong advocate of keeping computers up to date and especially on installing security updates. However, it is normally pretty hard to measure the effects on such activities. And now that we have an example where we can see very directly the effect of a security update I would like to share that with you.

Maybe you are aware of Windows XP and Vista’s autorun feature. Basically very convenient but also unfortunately widely exploited. On 8. February Microsoft started the release of updates for Win XP and Vista to prevent AutoPlay from being enabled automatically except in combination with CD’s and DVD’s. Effectively locking down this feature more. With this we can now look at infection rate before and after this update and measure the effect. You can read the whole thread in our threat research and response blog.

In a nutshell – the effect was pretty substantial. The infection rates for Win XP and Vista went significantly down. XP’s infections on scanned computers were reduced by 59% and the ones of Vista by 74% while Win 7 stayed basically the same as it had this feature already enabled. An additonal interesting point is that the infection rate didn’t change significantly with Win XP SP2 as it is out of support and therefore didn’t get the update.

Chart showing effect of autorun update. Source: Microsoft

 

 

 

 

 

 

 

Another interesting aspect was that the overall infection rates changed also significantly. By May of 2011 the number of infections found by the Microsoft Malicious Software Removal Tool was reduced by 68%. Which means that by making even just one section of a computer “population” more secure it can have a significant residual effect with the rest of the computers.

My conclusion? This is a good example to show the effectiveness of security updates. So my recommendations is to let the update feature install them automatically as soon as they get available and to make sure that your operating system is still receiving the updates and is not out of support. So if you still run XP SP2 please make sure to update as quickly as possible to XP SP3.

FaceNiff – who is posting your Facebook updates?

So, you are sitting at Starbucks or at the airport or any other relatively crowded place and you have Facebook open or twitter or Amazon. You look to your right and see a nicely dressed woman/man tap on his/her mobile. Maybe you are smiling – thinking that he/she texts too much. Well – think again – because your seemingly nice neighbor might be in that second updating your Facebook status, adding weird “Friends”, posting a twitter message or rummaging through your Amazon shopping basket.

What? How? Why? These are the thoughts that might run through your mind. Well it’s easy – because there is a new app in town running on Android. It’s called FaceNiff and it highjacks everybody’s Facebook, Twitter, Youtube, Amazon and Nasza-Klasa account (more to come) that has it open on the same wireless network. It’s not really much new – firesheep did more or less the same a while ago but now it’s even less obvious and even easier (watch the video on here). It is a shame that the platforms that are affected did not take the firesheep warning serious and secure their systems better and maybe they learn from it. However, I see the problem at least as much in the mobile platform. Android is in effect an open platform. If you have an app that runs on it – you can install it. It might be easier or harder but even something that is just out there to download can be put on a rooted device. This leaves the door wide open to take the step to develop mobile platforms into mobile attack platforms. The mobile devices get more and more powerful and they are so unintrusive – the perfect platform for the new cyber criminal. And yes – I regard everybody that breaks into my accounts as a cyber criminal. There is no glory involved – it is just cheap and it’s exploiting my privacy and might be harmful to me and/or my reputation.

So what should we do? First – think again if you sign into any of the affected platforms when connected to a shared network. Second, show to providers that you support closed platforms. As an example, you will not find FaceNiff on a Microsoft Windows Phone platform because Microsoft (and others too to some extent) has a phone architecture that only lets apps installed through the their marketplace. Only apps get onto the marketplace that have been tested. And there is no jealbreak for WP7 so that option is out too. So you can favor platforms that protect you and you can write to the makers of the less secure platforms and voice your concern. Please do iit if you care. Will it help for the next time you sit at Starbucks? No it will not – but I believe that in time the platform(s) will survive that serve all customers and not just an individual. This is not about telling you what you are allowed to do on your mobile – as long as you are doing something legitimate. Consumers should have a choice, they should be able to make choices. That is what brings us further and boosts innovation. But I also want to have my private and work life on an Internet that is more secure for everybody than what we see today and phone platforms will have a massive impact on that.

So, if you sit at Starbucks next time – maybe look around with a new question on your mind. Who is posting updates on their own – and who on other person’s accounts. You might be surprised.

New Microsoft Security Incident Report – current and emerging threats

 

This morning the microsoft trustworthy computing team released the new Security Incident Report (SIR). The report provides in-depth perspectives on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches in both Microsoft and third party software.

And why is this relevant? While reading a crime novel has certainly more entertainment value, the report gives an impression on where cybercrime is heading and how the threats are evolving. This has relevance for security experts, government officials but also for everybody using the internet. Here are some information that I found especially interesting:

  • Cybercriminals continue in deceiving customers through “marketing-like” campains and fake product promotions.
  • Pornpop is an adware family that attempts to display adult advertising. In the 4th quarter of 2010 it was the most prevalent malware worldwide and was cleaned from nearly 4 million systems by Microsoft’s anti malware desktop products. Cybercrime has definitely moved to becoming a business.
  • Phishing attacks to social networking sites jump 8.3% to 84.5% which shows that criminals have seen success with social engineering based approaches especially on social networking sites.
  • Specifically to Switzerland. The MSRT detected malware on 4.1 of every 1’000 computers scanned in Switzerland in 4Q10. This compares to an average worldwide of 8.7 of every 1’000.

The security incident report is special insofar, that it contains the most comprehensive data coverage of any report in the industry. It includes over 600 million data samples, executing millions of malware removals annually, scanning billions of e-mails, over 280 million active Hotmail accounts, and billions of pages scanned by Bing each day. The data collection is actually quite impressive. The data included is gathered from a wide range of Microsoft products and services globally, including: Bing, Windows Live Hotmail, Forefront Online Protection for Exchange, Windows Defender, the Malicious Software Removal Tool (MSRT), Microsoft Forefront Client Security, Windows Live OneCare, Microsoft Security Essentials and the Phishing Filter in Internet Explorer.

You can read and download the report at www.microsoft.com/sir. Maybe not something to put on your bedside table as it will probably keep you awake at night!

About the Author

Reto is partner at PwC Switzerland. He is leading the Cybersecurity practice and is member of PwC Digital Services leadership Team. He has over 15 years work experience in an information security and risk focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe and also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.

more about me and contact info

replica Rolex