Archive for the Security Category

10 years of building trust

Posted in Cyber Security, Security, Security Development Lifecycle, TWC on 12 Jan 2012 by Stuart Aston


When I joined Microsoft the world was a different place: we were not always connected and always on, and computer threats were a curiosity for the majority. That started to evolve rapidly, and 10 years ago today Bill Gates published his memo on Trustworthy Computing; he laid out the change of direction we would take as a company, placing security and trustworthiness as an integral component of the way in which we build software and deliver services to our customers.

Over those 10 years we have changed and evolved: SDL is not only an integral component of developing software inside Microsoft, but also for many partners and developers around the world. We have made significant contributions to improving Security, but also in Privacy, Reliability and Business Practices. Newer software continues to be safer software, as we have shown in our Security Intelligence Reports, as a result of our efforts in SDL. Microsoft Security Essentials is freely available to those who wish to use it to protect their computers.

In the last 10 years we have learnt a lot and built trust with many of our customers, and trust is one of the greatest assets that a company can have. But to maintain that trust, Trustworthiness must continue to evolve and grow to deal with the changing environment; as people place greater reliance on computing and it becomes entwined with every aspect of our daily lives, we must continue to advance trust in technology.

But this is not something that any one technology, individual or company can accomplish alone; we will continue to work with government and industry partners on combating cyber criminals, through the work of the Digital Crimes Unit and their work on botnet takedowns and PhotoDNA, but it is only achievable by working with partners and working together to make the internet a safer place.

How can you celebrate it? I think that we can best celebrate an event by embracing it:

- Moving to x64 based architectures as part of a defence in depth strategy
- Moving to the most recent version of software that you can, and keeping it patched and up to date
- Employing SDL in your development practices, or looking for SDL-like behaviours in software you procure for your business
- Educating your users and developers about best practice for them, and acceptable risk for you
- Educating your family on how to be safe online.

Trustworthy computing is more important today than it was 10 years ago, and we remain committed to delivering it, with our partners.


Tell a friend…

Posted in Cyber Security, Fraud, Security, SIR, UK on 4 Nov 2011 by Stuart Aston

So, in our latest SIR report we note that about 50% of the attacks we see require some form of user interaction; more and more criminals are using confidence tricks, either online or by telephone, to target “us” and get our money.

The reality is that the best defence against these types of attack is personal awareness that the problem exists. Sure, IE9 and other modern browsers can help protect you, as can AV; having a strong password, staying current on all your software and keeping it updated all help. But none of those defences are present when a criminal phones you up claiming to be from a reputable company offering you support. Just to be clear: we will not phone you, and nor will any of our partners, offering support for a fee.

If you are a consumer and you think you have a security problem, use this link:

or to contact us more generally, look here:

Cut and paste them into your browser.

Next week is Get Safe Online week; it’s about promoting awareness of these issues, and helping people and businesses be “safer online”. Be aware, tell a friend and get them to go and read , who knows, if we can get our friends to be safe online maybe we can get our businesses to be safe as well…

SEC == Security

Posted in Cyber Security, Government, Security, SIR on 23 Oct 2011 by Stuart Aston


CF Disclosure Guidance: Topic No. 2 – Cybersecurity

I would have completely missed this if it wasn’t for a colleague who spotted it; she described it as “This is the single largest announcement in cyber security in 10 years”…

And she is right to do so; this fundamentally changes the behaviour of companies in relation to security.

By getting companies to report incidents and assert a value associated with the loss, it puts Cyber Security on the agenda of the board, which is where it should have been for the last decade at least.

It enables investors to make choices based upon reported incidents, and to determine whether a company is a wise investment as a result, in comparison to its peers.

Well done SEC… now maybe customers will do security updates in a timely fashion, and take user education about security seriously, as an investment in investor confidence.

It will be interesting to see how they report and what mitigations they start to take. In our latest Security Intelligence Report we note that, of the most common attacks we see, most do not use a 0-day and can be mitigated with simple maintenance, and that just under half require some level of user interaction; hopefully this will put both patch management and user training on the board agenda of all publicly traded companies.

Cloud and End Points and Security

Posted in Cloud, Security, Security Updates on 19 Oct 2011 by Stuart Aston

So… a question that often throws me for a loop is this:

“If ‘I’ move to the cloud I don’t have to worry about security at my client end point, right?”…

Err… no, that’s not right.

But “why?”, I hear you ask.

Well, of course, if you go to a reputable cloud service provider they will apply security updates to the servers that provide your services; as commercial providers of services they will keep those servers up to date and hardened to deal with attack, utilising defence in depth, etc…

But the end-point, the thing that accesses the actual data, mail or services, still needs to be kept up to date, as much as it does in a non-cloud scenario; that’s still ‘your’ responsibility as the IT professional for your environment, and you still need to manage it. Malware will still be able to take data from these devices through un-patched vulnerabilities, using the privileges of the user.

Do we have to do less work keeping things up to date? Well, yes: those servers that you no longer manage and have moved to the cloud will be updated by the service supplier in the SaaS and PaaS models. In the IaaS model, the user is still responsible for managing the patching of the guest operating system, whatever it is.

Of course, you could always move the management of the endpoint to the cloud using a service like Windows Intune.

In summary: moving to the cloud doesn’t mean you can just “stop” updating your end points; depending on the model of cloud service you adopt, you may be able to stop patching some of your servers.

There be dragons here…

Posted in Cookies, Internet Explorer, Security on 26 Aug 2011 by Stuart Aston

So… I’m a security guy, and I tend to think of privacy as a good outcome that comes from good security with supporting policy; I’m not a “privacy” guy.

But the bit of work I did on TPLs did kick off a small brainstorm in my head about how much of this stuff is out there.

So I went to my favourite news site and went to their privacy page; they were very good and clearly displayed the kinds of cookies, who they were going to and for what purpose. I was kind of stunned at how many of them there were, go on, have a guess…


…on one site, one that did have a really good and clear way of telling me about them. Security aside, there must be “a” performance impact… I have amended my tracking protection list accordingly:

msFilterList
# Above is the version header that must be the first line of a TPL.
# “Expires” sets the number of days when to check the server for an update
: Expires=3
# block the following domains
-d kissmetrics
-d nielsen-online
-d quantcast
-d netratings
-d sagemetrics
-d omniture
-d scorecardresearch
-d doubleclick
-d google
-d specificmedia
-d 247realmedia
-d mediamind
-d atlassolutions
-d mediaplex
-d audiencescience

Now I know people out there will be thinking… it can’t be that bad, surely.

So a challenge to you: go and find a site that you use regularly, see if you can find its privacy page, and if you can, see if you can find the tracking cookies it gives you… At least one site I went to claimed to have a privacy page, but it must have been in the filing cabinet in a disused lavatory with a sign on the door saying “beware of the leopard”… because I couldn’t find it, and another had a privacy page that essentially said nada. So how bad could it be…

I genuinely don’t know, but I’m slowly looking at each site I go to, finding its privacy page, if it has one, and seeing what’s there…

Cookie Re-spawning Neutered

Posted in Cookies, Internet Explorer, Security on 19 Aug 2011 by Stuart Aston

This article was drawn to my attention recently: Man reveals secret recipe behind undeletable cookies, which seemed to be troubling for a lot of people. I spoke to a couple of friends and colleagues about this, and I thought I would see if I could use Tracking Protection Lists in IE9 to neuter them.

It turns out that it was easy to write the tracking protection list; it took me a few minutes, and that included reading the spec and working out how to host it:

msFilterList
# Above is the version header that must be the first line of a TPL.
# “Expires” sets the number of days when to check the server for an update
: Expires=3
# block the kissmetrics domain
-d kissmetrics

It’s not particularly hard; the above example blocks the kissmetrics site completely. I can still browse their site, but I won’t be getting any downloads from them.
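To show what IE9 does with a list like this one (and the longer list in the previous post), here is an added example, not code from the post, that parses the TPL text and checks whether a URL's host would be blocked. The msFilterList header line, substring matching of "-d" rules against the host, and "+d" allow rules taking precedence are assumptions about IE9's behaviour.

```python
# Added example (not from the post): parse the IE9 Tracking Protection List
# format shown above and check whether a URL's host would be blocked by it.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class TrackingProtectionList:
    expires_days: int = 30   # assumed default when no ": Expires=" line is present
    blocked: list = field(default_factory=list)   # "-d" rules
    allowed: list = field(default_factory=list)   # "+d" rules

def parse_tpl(text: str) -> TrackingProtectionList:
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "msFilterList":
        raise ValueError("TPL must start with the msFilterList header line")
    tpl = TrackingProtectionList()
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        if line.startswith(":"):           # setting, e.g. ": Expires=3"
            key, _, value = line[1:].partition("=")
            if key.strip() == "Expires":
                tpl.expires_days = int(value.strip())
            continue
        kind, _, domain = line.partition(" ")
        domain = domain.strip().lower()
        if kind == "-d" and domain:
            tpl.blocked.append(domain)
        elif kind == "+d" and domain:
            tpl.allowed.append(domain)
        else:
            raise ValueError(f"unsupported TPL rule: {line!r}")
    return tpl

def is_blocked(tpl: TrackingProtectionList, url: str) -> bool:
    # Domain rules are matched as substrings of the host, so "-d kissmetrics"
    # covers i.kissmetrics.com as well (assumption about IE9 matching).
    host = (urlsplit(url).hostname or "").lower()
    if any(d in host for d in tpl.allowed):
        return False                       # allow rules take precedence
    return any(d in host for d in tpl.blocked)

# Constructed sample: the post's list with the required header line in place.
SAMPLE_TPL = """msFilterList
# "Expires" sets the number of days when to check the server for an update
: Expires=3
# block the kissmetrics domain
-d kissmetrics
"""
```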

And I have hosted it here; just click on the “install list” button to install this Tracking Protection List into IE9.

So that was simple… much easier than I thought, in fact. Tracking Protection Lists: write one today!

Bluehat Prize

Posted in Security on 3 Aug 2011 by Stuart Aston

Microsoft’s Trustworthy Computing Group today announced the “BlueHat Prize,” an incentive for researchers to develop original ideas to help protect customers, computers, and devices.

The top three winners in the BlueHat Prize competition will earn a total approximate retail value of over $250,000 in cash and prizes: $200,000 for the Grand Prize; $50,000 for Second Place; and an MSDN Universal subscription valued at $10,000 for Third Place. Prizes will be awarded to contestants who design a novel way to prevent the use of memory safety vulnerabilities, a key area of focus for Microsoft. Examples of similar technologies include Data Execution Prevention (DEP), which helps prevent attacks that attempt to exploit vulnerabilities in software.

The new twist on the incentive is designed to inspire researchers to engage in ground-breaking research, unlike other companies that pay per vulnerability.

Beginning today, the official rules and guidelines for the competition are available at and contest submissions will be accepted from Tuesday, Aug. 3, 2011 until Sunday, April 1, 2012. A panel of Microsoft security engineers will judge submissions based on the following criteria: Practicality and Functionality (30 percent); Robustness, i.e. how easy it would be to bypass the proposed solution (30 percent); and Impact (40 percent). The winners will be announced at Black Hat USA 2012.