There be dragons here…

Posted in Cookies, Internet Explorer, Security on 26 Aug 2011 by Stuart Aston

Blue Dragon Boxshot FrontSo… I’m a security guy, and I tend to think of privacy as a good outcome that comes from good security with supporting policy, I’m not a “privacy” guy.

But the bit of work I did on TPL’s did kick off a small brainstorm in my head, about how much of this stuff is out there?

So I went to my favourite news site and went to there privacy page; they were very good and clearly displayed the kinds of cookies and who they were going to and for what purpose.  I was kind of stunned at how many of them their were , go on have a guess …


…on one site; that did have a really good and clear way of telling me about them, security aside, there must be “a” performance impact…  I have amended my tracking protection list accordingly:

# Above is a version header.
# “Expires” sets the number of days when to check the server for an update
: Expires=3
# block the following domains
-d kissmetrics
-d nielsen-online
-d quantcast
-d netratings
-d sagemetrics
-d ominiture
-d scorecardresearch
-d doubleclick
-d google
-d specificmedia
-d 247realmedia
-d mediamind
-d atlassolutions
-d mediaplex
-d audiencescience

now I know people out there will be thinking … it can’t be that bad surely.

So a challenge to you go and find a site that you use regularly see if Error wrong badyou can find its privacy page, if you can see if you can find the tracking cookies it gives you… At least one site I went to claimed to have a privacy page, but, it must have been in the filing cabinet,  in a disused lavatory with a sign on the door saying beware of the leopard … because I couldn’t find it , and another had a privacy page that essentially said nada.  So how bad could it be…

I genuinely don’t know, but, I’m slowly looking at each site I’m going to and finding its privacy page, if it has one and seeing what’s there…


Cookie Re-spawning Neutered

Posted in Cookies, Internet Explorer, Security on 19 Aug 2011 by Stuart Aston

This article was drawn to my attention recently: Man reveals secret recipe behind undeletable cookies, which seemed to be troubling for a lot of people. I spoke to a couple of friends and colleagues about this, and I thought I would see if I could use Tracking Protection Lists in IE9 to neuter them.

It turns out that it was easy to write the tracking protection list; it took me a few minutes to write the list, this included reading the spec, and working out how to host it:

# Above is a version header. 
# “Expires” sets the number of days when to check the server for an update
: Expires=3
# block the kissmetrics domain 
-d kissmetrics

it’s not particularly hard, the above example blocks kissmetics site, completely I can still browse their site, but, iwont be getting any downloads from them.

And I have hosted it here just click on the “install list” button to install this Tracking Protection List to IE9.

So that was simple … much easier than i thought in fact, Tracking Protection Lists, write one today!

Bluehat Prize

Posted in Security on 3 Aug 2011 by Stuart Aston

Microsoft’s Trustworthy Computing Group today announced the “BlueHat Prize,” an incentive for researchers to develop original ideas to help protect customers, computers, and devices.
The top three winners in the BlueHat Prize competition will earn a total approximate retail value of over $250,000 in cash and prizes: $200,000 for the Grand Prize; $50,000 for Second-Place; and an MSDN Universal subscription valued at $10,000 for Third-Place. Prizes will be awarded to contestants who design a novel way to prevent the use of memory safety vulnerabilities, a key area of focus for Microsoft. Examples of similar technologies include Data Execution Prevention (DEP), which helps prevent attacks that attempt to exploit vulnerabilities in software.
The new twist on the incentive is designed to inspire researchers to engage in ground-breaking research, unlike other companies that pay per-vulnerability.
Beginning today, the official rules and guidelines for the competition are available at and contest submissions will be accepted from Tuesday, Aug. 3, 2011 until Sunday, April 1, 2012. A panel of Microsoft security engineers will judge submissions based on the following criteria: Practicality and Functionality (30 percent); Robustness—how easy it would be to bypass the proposed solution (30 percent); and Impact (40 percent). The winners will be announced at Black Hat USA 2012.
Posted from WordPress for Windows Phone

Security Intelligence Report (SIR) vol.10

Posted in Security on 12 May 2011 by Stuart Aston

imageToday, we published our latest security Intelligence report. Taking data from a wide variety of sources and bringing them together to provide a clear picture of what is going on in the threat landscape.

For me the SIR is always a useful tool in understanding threat trends, it helps IA professionals understand the broad scheme of risk that is threatening our customers, and there are some surprising trends; in Q3of 2010 the malicious use of Java Script rose by a factor of 14 compared to the previous quarter.

With the rise in use of social networking sites, criminals have started to use them as a potential source/target for phishing attacks and as a result social networking phishing attacks rose from 8.3% in January 2010 of Phishing attacks we saw to 84.5% in December of 2010 for all Phishing attacks we saw in that period. The latest versions of IE have the SmartScreen Filter technologies that actively defend against this kind of attack.

The use of rogue security software is also on the rise and is one of the most common ways that is used to swindle money form unsuspecting consumers. In many cases this “scareware” looks very professionally produced, and makes claims about “their” ability to detect and remove threats that only “they” can see. In actual fact these claims are false and the goal is to get a consumer to hand over their credit card details or install malware.  A number of these packages were added to the Microsoft Malicious Software Removal Tool, this runs as part of the monthly security updates most consumers download from Microsoft, and still more sites were added to the reputation service that SmartScreen Filter uses, to enable their browser to protect them from these  threats.

But for consumers and for businesses our  advice remains unchanged stay up to date on your Microsoft software updates (via Microsoft Update) and also ensure that your other software has its security updates applied as well.  Make sure that you have a reputable antivirus program , Microsoft Security Essentials if free to consumers and small businesses and uses the same antimalware engine as our Enterprise product Forefront Endpoint Protection.

It’s also clear that using the latest software means that you will be less likely to be successfully attacked, and the 64 bit versions of our products are the most robust:


For enterprises there are more options available such as the use of AppLocker. Over 98% the threats that we see are not signed and using AppLocker to only allow the execution of signed code; will significantly decrease the amount of malware that will be able to execute.  Enterprises can also use  the  Enhanced Mitigation Evaluation Toolkit (EMET) which enables you to turn on Data Execution Prevention (DEP) and Structured Exception Handling and Overwrite Protection (SEHOP) may enable enterprise customers to “upgrade” the protection of existing applications, though EMET may require some work on the part of an enterprise.    I say these are for enterprises; and they are available to consumers EMET via download and AppLocker via the Ultimate Edition of Windows 7, but these tools are aimed more at the IT Professional than the home user.

The important thing to remember is that you can take action which makes you safer:

– Anti Virus software, get some if you haven’t already and keep it up to date

– Update all your software regularly from your software provider, many providers have automatic mechanisms for this, use them when they are available.

– Upgrade to the most recent version of the software that you can,  they typically have better inbuilt defences, at both the application and the operating system level.  64 bit operating systems are safer still in, general you are about 1/3 less likely to get an infection.

– Use Complex passwords and don’t have the same one for everything… they protect your data and if a single site you use is compromised not all of your passwords will be.

Security Intelligence Report (SIR) vol.10

– Police issue warning over ‘Microsoft’ telephone scam

Posted in Fraud, Security, Social Engineering on 12 May 2011 by Stuart Aston

Whilst this particular article is not recent it does seem that this type of activity is still going on, alas these scams are not new, and like most “types” of crimes they don’t seem to go away. I have been asked for advice by a number of colleagues on recent activity.


First off I would like to remind readers that Microsoft does not keep track of consumers that purchase our software and we do not directly contact consumers for any reason whatsoever. Do not to trust anyone who has called you claiming to be from Microsoft and needing access to your home PC.

In some ways this is “spam via a phone”; and unsolicited calls of this nature, no matter the “reason” should be treated the same way, don’t give your credit card details or personal information to people you don’t know; and don’t invite them “inside”.

I do encourage you to keep  safe when online and to always ensure the copy of Windows they are running is genuine and fully up to date. We encourage all PC users to visit

When using a PC that is connected to the internet we also encourage users to download and install legitimate software to guard against viruses, spyware, and other malicious software.

Free products such as Microsoft Security Essentials and Internet Explorer will help protect users from online threats.   

– Police issue warning over ‘Microsoft’ telephone scam

Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC – Darkreading

Posted in Cloud, Passwords, Security, Tools on 12 Jan 2011 by Stuart Aston


binary ring codeSo why is this news? Well, other than it is the first time that a researcher has made an announcement regarding it?


Largely any workload could be put into the cloud. Cloud vendors, ourselves included, have suggested that large mathematical functions that require intensive processing could and should be offloaded to the cloud either in part or in totality, since the launch of cloud based services and cracking passwords is a large maths function.

cloud illustration iconThat  the "cloud could be used for password cracking", should not surprise anyone, it will gain the same economic benefits as any other application when applied to the cloud, this was inevitable. 

In the meantime use a strong password, or two factors of authentication about stuff you care about…

Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC – Darkreading

Windows 7, the safest Microsoft operating system yet…

Posted in Government, Security, UK on 18 Dec 2010 by Stuart Aston


CESG recently said of Windows 7 that it was “the safest version of a Microsoft operating system” and “encouraged Her Majesty’s Government to adopt Windows 7 when choosing a Microsoft Operating system”.

Security secure Download all no shadowAs some of you may know we work with CESG to produce a best practice framework for configuring Windows 7 for its use within UK Government. We call this guidance the Government Assurance Pack (GAP), and is made freely available to all UK government departments via CESG.  It does not require the use of expensive third party software and builds on Microsoft’s investments in developing secure  code (SDL) and features like AppLocker, Group Policy, ASLR, DEP,  x64,  etc… to provide a low impact, supportable security configuration for UK governments use.

The approach of the GAP is to utilise the basic features of the operating system to provide a common starting point in making risk management decisions, from a “default deny” perspective.   In doing so it allows business owners  to make a positive risk management decision between  the use of a particular feature or application and the business requirement for its use.

In addition Microsoft BitLocker and BitLocker to Go can be used be used by UK Government departments to protect information at rest up to Business Impact Level 3, with appropriate guidance from CESG, which will meet or exceed the requirements for most government users,

people operator hard hat construction iconSome people have asked why would you do something special for government?   I don’t typically go to work wearing a hard hat and safety boots, but, I know that in certain environments it is appropriate to wear them.  Windows is a general purpose operating system, and while it is secure by design, by default and in deployment, government in general faces a higher level of risk than most consumers and even enterprises and so it is appropriate to take additional measures to mitigate those risks.  The measures we use are built into the operating system, though they are regarded as a configuration not generally required by most businesses and consumers, but, the advantage this gives is that the GAP configuration is fully supported .

The GAP was created in conjunction with CESG and with Microsoft’s Security Centre of Excellence a true joint effort between government and industry, if you are a  UK government department requiring information on the use of Windows 7 please contact your CESG representative for more details.

%d bloggers like this: