Brandon's WebLog

Not sure what to say yet.....I'm sure I'll think of something :)

TIP: Quick thoughts on Security....

I'm not going to reveal anything revolutionary here, but it's important nonetheless.....

IMO, if there's one site that you need to pay attention to at Microsoft, it's this one:
http://www.microsoft.com/security/security_bulletins/

You hate websites?  Or need notification services?
http://www.microsoft.com/security/security_bulletins/alerts2.asp
- Make sure to read this if you're going to use the Email services:

When's this information coming in an RSS Feed?....
I hear this one a lot lately and the reasons seem great.  Your notifications aren't tied to your email, there would be no more concerns about if the message was really from MS (no SMTP spoofing concerns), etc...

That one I can't help directly with, but definitely let Microsoft know that this is something that customers really want so that we can make the changes.  One Suggestion from me?

The monthly Executive Circle Security Webcast with Mike Nash, Vice President of Microsoft's Security Business Unit, is a resource to help customers keep up-to-date on security improvements across Microsoft.

These webcasts are an opportunity for customers to get the latest details on security enhancements in Microsoft's products as well as tips and insights into key security strategies.

On Tuesday, 16 March 2004 at 8:30AM PST the next monthly Executive Circle Security Webcast will be held with Mike Nash and Eric Lockard, general manager of host security technologies at Microsoft. Log in to learn about security assessment tools and best practices for security policy, assessment and vulnerability analysis.

More information and registration are available at:

http://go.microsoft.com/fwlink/?LinkId=24508

Thank you,

Microsoft PSS Security

Get this in your calendar and let our Security Business Unit know that this is something that you want!!

Published Friday, March 12, 2004 1:38 PM by brandonhoff

Comments

 

Jerry Pisk said:

And why exactly should I trust an RSS feed any more than e-mail? If they're not secured (S/MIME or SSL respectively) neither should be trusted. And if they are secured (e-mails signed and RSS feeds authenticated) then you can trust either. Saying e-mail insecure, RSS feed secure is too much simplification... After all, it's not that difficult to spoof a web site, as long as it doesn't use SSL (then you'd have to come up with a trusted certificate to a well known site). And you can trust e-mails, as long as they're signed (and of course, you verify the certificate, as you would with SSL).
March 12, 2004 4:23 PM
 

Brandon said:

ok, so NO MORE CONCERNS was a blanket statement that probably should be retracted, thanks Jerry. With the incredible simplicity in which SMTP is spoofed, and the difficulty for the average person to understand how to verify and handle digital certs. Excellent point however Jerry, I concur
March 12, 2004 5:18 PM
 

Jerry Pisk said:

Brandon, I actually wanted it to point out that spoofing web sites is not as difficult as most people think. A simple hosts file entry will have you downloading malicious code while you think you're getting critical updates from Microsoft. Especially since most Windows users run as Administrators, so they do have enough rights to change their hosts files (off-topic rant: would someone please explain why WinXP creates user accounts as Administrators? At least the first one, but how many users actually create an extra account just to get around this).

But my points about signed e-mails still stand...
March 13, 2004 1:15 AM
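
A defender's check for the hosts-file redirection raised in the comment above, as an added example that is not part of the original post or its comments: it parses a hosts file and reports any entry that pins a watched domain to a local answer. The watch list, function names and sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list: domains whose resolution should never be pinned locally.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Constructed sample hosts file (not taken from a real machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.microsoft.com download.microsoft.com   # constructed override
198.51.100.9    intranet.example.test
0.0.0.0         ads.example.test
not-an-ip       windowsupdate.com
203.0.113.7     notmicrosoft.com
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for each well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank line or address without a name
        try:
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                            # first field is not an IP: skipped here
        for name in fields[1:]:                 # one address may carry several names
            yield line_no, addr, name.lower().rstrip(".")

def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """True for the domain itself or any subdomain, but not look-alike suffixes."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def find_overrides(text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, address, hostname) for every pinned watched name."""
    return [(n, str(a), h) for n, a, h in parse_hosts(text) if is_watched(h, suffixes)]

if __name__ == "__main__":
    for line_no, addr, host in find_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} is pinned to {addr}")
```

To audit a real machine, pass the contents of the local hosts file (on Windows, `%SystemRoot%\System32\drivers\etc\hosts`) to `find_overrides` instead of the sample.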
 
