-
A very generic overview about yet another area to remember when thinking about Information Security: your web services. Interesting fact here was:
"Of all vulnerabilities disclosed in the last six months of 2005, nearly 70 percent were associated with Web applications, Symantec said."
http://www.cio.com/blog_view.html?CID=20038
-
I just got an email from someone asking me how I did this and whether I could help them also do it. Unfortunately, as far as I know, there is no easy way of doing this, unless you happen to work at Microsoft! :) And even then, it's probably not easy to do anymore since the beta program is now closed. I joined the original beta program for Windows Mobile 5 and one of the supported phones was the SMT5600. I purchased it unlocked and went and upgraded it. Because the boot loader is locked (different from a SIM lock), it's not an easy process and I wouldn't recommend any of the stuff floating around out there, as it could void your warranty, is probably illegal, and could "brickify" your phone.
-
While kind of light on depth, this article does bring up some good points. My commentary on some of these:
#3 - External consultants know more about information security than in-house personnel
This is a good one. People think they need to bring in a security company to do a couple of "pen-tests", present a thick report on how bad security is and walk away. That is not security. I'm not saying don't use external consultants at all; they definitely have their place and Microsoft uses them extensively as well. But the outside security consultant is a tool just like any other tool in the Information Security Practitioner's drawer: it can be used appropriately and wisely, or not. More often than not, people spend a lot of money and get a false sense of security because they are leveraging these consultants incorrectly.
#4 - Info Sec must be a separate org to be effective
I don't think this is particularly a myth that people out there believe one way or the other. A good security organization is an important part of any large organization today, but there are different approaches to security and, to a certain extent, of course security is the responsibility of all employees.
#5 - Complex Passwords make things more secure
Passwords suck. That's why Microsoft is planning on getting rid of all user passwords in 2007. I think other organizations are coming around to this as well.
#6 - Because SSL is turned on, the site is secure and so is my data
This is a personal pet peeve of mine. Sites will say they are very secure and if you click on the "more info" button, more often than not, they'll explain they're more secure because their web pages are served over SSL! What a crock. Sure, SSL mitigates a specific type of threat (man-in-the-middle attacks or sniffing of the traffic in transit), but it does nothing about what happens after the web server: What happens to the data in the database? What kind of ACL policy is there? What are the data transfer policies inside the corporate network? Is the data left in a flat file on a share that all authenticated users have access to? SSL in and of itself is not everything; it's just another layer.
http://www.financetech.com/feed/showArticle.jhtml?articleID=184400638
-
This article discusses a way of generating one time pads using the frequency and strength of Quasar radio signals. Supposedly this is new but I think some government agencies are already using this or similar methods. Thanks /. for the link!
http://www.newscientistspace.com/article.ns?id=dn8913&feedId=space_rss20
-
One of the biggest features of Exchange in an enterprise environment is the shared calendaring and collaboration features. I can see when other people are busy or free, set up meetings with them and even book a conference room, all right from a Meeting request.
Although these are sent to the client as “emails”, Outlook displays them differently, as Meeting requests with associated time/location/date etc. metadata. If you need the notes in the meeting request, reply to it, it then becomes a regular email. If you need someone else to attend the meeting, forward it. If you need to decline the meeting but want to let someone else know that they should attend instead, decline it, edit the response, type in your reason and cc: the other person. Now they will get the decline notice and the message. You can also just forward them the original meeting request so it shows up on their calendar.
Conference Calls
Microsoft provides conference bridge services to anyone who may need to set up a conference call. Because I do so many of them, I’ve created a separate email signature that includes my dial-in information. When I’m sending out a conference call request, I flip my signature and a nice text box shows up instead that includes the call-in #, the passcode and the local # to dial. Like this:
Dial In Information:
Toll Free: 866 xxx xxxx
Participant Passcode: xxxxxx
Notifications
One of the cool features I liked about Outlook 2003 when I was first dogfooding it was the small notice bar that would pop up for a few seconds every time I got an email that let me know who it was from and what the first few words of the email were… but as time went on I realized that this decreased my productivity. I’d always be looking when something popped up and would feel the urge to reply immediately, taking me away from the task I was working on. So all notifications of any kind, are now turned off. I don’t take Outlook offline like some folks do, I check occasionally to see what’s new in my inbox throughout the work day. Our team internally will generally communicate by Microsoft Office Communicator (IM for the enterprise) anyway so I don’t miss anything critical.
Knowing where to go
It was great that my Outlook always knew about all my meetings, when they were and where they were; unfortunately it’s not always convenient to check your laptop, for example when you’re driving. That’s why I find having a Microsoft Smartphone essential. I have my trusty Audiovox SMT5600 that I upgraded to Windows Mobile 5.0 and it’s still kickin’ butt over most of the phones on the market out there. I’m waiting for a while before upgrading.
I sync my phone every day or two with my laptop; if you have a data plan and your Exchange server is set up for it, you can do it over the air as well. By default, 15 minutes before every meeting I get a beep reminding me. If it’s an in-person meeting it tells me which conference room it’s in (and which building, the MS Campus is quite ginormous) or if it’s a conference call, what the dial-in information is. I can’t tell you how many times it’s saved me!!!
If you have some deadly Outlook tips of your own, please post them below :)
-
A while back I was talking to someone who was delivering a talk on security when an odd thing happened. Whenever he was talking about phishing, he kept calling it "fizzing". I spoke to him afterwards; apparently he had no idea what the significance of the "ph" in phishing is. All you old-time hackers should already know this, so move along, nothing to see here! But for everyone else: back when most folks didn't know what computer security was and kids were breaking into everything that had a dial tone and a modem handshake, there developed a culture of "phone phreaks" (pronounced "freaks"). Phreaking was the art and science of bending the phone system and related hardware to your will; usually this had a lot to do with hacking corporate PBXs, calling card numbers, or the actual phone system switches. Other times it was just playing around with things you found while calling random numbers, like the default passwords for cellular voicemail boxes, strange tones and screwy caller IDs. Phreaks also developed the various tone boxes. This was generally a sub-culture, however, and most Americans had no idea what was going on or what level of access some of these guys were able to get. For example, this Esquire article from 1971 was really the first time anyone had heard about blueboxes and the cool things you could do with them. (By the way, most if not all of these no longer work :)
Anyway, so the "ph" comes from phone, and that's how phreaking and, much later, phishing got it too. It's pronounced like an "F".
-
Mike Poulson posted this quick registry hack to move your attachments and emails from your device's own memory to a storage card. A registry editor is included with some of the devices shipped out there; some not. If you know of a good (free) one that works with SmartPhone / PPC please post a comment.
https://blogs.msdn.com/mpoulson/archive/2006/01/09/510839.aspx
-
I have no knowledge of this from Microsoft internally whatsoever; all I know is what is posted in this article. But if it's true, I think it's a great idea. Why not let anyone who wants to develop for your platform do so? It's what has made Windows so successful. There may be some concern about game quality/testing etc., but that could easily be addressed by not giving the "official stamp of approval" to games that haven't passed the required testing; everything else would still run, but they would be restricted in using Xbox logos, Live integration etc. Anyway, just some thoughts.
http://news.com.com/2061-10797_3-6052255.html
-
[Updated: 3/23/06: Welcome Digg users. If you are interested in information security, please check out the rest of this blog, as well as my team's blog and our threat modeling blog. Happy digging :)]
This article is a good read. Generally, most of the things highlighted in the article are things that we don't run up against at Microsoft. Our default SQL Server configs in Microsoft IT are pretty solid. We do see the occasional SQL injection bug, but usually it is fixed quickly. To address the SQL injection issue, we generally don't allow dynamic SQL at all, and stored procs are the order of the day.
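The point about dynamic SQL versus stored procs comes down to whether untrusted input ever becomes part of the statement text. The following is an added example, not code from this post or from Microsoft IT: it uses an in-memory SQLite table with constructed sample rows (the `users` table, `SAMPLE_USERS`, and the function names are all assumptions made for the illustration) and compares a lookup that concatenates the caller's input into the query with one that binds it as a parameter, which is the same property a stored procedure called with typed parameters gives you on SQL Server.

```python
import sqlite3

# Constructed sample data: a tiny "users" table standing in for the
# SQL Server table the post refers to. Not the post's own code.
SAMPLE_USERS = [("alice", "a1"), ("bob", "b2")]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic_sql(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE (the 'dynamic SQL' pattern): the statement is built by
    concatenating untrusted input. A quote character in `name` closes the
    string literal and the remainder of the input is executed as SQL."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: the statement text is fixed and `name` is a bound parameter,
    so the database treats the entire value as data, never as syntax.
    A stored proc taking a typed parameter behaves the same way."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on the same input; report the row count each returns."""
    conn = setup_db()
    try:
        return {
            "dynamic": len(lookup_dynamic_sql(conn, name)),
            "parameterized": len(lookup_parameterized(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Well-formed input: both paths return the one matching row.
    print(compare("alice"))
    # Input containing a quote: the concatenated statement now matches every
    # row, while the parameterized lookup matches none, because no user is
    # literally named that.
    print(compare("x' OR 'a'='a"))
```

The useful review check is the one the second function makes obvious: if a query string is assembled with `+`, `%` or an f-string from anything a caller supplies, it is dynamic SQL regardless of what the surrounding code is called, and the fix is to move the value into a parameter (or a stored proc argument) rather than to escape it.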
-
I talked about Bluehat in an earlier post here and here; at the time I didn't know how much or how little we were supposed to share about it, but it looks like the Bluehat team is going to be publicly blogging about the sessions, which is great!! You can check it out and get all the details here:
http://blogs.technet.com/bluehat/default.aspx
-
If you happen to be in the Redmond/Seattle area and enjoy good Indian food, you should definitely drop by Preet's. India has many regions, with many different peoples, languages and food types; Preet's serves Punjabi style food that is different from most of the food you may be used to when you think "Indian".
For appetizers, try the "pakoras"; they have an excellent taste, crispy, tangy and a nice level of spice. For a drink, make sure to order a fresh Mango Shake and follow up at the end with a Chai. For the main course, if you want to try a bit of everything, get the "thali"; my personal favourites are the aloo gobi (potato/cauliflower) and the palak paneer (spinach/cheese), which is also great.
What's also cool is that Preet's has a long list of parathas that they serve as meals as well. Generally we used to think of parathas as a breakfast food, but not here! (A paratha is a large pan-fried roti, typically with a vegetarian filling.) Preet's parathas are not heavy or oily, so they are easy to eat. Try the Mooli paratha, it's excellent! (For a different taste, ask them to make it "extra crispy with extra butter"; it's a little heavy but tastes great.)
Tell Manpreet that Ahmad sent you!
8440 160th Ave. NE, Redmond WA. 425-867-9400.
-
Over the years of using Microsoft Outlook, I’ve become quite proficient at using it and I thought I’d share some of those lethal techniques with you. Several of my colleagues came to me recently asking for help with their influx of email and the following is a summary. Keep in mind that not everyone’s corporate environment will be the same, although most of these should work regardless of whether you use Exchange Server or POP3/IMAP.
Organizing:
One of the biggest headaches for users who receive high volumes of email is just simply how to deal with the onslaught. Here’s a few helpful tips I’ve discovered:
Sort, sort, sort! But not manually. The more automatic rules-based sorting you have in place, the easier it is to manage your inbox. Here at Microsoft we have many internal distribution lists that are quite active, sometimes with a lot of useful information but sometimes not. Since I don’t want to read them until I have some free time, I have rules that sort all of these messages directly into subfolders.
The folders that are more important, I name something like “@Blog”. The @ forces Outlook to sort those folders higher up. I read this on some other Microsoft blog, but cannot remember whose, so sorry, I can’t credit!!
I create folders for logical groupings, so all email from a distribution group is a good logical grouping, for example, and that’s easy. But what about all email related to a security project? Then what about email from the same person, about two different projects? (Of course your individual circumstances will dictate how you proceed, but I can be receiving emails on 20 different projects at any one time; most people will likely have fewer ongoing conversations.) Whereas in years gone by I used to maintain a separate folder for each project, sorting and moving emails on each project as I went, I’ve stopped doing that now. It’s just not worth the hassle. It would be great if Outlook had some AI engine that could do it all for you… but that’s not yet available. So…
I let my rules filter “off the top”, and allow all other emails to land in my inbox.
At Microsoft, we generally have a 200 MB Exchange mailbox limit. After 180 MB, you start getting warnings and after 200 MB you won’t be able to send any more emails. The easiest way to deal with this is to “auto-archive” to a local PST file every week or so (any more than a week’s worth of emails on the server and I risk hitting the 200 MB limit). Now all of you who have email spread over an Exchange Server local cache, a PST or other archive folders will know that Outlook’s internal search function can’t search across different mail stores in one go. So if you don’t happen to know where that email you're looking for is, it can be a frustrating experience. That’s why the only plugin for Outlook I use is a real lifesaver: LookOut. You can still download it from here. Microsoft’s MSN actually bought LookOut and incorporated it into the MSN Desktop Search, but I needed something leaner and LookOut does a great job. Most searches take literally less than a second, and it can search across all stores on all criteria (something the native Outlook search can't do). It’s a must for any heavy Outlook user. (From what I understand Office 12’s built-in search is much improved, so you won’t need it then, but for now it's a great tool in the meantime.)
What this allows you to do is truly awesome: I have a huge pile of emails, but I can find any email I need within seconds. Which brings me to my last point in this first part: Don't delete any emails. I know some people don't agree with this, but hear me out on it: weeks or even months later, you may need a particular email about some project or a status report or something else; if you regularly delete emails you think you won't need, you won't remember whether you kept it or deleted it in the first place. Another obvious reason to keep all your emails is so that you can refer back to ones you may actually need later in the future. But here's one other good reason not to delete emails that doesn't occur to a lot of people: it wastes valuable time. If I get, let's say, 200 emails a day, and I spend even 10 seconds on average on each deciding whether I should keep it or delete it (which obviously wouldn't be the case, since I may need to read long threads or emails before deciding whether I need them or not), that's over half an hour a day wasted. It's not worth the hassle. Just keep everything and auto-archive automatically or manually every few days; you won't run into any of the above issues and you'll save time as well.
Stay tuned for part II of Outlook Kung Fu and post your own lethal techniques in the comments :)
-
This is hilarious. So apparently NBC uses tech support located in India. What happens when someone tries to figure out where exactly to get personal support? Enjoy :)
Link off my personal blog here:
http://allthingstech.wordpress.com/2006/03/11/indian-tech-support-nbc/
-
I wasn't able to attend the morning sessions because I was busy interviewing some folks, but I caught the afternoon Vista Security Review presentation. The security for this session was especially tight: everyone (several hundred people) was asked to leave the room and come back in one by one and "badge in" (Microsoft uses IDs that are smartcards; they use card readers for attendance at conferences). So after all that, the security vendors working on the Vista FSR and pen test presented some of their findings over the past several months. While there were some interesting tidbits, I was surprised at the lack of actual information presented; I don't know if this was because they were told not to, or for some other reason... It was good to hear that they were finding the threat models useful during feature reviews (one poor guy's job was to read threat models all day :))
-
Today was the second day of bluehat at Microsoft. bluehat is basically the Microsoft version of blackhat. Various security researchers and speakers trek to Seattle and talk to Microsoft employees about different topics related to security. I was able to make most of today's session and thought it was awesome. A lot of the speakers did a great job and even though they only had an hour, were for the most part able to make great presentations.
Today's memorable presentations included:
- Breaking into Database Systems
- Exploiting Web Applications
- Search Engine Hacking
I'm not sure exactly how much detail we are/aren't allowed to talk about, but overall the presentations are generally semi-technical to medium technical; they generally try to cover what's happening in the security industry and talk about interesting things they are working on or have come across. j0hnny long had a great presentation on Search Engine hacking, especially towards the end where he showed some of the things he was able to find using just Google and creative queries.
Day 2 continues tomorrow... I'll post more then. Great work BlueHat team!!