Will the user define security policies in the future?
I think I blogged about this event already earlier: Years ago I was meeting a customer and was talking about the future of IT. I was telling the audience (about 10 people including the Security Officer) that there is a good chance that IT will not define a set of hardware anymore but that the user will buy their own and use it for business. Additionally, different people have different ...
Get off XP or Risk your Business?
One of the highest hit rates I ever had on my blog was one I wrote right before Conficker broke out. I called it Playing Russian Roulette with your Network. The background was that we released an out-of-band security update and our customers came back and asked us whether they really should deploy it – this situation then led to Conficker.
About 12 months from today, Windows XP will ...
Security in 2013 – the way forward?
Typically January is the month where we are asked to make predictions on the trends for the New Year. I do not like this as I am an engineer and not a fortune teller :). But there are things we know and things we definitely need to drive this year. I would actually put it into the context of typical hygiene of any IT environment.
Let's try to understand, where we stand ...
The Directory in the Cloud?
It seems that it is an eternity ago – and it is. Pretty much three years ago, Doug Cavit and I published a paper called the Cloud Computing Security Considerations. Even though it is three years old, the paper is still worth reading as the content still applies. What we basically said was that if you look at the Cloud, there are five areas of Considerations:
Compliance and Risk Management: Organizations shifting ...
Security Implications of Pirated Software
By Roger Halbheer, on September 18th, 2012
A while ago, when I was travelling, a journalist told me that he never pays for our software as he can easily download a tool to crack Windows XP (he was still running XP). We had an interesting discussion afterwards (besides the fact that he showed me how he steals our goods) about security. He ran a tool with highest privileges and was then proud how Windows worked without a key. I asked him how he could be sure that the tool did not install any backdoor on his machine while cracking it – and he went kind of pale…
We know of these stories and we know that pirated copies of Windows that can be downloaded often come with pre-installed malware. As you might have heard, we disrupted another botnet last week, which spread through the supply chain: Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain.
This leads me to another fairly interesting question: Most governments today rely on Common Criteria certification to evaluate products. However, to me a good product is the result of a good engineering and assembling process. So, when it comes to software, make sure that the development process is designed to lead to “secure” results (e.g. ISO 27034), and, looking at the botnet takedown, having a deeper look into your supply chain generally makes sense.
Roger
“I asked him how he could be sure that the tool did not install any backdoor on his machine, while cracking it – and he went kind of pale…”
Poor guy, the answer is simple: the tool is probably a free piece of software, which means he has access to the code, thus no issue; he can see and look at what the code does. He is even less sure that there is no backdoor in MS products…
“So, when it comes to software, make sure that the development process is designed to lead to “secure” results (e.g. ISO 27034)”: This is why iexplore, a so well known MS piece of software that obviously respects the ISO 27034 development process and leads to “secure” results, has been failing to solve some critical security holes for years …
Windows was never designed with security in mind; security patches have been added afterwards. It is not because MS did not try, it is because making Windows secure is almost as impossible to achieve as making a farm house as secure as the US Fed Gold reserve…