Roger Halbheer on Security
A question that was often raised after the launch of Windows Server 2008 was about Server Core and our Security Bulletins: How do you know whether a Server Core installation needs updating as well? We just added a statement to our Security Bulletins this month answering this question. As an example in MS08-036 we state…
DetailsI am in Qatar at the moment at the Doha Information Security Conference. They actually have a very interesting setup as they only have very short presentations (about 5-10 minutes) of approx. 2 people and from there on they are working with a panel discussion on the topic during the rest of the hour. As…
DetailsI wrote about it as we released the Beta. Now, the Solution Accelerator for Security Compliance Management is live and available. It is definitely worth looking at it: Security Compliance Management. Just to quote from the webpage: In today’s IT environment, the ability to comply with regulations and industry standards, such as the Sarbanes Oxley…
DetailsI was reading through a paper ISF wrote on the security implications of a Service Oriented Architecture and was thinking about whether this is really that difference from the “non-Service-Oriented-Architecture”. Let’s have a brief look at that: What is SOA? I do not want to elaborate on this as I guess most of you know…
DetailsFresh out of press (ok, it is out since beginning of April but I just saw it now): Brian Komar, the well-known author of several PKI books on Windows Server just released a new book called Windows Server 2008 PKI and Certificate Security. If you are planning a Windows Server 2008 PKI, this is a…
DetailsI was made aware of a pretty good report on Software as a Service Quocirca did in collaboration with Microsoft. It is not the kind of “new, what you never heard before”-thing but I personally think that it is a good investment of time to get an overview of Software as a Service and some…
DetailsIn the world of Chinese Hackers there seems to be a group especially for female hackers. I just read this post: Chinese Female Hacker Group which show a pretty high growth rate of women joining: The website for the China Girl Security Team was registered on 12 Mar 2007 and currently has 2,217 members. The…
DetailsI guess you read it as it was pretty wide-spread in the press in the last few days: On the Insecurity of Microsoft’s Identity Metasystem CardSpace. Well, is there any official Microsoft reaction to it? No, not yet and if you look a little bit more in depth into it, I doubt that there will…
DetailsI posted yesterday on the Safari flaw (Why Apple has to fix the Safari flaw) as Apple did not acknowledge that this is a security vulnerability. Unfortunately we had now to release an advisory for this as we started to see that the bad guys could use this “feature” to attack machines – we are…
DetailsWe just published yesterday two new pieces of guidance for the latest SQL Injection attacks, which I want to make sure you saw it:
Roger
Remember me talking about Is Security Research Ethical? I made a statement in there when it comes to responsible disclosure of vulnerabilities: And then, what does the vendor do with it? Does the company act on it? Now, we can debate on what a vulnerability is and what not. Personally I am convinced that a…
DetailsWell, there was quite some chatter over the last few weeks with regards to the massive defacements we saw based on SQL Injection Attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these attacks is automation; however a lot of people did…
DetailsI just read this article on Cryptography Expert Wins ACM Award for Advances in Protecting Privacy of Information Retrieval. This is really cool to see that research with do at Microsoft Research not “only” leads to advancements in our products but to public recognition as well. Well done Sergey!
Roger
No, no. For sure. I am not going to give you advise how to hack – but look at this video: . I am always amazed about these kind of videos, which still surprise people. If look years back, we published the 10 Immutable Laws of Security, which contains Law #3: If a bad guy…
DetailsIf you are planning to implement Windows Server 2008, there are two paper recently published that could help you with it:
Roger
I just read this essay by Bruce Schneier: How to Sell Security. This is definitely a must-read in my opinion. Not that it really tells you how to sell it but it helps you to understand the “mechanics” about it.
Roger
You know that I criticize SANS from time to time. Especially when it come to their handlers, I am convinced that they are creating the problem rather than solving it. This time I have to say that I am impressed as they are helping developing countries to help to fight Cybercrime. This is as “we…
DetailsShoaib’s blog actually pointed me to a pretty interesting article called Face-Off: Is vulnerability research ethical? – Security Experts Bruce Schneier & Marcus Ranum Offer Their Opposing Points of View. Not surprisingly Bruce says “yes” and Marcus says “no”. If you read through their points, you might even agree partly with each of them: Bruce…
DetailsWe just announced that we will add support for additional file formats in Office System 2007 SP2. Just read more on Open XML, ODF, PDF, and XPS in Office
Roger
We all remember the cyber-attacks on Estonia last April. A lot of people are interested what really was going on during these attacks. You find a lot of sites looking into the technical analysis of the attack – which could be more or less speculation. What I found recently and just had time to read…
Details