Roger Halbheer on Security
I posted yesterday on the Safari flaw (Why Apple has to fix the Safari flaw) as Apple did not acknowledge that this is a security vulnerability. Unfortunately we had now to release an advisory for this as we started to see that the bad guys could use this “feature” to attack machines – we are…
DetailsWe just published yesterday two new pieces of guidance for the latest SQL Injection attacks, which I want to make sure you saw it:
Roger
Remember me talking about Is Security Research Ethical? I made a statement in there when it comes to responsible disclosure of vulnerabilities: And then, what does the vendor do with it? Does the company act on it? Now, we can debate on what a vulnerability is and what not. Personally I am convinced that a…
DetailsWell, there was quite some chatter over the last few weeks with regards to the massive defacements we saw based on SQL Injection Attacks. So, what was really new? Close to nothing. Well, this is not completely true. The new thing we have seen with these attacks is automation; however a lot of people did…
DetailsI just read this article on Cryptography Expert Wins ACM Award for Advances in Protecting Privacy of Information Retrieval. This is really cool to see that research with do at Microsoft Research not “only” leads to advancements in our products but to public recognition as well. Well done Sergey!
Roger
No, no. For sure. I am not going to give you advise how to hack – but look at this video: . I am always amazed about these kind of videos, which still surprise people. If look years back, we published the 10 Immutable Laws of Security, which contains Law #3: If a bad guy…
DetailsIf you are planning to implement Windows Server 2008, there are two paper recently published that could help you with it:
Roger
I just read this essay by Bruce Schneier: How to Sell Security. This is definitely a must-read in my opinion. Not that it really tells you how to sell it but it helps you to understand the “mechanics” about it.
Roger
You know that I criticize SANS from time to time. Especially when it come to their handlers, I am convinced that they are creating the problem rather than solving it. This time I have to say that I am impressed as they are helping developing countries to help to fight Cybercrime. This is as “we…
DetailsShoaib’s blog actually pointed me to a pretty interesting article called Face-Off: Is vulnerability research ethical? – Security Experts Bruce Schneier & Marcus Ranum Offer Their Opposing Points of View. Not surprisingly Bruce says “yes” and Marcus says “no”. If you read through their points, you might even agree partly with each of them: Bruce…
DetailsWe just announced that we will add support for additional file formats in Office System 2007 SP2. Just read more on Open XML, ODF, PDF, and XPS in Office
Roger
We all remember the cyber-attacks on Estonia last April. A lot of people are interested what really was going on during these attacks. You find a lot of sites looking into the technical analysis of the attack – which could be more or less speculation. What I found recently and just had time to read…
DetailsInternet Telephony Has Security Problems: This was an interesting read this morning for different reasons: First of all, it is not surprising (even if we would not have known the problems it would have to be expected). I liked the statement: The goal is to raise awareness about flaws in these systems – and create…
DetailsDoes not solve any of the security problems (challenges?) but it sounds promising anyway
Building A Faster Internet
Roger
I start to get scared – more and more. Back in September I blogged on Critical Infrastructure Protection – Live which shows what would happen if somebody would be able to tamper with power generators. Now, during RSA there was a guy called Ira Winkler telling the audience that they had the job to do…
DetailsThis is actually an interesting statement. If you had ever to deal with the press you know how these headlines are composed. It might be that the person actually made the sentence in this way – the question is whether he meant it so absolute. Nevertheless, if you read the corresponding article on darkReading, I…
DetailsLast week we published – as you hopefully know – our “End to End Trust” whitepaper. If not, please read my blog post on it J Now, Eric Bidstrup just commented on End to End Trust in the light of the Security Development Lifecycle (or better: the other way around). It might be interesting for…
DetailsI was in Bratislava this week for an IDC Conference. During these kind of events I often talk to the press as well. Additionally I had this time the opportunity to talk to a pretty well-known blogger in Slovakia called Jozef VyskoÄ. You may have a look at his blog (provided your Slovakian is better…
DetailsThe Federal Institute of Technology in Zurich released a study at Blackhat, which is definitely worth looking into. Now, let’s be serious: They looked at a metric they call 0-Day-Patch being the number of patches a vendor is able to release at the day of the public disclosure of a new vulnerability. We could discuss…
DetailsPretty often there is a discussion how far it is allowed to hack back. I was just reading an interesting post called Hackers Could Become The Hacked? which I wanted to share with you
Roger
