Tuesday 29 September 2009

Microsoft Security Essentials

Morro Launch Day!

Without a hint of a sense of irony, Redmond today acknowledged the leaking (on a New Zealand website) of the Microsoft Security Essentials launch, by bringing forward an announcement originally planned for 5pm BST.

That's a free download incorporating anti-virus, among other things such as protection from spyware and malware, but in a basic form that's unlikely to threaten the big players - including their own Forefront Client Security paid-for business offering.

Microsoft has said that it wants to provide a free security offering for all consumers. The Forefront team blog describes the relationship between Forefront and Security Essentials here. Initially, the new software will be available in eight languages and 19 countries: Australia, Austria, Belgium, Brazil, Canada, France, Germany, Ireland, Israel, Italy, Japan, Mexico, the Netherlands, New Zealand, Singapore, Spain, Switzerland, the United Kingdom and the United States (the originally planned list included ten languages and 20 countries; the missing one is China). Windows XP, Vista and Windows 7 are supported in both 32-bit and 64-bit versions. There is no support for "legacy" operating systems, like Windows 98 or Windows 2000.

The limited beta had been running in the U.S., Israel and Portugal since June 23, when it dovetailed into the June 30 discontinuation of retail sales for the Windows Live OneCare subscription service.

Monday 28 September 2009

Geek Points

Heavenly Bodies

It was just getting dark when we arrived home after an evening out, earlier this summer. As I turned to retrieve my jacket from the car seat, Linda looked up at the night sky, then said "Wow, look at that!"

Years ago, I showed her how to spot satellites in the clear night sky. We still do that sometimes, whenever we get away somewhere with good clean air. The sky over Skye, for example. But this satellite was quite unusual. It was far brighter than any we'd seen before, and moving fast.

"Ah, well that's the International Space Station," I remembered from reading an article earlier that week. "It's a lot brighter than usual, because space shuttle Endeavour is docked onto it right now. Wish we had the binoculars, you would actually see it hanging down from the station."

"Gosh."

We watched it speed across the night, until it disappeared behind Earth's shadow, setting in the east. "Let's get the kettle on," I said, grinning widely as my geek credentials earned me yet another big hug.

Note: the photograph below shows Endeavour docked to the ISS, with the sun in the background. But I don't remember the sun being there that night.

Friday 25 September 2009

Security Digest

Being a collection of minor articles, references, and other resources, relating to the fascinating world of computer security, often with particular relevance to the Microsoft SDL; and wherein, Channel 9 videos are frequently indicated by the judicious proximal placement of a clickable, widescreen dude shot...


SDL Threat Modeling Tool 3.1


This is Thing One for the Security Software Development Lifecycle: the release of the Threat Modeling Tool, which helps engineers analyze the security of systems "... to find and address design issues early in the software lifecycle".

Have fun! Note that Visio 2007 is required.


Jeremy Dallman on the SDL

The Microsoft SDL Process Template for Visual Studio Team System is intended to ease adoption of the Microsoft Security Development Lifecycle. The template integrates the SDL directly into the software development environment, provides auditable security requirements and status, and demonstrates security return on investment.

Larry Larsen stopped by the Microsoft Security group and spoke with Jeremy Dallman about the SDL, and what it means for developers.

The Process Template is free, and can be downloaded from www.microsoft.com/SDL/.


SDL-LOB Phase 3: Implementation

Gentle reader, I have been remiss in not yet introducing you to the SDL-LOB. This is: the Microsoft Security Development Lifecycle for Line-Of-Business applications.

LOB applications are a set of critical computer applications that are vital to running an enterprise, such as accounting, human resources (HR), payroll, supply chain management, and resource planning applications. The corresponding SDL guidance is positioned exclusively for LOB applications or Web applications, and not for ISV/rich-client and/or server application development.

Eugene Siu, from Microsoft Information Security, describes some of the security pillars that are key in this phase, including code review, authentication, authorization and configuration settings. Also, he explains how penetration testing can complement your code review when bulletproofing your code against vulnerabilities.


SQL Detect

In this video, first posted in July 2009, Maqbool Malik of Microsoft Information Security describes aspects of the new Security Runtime Engine (SRE), with particular reference to one of the very clever tools to be included in it: SQL Detect.

This is a real-time SQL injection filter. When a request arrives at the application, the tool applies a variety of heuristics to the request data, trying to identify possible attacks. Once the request has been validated, it is allowed to proceed as normal.

See the Information Security Tools blog for more on such cool tools. Here is one professional website developer's description and assessment of "... a good combination of the Security Runtime Engine and the methods on AntiXss ...", and the Microsoft Anti-Cross Site Scripting Library V3.1 is available here.

Privacy Guidelines

"This document is a set of privacy guidelines for developing software products and services that are based on our internal guidelines and our experience incorporating privacy into the development process."

The SDL is one part security, one part privacy. The user-requested, experience-won "Privacy Guidelines for Developing Software Products and Services" (September 2008, 1.1MB download) addresses privacy as a core topic in its own right, based on the core principle that Customers will be empowered to control the collection, use, and distribution of their personal information.

After an extensive and, necessarily, somewhat legalistic Basic Concepts and Definitions section, the actual guidelines are partitioned into nine example scenarios, covering the range of considerations that we need to be aware of. These include server and software deployment and installation; storage and transfer of personally identifiable and anonymous data, both within and outside the company; and a separate section detailing the special privacy considerations and exceptions necessary when your website is accessed by children.


Live long, and have a Security Strategy.

Saturday 19 September 2009

Dear Charlotte (Part 1 of 2)

A Love Letter

Charlotte Hatherley, King Tut's Wah Wah Hut, 18 September 2009.

Thank you Charlotte, for a wonderful evening; I had the time of my life.

When we arrived around 8:30, my wife Linda and I were greeted at the door by half of the other members of the Charlotte Hatherley Fan Club that I've started in my office, and his pal. Let me say right now, your fan base expanded this night.

I do hope you enjoyed our humble Glasgow venue, despite a couple of teething troubles getting the sound set up for you. In addition to being a great wee pub with its own special honey-flavoured lager and a great line in curry, King Tut's Wah Wah Hut is "a legendary showcase for new and emerging talent", local and otherwise. Tonight you were preceded by Uddingston's finest: the jazz-influenced, piano-led and bassy Nespresco, who were followed in turn by the very freshest cream of Auld Reekie's School of Art: the acclaimed, happy electro Futuristic Retro Champions. Their irresistibly singalong Jenna was, as always, such a feelgood highlight of their set - hope you had a chance to catch it.

But this night was yours, and from the moment you came on stage, cursing like a trooper against those equipment problems, then like a trooper, playing through it all regardless, I felt in awe; the presence of rock royalty.

Dreamatis Personae

Supported by The Crimea’s lead guitarist Andy Norton on bass / guitars, and the brilliant Alex Thomas (Squarepusher, etc) on drums, you flew rapidly through a quartet of new songs: Colours, Full Circle, New Worlds, Little Sahara.

I sang along with you on all but the last of these, having stalked these songs continuously on the internet for many months, checking for posts and torrents several times each day, until I'd built up about half an album's worth...

My amazing wife Linda is very well trained. Her slight frame flew back and forth repeatedly at the front of the stage, ensuring that I would at the end of the evening, with zero effort on my part, have literally dozens of great photographs of not only "my girl" as she calls you, but also your accompanying musicians, in fast and fluent action.

"Those were new songs, this one's older. Wounded Sky," you announced, as I yelled "Oh, yes, please!" recognising a personal favourite. The softer tone continued back into your new material with the intro to forthcoming single Alexander, followed by Straight Lines, then back out for a trio of older favourites, Behave, Sister Universe (wondrous surprise!) and - after leaving the stage and teasing us with feedback for a few minutes - the brilliantly rocking and immortal, kilogram plus of perfect pop-rock, Summer.

Encore!

My beautiful wife Linda, dedicated companion and veteran of many a Yes gig, is very well trained, as I might have mentioned already. Knowing my memory for a setlist, she made sure to snap the one on the stage front. Not to mention snaffling it the very second the gig ended (erm, yeah, sorry about that...)

The encore continued with pace through another couple of new songs, the masterfully hook-laden White, and the beautiful Cinnabar, finally ending with your first ever solo single, 2004's tribute to Kim Wilde.

You were so very gracious during signing after the show, where I waited at the end of the line, to have my earlier purchase New Worlds autographed. It was particularly pleasing to see half of the other members of the Charlotte Hatherley Fan Club that I've started in my office, and his pal, clutching a just-bought copy of Grey Will Fade and queued up for signing!

My devoted wife Linda is very well trained. Who else would have pestered you repeatedly, against my disingenuous protestations, so that I could have a couple of pictures beside "my girl"?

After The Garage And Mr Chips

We were still playing New Worlds on the car stereo, as we pulled in to the Barrbridge McDonald's 24-hr drive-through, around 2am (it's a long story, but see para header for a hint). Linda remarked that the CD lyrics could have been printed a little more clearly, for lighting conditions such as these, while I tried to explain how I love your music for the music - though your lyrics are certainly a lot better than most, they're not part of my infatuation with your work. See, it's all about the choppy chords, creative fills, beautiful original melodies, and the geeky patterns hidden behind all that.

So, next time: exactly how I fell for Charlotte, in excruciating detail.

All photographs copyright © 2009 by Linda Kerr.

Wednesday 16 September 2009

Security 101: Part 3

An Introduction To The Microsoft Security Development Lifecycle (SDL) (Concluded)

Just before we jump into the second half of this introductory article, did you know that the Microsoft Security Development Lifecycle has its own blog? Written by an 8-strong team of SDL / security development managers, this is probably the best place available to keep up to date with the latest news regarding the lifecycle itself, and the tools and resources available to help us with its integration and day-to-day use.

Phase 3: Implementation

"During the implementation phase, the product team establishes and follows best practices for development then enforces the best practices during software development."

  • Specify tools
  • Enforce banned functions
  • Static analysis

Take tools, for example. A constantly expanding array of second- and third-party tools is available to help secure development: build tools, code analysis and coverage tools, and so on. Microsoft use and recommend a set of FxCop security rules (actually different sets, depending on your development environment version). Keeping up to date with what's available in these areas is one aspect of best practice. Similar remarks apply to the available guidelines on the use of these tools.

Choice of a managed-code language and environment is another such aspect. When that is not an option, one way in which Microsoft has tried to reduce the vulnerable surface area has been to ban certain frequently exploited APIs - such as the unsafe string buffer handling functions - in unmanaged C or C++ code. Published lists of such recommendations are available.

Rules to prevent SQL injection attacks are also included in this development phase. In a similar vein, JavaScript developers should generally avoid the use of the eval() function!
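An added example, not code from the post or from Microsoft's own SDL tooling: a minimal scanner of the kind the "enforce banned functions" step can run as part of static analysis over unmanaged C/C++ source. The banned list is a short illustrative subset, and the sample source it scans is constructed for the example.

```c
/* Added example (not from the post or from Microsoft's SDL tooling): a minimal
 * "banned function" scanner of the kind a static-analysis step in this phase can
 * run over unmanaged C/C++ source. The banned list is a short illustrative subset. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unsafe string/buffer APIs to reject; real banned lists are much longer. */
static const char *const BANNED[] = { "strcpy", "strcat", "sprintf", "vsprintf", "gets" };
#define NBANNED (sizeof BANNED / sizeof BANNED[0])

static int is_ident(char c) { return isalnum((unsigned char)c) || c == '_'; }
typedef struct { int line; const char *name; } finding;

/* Scan `src` (whole file contents) and store up to `max` findings in `out` (may be
 * NULL). Returns the total number of banned calls. Only a whole identifier followed
 * by '(' counts, so strcpy_s and my_strcpy are not flagged, and // comments are
 * skipped so a banned name mentioned in a comment is ignored. */
int scan_banned(const char *src, finding *out, int max)
{
    int line = 1, count = 0;
    const char *p = src;
    while (*p) {
        if (*p == '\n') { line++; p++; continue; }
        if (p[0] == '/' && p[1] == '/') { while (*p && *p != '\n') p++; continue; }
        if (!is_ident(*p)) { p++; continue; }
        const char *start = p;
        while (is_ident(*p)) p++;                  /* consume the whole identifier */
        size_t len = (size_t)(p - start);
        const char *q = p;
        while (*q == ' ' || *q == '\t') q++;       /* allow "strcpy (dst, src)" */
        if (*q != '(') continue;
        for (size_t i = 0; i < NBANNED; i++) {
            if (strlen(BANNED[i]) == len && memcmp(BANNED[i], start, len) == 0) {
                if (out && count < max) { out[count].line = line; out[count].name = BANNED[i]; }
                count++;
                break;
            }
        }
    }
    return count;
}

/* Line of the i-th finding in `src`, or -1 if there is no such finding. */
int banned_line_at(const char *src, int i)
{
    finding hits[32];
    int n = scan_banned(src, hits, 32);
    return (i < n && i < 32) ? hits[i].line : -1;
}

/* Constructed sample source; the trailing comments state the expected verdicts. */
static const char SAMPLE[] =
    "void f(char *dst, const char *src) {\n"
    "    strcpy(dst, src);          // line 2: banned\n"
    "    strcpy_s(dst, 16, src);    // line 3: safe variant, not flagged\n"
    "    // strcat(dst, src);       // line 4: commented out, not flagged\n"
    "    my_strcat(dst, src);       // line 5: different identifier\n"
    "    sprintf(dst, \"%s\", src); // line 6: banned\n"
    "}\n";

int main(void)
{
    finding hits[16];
    int n = scan_banned(SAMPLE, hits, 16);
    for (int i = 0; i < n; i++)
        printf("line %d: banned call to %s()\n", hits[i].line, hits[i].name);
    return n ? 1 : 0;   /* non-zero exit fails the build while banned calls remain */
}
```

Run against the sample it reports the strcpy() on line 2 and the sprintf() on line 6 and exits non-zero, which is the hook a build step needs to enforce the ban rather than merely recommend it.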

Web Development

The current MSDN documentation for this area of the SDL contains many additions labelled "(New for SDL 4.1)", and it is interesting to see just how many of these relate to web development - it's a very high proportion. This is still more interesting in the light of a recent SANS Institute Report, which found that most organisations presently focus on OS patching, whereas 60% of all attacks are on web apps.

Documentation

Trustworthy Computing mandated that the default configuration for a software package, landing on a user's desk (or lap!) for the first time, should be a secure configuration. However, users also need the ability to mess with their security settings, for example to change their defaults to something that better suits their particular environment. Documentation of the security settings, in both configuration and deployment, therefore becomes a deliverable, allowing such decisions to be made in a safe and informed way.

Phase 4: Verification - Fuzz is the Buzz

"The verification phase is the point at which the software is functionally complete and is tested against security and privacy goals outlined in the requirements and design phases."

  • Dynamic/Fuzz testing
  • Verify threat models and attack surface

To ensure that code meets the security and privacy targets set in earlier phases, we require thorough security and privacy testing, and a security push, followed by a privacy review of the release candidate. Here we are concerned with the classic CIA of information - Confidentiality, Integrity, and Availability.

Only the test process is capable of guaranteeing that the system will remain secure in the wild, and one key to this process, given some emphasis in the MS scheme, is Fuzzing. Once again, there are tools available which will randomly generate more test data than you ever wanted to see, and do it intelligently and with expert knowledge of the type of channel: command line, file, database, URL, script, image, and so on. That's what fuzzing's all about. There are RPC fuzzers. There are ActiveX fuzzers (yuk). I could go on...

This SDL blog article contains a link (.zip) to a simple file fuzzer, suitable for use by novices. It also has another to the "BinScope Binary Analyzer", which MS teams have used in one form or another since 2002. This little beauty checks for loads of security-related stuff in your binaries, and integrates well with both VS2008 and Team Foundation Server. That, and the price tag (it's free), should just about sell it.
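An added example, not the fuzzer the SDL blog links to: a tiny mutation-based file fuzzer driving a toy record parser, showing what a Verification-phase fuzz run actually checks (that every length is validated before the bytes it governs are read). The record format, the PRNG and the seed file are all constructed for this example.

```c
/* Added example: a mutation-based file fuzzer driving a toy record parser.
 * Record format (constructed for this example): 'R', one length byte n,
 * n payload bytes, then one byte holding the XOR of the payload bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 31   /* parser's output buffer holds this many bytes plus NUL */
#define MAX_FILE 64      /* largest input the fuzz harness will build */

enum { PARSE_OK = 0, PARSE_SHORT, PARSE_BAD_MAGIC, PARSE_TOO_LONG, PARSE_BAD_SUM };

/* Parse `len` bytes of `buf`; on success copy the payload into `out` (MAX_PAYLOAD + 1 bytes).
 * Each length is checked before the bytes it governs are read; the fuzz run tests that. */
int parse_record(const uint8_t *buf, size_t len, char *out)
{
    if (len < 3) return PARSE_SHORT;
    if (buf[0] != 'R') return PARSE_BAD_MAGIC;
    size_t n = buf[1];
    if (n > MAX_PAYLOAD || n + 3 > len) return PARSE_TOO_LONG; /* claimed vs actual size */
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum ^= buf[2 + i];
    if (sum != buf[2 + n]) return PARSE_BAD_SUM;
    memcpy(out, buf + 2, n);   /* bounded by the checks above, not by trust in n */
    out[n] = '\0';
    return PARSE_OK;
}

/* Status-only wrapper for callers that do not need the payload. */
int parse_status(const uint8_t *buf, size_t len) { char out[MAX_PAYLOAD + 1]; return parse_record(buf, len, out); }

/* xorshift32: a small deterministic PRNG, so a fuzz run is reproducible from its seed. */
static uint32_t rng_state = 1;
static uint32_t rnd(void) { uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return rng_state = x; }

/* Mutate `buf` in place (bit flip, byte overwrite or truncation); returns the new length.
 * Every operation changes the input, so no iteration is wasted on a no-op. */
size_t mutate(uint8_t *buf, size_t len)
{
    switch (rnd() % 3) {
    case 0:  buf[rnd() % len] ^= (uint8_t)(1u << (rnd() % 8)); return len;
    case 1:  buf[rnd() % len] ^= (uint8_t)(1 + rnd() % 255);   return len;
    default: return len > 1 ? 1 + rnd() % (len - 1) : len;
    }
}

typedef struct { int iterations, accepted, rejected, violations; } fuzz_stats;

/* Mutate `seed_file` `iterations` times, parse each result and tally the outcomes.
 * A violation is the parser accepting a record whose claimed length exceeds the bytes
 * actually present, i.e. evidence that it read past the end of its input. */
fuzz_stats fuzz_run(const uint8_t *seed_file, size_t seed_len, uint32_t seed, int iterations)
{
    fuzz_stats s = { iterations, 0, 0, 0 };
    uint8_t work[MAX_FILE];
    char out[MAX_PAYLOAD + 1];
    if (seed_len > MAX_FILE) seed_len = MAX_FILE;
    rng_state = seed ? seed : 1;
    for (int i = 0; i < iterations; i++) {
        memcpy(work, seed_file, seed_len);
        size_t len = mutate(work, seed_len);
        if (parse_record(work, len, out) != PARSE_OK) { s.rejected++; continue; }
        s.accepted++;
        if (work[1] > MAX_PAYLOAD || (size_t)work[1] + 3 > len) s.violations++;
    }
    return s;
}

/* Constructed seed input: a valid record carrying "hello". */
static const uint8_t SEED[] = { 'R', 5, 'h', 'e', 'l', 'l', 'o', 'h' ^ 'e' ^ 'l' ^ 'l' ^ 'o' };
```

Call fuzz_run(SEED, sizeof SEED, 2009, 1000) from a main() or test harness; a non-zero violations count means the parser trusted a length it had not checked, which is exactly the class of bug fuzzing exists to surface before release.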

Phase 5: Release

"The release phase is when you ready your software for public consumption, and you create plans for post release servicing of the software."

  • Response plan
  • Final security review
  • Release archive

The product is subjected to a final security review, and a final privacy review, prior to its release. The results of these activities are fed into a Response Plan - that's the plan of action implemented when post-release vulnerabilities are discovered.

[Don't you mean "if"? - Ed.] [Only joking. - Ed.]

The privacy review may take its structure from a preset SDL Privacy Questionnaire. It may require validation by a privacy advisor or legal representatives, and the drafting of a privacy disclosure statement or statement of compliance.

The Final Security Review should be a timely (say 4-6 weeks before release) and comprehensive review of known threat model vulnerabilities.

Response Planning

Even when your release is into a world containing no particular threats to your new system, such threats can emerge later. And similarly, the privacy goalposts can be moved by the emergence of some new privacy advocacy. In short, you have to plan for contingencies.

Know and document publicly who is responsible for dealing with the different types of issues that may arise. Have a policy in place to handle cases where these issues involve third-party code components rather than your own.

Don't forget to lock all the doors, and cancel all the holidays.

Response: Examples

For examples of security response at Microsoft, visit the Microsoft Security Response Center (MSRC) Website: http://www.microsoft.com/security/msrc/default.aspx

Next time, and for the remainder of this series of articles, I'll be looking at some particular vulnerabilities, some quite public and occasionally spectacular, and their responses. I'll also be covering various security- and SDL-related tools and other resources. This is where it starts to get really interesting...

Wednesday 9 September 2009

How To Get Phished

Too Much Information

Bosnia and Herzegovina, Croatia, Macedonia, Montenegro, Slovenia and Serbia, including the autonomous provinces of Vojvodina and Kosovo, were until 1991 all grouped together under a single country name, Yugoslavia.

They had one Air Force, in which my friend was a jet fighter pilot. Around the time of the great breakup, he moved to Scotland. Here he spent some time as a local council gardener, before starting, along with two boring accountant types (their own words), his own Computer Systems sales company.

With that background, you'll be unsurprised to hear, he was indisputably the most eccentric member of that group. And so yesterday, I was equally unsurprised to receive the following MSN message from him(1):

HAHAHA LOL ?!?! OMG!!!
http://Uncovered-Photos.com/?user=john.kerr&img=DSC134.JPG
http://Uncovered-Photos.com/?user=john.kerr&img=DSC137.JPG
http://Uncovered-Photos.com/?user=john.kerr&img=DSC140.JPG

Here we go, I thought. He's Photoshopped my face into some German watersports pictures, or something similar. That crazy guy, always SHOUTING, this type of nonsense is just absolutely typical of him!

I forgot about it until today, when I noticed him logging in. It had been a recognisably genuine message from a known, reliable source; so I clicked on the first link.

Hello, what's this?

"Reported Web Forgery!" replied Firefox(2).

Remarkably, I'd already become so convinced that the original MSN message was real, that I then took note of the warning, and still clicked through (using the handy "Ignore this warning" link at the bottom right); fully expecting to discover some new Web 2.0 mashup or spoofing technique he'd recently mastered, and wanted to show off. What I found instead was a login screen. Only then did the proverbial penny drop!


The slightly ungrammatical prompt wasn't really a giveaway, since of course English isn't my friend's first language. It was just the fact that I was being asked to provide my login details, without having any clear understanding of exactly why these would be needed in order to show me, what I'd assumed was going to be, a few vaguely dirty and not-very-funny pictures.

Well, no thanks...

I tried contacting my friend by phone, but there was no answer. Using MSN, I then got him to identify himself by answering a couple of questions, after which I conveyed that his MSN account was compromised, and he should change his password.

Later, after researching - ok, Googling - the issue, I went through the handshake protocol again, this time advising an immediate and full antivirus scan. The exploit already seems to have quite a number of variations, some of which might be more malicious than others.

As an example of social engineering, this exploit owes much of its near-success with me, to sheer luck. The style of the SHOUTING, the rest of the message, and the implied content, all of these were just so absolutely typical of the person that the message purported to be from. That was a pure coincidence: nobody else I know could even conceivably have sent that particular message. Still, it reinforces the need to be on guard - at all times.

(1) Obviously I've mangled the actual content, including the site address!
(2) The same operation in IE8 gave no such warning.

Sunday 6 September 2009

New Porcupine Tree Leaked


The Incident

After this, things will never be the same again.

Edited 23 Sep 2009 to add: Fame (and chart success) at last!

About bloody time! The new Porcupine Tree album, The Incident, has finally leaked all over the hinterpipes.

I won't lie to you Marge, but having already pre-ordered the £60 Limited Deluxe Edition Box Set some months ago, I felt just a little entitled - and what's more, thanks to that meddling 3-strike buffoon Lord Mandy, very motivated indeed - to fire up ye olde Bit Torrent client, and deeply to inhale(1).

This is fantastic. Steven Wilson's songwriting skills have taken an upturn from the band's previous outing, the Grammy-nominated Fear of a Blank Planet. There's great stylistic variation among both the fourteen parts of the main 55-minute song cycle on CD1, and the four "bonus" songs on CD2. Most noticeably he has averted his course ever further away from the lure of predictable, empty commercial formulae, writing solidly and innovatively, and perhaps benefiting from a confidence boost after the recent release of his own momentous solo effort, Insurgentes.

Drummer Gavin Harrison and bassist Colin Edwin are both typically understated, though perhaps not apparently so. Gavin has won Modern Drummer magazine's readers' poll, "best progressive drummer of the year", in 2007, 2008 and 2009. He plays rock percussion in a very jazz-influenced mode, so even his restrained playing can sound quite busy. Colin is also reined in with Porcupine Tree, compared with his solo work: prohibited from using both hands on the fretboard, using the Chapman Stick, and so on.

Ambience comes courtesy of ex-Japan keyboard player Richard Barbieri, whose accompaniments add texture and continuity to the song arrangements. And there are plenty of harmony vocals too, which means lots for "fifth member" John Wesley to do, as he joins them once more on tour.

Steven's production work is slick as a Steely Dan - unsurprisingly, as this is his favourite part of the creative endeavour - and doggedly old school. The Grammy nomination garnered by FOABP was for his masterful surround-sound mix. Since then, he has begun the job of remixing classic King Crimson into surround sound releases. One more compelling reason to go for the deluxe package here!

Now, if only there was a comparable demand for the new Charlotte Hatherley, we could all stop worrying about the future of great songwriting.

(1) Please support your favourite artists by always making legal purchases of their official releases!

Thursday 3 September 2009

Poetry Corner

Broken Haiku available too - phone for a quotation

A software developer one day
Thought limericks might be his forte
But he'd no patience for
Specifications
.