The Edge : security

New Issue Identified with UAC in Windows 7

tonybradley — Wed, 04 Feb 2009 12:54:00 GMT

Soon after identifying a controversial design decision related to the default implementation of UAC in Windows 7, Beta tester Long Zheng identified another issue with UAC in Windows 7 that is of greater concern. In a nutshell, because of the inherent...(read more)

Webcast: Security Is Not Virtual

Essential Computer Security — Thu, 12 Jun 2008 13:23:34 GMT

Security Is Not Virtual: Auditing and Logging Considerations to Ensure Compliance and Protect Virtual Server Environments Featuring: Tony Bradley and Dr. Anton Chuvakin Tuesday, July 29 at 1:00 PM EDT (1700 UTC/GMT) Companies of all sizes and in all industries...(read more)

Webcast: Leveraging Web 2.0 Securely

Essential Computer Security — Thu, 12 Jun 2008 13:19:35 GMT

Leveraging Web 2.0 Securely How small and midsize businesses can benefit from Web 2.0 technologies and minimize risk Event Date: Thursday, June 19, 2008 at 11:00am PT / 2:00pm ET Speakers: Tony Bradley, CISSP, Microsoft MVP and Mark Guntrip, Sr. Product...(read more)

Let’s Talk Windows Vista Security

Essential Computer Security — Fri, 06 Jun 2008 12:37:14 GMT

On June 18th, I will once again be joining Windows guru and Microsoft Technical Fellow Mark Russinovich and others to panel a virtual roundtable discussion. This time, we will be talking about Windows Vista security. During this broadcast, we will cover...(read more)

Metasploit 3.1 Released

Essential Computer Security — Tue, 29 Jan 2008 05:44:46 GMT

Metasploit 3.1 was unleashed on the world today. According to the press release posted on the metasploit.com site, this “latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265...(read more)

Vista Declared Most Secure OS

Essential Computer Security — Sat, 26 Jan 2008 13:54:04 GMT

Microsoft’s Director of Security, Jeff Jones, published the One Year Vulnerability Report for Windows Vista, in which he demonstrates that Vista is the most secure OS ever measured (based on the criteria used to calculate the first year vulnerability...(read more)

Microsoft Unveils New Vulnerability Research Blog

Essential Computer Security — Mon, 07 Jan 2008 04:29:10 GMT

Microsoft recently created a new blog site designed to provide insight on emerging vulnerabilities. The blog, titled <a href=”http://blogs.technet.com/swi/”>Security Vulnerability Research & Defense</a>, provides detailed...(read more)

Annual SANS Top 20 Report

Essential Computer Security — Tue, 18 Dec 2007 13:06:03 GMT

Its that time again. The 8th Annual SANS Top 20 Report is out. Well, its the 8th annual report, but it hasn’t always been the top 20, and it hasn’t always been at the end of the year. The first one was a top 10 list released in June of 2000...(read more)

AutoComplete May Equal AutoCompromise

Essential Computer Security — Tue, 18 Sep 2007 15:07:28 GMT

It is very convenient to have your various usernames and passwords stored in your computer system. When you are logging into a web site or application, the information is automatically filled in for you so you don’t have to try to remember what...(read more)

Slow Month For Microsoft Security Bulletins

Essential Computer Security — Wed, 12 Sep 2007 02:45:21 GMT

Rarely (if ever- I’ll have to do some research and find out) does Microsoft have 2 back-to-back months of Security Bulletin floods. This month was no exception. In August, Microsoft released 9 Security Bulletins, 6 of which were deemed Critical...(read more)

Wireless Insecurity

Essential Computer Security — Mon, 10 Sep 2007 19:50:39 GMT

I have been talking for years about the relative insecurity of wireless networks. Companies and consumers alike buy and implement wireless technology for its convenience, without stopping to consider the security implications. If you can sit on your couch...(read more)

Is Your Password Secure?

Essential Computer Security — Wed, 05 Sep 2007 12:38:38 GMT

Your passwords are the keys that keep your personal information and sensitive data locked away. If you choose a password that is easy to guess, like your dog’s name, or your wedding anniversary, anyone who knows anything about you can guess it and...(read more)

The Weakest Link

Essential Computer Security — Fri, 31 Aug 2007 12:53:12 GMT

Andy Greenberg wrote an article for Forbes.com titled Accounting For Human Error, which illustrates how human beings, the users themselves, are the weakest link in the security chain. Enterprises spend millions, or even tens of millions of dollars on...(read more)

One Third Of Corporate Applications Vulnerable

tonybradley — Sun, 20 May 2007 21:52:00 GMT

According to a report from Danish security vendor Secunia, as many as one third of the applications in use on corporate networks are vulnerable to critical attacks. According to this SC Magazine article, Secunia sites deficiencies in commonly used vulnerability scanners as the culprit. Their point of view is that most vulnerability scanners are only designed to scan for vulnerabilities in the top 20 to 50 applications in use. More obscure products are not scanned and may have unidentified critical vulnerabilities, exposing the network to compromise or exploit. From a risk analysis perspective though, the approach of the vulnerability scanner vendors seems sound enough. The reason that a vulnerability scanner vendor might not bother to scan for an obscure application used by only a fraction of a percentage of corporations is the same reason that it is unlikely that an attacker would exploit it. Attackers are often lazy and use automated tools to identify targets. They tend to seek out exploits that can be leveraged or used against a wide variety of targets. While a flaw in an obscure program might be critical to the fraction of a percent of the companies that use that program, it is relatively unlikely that the average attacker would ever identify or exploit the flaw. I am not advocating simply ignoring these flaws. I do think companies should be aware of the vulnerabilities that affect their network and that steps should be taken to remove or mitigate weaknesses. I am just pointing out that vulnerability scanning and patching efforts should be invested first and foremost in the threats most likely to be exploited, which probably do not include these more obscure applications unless it is a fluke or a highly targeted attack.

Guest on IMI TechTalk Radio Show

tonybradley — Sun, 11 Feb 2007 04:13:00 GMT

Tom D'Auria invited me back to talk more computer security on his IMI TechTalk radio show. I appeared on the show in November of 2006 to promote my book, Essential Computer Security. We did not get to cover all of our questions in the time allotted, so I will be back on the show on Sunday, February 18th. This show will focus on wireless network security, avoiding becoming a victim of a phishing attack, botnets, and the importance of backing up data. Of course, I will also promote my book again.

To listen to the show, you can tune in to KFNX AM 1100, broadcast out of Phoenix, AZ, at 5pm EST on Sunday, February 18. If you aren't in the Phoenix area, you can also listen to the live simulcast of the show on the KFNX web site. Or, as an alternative, you can download an MP3 recording of the entire show after the fact from the IMI TechTalk web site.

Internet Explorer Protected Mode

tonybradley — Tue, 06 Feb 2007 13:33:00 GMT

In Vista, Internet Explorer gets the benefit of some added security. Using WIC (Windows Integrity Control), Vista treats files and processes associated with Internet Explorer as Low integrity as long as it is running in Protected Mode. Internet Explorer Protected Mode is enabled by default and ensures that the Low integrity objects associated with Internet Explorer are unable to write to, act on, or otherwise interact with any objects higher than Low integrity- which is most of the system. For more information, you can read this article I posted on my About.com Internet / Network Security site: Internet Explorer Protected Mode

Windows Integrity Control

tonybradley — Mon, 05 Feb 2007 14:56:00 GMT

With Vista, Microsoft introduced a new security concept to help protect your computer. Rather than relying on discretionary controls, like NTFS file and folder permissions which users can assign and change, Vista also has new mandatory controls. WIC, or Windows Integrity Control (also referred to as MIC, or Mandatory Integrity Control in some circles), assigns an integrity, or trustworthiness, level to each object and uses the integrity levels to control interactions between the objects. The integrity levels are assigned by the operating system and supercede, or override, the dicretionary permissions to protect the computer system. WIC is used throughout the system, but is arguably most noticeable in the Internet Explorer Protected Mode which protects the Vista operating system from malicious web content in Internet Explorer. For more details about WIC, check out this article I submitted to SecurityFocus: Introduction to Windows Integrity Control.

Security Options for Windows Vista

tonybradley — Wed, 24 Jan 2007 17:29:00 GMT

With Windows Vista set to be unleashed on the consumer market in about a week, there is going to be a need for security and antivirus products. Although Vista is the most secure version of the Windows operating system yet, that doesn't mean it is impenetrable. Users still need to take basic security precautions. According to a report on Information Week, a number of vendors, including Microsoft, are providing free downloads or trial versions of their Vista-compatible security products. You can check out these products if you need antivirus and desktop security for your Vista PC:

Radio and TV Appearances

tonybradley — Sun, 14 Jan 2007 13:40:00 GMT

In recent months I have been contacted more frequently by the media, mostly as a result of marketing efforts for my latest book, Essential Computer Security. I was invited to guest on the IMI-TechTalk radio show at the end of November, and this past week I was invited to guest on the local Detroit Fox News morning show to discuss computer security with anchorman Alan Lee and promote my book.

Shaken, Not Stirred

tonybradley — Wed, 10 Jan 2007 11:12:00 GMT

If you wanted to test the security of your headquarters housed in a volcanic crater on a remote island, who better to check it out than James Bond? Microsoft apparently used similar logic to validate and test the security measures built in to the new Vista operating system. According to a report at the Washington Post, Microsoft called in the NSA. Tony W. Sager, the NSA's chief of vulnerability analysis and operations group, is quoted as saying "Our intention is to help everyone with security."

Both Microsoft and the NSA are a little hush-hush about the specifics of the help (spy organizations tend to work that way), but the article describes how the NSA used one group to be the 'bad guys' trying to break in and the other group acted as the 'security administrators' to protect the Vista network. The effort seems to be a win-win. Microsoft gets a product that has been run through the gauntlet and should be stronger and more secure as a result. The NSA gets an intimate look at the inner-workings of Vista and its security measures so that they can get a head start on developing ways to covertly penetrate or monitor the 'bad guys' (assuming Bush hasn't already issued an un-Constitutional directive that they go ahead and just plant keystroke logging software on every computer in the United States...just in case).

In the end, everyone (except the bad guys) has a vested interest in ensuring Vista is secure. It will be used by hundreds of millions of home, corporate and government organization users. By virtue of its market share, a weak Windows operating system can adversely impact the economy, as companies and individuals spend time and money to clean up and repair compromised systems, or even national security, as the Windows operating system could provide an attack vector to affect the critical infrastructure of the country. Vista is by no means impervious to attack, but we shall see as time unfolds whether the NSA's involvement has helped to make Vista a more secure operating system.