Microsoft out-of-band security update for Internet Explorer. Microsoft released an urgent security update for Internet Explorer on all currently supported versions of Windows.
Identity Pro. Identity theft is on the rise. Your own computer may be one of the easiest ways for thieves to access your information! Search and secure your private information, including social security numbers, credit cards, drivers license, and even passwords. Find and secure your personal information (PI) before others get the chance! Identity Pro goes beyond current protection offered by anti-virus, anti-spyware, anti-spam, or anti-phishing, etc, to protect you where these programs don't. Automatically seek out and protect your important data. You'll be surprised at how much of your information is kept on your PC, from web forms to emails. Once you know what's there, you can delete or encrypt with ease.
CIS Center for Internet Security. A non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
Nessus is a popular vulnerability scanner used in over 75,000 organizations world-wide. Use Nessus to audit business-critical enterprise devices and applications. Check your networks, servers and applications for potential security vulnerabilities.
ITsafe provides a free Warning Service to help protect home and small business users of computers and other devices from attack. IT Security Awareness For Everyone. UK Government's ITsafe Service.
How To Break Web Software - A look at security vulnerabilities in web software. Video (large, but a must-watch).
Sysinternals File and Disk Utilities. Hard drive links
Microsoft Security Assessment Tool (MSAT) is a risk-assessment application designed to provide information and recommendations about best practices for security within an information technology (IT) infrastructure.
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. More Microsoft links
Google Launches Encrypted Search Option. Are your Web searches safe from snoops? It's an issue that may not have been on many people's radar. Traditionally, the higher-profile issue for search engines like Google and Yahoo is that they maintain a record of users' search sessions for several months as part of a massive data collection the companies say is needed to help improve search results. Now Google is tackling a different slice of the privacy issue by launching a beta of its standard Google search that's encrypted with the same Secure Sockets Layer (SSL) technology used by many Web services including e-commerce sites and Google's own Gmail service. Web addresses that begin with the letters "https" are SSL-protected. More Search engines. Online Dictionary, Thesaurus, Acronym or abbreviation finder, etc. More Google Knowledge. Google Information. More Yahoo Knowledge. Yahoo Information
How To Keep Your Laptop From Being Stolen
Tinkernut Forum Video Tutorials. These videos will show you how to keep your laptop from being stolen and how to track it if it has been stolen.
How to Track a Stolen Laptop
LockItTight tracks the location of your computers. In addition, it saves screen and camera shots on our server. You can access this information from any computer. With LockItTight you'll be able to easily secure your workstation and also monitor its usage.
Adeona is the first Open Source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service. This means that you can install Adeona on your laptop and go; there's no need to rely on a single third party. What's more, Adeona addresses a critical privacy goal different from existing commercial offerings. It is privacy-preserving. This means that no one besides the owner (or an agent of the owner's choosing) can use Adeona to track a laptop. Unlike other systems, users of Adeona can rest assured that no one can abuse the system in order to track where they use their laptop. Adeona is designed to use the Open Source OpenDHT distributed storage service to store location updates sent by a small software client installed on an owner's laptop. The client continually monitors the current location of the laptop, gathering information (such as IP addresses and local network topology) that can be used to identify its current location. The client then uses strong cryptographic mechanisms to not only encrypt the location data, but also ensure that the ciphertexts stored within OpenDHT are anonymous and unlinkable. At the same time, it is easy for an owner to retrieve location information. Using Adeona only requires downloading and installing a small software client. Adeona is free to use.
How Cybercriminals Steal Money. Google Tech Talks, June 16, 2008, Neil Daswani. Attend this session and learn how you can prevent today's most significant data security vulnerabilities, the kind that leave businesses open to fraud that ranges from capturing tens of millions of credit card numbers to stealing money from bank accounts to constructing next-generation botnets. We'll review how cross-site request forgery, cross-site script inclusion and SQL Injection attacks work and discuss their impact on Web 2.0, AJAX, mashup and social networking applications. We'll present industry-wide statistics on security vulnerabilities, cover emerging security trends and discuss the current state of security education. Google Tech Talks Channel at YouTube.
Anti-Virus Software Tools & Utilities
Crime: The Real Internet Security Problem. Google TechTalks
January 24, 2006
Dr Phillip Hallam-Baker is a leading designer of Internet security protocols and has made substantial contributions to the HTTP Digest Authentication mechanism, XKMS, SAML and WS-Security. He is currently working on the DKIM email signing protocol, federated identity systems and completing his first book, The dotCrime Manifesto, which sets out a comprehensive strategy for defeating Internet crime. Google Tech Talks Channel at YouTube
Breaking news and updates in Internet security
Despite Recent Threats American Infrastructure Is Still Vulnerable To Cyber Attack
Pwn2Own Contest Puts Bounty On Browser Vulnerabilities
AVG Makes Its First IPO Of $125 Million
Amazon Gains New Cloud Security Partner
HashDOS: Important Vulnerability Coming into the Spotlight.
Mobile Security Will (Probably) Always Be More Difficult
Widespread Xbox Live Phishing Scams Plague Gamers
Facebook Gets Hacked!
Online Game Service Steam Gets Hacked!
"We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating."
"We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
October Is National Cybersecurity Awareness Month
Seecrets Delivery Services (SDS) will be free for personal users. An e-security suite of crypto e-mail, secure password manager, zip manager & For-Your-Eyes-Only content viewer. The unique e-mail security caters for the privacy of all web mail and POP3 users. SDS uses RSA 8192-bits public key cryptography and AES 256-bits. All symmetric encryption uses our Secrets Signature-Free technology. Keeping Your Secrets Secret, Encryption, For-Your-Eyes-Only Protection, Watermarking, Secure Delivery.
Cryptography
Common Weakness Enumeration (CWE) Now Available. CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Encryption with DeGPG. Protect your files. DeGPG runs in the background on your server to provide access to GPG encrypted data to your web scripts. It will also work with GPG to encrypt and store data submitted via web forms. To give your web scripts access to encrypted data, you log in and enter the passphrase to decrypt the data. The data is decrypted and stored in memory until a web script needs to access it. In cases where your web script only needs, for example, an MD5 hash of the data rather than the decrypted data itself, DeGPG can be instructed to reveal only the MD5 hash and not the raw data. Additional data may be prepended or appended to the decrypted data before computing the hash.
Androsa FileProtector is a professional freeware file encryption program that protects any type of file by fully encrypting its content with advanced cryptographic systems.
SecuritySpace is proudly brought to you by E-Soft Inc., a privately owned Canadian consulting firm, with proven expertise in internet security and on-line services. We specialize in the following areas:
The Windows Memory Diagnostic tests the Random Access Memory (RAM) on your computer for errors. The diagnostic includes a comprehensive set of memory tests. If you are experiencing problems while running Windows, you can use the diagnostic to determine whether the problems are caused by failing hardware, such as RAM or the memory system of your motherboard. Windows Memory Diagnostic is designed to be easy and fast. On most configurations, you can download the diagnostic, read the documentation, run the test and complete the first test pass in less than 30 minutes.
Sysinternals, (System Internals) host their advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.
The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit. Have a look at the list of P3P software. P3P is a W3C standard for creating machine-readable privacy policies. The standard allows a website to create an XML version of its privacy policy so that it can be evaluated automatically against an individual's privacy preferences.
P3P Toolbox is a one-stop resource developed by the Internet Education Foundation in cooperation with the World Wide Web Consortium and a coalition of Internet industry leaders and public interest organizations to provide privacy officers and Webmasters with the information they need to make their Web sites P3P compliant. The site is no longer active and is being hosted here by Internet Education Foundation for archival purposes.
Infographic by WordStream Internet Marketing Software
Iconix eMail ID software download. Iconix is committed to making it easy to identify legitimate emails. We are working closely with companies like Google and Iconix to give our users the best protection against fraudulent, phishing and suspect emails. If you are a Gmail user, it's easy to identify legitimate emails. You can simply enable an icon which will only show up when an email is from PayPal (or from our sister company, eBay). So when you receive an email from us, or our partners at eBay, you will see a key icon next to the message in your Inbox. Only legitimate PayPal emails have this icon, so if you get an email claiming to come from PayPal and you don't see the icon, it's not from us. So please don't open it. To enable this feature in Gmail, go to 'Settings', 'Labs', then tick the Enable box next to the 'Authentication icon for verified senders' option and click on 'Save Changes'. This software download from Iconix can help reduce phishing by confirming whether you received a legitimate PayPal email. After Iconix eMail ID has been installed, you'll see an Iconix eMail ID icon (a gold lock with a tick) whenever you receive authentic emails from PayPal. It's free and it works with most of the major email services like Gmail (Google Mail), MSN Hotmail, Yahoo Mail, Outlook Express, and many more. If your preferred email program, web mail provider or operating system is not listed, click here and we will notify you when support is available. For more information, go to the Iconix website. How does the Iconix solution work? The Iconix solution couples our advanced technologies with authentication techniques such as Yahoo!'s Domain Keys and Microsoft's Sender ID to confirm the source of an email, and will support Domain Keys Identified Mail (DKIM), which is a joint effort between Cisco and Yahoo!, as it is adopted in the industry. This combined solution makes it very difficult for bad guys to spoof the identity of emails with an Iconix Truemark icon.
Also see PayPal Support Club. Reviews and helpful links, coding examples, warnings, other shopping cart links, etc. PayPal is an online payment system that allows website owners to integrate shopping cart technology into their site. Find out more, including links to helpful sites about PayPal shopping cart technology.
PrivacyFinder is a privacy-enhanced search engine. Once you state your privacy preferences (low, medium, high, or custom), the search results are ordered based on how their computer-readable privacy policies comply with your preferences. A red bird indicates that the site has conflicts with your preferences, while a green bird indicates compliance. The absence of any bird means that a valid computer-readable privacy policy, known as a Platform for Privacy Preferences Project (P3P) policy, could not be located.
No Right Click. Disable the right click on your pages to prevent users from "borrowing" images from your site and viewing your page source! (BACK UP ALL FILES FIRST.) Do a temporary copy upload and check that the site works first (as this does some more complex code changing onload); if the site functions OK, then replace the normal site with the temp upload and retest. (May only work with a LINUX host.) This can be a bit time consuming, as if I remember correctly each image has to be Hot-Link prevented individually, and then if you add a new image this also has to be Hot-link protected. (I believe Hot-Link protection on the Host uses .htaccess.) This may be worth checking out as well.
CopyWipe is a utility for copying or securely overwriting (wiping/erasing) entire hard drives. CopyWipe can ease and expedite the transition to a new hard drive by copying the entire contents of one drive to another. CopyWipe can also help prevent confidential or private data from being recovered, by securely wiping the contents of a drive. A number of options are provided for wiping, most of which exceed governmental standards (such as DoD 5220.22-M, NAVSO P-5239-26, etc.); this allows the user to choose an optimal balance between security and duration of the wiping operation.
Stop Badware. The "Badware" problem. We've all seen it happen: you or someone you know has downloaded something from the internet that seemed harmless enough at the time. Next thing you know, the computer has slowed to a crawl. Pop-up advertising starts to appear out of nowhere. Private information gets sent to some company you've never heard of. And the worst part? Trying to uninstall the software sometimes makes the problem worse. Find out more...
Sender Policy Framework. Sender Address Forgery. Today, nearly all abusive e-mail messages carry fake sender addresses. The victims whose addresses are being abused often suffer from the consequences, because their reputation gets diminished and they have to disclaim liability for the abuse, or waste their time sorting out misdirected bounce messages. You probably have experienced one kind of abuse or another of your e-mail address yourself in the past, e.g. when you received an error message saying that a message allegedly sent by you could not be delivered to the recipient, although you never sent a message to that address. Sender address forgery is a threat to users and companies alike, and it even undermines the e-mail medium as a whole because it erodes people's confidence in its reliability. That is why your bank NEVER sends you information about your account by e-mail and keeps making a point of that fact.
Auslogics System Information provides you with detailed information about your computer operating system and hardware, including installed devices, running processes and services, memory and CPU usage, drive properties as well as other technical details. The information can be viewed from the categorized interface or exported to HTML, HTML 5, XML or text format.
Falcon21 Home PC Security website!
Security Team Blog ( Security Team ) more Blog links
The Secunia PSI is the FREE security tool that is designed with the sole purpose of helping you secure your computer from software vulnerabilities.
Free Internet Eraser is Internet privacy software that protects your Internet privacy by permanently erasing internet history and past computer activities. Even though many of the tasks can be performed manually,
Advanced Windows Care - Freeware. Advanced Windows Care v2 Personal is a comprehensive PC care utility that takes a one-click approach to help protect, repair and optimize your computer. It provides an all-in-one and super convenient solution for PC maintenance and protection. This fantastic program is available free of charge for private use. More Microsoft Windows: Windows Vista, Windows XP, etc.
Google Responsible Disclosure: Focus on protecting end users. Vulnerability disclosure policies have become a hot topic in recent years. Security researchers generally practice "responsible disclosure ", which involves privately notifying affected software vendors of vulnerabilities. The vendors then typically address the vulnerability at some later date, and the researcher reveals full details publicly at or after this time. A competing philosophy, "full disclosure", involves the researcher making full details of a vulnerability available to everybody simultaneously, giving no preferential treatment to any single party. The argument for responsible disclosure goes briefly thus: by giving the vendor the chance to patch the vulnerability before details are public, end users of the affected software are not put at undue risk, and are safer. Conversely, the argument for full disclosure proceeds: because a given bug may be under active exploitation, full disclosure enables immediate preventative action, and pressures vendors for fast fixes. Speedy fixes, in turn, make users safer by reducing the number of vulnerabilities available to attackers at any given time. More Google information links
Skipfish (from Google) is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. SkipFish Documentation. A fully automated, active web application security reconnaissance tool. Key features:
The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments. Support the open source community by providing a scalable, reliable, and fast collaborative development environment for open source software, docs, and standards that promotes best practices in open source software engineering.
SkipFish Security Report example:
Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
SpoofStick is a simple browser (Internet Explorer or Firefox) extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places, hoping that some percentage of users won't notice the incorrect URL and give away important information. This practice is sometimes known as "phishing".
Identity theft. (Home Office Identity Theft website), Your identity and personal information are valuable. Criminals can find out your personal details and use them to open bank accounts and get credit cards, loans, state benefits and documents such as passports and driving licenses in your name.
The Identity and Passport Service was established as an Executive Agency of the Home Office on 1 April 2006. The Agency builds on the strong foundations of the UK Passport Service (UKPS) to provide passport services and in the future, as part of the National Identity Scheme, ID cards for British and Irish nationals resident in the UK. Foreign nationals resident in the UK will also be included by linking the scheme to biometric immigration documents.
National Identity Fraud occurs when a person's personal information is used by someone else without their knowledge to obtain credit, goods or other services fraudulently. It can even extend to securing a passport in their name.
Federal Trade Commission (Identity Theft)
On Guard Online Advice and tips from the US Federal Government about staying safe on-line.
Visit the UK Passport website. We issue UK passports to British nationals living in the UK. Our website is here to help you with your passport application.
Preventing Virtual Blight: my presentation from Web 2.0 Summit
Belarc Advisor builds a detailed profile of your installed software and hardware, missing [Microsoft hotfixes](http://www.acomputerportal.com/microsoft_windows.html), anti-virus status, CIS (Center for Internet Security) benchmarks, and displays the results in your Web browser. All of your PC profile information is kept private on your PC and is not sent to any web server.
OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do: with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.
Free Internet Window Washer is a free internet tracks eraser and privacy cleaner software. As you work on your computer and browse the Internet, you leave behind traces of your activity. The Windows built-in functions will not protect you; most of the tracks cannot be erased with them. Therefore, anyone else can see what you have been doing on your computer. Furthermore, much of your activity information takes up valuable disk space, and recovering this space can be very beneficial.
Process Library resource is for anyone who immediately wants to know the exact nature and purpose of any and every single process that is - or should not be - running on your PC.
Security Config, your security portal. Here you can find all of the tools you need to secure your website, business, data, and everything else digital. Downloads ranging from: Anti Virus Software, Cookie Tools, Desktop Security, Email Security, Encryption, Enterprise Monitoring, Firewalls, Network Security, Password Software, SSH Tools and more.
New hacked site Google Search notifications in search results. Google has added a new notification to its search results that helps people know when a site may have been hacked. "We've provided notices for malware for years, which also involve a separate warning page. Now we're expanding the search results notifications to help people avoid sites that may have been compromised and altered by a third party, typically for spam. When a user visits a site, we want her to be confident the information on that site comes from the original publisher."
Google Hacks 2.0 - video powered by Metacafe Also see Google Knowledge. Google Information
Microsoft Baseline Security Analyzer
ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. It provides Geo IP resolution, credit card number detection, support for content injection, automated rule updates, scripting, as well as many more security methods. See more Website statistics, Hit Counters, Trackers
The ISO 17799 Information Security Portal. ISO17799, ISO 27000 and Computer Security News.
Consumer Direct, a telephone and online consumer advice service supported by the Department of Trade and Industry.
APACS - Association for Payment Clearing Services
National Lottery, (United Kingdom), scam (fraudulent) emails are increasing at an alarming rate.
Business Software Alliance. Helps businesses avoid software licensing problems. We've designed the Anti-Piracy Information section to help users prevent software theft. BSA®, one of the World's leading anti-software piracy groups, is committed to providing support every step of the way. In 2003, across the EMEA region, the BSA handled 57,625 calls, followed up 7,929 end user leads and took legal action against 9142 companies. Learn about the types of software piracy, its penalties and find all the tools you need to make a difference: Asset Management Resources, Guide to Software Management, Reasons to Fight Software Piracy, Online Shopping Tips and much more. If you've already thought through the issues and now wish to report a company that uses illegal software, you can do so anonymously through our Online Reporting Tool. (Don't forget, when an organization is prosecuted, it is the company directors who face legal action.) Report Piracy Now
Red Flag Rule (Federal Trade Commission) requires financial institutions and "creditors" with "covered accounts" to establish identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate a customer-account holder has been victimized by, or is engaged in, identity theft.
The Windows Security Center, (Microsoft Windows®), which is already installed on your computer, monitors and enables you to manage important security settings on your computer, including a firewall, automatic updates, and the status of your antivirus software.
Microsoft Windows® Service Pack 2. A free software update pack for Windows XP, which is the operating system of many home PCs. Microsoft Windows® Service Pack 2, commonly known as SP2, is designed to fix several bugs and vulnerabilities in Windows XP simultaneously, and give your PC better protection from viruses and hackers. How to get SP2. Also view Microsoft Windows®
BitLocker Drive Encryption is the final feature release name for the project previously referred to as "Secure Startup Full Volume Encryption." Some preliminary releases of Windows Vista®, still use the old project name in text strings and Windows® titles. This step-by-step guide uses the old project name where appropriate, such as referring to the user interface where it appears. Otherwise, the feature release name is used.
WinErrs. Did you ever get an 'Illegal Operation' or 'Page Fault' error message when using Microsoft Windows® and wonder what it meant? WinErrs is a database of 1,554 Microsoft Windows® error codes and their definitions. These codes, together with their descriptions, are extracted directly from Microsoft Windows®.
Apple Product Security Mac OS X Security Apple Security Updates page More Apple Links
Hoax-Slayer is dedicated to debunking email hoaxes, thwarting Internet scammers, combating spam, and educating web users about email and Internet security issues. Hoax-Slayer allows Internet users to check the veracity of common email hoaxes and aims to counteract criminal activity by publishing information about common types of Internet scams. Hoax-Slayer also includes anti-spam tips, computer and email security information, articles about true email forwards, and much more. New articles are added to the Hoax-Slayer website every week.
Secunia PSI (Personal Software Inspector) scans your computer for seriously outdated software products that have been discontinued or require critical security updates from the vendor.
CAPTCHA™ is a program that can generate and grade tests that most humans can pass, but current computer programs can't pass. For example, humans can read distorted text, but current computer programs usually can't read such distorted text. This may be useful to confirm emails are genuine and other basic Diagnostics and Security checking.
WebScarab is a Web Application Review tool. It sprang from the designs of the people inhabiting the WebAppSec list run from SourceForge, for a powerful, free, open tool for reviewing web applications for security vulnerabilities. Not much of the original design has actually been implemented as envisioned. WebScarab started as a spider that could download all the pages on a site. It stayed that way for almost a year, before I decided to take lessons learned during the development of Exodus and implement them as part of WebScarab.
OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. Everything here is free and open source. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Participation in OWASP is free and open to all.
Security config Software to Protect your system.
Identity Finder - Freeware. Let us prove to you the power of our search capabilities for free. Simply download, install, and run the search. It will detect unprotected credit cards and passwords on your computer that are vulnerable to identity theft or fraud. Once found, you can permanently shred or encrypt the information with a password so identity thieves cannot steal them. Take the first step towards protecting your family, your employees, and your business; try Identity Finder today. Installation and removal are easy.
PC Pitstop!
GetNetWise. Accessing the Internet through a broadband or high speed Internet connection at home really enhances the online experience. However, broadband users should take extra precautions to secure their computer and their computer files. The speed at which information can be transferred to and from your computer, and the fact that it stays connected to the Internet for long periods of time, make it a more likely target for hackers than dial-up Internet users. By taking some basic precautions and using a few simple tools, you can do your part to protect cyberspace from hackers. At the same time, you'll also protect your computer and your information from theft, misuse and destruction. GetNetWise Main page
Information: Virtual Private Network (VPN) (Wikipedia). A VPN is a secure network connection that is layered on top of the Internet. This type of connection is used to move secure data to and from corporate networks safely, minimising the chance of these systems being "hacked or abused".
Secondary DNS (SECDNS) provides redundant name service for a domain that you own, while DNS remains managed on your own nameserver(s). The servers providing Secondary DNS are located on separate networks to prevent downtime. With Secondary DNS, even if your own nameserver goes down, the secondary servers will continue to resolve queries for your domain. In the event of an attack, the secured DNS network is restored to keep websites on-line and usable.
Domain Name System Security Extensions (DNSSEC) (Wikipedia) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.
DNS HOWTO. DNS is the Domain Name System. DNS converts machine names to the IP addresses that all machines on the net have. It translates (or "maps", as the jargon would have it) from name to address and from address to name, and some other things. This HOWTO documents how to define such mappings on a Unix system, with a few things specific to Linux.
SpoofStick is a simple browser add-on for Internet Explorer, that may help novice users to spot phishing scams that are linked from emails or web sites.
PhishFighting. Fight back and take down the phishers. Enter the phisher's URL to report it.
Reporting Spam. SpamCop parses reported email, sending warning information to the internet service provider responsible for hosting the services used by the spammer (web sites and email sending sites). SpamCop also uses the information to generate SpamCop's free blocking list. Unfortunately, this is an ongoing battle. Spammers adapt quickly and persistently. Report spam and help SpamCop turn the tide. SpamCop makes this otherwise slow and technical task quick and easy. The SpamCop reporting service is free. More...
What is "mole" reporting? SpamCop Mole reporting was an experiment that presented many problems in the operations and integrity of SpamCop, so it is mostly being disabled. Reports from users who choose to be mole reporters will count only in the statistics and aggregate counts. Reports are not sent and can only be viewed by SpamCop administrators. Mole reports do not count in the stats used to determine listing and delisting of IP addresses in the SpamCop Blocking List. As spam defenses and spammers become more sophisticated, many smart spammers have developed very sophisticated defenses against being detected. One of the spammers' strategies is to quickly and effectively remove anyone from their mailing lists who files a spam complaint (until they want to get revenge, and then they use these "remove lists" differently). This is generally (although not always) good for the person filing the complaint, but it is bad for spam defense in general, since these activists are the only ones identifying the problem. By removing the "trouble makers", spammers too often slip "under the radar" and appear to be legitimate senders, even though the majority (or entirety) of the victims don't want the mail (they are just the ones who don't bother to make waves). More...
Flash, aaaaagh! Is your school website flashy but safe? Most educational websites in the U.S. are using Flash applications that fail to adequately secure these pages. This is a growing problem for the Internet as vulnerable sites can be hijacked for malicious and criminal activity, according to a paper published in the International Journal of Electronic Security and Digital Forensics this month. More links about Flash
Surf Anonymous Free. A free Internet utility that anonymizes your web surfing by hiding your IP address, thereby protecting you from the vulnerabilities associated with it. Surf Anonymous Free connects to our servers and gets the most stable, fresh and fast working IP location, called a proxy. Then it puts that information in your browser, such as Firefox, Internet Explorer or Opera. Your real IP address and location will become inaccessible, so you can browse with a completely concealed identity. It’s Easy, Fast, and Free.
Cloud Computing is a somewhat nebulous term describing how modern users "rent" or borrow online software instead of actually purchasing and installing it on their home computers. It is the exact same idea as people using Gmail or Hotmail services, except that cloud computing goes much further than simple email. Cloud computing is where entire businesses and thousands of employees will run their computer tools as online rented products. All of the processing work and file saving will be done "in the cloud" of the Internet, and the users will plug into that cloud every day to do their computer work. It is said that cloud computing suppliers buy computer systems by the container load. This helps reduce cost because of economies of scale. Two common models are Software as a Service (aka "SaaS") and Platform as a Service (aka "PaaS").
Cloud Security Frame. Cloud Security Frame at Shaping Software. This frame is especially important because we're using it to help us map out the Cloud security space for our patterns & practices Cloud Security Guidance project; it helps us scope our project. The frame is basically a set of Hot Spots. We use the Hot Spots to find, organize, and share principles, patterns, and practices. We also use the Hot Spots to find pain points and opportunities, or to organize key engineering decisions.
My Lockbox is a security software enabling you to password protect folders on your computer. The protected folder is hidden and locked from any user... More Harddrive Tools
More and more enterprises are realizing the importance of proactive security practices, and those involved in critical infrastructure are no exception. One of the most effective ways to drive security improvements in critical infrastructure is through industry consensus. Microsoft has been deeply involved in collaborating with several critical infrastructure sectors to better understand their needs and to help improve their secure software development practices. A critical sector is financial services, where Microsoft has had a long-term collaboration with BITS, a part of the Financial Services Roundtable, made up of major US financial institutions that are responsible for almost 93 trillion in managed assets.
Today, BITS announced the release of their Software Assurance Framework. The purpose of this framework is to document the importance of secure development and to provide guidelines that financial services organizations can use to implement these practices more fully. The framework is rooted in education, integration of security in design using standards and threat modeling, best practices for coding, focused and comprehensive testing and followed with important implementation and response practices. This type of holistic, prescriptive, risk-based approach has been a hallmark of Microsoft’s SDL since inception back in 2004. The BITS Framework goes on to further cite the Forrester Consulting study which details the compelling economic (ROI) reasons to invest in a SDL program.
The framework was also designed to provide guidelines to software suppliers of the financial services industry in writing better, more secure software. BITS recognized the importance of making this an industry-wide effort which is why we are extremely pleased to see it was made available to the public. Microsoft has been a strong advocate for improving secure development practices with free information and tools for many years now. The BITS framework is another great example on the importance of prescriptive security versus descriptive security practices such as checklists.
Of note, this Framework was a collaborative effort that involved several financial services companies in conjunction with Microsoft. The BITS group contains some of the most experienced security people in the financial services industry working together to define clear guidance on the most critical software development best practices for financial services.
We encourage you to take a look at this important document and see how practices from Microsoft’s SDL have helped to make a difference in improving software security within the financial services industry.
- Doug Cavit
Over the past few weeks, Microsoft has been reflecting on the ten year anniversary of the Trustworthy Computing initiative; thinking about the things that have led us to this point in our history and speculating about the future.
Obviously a big part of our work has been the creation and evolution of the Microsoft Security Development Lifecycle (SDL). In our case, security has evolved in large part because of the issues that we faced early on. As referenced in my previous post, the uphill battle we fought in the early years put a negative spotlight on our products and our ability to keep customers safe.
By learning from our weaknesses and from close observation of the evolving threat landscape, we were able to make progress against the challenges by employing an effective approach to developing more secure software. The most prominent and arguably the most important attribute of our evolution lies in our commitment to the SDL – a comprehensive approach for writing more secure code. Under the Microsoft Trustworthy Computing umbrella, the SDL is considered the most battle-tested and effective software security assurance process in the industry.
Clearly Microsoft products are not the only ones being targeted by cybercriminals. Today there is an industry dedicated to finding security vulnerabilities; motivated security researchers are in a race to discover the next big vulnerability in hopes of selling them on the open market. So how does Microsoft work with the industry to help build a safer, more trusted computing ecosystem? One way is by freely sharing our prescriptive guidance around the SDL methodology and tools so that other organizations can build more secure software.
We’ve noticed that IT dependent organizations are no longer satisfied with the latest “Top n list” of security practices; instead they are demanding prescriptive practices like the SDL that make deliberate value judgments on security practices based on real world effectiveness. We’re proud of our efforts here – no other software vendor shares their tools and resources to the extent that we have. We feel strongly that by sharing our best practices and tools, we can help organizations implement a version of the SDL that makes sense for them – regardless of what platform they use.
This insistence on effective security development processes can be found in the recent release of the BITS Software Assurance Framework. For those readers unfamiliar with BITS, it is the technology arm of the Financial Services Roundtable – an organization that includes members from major US financial services organizations. BITS is chartered with finding collaborative solutions to challenges in cybersecurity, fraud reduction and critical infrastructure protection for its member companies. Today, BITS will publicly announce that they have successfully incorporated many of the key elements contained within Microsoft’s SDL into the guidance they provide to their member institutions and their software vendors. Their recommendation of many of our security development practices is gratifying and a strong testament to how far we have come with software development security.
We’re also pleased to see a growing community of individuals and enterprises that are implementing secure development best practices; we feel there should be a venue where those ideas and methodologies can be shared. In an effort to make that venue a reality and sustain the momentum behind secure development processes, we are pleased to announce the first annual Security Development Conference in Washington D.C., May 15th – 16th, 2012.
This event will bring together experts from a variety of industries to Washington, D.C. for a two day conference that centers on the theme “Evolving from Principles to Practices” and will serve as a focal point for education and collaboration for security development professionals. By holding this conference we intend to emphasize the importance of more secure code as the critical first step to protecting against criminal activity. The conference will provide in-depth sessions, panel discussions, and professional networking opportunities that will help organizations develop and accelerate their own security development lifecycle processes.
For more information and registration details, I’d strongly encourage a visit to the conference website at www.securitydevelopmentconference.com
Hello all – Dave here…
As mentioned in previous posts, there are some interesting changes afoot regarding security in Visual Studio 11. Here is the next installment of the series by Tim Burrell outlining more of the work done by Security Science and the talented folks on the Visual Studio team…
-----------------------------------------------------------------------------------------------------------------------
Microsoft is actively developing Visual Studio 11 and continually looking for ways to improve security-related functionality in the software. We previously noted that we are updating the on-by-default /GS compiler switch, which provides protection against some memory safety bugs such as buffer overflows. This post will provide additional information on those changes.
You may recall that /GS buffer overrun protection places a cookie on the stack between local variables and security-critical metadata such as the return address.
The integrity of the GS cookie is checked at the end of the function, prior to the return address being used to return to the caller; if the cookie has been corrupted then execution is terminated rather than carrying on and transferring control to a now suspect return address in memory.
Note that this kind of protection is designed to catch the traditional overflow scenario – i.e. modification of consecutive bytes – and this is indeed by far the most common type of stack corruption bug. However it does not protect a scenario such as:
If the attacker can control the value of ‘n’ above, then he can corrupt a single TCHAR character, leaving any GS cookie untouched:
In reviewing those Microsoft Security Response Center (MSRC) cases due to stack-based corruption that were not covered by the existing /GS mechanism, we noted one error that stood out as being more common than others: misplaced null terminators. A typical code sequence might be something like:
The ManipulateString() function correctly writes data within the bounds of the string ‘buf’ – but fails to keep track of the final length ‘cch’ of the resulting string. The instruction that null-terminates the string could therefore write outside the bounds of the string buffer without corrupting the GS cookie.
Compile the code above using the Visual Studio 11 Developer Preview tools and you will see that the generated code includes an extra check:
The compiler has inserted range validation code for the null-terminating instruction to guard against an out-of-bounds write to memory, roughly equivalent to:
A couple of questions arising from this are:
1. “What is the __report_rangecheckfailure() function?”
2. “When/how often does this range validation happen?”
The __report_rangecheckfailure() is similar to the existing __report_gsfailure() function; it just terminates the program to prevent further execution in a state that we know is about to become untrustworthy. We will come back to this in more detail in a later post.
With respect to how often such range validation happens, it is targeted precisely at the code pattern for which there is historical data indicating the highest risk of a bug being present, namely an assignment to a single array element where:
- The array element size is 1 or 2 bytes, i.e. typically a string.
- The value being written is zero, i.e. to catch the null terminator case.
- The array is declared to be of fixed known size (note that this could be a local or global array so not restricted to the stack).
In addition, for the compiler to be able to insert the instruction guarding against a range violation, it needs to know the size of the array. So an additional requirement in Visual Studio 11 Developer Preview is that the array assignment instruction involves an array of locally and statically declared size. By means of illustration, the following would not lead to a range check being inserted:
As always this is a trade-off. By targeting these extra checks as described above, Visual Studio 11 by default provides extra protection for a limited set of bugs that history tells us are the most common kind of stack-corruption bugs not covered previously by /GS, while minimizing performance and code size impact by keeping the number of such checks low overall.
And of course /GS continues to provide the familiar cookie-based protection against traditional stack overflows.
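As an added illustration (not code from this post or from the Visual Studio compiler), the following C program reproduces the misplaced-terminator pattern on a fixed-size buffer and writes out by hand the kind of bound check the compiler inserts. The names BUF_SIZE, checked_zero_store and copy_and_terminate are constructed for the example, and report_rangecheckfailure() is a hypothetical stand-in for __report_rangecheckfailure() that counts the event instead of terminating the process, so the behaviour can be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* fixed, locally known size: the case the compiler can guard */

/* Hypothetical stand-in for __report_rangecheckfailure(). The real helper
 * terminates the process; this one counts the event and lets the caller
 * refuse the write, so the behaviour can be exercised in a test. */
static int g_rangecheck_failures = 0;
static int rangecheck_failures(void) { return g_rangecheck_failures; }
static void report_rangecheckfailure(void)
{
    g_rangecheck_failures++;
    fputs("range check failure: out-of-bounds zero store refused\n", stderr);
}

/* The inserted validation, spelled out by hand: a zero store to arr[idx] is
 * allowed only when idx < count (count = element count of the fixed-size
 * array). elem_size 1 or 2 covers char and WCHAR/TCHAR elements. */
static int checked_zero_store(void *arr, size_t count, size_t elem_size, size_t idx)
{
    if (idx >= count) {
        report_rangecheckfailure();
        return 0;
    }
    memset((unsigned char *)arr + idx * elem_size, 0, elem_size);
    return 1;
}

/* The pattern from the post: the copy stays inside buf, but the resulting
 * length cch can equal BUF_SIZE, so an unguarded buf[cch] = '\0' would land
 * one byte past the end without disturbing any /GS cookie. Returns the
 * string length, or -1 when the terminator store was refused. */
static int copy_and_terminate(char buf[BUF_SIZE], const char *src, size_t n)
{
    size_t cch = strlen(src);
    if (cch > n) cch = n;                 /* n is caller-controlled */
    if (cch > BUF_SIZE) cch = BUF_SIZE;   /* the data copy itself never overflows */
    memcpy(buf, src, cch);
    /* the unguarded form would be: buf[cch] = '\0'; */
    if (!checked_zero_store(buf, BUF_SIZE, sizeof buf[0], cch))
        return -1;
    return (int)cch;
}

int main(void)
{
    char buf[BUF_SIZE];
    int len = copy_and_terminate(buf, "hello", BUF_SIZE);
    printf("%d chars: \"%s\"\n", len, buf);
    /* 16 characters fill buf exactly, so the terminator would be buf[16] */
    len = copy_and_terminate(buf, "0123456789abcdef", BUF_SIZE);
    printf("%s\n", len < 0 ? "terminator store refused (would be buf[16])" : "unexpected");
    printf("range check failures: %d\n", rangecheck_failures());
    return 0;
}
```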
The /GS compiler switch is one of many security enhancements being looked at for Visual Studio 11 and is but one small part of the Security Development Lifecycle (SDL) process and methodology for developing secure software, which includes much more than just using specific compiler switches – read more and find additional resources related to SDL here.
Tim Burrell, MSEC Security Science.
Pop security quiz: What’s the most secure way to store a secret?
a) Encrypt it with a strong symmetric cryptographic algorithm such as AES, using a 256-bit key.
b) Encrypt it with a strong asymmetric cryptographic algorithm such as RSA, using a 4096-bit key.
c) Encrypt it using a cryptographic system built into your platform, like the Data Protection API (DPAPI) for Windows.
Have you made your choice? The correct answer is actually:
d) Don’t store the secret at all!
Ok, it was a trick question. But the answer is valid: thieves can’t steal what you don’t store. Let’s apply this principle to the action of authentication – that is, logging into a web site. If a site never stores its users’ passwords, then even if the site is breached, those passwords can’t be stolen. But how can a site authenticate users without storing their passwords? The answer is for the site to store (and subsequently compare) cryptographic hashes of the passwords instead of the plaintext passwords themselves. (If you’re unfamiliar with the concept of hashes, we recommend reading http://msdn.microsoft.com/en-us/library/92f9ye3s.aspx#hash_values before continuing.) By comparing hashes rather than plaintext, the site can still validate that the user does indeed know his or her password – otherwise, the hashes wouldn’t match – but it has no need to ever actually store that password. It’s an elegant solution, but there are a few design considerations you’ll need to implement to ensure you don’t inadvertently weaken the strength of the system.
The first design issue is that simply hashing the passwords alone isn’t enough protection: you also need to add a random salt to each password before you compute its hash value. Remember that for a given hash function, an input value will always hash to the same output value. With enough time, an attacker could compute a table of plaintext strings and their corresponding hash values. In fact, many of these tables (known as “rainbow tables”) already exist and are freely downloadable on the Internet. Armed with a rainbow table, if an attacker could manage to gain access to the list of password hashes on the web site by any means, he could use that table to easily determine the original plaintext passwords. When you salt hashes, you take this weapon out of the attackers’ hands. It’s also important to generate (and store) a unique salt for every user – don’t just use the same salt for everyone. If you did always use the same salt, an attacker could build a new rainbow table using that single salt value, and eventually extract out the passwords.
Figure 1: Comparing salted hashes
The next important design issue is to be sure to use a strong cryptographic hash algorithm. MD5 may be a popular choice, but cryptographers have demonstrated weaknesses in it and it’s been considered an unsafe, “broken” algorithm for years. SHA-1 is stronger, but is beginning to show cracks, and cryptographers now recommend avoiding SHA-1 as well. The SHA-2 family of hash algorithms is currently considered the strongest, and is the only family of hash algorithms approved for use in Microsoft products per the Microsoft Security Development Lifecycle (SDL) cryptographic standards policy.
Instead of hardcoding your application to use SHA-2, an even better approach would be to implement “cryptographic agility”, which would allow you to change the hash algorithm even after the application has been deployed into production. After all, cryptographic algorithms go stale over time; cryptographers find weaknesses and computing power increases to the point where brute force approaches become feasible. Someday SHA-2 may be considered just as weak as MD5, so planning for this eventuality early may save you a lot of trouble down the road. An in-depth look at hashing agility is beyond the scope of this post, but you can read more about a proposed solution in the MSDN Magazine article Cryptographic Agility. And just as the SDL mandates the use of strong cryptographic algorithms in Microsoft products, it also encourages product teams to use crypto agility where feasible so that teams can more nimbly migrate to new algorithms in the event that a current strong algorithm is broken.
So far, we’ve talked about what to hash (the password and a random unique salt value) and how to hash (using a cryptographically strong hash algorithm in the SHA-2 family, and preferably configurable to allow for future change), but we haven’t talked about where to hash. You might think that performing the hashing on the client tier would be a significant improvement in security, since you’d only need to send the hash over the wire to the server and never the plaintext password itself. However, this doesn’t buy you as much benefit as you’d think. If an attacker has a means of sniffing network traffic, he could still intercept the call and pass the hash to the server himself, thus spoofing the user and taking over his session. At this point, the hash essentially becomes the plaintext password. The only real benefit to this approach is that if the victim is using the same password on multiple web sites, the attacker won’t be able to compromise the victim’s account on those other sites as well, since knowing the hash of a password tells you nothing about the password itself. A better way of defending against this attack is just to perform the hashing on the server side, but to ensure that the password and all credential tokens such as session cookies are always transmitted over SSL/TLS. We’ll explore the topic of secure credential transmission (and other aspects of password management such as password complexity and expiration) in future blog posts.
By following a few simple guidelines, you can help to ensure that your application’s users’ credentials remain secure, even if your database is compromised:
I remember the security situation at Microsoft in 2001 and 2002 like it was yesterday. Perhaps no other couple of years will be so indelibly etched into my brain as those two. 2001 was not so good, but 2002 was a heck of a lot better! Given 2001, this was not a difficult achievement for 2002! So, let me start at the beginning…
In late 1999, a small band of us formed a small security team (as in “threats,” not as in “features”) to help raise software security awareness across the company. We had no name for a long time, until the vice president in Windows at the time, Dave Thompson, decided to call us the Secure Windows Initiative (SWI). Our charter was to start reviewing Windows code in depth looking for security bugs, but having a small number of people reviewing something the size of Windows was clearly not going to work. So, we moved to a “Security Bug Bashes” model where we would deliver security education in the morning to a small development group within Windows (e.g., networking, terminal services, IIS, IE, etc.), and then for the rest of the day we would have the engineering team go look for security bugs. It was fun and we found bugs. But the most important point was raising awareness. It really didn’t matter how many bugs were found—the key was to make people aware of the security issues and reduce the chance that mistakes would be made in the future.
The downside of the bug bashes was that even though they were more effective than the original SWI charter, they still didn’t scale very well and they were very labor-intensive. Still, the security bug bashes continued for about another eighteen months.
2001 was not a good year for Microsoft security because of CodeRed and Nimda, two worms that affected Internet Information Server 4.0 and 5.0. CodeRed was the result of a one-line error in some code running by default in IIS4 and 5. In hindsight, the code should not have been installed by default. Nimda was the more sophisticated of the two worms because it used more than one vulnerability to compromise systems.
While all this was happening, David LeBlanc and I were mid-way through creating the first edition of Writing Secure Code. We had written the book because the same security-related questions were being asked time and time again and we wanted a reference we could point people to. Little did we realize that Writing Secure Code would later become a runaway bestseller.
As 2001 wound down and Writing Secure Code was finally sent to the printers, I got an email from Loren Kohnfelder, who was one of the security leads in the .NET Framework. Loren is best-known for defining what is now commonly referred to as Public Key Infrastructure (PKI). You can read his 1978 thesis on the topic here. Loren was also one of the protagonists behind the STRIDE threat modeling mnemonic.
Loren told me that the .NET Common Language Runtime (CLR) team had uncovered a small number of security bugs during the final development phase of the project, and he was really concerned. We decided to do a bigger version of a bug bash; but rather than lasting only one day, it would be done when it was done. “Done” meant the rate of incoming security bugs approached zero. This became known as the “.NET Security Standdown,” and we even had T-Shirts made with the date of the start of the event. On the day the event was to start, the Pacific Northwest got a huge snow storm and the Microsoft Redmond campus was closed, so we started the standdown a few days later.
The standdown was a great success, thanks to Brian Harry and his team, who managed the process brilliantly. We reeducated the .NET engineering team, we found and fixed bugs, but most important, in my mind, we introduced the concept of reducing attack surface (i.e., limiting the amount of code exposed to untrusted users). That’s where the concept of AllowPartiallyTrustedCallersAttribute (APTCA) came from and why we flipped ASP.NET to run in much lower privilege.
December 2001 saw the release of Writing Secure Code, and Doug Bayer and I had a lengthy meeting with Bill Gates to explain security vulnerabilities in detail. Clearly he was concerned by the worms of 2001 and wanted to learn more. At the end of the meeting I gave Bill a copy of Writing Secure Code.
At the end of December 2001, the .NET Standdown was over and we had learned a great deal about rallying the troops to a common security cause. But there was much more work to do!
In light of the success of the .NET work, we decided to aim our sights at Windows .NET Server (as it was called back then). Following the .NET model, we started in February and would be done when we were done. For the most part, that ended up being late March for most teams within Windows.
This became known as the “Windows Security Push.”
As everyone knows by now, Bill sent his famous Trustworthy Computing (TwC) memo to the company in January 2002, right as we were planning the security work for Windows. His memos are rare, and this one signaled the start of something big within the company.
During the push, we had three streams of education: I handled all the Windows developers, Jason Garms worked with all the program managers and architects, and Chris Walker trained all the testers. Steve Lipner and Glenn Pittaway led much of the day-to-day process management, keeping in constant communication with upper management.
One practice we borrowed from the security bug bashes was that we always had a senior person from management kick off the training. At one of my sessions, I had Rob Short, VP of Windows Base (Kernel down to the metal) open the day. Rob’s a tall, lean Irishman with a thick Irish accent, and there’s something he said that has stuck with me forever. He said, “There is nothing special about security; it’s just part of getting the job done.” Whenever I deliver a security talk to new engineers within Microsoft or am onsite with a customer, I always recite Rob’s words, because they are so incredibly true.
The Windows Security Push begat the SQL Server Security Push, the Exchange Security Push, and the Office Security Push. Slowly but surely things started to change across the company. Engineers and managers “got it.”
A key element of all the pushes was to reduce the default attack surface of the products. That’s why Windows Server 2003 (note the name change) had a reduced functionality browser, no Web server installed by default, and much more.
One thing that is not commonly known about the pushes is that a lot of documentation was written about the security implications of various technologies. Much of that learning ended up in the second edition of Writing Secure Code; the book ballooned from 500 pages to over 800 pages, and much of that was detail we learned and fine-tuned throughout 2002. A great example is the chapter concerning the security implications of internationalization and globalization. The text in the book is derived from a whitepaper written by the globalization team within Windows after they had gone through the push process and had looked at their important corner of Windows with a fresh security perspective.
The pushes were just the start, however. Real change came only when we implemented the Security Development Lifecycle (SDL). As I have said many times, you can’t build some software and then have a security push. It just doesn’t scale and, frankly, having a push at the end is too late. We needed something that was “part of the process,” and that is how the SDL was born.
There was a wrinkle along the way, however. In 2003 we saw Slammer affect SQL Server and Blaster affect Windows. Because one of the effects of Blaster was blue-screened computers, product support saw a huge increase in support calls. Many of us manned the phones to help out. Raymond Chen, a lead developer on the Windows shell team, and I were seated next to each other, and he wrote about it in his blog.
Blaster led to a lengthy and intense effort known as “Springboard,” led by Rebecca Norlander, Matt Thomlinson, and John Lambert. The end result of the process was Windows XP SP2, in which we not only found and fixed security bugs but also added numerous critical defenses to Internet Explorer, DCOM, and RPC. We also enhanced and enabled the Windows Firewall and added data execution prevention (DEP), and we made it easier for users to enable automatic updates by prompting them right after setup.
Microsoft has come a long way in the last ten years, and I am incredibly proud to have been a part of this watershed time. Much has changed. The SDL is now seen as industry-leading and is in use by many software developers outside of Microsoft. My role has changed too: I now work with our customers and partners as part of the Microsoft Americas Services Cybersecurity team to help them adopt SDL practices as they recognize the need for an increased focus on security.
It’s been an amazing ten years. We still have much to do, however. And no one knows that more than the incredibly talented people across Microsoft helping bake security into our products and our partners’ and customers’ products every day.
Michael Howard
Principal Cybersecurity Architect
January marks the ten year milestone of Bill Gates' memo on Trustworthy Computing. When I think about “where was I when…” the email hit my inbox, several memories come to mind that I thought I’d share. Back then I was the Director of Security Assurance, a position that encompassed both the Microsoft Security Response Center (MSRC) and the Secure Windows Initiative that focused on improving the security of Microsoft’s products before they shipped. We had had our share of problems in those days as attackers had released worms – Code Red, Nimda – against our products and customers.
On January 12th 2002, Michael Howard, Jason Garms, Glenn Pittaway and I were working long days and nights preparing for the February start of the Windows Server 2003 security push. We were prioritizing component development groups, identifying tools that we’d tell groups to run, and working to finalize the four-hour security training class that we planned to present to a total of about 8500 people during the week of January 28, 2002.
One of our big concerns was how the employees would react. We knew that our managers up to senior and group vice president had approved our idea of conducting the security push, and we knew that the team commitments were on the calendar. But if the individual employees and lower-level managers weren’t on board with the idea, the process could crater badly.
Bill’s Trustworthy Computing mail appeared in the midst of this hard preparatory work. I won’t say we would have failed to get the employee engagement we needed if Bill hadn’t sent his mail – after all, we’d lived through Code Red, NIMDA, and some very embarrassing vulnerability reports against Windows XP, and developers and managers were aware of the negative customer perception. But I do know that Bill’s mail made a difference. We told developers, program managers, and testers to sit through four hours of training in a cramped (950-person) meeting room and pay attention, and they paid attention. We told them to review code and find security bugs rather than working on features, and they found and fixed security bugs. We gave them what I know, with ten years’ hindsight, were immature and flaky tools and processes, and they swallowed hard and used them effectively to find more security bugs. And to this day, I believe a lot of their willingness to do those things was not only because their managers said to do them, but because Bill and Craig Mundie (then Microsoft’s Chief Technology Officer and today Microsoft’s Chief Research and Strategy Officer) had said they were important to do – important for our customers and important for Microsoft.
We’ve done a lot to make our software and services more secure in the last ten years. The Security Development Lifecycle (SDL) evolved from the security push and today we’re recognized for our leadership because we share SDL process and tools with the broader software development community. But the security pushes of 2002 were the beginning. And Bill’s commitment and the way it mobilized the company were the key to that beginning.
Steve Lipner
Senior Director of Security Engineering Strategy
Trustworthy Computing
Hello all – Dave here…
In chatting with our colleagues in the MSEC Security Science Team, there were a number of interesting topics that weren’t covered in our previous Code Analysis blog post – information that would help contribute to the understanding of security features and functionality in Visual Studio 11. So after some discussion, we have decided to release a series of posts covering this important work – everyone benefits from a better understanding of future technology offerings.
So with that, I again turn the blog over to Tim Burrell to elaborate!
_______________________________________
(Note – this blog post describes a feature in an unreleased product; this feature may be changed prior to final product release.)
Microsoft is actively developing Visual Studio 11 and continually looking for ways to improve security-related functionality. As part of this we are updating the /GS compiler switch, which is on by default and enables a basic level of code generation security features, with some enhancements beyond the now familiar cookie-based stack overflow protection. We’ll provide some more detail on these in a later post.
The Security Development Lifecycle (SDL) includes a number of recommendations beyond the scope of /GS where the compiler is able to assist secure software development. These range from specific code generation features such as using strict_gs_check to security-related compiler warnings and more general recommendations to initialize or sanitize pointers appropriately.
For the first time we intend to provide a central mechanism for enabling such additional security support via a new /sdl switch. The impact of /sdl is twofold:
- /sdl causes SDL mandatory compiler warnings to be treated as errors during compilation.
- /sdl enables additional code generation features such as increasing the scope of stack buffer overrun protection and initialization or sanitization of pointers in a limited set of well-defined scenarios.
This dual approach reflects our conviction that secure software is best achieved by the combination of detecting and fixing code bugs during the development process together with the deployment of security mitigations that will significantly increase the difficulty of exploiting any residual bugs.
The /sdl compiler switch is disabled by default, and can be enabled easily in the Visual Studio UI by opening the Property Pages for the current project, and accessing the Configuration Properties -> C/C++ -> General options.
The features enabled by the /sdl switch are a superset of those enabled by /GS i.e. enabling /sdl enables everything included in /GS. We will be providing more background and in-depth details of the additional /GS and /sdl features in future posts. For now we note that they include:
The following SDL mandatory compiler warnings are enabled and treated as errors:
Warning   Command line switch   Description
C4146     /we4146               A unary minus operator was applied to an unsigned type, resulting in an unsigned result
C4308     /we4308               A negative integral constant converted to unsigned type, resulting in a possibly meaningless result
C4532     /we4532               Use of “continue”, “break” or “goto” keywords in a __finally/finally block has undefined behavior during abnormal termination
C4533     /we4533               Code initializing a variable will not be executed
C4700     /we4700               Use of an uninitialized local variable
C4789     /we4789               Buffer overrun when specific C run-time (CRT) functions are used
C4995     /we4995               Use of a function marked with pragma deprecated
C4996     /we4996               Use of a function marked as deprecated
If a developer wishes to opt in to most of the /sdl functionality but exclude a given warning ID (C4146, for example), this can be achieved by using the /wd switch to disable that specific warning under C/C++ -> Command Line -> Additional Options in the Visual Studio UI.
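As an added illustration (not code from the original post, from the Visual Studio team, or from the SDL itself), the following C shows two of the bug patterns that the warnings above turn into build errors, each next to a corrected form. The cursor arithmetic and the record parser are hypothetical; the arithmetic is done on uint64_t values rather than real pointers so the wrong result of the C4146 pattern can be observed without touching invalid memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * C4146: unary minus applied to an unsigned operand.
 * On a 64-bit target, -n on a 32-bit unsigned yields 2^32 - n; when that is
 * added to a 64-bit address it is zero-extended, so the cursor moves about
 * 4 GB forward instead of n bytes back. (uint64_t stands in for a pointer so
 * the bad value can be computed safely.)
 */
static uint64_t rewind_cursor_bad(uint64_t cursor, unsigned int n)
{
    unsigned int back = -n;   /* what /we4146 turns into an error */
    return cursor + back;     /* 0x10000 - 16 becomes 0x10000FFF0, not 0xFFF0 */
}

/* Corrected: subtract, and refuse to move in front of the buffer start. */
static bool rewind_cursor(uint64_t base, uint64_t *cursor, unsigned int n)
{
    if (*cursor < base || n > *cursor - base)
        return false;
    *cursor -= n;
    return true;
}

/*
 * C4700: a local read on a path that never assigned it. Hypothetical
 * record parser: return the text after the first separator.
 */
static const char *find_field_bad(const char *rec, char sep, size_t *len)
{
    const char *start;                 /* not assigned when sep is absent */
    const char *p = strchr(rec, sep);
    if (p)
        start = p + 1;
    *len = strlen(start);              /* what /we4700 turns into an error */
    return start;
}

/* Corrected: every local gets a value at its declaration, and the
 * "not found" case is an explicit NULL the caller can test. */
static const char *find_field(const char *rec, char sep, size_t *len)
{
    const char *start = NULL;
    const char *p = strchr(rec, sep);
    if (p)
        start = p + 1;
    *len = start ? strlen(start) : 0;
    return start;
}

int main(void)
{
    uint64_t cur = 0x10000;
    size_t len;
    const char *f;

    printf("C4146 pattern: %#llx\n", (unsigned long long)rewind_cursor_bad(cur, 16));
    if (rewind_cursor(0xFF00, &cur, 16))
        printf("corrected:     %#llx\n", (unsigned long long)cur);
    f = find_field("user=alice", '=', &len);
    printf("field: %s (%zu bytes)\n", f ? f : "(none)", len);
    return 0;
}
```

The first pair is the classic 64-bit porting bug: the negated 32-bit value is a legal unsigned number, so nothing at run time objects; only the compiler, or an attacker who controls n, notices that the "rewind" lands far outside the buffer. The second pair is why /sdl also initializes certain pointers in code generation: source-level initialization at the declaration removes the path-dependent garbage entirely.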
Additional /sdl code generation features will be covered in more detail in later posts.
Microsoft strongly recommends using the /GS switch as in previous Visual Studio releases; the new /sdl switch in Visual Studio 11 presents an opportunity for greater security coverage both during and after development: stay tuned for more details on specific security benefits of using /GS and /sdl in Visual Studio 11.
Of course the Security Development Lifecycle (SDL) is an entire process and methodology for developing secure software and as such includes much more than just using specific compiler switches – read more and find additional resources related to SDL here.
Tim Burrell, MSEC security science.
We’ve talked before on this blog about SAFECode – an organization of IT vendors who have come together to share and document best practices in software security.
SAFECode has published a number of papers on best practices in software and supply chain security – most recently an update to “Fundamental Practices for Secure Software Development” released earlier this year. The SAFECode web site is a great resource for vendor-independent guidance on software security.
Today, SAFECode announced that Siemens has become the eighth SAFECode member, joining Adobe, EMC, Juniper, Microsoft, Nokia, SAP, and Symantec. Siemens, headquartered in Berlin and Munich, Germany, is a supplier of products for use in industry, healthcare, energy and infrastructure. Software security is an important matter for Siemens, and they will bring SAFECode great expertise in control systems often used in critical infrastructure.
As the Microsoft representative to the SAFECode board and the board’s chair, I’m delighted to welcome Siemens to SAFECode. I’m looking forward to SAFECode releasing new products that take advantage of the expertise Siemens brings.
Steve Lipner
George Pulikkathara here.
Every now and then we get asked by conference attendees or someone at a company who is evaluating the SDL for adoption at their company, “How well known is the SDL within the IT industry?” or “Where can I find video summaries of your SDL tools or whitepapers?”, or my favorite, “Who else is using the Microsoft SDL?”
Well, today, Microsoft launched a new SDL “Industry Talk” wall on the Security Development Lifecycle (SDL) website. This wall was designed to publicly share some of the great evidence Microsoft has generated and continues to generate surrounding awareness and adoption of the SDL.
So if you are considering adopting the Microsoft SDL or know of someone who is looking for a single resource for what the Industry is saying about the SDL, look no further.
By the way, the “Industry Talk” wall was built using HTML5 technology which gives users an exciting new way of experiencing and consuming SDL information. This means you’ll need an HTML5 compliant browser such as Internet Explorer 9 or any of the latest browsers to view the content. Enjoy.

Hello All -
As many of you already know, the SDL team at Microsoft has a strong relationship with our colleagues in the MSEC Security Science team - these guys are on the front line of tool development for the SDL, and are always looking for new ways to take the security technologies they produce and make them broadly available. With that in mind, I am quite pleased to turn over the blog to Tim Burrell to let you know about some new developments on the code analysis front.
- Dave
___________________________
At the recent BUILD Conference, the Visual Studio Code Analysis team presented some great new features of Microsoft Visual Studio 11 C++ Code Analysis. We thought we’d highlight a couple of the security aspects.
This is the first time that Code Analysis has been made available in an Express edition of Visual Studio – a reflection of Microsoft’s commitment to helping secure the software ecosystem beyond just our own software. It is also testament to the value that we believe such static analysis tools have to offer to every developer today. This value comes in many forms, mainly deriving from the fact that it’s way cheaper to fix a bug early on during development.
The Security Science team within the Microsoft Security Engineering Centre (MSEC) worked closely with the Visual Studio Code Analysis team to ensure that the Visual Studio Developer Preview includes as many of the SDL mandatory C/C++ Code Analysis warnings as possible. These are the security-related warnings that Microsoft considers critical to fix for internal C/C++ software development.
Choosing which warnings to include in Microsoft Visual Studio 11 Express is a balancing act between giving all developers access to these warnings and not overloading people with so many warnings that they just ignore them. We’ve tried to select the best combination of high severity / low noise. We are keen to hear your feedback on your experience of using Code Analysis in Express.
Of course the Security Development Lifecycle (SDL) is an entire process and methodology for developing secure software and as such includes much more than just fixing a given set of warnings – you can read more and find additional resources related to SDL here.
As we alluded to at the start, code analysis covers more than just security bugs – indeed the distinction between security and reliability can sometimes be a subtle one: the bug that manifests as a crash today (a reliability issue?) could turn out to be controllable by an attacker tomorrow (a security issue). We highly recommend running Visual Studio Code Analysis to help develop secure and reliable applications.
Tim Burrell, MSEC Security Science
Hello all,
Today we are excited to announce that some enhancements have been made to three of our free Security Development Lifecycle (SDL) tools - Threat Modeling, MiniFuzz, and RegExFuzz.
As many of you know, tools can be an invaluable asset when it comes to implementing a Security Development Lifecycle process in any organization. Over the years, Microsoft has made many of its security development tools available for free here. We hope these new enhancements will provide greater flexibility and enable you to effectively implement an SDL process in your organization.
Threat Modeling Tool v3.1.8
The Threat Modeling Tool is used in the SDL Design Phase to find security problems before coding begins. Through beta testing we obtained valuable input on what changes could be made to improve the tool. In this new version, we focused on stabilization of the Visio 2010 and Team Foundation Server (TFS) 2010 support that was provided as part of the beta release, and fixed bugs that were discovered.
Thank you to all of our beta testers who reported issues in the forum as well as through the select beta program. Your input was critical to improving the tool and customer experience.
> Learn more or download the tool
MiniFuzz Tool v1.5.5
The MiniFuzz Tool provides basic file fuzzing capabilities that can be applied by developers, testers and even those with limited experience with fuzz testing as part of the SDL Verification phase. In this new version of the tool, we have included support for Team Foundation Server (TFS) 2010, fixed stability bugs and made it easier to control target application shutdown.
> Learn more or download the tool
RegExFuzz Tool v1.1.0
The RegExFuzz Tool provides regular expression fuzzing capabilities that can be applied during the SDL Verification phase to check that regular expression evaluation times are not exponential. Regular expressions with very long evaluation times can lead to DoS attacks. In this new version, we focused on bug fixes requested from field use of the tool. A readme document has been added to the download which documents the fixes, remaining known issues, and planned future enhancements.
> Learn more or download the tool
As the threat landscape continues to evolve, we remain committed to freely sharing our secure engineering best practices and security tools with the broader community. We hope you find our tools useful and, as always, we welcome any comments or feedback you may have.
Regards,
Monty LaRue [SDL Team]
Hi All. Doug here,
In April 2011 Forrester Research wrote a new study on Application Security. This study, titled Application Security: 2011 & Beyond, led by Dr Chenxi Wang, Lead Analyst at Forrester Research, provides valuable research, insights and recommendations for security and risk professionals. We have since made this study publicly available in hopes of creating greater awareness around the importance of secure application development.
The report observes that sufficient resource allocation to address application security remains a significant issue for businesses, even though secure application development is considered a top priority by IT professionals and web application hacking continues to be the number one source of data breach incidents.
Part of the challenge is getting development organizations to undergo the culture shift required to make risk management and mitigation in application development a priority. Dr Wang’s report shows that organizations that do make the investment in secure application development are realizing positive returns. (More information about return on investment can be found in our recent blog post and in the MidAmerican case study).
There are several great recommendations in the paper which provide cost effective and incremental steps towards better application security. They include demanding better quality and security from vendors, acceptance testing for third-party software, disabling unused default accounts, building a secure operational environment around the application, and effective bug reporting and handling.
Additionally, one of the key recommendations identified in the paper is to implement a secure application development program, such as Microsoft’s Security Development Lifecycle. Take a look to see the latest information and tools that Microsoft makes freely available.
We encourage you to read this study and use it to think about how you can leverage the changing IT environment, such as the introduction of mobile technology and applications, to help provide the catalyst to enable change in your application development culture to improve application security.
Hi, Michael Howard here.
One very low-cost and low-friction SDL task that has high impact is removing (and not adding) banned functionality. The most common examples of banned functionality include various C runtime functions, such as strcpy(), strcat(), strncpy(), sprintf(), gets() and their evil brethren; and weak crypto algorithms, such as DES, MD4 and SHA-1.
Over the years, I have shepherded the banned API requirement through the SDL, making updates along the way. One of the biggest changes in recent years (other than adding memcpy() to the list) is a separation of ‘required banned’ functions and ‘recommended banned’ functions. The reason for this change is some functions are a ‘clear and present danger’ and should never be used in any code. Ever. E.V.E.R! This is the SDL ‘required banned’ list.
Other C runtime functions pose less of a risk; but in high-risk code, or code with a very high attack surface, they should be considered for removal, and certainly not added to new code in the first place. This is the SDL ‘recommended banned’ list.
We have created an update to the original banned API and recommended replacements list. That updated text is here and the header file is here.
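As an added example (not from the post, the banned API list, or the header file it links), the C below shows the two most common reasons the string functions above are banned and what a replacement with strcpy_s-style semantics looks like. copy_str and format_user_line are written here rather than taken from any library, so they build with any C compiler, including ones without the Annex K _s functions; the sample strings are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Why strncpy() is on the list: strncpy(dst, src, sizeof dst) looks bounded,
 * but when src has sizeof dst or more characters no terminator is written,
 * and the next strlen()/printf() reads past the buffer. Returns whether dst
 * is NUL-terminated within dstsz after the copy.
 */
static bool strncpy_terminates(char *dst, size_t dstsz, const char *src)
{
    memset(dst, 'X', dstsz);            /* poison: a missing NUL stays visible */
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/*
 * Replacement with strcpy_s-style semantics: never writes past dstsz,
 * always terminates, and reports failure instead of silently truncating.
 * On failure dst is emptied, as strcpy_s does, so stale data is not used.
 */
static bool copy_str(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dst == NULL || dstsz == 0)
        return false;
    if (src == NULL) {
        dst[0] = '\0';
        return false;
    }
    n = strlen(src);
    if (n >= dstsz) {                   /* no room for the terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);            /* length is known, so the copy is bounded */
    return true;
}

/*
 * sprintf() replacement: snprintf() bounds the write, but only the return
 * value says whether the formatted text fit. Treat truncation as an error
 * rather than handing a cut-off string to the next layer.
 */
static bool format_user_line(char *dst, size_t dstsz, const char *user, unsigned int id)
{
    int n = snprintf(dst, dstsz, "user=%s id=%u", user, id);
    return n >= 0 && (size_t)n < dstsz;
}

int main(void)
{
    char buf[8], line[32];

    printf("strncpy of 8 chars into char[8] terminated: %s\n",
           strncpy_terminates(buf, sizeof buf, "12345678") ? "yes" : "no");
    printf("copy_str of 8 chars into char[8] accepted:  %s\n",
           copy_str(buf, sizeof buf, "12345678") ? "yes" : "no");
    if (format_user_line(line, sizeof line, "alice", 42))
        printf("formatted: %s\n", line);
    return 0;
}
```

The design point of the replacement is that truncation becomes a decision the caller has to make, not a side effect: the function either delivers the whole string or delivers an empty one and says so. That is also why memcpy() earns a place on the recommended list: it is only as safe as the length computation that precedes it.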
Feel free to leave a note if you have a question or comment.
- Michael
Hello all, this is Monty LaRue posting with some SDL related tools news. Microsoft has recently released an updated version of the Web Application Configuration Analyzer (WACA). While this tool isn't intended to satisfy specific SDL requirements, it is valuable for performing best practices checks on your web application’s configuration. The checks span the Windows, IIS, ASP.NET, and SQL Server aspects of a deployment and are derived from standards that Microsoft uses to harden production servers. WACA is a good complement to the Attack Surface Analyzer tool which is applicable within the SDL Verification Phase.
You can find more details about each of these tools on the Microsoft Download Center: Web Application Configuration Analyzer and Attack Surface Analyzer Beta.
Hi All – Doug here…
Earlier this year, Microsoft worked with Forrester Consulting and Dr. Chenxi Wang, Lead Analyst on secure application development, to survey the current state of application security amongst 150 of the largest corporations in the US and Canada. I talked about it in February when we first published it on this blog. The report turned out to have a lot of very interesting data, some of which we’ve discussed previously when we published State of Application Security - A Forrester Consulting Thought Leadership Paper Commissioned by Microsoft on our website.
Microsoft is hosting a webcast on Monday, May 23 at 11 am PDT with Dr. Wang talking about the results and her recommendations based on the information in the study. I will be following her presentation with a brief presentation of my own discussing similar benefits that we’ve seen in our interactions with other organizations. The two presentations will demonstrate that the SDL, as an end to end process that engages all the relevant parties within an organization, can have a significant impact.
The current security and compliance environment is driving many organizations to look at their own secure application development practices. The results from this study and the information in the webcast can help provide key parts of the business rationale for starting a secure application development program that is about more than just compliance. The findings of this study are very clear that there is a business benefit in not only doing better application security but also in the ROI of changing the corporate culture around software development. This is a great opportunity to get your business decision makers to hear the facts and to help you make your case.
Come listen and have an opportunity to ask questions. You can sign up here, Business Insights Webcast: State of Application Security: Key Findings.
Adam Shostack here. Lately, I’ve been focused on how we bring the engineering of usable security into the SDL. When I say usable security, I mean that for those times when we need to ask a user for input on something only they know. (For example, are you connecting to a coffee shop network or your work network? Are you trying to print to a printer you’ve never used before?) We want to ensure that those questions enable users to make security decisions in accordance with their preferences and goals. So if you’re coming here to read about what’s made it into the SDL, stop now. But if you’d like some insight into how we update and improve the SDL, and some insight into something we might add, read on.
Remember that, at Microsoft, the SDL is a collection of proven practices that integrate effectively into the software engineering process. One of the key elements there is that the practices are proven to be effective without an expert in the room. We know from our Experiences Threat Modeling at Microsoft that rolling out a mandate too early can have unfortunate consequences, and we dread the idea of doing that again.
So as we think about usable security engineering, we’ve made some great steps forward. We have guidance that’s in use in some of our product teams. We’ve surveyed the engineers who are using it and they find it effective at producing better interfaces with less debate or churn. What we don’t (yet) have is really crisp entry and exit criteria or tool support, and those are important gates to bring something into the SDL.
All of that is background and context for some work that we’d like to share for your use and feedback. It’s a pair of new mnemonics for important things to consider as you’re building security user experiences. We hope you’ll agree that user interfaces should be NEAT:
For more details, and even a second mnemonic, we suggest you look in the attached two pager by myself and my colleagues Rob Reeder and Ellen Cram Kowalczyk.
All that said, we think this is pretty NEAT, and we wanted to share it and ask for your opinion and feedback. Please give us your thoughts in the comments, or by email to tux@microsoft.com
Jeremy Dallman here with another release of free SDL documents. Today we are making available a library of templates to help you get started with the more thought-based SDL practices or activities.
One of the big questions we faced early at Microsoft and are now hearing again as more companies of all sizes start to adopt the SDL in their own organizations is “How do I [insert SDL practice or process activity].” Most frequently, these questions are specifically talking about the SDL practices that cannot be addressed with tools and are more process-oriented or thought-based.
As these questions started coming in from other companies, we started digging into some of our internal archives for the documents we used early-on at Microsoft. Most of these documents have since been incorporated into web forms or our internal SDL management dashboards. However, we discovered that they served as very useful templates for other companies. Now we want to let other SDL organizations look at them and put them to good use as well!
Today, we are releasing a small library of templates for SDL practices that can help you address:
… as well as a .ZIP that contains all of the templates in a single package.
These documents are published under the same Creative Commons license as our other SDL documents. Please put them to use in their default form (without edits), as templates to modify/customize for your unique needs, or simply as a catalyst for brainstorming and creating your own documents. The goal is to help you accelerate implementation of the SDL practices and gather valuable security information about your projects.
We are glad to share these pieces of the Microsoft SDL with the ecosystem and look forward to hearing about how they were used in your own SDL projects.
Jeremy Dallman here to let you know we have released our annual update to the Microsoft Security Development Lifecycle Process Guidance – version 5.1 (SDL 5.1). SDL 5.1 is now available for download (.docx format) as well as updated online in the MSDN library.
This public update of our internal SDL process guidance documentation is intended to provide transparency into how we implement the SDL at Microsoft. The changes in SDL 5.1 continue to demonstrate that the Microsoft SDL is continuously evolving to address new attacks, implement new protections, and improve the security of Microsoft products early in the software development lifecycle.
If you are just beginning your investigation or implementation of the SDL, we encourage you to first read the Simplified Implementation of the SDL paper and some of the additional resources we make available on the Microsoft SDL website. The SDL 5.1 guidance may be a useful resource for organizations whose processes align with Microsoft’s processes or are looking for detailed information on how Microsoft implements the SDL practices.
What is new in the SDL 5.1 documentation?
Since this is a “dot” release, the number of updates is smaller. We have tagged each change within the paper so it can be easily discovered by searching the document for “New for SDL 5.1”, “Promoted requirement for SDL 5.1” or “Updated for SDL 5.1”. The updated content in the MSDN library includes all updates automatically.
Comments or questions? You can either leave them in the Comments section below or visit the SDL Process Forum to ask questions and discuss your own implementation of SDL security practices in your organization.
Hi All – Doug here…
We recently had the opportunity to get an inside look into a large company’s journey addressing a web application security incident that led to a deep analysis and change in how a development organization builds security into their software development process.
MidAmerican Energy Holdings Company is a global leader producing energy from diversified fuel sources for the U.S. and U.K. consumer markets with approximately 6.9 million electricity and gas customers worldwide. In mid-May 2008, the MidAmerican Energy website was under attack from a botnet titled banner82. Botnets are networks of compromised computers controlled by hackers known as “bot-herders” and have become a serious problem in cyberspace.
The company has a long tradition of customer service so this was a very important issue to them. They surveyed industry best practices and chose the Microsoft Security Development Lifecycle (SDL) as their preferred process for developing secure software and changing their engineering practices.
This story is captured in a new case study that takes you through the entire story of the cyber-attack and steps to resolution. Important issues show up like the need for executive support and how to get everyone onboard as MidAmerican raised security development as a central focus for their internal development group moving forward. The case study validates the need to make deep changes when necessary within the software development culture versus performing “security around the edges”. Other important insights detail how an aggressive timeline created focus and gave everyone a clear goal. The case study reports on how the company was able to significantly reduce the number of vulnerabilities and meet their security goals while setting the company up for long term success.
What we found particularly interesting was that after they went through this experience, MidAmerican was not only creating more secure applications but they also found something they hadn’t counted on. The SDL’s process requirements and the resultant engineering culture shift had brought together the entire development organization with QA in a way they hadn’t seen previously. Together they engaged in the SDL process and as a result there were fewer security bugs that were found and needed to be fixed late in the process – when it is most expensive. MidAmerican saw a real productivity gain out of their development organization, not just better application security. These ROI results mirror the key findings from the recent Forrester Consulting thought leadership paper as well as the Aberdeen Group research report. You might also want to take a look at the SDL Progress Report as it provides much of the same information that MidAmerican used to make their decision to implement the SDL.
Check out this fascinating real life story that we often don’t get to hear.
Hello all - Dave here...
I wanted to take a few moments to alert you to a new publication from Trustworthy Computing entitled "The SDL Progress Report." This work has been in progress for a number of months and incorporates data and analysis from various groups in our organization. We hope you find valuable information on secure development lessons learned at Microsoft, how we've applied security science, and the correlation between holistic security processes, risk reduction, and organizational efficiency.
If we have learned one prevailing truth over the years, it's that security threats aren't static - as a result, our work developing secure software and evolving the SDL to stay ahead of complex attacks will never be done. We believe our SDL tools and processes add value and should be shared broadly with the security ecosystem - a collective effort is needed to meet the threat to computer users worldwide.
The first section of the document focuses on the history of the Microsoft SDL from its earliest days, highlighting important milestones in the development of the SDL process. As we collated material for this section of the document, it wound up being an interesting history lesson; starting with Bill Gates' original TwC memo in 2002, it pinpoints the inclusion over time of many of the processes and technologies that make up the SDL as it is practiced today.
For example, some of the theoretical underpinnings of the threat modeling process (most notably STRIDE) are based on a paper written by Praerit Garg and Loren Kohnfelder in 1999. We would be remiss if we failed to include a "tip of the hat" to the security researcher community. We noticed increased use of fuzzing techniques to find vulnerabilities starting in the late 1990s. In keeping with the "use what works" philosophy here, we integrated fuzzing in the early days of the SDL - we remain aggressive advocates of fuzz testing to this day.
In the second section of the document, Matt Miller did an excellent job at illustrating our ongoing commitment to security science. In addition to going into detail on some of the mitigation techniques required by the SDL, the security science section exposes some interesting data about the adoption of these techniques by a section of the ISV community.
We surveyed 41 popular applications in use worldwide to assess the use of technologies like ASLR and DEP. In addition, we did a further analysis to look at the use of these technologies in four European countries - France, Germany, Russia and the UK. I'd encourage you, blog readers, to take a look - the results are eye-opening. For example, ASLR usage across the sample set of 41 apps is mixed - 34% enabled full support, 46% partially enabled support and (unfortunately) 20% did not enable ASLR support in their applications. Lots of great data, lots of insightful analysis...
As mentioned above, one of the goals in writing this paper was to illustrate the point that using a holistic development process is more than just a good idea - application of security process in a holistic fashion leads not only to risk reduction, but also leads to increased organizational efficiency. Two recent studies published by Forrester Research and the Aberdeen Group lend credence to that assertion.
The Forrester Consulting thought leadership paper (Full Disclosure: a Microsoft sponsored study) concludes that end to end approaches to security reduce risk and increase ROI; and those using SDL (or SDL-like processes) report notable ROI gains relative to those organizations who don't take a coordinated approach.
In addition, Aberdeen Group (independent research) found that the average investment in holistic security processes is $400k, while the average cost to fix a critical vulnerability after application deployment hovers around $300k per vulnerability. It requires no great intellectual feat to conclude that a deliberate approach to finding and fixing vulns pays for itself very shortly after the first critical vulnerability in a development project is found and fixed prior to release. Finally, the companies Aberdeen surveyed reported a 4x return on annual investment for those that take a deliberate approach to achieving application security.
Two things struck me as I worked with Matt and others on the creation of this report.
First, from a defender standpoint, I believe that the days of "easy find" vulnerabilities are over. Mind you, I am not saying that there are no easy vulns still out there - I know the security researcher community will continue to find problems based on some failure of process, tooling or human error. That said, Microsoft is seeing an uptick in the number of attacks that are unique and complex. For example, the attack against IE8 at the CanSecWest "Pwn2Own" competition required exploitation of three individual vulnerabilities - and two of those had already been fixed using the SDL for IE9. It was a very innovative approach - that helps to illustrate my point. We're seeing more complex "edge cases" - not the traditional stack overflows that we were seeing five years ago.
Second, I remain convinced that "list based" approaches to security (while initially helpful) are not a good long term bet for development orgs concerned about security. Until recently, claims about the effectiveness of holistic approaches were based on anecdotal data and gut feel. I think over time, IT orgs will be confronted with the need for something more than the typical "How do I stack up against Process X?" or the latest security popularity contest. Consequently, the adoption of dynamic end to end security processes - like the SDL - that track the threat environment and adjust process and technology accordingly, will increase.
Thanks for reading - download the report and sound off about what you think!
Dave
P.S. Stay tuned for more details on how the SDL is helping real organizations with IT security challenges.
P.P.S. Follow our Twitter feed http://twitter.com/msdl for more information on SDL related releases, events and news!
Hi, Michael here.
Last week, SAFECode released a large update to the “Fundamental Practices for Secure Software Development” paper. The paper helps software development teams create more secure software.
Not only did SAFECode members overhaul the paper’s technical content, the group also added Common Weakness Enumeration (CWE) references and details about verification tools and techniques to determine if a development team is adhering to the practices.
In my opinion, the paper is unique and important in that it describes what SAFECode members are doing in practice to raise the security bar; it’s deeply pragmatic and not a theoretical or academic document.
SAFECode is also actively seeking public comment on the paper, especially in the verification sections. If you know of specific tools or techniques to help determine if a software development team is adhering to the practices, please let us know.
Solomon Lukie here, blogging from the Microsoft booth at RSA 2011.
Last month we released a new tool, Attack Surface Analyzer BETA, for use by IT Developers during the verification phase of the SDL and for IT Departments to profile the aggregate attack surface change when deploying applications within their organization.
I’m the owner of the tool and currently at the Microsoft booth giving demonstrations and discussing usage scenarios for Attack Surface Analyzer BETA. The response has been overwhelming so I’ll be hosting a quick intro to the tool and Q&A session in the Microsoft Theatre at noon tomorrow.
If you’re in the exposition hall tomorrow, drop past the Microsoft theatre, which is adjacent to the Microsoft booth, and if you have your badge scanned you’ll be entered in a raffle for a Microsoft Zune or XBOX 360 Kinect bundle.
Doug Cavit here to talk about a presentation I’m giving at the RSA Conference featuring findings from a Forrester Consulting thought leadership paper we recently released.
We’re often asked, “What is the real return on investment for putting a secure application development program in place?” The conventional wisdom is that doing secure application development is more expensive than not doing it, the probability of getting hacked is low and most organizations really don’t have the time or resources to do it right. In other organizations secure development is recognized as important; but in practice, corners are cut and only a few of the activities called for in holistic security processes are actually completed. There are many examples of the failure of these philosophies in the news.
We have thought about this for quite a while now; and we’ve concluded that the Microsoft SDL process does in fact provide return on investment beyond the costs of implementation. To date though, we haven’t systematically looked outside the company to confirm our belief that holistic processes do benefit an organization’s bottom line.
We worked with Forrester Research to refine our thoughts and to test our premises with 150 Fortune 1000 companies. Forrester found that most of the companies in the study do not use a holistic security development process. However, of those that did have a process (such as the Microsoft SDL), many saw improvements in overall ROI – especially when compared with those using ad hoc solutions or “checklist” approaches.
This report gives insight into current application security development practices, exposes gaps in common processes and discusses the issues that can arise from not using a comprehensive approach to secure software development. Additionally, the report provides guidance on potential process improvements and suggests ways to measure development security ROI. The report can be found here: Forrester Consulting State of Application Security Thought Leadership Whitepaper.
At 4:10 pm on Tuesday, February 15, I’ll be exploring this topic area more in depth in the Microsoft booth at RSA. If you’re at the RSA Conference, stop by and let us know what you think!
Hi, Michael here.
A couple weeks back we released a beta version of the Attack Surface Analyzer tool. Hopefully, you’ve downloaded and looked at it by now!
This tool is one of many tools we use as part of the SDL to help software developers make their products more secure. But we didn’t always have a tool like this; we used a collection of tools to measure various attack surface elements, such as open ports or services running by default. Clearly running lots of little tools is tedious, so we created the attack surface analyzer tool.
In the rest of this article, I’d like to spend some time explaining how we’ve refined the attack surface analysis process at Microsoft over the years.
Prior to working on the SDL, I worked on the IIS4, 5 and 6 teams and one of the items I created in 2000 was a simple checklist for web server administrators to use to lock down IIS4 and IIS5 servers. The checklist was not required for IIS6, but more on this later.
In 2002, Steve Lipner asked me how I would measure security progress in Windows .NET Server (it later became Windows Server 2003). His question was totally open-ended, so I thought about it for a while. After a couple of days, I told him I thought that designing products as securely as possible and writing code that’s as secure as possible were lofty goals, and that we also needed to think about not exposing features to attackers that are not commonly used. I had created some metrics that became known as the Relative Attack Surface Quotient or “RASQ.” Yes, many people tried to find ways of deriving RASCAL or RASQAL acronyms, but none succeeded!
The data elements we measured included:
· Open ports
· Named pipes
· RPC endpoints
· Null Sessions
· Installed Services
· Services running by default
· Services running as SYSTEM
· IIS web directories (including sample apps)
· Users
· Etc.
Enumerating all these elements took about a dozen tools. The output of each tool was tallied to create a graph like this that showed the RASQ for each version of Windows since Windows NT4 through Windows XP. Smaller is better.
Notice the delta from “Windows NT 4 SP6a + Option Pack” to “Windows NT 4 SP6a + Option Pack + IISChk” and “Windows 2000” to “Windows 2000 + IISChk.” IISChk is the checklist I mentioned, and the “Option Pack” is IIS4. Clearly, part of a checklist’s goal is to reduce attack surface.
I think the most telling delta is from “Windows 2000 + IISChk” to “Windows Server 2003.” The default install of Windows Server 2003 has a smaller attack surface than the default install of Windows 2000 after the checklist is applied. This was a watershed moment for Microsoft Windows, and the biggest change was that IIS was no longer installed by default.
As the SDL started to evolve, we invented the slogan “Secure by Design, Secure by Default.” The first clause means “get the design and code secure” and the last clause means “the product will never be 100% secure, so reduce the product’s attack surface.”
Once development teams inside Microsoft saw the value of a reduced attack surface (fewer and lower-severity security bulletins), it was obvious we had to streamline how we measured attack surface. So the attack surface analysis tool was born in our group. This tool is a standard tool run by all teams as part of their SDL requirements.
An important success factor to using this tool is to run it often, preferably on every build, to make sure you catch anything that might unnecessarily increase attack surface.
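The measure-and-diff loop described above, as an added example in Python; this is not Microsoft's RASQ tooling or the Attack Surface Analyzer. It extracts listening ports from netstat output, combines them with service, named-pipe and user lists into one snapshot per build, scores each snapshot with a RASQ-style weighted count, and diffs two builds so a build gate can fail when attack surface grows. The weights, the netstat lines, and the service and pipe names are all constructed for the illustration.

```python
"""Attack surface snapshot, score and diff between two builds.

Added example for illustration; this is not Microsoft's RASQ tooling or the
Attack Surface Analyzer. Weights, netstat lines and service names are assumed.
"""
import re

# Weight per element class. Assumption: a service running as SYSTEM or a port
# open on all interfaces should count for more than an extra local user.
WEIGHTS = {
    "open_ports": 1.0,
    "services_default": 0.8,
    "services_system": 1.5,
    "named_pipes": 0.5,
    "users": 0.3,
}

# Matches the LISTENING lines of Windows `netstat -an` output.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

# Constructed netstat output for two builds of the same product (not real data).
NETSTAT_BUILD_41 = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5040         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49711         10.0.0.9:443           ESTABLISHED
"""
NETSTAT_BUILD_42 = NETSTAT_BUILD_41 + """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""


def listening_ports(netstat_output):
    """Return the set of TCP ports in LISTENING state from netstat text."""
    return {int(m.group(1)) for m in map(LISTEN_RE.match, netstat_output.splitlines()) if m}


def snapshot(netstat_output, services_default, services_system, named_pipes, users):
    """Bundle the enumerated elements of one build into a snapshot dict of sets."""
    return {
        "open_ports": listening_ports(netstat_output),
        "services_default": set(services_default),
        "services_system": set(services_system),
        "named_pipes": set(named_pipes),
        "users": set(users),
    }


def rasq(snap):
    """Weighted element count, a RASQ-style scalar. Smaller is better."""
    return sum(WEIGHTS[k] * len(v) for k, v in snap.items() if k in WEIGHTS)


def diff_surface(before, after):
    """Per element class, the items added and removed between two snapshots."""
    changes = {}
    for k in sorted(set(before) | set(after)):
        added = after.get(k, set()) - before.get(k, set())
        removed = before.get(k, set()) - after.get(k, set())
        if added or removed:
            changes[k] = (added, removed)
    return changes


def gate(before, after, max_increase=0.0):
    """Build gate: True when the attack surface did not grow beyond max_increase."""
    return rasq(after) - rasq(before) <= max_increase


# Constructed element lists for the two builds (assumed names, not real inventories).
SNAP_41 = snapshot(NETSTAT_BUILD_41, ["Dnscache", "Spooler"], ["Spooler"],
                   ["\\\\.\\pipe\\spoolss"], ["Administrator", "Guest"])
SNAP_42 = snapshot(NETSTAT_BUILD_42, ["Dnscache", "Spooler", "W3SVC", "TermService"],
                   ["Spooler", "W3SVC"], ["\\\\.\\pipe\\spoolss"], ["Administrator", "Guest"])

if __name__ == "__main__":
    print("RASQ build 41:", rasq(SNAP_41))
    print("RASQ build 42:", rasq(SNAP_42))
    for cls, (added, removed) in diff_surface(SNAP_41, SNAP_42).items():
        print(f"{cls}: +{sorted(added)} -{sorted(removed)}")
    print("gate passed:", gate(SNAP_41, SNAP_42))
```

In a real pipeline the snapshot inputs would come from the per-build run of the enumeration tools (netstat, sc query, the pipe and account listings) rather than from constants, and the gate would run on every build so that a new listening port or a new service running as SYSTEM is caught when it is introduced, not at release.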
Next week at the RSA Conference 2011 in San Francisco, Bryan Sullivan and I will present a paper entitled “[AND-108] Stop Exposing Yourself: Principles of Attack Surface Analysis and Reduction” that explains the process of attack surface analysis and provides guidance for reducing attack surface without annoying your customers.
So, if you’re at the conference, please stop by. Even if it’s just to say “hi!” or see a demo of the new tool.
Speaking of demos, one of the team members that created the tool, Solomon Lukie, will be at the Microsoft booth at the RSA Conference giving hands-on demos and explaining the tool’s value.
And speaking of the RSA Conference, Scott Charney, corporate vice president of Trustworthy Computing at Microsoft, will present a keynote session on Collective Defense: Collaborating to Create a Safer Internet. Scott will highlight computing trends and discuss the reality of evolving cyber threats. He will share Microsoft’s vision about how we can collectively work together to improve security protections for all Internet users. The keynote will be at 9:00 am on Tuesday, February 15, in North Hall D, Moscone Center (KEY-101).
Follow @MSFTSecurity on Twitter for news and information and @msdl for SDL info.
Jeremy Dallman here to introduce our second paper aligning SDL practices with compliance activities. Last year we released the SDL and HIPAA whitepaper. This time, we chose the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) commonly used by merchants, payment card processors, and the application developers equipping those industries. These two standards set industry requirements for how cardholder data is stored, processed or transmitted by merchants and payment applications as part of authorization or settlement. Today, I would like to announce the release of a new whitepaper:
SDL & PCI DSS/PA-DSS: Aligning the Microsoft SDL with PCI DSS/PA-DSS Compliance Activity
Every day, consumers use electronic payment systems to complete purchases in physical stores and on the internet. These transactions must reference and store personal data. Because this data is being stored, it is crucial that it is handled securely at every point in a transaction. This involves not only the merchants and payment card processors, but the entire IT system used to support the merchants, authorize the purchases, and store the information. The risks to consumers are profound, and have resulted in new regulations - designed to ensure technology is being used correctly to protect personal information. Although the PCI DSS goes to great lengths to protect the physical and network infrastructure surrounding the payment card industry, our increasingly digitized world requires software protections as well. It is no longer enough to only rely on perimeter defenses. The process of creating more secure applications is what the Microsoft SDL is designed to address.
Recent studies have shown that organizations are spending on compliance tasks in lieu of security – however compliance and security don’t have to be at odds. As merchants and software developers are being asked to meet PCI DSS requirements, it is important to find ways to align proactive, risk-based security practices with compliance activities. We saw this need and realized that we should evaluate the application of the Microsoft SDL alongside some of these regulatory activities.
This paper shows how the Microsoft SDL can help meet some of the requirements of PCI DSS and PA-DSS. It addresses two primary scenarios: 1) building new PCI DSS compliant software and 2) custom software integration (e.g. a Point of Sale system in a retail store). Each of these scenarios illustrates a common intersection between software security and PCI DSS or PA-DSS requirements. Our goal is to show where software security can both assist in attaining regulatory compliance with PCI DSS and ensure that the software created for these industries is written and deployed with security as a priority to mitigate risk, using the Microsoft SDL as a guide.
Similar to our first paper, the expected audiences for this paper are business decision-makers, compliance managers, software developers, IT consultants, and systems integrators who are working within or on behalf of organizations that must meet PCI DSS requirements. This paper is not intended to advise organizations of their legal requirements and responsibilities. It is assumed that the reader understands the laws and regulations mentioned in this paper and how those laws and regulations apply to their organization.
The paper is broken into easy-to-digest sections that we hope are both readable and practical in application:
Reading section:
· Overviews of the Microsoft SDL and both PCI DSS and PA-DSS
· A scenario-based review of SDL applicability to parts of the PCI DSS and PA-DSS
Appendix (three “rip out” tables for reference)
· One table mapping SDL Practices to the PCI DSS Requirements
· A second table mapping SDL Practices to PA-DSS Requirements
· The Simplified SDL spreadsheet for reference.
We realize that aligning security practices with compliance activities will vary across organizations; we hope this paper will ease the task of integrating secure software development activities with PCI DSS regulatory requirements.
As always, we welcome your questions and feedback.
PayPal Support Club. Review and helpful links, coding examples, warnings, other shopping cart links, etc. PayPal is an online payment system that lets website owners integrate shopping cart technology into their site. Find out more, including links to helpful sites about PayPal shopping cart technology. Report eBay spoof emails to spoof@ebay.com. Report spoof PayPal emails to spoof@paypal.com.
Yoggie Internet Security Systems at CES 2009 (video). Yoggie main website.
Emerging Security Vulnerabilities & the Impact to Business. Google Tech Talk, November 12, 2007. The speaker has published extensively in these areas, is frequently invited to give talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University.
Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
Security Focus, a mainstay in the security community. From original news content to detailed technical papers and guest columnists, we’ve strived to be the community’s source for all things security related. SecurityFocus was formed with the idea that the community needed a place to come together and share its collected wisdom and knowledge. At SecurityFocus, the community has always been our primary focus. The SecurityFocus website now focuses on a few key areas that are of greatest importance to the security community.
Hacktivism is the writing of code, or otherwise manipulating bits, to promote political ideology. Taking Lessig's message to heart, hacktivism believes that proper use of code will have leveraged effects similar to regular activism (or civil disobedience). Fewer people can write code, but code affects more people. myWiseOwl
Security Protector Free security utility enables you to protect your PC by disabling some features like: use of the MS-DOS command prompt in Windows and real mode DOS applications from within the Windows shell.
Hacking Tip: How To Use Proxies. TinkerNut YouTube Channel. Proxies are great for surfing the web anonymously. This video shows how to set them up and use them. Note that a proxy only hides your address from the site you visit; the proxy operator sees everything you send through it, so it is not a substitute for an encrypted connection.
Foxy Proxy (Firefox). More Browser Links
Proxy Switchy (Google Chrome). More Browser Links
IP Hider. Tutorial on using IP Hider, YouTube Video. More Webmaster Tools
Tor Project is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol. Note that Tor does not encrypt traffic between the exit relay and the destination site, so use HTTPS (or another end-to-end encrypted protocol) over Tor for anything sensitive.
PC WIZARD is a powerful utility designed especially for detection of hardware, but also for some further analysis. It is able to identify a large range of system components and supports the latest technologies and standards. This tool is periodically updated (usually once per month) in order to provide the most accurate results.
CPU-Z is freeware that gathers information on some of the main devices of your system: name and number; core stepping and process; package; core voltage; internal and external clocks, clock multiplier; supported instruction sets; all cache levels (location, size, speed, technology).
System Monitor. This software lets you keep your eye on system resource usages of your PC. It currently supports 27 kinds of information including CPU, Memory, Network, and detailed HDD usages.
My Lockbox is a security software enabling you to password protect folders on your computer. The protected folder is hidden and locked from any user and application of your system and also from the net. To access the protected folder you have to provide a valid password.
Diag Plus Diagnose registry problems from DOS. From WindizUpdate (62NDS Solutions Ltd.) More Hardware links
AIM Encryption Certificate Generator. You can use this tool to generate a security certificate file that you can import into AIM. You can then have encrypted conversations with any other member who has also imported a security certificate. The certificates produced by this tool are generated on demand, and no two certificates will share the same private key. This means that the certificates produced here are much more secure than the one certificate being mass distributed at AIM Encrypt - Free Security Certificate for AIM.
AIM Encrypt - Free Security Certificate for AIM! Encryption certificate. Why do I want AIM Security? AIM is known to not have the best security, or any for that matter. If someone on your network is using a "packet sniffer" or other type of traffic analyzing tool, they can see your AIM conversations and read them word for word. AIM Security using SSL certificates makes your conversation appear as gibberish to anyone analyzing what you type, much like "Sw43jg73js7HSkg8Skeq3k65" instead of "Hello Friend". The certificate encrypts the message so only the sender and the receiver can read it. But still, please use common sense and don't send credit card numbers, etc. over IM; this should only make you about "this" much safer on the internet, and make you feel cool having a padlock next to your name.
SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), is the protocol used to protect sensitive information in transit, for example credit card numbers and bank account details. Sites that use it have URLs that start with https:// (note the "s") instead of the unprotected http://.
Browsers also show a small padlock icon, in the address bar or status bar depending on the browser, when the site's certificate has been verified. Do not send private or sensitive information of any kind over a connection that is not protected this way, and treat a certificate warning from the browser as a reason to stop rather than click through.
SSL protects transferred data with encryption that is set up using the server's SSL certificate. The certificate carries the server's public key; the matching private key stays on the server. When a browser connects to an https:// address, the SSL handshake uses the certificate to authenticate the server (authenticating the client with its own certificate is optional and rare on public websites), negotiates the encryption method (the cipher suite), and establishes a unique session key. Only the handshake uses the public key, to prove the server's identity and to protect the exchange of the session key; the actual page data is encrypted with that symmetric session key, which should be no weaker than 128 bits.
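The start of the handshake described above, as an added example in Python that is not code from this page or from any vendor: it builds a TLS ClientHello (the first message a browser sends to an https:// server, carrying the client's protocol version, the cipher suites it is willing to use, and the server name), parses it back the way a server or a network monitor would, and flags cipher suites a practitioner would not want a client to offer. The host name and the offered suite list are constructed for the demonstration; the cipher suite codes are the standard IANA values, and the small lookup table is only a subset chosen for the example.

```python
"""Build and parse a TLS ClientHello, then flag weak cipher suites.

Added example (not code from the original page). Standard library only, runs
offline. The host name and suite list below are constructed for illustration.
"""
import os
import struct

# Subset of the IANA TLS cipher suite registry (codes are standard; the choice
# of which to include is an assumption for this example).
CIPHER_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
# Name fragments that mark suites with no, export-grade, or broken ciphers/MACs.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "_MD5")


def build_client_hello(host, suites, client_version=0x0303):
    """Construct a ClientHello record (TLS record layer + handshake) with an SNI extension."""
    sni_name = host.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name   # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list  # type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", client_version)
            + os.urandom(32)                                   # client random
            + b"\x00"                                          # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                      # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    # Record layer: content type 0x16 (handshake), legacy record version, length.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the version, offered cipher suite names and SNI from a ClientHello record."""
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2   # TLS 1.3 still says 0x0303 here
    pos += 32                                                        # client random
    pos += 1 + body[pos]                                             # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                             # compression methods
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0x0000 and len(edata) >= 5:                  # server_name: list len, type, len, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {
        "version": version,
        "cipher_suites": [CIPHER_SUITES.get(s, f"UNKNOWN_0x{s:04X}") for s in suites],
        "sni": sni,
    }


def weak_suites(parsed):
    """Names of offered suites that a server should refuse to negotiate."""
    return [n for n in parsed["cipher_suites"] if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    hello = build_client_hello("shop.example", [0xC02F, 0x002F, 0x0005, 0x0003])
    info = parse_client_hello(hello)
    print(info)
    print("weak suites offered:", weak_suites(info))
```

The server's reply (ServerHello) picks one suite from this list and sends its certificate; a server configured to prefer the ECDHE/AES-GCM suites and to reject anything `weak_suites` would flag is what turns the padlock into a meaningful promise.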
The GNU Privacy Guard. GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is an RFC 2440 (OpenPGP) compliant application. OpenPGP is the most widely used email encryption standard in the world. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) Proposed Standard RFC 2440. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.
PGPdump Interface
OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
Apache-SSL
SSL 3.0 specification, Netscape.
RSA security
Get Safe Online will help you protect yourself against internet threats. The site is sponsored by government and leading businesses working together to provide a free, public service.
Bank Safe Online sets out simple steps you can take to help keep safe online. We also provide you with updates on the latest scams, and enable you to report any suspicious emails or websites to us direct.
Hotspot Shield protects your entire web surfing session; securing your connection at both your home Internet network & Public Internet networks (both wired and wireless). Hotspot Shield protects your identity by ensuring that all web transactions (shopping, filling out forms, downloads) are secured through HTTPS. Hotspot Shield also makes you private online making your identity invisible to third party websites and ISP’s. Unless you choose to sign into a certain site, you will be anonymous for your entire web session with Hotspot Shield. We love the web because of the freedom that it creates to explore, organize, and communicate. Hotspot Shield enables access to all information online, providing freedom to access all web content freely and securely. Secure your entire web session and ensure your privacy online; your passwords, credit card numbers, and all of your data is secured with Hotspot Shield. Standard antivirus software protects your computer, but not your web activities.
proXPN. What proXPN does: upgrades your internet connection with VPN encryption; secures all types of connections from DSL and cable to 3G; gives you 100% private access to the internet; gets you an IP address in the USA, UK, or NL. With proXPN nobody* can see the websites you visit, hijack your passwords, credit cards, or banking details, intercept and spy on your email, IMs, calls, or anything else, record your web history, or run traces to find out where you live.
IP Camera Viewer. Set up a FREE IP camera monitoring system within minutes! IP Camera Viewer is an alternative to the flimsy software that is shipped with most network IP cameras. Keep an eye on your home, office, parking area or anywhere you have an IP camera. View video from multiple cameras simultaneously. More than 1500 different IP camera models are supported including Axis, Canon, Cisco, D-Link, Foscam, Linksys, Mobotix, Panasonic, Pixord, Sony, Toshiba, Vivotek and many more. Virtually all USB cameras work with IP Camera Viewer. IP Camera Viewer allows you to individually configure video properties such as the resolution and frame rate for each camera. You can also set image properties such as saturation, brightness and contrast for USB and IP cameras. Arrange multiple IP cameras in the preview layout you want. What if your camera is mounted upside-down or its preview is tilted a bit? With IP Camera Viewer you can adjust the orientation of your camera preview. You can also adjust the coverage area with support for PTZ (Pan/Tilt/Zoom) enabled network cameras. IP Camera Viewer lets you digitally zoom on an image, even if your camera doesn't support zoom. IP Camera Viewer is absolutely FREE and ideal for both personal and business purposes! - by DeskShare. Also see WebCam Links
Advanced WindowsCare. Repair and fix Windows with 1 click. Slowdowns, freezes and blue-screen crashes are over. Advanced WindowsCare thoroughly examines the Windows system, accurately detects the bottlenecks that cause slowdowns and crashes, fixes these problems and repairs Windows. All work is done within 30 seconds and 1 click. The intuitive interface makes Advanced WindowsCare the perfect tool for non-IT professionals.
Free Internet Window Washer is a free privacy cleaner to remove internet tracks and computer activities. It can erase Windows temp folders, run history, search history, recent documents, browser cache, cookies, history, typed URLs, autocomplete memory, index.dat files, and more. You can also easily erase the tracks of up to 100 popular applications. It also provides an option to clean the data more securely so that it cannot be recovered.
Home Office Identity Fraud Steering Committee What is Identity theft? Your identity and personal information are valuable. Criminals can find out your personal details and use them to open bank accounts and get credit cards, loans, state benefits and documents such as passports and driving licenses in your name.
CIFAS, (Credit Industry Fraud Avoidance Scheme), the UK's Fraud Prevention Service. CIFAS is a not for profit membership association solely dedicated to the prevention of financial crime. CIFAS provides a range of fraud prevention services to its members, including a fraud avoidance system used by the majority of the UK's financial services companies.
Card Watch raises awareness about all types of plastic card fraud in the UK, and provides information to prevent fraudulent use of credit cards, debit cards, cheque guarantee cards and charge cards.
The Council of Better Business Bureaus and BBB OnLine Complaint System. The BBB does not take sides in a dispute. The BBB works to facilitate communication between the company and the consumer, to help both sides come to a satisfactory resolution to the complaint. In many cases, dispute resolution, including mediation and arbitration, may be available to help resolve the dispute.
The European Telecommunications Resilience and Recovery Association (ETRA) is a European forum for discussion, debate and information. Based in the UK it aims to extend understanding of the relationship between telecommunications, information assurance, security, disaster management and corporate governance.
WARPs (Warning Advice and Reporting Points). WARPs are part of the Centre for the Protection of National Infrastructure's information sharing strategy to help combat the increasing risk of electronic attack on our information systems.
Centre for the Protection of National Infrastructure. Information sharing strategy to help combat the increasing risk of electronic attack on our information systems.
Securityvulns: Computer Security Vulnerabilities. Reports on vulnerabilities in software and hardware. securityvulns.com vulnerabilities newsline.
Irongeek. Adrian Crenshaw's Information Security site (along with a bit about weightlifting and other things that strike my fancy). Articles and tutorials.
CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
The National High Tech Crime Unit :- National unit formed in April 2001 comprising personnel from the National Crime Squad, the NCIS, and from HM Customs & Excise. It works in conjunction with computer crime units in UK police forces.
National Crime Squad, police UK. The National Crime Squad works at the heart of tackling serious and organised crime.
Internet Crime Complaint Centre :- An American organisation which is a partnership between the FBI and the US National White Collar Crime Center. Its mission is to address fraud committed over the Internet and it includes a reporting mechanism through which people can alert authorities to a suspected criminal or civil violation.
Computer Crime and Internet-Related Crime. The Metropolitan Police Service.
National Crime Prevention Council's (NCPC) mission is to prevent crime and build safer, more caring communities.
Terrorist Activity Report Them Here (FBI) Federal Bureau of Investigation. Stop and report terrorists United States of America
CRIMESTOPPERS United Kingdom. Call anonymously with information about crime.
MI5, the official website of the UK Security Service (MI5), which is responsible for protecting against threats to United Kingdom National Security, such as terrorism and international terrorism. If you know something about a threat to National Security, STOP and report terrorists.
Blocking Unwanted Parasites with a Hosts File and other security tips.
Preventing Virtual Blight
Follow, Nofollow. Index, Noindex
Fraud :- Attention Footie fans! Following discussions with the European Commission FIFA has agreed to accept more ticket payment methods in the next stages of ticket allocation for the 2006 World Cup in Germany. Watch out for the latest scam - an e-mail that pretends to come from FIFA, telling you that you've got a ticket to the World Cup. It carries a mass-mailing worm. The advice, as always, is not to open attachments in such e-mails, (use anti-spam software), and to ensure that your Anti-Virus Software Tools & Utilities protection is up to date.
SPIM & SPIT. SPIM (SPam using Instant Messaging) is another new spamming technique, the difference in this case being that the spam is delivered through Instant Messaging rather than email. It's not as common as email spam. According to a report from Ferris Research, 500 million IM spam messages were sent in 2003, twice the level of 2002. As it becomes more common, spim could affect businesses in the same way that email spam does now, creating security problems and costing time and money. SPIT stands for Spam over Internet Telephony. It's essentially like spam email, only rather than getting unwanted messages in your inbox, they're left on your voicemail. It can happen if you're using a phone connected to the Internet, something more and more people are choosing to do. Spammers can collect VoIP (Voice over Internet Protocol) addresses, or may hack into a computer used to route VoIP calls. And, because calls routed over IP are much more difficult to trace, there's a far greater potential for fraud.
Yahoo Security information and advice
Yahoo Hacking. Social Engineering, Phishing information. (Faux is a French word used to describe something made to resemble something else. The original French word means false, fake, imitation or artificial.)
Yahoo Reporting Password Scams
Free PC Scan Windows Registry Repair
PC Security Software PCSecurityShield. Protection Range. Anti-virus, Firewall, Privacy Defender, Spam Shield, Popup Blocker, Delete files PERMANENTLY, etc...
Department of Trade and Industry Notes
SiteAdvisor. We test the Web to help keep you safe from spyware, spam, viruses and online scams.
APNIC Spammers & hackers : Using the APNIC Whois Database to find their network | Spam | Hacking
Twitter updates from Guardian CLEAR ID / GuardianCLEARID.
!exploitable, (pronounced "bang exploitable") Crash Analyzer, (!exploitable Crash Analyzer - MSEC Debugger Extensions). A plugin for the Windows Debugger that parses your crash logs and gives you two important pieces of information. First, it will collate all of your crashes and determine exactly how many there actually are. So for example, out of 60 crash reports, there may only be 2 or 3 actual problems. The second thing it does is look at the type of crash and try to determine if the error is something that could be exploited by a malicious hacker. This means that more junior employees can work these bug issues without taking the time of more senior examiners. More Microsoft Windows Links.
Web Master Tools and Utilities
Securitywonks.org Forum
Alliance of Security Analysis Professionals (ASAP).
Keylogger Hunter - Detects Keyboard Monitoring Programs
Help maximize your security with the Internet Explorer High Encryption Pack.
5 Steps for Preventing Employee Fraud. What you can do to avoid it. By Abby Johnson. Did you realize that a typical organization loses up to 5 percent of its annual income to fraud? This information is one result of an annual survey of Certified Fraud Examiners conducted by the Association of Certified Fraud Examiners. As reported in the video, these losses could be very harmful to small businesses.
UBCD4Win Bootable CD Repair/Restore/Diagnose etc for Windows®.
DomainKeys: Proving and Protecting Email Sender Identity (Information by Yahoo). Email spoofing (and phishing) - the forging of another person's or company's email address to get users to trust and open a message - is one of the biggest challenges facing both the Internet community and anti-spam technologists today. Without sender authentication, verification, and traceability, email providers can never know for certain if a message is legitimate or forged and will therefore have to continually make educated guesses on behalf of their users on what to deliver, what to block, and what to quarantine, in the pursuit of the best possible user experience.
DNSSEC (DNS Security Extensions): securing the Domain Name System.
Brit holds the 'key to the Internet' (reboot the web if it goes down). From Yahoo News. CommunityDNS is made up of a team of specialists that created a security system, known as DNSSEC (DNS Security Extensions), securing the Domain Name System.
Net Tools is a comprehensive set of host monitoring, network scanning, security, administration tools and much more, all with a highly intuitive user interface. It's an ideal tool for those who work in the network security, administration, training, internet forensics or law enforcement internet crimes fields.
Phishing. A lot of major banks, credit card operators, e-commerce sites, Visa, PayPal (PayPal Support Club) and eBay (and many other websites) have suffered from phishing. This is where people are directed to a fraudulent website that is identical to the company's site in the hope that they will supply details which can then be used illegally.
Anti-Phishing Working Group - Committed to wiping out Internet scams and fraud.
Phishing Report The Phish Report Network (PRN) was established to address the growing problem of phishing. As the industry's first anti-phishing aggregation service, PRN enables companies to better protect consumers against online fraud.
Know your Enemy: Phishing Behind the Scenes of Phishing Attacks. The Honeynet Project & Research Alliance.
Firefox Browser. A Mozilla project, it empowers you to browse faster, more safely and more efficiently than with any other browser.
Internet Watch Foundation Site Index (Legal issues. Reports illegal and offensive Internet Issues.)
SafeSurf Creating a Safe Internet Without Censorship Help Us Accomplish This Goal.
EFF is a nonprofit group of passionate people & lawyers, volunteers, and visionaries working to protect your digital rights.
Copyscape. Search for copies of your page on the Web. Defend your site against plagiarism.
Rules for Uniform Domain Name Dispute Resolution Policy (the "Rules") (As Approved by ICANN on October 24, 1999)
http://www.icann.org/udrp/udrp-rules-24oct99.htm
Domain Name Transfers: ICANN Inter-Registrar Transfer Policy.
UKReg Domain Name Dispute Policy
Nominet Disputes: Nominet's dispute service covers all registrations in the .uk top-level domains.
Domain Name law (Sedo)
eSecurity4Britain Inform, educate and provide protective measures to ensure small businesses can use the internet to operate their businesses - with security.
7Safe is an Information Security services firm offering a diverse portfolio of services including security training & certification, penetration testing, computer forensics and risk management (including BS 7799).
Police United Kingdom UK Police Service portal.
Ofcom is the independent regulator and competition authority for the UK communications industries, with responsibilities across television, radio, telecommunications and wireless communications services.
Association of Certified Fraud Examiners. The ACFE is an anti-fraud organization and provider of anti-fraud training and education. The ACFE is reducing business fraud world-wide and inspiring public confidence in the integrity and objectivity within the profession.
Check premium rate numbers: ICSTIS, the Independent Committee for the Supervision of Standards of Telephone Information Services, the premium rate services regulator.
Also view our Scams and hoaxes. Fraud warnings. Virus Attacks.
SquareTrade eBay User Support. Trouble with a transaction? SquareTrade can help you resolve issues independently or through professional mediation.
eBay Safe Harbor - SafeHarbor is eBay's safety resource and protective arm, and should be used for eBay fraud issues only. Fraud reports and insurance claims may be filed through Safe Harbor.
Federal Trade Commission - As part of an international group of consumer protection agencies, the FTC monitors an online complaint site called econsumers.gov. Although they do not resolve individual consumer problems, complaints are used to help investigate fraud, and can lead to law enforcement action.
National Fraud Information Center - The NFIC helps consumers distinguish between legitimate and fraudulent promotions in cyberspace and route reports of suspected fraud to the appropriate law enforcement agencies.
Mobile Industry Crime Action Forum. An organisation set up by the United Kingdom mobile telecommunications industry, including mobile handset manufacturers, to address the issues of mobile phone theft.
Security Focus Magazine (Phishing Forensics)
Federal Trade Commission (Anti-Phishing)
Better Business Bureau (Anti-Phishing)
Patents: Commission proposes rules for inventions using software
Wireless Security Issues from our page WAP, WML, Wireless Markup Language, Wireless links, Wi-Fi, BlueTooth, radio links.
Safe Options. Safe Options is the UK's leading online security store. Buy safes, lockers, convex mirrors and key cabinets online from our UK security store. We supply fire safes and security safes to both business and home safe users. Buy safes on 30 day terms - available for recognised UK institutions. FREE DELIVERY OF SAFES and LOCKERS ON THE UK MAINLAND* (*Ground floor with easy access, except N. Ireland and Islands.)
Homeland Security Threat Monitor (United States of America). A small Windows application that runs in your system tray, showing the current terrorism threat level. It periodically checks to make sure the information is up to date by contacting the Department of Homeland Security web server. Users are encouraged to establish an emergency preparedness kit and emergency plan for themselves and their family, and to stay informed about what to do during an emergency.
The Open Web Application Security Project released a helpful document that lists what they think are the top ten security vulnerabilities in web applications.
Hosts file. You can begin blocking ads and help keep yourself from being tracked by using the Hosts file with Windows and other operating systems.
Microsoft Diagnostics and Recovery Toolset. 30 day evaluation of the Microsoft Diagnostics and Recovery Toolset. This product provides powerful, intuitive tools that help administrators recover PCs that have become unusable, and easily identify root causes of system issues. This toolset is part of the Microsoft Desktop Optimization Pack.
eBay Help about how to spot spoof emails.
Reporting eBay Account Theft, If you feel your account has been compromised, please report it.
Cut down eBay monopoly and the sale of counterfeit goods. Sign this petition. There is a massive silent minority out there that have suffered injustice or have lost money through eBay and their sister company PayPal. It is silent because there is no one and nowhere where one could place a complaint.
New PayPal phishing scam uncovered. The email, which purports to come from PayPal, claims that the recipient's account has been the subject of fraudulent activity. However, unlike normal phishing emails, there is no internet link or response address. Instead, the email directs the recipient to call a phone number and verify their details. When dialled, users are greeted by an automated voice saying: "Welcome to account verification. Please type your 16 digit card number." Once the credit card details are entered, the scammer is free to steal the credit information for their own use. Spyware analysts SophosLabs are warning users not to respond to the email. Graham Cluley, senior technology consultant at Sophos, said "Though it's an American telephone number, the fact that PayPal is used globally means that anyone could potentially be tricked into making the call." More SpyWare Removal Links.
PayPal Support Club. Review and helpful links, coding examples, warnings, other shopping cart links, etc. PayPal is an online banking system that allows website owners to integrate shopping cart technology into their site. Find out more; includes links to helpful sites about PayPal shopping cart technology.
Freenet is free software which lets you anonymously share files, browse and publish "freesites" (web sites accessible only through Freenet) and chat on forums, without fear of censorship. Freenet is decentralised to make it less vulnerable to attack, and if used in "darknet" mode, where users only connect to their friends, is very difficult to detect.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Its impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigations implemented by the site owner.
KRyLack File Checksum Tool is a free utility that can generate an MD5, SHA-1, HAVAL, MD2, SHA-256, SHA-384 or SHA-512 hash from a file. A hash (checksum) is a sort of digital fingerprint, uniquely identifying each file. These are common hashes that are used to verify the integrity and authenticity of files. The software allows you to verify the hash to ensure the file integrity is correct with the matching file, or to create a new checksum for your important data. Many download sites list the MD5 hash along with the download link. The application is portable and does not require any installation.
AccessChk. Designed to help Windows administrators see what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. As part of ensuring that they've created a secure environment, Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
Ipillion is a resource for those who care about Internet security and want to protect themselves from brute force attacks, comment or email spam, port scanning, etc. Here you can find your IP address, do a reverse DNS lookup to find the IP address of a website, or check if a particular IP address previously attacked other Internet users. Where is the IP located? Our IP Address Location Service provides the answers. More Web Master Tools
Make sure you check out Video Scams. Video Cons. Video Cheats. Votebots Don't get conned or ripped off on YouTube, or other video publishing sites.
Also read Methods of Internet advertising
Click Fraud Protection and Click Fraud Security
Scams and hoaxes. Fraud warnings. Virus Attacks
Backup/File Compression Data Recovery
Protect your Usernames and passwords. Protect your system
Disaster Recovery Planning. (Also Undelete Files) So how good is your Disaster Recovery Planning?
Anti-Virus Software Tools & Utilities
Web Master Tools and Utilities
Forums. Computing Forums. Webmaster Forums, Programming Forums
Web Masters. Click Here Now to start making money. A great opportunity to make some money. Receive 50% by offering your users tons of keywords on A Great Portal websites. Our Affiliate Program pays you 50% on Level 1 of every sale of our Text Link, both searchable and static Text Link!
Compare Bargains. Discounts and special offers. Compare Bargains Domain Name for Sale, URL, for Sale. http://www.comparebargains.com A domain name to make money from.
A Computer Portal. Freeware, Shareware. Download software. Computer languages and Programming code. Including PERL Scripts and Java Scripts. Webmaster Tools. Internet Marketing, Website promotion. Hardware Help from BIOS to Windows and UNIX.
® © ™ are owned by respective authors and websites. There may be a charge for some software. Google™ is a trademark of Google Inc, These pages are not endorsed by Google or any other Company. Always perform an Anti-Virus Check on any Software