August 30, 2008
Announcing Loadfest 2008!
Stuart Crawford over at IT Matters asked me to post some information about the upcoming Loadfest 2008 being held in Calgary. I am proud to be part of the event, and think you should come out if you have any interest on the new upcoming technologies coming out of Microsoft, Scorpion Software and Popcorn Technologies.
September is just around the corner, making it a perfect time for you to get the inside scoop on new technologies like Windows Server 2008 and Hyper-V, Small Business Server, SharePoint Server, Response Point and other leading Microsoft technologies at Loadfest 2008!
Loadfest 2008 will be a free event for IT Professionals, IT Directors, System Engineers and Microsoft Partners who are looking to connect with their peers whilst gaining valuable hands-on experience with some of the latest & greatest products from Microsoft.
To register, navigate to the following URL: https://www.clicktoattend.com/invitation.aspx?code=130019
Join leading Microsoft Partners and employees as they share their experiences with these new technologies! In addition having an opportunity to network with your peers, you’ll be able to attend special breakout sessions, see some great demos, and have a chance to win prizes! Don't miss out on this awesome experience to gain an advantage on these Microsoft solutions! Join us at Loadfest 2008 on September 27th!
Notable Speakers and Presentations
Rodney Buike from Microsoft is making the trip out from Toronto to show IT Professionals in Calgary when is coming with relation to Microsoft technologies. Get the technical brief on Small Business Server 2008, especially now that it is been released. Also, Rodney will show us Hyper-V and Windows Server 2008. Get 3 hours of technical training on SBS and Windows Server. Play with these great products and ask technical questions to the people that can answer the questions you have.
Are you curious about Response Point? Come and see Microsoft’s latest small business telephone system! Jeff Loucks is a Microsoft MVP with Response Point and he will be delivering a technical demonstration on Response Point during Loadfest 2008.
Lunch is sponsored by our friends at AuthAnvil and Scorpion Software. This technical lunch and learn will show you the technical side of AuthAnvil and how to deploy a higher level of security for your networks and clients. Dana Epp (Microsoft MVP) is sponsoring our luncheon and he will be available to address questions and talk technical about AuthAnvil.
Popcorn Technologies will be giving a demo on MOSS (SharePoint Server) and how to fit MOSS into your environments.
In addition to some hands-on experience, you’ll also see some great presentations. Here’s a quick list of some of the sessions that you’ll see during the day:
8:30 AM – Meet & Greet
Popcorn Technologies (6016 3rd Street SW, Calgary, AB)
September 27th from 8:30 AM to 5 PM (Mountain)
Hope to see some of you there!!
August 27, 2008
How to break into a PIN locked iPhone
So if you are a fan of the iPhone and have it all synced to your Exchange server, I want to pass a word of caution to you.
Firstly, you SHOULD be locking your iPhone with a PIN. Not doing so makes it easy for anyone to look at your emails, contacts and calendar. It's another layer of defense which costs you nothing. Please use it.
However, I am sad to report that even if you do use it, the current PIN security in iPhone 2.0.2 is flawed. If you have used the "Favorites" feature in the phone, it is possible to break into the phone. :(
Here are the steps to do so:
This seems like a pretty interesting attack vector. I would have never expected the Emergency mode in an iPhone to be used so easily in this way.
Apple is aware of the security hole, and this will be circling around the Internet shortly. So keep those iPhones close until an update is available!!
UPDATE: Vlad reminded me to mention that if you DO lose your iPhone... make sure you wipe it. Ahhh the powers of Exchange!!! :-) Thanks for the tip Vlad.
August 26, 2008
Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World
At the last BlackHat conference, there was an interesting presentation by some folks at Microsoft on new strategic initiatives from Microsoft to "Rock Your World".
If you haven't had a chance to see the presentation, consider checking out the slidedeck (link above). There is some interesting insight into Microsoft Vulnerability Research, the Microsoft Active Protections Program and even the new Exploitability Index recently announced.
Good stuff. Happy reading!
August 25, 2008
Where is my MMC Snapins for SBS 2008??
So tonight while talking to Sean he pointed out a kick ass feature of SBS 2008 I never even noticed during all the betas I was working with in the last year.
It is called the "Windows SBS Native Tools Management" tool, and is available in the "All Programs->Windows Small Business Server" menu. What makes this tool cool is that it uses the familar MMC interface we all know and love in SBS2003.... with access to all the native tools you probably work with on the server on a regular basis.
I was pleased to see the certificate store easily accessible along with IIS7 configuration. This will make our Customer Service team happy as when dealing with customers with self signed certs, it will be easier to step them through it!! And... we can easily build snapins for the console, just like we have in the past for SBS 2003.
Great job Microsoft. And thanks for the tip Sean!
August 10, 2008
The Developer Highway Code
If you follow my blog you know one of my favortie books is "Writing Secure Code" from Michael Howard. Another good book written by a fellow Microsoftie is "The Developer Highway Code". Written by Paul Maher, this handbook captures and summarises the key security engineering activities that should be an integral part of your software development processes.
The book introduces several concepts for secure coding, including:
The nice thing is that Microsoft has made this freely available as a PDF download from their UK MSDN site. You can download it here.
August 09, 2008
Uh oh. You know you are in trouble when...
... Microsoft PSS emails you on an open case and includes this in their response:
We use internal methods, which are undocumented for security reasons, of retrieving this information.
So much for the new open APIs they wrote for Vista and Windows Server 2008. Not all that open after all. *sigh*
August 08, 2008
Death Star Threat Modeling
Oh man this is kewl.
If you are unsure about what threat modeling is, and want to learn about it, check out these videos from a presentation Brian Williams did at HOPE. The concepts of threat modeling explained using Star Wars references... simply awesome!
August 07, 2008
Protecting the BitLocker bits in Vista
So last night my MVP lead (Sasha) was in town and a bunch of MVPs got together to break bread and converse on all things geek. During the dinner there was discussion about the effectiveness of BitLocker, and the risks against the Cold Boot attack that Princeton published in a paper back in February. There is even an excellent video that shows this attack in action for those that don't know about it.
In short, due to a characteristic of memory called “DRAM remanence”, it is possible to attack disk encryption technology like BitLocker and blow past the very safeguards it provides. Cryptographic systems are only as secure as the protection of the keys, and the research at Princeton shows how easy systems like BitLocker, FileVault and TrueCrypt can be beaten.
Now to many, including most of the MVPs around the table last night, that's a theoretical attack which isn't practical. I beg to differ. And I will tell you why.
A few weeks ago at the HOPE (Hackers On Planet Earth) conference in New York, the source code for the tools for this attack were released. And I have personal knowledge of at least one laptop which has since been compromised using this attack in the field.
Although not a very practical attack, this is indeed real. So closing your Vista Enterprise or Ultimate laptop and letting go to sleep under the belief that you are protected is a fallacy. So I thought I would explain a few things you CAN do to reduce this risk and protect your encrypted systems.
First off, you need to understand the balance and trade offs between security and usability and how to assess risk to your information assets protected with technical safeguards like BitLocker. A great starting point is to check out Russ Humphries' MSDN blog post on the subject. He includes pointers to the best practice guidance in the Data Encryption Toolkit, which is where Microsoft explains these things.
Secondly, you have to understand the basic premise of this attack. It relies on how DRAM remanence works. You can configure BitLocker in Advanced Mode to use hibernation rather than sleep, and you should really do that. When using sleep mode, Vista will not encrypt the RAM contents, exposing the encryption keys BitLocker uses to the Princeton attack. This means that any laptop sleeping in its bag at the airport is fair game.
If you use hibernation, the system is effectively turned off, and with no power to the RAM there is no chance of information disclosure risk with key residual data even existing on the chips. Even if someone seized the machine, they wouldn't be able to recover the keys as during resume from hiberation, the BitLocker credentials will need to be provided BEFORE the keys will be loaded into memory.
You can also make it more difficult for unauthorized users to exploit this attack vector by limiting their ability to perform warm reboots in an effort to keep the keys in memory. Using Group Policy there is a setting under the Windows Security Policy called “Shutdown: Allow system to be shut down without have to log on”. If you disable that, they are going to have to do a hard power cycle which will again go through the system post and require the BitLocker credential before keys will be loaded into memory. To be clear, this won't prevent the attack... it just makes it more difficult. And there is nothing wrong with another layer of defense that costs you nothing to deploy. :-)
So I hope that helps. use a PIN credential for BitLocker. Hibernate instead of sleep. Don't let unauthorized users perform warm reboots. You will significantly reduce the risk against the Princeton Cold Boot attack, and let BitLocker do what it was designed to do in the first place. Offer more protection to the data assets on the disk, and make it more difficult for attackers to access the protected information.
Remember, security is about risk mitigation... not risk avoidance. BitLocker does a great job, and this guidance will help mitigate the most obvious attack vector against the system.
Hope it helps.
August 03, 2008
"There are no rewards for just doing your job". Amen Vlad!
I was catching up on my RSS feeds today, and came across a REALLY interesting post by Vlad on work ethics, and it really rang true to me. He had some great insights, including...
There is no award for doing what you’re expected to. Meeting expectations is.. well.. a requirement to remain employed. If you sit on that line you will be the first one gone. Hate to break it down like that but it’s the truth. People who do the bare minimum do not get promoted, they do not get raises, they do not get bonuses.
The sad reality is, in this day and age, there are way too many people that skate by in their jobs, doing only what is expected of them to get their job done. I conducted two interviews last week where both candidates had more than 5 different positions with no less than 5 different companies in only 5 years. This 5-5-5 scared the hell out of me. They were "no hires" as I simply didn't want to deal with people who jump ship all the time, doing the minimum they can to then get somewhere bigger and better. And the sad reality was that neither of these candidates did ANYTHING to be proud of... anything that stood out as amazing work.
It's a fine balancing act. Staff typically don't have the same incentives as the owner. Their interests, goals and commiments do not always align with the business owners... and we can't MAKE them do so. It is part of the corporate culture that defines how staff respond to the organization. And that culture is forged by the leadership in the company.
In the last company I built, we worked at the speed of Silicon Valley and literally burnt out our staff. They loved the environment, and you could see the commitment seep out of every crevice in the organization. But everyone was over worked, all for the opportunity to build an extrodinary company that they could be proud of. Well, that and the chance to cash out on their stock options when we went public. And although we had fun, that was balanced with a hectic and stressful environment that many people just wouldn't want to keep up long term. Actually, many of that team moved on to roles in new organizations that don't run at that pace.
This time around while building my latest company, I took a different approach. Staff have normal business hours. Deadlines are reasonable, and far from the hectic type of schedules we used to have... all for the benefit of a more balanced lifestyle while still delivering consistent results. The opportunity to show excellence and provide extraordinary results is really in the hands of the staff... by their choices. They are deciding the corporate culture DESPITE our leadership. That makes it even more important that our hiring process picks the right candidates.
I think Vlad summed it up really well with the quote that...
Somewhere between stupidity (working harder than those around you) and insanity (knowingly working harder knowing that no raise or bonus is guaranteed) there is a little thing called work ethic and that is what elevates the excellence of the team, the company and the solutions we deliver.
That's a rare find these days. It's not easy to get staff that have that sort of work ethic. That passion. That devotion to excellence. We need more "Sheldon"s in the world, especially in our industry.
So if you are an employee of a software or IT company, take heed. Want to get noticed? Don't just do what is expected of you. Go beyond your job description and truly create an environment of excellence in everything you do. Help your company succeed by influencing more productive results in whatever it is you do. And not just once so you can receive a reward. Make it be part of WHO you are. Something that defines you.
And if you are a leader of such a company... take notice. See if this is a character trait, or just someone trying to get noticed to get a quick bump or benefit. Make sure your staff know its appreciated when they have a CONSISENT work ethic. That doesn't mean you buy them off. But let them know you notice. And reward that loyalty when the time is right.
Great post Vlad.