Microsoft’s Trustworthy Computing Program Turns 10

Written by John P Mello Jr on January 20, 2012 – 4:00 pm -

Gates: Momentous security memo

For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security.

On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of “Trustworthy Computing.”

“In the past,” Gates wrote, “we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software.”

“So now,” he continued, “when we face a choice between adding features and resolving security issues, we need to choose security.”

Subscribe to my RSS feed

Windows 8 Offers New Password Features

Written by John P Mello Jr on January 11, 2012 – 4:00 pm -

Gestures can replace passwords in Windows 8.

Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody’s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way.

Everyone has dozens of accounts for which they need to memorize passwords. Most people, though, only commit a few passwords to memory and just reuse them over and over again. A study in 2007, for example, found that the average Internet user had 25 accounts that required password access, but they only used six passwords to access their accounts.

Security pros decry the multiple use of passwords, but there are plenty of sites on the web where, if your password fell into the wrong hands, the consequences would be trivial. Reusing passwords for those sites should be acceptable. There are sites where unique passwords are a must, though, such as banking or credit card payment sites.


What Should Be in Your BYOD Policy?

Written by John P Mello Jr on January 6, 2012 – 4:00 pm -

BYOD can give administrators a headache.

More and more organizations are finding their employees using personal devices to access company data. Without some measure of control, those workers can create serious security problems for their employers.

As much as some administrators would like to block the use of personal devices in the workplace, that’s unlikely to happen for a number of reasons. For example, many employees are already using their own devices at work, as a recent survey by IDC shows. That poll found that 95 percent of workers use one personally purchased device on the job.


Microsoft Releases Critical, Out Of Band Update

Written by Casper Manes on December 30, 2011 – 11:41 pm -

Users of practically every supported version of Windows, whether desktop or server, 32-bit or 64-bit, and even the low-attack-surface Windows Server Core, should immediately review Microsoft Security Bulletin MS11-100 and begin testing and deploying this patch as soon as possible. The patch, covered in KB2638420, addresses four vulnerabilities in the Microsoft .NET Framework, including versions 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4. Three of the four were privately reported, while the last one has been publicly disclosed.


Santa Checks His List; Everyone Else Their Email

Written by John P Mello Jr on December 23, 2011 – 4:00 pm -

Despite the claims of one CEO of a major global high tech company, many workers believe their internal email is important enough to scrutinize when they should be kicking back and being jolly during the holiday season.

In a poll of some 1000 people with full-time jobs in the United Kingdom, surveyors found that nearly half of the workers (46 percent) intend to check their office email either frequently (15 percent) or intermittently (31 percent) during yuletide. About a third of the sample (34 percent) said they’d totally resist the temptation to check their email during their stay at home during the festive period.


Lessons Learned from the Loggly Outage

Written by Casper Manes on December 22, 2011 – 4:00 pm -

For those of you who haven’t heard of Loggly, Loggly is a cloud-based service for complete application intelligence for app developers. Loggly uses log data to collect, analyze, troubleshoot and monitor your applications. They are a heavy user of Amazon’s Web Service hosting, and recently experienced a truly stellar outage of massive proportions. You can read about that on a Loggly blog post here, which I encourage you to do. However, I am not here to talk about lessons learned about hosting and availability, and putting eggs in consolidated baskets. Nor am I planning to talk about on-premise versus hosted, and the perceived dangers of the cloud. It’s what happened to Loggly and how they went unaware of the impending freight train heading their way that I want to discuss, because there are some great lessons to learn from that little subset of their blog post.


Yes, My Email Account Was Compromised

Written by Jeff Orloff on December 21, 2011 – 4:00 pm -

This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.

I was lucky that I did check it. The new message was actually from my personal email account and the contents of the message contained only one link and other people were also sent the same message.

I realized immediately that my personal email account was sending spam. I was upset with this because working with email and security, I write and train others on best practices. Not only this, but I follow them as well. I make sure that:


Google States What Needs To Be Said

Written by Casper Manes on November 30, 2011 – 6:00 pm -

How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back of the corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How many of you have a password policy that makes you change your corporate password every month, for example?

You hear that? That’s the sound of crickets chirping as practically each and every one of you tries to avoid eye contact with everyone else, because most of you probably haven’t changed the password to your personal email account since you first set it up. Now consider how many things are tied to that email account. Password resets for your bank accounts, your credit card accounts, your Facebook, Twitter, and blog accounts; personal email accounts are treasure troves of information for attackers. A compromised personal email account is the perfect information source for an ongoing attack against a user because so many other accounts can be compromised without the victim being aware. And the majority of users will not change their password unless a system prompts them to.


5 Tips for Better Email Security

Written by Jeff Orloff on November 23, 2011 – 4:00 pm -

Small and medium-sized businesses face many of the same threats that large companies do when it comes to their email systems. Some of the common problems that email administrators face are:


Why the iPhone should be the BYOD of choice for administrators

Written by John P Mello Jr on November 9, 2011 – 4:00 pm -

Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it’s fast becoming a fact of life in the workplace.

One of the prime culprits behind the popularity of BYOD—Bring Your Own Device—is Apple’s iPhone. Not only did it become a favorite among the rank and file workers in many companies, but also among the top brass in many of them, too. That made it difficult for IT departments to keep the smartphones from invading their domains.
