<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Scott Charney: Deconstructing Cyber Threat</title><description>2010-05-03 22:57:09 - Jeff Jones Security Blog : Today, I would like to call your attention to a new paper from Microsoft Corporate Vice President for Trustworthy Computing Scott Charney called 'Rethinking the Cyber Threat: A Framework and Path Forward'. In my own opinion, this is a very important read more</description><link>http://www.secuobs.com/revue/news/218353.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218353.shtml</guid></item>
<item><title>Nobody Attacks: Thinking About The Apache.org Attacks</title><description>Secuobs.com : 2010-04-14 22:50:51 - Jeff Jones Security Blog - Hackers successfully compromised the Apache.org servers this month and it has given me food for thought. If you are working to improve software security, then you have to take the 'risk' viewpoint that at some point, attackers will target one of your read more</description><link>http://www.secuobs.com/revue/news/212228.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212228.shtml</guid></item>
<item><title>SPAM of the Day: Auditor Wants to Share 100M of Abandoned Money</title><description>Secuobs.com : 2010-04-03 02:21:18 - Jeff Jones Security Blog - And they just keep on coming. Yes, I really did get this SPAM today (I am not making these up). Chris Solomon (aka Betty Herbert6) even offered me 40% of the 100M; that makes it seem more realistic, since any greedy auditor would clearly read more</description><link>http://www.secuobs.com/revue/news/208576.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/208576.shtml</guid></item>
<item><title>Miami-Dade Inmates Hack the Phone System, Charge Calls to Strangers</title><description>Secuobs.com : 2010-03-31 18:12:37 - Jeff Jones Security Blog - Miami Herald: Hacking their way into home fax lines, inmates in Miami-Dade jails are racking up tens of thousands of dollars in collect calls billed to unsuspecting citizens. Recent victims include a South Florida federal judge, a Miami Herald columnist read more</description><link>http://www.secuobs.com/revue/news/207437.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/207437.shtml</guid></item>
<item><title>SDL Awareness and Adoption High Among Security Professionals</title><description>Secuobs.com : 2010-03-31 02:22:16 - Jeff Jones Security Blog - Errata Security has released the results of their survey today, 'Integrating Security into the Software Development LifeCycle', finding that more than half of the participants said they included preventative security activities in the development lifecycle read more</description><link>http://www.secuobs.com/revue/news/207151.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/207151.shtml</guid></item>
<item><title>Be Safer - Run as Standard User</title><description>Secuobs.com : 2010-03-30 22:36:28 - Jeff Jones Security Blog - I do my work as standard user on Windows 7, just as I did with Windows Vista. It is not a burden. When I need to do an admin task, I put on my 'admin' hat by switching to my admin account specifically and doing my admin thing and then logging read more</description><link>http://www.secuobs.com/revue/news/207062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/207062.shtml</guid></item>
<item><title>Computerworld: Apple delivers record monster security update</title><description>Secuobs.com : 2010-03-30 21:03:56 - Jeff Jones Security Blog - Computerworld: Apple yesterday patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems. Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 read more</description><link>http://www.secuobs.com/revue/news/207020.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/207020.shtml</guid></item>
<item><title>Change Your Tweetdeck Account Password</title><description>Secuobs.com : 2010-03-30 01:05:25 - Jeff Jones Security Blog - I love Tweetdeck and adopted it as my primary client on the same day I started using twitter (http://twitter.com/securityjones). Recently I wanted to sync my 'view' between my desktop and phone versions of Tweetdeck, so I created a Tweetdeck account read more</description><link>http://www.secuobs.com/revue/news/206659.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/206659.shtml</guid></item>
<item><title>Profile of A Global Cybercrime Business: Innovative Marketing</title><description>Secuobs.com : 2010-03-25 19:36:56 - Jeff Jones Security Blog - Reuters - Hundreds of computer geeks, most of them students putting themselves through college, crammed into three floors of an office building in an industrial section of Ukraine's capital Kiev, churning out code at a frenzied pace. They were creating read more</description><link>http://www.secuobs.com/revue/news/205473.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205473.shtml</guid></item>
<item><title>Woot  New Laptop</title><description>Secuobs.com : 2010-03-24 00:05:52 - Jeff Jones Security Blog - So excited to go from here  35 year old laptop  to here  new laptop  read more IMAGE  </description><link>http://www.secuobs.com/revue/news/204652.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204652.shtml</guid></item>
<item><title>TJX Hacker Faces Record-Setting 25-Year Cybercrime Sentence</title><description>Secuobs.com : 2010-03-22 21:58:13 - Jeff Jones Security Blog - Wired.com: Computer hacker Albert Gonzalez deserves a quarter-century behind bars for leading a gang of cyberthieves who stole tens of millions of credit and debit card numbers from a transaction processor and several giant retail chains, federal prosecutors read more</description><link>http://www.secuobs.com/revue/news/204141.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204141.shtml</guid></item>
<item><title>Church of the Jedi  </title><description>Secuobs.com : 2010-03-19 20:09:28 - Jeff Jones Security Blog - Just found out today that there is a Church of the Jedi, that they ordain ministers and you can get married by them  Sometimes people just amaze me with their awesomeness Seriously, the creativity and whackiness that we have as a race is something read more IMAGE  </description><link>http://www.secuobs.com/revue/news/203487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203487.shtml</guid></item>
<item><title>SPAM of the Day: Trouble Viewing This Social Attack? Read it Online</title><description>Secuobs.com : 2010-03-18 19:17:40 - Jeff Jones Security Blog - I wasn't really planning to do a 'Spam of the Day' every day, but this one got through all of the filters today and I found it interesting enough to share. This one combines the use of E-mail spoofing (the E-mail 'from' field used my own address, read more</description><link>http://www.secuobs.com/revue/news/203047.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203047.shtml</guid></item>
<item><title>SPAM of the Day   A Classic Nigerian Scam</title><description>Secuobs.com : 2010-03-17 18:48:05 - Jeff Jones Security Blog -    I am continually amazed at some of the email-based social attacks that I see, sent either to me or one of my friends and family Some are so outrageous, it is hard to believe anybody could fall for them, but on the other hand   what if it were true that someone left me money   isn t worth just one little check  And therein lies the hook When someone is phishing, they just want a nibble Wondering how these scammers get their email targets  It is not that hard   have your friends read about E-mail address harvesting and advise them to think about this the next time they consider sharing their E-mail address on a web site or in a job posting I thought it might be fun and interesting to share some of the unwanted emails I see periodically This is a real one that was sent to my wife in mid-February From   MRLAMIDO SANUSI  Date  February 13, 2010 1 12 57 AM PST Subject  Your kind Attention  Beneficiary, Call me at  2348080754902 for more information My Name Is Mr Lamido Sanusi I Am The Governor Central Bank Of Nigeria This Is To Notify You That Your Over Due Inheritance Funds Has Been Gazzeted To Be Released To You Via The Foreign Remmitance Department Of Our Bank Meanwhile, A Woman Came To My Office Few Days Ago With A Letter, Claiming To Be Your Representative And Sent By You If she is not your reprsentative or sent by you, kindly respond immediately reconfirming to me the following details to avoid any mistake   Full name   Full residential contact address   Direct telephone number number   Age and current occupation   Copy of your identification if available However, We Shall Proceed To Issue All Payments Details To The Said Mrs Barbara Kleihans If We Do Not Hear From You Within The Next Three Working Days From Today Await for your prompt response YouRegards, Mr Lamido Sanusi Reply-To   Note that Nigeria has recently started an 
aggressive campaign against  Nigerian scams  aka as 419 scams,  IMAGE  </description><link>http://www.secuobs.com/revue/news/202658.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202658.shtml</guid></item>
<item><title>SPencer Pratt Plans to Fight Cyber Crime</title><description>Secuobs.com : 2010-03-16 21:18:19 - Jeff Jones Security Blog -    WARNING WARNING WARNING   Serious security folks might want to skip this one  -  Not quite a true computer security news item, you might be interested just for the entertainment value  Spencer Pratt, Cyber Security Ninja-in-training In case you don t know, Spencer is an MTV  star  from the show The Hills He is also married to Heidi Montag, one of his co- stars  from the show PREDICTION  Next year at RSA Conference 2011, Spencer and Heidi will do a keynote  IMAGE  </description><link>http://www.secuobs.com/revue/news/202317.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202317.shtml</guid></item>
<item><title>Ubuntu CVE Tracker</title><description>Secuobs.com : 2010-03-10 01:34:12 - Jeff Jones Security Blog - Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site: 'For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.' I had not seen the Ubuntu CVE Tracker before, so I checked it out, very interested because of the fact that certain sites continue to assert and report that some Linux distributions do not have any unpatched issues. For example, take a look at the page 'Vulnerability Report: Ubuntu Linux 9.10' on secunia.com (9.10 is Ubuntu Karmic Koala, released on October 29, 2009) and you'll see a couple of interesting summary statistics. Looks good, eh? However, if you take a look at the CVE tracker, you get a view that is a bit different. You can see the Risk Color Key, but it is about what you'd expect: Red is High or Critical, orange is Medium and yellow is Low. The asterisk means that this is a package maintained by Canonical instead of a 3rd party. I didn't bother to do a count, but I can see that the number of 'needed' fixes is somewhat larger than zero; however, I did not see any RED (High) vulnerabilities, so I did check one more thing: I wondered how these severity ratings mapped to CVSS as used by the National Vulnerability Database (i.e. http://nvd.nist.gov). I spot-checked a few: CVE-2009-4537, kernel, Orange/Medium by Canonical, High (7.8) by CVSS; CVE-2009-4565, sendmail, Orange/Medium by Canonical, High (7.5) by CVSS; CVE-2010-0408, apache2, Orange/Medium by Canonical, Medium (5.0) by CVSS; CVE-2010-0433, openssl, Orange/Medium by Canonical, Medium (4.3) by CVSS; CVE-2007-5901, krb5 (kerberos), Yellow/Low by Canonical, High (10.0) by CVSS. There were 474 CVE entries, so I didn't do a comprehensive check, but it turns out that there are more than a few of these unfixed vulnerabilities that are rated High by CVSS.</description><link>http://www.secuobs.com/revue/news/200041.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200041.shtml</guid></item>
<item><title>Microsoft Prime Restaurant Guide for Snoqualmie and Issaquah</title><description>Secuobs.com : 2010-03-07 06:25:28 - Jeff Jones Security Blog -    msprimeIf you are a Microsoftie, then I m sure you have a Prime card in your wallet, purse or on the bottom of a junk drawer somewhere However, do you always use it when you could  Do you even know which restaurants in the area accept it  I eat at Cucina, Cucina in Issaquah a lot, but didn t realize that it took the Prime card Even after I discovered that, I ve probably eaten there a dozen times without remembering So, to help myself and share with all of you, I went through the restaurant search function on wwwmicrosoftprimecom  not the cleanest site in the world for finding just what you want  and extracted the restaurants in Snoqualmie and Issaquah that offer some sort of Prime benefit Okay, this is probably not of much interest to you unless you live near the Snoqualmie or Issaquah area in Washington, but if you do, you can download the 1-pager from this post on wwwsnoqqercom  IMAGE  </description><link>http://www.secuobs.com/revue/news/199075.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/199075.shtml</guid></item>
<item><title>Microsoft News at RSA 2010</title><description>Secuobs.com : 2010-03-02 19:57:27 - Jeff Jones Security Blog - I thought it might be useful to share some of the key resources related to Microsoft news at RSA to make it easy to find. Will update with more details later. RSA Conference 2010: Microsoft RSA Presspass Newscenter (http://www.microsoft.com/presspass/events/rsa/); Press materials (http://www.microsoft.com/presspass/events/rsa/Materials.aspx); Image gallery (http://www.microsoft.com/presspass/events/rsa/ImageGallery.aspx); Video gallery (http://www.microsoft.com/presspass/events/rsa/VideoGallery.aspx). Microsoft Blog - Scott Charney: Advancing End to End Trust, An Update from RSA 2010. Operation b49: Microsoft Blog - Cracking Down on Botnets. End to End Trust Web Site: End to End Trust Home (http://www.microsoft.com/endtoendtrust/); E2E Trust Vision (http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/); E2E Trust at RSA 2010 (http://www.microsoft.com/mscorp/twc/endtoendtrust/conference.aspx).</description><link>http://www.secuobs.com/revue/news/197242.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197242.shtml</guid></item>
<item><title>My Netflix Pet Peeve -  Popular New Releases </title><description>Secuobs.com : 2010-02-27 22:20:28 - Jeff Jones Security Blog -    Let s do a little experiment right now and see what we find First, go to ROTTEN TOMATOES  Top Rentals and check out the top rentals Next go to Netflix Popular New Releases  all  page Notice anything  Read the full details, with screenshots for those of you without a Netflix login, at Netflix Popular New Releases   Not So Much   IMAGE  </description><link>http://www.secuobs.com/revue/news/196302.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/196302.shtml</guid></item>
<item><title>Microsoft to Waledac: Off with Your Head</title><description>Secuobs.com : 2010-02-25 08:38:35 - Jeff Jones Security Blog - This week, the Microsoft Digital Crimes Unit (DCU) took legal action in cooperation with other tech industry members and Microsoft's Trustworthy Computing team (TWC) to decapitate and severely limit the activity of the spam botnet Waledac, one of the 10 largest botnets in the US and a major distributor of spam globally. The action, codenamed Operation b49, involved months of investigation and culminated in a request by Microsoft for an ex parte (non-public) temporary restraining order (TRO) allowing the domains believed to be responsible for commanding and controlling the Waledac botnet to be cut off from the Internet. On Monday, February 22, the US District Court for the Eastern District of Virginia issued that order and in the intervening days, the order was sealed while the registry operator VeriSign took the action to sever the domains. That severance has taken place and I'm happy to report that Waledac traffic has been disrupted significantly and we continue to work to further reduce the remaining traffic. To see Waledac impact for yourself, check out http://www.sudosecure.net/waledac/index.php. More details from the DCU team on the Microsoft Blog: Cracking Down on Botnets. Jeff</description><link>http://www.secuobs.com/revue/news/195411.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195411.shtml</guid></item>
<item><title>Now on Twitter: Jeff Jones (Microsoft) is securityjones</title><description>Secuobs.com : 2010-02-16 21:39:30 - Jeff Jones Security Blog - I registered 'securityjones' a while back on www.twitter.com, but have not really done anything with it up to now. Yesterday, I finally decided it was the right time to jump in with both feet and spent the evening adding myself as a follower to many of the folks I know within the security community (hi jjx and rmogull). Though I've been relatively quiet on my blog for the past several months, I'm going to start writing much more frequently again in addition to tweeting. So, if my security research and opinions are sometimes interesting to you, you may wish to follow me on twitter. The RSA Conference is coming up in a couple of weeks and I expect to be communicating pretty frequently from the show, keynotes and expo floor.</description><link>http://www.secuobs.com/revue/news/192428.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192428.shtml</guid></item>
<item><title>End of Year: Clean Up Your E-Mail</title><description>Secuobs.com : 2009-12-31 01:43:47 - Jeff Jones Security Blog - Having taken some time off over Christmas, I've been taking care of some 'Home Admin' tasks that have been on my todo list for a while. I decided to document these on another blog site, www.homeserverhub.com, where I post more hobby and personal stuff. Essentially I have two top level tasks: (1) Consolidate your E-Mail Accounts and (2) Clean up the Clutter, with several sub-tasks broken out. Read the whole article at End of Year E-mail Clean Up.</description><link>http://www.secuobs.com/revue/news/176917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176917.shtml</guid></item>
<item><title>Expanding SDL for Cloud and Agile Development</title><description>Secuobs.com : 2009-11-13 05:23:36 - Jeff Jones Security Blog - With more and more business customers deciding between client, cloud, or both for their computing environments, security guidance must be dynamic and evolve along with the community. Because security and privacy are key concerns affecting adoption of cloud computing, the industry has an opportunity to assure customers that web applications running on cloud platforms can operate in a safe and trusted environment. Microsoft has made a series of moves to take its secure development best practices beyond its borders to the broader developer community. This has included a body of guidance, an SDL Optimization Model, the creation of a network of certified service providers through the SDL Pro Network and a no-cost SDL Threat Modeling tool. All of these, plus subsequent releases of SDL programs, tools, guidance and technologies, have better enabled software developers and industry partners to build security and privacy directly into software applications and provide their users with a more trusted computing experience. Yesterday at the Tech Ed Conference in Berlin, Germany, Microsoft announced two new SDL offerings. Security Considerations for Client and Cloud: download a whitepaper from the SDL team that discusses security issues associated with 'client and cloud' applications, and the steps Microsoft has taken to evolve SDL to address those security issues in Microsoft services. SDL 4.1a, expanded to include Agile Development processes: download the latest SDL process guidance that includes SDL for Agile Development, a streamlined approach that melds Agile methods and security. Comprehensive yet flexible, the SDL for Agile guidance includes all SDL requirements, but provides guidance on how to apply them even for very short release cycles. Let me briefly expand on each of these. Security Considerations for Client and Cloud: As the computing industry considers Cloud Computing, customers are concerned with how data will be protected. In a September 2009 online survey of IT Pros, about 51% cited security and data privacy concerns as the biggest impediment to adopting cloud services. In Security Considerations for Client and Cloud, Microsoft takes a look at security from the point of view of development organizations that may be considering hosting their application with a 3rd-party infrastructure (i.e. 'cloud') provider. If you are to host your well-coded application on a 3rd-party infrastructure, at a high level, you should be asking questions (of potential cloud providers) concerning two general areas of security. Operational Security and Compliance: if you have regulations governing your industry (e.g. healthcare), what does the provider do to make sure you are in compliance? What have they done to demonstrate their operational security? Security Features and Service Level: additionally, different providers may offer different cloud security features (e.g. supporting certain types of authentication) and different security service levels in their SLA. Ask for details to ensure that you know exactly what they will provide you (from a security perspective) as your partner in delivering services to your customers. Of course, fundamentally, application software, whether traditional or for the cloud, still needs a structured security development process such as SDL. So, make sure you are using a structured security development process like SDL for your application. What? You say you have a 2 week release process and use an Agile development process? No problem, read on. SDL for Agile Development: If you are using an Agile development process, you are not alone. Agile development methods are being adopted more and more frequently in enterprises around the world. According to a recent independent analyst report, 85 percent of technology industry professionals have adopted Agile development methods at some level of maturity. Note: if you are not familiar with Agile development and would like to know more, you may want to read a bit more on http://www.agilemanifesto.org. Wikipedia defines it as: 'Agile software development refers to a group of software development methodologies based on iterative development, where requirements and solutions evolve through collaboration between self-organizing cross-functional teams. The term was coined in the year 2001 when the Agile Manifesto was formulated.' Also: 'Notable early Agile methods include Scrum (1995), Crystal Clear, Extreme Programming (1996), Adaptive Software Development, Feature Driven Development, and Dynamic Systems Development Method (DSDM) (1995). These are now typically referred to as Agile Methodologies, after the Agile Manifesto published in 2001.' If you take a look at Bryan Sullivan's SDL Blog post concerning SDL for Agile, he gives a great description of how the team approached the task of taking the comprehensive SDL requirements and processes and organizing the guidance into an Agile-friendly structure that can be flexibly applied to long or short agile development projects. I'll give a quick summary of his post. If you look at the Security Development Lifecycle and how it is described by phases, you can see that it was originally developed to integrate with the spiral-based product development process used by Microsoft to develop Windows and other business products. Though there are many differences between spiral and Agile methodologies, two key differences stand out to me: Agile development methodologies don't have defined phases, and Agile releases tend to be much shorter, in some cases only a week or two. To address these differences, SDL for Agile breaks the SDL into three categories of requirements: every-sprint requirements, the requirements so important that they must be completed every iteration; one-time requirements, the requirements that only have to be completed once per project no matter how long it runs; and bucket requirements, the requirements that still need to be completed regularly but are not so important that they need to be completed every sprint. SDL for Agile also provides guidance for adapting many of the core SDL activities to Agile. Threat modeling is a perfect example: a team could easily spend an entire week-long sprint performing threat modeling, but this may not be the best use of their time. SDL-Agile describes how a team can spend an appropriate amount of time modeling new features as well as how to build up a baseline of threat models for existing functionality. To get the full SDL for Agile guidance, download SDL 4.1a, expanded to include Agile Development processes, and read through the new sections on Agile. Final Thoughts: As the computing industry evolves, Microsoft continues to invest in security and privacy fundamentals and ensures its software development processes, best practices and technologies extend from Client to Cloud environments. The release of SDL for Agile and the cloud security white paper highlights Microsoft's continued efforts to meet the changing needs of the development community and ultimately will help create a more trusted online computing experience. Best regards, Jeff</description><link>http://www.secuobs.com/revue/news/160396.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160396.shtml</guid></item>
<item><title>SDL Team Adds Test Tools to the SDL Tools Arsenal</title><description>Secuobs.com : 2009-09-17 05:09:30 - Jeff Jones Security Blog - Those of you that have been reading my blog a while know that part of my interest in security metrics is in trying to find ways to measure if Microsoft efforts to improve fundamentals in security products are bearing fruit. Central to the Microsoft efforts is the Security Development Lifecycle process. One of the cool efforts that has been happening over the past couple of years is that the SDL team (read their blog) has been taking tools and technology that was developed internally to support the Microsoft SDL process and releasing it, cost free, to the community so that the tools could be leveraged by all types of developers. (I say 'all types' and that's true, though in some cases the tools either do more or were designed to work primarily with Visual Studio projects. Tools like MiniFuzz, though, can be used to fuzz applications regardless of the development tools used.) Today the SDL team are making available BinScope Binary Analyzer and MiniFuzz File Fuzzer as no cost downloads. We put together a couple of demo videos also. You can find them on edge.technet.com at these links (BinScope video, MiniFuzz video) or you can watch the embedded videos directly in this post below. BinScope Binary Analyzer: The BinScope Binary Analyzer is an SDL-required security tool that has been used by Microsoft teams since the early days of the SDL. It analyzes your binaries for a wide variety of security protections with a very straightforward and easy-to-use interface. At Microsoft, developers and testers are required to use this tool in the Verification Phase of the SDL to ensure that they have built their code using the compiler/linker protections required by the Microsoft SDL. The analyzer performs a diverse set of security checks. These checks include: /GS flag is being set to detect stack-based buffer overflows; /SafeSEH flag is being set to enable and ensure safe exception handling; /NXCOMPAT flag is being set to enforce data execution prevention (NX); /DYNAMICBASE flag is being set to enable Address Space Layout Randomization (ASLR); .NET Strong-Named Assemblies are being used to ensure unique key pairs and strong integrity checks are in place; known good ATL headers are being used; up-to-date compiler and linker versions are being used (minimum Visual Studio 2005 SP2); reports on dangerous constructs that are prohibited/discouraged by the SDL (e.g. read/write shared sections, global function pointers). Watch this video to get an overview and see a demonstration of BinScope in action. MiniFuzz File Fuzzer: The MiniFuzz File Fuzzer is a very simple fuzzer designed to ease adoption of fuzz testing by non-security people who are unfamiliar with file fuzzing tools or have never used them in their software development processes. A less capable and non-graphical version of this tool was originally published on the CD that came with the book The Security Development Lifecycle by Steve Lipner and Michael Howard. Since that tool was effective at finding quality bugs, we wanted to offer it more widely along with our other SDL tools, improve the user experience, and provide integration with Visual Studio and Team Foundation Server. Because we have found fuzzing to be effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of the MiniFuzz File Fuzzer, we have made a simple file fuzzer available to assist developer efforts to find and address more security bugs in code before it ships to customers. Simply provide the tool with a set of correctly formed files to serve as templates, and it will generate corrupted versions for testing. The effectiveness of fuzz testing can be increased by providing more variation in the template files. Watch this video to get an overview and see a demonstration of BinScope in action. Resources and Other Information: These tools are not the first ones that the SDL team has made available. Check out the SDL Tools Repository to download BinScope Binary Analyzer and MiniFuzz File Fuzzer, as well as other tools like FxCop, the SDL Process Template for Visual Studio Team System, the SDL Threat Modeling tool, CAT.NET and the Anti-XSS library. Best regards, Jeff</description><link>http://www.secuobs.com/revue/news/141653.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/141653.shtml</guid></item>
<item><title>Project Quant Open Patch Management Metric Model: Ready for Download</title><description>Secuobs.com : 2009-07-28 04:23:25 - Jeff Jones Security Blog - I am extremely excited to announce that Rich Mogull and I believe we are ready to publish two key deliverables for Project Quant today and make them available for download. The first is what I've referred to in the past as 'the model,' which is the culmination of the first phase of Project Quant. The second is our summary and analysis of the patch management survey results, which I discuss in this other post. Below is an excerpt from the model report executive summary and you can download the full report at http://securosis.com/research/publication/project-quant-metrics-model-report. Developing an Open Patch Management Metrics Model: This report includes the findings of the Project Quant patch management research project. Project Quant is dedicated to the development of a refined, unbiased patch management metrics model. The goal is to provide organizations with a tool to better understand their patching costs, and to guide improvements through an operational efficiency model capable of capturing accurate and precise performance metrics. It was developed through independent research, community involvement, and an open industry survey. Key Findings: There is no public platform-independent, industry-standard patch management process framework. As a result, Project Quant developed a superset framework to encompass most patching activities within any organization, regardless of technology asset under review. It includes ten phases with forty steps. Based on survey responses, organizations are generally mature in managing desktop operating system and server operating system patches, but process maturity quickly falls off for other technologies and platforms. Staff time dedicated to patch management activities represents the majority of patch management costs, and thus the model was designed to focus heavily on granular patching activities. Patching across multiple platforms and business activities is a very complex process, and although the Project Quant model is extremely detailed, most organizations should focus on the key metrics identified through the model. Summary and Next Steps: This release includes a detailed patch management process framework and metrics model to enable organizations to quantify and optimize their patch management processes. This is Version 1.0 of the model; future work will continue refinement, generate sample use cases, and assess its functionality in various user environments. The next step is to engage end-user organizations in focused interviews to determine how their processes and maturity align with the model and survey results. The model can then be adapted for use in industry benchmarking.</description><link>http://www.secuobs.com/revue/news/125538.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/125538.shtml</guid></item>
<item><title>Project Quant Patch Management Survey Summary and Results Available for Download</title><description>Secuobs.com : 2009-07-28 04:23:25 - Jeff Jones Security Blog - [image: survey report cover] I am extremely excited to announce that Rich Mogull and I believe we are ready to publish two key deliverables for Project Quant today and make them available for download. I describe the other one, "Measuring and Optimizing Patch Management: an Open Model", in another post. Below is an excerpt from the survey summary and analysis; you can download the full report at http://securosis.com/research/publication/project-quant-survey-results-and-analysis

Key Findings

As part of the Project Quant community effort to develop a well-defined patch management cost model, the project team fielded a survey of patch management questions covering aspects of the patch management process. While we believe this survey, due to self-selective participation, is biased towards companies with active patch management efforts, the results were informative in that context. Key findings from the survey include:
* Most companies were driven by compliance regulation; usually more than one regulation applied.
* Process maturity was generally high for operating systems, but low for other asset types such as applications and drivers (see chart).
* Companies tend to utilize multiple vendor and 3rd-party tools in their patch management process.
* 40% of companies depend on user complaints as one factor for patch validation.

[image: survey-chart]

Combining these Results with Security Trends

I am also a contributor for the Microsoft Security Intelligence Report, where I look at vulnerability trends across the industry. One of the trends we've observed over the past several periods is that vulnerability research, as well as malicious attack trends, seem to be increasingly focused on non-OS software (applications, drivers and so on). Combining this trend with the Project Quant survey findings, we have:
* increasing risk in non-OS software such as applications
* lower patch management maturity for non-OS software

These two findings together identify a clear call to action for administrators to review their patch management processes for ways to increase their ability to manage software assets beyond workstations and general servers. Download the full report at http://securosis.com/research/publication/project-quant-survey-results-and-analysis

Regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/125537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/125537.shtml</guid></item>
<item><title>Firefox in 2008: No Single Version Available for The Full Year</title><description>Secuobs.com : 2009-07-11 22:30:16 - Jeff Jones Security Blog - I've been busy doing analysis for the next article in my CIO.com Firefox series of articles, looking at vulnerability disclosures during 2007 and 2008, and I stumbled upon a little factoid that I had not previously noticed: no single version of Firefox was available for the full year of 2008. In retrospect, I should have known this would happen, given the Mozilla policy of supporting the predecessor version for 6 months after a new release. Here is what the timeline looks like:

[image: Firefox version timeline]

In my interactions with customer councils, I've found that enterprise administrators expect longer support lifecycles and much longer transition times than those shown here. On the other hand, maybe it is different for IT departments managing browsers in the enterprise than it is for other applications. I'm curious, what are your thoughts on this?

Regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/119370.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/119370.shtml</guid></item>
<item><title>Cheswick and Thompson "Securin' Ain't Easy" Rap Video - RSA 2009</title><description>Secuobs.com : 2009-07-11 22:30:16 - Jeff Jones Security Blog - [image: RSA 2009 keynotes, Friday] RSA Conference 2009 Webcasts – Day 4 Keynotes (Friday). There is only a relatively small group of people that stay all the way to the end of the RSA Conference to see the final Friday keynotes, but they were worth the wait. I can honestly say the two afternoon keynote sessions were my favorite ones of the whole week. Why? How about this: Dr. Hugh Thompson (of People Security and the Hugh Thompson Show) and firewall legend Bill Cheswick do a rap video (sing it with me now): "There were patches, breaches, lots of data leakage..."

[image: Thompson and Cheswick rapping; click photo to open video]

After the introductory rap video, Hugh had some great guests that talked about a real-life identity theft incident that happened last year, where a hacked Facebook account was used to get Facebook friends to urgently send money to help their friend who was "stuck in London with no money to get home". Watch the video, I'm sure you'll enjoy it.

Regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/119369.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/119369.shtml</guid></item>
<item><title>Mythbusters Jamie and Adam: Final Keynote RSA 2009</title><description>Secuobs.com : 2009-07-11 22:30:16 - Jeff Jones Security Blog - [image: RSA 2009 keynotes, Friday] RSA Conference 2009 Webcasts – Day 4 Keynotes (Friday). There is only a relatively small group of people that stay all the way to the end of the RSA Conference to see the final Friday keynotes, but they were worth the wait. I can honestly say the two afternoon keynote sessions were my favorite ones of the whole week. See my previous post, "Cheswick and Thompson 'Securin' Ain't Easy' Rap Video - RSA 2009", about the first keynote.

And the final keynote: Jamie Hyneman and Adam Savage of the Mythbusters television show. These guys are great. If you've never seen an episode on the Discovery Channel, then check out a few of the clips on the Mythbusters YouTube landing page. To give you a flavor of the interview, here is an actual question asked of Adam and Jamie by host Bill Duane: "What is the coolest thing that you've ever blown up?" The question comes near the end of the video, FYI.

[image: Mythbusters at RSA; click photo to open video]

Jamie and Adam also brought along a video collage they had put together with some "goof reel stuff" and what they referred to as "explosion porn". It was fun to watch, but unfortunately, that video clip was not allowed to be in the webcast. Still, I think you'll enjoy the segment, which is about 35 minutes long.

Regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/119368.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/119368.shtml</guid></item>
<item><title>Project Quant: Patch Management Cycle</title><description>Secuobs.com : 2009-07-11 22:30:16 - Jeff Jones Security Blog - Although we posted some of our initial thoughts, and have been getting some great feedback from everyone, Rich and I realized that we need a standard patch management cycle so that we can break apart the different parts of the project, so that they can be considered separately and in detail. Rich has researched several other patch management cycles, and posted a graphic that represents a tentative granular cycle that enables us to move forward. Clicking on the image will take you to the Project Quant project page and Rich's original post, which also provides a brief description for each component shown on the graphic.

[image: PatchManagementCycle]

Also, I want to make sure that you know the Project Quant Forum pages are up and active. Thanks to DS, Dutch, Daniel, Allen and others that have shared their expertise on the "initial thoughts" thread.</description><link>http://www.secuobs.com/revue/news/119367.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/119367.shtml</guid></item>
<item><title>Microsoft Security Essentials Beta Full in One Day</title><description>Secuobs.com : 2009-06-25 04:33:46 - Jeff Jones Security Blog - After launching yesterday, the Beta for Microsoft Security Essentials has filled up – see the screenshot below. This first Beta was limited to 75,000 participants within some targeted geographies and it is encouraging to see this target achieved in such a short time.

[image: mse-beta-full]</description><link>http://www.secuobs.com/revue/news/113423.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/113423.shtml</guid></item>
<item><title>Microsoft Free Anti-Malware Morro/Microsoft Security Essentials Released as Beta</title><description>Secuobs.com : 2009-06-24 04:14:35 - Jeff Jones Security Blog - [image: mse-i1] Though I have not been directly involved with Morro or any other anti-malware products, I am excited to see Morro (Microsoft Security Essentials, http://www.microsoft.com/security_essentials/) reach the next stage of development by releasing as a Beta package.

I personally think that Microsoft Security Essentials is a significant step forward in helping make the Internet a safer and more trusted experience for the average user. That may seem strange, given how long the industry has been around and given that there are already several free antivirus solutions available, for those that have even a slight technical interest in finding them.

I’ve shared my experience and opinion in the past about how the business anti-malware industry drives vendors to optimize towards businesses and away from consumers, so I won’t dig into that, but I do think there are some key points worth reviewing.

1. Barriers exist for “home user” protection. Unfortunately, many barriers to quality PC protection remain for consumers, both in mature and emerging markets where many threats originate. If you are the “free IT support” for your family and friends, then you already know what I’m talking about.

My Mom’s PC came bundled with a trial security bundle where different components were fully enabled for some months, while other protections were partially enabled and yet other components required an upgrade to be enabled. Bottom line: customers are confused by trials and annual subscription renewals, in many cases believing their PCs are covered when in fact their subscriptions have expired and they are not protected.

And also, let’s be frank, certain members of my family are just never going to pull the trigger on some of the online subscriptions that are available, even if they could figure out which ones are legitimate and which ones are actually disguised malware or unwanted software. And upgrades or updates? Please.

2. Threats continue to grow and evolve. E-mail threats continue to grow and evolve, and since many of these are now blended threats involving web sites and some aspects of social engineering, they are even becoming more platform agnostic. By some measures, over 97% of e-mail messages sent over the Internet fall into the “unwanted” and unsolicited category.

Of course, since my Mom and yours are more aware of security issues than they were 10 years ago, malware developers have begun heavily leveraging “fake security software” and social techniques to target consumers and get them to voluntarily deploy their unwanted software. By providing an easy to find, easy to deploy solution from a known brand like Microsoft, Microsoft Security Essentials can help provide some basic, well, essentials to help fight this issue.

3. Too Many Users Need More Protection. Ultimately, the evolution of threats and the barriers for home users combine to create a situation where many users need more protection. This is not just a threat to those users, but represents a threat to the broader ecosystem when these systems are at risk of catching and spreading malware.

Key Principles

I’ve talked with the product teams about their driving principles and I think they are spot on for what home users need:
* Essential Features that are necessary to enable a safer and more trusted Internet experience
  * Real-time and scan detection and cleaning
  * Live Kernel Behavior monitoring leveraging technology acquired from Komoku
  * Improved anti-stealth functionality – ‘rootkit revealer’ style scanning
  * Rootkit removal
  * Standalone boot scanning (boot to a preinstall environment to scan while completely inactive)
  * Frequent Dynamic Signature updates
  * Dynamic update capability (no wait for next “full signature” release)
  * Heuristics with pre-execution program emulation
  * Ability to quickly address false positives with the dynamic update capability
* Easy to Get, Easy to Use
  * Will be easy to find from a trusted location on microsoft.com
  * No cost, no trials or expirations
  * Smart default configurations including a dark hours update schedule
  * Daily updates
* Quiet Protection
  * Lightweight design, tuned for performance
  * CPU throttling
  * Fewer interruptions – no “information only” UI, only when action is needed
* Deep and Broad Research Team
  * Led by Vinny Gullotto (long time personal colleague back to our days at McAfee)
  * One of the best, most experienced anti-malware research teams in the industry, built up by Vinny over the past few years. Truly, though Microsoft has been in this space a short while, the team members that Vinny has assembled have been helping make the Internet safer for pretty much forever.

Final Comments

Let me emphasize that this is just a Beta, so hopefully there will be warts. Yes, I say hopefully, because the purpose of a Beta is to get a lot of folks engaged to find those warts and report them so that they can be fixed before the product is released. Having said that, my next step is to install Morro on my home computers tonight and see if I can talk my Mom through installing it on her home machine 2000 miles away. Those two experiences should give me some great feedback that I can feed to the Microsoft Security Essentials team to help improve the Beta for final release. I’ll likely share those experiences with you here on the blog.

I also ask you to try it out and share your thoughts and feedback with me. I have a fair amount of product management experience and I’m happy to distill your various feedback down into some core requirements and then deliver it directly to the product team.

This is the latest in a series of steps over several years that I think is helping make tangible progress for making the Internet safer and more trusted for many users:
* Lots of security improvements in Windows XP SP2. Remember the days before pop-up protection was introduced into IE6 in XP SP2? Remember when you kept the personal firewall turned off?
* Windows Defender. Breaking ground for Essentials, Defender helped raise the bar even in its Beta stage.
* Defense-in-depth security features in Windows Vista and the upcoming Windows 7. Say what you want about Windows, security researchers and data are showing that it raised the security bar.

Best regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/112919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/112919.shtml</guid></item>
<item><title>Brian Krebs Blog on ‘at Risk’ Chart Methodology</title><description>Secuobs.com : 2009-06-02 14:44:04 - Jeff Jones Security Blog - I am a couple of articles into my series:
* Can Mozilla Support Claims of Firefox Being the Most Secure Web Browser, and
* Can Mozilla Support Claims of Firefox Being the Most Secure Web Browser, Part 2

In part 2, I probed Mozilla’s usage of an ‘at risk’ chart to claim that their customers were only exposed to unpatched vulnerabilities for nine days in 2006. With some quick research, I came up with enough vulnerabilities to show that Firefox users were vulnerable to unpatched security flaws for at least 285 days.

Earlier this week, Brian Krebs over at the Washington Post contacted me about part 2. His original article, published at the beginning of 2007, formed the basis for Mozilla’s security marketing claims on the Firefox security page, and he asked if I realized he had only charted Critical or High severity issues. I had not realized that; though I had read the article very closely and noted that he talked about severity on the IE issues and provided a table, he didn’t mention severity ratings when discussing the Firefox issues. In fact, he only provided a pointer to the one Firefox issue, which the NVD rated as Medium severity. I had the one example to go on and I definitely didn’t map the methodology to just high severity issues.

However, I want to respect Brian’s feedback, so I went back and checked severity ratings and I found that the issues I did list were:
* 1 vulnerability rated High in the NVD (http://nvd.nist.gov)
* 6 vulnerabilities rated Medium in the NVD

As noted above, CVE-2006-1993, the one vulnerability which I believe Brian counted against Firefox in the original 2006 report, was one of the Medium severity vulnerabilities in the NVD, though rated Critical by Mozilla.

I also pointed out to Brian that I didn’t try to be exhaustive in my revised ‘at risk’ chart, as I was looking for just enough examples to show the large disparity between the Mozilla security marketing claims and reality. However, given the deeper scrutiny and Brian’s blog posting, I think I should take another look.

So, back to the drawing board to dig a bit deeper and come up with a revised list:

CVE | NVD/Mozilla severity | At-risk period
CVE-2006-0748 | High/Critical | Apr 13, 2006 – Apr 21, 2006
CVE-2006-1993 | Medium/Critical | Apr 23, 2006 – May 2, 2006
CVE-2006-2788 | High/Critical – not fixed in FF 1.0 | Jan 1, 2006* – Jun 1, 2006
CVE-2006-4253 | High/Critical | Aug 12, 2006 – Sep 14, 2006
CVE-2006-4561 | High/no MFSA | Aug 14, 2006 –
CVE-2006-5462 | Medium/Critical | Sep 18, 2006 – Nov 7, 2006

* NVD entry associates CVE-2006-2788 with bugzilla entry 321598, disclosed on 12/27/05. However, 220816 is marked as a solved duplicate, which was first opened as an issue 9/30/03. Adding to the mix, MFSA 2006-38 appears to associate bug 330897 with the vulnerability. This may actually be more than a single issue, but I’m counting them as one under CVE-2006-2788.

It turns out that this was a very interesting exercise for me. Two of the issues included above that were rated Critical by Mozilla were only listed as Medium in the NVD, including the one covered by Brian. With that insight, my original chart, which included only NVD-rated High and Medium severity issues, doesn’t seem unreasonable as a methodology.

In fact, I found nine other vulnerabilities that have:
* been rated Medium in the NVD
* don’t have a rating from Mozilla, because there has been no MFSA issued
* each been public for more than a year

Now, given that Mozilla has not acted on any of these for such a long time, it is probably safe to assume that they would not rate any of these NVD-Medium issues as Critical, and I will exclude them from my chart revision. But, for completeness, they are: CVE-2005-2114, CVE-2005-2395, CVE-2005-4685, CVE-2005-4809, CVE-2006-0496, CVE-2006-2613, CVE-2006-4310, CVE-2006-6585. Discuss amongst yourselves.

Here is the updated ‘at risk’ chart using only High or Critical severity rated issues:

[image: ff-2006-risk-updated]

That seems like a bit more than nine days to me. Pick any two and remove them (the lighter red areas are the two longest, to help you visualize it) and it is still quite a few more than nine days.

Since I had originally only planned the 2006 ‘at risk’ as the first step in the discussion, I think it is probably time to move on to the next Mozilla claim I want to dig into. In Part 3 in the series, the statements I want to probe are:

“We count every defect distinctly. We count the ones that Mozilla developers find in-house. We count the things we do to mitigate defects in other pieces of software, including Windows itself and other third-party plugins. We count memory behaviour that we think might be exploitable, even if no exploit has ever been demonstrated and the issue in question was found in-house.”

Look for discussion in Part 3 early next week.

Best regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/104855.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104855.shtml</guid></item>
<item><title>Feb09 Security Bulletin SDL Benefit Summary</title><description>Secuobs.com : 2009-06-02 14:44:04 - Jeff Jones Security Blog - Summaries from previous months:
* Jan09 Security Bulletin SDL Benefit Summary

When I do analysis and reports on Microsoft products, I typically look for where the Security Development Lifecycle (SDL) has helped to provide improvement and provide some stats on that. This year, I decided to try and do this monthly to make it easier for me than when I do it all at once. This report is my attempt to capture and share that information. I hope you find it useful.

February Summary
================

First, here is a summary of the 8 vulnerabilities addressed in February, which were addressed in five updates (MS09-002, MS09-003, MS09-004, and MS09-005):

Vulnerability | Any Windows | SDL Benefit | Comment | Non-Windows Product
CVE-2009-0075 | C-NA | Reduced severity | IE-ESC, Modularity; IE-ESC on Servers, No IE on Core | 
CVE-2009-0076 | C-NA | Reduced severity | IE-ESC, Modularity; IE-ESC on Servers, No IE on Core | 
CVE-2009-0098 | | none | | Exchange 2000, 2003, 2007
CVE-2009-0099 | | Fewer vulns | No vuln in ExCh2007 | Exchange 2000, 2003
CVE-2008-5416 | I | none | Affects all versions equally - Important | SQL, WMSDE, WYukon
CVE-2009-0095 | | none | Affects all versions equally - Important | Visio 2000, 2003, 2007
CVE-2009-0096 | | none | Affects all versions equally - Important | Visio 2000, 2003, 2007
CVE-2009-0097 | | Fewer vulns | No Vuln in Visio 2007 - Important on others | Visio 2000, 2003

Four of the eight vulnerabilities fixed in February had some level of SDL Benefit. Only 3 of the 8 vulnerabilities affected a Windows platform:
* MS09-002, the IE update, addressed two vulnerabilities
* MS09-004, the SQL update, addressed one vulnerability
  * Note that WMSDE ships with WS2003 to support UDDI
  * Note that WYukon ships with WS2008 and Core to support various services

Though I am primarily focusing on Windows components in this monthly summary, I do note that the 2007 versions of both Exchange and Office had fewer vulnerabilities compared with earlier releases.

SDL Vulnerability Benefit

This section summarizes the vulnerabilities and any corresponding SDL benefit for Windows and Windows components. Because of interest in browsers, I’ll also break out Internet Explorer separately.

Internet Explorer

Product | Vulnerabilities | Not Affected | Lesser severity
Any IE | 2 | | 
IE6, all | 0 | 2 | 0
IE7, XP or Vista | 2 | 0 | 0
IE7, WS2003 or WS2008 | 2 | 0 | 2
IE7, WS2008 Core | 0 | 2 | 0

Windows (including IE)

Product | Vulnerabilities | Not Affected | Lesser severity
Any Windows | 3 | | 
Windows XP SPx | 2 | 1 | 0
Windows Vista | 2 | 1 | 0
Windows Server 2003 | 3 | 0 | 2
Windows Server 2008 | 3 | 0 | 2
WS2008 Core | 1 | 2 | 0

Here is the key for this table:
* The first non-header row counts all vulnerabilities that affected any version of Windows – 3 this month
* For each product row, the second column counts how many affected that product and the third column reflects how many did not affect that version – columns 2 and 3 should always add up to the total from the first row (3 this month)
* The last column counts how many vulnerabilities had the severity mitigated to some degree
* The numbers in parentheses are the deltas from last month

For products where different versions of built-in applications could be installed (e.g. IE6 or IE7), I am taking the worst case value and counting when any of the versions are affected.

Update Scenarios

I also want to take a look at how updating is impacted (or not). It is likely that two versions may have the same number of updates, though each mitigates differing numbers of vulnerabilities or different levels of risk. For example, a single update might address one Moderate issue on WS2008 while the same update addresses two Critical issues on WS2003.

Companies have differing patch policies, so for the sake of illustration, I am going to assume a very simple update policy:
* Critical or Important – will be rolled out immediately
* Moderate or Low – will be deferred until a periodic roll-up update (perhaps annual or semi-annual)

Internet Explorer

Product | Updates | Deployed | Deferred
Any IE | 1 | | 
IE6, all | 0 | 0 | 0
IE7, XP or Vista | 1 | 1 (2C) | 0
IE7, WS2003 or WS2008 | 1 | 0 | 1 (2M)
IE7, WS2008 Core | 0 | 0 | 0

Windows (including IE)

Product | Updates | Deployed | Deferred
Any Windows | 2 | | 
Windows XP SPx | 1 | 2C | 
Windows Vista | 1 | 2C | 
Windows Server 2003 | 2 | 1I | 2M
Windows Server 2008 | 2 | 1I | 2M
WS2008 Core | 1 | 1I | 

Using this table, I’ll look at two fictional company scenarios:
* Company A: Has a Windows XP and Windows Server 2003 environment
* Company B: Has a Windows Vista and Windows Server 2008 environment
* Company C: Has a Windows XP, Vista, Server 2003 and Server 2008 environment
* Company D: Uses only servers implemented using Windows Server Core

Company A has to potentially roll out one update for all client machines in February (if IE7 is deployed) and one update for server machines.
Company B has to roll out one update for all client machines in February and one update for server machines.
Company C has to roll out one update for all client machines in February and one update for server machines.
Company D has to roll out one update for its Windows Server Core machines.

2009 Year-to-Date Summary
=========================

In addition to the monthly summary, I am going to try and keep a running count of the year-to-date values as well. I am doing the math in these tables by hand and I am trying to be careful, but I apologize in advance for the errors I will likely make before the end of the year. Point them out and I’ll correct them ;-)

SDL Vulnerability Benefit (YTD)

Looking at the tables below, I find some interesting key points already after February:
* Out of 6 possible Windows vulnerabilities,
  * Windows Vista – two have not affected Windows Vista and one additional one had a reduced severity
  * Windows Server 2008 – 1 did not affect Windows Server and 3 additional had a reduced severity
  * Windows Server Core (WSC) – 3 did not affect WSC and one additional had a reduced severity, meaning that 66% of possible Windows vulnerabilities either didn’t affect or had reduced severity on WSC

Internet Explorer

Product | Vulnerabilities | Not Affected | Lesser severity
Any IE | 2 (+2) | | 
IE6, all | 0 | 2 (+2) | 0
IE7, XP or Vista | 2 (+2) | 0 | 0
IE7, WS2003 or WS2008 | 2 (+2) | 0 | 2
IE7, WS2008 Core | 0 | 2 (+2) | 0

Windows (including IE)

Product | Vulnerabilities | Not Affected | Lesser severity
Any Windows | 6 (+3) | | 
Windows XP SPx | 5 (+2) | 1 | 0
Windows Vista | 4 (+2) | 2 (+1) | 1
Windows Server 2003 | 6 (+3) | 0 | 2 (+2)
Windows Server 2008 | 5 (+3) | 1 | 3 (+2)
WS2008 Core | 3 (+1) | 3 (+2) | 1

Here is the key for this table:
* The first non-header row counts all vulnerabilities that affected any version of Windows – 6 this year
* For each product row, the second column counts how many have affected that product and the third column reflects how many have not affected that version – columns 2 and 3 should always add up to the total from the first row (6 this year)
* The last column counts how many vulnerabilities had the severity mitigated to some degree
* The numbers in parentheses are the deltas from last month’s cumulative totals

Update Scenarios (YTD)

Looking at the Update deployment summary below compared to the vulnerability summaries above, there are some interesting observations:
* Windows Vista, Windows Server 2008 and Windows Server Core did not have to immediately roll out 2/3 of the Updates so far this year. This is a solid benefit.
* Though the same number of Updates were “applicable” for some different versions, the severity policies as applied resulted in fewer being deployed immediately in some cases.

Windows (including IE)

Product | Updates | Deployed | Deferred
Any Windows | 3 | | 
Windows XP SPx | 2 | 2C 1M, 2C | 0
Windows Vista | 2 | 2C | 2M
Windows Server 2003 | 3 | 2C 1M, 1I | 2M
Windows Server 2008 | 3 | 1I | 2M, 2M
WS2008 Core | 2 | 1I | 2M

Using this table, I’ll look at two fictional company scenarios:
* Company A: Has a Windows XP and Windows Server 2003 environment
* Company B: Has a Windows Vista and Windows Server 2008 environment
* Company C: Has a Windows XP, Vista, Server 2003 and Server 2008 environment
* Company D: Uses only servers implemented using Windows Server Core

Company A has rolled out a total of three updates out of 3 possible year-to-date – one on clients, one on servers and one on both. One browser update could be deferred for server machines.
Company B has rolled out a total of two updates out of 3 possible year-to-date – one on clients and one on servers. One update could be deferred. Additionally, the browser update could be deferred for server machines.
Company C has rolled out a total of three updates out of 3 possible year-to-date.
Company D has rolled out one update out of 3 possible year-to-date. One update did not apply to Windows Core and the other could be deferred because of reduced severity.

________________________________

Regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/104854.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104854.shtml</guid></item>
<item><title>Security Intelligence Report v6</title><description>Secuobs.com : 2009-06-02 14:44:04 - Jeff Jones Security Blog - [image: sirv5-cover] This morning, we released the latest version of the Microsoft Security Intelligence Report (SIRv6), examining industry-wide software vulnerability disclosures, Microsoft vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.

I am one of the primary contributors to the SIRs, so naturally I think you should download it immediately and read it cover to cover ;-) However, I understand that some of you may not wish to read a 150 page technical analysis document, except as a way to fight off insomnia. Because of that, if you go over to the main SIR page at www.microsoft.com/sir, there is also a "Key Findings" document that is much more concise and provides a nice summary of the findings from each section.

For my section, on Industry and Microsoft vulnerability disclosures, I'll be posting up some brief PowerPoint screencasts over the next few days where I'll talk through my findings while showing some pretty graphs.

Regards ~ Jeff</description><link>http://www.secuobs.com/revue/news/104853.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104853.shtml</guid></item>
<item><title>RSA Conference 2009 Webcasts – Day 1 Keynotes (Tuesday)</title><description>Secuobs.com : 2009-06-02 14:44:04 - Jeff Jones Security Blog - [image: rsa2009-keynotes-tues] The RSA Conference team has done an excellent job of making videos available this year for those that could not attend the conference live. Plus, like watching your American Idol on your DVR, you can easily skip past the parts you find boring and just focus on the exciting stuff.

RSA Conference 2009 kicked off with a video honoring Edgar Allan Poe and tying Poe to cryptography, which led into an awesome dual violin performance that I thoroughly enjoyed (do not skip the opening ceremony video).

The keynote webcasts for Tuesday cover:
* Opening ceremony (Poe video and dual violin performance)
* Art Coviello, RSA/EMC
* Enrique T. Salem, Symantec: “An Environment of Increasing Complexity and Risk”
* Scott Charney, Microsoft: “Moving Towards End to End Trust: A Collaborative Effort”
* The Cryptographer’s Panel
  * Whitfield Diffie
  * Martin Hellman
  * Ron Rivest
  * Adi Shamir
  * Bruce Schneier
* Lieutenant General Keith B. Alexander, NSA/CSS

If you care ;-) I particularly recommend and point you to the following:
* The Opening Ceremony video – I just liked it
* Scott Charney’s webcast if you have an interest in End to End Trust, as he does a good job of laying out why it is needed and why it must be solved as a collaborative effort by the entire industry
* Martin Hellman on the Cryptographer’s Panel, which follows up on a theme I loved last year (read RSA Crypto Panel: Martin Hellman on 0.01% Events, concerning Low Probability High Impact events)

Click on the Webcast image above, or here, to go to the webcast page.</description><link>http://www.secuobs.com/revue/news/104852.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104852.shtml</guid></item>
<item><title>RSA Conference 2009 Webcasts – Day 2 Keynotes (Wednesday)</title><description>Secuobs.com : 2009-06-02 14:44:04 - Jeff Jones Security Blog - [image: rsa2009-keynotes-wed] The RSA Conference team has done an excellent job of making videos available this year for those that could not attend the conference live. Plus, like watching your American Idol on your DVR, you can easily skip past the parts you find boring and just focus on the exciting stuff.

Again, if you haven’t watched it, I encourage you to watch the Opening ceremony from day 1.

The keynote webcasts for Wednesday:
* Melissa E. Hathaway, National and Homeland Security Council
* Panel Discussion, Information Governance
* John Chambers, Cisco Systems
* Dave DeWalt, McAfee
* Brian Smith, PhD, TippingPoint
* James Bamford, Author of “The Shadow Factory”</description><link>http://www.secuobs.com/revue/news/104851.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104851.shtml</guid></item>
<item><title>RSA Conference 2009 Webcasts – Day 3 Keynotes (Thursday)</title><description>Secuobs.com : 2009-06-02 14:44:04 - Jeff Jones Security Blog - [image: rsa2009-keynotes-thu] The RSA Conference team has done an excellent job of making videos available this year for those that could not attend the conference live. Plus, like watching your American Idol on your DVR, you can easily skip past the parts you find boring and just focus on the exciting stuff.

Again, if you haven’t watched it, I encourage you to watch the Opening ceremony from day 1.

The webcast keynotes for Thursday:
* Brian J. Truskowski, IBM Global Technology Services
* Philippe Courtot, Qualys
* Dave Hansen, CA</description><link>http://www.secuobs.com/revue/news/104850.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104850.shtml</guid></item>
</channel>
</rss>
 
