So, in conjunction with the BlueHat team, I am pleased to announce that the SDL team will be organizing the sessions for the second day of the fall BlueHat conference. The BlueHat SDL sessions will be laser-focused on not just describing vulnerabilities but also solving them. Every attendee should leave every presentation with a clear idea of exactly what he or she needs to do to protect themselves from the threat that was discussed during the session.

The sessions will begin, appropriately, with the topic of secure design. Danny Dhillon of EMC and the SDL team’s own Adam Shostack will each present their organization’s approach to threat modeling. As a bonus, Adam will also be demonstrating the new SDL Threat Modeling tool that you might have heard about last week.

Next up is Matt Miller, a recent and very welcome addition to the Microsoft Security Science team. Matt has a fantastic presentation on the evolution of buffer overflow attacks and on the corresponding development of overflow mitigations. From there we will switch gears to look at some managed code implementation issues: iSEC Partners’ Scott Stender and Alex Vidergar will demonstrate coding techniques to mitigate elusive concurrency vulnerabilities in web applications.

At this point we will have covered the Design and Implementation phases of the SDL; where better to go from here than Verification? One of the most important activities in the Verification phase is fuzzing, and we have a trio of security experts from the Microsoft Security Science team to talk about it. Jason Shirk, Lars Opstad, and Dave Weinstein will answer three of the most common fuzzing questions: How should I fuzz? When have I fuzzed enough? And what do I do now that I’ve fuzzed?

Finally, we will wrap up the Verification phase talks with a return appearance to BlueHat by Stach & Liu’s Vinnie Liu. Vinnie will compare different approaches to security verification – static code analysis, blackbox analysis, and manual code review – and make recommendations as to when each approach is best used.

Even if you can’t make it in to BlueHat in person, you can still watch the sessions via streaming media on TechNet. Additionally, webcast interviews with the speakers – condensed “Cliff’s Notes” versions of their full presentations – will be posted on Channel 9. And we’ll be continuing the BlueHat tradition of inviting speakers and other industry notables to guest blog about their topics and the latest security trends. More information on all of these resources will be posted here when it becomes available.

http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377

Hey Steve you and your montize buddy Scott will soon have your hands full after the federal officers come down on your data scams and as for your educational acts i'm not buying it and if others are willing to trade your data for their profits guess there are fools born everyday tunnels oh I see drug dealers right Stevo

Normally I delete spam from my comments, and have occasionally deleted mindless ranting criticism (I encourage vigorous discussion of ideas, but won't allow personal attacks). However, this guy's comment is just...weird.

• What's a "montize buddy Scott"? I know lots of Scotts, and once even admired a particular "Montgomery Scot." But "montize"? Maybe it's a new kind of malt.
• I don't believe I'm perpetuating any data scams, none that I know of, anyway. If any of you, my readers, feel that I'm scamming your data, I guess I haven't concealed that fact well enough. Oops, sorry! We'll have to add another item to the constantly-growing list of data breaches.
• While it's true that some of my conference appearances aren't free, no one is certainly forced to buy any of my "educational acts." A lot of my presentations you can download for free!
• I never look in tunnels for my supplies, they're too dark and you can never be totally certain of what you're getting.

Thanks, dodacrazy, for a good Thursday morning laugh!

To put yourself in the running, please respond via comment to the following question: Why do you attend Interop? What does interoperability mean to you?

The first two to comment on the blog with a response will receive the code to register FREE for conference sessions at Interop. Make sure you leave your e-mail address with your comment to collect the code!

MI5 has concluded that there is no easy way to identify those who become involved in terrorism in Britain, according to a classified internal research document on radicalisation seen by the Guardian.

[...]

The main findings include:

• The majority are British nationals and the remainder, with a few exceptions, are here legally. Around half were born in the UK, with others migrating here later in life. Some of these fled traumatic experiences and oppressive regimes and claimed UK asylum, but more came to Britain to study or for family or economic reasons and became radicalised many years after arriving.

• Far from being religious zealots, a large number of those involved in terrorism do not practise their faith regularly. Many lack religious literacy and could actually be regarded as religious novices. Very few have been brought up in strongly religious households, and there is a higher than average proportion of converts. Some are involved in drug-taking, drinking alcohol and visiting prostitutes. MI5 says there is evidence that a well-established religious identity actually protects against violent radicalisation.

• The "mad and bad" theory to explain why people turn to terrorism does not stand up, with no more evidence of mental illness or pathological personality traits found among British terrorists than is found in the general population.

• British-based terrorists are as ethnically diverse as the UK Muslim population, with individuals from Pakistani, Middle Eastern and Caucasian backgrounds. MI5 says assumptions cannot be made about suspects based on skin colour, ethnic heritage or nationality.

• Most UK terrorists are male, but women also play an important role. Sometimes they are aware of their husbands', brothers' or sons' activities, but do not object or try to stop them.

• While the majority are in their early to mid-20s when they become radicalised, a small but not insignificant minority first become involved in violent extremism at over the age of 30.

• Far from being lone individuals with no ties, the majority of those over 30 have steady relationships, and most have children. MI5 says this challenges the idea that terrorists are young men driven by sexual frustration and lured to "martyrdom" by the promise of beautiful virgins waiting for them in paradise. It is wrong to assume that someone with a wife and children is less likely to commit acts of terrorism.

• Those involved in British terrorism are not unintelligent or gullible, and nor are they more likely to be well-educated; their educational achievement ranges from total lack of qualifications to degree-level education. However, they are almost all employed in low-grade jobs.

Changing Behavior

1. Educate yourself.
At least every 6 to 12 months, surfers should browse the educational information provided by their operating system and security vendors and subscribe to any security-related newsletters they might offer. According to David Perry, familiarity with the latest threats, dangers, and recommended safety tips will allow surfers to make safe choices. “Until you know what’s out there, you’re just flying blind. Without an education, you’re wide open”.
2. Avoid suspect sites.
While criminals can infect even mainstream Web sites, sites such as gambling sites, adult Internet sites, and illegal file-sharing sites are far more likely to carry malicious code. Web sites that offer “something for nothing” frequently recoup their losses by infecting visitors’ PCs.
3. Lose Your Comfort Zone.

Recommended Technology

4. Use an updated virus scanning suite.
The most important component of any threat mitigation system is a virus scanning suite. In addition to detecting and removing known viruses and malware, modern virus scanning suites provide additional protections against new attacks by disabling their known protocols. For example, Trend Micro™ Internet Security encrypts keyboard traffic, protecting personal data from keyboard logging programs that might go unnoticed. Users should update their scanner and virus definitions as frequently as possible to ensure the best possible coverage.
5. Upgrade your OS and browser.
In addition to offering more features, Microsoft’s Internet Explorer version 7 and the latest Mozilla Firefox are both substantially more secure than previous-generation browsers. Users of older browsers should upgrade immediately to take advantage of increased security. Similarly, Windows Vista and Mac OS X are more secure than their predecessors, and users of older operating systems should consider upgrading, as well.
6. Disable scripting and “widgets.”
Many Web-based attacks use various scripting languages to run infectious programs in a browser or use downloadable “widgets” to execute infections locally. By disabling scripting and avoiding downloadable widgets wherever possible, surfers disable these common attack vectors.
7. Rate your Web pages.
Some available services rate the risk of Web pages in search results, allowing surfers to avoid unwanted content and hidden threats before viewing the pages. Rating applications (e.g., Trend Micro TrendProtect™) consume few system resources and run unobtrusively, so they are suitable for any Web-enabled personal computer.
8. Ask your provider.
Commerce companies, banks, and credit card associations are all interested in computer security, and many offer additional features. For example, Visa’s Verified By Visa program requires cardholders to enter a second password to identify themselves during a transaction, while businesses in Poland require cell-phone confirmation of credit card purchases. While nothing will be 100 percent effective, any additional security measure provided by a trusted source will increase protection, and surfers should adopt as many as possible.

This article provided for your reading pleasure by Trend Micro.

Some of the major obstacles we face with 802.1X center around creating a smooth end user experience.  We, as integrators, have the distinct ability to make ‘whatever’ work- we find a way. But, what I hear most from my customers is “it has to be easy for the end user.”  (Sometimes they go on a little further, but I’ll leave it at that.)

Why does it matter?

Wireless, wireless, wireless. Although wired 1X is popular with our customer-base, the world isn’t quite flocking to it yet. However, 802.1X is certainly the best way to increase security and ease management of wireless networks. It’s standard, it’s flexible, it’s widely-supported by devices and endpoints and it eliminates the need for pre-shared keys or secondary passwords. It’s what most enterprises, government and educational organizations are implementing now, so it’s important.

What are some of the problems?

The end user will have some adjustments to make, and network admins and support desks aren’t always thrilled with the propect of re-training users for these expectations.

• Conduct regular security assessments of Web-based applications. The universities first need to determine how many Web-based applications they have and then make provisions to regularly update their lists of applications.  They then need to develop and implement procedures for regularly conducting security reviews of their critical Web-based applications.

• Develop a university-wide policy and associated procedures for updating Web servers, which are computers that host Web-based applications. Software vulnerabilities are constantly being discovered and publicized, and the universities need to develop or enhance: (1) procedures for identifying vulnerabilities relevant to their Web servers, (2) a timeline for reacting to notifications of newly discovered Web server vulnerabilities, and (3) a process for determining whether to apply a software update, establish another control to address the Web server vulnerability, or accept the risk of not updating the software.
• Ensure that security is built into the process for developing Web-based applications. According to ASU, UA, and NAU officials, none of them have university-wide security standards for developing applications. According to an IT best practice, building security into the development process is more cost-effective and secure than applying it afterwards.
• Provide training to application developers so that they are aware of common Web-based application vulnerabilities and methodologies that can be used to avoid them. None of the universities have a training program that is mandatory for all users and geared toward an individual's role within the university.