Windows 7 roadshow coming to six US cities in March

Thursday 21 January 2010 4 comments

I’m very excited to announce a new Windows 7 roadshow during March 2010. Truesec, a security consulting and education firm based in Sweden with a new US office, is hosting the roadshow in six cities in the United States. I’ll deliver the opening keynote, highlighting security improvements in Windows 7. John Arwidmark and Mikael Nyström will speak about deployment, migration, and management. Finally I’ll end the day with some thoughts about what I’d like to see in future versions of Windows.

Your $495 registration fee for this full-day seminar includes five presentations, breaks, and lunch. Here’s our itinerary:

  • Chicago, IL — 16 March
  • Washington, DC — 17 March
  • New York, NY — 18 March
  • Raleigh, NC — 30 March
  • Atlanta, GA — 31 March
  • Houston, TX — 1 April

Register soon to reserve your seat! I’m looking forward to meeting new and old friends.


I’m presenting at CloudCamp Seattle

Wednesday 13 January 2010 3 comments

CloudCamp is coming to Seattle on Wednesday 3 February 2010. My first experience at a CloudCamp was in Phoenix last year. I love its unique format and am excited to join another Camp. It starts with several five-minute “lightning talks”; the Seattle event will have four, and I’ll deliver a rapid overview of cloud security in Amazon Web Services. After the lightning talks is a panel, followed by two breakout “unsessions.” The unsessions are attendee-driven; I’ll focus on general cloud security/compliance and AWS specifics, so come prepared with your toughest questions. Registration is free; donations accepted, too. Hope to see you there!


SIIA webinar: Cloud security for dummies

Wednesday 13 January 2010 1 comment

Good day, everyone. The Software and Information Industry Association (SIIA) is hosting a webinar about cloud security on Tuesday 19 January 2010 at 12:30 PM EST/9:30 AM PST. I’m one of the panelists. Here’s a brief blurb and the participants:

Cloud webinar series: Cloud security for dummies
Security and cloud computing have come a long way in just a few years. Understanding these issues becomes vital as cloud computing expands into government and the large enterprise. New trends — like the emergence of private clouds — are changing the way companies think about their security strategy. In this webinar, you’ll hear perspectives from service providers, platforms, pure-play firms, and other players in the cloud security space.

Moderator:
Lars Ewe, Chief Technology Officer, Cenzic
Panelists:
Deb Banerjee, Director of Engineering, Symantec
Jim Cavalieri, Chief Security Officer, Salesforce
Steve Riley, Sr. Technical Program Manager, Amazon Web Services

Event price for SIIA members: free
Event price for non-SIIA members: US$50.00

Please join us if you can!


More on ADFS with Amazon EC2

Wednesday 13 January 2010 2 comments

Thanks to those who wrote to me with ideas about using ADFS to federate with Windows instances running in Amazon EC2. My original post was picked up by a couple of other blogs, which I’d like to acknowledge here:

As part of a joint project between Amazon Web Services and Microsoft, I’m proud to announce the release of a whitepaper written by David Chappell that explores these federation scenarios in more detail. David begins his paper with an additional scenario — your Amazon EC2 resources are placed in an Amazon Virtual Private Cloud (VPC) and joined to your own corporate domain; here, there’s no use of ADFS. Then he illustrates the two scenarios I mentioned before, and shows how it would work with both ADFS 1.1 and ADFS 2.0.

Soon we’ll release a companion step-by-step guide that walks you through the steps required to build these federation scenarios in a lab. From this you’ll gain the skills and experience necessary to implement them in your production environment. I’ll announce here and on the AWS blog when the guide is available for download.


Windows Server 2008, ADFS, and Amazon EC2

Wednesday 6 January 2010 3 comments

As I’ve talked with customers who have deployed or plan to deploy Windows Server 2008 instances on Amazon EC2, one feature they commonly inquire about is Active Directory Federation Services (ADFS). There seems to be a lot of interest in ADFS v2 with its support for WS-Federation and Windows Identity Foundation. These capabilities are fully supported in our Windows Server 2008 AMIs and will work with applications developed for both the “public” side of AWS and those you might run on instances inside Amazon VPC.

I’d like to get a better sense of how you might use ADFS. When you state that you need “federation,” what are you wanting to do? I imagine most scenarios involve applications on Amazon EC2 instances obtaining tokens from an ADFS server located inside your corporate network. This makes sense when your users are in your own domains and the applications running on Amazon EC2 are yours.

Another scenario involves a forest living entirely inside Amazon EC2. Imagine you’ve created the next killer SaaS app. As customers sign up, you’d like to let them use their own corpnet credentials rather than bother with creating dedicated logons (your customers will love you for this). You’d create an application domain in which you’d deploy your application, configured to trust tokens only from the application’s ADFS. Your customers would configure their ADFS servers to issue tokens not for your application but for your application domain ADFS, which in turn issues tokens to your application. Signing up new customers is now much easier.
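The chained trust in that second scenario is easy to get backwards, so here it is as a small simulation. This is an added example, not code from the original post and not how ADFS is implemented: real ADFS issues RSA-signed SAML or WS-Federation tokens, and this stand-in uses HMAC-signed JSON so it runs with the standard library alone. The host names, the claim value, and the class and function names are all assumptions made for the illustration. What it shows is the trust topology: the application holds exactly one trusted issuer (the application domain’s ADFS), and onboarding a customer adds a claims-provider trust at that ADFS, never at the application. A token the customer’s ADFS addresses directly to the application is rejected, and so is a relayed token whose claims were edited in transit.

```python
"""Chained federation: customer ADFS -> application-domain ADFS -> application.

Added example only. HMAC stands in for RSA signatures (assumption), so one
key per STS serves both signing and verification.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Minimal STS: signs tokens it issues, verifies tokens from issuers it trusts."""

    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)   # signing key (HMAC stands in for an RSA key pair)
        self.trusted_issuers = {}            # issuer name -> verification key ("claims provider trusts")

    def trust(self, other: "SecurityTokenService") -> None:
        self.trusted_issuers[other.name] = other.key

    def issue(self, audience: str, claims: dict) -> str:
        body = _b64(json.dumps({"iss": self.name, "aud": audience, "claims": claims}, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify(self, token: str, expected_audience: str) -> dict:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
        key = self.trusted_issuers.get(payload["iss"])    # unknown issuer: no key, no trust
        if key is None:
            raise PermissionError(f"{self.name}: untrusted issuer {payload['iss']}")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise PermissionError(f"{self.name}: bad signature")
        if payload["aud"] != expected_audience:
            raise PermissionError(f"{self.name}: token addressed to {payload['aud']}")
        return payload["claims"]

    def federate(self, inbound_token: str, relying_party: str) -> str:
        """Accept a customer token addressed to this STS and re-issue it for the application."""
        claims = self.verify(inbound_token, expected_audience=self.name)
        return self.issue(audience=relying_party, claims=claims)


def demo() -> dict:
    customer_adfs = SecurityTokenService("adfs.customer.example")   # customer's corpnet ADFS (assumed name)
    app_adfs = SecurityTokenService("adfs.killerapp.example")       # application-domain ADFS in EC2 (assumed name)
    app = SecurityTokenService("killerapp")                          # the SaaS application as relying party

    app.trust(app_adfs)             # the application's only trust relationship
    app_adfs.trust(customer_adfs)   # onboarding a customer: one claims-provider trust, at the STS

    alice = {"upn": "alice@customer.example"}                        # constructed identity
    t1 = customer_adfs.issue(audience=app_adfs.name, claims=alice)   # issued for the app-domain ADFS, not the app
    t2 = app_adfs.federate(t1, relying_party=app.name)               # re-issued for the application
    accepted = app.verify(t2, expected_audience=app.name)

    def rejected(token: str) -> bool:
        try:
            app.verify(token, expected_audience=app.name)
            return False
        except PermissionError:
            return True

    # Customer ADFS addressing the application directly: issuer unknown to the app
    direct = customer_adfs.issue(audience=app.name, claims=alice)
    # Relayed token with edited claims but the original signature: signature check fails
    _, sig = t2.split(".")
    forged = _b64(json.dumps({"iss": app_adfs.name, "aud": app.name,
                              "claims": {"upn": "admin@killerapp"}}, sort_keys=True).encode())
    return {"claims": accepted,
            "direct_rejected": rejected(direct),
            "tampered_rejected": rejected(f"{forged}.{sig}")}


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one the paragraph draws: adding a customer touches only the application domain’s ADFS, and the application never learns, and never has to validate, any customer’s signing key.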

What else do you have in mind for federation? How will you use it? Feel free to join the discussion. I’ve started a thread on the forums, please add your thoughts there. I’m looking forward to some great ideas.

(Reposted from the AWS blog, where I’ll be writing from time to time.)


What are the odds?

Tuesday 29 December 2009 14 comments

Offered for your perusal.


Categories: public policy, risk, threats

The terrorists have won

Saturday 26 December 2009 2 comments

By now you’ve read plenty about the idiot who tried to blow up an airplane yesterday, and probably have gotten your blood boiling over the TSA’s detestable reactions. Although there seems to be some reaction among a few folks in the general population that all the security theater insanity has got to stop, alas there are enough sheeple who seem convinced that you can never have too much security. And since these people unfortunately get to vote, and reliably vote for headline-grabbing politicians who care more about the limelight than learning how to respond to real threats, I predict that soon you’ll encounter two more layers of security theater next time you fly. First, the question “What color would you like those rubber gloves?” will no longer be just a joke. Second, billions of dollars will be wasted on whole-body imaging equipment at airports nationwide. Someday this will be you:

Rather than engage in the difficult and successful yet invisible work of meaningful risk assessment, thorough threat investigations, and disrupting the funding of terrorist organizations and their wanna-be copycats, our elected representatives and their political appointees take the easy path: they stoke the fears of a worried, ignorant public. Attention, DHS: piss off.


Speaking in New York, Thursday 10 December 2009

Monday 7 December 2009 10 comments

It’s great to be back on the road. One of the things I always enjoyed about my previous job was the travel — meeting new people, exploring new destinations. I’m glad that my work at Amazon Web Services continues in that vein.

I’ll be in New York and New Jersey later this week for customer meetings. I was invited to speak at the meeting of the New York IT Security User Group on Thursday evening, 10 December. I’ll give a general talk on cloud computing, followed by a more detailed talk on cloud security and AWS security. If you’re in the area, please come — the event is open to all.

Venue information
AXA Financial Building
1290 6th Avenue (nee Avenue of the Americas)
New York 10104

NYITSUG event details (no registration necessary, however)

Come to the Microsoft office on the 6th floor
We start at 6:00 PM

___________________
Presentation abstracts

Fear the cloud no more
Suddenly, it seems, the simple network diagram symbol for the Internet has become a major component for providing infrastructure platforms and service offerings. Unlike the application service provider days of the late 1990s, cloud computing is here to stay. It’s already gained much traction for specialty computing purposes, yet many IT shops remain wary. Moving compute and storage out of your own data center and into someone else’s, mingled among many others, seems daunting at first. Common questions arise around security, manageability, performance, and reliability. Think about it, though–these are the same concerns you’ve always had. Nothing about the cloud requires that you jettison everything you’ve learned during your career. The cloud is a logical next step in the evolution of computing, and when integrated with corporate IT removes much of the burden and allows a business to concentrate on its core functions. Steve Riley will explore common concerns, dispel several myths, and help you learn how your business can benefit from the cloud.

Security and compliance in the cloud
Moving to the cloud raises lots of questions, mostly about security. Providers worthy of your business should answer them clearly and honestly. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. Steve Riley will discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.


Staying safe online–my contribution to JustAskGemalto

Friday 4 December 2009 1 comment

Gemalto has launched a consumer education program called JustAskGemalto featuring advice and short videos by many folks in the information security industry. I was interviewed a few weeks ago about staying safe online. The video is now available on JustAskGemalto’s YouTube channel.


Categories: interviews

Index of insider threats

Tuesday 24 November 2009 2 comments

Saw this article the other day about insider threats. It describes the growth of attacks by insiders, largely motivated by the downturn in the economy. For your statistical reading pleasure, I’ve reformatted the numbers following the Harper’s Index pattern.

Survey participants in London and New York: 600
Departing workers who took sensitive information with them: 40%
Portion who would provide this information if it would help to find another job: 1/3
Percentage of employees who are aware of the illegality of stealing information: 85%
Portion of this population who do it anyway: 1/2
Percentage who believe it will be useful at some point in the future: >50%
Percentage who find it easier to pilfer information this year: 57%
Percentage last year: 29%
Percentage who claimed they would take company info if fired tomorrow: 48%
Percentage who would download company/competitive information if their jobs are at risk: 39%
Portion of workers who have lost loyalty to their employers because of the recession: 1/4
Percentage of those who take information “just in case”: 64%
Percentage who would use the information in future job negotiations: 27%
Percentage who would use the information as tools in their new jobs: 20%
Those who would take customer and contact details: 29%
Plans and proposals: 18%
Passwords and access codes: 13%
Product information: 11%
Percentage of workers who would strive to find the redundancy list: 32%
Percentage of those who would bribe a co-worker in the human resources department: 43%
Who would use their own IT-granted access rights: 37%
Who would use personal contacts of those in the IT department: 30%


Links to my Windows Connections presentations

Thursday 12 November 2009 2 comments

Several of you have asked for copies of my presentations from the autumn 2009 Windows Connections. Because I’m using the online tool Prezi, I don’t have traditional slides to give you. I have, though, shared the presentation files for everyone to see. The links are below.

Thanks again for coming to the talks. And be sure to look for my Windows-related guidance for using Amazon Web Services. I’ll announce here and on the AWS blog when each paper is published.


I’m presenting at CloudCamp Phoenix

Wednesday 21 October 2009 Comments off


This Saturday, 24 October, CloudCamp is coming to Phoenix. CloudCamp follows a unique format, and I’m pretty excited to participate. It starts with several five-minute “lightning talks”; the Phoenix event will have five, and I’ll deliver a rapid overview of cloud security in Amazon Web Services. After the lightning talks is a panel, followed by two breakout “unsessions.” The unsessions are attendee-driven; I’ll focus on general cloud security/compliance and AWS specifics, so come prepared with your toughest questions. Hope to see you there!

CloudCamp information
CloudCamp Phoenix details
Register for CloudCamp Phoenix


Puget Brass in concert

Wednesday 21 October 2009 1 comment


Last year I joined a British brass band here in Seattle, called Puget Brass. I’m a long-time French horn player; since British brass bands don’t have French horns, I learned to play the baritone horn. Our first concert of the 2009-2010 season is this weekend. We’re performing a mix of traditional and contemporary pieces. If you’re local to Seattle, or traveling here, and would enjoy some high quality cultural entertainment, I’d love to see you come.

Date — Sunday 25 October
Time — 2:00 PM
Location — Plymouth Congregational Church, 1217 6th Ave (at University St), 98101 (map)


Categories: Puget Brass, music

Payroll attackers add themselves

Saturday 17 October 2009 Comments off

As a follow-up to my earlier post recommending a procedure for discovering and removing payroll fraud, I’d like to point out an article in yesterday’s Threat Level:

A payroll-processing firm that was breached by hackers last month is warning customers about a new breach, after some clients noticed phantom employees popping up on their payrolls.

New Jersey-based PayChoice sent a message to customers Thursday indicating that thieves appeared to have stolen customer login IDs and passwords by exploiting a vulnerability in the website feature for changing a password, WashingtonPost.com reports. PayChoice said it disabled the change-password feature until it could fix the vulnerability.

The company discovered the problem after some of its payroll customers noticed bogus employee names being added to their payroll lists, in an attempt to get the companies to pay those “employees” through bank accounts controlled by the fraudsters.


Categories: attacks, malware, phishing, risk

Newly published: Amazon Virtual Private Cloud scenario paper

Monday 12 October 2009 2 comments


One of the coolest new features of AWS is Amazon Virtual Private Cloud. With Amazon VPC you can securely extend your corporate network into the cloud. You can maintain ownership and control of the information, you can provide the IP address range, you can control access and security using your existing tools and products. An IPsec tunnel-mode security association protects the data communications between your network and your Amazon VPC cloud. You can join your Amazon EC2 Windows instances to your domain and manage them with System Center.

I’ve written a paper that describes several scenarios that fit well with Amazon VPC. Please give it a read. And if you’ve not yet tried AWS, perhaps this will give you a few ideas of projects that fit with your IT plans.

Whitepaper: Extend your IT infrastructure with Amazon VPC


Oklahoma lawmakers violate privacy of women

Saturday 10 October 2009 3 comments


Absolutely unconscionable. In a blatant play to shame women away from perfectly legal medical procedures, the Oklahoma legislature passed a law that will collect and publish personally identifiable information about each woman who receives an abortion in that state. What’s included:

  1. Date of abortion
  2. County in which abortion performed
  3. Age of mother
  4. Marital status of mother (married, divorced, separated, widowed, or never married)
  5. Race of mother
  6. Years of education of mother (specify highest year completed)
  7. State or foreign country of residence of mother
  8. Total number of previous pregnancies of the mother

Not included is the woman’s name, but given the number of small towns in Oklahoma, deducing her identity will be easy. Also not included is the name of the father. One could surmise this is to conceal the identity of randy state politicians, but that would be…um…correlation without causation, no? (Riiiiiiiiiight.)

I really don’t understand why people continue to vote for politicians who actually think laws like this are good ideas. This law is going to cost taxpayers a quarter of a million dollars every year. What public benefits will the state’s residents receive? Certainly not any increase in public safety. If anything, one potential outcome of the law might be an increase in lynchings — wingnuts might very well locate, harass, even kill anyone they can identify on the list.

Stupid.

There’s an effort to kill the law. Let’s hope it succeeds.


Your opinion: external out-of-office replies

Monday 5 October 2009 15 comments

Earlier this evening I sent an email to a list of acquaintances. Along with the expected NDR or two, I received several out-of-office replies. This surprised me: I assumed most people realize sending out-of-office replies beyond their organization creates vulnerabilities. Now I’m curious about how pervasive the practice might be. So, dear reader, please answer this poll about whether you or your organization uses external replies and what your opinion is of them:

I think they’re dangerous. They frequently offer plenty of information for a bad guy to cause a lot of mayhem. Here’s a sample:

Good day. During 26-31 December 2009 I’m on vacation with my extended family enjoying the sun and triple-bogeying my way to the 19th hole in Cayman Islands. I’ve left my mobile phone at home, too. If you need any assistance, please contact Alice. I’ll answer your emails and calls when I return. –Bob

So what have we learned about Bob?

  • Bob is far away from home for six days.
  • Bob and his family departed the day after Christmas, so his house is probably full of brand new loot.
  • Some of Bob’s siblings’ families, and his parents, are also away from home. Their houses are probably full of new presents, too.
  • Bob’s shiny new smartphone is sitting on his kitchen table, next to the keys for his wife’s attractive new BMW parked in the driveway.
  • Bob must have a lot of money; why else would he go to the Caymans?
  • Bob’s a major golf nut, but most likely he’s better at drinking than driving.
  • Bob probably left his computer on. I’d bet his bank password is “golfgolf.” (Bob must work in sales.)
  • Bob is a moron.

Now I certainly never let fear motivate decisions of mine, but I’ll admit that external out-of-office messages worry me. Internal replies don’t: it’s reasonable to trust one’s colleagues and internal replies help people understand why your emails are delayed. The risk created by external replies outweighs their usefulness, though. If Bob were smart, he would have individually informed business associates about his short absence so they’d know when to expect pending work to resume. Blasting details about your empty house to anyone who pings your mailbox is just stupid.


Cloud for the enterprise

Monday 5 October 2009 Comments off

Amazon Web Services is coming to Los Angeles and New York with half-day afternoon events especially for enterprises. I’ll be there, speaking about security and concluding with some remarks on how the cloud is changing delivery of IT services. Click on one of the links below to register. The events are free — hope to see you there!

Los Angeles – Thursday 15 October – Sofitel Hotel, 8555 Beverly Blvd, 90048
New York – Monday 19 October – Marriott Downtown, 85 West St at Albany St, 10006

Reasons to attend

  • Gain a deeper understanding of Amazon Web Services, including best practices for architecting and securing applications in the cloud
  • Learn how AWS can help you quickly and cost-efficiently scale IT infrastructure capacity to meet growing business needs without incurring resource costs when demand is low
  • Hear enterprise customers talk about their experiences and successes with Amazon Web Services

Who should attend

  • Technology and business stakeholders of enterprise companies, including CTOs, CIOs, VPs, directors, program and product managers, architects, administrators, lead engineers, and IT managers

Agenda

12:30pm – 1:30pm: Doors open; partner and solutions expo
1:30pm – 1:40pm: Opening statements
1:40pm – 2:20pm: AWS overview by Dr. Werner Vogels, Amazon CTO
2:20pm – 3:20pm: Customer presentations and Q&A
10 minute break
3:30pm – 4:00pm: Security in the AWS cloud
4:00pm – 4:40pm: Architecting enterprise applications in the cloud
4:40pm – 5:00pm: Getting started with the AWS cloud
5:00pm – 7:00pm: Networking and cocktail reception


Who’s on your payroll?

Sunday 4 October 2009 8 comments

Do you know for certain that everyone on your organization’s payroll is actually employed by your company? Are you sure? Payrolls have long been tempting targets for attackers. It’s where the money is. Anyone with sufficient access to the payroll database could secretly add a buddy or two; probably no one would notice. The buddies kick a bit of their “paychecks” back to the sleazy employee. This could happen to organizations of all sizes — to avoid detection, people scamming small companies keep their payouts low, while those pilfering from large organizations can get away with greater amounts.

A few days ago we learned that payroll processing and software firm PayChoice got attacked:

In a Sept. 28 e-mail sent to customers, PayChoice indicated that the hackers had obtained e-mail addresses as well as login IDs and at least parts of passwords for account holders using the OnlineEmployer.com web site.

The hackers wasted no time in using the information to trick the customers into relinquishing the remainder of their passwords. Customers…received targeted phishing e-mails telling them they needed to download a plug-in to continue using the OnlineEmployer web site. The e-mails referenced the customer’s log-in username and part of their password.

The plug-in, however, was actually a password-stealing Trojan [TrojanDownloader:Win32/Bredolab.X]. When customers clicked on a link in the e-mail taking them to a site hosting the plug-in download, the site searched for vulnerabilities to exploit in the user’s browser and other applications that would allow it to install the malicious software onto their machine. The malware exploits the Internet Explorer browser as well as Adobe Flash and Adobe Reader applications.

While not the same as inserting fraudulent entries into the payroll database, it shows that attackers aren’t exactly stupid about picking their victims. Phishing attacks urging victims to download and run malware are nothing new. I’ve told the story many times about how attackers used a similar tactic in 2004 to siphon money out of the online accounts of e-Gold customers:

Win32.Grams was directly spammed to potential victims, in the form of an attachment containing an encoded Visual Basic script with a .vbe extension… When run, the VB script downloads a file from http://onestopgpt.com/media.exe (no longer available), saves it as svhost.exe and executes it.

Because the trojan automates the burden of siphoning money from the accounts and does it from the victim’s own computer, this method of account looting bypasses all authentication methods employed by the banking institutions, and is therefore expected to become very popular – however, due to tagging of certain browser fields, the automated sessions can still be detected by the financial institutions using backend analysis systems (for example, the Corillian Fraud Detection System).

Since the trojan uses the victim’s established SSL session and does not connect out on its own, it can bypass personal and corporate firewalls and evade IDS/IPS devices. Anti-virus engines may detect some trojans, but signature-based solutions will always have a lag time, and will never reach 100% detection. At the time of this writing, only 5 out of 9 virus scanners tested detected the trojan file.

Back to payroll attacks. If you think your organization isn’t vulnerable, think again. A few months ago I received an email from someone whose IT department hired a consultant to investigate potential insider attacks. The writer mentioned the consultant must have been to a seminar of mine, because the first thing he did was recommend a procedure I’ve long advocated: periodically run manual payrolls.

Announce the date in advance so everyone can be ready. On that date make no direct deposits of paychecks. Instead, employees must appear at a designated location in person, with valid employee ID, to claim paper checks. Give yourself a week to complete the process. Any checks remaining in the box have been going to people who no longer — or never did — work for you.

Jesper has frequently recommended this too; a few years ago he got a call from someone who followed the advice and was shocked to see what remained. How much? “Significant,” was all the customer would say. The customer I mentioned above wrote that the consultant discovered excess payments “in the six-figure range.” Multiply that by a few years and you’ve got a seriously expensive scam.

Contact your HR and payroll department this week and arrange for your organization’s manual payroll. I recommend you perform one annually.


Categories: attacks, malware, phishing, risk

Raising the bar: URLZone trojan evades fraud detection

Friday 2 October 2009 Comments off

One of the tools in the good guys’ arsenals is the fact that the bad guys haven’t been very skilled coders. Not anymore: they’re getting very, very good. DarkReading describes how Finjan uncovered URLZone:

URLZone doesn’t just dupe users into giving up their online banking credentials. Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim’s bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim’s on-screen bank statements so the person and bank don’t see the unauthorized transaction.

“The Trojan was smart enough to be able to look at the [victim's] bank balance,” says Yuval Ben-Itzhak, CTO of Finjan. “This is more advanced than other banking Trojans, like Zeus, whose main goal is to get the user to provide his online credentials, credit card numbers, or PINs by inserting different text boxes into the online banking application. Then they use those credentials to log into the bank account.

“But in this attack, everything happens from the victim’s computer. This is more sophisticated than anything we’ve seen in the past.”

The attack begins like most Web-based infections: An unsuspecting user visits an infected Website — either a malicious or rigged legitimate one. The attack is based on the LuckySploit malware toolkit, which exploits things like unpatched Adobe PDF and Flash vulnerabilities in browsers. Its exploits are obfuscated so they’re difficult to detect.

Once the victims are infected with the URLZone Trojan, it sets up the victim’s machine as a bot in the banking botnet, complete with command and control instructions. URLZone ensures the transactions are subtle: “The balance must be positive, and they set a minimum and maximum amount” based on the victim’s balance, Ben-Itzhak says. That ensures the bank’s anti-fraud system doesn’t trigger an alert, he says.

Here’s more evidence that as attackers grow their sophistication, defenses that counter yesterday’s attacks become useless. Would smartcard or token-based two-factor authentication have stopped URLZone? Nope. What about out-of-band transaction authentication, perhaps with mobile phone text messages? If the process were built correctly, yes — more than just an OTP, the banking application might require the phone holder to reply to the SMS with what the transaction amount is expected to be.
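Here is the difference between those two confirmation designs in code. This is an added example, not from the original post and not any bank’s implementation; the bank, browser and phone are simulated in one process, the amounts and account names are constructed, and the six-digit code is an HOTP-style truncation of an HMAC over the transaction details (an assumption about how a bank might build it). The weak variant sends a one-time code that carries no transaction details, so the code the user types into the infected browser is just as valid for the altered transfer. The bound variant puts the amount and payee the bank will actually execute into the SMS and derives the code from them, so the phone holder compares against what they intended and refuses, and a code for a different transaction could not verify anyway.

```python
"""Out-of-band transaction confirmation: plain OTP versus a code bound to the transaction.

Added example only. Simulates a URLZone-style malware-in-the-browser that
rewrites the transfer the user submitted, on the user's own authenticated session.
"""
import hashlib
import hmac
import re
import secrets
import struct


def transaction_code(key: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """Six-digit code derived from the transaction the bank is about to execute (HOTP-style truncation)."""
    msg = struct.pack(">Q", amount_cents) + payee.encode() + nonce
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    num = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"


class Bank:
    def __init__(self, bound: bool):
        self.bound = bound                     # True: code bound to amount+payee; False: plain OTP
        self.key = secrets.token_bytes(32)     # server-side secret, never present on the PC
        self.pending = {}

    def _code(self, amount_cents: int, payee: str, nonce: bytes) -> str:
        if self.bound:
            return transaction_code(self.key, amount_cents, payee, nonce)
        return transaction_code(self.key, 0, "", nonce)   # plain OTP: depends on the nonce only

    def submit(self, amount_cents: int, payee: str):
        """The browser submits a transfer; the bank texts the phone. Returns (txid, sms text)."""
        txid, nonce = secrets.token_hex(8), secrets.token_bytes(8)
        self.pending[txid] = (amount_cents, payee, nonce)
        code = self._code(amount_cents, payee, nonce)
        if self.bound:
            sms = f"Transfer {amount_cents} cents to {payee}. Reply {code} to approve."
        else:
            sms = f"Your one-time code is {code}."
        return txid, sms

    def approve(self, txid: str, code: str):
        """Executes the pending transfer only if the code matches what the bank itself holds."""
        amount_cents, payee, nonce = self.pending.pop(txid)
        if hmac.compare_digest(code, self._code(amount_cents, payee, nonce)):
            return amount_cents, payee
        return None


def phone_holder_reply(sms: str, intended_cents: int, intended_payee: str):
    """The human reads the SMS on a device the PC malware cannot touch and answers only if it matches intent."""
    m = re.search(r"Transfer (\d+) cents to (\S+)\. Reply (\d{6})", sms)
    if m:
        shown = (int(m.group(1)), m.group(2))
        return m.group(3) if shown == (intended_cents, intended_payee) else None
    m = re.search(r"code is (\d{6})", sms)
    return m.group(1) if m else None        # plain OTP gives the user nothing to compare against


def run(bank: Bank, intended_cents: int, intended_payee: str, mule: str = None):
    """One session. If `mule` is set, malware in the browser rewrites the transfer before submission."""
    if mule is None:
        txid, sms = bank.submit(intended_cents, intended_payee)
    else:
        txid, sms = bank.submit(intended_cents * 40, mule)   # altered amount and payee (constructed)
    code = phone_holder_reply(sms, intended_cents, intended_payee)
    if code is None:
        return None                          # user refused; the browser has nothing to relay
    return bank.approve(txid, code)          # the browser relays whatever the user typed


if __name__ == "__main__":
    print("plain OTP, infected:", run(Bank(bound=False), 10000, "ALICE", mule="MULE-4711"))
    print("bound code, infected:", run(Bank(bound=True), 10000, "ALICE", mule="MULE-4711"))
    print("bound code, clean:", run(Bank(bound=True), 10000, "ALICE"))
```

The point the design depends on is that the SMS is generated from the bank’s own record of the pending transfer, not from anything the browser sends back, so the malware cannot show the victim one amount while the bank executes another.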

People are starting to lose trust in computers and the Internet. While waiting for the bus today one of my fellow riders struck up a conversation about the funky colorful shoes I found in Auckland during TechEd 2008. The conversation turned to what our jobs are, and when I mentioned information security, several folks at the bus stop started peppering me with questions. Conversations continued on the bus for the entire ride. People don’t understand the criminal element, can’t figure out how to determine what’s trustworthy and what isn’t, and generally seem apprehensive about doing anything on the Internet. This is becoming a very difficult problem to solve; rampant disregard for the devastation wrought by identity theft, warrantless government wiretapping, and presidential ruminations about “taking down the Internet” aren’t doing anything to help. I’m not even sure National Cybersecurity Awareness Month will be all that effective.

We have got to redouble our efforts to remove the coolness factor from computer attacks. It’s no longer hacking, folks. Drop that term from your vocabulary. Start talking about attacks conducted by criminals. Don’t idolize notorious bad guys. And demand that officials start requiring accountability. Honestly, there’s nothing you can do to prevent the misuse of your PII; in America, you generally don’t even own your PII. We need strong laws, backed by massive fines, that prohibit all sales of personal information and finally convince its holders (read: financial institutions) to protect it. Right now, it’s cheaper for institutions to deal with breaches than to keep them from happening. The only way to fix this is to change the economics.
