I was recently asked a really good question: how can you disable the “Play on Phone” functionality in Exchange 2007 Unified Messaging? PoP is a handy feature because it lets you use a simple UI in Outlook or OWA to get your voice mail on any phone that your UM server can dial out to. For security reasons, though, some organizations want to prevent people from placing outbound calls to potentially untrusted numbers (like, oh, I don’t know, this). There’s no direct way to do this from the UI, but you can accomplish it with a bit of trickery: set the OutCallsAllowed attribute on the IP gateway used by the UM server (Set-UMIPGateway MyUMGateway -OutCallsAllowed $false will do the trick).
Why does this work? This flag tells the UM server never to send SIP INVITE messages to that gateway for a new call. If there are no gateway objects with the property set to true, then UM will not attempt to place any outbound calls at all. PoP is the only Exchange UM feature that results in new outbound SIP INVITE messages; call transfers use the SIP REFER message, so the auto attendant and call answering features will still work. However, this doesn’t disable the PoP user interface, so users will still see the buttons; they just won’t work when clicked.
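Since the trick only works if every gateway has outbound calling turned off, here is an added Exchange Management Shell example (my own illustration, not code from the original post) that walks all UM IP gateways, disables OutCallsAllowed wherever it is still on, and then verifies that none are left enabled. It assumes the Exchange 2007 Management Shell is loaded and uses only Get-UMIPGateway and Set-UMIPGateway; the gateway names are whatever your organization returns.

```powershell
# Added example, not from the original post: disable Play on Phone by turning off
# outbound dialing on every UM IP gateway, then confirm no gateway can still dial out.
# Assumes the Exchange 2007 Management Shell is loaded.

$gateways = Get-UMIPGateway

foreach ($gw in $gateways) {
    if ($gw.OutCallsAllowed) {
        Write-Host "Disabling outbound calls on gateway: $($gw.Name)"
        Set-UMIPGateway -Identity $gw.Identity -OutCallsAllowed $false
    }
}

# Verification: PoP is blocked only when NO gateway is allowed to place outbound calls,
# because UM will use any gateway that still has OutCallsAllowed set to true.
$stillEnabled = Get-UMIPGateway | Where-Object { $_.OutCallsAllowed }

if ($stillEnabled) {
    Write-Warning "These gateways still allow outbound calls, so Play on Phone still works:"
    $stillEnabled | Format-Table Name, Address, OutCallsAllowed
} else {
    Write-Host "No UM IP gateway allows outbound calls; Play on Phone is effectively disabled."
}
```

Re-run the verification half after any gateway is added or re-created, since a new gateway object defaults to allowing outbound calls and would silently re-enable PoP.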
Good news for all you feds out there: Vista’s BitLocker Drive Encryption was just certified by NIST as meeting the FIPS 140-2 standard. If you don’t know what this means, you probably don’t care. If you do know, check out some of the other certified products on that page; there’s some pretty neat stuff lurking there.
Nice to see that noted security guru Crispin Cowan has a blog.
But you probably knew that already.
A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.
There are a lot of skeptical comments over at the WSJ blog. However, a friend of mine who is a well-known figure in the security community said this in e-mail:
…we did a similar chocolate bar or $2 pen hand out in London to collect passwords. Our gathering password rate was 84%. We then contacted each security domain (we asked for their related email address to send them a free voucher entry for more candy bars). We asked the domain administrators (ISPs, businesses, etc.) to simply review the list and send back the percentage of correct collected passwords. Our response rate from the domain administrators was only 30% or so…I can’t remember the exact number…but it was less than half and more than a quarter. The ones that did respond confirmed that over 60% were the actual passwords.
To this day, if I hadn’t participated in the survey and collected the results myself, I would not have believed it.
So, clearly if you want to fish for passwords, your odds of getting something useful in exchange for a chocolate bar and a few minutes of face time with a good-looking woman are pretty darn good. Scary!
Great post by Michael Howard today:
A few years ago I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft they were off to visit another operating system vendor. I won’t name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, “What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft’ in the reply.” Two weeks later, the guy phoned me and said…
I won’t tell you what they said; for that, you’ll need to read Michael’s article. I promise that it’s worth your time.
From Steve Riley’s blog, news of a new IPsec diagnostic tool that you can use to troubleshoot IPsec configuration problems. I haven’t tried it yet, but I definitely plan to in my copious free time.
I had no idea you could do this, but it turns out that it’s possible to dual-boot both Linux and Windows Vista on the same machine while retaining Windows Vista’s ability to encrypt disk data using BitLocker. Cyril Voisin’s blog has the details; basically, you install Linux, then install Vista, then use the Vista Boot Manager to enable Linux booting from the Vista boot loader, then turn on BitLocker.
This just in from Secunia:
Multiple vulnerabilities have been reported in IBM Lotus Notes, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information and by malicious people to bypass certain security mechanisms or compromise a user’s system.
One of the reported vulns is in the Notes ECL mechanism. I’m really interested to see the details, although these vulns are fixed in 7.0.3 and 8.0.
Matt Blaze, world-famous cryptographer and security expert, has a blog. Drop by and see what he thinks of the electronic voting machines used in California.
Man, what was Apple thinking? Turns out all iPhone applications run as effective UID 0. What a boneheaded decision, at least from a security point of view. Too bad Steve Jobs didn’t hire me when he had the chance.
At long last, the secret is out: Microsoft now has a solution toolkit to help companies make sure that their sensitive data is properly protected on mobile PCs. Last week at TechEd, they formally announced the Data Encryption Toolkit for Mobile PCs, which combines a thorough analysis of the BitLocker and Encrypting File System features of Windows with a set of prescriptive instructions on how to use BitLocker and/or EFS to protect your company’s data. There’s also a nifty tool, the EFS Assistant, that you can deploy to automatically scan for files that should be protected, then encrypt them with EFS.
3Sharp was responsible for the entire document set; I worked with David Mowers on the security analysis and wrote the planning and implementation guide, and Paul Flynn wrote the bulk of the EFS Assistant administrator’s guide. It’s great to have this toolkit out in the world, because I really believe it will help people avoid mishaps like what happened to TJX (so far, they’ve spent $20 million in 1Q 07 alone, with more to come!)
Yesterday Apple released a beta version of Safari for Windows. Later the same day, David Maynor released information on six bugs (4 denials of service and 2 remote code execution bugs) that he’d found. What a nice way to welcome a new browser to the Windows platform 🙂
More to the point, this highlights how much things have changed in the Windows security world. It’s hard to write a secure browser. Microsoft has put an enormous amount of energy and effort into securing IE 7 and the components that use it. Are there still security flaws in it? Probably (in fact, almost certainly). However, IE7 is still, literally, years ahead of Safari in that respect. There are no shortcuts to building secure applications, as Apple is now learning.
Michael Howard has posted a great postmortem and lessons-learned piece on the animated cursor vulnerability recently patched in Windows. I love to see this kind of open discussion of how Microsoft’s security development lifecycle (SDL) is working in practice, and where MS feels that it can be improved. You don’t often see this level of disclosure from major IT vendors, and I think the industry (and our security) would be more robust if it became more common.
What do you do with an old PC? Most of us just give it away; if you’re mindful of privacy issues, you might format the disk first. There have been lots of recent cases where organizations have failed to properly clean disks of confidential information before decommissioning the disks and selling or giving them away. The BitLocker Drive Encryption feature of Windows Vista can help solve this, though: when you decommission an encrypted volume, you can remove the keys (as detailed in this column) and render the volume permanently unreadable. Sweet!
Microsoft updated their BitLocker FAQ, which now answers every question you’ve ever had about BitLocker (plus some you probably haven’t.)