It’s like a joke that never gets old. I’ve written about Oracle’s terrible approach to product security before (here, here, here, and here are a few examples… bonus: this). Now security legend Jericho has written this outstanding timeline of exactly what Oracle has failed to do in the security arena. He should have subtitled it “Bring Me the Head of Mary Ann Davidson”. Well worth a read.
Category Archives: Security
I was recently asked a really good question: how can you disable the “Play on Phone” functionality in Exchange 2007 Unified Messaging? PoP is a handy feature because it lets you use a simple UI in Outlook or OWA to get your voice mail on any phone that your UM server can dial out to. For security reasons, though, some organizations want to prevent people from placing outbound calls to potentially untrusted numbers (like, oh, I don’t know, this). There’s no direct way to do this from the UI, but you can accomplish it with a bit of trickery: set the OutCallsAllowed attribute on the IP gateway used by the UM server (set-UMIPGateway MyUMGateway -OutCallsAllowed $false will do the trick.)
Why does this work? This flag tells the UM server never to send a SIP INVITE to that gateway for a new outbound call. If there are no gateway objects with the property set to true, then UM will not attempt to place any outbound calls at all. PoP is the only Exchange UM feature that results in new outbound SIP INVITE messages; call transfers use the SIP REFER message, so the automated attendant and call answering features will still work. However, this doesn’t disable the PoP user interface, so users will still see the buttons; they just won’t work when clicked.
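Since the trick only works when no gateway is left with OutCallsAllowed set to true, it is worth applying it to every UM IP gateway and then checking the result rather than editing one by name. The following Exchange Management Shell script is an added example, not from the original post; it assumes the Exchange 2007 cmdlets Get-UMIPGateway and Set-UMIPGateway as described above, and it acts on whatever gateways exist in your organization (the gateway name in the post, MyUMGateway, is just an illustration).

```powershell
# Added example (not from the original post): disable Play on Phone by
# clearing OutCallsAllowed on every UM IP gateway, then verify.
# Assumes the Exchange 2007 Management Shell; gateway names come from
# whatever Get-UMIPGateway returns in your organization.

# 1. Show which gateways can currently receive outbound SIP INVITEs
Get-UMIPGateway | Format-Table Name, Address, OutCallsAllowed -AutoSize

# 2. Turn off outbound calling on every gateway that still allows it
Get-UMIPGateway | Where-Object { $_.OutCallsAllowed -eq $true } |
    ForEach-Object {
        Write-Host ("Disabling outbound calls on gateway {0}" -f $_.Name)
        Set-UMIPGateway -Identity $_.Identity -OutCallsAllowed $false
    }

# 3. Verify: any gateway still showing True would let PoP dial out through it
$stillOpen = Get-UMIPGateway | Where-Object { $_.OutCallsAllowed -eq $true }
if ($stillOpen) {
    $names = ($stillOpen | ForEach-Object { $_.Name }) -join ", "
    Write-Warning ("Outbound calls still allowed on: " + $names)
} else {
    Write-Host "Play on Phone is effectively disabled: no UM IP gateway allows outbound calls."
}
```

Run step 1 on its own first if you want to see what will change; adding -WhatIf to the Set-UMIPGateway call in step 2 previews the change without applying it. Remember that this leaves the PoP buttons visible in Outlook and OWA; they simply fail when clicked, so expect a few helpdesk questions.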
Good news for all you feds out there: Vista’s BitLocker Drive Encryption was just certified by NIST as meeting the FIPS 140-2 standard. If you don’t know what this means, you probably don’t care. If you do know, check out some of the other certified products on that page; there’s some pretty neat stuff lurking there.
But you probably knew that already.
A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.
There are a lot of skeptical comments over at the WSJ blog. However, a friend of mine who is a well-known figure in the security community said this in e-mail:
…we did a similar chocolate bar or $2 pen hand out in London to collect passwords. Our gathering password rate was 84%. We then contacted each security domain (we asked for their related email address to send them a free voucher entry for more candy bars). We asked the domain administrators (ISPs, businesses, etc.) to simply review the list and send back the percentage of correct collected passwords. Our response rate from the domain administrators was only 30% or so…I can’t remember the exact number…but it was less than half and more than a quarter. The ones that did respond confirmed that over 60% were the actual passwords.
To this day, if I hadn’t participated in the survey and collected the results myself, I would not have believed it.
So, clearly if you want to fish for passwords, your odds of getting something useful in exchange for a chocolate bar and a few minutes of face time with a good-looking woman are pretty darn good. Scary!
Great post by Michael Howard today:
A few years ago I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft they were off to visit another operating system vendor. I won’t name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, “What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft’ in the reply.” Two weeks later, the guy phoned me and said…
I won’t tell you what they said; for that, you’ll need to read Michael’s article. I promise that it’s worth your time.