Guest appearance of...ME
31 August 08 10:37 PM

For some of our Tech Ed promotion, Jeff Alexander has recorded some Vodcasts/VideoBlogs/etc. He did save the best for last, of course, which means that he posted his interview with me at: http://blogs.technet.com/jeffa36/archive/2008/08/31/teched-vodcast-interview-with-rocky-heckman.aspx

This is probably his best post to date.

Postedby RockyH | 0 Comments    
Tech Ed 08 Ultimate Expert!!
31 August 08 10:05 PM

This year, we’re going to have a competition to find The Ultimate Expert. The winner will score the v/cool HP TouchSmart IQ505a. We’ll also give away some HP iPAQ Travel Companions along the way. However, if you ask me, the real prize is being crowned The Ultimate Expert!

There are two ways to get involved:

Ask a Question: if you have a question that you want answered, mosey on over to CommNet and submit your question. The best questions will garner an HP iPAQ Travel Companion!

Compete as an Expert: if you think you should be in the running for the title of Ultimate Expert, have someone go over to CommNet, ask a question and nominate you to answer it. So, start blogging, emailing and spamming everyone you know, the only way to get a seat at the table is to be nominated. There could be a HP TouchSmart IQ505a with your name on it!

It’s that simple, we’re looking for Experts and Questions. What are you waiting for? GO!

Security Track Speaker Bits- Tom Hollander
08 June 08 08:56 PM

So for our next Speaker Introduction we have Tom Hollander, who graciously agreed to give a session at Tech Ed after I begged him to share his awesome wisdom around how to create a secure development framework.

Bio:

Tom Hollander is a Solution Architect in Microsoft’s Solutions Development Centre in Sydney, responsible for driving the technical design and delivery of complex customer projects. Prior to joining this team, Tom spent over three years in Microsoft’s headquarters in Redmond working as a product manager in the patterns & practices team. In this role Tom helped deliver many patterns & practices deliverables including Enterprise Library, the Guidance Automation Toolkit and Web Service Software Factory. Tom is a frequent blogger on patterns & practices and architecture topics, at http://blogs.msdn.com/tomholl.

What did you want to be when you grew up?

At one stage I wanted to be a “real” architect, meaning someone that designs actual buildings.

What got you started in the IT Security Arena?

Being a developer and an architect, I had no choice but to become interested in security.

What do you like most about your job?

Working with a fantastic team and seeing progress day by day.

If you had a magic wand that fixed things with a single flick, what are the top three things you’d fix about IT Security?

Ignorance and stupidity of (some) end users.

The SMTP protocol.

The need to establish different credentials on every system.

Is this your first time presenting at Tech Ed Australia / New Zealand?  If not, how many times have you presented down here?

No, I think it’s my 3rd time.

What are you looking forward to presenting on most at Tech Ed this year?

All of the cool stuff I’ve learned from working on my current project.

If your audience only takes one thing away from your session(s), what would you like that to be?

That security needs to be top of mind every day for everyone in a development team.

What are you looking forward to most about Tech Ed Australia / New Zealand?

Going to New Zealand again :). Nothing against Sydney but I’m here every day!

Threat Modeling - The Bigger Picture
29 May 08 06:00 PM

I was recently in a bit of a conversation about Threat Modeling, its future, and how it relates to Risk Management. The ensuing thoughts and gyrations in my head produced a bit of a post on how Threat Modeling is actually 1/2 of a Threat Management process, which in itself is a subset of a well-rounded Risk Management process. I posted the mini-essay on our ACE Threat Modeling blog. Check it out here.

Security Track Speaker Bits - Lee Hickin
29 May 08 12:08 PM

As part of the Security Track, I like to get you some personal insight on the speakers we'll be having. Lee, being the prompt and studious guy he is, has answered some questions for us.

What did you want to be when you grew up?

LH > Depends, when I was 5 I wanted to be a fire engine….I got my first computer around 1979 (a Commodore PET) and then a VIC-20 in 1981 - after that…..I wanted to write Computer Games, don’t know why and I never did……just seemed like a pretty cool way to make a living.

What got you started in the IT Security Arena?

LH > Luck, not Judgement. Took a job with IBM back in 1993 running Mainframe systems (DOS/VSE on VM systems if you’re interested) and just found myself lucky enough to be the ‘Security’ guy. Once you get into it…….it’s hard to get out ! :)

What do you like most about your job?

LH > The Challenges…..it’s never easy and there is a constantly changing playing field. I also find the whole ‘cat n mouse’ aspect of IT security fascinating.

If you had a magic wand that fixed things with a single flick, what are the top three things you’d fix about IT Security?

LH > Easy to say, hard to do……………….I would make the internet both the safest place to do business and completely uncensored :)

Is this your first time presenting at Tech Ed Australia / New Zealand?  If not, how many times have you presented down here?

LH > I’m afraid not ! this will be my 3rd year presenting at TechEd :)

What are you looking forward to presenting on most at Tech Ed this year?

LH > Finally getting to talk about something new in the ISA product line up (Threat Management Gateway) :)

If your audience only takes one thing away from your session(s), what would you like that to be?

LH > Take a second look, don’t discount Microsoft as a security vendor based on old thinking – come with an open mind and we will be honest with you…..

What are you looking forward to most about Tech Ed Australia / New Zealand?

LH > A trip to the Gold Coast…………..oh wait……….it’s in Sydney, damn……….. :)

 

Stay tuned for more Speaker Bits coming soon...

Tech Ed 08 Security Track
22 May 08 04:16 PM

Well it's that time of year again. We're just about at Tech Ed and we're well into the planning stages.  I have the honor of managing the Security Track again this year.  I thought I'd run my proposed track sessions past you and see what you thought.

SPEAKERS

  • Laura Chappell
  • Steve Riley
  • Tom Hollander
  • Mark Curphey
  • Jamie Sharp
  • Lee Hickin

SESSIONS

  • Network Forensics: Reconnaissance and Attack Traffic Patterns
  • Analyzing Questionable Network Applications
  • Top Ten Analysis Skills for Troubleshooting and Securing Your Network
  • Case Studies: Identifying Compromised Hosts
  • Virtualization and Security: What Does It Mean for Me?
  • Privacy: The Why, What, and How
  • Wireless Security Today
  • Secure Development Patterns: How not to screw yourself during development
  • Microsoft Connected Information Security Framework (CISF)
  • WM Architecture Security: SSCM: MDM
  • Securing your mobile enterprise: WM Deep Dive
  • Threat Management Gateway
  • Stirling
  • UAG/ILM
  • 2007 Office Client Security

As you can see we have a lot of great speakers, and awesome presentations lined up. 

Questions about Questions.
04 December 07 09:24 AM

One of the security measures we are all becoming overly familiar with is the Password Reset Security questions used today.  So just what is a good way to use security questions? Recently I was asked to put together some recommendations around the use of Security Questions for resetting passwords.

There are two methods commonly in use at this time:

  • Pre-Canned Questions (PCQ)
  • User Defined Questions (UDQ)

Pre-Canned Questions

From a usability perspective the Pre-Canned questions are a bit easier to deal with because the user only has to supply an answer, rather than come up with a question, and the answer.  However, from a security perspective, Pre-Canned questions are not as secure as User Defined questions.  Most of the questions in these Question Based Identification systems are well known: What is your mother’s maiden name, What is the name of  your first pet, What is the name of your first school, etc.

The problem with most PCQs is that they are designed around information that is either public domain or easy to social engineer out of someone.  There are some organisations that have taken the PCQ further and created very obscure questions that are not the common ones in most default Question Based Identification systems.  They ask for information that hopefully only the real user knows, and that isn’t in the public domain somewhere.  However, even with these, close friends or astute attackers can still identify the answer to questions such as ‘Who was the first person you kissed?’.

There is even some concern in conspiracy circles that the PCQ option is designed to collect demographic information that you would not otherwise normally give to a company.  

Implementation

The implementation is quite easy for PCQs.  There are simply 1-* questions that are defined and stored as part of the application meta-data.  During account creation the user selects the question(s) they want to have as their secret identification, and then supplies an appropriate answer for each.  The answers should be stored as salted hashes, not as the plain text answer to the question.

User Defined Questions

User defined questions are an order of magnitude more secure than PCQs.  The reason for this is that the attacker now does not know the kind of data they have to collect before-hand.  While they may still be able to discover the questions that the user defined by simply requesting a password reset from the account, they will hopefully then have to try and discover answers that can only be obtained by asking the legitimate user themselves.

In some circles UDQs are considered less friendly from a usability perspective.  After all, now the user has to think up a question as well as an answer.  It is expected that the answer to the question should be easy for them to come up with though.  There is also the possibility that when presented with the request for a question, that the user enters something they’ve seen on other sites such as ‘What is your mother’s maiden name?’.  At this point though, the strength (as judged by how easy it would be to determine the answer to the question) is in the hands of the user and it is their choice, and their risk if they decide to use a question with a publicly researchable answer.

Implementation

The UDQ approach requires the ability for the system to accept and store the questions the user enters.  Normally the questions would have to be stored in plain text, or through reversible encryption, the latter being the recommended option.  The answers however would be stored as salted hashes of the actual answers the user entered during account creation.

Asking the Questions

Once a choice has been made about which type of questions to use, asking them is another matter.

There are several ways to ask the questions:

1. Ask a single static question which was defined or selected by the user during account creation

2. Ask a single question randomly chosen from a battery of questions defined or selected by the user at account creation.

3. Ask more than one question randomly chosen from a battery of questions that was defined or selected by the user at account creation

Option 1 is the worst from a security standpoint as the attacker only has to obtain one piece of information.  But it is the best from a usability and system design standpoint as the user only has to supply one answer, or question/answer at account creation time.  It also removes the random question chooser from the design of the application.

Option 2 is a better choice from a security perspective.  However, the user has to define multiple answers or question/answer pairs at account creation, and the system has to store multiple answer or question/answer pairs for each user. 

Option 3 is the best from a security standpoint.  This introduces the most problems for an attacker to deal with.  Not only do they have to know all the possible questions that will be asked, but their answers too.  This option represents the worst usability though.  Not only do users have to define 1-* answer or question/answer pairs as in option 2, but they have to enter multiple answers during the reset process.  From a system implementation perspective it is not much more complicated to implement than Option 2.

In any case, the most important part about Question Based Identification is that the answers, and potentially the questions themselves, be something that is not publicly available (e.g. driver’s license number), and that is very difficult to social engineer (e.g. TFN, SSN).

Alternatives / Additions

Some sites prefer to bypass questions altogether and send the user a link to a secure reset web site instead.  This is acceptable, but you are relying on the fact that the person requesting the reset, is the only person able to access that email account and that they are the legitimate owner of the account.

In order to have multiple levels of authentication you might want to extend the question based system to implement an emailed link to a secure web site for password reset after asking the security questions.  So in this case, once the user answers the security question(s) appropriately, they are emailed a life-limited link that will take them to a secure site where they will enter a new password.

Never, ever send usernames and passwords to a user through email. Email them a life-limited link to a secure (SSL/TLS) site to enter their new password instead.

Just note that the email notification can be problematic if the link email is caught in a spam filter, or if the user is shopping remotely and cannot access their email at the time (not everyone has web-based email or knows how to use it).

Recommendations

Based on a security first perspective, tempered with usability, Option 2 discussed above is preferred. Option 3 is the best security choice, but it is not as usable. Option 1 is not recommended.

Option 2 provides the added security of using UDQs, with decent usability by asking 1 question at a time during reset.  The user only has to define multiple questions and answers during account creation.  If there is text on the page explaining that this is done to protect their money, they should be accepting of it.

When option 2 is combined with an Email Link, it provides a secure reset capability.  It would be a question of usability and confidence in the requestor being able to get to their email during the password reset process.
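A sketch of the recommended flow (Option 2 followed by an emailed link), added here as an illustration and not code from the original post: answers are kept only as salted PBKDF2 hashes, one question is chosen at random and pinned for the reset attempt so that re-requesting cannot shop for an easier one, and a correct answer yields a single-use, life-limited token for the emailed link. The class and function names, iteration count, 15-minute lifetime and three-attempt limit are assumptions, and encrypting the stored question text is left out.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

PBKDF2_ITERATIONS = 200_000   # assumed work factor
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of the emailed link
MAX_ATTEMPTS = 3              # assumed wrong answers allowed per challenge


def normalize_answer(answer):
    """Fold case and whitespace so 'Purple  Sunday ' matches 'purple sunday'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class ResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._questions = {}   # user -> [(question, salt, digest), ...]
        self._challenge = {}   # user -> [question index, attempts left]
        self._tokens = {}      # sha256(token) -> (user, expiry time)

    def enroll(self, user, qa_pairs):
        """Account creation: keep the question text, never the answer text."""
        self._questions[user] = [(q, *hash_answer(a)) for q, a in qa_pairs]

    def challenge(self, user):
        """Pick one question at random and pin it for this reset attempt."""
        if user not in self._challenge:
            index = secrets.randbelow(len(self._questions[user]))
            self._challenge[user] = [index, MAX_ATTEMPTS]
        return self._questions[user][self._challenge[user][0]][0]

    def answer(self, user, candidate):
        """Return a reset token to email on success, None on failure."""
        state = self._challenge.get(user)
        if state is None or state[1] <= 0:
            return None        # no open challenge, or locked after failures
        _, salt, stored = self._questions[user][state[0]]
        _, offered = hash_answer(candidate, salt)
        if not hmac.compare_digest(offered, stored):
            state[1] -= 1      # lock stays until cleared out of band
            return None
        del self._challenge[user]
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a leaked table is not
        # a list of working reset links.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[key] = (user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Single-use: the token is removed whether or not it is still valid."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)
        if entry is None or self._clock() > entry[1]:
            return None
        return entry[0]
```

The token returned by `answer` is what goes into the emailed link; the new password is only ever entered on the TLS-protected page that calls `redeem`.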

Best Practices for Users around Security Questions

When you are asked to either define these kinds of questions, or just define the answers to standard questions...be creative.

The most common problem with a lot of these systems is that they ask information that anyone can discover with a quick Internet search, or by watching the victim for any amount of time.  For example, it would be very easy to discover my mother's maiden name. So when presented with this kind of question, supply a totally nonsensical answer. 

Q: What is your mother's maiden name? 
A: Purple Sunday

Be patient and creative if a site asks you to define multiple questions and their answers.  Remember, this is to prevent someone from compromising your account.  It may seem a bit frustrating to have to go through this, but consider the alternative. If someone was able to easily guess this information, and reset your password...they can do whatever YOU can do on your account. 

Bye Bye Dial-Tone reliability
18 October 07 11:49 AM

Ok, so this is a bit of a rant but it's been something that has been a very irritating topic for a few years now; dropped calls on mobile phones.

In the not-too-distant past, we used to talk about trying to get computers to reach a point of 'Dial Tone Reliability'.  This was a reference to the fact that in the past, with copper based, 'Plain Old Telephone Service' (POTS), when you picked up the phone you always got a dial tone. Even when the electricity went off, the phone would still work.  This was the pinnacle of reliable technology.  The phrase is still used today as a benchmark for reliability by WebEx and Oracle and several others in their advertising. Well I guess if you can't join them, infiltrate them and beat them into submission. Hence my affinity for Killer Coding Ninja Monkeys.

We've been going downhill ever since the mid 90's when this statement became popular. Computers have become more unreliable because we are rushing to market, and trying to cram every feature into the software that we possibly can.  There has been a lot of focus on secure development but what has happened to the Availability leg of the Confidentiality, Integrity, and Availability triangle?

This is especially a problem now with mobile phones. The tighter the integration with computers, the worse they are getting. It doesn't matter which model you have, or which OS is running on it, they crash on a regular basis.  They have to be reset, and updated almost weekly if not daily. In most cases, making phone calls appears to be optional. Mobile phones, yes including the Apple iPhone, are now unreliable compared to the Dial Tone Reliability we used to have. 

15 years ago there was no such thing as a dropped call.  True, we've gained many many benefits from mobile phones like being reachable anytime (including when we should be enjoying time with our families, and sleeping) and anywhere (well almost except for the dead zones and out of service areas, in secured buildings, etc.) including in the car so we can now become a traffic hazard while we make our calls.  In the past, when you needed to make a call, you picked up a phone and the call always went through. Now you hit speed dial or use your voice command and pray the planets are aligned.

If you weren't near a phone, you waited until you got to one rather than becoming a traffic hazard.  Was it really such a bad thing to wait for 10 minutes before you called someone? I know most of us could use that extra 10 minutes to sort out what we want to say rather than making brash knee jerk statements. But now we don't have to worry about it because there's a good chance that we'll be out of a coverage area, or that the call will get dropped. 

With the advent of VoIP invading offices and even homes around the world, we have corrupted simple, reliable technology.  When you combine VoIP with unstable mobile phone calls, and then trying to get something like Skype into the mix, your chances of making a successful phone call fall below 60%. (based on my experience).

Now that we are connecting our phones to our computers with all kinds of connectivity and SIP options, what happens to making a simple phone call? Now, we're entering a situation where if you are using your PC to make calls through your VoIP system, you have to boot your PC to make emergency calls.  Think about that, now, in order to call an ambulance, you not only have to count on the reliability of the new phone software and VoIP network but your PC as well.  So how do you feel about it now?

Great so now we have devices that can take pictures, play music, manage our calendars (since our memory is shot now), email, SMS, keep our contacts together and sometimes make phone calls. I'd be happy with reliable phone calls. After all isn't that the main function of a phone? Don't sacrifice the primary function of the device for bells and whistles. Make sure the phone part works first, then add email and stuff. The main purpose of the phone has been corrupted and lost in the mess that is the All In One Device now.

Look, I love my job, and I work for this company because I feel they are actually doing far better work than others out there. But I think the entire industry needs to take a step back. Slow the hell down. There is no such thing as Dial Tone Reliability anymore because the IT Industry has killed it. It may not be sexy to have a 12 button analog phone wired to the wall and a piece of paper with names and numbers on it, but at least I could always make a call with it.

Security Camp Oz 07
17 October 07 05:46 PM

Well recently I put together the Inaugural Security Camp Oz (SCO) 07.  It is a community driven event for the IT Security community.   We held it in Wagga Wagga at the Charles Sturt University campus. SCO is a FREE two day event for IT Security Professionals of all platforms.  Even though a Microsoft guy put it together, it wasn't a "Microsoft" event. We invited speakers from all areas to present.

We had great speakers and some great sessions over the two days.  Here's the list (also available at http://www.securitycampoz.com )

Grant Holliday (Readify) - Securing your development environment with TFS
David Griffiths (NSW Dept of Lands) - Case Study: Secure Remote Access as a Tool for Business Continuity
Jamie Sharp (Microsoft) - Your Data Centre of the Future
Orin Thomas (Security MVP)- Pushing the limits of EFS in Windows Vista and Windows Server 2008
Rocky Heckman (Microsoft)- Technical Compliance Management
Jason Howarth (Charles Sturt University) - The Principals Of Cryptography
Christian Heinrich (Self) - CVSS and the MS Severity Matrix
Dave Lemphers (Microsoft) - Identity in Social Networks in Web 2.0
Rocky Heckman (Microsoft) - UAC Revealed
Michael Kleef (Microsoft) - Windows Server 2008 Security
Sandi Hardmeier (IE MVP) - Real World Risks
Michael Kleef (Microsoft) - Getting the Security Message Across
Matt Jonkman (Bleeding Edge Threats) - Writing SNORT Rules

Overall it was a very successful event. 140+ Pizzas, and 600+ bottles of drinks. Plus a lot of education, networking, and general story swapping. All of the attendees I spoke with agreed that they learned a lot and they'd come back next year with friends.

There were some eye opening moments for a few people, and some panic attacks as well.  You just never know what little things people can think of to break your systems. 

Next year though I hope to get more presenters from the Linux and Open Source community. Security isn't a Microsoft, or Sun thing, it's an industry thing.  It doesn't matter what platform you are using, we are all at risk, and we all have the same duty of care to protect those that use our products, whatever they may be.

Some key takeaways from the presentations:

  • Intrusion detection can't stop application level attacks, but with the proper application of rules in an IDS like SNORT, it can go a long way towards slowing them down.
  • A lot of IT Pros, should find out more about their developers.  Work with them to create a secure development environment, don't just fight them.
  • There are quite a few little 'gotchas' in EFS that need some advanced planning like Key Escrow
  • With the advent of new IP technologies, and protection from the ground up, there are a lot of ways that our new data centres will change...start planning now!
  • Compliance management is one of the hardest things to get a handle on, but with a good plan and good support tooling, it's easy to manage.
  • The boundaries between virtual and real worlds are blurring, and legal matters are spilling across. We need to be ready to respond to new threats and litigations in the digital age.
  • There is still a long way to go in order to get a common way to address vulnerability ratings, but at least there are people working on it and there are plans to have a standardized method for describing them.
  • UAC is a very misunderstood, and perhaps misrepresented feature in Vista. There is a lot more behind it than you may think, and it's always better to leave it on and work smarter, than to turn it off and work ignorantly.
  • Malware writers are getting crafty and using seemingly innocent web sites to sneak their malware onto your machines through banner ads.  Pay attention, and don't click blindly.
  • Many people don't understand just how they can be attacked.  They don't realise just how easy it is to learn how to be a better Internet user.  Talk to them, share your knowledge and experience. Keep it simple and use terms they know.

Stay tuned for next year's camp. I'm sure you'll find it's worth it.  Lots of people turned up, and they all got something out of it. So tell your friends! ;-)

Threat Modeling Hands On Lab Prizes
05 August 07 08:28 PM

Hello everyone!!

Well it's Tech Ed Eve for me.  I'm Ready to head up and Make My Mark!

I wanted you all to know about the Threat Modeling Hands On Lab.  It almost didn't make it but Kyle and Corey from HynesITe did a great job of getting it loaded at the last minute.  So if you see them walking around, thank them! :-) 

Now here's the good part! I'm going to be giving away some prizes for the first 50 people to complete the Threat Modeling HOL. It's just a small token of my appreciation for you taking the time out to do SEC08 Threat Modeling Hands On Lab!  The first 50 people (50 in Australia and 50 in New Zealand) will get a prize.

There is a catch though.  The goodies haven't arrived on site yet.  So I came up with a plan. When you complete HOL SEC08, the attendants will give you one of my business cards.  On the back is a number like AU34, and a code.  Just email me that number and code, and I will mail you one of the prizes as soon as they arrive.  Hopefully they'll be here by the time Tech Ed New Zealand comes along and I'll have them there, but if not, we'll do the same thing in NZ.

Just to set expectations, no the prize is NOT a Zune. Sorry.... But it is something that should help you with your software security efforts.

Just as an FYI, the code on the cards, is in Hex.  I only say this because if you send me the number, if you know it's in hex, then you won't be tempted to think any of the characters are something like L, I or O.

Halo 3 Jumpers at Tech Ed!!
01 August 07 08:38 PM

Oh man.... Get this, when you register at Tech Ed, pick up a TechNet sticker!!! and WEAR IT!

If you do, you could win some pretty cool prizes randomly throughout Tech Ed, including these COOL Halo 3 Hooded Jumpers! Now I just have to figure out how *I* can get one! Check out Deeps' blog post about the jumpers! http://blogs.technet.com/itproaustralia/archive/2007/07/30/halo-3-hooded-jumpers-at-tech-ed-2007.aspx

Tech Ed - Ask The Experts
17 July 07 04:54 PM

Well the good news, for most, is that Tech Ed Australia, and Tech Ed New Zealand are SOLD OUT.  You can still put your name on the wait list for a spot though.  So this means that the events will ROCK! 

I, of course, would like to attribute this to the awesome speakers in the Security Track this year.  Then again, I’ve heard similar sentiments from about every track owner. :)

The Ask The Experts evening gives you a chance to chat with the speakers in a more personal, or even humane, environment.  They tend to loosen up and chat more in a relaxed environment as opposed to being in the auditorium environment.  

 

For Australia:

ATE is on Wednesday 8 August after dinner from 7.15pm – 9pm in the main expo hall.

For New Zealand:

ATE is on Monday 13 August 6.30pm – 8.00pm in the Market Place on level 4 of the SKYCITY Convention Centre

 

There will be 10 topic areas (see below) that align to the TechEd tracks where delegates can meet the speakers in a 1:few setting as well as three 1: many spaces where we will run a panel discussion on three hot topics (see below). 

 

Topic areas: Architecture; BI & Database, Unified Comms, Mobility and Messaging, Connected Systems, Dev Tools, Technology & Business Applications, Office System, Windows Server Infrastructure, Security, Identity & Access, Web Development & Infrastructure, and Windows Client & Management.

Panel subjects: Un-computing Panel; Technologies, Platforms, Products; The ‘Soft Stuff’

 

All of the speakers are expected to be there so that the attendees get a great experience. :) Apparently in New Zealand we get Expert Hats but I’m sure we’ll be identifiable even without them.

So this is your chance to talk to the likes of Steve Riley, Kai Axford, Jamie Sharp, Tim Smith, Lee Hickin, Orin Thomas (Security MVP), and yours truly, over a few beers.  Take advantage of the opportunity.

Daniel Pearson - Debug Specialist
12 July 07 03:34 PM

Some of you may have seen Daniel doing a tour of the User Groups around Australia.  He has been giving talks on how to understand what really causes system crashes, and what all that junk is in a Crash Dump file.  He actually knows what happens to those crash dumps when they get sent to Microsoft. :-)  Anyway, we talked him into coming to Tech Ed and we even gave him his own Chalk Talk / Cabana session. 

So if you have ever experienced a crash, and want to know how to read the results to find out what's actually happening, or just want to find out what all that stuff means, come talk to Daniel at Tech Ed. If you've been having particular troubles with systems crashing, you can even schedule 1:1 time with him and show him some of your crash dumps so he can de-mystify them for you. 

Take advantage of this opportunity to talk to one of the foremost experts in figuring out 'why things go wrong'.

What do YOU want to know about UAC?
05 July 07 05:06 PM

Well I was polishing my UAC session for Tech Ed this year. It occurred to me that there are bound to be a lot of actual questions about it.  So what I thought I'd do is ask you for your questions.

So tell me, what do you want to know about UAC? Post your questions here and I'll include them (or all that are applicable) in my session at Tech Ed. Just post replies to this post and we'll keep track of the ones you want answered.

Here's your chance to ask a question without having to raise your hand in front of everyone. :-)

The best laid plans....
03 July 07 11:18 AM

Several people have asked me about Jesper not being in the line-up.  As with all of the best laid plans of mice and men, sometimes fate conspires against us.  Jesper isn't able to attend this year because quite simply, he's got a lot on at his day job.  Having had a bit of a busy schedule myself I can completely understand that. 

He sends his best wishes to everyone and apologizes for not being able to come but real life got in the way.  I can say though that he was pretty bummed about it.  Those of you that know Dr. J, he loves his SCUBA diving and we have some great dive spots down here.

Oh well, Maybe next year.  We'll leave a light on for you Jesper.
