June 20, 2008 (IDG News Service) Microsoft's June security updates were bad news for online criminals who make their living stealing password information from online gamers.

The company's Malicious Software Removal Tool -- a program that detects and removes viruses and other undesirable programs from Windows machines -- zapped game password-stealing software from more than 2 million PCs in the first week after it was updated to detect these programs on June 10.

One password stealer, called Taterf, was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September.

[ Read he entire article here at Computer World ]

Those smart guys in Microsoft Patterns and Practices have released the BETA version of their WCF Security guide.  The guide, Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is our Microsoft playbook for Windows Communication Foundation (WCF /"Indigo".)  It shows you how to build secure services using WCF.  It's a compendium of proven practices, product team recommendations, and insights from the field.  It includes end-to-end application scenarios (Web applications / Smart Clients), as well as step-by-step How Tos.  Most importantly it frames out the Web services security space and shows you how to be effective with WCF.

patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF

(Forewords by Nicholas Allen and Rockford Lhotka.)

Download the Guide

· Guide Download: http://www.codeplex.com/WCFSecurityGuide

Contents at a Glance

· Part I - Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA.)

· Part II - WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.

· Part III - Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.

· Part IV - Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.

Chapters

· Ch 01 - Security Fundamentals for Web Services

· Ch 02 - Threats and Countermeasures for Web Services

· Ch 03 - Security Design Guidelines for Web Services

· Ch 04 - WCF Security Fundamentals

· Ch 05 - Authentication, Authorization and Identities in WCF

· Ch 06 - Impersonation and Delegation in WCF

· Ch 07 - Message and Transport Security in WCF

· Ch 08 - WCF Bindings Fundamentals

· Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)

· Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)

· Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)

· Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)

· Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)

· Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)

· Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Reference

· WCF Security Checklist

· WCF Security Guidelines

· WCF Security Practices at a Glance

· WCF Questions and Answers (Q&A)

· How Tos

· WCF Security Resources

External Contributors/Reviewers

· Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam

Microsoft Contributors / Reviewers

· Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

More Information

· Guide site: http://www.codeplex.com/WCFSecurityGuide

· Project Site (Online KB): http://www.codeplex.com/WCFSecurity

· Project updates at J.D. Meier’s blog: http://blogs.msdn.com/jmeier

In a June 2007 report, the U.S Government Accountability Office (GAO) described cybercrime as “having significant economic impacts and a threat to U.S. national security interests”:

· A 2005 FBI survey estimated that U.S. businesses lost $67.2 billion because of cyber crime.

· The estimated losses associated with identity theft in 2006 are $49.3 billion.

As software becomes the target for criminals, it is more critical than ever to make security an integral part of the software development process. Ever since Bill Gates’ 2002 Trustworthy Computing memo Microsoft has been infusing security into its software development lifecycle with the goal of protecting customers by reducing the number and severity of vulnerabilities in code.

Introducing: The Microsoft Security Development Lifecycle (SDL)

The Microsoft SDL is the industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process. . It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server.

Go to www.microsoft.com/sdl to learn more about the Microsoft SDL and how you can leverage SDL resources and best practices to “bake security in” to your software applications.