Dies UAC give you a rash ?

It does me !!!

It's not that it isn't a good idea - it is. But I really wish I could train it or over ride it.

Maybe in a future Windows version - in the mean time, I'm trying Tweak UAC which provides a "Quiet Mode" for UAC.

[ Click HERE to get Tweak UAC ]

Note: UAC is a Security feature. Strictly speaking "Quiet Mode"  reduces your system's security.

Please checkout the first videos in my new Web Developer's Security Video Series.

http://www.asp.net/learn/security-videos/

I'm hoping to do 100 Videos this year !

PLEASE SEND YOUR REQUESTS !!!

T

Check out this 2 day security brain fest. It happens to be right after Black Hat in Vegas. See you there ?

The LifeCycleSecurity conference was started to provide a venue where professionals in the Application Security industry can learn from each other's experiences.  We will be addressing security from the server to the browser. 

Application Security : We will have topics that address how professionals are creating systems that are resistant to attacks against the web application layer and the systems that support these web applications.

Browser security: With the increase in attacks against browsers such as malware and other attack vectors, protecting your users is more important than ever.  This is increasingly being done with content filtering devices.  The Lifecyclesecurity conference will include several tracks that address techniques that are being used to protect against these browser / content based attacks.

http://www.lifecyclesecurity.com/

While at TechEd 2008 I got to spend some time in the "Fish Bowl" with Georgeo Pulikkathara.

Georgeo interviewed me on Microsoft's Secure Development Lifecycle (SDL) and my upcoming Developer Security Activities.

Please [ click HERE ] to check out Georgeo's blog post and [ Click HERE ] to have a listen to the show.

June 20, 2008 (IDG News Service) Microsoft's June security updates were bad news for online criminals who make their living stealing password information from online gamers.

The company's Malicious Software Removal Tool -- a program that detects and removes viruses and other undesirable programs from Windows machines -- zapped game password-stealing software from more than 2 million PCs in the first week after it was updated to detect these programs on June 10.

One password stealer, called Taterf, was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September.

[ Read he entire article here at Computer World ]

Baseline Magazine [ Click HERE ] has outlined the 5 Big Security Threats that Anti-virus software and firewalls MISS.

1 Trusted Users and Partners

2 Web Application Vulnerabilities

Gartner estimates that 75 percent of today’s attacks are carried out through the application layer.

Many of these application attacks are conducted through quickly coded Web applications, with little or no security baked in.

Yet these Web apps are often connected to some of the most sensitive databases businesses own.

3 Missing Devices

4 Custom Malware

5 Social Engineering

[ CLICK HERE to read the whole article. ]

Those smart guys in Microsoft Patterns and Practices have released the BETA version of their WCF Security guide.  The guide, Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is our Microsoft playbook for Windows Communication Foundation (WCF /"Indigo".)  It shows you how to build secure services using WCF.  It's a compendium of proven practices, product team recommendations, and insights from the field.  It includes end-to-end application scenarios (Web applications / Smart Clients), as well as step-by-step How Tos.  Most importantly it frames out the Web services security space and shows you how to be effective with WCF.

patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF

(Forewords by Nicholas Allen and Rockford Lhotka.)

Download the Guide

· Guide Download: http://www.codeplex.com/WCFSecurityGuide

Contents at a Glance

· Part I - Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA.)

· Part II - WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.

· Part III - Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.

· Part IV - Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.

Chapters

· Ch 01 - Security Fundamentals for Web Services

· Ch 02 - Threats and Countermeasures for Web Services

· Ch 03 - Security Design Guidelines for Web Services

· Ch 04 - WCF Security Fundamentals

· Ch 05 - Authentication, Authorization and Identities in WCF

· Ch 06 - Impersonation and Delegation in WCF

· Ch 07 - Message and Transport Security in WCF

· Ch 08 - WCF Bindings Fundamentals

· Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)

· Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)

· Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)

· Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)

· Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)

· Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)

· Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Reference

· WCF Security Checklist

· WCF Security Guidelines

· WCF Security Practices at a Glance

· WCF Questions and Answers (Q&A)

· How Tos

· WCF Security Resources

External Contributors/Reviewers

· Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam

Microsoft Contributors / Reviewers

· Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

More Information

· Guide site: http://www.codeplex.com/WCFSecurityGuide

· Project Site (Online KB): http://www.codeplex.com/WCFSecurity

· Project updates at J.D. Meier’s blog: http://blogs.msdn.com/jmeier

With more than 100 million Web applications deployed in the world, perhaps fewer than 5 percent of are being tested for security vulnerabilities. We offer three simple steps to help you secure your Web applications

Read Here - Enterprise Systems | Three Steps to Web Application Safety

The PHP 5.2.6 release (download here) corrects at least four documented security flaws of varying severity

In a June 2007 report, the U.S Government Accountability Office (GAO) described cybercrime as “having significant economic impacts and a threat to U.S. national security interests”:

· A 2005 FBI survey estimated that U.S. businesses lost $67.2 billion because of cyber crime.

· The estimated losses associated with identity theft in 2006 are $49.3 billion.

As software becomes the target for criminals, it is more critical than ever to make security an integral part of the software development process. Ever since Bill Gates’ 2002 Trustworthy Computing memo Microsoft has been infusing security into its software development lifecycle with the goal of protecting customers by reducing the number and severity of vulnerabilities in code.

Introducing: The Microsoft Security Development Lifecycle (SDL)

The Microsoft SDL is the industry-leading software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process. . It has led Microsoft to measurable and widely-recognized security improvements in flagship products such as Windows Vista and SQL Server.

Go to www.microsoft.com/sdl to learn more about the Microsoft SDL and how you can leverage SDL resources and best practices to “bake security in” to your software applications.