All posts by Davi Ottenheimer

Microsoft Security Birthday Party

Congratulations to Microsoft. They just announced their one-year birthday for security.

Yes, you read that right. One year of security.

I will try to refrain from any snarky commentary and just join in the celebration. Ok, just one nit: Windows was released in 1985, twenty-five years ago. That sounds like 24 years without security. Even if you go with a “modern” history of Windows you have to start with 95, which was released in…oh, I forget. Must have been around 1996. Seriously, though, I am reminded of a meeting I had with Microsoft around 2004 where the security team said they considered themselves only three years old with less than a dozen staff. That would put them in the XP release generation. They were not essential, however, and that brings me back to the party today.

Happy one-year!

Microsoft Security Essentials Celebrates First Birthday with 30 Million Customers!

According to the Microsoft Malware Protection Center (MMPC), in addition to providing a no-cost security solution to tens of millions of customers that may not have been actively protected before, Microsoft Security Essentials detected nearly 400 million threats over the past year, with customers choosing to remove more than 366 million of those threats. For more information about the specific threat breakdown, please visit the MMPC Blog.

Whoa, 34 million threats sounds like a lot. That’s almost a 10% failure rate (34 of nearly 400 million detections not removed), or roughly one threat left in place per customer across the 30 million install base. Why were they not removed?

Sorry, this is a time to celebrate, not worry…but I still wonder so I went to the MMPC Blog for more information, as suggested.

No detail on the failures is provided. Instead I found data that shows Russia and China have far fewer copies of Security Essentials installed than the other “non-US countries” (that’s an official Microsoft designation, I didn’t make it up).

Quick birthday quiz: how many “non-US countries” are there in the world? 195 – 1 (US country) = 194.

With fewer copies installed the MMPC Blog says China and Russia have many more machines attacked than other “non-US countries”.

Security Essentials is installed all over, but the threats it’s protecting PCs against are far from globally uniform. For example, if you compare the graph of installations above to the chart of machines where Security Essentials detected exploit attacks below, you can see that while China is relatively low on the install base list and Russia came in at number 10 by install base, users are relatively more likely to be attacked via exploits.

Interesting point, except for the fact that I see another possible outcome.

Brazil has the highest level of Security Essentials installed (nearly a million more than the next highest) and yet is only slightly behind China in machines attacked. Same for the United Kingdom.

So if you add Brazil and the UK together you get about the same number of machines attacked (799,763) as China and Russia (841,159) despite having many more systems running Security Essentials. Which tells us what exactly? Will the percentage of attacks go down if more systems have Security Essentials? And back to my original point, why aren’t some infections removed; what does “machine attacked” really mean?

The MMPC blog says attacks are different by region, which could be a big clue.

The Autorun threat family has pulled away from Conficker in Brazil, and the widespread Bancos threat, which is unique to Brazil, entered the top 5. In China, exploit families like ShellCode and CVE-2010-0806 continue to dominate. In the United States, Renos has taken over the top spot from Wimad, the new top rogue threat is FakeSpyPro, and the Java runtime exploits of CVE-2008-5353 are a major problem.

I also wonder if the high rate of deployment in Brazil reflects the giant new Microsoft data-center, or are they talking only about end-user systems.

Happy Birthday!

ISACA Cloud Audit/Assurance Program

Just when you thought it was safe to start your assessment of a cloud, ISACA releases yet one more methodology, which I will call the CCMAAP. The introduction on the ISACA site to CCMAAP is not very clear about how this fits with other assessment projects. It gets called a program, tool, template and road map all in the first sentence.

Objective—The cloud computing audit/assurance review will:

* Provide stakeholders with an assessment of the effectiveness of the cloud computing service provider’s internal controls and security
* Identify internal control deficiencies within the customer organization and its interface with the service provider
* Provide audit stakeholders with an assessment of the quality of and their ability to rely upon the service provider’s attestations regarding internal controls.

It looks quite useful for anyone already using COBIT or wondering how COSO works with a cloud. The first thing that jumps to my mind is that the COBIT mappings look very sparse. Page after page of audit questions have no COBIT reference. Even the CSA has only a few questions without a COBIT reference.

BP to Compete on Security

The new CEO of BP is making a case for security as a competitive advantage. Reuters reports that he ousted his exploration chief as part of a vow to boost safety.

“There is a pressing need to rebuild trust in BP around the world,” [Chief Executive Bob] Dudley added.

Neither in the official or internal statements did Dudley admit that safety failings particular to BP played a role in the oil spill.

Instead, he repeated BP’s position that the disaster highlighted industry shortcomings — a line of argument which has enraged BP’s rivals, who accuse the London-based company of having a weak focus on safety and technical excellence.

I guess as long as BP is part of the industry they are in a well-informed position to talk about its shortcomings.

Abuse of the Body Scanners

The SF Chronicle has been reporting on full body scanners lately. They say 28 airports in the US are scheduled to get them by the end of the year:

The agency is accelerating use of the scanners after the U.S. said Nigerian Umar Farouk Abdulmutallab tried to blow up a Northwest Airlines flight on approach to Detroit Dec. 25 by igniting explosives in his underpants. The 1,000 scanners due at airports by the end of next year will put the devices at more than half the security lanes at major U.S. airports.

Privacy is more than just a theoretical concern, however. allAfrica calls this “Now Showing at MMIA: Nude Images of Passengers”

The 3D full-body scanners procured for thorough body check of passengers at the nation’s major airports for security reasons are now being abused by security officials from the Federal Airports Authority of Nigeria (FAAN), THISDAY can confirm.
They use the machines, installed in the wake of the Farouk AbdulMutallab affair, to watch the naked images of female passengers for fun.

Passengers are not required to use the scanners, despite the TSA investment. A medical-software consultant quoted in the SF Chronicle makes it clear that she will always opt out.

Powell said she will continue to allow extra time before her flights to find the line that won’t force her to walk through the body scanners, even if they are upgraded [with privacy enhancements]. The devices are still capable of transmitting and storing images, she said, and that “is scary.”

Updated to add (28/10/10):

I now make it a regular habit to opt out of the scanners. Each time I am asked “you realize this will take longer” and I say yes. I am not dissuaded.

Given the delays I am subjected to during travel, another delay is no big deal. Losing my privacy is a big deal. Being subjected to harmful rays is also a concern. So, yes, I realize it will take longer but I don’t mind.

Once I was asked to explain myself to management. A weary-looking woman pulled out a pen and paper pad while another TSA agent slowly ran his hands down my legs. She said “I am required to document your reason.” She stared at me with the look of “this better be good”.

“Privacy” I said.

She paused. Then she asked “That’s it? Your reason is privacy?”

“Yes, privacy” I repeated.

She grew a large smile and said “Wow, that’s easy! Great. Some are so long.” Then she let out a small laugh and said “Have a nice day” as she walked away.

Indeed. Nice day.