Microsoft Spy Document

There has been a lot of hoopla about the sharing of a document referred to as “Microsoft Spy”. The actual title is Microsoft Online Services – Global Criminal Compliance Handbook. The really interesting thing here is that this normally sensitive information is out there on the Internet. However, the document just confirms the existence of procedures used at Microsoft to respond to things such as subpoenas and court orders.

A good thing about this Microsoft Spy document is that they give a great overview of Microsoft services, along with the type of information Microsoft collects and how long they keep it. Some of the services listed include email, instant messaging, newsgroups, and Xbox. Registration records are kept for 30 days. Email contents are restricted to emails the user decides to keep on Microsoft servers.

Microsoft always seems to be logging IP addresses. This includes the normal ones such as the IP address of the author of content uploaded to their site. However this also includes the IP address of anybody who posts a comment online. The other surprising fact is that Microsoft will keep a history of the last 10 IP addresses from which you accessed their Windows Live services. Is that big brother watching me now?

This hubbub about the Microsoft record retention is nothing special. They are merely complying with the Electronic Communications Privacy Act (ECPA). There are times when a company is required by law to turn over records. If you have a subpoena or court order, Microsoft will give you the basic info it collects. And if you got a search warrant, Microsoft will turn over all the information it keeps. As long as you realize this and act accordingly, I don’t think you have anything to get excited about.

Dangerous Programming Bugs

MITRE teamed with SANS to compile a list of the top dangers in programming errors. These are holes that developers make which allow hackers to exploit the code. Let's look at some examples.

It is no surprise that SQL injection vectors from not checking input would be high on the list. Buffer overflows are also no big surprise. But have you thought about improper paths for directories specified by users? Who would have thunk it?

Here is a problem that I have seen in a peer's code: They hard code authentication info in the code. WTF? And here is one that I am sometimes guilty of: putting too much sensitive info in an error message.

I think my next project is to demonstrate an example of one of these attack vectors.
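As an added illustration (my own sketch, not code from the MITRE/SANS list), here are two of the bugs named above in Python: a directory path taken from the user without any check, and an error message that leaks server-side detail, each beside a hardened version. The sandbox directory and file names are constructed for the example.

```python
import os
import tempfile

# Constructed sandbox: a "public" directory the application may serve,
# plus a file one level above it that user-supplied paths must never reach.
BASE = tempfile.mkdtemp()
PUBLIC = os.path.join(BASE, "public")
os.makedirs(PUBLIC)
with open(os.path.join(PUBLIC, "readme.txt"), "w") as fh:
    fh.write("public content")
with open(os.path.join(BASE, "secret.txt"), "w") as fh:
    fh.write("not for users")


def read_public_file_unsafe(user_path: str) -> str:
    """The bug: the user's path is joined onto the base directory with no
    check, so '..' segments or an absolute path walk out of the public
    folder, and the raw OSError echoes the full server-side path."""
    with open(os.path.join(PUBLIC, user_path)) as fh:
        return fh.read()


def read_public_file_safe(user_path: str) -> str:
    """Hardened: canonicalise the request and refuse anything that does not
    resolve inside PUBLIC; the client only ever sees a generic message."""
    root = os.path.realpath(PUBLIC)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        # details belong in the server log, not in the response
        raise FileNotFoundError("requested file not available")
    try:
        with open(target) as fh:
            return fh.read()
    except OSError:
        # same generic message: do not echo paths or errno text
        raise FileNotFoundError("requested file not available")


def demo() -> dict:
    """Exercise both versions on a normal name and on a traversal string."""
    results = {
        "unsafe_traversal": read_public_file_unsafe("../secret.txt"),
        "safe_normal": read_public_file_safe("readme.txt"),
    }
    try:
        read_public_file_safe("../secret.txt")
        results["safe_traversal"] = "allowed"
    except FileNotFoundError as exc:
        results["safe_traversal"] = str(exc)
    return results
```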

Protection Against the Zero Day

Zero day threats are becoming a common hack. How do you protect yourself against such holes? You follow best practices and lock down your system. Let's describe specifically what that means.

Don't use a debit card. You put your account at risk. Instead use credit cards. And pay off their balance each month. Check out all weird activity on your statements, even if they are small. Crooks may be testing the waters.

Consider signing up for ID Theft protection. Download and install Microsoft security updates for your Windows operating system. Do the same thing for other software you use. Install and configure both antivirus and antispyware software on your PC.

Don't type your social security number anywhere online. Use strong passwords for everything. Do not click on ads. Skip the porno sites. Lock down Windows. Don't click any links in email. Use a spam blocker.

These things may seem like common sense. Make sure you employ these practices. It will minimize the chance of you being exploited. You will encounter less pain. And that's a good thing.

Zero Day and the Visanet

I skimmed through a book called Zero Day Threat. They define such a threat as one that is so new that no protection against it exists yet. In other words, this is a virus that takes advantage of a hole that has not been patched yet. The most interesting part of the book was the details on the Visanet system. This is a set of processing centers that handle Visa charge transactions.

The authors visited one of the Visanet processing centers. It was a "nondescript" building. That makes sense. You don't want to advertise where your processing centers are. There are 4 such processing centers around the world that make up the Visanet.

The Visanet centers are located in the Western USA, the eastern USA, Europe, and Asia. Locations are nice and spread out to keep the transactions running. Each transaction consists of 1500 bytes. The total transaction takes about 2 seconds to complete. These processing centers do a massive volume of transactions per second. Good stuff.

Next time I plan to talk about precautions you can take to guard against a Zero Day Threat.