Wednesday, August 23, 2017

Microsoft perspective on cyber resilience

This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.

In the wake of recent ransomware outbreaks, I wanted to understand how impacted firms have evolved their thinking on cyber resilience planning and implementation. I asked the Detection and Response Team at Microsoft, who help our customers proactively and in real time to respond and recover from cyberattacks, to share their experiences. I’ve included below a few anonymized customer scenarios the team shared with me, which point to the acute need for a cyber resilience plan.

What follows is a reference framework of Microsoft capabilities which can help our customers become more agile in the face of modern attacks. In other words, this post is about mapping the road to cyber resilience.

Why cyber resilience matters

Organizations globally are highly dependent on technology to conduct personal and business-related tasks. As of the end of Q1CY2017, there were over 3.7B Internet users worldwide and this population is growing. As Internet adoption is growing, the attack surface is growing. The current cybersecurity threat landscape creates a real risk to people and assets. Therefore, organizations should maintain a balance between allowing access and managing risk. Commonly, enterprise organizations approach cybersecurity by implementing tools and technologies and personnel for “protection” and “incident response”. While this is important, the root purpose of implementing cybersecurity tools and technologies is business continuity. Enterprise organizations should also be thinking at a strategic level about the “big picture” of how to fortify their critical systems, IT infrastructure, and data centers to stay resilient in the face of human errors and cyberthreats that cause downtime. This is where a cyber resilience strategy comes into play. Organizations need to build a cyber resilience strategy and execute a cyber resilience program specifically tailored to their business needs to ensure business continuity in the event of a security incident.

According to Accenture’s “State of Cybersecurity and Digital Trust”, while 75% of all survey takers say they have high cybersecurity confidence levels, only 37% claim they have confidence in their organization’s ability to monitor for breaches and 36% claim confidence in their ability to minimize disruptions. According to Gartner, the average cost of downtime is USD $5,600 per minute—over USD $300,000 per hour. Human error is the most common contributor to downtime. Some studies conclude that human error accounts for 75% of downtime.

With organizations more reliant on IT than ever before, it is important to acknowledge business continuity and disaster response (BCDR) as a vital component to the entire organization, instead of as an issue that has implications for IT teams only. Every enterprise organization needs to be prepared to handle outages caused by unforeseen events. Downtime of critical applications and services could lead to a stop in productivity and operations, lost revenues, and lower customer confidence in the organization. A strong cyber resilience plan effectively executed can help organizations’ computer systems, IT infrastructure and data centers withstand impact from cyberthreats and human error.

Cyber resilience scenarios

There are many news stories about organizations who have suffered from cyberattacks and/or data breaches. Developing a strategy and taking actions in support of cyber resilience may help reduce the extent and cost of recovery from damage due to such incidents.

Example #1 – Ransomware infecting multiple organizations globally:

Recent ransomware attacks in the first half of 2017 have highlighted the need to be able to access critical IP, systems, and infrastructure even when it’s locked down by ransomware. WannaCry ransomware impacted multiple industries and companies worldwide, including automobile manufacturing plants that had to halt production for some time. Regardless of the motivation of the attack, clearly it resulted in unplanned downtime and recovery costs to impacted companies.

A key takeaway is ransomware can impact any type of organization. Keeping computer systems patched and up-to-date, backing up data regularly, having fully tested disaster recovery plans in place, and providing education on cyberthreats (e.g. phishing and ransomware) to direct employees and contractors can help to at least reduce the extent of damage from such an incident.

Example #2 – Data breaches continue to impact US healthcare industry:

Cyberattacks continue to measurably impact the healthcare industry since cybercriminals who successfully gain access to medical data could use it for conducting fraud or identity theft for lucrative purposes. Also, the personal data often includes information on a patient’s medical history, which may be used in targeted spear-phishing attacks. As of August 9, 2017, the US Department of Health and Human Services’ HIPAA Breach Reporting Tool website – often called the “wall of shame” – showed a total of 2,018 breaches since 2009. The number of individuals affected by health data breaches also has surged in recent years, from 31.5 million as of May 30, 2014, to about 175 million as of August 9, 2017.

There are three key takeaways from these trends and statistics. The first is that healthcare personnel and patients need to be alert to and inform their IT organization of suspicious communications (fraud/phishing emails) and identity theft incidents as much as possible. Another takeaway is that personal health and identification information should not be exposed without an express requirement to share (e.g. for a patient to offer proof of identity for a medical examination or procedure). Further, the use of data classification and information protection solutions can help reduce the impact of exposure by protecting sensitive information across its lifecycle.

Example #3 – Human error led to client information exposure for financial services firm:

Financial services and banking industries, despite putting in place relatively tighter monitoring and controls over their infrastructure and data than other industries, continue to be impacted by data breaches. In early 2017, a financial services firm inadvertently left exposed to the public a database containing sensitive information on thousands of its clients. The company claimed that the incident was due to human error by a 3rd party vendor.

A key takeaway is that it is important for organizations to hold accountable all contractors with access to the organization’s network and data. For instance, this was a major issue that came to light even with the outbreak of the Petya ransomware, in that 3rd party contractors failed to follow organizational cybersecurity policies, which was a root cause of the crisis.

Considerations for a cyber resilience program

To enhance the ability for computer systems, IT infrastructure, and data centers to withstand damages from human error, cyberthreats, and cyberattacks, we suggest enterprise organizations consider a cyber resilience program that leverages the combination of people, processes, and cloud services.

People:

Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber resilient mindset. This includes not only adhering to IT security policies around identity-based access control, but also alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Processes:

Organizations should consider implementing several processes for an effective cyber resilient posture. Some of these can be implemented as IT security policies. Suggested processes include the ones listed in the table below.

Cloud services:

To maintain cyber resilience, the suggested processes should be performed on a regular basis based upon the threshold of the business to handle risk and its ability to operationally execute the processes through a combination of human efforts and technology products and services.

Fortunately, cloud service based architectures can be used to rapidly reconstitute on-premises infrastructure or fail over to a mirrored infrastructure. A key consideration when adopting cloud services is to look at how the provider conducts their assessments and look for 3rd party audits and certifications as examples of how they are performing.

Cloud services such as Microsoft Azure and Office 365 can serve at least as a first step towards helping customers with their cyber resilience needs.

Process

Description

Microsoft Services

Early warning and alerting system Organizations should receive early warning and alerts on suspicious or investigation-worthy electronic information.

Azure:

Azure Security Center automatically collects, analyzes, and integrates log data from your Azure resources, which can be used for eDiscovery.

Office 365:

eDiscovery in Office 365 can be used to search for content in Exchange Online mailboxes, Office 365 Groups, Microsoft Teams, SharePoint Online and sites, and Skype for Business conversations.

Incorporate cyber incidents into disaster recovery and business continuity planning Incorporate cyber incidents into your existing disaster recovery and business continuity planning, and characterize or assign a higher likelihood to these incidents than to traditional acts of nature.

 

Azure:

If you are looking to implement disaster recovery for all your major IT systems—without the expense of secondary infrastructure, Microsoft offers a variety of architectures available to help organizations design and implement secure, highly-available, performant, and resilient solutions on Azure.

Office 365:

Office 365 offerings are delivered by highly resilient systems that help to ensure high levels of service. Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or an incident within a Microsoft data center that renders the entire data center inoperable).

Platform hardening Lock down platform against hacking attempts.

Azure:

From a platform hardening perspective, Microsoft performs our own internal assessments through penetration testing and red teams. Microsoft uses Red Teaming to simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of Microsoft Azure and Office 365. We strive to provide a robust cloud platform that customers can depend on for accessing critical applications and data in a secure manner.

Office 365:

Office 365 is a security-hardened service, designed following the Microsoft Security Development Lifecycle. We bring together best practices from two decades of building enterprise software and managing online services to give you an integrated software-as-a-service solution.

Protect against email cyberthreats Implement security policies for detecting and protecting users from opening email based web links and attachments that are suspicious or malicious (e.g. phishing).

Office 365:

Office 365 Advanced Threat Protection helps protect mailboxes against new, sophisticated attacks in real time. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.

Control access Limit access to data and applications, to reduce risk.

Azure:

Azure Multi-Factor Authentication helps safeguard access to data and applications, and helps to meet customer demand for a simple sign-in process. Get strong authentication with a range of easy verification options—phone call, text message, or mobile app notification—and allow customers to choose the method they prefer.

Office 365:

Multi-Factor Authentication for Office 365 helps secure access to Office 365. It increases the security of user logins for cloud services above and beyond just a password. Users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

Detect and defend against rogue systems Apply conditional access-based security defenses to systems that have gone rogue

Azure:

Conditional access in Azure Active Directory enables you to enforce controls on the access to apps in your environment based on specific conditions. With controls, you can either tie additional requirements to the access or you can block it. The implementation of conditional access is based on policies. A policy-based approach simplifies your configuration experience because it follows the way you think about your access requirements.

Office 365:

Device Health Attestation (DHA) for Office 365 enables enterprises to raise the security bar of their organization to hardware monitored and attested security, with minimal or no impact on operation cost. You can use DHA to assess device health for:

  • Windows 10 and Windows 10 Mobile devices that support TPM 1.2 or 2.0.
  • On-premises devices that are managed by using Active Directory with Internet access, devices that are managed by using Active Directory without Internet access, devices managed by Azure Active Directory, or a hybrid deployment using both Active Directory and Azure Active Directory.
Vulnerability assessment Learn about vulnerabilities in order of severity to be able to focus mitigation efforts on those presenting the most risk to the organization

Azure:

The vulnerability assessment in Azure Security Center is part of the Security Center virtual machine (VM) recommendations. If Security Center doesn’t find a vulnerability assessment solution installed on your VM, it recommends that you install one.

Software updates and patching Continuously patch vendor software as new updates become available to help reduce probability of attack or at least mitigate damage incurred.

 

Azure:

Hosting applications in Microsoft Azure not only alleviates management of systems for companies. It also helps with system updates and keeping servers up to date. As new security vulnerabilities are identified, Microsoft will automatically apply updates to Microsoft Azure roles (if configured to do so). Admins can choose to have Microsoft keep their roles (instances) up to date and apply these updates when they are available, thereby eliminating a tremendous administrative effort for the company.

Office 365:

Microsoft Office 365 ProPlus software can receive updates automatically from the Internet or from an on-premises location (based on organization’s preference).

Identification-based access control Protect access to applications and resources end-to-end: across the corporate datacenter and into the cloud.

 

Azure:

Microsoft identity and management solutions enable you to centrally manage identities across your datacenter and the cloud:

  • Azure Active Directory cloud identity and access management solutions – get single sign-on to thousands of cloud apps and access to web apps that you run on-premises with Azure Active Directory Premium. Built for ease of use, Azure Active Directory management tools enable collaboration and deliver holistic identity protection and adaptive access control.
  • Azure Active Directory B2C – cloud identity service allows you to connect to any customer. Governments and enterprises worldwide are using this service to serve their applications to their citizens and customers with fully customizable experiences, while protecting their identities at the same time.

Office 365:

Office 365 uses Azure Active Directory cloud based user authentication service to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

  • Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it’s all done in the cloud.
  • Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.
  • Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on.
Regular data backups Back up data in case your organization is impacted by ransomware or other cyberthreats.

Azure:

Azure Backup enables protection for hybrid backups via prevention, alerting, and recovery features.

Office 365:

OneDrive for Business is an integral part of Office 365, and provides place in the cloud where you can store, share, and sync work files. It also allows for incremental restoration of files.

Protection of administrative credentials Secure administrative credentials from compromise and misuse.
  • Microsoft Cloud Services, including Azure and Office 365, are built on a foundation of trust and security. The following and many other principles apply to our cloud services:
  • Microsoft provides you security controls and capabilities to help you protect your data and applications.
  • You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control.

How Microsoft partners with the ecosystem

Cyber resiliency is not a problem we can address alone. Our commitment is to make sure our products work with technology our customers already use. Microsoft is fostering a vibrant ecosystem of partners who help us raise the bar across the industry. Through our technology partner network, we can offer proactive vulnerability tools as well as more feature rich solutions like application firewall and threat detection to customers. We also collaborate extensively with customers and industry standards bodies to help us meet specific customer cyber resiliency needs and industry regulations. Microsoft has been working with the Center for Internet Security (CIS) to demonstrate that our operating systems and most recently, our cloud platform, Azure, have been hardened against cyberthreats. We are working towards getting Azure to pass the CIS Benchmark requirements. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. Also, Microsoft is actively working to align our offerings with the SANS Critical Security Controls set of recommendations, which organizations use to prepare for the most important actual threats that exist in today’s Internet world.

Summary

Developing and executing a cyber resilience program is not trivial – it is a journey, not a destination. It requires organizational focus, commitment, and effort. For additional, detailed guidance on this topic, stay tuned for a white paper to be published later this year.


Ann Johnson, Vice President
Enterprise & Cybersecurity

Ann Johnson leads Enterprise & Cybersecurity at Microsoft. Her organization empowers global enterprises to confidently move to the cloud by modernizing their architectures for maximum business agility and security. Ann is a recognized industry leader with a proven track record for building and leading high-performing global enterprise software go-to-market teams. Ann has a background in cybersecurity, infrastructure and storage and is a frequent speaker on topics of online banking fraud, information security, healthcare security, mobile security, workforce diversity, privacy and compliance. She currently serves on the board of the Security Advisor Alliance and as Board Advisor to the biometric security firm HYPR.



from Microsoft Secure Blog Staff

[SANS ISC] Malicious script dropping an executable signed by Avast?

I published the following diary on isc.sans.org: “Malicious script dropping an executable signed by Avast?“.

Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: “Venho por meio desta solicitar orçamento dos produtos” (“I hereby request the products budget”). There was one attached ZIP archive: PanilhaOrcamento.zip… [Read more]

[The post [SANS ISC] Malicious script dropping an executable signed by Avast? has been first published on /dev/random]



from Xavier

Tuesday, August 22, 2017

"Charts Like This is Why Information Security is Failing"

I recently saw this chart being shared on LinkedIn. I do not who developed the chart, nor is this a personal attack, but it is approaches like this why information security will never succeed. People were promoting this chart as a great reference on how to secure critical data. The overall approach is to identify … Continue reading Charts Like This is Why Information Security is Failing

from lspitzner

[SANS ISC] Defang all the things!

I published the following diary on isc.sans.org: “Defang all the things!“.

Today, I would like to promote a best practice via a small Python module that is very helpful when you’re dealing with suspicious or malicious URLs. Links in documents are potentially dangerous because users can always click by mistake on them. Many automated tools and scripts are processing documents to fetch links. Even if the original document does not provide dynamic links, many applications will detect them and change them to real links… [Read more]

[The post [SANS ISC] Defang all the things! has been first published on /dev/random]



from Xavier

Who’s Blocked by Bad Guys?

Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, they deploy a .htaccess file to achieve this. Today, I found a phishing kit related to a bank (ANZ) with such protection. But, in this case, the attackers took the time to comment out the blocked IP addresses and user-agents. Note that they also prevent other malicious traffic (like bots) to reach them. Very interesting! Want to know who’s blocked? Have a look at the file:

<Limit GET POST>
order allow,deny
deny from 209.85.32.23 # totaldomaindata (checkmark)
deny from 66.205.64.22
deny from 98.247.136.154
deny from 178.25.218.88
deny from 98.247.136.154
deny from 63.229.4.212
deny from 66.135.207.155
deny from 66.77.136.153
deny from 64.122.169.98
deny from 54.217.8.129
deny from 38.100.21.113
deny from 96.47.226.21
deny from 54.197.81.106
deny from 68.168.131.216
deny from 65.17.253.220
deny from 78.151.209.28
deny from 66.135.207.155
deny from 207.102.138.158
deny from 209.139.197.125
deny from 66.77.136.153
deny from 66.77.136.123
deny from 72.64.146.136
deny from 124.178.234.95
deny from 67.15.182.35
deny from 203.68. # taiwan academic network
deny from 218.58.124. # china jpg giftsite spammer
deny from 218.58.125.
deny from 62.194.7. # NE spambot
deny from 85.17.6. # netherlands
deny from 194.213. # czech norway sweden etc
deny from 64.27.2.18 # SEO masked as SE
deny from 64.27.2.19 # SEO masked as SE
deny from 212.187.116. # clown from Netherlands siphoning bible site
deny from 84.87. # clown from Netherlands siphoning bible site
deny from 222.252. # vietnam spammer
deny from 203.160.1. # vietnam spammer
deny from 82.60.1. # spamming Italy block
deny from 68.46.186.93 # clown on comcast
deny from 65.254.33.130 # unknown spain bot
deny from 82.131.195. # hungarian BS bot
deny from 217.153. # poland
deny from 202.108.252. # repeated merch spam!
deny from 82.208. # czech russia romania etc
deny from 193.47.80.41 # BW sucking bot
deny from 66.234.139.194 # bogus crawler
deny from 80.96. # romania
deny from 66.232.98.76 # unknown bot
deny from 38.112.6.182 # cosmixcorp.com
deny from 82.165.252.147 # unknown Java BW waster
deny from 67.79.102.28 # blacklisted spammer
deny from 220.181.26. # sohu bot
deny from 64.62.136.196 # unknown stealth bot
deny from 62.163. # netherlands
deny from 195.113. # czech
deny from 213.185.106. # nigeria
deny from 213.185.107. # nigeria
deny from 67.184.49.166 # blacklisted IP
deny from 219.95. # malaysia
deny from 66.221.106.76 # mydropbox.com
deny from 81.93.165. # norway bot
deny from 81.223.254. # austrian bs bot
deny from 87.123.74. # patwebbot
deny from 62.193.213. # french BS bot
deny from 86.120. # romania
deny from 86.121.
deny from 86.122.
deny from 86.123.
deny from 86.124.
deny from 86.125.
deny from 86.126.
deny from 86.127.
deny from 220.194.54. # BS bandwidth wasting bot
deny from 210.51.167. # BS bot
deny from 204.14.48. # stealth bots webhost etc
deny from 66.180.170.47 # development bot
deny from 217.160.75.202 # bot rips way too fast
deny from 84.12.54.237 # unknown clown UK
deny from 65.19.154.24 # stealth bandwidth hog
deny from 216.32.73.122 # stealth bot
deny from 63.160.77.236 # stealth bot
deny from 12.44.181.220 # unknown bot
deny from 12.44.172.92 # stealth bot
deny from 139.18.2. # findlinks bot
deny from 70.85.193.178 # unknown bot
deny from 82.80. # israel
deny from 82.81.
deny from 213.180.128. # poland
deny from 213.180.129.
deny from 213.180.130.
deny from 213.180.131.
deny from 66.150.55.230 # findwhat.com stealth bot
deny from 67.15.175.114 # unknown bot
deny from 217.113.244.119 # spanish SE
deny from 194.224.199. # private spanish server
deny from 81.19.66. # russia
deny from 213.176.126. # iran
deny from 208.223.208.181 # security-lab1.juniper.net
deny from 208.223.208.182
deny from 208.223.208.183
deny from 208.223.208.184
deny from 208.223.208.185
deny from 67.167.114.21 # BS law-x.com scraper site bot
deny from 194.44.42. # ukraine
deny from 209.203.192. # Expedite Marketing
deny from 209.203.193.
deny from 209.203.194.
deny from 209.203.195.
deny from 209.203.196.
deny from 209.203.197.
deny from 209.203.198.
deny from 209.203.199.
deny from 209.203.200.
deny from 209.203.201.
deny from 209.203.202.
deny from 209.203.203.
deny from 209.203.204.
deny from 209.203.205.
deny from 209.203.206.
deny from 209.203.207.
deny from 64.62.175. # unknown bandwidth sucker
deny from 219.136.171. # china unknown bot
deny from 216.150.24.122 # sonicleads.com spambot
deny from 216.150.24.123
deny from 210.14.32. # annoying philipines spammer
deny from 220.132.126. # taiwan useragent = 3
deny from 66.194.6. # websense.com bandwidth waster
deny from 12.17.130.27 # sitesucker
deny from 65.164.129.91
deny from 207.155.199.163
deny from 208.252.91.3
deny from 198.54. # south africa scams, spam, etc
deny from 66.132.132.63 # securityspace.com
deny from 81.18.32. # nigeria
deny from 81.18.33.
deny from 81.18.34.
deny from 81.18.35.
deny from 81.18.36.
deny from 81.18.37.
deny from 81.18.38.
deny from 81.18.39.
deny from 81.18.40.
deny from 81.18.41.
deny from 81.18.42.
deny from 81.18.43.
deny from 81.18.44.
deny from 81.18.45.
deny from 81.18.46.
deny from 81.18.47.
deny from 192.115.134. # Israel, hacker heaven
deny from 65.11.200.242 # direct revenue bot
deny from 65.75.128.30 # fotopages.com
deny from 204.8.168. # gator.com
deny from 204.8.169.
deny from 204.8.170.
deny from 204.8.171.
deny from 64.152.73.
deny from 66.111.48.80 # spambot from russia
deny from 68.211.2.61 # clown using site copier on books
deny from 64.42.84.70 # addresses.com spambot
deny from 67.127.13.70 # clown hitting with gethtmlcontents3 from secure site
deny from 80.230. # israel
deny from 80.250.32. # nigeria
deny from 80.250.33.
deny from 80.250.34.
deny from 80.250.35.
deny from 80.250.36.
deny from 80.250.37.
deny from 80.250.38.
deny from 80.250.39.
deny from 80.250.40.
deny from 80.250.41.
deny from 80.250.42.
deny from 80.250.43.
deny from 80.250.44.
deny from 80.250.45.
deny from 80.250.46.
deny from 80.250.47.
deny from 69.28.130. # quepasa.com
deny from 213.8. # israel
deny from 64.42.105. # unknown speed bot
deny from 141.85. # romania
deny from 128.238.55. # polybot
deny from 67.68.89. # unknown masking bot
deny from 66.36.242.25 # unknown bot
deny from 81.199. # israel nigeria etc
deny from 195.111. # hungary
deny from 192.115.106. # clown from Israel speed downloading
deny from 204.94.59. # brandimensions.com bandwidth waster
deny from 12.209.181.242 # speed ripping unknown agent
deny from 217.73. # romania ukraina russia etc
deny from 217.218. # iran
deny from 217.219. # iran
deny from 216.53.84.61 # mail.mccarter.com
deny from 169.132.149.100 # www.mccarter.com - new jersey law firm
deny from 213.226.16. # bulgaria
deny from 216.252.167. # idiot from Ghana demands free merch for many emails
deny from 65.102. # WebContent Internatioanl
deny from 216.163.255.1 # rpa.metlife.com bored employees
deny from 67.127.164.125 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 69.61.12.100 # spambot from servershost.net
deny from 69.61.12.101
deny from 66.246.43.167
deny from 64.124.14. # markmonitor.com
deny from 38.144.36.11 # allresearch.com
deny from 38.144.36.12
deny from 38.144.36.13
deny from 38.144.36.14
deny from 38.144.36.15
deny from 38.144.36.16
deny from 38.144.36.17
deny from 206.28.72. # gettyimages.com bandwidth waster
deny from 206.28.73.
deny from 206.28.74.
deny from 206.28.75.
deny from 206.28.76.
deny from 206.28.77.
deny from 206.28.78.
deny from 206.28.79.
deny from 209.73.228.160 # allresearch.com
deny from 209.73.228.161
deny from 209.73.228.162
deny from 209.73.228.163
deny from 209.73.228.164
deny from 209.73.228.165
deny from 209.73.228.166
deny from 209.73.228.167
deny from 209.73.228.168
deny from 209.73.228.169
deny from 209.73.228.170
deny from 209.73.228.171
deny from 209.73.228.172
deny from 209.73.228.173
deny from 209.73.228.174
deny from 209.73.228.175
deny from 158.108. # thailand university
deny from 168.187. # kuwait ministry of communications
deny from 168.188. # korea university
deny from 66.207.120.221 # net-sweeper.com
deny from 66.207.120.222
deny from 66.207.120.223
deny from 66.207.120.224
deny from 66.207.120.225
deny from 66.207.120.226
deny from 66.207.120.227
deny from 66.207.120.228
deny from 66.207.120.229
deny from 66.207.120.230
deny from 66.207.120.231
deny from 66.207.120.232
deny from 66.207.120.233
deny from 66.207.120.234
deny from 66.207.120.235
deny from 167.24. # usaa.com and wastemylife.com p3p client
deny from 192.118.48.247 # icomverse.com (Israel, hacker heaven)
deny from 192.118.48.248
deny from 192.118.48.249
deny from 67.209.128. # clown from TX, wastes bandwidth, abusive feedback
deny from 12.148.209. # NameProtect.com bandwidth waster
deny from 12.148.196. # NameProtect.com bandwidth waster
deny from 212.19.205. # clown from Netherlands impersonating Webcrawler!
deny from 206.190.171.172 # markwatch.com bandwidth waster (4 IPs)
deny from 206.190.171.173
deny from 206.190.171.174
deny from 206.190.171.175
deny from 211.157.
deny from 211.74.
deny from 64.14.202.182
deny from 213.219.11.19
deny from 193.220.178. # abusive crawler from Benin
deny from 24.77.178.1 # abusive OK cable user
deny from 68.65.53.71 # unknown user (java1.4.0_03) slowly crawling whole site!
deny from 198.26.120.13 # unknown .MIL user (keeps hitting one page over and over!)
deny from 63.148.99. # Cyveillance.com bandwidth waster
deny from 65.118.41. # Cyveillance.com bandwidth waster
deny from 192.116.85. # abusive crawler, no ref, no ua, Israel?
deny from 62.119.21. # sweden including picsearch.com bot
deny from 80.179.100. # Israeli bot
deny from 80.248.64.50 # guestbook spambot
deny from 64.106.213. # some clown in Jersey, Russian name, hammering links page
deny from 62.220.103. # Iran
allow from all
</Limit>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^-?$ [NC,OR] # blank user-agent
RewriteCond %{HTTP_USER_AGENT} "addresses\.com" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "agnitum" [NC,OR] # firewall sw from Cyprus
RewriteCond %{HTTP_USER_AGENT} aipbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alkaline [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "almaden" [NC,OR] # IBM unknown crawler
RewriteCond %{HTTP_USER_AGENT} amfibi [NC,OR] # spanish SE
RewriteCond %{HTTP_USER_AGENT} "anarchie" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} anonymous [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "applewebkit" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "art-online" [NC,OR] # France SE
RewriteCond %{HTTP_USER_AGENT} arikus [NC,OR] # voxel.net webhost
RewriteCond %{HTTP_USER_AGENT} "aspseek" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} baidu [NC,OR] # chinese language SE
RewriteCond %{HTTP_USER_AGENT} "blackbox" [NC,OR] # HTML to JPG converter
RewriteCond %{HTTP_USER_AGENT} "bordermanager" [NC,OR] # Novell network controller iow workers goofing off
RewriteCond %{HTTP_USER_AGENT} botswana [NC,OR] # Unknown Agent
RewriteCond %{HTTP_USER_AGENT} "bravobrian" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} bruinbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} btbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "caddbot" [NC,OR] # classified ad bot
RewriteCond %{HTTP_USER_AGENT} ccubee [NC,OR] # czech crawler
RewriteCond %{HTTP_USER_AGENT} cfetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cfnetwork [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cherry.?picker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} cjnetworkquality [NC,OR] # cj.com bot
RewriteCond %{HTTP_USER_AGENT} claria [NC,OR] # gator.com
RewriteCond %{HTTP_USER_AGENT} combine [NC,OR] # swedish harvester
RewriteCond %{HTTP_USER_AGENT} contactbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} convera [NC,OR] # convera.com
RewriteCond %{HTTP_USER_AGENT} ConveraCrawler [NC,OR] # convera.com
RewriteCond %{HTTP_USER_AGENT} cosmos [NC,OR] # xyleme.com bot
RewriteCond %{HTTP_USER_AGENT} cowbot [NC,OR] # korean naver bot
RewriteCond %{HTTP_USER_AGENT} cuill [NC,OR] # www.cuill.com
RewriteCond %{HTTP_USER_AGENT} crescent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} dattatec [NC,OR] # argentina bot
RewriteCond %{HTTP_USER_AGENT} deepak [NC,OR] # research bot from California
RewriteCond %{HTTP_USER_AGENT} dloader [NC,OR] # unknown downloader
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d " [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "DTS Agent" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^download" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} diamond [NC,OR] # gator.com
RewriteCond %{HTTP_USER_AGENT} dtaagent [NC,OR] # bot grabs too fast
RewriteCond %{HTTP_USER_AGENT} dumbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} easydl [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} e?mail.?(collector|magnet|reaper|siphon|sweeper|harvest|collect|wolf) [NC,OR] # spambots
RewriteCond %{HTTP_USER_AGENT} "Educate Search" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} ejupiter [NC,OR] # pathetic SE
RewriteCond %{HTTP_USER_AGENT} entrieva [NC,OR]
RewriteCond %{HTTP_USER_AGENT} exava.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} experimental [NC,OR]
RewriteCond %{HTTP_USER_AGENT} expired [NC,OR]
RewriteCond %{HTTP_USER_AGENT} express [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} extractor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} faxobot [NC,OR] # faxo.com
RewriteCond %{HTTP_USER_AGENT} "Fetch API Request" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "fast firstpage retriever" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "fetchbook\.info" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} findexa [NC,OR] # norway SE
RewriteCond %{HTTP_USER_AGENT} findlinks [NC,OR] # german experimental bot
RewriteCond %{HTTP_USER_AGENT} findwhat [NC,OR]
RewriteCond %{HTTP_USER_AGENT} flashget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} FlickBot [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Franklin Locator" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} gais [NC,OR] # Chinese SE
RewriteCond %{HTTP_USER_AGENT} gazz/ [NC,OR] # Japanese language bot
RewriteCond %{HTTP_USER_AGENT} geobot [NC,OR] # spain bot
RewriteCond %{HTTP_USER_AGENT} gethtmlcontent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} getright [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} girafabot [NC,OR] # girafa.com SE thingy
RewriteCond %{HTTP_USER_AGENT} giveramp [NC,OR]
RewriteCond %{HTTP_USER_AGENT} go.?zilla [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} gonzo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} grabber [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "green research" [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} "green research, inc." [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} gulper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} harvest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} hloader [NC,OR] # unknown downloader
RewriteCond %{HTTP_USER_AGENT} hoowwwer [NC,OR] # finnish SE
RewriteCond %{HTTP_USER_AGENT} html2jpg [NC,OR] # HTML to JPG converter
RewriteCond %{HTTP_USER_AGENT} htmlparser [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "http generic" [NC,OR] # Unknown agent
RewriteCond %{HTTP_USER_AGENT} httpclient [NC,OR] # OD Webdown
RewriteCond %{HTTP_USER_AGENT} httprequest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} httrack [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} ia_archiver [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ichiro [NC,OR] # Japanese language bot (see gazz)
RewriteCond %{HTTP_USER_AGENT} "ie plagin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ie plugin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} imagefetch [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "Industry Program" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "^internet explorer$" [NC,OR] # BS agent
RewriteCond %{HTTP_USER_AGENT} ineturl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} innerprise [NC,OR] # innerprise.net
RewriteCond %{HTTP_USER_AGENT} irlbot [NC,OR] # research bot
RewriteCond %{HTTP_USER_AGENT} ithenticate [NC,OR] # iThenticate spybot
RewriteCond %{HTTP_USER_AGENT} iupui [NC,OR] # Unknown research (spam?) bot
RewriteCond %{HTTP_USER_AGENT} java [NC,OR] # generic textbook bots
RewriteCond %{HTTP_USER_AGENT} jetbot [NC,OR] # Unknown private SE
RewriteCond %{HTTP_USER_AGENT} joedog [NC,OR]
RewriteCond %{HTTP_USER_AGENT} k2spider [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} kuloko [NC,OR] # kuloko.com
RewriteCond %{HTTP_USER_AGENT} lanshan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lcabotaccept [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} larbin [NC,OR] # unknown (spambot)
RewriteCond %{HTTP_USER_AGENT} lapozz [NC,OR] # BS hungarian bot
RewriteCond %{HTTP_USER_AGENT} law-x [NC,OR] # scraper site bot
RewriteCond %{HTTP_USER_AGENT} linksmanager [NC,OR] # linksmanager.com spambot
RewriteCond %{HTTP_USER_AGENT} linkwalker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} lmcrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lmqueuebot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} loopimprovements [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp\:\:simple" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp-trivial" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Mac Finder" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "mister pix" [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "missauga" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "missigua" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} madlyrics [NC,OR] # Winamp downloader
RewriteCond %{HTTP_USER_AGENT} marvin [NC,OR] # danish/whoever bot
RewriteCond %{HTTP_USER_AGENT} microsoftprototypecrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} minirank [NC,OR]
RewriteCond %{HTTP_USER_AGENT} miva [NC,OR]
RewriteCond %{HTTP_USER_AGENT} mizzu [NC,OR] # Mizzu Labs bot
RewriteCond %{HTTP_USER_AGENT} mj12 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} majestic [NC,OR]
RewriteCond %{HTTP_USER_AGENT} mogren [NC,OR] # russian bot
RewriteCond %{HTTP_USER_AGENT} "mozilla\(ie compatible\)" [NC,OR] # BS agent
RewriteCond %{HTTP_USER_AGENT} MSIECrawler [NC,OR] # IE's "make available offline" mode
RewriteCond %{HTTP_USER_AGENT} MSFrontPage [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} msrbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} msproxy [NC,OR] # discontinued proxy software
RewriteCond %{HTTP_USER_AGENT} msx [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} mvaclient [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "my session" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} "NASA Search" [NC,OR] # bogus clown on comcast
RewriteCond %{HTTP_USER_AGENT} netresearchserver [NC,OR]
RewriteCond %{HTTP_USER_AGENT} netsprint [NC,OR]
RewriteCond %{HTTP_USER_AGENT} netwhat [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nextgensearch [NC,OR] # BW waster
RewriteCond %{HTTP_USER_AGENT} nusearch [NC,OR] # spider OD
RewriteCond %{HTTP_USER_AGENT} nutch [NC,OR] # experimental bot
RewriteCond %{HTTP_USER_AGENT} ocelli [NC,OR] # www.globalspec.com
RewriteCond %{HTTP_USER_AGENT} offline [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} omniexplorer [NC,OR] # useless bot
RewriteCond %{HTTP_USER_AGENT} "onsinn.de" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} outfoxbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nameprotect [NC,OR] # NameProtect spybot
RewriteCond %{HTTP_USER_AGENT} naver [NC,OR] # Korean robot
RewriteCond %{HTTP_USER_AGENT} net.?(ants|mechanic|spider|vampire|zip) [NC,OR] # ODs
RewriteCond %{HTTP_USER_AGENT} netcaptor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} nicebot [NC,OR] # stealth bot
RewriteCond %{HTTP_USER_AGENT} nicerspro [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ninja [NC,OR] # Download Ninja OD
RewriteCond %{HTTP_USER_AGENT} nobody [NC,OR] # Unknown Agent
RewriteCond %{HTTP_USER_AGENT} noxtrum [NC,OR] # spanish private server
RewriteCond %{HTTP_USER_AGENT} NPBot [NC,OR] # NameProtect spybot
RewriteCond %{HTTP_USER_AGENT} "\ obot" [NC,OR] # Unknown bot
RewriteCond %{HTTP_USER_AGENT} "^obot$" [NC,OR] # Unknown bot
RewriteCond %{HTTP_USER_AGENT} openfind [NC,OR] # taiwan bot
RewriteCond %{HTTP_USER_AGENT} panopy [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} patwebbot [NC,OR] # bs bot from germany
RewriteCond %{HTTP_USER_AGENT} peerfactor [NC,OR]
RewriteCond %{HTTP_USER_AGENT} pipeline [NC,OR] # cable account based SE
RewriteCond %{HTTP_USER_AGENT} plink [NC,OR] # stealth bot
RewriteCond %{HTTP_USER_AGENT} "program shareware" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} plantynet [NC,OR] # Korean bot
RewriteCond %{HTTP_USER_AGENT} "poe-component-client" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "polybot" [NC,OR] # cis.poly.edu
RewriteCond %{HTTP_USER_AGENT} psbot [NC,OR] # Picture Downloader
RewriteCond %{HTTP_USER_AGENT} picsearch [NC,OR] # Picture Downloader
RewriteCond %{HTTP_USER_AGENT} qarp [NC,OR]
RewriteCond %{HTTP_USER_AGENT} qcreep [NC,OR] # quepasa in disguise
RewriteCond %{HTTP_USER_AGENT} quepasa [NC,OR] # SouthAmerican bot
RewriteCond %{HTTP_USER_AGENT} "safari" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^sew$" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} rampybot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} research [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sbider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} schibstedsok [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "scientec.de" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} scspider [NC,OR] # SpamBot
RewriteCond %{HTTP_USER_AGENT} scumbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} search-o-rama [NC,OR]
RewriteCond %{HTTP_USER_AGENT} searchsight [NC,OR]
RewriteCond %{HTTP_USER_AGENT} searchwarp [NC,OR]
RewriteCond %{HTTP_USER_AGENT} seekbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} seznambot [NC,OR] # czech bot
RewriteCond %{HTTP_USER_AGENT} shim-crawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} siphon [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sitemapper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sitesell [NC,OR]
RewriteCond %{HTTP_USER_AGENT} skywalker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sleuth [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SlySearch [NC,OR] # SlySearch spybot
RewriteCond %{HTTP_USER_AGENT} snagger [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} societyrobot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "sohu agent" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} sohu-search [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} sonicquest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} spider_pro [NC,OR] # innerprise.net
RewriteCond %{HTTP_USER_AGENT} spiderku [NC,OR]
RewriteCond %{HTTP_USER_AGENT} spiderman [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sproose [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sqworm [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} stackrambler [NC,OR] # russian bot
RewriteCond %{HTTP_USER_AGENT} steeler [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} SurveyBot [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} szukacz [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} tcf [NC,OR]
RewriteCond %{HTTP_USER_AGENT} tele(port|soft) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "test/0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "test1" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "test 1" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "test rig" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "tsw bot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} terrawiz [NC,OR] # India SE
RewriteCond %{HTTP_USER_AGENT} trademark [NC,OR] # bandwidth waster trademarktracker.com
RewriteCond %{HTTP_USER_AGENT} transgenikbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Turnitin [NC,OR] # Turnitin spybot
RewriteCond %{HTTP_USER_AGENT} twiceler [NC,OR] # www.cuill.com
RewriteCond %{HTTP_USER_AGENT} twotrees [NC,OR] # willow internet crawler
RewriteCond %{HTTP_USER_AGENT} "under the rainbow" [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} "unknown origin" [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} unchaos [NC,OR] # SE that spams web logs
RewriteCond %{HTTP_USER_AGENT} url2file [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} usyd-nlp [NC,OR] # research spider
RewriteCond %{HTTP_USER_AGENT} "vb openurl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} visvo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} votay [NC,OR]
RewriteCond %{HTTP_USER_AGENT} voyager [NC,OR]
RewriteCond %{HTTP_USER_AGENT} w3crobot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} w3mir [NC,OR] # site copier
RewriteCond %{HTTP_USER_AGENT} wbdbot [NC,OR] #sky.siraza.net
RewriteCond %{HTTP_USER_AGENT} weasel [NC,OR]
RewriteCond %{HTTP_USER_AGENT} weazel [NC,OR]
RewriteCond %{HTTP_USER_AGENT} web.?(auto|bandit|collector|copier|devil|downloader|fetch|hook|mole|miner|mirror|reaper|sauger|sucker|site|snake|stripper|weasel|zip) [NC,OR] # ODs
RewriteCond %{HTTP_USER_AGENT} webclipping [NC,OR] # bandwidth waster webclipping.com
RewriteCond %{HTTP_USER_AGENT} webbug [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webcollage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webindexer [NC,OR] # development bot
RewriteCond %{HTTP_USER_AGENT} webpix [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webrace [NC,OR] # crawler
RewriteCond %{HTTP_USER_AGENT} webspider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} websquash [NC,OR] # SEO
RewriteCond %{HTTP_USER_AGENT} "wells search" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "wep search" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} wget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} wise-guys.nl [NC,OR] # Clown in NL
RewriteCond %{HTTP_USER_AGENT} "www.abot.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} xirq [NC,OR]
RewriteCond %{HTTP_USER_AGENT} yottashopping [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zao/ [NC,OR] # experimental Japan crawler
RewriteCond %{HTTP_USER_AGENT} zedzo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zspider [NC,OR]
RewriteCond %{HTTP_REFERER} iaea.org [NC,OR] # spam bot
RewriteCond %{HTTP_REFERER} wizard.yellowbrick.oz [NC,OR] # spam bot
RewriteCond %{HTTP_REFERER} brandimensions [NC,OR] # bandidth waster
RewriteCond %{HTTP_REFERER} imgurl= [NC,OR]
RewriteCond %{HTTP_REFERER} imgrefurl= [NC,OR]
RewriteCond %{REMOTE_ADDR} ^193.95.([1-2][0-9][0-9]). [NC,OR] # slovenia etc
RewriteCond %{REMOTE_ADDR} ^203.147.([0-4][0-9]). [NC,OR] # thailand
RewriteCond %{REMOTE_ADDR} ^80.87.([3-9][0-9]). [NC,OR] # ghana russia etc
RewriteCond %{REMOTE_ADDR} ^80.88.(1[0-5][0-9]). [NC,OR]
RewriteCond %{REMOTE_ADDR} ^203.87.(1[2-9][0-9]). [NC,OR] # philippines
RewriteCond %{REMOTE_ADDR} ^218.(1[0-9][0-9]). [NC,OR] # china korea
RewriteCond %{REMOTE_ADDR} ^211.([1-9][0-9]). [NC,OR] # china korea
RewriteCond %{REMOTE_ADDR} ^66.150.55.(2[2-3][0-9]). [NC,OR] # findwhat.com stealth bot
RewriteCond %{REMOTE_ADDR} ^64.110.([4-9][0-9]). [NC,OR]
RewriteCond %{REMOTE_ADDR} ^64.110.(1[0-8][0-9]). [NC]
RewriteRule .* - [F,L]
Options -Indexes

 

[The post Who’s Blocked by Bad Guys? has been first published on /dev/random]



from Xavier

Thursday, August 17, 2017

Microsoft Security Intelligence Report Volume 22 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at www.microsoft.com/sir.

This new volume of the report includes threat data from the first quarter of 2017. The report also provides specific threat data for over 100 countries/regions. As mentioned in a recent blog, using the tremendous breadth and depth of signal and intelligence from our various cloud and on-premises solutions deployed globally, we investigate threats and vulnerabilities and regularly publish this report to educate enterprise organizations on the current state of threats and recommended best practices and solutions.

In this 22nd volume, we’ve made two significant changes:

  • We have organized the data sets into two categories, cloud and endpoint. Today, most enterprises now have hybrid environments and it’s important to provide more holistic visibility.
  • We are sharing data from a shorter time period, one quarter (January 2017 – March 2017), instead of the typical six months, as we shift our focus to delivering improved and more frequent updates in the future.

The threat landscape is constantly changing. Going forward, we plan to improve how we share the insights, and plan to share data on a more frequent basis – so that you can have more timely visibility into the latest threat insights. We are committed to continuing our investment in researching and sharing the latest security intelligence with you, as we have for over a decade. This shift in our approach is rooted in a principle that guides Microsoft technology investments: to leverage vast data and unique intelligence to help our customers respond to threats faster.

Here are 3 key findings from the report:

As organizations migrate more and more to the cloud, the frequency and sophistication of attacks on consumer and enterprise accounts in the cloud is growing.

  • There was a 300 percent increase in Microsoft cloud-based user accounts attacked year-over-year (Q1-2016 to Q1-2017).
  • The number of account sign-ins attempted from malicious IP addresses has increased by 44 percent year over year in Q1-2017.

Cloud services such as Microsoft Azure are perennial targets for attackers seeking to compromise and weaponize virtual machines and other services, and these attacks are taking place across the globe.

  • Over two-thirds of incoming attacks on Azure services in Q1-2017 came from IP addresses in China and the United States, at 35.1 percent and 32.5 percent, respectively. Korea was third at 3.1 percent, followed by 116 other countries and regions.

Ransomware is affecting different parts of the world to varying degrees.

  • Ransomware encounter rates are the lowest in Japan (0.012 percent in March 2017), China (0.014 percent), and the United States (0.02 percent).
  • Ransomware encounter rates are the highest in Europe vs. the rest of the world in Q1-2017.
    • Multiple European countries, including the Czech Republic (0.17 percent), Italy (0.14 percent), Hungary (0.14 percent), Spain (0.14 percent), Romania (0.13 percent), Croatia (0.13 percent), and Greece (0.12 percent) had much higher ransomware encounter rates than the worldwide average in March 2017.

Download Volume 22 of the Microsoft Security Intelligence Report today to access additional insights: www.microsoft.com/sir.



from Microsoft Secure Blog Staff

[SANS ISC] Maldoc with auto-updated link

I published the following diary on isc.sans.org: “Maldoc with auto-updated link“.

Yesterday, while hunting, I found another malicious document that (ab)used a Microsoft Word feature: auto-update of links. This feature is enabled by default for any newly created document (that was the case for my Word 2016 version). If you add links to external resources like URLs, Word will automatically update them without any warning or prompt… [Read more]

[The post [SANS ISC] Maldoc with auto-updated link has been first published on /dev/random]



from Xavier

Wednesday, August 16, 2017

[SANS ISC] Analysis of a Paypal phishing kit

I published the following diary on isc.sans.org: “Analysis of a Paypal phishing kit“.

They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes, the web server isn’t properly configured and the source code is publicly available. A few days ago, I was lucky to find a ZIP archive containing a very nice phishing kit targeting Paypal. I took some time to have a look at it… [Read more]

[The post [SANS ISC] Analysis of a Paypal phishing kit has been first published on /dev/random]



from Xavier

Monday, August 14, 2017

"The 2017 NCSAM Planning Kit - Your October Awaits"

This October is the 14th National Cyber Security Awareness Month, otherwise known as #NCSAM or #CyberAware month. Organized by the National Cyber Security Alliance (NCSA), this is aglobal eventfocusingon cyber security. This is also a great opportunity for organizations to promote security awareness throughout their organization, regardless of size, location or industry. As the 2017 &hellip; Continue reading The 2017 NCSAM Planning Kit - Your October Awaits

from lspitzner

Tuesday, August 8, 2017

The world of eroding privacy: tips on how to stay secure

At the intersection of limes, teenagers, and privacy

This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.

We will come to limes later in this blog, and they are relevant. But let me begin with one defining statement: I am the parent of a teenager, and the year is 2017.

As the parent of an age group that is best described as unpredictable on good days, one thing is consistent. Research has shown us that this generation does not have the same expectation of privacy as my generation. I remember vigorously debating in a college class my inherent right to privacy as protected by the 4th Amendment. Regardless of whether my argument was flawed or simply not factual, my fundamental belief was I had a legal privacy right, and no institution or government could impede upon it.

My teenager and his friends appear to have a different belief, illustrated by their vigorous use of social media to publish their photos, food, routine life events, even to share their entire belief systems. Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, has covered the topic of teens, social media, and privacy in the past. His conclusion is that teens desire privacy, but they also have a need to safely share with each other using their own language and coding. In 2014, Fast Company compiled and commented on varied research regarding teenagers, young adults and expectations of privacy. Whilst one study concluded “online privacy is dead,” other studies determined it truly depends on how you define privacy. Teenagers may not care if their Facebook friends or Twitter followers know their religion or gender identity, but they certainly care if their parents monitor their social feeds. Teenagers and young adults have grown up in the digital age, so they are much more likely to understand how to set and control privacy settings on their devices and accounts – and they do so to segment their audiences. When I conducted my own informal study and asked my teen if a government agency, that suspected him of wrong doing or associated him with an unlawful activity, could search his phone or computer, the reply was “get a warrant.” So is this generation really any different from prior generations on expectations of privacy? Or, do the differences lie in the complexity of the information sharing platforms to which they feel dependent and entitled? And, how do these beliefs and values shape privacy regulation and laws, and intersect with security in the modern digital era? Are there learnings we can adopt from the next generation’s implementation of technology and privacy controls?

Now about those limes…I have a Twitter account (@ajohnsocyber). I opine about cybersecurity, post about my beloved Chicago Blackhawks and Dallas Cowboys, engage in animated communication with coworkers and friends and advocate for animal fostering and LGBTQ rights. I also have a Facebook account – mainly to catch up with far away family and share pictures. I have a LinkedIn profile too, but it’s for work and I am a purist about my posts there. So, I have an on-line footprint. That online footprint will tell you the names of my dogs, things about my belief system, expose my awful attempts at humor, and my preference for seedless Persian Limes on the occasions when I need something to accompany a cocktail. The Persian limes were a recent addition based on a Twitter conversation with two people I haven’t actually met IRL, so you can say my social interactions are fruitful. The point of all of this is that I share enough for someone to assemble a fairly detailed profile of me from my social media footprint and with it, attempt to social engineer or password hack me. Yet I willingly give up some of my privacy to interact with other humans in cyber space. As a security professional, I should know better, right? Well, not necessarily. All social media use does not lead to a path of hacker victim, and I am fully aware of which information to share and which to protect and how.

My social sharing is guided by some core principles:

  • The Internet is perpetuity. My digital footprint is unlikely to go away in the foreseeable future.
  • Hackers will keep hacking, and even the best defenses can’t always prevent persistent and sophisticated attempts. Think back to the relentless attempts on Brian Krebs in 2016.
  • Multi-factor authentication  (MFA) on my personal and professional accounts is a must.
  • Most of the information I choose to disclose is already available in some way either via public record or through friends with no special instruction for secrecy.
  • I can concurrently assert my right to privacy, and my privilege to waive that right.
  • I encrypt sensitive personal data.
  • I have provisioned defense in depth controls and alerts for critical information.

Because in reality, our hyper-connected world of powerful search engines, and abundant compute and storage, make it possible for reams of data about your entire life to be mined by anyone with a strong desire and a credit card. Oddly though, the majority of breaches still start with a phish rather than a targeted social engineering attack. In fact, phishing is the number one delivery method of malicious software. Compromises of sensitive data are most often tracked back to: weak authentication, poor data classification/encryption policies, lax privilege management, absent or weak admin controls and lack of user education on phishing. We can opine all day about privacy and the need to hold sensitive information close to increase security, but in today’s society, from our youth to the millions of adults using social media, including many of the top cyber professionals in the world, very little is truly private.

Add to this a climate of perpetual information sharing and consumption and you can pretty much throw privacy expectations out the window. What you can and should do – personally and professionally – is make certain you distinguish the personal and private from that which is critically important and know your options to protect each. For technology, consumers deploy basic security hygiene, strong passwords and regular updating. Organizations have additional responsibilities to educate users, patch, use all available access controls and invest in proven detection solutions as well as human hunters so that the now. This way, all but inevitable breaches can be detected quickly.

Because, guess what, notwithstanding the controls required by regulations, the right to be forgotten or have data forgotten in our ever-connected world maybe a right, but it needs your active participation if there is to be anything left to debate.



from Microsoft Secure Blog Staff

"US Security Awareness Summit - After Action Report"

The SANS Security Awareness Summit is an annual event that brings together security awareness professionals and industry experts from around the world to address the human security challenge. This year was the largest event ever, bringing together well over 200 people. As we just finished up the event, I wanted to share with you some &hellip; Continue reading US Security Awareness Summit - After Action Report

from lspitzner

Monday, August 7, 2017

[SANS ISC] Increase of phpMyAdmin scans

I published the following diary on isc.sans.org: “Increase of phpMyAdmin scans“.

PMA (or “phpMyAdmin”) is a well-known MySQL front-end written in PHP that “brings MySQL to the web” as stated on the web site. The tool is very popular amongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! It is a common finding in many penetration tests to find an old PMA interface left by an admin… [Read more]

[The post [SANS ISC] Increase of phpMyAdmin scans has been first published on /dev/random]



from Xavier

Thursday, August 3, 2017

Top 5 best practices to automate security operations

This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group. And by Vidhi Agarwal, Senior Security Program Manager, Microsoft Security Response Center (MSRC). 

Within the information security community, one of the emerging areas of focus and investment is the concept of security automation and orchestration. Although the topic is not necessarily new, it has taken on increased importance due to several industry trends. Before diving into the industry trends, we should first define exactly what security automation and security orchestration mean.

Security automation – the use of information technology in place of manual processes for cyber incident response and security event management.

Security orchestration – the integration of security and information technology tools designed to streamline processes and drive security automation.

Industry trends driving the need for increased automation and orchestration

There are two primary trends driving the focus on the automation and orchestration of security event management and incident response. First, there are simply not enough skilled security professionals to support the need. A recent cybersecurity jobs report found that there will be 3.5 million unfilled cybersecurity positions by 2021.

The second industry trend driving further investments in security automation and orchestration is based on the volume, velocity, and complexity of attacks. As shown in Figure 1 below, our information environments are extremely complex and vast. They are also often beyond the capabilities of a human to perceive, visualize, calculate, and understand the interconnections. Therefore, it is difficult to accurately project risk in different scenarios. The velocity at which attacks transpire is also driving the need for automation. Based on recent examples from the Microsoft Global Incident Response and Recovery Team, we have seen situations where attackers move from an initial endpoint infection via a phishing email, to full domain control within 24 hours. Lastly, the sheer volume of cyberattacks and security events triaged daily by security operations centers continues to grow, making it nearly impossible for humans to keep pace.

Figure 1 Sources include https://nvd.nist.gov, Verizon Data Breach Report & Microsoft Incident Response Data

Security automation and orchestration at the Microsoft Cyber Defense Operations Center

Daily, the Microsoft Cyber Defense Operations Center (CDOC) receives alerts from a multitude of data collection systems and detection platforms across the 200+ cloud and online services. The key challenge they face is taking the huge volume of data on potential security events and reducing them down from thousands of high fidelity alerts, to hundreds of qualified cases that can be managed daily by the cyber defenders in the Microsoft CDOC. Automation solutions include the use of machine learning and custom software tools to handle an increasing number of events, without relying on a commensurate growth in headcount. It also accelerates Microsoft’s ability to identify those cases which need human intervention to remediate and evict adversaries fast.

Figure 2 The Cyber Defense Operations Center’s data scientists and analysts work 24×7 protecting, detecting, and responding to attacks

Microsoft Cyber Defense Operations Center workflow automation framework and engineering addresses all aspects of the job of a security responder and includes the following components:

  • Automated Ingestion: With an increasing number of specialized detection platforms across host, network, identity, and service detections, CDOC has an automated ingestion process leading to a single case management system for triage and investigations.
  • Stacking: Compression of alerts from thousands to hundreds of cases includes automated stacking based on time window or objects such as IP address, host name, user or subscription ID. In certain cases, alerts are aggregated or de-duplicated to reduce the noise coming to the SOC.
  • Enrichment: Often defenders need to go to multiple tools and databases to get contextual information. Adding contextual metadata to alerts from systems such as asset management, configuration management, vulnerability management and logs such as application logs, DNS and network traffic logs save defenders triage time and reduces overall Mean Time to Resolve (MTTR). Furthermore, this data helps the automation system make decisions and enable appropriate actions.
  • Decisions: Based on conditional logic, the automation engine determines what workflow would be invoked to initiate the desired action.
  • Actions: Actions such as such as send e-mail, create a ticket, reset password, disable a VM, block an IP address, run a script to initiate processes in other tools and systems are automated.

Based on the degree of automation implemented, there is a corresponding reduction in MTTR and an ability for a defender to close more cases. The automation maturity model below highlights the automation journey for the Microsoft CDOC. Not all scenarios will need to be at Level 5. Each level accrues, achieving automation goals your organization may have.

Figure 3: The automation maturity model and automation journey, Copyright Microsoft Corporation

Measuring automation success

The goal for any security operations center automation efforts is to reduce Mean Time to Detect and Mean Time to Remediate while not having a linear growth in headcount with the growth in business. The key is to not only measure automation results and SOC efficiency, but to also gain insights to determine where automation efforts need to be spent to improve the security posture of your organization. Some fundamentals to measure include:

  • Noise Reduction: Most Security Operations Centers struggle with the signal-to-noise ratio. A key measure for this is the stacking ratio that measures the compression from alerts to cases and is an indicator of reduction in triage activity needed.
  • Automate High Fidelity Signals: It is critical to ensure that automation efforts are spent on high fidelity alerts and the right response processes. Measuring detection efficacy by determining true positive and false positive alerts enables a continuous feedback loop and improvement in detection signals. Understanding false negatives identifies monitoring and security response gaps.
  • Address Top Offenders: It is common for security response teams to be drowned in repetitive signals and the same tasks repeatedly. Identifying and tracking top offenders over time provides insights on what needs to be further automated or prevented through better monitoring, controls and engineering solutions.
  • Automation Outcomes: Validating the outcomes for automation efforts is essential to right size efforts. With increased automation teams seeing that their TTx (Time to Detect, Triage, Remediate and others) goes down and the SOC investigator efficiency increases, as the number of cases each defender can successfully resolve goes up.

Security automation and orchestration best practices

Recently, we had the opportunity to share the lessons we have learned working with our customers and from the Microsoft Cyber Defense Operations Center at RSA Asia Pacific and Japan 2017. These best practices include:

  • Move as much of the work as possible to your detectors. Select and deploy sensors that automate, correlate, and interlink their findings prior to sending them to an analyst.
  • Automate alert collection. The SOC analyst should have everything they need to triage and respond to an alert without performing any additional information collection, such as querying systems that may or may not be offline or collecting information from additional sources such as asset management systems or network devices.
  • Automate alert prioritization. Real time analytics should be leveraged to prioritize events based on threat intelligence feeds, asset information, and attack indicators. Analysts and incident responders should be focused on the highest severity alerts.
  • Automate tasks and processes. Target common, repetitive, and time-consuming administrative processes first and standardize response procedures. Once the response is standardized, automate the SOC analyst workflow to remove any human intervention where possible.
  • Continuous Improvement. Monitor the key metrics we discussed earlier in this article and tune your sensors and workflows to drive incremental changes.

Microsoft is committed to our customers’ success and has applied these best practices not only internally within the CDOC but also into our Advanced Threat Protection offerings to help enterprises stay ahead of cyberattacks. In addition, our recent acquisition of Hexadite will build on the successful work already done to help commercial Windows 10 customers detect, investigate and respond to advanced attacks on their networks with Windows Defender Advanced Threat Protection (WDATP).

Microsoft’s Advanced Threat Protection offering will now include artificial intelligence-based automatic investigation and remediation capabilities, making response and remediation faster and more effective.

In addition, Azure Security Center offers advanced threat detection capabilities that utilize artificial intelligence to automate and orchestrate detection and response for a customer’s Azure workloads. This makes it easier for Azure customers to not only identify and respond to attacks against their cloud assets, but it also provides intelligent recommendations to help prevent future attacks.

Read more about the work Microsoft is doing to automate and orchestrate security workloads by learning about the capabilities within WDATP, Azure Security Center and Microsoft Security.

 



from Microsoft Secure Blog Staff

Wednesday, August 2, 2017

5 Reasons why Microsoft should be your cybersecurity ally

When you think about cybersecurity, does Microsoft come to mind? Probably not.

Here are 5 reasons why enterprises should consider partnering with Microsoft on cybersecurity:

1. Strong Commitment to Cybersecurity

  • Significant security investments. Microsoft invests over $1 billion annually on security. Microsoft has invested significantly towards building security into our core technologies like Windows, Office, and Azure, and in making strategic acquisitions of security technologies that enhance the investments customers have already made in Microsoft. We operate the Microsoft Cyber Defense Operations Center (CDOC), a 24×7 cybersecurity and defense facility with leading security experts and data scientists that protect, detect, and respond to threats to Microsoft’s cloud infrastructure, products and devices, and internal resources.
  • Microsoft powered by Microsoft. We use our own hosted cloud and security solutions. Microsoft runs its business on the same multi-tenant cloud services as our customers, including those from highly regulated industries and governments.
  • World class security talent and expertise. Our dedicated engineers, researchers, forensics experts, threat hunters, and data scientists work together to make our products and services better for you. The global incident response team works around the clock to help our customers respond and recover from breaches, and our team of Executive Security Advisors, including former CISOs, leverage extensive real-world experience to partner with customers on planning and implementing sound security programs.

2. Holistic Security Approach

Microsoft takes a three-fold security approach for customers to enable their business’ digital transformation.

  • A Comprehensive Platform – Microsoft’s platform looks holistically across all the critical end-points of today’s cloud & mobile world. By building security into Microsoft products and services from the start, we can deliver a comprehensive, agile platform to better protect your organization, move faster to detect threats, and respond to security breaches across even the largest of organizations. The platform serves as the framework for protecting enterprise organizations in four ways:
    • Identity and Access Management: protect users’ identities and control access to valuable resources based on user risk level
    • Threat Protection: protect against advanced threats and help you recover quickly when attacked
    • Information Protection: help ensure documents and emails are seen only by the people you authorize
    • Security Management: gain visibility and control over your security resources, workflows, and policies, as well as recommendations on improving your security posture
  • Vast Intelligence – Our intelligence, which is built upon a massive amount of security related-signals from the consumer and commercial services that we operate on a global scale, powers Microsoft solutions to enable you to protect, detect, and respond to threats more effectively. Each month we:
    • Scan 400 billion emails across outlook.com and Office 365 for phishing and malware
    • Process 450 billion authentications across all cloud services
    • Execute 18+ billion Bing webpage scans
    • Update 1+ billion Windows devices

Using the tremendous breadth and depth of signal and intelligence from our various on-premises and cloud solutions deployed globally, we investigate threats and vulnerabilities and regularly publish the Microsoft Security Intelligence Report (SIR) to educate enterprise organizations on the current state of threats and recommended best practices and solutions.

  • Broad Partnerships – We’re committed to being a leader in this space, but security is not a problem we can address alone. Our commitment is to make sure our products work with technology you already use. Microsoft is fostering a vibrant ecosystem of partners who help us raise the bar across the industry. We also collaborate extensively with customers and industry standards bodies to help us meet specific customer needs and industry regulations.

3. Trust-aligned Corporate Mission

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As our CEO, Satya Nadella, stated, “Businesses and users are going to embrace technology only if they can trust it”, and therefore we want to make sure our customers can trust the digital technology that they use, backed with the assurances they need. We’ve made investments in privacy and control, compliance, and transparency, and especially those features that matter the most to our customers.

For example, for our cloud services, we are committed to: helping you have control over your data, enabling you to comply with applicable laws, regulations and key international standards, and being transparent with you about the collection and use of your data. Last, but not least, we are committed to safeguarding your data from hackers and unauthorized access using state-of-the-art technology, process and certifications.

To learn more about Microsoft’s commitment to security, privacy, compliance, and transparency of our products and services, visit the Microsoft Trust Center at www.microsoft.com/trustcenter.

4. Leadership in Cybersecurity Best Practice Sharing

Microsoft collaborates extensively with governments and organizations around the world in sharing industry standards, providing guidance on cybersecurity best practices, and engaging in protecting critical infrastructure sectors.

For example, even before the launch of the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), Microsoft provided a response to the RFI and subsequently, NIST used our recommendations of focusing on protect, detect, respond, and recover functions in the NIST CSF. Microsoft’s deep engagement with the Framework has allowed us to be agile in adopting it for our enterprise risk-management program, to inform and influence our security risk practices. It is also a key component in how we track security assurance and communicate about security maturity.

Additionally, the Microsoft Security Development Lifecycle (SDL), established as a mandatory policy in 2004, has been designed as an integral part of the software development process at Microsoft. Combining a holistic and practical approach, the SDL introduces security and privacy early and throughout all phases of the development process. The industry has accepted practices aligned with the SDL, and we continue to adapt it to new technologies and changes in the threat landscape. Microsoft has developed guidance papers, tools, training and resources to help organizations understand and adopt the SDL.

We are committed to disseminating such best practices (NIST CSF, SDL, etc.) internationally also.

5. Deep Customer Interaction

The Enterprise Cybersecurity Group (ECG) inside of Microsoft has been deeply engaging with customers across the globe to educate them on Microsoft’s cybersecurity approach and services. To further help customers with their cybersecurity strategies, ECG partnered with a variety teams (Digital Crimes Unit, Cyber Defense Operations Center, Digital Risk and Security Engineering team, Cloud & Enterprise Security, Windows Security, and others) to launch a cybersecurity executive briefing center (EBC) experience. This invitation only program is designed to provide an executive level security experience for our customers’ CISOs and their teams.

Key benefits of the EBC experience for customers:

  1. Attendees receive a comprehensive overview of Microsoft’s cybersecurity products and services aligned thematically to the Protect, Detect, and Respond framework, a common approach followed by enterprise organizations.
  2. They meet face-to-face with Microsoft security experts and leaders from engineering, product management, threat intelligence, cyber security services, information security and risk management, and more to learn about approaches, ask questions, and provide feedback in real time.
  3. Attendees learn how to improve their cyber security posture and come away with a stronger relationship with Microsoft as a trusted advisor and partner.

To learn about Microsoft’s security strategy and solutions, visit: www.microsoft.com/security.



from Microsoft Secure Blog Staff

Friday, July 28, 2017

Lazy BlackHat Presentations Crawler

Many infosec professionals joined Las Vegas to attend the BlackHat security conference. As I’m not part of those lucky people so I’m waiting for the presentations (they are published when the talk is completed). But I don’t have time to lose sitting in front of my computer and pressing F5… So let’s crawl them automatically…

#!/bin/bash
curl -s https://www.blackhat.com/us-17/briefings.html\ 
| egrep 'https://www.blackhat.com/docs/us-17/.*\.pdf' \
| awk -F '"' '{ print $4 }' \
| while read URL
do
  F=$(basename $URL)
  if [ ! -r $F ]; then
     curl -s -o $F $URL
     echo "Scrapped $f"
   fi
done

Quick and dirty but it works…

[The post Lazy BlackHat Presentations Crawler has been first published on /dev/random]



from Xavier

[SANS ISC] TinyPot, My Small Honeypot

I published the following diary on isc.sans.org: “TinyPot, My Small Honeypot“.

Running honeypots is always interesting to get an overview of what’s happening on the Internet in terms of scanners or new threats. Honeypots are useful not only in the Wild but also on your internal networks. There are plenty of solutions to deploy honeypots with more or less nice features (depending on the chosen solution). They are plenty of honeypots which can simulate specific services or even mimic a complete file system, computer or specific hardware… [Read more]

 

[The post [SANS ISC] TinyPot, My Small Honeypot has been first published on /dev/random]



from Xavier

"NIST Has Spoken - Death to Entropy, Love Live the Passphrase!"

NIST has spoken, and I could not be more excited. For years the security community has inflicted one of the most painful behaviors to date, the dreaded, complex password. I've watched many times in horror as security researchers made fun of ordinary computer users for using simple passwords, often calling out hacked databases of passwords &hellip; Continue reading NIST Has Spoken - Death to Entropy, Love Live the Passphrase!

from lspitzner

Friday, July 21, 2017

TLS 1.2 Support added to Windows Server 2008

This post is authored by Arden White, Senior Program Manager, Windows Servicing and Delivery.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft we are announcing that support for TLS1.1/TLS 1.2 on Windows Server 2008 is now available for download as of July 18th, 2017. We’re offering this support in recognition that our customers have a strong demand for support for these newer protocols in their environment and in recognition of the extended lifetime of Windows Server 2008 under the Windows Server Premium Assurance offering.

This update for Windows Server 2008 will include support for both TLS 1.1 and TLS 1.2. For application compatibility purposes, these protocols will be disabled by default in a manner similar to the TLS 1.1/TLS 1.2 support that was disabled by default in Windows 7 and Windows Server 2008 R2. After downloading and installing the update these protocols can be enabled by setting the registry keys described in KB4019276.

This update is being made available on the following timeline:

Release Date Channels Classification
July 18, 2017 Microsoft Catalog
August 15, 2017 Windows Update/WSUS/Catalog Optional
September 12, 2017 Windows Update/WSUS/Catalog Recommended


from Microsoft Secure Blog Staff