
Friday Dec 15, 2006
Zero-Day Security
Earlier this week, Microsoft pulled a security patch for the Mac version of Microsoft Office. According to Microsoft, the patch was made available erroneously and was still being tested.
In today's world of so-called 'zero-day' exploits, and a daily onslaught of security horror stories in the news media, companies need to act in a more proactive manner in order to protect their customers. Far too often, 'security' in a project schedule means roadblocks, delayed timelines, and more work. If you look at what ends up happening all too often, however, it can be more costly over the long term to try to fix it later.
Developers need to learn and adopt secure programming techniques and use them as part of their everyday work. Project teams also need to know to engage security architects in the early stages of a project to ensure that security is built into the project from the beginning.
If companies that produce the software, operating systems, and hardware that are always in the news as a security "horror story" truly took security as a priority, we would be less likely to see the deluge of vulnerabilities we see today.

Sunday Nov 12, 2006
The Return of Faydwer
Tuesday marks the release of Sony Online Entertainment's third expansion for EverQuest II, Echoes of Faydwer. Sadly, I'm in line to get this as soon as it's available.
I say "sadly" with a sarcastic smirk on my face. SOE creates some of the most fantastic MMOs (Massively Multiplayer Online games) out there and their games are hugely addictive. Some people have lost their spouses, jobs, and such from getting a tad too hooked with these types of games (in case you were wondering, I'm a fan, but not that much of a fan!).
The thing that gets me with SOE's games isn't as much the actual gameplay itself, though I do like the sense of accomplishment as I finish quests, gain levels, get new equipment and so on. What always amazes me with each new expansion is the amazing artwork SOE's artists put into it. I move my character into a new area and just stop in wonder to see the scenery (some screenshots: 1, 2, 3, 4, 5, more).
What is special about Echoes of Faydwer is that it brings back to EverQuest II the popular continent of Faydwer from the original EverQuest. Faydwer wasn't my favorite continent in EverQuest, but seeing some familiar sights with their EverQuest II twist is something I'm looking forward to.
As with any expansion pack, there are other changes beyond just new territory to explore. There is a race (the Fae) available, a deity system, new tradeskills, new quests, and plenty to keep players busy until the next expansion.
Does Windows Vista Really Not Need Antivirus Protection?
Last week, outgoing Microsoft co-president Jim Allchin told a reporter that he was comfortable with his seven-year-old son using Vista, Microsoft's upcoming operating system, without antivirus software installed. He feels Vista's lockdown features are capable and robust enough to handle whatever anyone would throw at it.
I'm not really sure what to make of that. Windows doesn't exactly have a stellar record with regard to security. Some say it is poor architecture, some say the popularity of Windows makes it an attractive target. It's rare these days for a week to go by without some new security problem involving Windows making the rounds.
Antivirus companies can't be too pleased with the suggestion that antivirus software is no longer needed. Of course, Microsoft hasn't exactly had a warm relationship in recent months, with companies such as Symantec and McAfee complaining that Microsoft has been shutting them out of Vista.
If Microsoft proves Vista is as solid with regard to security as they think it is, I'll be happy for them. While I do maintain a Windows PC in my home for my indulgence in PC games, I will certainly be keeping my antivirus software installed and up to date, thank you very much.

Friday Oct 20, 2006
Is Your New Consumer Device Really Safe?
Over the past week, customers of a couple of well known companies were hit with unpleasant surprises -- a trojan on their new media players.
In Japan, McDonald's gave away MP3 players as prizes that were unfortunately preloaded with a variant of the QQPass password-stealing trojan.
Apple Computer also ran into an issue with some of their latest iPods being shipped with the RavMonE Windows virus.
These incidents certainly weren't the first and they will no doubt be the last. Our electronic gadgets are becoming more interconnected than ever before -- MP3 players, cell phones, PDAs, remote controls, and other devices are increasingly being engineered to plug into your PC for updates, content, and configuration.
Examples such as the above are isolated cases. Reputable companies like these have no desire to steal your passwords or infect your computer with a virus. It is a good idea, however, to be aware of where you get a device from -- is it used, is it in the original packaging, is it from a reputable company, is there a telephone number for support? Making sure your antivirus definitions are up to date before you plug a device in is a good idea too!

Friday Sep 22, 2006
Internal Risks and Security Awareness
News.com has an article discussing a Ponemon Institute finding that "78 percent of IT professionals in the United States claim that their companies have suffered unreported insider-related security breaches."
The fact that companies don't report security breaches is nothing new. A security breach indicates that a preventative measure the company has put in place has not worked, and it is understandable that companies do not want to advertise the failure.
The article goes on to say, "The Ponemon report contradicts the general impression that fired and disgruntled employees represent the greatest risks. Instead, accidental data leaks frequently occur because employees lack enough knowledge about preventive measures or because of employee carelessness." Yikes!
Internally at Sun, we have an internal Security Awareness Program that I participate in that targets hot button issues as well as general security awareness training. The latest revision of the training program that we call Keep IT Safe! was not mandatory for all employees, though previous versions have been. Outside the regular training, we write articles and even include cartoons to highlight issues such as laptop theft, something that is making news almost weekly it seems lately.
Technology is a great thing and having your firewalls, IDS/IPS, antivirus software, and so on is important in keeping a company secure. Employees, however, are a critical piece of the security puzzle. An employee, for example, who doesn't understand why it may be bad to forward his internal email that may contain confidential information over the Internet to his Yahoo email account while he's on vacation is a potential news headline in the making.

Tuesday Sep 12, 2006
Managing An Enterprise IDS
Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) as vendors are increasingly selling them, can be a challenge to manage. On the scale of a large enterprise, the task of managing an IDS/IPS can be so daunting that some companies don't bother at all with the technology.
IDS/IPS is a fairly young technology. Vendors tend to put a lot of hype in the number of vulnerabilities they detect but gloss over things like false positives (something the IDS alerts you to but turns out to not be an actual attack), scalability, reports, and how to avoid having to staff one or more people to just sit in front of a monitor all day to watch the events being generated. Some vendors have had some success with artificial intelligence (AI) and other techniques to make the detection smarter, but they are often exchanging one aspect of managing an IDS/IPS for another problem.
In Sun IT, we explored managing our own IDS. We piloted a few products and ended up arriving at the conclusion that our time would be better spent elsewhere instead of wading through the sea of events generated across several IDS sensors.
Since we recognized the value of having an IDS, rather than just avoiding it altogether, we opted to outsource the management of the IDS to someone else. We have many talented people within our internal security group, but they have plenty to do already and leveraging someone that had managing an IDS as part of its core competency just made sense.
Managed service providers are able to leverage existing tools on the market or build their own to correlate events, create reports, and keep your sensors up to date. On top of that, they also provide another level of screening by a human prior to a security event being raised to your own staff for investigation so that you're spending time working on what's important.
Sun offers managed operations services for a variety of needs including Intrusion Detection. If you are interested, be sure to check them out!

Sunday Sep 10, 2006
Computer Games and the Internet
My first computer was a Commodore Vic 20. Along with just being fascinated with learning everything I could about what made it work, I played games with it. Ditto with my Apple II+ that later replaced it.
Computer gaming has changed over the years. Games had laughable graphics (if any at all) by today's standards and were fairly simplistic. Today, some computer games have budgets that rival Hollywood movie budgets.
With the proliferation of computers into more homes, computer gaming became far more mainstream. It has taken another leap over the past several years with the Internet becoming more of a mainstay in the average household.
I used to play what I refer to as "the flavor of the month" types of games. I'd get a new game, play it for a month at most, then set it aside. The replayability was lacking and many games are just a little too formula driven for their own good to be fun for very long.
With online gaming, things have changed in a big way. Not only are you able to play against human opponents instead of the sometimes less than challenging computer players in some games, but you can also enter a game world that is never finished. Sure, "traditional" computer game developers will often release patches to fix bugs for a time and if the game is successful maybe create an expansion pack, but that is nothing compared to what some online gaming companies are doing.
While I still do pick up a more traditional computer game now and then, I have loved playing MMORPGs -- Massively Multiplayer Online Roleplaying Games. While there is usually a subscription fee, they are amazing. They have amazing graphics and huge game worlds where you can interact with thousands of other players from anywhere. Rather than being something I quickly grow tired of, I've played some of these for well over a year.
My latest favorite, that I have played for over a year now, is Sony Online Entertainment's (SOE) EverQuest II. While my wallet hasn't exactly appreciated the computer upgrades needed, the game is breathtaking. SOE's developers, designers, and artists created a world that is amazingly realistic and highly addictive to play. EverQuest II already has two expansion packs, with a third on the way that will reintroduce some fan favorite content from the original EverQuest (which is still going strong and has twelve expansions at last count).
Online gaming is here to stay and if you do enjoy computer gaming and haven't checked it out, be sure to. Many MMO companies offer free trials of their games so you aren't roped into something forever that just isn't for you.

Tuesday Sep 05, 2006
Exploits and Oopsies!
Another week, another vulnerability in Microsoft Office.
News.com and The Register have news articles today about a zero-day vulnerability in Microsoft Word 2000 referred to by Secunia as "extremely critical".
I would be foolish to suggest that Sun's StarOffice or the open source OpenOffice software it is based on are bug free, but I did smile when I realized there was another bullet I'd dodged. OpenOffice is free, handles Microsoft file formats, and is ready for prime time if you haven't tried it out.
Another thing in the news today was an article from News.com that I was feeling some sympathy for. It seems CA's antivirus software wrongly detected a Windows 2003 file as malicious and removed it, causing some servers to crash and fail to boot. That is a definite "oops" moment!

Monday Sep 04, 2006
I blog...
Well, here I am ... blogging. I never thought I would see this day, but with a little nudge from my manager here I am. Granted, no nudging is required to get me to play with a new gadget such as the roller weblogger software that provides the framework for this blog, but I do tend towards the introverted side.
Come November 2006, I will have been at Sun Microsystems for 10 years. During that time, my focus has been on network security where I've dabbled in Intrusion Detection (ok, a little more than dabbled maybe), system auditing, log management, secure email, standards, incident response, security awareness, and even became a CISSP. That may not be all I did, but give me some slack -- it's been 10 years!
In the weeks and months to come, I plan to share some of my experiences in my job here at Sun and maybe a thing or two else if I'm so inclined.