Microsoft BlueHat Blog

  • Vista and Vigilance

    Halvar Flake, Sabre Security I have been told that I can write a blog entry for the BlueHat blog, with little or no editing, and now I sit here and have to make up something interesting to write about. I have a bit of a writers block today, caused...
  • Black Hat USA Spotlight: ATL Killbit Bypass

    There are only a few days left before Black Hat USA, and we, like most other speakers, are in the midst of the last-minute push to have all the materials finalized in time for our presentation. Our presentation this year, " The Language of Trust ," features...
  • Stainless steel bridge

    Hi! Manuel Caballero here. I had the pleasure of penetration testing (pen-testing) the previous versions of Microsoft Silverlight, and now, for the last three weeks, I’ve been playing around with the beta version of Silverlight 3. When I say, "the...
  • The Rapidly Evolving Exploitation Playground

    Hey there, Vincenzo and Fermin here! Next week we will be giving two talks at BlueHat . Vincenzo will be talking with Tim Kornau, Ralf Philipp Weinmann, and Thomas Dullien, about return-oriented programming and how to automate the creation of ROP payloads...
  • Token Kidnapping finally patched!

    Here I am again writing on MS BlueHat blog, this time about Token Kidnapping. The first time I talked about Token kidnapping was a long time ago and now after a year the issues detailed in the presentation are finally fixed. Let's see what happened...
  • Can I interest you in a glass of Berry Blue Kool-Aid?: A Recap of BlueHat v7

    Hello all, Nate McFeters here to give you a recap of all the fun at Microsoft BlueHat v7. If you don’t know me, I work for Ernst & Young’s Advanced Security Center and I also blog over at ZDNet’s Zero-Day Security Blog . You may have also seen me...
  • Snowpacalypse Now (I love the smell of briefings in the morning)

    Hi All, This is Dustin and Karl from the Microsoft Security Response Center (MSRC). Recently, we were fortunate enough to attend the Black Hat DC 2010 conference held in Washington, D.C. We wanted to share our personal highlights from this great conference and provide a bit of a weather report too.

     

  • Parser Central: Microsoft .NET as a Security Component

    During the past decade or so, a significant portion of the computer industry has set out in a quest for secure software. That this sizable force of smart people with all their resources and market power has not yet brought us a secure and safe computing...
  • Can we secure cloud computing? Can we afford not to?

    There have been many disruptive innovations in the history of modern computing, each of them in some way impacting how we create, interact with, deliver, and consume information. The platforms and mechanisms used to process, transport, and store our information...
  • Know thy Enemy

    I recently attended BlueHat for the second time and spoke about the SMS vulnerabilities Collin Mulliner and I discovered and exploited this summer. BlueHat is an interesting speaking venue because the audience consists entirely of Microsoft employees...
  • Dune Busting and Browser Fun at HITB – Dubai

    Hi, Billy Rios here, I was recently invited to speak at Hack in the Box (HITB) in Dubai. While at HITB, I participated in two different talks, but I’m going to focus on the talk Chris Evans and I co-presented: “Cross Domain Leakiness.” Chris Evans is...
  • The lighter side of the cloud

    Billy Rios here. I’m giving a talk this week along with Nate McFeters entitled, “ Sharing the Cloud with Your Enemy .” It’s a fun, realistic talk on security in the cloud. Why cloud computing? Cloud computing, software as a service, infrastructure...
  • Do you believe in ghosts?

    When I was a kid, I had nightmares every week. I still remember some of them vividly, particularly the ones where ghosts were involved. Not the typical ghosts from the movies , but ones that could not be seen, only heard and felt. Why would I be so frightened...
  • !exploitable Crash Analyzer Now Available

    At BlueHat v8 in October 2008, Dave Weinstein, Jason Shirk and Lars Opstad presented the topic of when it’s okay to stop fuzzing ( Fuzzed Enough? When It’s OK to Put the Shears Down ). As part of that presentation, Dave talked about a technique used within...
  • The Microsoft Security Community Videos: A Peek Behind the Curtain

    As mentioned in Sarah’s Black Hat post, we’re profiling some of our own internal security members and sharing their perspectives around Microsoft’s engagement in the security community.  Maarten Van Horenbeeck, Security Program Manager, Microsoft Security Response Center (MSRC) and Katie Moussouris, Senior Security Strategist, Secure Development Lifecycle (SDL), answer the following two questions:

    How did we become involved in security at Microsoft?

    What changes have we seen at Microsoft security over the years?

  • The EMET 2.0 Training Video has arrived!

    Hey there, I'm pleased to announce that the BlueHat team has partnered with the dynamic Microsoft Security Response Center (MSRC) Engineering duo of Andrew Roths and Fermin J. Serna on a training video previewing the new release, version 2.0, of the...
  • BlueHat v11

    Jeremiah Grossman here. BlueHat is one of my favorite conferences of the year, and it’s one of the few I’ve consistently kept coming back to. The organizers put together an amazing event with consistently top-quality content, where the attendees...
  • The year-end review – well, sort of :)

    Hey!

    It’s that time of year again for all of us to pack up and head out to the desert to reconnect, discuss, and plan for the future, or at least what we think will be the future of security. It’s hard to predict what the next year will bring as the security landscape is ever-changing. This is probably why most of us “grey beards” in the security industry mark the Black Hat/Defcon conferences as the de facto year in review/preview of the next year for the state of security. These conferences have defined a lot of security strategies for a number of people for years. But I digressJ; I started to talk about the year-end review for the security landscape.

    Looking back over the year, I am pleased to see that we have executed nicely on a couple of strategies we put into place to change the security landscape. The ones I am talking about are the three programs listed below that we launched last year around this time.

  • Software Security == People && Process && Technology

    Mark Curphey here. I run the Subscriptions Engineering Team in Server & Tools Online, where we build complex customer facing web sites like MSDN and TechNet, supporting millions of users. For the last 15 years, I have always held security roles, most...
  • Getting a business degree as part of Security Research?

    What a great time to start thinking of travel – the weather is fairing up, June is here, and fortunately for me, I have a chance to take the driver seat again at another BlueHat conference! This time it’s in Brussels and I’m really looking forward to...
  • BlueHat: Community Outreach

    Katie Moussouris here. I’m the newest Security Strategist here at Microsoft. I was brought in by Sarah Blankinship to contribute to the work of the MSRC Security Community Outreach Team. I work in the group that is responsible for securing current and...
  • Getting Into Information Security Intelligence Gathering: A BlueHat v10 Retrospective from Speakers Ian Iftach Amit and Fyodor Yarochkin

    Ian: Having a mild case of "professional ADHD" is probably what got me started on this whole "cyber" thing. Having done research, development, integration and consulting in the past, I was starting to get too many unanswered questions in my mind when...
  • Gone is the era of yes/no questions

    It used to be easy to be in the security industry. All you had to do is develop products that needed to say “nay” or “yay” on a given content and “bless” it to be secure or not. That is so 2007… As we have been witnessing during a turbulent 2008 (and...
  • Collaborating on RIA Security

    Microsoft and Adobe frequently work together on security. At this year's BlueHat , we will come together to share our security research in the area of Rich Internet Applications (RIAs). While we independently place considerable thought and effort into...
  • Does Microsoft Change My Automatic Updates Settings?

    As a follow on to the WGA and Security Updates post by Dustin Childs, I wanted to address another common question we get regarding both security and non-security updates that customers receive from Microsoft through Windows Update or Microsoft Update. Customers sometimes feel that somehow the settings they chose in the update console have been changed. Most commonly, customers who have set the client to notify them before installing updates are now getting updates automatically without prompting.