It has been nearly four months since we gathered in Redmond for BlueHat v12, and we’ve almost caught up on our sleep. As we prepare for what promises to be a momentous year for the BlueHat program – culminating in December with BlueHat v13 – we’ve selected nine of the most compelling, talked-about, or just plain chewy talks from last year’s festivities to share with you.
Fraud and Abuse: A Survey of Life on the Internet Today --> WATCH IT ON DEMANDEllen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft
Kowalczyk kicked off BlueHat v12 in the morning with a look at two of the most difficult security issues facing our customers today. When you’re in the process of becoming the leading devices and services company, this is the sort of thing that’s on your mind every morning.
Social Authentication --> WATCH IT ON DEMANDAlex Rice, Product Security, Facebook
Over the past year, Facebook engineers have been working on various attempts to expand authentication from “something you know” to “someone you know.” Rice’s talk demonstrates some of the results and details the lessons his company has learned along the way.
Scriptless Attacks: Stealing the Pie Without Touching the Sill --> WATCH IT ON DEMANDMario Heiderich, Dr.-Ing, Ruhr-University in Bochum, Germany
Removing JavaScript from the cross-site scripting equation doesn’t necessarily take away the XSS pain, as Dr. Heiderich demonstrates. Learn how attackers can use seemingly benign features to build side-channel attacks that can measure and exfiltrate data from even well-protected sites – and find out what can be done to stop it.
Sh*t My Cloud Evangelist Says… Just Not My CSO --> WATCH IT ON DEMANDChris Hoff, Senior Director and Security Architect, Juniper Networks
In front of an audience evenly divided between developers and security folk, Chris Hoff laid out the differences in worldview between the two – yes, there are a few – and how those translate into the world of cloud computing. More secure? Less secure? Let the debate begin…
Don't Stand So Close to Me: An Analysis of the NFC Attack Surface --> WATCH IT ON DEMANDCharlie Miller, Systems Software Engineer, Twitter
Near-field communication (NFC) technology is growing in popularity, with mobile devices leading the communications charge. But when you tap your phone to an NFC-enabled terminal to make a credit-card payment, how do you know you haven’t been owned – or worse? Miller looks at how NFC technology expands the potential attack surface for mobile devices.
Building Trustworthy Windows Store Apps --> WATCH IT ON DEMANDDavid Ross, Principal Software Security Engineer, Microsoft and Crispin Cowan, Senior Program Manager, Windows Security, Microsoft
The Windows Store environment is designed to protect consumers’ machines and data from individual apps, but that puts serious responsibility on developers to use secure coding practices. Ross and Cowan look at what that means and how developers can approach the challenge without tears.
Why UEFI? --> WATCH IT ON DEMANDMatthew Garrett, Senior Software Engineer, Nebula
The Unified Extensible Firmware Interface (UEFI) brings far greater security to the firmware environment, letting developers build security policies that extend all the way into the most basic layers of shipped code. But do we lose platform differentiation in the process? Garrett details why that’s not necessarily the case.
Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation --> WATCH IT ON DEMANDPatrick Jungles, Security Program Manager, Microsoft
Credential theft and re-use attacks have gained in popularity in recent years, and there’s nothing tastier for some attackers than your delicious, delicious hashes. Jungles, the Microsoft PM who led the company-wide workgroup that researched and released our recent pass-the-hash whitepaper, presents an overview of the group’s findings.
Why Johnny Can't Patch: And What We Can Do About It --> WATCH IT ON DEMANDDavid Seidman, Senior Security Program Manager, Microsoft
Microsoft works hard to develop and release security bulletins as soon as we’re aware of a vulnerability that needs addressing. So how is it some users remain vulnerable to issues for which the cure has existed for months, if not years? Seidman dives deep into who doesn’t patch, why, and what might change their ways.
Enjoy! We’re looking forward to BlueHat v13 – Return to your “C:\>”(s). We suspect there will be a lot to talk about.
Emily AndersonSecurity Program Manager, MSRC, Microsoft
BlueHat v12 here in Redmond is in full swing – it started yesterday for full-time Microsoft employees only, and continues today as we welcome our invited guests from beyond Microsoft. I’m excited to see and contribute to this year’s content as it unfolds on stage, and even more excited for all the side meetings that take place here in the hallways of the event. It makes sense for us to take a moment to recognize the people who have contributed to BlueHat over the years, as well as to look forward to where we are going in terms of security community outreach at Microsoft in the years to come.
The BlueHat conference itself was groundbreaking in 2005, when the first group of hackers were invited by Window Snyder and Andrew Cushman to speak directly to Microsoft developers and executives about the products in which they were able to find security vulnerabilities. Back then, no major vendors had formally hosted an internal security conference before, but doing events like BlueHat is now an accepted industry practice for many major vendors.
We as an industry owe Window and Andrew our thanks for blazing this path, and also many thanks to the people over the years who have developed the BlueHat conference to be what it is today. That list includes but is not limited to Kymberlee Price, Celene Temkin, Dana Hehl, Sarah Blankinship, Mike Reavey and, most recently, Emily Anderson. Part of what makes BlueHat special to the speakers and attendees are the personal touches and vision that each person on the list above contributed.
One of the elements that makes BlueHat such a vital part of our overall security community outreach at Microsoft is the “hallway track.” This is where the invited guests and the Microsoft folks can dive deeper into the topics that are being presented, or diverge into other topics entirely – sometimes with far-reaching effects on improving security by leaps and bounds. As the conference has evolved over the years, some of the people we invite are here to meet with Microsoft engineers and to learn from the content that is presented, such as the MAPP partners we invite. It is the exchange of ideas that can help improve our products, as well as the products of others who are in attendance, that continues to make BlueHat special.
Many other conversations that will take place in the hallways at BlueHat over this week and beyond will help shape security defense for another generation of the Microsoft computing ecosystem. The relationships being forged and reinforced among Microsoft product teams, security engineers, and the external security research community in these halls will likely bear fruit in terms of helping to improve security for existing and future products and services.
There is an old saying that can be paraphrased as “If we can see a little further out into the horizon, it because we are standing on the shoulders of giants.” Even as we face some familiar and not-so-familiar security frontiers such as online service security, mobile computing device security, app store security, and the ever-present human factor being exploited via social engineering attacks, we as members of a holistic global computing ecosystem will continue to benefit from the multi-directional exchange of ideas that happen at BlueHat.
Our team continues to expand the ways and means by which we facilitate these pivotal conversations, standing on the shoulders of “blue giants” who have built the security community outreach programs like the BlueHat conference itself, and our worldwide security conference sponsorship program. As we evolve and grow, we add new programs to the overall outreach strategy to help us get better at security today and in the future. An example of a new program we added recently is the BlueHat Prize contest for security defense, for which this year we gave away over $260,000 in cash prizes for ideas in platform-level defense. As I said on stage at BlueHat Wednesday morning, Microsoft will continue to invest in security defense challenges -- and the next iteration of the BlueHat Prize contest will be announced around the time of the BlackHat USA conference next summer.
So to those who came before, thank you, and to those who will come after, enjoy the view. I, for one, can’t wait to see what’s just over the horizon, and it’s looking very blue.
Katie MoussourisSenior Security Strategist, MSRChttp://twitter.com/k8em0
The days are getting shorter, the holidays are getting nearer, and looming on the horizon is a trio of 12’s – it’s almost time for the 12th BlueHat Conference, on tap for the twelfth month of 2012. We have a terrific lineup of speakers from both inside and outside the company; there’s nothing much we can do about the weather in Seattle in mid-December, but indoors we have compelling work to do on making the cloud, mobile devices, the Internet, and the rest of the computing ecosystem, safer for customers.
Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v12. For more detail, please check back here in the weeks between now and the conference.
Day 1: Thursday, December 13
We’ll open the conference’s first track, Anti-Fraud & Abuse, with author and Microsoft Technical Fellow Mark Russinovich. Mark will also be joining attendees for a lunchtime book-signing (have you read Trojan Horse yet?). He’ll be followed in the morning by Microsoft’s Ellen Cram Kowalczyk, speaking on fraud and abuse, and specifically looking at life on the Internet today. Facebook’s Alex Rice will give attendees a look into how the world’s biggest social-networking site handles attempts to abuse its users. After a short break, Christopher Hadnagy, author of “Social Engineering: The Art of Human Hacking,” joins us to discuss the role social engineering plays in successful (and unsuccessful) fraud attempts. Finally, Microsoft’s Alex Weinert will give us a look at his work at Microsoft on anti-fraud.
After lunch, the Cloud & Online Services track kicks off with Mario Heiderich, who’ll cover how, after sustained efforts to mitigate XSS and similar cross-site scripting attacks, an attack surface remains (and what can be done about that). He’s followed by Chris Hoff of Juniper Networks, speaking frankly about what cloud evangelists know…but won’t tell CSOs. We’ll have a break and rejoin the action with MSRC Engineering’s own Gavin Thomas, who looks at better security through Microsoft HPC Server and Windows Azure, followed by Tim Maletic and Chris Pogue of Trustwave discussing OPFOR. The afternoon wraps up with a call to action from Mark, followed by several lightning talks on subjects sure to surprise and delight.
Day 2: Friday, December 14
We’re giving you all a later start (9:45 AM), taking into consideration your socializing the night before. MSEC program manager and emcee, Leigh Honeywell, will open the second day of conference at 9:45 AM, with the Vices & Devices track. She’ll turn the floor over to Charlie Miller, who’s currently playing a major part in Twitter’s security push; he’ll talk about attack surfaces in the NFC (near-field communications) protocol stack. After a short break, Microsoft’s David Ross and Crispin Cowan dive into the world of Windows 8 applications. Matt Garrett of Red Hat joins us to answer “Why UEFI?” Lunch will feature an Online Services Security and Compliance (OSSC) Lunch n’ Learn, focusing on managing security risk to Microsoft's global online services.
Friday afternoon brings the conference’s final track, Hot Topics, with a combination of guests, current Microsoft employees, and alumni on tap. First, James Forshaw of Context Information Security discusses the allure for security researchers of managed languages. Next, Fermín Serna – once a Microsoft colleague, now at Google – speaks of current thinking on information-leak vulnerabilities. After a break, MSRC senior security program manager David Seidman explains why some users simply won’t, don’t, or can’t apply security updates – whatever the consequences. The afternoon will close with Mat Honan, Senior Writer for Wired, whom we think will put the conference’s conversations and revelations in perspective as he describes how all the issues we’ve discussed can touch the lives of the customers we aim to protect.
Thanks –
Emily AndersonSecurity Program Manager, MSRC
Reflecting on my past five years at Microsoft (I know! How time flies!), I can see with fresh perspective just how far we’ve come, while staying true to our goals of helping to protect customers and the computing ecosystem. I just recently returned from maternity leave and launched right into conference season with a bang, speaking at several conferences where I had the opportunity to hang out with old and new friends in the security researcher community. As Microsoft completes its tenth year of working with the broader security community as part of our Trustworthy Computing tenet, it’s a good time to look at how the relationship has developed so far.
Our on-campus BlueHat Briefings started back in 2005. At the time we had two key goals: to expose our own developers and technical contacts to smart researchers both inside and outside our very large company, and to give researchers a conduit to the developers and tech folk who might not yet appreciate the value of thinking like an attacker. As you might guess, at the beginning there was suspicion and maybe even a little fear on both sides, as researchers came to Redmond, and executives and product teams came out of their comfort zones, to talk honestly about security. But it worked, and others follow the model with similar conferences of their own now. And even as we prepare for the twelfth edition of the Briefings, it’s still great watching a researcher explain an issue directly to the developers responsible for writing the code to fix it.
Since then, the BlueHat Briefings have evolved into part of a larger strategy to play well within the community and improve the broader computing ecosystem. In addition to the Briefings, we provide direct financial sponsorship and support for other industry events around the world – this year, 20 or so conferences across 12 countries. Some improvements in relations with individual researchers have been simple, like establishing our bulletin acknowledgement policy and Online Services Acknowledgements policy to recognize researchers who report issues directly to us. We recognize individual talent in other ways, offering contracts for penetration testing of products in development – in fact, many of the current pen-testing contracts in effect at Microsoft right now were born from researchers that have shown their talents by reporting issues to MSRC. Sometimes, we’re able to hire this talent to Microsoft as well; we have great talent from the researcher community working here, and we’re always looking for more. And we don’t stop finding ways to work meaningfully with the community. This past summer, we awarded $260,000 to researchers as a part of the first-ever BlueHat Prize. This prize offers financial rewards to researchers to develop security defenses that can take out entire classes of attacks.
In seven weeks we will gather together at our 12th BlueHat Briefings here in Redmond and have this opportunity for the bidirectional exchange of ideas among people who are passionate about security, both inside and outside of Microsoft. We have gone from listening and learning from the community to being a true part of it. As the landscape has changed, we’ve evolved our response and engagements and will continue to do so.
Where does this working relationship with this community -- and the future of security research -- go over the next 10 years? We’ll focus on building cool products that the researcher community will inevitably help us secure, in their own way – by reporting issues to us via Coordinated Vulnerability Disclosure, by coming to educate and “exploitain” our developers and executives at the BlueHat Briefings, and by working for Microsoft and becoming part of our internal security community to help us defend over a billion computer systems worldwide. We’re excited to imagine what the next decade will look like and how we’ll work together, and I’m just as curious today about what is next in the cobra-mongoose battle between attackers and defenders as I was when I joined this company over five years ago.
Stay tuned for the speaker line-up as we move closer to the event. I look forward to welcoming the next members of our elite group – our BlueHat community – as we evolve and grow together.
Katie MoussourisSenior Security Strategist LeadMSRC
As we wrap up the first BlueHat Prize contest, we wanted to share what we learned while running the first competition, from a major vendor, offering a large cash prize for defensive security research. Not only did we get to motivate the development of technical mitigation technology, but we also achieved some valuable non-technical goals as well.
We’ll announce the winners in this post, so scroll down if you can’t wait.
Bonus #1: We identified security defense talent that we may never have encountered otherwise, and helped the world get to know them too.
Some of the contestants were certainly well-known names in the security research community; some were people we had never heard of before. Running the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve.
Bonus #2: We aligned some of the top “offensive security” minds to work with us on defense – with excellent results.
I often say that some of the best defenders come from the “offense” side of the security equation. I believe that you truly have to understand how to break into systems in order to devise effective plans for how to defend those systems. One of the goals we set out to accomplish with this contest was to create both an incentive and an opportunity for fame and fortune in the area of security defensive research that never existed at this scale before. We are very happy that the security community responded positively to our challenge, and some great minds chose to participate.
With those positive bonus outcomes we will not wait any longer to announce the winners. For an in-depth technical analysis of the winning entries, with the contest judging criteria applied, please see Matt Miller’s blog post on the SRD blog.
Vasilis Pappas wins $200,000 for his idea, kBouncer – an efficient and fully transparent ROP mitigation technique.
Ivan Fratric wins $50,000 for his idea, ROPGuard – a system that can detect and prevent the currently used forms of return-oriented programming (ROP) attacks at runtime.
Jared DeMott wins an MSDN subscription, valued at $10,000, and was also surprised on stage live with a check for $10,000 cash for his idea, /ROP – a system that lowers the effect of address space disclosures and mitigates known ROP exploits.
So what is next for the BlueHat Prize?
Check the BlueHat Prize website in the next several weeks for an updated page that will include information on the other contest entries. These beautiful minds all deserve the thanks and attention of the security community, and we are excited to provide them with a venue to showcase their defensive security ideas.
One thing is certain – we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. To address the security threats of today and tomorrow, we as an industry need to appreciate both.
- Katie Moussouris
Senior Security Strategist, MSRC
As we inch closer to Black Hat in Vegas this year, we wanted to kick off the ten-day countdown to our first BlueHat Prize contest winners’ announcement with an invitation to those attending Black Hat. Microsoft is conducting a survey at our Black Hat booth to find out what the security community thinks are the most important industry-wide security issues that need answers. Whenyou participate in the survey at our booth, we’ll enter you into our BlueHat Prize Question Sweepstakes for a chance to win $5,000 USD*!
We will give away $5,000 twice per day at random drawings at our booth On July 25 and July 26, – once around lunch and once at the end of each day, for a total of $20,000 USD in cash.
The official rules are found here, but here are some highlights:
• The only way to enter this contest is to visit the Microsoft booth in person at Black Hat and submit a question.• Only one entry per person is allowed (we’ll scan your conference badge, so no funny business!).• Valid entries in the sweepstakes must be a defense-oriented security question that could potentially be used in a future BlueHat Prize contest.• The issue you submit should be industry-wide, e.g., “Design a defense technology or strategy to defend against social engineering.” or “What would be the best approach to defend against DDoS?”
While we may not use the specific defense-oriented questions gathered in this sweepstakes, the survey will help us shape a future BlueHat Prize contest with the input from the broader security community. We know not everyone makes it to Black Hat, but we do think there is a decent sampling of various security industry representatives there, so as a survey it works as adecent sample set. If you’d like to let your thoughts be heard, even if you are not at Black Hat, feel free to join the conversation on Twitter with the hashtag #BlueHatPrize.
As for when we will announce what the next BlueHat Prize contest will be, stay tuned for that news on this blog after Black Hat. For those of you attending Black Hat in person this year, start thinking about what you believe is the biggest industry-wide security issue that needs a great defense. Microsoft may use your idea in our next BlueHat Prize contest, and you mightwin $5000!
Katie Moussouris
*No Purchase Necessary. Open only to registered event attendees 14+.Game ends 7/26/12. For additional details, see Official Rules posted on-site at the Microsoft booth.
When we announced the BlueHat Prize on August 3, 2011, we did something that no major vendor had ever done before – offer a large cash prize for defensive security research. While a few vendors and others were offering relatively small cash incentives for security researchers to find and report individual vulnerabilities, we decided that, as a platform provider, Microsoft would be most effective if it sought out new, platform-level, defensive technologies that could possibly help defend against entire classes of vulnerabilities. These defenses could help protect our own applications, and have the potential to protect third-party applications that run on our platform.
We received 20 entries to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community – some from academia, some recognized names in the hacker community, and some from other venues entirely. Interestingly, about half of the entries poured in during the last few days – and even the last few hours and minutes— of the contest entry period. Also of note, most of the top-rated entries were among those last-minute submissions, perhaps substantiating the old adage that brilliance emerges under the glaring pressure of a looming deadline. One thing we learned from this experience was not to set future contest deadlines for midnight on a Sunday!
Getting down to business, here are the names of the three finalists, in alphabetical order:
Jared DeMott
Ivan Fratric
Vasilis Pappas
We will award the prizes to the winners at a 10 p.m. ceremony at our researcher appreciation party on July 26, 2012. We have notified the finalists that they have made it to the finals. The finalists won't know who won which prize - the grand prize of $200,000 USD, the second prize of $50,000 USD, and the third prize of an MSDN subscription, valued at $10,000 USD – until we reveal it to them and the world live on July 26.
You can read a little about each of them and their proposed solutions on our BlueHat Prize contest site. After the contest is over, we’ll also be putting up the names and abstracts of the other contestants, so stay tuned for that update sometime after Black Hat.
For now, please join us as we congratulate all the contestants, and especially the three finalists. We appreciate their hard work, and are excited that we can help showcase their ideas that can help make advancements in platform-level security defense.
Handle:Cluster IRL: Maarten Van Horenbeeck Rank: Senior Program Manager Likes: Slicing covert channels, foraging in remote memory pools, and setting off page faults Dislikes: The crackling sound of crypto breaking, warm vodka martni
Hi everyone,
Maarten here - my team manages the Microsoft Active Protections Program (MAPP) at Microsoft. MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.
Recently we have seen a fair amount of discussion around the MAPP program. We know that many customers and partners have questions about how MAPP works and how it helps protect customers, therefore I wanted to take this opportunity to explain how we work to facilitate the creation of active protections.
Our goal with MAPP is to have a transparent, effective program in place. As such, we routinely evaluate MAPP partners to ensure they are adhering to program guidelines, taking action to correct any partner deviations from our program charter. We are also continually looking to strengthen our technical and legal controls to help protect our customers.
Why the MAPP program?
Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases. We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures.
Before the MAPP program, defenders were at a disadvantage because detecting exploits is difficult, especially if a security vendor does not have full information on the types of conditions that may trigger successful exploitation. A vendor could write a signature for every attack file they receive, but they would need to respond to every file individually, or spend significant amounts of time reverse- engineering our security updates themselves. By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe.
MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates. Microsoft thoroughly tests security updates prior to release, however, we do not have the ability to test with all Line of Business applications that corporations develop in-house.
Given the fact that some customers prefer to perform in-house testing, which may delay installation of the security update, we sought partners that our customers already deployed , and could help protect against exploitation of software vulnerabilities. We found those partners in the anti-malware and intrusion prevention industries.
How does the MAPP program work?
Microsoft operates the MAPP program, free of charge, for security vendors that meet our minimum requirements on both the capability they have to protect customers and the number of customers they represent. One can find detailed information on our admission criteria here. We carefully vet and validate these criteria prior to admitting a new partner.
Each month, our team of security engineers work diligently to create information for our partners that helps them detect the exploitation of security vulnerabilities in our products. This data includes, but is not always limited to:
We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners' ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.
Once we provide the information, our engineers remain available to discuss, in detail, steps security vendors can take to detect exploitation of a vulnerability.
Our team also follows up with the partner vendors to better understand which vulnerabilities attackers are exploiting in the wild, and where we need to improve guidance to account for specific exploitation methods. We regularly update guidance after the initial release to help increase the ability of partners to protect customers.
How the MAPP program helps protect customers
The MAPP program helps vendors build comprehensive detection for vulnerabilities that Microsoft acknowledges or addresses in a security bulletin. MAPP partners are not permitted to release their protection in advance of the security update release.
For example, In the case of an Office exploit, our detection guidance will describe how to parse the Office file and validate which part of the file, and which elements need to be malformed in order to trigger the vulnerability. Without MAPP data, vendors would –in many cases— need to “guess” which values could trigger a crash, and which could not, which reduces the effectiveness of their signatures.
Detection technology developed using MAPP data tends to be more accurate and more comprehensive than detection built without access to the information. Each month after the bulletin release, Microsoft follows up with each vendor individually to track the use of MAPP guidance across the signature base of our partners. When we identify that certain guidance is difficult to implement for our partner base, we work with partners to understand how we can improve the program and enable them to detect these threats more effectively.
The vulnerability addressed in MS10-087, CVE-2010-3333 is a good example. This particular issue affected our Rich Text Format (RTF) parser in Microsoft Office. Given we have had a small sample of bulletins in this particular component; many vendors did not have an effective way of parsing the file type. We worked with our MAPP vendors to develop a tool that would quickly identify malicious files, and distributed it to our partners, despite previously addressing the issue in a security update.
Risks and limitations
We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDA)with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program.
In addition, we make sure to only release data shortly in advance of the security update. Prior to MAPP, vendors released detection within hours to days following the release of a security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done, only now, the protection is usually available when we release the update.
But MAPP also has its limitations. For instance, MAPP does not protect against the exploitation of unknown, zero-day vulnerabilities. In order for MAPP to be effective, Microsoft must be aware of the vulnerability before it can distribute guidance to its MAPP partners.
Additionally, MAPP is only useful to the degree that a product can protect against exploitation of the vulnerability. Intrusion Prevention Vendors may not always be best-positioned to detect exploits for Office vulnerabilities, as they may be encoded in a number of different ways across the network. In the same vein, host-based anti-malware products are often not best-positioned to protect against network- based exploits, such as the recent RDP vulnerability.
We recommend our customers work closely with their protection vendors to understand the abilities and limitations of each individual product.
The Value of MAPP
We believe that helping to strengthen community-based defense is key to protecting customers. The MAPP program provides a critical head-start to defenders, while working to minimize risk.
Microsoft is committed to helping customers by providing protection vendors across a wide variety of security industries with valuable protection information. The MAPP program is an important part of this strategy. While risk can never be completely eliminated, we believe the benefits of the program to our customers far outweigh the risks.
Cheers!Maarten Van HorenbeeckSenior Program Manager, Microsoft Security Response Center
The entries are in! After a last-minute wave of fresh entries to the first-ever BlueHat Prize, the final count for this year’s contest stands at twenty qualified proposals. The final entry reached our inboxes at 11:51pm on April 1. (Unfortunately, a contest entry that arrived 17 minutes later – at eight minutes after 11:59pm on April 2 – had to be disqualified out of fairness to the others, and to keep our competition in compliance with Washington State’s rules for such events.)
And now? Now begins the hard and exciting part – evaluating the received entries. The BlueHat Prize Board now starts the judging process, examining, testing and discussing each entry. We expect some lively arguments and look forward to introducing the competition winners to the world at Black Hat in July. In the meantime, we truly thank everyone who delivered a contest entry, as well as everyone who spent time thoughtfully considering the issue.
Talk to you in July –
Senior Security Strategist, Microsoft Security Response Center.
In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.
Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!
With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.
The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as we have seen with several existing competitions that focus on vulnerability exploitation. Taking that knowledge to the level of helping to design new or enhanced mitigation technologies to help defend against exploit techniques like heapspray or Return Oriented Programming (ROP) was a challenge that we were hoping would garner at least as much interest.
The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.
The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who the contestants are who have chosen to compete for the prize – some of them are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.
For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:
- Complete entries must be received by midnight Pacific Time April 1, 2012.
- Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.
- For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.
- If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.
With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”
So, shall we play a game?
-Katie Moussouris
Senior Security Strategist, Microsoft Security Response Center
Follow Katie on Twitter.