MSRC Ecosystem Strategy Team ecostrat@microsoft.com

  • MSRC Ecosystem Strategy Team

    Inside the MAPP program


    Handle:
    Cluster

    IRL:
    Maarten Van Horenbeeck

    Rank:
    Senior Program Manager

    Likes:
    Slicing covert channels, foraging in remote memory pools, and setting off page faults

    Dislikes:
The crackling sound of crypto breaking, warm vodka martini

    Hi everyone,

    Maarten here - my team manages the Microsoft Active Protections Program (MAPP) at Microsoft. MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.

Recently we have seen a fair amount of discussion around the MAPP program. We know that many customers and partners have questions about how MAPP works and how it helps protect customers, so I wanted to take this opportunity to explain how we work to facilitate the creation of active protections.

    Our goal with MAPP is to have a transparent, effective program in place. As such, we routinely evaluate MAPP partners to ensure they are adhering to program guidelines, taking action to correct any partner deviations from our program charter. We are also continually looking to strengthen our technical and legal controls to help protect our customers.

    Why the MAPP program?

    Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases. We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures.

Before the MAPP program, defenders were at a disadvantage because detecting exploits is difficult, especially if a security vendor does not have full information on the types of conditions that may trigger successful exploitation. A vendor could write a signature for every attack file they receive, but they would need to respond to every file individually, or spend significant amounts of time reverse-engineering our security updates themselves. By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe.

    MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates. Microsoft thoroughly tests security updates prior to release, however, we do not have the ability to test with all Line of Business applications that corporations develop in-house.

Given that some customers prefer to perform in-house testing, which may delay installation of the security update, we sought partners that our customers had already deployed, and that could help protect against exploitation of software vulnerabilities. We found those partners in the anti-malware and intrusion prevention industries.


    How does the MAPP program work?

    Microsoft operates the MAPP program, free of charge, for security vendors that meet our minimum requirements on both the capability they have to protect customers and the number of customers they represent. One can find detailed information on our admission criteria here. We carefully vet and validate these criteria prior to admitting a new partner.

Each month, our team of security engineers works diligently to create information for our partners that helps them detect the exploitation of security vulnerabilities in our products. This data includes, but is not always limited to:

    • A detailed technical write-up on the vulnerability;
    • A step-by-step process that they can follow to parse an affected file format, or network protocol, that identifies which elements need to have particular values, or exceed specific boundaries, in order to trigger the security vulnerability;
    • Information on how to detect the vulnerability, or exploitation thereof (e.g. event log entries, or stack traces);
    • A Proof-of-Concept file that is in itself not malicious, but contains the specific condition that will trigger the vulnerability. Partners can leverage this file to test detection signatures they develop using the step-by-step process we provide.

    We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners' ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.

    Once we provide the information, our engineers remain available to discuss, in detail, steps security vendors can take to detect exploitation of a vulnerability.

Our team also follows up with the partner vendors to better understand which vulnerabilities attackers are exploiting in the wild, and where we need to improve guidance to account for specific exploitation methods. We regularly update guidance after the initial release to help increase the ability of partners to protect customers.


    How the MAPP program helps protect customers

    The MAPP program helps vendors build comprehensive detection for vulnerabilities that Microsoft acknowledges or addresses in a security bulletin. MAPP partners are not permitted to release their protection in advance of the security update release.

For example, in the case of an Office exploit, our detection guidance will describe how to parse the Office file and validate which part of the file, and which elements, need to be malformed in order to trigger the vulnerability. Without MAPP data, vendors would, in many cases, need to "guess" which values could trigger a crash and which could not, which reduces the effectiveness of their signatures.

    Detection technology developed using MAPP data tends to be more accurate and more comprehensive than detection built without access to the information. Each month after the bulletin release, Microsoft follows up with each vendor individually to track the use of MAPP guidance across the signature base of our partners. When we identify that certain guidance is difficult to implement for our partner base, we work with partners to understand how we can improve the program and enable them to detect these threats more effectively.

The vulnerability addressed in MS10-087, CVE-2010-3333, is a good example. This particular issue affected the Rich Text Format (RTF) parser in Microsoft Office. Because we had issued only a small number of bulletins for this component, many vendors did not have an effective way of parsing the file type. We worked with our MAPP vendors to develop a tool that would quickly identify malicious files, and distributed it to our partners, even though the issue had already been addressed in a security update.
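The kind of format-aware check that the step-by-step guidance above describes (parse the file, locate the element, and test it against a boundary, rather than matching one attack file at a time), as an added example that is not part of the original post and is not MAPP guidance: a small group-aware RTF tokenizer that extracts shape properties (the {\sp{\sn name}{\sv value}} groups defined by the RTF specification) and flags any property whose value exceeds a configured byte limit. The rule table, the two sample files and the 512-byte boundary on pFragments are constructed assumptions for illustration only; they are not the trigger condition for CVE-2010-3333 or any other specific vulnerability.

```python
"""Structural RTF check: parse groups, extract shape properties, apply a boundary rule.

Illustrative example. The rule table and sample files below are constructed
for this example; they do not describe any real vulnerability's trigger.
"""
import re
from typing import List, Optional, Tuple, Union

# Token forms stored inside a Group:
#   ("cw", name, param)   control word, e.g. \rtf1 -> ("cw", "rtf", 1)
#   ("sym", char, None)   control symbol, e.g. \* -> ("sym", "*", None)
#   ("text", bytes, None) plain text run
Token = Tuple[str, Union[str, bytes], Optional[int]]

CW_RE = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?")   # control word + optional numeric parameter
TEXT_RE = re.compile(rb"[^{}\\\r\n]+")            # text up to the next delimiter


class Group(list):
    """One {...} group; items are Tokens or nested Groups."""


def parse_rtf(data: bytes) -> Group:
    """Tokenize RTF into nested groups. Raises ValueError on unbalanced braces."""
    root = Group()
    stack = [root]
    pos = 0
    while pos < len(data):
        c = data[pos]
        if c == 0x7B:                       # '{' opens a nested group
            g = Group()
            stack[-1].append(g)
            stack.append(g)
            pos += 1
        elif c == 0x7D:                     # '}' closes the current group
            if len(stack) == 1:
                raise ValueError("unbalanced '}' at offset %d" % pos)
            stack.pop()
            pos += 1
        elif c == 0x5C:                     # '\\' starts a control word or symbol
            m = CW_RE.match(data, pos)
            if m:
                param = int(m.group(2)) if m.group(2) else None
                stack[-1].append(("cw", m.group(1).decode("ascii"), param))
                pos = m.end()
            else:
                if pos + 1 >= len(data):
                    raise ValueError("dangling backslash at end of input")
                stack[-1].append(("sym", chr(data[pos + 1]), None))
                pos += 2
        elif c in (0x0D, 0x0A):             # CR/LF are ignored by RTF readers
            pos += 1
        else:
            m = TEXT_RE.match(data, pos)
            stack[-1].append(("text", m.group(0), None))
            pos = m.end()
    if len(stack) != 1:
        raise ValueError("unbalanced '{': %d group(s) left open" % (len(stack) - 1))
    return root


def _leading_cw(group: Group) -> Optional[str]:
    """Name of the control word that opens a group (skipping the \\* ignorable marker)."""
    for item in group:
        if isinstance(item, tuple) and item[0] == "sym" and item[1] == "*":
            continue
        if isinstance(item, tuple) and item[0] == "cw":
            return item[1]
        return None
    return None


def _text_of(group: Group) -> bytes:
    """Concatenate the text runs of a group at any depth."""
    parts = []
    for item in group:
        if isinstance(item, Group):
            parts.append(_text_of(item))
        elif item[0] == "text":
            parts.append(item[1])
    return b"".join(parts)


def shape_properties(group: Group) -> List[Tuple[str, bytes]]:
    """Return (name, value) for every {\\sp{\\sn name}{\\sv value}} group, in document order."""
    found = []
    for item in group:
        if not isinstance(item, Group):
            continue
        if _leading_cw(item) == "sp":
            name = value = None
            for sub in item:
                if isinstance(sub, Group):
                    lead = _leading_cw(sub)
                    if lead == "sn":
                        name = _text_of(sub).strip().decode("ascii", "replace")
                    elif lead == "sv":
                        value = _text_of(sub).strip()
            if name is not None and value is not None:
                found.append((name, value))
        found.extend(shape_properties(item))
    return found


# Illustrative rule table (an assumption for this example, not MAPP guidance):
# maximum byte length of the \sv value for a named shape property.
MAX_VALUE_LEN = {"pFragments": 512}


def scan_rtf(data: bytes) -> List[str]:
    """Apply the boundary rules; returns one finding string per violated rule."""
    findings = []
    for name, value in shape_properties(parse_rtf(data)):
        limit = MAX_VALUE_LEN.get(name)
        if limit is not None and len(value) > limit:
            findings.append("%s value is %d bytes (limit %d)" % (name, len(value), limit))
    return findings


# Constructed sample files (not real-world samples).
BENIGN_RTF = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn shapeType}{\\sv 1}}"
              b"{\\sp{\\sn fFilled}{\\sv 0}}}}Hello, world.\\par}")
OVERSIZED_RTF = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
                 + b"41" * 400 + b"}}}}\\par}")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RTF), ("oversized", OVERSIZED_RTF)):
        print(label, scan_rtf(sample) or "no findings")
```

Because the check is made on the parsed value rather than on a byte pattern, it still fires when an author re-wraps the value in nested groups, changes spacing or splits it across lines, which is exactly what a per-file signature misses. In a production detector the ValueError raised on unbalanced braces should itself be treated as a finding, since a file a scanner cannot parse is one it cannot clear.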


    Risks and limitations

We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDAs) with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program.

    In addition, we make sure to only release data shortly in advance of the security update. Prior to MAPP, vendors released detection within hours to days following the release of a security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done, only now, the protection is usually available when we release the update.

    But MAPP also has its limitations. For instance, MAPP does not protect against the exploitation of unknown, zero-day vulnerabilities. In order for MAPP to be effective, Microsoft must be aware of the vulnerability before it can distribute guidance to its MAPP partners.

Additionally, MAPP is only useful to the degree that a product can protect against exploitation of the vulnerability. Intrusion prevention vendors may not always be best-positioned to detect exploits for Office vulnerabilities, as they may be encoded in a number of different ways across the network. In the same vein, host-based anti-malware products are often not best-positioned to protect against network-based exploits, such as the recent RDP vulnerability.

    We recommend our customers work closely with their protection vendors to understand the abilities and limitations of each individual product.


    The Value of MAPP

    We believe that helping to strengthen community-based defense is key to protecting customers. The MAPP program provides a critical head-start to defenders, while working to minimize risk.

    Microsoft is committed to helping customers by providing protection vendors across a wide variety of security industries with valuable protection information. The MAPP program is an important part of this strategy. While risk can never be completely eliminated, we believe the benefits of the program to our customers far outweigh the risks.

     

    Cheers!

    Maarten Van Horenbeeck
    Senior Program Manager, Microsoft Security Response Center

  • MSRC Ecosystem Strategy Team

    BlueHat Prize entries: The final tally is…


    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    The entries are in! After a last-minute wave of fresh entries to the first-ever BlueHat Prize, the final count for this year’s contest stands at twenty qualified proposals. The final entry reached our inboxes at 11:51pm on April 1. (Unfortunately, a contest entry that arrived 17 minutes later – at eight minutes after 11:59pm on April 2 – had to be disqualified out of fairness to the others, and to keep our competition in compliance with Washington State’s rules for such events.)

     

    And now? Now begins the hard and exciting part – evaluating the received entries. The BlueHat Prize Board now starts the judging process, examining, testing and discussing each entry. We expect some lively arguments and look forward to introducing the competition winners to the world at Black Hat in July. In the meantime, we truly thank everyone who delivered a contest entry, as well as everyone who spent time thoughtfully considering the issue.

     

    Talk to you in July –

    Katie Moussouris

    Senior Security Strategist, Microsoft Security Response Center.

  • MSRC Ecosystem Strategy Team

    Peace Games - BlueHat Prize Update and Countdown


    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.

    Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!

    With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.

The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as we have seen with several existing competitions that focus on vulnerability exploitation. Taking that knowledge to the level of helping to design new or enhanced mitigation technologies to defend against exploit techniques like heap spraying or Return Oriented Programming (ROP) was a challenge that we hoped would garner at least as much interest.

    The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.

    The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who the contestants are who have chosen to compete for the prize – some of them are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.

    For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:

    - Complete entries must be received by midnight Pacific Time April 1, 2012.

    - Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.

    - For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.

    - If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.

    With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”

    So, shall we play a game?

    -Katie Moussouris

    Senior Security Strategist, Microsoft Security Response Center

    Follow Katie on Twitter.

  • MSRC Ecosystem Strategy Team

    Blue Dawn


    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

In the film Red Dawn, the United States was invaded by Communists, forcing ordinary citizens and soldiers alike to take up arms and fight for their freedom. Although fictional, it was an epic tale of cooperation against a common foe, not unlike the situation that corporations and governments find themselves in today, fighting shoulder-to-shoulder with users to fend off the Internet-based attacks of determined adversaries. According to the most recent reports from uscollegeresearch.org, as of June 2011, about 73 percent of U.S. and 65 percent of global Internet users had been victimized by cyber criminals, mainly via social engineering.

    The theme of this year’s BlueHat was, fittingly, “We fight for the user.” Whether that user is within our own corporate infrastructure, or is a customer, it is more important than ever for us to stay focused on security by regularly improving our Security Development Lifecycle (SDL), honing our security response, and helping each user avoid social engineering attacks, a leading cause of computer compromise. 

    BlueHat v11 focused on bringing real-world security threats and issues to light by taking us on a journey that began with discussions about real attacks and adversaries, as witnessed by Context Security. Context Security has performed penetration testing simulating targeted attacks, as well as responded to many victims of industrial Internet espionage and crime. The picture it painted of the adversaries and the targets reinforced the overarching themes and lessons learned at the conference around appropriate risk management and secure product development. The approach must go beyond tools and code review, and into more advanced threat modeling that takes the entire ecosystem into account.  

    BlueHat, as always, was filled with many memorable talks, which focused on risks that leverage weakness at the seams of deployment, at the interfaces between components, between applications and infrastructure, and amid the relationships of the “trifecta” (the platform, the apps, and the app store), as described in Matias Brutti’s talk. While we as platform providers make our products more secure, we realize that they are not always deployed in ideal scenarios or configurations, and that we must work closely with intermediary vendors like OEMs who are in a position to make changes to specific devices that may decrease the effectiveness of some of our security measures. Andrew Cushman reminded us in his keynote address that in an age of transition toward “The Internet of Things,” where IP-enabled devices (e.g., cars, appliances, medical devices) begin to far outnumber traditional computers and mobile devices, we need to work with the ecosystem to help provide end-to-end security assurance.

Adam Shostack's talk about the statistics of how malware actually gets onto Windows machines demonstrated that social engineering accounts for 45 percent of compromised systems, versus 0-day exploits, which represent less than one percent of all attacks. Fittingly, Adam works on a team within Microsoft that is dedicated to helping us improve both Microsoft and third-party user interfaces. With the work of Adam's team, we can help users make smart security choices when faced with decisions like "should I proceed to this webpage even though there is an error in its certificate?" when they might not know what a certificate is or be able to guess what it does. Further, the user might not know whether or not the certificate's issuing certificate authority (CA) was compromised, resulting in fraudulent certificates used in attacks, as was the case with DigiNotar this year and Comodo prior to that.

Moxie Marlinspike wrapped up the conference with a thought-provoking presentation highlighting the journey through the compromise of the certificate authority Comodo, and the subsequent consequences (or lack thereof). The fact that the CA system of trust is rigid and does not recover well in cases where CAs are compromised is an issue that we as an influential participant in the ecosystem must consider, even though we did not create the CA system itself. Moxie challenged the audience to envision a new model where trust is agile and the decision of whom to trust is made (and can be revoked) by the user.

    No matter the threat, whether attacks are random or targeted, whether the attacker is unskilled or sophisticated, we must attempt to protect our systems, data and users. When attacks do occur, we must hone our ability to detect, contain and recover from them quickly. Working with our partners and customers is the best strategy for dealing with and adapting to these threats.

    Many thanks go to all the speakers, attendees, organizers, and volunteers for a memorable and enlightening BlueHat v11. We will continue to work together, shoulder to shoulder, defending our Internet neighborhoods from invasion, as we fight for the user in a Blue Dawn.

    Katie Moussouris

Senior Security Strategist Lead, MSRC Security Ecosystem Strategy Team

Follow Katie on Twitter at http://twitter.com/k8em0

  • MSRC Ecosystem Strategy Team

    Evolving to meet future challenges

    Growth and change can come in big doses or small increments. That can be professional or organizational growth or technical or societal change. Since we started doing BlueHat waaay back in 2005, I’ve seen some significant change at Microsoft, experienced a fair bit of professional and personal growth, and witnessed stunning technical and social change.

     This year I have a slightly different role in BlueHat.

    As I reflect on this year’s BlueHat, there is a three letter (or occasionally four-) acronym that nicely tees up a number of topics – AFGO - Another Fun Growth Opportunity. Over the course of time, new attacks, new relationships, new positions, new technical or business challenges offer opportunities to expand our skills, tune our strategies, and take on new challenges. We see that despite the progress already made, there are still challenges ahead along with plenty of growing and learning available to the interested and the willing.

The BlueHat attendees are the interested and the willing. They come for the official program on attacks, threats, and technologies. More importantly, they come for the "hallway track", the discussions that happen between like-minded security "apassionados". This year's program challenges the attendees to go beyond the easily understood remedies. Presentations on Targeted Attacks should give the attendees that visceral learning experience – AFGOs that challenge us to accept we have done great work and yet more remains in order to protect our infrastructure and intellectual property and that of our customers. Similarly, there are a number of talks that explore the painful reality of "wait, I thought I did the right things" – you incorporated security into the development culture and operations, and yet your risk profile may still be higher than desired. Money spent and certifications earned don't equal security – AFGO.

    These days I find myself focused on two growth areas – one is anti-abuse as an engineering discipline and the other is the area of security policy.

Attackers are moving away from implementation errors such as buffer overflows and towards abuse of the design seams of the networked system. This presents us with a more complex challenge that may not be as straightforward to eliminate with traditional security tools or testing. We must engineer anti-abuse solutions for Microsoft services that minimize customer impact and at the same time improve the customer's trust experience and ease of use. We can do both; we have done it before. I see before us an opportunity for a second wave of security culture change within Microsoft as we harden our services to withstand abuse and enhance the user experience.

The helpful shorthand I use to describe my work on security policy issues is that I am looking for solutions to non-technical security problems. I look to help governments and industry come up with reasonable, effective, and implementable policy, legislative and regulatory solutions to security problems. Talk about growth opportunities! Technical solutions are relatively straightforward, unemotional and fact-based, while politics usually has to do with business models or personalities. The Office of Global Security Strategy and Diplomacy offers me an opportunity to leverage my technical background and bring my perspective to the strategy discussions of how countries and organizations manage security risks at a global level.

    Can’t wait to see you all at BlueHat.

    Andrew Cushman
    Director, GSSD, Microsoft Corporation

  • MSRC Ecosystem Strategy Team

    Announcing BlueHat v11: We fight for the user!

    It seems like we only just had BlueHat v10, but already BlueHat v11 is less than a month away. Our schedule is ready, the banners are printed, and now seems like a great time to give some more detail on what’s coming up.

    As you probably know already, BlueHat is an invitation-only conference where security experts get to mingle with Microsoft’s own security team and core product groups. I attended v10 as an outsider to Microsoft, but to see it come together from the inside has been even more gratifying. It is amazing to be part of the engine that brings these people together and helps us develop more secure products, allows us to build stronger relationships with the security community, and lets our development teams get a few precious moments of sunlight.

    BlueHat v11 will take place on Microsoft’s Redmond campus on the 3rd and 4th of November, and this year our focus is a field that’s seen a lot of expansion in the last twelve months, and not just for Microsoft: web apps and the cloud. We’ll also explore the current threat landscape, taking in tales of real-world attacks by determined adversaries from world-class experts in national defense and corporate anti-espionage. As criminals and adversaries refine their attacks, we are once again bringing some of the sharpest minds in security together to help us shore up our defenses, as we come together as a community to fight for the user.

    Here’s a quick overview of the speakers we have lined up over the two days. Full details for the conference and schedule are available on the BlueHat web site.

Day 1: Thursday, November 3rd – BlueHat v11

    We will begin the first day of BlueHat v11 with Andrew Cushman of Microsoft, who will give a short presentation on his experience with BlueHat over the years. Then there will be an exclusive conversation with Shawn Henry of the FBI. Mark Raeburn, CEO of Context, will share insights on current and evolving threats from his experience as an ethical hacker-for-hire, as well as a first-responder to actual compromises. The morning sessions will conclude with Mark Oram, Principal Security Program Manager at Microsoft, and a special session on what Microsoft is doing to fight for the user.

The afternoon track will be dedicated to Web Application Security. Jeremiah Grossman, a former BlueHat speaker, will give an overview of the current state of Web Application Security and provide some statistical data on website compromises. Then Mario Heiderich will present an up-to-date talk on cross-site scripting attacks and mitigations, especially in HTML5 implementations. Finally, we will conclude with a presentation from Joe McCray on Web Application Firewalls, their drawbacks, and the importance of designing secure web applications that don't rely on security assumptions.

Day 2: Friday, November 4th – BlueHat v11

Day two will kick off with David Treadwell, Director of Cloud Services at Microsoft, presenting an overview from his perspective on Cloud Security. Rich Lundeen, Jesse Ou, and Travis Rhoades of Microsoft will give an informative presentation on new (and not so new) web application attacks that can also be exploited when the backend systems are cloud-based. Jared Pfost, formerly of Microsoft, will share some insights on the value of security. As companies drive towards the ease and ubiquity of the cloud, it is vital to understand the security implications involved regarding financials, data security, and the effort required to ensure that your company is investing its security resources in the best place possible. John Walton of Microsoft will conclude this track with an innovative approach to thinking about cloud security. John's talk abandons the "get it right the first time" attitude when thinking about a security implementation, opting instead to explore and address the implementation with the assumption that your system is already breached, that you are already vulnerable. This talk will challenge you to think of what YOU will do next.

The final track of BlueHat v11 will investigate the sometimes surprising deployment context of Microsoft's products and services, as well as present some interesting ways users can be compromised. Alex Plaskett, a researcher at MWR in the UK, will share research that he and his team have performed on the Windows Phone platform and how it compares to other mobile platform security models, while taking a closer look at what types of vulnerabilities are introduced by OEM software. Matias Brutti of IOActive will present data on the interactions between the platform, the applications, and the app stores, the security trifecta that puts mobile devices and users potentially at risk. Moxie Marlinspike will conclude BlueHat with his insights on SSL and the Certificate Authority system, and potential directions for authentication and authorization systems that could help create a more robust model moving forward.

    Cheers,
    Noelle Murata
    Security Program Manager, MSRC

  • MSRC Ecosystem Strategy Team

    From Bounties to the BlueHat Prize – Evolutionary Thinking in Valuing Security Research


    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    Today on the MSRC blog, Matt Thomlinson announced the BlueHat Prize, the first and largest incentive prize Microsoft has ever offered to seek out and reward new ideas in computer security defense.  While you can get the details of the contest on the new program’s website, I’m going to talk about some of the factors that went into the making of the BlueHat Prize, and why we think defensive security technology is a crucial place for vendors like Microsoft to invest.

    Microsoft decided to offer large cash awards for innovations in runtime mitigation technology (a $200,000 grand prize, followed by a $50,000 second prize), both to acknowledge the value of defensive security work, as well as to encourage more security experts to start thinking about mitigations.

Some organizations have offered small cash rewards to security researchers who found and reported security vulnerabilities in their products. As more vendors began offering bug bounties for individual vulnerabilities in their products, many people speculated that Microsoft would follow the trend. Before considering such an approach, we conducted an analysis of the data we have on security researcher motivations; current prices in the existing white, grey, and black markets for vulnerabilities and exploits; and of course, what finders of Microsoft vulnerabilities typically do with their discoveries.

    What we found can be summarized as follows:

1. Motivation: Researchers have many motivations other than money, including recognition (either public or just among their peers).

2. Prices: The prices for vulnerabilities sold to the white market do not even come close to the amounts offered by the grey and black markets. By "white market," we mean either vulnerability brokers who give the details to the vendors privately to get the issues fixed, or the bug bounties offered directly by some vendors. By "grey and black markets," we are referring to those who purchase vulnerabilities and exploits for offensive use, and specifically do not give vendors the information needed to get the vulnerabilities fixed. No organization that pays bug bounties for vulnerabilities in its own products, and no white market vulnerability broker, offers prices intended to "compete" with grey and black market prices.

    3. Disclosure: 90 percent of security researchers who privately report Microsoft vulnerabilities to us choose to report them to Microsoft directly, rather than seeking monetary payment via a white market vulnerability broker.


    With that in mind, Microsoft respects researchers’ choices in whether or not they seek individual payment for vulnerabilities they find, and the means certainly exist for them to do so if they wish. If researchers do sell their vulnerability findings, we hope they choose white market vulnerability brokers to provide Microsoft the opportunity to fix the issues before details are made public and risk to customers is amplified.

    So if money doesn’t appear to be the driving motivation for the majority of researchers who are willing to report issues privately in Microsoft products, why did we decide to offer a huge cash reward for defensive security research? Because we believe that the existing security research economy has been exclusively focused on offense for too long.

    As a company, Microsoft believes that the best way to secure our products is not through reactive measures, but instead to invest in secure development throughout the product lifecycle, and in overall platform defense technology.

    Rather than compete with the existing white market vulnerability economy, we decided to start something no one has ever done before, and introduce a new economic factor and incentive where none existed. While Microsoft continues to invest in improving the security of our products via our Security Development Lifecycle, and address individual vulnerability reports via our security response process, we are simultaneously looking to the horizon both in our vision of securing our platform, and the ways we reward the security researcher community.

    We hope other vendors who would like to seek the help of the global talent pool of security researchers will also consider this model of investing in and rewarding innovations in defensive security technology. We also hope that current and future generations of security researchers will be inspired to look at the defensive side of the equation when designing new offensive techniques, thanks to the BlueHat Prize. In our experience, some of the best defenders come from the offense side of security.


    I’m Katie Moussouris, and THIS is what a “security strategist” does at Microsoft. Now you know. :-)


    You can follow me on Twitter: http://twitter.com/k8em0

  • MSRC Ecosystem Strategy Team

    Building a safe internet... together!



    Hi everyone,

    Together with my colleagues Jeff Williams and Holly Stewart from the Microsoft Malware Protection Center (MMPC), I am here at the 23rd Annual FIRST conference in Vienna, Austria this week.

    FIRST is the Global Forum for Incident Response and Security Teams, an organization that aims to bring together computer security incident response teams from government, industry and education. FIRST is at the root of a number of standardization efforts in security, such as the Common Vulnerability Scoring System (CVSS). Its main strength, though, is that it offers incredible networking opportunities for people in the security community to find each other and collaborate on protecting internet users.

    Microsoft is proud to be a Platinum sponsor of the FIRST conference, and looks forward to our continued collaboration with the valuable members of this community.

    This week also marks the 3-month anniversary of an exciting project we embarked upon with many of the national incident response teams that are present here this week.

    On March 17th, our colleagues at the Microsoft Digital Crimes Unit (DCU) publicly announced their successful effort to take down the notorious Rustock botnet. At the time, Rustock was estimated to have consisted of close to a million infected computers, and it was capable of sending billions of spam messages each day. These messages included advertisements for fake prescription medication, which can, in some cases, be dangerous.

    Microsoft has a great security group, but as a single company, we quickly realized that we would not be able to reach out to every infected customer worldwide. However, many countries have stood up Computer Security Incident Response Teams (CSIRTs), which are exactly intended to process this type of information and protect constituents. Over the last few months, we have worked with several of these organizations to further advance our joint goal of protecting and cleaning infected Rustock machines worldwide.

    We would like to thank the following CSIRT partners for their contribution so far in this takedown effort:

    ArCERT, Argentina
    CERT.AT, Austria
    Cert.BE, Belgium
    CERT-BR, Brazil
    CERT-EE, Estonia
    CERT-FI, Finland
    CERT.LV, Latvia
    CERT-UA, Ukraine
    CNCERT, China
    Federal Office for Information Security (BSI), Germany
    GovCERT.nl, The Netherlands
    GovCertUK, United Kingdom
    HKCERT, Hong Kong
    INTECO CERT, Spain
    JPCERT/CC, Japan
    MYCERT, Malaysia
    PISA CERT, Pakistan
    Public Safety Canada – CCIRC, Canada
    CERT-SA, Saudi Arabia
    ThaiCERT, Thailand
    TwCERT/CC, Taiwan

    Each of these organizations has tirelessly worked with us over the last months to reach out to affected service providers and consumers in their constituency and ensure they were aware of tools that existed to remediate infected machines. In fact, they are part of a much larger group of organizations in the CSIRT community, some of which preferred not to be publicly called out for their efforts at this time. Microsoft values collaboration and the insights these organizations continue to provide to us on this significant challenge, which we are tackling together.

    Within the United States, Microsoft also works with a community of Internet Service Providers. In addition, anyone who owns a network range can subscribe to Smart Network Data Services (SNDS), which makes this information available to any legitimate network administrator.

    If you would like to learn more about these and other efforts of Microsoft to clean the Internet of botnet activity, you can find more information at support.microsoft.com/botnets.

    Cheers,

    Maarten Van Horenbeeck
    Senior Program Manager, MSRC

  • MSRC Ecosystem Strategy Team

    Coordinated Vulnerability Disclosure Reloaded

    Today on the MSRC Blog, Matt Thomlinson announced three new efforts to provide more transparency into Microsoft’s vulnerability disclosure process. These included a Coordinated Vulnerability Disclosure (CVD) at Microsoft procedures document, the first release of MSVR Advisories on vulnerabilities that were discovered by Microsoft and fixed by affected vendors, and an internal employee disclosure policy.

    The vulnerability disclosure debate has continued over the years with all sides seeking the best way to protect users. We believe the best way to improve software security is through comprehensive Security Development Lifecycle (SDL) programs that build security into software from the very beginning. For vulnerabilities that remain after software is released, we feel that disclosure of vulnerability details should be done in a way that allows vendors an opportunity to address the issues without amplifying risk.

    In our experience as finders and coordinators, we know that disclosing vulnerabilities to a vendor can be a complex process. This is why we developed the Microsoft Vulnerability Research (MSVR) program as a way for our employees to report vulnerabilities they find to affected vendors.

    We understand that there are differing approaches to vulnerability disclosure. Even if finders do not share our disclosure philosophy, we appreciate any information finders are willing to share with us. Our hope is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.

    We’ve listened to the security community, including security researchers, vendors and CERTs, in documenting our approach to disclosure. We’d like to thank the following people for reviewing our Coordinated Vulnerability Disclosure at Microsoft document. If you have comments or opinions, we'd like to hear from you. Please follow us on Twitter at @msftsecresponse or me at @k8em0.



    - Katie Moussouris, Senior Security Strategist, MSRC



    Microsoft thanks the following people for reviewing our Coordinated Vulnerability Disclosure procedures document:

    Bryan Burns, Distinguished Engineer, Juniper Networks

    Arturo 'Buanzo' Busleiman, Independent Security Consultant

    Steve Christey, CVE Editor, MITRE

    Dave Dittrich, Security Engineer/Researcher, Applied Physics Laboratory, University of Washington

    Jussi Eronen, Infosec adviser, CERT-FI

    Ian Glover, President, Council of Registered Ethical Security Testers (CREST)

    Jake Kouns, CEO, Open Security Foundation

    Zach Lanier, Intrepidus Group

    Marc Maiffret, Chief Technology Officer, eEye Digital Security

    Art Manion, CERT Vulnerability Analysis Team

    Steve Manzuik, Director of Security Research, Leviathan Security Group

    Charlie Miller, Independent Security Evaluators

    Toshio Miyachi, Board Member, JPCERT Coordination Center

    Bruce Monroe, Senior Information Security Specialist, Intel

    Mike Prosser, Symantec Product Security Team

    Ryan Permeh, Manager of Product Security, McAfee

    Marsh Ray, Senior Software Development Engineer, Phonefactor

    Russell Smoak, Sr Director / GM Security Research and Operations, CISCO Services

    Chris Wysopal, Chief Technology Officer, Veracode


  • MSRC Ecosystem Strategy Team

    Behind the Curtain of Second Tuesdays


    Handle:
    Mando Picker

    IRL:
    Dustin Childs

    Rank:
    Security Program Manager

    Likes:
    Protecting customers, working with security researchers, second Tuesdays, bourbon, mandolins

    Dislikes:
    Using "It's hard" as an excuse, quitting when it gets tough, banjos

    Hello All,

    I enjoy telling stories. Perhaps, in a former life, I spent time as a bard telling stories of Robin Hood and Maid Marian as I travelled from town to town. Perhaps I just spent too much time playing The Bard’s Tale on my Tandy 1000 back in the day. Either way, I enjoy telling stories to people. It’s even better when I get to tell stories that relate to my job. Recently, I was given the opportunity to tell some stories at BlueHat V10, and that presentation is now online for the world to see. One area of my job that always piques people’s interest is the challenges we face on a day-to-day basis. These are the stories I chose to highlight in the BlueHat V10 presentation, and unlike most old bards’ tales, these stories actually happened.


    Of course, stories always have a greater impact when they make a point. In each of the case studies I talk about, something went wrong. And let’s face it, if I’m involved, it means something has already gone wrong. That doesn’t mean that someone was at fault, just that things did not go exactly as we expected.


    When I was originally approached about presenting something, I immediately thought of a few themes I wanted to highlight about what goes on in MSRC. First, few people understand the scope that we deal with every day. I may joke about rebooting countries (just watch the video of the presentation), but it’s really not much of a hyperbole to say that. The actions I take and decisions we make have far reaching consequences, so we take them seriously.


    I also hoped to highlight the number of moving parts we have in any given security update. In addition to all of the work I do, there are developers, testers, engineers, product groups, communications people, security gnomes, operations personnel, release partners, independent security researchers, and the list just keeps on going (sorry if I left you off). My job is to ensure all of these folks work together toward the common goal of addressing each issue and protecting our customers. I’m not asking for your sympathy here (though I’ll gladly take it), but most people have little understanding of the massive amount of coordination and work it takes to release five new lines of code across 22 platforms in 36 languages.


    So how do we manage to make all of this happen the second Tuesday of every month? Well, there are 3 P’s that exist here that really drive us to success:


    · Passion – Everyone I work with is very passionate about security and protecting customers. Let’s face it, if we weren’t passionate about this, we wouldn’t last long in the sixth worst job in science. And hey, we actually did buy a customer’s laptop just to get repro (and that wasn’t the first time).

    · Process – We’ve done this before. And each time we do it, we learn more and apply those lessons toward doing it better the next time.

    · Pragmatism – Although we might not get everything 100% perfect 100% of the time, we realize we can go back to those first two P’s to cover us when something goes a bit askew. Release Tuesday is huge for us, but it’s not the end of anything; just a major milestone. We actively monitor the ecosystem to make sure everything is behaving the way it should.


    Well, I hope you enjoy the presentation and the stories I tell in it. If nothing else, it provides a framework for understanding what’s behind that little bundle of joy we deliver every second Tuesday. And if you happen to find me wandering in Skara Brae and would like to hear any more stories, we can head over to ye old tavern where I will spin a few yarns for you. I might even be the one buying. :-]

    Cheers!
    Dustin
    MSRC
