As part of the quest to help "secure the planet", our team travels over this planet a lot, and I wanted to highlight a few of the interesting security gatherings I've been to lately.
September brought sunshine and the Executive Women’s Forum (EWF). An all-women’s security event was completely refreshing and a great contrast to the usual technology scene. In addition to the great technical content, it’s always a treat to discourse with others who see computer science as a social science. Mary Anne Davidson’s blog post about synthesis had some great insights:
One of the things I have been doing some thinking and speaking about is the idea of synthesis. More specifically, the lessons we can learn in IT security from other disciplines, such as business, economics, history (especially military history and strategy) and biology.
Hey, those are social sciences (except for biology, although its neighbor epidemiology counts). She also mentions strategy which is a subject close to my heart. :-)
Additionally, I had a chance to break bread with former colleagues and friends from around the planet. I got to hear from women starting their own companies or in amazing roles at their organizations -- women whom I would want as mentors, colleagues and partners. It was also eye-opening to see the old school/new school debate among women decision makers, which parallels what we see in male-dominated environments, centered around the question of whether it's possible to solve security ecosystem problems through regulation. The security ecosystem is like the weather – you can’t predict or control it – but you want to be prepared for it. EWF presents an opportunity to continue educating and networking with this community about the risk environment and how to mitigate threats, concurrent with ongoing policy, privacy and regulation initiatives.
One of my personal goals is to (paraphrasing a line on a favorite greeting card) "build bridges and help people get over them." One of those goals was realized when, in October, the Microsoft Security Response Center (MSRC) and friends went down to the Southern hemisphere for some mmmm BA-Con. Even better than bacon was the gathering of some mavericks, if you will, including Argentinean security superstars and underground up-and-comers. The conference was the culmination of years of conversations and grassroots community partnerships between traditional "rivals": Core Security, well-known in the attack tool community, in alignment with our team and other protection providers.
An interesting trend we’ve noted: alongside traditional security conferences, we are starting to see "micro-communities" thriving around the world, with different parts of the security ecosystem overlapping. Just as Black Hat has its Defcon, security conferences worldwide are realizing the value of leveraging different and respected security communities. BA-Con has the ekoparty Security Conference and Xcon has XKungfoo, both great examples of diverse communities collaborating. Mary Anne’s post talks about the risks of a lack of "biological diversity". By contrast, the collaboration between these communities provides illustrations of diversity from a social science perspective: language, organizational affiliation, age.
Each year, we also have the pleasure of *not* traveling, and welcome members of the security community here to the Microsoft Corporate Campus for BlueHat. Ask the BlueHat network of past speakers, or catch some of the great recent blog posts: one of the most interesting watering holes in software security is @BlueHat. Thanks to all who have helped us grow from a friendly little hacker con to a platform to educate the broader security community with the BlueHat: SDL Sessions, to give back to the developer population by releasing developer tools, and to build more relationships toward community-based defense.
A lot of people are surprised that we don't make a bigger deal out of BlueHat by inviting the press in. Even though BlueHat is a great story, that's not primarily how we see it. It is a network, a voice for the community, a platform to launch people, research and ideas. The interactions are different, somehow more open and sincere when folks don’t have a press audience or "preconditions". The good stuff and paradigm shifts that come out of BlueHat in the form of new awareness, collaborations and security innovations, will pay off for years to come. We aren’t willing to risk the platform for a press story.
There is a lot of excitement that we are making the BlueHat: SDL Sessions public! That's right; you don’t have to come to BlueHat to watch a great day of security content! Thanks for the feedback and stay tuned for BlueHat: SDL Sessions releasing on TechNet, we’re working on getting them up as soon as we can. And the rumors are true: TwC will release a tool to the public within the fiscal year.
As a part of the MSRC, a big part of our team life these days has been releasing MS08-067* out-of-band. With the update, we are all more secure. That means that many of your security colleagues worked 24 by 7 to get this out to you as quickly as possible.
Throughout my travels, a common theme in these experiences is the opportunity for shared goals and cooperation among organizations and people usually seen on different sides: security researchers and software engineers, Macs and PCs, browser developers and browser hackers, vendors and competing vendors, from the infrastructure to the cloud. BlueHat has demonstrated that well-chosen strategies, while easy to overlook, offer substantial benefits and positive outcomes. It is a great example of "reaching across the aisle" to create those multivendor solutions.
Next: around the world in 14 days. Really!
Sarah
Security EcoStrategist
* As with all security updates, MS08-067 is a free download with no check for Windows Genuine Advantage. For details and a link to the software for your operating system, click here to go to the Microsoft TechNet Security page.
*Postings are provided "AS IS" with no warranties, and confer no rights.*
You've probably heard that we released an out-of-band Security Bulletin for a vulnerability in Windows (MS08-067). By now you have probably also heard of the Microsoft Active Protections Program (MAPP). Let me take a moment to talk to you about how they worked in concert for this issue. As announced at Black Hat in August, prior to release of the monthly security updates, MAPP members receive technical details on vulnerabilities in order to speed the development of protections. Due to the unique threat from this vulnerability and because the issue was released out-of-band, we decided to not only share the information in advance but to also make our security engineers behind the SVRD Blog available for questions with MAPP partners.
During this meeting, we outlined technical details on this update and allowed for more in-depth questions on the information provided. We did this to ensure full understanding of the issue so that timely protections could be provided. We are happy to say it worked nicely, and that most MAPP partners had protections out shortly after the bulletin published and the rest should have their protection available by end of day. If you have questions about which partners have protection, see the links to their pages here.
This is a great example of the kind of community-based defense we discussed at Black Hat and I’m pleased to see us working together to collaboratively protect the ecosystem.
For more information about this release see the MSRC Blog here: http://blogs.technet.com/msrc/default.aspx
Steve “Capt Steve” Adegbite
It’s October! And for those who remember Black Hat 2008 in Las Vegas, this means the programs we announced have launched. These programs include the Microsoft Active Protections Program and the Microsoft Exploitability Index, which begin with today's October Security Bulletin Release. Microsoft Vulnerability Research is also underway, formalizing our ongoing efforts as responsible researchers in the community.
Following the announcement, there was a discussion on the Daily Dave security mailing list, where folks wanted to ask us more questions than were asked after we announced our three security programs at Black Hat 2008. We responded, asking folks to send their questions our way.
We didn’t answer some questions from the thread about future product development and our relationships with specific researchers. However, below are answers to questions about the three specific programs announced at Black Hat to make sure folks understand them fully.
We appreciate the feedback on these programs. They are all focused on increasing collaboration and information sharing to tilt the advantage in the favor of the defenders of networks as they combat attackers.
So, here are the questions, and the answers:
Questions about Microsoft Active Protections Program (MAPP)
1. Can you fully define 'offensive' or 'attack' software? Is a security assessment tool that does not exploit categorized as such? Consider a tool like nmap or Nessus; would that discount Fyodor or Tenable?
Of course, absolute definitions in this space are challenging. However, an example of pure offensive or attack software is any software that weakens, for a prolonged or permanent period, the security integrity of a system in order to either exploit it or pilfer it (steal data, credentials, or toeholds for further exploitation, such as rootkits). Tools like MPack would be one example I would categorize as a pure attack tool. With that said, Nessus or Nmap (tools many of us here have used when doing security consulting) would not be considered pure offensive/attack tools.
2. What if a company makes multiple products, some aggressive and some passive? eEye or Tenable would be examples, where each has defensive products designed to act as IDS/IPS as well as assessment tools.
We would still allow such a company in the MAPP, provided they met the criteria. They would still have to abide by the criterion that states that "protections" built with MAPP data must be held until the security update is publicly released. This ensures that someone doesn't get the signature, reverse engineer it to discover the issue being updated, and then release a proof-of-concept (PoC) for it. Now, I think where you are going is that there is a potential that the same company could use this information in their assessment products prior to the release of the security update. This is correct, but it would be a violation of the MAPP agreement, and if discovered, we would terminate their membership. However, early on we realized that assessment tools play a big role in the enterprise and consumer security space. We will continue to work on this area. Right now, we’re focused on giving customers better active protections as they work to deploy our security updates.
3. What about companies that clearly make defensive products, but also have other questionable activities? Consider TippingPoint which has an IPS solution, but also does the ZDI Initiative, where they share (sell) vulnerability information to their clients.
We would evaluate their defensive business first and do a risk analysis of other activities to ensure that they do not harm the same customers we are trying to protect. This is not a "pure" solution, but it is a real-world one due to the nature of some security firms’ business practices. If at any point any MAPP member is found engaging in activities that hurt our customers, they will be removed immediately.
4. If an organization is found to have leaked information inappropriately, what are the consequences? Being kicked out of the cartel seems like a given, but by potentially putting millions of computers at risk prematurely, would Microsoft also pursue the company legally?
The company would be removed from the MAPP immediately. I can't speak on any legal action but I can imagine our legal department would review the matter. Also, please remember that one of the key operational goals of MAPP is to provide information “just-in-time.” Therefore, any negative actions only have a short window before the updates themselves are released for customers.
5. Would Microsoft comment and give a rough number of companies that have been accepted into MAPP to demonstrate the interest?
The MAPP has been receiving a fair number of applications, as you can guess. We are still processing and getting people officially in, so no definitive numbers are available yet. Rough guesses still match what I said on stage: about 20 to 40 companies by launch.
Questions about Microsoft Vulnerability Research (MSVR)
6. Are these people finding third-party vulnerabilities also looking at Microsoft products?
Yes. The people looking for third-party vulnerabilities are primarily in our security engineering teams, and they do look for vulnerabilities in our own products, along with conducting other security research and response activities. Some vulnerability finders within Microsoft are in other teams with other responsibilities, such as in various product teams.
7. Is this done using automated tools (proprietary or otherwise), by hand or a mix?
A mix. An overall goal of MSVR is not only to help increase security by finding instances of vulnerabilities that are present in third-party software, but also to share the methods we’ve learned for uncovering these vulnerabilities. So if we can identify an opportunity, we will also share the principles and methodology we’ve developed as part of the Microsoft Security Development Lifecycle (SDL), which can include tools and manual techniques.
8. What disclosure policy do you adhere to, and is it published?
Our goal is to follow the OIS guidelines, found here: http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf
9. Once the vulnerability is fixed, vendors frequently issue advisories or mention the fix in a changelog and credit the person/company who reported it. Can you cite a single example of this? If not, why not?
Yes, we can. Engineers at Microsoft had been reporting vulnerabilities to third-party vendors long before MSVR was founded. MSVR is both a formalization of how we handle vulnerabilities that are casually found during the course of someone's normal work (as was the case for years), and an expansion of research focus to third-party software specifically to look for vulnerabilities. Before MSVR, finders at Microsoft either reported the issues they found to the vendor directly, or asked the MSRC to help them do so. They are individually credited in the affected vendor's advisories. Try searching for Tom Gallagher in some ISVs’ security bulletins.
Question about Microsoft Exploitability Index
10. If there are only a handful of people who can make a reliable exploit for a particular vulnerability (or not) and none of them work for Microsoft, how can Microsoft accurately determine whether an exploit for a particular vulnerability will be somewhat reliable or totally reliable (or not possible at all)?
This question makes a good point, and that is, much of the Exploitability Index's accuracy is based on who is doing the work rather than a strict scientific methodology. We realize there’s a chance we might not be 100% right all the time. However, we’ve done a few things to try to make sure this index is accurate enough to help realize its goal of giving customers more actionable information to prioritize their deployment.

First, it’s most relevant for the first two weeks to 30 days after release. Meaning, exploitation science may change, and there may be private methods under discussion, but for customers making deployment decisions, it should provide enough information to help make a more informed prioritization than before. Second, we do have the folks from the Security Vulnerability Research and Defense (SVRD) team working on the vulnerability from its initial report until the release, and they’ll be assessing exploitability as part of their normal process.

That’s not all: we’ll also be following methodologies discussed at BlueHat conferences, using approaches similar to those the community uses when analyzing our updates. And finally, we’ll leverage the community established through MAPP to check our work before we release the index. With three layers of people and processes, we expect the Exploitability Index to provide valuable information to customers in their decision making.
- Mike Reavey
Hopefully by now you’ve seen the lead-in to BlueHat v8 blog post, the official announcement post, and perused the spiffy, revamped BlueHat page. I’m truly amazed to see how the content has shaped up as we approach the final countdown to BlueHat v8: C3P0wned on October 16-17. It’s thrilling to see what was once a little hacker con turn into a platform to educate developers and execs with an end-to-end story. Day one of BlueHat will focus on security issues facing the ecosystem, while day two leverages the Security Development Lifecycle (SDL) to discuss the full cycle of proactive security and "baking security in," so to speak.
BlueHat is first and foremost about educating all the Microsoft "cooks in the kitchen" so we can better understand the security space and ship more secure products. This time, Microsoft will share some of that education with the world. The BlueHat team will post publicly, for the first time ever, a day of BlueHat content. You can also count on speaker video interview podcasts, anecdotes and archives to be on the site as well.
This is the fifth BlueHat I’ve had the pleasure of being a part of. I can’t help but get nostalgic, as I’ve seen the con continue to grow and pick up momentum. Microsoft and the ecosystem continue to endure some pretty significant threats, such as the recent DNS issue, ActiveX issues, etc. In addition, issues including blended threats and other vulnerabilities that affect multiple vendors demonstrate that complex threats are increasing. Understanding these trends gives us a strategic call to action. We can leverage BlueHat to bring vendors, researchers, ISVs, CERTs (and others) together to understand complex issues and to create recipes for collaboration. It’s not just Microsoft working with other vendors on issues, but Microsoft working with the overall security community to meet these challenges.
Even other companies are taking the time to create BlueHat-like conferences and events at their own facilities to help their own employees sharpen their security skills. The good folks at eBay host Red Team eBay where their security team members can meet and exchange ideas with industry experts. It’s beyond encouraging to witness other companies leading with their best foot forward in creating a melting pot of security information exchange.
I can’t wait for BlueHat v8 and I encourage you all to follow the virtual trail on the BlueHat Blog and SDL Blog leading up to and during the event.
-Celene Temkin