Goodbye 2008, hello 2009! Over the past year we, the MSRC EcoStrat team and all of TwC Security, have been a lot of places, seen a lot of people, and picked up a lot of t-shirts. On the road, we work hard to create more opportunities for technical information exchange in strategic ways. One way is by co-sponsoring security conferences in various geographic hotbeds to support the de-mystification of global security threats through education. Another way is by presenting candid talks and having open conversations in order to create channels for productive information exchange on common threats between the security industry, governments and researchers.
Most recently, members of TwC Security were in Berlin at the 25th Chaos Communication Congress (25C3), run by the Chaos Computer Club (CCC). 25C3 is not a purely security-oriented conference; it touches on topics that are relevant to society in general, e.g., voting, cryptography, ethics, privacy, et cetera, which makes its reach truly unique. Among others, Bruce Dang and Dave Tamasi were joined by Joe Hemmerlein (Netherlands) as Microsoft representatives. From our perspective, many of the attendees of this con seem to be huge fans of Linux/*BSD and open source software in general.
Bruce Dang had the opportunity to present his talk on “Methods for Understanding Targeted Attacks with Office Documents,” which was well received. Hearing quotes like “The crowd loved this guy” and “Bruce Dang’s talk and the conversation afterward was one of the highlights of the Congress for me” is exactly the kind of thing we like to write home and tell Mom about. (Use your favorite search engine to query “Bruce Dang CCC talk” to read more community feedback about Microsoft at CCC, or visit the MMPC blog for more stories about surprising EU community supporters.)
Several folks approached Bruce post-session and applauded Microsoft’s transparency, along with the technical level of his presentation. Sure, there were the standard “What’s it like to work at Microsoft?” inquiries, but most responses were about how impressed people were that Microsoft hires people to do this kind of work. Apparently one guy even walked up to Bruce and Dave, completely unsolicited, to say, “You have shattered my perception of Microsoft.” Wow, you can’t buy publicity like that!
Along with the great comments, we also received some promising recommendations for where our attention and support could have even more impact. We’re all ears, as we are always looking for ways to foster different communities.
Overall, the Microsoft experience at CCC was quite positive; attendees recommended a stronger Microsoft presence, continuing to speak about security research at a deep technical level. We’ve even been receiving e-mails saying that “we changed the audience’s perception of Microsoft.” Sweet, sweet music to our ears!
At the end of the day it sounds like the pizza in Berlin wasn’t half bad, especially when served with one of the best hacker conferences in the world. We also learned some interesting local facts, for example about a German “ethics hotline.” Say a researcher at 25C3 has a question about how ethical it is to hack a website, a server, whatever. With the handy ethics hotline, simply dial up and ask! Ich bin ein ethical Berliner!
*Postings are provided "AS IS" with no warranties, and confers no rights.*
As we head into this new year, predictions abound in the security ecosystem for 2009. The security industry talking heads all have opinions, and there is no shortage of issues to be concerned about: more malware, more targeted attacks, better phishers and more vulnerabilities in all software and hardware. The responsibility of trying to secure the planet (together) feels so massive when every region, every country, every platform, every browser has different issues.
I'll end this blog post with my own prediction, but first some catching up on what's happened since my last post.
At the close of 2008, I got to see some of our good friends and friendly rivals at the Vendor Security Information Exchange briefings in the UK. Thanks to the good folks there for including my presentation with CSS Shanghai colleague, Daniel Wang, on the realities of the Chinese security threat landscape. As with the rest of the world, China is experiencing a rise in malware and attacks from inside and outside the firewall.
From the UK we traveled to China for the XCon Security Conference in Beijing. We were delighted by the talent and the hospitality as we discovered new sights and new foods. We even explored the back rooms of a hot pot restaurant with friends and colleagues in Beijing. Bravo for a great security confabulation in China. Many thanks for inviting Microsoft to participate with a Windows 7 security overview by Chris Peterson, director of security assurance, Microsoft Trustworthy Computing (TwC).
I arrived back in Redmond just about the time a vulnerability was discovered by some of our friends in China. This resulted in the release of the out-of-band security update MS08-078 for Internet Explorer. Michael Howard has a great write-up on his blog that goes into fantastic detail about why this vulnerability was so tricky; it is another reminder that multiple layers of defense are critical. As with all security updates, MS08-078 is a free download with no check for Windows Genuine Advantage. As much as we like to release our updates on a predictable cycle, we like keeping our customers and partners protected from publicly known vulnerabilities even more.
Please take the time to install this update.
And now back to my own prediction. For 2009, it's not gloom and doom. I predict that in 2009, the security community will pull together like never before.
While we know that vulnerability counts are increasing and malicious actors aren’t going anywhere, we also know that we have trust and community in our security ecosystem. With this foundation and awareness, we can work together, as a community of defenders, to limit our exposure and to discuss our options. Small first steps include decreasing overall risk by deploying security updates in a timely manner, raising awareness, applying defense-in-depth mitigations so that a single bypassed control does not mean compromise, and combining all of this with meaningful technical information exchanges.
As the threats increase across the board, now more than ever, the Microsoft EcoStrat team is working to build and leverage our coalition of defenders. Microsoft has proven time and time again the economic argument that it costs less to get security right the first time than to fix it later. In the MSRC, we see the cost to teams and to the company when we have to ship a fix to hundreds of millions of users. We want to help others learn from our experiences.
Together, researchers, protection providers and governments are realizing that we are safer because we collectively know more, talk more and trust more. We are participating in multi-vendor solutions and collective initiatives to unite and educate our security communities, while actively listening to our partners in the ecosystem.
Here’s to a great 2009 and striving together to predict, to prevent, to protect.
Have you seen the BlueHat SDL content up on TechNet? Dennis Fisher, from TechTarget, says to “Think of it as the technical equivalent of those free online courses from MIT.”
Reality Check! More SDL goodness: our own Steve Lipner was interviewed on Gary McGraw’s “Reality Check Security Podcast Series.”
Upcoming: look for more ‘stories from the front lines’ from our TwC brothers and sisters who also travel to security conferences in the name of TwC Security.
Upcoming: tool release! Stay tuned for more information from CanSecWest Vancouver 2009.