IRL: TwC Security All-Star Guest Bloggers
Likes: Security, Vulnerability Research & Science, Defense and Responsible Disclosure
Dislikes: 0-day, FUD
Marhaban! Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.
There is a saying that "every word in Arabic either means itself, its opposite, or a camel." Working in the information security industry, I often use this to illustrate to my clients how a piece of code that one person considers a vulnerability, can very well be seen as valid functionality by another. As such, my Microsoft colleagues and I were very interested in learning more about other Arabic sayings that could be applied to the information security industry as a whole.
Hack in the Box is a twice-annual conference, taking place in Dubai, UAE during April, and somewhat later in the year in Kuala Lumpur, Malaysia. Given our past experiences with the value of the talks at the conference, Microsoft was a Titanium sponsor of this event.
The Dubai conference is more intimate than the Malaysia one, but that is exactly what makes it a great way for local information security professionals to network and learn more about cutting edge security research that is taking place all across the world. Presenters ventured from as far as Indonesia, the United States, and Germany.
At Microsoft, I think we can safely admit that in order to pioneer security efforts, we were forced to make every single mistake in the book and learn from it. When I started with the company, I was fascinated to see that we are in fact very good at learning. When we deal with an issue, we like to understand how we can resolve similar issues more effectively in the future. As such, we don’t just attend conferences to learn, but to start up a conversation – we are interested in sharing our own experiences as well as touching base with others.
Microsoft employees had two presentations lined up for this event. Mark Curphey, the director of Microsoft's Information Security Tools team, had a keynote presentation on security tools and technology for effective risk management. Mark focused on how most security tools and technology available to effectively manage risk can only be described as primitive in comparison to those used in most other areas of risk management, such as online gaming or healthcare. From my own experience as a security consultant, I can echo his finding that Microsoft Office Excel is often the most effective tool risk managers have at their disposal.
This is a gloomy situation, given the amount of risk most organizations are exposed to, but a broad sigh of relief was voiced by the audience when Mark clarified his team is working here at Microsoft on solving just that issue.
After Mark's talk, Ian Hellen from Microsoft's Security Assurance team and I spoke to several attendees who wanted to learn more about how M
icrosoft deals with application security issues. We understood from them that there is a lot of internal software development taking place in Dubai to support business processes, and many of the attendees asked questions about how they could make their own applications more secure. We talked to them about the Microsoft Security Development Lifecycle (SDL), which is our standardized approach to software security. If you have similar interests, you can read more about it here.
Billy Rios, one of our resident security engineers, delivered a fascinating presentation on the concept of trust relationships in Web applications, and more specifically how a disparity exists between the security models implemented in Web applications, and those implemented by the browsers that host those applications. In addition, he collaborated with Chris Evans from Google to share with the audience some of their experiences with cross-domain issues and practical man-in-the-middle attacks on SSL.
While there was too much content at the conference for me to discuss in depth here, I will mention some of the other highlights.
Roberto Preatoni from WabiSabiLabi, one of our guests at BlueHat 6, presented on cyber warfare. He refuted Marcus Ranum’s 2007 statement at HITB Malaysia that cyber warfare is an overrated issue, by calling out several examples of contemporary cyber war. He illustrated how it may not just affect nation-states but its conflicts of interest can affect industries and individual corporations as well.
Reverse engineers in the audience welcomed Sebastian Porst from Zynamics. He spoke about REIL, their Reverse Engineering Intermediate Language, and more specifically how it can be used to optimize static binary code analysis. They actually used one of our vulnerabilities, the Windows Server Service vulnerability patched in MS08-067 (read more about it here and here) to illustrate how their tool works. This was definitely a topic many of our own engineers are deeply interested in.
Another well received talk came from Wes Brown of IOActive. He provided a good primer on analyzing malicious code, and gave it a twist by describing how languages, Unicode, and even culture all make a difference and make the reverse engineer’s work just a wee bit more difficult.
At the end of the conference, Microsoft sponsored the sunset Post-Conference Reception, which allowed for more valuable networking opportunities.
Sometimes dealing with security incidents and vulnerabilities can feel like marching across a desert. Confidentiality is an unspoken requirement, and often you can only rely on your own senses, knowledge and intuition. It is a great thing that just like in Dubai, there are watering holes where we can come together and rely on each other implicitly, sharing information and improving the state of the art in our business. Thanks, Hack in the Box, for a great conference, and we’ll see you next time. Ma’a salama.
[Editor's note: check out the BlueHat Blog for another Microsoft perspective on HITB-Dubai]
*Postings are provided "AS IS" with no warranties, and confers no rights.*
Hey, Steve here. Just finally settling back in after traveling a bit, meeting up with different parts of the security ecosystem. It was good to get out and see firsthand events like CanSecWest, and most recently Black Hat Amsterdam where I met with security specialists in and around the EU. Now that I am back in the States, I have caught up on my reading. I came across this article about what the US Air Force did to ensure that every computer delivered to them was in a set and secure configuration. This is a great approach and, if you can do it, I highly recommend it because the alternative is to bolt on security at the end, and that is always costly and not fool-proof.
There is, however, a part of the article that is unclear. The article talks about how Microsoft was pressured into releasing special Windows XP versions for only the Air Force and government agencies. This is just not true.
Anyone can build their own “locked down” versions of Windows XP. They are available to anyone and everyone, not just government agencies or the Air Force. The security guidelines used as the basis of these configurations are publicly available as part of the Security Compliance Management Toolkit Series. By the way, I recently reviewed the section about securing Windows XP. These guides have been offered for some time and they are pretty good.
Regular home consumers and system administrators of enterprise IT shops can use these guides to help increase protections for themselves and their environment as part of a defense-in-depth strategy. If enterprise IT shops use these guides as a baseline for providing preconfigured workstations to their customers, or if they later configure the workstations via scripts or Group Policy Object (GPO)s to the secure baseline outlined in the guides, they would reduce a significant risk point to the enterprise by not introducing unsecure workstations to their secure environment.
A workstation can be adjusted or not adjusted depending on its use or need. This also helps with the task of configuration management as anything in the environment would be configured to an established, secure baseline that is current with security updates. Anything else is a deviation and should be segmented or investigated often to assess its security.
Another thought for Enterprise IT shops is that they use these publicly available guides to work with their procurement process, or directly with desktop hardware suppliers, to ensure that any workstation delivered or purchased comes preconfigured to this secure baseline. This saves time and worries for the IT staff because by following these guidelines, any machine joining a network is already in a semi-secure state. I say semi-secure because IT staffs would still need to ensure that the workstation has all the latest and greatest updates from Windows Update, or a corporate managed update provisioning server like WSUS..
By following these hardening guidelines, some of the security basics will be taken care of, like enforcing complex passwords by the operating system. This saves time and effort when trying to secure one's own systems. Every little bit does help.
As I said earlier, these security configuration guides are public and located here: Security Compliance Management Toolkit Series. We would love to hear feedback on the guides. You can contact the team that created them directly at firstname.lastname@example.org.
'Till next time,