Malware, botnets and cyber criminals often behave very differently in specific countries, and have different goals or intentions. In Asia, for instance, trojans often target passwords to online games or services, whereas in Brazil, banking trojans are a larger issue of concern. It’s helpful for us to learn about country-specific threats, so we can relay concerns back to our product teams that have the ability to battle them.
Photo caption: in the center, Mr. Kwangjin Park, Executive Vice President, Korea Internet & Security Agency (KISA); from left to right, Maarten Van Horenbeeck, Senior Program Manager, MSRC, and Mark McIntyre, Director, Government Security.
Earlier this month, our team was honored by a visit from a delegation of KISA, the Korea Internet & Security Agency. KISA is a government agency that concentrates its work in three areas: Internet promotion, Internet security, and promoting international cooperation in ICT and broadcasting. Their overarching goal is to make the Internet accessible, secure and useful to the people of Korea, as well as to promote broadcasting and communications technology and services.
Korea is a special country when it comes to Internet use. It has a highly sophisticated, Internet-aware population with very high usage rates. In addition, much of their Internet use is mobile, with smart phones offering access to a large set of the population.
During our discussions, Mr. Park and his team presented to us the specific issues they are concerned about, and introduced some of their techniques to protect Korean internet users. Given Korea’s widespread use of the Internet for both public and private services, they have a thorough understanding of the need for clean and safe access to the Internet.
In Korea, their team manages the e-call center 118. This service is a hotline that provides toll-free, 24-hour Internet-related response services. Essentially, their trained team helps any Korean with issues such as a compromised machine, computer viruses and malware, spam, infringement of a user’s privacy, or any question related to the use of the Internet. Wherever and whenever in Korea, a user can simply dial 118 on his or her phone and will be connected to a specialist to discuss the security issues he or she is experiencing. In addition, KISA operates a service that allows users to automatically forward spam to their team, which then investigates. Some years ago, Korea implemented stringent laws against spam, which they have the ability to enforce.
Microsoft has long recognized a need for expert assistance with security issues. Many years ago, we made a decision as well to support our customers for free regarding any malware issues, or problems during the deployment of security updates. In the US and Canada, this service is available by phone at 1-866-PCSAFETY. It is great to see this need acknowledged and to see KISA do this for Koreans at a national level.
From our end, we were happy to be able to provide KISA’s delegation with a briefing on how we are seeing many security issues in Asia, and Korea in particular, evolve. In particular, a lot of time was spent discussing how to combat malicious code and Distributed Denial of Service (DDoS) attacks, which is a common concern to Korea. In addition, we discussed Microsoft’s ability to share guidance and technical information to work together with KISA to further promote safe and secure internet access to Koreans.
감사합니다, Maarten
*Postings are provided "AS IS," with no warranties, and conferring no rights.*
BlueHat v10 is on the horizon and I’m happy to be able to announce the lineup. This year we’ll be hosting our annual conference on October 13-15 at the Microsoft campus here in Redmond and, with the success of last year’s con, we’re working overtime to make it the most robust, top-notch BlueHat yet. As always, we'll interlace talks from internal and external security subject matter experts. This year our themes include fuzzing, predators of the security ecosystem, next-generation infrastructure, risks associated with mobile technologies, and the web browser landscape.
We start this year with the BlueHat Executive Sessions on October 13, which offer condensed versions of select presentations delivered in a deeply technical style to Microsoft vice presidents, general managers, senior managers and chief security advisors. In conjunction with these Executive Sessions, this year we’re hosting the BlueHat Fuzzing Summit, a full day of content focusing on fuzzing tools and methods presented for and by our fuzzing SMEs. The following two days, October 14-15, feature the BlueHat General Sessions for our larger Microsoft IT pro and developer populations. As with each BlueHat in Redmond, our primary goal is to educate our own Microsoft residents to better understand how to build more secure products. The more we know about the realities of the security ecosystem, the better we can assess our own security realities.
As with past BlueHats, for which we’ve archived select content and provided access to the masses online, BlueHat v10 will keep this information sharing alive and well for those who cannot attend in person. We will also be providing the usual anecdotes and blog posts from current and past BlueHat speakers for your viewing pleasure, so keep an eye out on the BlueHat and EcoStrat Blogs for future updates!
Here’s a brief overview of the general sessions, which we’re calling BlueHat v10: A Security Odyssey. Full details will be available on the BlueHat TechNet site within the week.
October 14, 2010
Morning Block: Predators of the Security Ecosystem
Blasting us off on our security odyssey, Colonel Sebastian M. Convertino II will dive into the topic of computer and information security and discuss his role developing the full spectrum of the Air Force’s cyber warfare capabilities. BlueHat alumnus Ian Amit will then lead us on a cyberspace walk through CyberCrime and CyberWarfare and map out the key players in each in Cyber[Crime|War] - connecting the dots. The Cold War may be over, but Fyodor Yarochkin will show us how many secrets cyber-Sputnik sees in From Russia with…an insight on intelligence analysis of Eastern hacker culture. After we tune our mission control systems to listen across the many sub-cyberspace frequencies for threats, we'll shift gears and hear from our very own "Houston" who responds when "we have a problem." MSRC's Dustin Childs will do a deep-space dive into some actual MSRC case studies in Behind the Curtain of 2nd Tuesdays: Challenges in Software Security Response. In Nine Trends Affecting the Future of Exploitation, John Lambert will close out the track with the exploitation trends that will shape attacks, and therefore defense, over the next decade, showing us what we as a security species must do to evolve, survive, and thrive. We are only dipping our toes at the shore of a cosmic security ocean, and the water looks inviting…
Afternoon Block: Next Generation
Our Next Generation track kicks off with cyber-cosmonaut Dan Kaminsky, who will give us a peek into his Unified Theory of DNS Security. In another galaxy, not so far, far away, Matthieu Suiche will then introduce his MoonSols Windows Memory Toolkit in The Blue screen of death is dead. Matthieu will demonstrate how to get a crash dump of a running VM without causing a reboot or BSOD, a far cry from the blunt tools of security eons past. Vincenzo Iozzo, Tim Kornau, and Ralf-Philipp Weinmann will reprise their Black Hat USA talk, Everybody be cool this is a ROPpery, and show us how return-oriented programming, an advanced exploitation technique, is used to bypass most of our platform mitigations. That is, until Fermin J. Serna and Andrew Roths assure us that "our shields are indeed still up, Captain!" with the Enhanced Mitigation Experience Toolkit talk, showing how EMET's new features can actually defeat current attacks, such as ROP. Closing our Next Generation track, Grant Bugher will tour the upper stratosphere in Defensive Cloud Application Development, which will address the dual-sided coin of attacking cloud-based systems and security engineering for cloud application deployments. By the time this track wraps up, you will have mastered those anti-gravity boots required for high altitudes!
October 15, 2010
Morning Block: Risks Associated with Mobile Technologies
Having thoroughly recovered from your mind being blown by the incomprehensible vastness of space and "the cloud" from Day 1, we will then take you from the infinite to the infinitesimal in our last block covering mobile technologies. While technology hasn't quite gotten home computers down to atomic sizes, our current mobile technologies are putting more and more powerful machines into smaller and smaller packages. These micro machines puncture any semblance we ever had of a "perimeter," and they contain some of our most sensitive information. Mike Howard, first mate of the starship SDL, leads us through the perilous asteroid belt of mobile security in his keynote talk. Our own Geir Olsen will go deep on the key challenges that the mobile security model tackles and how its provisions work together in practice to enable trustworthy mobile computing in the Windows Phone 7 Security talk. Charlie Miller will be our mobile security Carl Sagan, guiding us deeper in our exploration of mobile security space by addressing what makes mobile exploit payloads unique in A Brief History of Attacks against iOS and Android. Next up, the out-of-this-orbit trio of Thomas "Halvar Flake" Dullien, Tim Kornau, and Ralf-Philipp Weinmann will converse with us in the language of the universe, mathematics, to demonstrate a framework of algorithms capable of locating a Turing-complete gadget set in A Framework for Automated Architecture-Independent Gadget Search.
Afternoon Block: The Web Browser Landscape
The browser is a lens through which we view the Web, and in many cases, the cloud. Pointing out where our lens is as warped as the first Hubble mirror, renowned Web security expert Jeremiah Grossman will demonstrate how browsers can be broken and used maliciously in Browser Hacks, Design Flaws, & Opt-In Security. Robert "RSnake" Hansen will remind us of our primitive human traits (of ingenuity and adaptability) by challenging us to design secure browsers for a hostile world (despite complex browser, OS, and network interoperability requirements) in The mixed blessing of browser security. Microsoft's own Mike Andrews and Brian Christian will then close out the block and give us an insiders' perspective on how we are evolving ever further to protect the search experience in Bing through malicious traffic detection in How Bing Protects Itself. What happens when Bing gets so intelligent it can tell the difference between a real user and an attack? You will have to see it to find out.
Looking forward to blast off as always,
- Celene
While MSVR’s core mission has stayed the same, in the two years since the program’s inception, the program has grown to take on other challenges as they’ve presented themselves. We’ve done so both because those challenges needed to be addressed and because the coordinated nature of MSVR was the best tool for the job. Some examples of those challenges include MSVR’s role in coordinating several large-scale cross-industry vulnerabilities identified by other external security researchers, such as the DNS Rebinding issue disclosed in 2009 by Dan Kaminsky. Microsoft and MSVR also faced a unique situation in coordinating the remediation of a vulnerability in Microsoft’s own code that affected vendors across the ecosystem as a result of the ATL Killbit Bypass vulnerability discovered by Ryan Smith and David Dewey.
MSVR has also assisted in reporting to vendors instances of zero-day attacks against their products, which were discovered as a result of the telemetry and other threat-detection resources built into the fabric of the MSRC’s response process. MSVR is not intended to serve as a CERT entity; however, we felt leveraging MSVR for these cases was imperative because a vulnerability affected code in both Microsoft and other vendor products.
So what have we learned? For starters, the security maturity of vendors across the ecosystem varies wildly, as you might expect. Sometimes just finding the right organizational entity or person inside a major corporation to report a vulnerability to can be the toughest part of the mission. In other instances, MSVR has had to take on the role not just of vulnerability reporter but also of response educator, as vendors were unaware or unsure of the best ways to communicate the information their customers needed about the vulnerability in their product. On more than one occasion, we encountered statements and questions similar to “what should we put in an Advisory?” -- or, even more challenging, the assertion that “we do not believe this issue warrants an Advisory or public release.” That second response in particular requires MSVR to painstakingly walk the vendor through why notifying customers is important. Touchy work, but worthwhile.
(Interestingly, in the last two years, it has become clear that nothing serves better as the universal vulnerability translator than calc.exe. Sometimes all the man-hours and time spent packaging up what appears to be a cohesive and solid vulnerability report to a vendor devolves to utter exasperation when the response received is “Not a vulnerability”… that is, until the follow-up response from MSVR is the PoC needed to pop calc. Shortly thereafter, it seems like we are suddenly cooking with gas in the MSVR-to-vendor conversation.)
We have also learned that engineering processes across the ecosystem are unique to each company, and each comes with its own challenges that can make engineering a fix complex. Consequently, the timelines vendors require to engineer a fix are unique to each vendor and each product if they are to get it right. To put it more bluntly, a universal time-to-fix mandate from MSVR (or any other vendor) is just not realistic. The speed with which the vendor of a cloud service offering can move to address a cross-site scripting vulnerability doesn’t compare to the time required to address a vulnerability in client-side code in a more traditional boxed product. This statement still holds true even when the same vendor is responsible for both the boxed and the cloud versions of a vulnerable product.
Finally, it has become clear to us that sharing hard data with vendors about the risk posed to our mutual customers can be key to getting traction. Throughout the last year we have leveraged the MSRC’s telemetry-gathering capabilities, both internal to Microsoft and via our MAPP partnerships, to help provide clarity to vendors during situations in which we believed our mutual customers to be at real risk from zero-day vulnerabilities of which they may not have been aware. This has required us to communicate clear and validated data that vendors could use to better prioritize and expedite their engineering processes relative to the trade-offs that they have to make.
It has definitely been a wild ride over the last two years – interesting times indeed. Along the way, we’ve tackled many of the same problems that security researchers face when reporting vulnerabilities to vendors, and we’ve learned valuable lessons that will not only continue to make MSVR better, but that we can also channel back to our colleagues in the MSRC. We’ve forged stronger relationships with other security response teams and vendors throughout the ecosystem, as well as with the talented security researchers both inside and outside of Microsoft.
We’re thankful to all of the researchers and MSVR partners, such as MMPC and various MAPP participants, who have chosen to work with us and provided us with needed assistance when called upon. The next two years will hold even bigger challenges and bigger opportunities for MSVR, and it will also come with challenges I am sure I cannot begin to conceive of yet. Interested? I definitely encourage you to check out the whitepaper. And if you’re here at Black Hat drop by the Microsoft booth and let’s talk.
Adrian Stone
Today on the MSRC blog, Matt Thomlinson, General Manager of Trustworthy Computing Security, announced our new philosophy on Coordinated Vulnerability Disclosure. I wanted to provide some context and history on how this came about. This post is about changing the way we at Microsoft talk about some familiar disclosure concepts, and is meant as an introduction to how Microsoft would like to engage with researchers. We’re opening up a dialogue with the community here, and we welcome your feedback.
Responsible Disclosure (RD), Full Disclosure (FD) -- everybody has an opinion, and each believes that their way is the best way to keep users safe. For background, one general definition of RD as most vendors define it is that the issue is reported privately to the vendor *and no one else* until the vendor issues a patch. In contrast, proponents of FD provide all vulnerability details to everyone at the same time, a move designed to make vendors provide updates faster.
Needless to say, most vendors including Microsoft are in favor of RD, while finders fall across the spectrum from FD to RD. Ultimately, we are all part of a virtual security team with the common goal of making the Internet safer and protecting the people using it – it’s good to remind everyone that we’re on the same team, and we should keep the dialogue open, even when we disagree.
The term Coordinated Vulnerability Disclosure was first introduced to me by Jake Kouns of OpenSecurityFoundation.org, when we spoke at great length after I was on a panel at RSA on Responsible Disclosure. WeldPond (AKA Chris Wysopal, CTO of Veracode) recently tweeted: “We need to start calling working with the vendor ‘Coordinated Disclosure.’ I agree that "Responsible" is too loaded.”
The concept of making the name more descriptive makes perfect sense to me, since the term “responsible” can be subjective to so many. Even the ISO draft standard that was originally titled “Responsible Vulnerability Disclosure” is now called “Vulnerability Disclosure,” signaling that researchers, vendors, and (gasp!) even policy makers agree that the old term is more subjective.
The intention of RD was that it be a fair way to negotiate between researchers and vendors around vulnerability reporting and resolution. However, that has resulted in much debate between vendors and finders. So, how do we move past this debate towards providing a better solution?
Responsible Disclosure should be deprecated in favor of something focused on getting the job done, which is to improve security and to protect users and systems. As such, Microsoft is asking researchers to work with us under Coordinated Vulnerability Disclosure, which adds some coordinated public disclosure possibilities before a vendor-supplied patch is available when active attacks are underway. It uses the trigger of attacks in the wild to switch modes, an event that is objectively observable by many independent sources.
Make no mistake about it, CVD is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild. That said, what’s critical in the reframing is the heightened role coordination and shared responsibility play in the nature and accepted practice of vulnerability disclosure. This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge.
Here are the simple tenets of Coordinated Vulnerability Disclosure as we envision them.
Step 1: Keep it Private, Keep it Safe
● Reporting: Report the issue to the vendor, or to a CERT-CC or some other coordinator you trust who will report to the vendor privately, or sell it to a service that will.
● Communication and timelines: Under CVD, just the same as in RD, finders and vendors should try to agree to a timeframe for fixing the issue. Complex cases may take longer to fix, and Microsoft will be as transparent about our investigation with finders as we can be, to let them know where we are in the investigation and resolution process. We appreciate finders being flexible when we share information with them about why a fix may take longer than the finder thinks it should.
● Status updates: Also as in traditional Responsible Disclosure, under CVD Microsoft will provide timely updates and target dates for resolution so that a finder is aware of the case status.
● Alternative to FD when a vendor is not responding at all: In some circumstances, a vendor may be unwilling or unable to respond to a vulnerability report, which is what advance security advisories are for – advisories published with limited details and no Proof of Concept, plus mitigations and workarounds. Finders can try that before resorting to publishing full details if they can. Some vulns won’t lend themselves easily to this method, but the point is to try.
Step 2: Hurry Up and Wait
Vendors and many finders know there has to be a balance between speed and quality. For Microsoft, even a 1% test failure rate could affect millions of our customers, so we take testing for functionality impact as seriously as we do the testing to make sure the update comprehensively addresses the vulnerability.
Ideally, both vendors and finders should work diligently to find a solution that will keep customers safe. If finders are only interested in working on the attack, that’s ok too, as long as they give the vendor a chance to do their investigation, engineering and testing.
Working together on the update, sharing ideas, and testing each other’s ideas is sensible.
Step 3: Coordinated Public Disclosure
Coordinated public release happens, ideally, when the vendor releases the update. In the case of publicly verifiable active attacks, details may be released prior to an update being released, with emphasis on giving details to protection providers.
For finders who still believe that Full Disclosure is the best way to protect users, we respectfully disagree, but we still want to work with you if you’re willing. We’d encourage folks who support FD to still contact us, as we can then attempt to coordinate release of information with protections that are available. Of course, we still don’t think this is the best method, because the vast majority of customers will only be protected with an update – but we believe that even this level of coordination is definitely better than none at all.
For example, CVD is how we will now handle things when we’re the finders. When Microsoft finders discover issues in third-party products, they can use the Microsoft Vulnerability Research Program (MSVR) to report the issues to the vendor. If attacks start in the wild, we may potentially release vulnerability details through the Microsoft Active Protections Program (MAPP) to AV/IDS/IPS providers, or issue a third-party killbit in the case of vulnerable ActiveX controls. We would in all cases coordinate with the affected vendor whenever possible.
So that is Coordinated Vulnerability Disclosure in a nutshell - a renaming of Responsible Disclosure that provides expectations and a process for Microsoft and researchers to work together without either party clouding the discussion with a term that is easily misinterpreted, even in cases where disclosure philosophies may not be entirely in sync. We even want to work with Full Disclosure proponents whenever possible to arm protection providers ahead of attackers.
Not all roles in disclosure have been covered here, so stay tuned for more as we gather feedback from the community. I would like to thank the following people and organizations for their review on this concept, and I welcome further comments on this by the community, including researchers, vendors, coordinators, and users.
- Katie Moussouris
Jake Kouns, Open Security Foundation
Steve Christey, CVE Editor, MITRE
Avishai Avivi, Juniper Networks
Bruce Monroe, Intel PSIRT
Pete Allor
Toshio Miyachi, JPCERT Coordination Center
Brian Martin, Tenable Network Security
Art Manion, CERT Coordination Center
Damir Rajnovic (Gaus), Cisco
Dan Kaminsky, Chief Scientist, Recursion Ventures
Mike Caudill, Cisco PSIRT
Jeremiah Grossman, WhiteHat Security
Jayson Jean, iDefense-VeriSign
Ryan Permeh, McAfee
Cassio Goldschmidt, Symantec
Arturo ‘Buanzo’ Busleiman, Buanzo Consulting / ArCERT and ONTI Security Advisor
Andy Steingruebl, PayPal
Dino Dai Zovi, Independent Security Researcher, Trail of Bits
Chris Wysopal, CTO Veracode
G'day Mate!
I have always wanted to say that. I am here at the AusCERT 2010 conference on the beautiful Gold Coast, Australia. I am here with my fellow EcoStrat colleague Karl Hanmore presenting our talk on “Engagement between National/Government CERTs and the vendor community; benefits and challenges”. This talk is going to highlight some of our experiences engaging and collaborating on multiple levels with governments around the globe. We are also going to talk about some key ideas and frameworks that can make the collaboration process between governments and vendors more effective. We are also announcing some pilot programs for governments that we hope will help push the collaboration efforts to the next level with regard to the level of information shared.
In dealing with governments around the world, the same questions seem to come out in conversations:
We here at Microsoft understand that most governments are placed in unique positions when it comes to dealing with vulnerabilities within technologies. On one hand, governments have the responsibility to protect their critical infrastructure and government assets from vulnerability attacks. Some of these critical infrastructures are so important to people's lives that any disruption would cause a negative impact that would be felt widely. On the other hand, governments serve as the entity to coordinate defensive actions between both private and public sectors to ensure that their constituents are protected as much as possible from computer based attacks. In order to do both of these roles effectively, they need access to critical information as early as possible to assess, plan and execute actions to protect people.
Looking at past Internet-based attacks, the trends point to an increase in complex, multi-dimensional computer attacks. We believe that governments will see increased demands for swifter responses to vulnerabilities that threaten public assets. The need for information to aid in quicker and more thorough risk assessments will be paramount. However, the need to provide this information in a structured, repeatable and secure manner will be the key to success. So we are looking to use some of our well-established, government-focused programs, such as the Security Cooperation Program (SCP), to aid in providing two new pilot programs aimed at helping governments. Microsoft is moving ahead with the offering of two programs aimed at sharing key technical information on Microsoft vulnerabilities and strategies to aid in securing critical infrastructure:
In the long run, Microsoft hopes that through these pilot programs we can gain valuable insight on ways to improve our collaboration efforts to aid in protecting the greater ecosystem at large.
That’s all from “down under”
Steve
As a follow on to the WGA and Security Updates post by Dustin Childs, I wanted to address another common question we get regarding both security and non-security updates that customers receive from Microsoft through Windows Update or Microsoft Update. Customers sometimes feel that somehow the settings they chose in the update console have been changed. Most commonly, customers who have set the client to notify them before installing updates are now getting updates automatically without prompting.
Before I go into details, I want to take a second to describe the differences between Windows Update (WU), Microsoft Update (MU) and Automatic Updates (AU). Windows Update was first developed to provide updates for Windows operating systems. Later, we introduced Microsoft Update to add the ability to offer updates for other Microsoft products such as Office and Windows Live. Automatic Updates is a feature that allows you to configure your computer to automatically download and install updates from either service. For more information, please see the Windows Update FAQ.
So, does Microsoft change your Automatic Update settings? No. Your settings are not changed by Microsoft unless you consent to do so.
The Windows Update team has seen this question several times and has blogged about it in the past. The team identified the following scenarios where your AU settings can be changed. Note that all of them require some action from you:
In addition, third-party products may change AU settings when installed, though this not a common practice. In some cases malware may attempt to change settings or block WU/MU entirely.
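The scenarios above all change the same Automatic Updates settings, so a quick way to answer "did my settings change without me?" is to look at where those settings live and at whether anything is blocking the update services. The PowerShell script below is an added example and not part of the original post or of any Microsoft tool; the registry paths and the meaning of the AUOptions values follow the Windows Update documentation as I know it, and the list of update-service hostnames checked in the hosts file is a constructed sample.

```powershell
# Added example (not from the original post): show where Automatic Updates (AU)
# settings live and flag signs that something other than the user changed them.
# Registry paths and AUOptions meanings are taken from Windows Update documentation;
# the hosts-file hostname list below is a constructed sample of update-service names.

# Policy key: written by Group Policy or by third-party management tools; it wins
# over the user's own choice in the Automatic Updates control panel.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
# Local key: the user's own choice from the Automatic Updates control panel.
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

$auOptionNames = @{
    1 = 'Never check for updates'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install on a schedule'
    5 = 'Let the local administrator choose the setting'
}

function Get-AUSetting {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        Path         = $Path
        NoAutoUpdate = $item.NoAutoUpdate
        AUOptions    = $item.AUOptions
        Meaning      = if ($item.AUOptions) { $auOptionNames[[int]$item.AUOptions] } else { '(not set)' }
    }
}

Write-Host '== Automatic Updates configuration =='
$policy = Get-AUSetting $policyKey
$local  = Get-AUSetting $localKey
if ($policy) {
    Write-Host 'Policy setting (Group Policy or a management/third-party tool) overrides the user setting:'
    $policy | Format-List
}
if ($local) {
    Write-Host 'Local (user-chosen) setting:'
    $local | Format-List
}
if ($policy -and $policy.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic Updates are disabled by policy, not by the user.'
}

Write-Host '== hosts file entries for update services =='
# A clean hosts file has no entries for the update services; an entry that maps
# one of these names to a loopback or bogus address blocks WU/MU entirely, which
# is one of the ways malware interferes with updates.
$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$updateHosts = @('windowsupdate.microsoft.com', 'update.microsoft.com', 'download.windowsupdate.com')
$suspicious  = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' } |
    Where-Object { $line = $_; $updateHosts | Where-Object { $line -match [regex]::Escape($_) } }
if ($suspicious) {
    Write-Warning 'hosts file contains entries for update services; investigate before trusting WU/MU:'
    $suspicious | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No update-service entries in the hosts file.'
}
```

Run it from an elevated PowerShell prompt. A populated policy key on a machine that is not domain-joined and has no management agent installed is the first thing to ask about, since the user never writes that key through the Automatic Updates control panel.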
We always recommend that you configure your systems to receive Automatic Updates to ensure that you have the latest security and reliability updates for your Microsoft software. If you believe that your settings have changed without your consent or possibly due to malware on the system, please contact the Microsoft Customer Service & Support team for assistance.
Thanks!
Jerry Bryant
Hey Everyone,
As I’m sure you are all well aware by now, the second installment of the BlueHat Security Forum: Buenos Aires, Argentina Edition shipped on March 18, 2010, and was a resounding success. For those of you first hearing about this BlueHat Forum, the event itself was an exclusive, invitation-only gathering of 100 select business decision-makers and security researchers from across Latin America.
The BlueHat Security Forum events are a separate entity from the BlueHat Security Briefings you will find in Redmond. Whereas the goal of the BlueHat Security Briefings is to educate our own FTEs on emerging threats by inviting a targeted mix of the external security community to participate as presenters and active attendees, the mission behind the BlueHat Security Forum events is to pair Business Decision Makers (BDMs) with the local responsible finder community as a means to build relationships in the region. So where the Redmond events are about bringing the security community to our Microsoft developers and security teams, the Forum events bring the BlueHat ideals into the regional hotbeds we’re seeking to legitimize, by connecting the local security communities to one another. Make sense? Cool.
As Mike mentioned live from the event, we managed to successfully align with the local subsidiaries by partnering with Microsoft’s Security Week (a TwC week-long event seeking to increase Security and Privacy perception; every day of the week has a different audience target). Our agenda featured lively presentations on the latest developments in information security from Microsoft leaders and external security researcher luminaries. NSAT scores and attendee testimonials were truly phenomenal, so we are not really sure how we can go up from here, which is a good problem to have! Check them out:
NSAT scores (survey statement: score)
The BlueHat Security Forum allows me to build a valued relationship with Microsoft: 193
The information discussed in this meeting will contribute to my company’s future technology plan: 178
My relationship with Microsoft has improved or been strengthened as a result of the BlueHat Security Forum: 189
Considering all aspects, I am satisfied with this BlueHat Security Forum meeting: 194
Attendee testimonials:
· The BlueHat forum in Buenos Aires was a very interesting event, with many good talks, and it gave me the opportunity to meet/see again/exchange ideas with interesting people: the organizers of ekoparty (Argentina), H2HC (Brazil) and of course the staff from MSRC (in particular Damian Hasse). – Carlos Sarruate, CORElabs
· Very interesting topics; very interesting audience. Bring BlueHat to more places outside the US. – Anchises de Paula, iDefense
· Do it for 2 days! – Domingo Montanaro, iSight
· Create more BlueHats in other locations (like Brazil) and increase the frequency! – Rodrigo Rubira Branco, H2HC Conference Co-founder
· My objectives were to learn, interact, and talk to participants… I succeeded on these goals. – Celso Hirata, ITA
· The BlueHat Forum in Buenos Aires last week showed not only how important, but also how strong, the security community in Latin America is, especially in Argentina.
Bringing people from other countries in Latam and places all over the world is huge, not only for exposing these people to what's happening in their region, but for allowing them to see and meet people who live in a different security reality, yet one so similar to us all.
On the flip side, these same key people from the ecosystem had the opportunity to see how strong and well established the security community is in Latin America.
The way the conference was structured was key to accomplishing what many people have been trying to do for a while, which is to close the gap between all parties involved with information security.
As I mentioned before in the brief blog post during the conference, I hope this is the first of many BlueHat events in Latam. Keep up the good work! – Luiz Eduardo, yStS Conference Co-founder
Thanks to the village that made this happen. We plan to replicate this formula every spring in conjunction with the Fall BlueHat Security Briefings in Redmond from here on out.
Cheers,
Celene
CanSecWest is a laid-back conference – with only one track, every attendee can see every presentation. In addition, it’s well known for the Pwn2Own competition, a yearly hacker standoff in which researchers get their shot at compromising devices equipped with the latest in Web browsers and operating system security mitigations. If the attacker is able to pwn (“perfect own”) the machine, they win a cash prize and a new device to take home.
This year had a special focus on mobile devices, with most of the prize money allotted to that category. Vincenzo Iozzo and Ralf Weinmann each left the competition with a brand new Apple iPhone. Even multiple problems with airport strikes and construction couldn't keep Vincenzo away.
Charlie Miller proved himself to be a true "Michael Jordan" showing up at his very own slam dunk contest by pwning a fully patched installation of Safari on a MacBook Pro. Microsoft also did not escape unscathed. Peter Vreugdenhil came, saw, and then gave our team homework by unleashing an exploit that tipped over Internet Explorer 8 on Windows 7. Kudos to Peter, and thank you for making us aware of this issue privately. We are investigating the issue and we will take appropriate steps to protect customers when the investigation is complete.
After he was finished with the Pwn2Own contest, Charlie Miller gave a great talk on the results of his extensive fuzzing. Interestingly, the fuzzer he built used only five lines of Python code. After three weeks of fuzzing, he had identified a couple dozen potentially exploitable bugs in different applications. Just imagine if he had used seven lines of code in his fuzzer...
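The talk is summarized above but the fuzzer itself is not shown. As an added illustration (this is not Charlie Miller’s code, nor anything from Microsoft or the page), here is a dumb mutation fuzzer in the same spirit, run in-process against a constructed toy record parser so it can be tried offline. The record format, `parse_records`, `mutate` and `fuzz` are all assumptions made for this example; the point it demonstrates is how little code it takes to flip random bytes in a valid seed file, feed each variant to a parser, and keep one reproducer per distinct failure site.

```python
import random
import struct
import traceback

# Constructed sample format (hypothetical, for this example only):
#   count (1 byte), then `count` records, each a 2-byte big-endian length
#   followed by that many payload bytes.
SEED_INPUT = (bytes([2])
              + struct.pack(">H", 3) + b"abc"
              + struct.pack(">H", 1) + b"z")


def parse_records(data: bytes) -> list:
    """Toy parser under test. It trusts the count and length fields, so a
    malformed input makes struct.unpack_from raise instead of failing cleanly;
    that unhandled exception is what the fuzzer records as a crash."""
    count = data[0]
    offset = 1
    records = []
    for _ in range(count):
        (length,) = struct.unpack_from(">H", data, offset)
        offset += 2
        records.append(bytes(data[offset:offset + length]))
        offset += length
    return records


def mutate(seed_input: bytes, rng: random.Random, max_flips: int = 4) -> bytes:
    """Dumb mutation: overwrite a few randomly chosen bytes with random values."""
    buf = bytearray(seed_input)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 500, seed: int = 1) -> dict:
    """Run `target` on mutated inputs and return one reproducer per distinct
    (exception type, source line), so one bug is not reported hundreds of times."""
    rng = random.Random(seed)          # fixed seed: every run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except Exception as exc:       # a real harness would run a subprocess and catch signals too
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            crashes.setdefault(key, case)
    return crashes


if __name__ == "__main__":
    for (name, line), case in fuzz(parse_records, SEED_INPUT).items():
        print(f"{name} at line {line}: reproducer {case.hex()}")
```

Against a real file parser the target call becomes a subprocess launch with a timeout, and a crash is a signal or a non-zero exit rather than a Python exception; the mutation loop and the deduplication by failure site stay the same.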
Matthieu Suiche gave another great presentation on analyzing Mac OS X physical memory. All of us battling the post-lunch fatigue immediately perked up when he began his demo and ended with plain-text passwords.
Tavis Ormandy and Julien Tinnes from Google played around with the Linux and Windows kernels in their talk, organizing a party at ring 0. Luckily, we had been invited a while back, and we’re happy to say Microsoft customers are currently protected against each of the attacks they presented.
Another fascinating talk was delivered by Halvar Flake and Sebastian Porst from Germany. These Zynamics Care Bears introduced a plug-in for their products which allows investigators to crowd-source reverse engineering, helping to put defenders on better footing when dealing with new pieces of malicious code. This is a great effort and we look forward to seeing others build on the work they are putting in place today. Too bad they couldn't find a full-size Care Bear outfit.
Our Office team also attended. Tom Gallagher and David Conger gave a great presentation on how they dealt with Office-specific vulnerabilities. Their work includes a sandbox for less-trusted documents and a validator for any content loaded into the parser; it was a great talk for anyone intending to protect word processing applications and other office productivity tools.
The conference dinner on Thursday night was also a great time to get to know people. What we first thought was a bomb scare actually ended up just being a horrible comedian on stage. But once that was done, there were a lot of great conversations to be had with people from all over the world throughout the industry. It is always helpful to get feedback from our customers as to what we are doing right and what could be improved.
As usual, we spent a lot of time talking to our partners in the research community, and we’d like to thank Dragos for setting up another great CanSecWest. See you next year, Vancouver!
Cheers, Maarten and Dustin
We have nearly 100 attendees with us here today from across Latin America. Countries including Brazil, Argentina, Mexico and Peru are represented. Attendees span local and regional business and industry, government, academia, CERTs and security researcher communities. The thematic focus will range from e-crime attacks, the vulnerability economy and the regional threat landscape, cloud security, mobile security, embedded devices, social networks and the web 2.0 community, and last but surely not least, the Microsoft Security Response Center processes and integration of a Security Development Lifecycle. To learn about the presenters taking the podium today, check out Celene’s announcement post for a deeper look.
In our continued efforts to evolve BlueHat and keep content innovative and relevant, we’ve taken an idea from our friends at H2HC and kicked off our event by hosting a panel entitled “Hackers and you”. We have invited Ivan Arce, co-founder of Core Security Technologies; Rodrigo Rubira Branco, Hacker to Hacker Conference (H2HC) organizer; local security researcher and previous BlueHat speaker, Manuel Caballero; You Sh0t the Sheriff (YSTS) conference organizer, Luiz Eduardo; Felix ‘FX’ Lindner, head of Recurity Labs and of PH-Neutral fame; Damian Hasse, Principal Security Development Manager of the MSRC/MSEC; and Nico Waisman of Immunity to contribute their thoughts around the term “hacker” – what it means to be one, how it differs throughout regions, and how to keep “hackers” part of an effective enterprise security team. The panel was moderated by our own Andrew Cushman, senior director of Trustworthy Computing at Microsoft, and offered a variety of unique insights. There was a ton of good commentary. Rodrigo mentioned how the security researcher community really drove broad awareness and vendor responsiveness. FX spoke about how understanding a system is the best way to build a strong defense and highlighted approaches such as the Elevation of Privilege (EoP) card game produced by our SDL team. From the MSRC perspective, Damian shared how he’s made an effort to keep an active “hacker mindset” as part of an effective security team within Microsoft. Ivan closed the commentary by highlighting how BlueHat provides a platform for seemingly disparate groups of attendees to effectively engage where they may not otherwise have the opportunity to do so through typical formal communication methods. He encouraged all attendees to look to their neighbors in the audience and take advantage of such experiences to seize and create strategic, mutually beneficial opportunities.
We have strategically partnered with Security Week, a Microsoft hosted event put on by the local Microsoft office in the region. This partnership allows us to bring security and privacy information to local IT Pros, BDMs and Policy Makers. So far this Security Week Buenos Aires installment has reached more than 500 people, providing over 40 presentations throughout the course of the week.
If you haven’t seen the recent posts by BlueHat Security Forum members, check out Manuel Caballero and FX’s insights and stay tuned for future updates. Nothing like bringing the legitimate security space of Latin America together and creating a melting pot of new ideas and relationship-bridging! This might even beat the lomo!
- Mike
RSA got its name from the very roots of what protects our data on the Internet. Rivest, Shamir and Adleman are a trio of cryptographers whose findings still underpin the vast majority of today's Internet and e-commerce transactions. Their public-key RSA algorithm is used to protect just about any information that is transferred securely across the Internet. It is one of the most widely used public key algorithms and applies in those cases where you don’t have the ability to exchange a unique password with every party you wish to communicate with in advance.
It is no surprise, then, that RSA started 19 years ago as an event that focused heavily on cryptography. Over the years, it gradually changed, and today it is much wider in scope, with an especially remarkable vendor area. While this is not the place where we run into most of the security researchers we work with on a daily basis, it is a great venue to learn what is happening on the vendor end of things.
Talks at RSA can be divided into two categories: massive keynotes that attract a large audience and discuss some of the bigger topics of the day, and smaller breakout sessions that cover very specific issues and can be as technical as those at most of the more technical conferences. Breakout sessions are often accompanied by even smaller meetings, the ad hoc peer-to-peer sessions that are set up to bring together like-minded folks wanting to discuss a topic more privately and over a few beers.
A big thing for Microsoft was the presence of our corporate vice president of Trustworthy Computing, Scott Charney. He presented on the Microsoft vision for end-to-end trust: getting to a safer, more secure Internet. Scott’s talk exposed the interesting dilemma of choosing between two things that matter to us all: anonymity and accountability on the Internet. Talking to some of the attendees after his talk, I understood that they were especially intrigued by the U-Prove technology, which was announced during his talk. U-Prove allows people to disclose only minimal identifying information to applications and services when they access them using an ID-Token. This technology helps bridge that gap, and brings us closer to an Internet where attackers can get caught and individuals can maintain their anonymity.
Other interesting keynotes dealt specifically with that accountability question: how do we, as individuals, corporations, or nations, deal with cyber attacks? Interesting from that point of view was the large government presence. Any black hats in the audience would have felt intimidated in the presentations by Howard Schmidt, the newly appointed US Cybersecurity Coordinator, and Janet Napolitano from the Department of Homeland Security.
Going back to the roots of the conference, I also really liked the Cryptographers’ Panel. Earlier on in the conference, whilst prowling the conference book store, I had picked up a little novel with a rather interesting title, “Tetraktys”. It turned out to be a very interesting read that fit in with the conference crowd perfectly, covering a young graduate who roves across lost temples, chases secret societies, and most aptly, attempts to prevent the factoring of the RSA protocol. To my surprise, the author’s name popped up as moderator of the panel. Ari Juels did a great job on the panel getting several cryptographic pioneers, Whitfield Diffie, Martin Hellman, Ronald Rivest, Adi Shamir, and Brian Snow (of NSA fame), to tell their often-amusing stories. Quite interesting was Brian Snow’s recommendation to slow down the current SHA-3 selection process. Given the rapid evolution in common hash functions such as MD5, this is of particular interest to us. An interesting discussion also erupted at the end about academic versus government research in cryptography. This inspired a lively war of words, a must see!
The breakout sessions also did not disappoint. Much more practically focused than the keynotes, several of them focused on modern malware and rootkits, and how they really pose a threat. While many did not directly cover product vulnerabilities, RSA presentations do tend to bubble up what the researcher community is looking at, and left us with some interesting ideas. While the cloud and the advanced persistent threat were readily present with many presenters, some of the more intriguing ones covered the backdooring of active code runtime applications and the time artifacts left on the file system when editing or viewing files.
I especially liked F-Secure’s discussion on the evolution of rootkits. They went back to Pakistani Brain, an old memory-resident boot-sector infecting virus, and showed how many of its techniques are very similar to those of more modern rootkits. This was especially interesting to me, as Brain’s reputation was one of the things that initially brought me into the information security community!
Microsoft actually had a pretty large presence at RSA. Katie Moussouris and Bryan Sullivan presented on the various tools Microsoft has written while building the Security Development Lifecycle. If you are interested in BinScope, MiniFuzz or the SDL Threat Modeling Tool, check out the preview of their presentation at the RSA web site. It was actually a big conference for the SDL team; Adam Shostack also launched a creative approach to threat modeling. Elevation of Privilege is a card game, designed to help anyone developing software get started with threat modeling. Read more on how to play the game at the SDL blog.
On Wednesday, Katie also showed off her second hat, joining a lively debate on the future of responsible disclosure. Together with her work in the SDL team, she’s also been a long-standing member of the MSRC, developing quite a bit of Microsoft’s own disclosure policies.
Alas, circumstances caused me to miss the latter deliberation. Jonathan Ness, Bruce Dang, and I also presented a break-out session at the same time on Wednesday, covering the changes in five years of content-based attacks. These are the targeted attacks you may often hear about that exploit vulnerabilities in common productivity applications or PDF readers. We got great feedback from the audience, and got lucky! An interested audience member had set up a peer-to-peer session to discuss some of the things we reviewed, and we had a great follow-up discussion with attendees who had similar interests.
Needless to say, some of these discussions went way into the evening. One of the great things about RSA is how varied the audience is. While most attendees are either customers or developers of security software, this community has incredibly clever individuals! Probably the best evenings of the conference were spent with some of the lead developers behind the many security products, talking about the principles behind their software. In recent years I have sometimes felt that many of the security products released were too complex and prone to deployment issues. It was refreshing to see that many vendors are going back to the roots, applying numbers, big but reliable numbers, to solving hard security questions.
See you at CanSecWest!
-Maarten