BlueHat v10 is on the horizon and I’m happy to be able to announce the lineup. This year we’ll be hosting our annual conference on October 13-15 at the Microsoft campus here in Redmond and, with the success of last year’s con, we’re working overtime to make it the most robust, top-notch BlueHat yet. As always, we'll interlace talks from internal and external security subject matter experts. This year our themes include fuzzing, predators of the security ecosystem, next-generation infrastructure, risks associated with mobile technologies, and the web browser landscape.
We start this year with the BlueHat Executive Sessions on October 13, which offer condensed versions of select presentations delivered in a deeply technical style to Microsoft vice presidents, general managers, senior managers and chief security advisors. In conjunction with these Executive Sessions, this year we’re hosting the BlueHat Fuzzing Summit, a full day of content focusing on fuzzing tools and methods presented for and by our fuzzing SMEs. The following two days, October 14-15, feature the BlueHat General Sessions for our larger Microsoft IT pro and developer populations. As with each BlueHat in Redmond, our primary goal is to educate our own Microsoft residents to better understand how to build more secure products. The more we know about the realities of the security ecosystem, the better we can assess our own security realities.
As with past BlueHats, for which we’ve archived select content and provided access to the masses online, BlueHat v10 will keep this information sharing alive and well for those who cannot attend in person. We will also be providing the usual anecdotes and blog posts from current and past BlueHat speakers for your viewing pleasure, so keep an eye out on the BlueHat and EcoStrat Blogs for future updates!
Here’s a brief overview of the general sessions, which we’re calling BlueHat v10: A Security Odyssey. Full details will be available on the BlueHat TechNet site within the week.
October 14, 2010
Morning Block: Predators of the Security Ecosystem
Blasting us off on our security odyssey, Colonel Sebastian M. Convertino II will dive into the topic of computer and information security and discuss his role developing the full spectrum of the Air Force’s cyber warfare capabilities. BlueHat alumnus Ian Amit will then lead us on a cyberspace walk through CyberCrime and CyberWarfare and map out the key players in each in Cyber[Crime|War] - connecting the dots. The Cold War may be over, but Fyodor Yarochkin will show us how many secrets cyber-Sputnik sees in From Russia with…an insight on intelligence analysis of Eastern hacker culture. After we tune our mission control systems to listen across the many sub-cyberspace frequencies for threats, we'll shift gears and hear from our very own "Houston" who responds when "we have a problem." MSRC's Dustin Childs will do a deep-space dive into some actual MSRC case studies in Behind the Curtain of 2nd Tuesdays: Challenges in Software Security Response. In Nine Trends Affecting the Future of Exploitation, John Lambert will close out the track with the exploitation trends that will shape attacks, and therefore defense, over the next decade, showing us what we as a security species must do to evolve, survive, and thrive. We are only dipping our toes at the shore of a cosmic security ocean, and the water looks inviting…
Afternoon Block: Next Generation
Our Next Generation track kicks off with cyber-cosmonaut Dan Kaminsky, who will give us a peek into his Unified Theory of DNS Security. In another galaxy, not so far, far away, Matthieu Suiche will then introduce his MoonSols Windows Memory Toolkit in The Blue screen of death is dead. Matthieu will demonstrate how to get a crash dump of a running VM without causing a reboot or BSOD, a far cry from the blunt tools of security eons past. Vincenzo Iozzo, Tim Kornau, and Ralf-Philipp Weinmann will reprise their Black Hat USA talk, Everybody be cool this is a ROPpery, and show us how return-oriented programming, an advanced exploitation technique, is used to bypass most of our platform mitigations. That is, until Fermin J. Serna and Andrew Roths assure us that "our shields are indeed still up, Captain!" with the Enhanced Mitigation Experience Toolkit talk, showing how EMET's new features can actually defeat current attacks, such as ROP. Closing our Next Generation track, Grant Bugher will tour the upper stratosphere in Defensive Cloud Application Development, which will address the dual-sided coin of attacking cloud-based systems and security engineering for cloud application deployments. By the time this track wraps up, you will have mastered those anti-gravity boots required for high altitudes!
October 15, 2010
Morning Block: Risks Associated with Mobile Technologies
Having thoroughly recovered from your mind being blown by the incomprehensible vastness of space and "the cloud" from Day 1, we will then take you from the infinite to the infinitesimal in our last block covering mobile technologies. While technology hasn't quite gotten home computers down to atomic sizes, our current mobile technologies are putting more and more powerful machines into smaller and smaller packages. These micro machines puncture any semblance we ever had of a "perimeter," and they contain some of our most sensitive information. Mike Howard, first mate of the starship SDL, leads us through the perilous asteroid belt of mobile security in his keynote talk. Our own Geir Olsen will go deep on the key challenges that the mobile security model tackles and how its provisions work together in practice to enable trustworthy mobile computing in the Windows Phone 7 Security talk. Charlie Miller will be our mobile security Carl Sagan, guiding us deeper in our exploration of mobile security space by addressing what makes mobile exploit payloads unique in A Brief History of Attacks against iOS and Android. Next up, the out-of-this-orbit trio of Thomas "Halvar Flake" Dullien, Tim Kornau, and Ralf-Philipp Weinmann will converse with us in the language of the universe – mathematics – to demonstrate a framework of algorithms capable of locating a Turing-complete gadget set in A Framework for Automated Architecture-Independent Gadget Search.
Afternoon Block: The Web Browser Landscape
The browser is a lens through which we view the Web, and in many cases, the cloud. Pointing out where our lens is as warped as the first Hubble mirror, renowned Web security expert Jeremiah Grossman will demonstrate how browsers can be broken and used maliciously in Browser Hacks, Design Flaws, & Opt-In Security. Robert "RSnake" Hansen will remind us of our primitive human traits (of ingenuity and adaptability) by challenging us to design secure browsers for a hostile world (despite complex browser, OS, and network interoperability requirements) in The mixed blessing of browser security. Microsoft's own Mike Andrews and Brian Christian will then close out the block and give us an insiders' perspective on how we are evolving ever further to protect the search experience in Bing through malicious traffic detection in How Bing Protects Itself. What happens when Bing gets so intelligent it can tell the difference between a real user and an attack? You will have to see it to find out.
Looking forward to blast off as always,
- Celene
*Postings are provided "AS IS," with no warranties, and conferring no rights.*
The days are getting shorter, the holidays are getting nearer, and looming on the horizon is a trio of 12’s – it’s almost time for the 12th BlueHat Conference, on tap for the twelfth month of 2012. We have a terrific lineup of speakers from both inside and outside the company; there’s nothing much we can do about the weather in Seattle in mid-December, but indoors we have compelling work to do on making the cloud, mobile devices, the Internet, and the rest of the computing ecosystem, safer for customers.
Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v12. For more detail, please check back here in the weeks between now and the conference.
Day 1: Thursday, December 13
We’ll open the conference’s first track, Anti-Fraud & Abuse, with author and Microsoft Technical Fellow Mark Russinovich. Mark will also be joining attendees for a lunchtime book-signing (have you read Trojan Horse yet?). He’ll be followed in the morning by Microsoft’s Ellen Cram Kowalczyk, speaking on fraud and abuse, and specifically looking at life on the Internet today. Facebook’s Alex Rice will give attendees a look into how the world’s biggest social-networking site handles attempts to abuse its users. After a short break, Christopher Hadnagy, author of “Social Engineering: The Art of Human Hacking,” joins us to discuss the role social engineering plays in successful (and unsuccessful) fraud attempts. Finally, Microsoft’s Alex Weinert will give us a look at his work at Microsoft on anti-fraud.
After lunch, the Cloud & Online Services track kicks off with Mario Heiderich, who’ll cover how, after sustained efforts to mitigate XSS and similar cross-site scripting attacks, an attack surface remains (and what can be done about that). He’s followed by Chris Hoff of Juniper Networks, speaking frankly about what cloud evangelists know…but won’t tell CSOs. We’ll have a break and rejoin the action with MSRC Engineering’s own Gavin Thomas, who looks at better security through Microsoft HPC Server and Windows Azure, followed by Tim Maletic and Chris Pogue of Trustwave discussing OPFOR. The afternoon wraps up with a call to action from Mark, followed by several lightning talks on subjects sure to surprise and delight.
Day 2: Friday, December 14
We’re giving you all a later start (9:45 AM), taking into consideration your socializing the night before. MSEC program manager and emcee Leigh Honeywell will open the second day of the conference at 9:45 AM with the Vices & Devices track. She’ll turn the floor over to Charlie Miller, who’s currently playing a major part in Twitter’s security push; he’ll talk about attack surfaces in the NFC (near-field communications) protocol stack. After a short break, Microsoft’s David Ross and Crispin Cowan dive into the world of Windows 8 applications. Matt Garrett of Red Hat joins us to answer “Why UEFI?” Lunch will feature an Online Services Security and Compliance (OSSC) Lunch n’ Learn, focusing on managing security risk to Microsoft's global online services.
Friday afternoon brings the conference’s final track, Hot Topics, with a combination of guests, current Microsoft employees, and alumni on tap. First, James Forshaw of Context Information Security discusses the allure for security researchers of managed languages. Next, Fermín Serna – once a Microsoft colleague, now at Google – speaks of current thinking on information-leak vulnerabilities. After a break, MSRC senior security program manager David Seidman explains why some users simply won’t, don’t, or can’t apply security updates – whatever the consequences. The afternoon will close with Mat Honan, Senior Writer for Wired, whom we think will put the conference’s conversations and revelations in perspective as he describes how all the issues we’ve discussed can touch the lives of the customers we aim to protect.
Thanks –
Emily Anderson, Security Program Manager, MSRC
CanSecWest is a laid back conference – with only one track, it allows an attendee to attend every presentation. In addition, it’s well known for the Pwn2Own competition, a yearly hacker standoff in which researchers get their shot at compromising devices equipped with the latest in Web browsers and operating system security mitigations. If the attacker is able to pwn (“perfect own”) the machine, they win a cash prize and a new device to take home.
This year had a special focus on mobile devices, with most of the prize money allotted to that category. Vincenzo Iozzo and Ralf Weinmann each left the competition with a brand new Apple iPhone. Even multiple problems with airport strikes and construction couldn't keep Vincenzo away.
Charlie Miller proved himself to be a true "Michael Jordan" showing up at his very own slam dunk contest by pwning a fully patched installation of Safari on a MacBook Pro. Microsoft also did not escape unscathed. Peter Vreugdenhil came, saw, and then gave our team homework by unleashing an exploit that tipped over Internet Explorer 8 on Windows 7. Kudos to Peter, and thank you for making us aware of this issue privately. We are investigating the issue and we will take appropriate steps to protect customers when the investigation is complete.
After he was finished with the Pwn2Own contest, Charlie Miller gave a great talk on the results of his extensive fuzzing. Interestingly, the fuzzer he built used only five lines of Python code. After three weeks of fuzzing, he had identified a couple dozen potentially exploitable bugs in different applications. Just imagine if he had used seven lines of code in his fuzzer...
Matthieu Suiche gave another great presentation on analyzing Mac OS X physical memory. All of us battling the post-lunch fatigue immediately perked up when he began his demo and ended with plain-text passwords.
Tavis Ormandy and Julien Tinnes from Google played around with the Linux and Windows kernels in their talk, organizing a party at ring 0. Luckily, we had been invited a while back, and we’re happy to say Microsoft customers are currently protected against each of the attacks they presented.
Another fascinating talk was delivered by Halvar Flake and Sebastian Porst from Germany. These Zynamics Care Bears introduced a plug-in for their products which allows investigators to crowd-source reverse engineering, helping to put defenders on better footing when dealing with new pieces of malicious code. This is a great effort and we look forward to seeing others build on the work they are putting in place today. Too bad they couldn't find a full-size Care Bear outfit.
Our Office team also attended. Tom Gallagher and David Conger gave a great presentation on how they dealt with Office-specific vulnerabilities.
Their work includes building a sandbox for less-trusted documents and implementing a validator for any content being loaded into the parser. Theirs was a great talk for anyone intending to protect word processing applications and other office productivity tools.
The conference dinner on Thursday night was also a great time to get to know people. What we first thought was a bomb scare actually ended up just being a horrible comedian on stage. But once that was done, there were a lot of great conversations to be had with people from all over the world throughout the industry. It is always helpful to get feedback from our customers as to what we are doing right and what could be improved.
As usual, we spent a lot of time talking to our partners in the research community, and we’d like to thank Dragos for setting up another great CanSecWest. See you next year, Vancouver!
Cheers, Maarten and Dustin
BlueHat v12 here in Redmond is in full swing – it started yesterday for full-time Microsoft employees only, and continues today as we welcome our invited guests from beyond Microsoft. I’m excited to see and contribute to this year’s content as it unfolds on stage, and even more excited for all the side meetings that take place here in the hallways of the event. It makes sense for us to take a moment to recognize the people who have contributed to BlueHat over the years, as well as to look forward to where we are going in terms of security community outreach at Microsoft in the years to come.
The BlueHat conference itself was groundbreaking in 2005, when the first group of hackers were invited by Window Snyder and Andrew Cushman to speak directly to Microsoft developers and executives about the products in which they were able to find security vulnerabilities. Back then, no major vendors had formally hosted an internal security conference before, but doing events like BlueHat is now an accepted industry practice for many major vendors.
We as an industry owe Window and Andrew our thanks for blazing this path, and also many thanks to the people over the years who have developed the BlueHat conference to be what it is today. That list includes but is not limited to Kymberlee Price, Celene Temkin, Dana Hehl, Sarah Blankinship, Mike Reavey and, most recently, Emily Anderson. Part of what makes BlueHat special to the speakers and attendees are the personal touches and vision that each person on the list above contributed.
One of the elements that makes BlueHat such a vital part of our overall security community outreach at Microsoft is the “hallway track.” This is where the invited guests and the Microsoft folks can dive deeper into the topics that are being presented, or diverge into other topics entirely – sometimes with far-reaching effects on improving security by leaps and bounds. As the conference has evolved over the years, some of the people we invite are here to meet with Microsoft engineers and to learn from the content that is presented, such as the MAPP partners we invite. It is the exchange of ideas that can help improve our products, as well as the products of others who are in attendance, that continues to make BlueHat special.
Many other conversations that will take place in the hallways at BlueHat over this week and beyond will help shape security defense for another generation of the Microsoft computing ecosystem. The relationships being forged and reinforced among Microsoft product teams, security engineers, and the external security research community in these halls will likely bear fruit in terms of helping to improve security for existing and future products and services.
There is an old saying that can be paraphrased as “If we can see a little further out into the horizon, it is because we are standing on the shoulders of giants.” Even as we face some familiar and not-so-familiar security frontiers such as online service security, mobile computing device security, app store security, and the ever-present human factor being exploited via social engineering attacks, we as members of a holistic global computing ecosystem will continue to benefit from the multi-directional exchange of ideas that happens at BlueHat.
Our team continues to expand the ways and means by which we facilitate these pivotal conversations, standing on the shoulders of “blue giants” who have built the security community outreach programs like the BlueHat conference itself, and our worldwide security conference sponsorship program. As we evolve and grow, we add new programs to the overall outreach strategy to help us get better at security today and in the future. An example of a new program we added recently is the BlueHat Prize contest for security defense, for which this year we gave away over $260,000 in cash prizes for ideas in platform-level defense. As I said on stage at BlueHat Wednesday morning, Microsoft will continue to invest in security defense challenges -- and the next iteration of the BlueHat Prize contest will be announced around the time of the BlackHat USA conference next summer.
So to those who came before, thank you, and to those who will come after, enjoy the view. I, for one, can’t wait to see what’s just over the horizon, and it’s looking very blue.
Katie Moussouris, Senior Security Strategist, MSRC
http://twitter.com/k8em0
PacSec had a lot of the Japanese security scene in attendance (the local powerhouses are pretty sharp and savvy) along with international researchers and past BlueHat speakers, Charlie Miller and Alex Stamos. Take a minute to check out archived presentations from our own Tony Lee introducing the SIRv7 and Jason Shirk discussing fuzzing strategies. But the biggest interest concerned mobile code threats such as malware and how the perimeter defenses are fading away as a viable protection. This seems to be a hot topic everywhere, so hot that the just wrapped-up BlueHat v9 con had an entire track dedicated to mobile security, and in June 2010, at the annual FIRST Conference, how the perimeter defenses are fading away will be the theme for the whole conference.
It’s a cyclic state when it comes to the effectiveness of protections. I remember back in the 80s and 90s when the firewall was going to fix it all. But like everything in life, things evolve and the firewall became a part of a complex mesh of other technologies created to evolve with the threats.
This cyclic and evolving process is something we know a lot about here in Microsoft. The continued security evolution built the MSRC process and the Security Development Lifecycle (SDL). This is how we had to react to threats.
Visiting POC 2009 and PacSec, I got more of a sense of how people outside Microsoft evolve and react; most created either more complex processes or bought more technologies. As I was sitting at POC 2009 watching the presentations, I saw the same theme here as well. It seems that with the evolution of threats, security people everywhere are throwing up more complex processes and technologies. But what happens when the complexity we have created outstrips the problem? I can see that we are always going to have the technological challenges of new threats.
Take Conficker, for instance: a new threat that helped every security professional evolve because of its complex nature. However, something else happened with Conficker that really turned on a light in my head. Conficker took advantage of old threats and of lapses in long-standing security best practices. The fact that Conficker used these old threats and was still widely successful in exploiting our complex processes and technologies is interesting.
I couldn't help asking myself this question: could it be that, because of our complexity, we have failed to take past experiences into account? I don’t think so. I think what we may have done is forgotten one or two primary security factors. Those factors are “people” and “process”. People management for security is a key tenet of any type of security plan. This fact has been proven everywhere and in every field, including computer security.
If your plan does not take into account an understanding of the human factor and what it means to your security process, you are missing an important point. Understanding the “people” factor will help you in the next important part of the security plan, which is the process part.
Sitting down at PacSec and POC 2009, I see that we have a firm grip on the technological-advancement front. The presentations at both conferences were excellent technically and on the cusp of new developments. But I still believe that a more focused approach on the “people” factor of computer security would do more to enhance the security than technology advancements will.
Here at Microsoft we are looking in that direction as we look at the technological enhancements coming to the continent of Africa. Here is a place where we will have the chance to stress a focus on the “people” aspect while building up the processes to take advantage of the new technologies afforded the populace. Hopefully you’ll be seeing more of this model in future posts from me as this new initiative develops. But for now make sure to look at the “people” factor as you create, modify or react to problems in the security landscape. It may surprise you what fresh new perspectives and solutions it gives you.
- Steve
One of the questions I am often asked is regarding security updates for Windows systems that fail the Windows Genuine Advantage (WGA) check. In other words, who gets security updates? It’s an understandable question, and it has a very clear answer.
"Security updates are available to all systems."
It is just that simple. If Microsoft has provided a security update, you can install it on your system. This is still true even if your system fails the WGA validation check. There are also no WGA checks for service packs, update rollups, and important reliability and application compatibility updates. Paul Cooke, a Director in the Windows Client group, also stated this last year in his Windows Security Blog. On Windows Vista and Windows 7, available security updates can be accessed through Windows Update in Control Panel. On Windows XP, systems that fail a WGA check can still access security updates through Automatic Updates.
Keeping all Windows systems current on their security updates is a big part of keeping a healthy Windows ecosystem. After all, Conficker and Blaster don’t check for WGA. If you don’t have the right security updates, they just compromise your system and then spread to other systems. While a large part of my job is responding to vulnerability reports, it is always better to have proactively helped users stay secure.
So if you have ever wondered, now you know. You can always get security updates regardless of WGA validation. We at the MSRC are completely committed to ensuring our security updates go out to as many of our users as possible. So install those security updates without fear, and if you happen to run into me at a conference and want to hear everything else I do, just let me know. It is a story I love to tell. Just make sure you have an hour or two to spare. :-]
- Dustin
Guten Morgen! Joe Hemmerlein here from the Microsoft Security Response Center (MSRC). I just returned from Germany earlier this month, where I spent some time mingling with security researchers. It's customary that we share a bit of our experience at security conferences right here, on the EcoStrat blog - and this is my first posting.
Outside temperatures were around the freezing point in Berlin during the 26th Chaos Communication Congress (26C3), which is organized by the German Chaos Computer Club (CCC) and considered to be the European Hacker Con.
It’s only natural that physical borders start to blur when hackers from all over the world come together to participate in such a unique happening – 4 days and nights between Christmas and New Year – to work on projects together, give and attend talks, and have fun while suffering from collective deprivation of sleep. There is strong consensus that the latter is fought best through the influence of Club-Mate (dubbed "hacker soda" by some), which is a carbonated Yerba maté-based drink brewed in Germany. Club-Mate is the prime ingredient in the venue’s favorite cocktail, Tschunk. This year’s conference motto, "Here Be Dragons", is a reference to historic seafaring folks who explored the unknown looking for new continents, treasures, and maybe even dragons.
The focus this year was on wireless telephony, net neutrality, the Internet protocol, and some cryptography – certainly relating to areas where Microsoft is active, but without any specific focus on our products. The titles of my personal top-five talks were Using OpenBSC for fuzzing of GSM handsets, cat /proc/sys/net/ipv4/f█ckups, Exposing Crypto Bugs through reverse engineering, WikiLeaks Release 1.0, and Security Nightmares; the latter of which was presented in German and simultaneously interpreted for non-German-speaking folks! Sessions could also be watched via a stream or listened to via the internal telephony system thanks to the 26C3 Phone Operation Center.
The recipe of communication seasoned with chaos to taste, and baked into the form of a Congress, again resulted in a unique blend of talks in the categories of society, hacking, making, science, culture and community. These categories merely give you an abstract idea of how diverse the field of hacking can be; contrary to common belief, hacking isn’t exclusively about breaking, it’s more about approaching the world in a curiously creative manner and a holistic view of how stuff works (or fails). Loads of hackers and häcksen, the latter being a German pun on the words hacker and hexe (which is German for witch), were just waiting to demonstrate and work on projects together, and discuss matters of – well - hacking. That tesla coil you built for a science project brings down your ethernet unless you use a specific packet size? How to make a tesla coil sing the Ghostbusters theme? Responsible disclosure vs. full disclosure? Different designs and materials for RepRap 3D printer extruder nozzles you’ve been experimenting with? Dismantling conspiracy theories over a couple of beers? All it takes is an open mind, some level of determination and creativity, and you’ll leave the con not only having made new friends, but also with many new ideas on what to do until the next con. Not only did I spend time attending talks or catching up with fellow hackers on the progress of projects, there was also plenty of quality time in talking shop with researchers, colleagues and other experts on the status quo and recent developments in security response.
Unfortunately, tickets sold out within a mere 12 hours. For those who didn’t get tickets or couldn’t make it to Berlin in the first place, Dragons everywhere was an experiment that allowed locations in Berlin or somewhere else on this planet to hook up to the congress network via VPN for remote participation. As most of the talks were recorded and released under a Creative Commons license for everyone to download legally, please excuse me now while I play catch-up! See you next time!
-Joe Hemmerlein, Security Program Manager
Tomorrow, Steve Adegbite, Katie Moussouris and I will give the first ever Microsoft Security Response Center (MSRC) talk at Black Hat, Las Vegas. Yes, Microsoft has presented at Black Hat before, and actually has a pretty long history of participating in this con, but this is the first time the MSRC itself has hosted a talk.
So what’s the big deal?
Well, as you may have heard, we’ve announced a couple new programs this week (See Microsoft’s Virtual Press Room) that mark a real shift in how we approach the issue of security. This talk will disclose all the juicy details of all three programs (yes, there’s a third program...Katie will tell you all about it!), include demos of the vulnerability information we will share as part of the Microsoft Active Protections Program Steve’s created, show you what our “Exploitability Index” looks like, and give you all the context you’ll need to understand the how’s, why’s, and where’s that led us up to this stage!
While saying we want to help “secure the planet” is a bit assuming, the reality is that we realize no one can address evolving security threats alone. One of the key themes of the talk, and indeed one of the key themes of our continued commitment to taking Trustworthy Computing to the Internet, is that through collaboration and shared intelligence, the security industry can better anticipate, respond and work together to address threats. This talk will illustrate how these innovative programs come together to help enhance security through collaboration and information sharing.
So if you’re here on the ground, come join us tomorrow at 3:15 in Roman Ballroom. And, of course, if you’re unable to catch us at the conference, the best bet is to follow us on Twitter:
http://twitter.com/mreavey
http://twitter.com/SteveAdegbite
http://twitter.com/k8em0
- Mike Reavey
Update: Room #.
Marhaban! Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.
There is a saying that "every word in Arabic either means itself, its opposite, or a camel." Working in the information security industry, I often use this to illustrate to my clients how a piece of code that one person considers a vulnerability can very well be seen as valid functionality by another. As such, my Microsoft colleagues and I were very interested in learning more about other Arabic sayings that could be applied to the information security industry as a whole.
Hack in the Box is a twice-yearly conference, taking place in Dubai, UAE during April, and somewhat later in the year in Kuala Lumpur, Malaysia. Given our past experiences with the value of the talks at the conference, Microsoft was a Titanium sponsor of this event.
The Dubai conference is more intimate than the Malaysia one, but that is exactly what makes it a great way for local information security professionals to network and learn more about cutting edge security research that is taking place all across the world. Presenters came from as far away as Indonesia, the United States, and Germany.
At Microsoft, I think we can safely admit that in order to pioneer security efforts, we were forced to make every single mistake in the book and learn from it. When I started with the company, I was fascinated to see that we are in fact very good at learning. When we deal with an issue, we like to understand how we can resolve similar issues more effectively in the future. As such, we don’t just attend conferences to learn, but to start up a conversation – we are interested in sharing our own experiences as well as touching base with others.
Microsoft employees had two presentations lined up for this event. Mark Curphey, the director of Microsoft's Information Security Tools team, had a keynote presentation on security tools and technology for effective risk management. Mark focused on how most security tools and technology available to effectively manage risk can only be described as primitive in comparison to those used in most other areas of risk management, such as online gaming or healthcare. From my own experience as a security consultant, I can echo his finding that Microsoft Office Excel is often the most effective tool risk managers have at their disposal.
This is a gloomy situation, given the amount of risk most organizations are exposed to, but a broad sigh of relief was voiced by the audience when Mark clarified his team is working here at Microsoft on solving just that issue.
After Mark's talk, Ian Hellen from Microsoft's Security Assurance team and I spoke to several attendees who wanted to learn more about how Microsoft deals with application security issues. We understood from them that there is a lot of internal software development taking place in Dubai to support business processes, and many of the attendees asked questions about how they could make their own applications more secure. We talked to them about the Microsoft Security Development Lifecycle (SDL), which is our standardized approach to software security. If you have similar interests, you can read more about it here.
Billy Rios, one of our resident security engineers, delivered a fascinating presentation on the concept of trust relationships in Web applications, and more specifically how a disparity exists between the security models implemented in Web applications, and those implemented by the browsers that host those applications. In addition, he collaborated with Chris Evans from Google to share with the audience some of their experiences with cross-domain issues and practical man-in-the-middle attacks on SSL.
While there was too much content at the conference for me to discuss in depth here, I will mention some of the other highlights.
Roberto Preatoni from WabiSabiLabi, one of our guests at BlueHat 6, presented on cyber warfare. He refuted Marcus Ranum’s 2007 statement at HITB Malaysia that cyber warfare is an overrated issue by calling out several examples of contemporary cyber war. He illustrated how it may affect not just nation-states, but industries and individual corporations as well when their interests come into conflict.
Reverse engineers in the audience welcomed Sebastian Porst from Zynamics. He spoke about REIL, their Reverse Engineering Intermediate Language, and more specifically how it can be used to optimize static binary code analysis. They actually used one of our vulnerabilities, the Windows Server Service vulnerability patched in MS08-067 (read more about it here and here) to illustrate how their tool works. This was definitely a topic many of our own engineers are deeply interested in.
Another well received talk came from Wes Brown of IOActive. He provided a good primer on analyzing malicious code, and gave it a twist by describing how languages, Unicode, and even culture all make a difference and make the reverse engineer’s work just a wee bit more difficult.
At the end of the conference, Microsoft sponsored the sunset Post-Conference Reception, which allowed for more valuable networking opportunities.
Sometimes dealing with security incidents and vulnerabilities can feel like marching across a desert. Confidentiality is an unspoken requirement, and often you can only rely on your own senses, knowledge and intuition. It is a great thing that just like in Dubai, there are watering holes where we can come together and rely on each other implicitly, sharing information and improving the state of the art in our business. Thanks, Hack in the Box, for a great conference, and we’ll see you next time. Ma’a salama.
[Editor's note: check out the BlueHat Blog for another Microsoft perspective on HITB-Dubai]
The air was thick with adrenaline and action as the teams battled each other for the top spot at Microsoft’s Defend the Flag (DTF) training at Black Hat USA. The heat of Vegas seems a fitting place for such contests, pitting attacker against victim, in a race among teams to prevail as the strongest, the fiercest, the most tenacious defenders of their systems. Unlike Capture The Flag (CTF), the scoring is done exclusively on defensive capabilities. Teams are simultaneously attacking other teams’ systems, while trying their best to keep their own up and running. Take no prisoners, capture no flags – it’s a binary battle to either win or lose, and it’s all about how you play the game.
Armed with a suite of defensive techniques taught by our delivery partners, iSEC Partners, and Immunity’s latest CANVAS exploit framework, the players have the basics for what can be deemed a security pick-up game of 21. The training is delivered over two days. The morning of day one is a hands-on tutorial lab focusing on attack techniques and learning how to use the exploit framework, taught by Dave Aitel and Bas Alberts of Immunity. The afternoon of day one is taught by Brad Hill and Andrew Becherer of iSEC Partners, and applies host hardening, forensics, and incident response techniques. Day two is an all-up melee-style competition, where the class is divided into teams of three or four players each. Each team has both attackers and defenders, and roles are switched throughout the day to make sure everyone gets to experience firsthand the power of modern-day attack tools, and the thrill of successfully beating back an onslaught at the front lines.
Some may wonder why we are teaching students how to use an exploit framework as part of this course. If the point is defense, why take up time with any offense? It is to provide the appropriate framework for students (mostly IT Professionals who are new to security) to internalize the threats they face each day. Rather than spread FUD, we show a real modern commercial-grade toolkit to demonstrate just how easy it is for attackers to take advantage of unhardened systems that haven’t been updated. It is the best way to drive the point home beyond a shadow of a doubt: patch or perish; harden or get hacked.
Besides, we are not teaching new exploit techniques, but rather showing what is already widespread and publicly available. From a lock picking debate in the 1800s regarding revealing the tricks and tools of the trade:
“Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.”
Since we know that roguery abounds, and that attacks are becoming much more sophisticated and innovative, we must keep pace by understanding their trade. We must learn how to use their tools and tricks in order to educate the next generation of Windows defenders.
But here’s the real twist – DTF doesn’t allow updating! That’s right, we throw a monkey wrench into the works by taking away one of the most effective security measures available. We toss the students into shark-infested waters and expect them to swim to safety. How? By employing defense in depth measures. Why? Because this is too often the reality in deployed networks. Either IT Pros can’t apply updates right away due to testing requirements, or they can’t update at all because of the risk they believe a change poses to critical infrastructure. This is the real-world dilemma, and DTF provides the tools to help IT Pros manage it in a heart-thumping, fist-pounding, tooth-grinding race to the finish line.
As the points stacked up on Day two, the tension mounted to a palpable pulse. Team “Defenders” held an early lead throughout the morning, with Team “OneEqualsOne” taking second place over Team “DivideByZero”, until “DivideByZero”’s Windows Server 2003 was pwned so badly that it had to be rebuilt from scratch. The afternoon brought new challenges, as each player had to switch out of the roles they had grown comfortable with in the morning – attackers now had to defend, while former defenders took on the attack role within each team.
There was also a bonus round with a physical twist, where each team had to play out the scenario that an intruder had gotten physical access to their systems. Each team hardened their systems as best they could, and then physically left them in the hands of the other teams, while they in turn attacked their opponents’ systems. When each team returned to home base, they had to figure out what their opponents had done during the physical access (planted Trojans, disabled firewall rules, etc.) and recover control of their systems.
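The "figure out what your opponents did while they had the console" step above is, in practice, a baseline-and-diff exercise: record what the host looked like while it was still yours, then compare against it when you get it back. The script below is an added example of that check and is not DTF course material or Microsoft code. It assumes a current Windows build (Windows 10 / Server 2016 or later, since it uses the NetSecurity, ScheduledTasks and LocalAccounts modules, which the Windows Server 2003 boxes in the course did not have), an elevated PowerShell session, and a baseline file location that is purely an assumption.

```powershell
# Added example (not from the original post): snapshot the parts of a Windows host
# that an attacker with physical or admin access typically tampers with, and diff
# a later snapshot against it. Run once with -Mode Baseline before handing the box
# over, then with -Mode Compare after getting it back. Exit code 1 means drift.
# Assumptions: Windows 10 / Server 2016+, elevated session, baseline path below.
param(
    [ValidateSet('Baseline', 'Compare')] [string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\dtf-baseline.json"   # assumed location
)

function Get-HostState {
    # Firewall profiles: a disabled profile or a default-allow inbound action is the
    # first thing to look for (the post mentions firewall rules being disabled).
    $fw = Get-NetFirewallProfile | ForEach-Object {
        "fw:$($_.Name):Enabled=$($_.Enabled):In=$($_.DefaultInboundAction)"
    }

    # Classic autorun keys: cheap persistence for a planted trojan.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $run = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            foreach ($n in $p.PSObject.Properties.Name) {
                if ($n -notmatch '^PS') { "run:$k\$n=$($p.$n)" }   # skip PS* metadata props
            }
        }
    }

    # Services: name, start mode, state and the binary actually launched, so a
    # swapped ImagePath or a new service shows up as a changed line.
    $svc = Get-CimInstance Win32_Service | ForEach-Object {
        "svc:$($_.Name):$($_.StartMode):$($_.State):$($_.PathName)"
    }

    # Scheduled tasks: the other favourite persistence mechanism.
    $tasks = Get-ScheduledTask | ForEach-Object {
        $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';'
        "task:$($_.TaskPath)$($_.TaskName):$($_.State):$act"
    }

    # Local Administrators membership: a new member here is a back door.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { "admin:$($_.Name)" }

    # One flat, sorted list of strings keeps the diff trivial and stable.
    @($fw) + @($run) + @($svc) + @($tasks) + @($admins) | Sort-Object -Unique
}

$state = @(Get-HostState)

if ($Mode -eq 'Baseline') {
    $state | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline of $($state.Count) items written to $BaselinePath"
    exit 0
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Mode Baseline first."
}
$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $state

if (-not $diff) {
    Write-Host 'No changes since baseline.'
    exit 0
}
foreach ($d in $diff) {
    # '=>' means present now but not in the baseline; '<=' means it went missing.
    $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Host "$tag $($d.InputObject)"
}
exit 1
```

The point of flattening everything to strings is that the diff stays readable under pressure: a disabled firewall profile shows up as one REMOVED line next to one ADDED line, and a planted Run key or a re-pointed service binary is a single ADDED line naming the path. It is deliberately not a rootkit detector; a defender in the situation described would pair it with an offline check of the disk, since anything that subverts the running OS can lie to these cmdlets.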
It was a dead heat, with each team within 25,000 points of each other, out of a possible 300,000. Team “OneEqualsOne” almost took the lead until the physical challenge left them without a firewall enabled for a few critical minutes.
The fine line between security and functionality was tested by all teams, until finally a winner prevailed with Team “Defenders”. Their prize? A sense of what to do when they are under attack (which they really are, every day), the knowledge of how to harden their systems in the first place, and copies of CANVAS for each team member to take back to their real networks to make sure they have taken the right steps toward defending their actual flags.
Making our stand against attackers is something we must do with the help of the very attack tools that we are up against as defenders. Whether it is CANVAS, Core IMPACT, or Metasploit, the tricks of the trade are growing more sophisticated and easier to use each day. Defend The Flag is a program that can help educate the legions of Windows defenders, even in the face of tough choices when it comes to their ability to run the latest and greatest versions of all software. In the hands of a defender, these are part of a necessary suite of tools and techniques to help tip the balance toward keeping systems and networks secure.
In a world where roguery abounds, we as defenders must be doubly prepared to meet the challenges as they arise.
- Katie Moussouris
For more on this and Black Hat, join the conversation at http://twitter.com/k8em0