

Handle:
Security Blanki

IRL:
Sarah Blankinship

Rank:
Senior Security Strategist Lead

Likes:
Vuln wrangling, teams of rivals, global climate change - the hotter the better

Dislikes:
Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

Aloha from Shakacon III, a security conference held each year in lovely Honolulu, Hawaii! Although I’m currently in a different region of the world, talking with a completely different segment of the security ecosystem, I wanted to take a few moments to reflect on the BlueHat Security Forum EU event recently held in Brussels, Belgium.

Celene’s EcoStrat blog post highlighted the collaborative nature of the event and described the amazing content that was presented to the group of key EU security stakeholders. While being part of building a new platform for technical information exchange was a success in itself, we all have different priorities. In order to effect change, we must understand each other and work together, across technologies, organizations, and country boundaries. By building better collaboration in this community, we have all taken one more step in helping to secure the planet as a collective.

I’ve mentioned in a previous EcoStrat post that the EcoStrat team strives to build bridges and help folks get over them. The BlueHat Security Forum EU event was an example of bridge-building in action. It was rewarding to introduce representatives from governments, industry, and enterprises, as well as individual participants to each other. Prior to the BlueHat Security Forum, this particularly diverse group had never been in the same room discussing current security threat landscapes, understanding together the realities of securing critical national infrastructures and corporate networks alike.

With such a diverse collection of attendees, participants naturally had a wide range of security priorities. Concerns ranged from targeted attacks to ID theft, defending Web applications and supply chains, developing and deploying secure coding practices to policy development, political concerns within and outside of the EU, and the list goes on.

Certainly the message that there is no one magic solution to security was delivered. There is still so much work to be done. It will take defense-in-depth, secure coding, securing third-party applications and proprietary applications; it will take technology and people. We all understand that security can be likened to an arms race; every innovation we make in security is met by a very sophisticated collective of global malicious actors. We must be vigilant together; we must work together.

Mahalo for reading and here’s to another step towards achieving community-based defense.

Sarah

*Postings are provided "AS IS" with no warranties, and confer no rights.*

Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
Program Manager 2 & BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

Hey folks! I know this is typically the time of year when birds are chirping, the rain is supposed to be letting up, and those of you in the BlueHat network who are normally invited to attend the Spring BlueHat conference are asking yourselves, "Why did MSRC start doing the con only once a year?" The answer, of course, is pretty simple and complicated at the same time. Today marks the beginning of the next evolution of the BlueHat Security Briefings, with the launch of the BlueHat Security Forum taking place at the Microsoft Executive Briefing Center in Brussels, Belgium.

Following the success of the BlueHat Security Briefings, entering its 9th iteration this October 22-23 at the Microsoft campus in Redmond, the BlueHat Security Forum EU event is an invitation-only gathering and network of select government and enterprise decision-makers from throughout the European Union.  Attendee country representation includes Austria, Belgium, Denmark, Finland, France, Germany, Italy, Norway, Sweden, Switzerland, and the UK.  Today’s Forum gathering in Brussels features lively presentations on the latest developments in information security from Microsoft leaders and external security researcher luminaries.

The primary objective of the BlueHat Security Forum is to build bridges between our Microsoft Security Leadership team, key Enterprise security stakeholders, and members of the security research community. The secondary objective is to participate in candid, actionable, and constructive dialogue with key enterprise customers that will help Microsoft produce enterprise-ready, value-laden products and services.  The BlueHat Security Forum planning team formulates discussion topics for these meetings based on current security hot topics, new research and trends.

Today's BlueHat Security Forum EU event agenda will address:

· E-crime attacks, the vulnerability economy and the global threat landscape

· Security in the cloud, DNS security, and the malware landscape

· Microsoft Security Response Center (MSRC) processes and integrating a Security Development Lifecycle (SDL)

And did I mention our stellar line up? Presenters from Microsoft Trustworthy Computing include Andrew Cushman, Director of Trustworthy Computing Security; David Pollington, Director of Security, Europe; Vinny Gullotto, General Manager, Microsoft Malware Protection Center; Alex Lucas, Principal Security Development Lead; Mike Reavey, Director of MSRC; and from Global Foundation Services, Martin Rues, Director for Cloud Security, Microsoft, and Scott Oxley, Lead Architect for Cloud Security, Microsoft. External presenters include Iftach Amit, Director, Security Research, Aladdin; Dragos Ruiu, CEO SecWest Conferences, Security Technology Specialist; Dan Kaminsky, Director of Penetration Testing, IOActive; and Scott Stender, Principal, iSEC Partners, Inc.

We are seeking to build upon the momentum of past events by showcasing how individual strategies can intersect to offer substantial benefits and positive-sum outcomes. As with the local BlueHat conference, we are looking to demystify global and regional security threats, and to create channels for productive information exchange on common threats between the security industry, governments and researchers. Future regional BlueHat Security Forums are planned for Asia in 2010 and LATAM in 2011.

Next up: save the date for BlueHat v9 this October 22-23 in Redmond. Stay tuned for more updates and information to come here and on the BlueHat Blog. Be sure to check out Iftach Ian Amit’s post also coinciding with the Forum, Getting a business degree as part of Security Research?

Bonne chance!

Celene

Handle:
EcoStrat's All-Stars

IRL:
TwC Security All-Star Guest Bloggers

Likes:
Security, Vulnerability Research & Science, Defense and Responsible Disclosure

Dislikes:
0-day, FUD

Marhaban! Maarten Van Horenbeeck here from the Microsoft Security Response Center (MSRC). This is the first time I have blogged here on EcoStrat. As a Security Program Manager with MSRC, one of the roles I have is to work with security researchers, and this often involves attending security conferences to meet with you. Two weeks ago, a couple of us in Trustworthy Computing (TwC) attended the Hack in the Box (HITB) security conference in hot and sizzling Dubai, United Arab Emirates.

There is a saying that "every word in Arabic either means itself, its opposite, or a camel." Working in the information security industry, I often use this to illustrate to my clients how a piece of code that one person considers a vulnerability, can very well be seen as valid functionality by another. As such, my Microsoft colleagues and I were very interested in learning more about other Arabic sayings that could be applied to the information security industry as a whole. 

Hack in the Box is a twice-annual conference, taking place in Dubai, UAE during April, and somewhat later in the year in Kuala Lumpur, Malaysia. Given our past experiences with the value of the talks at the conference, Microsoft was a Titanium sponsor of this event.

The Dubai conference is more intimate than the Malaysia one, but that is exactly what makes it a great way for local information security professionals to network and learn more about cutting edge security research that is taking place all across the world. Presenters ventured from as far as Indonesia, the United States, and Germany.

At Microsoft, I think we can safely admit that in order to pioneer security efforts, we were forced to make every single mistake in the book and learn from it. When I started with the company, I was fascinated to see that we are in fact very good at learning. When we deal with an issue, we like to understand how we can resolve similar issues more effectively in the future. As such, we don’t just attend conferences to learn, but to start up a conversation – we are interested in sharing our own experiences as well as touching base with others.

Microsoft employees had two presentations lined up for this event. Mark Curphey, the director of Microsoft's Information Security Tools team, had a keynote presentation on security tools and technology for effective risk management. Mark focused on how most security tools and technology available to effectively manage risk can only be described as primitive in comparison to those used in most other areas of risk management, such as online gaming or healthcare. From my own experience as a security consultant, I can echo his finding that Microsoft Office Excel is often the most effective tool risk managers have at their disposal.

This is a gloomy situation, given the amount of risk most organizations are exposed to, but a broad sigh of relief was voiced by the audience when Mark clarified his team is working here at Microsoft on solving just that issue.

After Mark's talk, Ian Hellen from Microsoft's Security Assurance team and I spoke to several attendees who wanted to learn more about how Microsoft deals with application security issues. We understood from them that there is a lot of internal software development taking place in Dubai to support business processes, and many of the attendees asked questions about how they could make their own applications more secure. We talked to them about the Microsoft Security Development Lifecycle (SDL), which is our standardized approach to software security. If you have similar interests, you can read more about it here.

Billy Rios, one of our resident security engineers, delivered a fascinating presentation on the concept of trust relationships in Web applications, and more specifically how a disparity exists between the security models implemented in Web applications, and those implemented by the browsers that host those applications. In addition, he collaborated with Chris Evans from Google to share with the audience some of their experiences with cross-domain issues and practical man-in-the-middle attacks on SSL.

While there was too much content at the conference for me to discuss in depth here, I will mention some of the other highlights.

Roberto Preatoni from WabiSabiLabi, one of our guests at BlueHat 6, presented on cyber warfare. He refuted Marcus Ranum’s 2007 statement at HITB Malaysia that cyber warfare is an overrated issue, by calling out several examples of contemporary cyber war. He illustrated how it may not just affect nation-states but its conflicts of interest can affect industries and individual corporations as well.

Reverse engineers in the audience welcomed Sebastian Porst from Zynamics. He spoke about REIL, their Reverse Engineering Intermediate Language, and more specifically how it can be used to optimize static binary code analysis. They actually used one of our vulnerabilities, the Windows Server Service vulnerability patched in MS08-067 (read more about it here and here) to illustrate how their tool works. This was definitely a topic many of our own engineers are deeply interested in.

Another well received talk came from Wes Brown of IOActive. He provided a good primer on analyzing malicious code, and gave it a twist by describing how languages, Unicode, and even culture all make a difference and make the reverse engineer’s work just a wee bit more difficult.

At the end of the conference, Microsoft sponsored the sunset Post-Conference Reception, which allowed for more valuable networking opportunities.

Sometimes dealing with security incidents and vulnerabilities can feel like marching across a desert. Confidentiality is an unspoken requirement, and often you can only rely on your own senses, knowledge and intuition. It is a great thing that just like in Dubai, there are watering holes where we can come together and rely on each other implicitly, sharing information and improving the state of the art in our business. Thanks, Hack in the Box, for a great conference, and we’ll see you next time. Ma’a salama.

[Editor's note: check out the BlueHat Blog for another Microsoft perspective on HITB-Dubai]

Handle:
Cap'n Steve

IRL:
Steve Adegbite

Rank:
Senior Security Program Manager Lead

Likes:
Reverse Engineering an obscene amount of code and ripping it up on a snowboard

Dislikes:
Not much but if you hear me growl…run

Hey, Steve here. Just finally settling back in after traveling a bit, meeting up with different parts of the security ecosystem. It was good to get out and see firsthand events like CanSecWest, and most recently Black Hat Amsterdam where I met with security specialists in and around the EU. Now that I am back in the States, I have caught up on my reading. I came across this article about what the US Air Force did to ensure that every computer delivered to them was in a set and secure configuration. This is a great approach and, if you can do it, I highly recommend it because the alternative is to bolt on security at the end, and that is always costly and not fool-proof.

There is, however, a part of the article that is unclear. The article talks about how Microsoft was pressured into releasing special Windows XP versions for only the Air Force and government agencies. This is just not true.

Anyone can build their own “locked down” versions of Windows XP. They are available to anyone and everyone, not just government agencies or the Air Force. The security guidelines used as the basis of these configurations are publicly available as part of the Security Compliance Management Toolkit Series. By the way, I recently reviewed the section about securing Windows XP. These guides have been offered for some time and they are pretty good.

Regular home consumers and system administrators of enterprise IT shops can use these guides to help increase protections for themselves and their environment as part of a defense-in-depth strategy. If enterprise IT shops use these guides as a baseline for providing preconfigured workstations to their customers, or if they later configure the workstations via scripts or Group Policy Objects (GPOs) to the secure baseline outlined in the guides, they remove a significant risk point from the enterprise by not introducing insecure workstations into their secure environment.

A workstation can then be adjusted, or left alone, depending on its use or need. This also helps with configuration management: everything in the environment is configured to an established, secure baseline that is current with security updates. Anything else is a deviation and should be segmented or investigated regularly to assess its security.

Another thought for enterprise IT shops is to use these publicly available guides in their procurement process, or directly with desktop hardware suppliers, to ensure that any workstation delivered or purchased comes preconfigured to this secure baseline. This saves time and worry for the IT staff, because any machine joining the network is already in a semi-secure state. I say semi-secure because IT staff would still need to ensure that the workstation has all the latest updates from Windows Update, or from a corporate-managed update provisioning server like WSUS.

By following these hardening guidelines, some of the security basics will be taken care of, like enforcing complex passwords by the operating system. This saves time and effort when trying to secure one's own systems. Every little bit does help.
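One way to turn "configured to an established, secure baseline" into something you can actually check, added here as an example and not code from the original post or from the toolkit: export the workstation's local security policy with `secedit /export /cfg policy.inf` (a real command) and compare the export against a table of expected values. The threshold values in `BASELINE` and the sample export are illustrative assumptions constructed for this example; take the real settings from the guide you adopt.

```python
"""Check an exported Windows local security policy against a hardening baseline.

On the workstation, the policy is exported with
    secedit /export /cfg policy.inf
and the resulting INF text (the file is UTF-16; open it with encoding="utf-16")
is passed to check_baseline().
"""
import configparser
from typing import Callable, Dict, List, Optional, Tuple

# (section, setting) -> (predicate on the integer value, description of the baseline).
# The thresholds are illustrative assumptions for this example, not the toolkit's
# published values; take those from the guide you adopt.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
BASELINE: Dict[Tuple[str, str], Tuple[Callable[[int], bool], str]] = {
    ("System Access", "MinimumPasswordLength"): (lambda v: v >= 8, ">= 8 characters"),
    ("System Access", "PasswordComplexity"): (lambda v: v == 1, "1 (complexity enforced)"),
    ("System Access", "PasswordHistorySize"): (lambda v: v >= 24, ">= 24 passwords remembered"),
    ("System Access", "LockoutBadCount"): (lambda v: 1 <= v <= 10, "1 to 10 (lockout enabled)"),
    ("System Access", "EnableGuestAccount"): (lambda v: v == 0, "0 (Guest disabled)"),
    ("System Access", "ClearTextPassword"): (lambda v: v == 0, "0 (no reversible encryption)"),
    ("Registry Values", LSA + r"\LmCompatibilityLevel"): (lambda v: v >= 3, ">= 3 (NTLMv2 only)"),
}


def parse_secedit_export(inf_text: str) -> Dict[Tuple[str, str], str]:
    """Map (section, setting name) -> raw value for every line in a secedit INF export."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep the case of setting names and registry paths
    parser.read_string(inf_text)
    return {(section, name.strip()): value.strip()
            for section in parser.sections()
            for name, value in parser.items(section)}


def setting_value(raw: str) -> int:
    """Convert a raw value to an int. [Registry Values] entries are 'type,data';
    only REG_DWORD (type 4) is meaningful to compare numerically."""
    if "," in raw:
        reg_type, raw = raw.split(",", 1)
        if reg_type.strip() != "4":
            raise ValueError(f"not a REG_DWORD: type {reg_type}")
    return int(raw.strip().strip('"'))


Deviation = Tuple[str, str, Optional[int], str]  # (section, setting, actual or None, baseline)


def check_baseline(inf_text: str, baseline=BASELINE) -> List[Deviation]:
    """Return every baseline setting that is missing, unparseable or out of range."""
    policy = parse_secedit_export(inf_text)
    deviations: List[Deviation] = []
    for (section, name), (ok, wanted) in baseline.items():
        raw = policy.get((section, name))
        if raw is None:
            deviations.append((section, name, None, wanted + " (not set)"))
            continue
        try:
            actual = setting_value(raw)
        except ValueError:
            deviations.append((section, name, None, wanted + f" (unparseable: {raw!r})"))
            continue
        if not ok(actual):
            deviations.append((section, name, actual, wanted))
    return deviations


# Constructed sample export (not from a real machine): short passwords, lockout
# disabled and LM compatibility left at an old default.
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
EnableGuestAccount = 0
ClearTextPassword = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for section, name, actual, wanted in check_baseline(SAMPLE_EXPORT):
        print(f"[{section}] {name}: found {actual}, baseline {wanted}")
```

A setting that is absent from the export is reported as a deviation rather than silently passing: a machine that never received the policy looks exactly like one that had it removed, and both belong in the "investigate or segment" bucket described above.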

As I said earlier, these security configuration guides are public and located here: Security Compliance Management Toolkit Series. We would love to hear feedback on the guides. You can contact the team that created them directly at secwish@microsoft.com.

'Till next time,

Steve


Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

I recently returned from the second iteration of the SOURCE Boston computer security conference, and I must say, it was both an intimate conference of fewer than 250 folks and a high-caliber gathering. As with other conferences that the Microsoft Security Response Center (MSRC) co-sponsors, we see these forums as opportunities that highlight relevant research and showcase how individual strategies can intersect to offer substantial benefits and positive-sum outcomes.

For those of you not familiar with SOURCE, the conference combines business technology and application security tracks over three jam-packed days of presentations from experts in the field. This was the first time that a Security Start-Up Showcase (for all of you VCs/start-up folks out there not taking this economy to heart ;), Discussion Groups, and a Product Education Track were added to the already buff line-up. The attendee makeup was approximately 35 percent security professionals, 30 percent executives (chief officers), 10 percent independent security researchers, 10 percent administrators, 10 percent press, and the remainder students/other.

Although there were more talks that sparked my interest than I was able to attend, I did attend some very insightful tracks. One such talk that appealed to me was a panel called The Partial Disclosure Dilemma hosted by Ryan Naraine with SMEs like Dan Kaminsky, Ivan Arce, Katie Moussouris, Dino Dai Zovi, and Alexander Sotirov. For a deeper dive on this subject from the only vendor on the panel, check out Katie’s blog and hear her stress how, "We need more collaboration between those who say the sky is falling, and those upon whom the sky will fall." Throughout this two-hour showdown it was apparent that sometimes finding a vulnerability and creating an update is only part of the picture. Often, there has to be a coordinated fix with other vendors and the solution then has to be deployed to protect critical infrastructure. While folks could agree to disagree on the bulk of disputed points, for the most part everyone believed that the industry has got to move forward trusting each other with a more productive and transparent process, whether it be through more peer review among researchers or other communicative and joint mediums. I got a moment of pleasure hearing David Mortman speak out from the audience to say, "I apply MS Patches right away because I know they are going to work and not break anything." W00t!

An earlier talk, How Microsoft Fixes Security Vulnerabilities: Everything you wanted to know about the MSRC Security Update Engineering Process, painted a clear picture of the different ways we find variants and work on mitigations and workarounds as part of the Microsoft response process. This talk answered the fascinating question, "How come some of your in-band updates take a long time, but sometimes you can produce an out-of-band update in a matter of days?" Dave Midturi, Jonathan Ness, and Mark Wodrich dove into some great case studies that contrasted in-band and out-of-band updates to answer that ever-popular question. For those of you that missed it, I strongly suggest checking it out in the next couple of weeks, once it is available on the con site, so you can see first-hand what goes into a Microsoft Security Update, and how some 200,000 non-spam e-mails that come in to secure@microsoft.com per year result in approximately 70 bulletins.

All in all, there was a broad range of topics covered that left me simultaneously scared, inspired and contemplative, and I think that sums up exactly what I’m looking for in a security con. And as an added bonus, the con was hosted harbor-side in Beantown, not far from Mike’s Pastry cannoli and some good old-fashioned American history; tea anyone?

-Celene Temkin


Handle:
Security Blanki

IRL:
Sarah Blankinship

Rank:
Senior Security Strategist Lead

Likes:
Vuln wrangling, teams of rivals, global climate change - the hotter the better

Dislikes:
Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

CanSecWest, in beautiful Vancouver BC, is one of my favorite conferences each year. It’s a cozy little security con that brings together security researchers from all parts of the security ecosystem. Like a PhNeutral or a BlueHat, one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. We’ll be presenting new security innovations and new tools, we’ll be watching Pwn2Own closely for possible hacks, and we’ll be happy to discuss our industry best practices in the hallway track.


Security gatherings such as this allow the ecosystem to exchange information and awareness in order to become more secure. The more we know about the attacks, the better prepared we can be on defense. Presentations like Matt Miller’s “The Evolution of Microsoft's Exploit Mitigations” and Jason Shirk and Dave Weinstein’s “Automated Real-time and Post Mortem Security Crash Analysis and Categorization” demonstrate that as Microsoft learns more about an attack, we incorporate this information into techniques and tools that we share with our developer community. Stay tuned for more news and posts throughout the show.


Again this year, CanSecWest features the Pwn2Own contest – a contest that pits researchers against technologies to see whether technology or human wins. It’s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem – it’s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams’ efforts. You can’t hide from the truth (wishing doesn’t make it so) and every issue is an opportunity to learn and improve.

We recognize that all vendors’ products may be found vulnerable and Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering. We also see that Pwn2Own provides an opportunity to educate the public and we believe it can showcase Microsoft’s security engineering efforts, both relative to our competitors and in an absolute sense.

The security community is offering knowledge of attacks and defenses that consumers and other vendors can use to stay safe or create more secure products. The rest of the story – and an additional measure the security community could use to evaluate vendors’ products – is what happens after the contest ends. Rest assured Microsoft will take this information and apply it towards securing our networks, platforms and applications (hopefully before they ship), and towards creating the strong response processes and engineering discipline that are necessary for our communal security. And as always, the MSRC is ready to investigate any vulnerabilities that researchers might find during the Pwn2Own contest.

By the end of the contest, co-sponsor Tipping Point will be the owners of many new vulnerabilities. They value the protection of their customers and will need to work with their partners in the security ecosystem to make sure everybody is protected as quickly as possible (one more way consumers benefit).  One of the goals of responsible disclosure is for the vulnerability details to emerge at the same time that an update is available from the vulnerable vendor. The CanSecWest conference organizer also has a responsible disclosure policy, as do all of the conference organizers that the EcoStrat team is able to support worldwide each year.


Although innovative contests put some of us in a place that is not always comfortable, it’s valuable for the ecosystem to come together with contests like Pwn2Own and Iron Chef Black Hat, to better understand and solve common issues.   It’s yet another example of the “team of rivals” strategy.  Let the contest begin!

-Sarah


Handle:
StoneZ

IRL:
Adrian Stone

Rank:
Senior Security Program Manager Lead

Likes:
Predictive Analytics, Game Theory, Databases, Sports Cars, NFL Football, Direct People

Dislikes:
Losing, Liars, Posers, No Talent Clowns

As the newest member of the EcoStrat Team, I guess I will start with the basics. I am Adrian Stone. I have now been in the Microsoft Security Response Center (MSRC) almost four years. My current job, you ask? I work to make sense of the random and controlled chaos that is the MSRC. If my team and I do our jobs right, we often find nuggets of gold buried in the middle of it all. I have often joked that MSRC is like a box of chocolates. You never know what you’re going to get from one day to the next:

A new 0-day released into the wild?

A hard engineering security issue that affects vendors throughout the ecosystem?

Someone “hacked” your password and stole your MSN Messenger Account?

Aliens are reading your e-mail from the planet Remulak?

Yeah, my team gets them all. And we engage the right people and the right parts of the MSRC process to handle the issue.

I manage the part of the team that is responsible for reading every e-mail that comes into the secure@microsoft.com e-mail address, which is usually the entry point for vulnerabilities that are responsibly disclosed to us by external security researchers. In 2008, we reached a new benchmark: 75% of the vulnerabilities we received were reported to us through responsible disclosure. The vast majority of those reports were sent to secure@microsoft.com. On average, we receive around 200,000 legitimate e-mails a year, including reports that range from the very real security issue to the absolutely bizarre. Of course, this number does not include the spam, which still requires individual verification to make sure that filtering hasn’t caused us to miss a potential report, something that can easily happen with foreign-language, Unicode-based text.

If we grow complacent or don’t dig into a report, we run the risk of missing a potential security issue. Often we will engage with the security researcher to ensure we understand the concern or the type of issue from their point of view. There are no auto-responders in our world. I can attest to the fact that a person with a qualified security background is sorting through it all 365 days a year. Mining these e-mail reports in all their various languages, and the data contained within them, is invaluable to help ensure that, like a field medic, we accurately assess and assign the right priority and engage the right product teams within the company to investigate the issue more deeply. As if all of that weren’t enough to keep us focused, we also monitor various other resources for signs of issues that may impact the security of Microsoft’s customers.

Another component of my team is responsibility for the MSRC’s infrastructure and data analysis to make sure that what we learn about a vulnerability report, and the corresponding fix, can be leveraged to improve future products through the efforts of our colleagues in the Security Development Lifecycle (SDL) Team.

Ultimately my team serves as the bookends to the process driven by the Security PMs and the Release Team that starts with vulnerability disclosure and ends with what most of our customers see as the monthly security bulletin release.

I also serve as Editor in Chief of our security bulletins and advisories. It’s the part of my job whose end result most of our customers see in their day-to-day operations. The security bulletins and advisories serve as the vehicle by which we notify our customers of a newly uncovered vulnerability in our products and the steps that they can take to remediate the issue. Just as security vulnerabilities are an issue that spans the industry, so is the use of bulletins and advisories to communicate them. Sometimes, though, calling something a bulletin or an advisory is where the similarities in communication begin and end. The rest in between can be anyone’s guess.

The content of a security bulletin or advisory can vary wildly from one vendor to another. The accuracy and the depth of detail about the underlying vulnerability and the potential mitigations and workarounds differ by vendor. The data sets and terminology may be completely different. For example, what one vendor may call a remote code execution issue may be referred to as a remote elevation of privilege vulnerability by another. This could leave a customer asking: "Are these things the same or aren’t they? Which one is worse?"

As you can see, this leaves the customer trying to decipher the different nuances in terminology, technical documentation, and the content itself. Eventually all of the information in its various forms is digested by customers to perform a risk analysis and execute a risk remediation plan. This is often a very manual task requiring cross-referencing of vulnerability identification numbers and comparing differing and competing scoring systems. At best, it is time consuming; at worst, it can be a total pain if you are dealing with a heterogeneous computing environment supported by different vendors. We constantly leverage focus groups and mine the feedback on our security bulletin and advisory content that we receive from customers and partners to optimize and improve its usability. While this helps us and our customers with respect to the information we provide, it unfortunately does not address the various nuances from vendor to vendor for the customer.

This brings me to a project that I am involved in that has been started by ICASI members: to create an industry-wide Common Vulnerability Reporting Framework (CVRF) with regard to how we present vulnerability data and articulate security-related issues. The CVRF end goal is an extensible XML framework that can be easily parsed by both humans and tools. The benefit for both vendors and customers is that some of the ambiguity is removed for consumers of the data. The structure can be leveraged by vendors to help streamline the data recording they need internally to help identify and develop updates to address security vulnerabilities.

While the project is still in its infancy, it is awesome to see it getting traction and the various members working together to solve a problem that, prior to my coming to Microsoft, was the bane of my existence as a Security Analyst. I wish I could say I escaped it when I received my card key to the building, but the truth is it now occupies my thoughts as a member of the MSRC for a very different set of reasons. Now it regularly presents challenges for my team in how we manage the flow of our vulnerability data within the company and externally with partners like Microsoft Active Protections Program (MAPP) members. It is important to note that CVRF is not intended to replace the various scoring methods used to determine the impact of vulnerabilities, but rather to serve as a common framework to structure many of the data elements that such scoring systems use. I can definitely see how CVRF will help us get even better and of course, through this process, we’ll continue our engagement in CVSS and the CVSS SIG. Hopefully, if we do it right, there will be a little more order and a little less chaos in the security ecosystem. That can be as valuable and as rare as refined gold on some days.
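As an added illustration (not code from the post, from ICASI or from Microsoft), here is what the tool-side consumer of such a framework looks like: a small parser that reads a CVRF document, resolves product IDs to product names, pulls out the impact, CVSS base score and remediation for each vulnerability, and lists which issues touch a given inventory. CVRF had not been published when this post was written; the element names and namespaces below are those of the later CVRF 1.1 schema, which the example assumes, and the sample document, its product names, document ID and CVE numbers are constructed placeholders. The impact text is kept exactly as the vendor wrote it, which is the terminology gap the framework makes visible rather than resolves.

```python
"""Pull the fields a risk analyst needs out of a CVRF 1.1 advisory."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# CVRF 1.1 namespaces (the schema ICASI published after this post was written).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}


@dataclass
class VulnSummary:
    ordinal: int
    cve: str
    impact: str           # the vendor's own impact wording, e.g. "Remote Code Execution"
    base_score: float     # highest CVSS base score the vendor gave for the issue
    affected: List[str] = field(default_factory=list)      # product names, not IDs
    remediations: List[str] = field(default_factory=list)  # e.g. "Vendor Fix", "Workaround"


def parse_cvrf(xml_text: str) -> Tuple[str, List[VulnSummary]]:
    """Return (document ID, one summary per Vulnerability element)."""
    root = ET.fromstring(xml_text)
    doc_id = root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
                           default="", namespaces=NS)
    # ProductID -> human-readable name, wherever the name sits in the ProductTree.
    names: Dict[str, str] = {p.get("ProductID", ""): (p.text or "").strip()
                             for p in root.iterfind(".//prod:FullProductName", NS)}
    vulns: List[VulnSummary] = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        impacts = [t.findtext("vuln:Description", default="", namespaces=NS)
                   for t in v.iterfind("vuln:Threats/vuln:Threat[@Type='Impact']", NS)]
        scores = [float(s.text) for s in
                  v.iterfind("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", NS) if s.text]
        affected_ids = [p.text for p in v.iterfind(
            "vuln:ProductStatuses/vuln:Status[@Type='Known Affected']/vuln:ProductID", NS)]
        vulns.append(VulnSummary(
            ordinal=int(v.get("Ordinal", "0")),
            cve=v.findtext("vuln:CVE", default="", namespaces=NS),
            impact=impacts[0] if impacts else "Unspecified",
            base_score=max(scores, default=0.0),
            # An ID missing from the ProductTree is kept verbatim so the defect is visible.
            affected=[names.get(pid, pid) for pid in affected_ids],
            remediations=[r.get("Type", "") for r in
                          v.iterfind("vuln:Remediations/vuln:Remediation", NS)],
        ))
    return doc_id, vulns


def affecting_inventory(vulns: List[VulnSummary], inventory: List[str]) -> List[VulnSummary]:
    """Issues that touch products you actually run, worst CVSS base score first."""
    owned = set(inventory)
    return sorted((v for v in vulns if owned.intersection(v.affected)),
                  key=lambda v: v.base_score, reverse=True)


# Constructed sample document: placeholder IDs, product names and CVE numbers, none real.
SAMPLE_CVRF = """\
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Vendor Security Bulletin</DocumentTitle>
  <DocumentType>Security Bulletin</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking><Identification><ID>EXAMPLE-001</ID></Identification>
    <Status>Final</Status><Version>1.0</Version></DocumentTracking>
  <prod:ProductTree>
    <prod:Branch Type="Product Family" Name="Example Desktop OS">
      <prod:FullProductName ProductID="P-1">Example Desktop OS (32-bit)</prod:FullProductName>
      <prod:FullProductName ProductID="P-2">Example Desktop OS (64-bit)</prod:FullProductName>
    </prod:Branch>
    <prod:FullProductName ProductID="P-3">Example Server OS</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P-1</vuln:ProductID><vuln:ProductID>P-2</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Known Not Affected"><vuln:ProductID>P-3</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Threats><vuln:Threat Type="Impact"><vuln:Description>Remote Code Execution</vuln:Description></vuln:Threat></vuln:Threats>
    <vuln:CVSSScoreSets><vuln:ScoreSet><vuln:BaseScore>9.3</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix"><vuln:Description>Apply the update</vuln:Description></vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:CVE>CVE-0000-0002</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P-3</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Threats><vuln:Threat Type="Impact"><vuln:Description>Elevation of Privilege</vuln:Description></vuln:Threat></vuln:Threats>
    <vuln:CVSSScoreSets><vuln:ScoreSet><vuln:BaseScore>7.2</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets>
    <vuln:Remediations><vuln:Remediation Type="Workaround"><vuln:Description>Restrict access</vuln:Description></vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>
"""

if __name__ == "__main__":
    doc_id, vulns = parse_cvrf(SAMPLE_CVRF)
    for v in affecting_inventory(vulns, ["Example Desktop OS (64-bit)"]):
        print(doc_id, v.cve, v.impact, v.base_score, v.affected, v.remediations)
```

Because the framework separates the product tree, the per-product status and the scoring from the prose, the same loop works for any vendor's document; the remaining manual step is reconciling the impact strings across vendors, which is exactly the terminology problem described above.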

Later,

-A


*Postings are provided "AS IS" with no warranties, and confers no rights.*

Sveika! Hey Steve here, been a while since I posted on the EcoStrat blog. With all the security events that happened during the latter half of 2008, I have been very focused on working with the security update releases and Microsoft Active Protections Program (MAPP).

Handle:
Cap'n Steve

IRL:
Steve Adegbite

Rank:
Senior Security Program Manager Lead

Likes:
Reverse Engineering an obscene amount of code and ripping it up on a snowboard

Dislikes:
Not much but if you hear me growl…run

You are probably wondering what an EcoStrat guy has to do with security updates and other technical deliverables. Well, I want to take a moment to explain why this makes sense. Before taking on the role of working with the monthly security release team and the MAPP program team, I primarily worked with the partner outreach team, managing ecosystem changes through industry partnerships. The partner outreach team’s goals/focus, within the scope of the EcoStrat team, is to work with industry to establish partnerships and initiatives to protect consumers. One of the most visible results is the MAPP initiative. This is a program that works with the security industry ecosystem to create an effective conduit for inbound and outbound information flow.

This was a large effort to affect ecosystem change externally, but what about internally? Microsoft is a large company that has an interesting culture and ecosystem of its own with developers, technology evangelists, security engineers, program managers, marketers, etc.

It became very clear that external ecosystem changes weren’t going to be enough without an effort focused on internal ecosystem changes as well. We needed a number of ways to effectively drive internal change with information we were getting from the external ecosystem while still following one of our core tenets to focus primarily on efforts that protect customers. One way we can do that is by releasing monthly security updates. Within the Microsoft Security Response Center (MSRC), we have an exceptional security release team that manages this large and complex effort. The team’s main focus is to make sure quality security updates are delivered to customers in a consistent manner. We noticed that a way to accomplish this was to become what we call “change agents.” Change agents influence change on a large scale most of the time without the formal authority to do so. This made sense as the release team manages the monthly release via a process that doesn’t have them building/owning any binary packages for release. They effectively were driving ecosystem changes just internally. So it made sense to have someone bridge both the internal and external sides of ecosystem change efforts.

So I’m grateful, and excited, to be in a position to work on both sides of the coin to effect change. And, I get to work with folks currently managing MAPP and the security release every month to help make these changes possible. Their good work also makes it possible for me to leave Redmond and engage directly with the community in crucial industry events. Just recently, I had the chance to jump back into my partner outreach role within the EcoStrat team and had the chance to travel.

I am starting to really understand the need to be multicultural in the job we do here on the EcoStrat team. Many times it’s the cultural differences that sometimes make or break the security messages we are trying to get across. This is one reason why this team travels a lot to target every place that Microsoft technologies are prevalent. It’s also the number one reason why I pick myself up and out of the day-to-day operations to understand these differences.

Last month, I got to put back on my FIRST Steering committee hat, and I traveled to the beautiful but cold city of Riga, Latvia. The FIRST Steering Committee has four meetings a year to get work done for its members. We usually use the technical colloquiums (TC) as good times to get together and partake in the great “watering hole” activities described in Andrew Cushman’s last blog.

The TC is organized by a local host. The local host for this one was the Trans-European Research and Education Network Association (TERENA) computer security incident response team (TF-CSIRT). TERENA is an organization that focuses on offering a forum to collaborate, innovate and share knowledge in order to foster the development of internet technology, infrastructure and services for the research and education communities. The presentations and training at the TC serve to educate security teams, highlighting new techniques to deal with relevant computer security issues. Usually I get to just sit back and enjoy the presentations, but this time was a little different. The majority of the presentations were centered on the latest Conficker worm. Not familiar with it? Well, cruise on down to the following Microsoft Conficker page and relevant posts on the MSRC and MMPC blogs.

Being the lone Microsoft guy and a member of the Steering Committee was very interesting to say the least. After this conference, I personally know almost every European CERT or CSIRT contact after fielding some good and frank questions about Conficker.

Like I said, I spent most of the day fielding questions about Conficker and Microsoft’s actions to help security teams in their effort to protect consumers from this threat. Microsoft has a robust process when it comes to our response to issues, so I was well prepared with information that went above and beyond the out-of-band security update that was released for this issue back in October (MS08-067).

Although the frank questioning felt like on-the-spot cavity cleaning, I was extremely happy to have the chance to clear up some of the myths and give some actionable information to these important security stakeholders. It also allowed me to understand information that the MSRC usually doesn’t get a chance to receive first hand. Also, having a response guy from Microsoft at FIRST allowed the security teams to understand that we are taking the problem seriously. One internal ecosystem change that was supported came about from feedback from this trip. One clear feedback item was to make sure that we had a single authoritative source/place for Microsoft efforts on Conficker. This information added more key data points to indicate that the teams in Microsoft managing the Conficker efforts were doing the right thing in moving forward with creating a single place for outlining Conficker resources. This is just one example of using external information to aid in driving change to help the greater ecosystem at large.

My trip wasn’t all fun :-)

There were the 3½ days’ worth of Steering Committee (SC) meetings to decide various organizational things. One major topic was the 2009 Annual FIRST conference (AGM) in Kyoto, Japan. The AGM gives us the opportunity to meet and share presentations on a number of security topics. The logistics of putting on a large conference are mind boggling in my opinion. I am glad to say, I will enjoy watching our own Andrew Cushman figure out some of these issues firsthand as he was named the 2010 Program Chair for the 2010 Annual FIRST conference.

I love the fact that Microsoft makes a point to work with the security community at large and truly values community-based defense. Our consistency and trusted relationships make it much easier to have the conversations at the proverbial “watering holes” to get messages across to the security ecosystem that we do care and take the job of securing customers at all levels as our main priority.

Now that I am settling back into a groove, I look forward to heading out and doing more in my EcoStrat role. Stay tuned for more from me as I travel to CanSecWest and Black Hat Europe.

Later...

Steve “Capt Steve” Adegbite



Microsoft has been talking about community-based defense for some time now. This week, I want to provide a personal dimension to the campaign, and give an update on recent activities. Curiously, as I started to write this post, a couple of phrases popped up, which despite being somewhat trite, seemed appropriate – "change is constant" and "the more things change the more they stay the same."

Handle:
The Crushman

IRL:
Andrew Cushman

Rank:
Security Director

Likes:
Cranberry juice (thanks Jay!)

Dislikes:
Super helpful hotel desk clerks (thanks Raoul?)

Over the last few years, my outreach efforts have expanded beyond the security researcher part of the security ecosystem to include CERTs and other guidance providers, as well as security organizations and companies. My most recent past and upcoming activities give a view of this.

Before we get into the trip report, though, I want to spend just a second on a couple of guiding principles and introduce some vocabulary.

I attend a lot of conferences around the world. A number of years ago, I started referring to them as “watering holes” – like watering holes security conferences are the places in the ecosystem that attract a diverse population focused on a common need. The most interesting conferences are the ones with the best “hallway track” – the ones that attract the most diverse and most interesting attendees also typically generate the most interesting hallway (or after hours) discussions.

My objective in attending conferences is twofold. I want to foster community support, help make connections between Microsoft and different parts of the ecosystem, and make bridging connections between parts of the ecosystem that might not otherwise mingle. Secondly, I want to stimulate conversation about shared problems, ensure attendees understand what Microsoft is doing and promote discussion about collaborative solutions.

In December, I was in Sao Paulo at the DISI 2008 – Dia Internacional de Segurança em Informática; an event co-hosted by the Brazilian Army and FIESP – the Industry Federation of the State of Sao Paulo. This conference was interesting because of the community it brings together and the challenges unique to Brazil. I presented last year and delivered an embryonic call to action for community-based defense. I was very pleased to be able to return a year later and give an update that showed Microsoft’s progress. I pointed to programs like the Microsoft Active Protections Program (MAPP), the Industry Consortium for Advancement of Security on the Internet (ICASI), the Exploitability Index and Microsoft Vulnerability Research (MSVR) to demonstrate that we are walking the walk.

January found me in California at a Bay Area security confabulation whose theme was “Partnerships: finding ways to energize a common defense.” The attendees came from across the industry and the security ecosystem. I found the hallway track(s) exceptionally valuable and especially enjoyed the discussion and presentations on cloud computing security. I presented on ICASI, and gave a behind the scenes look at its goals, formation, and current state. Microsoft, along with Cisco, IBM, Intel, and Juniper formed ICASI in 2008 to drive excellence and innovation in security response and to promote effective industry collaboration to address the rising tide of multi-vendor security issues.

Also in January, I volunteered (and was accepted :-)) to be the Program Chair for the 2010 conference organized by the Forum for Incident Response and Security Teams (FIRST). I’m a relative newcomer to the FIRST family and realize I have a fair amount to learn – the education starts at the next Steering Committee meeting in Miami and continues at the FIRST 2009 conference this June in Kyoto. I am very pleased by the warm reception and the opportunities this group has to influence and drive positive ecosystem change.

I also took on a new role within TwC Security in January. I handed over responsibility for the monthly security update releases to Mike Reavey in order to better focus on understanding and addressing emerging security threats. The new job is completely different, yet very much still the same. You’ll continue to see me at conferences around the world, I’ll continue to be active in the industry and ecosystem and I’ll continue to promote dialog about the changing threat landscape and what Microsoft can and should do to strengthen Community Based Defense.

-Andrew



Handle:
C-Lizzle

IRL:
Celene Temkin

Rank:
BlueHat Project Manager

Likes:
Culinary warfare, BlueHat hackers and responsible disclosure

Dislikes:
Acts of hubris, MySpace, orange mocha Frappaccinos!

Goodbye 2008, hello 2009! Over the past year we, the MSRC EcoStrat team and all-up TwC Security, have been a lot of places, seen a lot of people, and picked up a lot of t-shirts :-). On the road, we work hard to create more opportunities for technical information exchange in strategic ways. One way is by co-sponsoring security conferences in various geographic hotbeds to support the de-mystification of global threats and security threats through education. Another way is by presenting candid talks and having open conversations in order to create channels for productive information exchange on common threats between the security industry, governments and researchers.

Most recently, members of TwC Security were in Berlin at the 25th Chaos Communication Congress, CCC (25C3). CCC is not a purely security-oriented conference; it touches on topics that are relevant to society in general, i.e., voting, cryptography, ethics, privacy, et cetera, which makes its reach truly unique. Among others, Bruce Dang and Dave Tamasi were joined by Joe Hemmerlein (Netherlands) as Microsoft representatives. From our perspective, many of the attendees of this con seem to be huge fans of Linux/*BSD and open source software in general.

Bruce Dang had the opportunity to present his talk on “Methods for Understanding Targeted Attacks with Office Documents,” which was well-received. To hear quotes like “The crowd loved this guy” and “Bruce Dang’s talk and the conversation afterward was one of the highlights of the Congress for me” is exactly the kind of stuff we like to write home and tell Mom about. (Use your favorite search engine to query “Bruce Dang CCC talk” to read more great community feedback about Microsoft at CCC, or visit the MMPC blog for more stories about surprising EU community supporters.)

Several folks approached Bruce post-session and applauded Microsoft’s transparency levels, along with the technical level of his presentation. Sure, there were the standard “What’s it like to work at Microsoft?” inquiries, but most responses were how impressed people were that Microsoft hires people to do this kind of work. Apparently one guy even walked up to Bruce and Dave, completely unsolicited, to say, “you have shattered my perception of Microsoft." Wow, you can’t buy publicity like that!

Along with the great comments, we also received some promising recommendations for where our attention and support could have even more impact. We’re all ears, as we are always looking for ways to foster different communities.

Overall, the Microsoft experience at CCC was quite positive; attendees recommended a stronger Microsoft presence, continuing to speak about security research at a deep technical level. We’ve even been receiving e-mails saying that “we changed the audience’s perception of Microsoft.” Sweet, sweet music to our ears!

At the end of the day it sounds like the pizza in Berlin wasn’t half bad, especially when served with one of the best hacker conferences in the world. We also learned some interesting local facts, for example, about a German “ethics hotline.” Say, for example a researcher at CCC has a question about how ethical it is to hack a website, server, whatever. With the handy ethics hotline, simply dial up and ask! Ich bin ein ethical Berliner!


-Celene Temkin



Handle:

Security Blanki

IRL:
Sarah Blankinship

Rank:
Senior Security Strategist Lead

Likes:
Vuln wrangling, teams of rivals, global climate change - the hotter the better

Dislikes:
Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

As we head into this new year, predictions abound in the security ecosystem for 2009. The security industry talking heads all have opinions; there is no shortage of issues to be concerned about: more malware, more targeted attacks, better phishers and more vulnerabilities in all software and hardware. The responsibility of trying to secure the planet (together) feels so massive when every region, every country, every platform, every browser has different issues.

I'll end this blog post with my own prediction, but first some catching up on some of what's happened since my last post.

At the close of 2008, I got to see some of our good friends and friendly rivals at the Vendor Security Information Exchange briefings in the UK. Thanks to the good folks there for including my presentation with CSS Shanghai colleague, Daniel Wang, on the realities of the Chinese security threat landscape. As with the rest of the world, China is experiencing a rise in malware and attacks from inside and outside the firewall.

From the UK we traveled to China for the XCon Security Conference in Beijing. We were delighted by the talent and the hospitality as we discovered new sights and new foods. We even explored back rooms of a hot pot restaurant with friends and colleagues in Beijing. Bravo for a great security confabulation in China. Many thanks for inviting Microsoft to participate with a Windows 7 security overview by Chris Peterson, director of security assurance, Microsoft Trustworthy Computing (TwC).

I arrived back in Redmond just about the time there was a vulnerability discovery from some of our friends in China. This resulted in releasing out-of-band security update MS08-078. Mike Howard has a great write-up on his blog that goes into fantastic detail about why this vulnerability was so tricky and another reminder that multiple defenses are critical. As with all security updates, MS08-078 is a free download with no check for Windows Genuine Advantage. As much as we like to release our updates on a predictable cycle, we like to keep our customers and partners protected from publicly known vulnerabilities even more.

Please take the time to install this update.

And now back to my own prediction. For 2009, it's not gloom and doom. I predict that in 2009, the security community will pull together like never before.

While we know that vulnerability counts are increasing and malicious actors aren’t going anywhere – we also know that we have trust and community in our security ecosystem. With this foundation and awareness, we can work together, as a community of defenders, to limit our exposure and come together to discuss our alternatives. Small first steps include decreasing overall risk by deploying security updates in a timely manner, providing awareness and defense-in-depth mitigation measures, combined with meaningful technical information exchanges.

As the threats increase across the board, now more than ever, the Microsoft EcoStrat team is working to build and leverage our coalition of defenders. Microsoft has proven time and time again the economic theory that it costs less to get it right the first time than to fix it later. In the MSRC, we see the cost to teams and the company when we have to ship a fix to hundreds of millions of users. We want to help others learn from our experiences.

Together, researchers, protection providers and governments are realizing that we are safer because we collectively know more, we talk more and trust more. We are participating in multi-vendor solutions, collective initiatives to unite and educate our security communities while actively listening to our partners in the ecosystem.

Here’s to a great 2009 and striving together to predict, to prevent, to protect.

Sarah

Release notes:

Have you seen the BlueHat SDL content up on Technet? Dennis Fisher, from TechTarget, says to “Think of it as the technical equivalent of those free online courses from MIT.”

Reality Check! More SDL goodness – Our own Steve Lipner was interviewed on Gary McGraw’s “Reality Check Security Podcast Series.”

Upcoming – look for more ‘stories from the front lines’ from our TwC brothers and sisters who also travel to security conferences in the name of TwC Security.

Upcoming – Tool Release! Stay tuned for more information from CanSecWest Vancouver 2009.



Handle:
Silver Surfer

IRL:
Mike Reavey

Rank:
Director, MSRC

Likes:
Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities

Dislikes:
Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns

Hey folks –

We’ve just released the November Security Bulletins, and that also marks the one-month point after the release of the initial Exploitability Index in October. As a result, we’ve had several questions from customers on “how’s it working?” Well, so far, based off the results from October, and feedback from Microsoft Active Protections Program (MAPP) partners who help check our work before release, it seems to be going pretty well.

October was a large release, with 12 Security Bulletins resolving 21 vulnerabilities, one of those being an out-of-band release.

First – our main measure for success is to make sure we avoid rating something in the index “lower” than it actually should be once under full public review. This is our main concern because it means that customers would be at a higher level of risk than we communicated by the index. The good news is, one month after release, we’ve not had any issues that fall into this category. This also means that for the four vulnerabilities we gave our lowest ratings, we haven’t seen functioning exploit code in the first 30 days. These include:

- MS08-058 - CVE-2008-3474 - Cumulative Security Update for Internet Explorer

- MS08-058 - CVE-2008-3476 - Cumulative Security Update for Internet Explorer

- MS08-061 - CVE-2008-2251 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

- MS08-065 - CVE-2008-3479 - Vulnerability in Message Queuing Could Allow Remote Code Execution

There were also four security vulnerabilities where we anticipated consistent and functioning exploit code would be released publicly (excluding CVE-2008-2947, which was public at bulletin release), and for which this prediction came true. These include:

- MS08-059 – CVE-2008-3466 – Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution

- MS08-062 – CVE-2008-1446 – Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution

- MS08-066 – CVE-2008-3464 – Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege

- MS08-067 – CVE-2008-4250 – Vulnerability in Server Service Could Allow Remote Code Execution (this was the out-of-band-release)

For each of the aforementioned issues, functioning exploit code was released publicly within the first two weeks. Customers using the index to help make deployment decisions would have been able to anticipate this, prioritize these updates over others, and roll them out within their environment. Before we had the Exploitability Index providing this additional layer of analysis, these security bulletins would have had no special indication that attacks were likely.

This is probably the most significant impact the index can have, as we’ve always said it’ll never be 100% accurate, but that the goal is to give valuable information to help customers make prioritization decisions.

For the remaining five issues that were rated “1 – Consistent Exploit Code Likely,” we’ve not seen functioning exploit code posted publicly. While this may seem like we’re wrong in the prediction, we actually feel pretty good about this.

Let me explain: Some customers express concern that when we released the Exploitability Index, by observing the environment, we’d be changing it. Basically, they were worried that we’d raise the amount of exploit code present in the ecosystem by highlighting the issues most likely to have exploit code developed.

So even though we think it’s likely that functioning exploit code could be released for the remaining seven, the fact it hasn’t means that we’ve not significantly changed the threat environment in a negative way. And we haven’t told customers to worry less about a given vulnerability when in fact, they should have. In fact, it may even be that the increased attention led to faster deployments to protect against these vulnerabilities and that in turn made these less attractive.
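To make the one-month evaluation above concrete, here is an added example in Python (not Microsoft's code) that scores an Exploitability Index release against what was later observed, in the post's own categories, and orders updates the way a customer using the index would. The records are constructed from the bulletins listed in this post; the placeholder record standing in for the unnamed rating-1 issues and the day-14 exploit timings are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Exploitability Index scale in use for the October 2008 release:
# 1 = Consistent Exploit Code Likely, 2 = Inconsistent Exploit Code Likely,
# 3 = Functioning Exploit Code Unlikely (the "lowest" rating the post refers to).
CONSISTENT_EXPLOIT_LIKELY = 1
FUNCTIONING_EXPLOIT_UNLIKELY = 3
REVIEW_WINDOW_DAYS = 30  # the post measures outcomes over "the first 30 days"


@dataclass(frozen=True)
class IndexRecord:
    bulletin: str
    cve: str
    title: str
    rating: int                      # Exploitability Index value, 1..3
    exploit_seen_day: Optional[int]  # days after release that functioning exploit
                                     # code appeared publicly; None if never seen
    public_at_release: bool = False  # issue was already public when the bulletin shipped


# Constructed sample data: the eight bulletins the post names, with outcomes as the
# post reports them. The post only says exploit code appeared "within the first two
# weeks", so day 14 is used as an assumed upper bound. The last record is an obvious
# placeholder standing in for the unnamed rating-1 issues with no public exploit.
OCTOBER_2008: List[IndexRecord] = [
    IndexRecord("MS08-058", "CVE-2008-3474", "Cumulative Security Update for Internet Explorer", 3, None),
    IndexRecord("MS08-058", "CVE-2008-3476", "Cumulative Security Update for Internet Explorer", 3, None),
    IndexRecord("MS08-061", "CVE-2008-2251", "Windows Kernel Elevation of Privilege", 3, None),
    IndexRecord("MS08-065", "CVE-2008-3479", "Message Queuing Remote Code Execution", 3, None),
    IndexRecord("MS08-059", "CVE-2008-3466", "Host Integration Server RPC Remote Code Execution", 1, 14),
    IndexRecord("MS08-062", "CVE-2008-1446", "Windows Internet Printing Service Remote Code Execution", 1, 14),
    IndexRecord("MS08-066", "CVE-2008-3464", "Ancillary Function Driver Elevation of Privilege", 1, 14),
    IndexRecord("MS08-067", "CVE-2008-4250", "Server Service Remote Code Execution (out-of-band)", 1, 14),
    IndexRecord("MSxx-PLACEHOLDER", "CVE-PLACEHOLDER", "placeholder for an unnamed rating-1 issue", 1, None),
]


def exploit_seen_within(rec: IndexRecord, days: int = REVIEW_WINDOW_DAYS) -> bool:
    """True if functioning exploit code was seen publicly within the review window."""
    return rec.exploit_seen_day is not None and rec.exploit_seen_day <= days


def under_rated(records: List[IndexRecord], days: int = REVIEW_WINDOW_DAYS) -> List[IndexRecord]:
    """The failure mode the post measures first: rated unlikely, yet exploited in-window.
    Any entry here means customers were told to worry less than they should have."""
    return [r for r in records
            if r.rating == FUNCTIONING_EXPLOIT_UNLIKELY and exploit_seen_within(r, days)]


def confirmed_likely(records: List[IndexRecord], days: int = REVIEW_WINDOW_DAYS) -> List[IndexRecord]:
    """Rated 1 and exploit code did appear: the prediction came true."""
    return [r for r in records
            if r.rating == CONSISTENT_EXPLOIT_LIKELY and exploit_seen_within(r, days)]


def unexploited_likely(records: List[IndexRecord], days: int = REVIEW_WINDOW_DAYS) -> List[IndexRecord]:
    """Rated 1 but no exploit seen: over-warning, which the post treats as acceptable."""
    return [r for r in records
            if r.rating == CONSISTENT_EXPLOIT_LIKELY and not exploit_seen_within(r, days)]


def scorecard(records: List[IndexRecord], days: int = REVIEW_WINDOW_DAYS) -> Dict[str, int]:
    """One-month "how's it working" summary in the post's own categories."""
    return {
        "under_rated": len(under_rated(records, days)),
        "confirmed_likely": len(confirmed_likely(records, days)),
        "unexploited_likely": len(unexploited_likely(records, days)),
    }


def deployment_order(records: List[IndexRecord]) -> List[str]:
    """Customer-side use of the index: rating 1 first, and within a rating anything
    already public before release first, so those updates roll out ahead of the rest."""
    ordered = sorted(records, key=lambda r: (r.rating, not r.public_at_release, r.bulletin))
    return [f"{r.bulletin} {r.cve}" for r in ordered]


if __name__ == "__main__":
    print(scorecard(OCTOBER_2008))  # {'under_rated': 0, 'confirmed_likely': 4, 'unexploited_likely': 1}
    for line in deployment_order(OCTOBER_2008):
        print(line)
```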

A full list of all the vulnerabilities, Bulletin Severity Ratings, and Exploitability Index ratings, along with “how we’ve done” is listed below. As always, you can find the Exploitability Index on the Security Bulletin Summary page each month. You can even find additional supplemental information by referencing our Frequently Asked Questions and How to Use the Exploitability Index on several Microsoft Web sites.

We’ll continue to watch how we’re doing in providing this information, and make an effort to engage more with the community to help us check our work.

However, one month in, based on the data and feedback from customers, it looks like the Exploitability Index is panning out to be a very helpful tool for customers.

[Table image: all October 2008 vulnerabilities with their Bulletin Severity Ratings, Exploitability Index ratings, and results]

- Mike Reavey




Handle:

Security Blanki

IRL:
Sarah Blankinship

Rank:
Senior Security Strategist Lead

Likes:
Vuln wrangling, teams of rivals, global climate change - the hotter the better

Dislikes:
Slack jawed gawkers (girls are geeks too!), customers @ risk, egos

As part of the quest to help "secure the planet", our team travels over this planet a lot, and I wanted to highlight a few of the interesting security gatherings I've been to lately.

September brought sunshine and the Executive Women’s Forum (EWF). An all-women’s security event was completely refreshing and a great contrast to the usual technology scene. In addition to the great technical content, it’s always a treat to discourse with others who see computer science as a social science. Mary Ann Davidson’s blog post about synthesis had some great insights:

One of the things I have been doing some thinking and speaking about is the idea of synthesis. More specifically, the lessons we can learn in IT security from other disciplines, such as business, economics, history (especially military history and strategy) and biology.

Hey, those are social sciences (except for biology, although its neighbor epidemiology counts). She also mentions strategy which is a subject close to my heart. :-)

Additionally, I had a chance to break bread with former colleagues and friends from around the planet. I got to hear from women starting their own companies or in amazing roles at their organizations -- women whom I would want as mentors, colleagues and partners. It was also eye-opening in terms of the old school/new school debate among women decision makers, the parallels we see in the male-dominated environments, centered around the question of whether it's possible to solve security ecosystem problems through regulation. The security ecosystem is like the weather – you can’t predict or control it – but you want to be prepared for it. EWF presents an opportunity to continue educating and networking with this community about the risk environment and how to mitigate threats, concurrent to ongoing policy, privacy and regulation initiatives.

One of my personal goals is to (paraphrasing a line on a favorite greeting card) "build bridges and help people get over them." One of those goals was realized when, in October, the Microsoft Security Response Center (MSRC) and friends went down to the Southern hemisphere for some mmmm BA-Con. Even better than bacon, was the gathering of some mavericks, if you will, including Argentinean security superstars and underground up-and-comers. The conference was the culmination of years of conversations and grassroots community partnerships between traditional "rivals": Core Security, well-known in the attack tool community, in alignment with our team and other protection providers.

An interesting trend we’ve noted: alongside traditional security conferences, we are starting to see the development of "micro-communities" thriving around the world with different parts of the security ecosystem overlapping. Just as Black Hat has its Defcon, the security conferences worldwide are realizing the value of leveraging different and respected security communities. BA-Con has ekoparty Security Conference and Xcon has XKungfoo, both great examples of diverse communities collaborating. Mary Ann’s post talks about the risks of a lack of "biological diversity”. By contrast, the collaboration between these communities provides illustrations of diversity from a social science perspective: language, organizational affiliation, age.

Each year, we also have the pleasure of *not* traveling, and welcome members of the security community here to the Microsoft Corporate Campus for BlueHat. Ask the BlueHat network of past speakers, or catch some of the great recent blog posts: one of the most interesting watering holes in software security is @BlueHat. Thanks to all who have helped us grow from a friendly little hacker con to a platform to educate the broader security community with the BlueHat: SDL Sessions, to give back to the developer population by releasing developer tools, and for building more relationships toward community-based defense.

A lot of people are surprised that we don't make a bigger deal out of BlueHat by inviting the press in. Even though BlueHat is a great story, that's not primarily how we see it. It is a network, a voice for the community, a platform to launch people, research and ideas. The interactions are different, somehow more open and sincere when folks don’t have a press audience or "preconditions". The good stuff and paradigm shifts that come out of BlueHat in the form of new awareness, collaborations and security innovations, will pay off for years to come. We aren’t willing to risk the platform for a press story.

There is a lot of excitement that we are making the BlueHat: SDL Sessions public! That's right; you don’t have to come to BlueHat to watch a great day of security content! Thanks for the feedback and stay tuned for BlueHat: SDL Sessions releasing on TechNet, we’re working on getting them up as soon as we can. And the rumors are true: TwC will release a tool to the public within the fiscal year.

As a part of the MSRC, a big part of our team life these days has been releasing MS08-067* out-of-band. With the update, we are all more secure. That means that many of your security colleagues worked 24 by 7 to get this out to you as quickly as possible.

Throughout my travels, a common theme in these experiences has been the opportunities for shared goals and cooperation from organizations and people usually seen on different sides: security researchers and software engineers, Macs and PCs, browser developers and browser hackers, vendors and competing vendors from the infrastructure to the cloud. BlueHat has demonstrated that well-chosen strategies, while easy to overlook, offer substantial benefits and positive outcomes. It is a great example of "reaching across the aisle" to create those multivendor solutions.

Next: around the world in 14 days. Really!

Sarah

Security EcoStrategist

* As with all security updates, MS08-067 is a free download with no check for Windows Genuine Advantage. For details and a link to the software for your operating system, click here to go to the Microsoft TechNet Security page.

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Handle:
Cap'n Steve

IRL:
Steve Adegbite

Rank:
Senior Security Program Manager Lead

Likes:
Reverse Engineering an obscene amount of code and ripping it up on a snowboard

Dislikes:
Not much but if you hear me growl…run

You've probably heard that we released an out-of-band Security Bulletin for a vulnerability in Windows (MS08-067). By now you have probably also heard of the Microsoft Active Protections Program (MAPP). Let me take a moment to talk to you about how they worked in concert for this issue. As announced at Black Hat in August, prior to release of the monthly security updates, MAPP members receive technical details on vulnerabilities in order to speed the development of protections. Due to the unique threat from this vulnerability and because the issue was released out-of-band, we decided to not only share the information in advance but to also make our security engineers behind the SVRD Blog available for questions with MAPP partners.

During this meeting, we outlined technical details on this update and allowed for more in-depth questions on the information provided. We did this to ensure full understanding of the issue so that timely protections could be provided. We are happy to say it worked nicely, and that most MAPP partners had protections out shortly after the bulletin published and the rest should have their protection available by end of day. If you have questions about which partners have protection, see the links to their pages here.

This is a great example of the kind of community-based defense we discussed at Black Hat and I’m pleased to see us working together to collaboratively protect the ecosystem.

For more information about this release see the MSRC Blog here: http://blogs.technet.com/msrc/default.aspx

Steve “Capt Steve” Adegbite
Handle:
Silver Surfer

IRL:
Mike Reavey

Rank:
Director, MSRC

Likes:
Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities

Dislikes:
Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns

It’s October! And for those who remember Black Hat 2008 in Las Vegas, this means the programs we announced have launched. These programs include the Microsoft Active Protections Program and the Microsoft Exploitability Index, which begin with today's October Security Bulletin Release. Microsoft Vulnerability Research is also continuing to run a formalization of our ongoing efforts as responsible researchers in the community.

Following the announcement, there was a discussion on the Daily Dave security mailing list, where folks wanted to ask us more questions than were asked after we announced our three security programs at Black Hat 2008. We responded, asking folks to send their questions our way.

We didn’t answer some questions from the thread about future product development and our relationships with specific researchers. However, below are answers to questions about the three specific programs announced at Black Hat to make sure folks understand them fully.

We appreciate the feedback on these programs. They are all focused on increasing collaboration and information sharing to tilt the advantage in the favor of the defenders of networks as they combat attackers.

So, here are the questions, and the answers:

Questions about Microsoft Active Protections Program (MAPP)

1. Can you fully define 'offensive' or 'attack' software? Is a security assessment tool that does not exploit categorized as such? Consider a tool like nmap or Nessus, would that discount Fyodor or Tenable?

Of course, absolute definitions in this space are challenging. However, an example of pure offensive or attack software is any software that weakens, for a prolonged or permanent state, the security integrity of a system to either exploit it or pilfer it (steal data, credentials, toe holds for further exploitation (rootkits)). Tools like MPack would be one example I would categorize as a pure attack tool. With that said, Nessus or Nmap (tools many of us here have used when doing security consulting) would not be considered pure offensive/attack tools.

2. What if a company makes multiple products, some aggressive and some passive? eEye or Tenable would be examples, where each has defensive products designed to act as IDS/IPS as well as assessment tools.

We would still allow such a company, provided they met the criteria, in the MAPP. They would still have to abide by the criterion that states that "protections" built with MAPP data must be held until the security update is publicly released. This ensures that someone doesn't get the signature, reverse-engineer it to discover the issue being updated, and then release a proof-of-concept (PoC) for it. Now, I think where you are going is that there is a potential that the same company can use this information in their assessment products prior to the release of the security update. This is correct, but it would be a violation of the MAPP agreement, and if discovered, we would terminate their membership. However, early on we realized that assessment tools play a big role in the enterprise and consumer security space. We will continue to work on this area. Right now, we’re focused on giving customers better active protections as they work to deploy our security updates.

3. What about companies that clearly make defensive products, but also have other questionable activities? Consider TippingPoint which has an IPS solution, but also does the ZDI Initiative, where they share (sell) vulnerability information to their clients.

We would evaluate their defensive business first and do a risk analysis of other activities to ensure that it does not harm the same customers we are trying to protect. This is not a "pure" solution, but it is a real-world one due to the nature of some security firms’ business practices. If at any point any MAPP member is found engaging in activities that hurt our customers, they will be removed immediately.

4. If an organization is found to have leaked information inappropriately, what are the consequences? Being kicked out of the cartel seems like a given, but by potentially putting millions of computers at risk prematurely, would Microsoft also pursue the company legally?

The company would be removed from the MAPP immediately. I can't speak on any legal action but I can imagine our legal department would review the matter. Also, please remember that one of the key operational goals of MAPP is to provide information “just-in-time.” Therefore, any negative actions only have a short window before the updates themselves are released for customers.

5. Would Microsoft comment and give a rough number of companies that have been accepted into MAPP to demonstrate the interest?

The MAPP has been receiving a fair number of applications, as you can guess. We are still processing and getting people officially in, so no definitive numbers are available yet. Rough guesses are still matching up to what I said on the stage: about 20 to 40 companies by launch.

Questions about Microsoft Vulnerability Research (MSVR)

6. Are these people finding third-party vulnerabilities also looking at Microsoft products?

Yes. The people looking for third-party vulnerabilities are primarily in our security engineering teams, and they do look for vulnerabilities in our own products, along with conducting other security research and response activities. Some vulnerability finders within Microsoft are in other teams with other responsibilities, such as in various product teams.

7. Is this done using automated tools (proprietary or otherwise), by hand or a mix?

A mix. An overall goal of MSVR would be to not only help increase security by finding instances of vulnerabilities that are present in third-party software, but also in sharing methods we’ve learned in how to uncover these vulnerabilities. So if we can identify an opportunity, we will also share the principles and methodology we’ve developed as part of the Microsoft Security Development Lifecycle (SDL), which can include tools and manual techniques.

8. What disclosure policy do you adhere to, and is it published?

Our goal is to follow the OIS guidelines, found here: http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf

9. Once the vulnerability is fixed, vendors frequently issue advisories or mention the fix in a changelog and credit the person/company who reported it. Can you cite a single example of this? If not, why not?

Yes, we can. Engineers at Microsoft had been reporting vulnerabilities to third-party vendors long before MSVR was founded. MSVR is both a formalization of how we handle vulnerabilities that are casually found during the course of someone's normal work (as was the case for years), as well as an expansion of research focus to third-party software specifically to look for vulnerabilities. Before MSVR, finders at Microsoft either reported the issues they found to the vendor directly, or asked the MSRC to help them do so. They are individually credited in the affected vendor's advisories. Try searching for Tom Gallagher in some ISVs’ security bulletins.

Question about Microsoft Exploitability Index

10. If there are only a handful of people who can make a reliable exploit for a particular vulnerability (or not) and none of them work for Microsoft, how can Microsoft accurately determine whether an exploit for a particular vulnerability will be somewhat reliable or totally reliable (or not possible at all)?

This question makes a good point, and that is, much of the Exploitability Index accuracy is based on who is doing the work versus a strict scientific methodology. We realize there’s a chance we might not be 100% right all the time. However, we’ve done a few things to try and make sure this index is accurate enough to help realize its goal of giving more actionable information to customers to prioritize their deployment.

First, it’s most relevant for the first two weeks to 30 days after release. Meaning, exploitation science may change, and there may be private methods under discussion, but for customers making deployment decisions, it should provide enough information to help make a more informed prioritization than before. Second, we do have the folks from the Security Vulnerability Research and Defense (SVRD) team working on the vulnerability from its initial report, until the release, and they’ll be assessing exploitability as part of their normal process.

That’s not all, as we’ll also be following methodologies discussed at BlueHat conferences, thus using approaches similar to those the community uses when analyzing our updates. And finally, we’ll leverage the community established through MAPP to check our work before we release the index. With three layers of people and processes, we expect the Exploitability Index to provide valuable information to customers in their decision making.

- Mike Reavey