However, I'm not going to be confined to a single breakout room like I was last year. (ESPNism: "You cannot stop him, you can only hope to contain him.") If you remember, we had such a huge amount of folks wanting to get into the session I did with the FBI that we had to turn some away (fire codes and all that). For my follow-up Q&A session, the room they gave us was incredibly tiny and many missed out on some great info. Based on your feedback, that's going to change....
I suggested to the all-powerful TechEd Content Team that we already have PUH-LENTY of the dreaded and feared Microsoft "Death by PPT" lectures going on, so my suggestion was that we need to breathe new life into the way we do sessions. As you remember, I just spent the past week sitting through a bunch of sessions at RSA 2008 and I started to get "tired head" really fast. (I do have to give major kudos to those of you who suffer as monotone speakers drone on while feeling the need to read every single bullet point they can put in a slide deck. I just don't see how you do it.)
To end the glut of monotonous breakout sessions, I submitted and was approved to do the following at TechEd 2008.....
The Tech-Ed 2008 Security Show
You have spoken and we have listened. You like your colleagues, yet do not feel compelled to stand shoulder-to-shoulder in cramped quarters with them. I am also a man of moderate girth and like my room. "Why don't you move more sessions to the Expo Hall like you did for Marcus Murray's hacker sessions last year, O Microsoft TechEd Masters?" Well, my IT Pro brothers...that's exactly where Kai is headed! I'm going to be delivering not one, not two, but FOUR sessions on the TechEd Online stage!!! You can pull up one of those sweet little beanbag chairs they had last year, and relax....and be prepared to be enlightened as we make this event fun again. "Okay Kai...I've got my beanbag chair...I've got wireless connectivity...and I'm sufficiently fueled with abundant amounts of sugary snacks and carbonated beverages....but what is this new Security Show you speak of?" Well, take a read of the abstract, and then I'll tell you a little about each program:
Does Oprah talk about Botnets?! Gonna hear Tyra use the words "data leakage"? Come watch “The Security Show”, with your host, Kai Axford!! It's fun! It's cool!!
Join Kai as he interviews security experts onstage about today's hot topics, getting the audience involved in the action! This series sets a new standard for doing TechEd!! Come and get your money’s worth! Join us from 1:00PM to 2:00PM Daily!
(The following episodes are proposed and are still awaiting final approval):
- Episode 1 - Meet The Feds!
- We welcome the gun-toting cybercrime team of the FBI, as they sit down and discuss the threats that they are fighting today, provide best practices and techniques for stopping the bad guy, and give you some insight into the deep dark world of computer crime. Get the straight 411 from the guys who fight it daily!
Back by popular demand, I'll be bringing Agent Allyn Lynd from the FBI's Cybercrime Squad back to Orlando, so he can scare... er, inform us as to what is going on in the criminal world. If you want to know about the "underground shadow economy" and who's doing what to whom, and how they're doing it, Agent Lynd is the guy to ask. My plan is to get Agent Lynd to give us an overview of the threat landscape and then open it up to the audience for questions.
- Episode 2 - Stopping James Bond
- Espionage. Secret squirrels. Ninjas. Call them what you will, but yesterday’s international spy is today’s insider threat. Join us for an in-depth discussion with some of the top counterespionage experts in the world, as we hear about how these bad guys are stealing your intellectual property right out from under your noses, and more importantly….how to prevent it.
Well, my original idea was to have a former KGB or GRU intelligence operative come and show us exactly how economic espionage is conducted. However, it's not like I can just call up the Kremlin and ask them to send someone over. The group I reached out to had previous commitments, so they were unable to send anyone. Then I thought, we've all seen how this stuff is done...it'd be nice to hear from the guys who fight this stuff. So I've got a guest speaker from a government organization that deals with this threat daily. They're going to come in and tell you the real deal and how you can protect yourself and your business.
- Episode 3 - Gates, Guards, and Guns
- Today we’re going to be joined by the folks responsible for helping keep the Microsoft IT environment free from physical harm. Believe it or not, physical security of the datacenter is just as important as the other layers of defense-in-depth. Join us as we talk about new topics in the area like IP video surveillance and the convergence of InfoSec and Physical Security. Bring your tin foil hats!
I did a whole webcast series on Defense in Depth, and one of the areas we got a lot of questions on was physical security. As IT Pros we typically don't think much about this other than the whole "laptop lock" or reminders to lock the server closet. With the advent of IP surveillance and more and more stuff moving to a digital format, we need to be concerned not only with what is being captured, but where the captured data is being stored and transmitted. I'm hoping to get the guys who protect the Microsoft campus to come in and talk about this very important aspect of security.
- Episode 4 - A Conversation with Steve Riley
- You know him! You love him! Now hear the wisdom of Microsoft security visionary and world traveler, Steve Riley, as he pontificates on all things security. Steve has delivered some of the best sessions in TechEd history, with his informative and engaging style. You’ll be shocked and amazed, but you won’t be sorry you joined us.
A lot of you are familiar with Microsoft's Mr. Riley and the unique views he brings to the world of information security. I'm going to try and get him to come and join us for a chat, but in the event that he has some prior commitments, rest assured we're going to have someone that you want to hear. We want to be sure it's worth your time! It will absolutely not be some guy up there pitching some Microsoft product to you. If you want that, I'll need to re-direct you to the other sessions.
My goal for these episodes is ZERO PERCENT Powerpoint and 100% discussion and audience Q&A!!!!
Please let me know if this is a feature you'd be interested in. We're looking to build the business case to develop it, and the best way to do that is for you, our customers, to let us know.
Also, if any of you want to deploy RMS now but can't because there's currently no Mac support, I especially need to know. Thanks!
This paper is a compilation of vulnerability data for client operating systems for the first 3 months, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed:
- Microsoft Windows Vista
- Microsoft Windows XP SP2
- Red Hat Enterprise Linux Desktop (v. 5 client)
- Red Hat Enterprise Linux WS (V. 4)
- Ubuntu 6.06 LTS Desktop
- Apple Mac OS X 10.5 (Leopard)
- Apple Mac OS X 10.4 (Tiger)
For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities as well as the highest number of High severity vulnerabilities while Windows Vista users experienced the fewest and the fewest High severity vulnerabilities.
Here is the chart breaking down all of the OSes by NVD severity ratings:
Download the attached paper for full details.
Well, I've been in the Xbox Live team for the past 3 days and my head is swimming! I had never thought about all the work that goes into keeping Xbox Live up and operational, but now that I'm here and get to see it, it's pretty remarkable. There is a large team working around the clock to make sure that gamers around the world can get on their Xboxes and have a trouble-free experience whenever they want to.
Anyway, I'll have more to post down the road, but right now I'm still focusing on getting my feet underneath me so I can start contributing.
Hi, Charlie Miller here. I was asked to come out to BlueHat to participate in a panel discussion about the vulnerability economy and selling exploits and such. Hopefully the folks who sat through us arguing for an hour got something out of it. I enjoyed it.
When I'm not out shining a light onto the dark world of exploit sales, I'm usually spending my time looking for bugs in software, particularly with fuzzers. BlueHat was a great opportunity for me to talk to some guys on the Microsoft fuzzing team. BlueHat’s reason for being is to bring Microsoft employees together with security researchers, or "hackers". It can be a really interesting dynamic because traditionally, we are rivals. People like me try to find and exploit vulnerabilities, and people at Microsoft try to eliminate vulnerabilities or make them harder to exploit. One thing for sure, it’s definitely easier and more fun to be on the attacking side than the defending side! But anyway, the funny thing about BlueHat is that there are guys like me trying to figure out how Microsoft people work, how they test their software, how they run their fuzzers, and so on, in order to think of better ways to attack their software--while people from Microsoft are trying to figure out how researchers think, to better defend their software. It's great fun and everyone benefits, I think.
Hello all, Nate McFeters here to give you a recap of all the fun at Microsoft BlueHat v7. If you don’t know me, I work for Ernst & Young’s
Coming to
After a long first night, I took care of some work-related stuff and relaxed most of Thursday… that is, until the BlueHat party. It was a great premise: Put a bunch of hackers in a bar and feed them free booze until closing time… the night before the big show! Good thing these guys are professionals!
The highlights of the talks for me were:
1.) Getting to see Alex (kuza55) discuss browser insecurities to a packed audience. This guy has some really progressive stuff, but what really stuck with me was Alex’s mature understanding of the greater picture, which was truly impressive, even more so from a 17-year-old. He discussed the need for more transparency from vendors on the standards that the browsers depend upon… nowhere was this more interesting than in the case of Cross-site Cooking and his FindMimeFromData attack. Alex explained how dangerous the lack of understanding of these technologies is, and how, unless the security community is given more of the bigger picture, we can expect these issues to lie dormant until discovered, and of course, we have no
2.) Watching Billy Rios’ and Nitesh Dhanjani’s phishing discussion, which was by FAR the most entertaining and enlightening talk that I’ve ever seen. The talk was basically a recap of research that Billy and Nitesh got involved in over a year ago, where basically they joined up to the phishing community and realized that it’s not just about phishing, it’s really about identity theft. They discovered that phishing was just one means of supply to fill the demand for identities in the identity theft ecosystem. They were able to discover phishing sites, the kits that phishers use, and the sites where phishers sell stolen identities… truly unbelievable. The saddest thing was realizing just how tech un-savvy these phishers truly are, and then further realizing how huge an impact they’ve caused to the Internet. If you have not seen this talk, you should absolutely go catch it at Black Hat Vegas. If you have, I’m sure you’ll be seeing it again.
3.) Manuel Caballero discussed something that originally didn’t catch my attention. It initially sounded like the same research that’s been put into cross-site scripting attack frameworks, which basically involved using XSS to create a bi-directional communication channel between victim and attacker for exploitation of XSS. Then I realized what Manuel was really talking about. Resident scripts have put the fear of God into me. Whereas a normal cross-site scripting attack vector is great for the site that was cross-site scripted, it stopped there; it couldn’t follow you off-domain. Manuel’s can. Scary.
After the presentations, I was fortunate enough to get included in the IOActive Limo Race after party. I’ve never been involved in an event that led to as many hilarious pictures as that one. Specifically, the pictures of Dan Kaminsky, David Hulton, and Andrew Cushman are priceless. Thanks to Josh Pennell and all the IOActive crew for putting that on -- it was outstanding fun.
All of that and I closed off the week by coming home to
-Nate
------------------
Editor's Note:
BlueHat is not just an event, it’s a community, a network based on relationships developed over time, an integral part of our engineering science and outreach security efforts at Microsoft. As part of the team 'shipping' BlueHat, I spent some time in the speaker lounge – the room where speakers, community and Microsoft folks gather and meet during the conference. It was both fascinating and surreal and we look forward to bringing you more commentary about the event along with video podcasting via the blog in the coming weeks.
BlueHat is rewarding to me because our team is able to help virtual teams form out of traditional rivalries. Observing Adobe’s response team in discussions with Fukami – a Flash researcher notoriously at odds with the company. Participating in lively discussions about Mark Dowd’s latest research paper. Watching ”aha!” moments happen as product teams and researchers from all over Microsoft met with the researchers focusing on their products. CERTs, major guidance providers and security researchers breaking bread together. Community members (such as, several members of the TESO board of directors) greeting each other in person for the first time, after knowing each other virtually, for years. Legendary researchers in the community engaging in dialog with new up-and-comers like Alex K.
BlueHat also brings home how much security work is ahead of us and how the asymmetry between attack and defense continues to widen. Bryan Sullivan’s talk highlighted that although we have made outstanding progress securing the operating system, we now have to make that same outstanding progress in the Web space: an environment with development cycles measured in weeks versus years, and one that presents challenges to the application of the traditional SDL. Billy Rios and Nitesh Dhanjani kept us entertained while confirming that phishing is easy, prolific, money-driven and not as funny as your father’s maiden name. All the panelists reminded us that researchers continue to look for vulnerabilities and there are many 3rd party attack vectors, apart from the OS and core shipped components, even including security products.
We recognize the need for community-based defense (researchers, guidance providers, CERTs, etc.) as we continue to introduce new folks into the BlueHat network. Thank you to all of the speakers, guests and passionate supporters of BlueHat; we look forward to continuing to evolve and add value to this important community.
It’s our planet – let’s secure it!
Sarah Blankinship
Senior Security Strategist
Cesar Cerrudo of Argeniss here. I was thinking what to write about in this blog post and I decided that this would be a good opportunity to acknowledge Microsoft security efforts by highlighting Microsoft improvements, and also to compare how security is currently handled by the other big software vendors.
While I don't like some Microsoft policies and how some security issues are handled by Microsoft sometimes, Microsoft is currently the software vendor that cares the most about security, and this can be seen in the increased security of their software. It has improved a lot in the last few years. Of course nobody is perfect, and Microsoft software will continue to have security vulnerabilities, but they will continue improving.
My team and I have been finding and reporting hundreds of vulnerabilities to major vendors for the last 6 years, so I guess I have some experience in the subject.
Let’s talk about two of the biggest software vendors. I’m not going to mention their real names. Let’s just say they are Vendor A and Vendor B.
First we have Vendor A. This vendor talks more than it acts. They are always talking about how much they train developers in security, how much they care about security, how they use these wonderful products that find all security issues, and even make and serve coffee while doing it, and blah, blah, blah. But reality is far different from what they say.
Let’s take an example: You report X vulnerability in Y functionality to them, and they will take their time to fix it (and it could take a couple of years sometimes). Furthermore, they just fix the X vulnerability in Y functionality. They don't investigate whether the same vulnerability is present in Z functionality. But that's not all, they only fix your reported attack vector. They don't look for other attack vectors. But wait, that's not all -- the developer will produce a fix that can't even prevent a variation of the reported attack and this fix goes straight to production. I really wonder how this vendor determines when a fix is ready to go into production, since not enough testing seems to have been done.
Nobody seems to notice that the fix sucks, then when the fix is ready, the vendor will inform you they have produced a fix for the vulnerability in software version 1a, 2a, and 2b, and that they will release it at some future date. When the fix is released, you test the fix in the corresponding versions and then you realize that there is no fix at all in version 1a and that the fix on version 2a and 2b only works when trying to exploit the vulnerability in the exact way you reported. If you change the exploit slightly, then the fix doesn't work, so you contact them again.
You go through the same process one more time, and then a new fix is released. With the new fix, you find out again that the fix in version 1a is not present, and the fix in version 2a works well, but the fix on version 2b still doesn't work with exploit variations. The same process goes on again and again, until some day after 2, 3, or 4 fixes, the vulnerability is finally fixed on all the affected software versions.
Unbelievable, eh? Well, that is how Vendor A is currently producing security fixes. Vendor A is clearly many years behind Microsoft when it comes to security.
Let’s talk now about Vendor B. This vendor has a lot of experience producing software, and like Vendor A, it is one of the big vendors. Vendor B seems to produce good fixes for security vulnerabilities, but they have a bigger problem. It seems their developers are not very familiar with security.
For instance, the latest version of one of their most popular software packages still has stack overflows that you can find in 5 minutes. It also has everything open by default, and by changing just one byte in software protocol packets you can easily crash the software.
You can tell that some developers don't really get security and that they have the final decision when to produce a fix. If you report a vulnerability related to some functionality that's accessible to all users by default, and that can be abused to perform evil actions, they will just respond that the functionality is used by their customers and that it can't be abused. And that's it, developers don't realize that their competitors’ software has restricted the same functionality by default for security reasons a long time ago. Vendor B doesn't seem to have a security response team, since most of the time, reports are handled directly by developers or software managers. I could continue with more examples, but I think you get the picture. What is weird is that Vendor B some time ago acquired an important security consulting company that had really skilled people. I wonder why these people are not helping to improve their own software security, instead of doing cool research on new attacks on software from other vendors and providing external consulting services in order to help other companies. Weird.
Again Vendor B is clearly many years behind Microsoft when it comes to security.
I have criticized and pointed out Microsoft security problems many times and I will continue doing it when it's necessary, but I really think that Microsoft is ahead by many years in security, compared to other vendors. Microsoft is leading security efforts in the software industry.
I have seen Microsoft make huge improvements over time. Some Microsoft products’ previous versions had dozens of vulnerabilities, but now the newest version has almost no vulnerabilities. I haven't seen that in any other products from other vendors, and this is something really amazing that nobody seems to notice.
I think other vendors will improve over time and that Microsoft is indirectly helping them with the knowledge and research it generates. By looking at Microsoft, these other vendors could get an idea on how to get better at security.
BlueHat is another innovative way Microsoft has developed to improve security. If you have something to say that will help to improve security in its products, then Microsoft will listen to you.
As I always say: “Vendor A and Vendor B are very lucky because they never had a worm.”
-Cesar
Hello, this is Rob Hensing. I work with the SWI team at Microsoft. One focus of my job is looking for mitigations and workarounds that we can use to protect our customers against vulnerabilities and exploits. Part of this involves testing out the mitigation technologies that we’ve baked into a lot of our products as part of the SDL process, such as buffer overrun protection via /GS, execution prevention via DEP, and address space randomization via ASLR. As a result, I spend a lot of time studying responsibly (and irresponsibly) disclosed vulnerabilities in a debugger and looking for crazy things our customers can do to protect themselves from attempts to exploit those vulnerabilities. Something that has been on my mind a lot lately is the battle for the browser and the attack surface the browser represents to the average user. And what I really mean is the battle for control of your PC by bad guys via your browser. Obviously this is nothing new, bad guys have been pwning average users’ PCs for years using browsers, but things are about to change and I wanted to share some of my thoughts on this.
The battle for the browser was thrust into the limelight (again) this year by Shane Macaulay at CanSecWest when on Day 3 of the pwn2own festivities he and another researcher, Alexander Sotirov, were successfully able to claim the prize for pwning the Vista box using an Adobe Flash 0-day vulnerability. I was pretty sure it would be over within minutes, and when it wasn’t, I found myself checking in on their progress throughout the day. The reason I thought it would be over in minutes is that, since about 2004, once you have some buggy ActiveX (AX) control with a vulnerability running inside of IE, it has been almost trivial to code up a reliable exploit for it that makes use of a technique known as heap spray (pioneered, AFAIK, by Skylined), which requires nothing more than some clever JavaScript used to prepare the process’s memory so that exploitation of the vulnerability is more reliable.
You may recall that Sotirov is someone who did even more work in the area of heap spray, culminating in presentations at BlackHat on “Heap Feng Shui” and a JavaScript library that makes exploit development using heap spray even easier. But to my surprise, instead of taking minutes, it took the better part of a day before the judges declared them the winners. (In fact it took so long that I didn’t even get to see them win, as I was busy presenting on targeted attacks in one of the final sessions of the last day!) For some reason, throughout the day the exploit wasn’t working properly and IE was just crashing instead of running the shellcode. At the time, the working theory was that in Vista SP1 we must have marked the heap pages as non-executable or, more accurately, that Vista SP1 had started enforcing no execution of instructions out of pages of memory that were not marked as executable, via a concept known as DEP (Data Execution Prevention). However, this was not the case – IE7 on XPSP2 and Vista SP0/SP1 does not “opt-in” to DEP (…yet, and more on that later). More intriguing (to me) was that, operating on the assumption that they were up against DEP, Macaulay and Sotirov set off trying to bypass DEP protection using another technique, which I don’t think was the one discussed by Skape and Skywing in this Uninformed article.
During the day, the use of a Java VM was mentioned, so I’m guessing that instead of using JavaScript to do the heap spray, Macaulay and Sotirov may have used a Java class file and a Java VM to spray memory with NOPs and shellcode. The difference? Our JavaScript library will allocate heap memory pages with PAGE_READWRITE protection (and so attempts to execute code from them can be stopped by enabling DEP) and a Java VM may allocate memory as PAGE_EXECUTE_READWRITE (rendering DEP powerless to stop code execution, since the pages are marked as being intended for code execution!). Clever. If that’s what indeed happened. (I don’t know for sure – I’m only speculating).
So why did this under-reported piece of information grab my attention? There were two reasons:
1. The fact that the researchers went after Adobe and found a code execution vulnerability is a big deal. Flash is a cross-platform application and is more ubiquitous than even IE or Windows. It is virtually guaranteed that Flash will be installed on a given machine connected to the Internet.
2. It demonstrated that researchers (and more than likely, malware or exploit writers) are actively looking for ways to bypass DEP, should it be enabled for the process they are trying to exploit.
Today, IE doesn’t use DEP by default and it would seem that researchers are already looking for ways to bypass it, anticipating a day when it might. Right now, you can make IE use DEP by following the instructions in Mike Howard’s blog (or by using the .REG file at the end of my blog post on DEP in Vista), but I suspect the vast majority of people haven’t done that, and so there hasn’t been a lot of focus on bypassing DEP because there hasn’t really been the need. So why not create that need? Why haven’t we made more effort to make IE use DEP by default? For the same reason we do most things that seem counterintuitive: application compatibility. We haven’t made IE use DEP by default yet, because it’s only in the last year or so that major 3rd party AX controls like Flash were able to run in a process using DEP without crashing the process! Remember, it was only a couple of weeks ago that Apple released an update to QuickTime that finally allows some of the key QuickTime libraries to use DEP and ASLR on Windows (which is a very big deal!). Oh, and for the record, that “someday when IE might use DEP by default” I mentioned earlier is coming soon! In fact, Eric Lawrence (an IE Program Manager) went on record last week as saying that IE8 will opt-in to DEP by default on
In more signs of the times: just this week, Mark Dowd, an Aussie security researcher with IBM-ISS rocked the security researcher world and blew a lot of minds with his pretty impressive work exploiting yet another Flash vulnerability (Ptacek’s write-up is a great summary if you don’t want to read the 25 page write-up from Mark). In essence, Mark found a vulnerability in Flash that allowed him to perform an arbitrary 4-byte write to a location in memory. That in and of itself isn’t necessarily what’s interesting; what’s interesting is the way he chose to leverage that vulnerability (by patching some bytes used by the ActionScript Virtual Machine, which allowed him to run dangerous ActionScript bytecode to eventually overwrite a return address on the stack, which then jumped to his x86 machine code)–which has possibly blown the doors wide open for bad guys who want reliable exploitation techniques that don’t involve the traditional Javascript heap spray approach. Mark mentions in his paper that his exploit worked reliably on Vista because Adobe didn’t opt-in to ASLR with the core Flash binary (which on my machine is flash9f.ocx, the most recent version that contains the fix for the vulnerability discovered by Mark). It turns out that the 4-byte write that Mark uses to “get things started” is to a known memory location that never changes (even between IE and Firefox!), which is only possible because the Flash AX control always loads at the same address in memory every time. If Adobe would have opted-in to ASLR it would have made this technique MUCH less reliable.
On a random side note, here’s a fun tech tip for folks who happen to have a copy of LINK.EXE lying around (that is, if you have some version of Visual Studio installed). You can actually do what Adobe hasn’t done (yet) and make Flash opt-in to ASLR! Support for ASLR is usually added at link time using a linker switch (/DYNAMICBASE) but our linker can add this support to a binary at any time! To do this, just run the following commands from an elevated CMD prompt on Vista (assuming you have obtained a copy of link.exe from a Visual Studio install, or you can get it for free in the Visual C++ 2008 Express Edition available here: http://www.microsoft.com/express/vc/).
After ensuring you have the Visual Studio tools installed, close all running instances of Internet Explorer and launch the Visual Studio command prompt elevated and then run the following commands in the elevated command prompt:
For 32bit Vista installations with Flash9f (9.0.124.0):
icacls %windir%\System32\Macromed\Flash\Flash9f.ocx /save %temp%\Flash9f_acls.txt
icacls %windir%\System32\Macromed\Flash\Flash9f.ocx /remove everyone
attrib %windir%\System32\Macromed\Flash\Flash9f.ocx -r
link /edit /dynamicbase %windir%\System32\Macromed\Flash\Flash9f.ocx
attrib +r %windir%\System32\Macromed\Flash\Flash9f.ocx
icacls %windir%\System32\Macromed\Flash /restore %temp%\Flash9f_acls.txt
For 64bit Vista installations with Flash9f (9.0.124.0):
icacls %windir%\SysWOW64\Macromed\Flash\Flash9f.ocx /save %temp%\Flash9f_acls.txt
icacls %windir%\SysWOW64\Macromed\Flash\Flash9f.ocx /remove everyone
attrib %windir%\SysWOW64\Macromed\Flash\Flash9f.ocx -r
link /edit /dynamicbase %windir%\SysWOW64\Macromed\Flash\Flash9f.ocx
attrib +r %windir%\SysWOW64\Macromed\Flash\Flash9f.ocx
icacls %windir%\SysWOW64\Macromed\Flash /restore %temp%\Flash9f_acls.txt
(NOTE: Props to Adobe for the “creative” use of ACLs and file attributes to prevent modifications to the binary! That seems like a nice defense-in-depth measure to prevent patching the binary.)
To verify that the Flash binary is now opting-in to ASLR you can use the dumpbin.exe command to view the headers like this from the Visual Studio command prompt:
For 32bit Vista installations with Flash9f (9.0.124.0):
Dumpbin.exe /headers %windir%\System32\Macromed\Flash\Flash9f.ocx
For 64bit Vista installations with Flash9f (9.0.124.0):
Dumpbin.exe /headers %windir%\SysWOW64\Macromed\Flash\Flash9f.ocx
And you can look for the following output:
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file Flash9f.ocx
PE signature found
File Type: DLL
FILE HEADER VALUES
14C machine (x86)
6 number of sections
47E8643E time date stamp Mon Mar 24 22:32:30 2008
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
210E characteristics
<snip>
OPTIONAL HEADER VALUES
10B magic # (PE32)
7.10 linker version
23F000 size of code
16F000 size of initialized data
<snip>
3AF000 size of image
1000 size of headers
2E261C checksum
2 subsystem (Windows GUI)
40 DLL characteristics
Dynamic base
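If you want to audit a batch of binaries for these flags without opening each one in dumpbin, the following added example (not code from the original post, nor a Microsoft tool) parses the PE headers directly and decodes the same DLL characteristics word. It also checks the file-header "relocations stripped" bit, because the loader cannot rebase an image that has no relocations and /DYNAMICBASE alone does nothing for such an image. The minimal PE headers it builds for its own test are constructed bytes, not a real Flash control.

```python
"""Report the ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT) opt-in state of PE images.

Usage: python pe_mitigations.py <file.ocx|.dll|.exe> [...]
"""
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FILE HEADER 'characteristics' bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by link /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by link /NXCOMPAT (DEP)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_mitigations(data: bytes) -> dict:
    """Decode the fields that dumpbin /headers prints as 'characteristics'
    and 'DLL characteristics' and say whether ASLR can really take effect."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: 20 bytes immediately after the 4-byte signature.
    machine, _nsec, _ts, _symptr, _nsyms, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 72 or len(data) < opt_off + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # Subsystem (offset 68) and DllCharacteristics (offset 70) sit at the
    # same offsets in both PE32 and PE32+ optional headers.
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt_off + 68)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Without a relocation table the loader cannot move the image, so the
        # Dynamic base flag is decorative on a relocation-stripped binary.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_test_pe(dll_chars: int, file_chars: int = 0x210E,
                  magic: int = PE32_MAGIC) -> bytes:
    """Constructed, header-only PE (no sections; not loadable) so the parser
    can be exercised offline. The default file characteristics 0x210E are the
    value shown in the dumpbin output for the 32-bit Flash control."""
    e_lfanew = 0x40
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<HH", opt, 68, 2, dll_chars)   # subsystem 2 = Windows GUI
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> str:
    """Human-readable summary for one file, in the spirit of dumpbin's output."""
    with open(path, "rb") as f:
        info = parse_pe_mitigations(f.read())
    return "\n".join([
        "%s: DLL characteristics 0x%X" % (path, info["dll_characteristics"]),
        "  Dynamic base (ASLR opt-in): %s" % info["dynamic_base"],
        "  NX compatible (DEP opt-in): %s" % info["nx_compat"],
        "  Relocations stripped:       %s" % info["relocs_stripped"],
        "  ASLR can actually apply:    %s" % info["aslr_effective"],
    ])


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(report(p))
```

Run it against Flash9f.ocx before and after the `link /edit /dynamicbase` step to confirm the Dynamic base bit flipped; a binary that reports "Relocations stripped: True" needs to be relinked by its vendor rather than edited.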
In conclusion: the battle for the browser is a very important one, as the browser is one of the primary conduits for stealing information from users, which is then sold, purchased, and traded in the underground economy. To date the bad guys have had it pretty easy with respect to reliable malicious code execution in browsers (via executable stacks and heaps), aided by well-known heap spray techniques combined with the lack of hardware-enforced DEP and a lack of third parties opting-in to mitigation technologies like ASLR and DEP (until very recently). However, for several years now OEMs have been shipping PCs with CPUs that support hardware-enforced DEP. Today, in current versions of IE 7 on XPSP2 and later operating systems, hardware-enforced DEP can be enabled, and tomorrow it will even be on by default in IE 8 (on Vista SP1). In addition, while ASLR should be enabled by application developers when they compile and link their binaries, we’ve seen that it can be enabled at any time by modifying the DLL characteristics of the binary using freely available tools. We’ve also recently seen signs that some ISVs like Apple are starting to take these protection technologies seriously and are opting-in to them on the Windows platform to help defend against attacks on their code, and it is my belief that we will continue to see more third-party ISVs (like Adobe) opt-in to these technologies in the near future. Finally, while we’ve seen that the combination of DEP and ASLR can defeat many current (and future) exploit techniques, we as defenders should not be complacent, as research is being done to find ways to bypass these technologies (possibly by leveraging applications which must perform Just-in-Time translation of bytecode in memory and then execute the resulting instructions, such as Flash, Java, or .NET code running inside the browser, as Mark Dowd has recently demonstrated).
This is why, at the end of the day, we must all continue to improve our coding practices to produce the most secure code possible while ALSO ensuring that we are opting-in to all of the defenses offered by the operating systems on which our applications are running.
In the coming weeks I hope to publish a series of in-depth blog posts on the topic of our exploit prevention technologies such as /GS, DEP, and ASLR over in Microsoft’s Security Vulnerability Research & Defense blog.
-Rob