We start off this episode with Agent Lynd explaining to us the danger of botnets and who these bot pimps are targeting. We see that some of these bad guys are using these “zombie networks” to commit extortion (or face the wrath of my botnet doing a DDoS against your business.) Good stuff.
Allyn goes a bit further by providing us with a real-world case study. He can't provide names, since this case is currently under investigation. It's a network intrusion case where the offending company was consistently undermining and low-balling the victim on all of their contract bids. Think this can't happen to you? Maybe it already is. This company only realized it after losing over $160 Million in contracts. Since I want to ensure you're protected against this stuff and not just scare you, Allyn provides 3 easy things that you can do to help mitigate this risk.
Enjoy Part 2 and I’ll get started on editing Part 3 today!
The other day an office mate asked, "Do you twitter?" Sorting through the various snarky remarks that immediately popped to mind, I replied that I didn't think anyone would find my routine bits all that interesting. He suggested otherwise: that it would be a convenient place to record quick ideas. So I am now indeed twittering. Check out the link on the right of this blog. For those using an RSS/ATOM aggravator, you'll want http://twitter.com/statuses/user_timeline/15237105.rss.
I converted my office fileserver to Windows Server 2008 (WS2008) a while back and I've never been happier - WS2008 is my favorite product ever. Nicely modular, pretty much everything turned off by default and some great tools for enabling just the components you need for a particular role.
There is one more step I've been wanting to take and that is to enable the Hyper-V role and convert my fileserver over to just one virtual machine on the box, so I can set up other VMs on the same box. Today, I was excited to see Microsoft Releases Hyper-V on CNET. Here is a summary of the key links (note that it is only available for the 64-bit versions of WS2008):
Check back with me and I'll let you know how things go and share any tips I have for what to do or not do, as well as my review of how easy/hard it is.
Regards ~ Jeff
Well, I've been in the Xbox Live team for the past 3 days and my head is swimming! I had never thought about all the work that goes into keeping Xbox Live up and operational, but now that I'm here and get to see it, it's pretty remarkable. There is a large team working around the clock to make sure that gamers around the world can get on their Xboxes and have a trouble-free experience whenever they want to.
Anyway, I'll have more to post down the road, but right now I'm still focusing on getting my feet underneath me so I can start contributing.
Hello everyone, this is Robert "RSnake" Hansen. It’s been a while since I’ve talked with the BlueHat folks but only because I’ve been busy behind the scenes working on some cool stuff with the Microsofties. I was pleasantly surprised to hear I am now allowed to talk about one of the things I have helped work on. David Ross mentioned it in a blog post he wrote some time ago, but it has come a long way from that point. He called it “XSS-Focused Attack Surface Reduction goodness” for lack of a better term, but now I think we’ve happily settled on a shorter and more memorable name - “XSSFilter.”
In Internet Explorer 8.0, users will be protected from the vast majority of real-world XSS attacks. David spent a lot of time analyzing the most common variants and has built a tool to isolate and protect against those attacks for the vast majority of Internet users out there. The tool protects against reflected XSS in particular, and not against the less common DOM-based or persistent XSS varieties. XSSFilter is certainly not a panacea and it's still recommended that developers follow good programming practices, but this comes as welcome news to me personally and to the vast majority of Internet users, who will be protected from an attack they probably couldn't even spell. And best of all, it will be on by default – asking consumers to install security plug-ins has never worked well. Taking it out of the consumer's hands is a huge leap forward.
I've been talking about browser security for quite a while in my speeches and on my site – we can't expect programmers to fix all their flaws, especially in legacy applications. The browser is one of the few important choke points on the Internet, where client-side issues can be heavily mitigated and we can begin to get ahead of the problem. Indeed, XSS is a prime example of what can happen when attackers start using the browser as a conduit for attacks against web applications and consumers. Since we know it'll be a long time (or maybe even never) until we see every critical web application protecting itself, this is a great short-term stop-gap for the vast majority of XSS issues against the Internet Explorer browser.
Only time will tell how attackers move and adjust to these changes, but in the near term, I’m happy to have played a small part in adding one more weapon in the fight to protect consumers.
After a whirlwind trip to beautiful Honolulu, Hawaii to give the Day 2 keynote at ShakaCon, I am finally back to reality here at Microsoft. More on that shortly, from another blog...
Right here, right now, BlueHat video interviews with the speakers are available. From "Bad Sushi: Beating Phishers at Their Own Game" with our own Billy Rios to "Token Kidnapping" with Cesar Cerrudo of Argeniss -- get an exclusive sneak peek into what really happened at BlueHat v7.
Or play a game with your friends: How many times do Dan Kaminsky and I say "RickRoll" during his interview? Submit your answer in the comments of this blog. First correct answer will receive a prize if you come see me, Mike Reavey, and Captain Steve Adegbite at Black Hat this July! Be sure to also see Billy Rios, Bryan Sullivan, Bruce Dang, and David Weston.
Aloha!
Katie Moussouris, Security Strategist
Hi, Charlie Miller here. I was asked to come out to BlueHat to participate in a panel discussion about the vulnerability economy and selling exploits and such. Hopefully the folks who sat through us arguing for an hour got something out of it. I enjoyed it.
When I'm not out shining a light onto the dark world of exploit sales, I'm usually spending my time looking for bugs in software, particularly with fuzzers. BlueHat was a great opportunity for me to talk to some guys on the Microsoft fuzzing team. BlueHat's reason for being is to bring Microsoft employees together with security researchers, or "hackers". It can be a really interesting dynamic because traditionally, we are rivals. People like me try to find and exploit vulnerabilities, and people at Microsoft try to eliminate vulnerabilities or make them harder to exploit. One thing is for sure: it's definitely easier and more fun to be on the attacking side than the defending side! But anyway, the funny thing about BlueHat is that there are guys like me trying to figure out how Microsoft people work, how they test their software, how they run their fuzzers, and so on, in order to think of better ways to attack their software -- while people from Microsoft are trying to figure out how researchers think, to better defend their software. It's great fun and everyone benefits, I think.
Hello all, Nate McFeters here to give you a recap of all the fun at Microsoft BlueHat v7. If you don’t know me, I work for Ernst & Young’s
Coming to
After a long first night, I took care of some work-related stuff and relaxed most of Thursday… that is, until the BlueHat party. It was a great premise: Put a bunch of hackers in a bar and feed them free booze until closing time… the night before the big show! Good thing these guys are professionals!
The highlights of the talks for me were:
1.) Getting to see Alex (kuza55) discuss browser insecurities to a packed audience. This guy has some really progressive stuff, but what really struck me was Alex's mature understanding of the greater picture, which was truly impressive, even more so from a 17-year-old. He discussed the need for more transparency from vendors on the standards that the browsers depend upon… nowhere was this more interesting than in the case of Cross-site Cooking and his FindMimeFromData attack. Alex explained how dangerous the lack of understanding of these technologies is, and how, unless the security community is given more of the bigger picture, we can expect these issues to lie dormant until discovered, and of course, we have no
2.) Watching Billy Rios' and Nitesh Dhanjani's phishing discussion, which was by FAR the most entertaining and enlightening talk that I've ever seen. The talk was basically a recap of research that Billy and Nitesh got involved in over a year ago, where they joined up with the phishing community and realized that it's not just about phishing, it's really about identity theft. They discovered that phishing was just one means of supply to fill the demand for identities in the identity theft ecosystem. They were able to discover phishing sites, the kits that phishers use, and the sites where phishers sell stolen identities… truly unbelievable. The saddest thing was realizing just how tech-unsavvy these phishers truly are, and then further realizing how huge an impact they've had on the Internet. If you have not seen this talk, you should absolutely go catch it at Black Hat Vegas. If you have, I'm sure you'll be seeing it again.
3.) Manuel Caballero discussed something that originally didn't catch my attention. It initially sounded like the same research that's been put into cross-site scripting attack frameworks, which basically involves using XSS to create a bi-directional communication channel between victim and attacker for exploitation of XSS. Then I realized what Manuel was really talking about. Resident scripts have put the fear of God into me. Whereas a normal cross-site scripting attack vector works against the site that was cross-site scripted, it stops there; it can't follow you off-domain. Manuel's can. Scary.
After the presentations, I was fortunate enough to get included in the IOActive Limo Race after party. I’ve never been involved in an event that led to as many hilarious pictures as that one. Specifically, the pictures of Dan Kaminsky, David Hulton, and Andrew Cushman are priceless. Thanks to Josh Pennell and all the IOActive crew for putting that on -- it was outstanding fun.
All of that and I closed off the week by coming home to
-Nate
------------------
Editor's Note:
BlueHat is not just an event, it’s a community, a network based on relationships developed over time, an integral part of our engineering science and outreach security efforts at Microsoft. As part of the team 'shipping' BlueHat, I spent some time in the speaker lounge – the room where speakers, community and Microsoft folks gather and meet during the conference. It was both fascinating and surreal and we look forward to bringing you more commentary about the event along with video podcasting via the blog in the coming weeks.
BlueHat is rewarding to me because our team is able to help virtual teams form out of traditional rivalries. Observing Adobe's response team in discussions with Fukami – a Flash researcher notoriously at odds with the company. Participating in lively discussions about Mark Dowd's latest research paper. Watching "aha!" moments happen as product teams and researchers from all over Microsoft met with the researchers focusing on their products. CERTs, major guidance providers and security researchers breaking bread together. Community members (such as several members of the TESO board of directors) greeting each other in person for the first time, after knowing each other virtually for years. Legendary researchers in the community engaging in dialog with new up-and-comers like Alex K.
BlueHat also brings home how much security work is ahead of us and how the asymmetry between attack and defense continues to widen. Bryan Sullivan's talk highlighted that although we have made outstanding progress securing the operating system, we now have to make that same outstanding progress in the Web space: an environment with development cycles measured in weeks versus years, and one that presents challenges to the application of the traditional SDL. Billy Rios and Nitesh Dhanjani kept us entertained while confirming that phishing is easy, prolific, money-driven and not as funny as your father's maiden name. All the panelists reminded us that researchers continue to look for vulnerabilities and there are many third-party attack vectors, apart from the OS and core shipped components, even including security products.
We recognize the need for community-based defense (researchers, guidance providers, CERTs, etc.) as we continue to introduce new folks into the BlueHat network. Thank you to all of the speakers, guests and passionate supporters of BlueHat – we look forward to continuing to evolve and add value to this important community.
It’s our planet – let’s secure it!
Sarah Blankinship
Senior Security Strategist