<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Crescent City Networking &#187; Security</title>
	<atom:link href="http://ccnetworking.com/wordpress/archives/category/security/feed" rel="self" type="application/rss+xml" />
	<link>http://ccnetworking.com/wordpress</link>
	<description></description>
	<lastBuildDate>Wed, 28 Jul 2010 16:31:39 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Facebook typo squatting</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/_wQz2LVU5SI/facebook-typo-squatting.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/_wQz2LVU5SI/facebook-typo-squatting.html#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:31:00 +0000</pubDate>
		<dc:creator>Tom Kelchner</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-4261256469038304409</guid>
		<description><![CDATA[&#8220;Facebooik.com&#8221; &#8211; not good. A domain registered in a tiny town in Georgia is presenting fumble-fingered Facebook fans with a few fun-filled hours of diversion: It&#8217;s one of those interminable contest sites we&#8217;ve all come to know...]]></description>
			<content:encoded><![CDATA[<p><font color="#ff8040" size="3"><strong>&ldquo;Facebooik.com&rdquo; &ndash; not good</strong></font></p><br /><p>A domain registered in a tiny town in Georgia is presenting fumble-fingered Facebook fans with a few fun-filled hours of diversion:<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/typosquatting_20page.png"><img border="0" alt="Typosquatting page" src="http://www.sunbeltsoftware.com/alex/gblog/typosquatting_20page_thumb.jpg" /></a><br /><br />It&rsquo;s one of those interminable contest sites we&rsquo;ve all come to know and love.<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/RegistrationPage.png"><img border="0" alt="RegistrationPage" src="http://www.sunbeltsoftware.com/alex/gblog/RegistrationPage_thumb.jpg" /></a><br /><br />If you actually spend the 45 minutes it takes to click through this monster and sign up for everything that&rsquo;s offered, your cell phone will probably be billed an amount close to the gross national product of a small third-world country.<br /><br />An outfit named &ldquo;Freebie Promos&rdquo; owns the site and it&rsquo;s been around since 2006.<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/Whois.png"><img border="0" alt="Whois" src="http://www.sunbeltsoftware.com/alex/gblog/Whois_thumb.jpg" /></a><br /><br />That address in Austell, Ga., on Google Maps Street View, appears to be an intersection in a VERY rural little whistle-stop community.<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/Austell_Georgia.png"><img border="0" alt="Austell_Georgia" src="http://www.sunbeltsoftware.com/alex/gblog/Austell_Georgia_thumb.jpg" /></a><br /><br />Watch your typing.<br /><br />Tom Kelchner<br /></p>]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/_wQz2LVU5SI/facebook-typo-squatting.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Community-Based Defense: Looking Outward, Moving Forward</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/28/community-based-defense-looking-outward-moving-forward.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/28/community-based-defense-looking-outward-moving-forward.aspx#comments</comments>
		<pubDate>Wed, 28 Jul 2010 15:15:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Microsoft Active Protections Program (MAPP)]]></category>
		<category><![CDATA[Responsible Disclosure]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3347294</guid>
			<content:encoded><![CDATA[<p>Two years ago, in front of a standing-room-only crowd here at Black Hat, we introduced three new information sharing programs as well as the concept of Community-Based Defense. The underlying concept shared by all three programs was simple -- collaboration will be key to preventing and defending against online crime going forward; no one company, individual or technology can do it alone. The call to action was bold -- put aside competitive and philosophical differences and move beyond our individual boundaries to work together to help improve and protect the broader security ecosystem. The reaction -- applause!</p>
<p>We all know Black Hat can be a tough crowd, and wearing the blue badge can at times amplify that - making the positive response really pleasant. But it wasn't altogether unexpected.&nbsp; Each of the then-new programs -- the <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">Microsoft Active Protections Program</a> (MAPP), <a href="http://technet.microsoft.com/en-us/security/cc998259.aspx">Microsoft Exploitability Index</a> and <a href="http://www.microsoft.com/security/msrc/collaboration/research.aspx">Microsoft Vulnerability Research (MSVR)</a> -- were fueled by, and designed to address, customer needs.&nbsp; And recognizing the collaborative nature of two of the programs, we'd spent months getting feedback and support within the community, from customers to vendors to researchers, to get into a position to make the announcements that day.&nbsp; </p>
<p>Today, the MSRC released its second annual progress report on those programs -- "Building a Safer, More Trusted Internet through Information Sharing" -- and we're excited to share the <a href="http://go.microsoft.com/?linkid=9738546">results</a>. </p>
<p>Some highlights:</p>
<ul>
<li>MAPP now has 65 members worldwide, providing protections for hundreds of millions of customers.</li>
<li>MSVR identified and privately coordinated vulnerabilities with 32 and 19 vendors in the first and second years of operations respectively.</li>
<li>Of the 349 Exploitability Index ratings provided for vulnerabilities resolved by Microsoft, there has been only one revision, which involved a reduction in risk assessment severity.</li>
</ul>
<p>Speaking of the success and impact of MAPP, we couldn't be more thrilled with the announcement today that Adobe Systems Incorporated will begin sharing early warning details on their vulnerabilities through MAPP beginning this fall. Two years ago, there was broad feedback throughout the industry -- from analysts, customers, and partners -- that MAPP was a game-changer, shifting competitive advantage away from the bad guys (criminals, attackers) to the good guys (protection providers, customers). For the first time, protection providers were able to operate together on a massive scale, developing and preparing protections for their customers to be made available upon release of Microsoft security vulnerabilities -- and ahead of the exploits developed by attackers. Today, we believe the same game has been raised a level with Adobe helping to advance protection time, giving an upper hand to the global network of defenders in the battle against online crime.</p>
<p>Many of you have already read Matt Thomlinson's <a href="http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx">introduction</a> last week of our new policy of coordinated vulnerability disclosure and Katie Moussouris' <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">expansion</a> on the concept and the need for reframing the community's approach and mindset from the subjective language of "responsible" to the collaborative label of "coordinated." I don't intend to rehash that here, except to say that we look forward to continuing the dialogue on this new policy at Black Hat and beyond. This move didn't happen overnight as we believe it is reflective of a broader groundswell within the community that's been underway for some time. We're encouraged by the overwhelming volume of support behind the shift as evidenced in Katie's post and in interactions and response since then.</p>
<p>Even with more concerted attention on community-based defense and this growing sense of shared responsibility throughout the security community, attackers will still continue to case systems and applications looking for vulnerabilities. The stakes are high and criminals won't relent.&nbsp; So today, we're also announcing the Enhanced Mitigation Experience Toolkit (EMET).&nbsp; </p>
<p>EMET is a free tool that provides a way for IT professionals to add some of the latest security mitigations -- such as DEP, mandatory ASLR and export address table (EAT) filtering -- to software to protect against exploits of vulnerabilities.&nbsp; It helps harden existing applications from current exploit techniques without requiring any recoding. Look for an SRD blog post in August announcing availability of the new toolkit on the Microsoft Download Center.</p>
<p>More details on each of these announcements can be found at our Black Hat Press Site: <a href="http://www.microsoft.com/presspass/events/blackhat/">http://www.microsoft.com/presspass/events/blackhat/</a>.</p>
<p>Every Black Hat is different, but year after year one of the highlights of the show for Microsoft is continuing the conversation with researchers, partners and customers, and then acting on it. This is a community that is bound together by a common purpose -- that is to improve the security landscape. It used to be enough to expect others to make that happen; but today, no one is exempt from helping to ensure the safety of the Internet. We're in this together, and we're better together. If you're at the show, pay us a visit at the booth or say hello when you see us; in any case, we look forward to hearing from you and continuing this work together.</p>
<p>Dave Forstrom, Director, Microsoft Trustworthy Computing</p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/28/community-based-defense-looking-outward-moving-forward.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mariposa bot creator arrested in Slovenia</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/vl8g8ur352s/mariposa-bot-creator-arrested-in.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/vl8g8ur352s/mariposa-bot-creator-arrested-in.html#comments</comments>
		<pubDate>Wed, 28 Jul 2010 13:56:00 +0000</pubDate>
		<dc:creator>Tom Kelchner</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-4041439814347691756</guid>
		<description><![CDATA[The Register is reporting that police in Slovenia have arrested a 23-year-old man, who went by the handle Iserdo, and charged him with writing and selling the code that has been used to create the Mariposa botnet. Iserdo and two other suspects were take...]]></description>
			<content:encoded><![CDATA[The Register is reporting that police in Slovenia have arrested a 23-year-old man, who went by the handle Iserdo, and charged him with writing and selling the code that has been used to create the Mariposa botnet.<br /><br />Iserdo and two other suspects were taken into custody in Maribor, Slovenia, two weeks ago in the wake of an investigation by the FBI, Spanish Guardia Civil and Slovenian police, officials said.<br /><br />The Mariposa bot crime kit, which was sold for $500-$1,300 on underground sites, was used by operators to create the botnet of 12-million computers used to steal banking credentials as well as other online crime.<br /><br />The authorities have taken down Iserdo’s web site as well as the main Mariposa command-and-control servers.<br /><br />Story here: <a href="http://www.theregister.co.uk/2010/07/28/mariposa_vxer_cuffed/">“Mariposa mastermind arrested in Slovenia”</a><br /><br />In March, the Guardia Civil in Spain arrested three people in connection with the Mariposa botnet as part of an investigation that began in 2009.<br /><br />Sunbelt Blog story here: <a href="http://sunbeltblog.blogspot.com/2010/03/spain-arrests-three-shuts-down-mariposa.html">“Spain arrests three, shuts down Mariposa botnet”<br /></a><br />Tom Kelchner]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/vl8g8ur352s/mariposa-bot-creator-arrested-in.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t pay to read public domain content on your iPad</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/xualwGDshEM/don-pay-to-read-public-domain-content.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/xualwGDshEM/don-pay-to-read-public-domain-content.html#comments</comments>
		<pubDate>Wed, 28 Jul 2010 10:59:00 +0000</pubDate>
		<dc:creator>paperghost</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-9207039781902756461</guid>
		<description><![CDATA[There are large amounts of videos on Youtube right now advertising a site called Bestpadmedia(dot)com.&#160;Although some are being whacked by Youtube due to “terms of use violation” there’s still a lot of them online. The videos claim the site a...]]></description>
			<content:encoded><![CDATA[There are large amounts of videos on Youtube right now advertising a site called Bestpadmedia(dot)com.&nbsp;Although some are being <a href="http://www.youtube.com/index?ytsession=wiH28cmZwBFjiq3EUdT5C-t-k7vjNd8BX50pf6kiIEZ_I_s5p9a96hDPdyGGaJT-lJp8rkVDdsT3ixr6On16KXzwQyGsUgJlVxDUVlG7qdaSRMD-Wt8Dw0M_OwEGDBcE_4ljUxOJ6IlG6mLyRECI80C0-ZXyTiIztsXhbPpMXLYoZ8toiXVvUtje4ysyAIuqPIsm7p7NqgF4rozpnIMAtAn0oTg1afH9h5OWb3rexcmk8h4abtvGNHxZuqJg-nInFNH1jqo5cnmr9Ie4KAwx-SAutw43HFT4cET8iA4SJ0UW5_YfWRI1vfMBwKTNCB0heZIsgjcHTQuePO3C5bCwOYL0lFpNpZTikwDWQkKBNZJOTMYgWFEyiA">whacked</a> by Youtube due to “terms of use violation” there’s still a lot of them online. The videos claim the site allows you to “download hundreds of eBooks, comic books and more to the iPad”. I’ve seen&nbsp;clips over the last few days reference everything from Marvel and DC Comics to Disney, videogames and, er, Dennis Hopper.<br />
<br />
<a href="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia1.gif"><img alt="ipadmedia on youtube" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia1_thumb.jpg" /></a><br />
<br />
If a website wants money from you upfront but gives no indication of how they <i>give you the content</i> (while promising “no software to download, no databases to wade through”), put your credit card away and forget about it. If the site promises media such as TV or movies you can guarantee all you’ll end up with is a <a href="http://sunbeltblog.blogspot.com/2010/06/doctor-who-attack-of-fake-episode.html">download of free P2P software</a>.<br />
<br />
Similarly, websites that offer up “thousands of free downloads” for devices like iPads without indicating how this is done will usually take your money then redirect you to a free source of public domain material – which also means the innocent content provider has to field complaints from angry “customers” of the original site. A&nbsp;telltale sign&nbsp;is when a site offers vague information, or contradictory claims saying they have “no direct database”, while also claiming a database is “added to daily”. Like this:<br />
<br />
<a href="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia2.gif"><img alt="Ipdmedia2" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia2_thumb.jpg" /></a><br />
<br />
<a href="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia3.gif"><img alt="Ipdmedia3" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia3_thumb.jpg" /></a><br />
<br />
Note that they mention comics from Marvel and DC, yet there is absolutely no mention of licensing – Marvel and DC <a href="http://blog.spywareguide.com/2008/09/zango-and-the-batman-online-vi.html">don’t roll like that</a>. Comics seem to feature heavily in promotion of the site, whether through Youtube vids or the splash of Wolverine on the website itself.<br />
<br />
<a href="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia4.gif"><img alt="ipad comics" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia4_thumb.jpg" /></a><br />
<br />
<a href="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia5.gif"><img alt="ipadmedia" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/ipdmedia5_thumb.jpg" /></a><br />
<br />
Sure enough, it seems Bestpadmedia has been <a href="http://www.geardiary.com/2010/06/02/mypadmedia-the-truth-the-whole-truth-and-nothing-but-the-truth/">dissected in detail</a> – it seems they simply link to free content websites, placing a banner at the top of the frame to make it look like the content is theirs. Of course, once the end-user realises they’re paying for public domain material, the complaints go to the owner of the public domain sites.<br />
<br />
Here’s an interesting example of how the site starts <a href="http://www.geardiary.com/2010/06/07/mypadmedia-just-wont-quit/">linking to new content sources</a> as old ones block them, along with the warning message displayed by the site epubbooks(dot)com who understandably weren’t too pleased about becoming the new fall guy.<br />
<br />
Legal threats? <a href="http://www.geardiary.com/2010/05/17/mypadmedia-strikes-back/">Yep</a>, those are in the mix too along with a curious attempt to convert the critic into an affiliate. The good news is that the site uses <a href="http://www.clickbank.com/index.html">Clickbank</a> for payments, which means you should be able to get your money back within 60 days.<br />
<br />
The owner of Feedbooks(dot)com, whose site was being linked to from Mypadmedia until the complaints started coming in, estimates roughly 250 people paid for this service. That’s a lot of money for content that you should be able to access for free. When in doubt, Google the content you're looking for first - <a href="http://www.gutenberg.org/wiki/Main_Page">Project Gutenberg</a> is an excellent place to start.<br />
<br />
Christopher Boyd]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/xualwGDshEM/don-pay-to-read-public-domain-content.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Work-at-home spam with some twists</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/rPaH1kIQbps/work-at-home-spam-with-some-twists.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/rPaH1kIQbps/work-at-home-spam-with-some-twists.html#comments</comments>
		<pubDate>Tue, 27 Jul 2010 21:09:00 +0000</pubDate>
		<dc:creator>Tom Kelchner</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-4465399117714506062</guid>
		<description><![CDATA[The spam bucket is a great place to go looking for net ugliness. And when you’re in this business, that’s business as usual. Here’s a new one: Today we checked out a spam email that contained random letters and characters and a link in the middle of th...]]></description>
			<content:encoded><![CDATA[<p>The spam bucket is a great place to go looking for net ugliness. And when you’re in this business, that’s business as usual. Here’s a new one:<br /><br />Today we checked out a spam email contained random letters and characters and a link in the middle of the body:<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_6.png"><img alt="Work-at-home_6" src="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_6_thumb.jpg" border="0" /></a><br /><br />OK, we’ll bite (don’t try this at home.) We’ll see what sexycake555@hotmail.com is selling:<br /><br />The link leads to a web site moneymakermother.com (domain registered June 10, address information withheld) that tries to look like a television station web page featuring the “Clearwater Job Report,” clearly drawing on the fact that I’m coming at it from Clearwater Florida.<br /><br />“Work At Home Mom Makes $8,795/Month Part-Time” is the headline they want you to see.<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_2.png"><img alt="Work-at-home_2" src="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_2_thumb.jpg" border="0" /></a><br /><br /><br />Coupla problems with the page though:<br /><br />-- There’s no “Daily News 7” around here<br />-- The links on the top of the page (“Sign in” etc.) aren’t links, they’re just text.)<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_3.png"><img alt="Work-at-home_3" src="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_3_thumb.jpg" border="0" /></a><br /><br /><br />And the best one: The weather box:<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_20weather.png"><img alt="Work-at-home weather" src="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_20weather_thumb.jpg" border="0" /></a><br /><br />A high temperature in the 60s this time of year in Florida? 
Riiiiiiiight!<br /><br />Here’s the real forecast from weather.com: how about highs in the 90s:<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_4.png"><img alt="Work-at-home_4" src="http://www.sunbeltsoftware.com/alex/gblog/work-at-home_4_thumb.jpg" border="0" /></a><br /><br />The MoneyMakerMother page has lots of testimonials and a form for you to fill out to get your “FREE STARTER KIT.” You “Only Pay The $9.95 S&amp;H Fee!”<br /><br />So, somebody’s making $9.95 selling shipping and handling to suckers. They’ll do direct deposit too, so you can give them your bank account information.<br /><br />Riiiiiiiight!<br /><br />Tom Kelchner<br /></p><div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/rPaH1kIQbps/work-at-home-spam-with-some-twists.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy bills in U.S. Congress in brief</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/IxzXy3nggZI/privacy-bills-in-us-congress-in-brief.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/IxzXy3nggZI/privacy-bills-in-us-congress-in-brief.html#comments</comments>
		<pubDate>Tue, 27 Jul 2010 13:57:00 +0000</pubDate>
		<dc:creator>Tom Kelchner</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-6386125974069498592</guid>
		<description><![CDATA[Congressional staffers have posted a very well-written summary of the two Internet privacy bills working their way through the U.S. Congress. It provides a nice bird's-eye view of what the two bills are trying to accomplish without the usual reams of su...]]></description>
			<content:encoded><![CDATA[<p>Congressional staffers have posted a very well-written summary of the two Internet privacy bills working their way through the U.S. Congress. It provides a nice bird&rsquo;s-eye view of what the two bills are trying to accomplish without the usual reams of supporting information and point-counterpoint verbiage.<br /><br />The memorandum was prepared by the staff of the Committee on Energy and Commerce subcommittee on Commerce, Trade, and Consumer Protection, which held hearings last week on the two.<br /><br />Three key paragraphs sum up the issues and the balancing act between preserving consumer privacy and allowing fair commercial use of information that the Congressmen are struggling with:<br /><br /><em>&ldquo;There is no dispute that the reasonable collection and use of consumer information offer benefits to businesses, consumers, the marketplace, and society generally. Companies must collect information to process transactions and conduct day-to-day operations. Moreover, authentication, fraud prevention, and background checks are all activities that rely on consumer information. In addition, marketing databases help companies identify new sales leads, improve customer service, develop new lines of products, and make marketing more efficient.<br /><br />&ldquo;However, numerous consumer groups, privacy advocates, academics, companies, and others have raised privacy concerns about the collection and use of consumer data. Most recently, 17 consumer groups outlined their concerns and renewed their call for a comprehensive consumer privacy law in a letter to the Federal Trade Commission (FTC) on July 14, 2010. Privacy concerns range from being subjected to unwanted marketing to being denied goods or services based on a profile. In addition, the sale of targeted customer lists that characterize consumers as risk takers or gullible may expose consumers to increased risks of fraud. 
The use or misuse of sensitive information such as health information also could embarrass consumers, impact their employment, or lead to other problems. Other concerns have also been raised that consumers will unknowingly be &ldquo;boxed&rdquo; into categories based on past behavior and that their choices, and the information presented to them, will be limited as a result.<br /><br />&ldquo;Transparency is another issue raised by many stakeholders. Data collection practices are complex, varying from entity to entity. Even when choices are offered to consumers, they may be difficult to use, require the payment of fees, or only partially address the collection or use of information.&rdquo;<br /><br /></em>The hearing process has just begun for these two. Stakeholders on every side of the issue have been contributing to the discussion. The next step will be a new draft or drafts with revised wording reflecting the compromises. We&rsquo;ve seen no estimate of how long that might take. <br /><br />The bills:</p><br /><p>-- The Best Practices Act (HR 5777), introduced July 19 by Rep. Bobby L. Rush (D-Illinois). (Text <a href="http://energycommerce.house.gov/documents/20100720/HR5777_introduced.pdf">here.</a>)</p><br /><p>-- A discussion draft of a bill that would <em>&ldquo;require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual&rdquo;</em> submitted May 3 by Congressmen Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.). Boucher is Chairman of the House Committee on Energy and Commerce Subcommittee on Communications, Technology and the Internet and Stearns is Ranking Member. (Text <a href="http://www.boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf">here.</a>)</p><br /><p>Summary memo <a href="http://energycommerce.house.gov/documents/20100720/Briefing.Memo.ctcp.07.22.2010.pdf">here. 
</a><br /><br />Earlier Sunbelt Blog coverage here: <a href="http://sunbeltblog.blogspot.com/2010/05/is-there-privacy-law-in-making-for-us.html">&ldquo;Is there a privacy law in the making for the U.S.?&rdquo;</a><br /><br />Tom Kelchner<br /></p><div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/IxzXy3nggZI/privacy-bills-in-us-congress-in-brief.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malware removal alliance begins organizing effort</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/Vr53lV5Y7Ps/malware-removal-alliance-begins.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/Vr53lV5Y7Ps/malware-removal-alliance-begins.html#comments</comments>
		<pubDate>Mon, 26 Jul 2010 15:21:00 +0000</pubDate>
		<dc:creator>Tom Kelchner</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-6157651761007432766</guid>
		<description><![CDATA[We just got an email from Dave Mook who is part of an effort to organize the Alliance of Qualified Malware Removal Boards (AQMRB). Alliance membership will be free. Members will be reviewed every six months. Boards in the alliance will have the right to ...]]></description>
			<content:encoded><![CDATA[<p>We just got an email from Dave Mook who is part of an effort to organize the <a href="http://www.aqmrb.com/home/index.php/topic,3.0.html">Alliance of Qualified Malware Removal Boards (AQMRB).</a><br /><br />Alliance membership will be free. Members will be reviewed every six months.<br /><br />Boards in the alliance will have the right to display an official AQMRB badge:<br /><br /><a href="http://www.sunbeltsoftware.com/alex/gblog/aqmrb_member.png"><img border="0" alt="Aqmrb_member" src="http://www.sunbeltsoftware.com/alex/gblog/aqmrb_member_thumb.jpg" /></a><br /><br />Groups seeking membership must:<br /><br />- Have been in existence for at least two years.<br />- Have an acceptable use policy and/or terms of use agreement.<br />- Be on a paid hosting account.<br />- Have a fully equipped/dedicated malware removal help and support section readable to all users and guests.<br />- Have malware removal staff who are trained by or have graduated from an acknowledged malware removal school or university.<br />- Offer malware removal help free of charge for non-commercial users.<br />- Provide assistance to customers within 24 hours of their post for help.<br />- Display no web links to illegal or copyright-protected software.<br />- Host no ads which will lead to malicious content.<br />- Not serve pop-ups or pop-under ads.<br />- Fill out an application and include a complete list of malware removal staff, including a list of the schools or universities where the staff received training.<br /><br />Requests for alliance membership may be directed to the secretary of the alliance here: <a href="mailto:applications@aqmrb.com">applications@aqmrb.com</a><br /><br />Tom Kelchner<br /></p><div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/Vr53lV5Y7Ps/malware-removal-alliance-begins.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Imageshack spam leads to Zbot infection</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/KJ_qAA-EzB4/imageshack-spam-leads-to-zbot-infection.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/KJ_qAA-EzB4/imageshack-spam-leads-to-zbot-infection.html#comments</comments>
		<pubDate>Mon, 26 Jul 2010 10:14:00 +0000</pubDate>
		<dc:creator>paperghost</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-3001628721741167607</guid>
		<description><![CDATA[Over the weekend, spam started appearing in mailboxes that claimed to be an Imageshack registration notification.



That’s great, but I hadn’t registered - and certainly not with that username / password combination. A quick Google for the Forsight d...]]></description>
			<content:encoded><![CDATA[Over the weekend, spam started appearing in mailboxes that claimed to be an Imageshack registration notification.<br />
<br />
<img alt="fake imageshack mail" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/forsshack1.gif" /><br />
<br />
That’s great, but I hadn’t registered - and certainly not with that username / password combination. A quick Google for the Forsight domain (pre-compromise) reveals it to be an art gallery, so it is unfortunate that, either by accident or design, the bottom of the spam mail says the following:<br />
<br />
<img alt="spam mail" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/forsshack2.gif" /><br />
<br />
Visiting the link in the mail would bring end-users to the following fake “install to continue” message:<br />
<br />
<a href="http://www.sunbeltsoftware.com/alex/gblog/forsshack3.gif"><img alt="please update..." border="0" src="http://www.sunbeltsoftware.com/alex/gblog/forsshack3_thumb.jpg" /></a><br />
<br />
Installing the file would land the unsuspecting victim with a <a href="http://www.guardian.co.uk/technology/2009/nov/18/zbot-zeus-trojan-malware">Zbot infection</a>, not the best way to spend your weekend. Detections for this particular file are good (<a href="http://www.virustotal.com/analisis/fd7ea71e481bd142a517819ffd89c62f88ef479d65ed7f33bb6601495bece9e0-1280134762">39/42</a> on VirusTotal) – the site owners have apparently removed the executable, but there’s still some iframe activity taking place so it’s probably best to avoid the URL for the time being.<br />
<br />
One final thing to note – the “Please update your flash player” graphic the attackers are using? They’re serving up an image from the Coca-Cola website.<br />
<br />
<a href="http://www.sunbeltsoftware.com/alex/gblog/forsshack4.gif"><img alt="update your player image" border="0" src="http://www.sunbeltsoftware.com/alex/gblog/forsshack4_thumb.jpg" /></a><br />
<br />
The text in the box seems to match the overall stylings of the Coca-Cola website – it’s unlikely they’ve been compromised and had this graphic placed there, but we’ve reached out for clarification anyway and will update should we hear anything back.<br />
<br />
We detect this file as Trojan.Win32.Generic!BT. While coverage is good for that particular file across most AV products, there’s a good chance we’ll see updated “Imageshack” mails going out with fresh links, files and exploits so please: if you don’t remember signing up to something, don’t let curiosity get the better of you and simply delete the email.<br />
<br />
Christopher Boyd<div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/KJ_qAA-EzB4/imageshack-spam-leads-to-zbot-infection.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Some tragic news</title>
		<link>http://feedproxy.google.com/~r/SunbeltBlog/~3/aL7aRyZxAXo/some-tragic-news.html</link>
		<comments>http://feedproxy.google.com/~r/SunbeltBlog/~3/aL7aRyZxAXo/some-tragic-news.html#comments</comments>
		<pubDate>Sun, 25 Jul 2010 22:00:00 +0000</pubDate>
		<dc:creator>Sunbelt Software Blog</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-4685301806288348702</guid>
		<description><![CDATA[(Picture credit - AP) Readers of this blog may recall Julie Amero, the substitute teacher who narrowly escaped four felony charges. Now, things have certainly taken a turn for the worse.  Her husband, Wes (pictured above), has been diagnosed with terminal lun...]]></description>
			<content:encoded><![CDATA[<div><img src="http://www.foxnews.com/images/262239/0_61_amero_julie.jpg" /></div><div><i>(Picture credit - </i><a href="http://www.foxnews.com/story/0,2933,251782,00.html"><i>AP</i></a><i>)</i><br /><br /></div>Readers of this blog may recall Julie Amero, the substitute teacher who <a href="http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html">narrowly escaped</a> four felony charges. <div><br /></div><div>Now, things have certainly taken a turn for the worse.  Her husband, Wes (pictured above), has been diagnosed with terminal lung cancer.  Wes is a really good man -- one of the many quiet, caring men that shoulder the burdens of this world with stoic and sometimes tragic courage.  He has stood by Julie through thick and thin and it's  just horrible to see this happening.<br /><br />A <a href="http://www.bozrahmooselodge950.com/WesVolles.html">recent benefit</a> netted some cash, which is helpful.  But it's cancer, and it's pretty devastating on the finances... </div><div><br /></div><div>He recently sent me this email and gave me permission to post it:</div><div><div></div><blockquote><div>I wish I could be sending this e-mail on a cheerier subject, but that isn't the case.  It's always harder to tell bad news to the ones you love the most.  As you have heard, I have terminal cancer with an original life expectancy of about one more week (at best).  But following true to course, I never listen to anyone or anything when it comes to something that I don't want to hear.  I've never backed down from a good fight in my life and I'm not about to start now.  <b>I am going to beat this horrible disease.<br /></b><br />I'm feeling like I've been run over by a bus, but hey, even some of them survive.  
The doctors and some good friends are making me comfortable with lots of drugs, but sometimes I feel like Alice in Wonderland,  you know the song - (one pill makes you larger and one makes you small, but the ones that mother gives you don't do anything at all).  I'm down to fighting weight now (195 lbs), I've lost almost 50 lbs and everyone says I look good, and I figure that they are saying that in the context for a guy that's supposed to be dead now.  Their words of encouragement help me through some of the really tough times because  I need to stay alive for Julie, I don't think she will last long when I'm gone even though she seems to listen to me when I tell her that she must continue to live on in the aftermath of my death.  She is handling this like a trooper, but there is only so much she can handle.  She can never work again, and we are in the final stage of appealing her social security case, but that will only go so far when and if she gets it.  Her spirits are middling and the benefit that Herb is putting on will help ease her mind about being left behind with a ton of hospital and doctor bills.</div><div><br /></div><div>I haven't posted a new blog or opened up a new PayPal account, they just have not been on the top of my list of things that HAVE to be done.  Herb has worked very hard on putting <a href="http://www.bozrahmooselodge950.com/WesVolles.html">this benefit</a> together and I might add ALL on his own.  The money he will raise will most certainly help out with the bills, but I doubt very much that a meal at $10.00 dollars a head will generate the kind of funds that are needed to settle these hospital and doctor bills.  I talked with him last night and again this morning.  He said that you are doing something on your end, but that you needed a PayPal account and a blog.  The only PayPal account we have is Julie's, and there is still an icon on her blog page about halfway down that works.  
The link is below, and any and all contributions would be graciously accepted and appreciated, and after all, the money will be spent to keep her solvent and not end up having to sell the house just to pay off my bills.  I have saved enough money to pay off the house when I die, but I didn't see this cancer thing coming.<br /><br /></div><div>Alex, I feel terrible about having to ask for money.  I wasn't raised that way, but I wasn't raised to think about dying of cancer either.  So if you have contacts that are still willing to contribute to Julie, please do what you can to help her out (again).</div><div></div></blockquote><div><br /></div></div><div>If you can contribute, please do.  The original PayPal account for Julie's defense fund is still active, and donations can be made <a href="http://julieamer.blogspot.com/2007/02/contribute-to-julie.html">here</a>. </div><div><br /><br />Alex Eckelberry</div><div class="feedflare">
</div>]]></content:encoded>
			<wfw:commentRss>http://feedproxy.google.com/~r/SunbeltBlog/~3/aL7aRyZxAXo/some-tragic-news.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Black Hat 2010</title>
		<link>http://blogs.technet.com/b/msrc/archive/2010/07/22/black-hat-2010.aspx</link>
		<comments>http://blogs.technet.com/b/msrc/archive/2010/07/22/black-hat-2010.aspx#comments</comments>
		<pubDate>Thu, 22 Jul 2010 14:50:00 +0000</pubDate>
		<dc:creator>MSRCTEAM</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monthly Releases]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3345928</guid>
		<description><![CDATA[<p><b>BH Landscape</b></p>
<p>Next week, many of us here will be heading down to Las Vegas for Black Hat.&#160; The MSRC, and other teams in Microsoft, have been attending Black Hat for years.&#160; In fact, we've been sponsoring the show for the last eight years - the last five as a platinum sponsor. Some might ask why? It's funny, I can actually remember back in my days as an officer protecting networks in the U.S. Air Force, questioning why Microsoft had such a presence at the show. As much as I'd like to say it's because of the weather (after all, most of us are over here in the rainy Northwest), or because it's the largest security conference out there (it's not), or even better, because we so look forward to getting our next Pwnie Award - the truth is it's none of the above. Well, maybe just a bit on the Pwnie. But the reality is that to us, Black Hat has always been a reflection of, and driven by, the community - like-minded people from all walks of life and professions with a shared interest in advancing the state of security. They come together to share ideas, advance thinking, network and collaborate, and ultimately learn from one another.&#160; We feel connected to that and always look forward to being a part of it.</p>
<p>So with the show fast approaching, I've taken some time to reflect on where the Microsoft Security Response Center is currently and where we see ourselves going with respect to security. Specifically, I've been thinking a lot about three areas: 1) our work to address vulnerabilities in our software, 2) our work with the security community and 3) our philosophy on vulnerability disclosure. Given the fact that each of these topics has recently garnered interest and fueled discussion in the community and media, I thought I'd share my thoughts.</p>
<p><b>Vulnerabilities and Time to Fix</b></p>
<p>Some will say that we take too long to fix our vulnerabilities. But it isn't all about time-to-fix: Our chief priority with respect to security updates is to minimize disruption to our customers and to help protect them from online criminal attackers. These customers own and operate a diverse ecosystem of nearly a billion systems worldwide. It's humbling to think about the responsibility this entails and yet we embrace the challenge. Even in the face of that, our overall track record shows the window of vulnerability is being reduced and we have additional plans to improve.</p>
<p>The Microsoft Security Response Center (MSRC) receives more than 100,000 e-mail messages per year at <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> - that's nearly 275 per day or 11 per hour. This is filtered down to approximately 1,000 legitimate investigations per year. Once a vulnerability has been confirmed, a comprehensive examination is undertaken to ensure that the reported vulnerability is addressed, other vulnerabilities that might exist in related code are identified and addressed, and no new vulnerabilities or bugs are introduced during this process.</p>
<p>But why don't we commit to fixed timelines? Because it is important to consider the overall customer risk when focusing on updating software for security issues. Most security updates released by the MSRC will be rapidly deployed to hundreds of millions of systems worldwide helping to protect customers from attacks in a very short timeframe. And the software being updated is being used by hundreds of thousands of applications on all sorts of hardware in all sorts of scenarios. So it is imperative that the update has been rigorously engineered and tested in order to avoid creating any type of disruption to these systems. During this time, the MSRC monitors for signs that the vulnerability, or variants, are being used in active attacks. The MSRC does this by using comprehensive telemetry systems as well as data and information provided by customers and partners around the world, and the rest of the industry. This approach helps Microsoft balance between the potential urgency of releasing an update for a particular vulnerability and ensuring high confidence that the update will address the vulnerability, all of its variants and maintain the functionality and stability that customers expect from the affected products.</p>
<p>Many times the issue that the finder reported is an indication of other similar vulnerabilities in that area of code. And the original issue may not be the most complicated, or even the most likely to get used in attacks. Microsoft tries to address vulnerabilities and all of their variants in as few updates as possible because it costs enterprise customers time, effort and money to re-assess and deploy multiple updates for issues that could potentially be addressed in a single update. The time it takes to complete a comprehensive examination helps to ensure the number of security updates Microsoft releases and needs to re-release is kept to a minimum, thus reducing the costs and potential disruption to enterprise customers' operations. Due to the increase in quality that Microsoft has achieved over the last five years, some enterprise customers deploy security updates with little or no testing, and hundreds of millions of consumers continue to use the Automatic Update client on their systems to ensure that they stay protected automatically. </p>
<p>For the majority of issues, we are able to release high quality and comprehensive security updates to customers well before any indication of attacks, and well before they are disclosed publicly. However, there are exceptions. In some cases attacks result, and when that happens, we have to compress testing to release updates quickly. Also, when there are attacks, we release workarounds in days that can block these attacks even without the updates. Usually these take the form of a "FixIt" that can protect customers with one click or be easily deployed throughout the enterprise.</p>
<p>However, there are cases that take much longer. In fact, last year at Black Hat there was a security event dealing with a vulnerability in a library called "ATL" or "Active Template Library." That issue affected not only multiple Microsoft product versions, but also several 3<sup>rd</sup> party products and services. It took over a year to coordinate that release, and in the end, even the finders themselves understood and commented that with the complexity involved, taking over a year wasn't unreasonable. When seemingly simple security issues, such as a memory corruption bug, affect multiple different products, the coordination and calibration can drive longer timelines so no product, or customers of those products are left behind. And there have also been cases that are such deep architectural changes that they can take multiple years to fully resolve or may not be able to be resolved in some of our older products.&#160; Usually these issues result from new threats emerging that product designs or assumptions couldn't anticipate.&#160; Changing those assumptions for products that have been in market for several years does take time and coordination so customers and applications can work effectively with them.</p>
<p>Focusing on resolving security issues has and will always be a priority for us. And work to improve our processes will continue, but we must always strike a balance between timeliness and quality. </p>
<p><b>Working with the Security Community</b></p>
<p>The topic of how well Microsoft works with the security community is important to me personally, and to my team. Years ago, this was a very valid concern. I can remember being on the outside of Microsoft and watching researcher discussions noting how Microsoft wouldn't engage or was unresponsive. We've made dramatic changes on this front since the inception of Trustworthy Computing. At Microsoft we recognize, and appreciate, the unique value that security researchers play in identifying issues and helping the entire computing ecosystem improve from a security perspective. We also thank many in the community for their collaborative work over the years, and for nearly a decade we have demonstrated our commitment to working with them in an honest and transparent manner. We may not always agree on the severity and the amount of time it should take to develop and test an update that has to work with hundreds of millions of computers, but we do believe we're fair and open when working with researchers. It's not in our interest or the interest of our customers to behave any differently.</p>
<p>&#160;Throughout the years we've seen researchers saying that if vendors really valued their work, we'd compensate them directly for the vulnerabilities they discover. That's a trend that's continued in recent weeks. We absolutely value the researcher ecosystem, and show that in a variety of ways. The most well-known is the fact that we acknowledge the researcher's work in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. And that's just the tip of the iceberg. We also work to make sure we can support the community's development by sponsoring and supporting nearly 50 security conferences in over 20 countries each year.&#160; </p>
<p>Probably the community effort that started more of the deeper relationships we've built with researchers is our own little "hacker" conference we host at Redmond each year, called "BlueHat Security Briefings." Launched in 2004, this conference is aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas, social networking and ultimately improving the security of Microsoft products. Key to the success of BlueHat and its benefit to our customers is the direct question-and-answer access that researchers get with the specific owners of the technology they're researching. In many cases, some of our direct competitors have sat on our stage at Microsoft and talked about problems in our products, directly to the folks that develop and manage them. And they've been able to get feedback on their research from the same folks as well. </p>
<p><b>The Shift to Coordinated Vulnerability Disclosure</b></p>
<p>If there's one area that has had staying power in terms of driving polarized debate in the broader security community - as manifested in mainstream and social media this past month - it's in how to disclose vulnerability details.&#160; Ideally, updates for those vulnerabilities are available for all customers before details are broadly available. This allows us to protect the end-users because they just get the updates automatically, and large Enterprises can analyze, prioritize and deploy updates to hundreds of thousands of systems quickly. When communication breakdowns and disagreements happen, resulting in vulnerability details disclosed by researchers before we release an update, those details are then used by criminals to attack our customers. The worst situation is when vulnerabilities aren't disclosed to the vendor at all, because then there's very little hope of broad protections ever getting released for all customers.&#160; </p>
<p>Because of this range of situations, we also see a range of philosophies. Of course, Microsoft always supported the position that the best way to disclose issues is in a coordinated fashion, where details of the vulnerability are released in conjunction with an update that is broadly available for customers. This is known as "Responsible Disclosure." The term itself can be subjective because if either party doesn't abide by those terms, it is implied that they themselves are "irresponsible." Debate on this very issue of responsibility is understandable; however, it is important to remember that in the end we are dealing with customer safety issues - and we should all take that seriously. It is unfortunate these debates can make us lose focus on what is really important - protecting people using the Internet from harm. </p>
<p>Today, Matt Thomlinson, the general manager of Security at Trustworthy Computing, introduced a new disclosure philosophy Microsoft is adopting called Coordinated Vulnerability Disclosure <a href="http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx">http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx</a> .&#160; Katie Moussouris, senior security strategist on the MSRC Ecosystem Strategy team, provides more information and insight on the necessity of this shift in disclosure philosophy and practice on the MSRC Ecosystem Strategy Team Blog <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx</a>. You'll see from her post, we're not alone in acknowledging it is time for a change. Other vendors and researchers from the broader community of defenders are supportive and will be instrumental in making this shift a reality. So read the post, provide your feedback and then join us in making this an industry wide shift. </p>
<p>Now back to the catalyst for this post - Black Hat.&#160; We're just a few days from the event itself and we'll likely see more themes develop once it kicks off. But I hope the thoughts I've shared here provide some insights into our point of view on recent discussions in the community. </p>
<p>The realities of today's threat landscape point to a world that has shifted from a variety of participants with various motives to one of two sides - those who intend to harm or commit crime and those who intend to prevent harm and fight crime. As an industry and community, philosophical differences or competition aside, we should be in this together. Our own welfare as individuals and a collective community is at stake with unseen criminals who show no indication of backing down. It's our hope that this effort to shift to a shared responsibility of coordination and collaboration is something that is carried beyond Black Hat as we progress and evolve as a global community of defenders.</p>
<p>Hope to see you at Black Hat!</p>
<p>Mike Reavey<br />Director, MSRC</p>]]></description>
			<content:encoded><![CDATA[<p><b>BH Landscape</b></p>
<p>Next week, many of us here will be heading down to Las Vegas for Black Hat.&nbsp; The MSRC, and other teams in Microsoft, have been attending Black Hat for years.&nbsp; In fact, we've been sponsoring the show for the last eight years - the last five as a platinum sponsor. Some might ask why? It's funny, I can actually remember back in my days as an officer protecting networks in the U.S. Air Force, questioning why Microsoft had such a presence at the show. As much as I'd like to say it's because of the weather (after all, most of us are over here in the rainy Northwest), or because it's the largest security conference out there (it's not), or even better, because we so look forward to getting our next Pwnie Award - the truth is it's none of the above. Well, maybe just a bit on the Pwnie. But the reality is that to us, Black Hat has always been a reflection of, and driven by, the community - like-minded people from all walks of life and professions with a shared interest in advancing the state of security. They come together to share ideas, advance thinking, network and collaborate, and ultimately learn from one another.&nbsp; We feel connected to that and always look forward to being a part of it.</p>
<p>So with the show fast approaching, I've taken some time to reflect on where the Microsoft Security Response Center is currently and where we see ourselves going with respect to security. Specifically, I've been thinking a lot about three areas: 1) our work to address vulnerabilities in our software, 2) our work with the security community and 3) our philosophy on vulnerability disclosure. Given the fact that each of these topics has recently garnered interest and fueled discussion in the community and media, I thought I'd share my thoughts.</p>
<p><b>Vulnerabilities and Time to Fix</b></p>
<p>Some will say that we take too long to fix our vulnerabilities. But it isn't all about time-to-fix: Our chief priority with respect to security updates is to minimize disruption to our customers and to help protect them from online criminal attackers. These customers own and operate a diverse ecosystem of nearly a billion systems worldwide. It's humbling to think about the responsibility this entails and yet we embrace the challenge. Even in the face of that, our overall track record shows the window of vulnerability is being reduced and we have additional plans to improve.</p>
<p>The Microsoft Security Response Center (MSRC) receives more than 100,000 e-mail messages per year at <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> - that's nearly 275 per day or 11 per hour. This is filtered down to approximately 1,000 legitimate investigations per year. Once a vulnerability has been confirmed, a comprehensive examination is undertaken to ensure that the reported vulnerability is addressed, other vulnerabilities that might exist in related code are identified and addressed, and no new vulnerabilities or bugs are introduced during this process.</p>
<p>But why don't we commit to fixed timelines? Because it is important to consider the overall customer risk when focusing on updating software for security issues. Most security updates released by the MSRC will be rapidly deployed to hundreds of millions of systems worldwide helping to protect customers from attacks in a very short timeframe. And the software being updated is being used by hundreds of thousands of applications on all sorts of hardware in all sorts of scenarios. So it is imperative that the update has been rigorously engineered and tested in order to avoid creating any type of disruption to these systems. During this time, the MSRC monitors for signs that the vulnerability, or variants, are being used in active attacks. The MSRC does this by using comprehensive telemetry systems as well as data and information provided by customers and partners around the world, and the rest of the industry. This approach helps Microsoft balance between the potential urgency of releasing an update for a particular vulnerability and ensuring high confidence that the update will address the vulnerability, all of its variants and maintain the functionality and stability that customers expect from the affected products.</p>
<p>Many times the issue that the finder reported is an indication of other similar vulnerabilities in that area of code. And the original issue may not be the most complicated, or even the most likely to get used in attacks. Microsoft tries to address vulnerabilities and all of their variants in as few updates as possible because they cost enterprise customers time, effort and money to re-assess and deploy multiple updates for issues that could potentially be addressed in a single update. The time it takes to complete a comprehensive examination helps to ensure the number of security updates Microsoft releases and needs to re-release is kept to a minimum, thus reducing the costs and potential disruption to enterprise customers' operations. Due to the increase in quality that Microsoft has achieved over the last five years, some enterprise customers deploy security updates with little or no testing, and hundreds of millions of consumers continue to use the Automatic Update client on their systems to ensure that they stay protected automatically. </p>
<p>For the majority of issues, we are able to release high quality and comprehensive security updates to customers well before any indication of attacks, and well before they are disclosed publicly. However, there are exceptions. In some cases attacks result, and when that happens, we have to compress testing to release updates quickly. Also, when there are attacks, we release workarounds in days that can block these attacks even without the updates. Usually these take the form of a "FixIt" that can protect customers with one click or be easily deployed throughout the enterprise.</p>
<p>However, there are cases that take much longer. In fact, last year at Black Hat there was a security event dealing with a vulnerability in a library called "ATL" or "Active Template Library." That issue affected not only multiple Microsoft product versions, but also several 3<sup>rd</sup> party products and services. It took over a year to coordinate that release, and in the end, even the finders themselves understood and commented that with the complexity involved, taking over a year wasn't unreasonable. When seemingly simple security issues, such as a memory corruption bug, affect multiple different products, the coordination and calibration can drive longer timelines so no product, or customers of those products are left behind. And there have also been cases that are such deep architectural changes that they can take multiple years to fully resolve or may not be able to be resolved in some of our older products.&nbsp; Usually these issues result from new threats emerging that product designs or assumptions couldn't anticipate.&nbsp; Changing those assumptions for products that have been in market for several years does take time and coordination so customers and applications can work effectively with them.</p>
<p>Focusing on resolving security issues has and will always be a priority for us. And work to improve our processes will continue, but we must always strike a balance between timeliness and quality. </p>
<p><b>Working with the Security Community</b></p>
<p>The topic of how well Microsoft works with the security community is important to me personally, and to my team. Years ago, this was a very valid concern. I can remember being on the outside of Microsoft and watching researcher discussions noting how Microsoft wouldn't engage or was unresponsive. We've made dramatic changes on this front since the inception of Trustworthy Computing. At Microsoft we recognize, and appreciate, the unique value that security researchers play in identifying issues and helping the entire computing ecosystem improve from a security perspective. We also thank many in the community for their collaborative work over the years, and for nearly a decade we have demonstrated our commitment to working with them in an honest and transparent manner. We may not always agree on the severity and the amount of time it should take to develop and test an update that has to work with hundreds of millions of computers, but we do believe we're fair and open when working with researchers. It's not in our interest or the interest of our customers to behave any differently.</p>
<p>&nbsp;Throughout the years we've seen researchers saying that if vendors really valued their work, we'd compensate them directly for the vulnerabilities they discover. That's a trend that's continued in recent weeks. We absolutely value the researcher ecosystem, and show that in a variety of ways. The most well-known is the fact that we acknowledge the researcher's work in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update. And that's just the tip of the iceberg. We also work to make sure we can support the community's development by sponsoring and supporting nearly 50 security conferences in over 20 countries each year.&nbsp; </p>
<p>Probably the community effort that started more of the deeper relationships we've built with researchers is our own little "hacker" conference we host at Redmond each year, called "BlueHat Security Briefings." Launched in 2004, this conference is aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas, social networking and ultimately improving the security of Microsoft products. Key to the success of BlueHat and its benefit to our customers is the direct question-and-answer access that researchers get with the specific owners of the technology they're researching. In many cases, some of our direct competitors have sat on our stage at Microsoft and talked about problems in our products, directly to the folks that develop and manage them. And they've been able to get feedback on their research from the same folks as well. </p>
<p><b>The Shift to Coordinated Vulnerability Disclosure</b></p>
<p>If there's one area that has had staying power in terms of driving polarized debate in the broader security community - as manifested in mainstream and social media this past month - it's in how to disclose vulnerability details.&nbsp; Ideally, updates for those vulnerabilities are available for all customers before details are broadly available. This allows us to protect the end-users because they just get the updates automatically, and large Enterprises can analyze, prioritize and deploy updates to hundreds of thousands of systems quickly. When communication breakdowns and disagreements happen, resulting in vulnerability details disclosed by researchers before we release an update, those details are then used by criminals to attack our customers. The worst situation is when vulnerabilities aren't disclosed to the vendor at all, because then there's very little hope of broad protections ever getting released for all customers.&nbsp; </p>
<p>Because of this range of situations, we also see a range of philosophies. Of course, Microsoft always supported the position that the best way to disclose issues is in a coordinated fashion, where details of the vulnerability are released in conjunction with an update that is broadly available for customers. This is known as "Responsible Disclosure." The term itself can be subjective because if either party doesn't abide by those terms, it is implied that they themselves are "irresponsible." Debate on this very issue of responsibility is understandable; however, it is important to remember that in the end we are dealing with customer safety issues - and we should all take that seriously. It is unfortunate these debates can make us lose focus on what is really important - protecting people using the Internet from harm. </p>
<p>Today, Matt Thomlinson, the general manager of Security at Trustworthy Computing, introduced a new disclosure philosophy Microsoft is adopting called Coordinated Vulnerability Disclosure <a href="http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx">http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx</a> .&nbsp; Katie Moussouris, senior security strategist on the MSRC Ecosystem Strategy team, provides more information and insight on the necessity of this shift in disclosure philosophy and practice on the MSRC Ecosystem Strategy Team Blog <a href="http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx">http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx</a>. You'll see from her post, we're not alone in acknowledging it is time for a change. Other vendors and researchers from the broader community of defenders are supportive and will be instrumental in making this shift a reality. So read the post, provide your feedback and then join us in making this an industry wide shift. </p>
<p>Now back to the catalyst for this post - Black Hat.&nbsp; We're just a few days from the event itself and we'll likely see more themes develop once it kicks off. But I hope the thoughts I've shared here provide some insights into our point of view on recent discussions in the community. </p>
<p>The realities of today's threat landscape point to a world that has shifted from a variety of participants with various motives to one of two sides - those who intend to harm or commit crime and those who intend to prevent harm and fight crime. As an industry and community, philosophical differences or competition aside, we should be in this together. Our own welfare as individuals and a collective community is at stake with unseen criminals who show no indication of backing down. It's our hope that this effort to shift to a shared responsibility of coordination and collaboration is something that is carried beyond Black Hat as we progress and evolve as a global community of defenders.</p>
<p>Hope to see you at Black Hat!</p>
<p>Mike Reavey<br />Director, MSRC</p>]]></content:encoded>
			<wfw:commentRss>http://blogs.technet.com/b/msrc/archive/2010/07/22/black-hat-2010.aspx/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
