It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.
BlueHat kicks off on October 9th where we will spend the day focusing on researcher methodologies such as fuzzing, red team assessments, malware analysis and BIOS attacks. On the second day, we will have three tracks starting with Security & Identity, followed by State of the Hack (focusing on next generation of advanced persistent threats and web exploit detection) and then finally, we will end with Security in Deployed Environments.
We are very excited about the interaction between Microsoft engineers and the other top security experts who are coming to speak at the event. Here is a list of their talks:
*Please note that this schedule is subject to change.
October 9th, 2014

Columns: START | END | SPEAKER | TALK TITLE

9:00 AM | 9:40 AM | Chris Betz | Keynote

10:20 AM | Stefano Zanero | Botintime - Phoenix: DGA-based Botnet Tracking and Intelligence
It's common knowledge that a malicious domain that was automatically generated will not become popular, and also that an attacker will register a domain under a Top Level Domain that does not require clearance. Hence, we use Phoenix, which filters out domains likely to have been generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains using linguistic features.

10:35 AM | 11:15 AM | Scott Longheyer | Government Snooping Potentially Now Constitutes an Advanced Persistent Threat
Security is the application of Privacy's intentions, so open the pocketbook and check your ciphers. Gain a deeper understanding of Microsoft's position on privacy and how online services intend to protect customer data.

11:55 AM | Jackdaw talk - Automatic Malware Behavior Extraction and Tagging
This talk will focus on our approach for extracting (interesting) behavior specifications in an automatic way from a large collection of (untagged) malware. Why? Because we believe in supporting the analyst by providing a list of important behaviors, with a rough explanation, to prioritize the analysis.

12:55 PM | Lunch

1:15 PM | Xeno Kovah | UEFI - What would it take to enable global firmware vulnerability & integrity checking?
This talk will describe what actions are being taken to improve security for PC firmware, and what different groups in Microsoft can do to help.

1:35 PM | Yuriy Bulygin | UEFI - Summary of Attacks against BIOS and Secure Boot
A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe the underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify whether your system has any of these problems.

2:15 PM | Josh Thomas | Behind the NDA: How to attack a product under deadline
This talk will focus on a brief security assessment of the Windows Phone / Nokia Lumia platforms with the intent of exploring attack methodologies. It will also cover how we as consultants approach a new problem or technology and how we can quickly become productive on new and previously unknown or unexplored hardware and software components.

2:35 PM | Sergey Bratus, Julian Bangert | Defining and Enforcing Intent Semantics at ABI level
Dominant OS security policy designs treat a process as an opaque entity that has a "bag" of permissions to access some OS resources at any time, in any order. Now that the sensitive data we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with the existing ABI, standard build chains, and binary utilities.

2:50 PM | Break

3:30 PM | Andrew Ruef | Build It Break It Competition
We created a competition where students design and implement secure programs, and identify bugs in each other's programs. We'll talk about the design of the competition, the data we've gathered from running it, our plans for future competitions, and what the data is telling us about software security, programming languages, education, and software development.

4:10 PM | Ram Shankar Siva Kumar, John Walton | Subverting machine learning detections for fun and profit
If you are using machine learning in your feature, it can be attacked! This talk is a primer on adversarial machine learning, in which we show how attackers can manipulate machine learning systems to get the result they want you to see. You will learn how to protect yourself and detect such attacks. You don't need to know about machine learning to attend this talk; we've got you covered.

4:40 PM | Lightning Talks
October 10th, 2014

10:00 AM | Lightning Talks & Breakfast

10:40 AM | Benjamin Delpy, Chris Campbell, Skip Duckwall | The Attacker's View of Windows Authentication and Post Exploitation part 1
This talk will focus on how Windows authentication works in the real world and what the popular attacks against it are. You will learn the thought process of attackers in the real world and how it differs from a defender's perspective. We'll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we'll discuss next steps: how do you design services that are breach-resistant and make authentication harder to crack?

11:20 AM | The Attacker's View of Windows Authentication and Post Exploitation part 2

11:35 AM | 12:15 PM | Ho John Lee | Privacy and Security in a Personalized Services World
An introduction and discussion of current policy issues around personalized mobile and cloud-based knowledge services. In this talk you will learn about some of the privacy and policy issues associated with large-scale, cloud-based personalization that are different from those in web search, email, or social networks. I will also present some concepts and patterns for building mobile and personalized services that honor individual user data obligations while also enabling offline data analysis and a global, low-latency serving infrastructure.

Bo Qu | The failure and success in IE fuzzing
The road to success is often paved with failure. In this presentation we will discuss the mistakes and challenges we overcame while developing our fuzzer, which has successfully discovered over 100 vulnerabilities in Internet Explorer. Welcome to the school of hard knocks!

1:55 PM | John Walton | Next Generation Advanced Persistent Threat™
What will tomorrow's threat landscape look like? How can attacks become even more advanced than what we are observing today? What will the adversary's arsenal contain? The Next Generation Advanced Persistent Threat™ talk will peer into the future and address these exact questions. Come discover how we will continue to be outmaneuvered during every phase of the cyber kill chain.

2:55 PM | David Finn | Fighting Cybercrime with Big Data
The Microsoft Digital Crimes Unit ("DCU") is a team of about 100 people, including former prosecutors, law enforcement officials, security analysts, investigators, attorneys, and intelligence analysts, dedicated to the fight against global cybercrime. In this presentation about DCU's CSI-like blend of crime fighting and technology, find out how Big Data and analytics are revolutionizing everything DCU does: helping protect internet users, and disrupting and dismantling criminal organizations all over the world.

3:10 PM | Alexandra Savelieva, Daniel Eshner, Nuwan Ginige, Mohammad Usman | Data Isolation In Multitenant Cloud Environment
In our talk, you'll learn about a new solution that we built to address the problem of managing access to data across various fabrics and processing environments, in order to mitigate the top security threats to a cloud-based distributed application platform shared by multiple partners, including isolation of mutually distrustful tenant applications running side-by-side on a commodity server.

4:30 PM | Daniel Edwards | Engineer's guide to DDOS
Are you ready to discuss DDoS? Can your online service be weaponized to attack? It's already happened to others. Is yours next?
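Returning to the Phoenix abstract in the October 9th schedule above: the Python below is an added illustration of the two filters that abstract describes (drop names that are already popular, then separate DGA-looking labels from human-chosen ones using linguistic features). It is not Phoenix's code; the popular-domain list, the dictionary, the benign training labels and every threshold are constructed for the demonstration.

```python
"""Illustrative DGA-vs-human domain filter built on linguistic features.

Added example, not Phoenix's implementation. All lists and thresholds are
constructed for the demonstration and stand in for real data feeds.
"""
import math
import statistics
from collections import Counter

# Constructed stand-in for a top-sites feed: a popular name is kept as-is,
# mirroring the abstract's observation that generated domains never become popular.
POPULAR_DOMAINS = {"microsoft.com", "example.org", "wikipedia.org"}

# Tiny dictionary; a real deployment would load a full word list.
WORDS = {"micro", "soft", "secure", "mail", "cloud", "shop", "news", "blue",
         "hat", "bank", "online", "store", "update", "photo", "share", "web",
         "home", "net", "work", "free", "best", "deal", "the", "my", "login"}
MAX_WORD = max(len(w) for w in WORDS)

# Constructed benign labels used only to learn character-bigram statistics.
BENIGN_TRAIN = ["microsoft", "securemail", "cloudshop", "bluehat", "onlinebank",
                "photoshare", "webstore", "homenetwork", "freeupdate", "bestdeal"]


def registered_label(domain):
    """Label left of the public suffix ('foo' for 'www.foo.com').
    Assumes a single-label suffix; production code would use a suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def meaningful_word_ratio(label):
    """Fraction of characters covered by non-overlapping dictionary words."""
    n = len(label)
    best = [0] * (n + 1)  # best[i]: most characters coverable in label[:i]
    for i in range(1, n + 1):
        best[i] = best[i - 1]
        for j in range(max(0, i - MAX_WORD), i):
            if label[j:i] in WORDS:
                best[i] = max(best[i], best[j] + i - j)
    return best[n] / n if n else 0.0


def vowel_ratio(label):
    """Share of vowels among the letters; random strings sit near 5/26."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(label):
    """Pronounceable names rarely chain four or more consonants."""
    run = longest = 0
    for c in label:
        run = run + 1 if (c.isalpha() and c not in "aeiou") else 0
        longest = max(longest, run)
    return longest


class BigramModel:
    """Add-one smoothed character-bigram log-probabilities from benign labels."""

    def __init__(self, labels):
        counts = Counter(a + b for lab in labels for a, b in zip(lab, lab[1:]))
        total = sum(counts.values())
        vocab = 26 * 26 + 1
        self.unseen = math.log(1 / (total + vocab))
        self.logp = {bg: math.log((c + 1) / (total + vocab)) for bg, c in counts.items()}
        scores = [self.score(lab) for lab in labels]
        # Labels scoring well below the benign training range look unnatural.
        self.threshold = statistics.mean(scores) - 2 * statistics.pstdev(scores)

    def score(self, label):
        """Mean bigram log-probability of the label (higher = more English-like)."""
        pairs = list(zip(label, label[1:]))
        if not pairs:
            return self.unseen
        return sum(self.logp.get(a + b, self.unseen) for a, b in pairs) / len(pairs)


MODEL = BigramModel(BENIGN_TRAIN)


def dga_signals(label, model=MODEL):
    """Number of linguistic features (0-4) that point to an algorithmic generator."""
    return sum([
        meaningful_word_ratio(label) < 0.5,
        vowel_ratio(label) < 0.25,
        longest_consonant_run(label) >= 4,
        model.score(label) < model.threshold,
    ])


def classify(domain, model=MODEL):
    """'popular' (kept), 'human-like' (filtered out) or 'dga-candidate'."""
    if domain.lower().strip(".") in POPULAR_DOMAINS:
        return "popular"
    label = registered_label(domain)
    # Requiring two agreeing signals keeps one borderline feature from deciding.
    return "dga-candidate" if dga_signals(label, model) >= 2 else "human-like"


if __name__ == "__main__":
    for d in ["microsoft.com", "securemail.com", "bluehatstore.net", "xkqzvjwtrh.com"]:
        print(f"{d:20} {classify(d)}")
```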
Today marks the next evolution in bounty programs at Microsoft as we launch the Microsoft Online Services Bug Bounty program starting with Office 365. In our mobile first, cloud first world, this is an exciting and logical evolution to our existing bug bounty programs.
Office 365 is the first of our online services groups to launch a bounty for vulnerabilities found in their services and we will bring others into the program as we go forward. For a list of eligible services and program terms, please visit http://www.microsoft.com/bountyprograms. Of course, any vulnerabilities discovered in any Microsoft products or services can and should be reported according to our Coordinated Vulnerability Disclosure guidelines to us by emailing [email protected].
We invite you to also read the Office 365 blog post here where our colleagues there discuss some of what they are hoping to see as a result of this program. Our goal with bounty programs is ultimately unchanged and that is to uncover issues and protect customers as quickly as possible and as always, partnering with the security research community offers us the broadest way to do that.
Happy Hunting!
Akila Srinivasan
This week, starting Thursday, we’ll be hosting our 13th edition of BlueHat. I’m always so impressed with the level of knowledge we attract to each BlueHat, and while the event is invite-only, we’ll be sharing glimpses into the event via this blog and the hashtag #BlueHat.
For each of the past six years I have had the honor to work among some of the most talented engineers I have ever met, here at Microsoft. I am inspired by the mission we embrace in securing our products, devices, and services. There are few other vantage points with as broad a footprint on the internet, since one of Microsoft's early mottos helped put "a computer in every home." Our job in the Microsoft Security Response Center (MSRC) is to help protect the customers who use the technology that the rest of the company works so hard to create. In everything we do in the MSRC, we strive to fulfill our mission to help ensure the security and privacy of over a billion computer systems and our customers worldwide.
In 2005, we started the BlueHat conference to educate the developers and executives of Microsoft about current and emerging threats. The idea was to bring the hackers and security researchers to us, and in doing so foster an environment where the bidirectional exchange of ideas around the balance between security and functionality could meet fertile ground in the famed “hallway track.” We hand-pick just a small number of speakers and external attendees to concentrate on learning from them in most cases, and the chance to teach some of them from what we have learned, to help enhance the security and privacy of the Internet as a whole.
This year is no different in that we have invited speakers chosen to educate, amaze, and work with Microsoft to help us understand the emerging security threats to us and our customers. Together, we will rise to face the most important challenges in helping to secure the global Internet ecosystem.
Beginning on Dec 12, 2013, we’ll begin this year’s BlueHat by focusing on the threat landscape, learning about determined adversaries to help us defend our own network and assets, and tools to detect and mitigate attacks. Next we’ll welcome some of the world’s top experts to discuss devices and services, from low-level hardware to web services, to help us build products, devices, and services that are more secure from the ground up.
Finally, we’ll close out the conference with a thought-provoking track that I like to call the “Persistence of Trust,” where we will discuss the core elements that comprise the trust we rely on to support what the Internet has become – a global information sharing network that humanity uses to exchange goods, services, money, and most importantly, ideas. To support these functions, we must strengthen the technology that underlies and supports that trust, and we must design products, devices, and services that are resistant to security and privacy breaches.
Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v13.
Day 1: Thursday, December 12
Microsoft Technical Fellow, Anders Vinberg, will open BlueHat’s first track, Threat Landscape. Anders will talk about a broad assurance initiative for the next wave, covering Windows Server and System Center, in close alignment with the Core OS team, identity, Office and Azure. Next, we’ll set the stage with a talk from FireEye’s Zheng Bu and YiChong Lin designed to walk us through the techniques of the average and not so average targeted attacker, and show us ways to detect and combat the adversary. Microsoft Partner Development Manager, Mario Goertzel, will then speak to some of the hard problems that we face in antimalware - specifically, how we equip customers and partners with the right tools and analysis to help us all defend our networks and assets. Closing out the Threat Landscape track, Microsoft Principal Security Program Manager Lead, Graham Calladine, and Microsoft Senior Security Software Development Engineer, Thomas Garnier, will walk us through what attackers are doing now, how our current products and practices work against us, and how we can change this.
After lunch, the Devices & Services track kicks off with Josh Thomas, whose DARPA-funded research will reveal some hardware-level universal attacks that are possible on mobile devices. Next up we will have Microsoft's first Mitigation Bypass Bounty recipient, James Forshaw, talk about executing unsigned code on the Surface RT without jailbreaking it. Next, Microsoft Principal Software Development Engineer, Lee Holmes, will talk with us about PowerShell. Chris Tarnovsky will then discuss semiconductor devices and their backward steps in physical security through higher Common Criteria ratings. Next up, we'll hear from Microsoft Partner Development Manager, Chris Kaler, and Microsoft Senior Program Manager, Serge Mera, about the latest in Message Analyzer. Mario Heiderich will then take us into the wilds of JavaScript MVC and templating frameworks. The afternoon will wrap up with a call to action from our own Russ McRee, followed by several lightning talks.
Day 2: Friday, December 13
Taking into consideration the inevitable socializing from the night before, we're giving our attendees a slow morning. Between 9:00 AM and 12:00 noon we'll have a recovery brunch with mimosas, lightning talks, and the famed hallway track. I'll be the Day 2 keynote opening the track Persistence of Trust, at 12:30 PM. My talk will focus on security strategy at Microsoft, what we're doing in terms of our defensive industry partner programs like MAPP, and of course, I'll provide an update on our strategic Bounty programs. I'll then hand off to Justin Troutman, who will talk about Mackerel, a cryptographic design and development framework based on the premise that real-world cryptography is not about cryptography at all; it's about products. Peter Gutmann, famed researcher with the University of Auckland, New Zealand, will take the stage and illuminate the psychology of computer insecurity. After a short break, Alex Stamos, CTO of Artemis Internet, and Tom Ritter, Principal Security Engineer with iSEC Partners, will awaken us with tales of life after elliptic curve crypto's coming extinction. From Bromium Labs we'll hear from Rahul Kashyap and Rafal Wojtczuk, who will discuss and demonstrate how to reliably break out of various popular sandboxes. Finally, closing BlueHat v13, renowned security and privacy expert and advocate of human rights, Morgan Marquis-Boire will explore what I call the elephant in the room, as he discusses the surveillance landscape and coercion-resistant design.
As chair of the BlueHat content board, I would be remiss in my duty to the mission of BlueHat if I ignored the revelations of the summer of 2013, and the concerns about government surveillance of the internet. Hence, we will be continuing our internal dialog with a conversation with Morgan and others in attendance on how to design products, devices, and services that are more resistant to abuse and surveillance. For us, and for over a billion of our customers worldwide, this issue transcends borders and politics. We are a global company and part of a global community, and as such we will continue to work with our customers, partners, and even our competitors to ensure a safer, more trustworthy Internet for all.
From the age of the great worms, to the evolution of more sophisticated and targeted attacks, to the era where modern warfare takes place on not only the information superhighway, but also on the civilian streets of the Internet, we will serve faithfully in our mission to help protect our customers from security and privacy breaches, no matter the adversary.
BlueHat is coming. Brace yourselves.
Katie Moussouris
Senior Security Strategist
Microsoft Security Response Center
http://twitter.com/k8em0 (that's a zero)
Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does – or at least sings from the sidelines to the songs they know. One of my all-time favorite songs is Bon Jovi’s Wanted Dead or Alive, and it’s the song in my head as I write this post. By the end, I hope to have a few more people singing along. Go ahead and load it into the playlist as you read on.
Today, Microsoft is announcing the first evolution of its bounty programs, first announced in June of 2013. We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can “sing along” to earn big bounty payouts than ever before.
Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.
Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows. The stronger the shield, the less likely any individual bug or arrow can get through. Learning about “ways around the shield,” or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug – hence, we are willing to pay $100,000 for these rare new techniques.
Building upon the success of our strategic bounty programs, Microsoft is evolving the bounty landscape to the benefit of our customers. The bounty programs we have created are designed to change the dynamics and the economics of the current vulnerability market. We currently do this in a few ways:
Offering bounties for bugs when other buyers typically are not buying them (e.g. during the preview/beta period) allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.
Offering researchers a $100,000 bounty to teach us new mitigation bypass techniques enables us to build better defenses into our products faster and to provide workarounds and mitigations through tools such as EMET.
Evolving our bounty programs to include responders and forensic experts, who can turn in techniques that are being used in active attacks, enables us to work on building better defenses into our products. We will work whenever possible with our MAPP program and engage our community network of defenders to help mitigate these attacks more rapidly.
In this new expansion of Microsoft’s bounty programs, organizations and individuals are eligible to submit Proof-of-Concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants would also be eligible for up to $50,000 in addition if they also submit a qualifying defense idea. The submission criteria for both programs are similar – but the source may be different.
To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you pre-register and sign an agreement, we'll accept an entry consisting of a technical write-up and proof-of-concept code for bounty consideration. We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we'll pay for them even if they are currently being used in targeted attacks, as long as the attack technique is new, because we want them dead or alive.
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.
We shall see how the song plays out, but I for one am excited for more singers to step up to the microphone, or to sing out from the sidelines.
Senior Security Strategist and karaoke MC
http://twitter.com/k8em0 (that's a zero)
Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps.
Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.
While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.
The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.
If you have a new mitigation bypass technique that can defeat our latest platform-wide mitigations, or a new defense idea, and would like to participate in our bounty programs, please see the official guidelines here. For a technical description of an exploitation technique that would have qualified, please read the SRD blog by Matt Miller and William Peteroy here. If you have an idea that's in scope, please send your whitepaper and proof-of-concept code to secure [at] Microsoft [dot] com.
We’re not done evolving our freshly minted bounty programs, which have now paid out over $128,000. Watch this blog for future developments as we continue to hone the biggest ongoing vendor bounty program in the industry.
Until then, our special thanks go to James: Congratulations and well done! You not only made history by receiving a total of $109,400 from our bounty programs, you’re also helping us make our customers safer from entire classes of attack. On behalf of over a billion people worldwide -- Thank you and way to go!!
Senior Security Strategist, Microsoft Security Response Center
Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops. Today I’m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs. When we launched our bounty programs in June this year, we had a few strategic goals in mind:
Now that we have permission from the bounty program recipients to publish their names and bounty amounts, I’ll list them all here. You may have seen a few congratulatory and celebratory tweets; we wanted to officially acknowledge these security researchers who have helped our customers by participating in our bounty programs.
On behalf of over a billion customers, THANK YOU!
James Forshaw
Ivan Fratric
Jose Antonio Vazquez Gonzalez
Masato Kinugawa
Fermin J. Serna
Peter Vreugdenhil
I am also thrilled to highlight a few of our bounty program results:
Overall:
We’ve worked with so many bright security researchers through the years, and are thrilled that through the bounty programs, we received reports from researchers who had never reported to us directly before. This means we have even more great minds interested in working directly with us to help make our products more secure.
IE11 Preview Bug Bounty:
During the first 30 days of the IE11 preview period we received several vulnerabilities that qualified for a bounty, in contrast to the first 30 days of the IE10 beta, when we did not receive any bulletin-class reports. The Preview period is a great time for us to receive these reports because we can address these issues earlier. Researchers often do not report these findings until after code has been released to manufacturing. With these submissions, we will be able to address these vulnerabilities earlier in the process, providing a more secure version of Internet Explorer.
As the leaves turn colors and the temperatures cool off, I’m happy to be sharing the bountiful harvest of our programs, started as seeds planted in early summer. It’s been a great first three months of Microsoft’s bounty programs, and we’re overjoyed that our programs have been met with great participation and enthusiasm from the hacker community.
Stay tuned for more news coming soon!
Katie Moussouris
Senior Security Strategist, Microsoft Security Response Center
http://twitter.com/k8em0 (that's a zero)
A little more than a month ago, we announced some new initiatives for the Microsoft Active Protections Program (MAPP). One of those announcements was “MAPP for Responders.” The initial response has been extremely positive, so we wanted to provide more information on how we are moving this program forward.
Since the announcement, we’ve been working towards launching two initiatives as a single beta with a limited set of customers and partners. The first is the pilot of the MAPP Scanner service that we previously announced. The second initiative is a beta of a completely new automated knowledge exchange platform. We alluded to this platform in our first post and want to give some additional details on this project.
Simply put, this is a distributed platform that runs as a web service that provides the ability to automate the sharing and consumption of threat information in machine readable formats. As mentioned before, the platform supports the STIX and TAXII open specifications developed by MITRE, but it has been designed to support any message exchange services and message formats that partners decide to implement. This helps to accomplish multiple goals, but here are two highlights:
First, the platform will empower the industry by facilitating the sharing of threat information and enabling knowledge exchange scenarios that do not exist today. As a platform, customers and partners will have the flexibility to share and consume data with granular control.
Second, the platform has been designed to be extremely extensible, with a modular plugin architecture that will allow for an unlimited number of services to be built on top of and supported by it.
Figures 1 – 3 illustrate some of the sharing scenarios enabled by the platform:
Figure 1: Publisher / Subscriber
Figure 2: Peer to Peer
Figure 3: Hub and Spoke
We have designed this platform to integrate into existing environments acting as an interchange point between both external and internal services and data formats. The platform enables real-time information sharing, and because the data is machine-readable, organizations can choose to automatically push the data into their network protection systems.
I mentioned a limited beta with qualified customers and partners and wanted to list some of the criteria for participation. In addition to being able to sign required agreements and having a dedicated incident response team, participants in the initial beta will be required to provide a feed of threat data into the system. The beta will operate in phases with each lasting approximately 3 months. We expect to conduct three to four phases, expanding to more participants as we progress.
Many customers have already contacted us concerning participation and we will be following up with all of you very soon. For those enterprise customers who are interested in finding out more, the best path is to talk to your Microsoft Technical Account Manager (TAM). Other incident responders can send a note to [email protected].
Keep an eye on this blog for future updates and announcements. We expect this work to go on for several months and are looking forward to input from participants to help shape the future of automated knowledge exchange.
Regards,
Jerry Bryant
Senior Security Strategist Lead
Microsoft Trustworthy Computing
Hi everyone,
Some of you may recall the launch of the Microsoft Active Protections Program (MAPP) back in 2008, when we began giving antivirus vendors security bulletin information early, so that they could develop and test signatures for vulnerabilities and be ready to release them when our bulletins were published. MAPP was our answer to a common phrase used back then: “Update Tuesday, exploit Wednesday.” This was a time when exploit writers had developed full automation for reverse engineering our security updates and building exploits. Security vendors received information at the same time as everyone else and had to then develop and test signatures before applying the updates. MAPP gave the security vendors, the “good guys,” a head start against the “bad guys.” In the years since its inception, MAPP has been successful in allowing these vendors to release protections when we release the updates so that our customers have the time they need to test and deploy them.
Along the way, MAPP has also become a key part of our incident response process when we find new exploits in the wild. During these incidents, we are able to help MAPP partners quickly build protections for our common customers by providing them with detailed detection guidance. In most cases, this allows for a significant level of protection for customers while we are working to address the issue with a permanent fix.
Since the program launched, there has been little external change to how it operates. Internally, we have made slight adjustments to how the program is managed but by and large, it is the same program it was in 2008 and the same program our partners still say is essential to their operations. For example:
“The MAPP program helps Trend Micro in strengthening further its defenses against cyber criminals. This timely information sharing works great in providing our customers the best and accurate protection with least false positives,” said Raimund Genes, CTO, Trend Micro.
“The data from MAPP has proven to be a valuable source of information ahead of the curve allowing us to better deliver faster protection against 0-day vulnerabilities to our customers.” -- Peter Szabo, Senior Threat Researcher, SophosLabs Canada
“MAPP provides us with advanced notification of vulnerabilities, as well as actionable information that allows us to even more quickly build protection for our customers. This saves us significant cycles, and MAPP’s valuable information sharing fully supports our threat-centric approach to cybersecurity.” - Matt Watchinski, Vice President of Vulnerability Research, Sourcefire
Even with this level of success, we are always evaluating our programs. Today, we are introducing a few changes based on the changing threat landscape and feedback from our partners.
MAPP for Security Vendors
First, in order to have a clear definition of the existing MAPP program and be able to convey how the new programs differ, we are now calling what the world today knows as MAPP, “MAPP for Security Vendors.” Here is an outline of how the traditional MAPP program will look going forward:
The MSRC has a history of gathering and acting on feedback from our customers and partners. For example, the Software Update Validation Program (SUVP) allows qualified enterprises to test our security updates in a non-production environment and give us feedback on those updates before we release them. This partnership with our customers extends our internal testing to include many of the custom applications enterprises run in their networks.
In much the same way, we are implementing MAPP Validate as part of MAPP for Security Vendors, which will allow qualified security vendors to give feedback on our detection guidance before distributing it to the broader MAPP community. This is a community-based initiative that will help to streamline the development and use of detection guidance in order to facilitate faster and higher quality protections for customers.
Next, our partners say they are getting clear business value from the one-day head start we give them to develop protections. But sometimes, building, testing, and deploying quality signatures takes additional time. So, on top of streamlining and improving the quality of detection guidance, we are expanding the signature development window from one to three business days for MAPP partners who meet certain stringent criteria. For example, partners must have at least a two-year track record of completing the reporting requirements of the program and a demonstrated willingness to partner back with us as they find new issues in the wild that we need to respond to quickly. Entry-level MAPP partners will still only receive information one day early. As always, we take customer security very seriously. Any partner found to have leaked information, either inadvertently or knowingly, is subject to removal from all parts of the program or, depending on the outcome of an investigation, subject to entry-level status only.
MAPP for Responders
Across the industry, it is recognized that targeted attacks are one of the primary threats to enterprises, governments and other entities. Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks. Through this new program, MAPP for Responders, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Microsoft intends to contribute to this effort by sharing threat indicators such as malicious URLs, file hashes, incident data and relevant detection guidance. Employing a “give to get” model, the community will benefit when data they provide is enriched by aggregating it with data from others.
How is MAPP for Responders different from MAPP for Security Vendors? At a high level, the former targets detection and remediation while the latter is all about developing protections. The information we plan to share with response partners is focused more on threat intelligence than specifically on vulnerabilities. Where these two programs come together is around incident response. Arming more defenders against targeted attacks is a key part of our overall strategy.
Effective knowledge exchange requires automation and a common format. To accomplish this, we plan to support Mitre’s STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications. As open specifications for the formatting and transport of information, STIX and TAXII are starting to see broad adoption. Regardless of format, we want to serve customers by facilitating the flow of threat intelligence to organizations who can capitalize on it. As such, we will also seek to build transforms for other commonly used formats. This effort is currently in development and we intend to launch a pilot in the near future.
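What a common machine-readable indicator format buys a responder is shown by the following added example, which is not Microsoft's or MITRE's code. It builds a small bundle in STIX 2.1 JSON form (a later revision than the STIX the post refers to; that form is an assumption here) carrying the two indicator kinds the post names, a malicious URL and a file hash, and matches them against constructed observations from a hypothetical incident. Every id, URL and hash is a constructed placeholder, and only a small subset of the STIX patterning language (single-object `=` comparisons joined by `OR`) is handled; anything else is rejected rather than guessed at.

```python
"""Matching STIX-style indicators against incident observations.

Added example (not MSRC's code). The bundle below is in STIX 2.1 JSON form,
which postdates the post and is assumed here; every id, URL and hash is a
constructed placeholder. Only a subset of the STIX patterning language is
handled: one observation expression of '=' comparisons joined by OR.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# (object type, property path, expected value), e.g. ("file", ["hashes", "SHA-256"], "ab..")
Comparison = Tuple[str, List[str], str]

# Constructed hash used both in the feed and in one observation below.
DROPPER_SHA256 = "a" * 64

# Constructed STIX 2.1-style bundle: one URL indicator and one file-hash indicator.
BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "constructed-malicious-url",
            "pattern_type": "stix",
            "pattern": "[url:value = 'http://example.invalid/dropper']",
            "valid_from": "2013-07-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "constructed-dropper-sha256",
            "pattern_type": "stix",
            "pattern": f"[file:hashes.'SHA-256' = '{DROPPER_SHA256}']",
            "valid_from": "2013-07-01T00:00:00Z",
        },
    ],
})

# One comparison: type:path = 'value'; path segments may be quoted (hashes.'SHA-256').
_COMPARISON = re.compile(
    r"^(\w+):((?:\w+|'[^']+')(?:\.(?:\w+|'[^']+'))*)\s*=\s*'([^']*)'$"
)


def parse_pattern(pattern: str) -> List[Comparison]:
    """Parse "[a:b = 'x' OR c:d.'e' = 'y']" into comparisons.

    Anything outside the supported subset (AND, FOLLOWEDBY, MATCHES, ...)
    raises rather than being silently accepted, so a malformed feed entry
    can never degrade into a match-everything rule.
    """
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern!r}")
    comparisons: List[Comparison] = []
    for clause in body[1:-1].split(" OR "):
        m = _COMPARISON.match(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        obj_type, path, value = m.groups()
        parts = [seg.strip("'") for seg in re.findall(r"'[^']+'|\w+", path)]
        comparisons.append((obj_type, parts, value))
    return comparisons


def _lookup(obj: Dict[str, Any], parts: List[str]) -> Any:
    """Walk a nested dict by the property path; None when any step is missing."""
    cur: Any = obj
    for key in parts:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def observation_matches(comparisons: List[Comparison], observation: Dict[str, Any]) -> bool:
    """True when any OR'd comparison holds for this observed object."""
    return any(
        observation.get("type") == obj_type and _lookup(observation, parts) == value
        for obj_type, parts, value in comparisons
    )


def match_observations(bundle_json: str, observations: List[Dict[str, Any]]) -> Dict[str, List[int]]:
    """Map each indicator name to the indices of the observations it matches."""
    hits: Dict[str, List[int]] = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        comparisons = parse_pattern(obj["pattern"])
        matched = [i for i, ob in enumerate(observations) if observation_matches(comparisons, ob)]
        if matched:
            hits[obj["name"]] = matched
    return hits


# Constructed observations, as a responder might extract them from an incident.
OBSERVATIONS = [
    {"type": "url", "value": "http://example.invalid/dropper"},
    {"type": "url", "value": "http://example.invalid/benign"},
    {"type": "file", "name": "update.exe", "hashes": {"SHA-256": DROPPER_SHA256}},
    {"type": "file", "name": "notes.txt", "hashes": {"SHA-256": "b" * 64}},
]

if __name__ == "__main__":
    print(match_observations(BUNDLE, OBSERVATIONS))
```

The design point is that the feed entry, not hand-written parsing code, carries the matching rule, which is what lets many parties consume one exchange automatically; the deliberate rejection of unsupported pattern syntax is the safeguard that keeps an odd entry from silently matching nothing or everything.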
MAPP Scanner
The MSRC employs some of the brightest engineers in the industry, the sort who build tools such as !exploitable, OffVis, and EMET. MAPP Scanner, currently in a closed pilot program, is a content-based vulnerability scanner developed by our security engineers to aid in investigating incidents. We are introducing MAPP Scanner as a cloud-based service that can be used to scan Office documents, PDF files, Flash movies, and suspect URLs, to determine if they are attempting to exploit a vulnerability.
MAPP Scanner performs both static and active analysis to determine if files are attempting to exploit a vulnerability. It spins up virtual machines for every supported version of Windows and opens content in supported versions of the appropriate application. MAPP Scanner can help find a known vulnerability and return the CVEs and affected platforms for that issue, while also flagging suspicious activity not associated with a known vulnerability for deeper analysis. As a result, MAPP Scanner is extremely effective in identifying previously unknown vulnerabilities while at the same time dramatically improving the ability and efficiency of responders investigating an incident.
Making this technology available to partners who are likely to be subjected to targeted attacks and those who work with them to investigate and remediate security incidents increases the likelihood of new attacks and attack vectors being discovered. It also aids in the efficiency of investigations which speeds up the process of identifying and deploying the appropriate protections.
Going Forward
As with Microsoft’s other security initiatives, such as the BlueHat Prize and our new bounty programs, the mission for MAPP is simple: mitigate entire classes of attack and protect customers. We have a long history of working across many different communities to drive this mission and will continue to do so. We also have a lot of other initiatives we are working on so going forward, you can expect to hear more announcements from us impacting this space.
Jerry Bryant
Senior Security Strategist
Microsoft Trustworthy Computing
With about one week to go before we all gather at Black Hat in Las Vegas, we’re getting inquiries about precisely how the promised Live Mitigation Bypass Bounty judging at Black Hat will work. For most of the world, it works best when you get a good spot at the Microsoft booth (#301) around noon each day, so you can clearly see the excitement as some of security’s best and brightest look to pop built-in Windows 8.1 preview mitigations in truly novel ways. Will one or more talented folk qualify for the $100,000 bounty on new exploitation techniques? We’re as eager to find out as you are.
Perhaps you intend to be the first person EVER to qualify for the largest ongoing bounty for new attack techniques offered by any company so far. In that case, allow us to tell you more about the machine you’re looking to win. (In addition to $100,000, we’ll give anyone able to demonstrate a truly novel mitigation bypass the very computer on which they’ve demonstrated it.) The specifications for the machines at the booth on Wednesday and Thursday are as follows:
The Specs
The machine: Lenovo ThinkPad X1 Carbon Touch
The host OS: Windows 8 (x64)
The guest OS: Windows 8.1 Preview (x64) - Using default settings - Using local account
Guest RAM: 4GB
Guest processors: 4
Guest networked via dedicated Network Interface Card
The Live Bounty Experience
If you’re planning to try your hand at getting $100,000 from Microsoft, show up at the booth a little before lunchtime on the day of your choosing. We recommend coming by 12:30 PM, since the lunch hour starts at 12:45 PM.
Bring your exploit (with source code) and a copy (electronic or print, as you prefer) of the white paper detailing the new exploit technique, as described in the guidelines. We’ll walk you through some basic qualifying questions listed in the guidelines -- things like making sure you don’t live in a country that is subject to US trade embargoes, and that you don’t work for Microsoft (or live with or are a close family member of someone who works here). As long as you’re over the ripe old age of 14 and have met all compliance requirements outlined in the guidelines, we’ll let you have a go at the $100,000 bounty. Minors should bring a parent or legal guardian to sign all the paperwork and accept the money on their behalf.
Two of our judges will be on hand as you demonstrate your bypass technique to the cheering throngs. If you’re successful at the live demo portion of the event, you and the judges will be whisked away to de-brief in the private Judging Suite upstairs, where they’ll examine your work more closely and ask any relevant questions while you enjoy a well-earned break from the chaos. (It is possible we’ll be tweeting with excitement at this point, just because.) They will review your whitepaper as well in the suite, and the final qualification will come AFTER the judges have a chance to discuss the bypass privately with you.
Once the bypass and your eligibility are fully confirmed, we’ll tweet out confirmation (from @k8em0 and @msftsecresponse) to a breathlessly waiting world. The press will be eager to meet you, and our customers will be grateful that you decided to use your intellect for the greater good of helping to protect over a billion computers worldwide.
As far as qualifying for the BlueHat Bonus for Defense (up to an extra $50,000 for a defensive idea to go with your new exploitation technique), we’d gladly accept the whitepaper from you that describes that idea. We won’t be doing live qualifications for that portion in Vegas, however, since we’d need to judge those submissions against a range of factors such as application compatibility, among others, in order to determine a bounty there. If we do get a qualifying defensive submission as part of your entry – we’ll notify you of the good news via secure [at] Microsoft [dot] com as soon as we can.
Happy hunting --
Katie Moussouris
Senior Security Strategist, MSRC
http://twitter.com/k8em0 (that’s a zero)
We’re three weeks into our new world of bounties for Microsoft products now, and as the clock ticks down on one program, we’re prepping for some live excitement with one of the others.
First, the Internet Explorer 11 Preview Bounty is entering its final 10 days; the bounty period for that program closes on the 26th of July. We’ll gladly accept submissions of vulnerabilities found after that, but the bug bounty for individual IE vulnerabilities will be over. The two platform-wide bounty programs will continue to be available and ready to pay out up to $100,000 for a truly novel exploitation technique, and up to a $50,000 bonus for defense.
So far, we’ve received many submissions and were able to notify the first bounty recipient last week. We have several more that have qualified for bounties and we're excited to see so many great submissions. Other finders are in the process of being notified via secure [at] microsoft [dot] com. After the close of the bounty period, we’ll post an acknowledgement page saluting all those finders who wish to be publicly identified. Meanwhile, our triage team is bracing for a last rush of vulnerability submissions as we approach the final days of the IE-specific bounty program; we’re keeping them fed and hydrated as best we can.
For those of you interested in examples of what the judges are looking for when it comes to awarding the bounties, here they are, from the judges themselves. To qualify for the highest bounties, we look at the severity of the issue, as well as the overall quality of the submission to determine the bounty amount.
Memory Corruption: Most memory corruption vulnerabilities that are found in Internet Explorer have the potential to enable remote code execution and therefore are likely to qualify for the $1,100 bounty. For example, the memory corruption vulnerabilities that were addressed in MS13-055 represent the types of vulnerabilities that would qualify (e.g. CVE-2013-3115).
To qualify for the $11,000 bounty, we must receive a submission that proves that a vulnerability is exploitable for remote code execution. This means the submission must include a functioning exploit that is able to bypass all relevant mitigations and run arbitrary code (such as executing calc.exe). In addition, the submission must include a whitepaper that describes the root cause of the vulnerability. If the technique used to exploit the vulnerability is truly novel, then we would award the $100,000 Mitigation Bypass Bounty in addition to the $11,000 IE 11 Preview Bug Bounty.
Design Issues: We’ve been receiving a lot of submissions that, while extremely clever in their own right, do not meet the bar as an “Important or higher severity design-level vulnerability.” In order to qualify for a design-level bounty, an issue will need to match up to what we’ve historically ranked at these levels. Execution of arbitrary code qualifies, of course, but in the design-level space these issues aren’t as common.
More common are the Important-severity information disclosure bugs we tend to call “Cross Domain,” or in modern industry parlance, “Universal XSS” or “Same Origin Policy Bypass” bugs. These are issues where a malicious page can, generally without caveat, reach out into a different security context and grab information it should not have access to. A good example would be CVE-2008-2947, fixed in MS08-058.
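The "different security context" in that description is the browser's origin boundary. The following added example (not Microsoft's or Internet Explorer's code) encodes the same-origin comparison browsers apply before one document may read another's content: scheme, host and effective port must all agree, default ports count as equal to explicit ones, and schemes without a network host get an opaque origin that never equals anything. The read attempts it evaluates are constructed; a cross-domain bug of the kind the post describes is one where a page obtains data across a boundary this check reports as closed.

```python
"""Same-origin comparison (added example, not Microsoft's or IE's code).

Browsers compare an origin tuple (scheme, host, port) before letting one
document read another's content. Schemes without a network host (data:,
about:, javascript:) get an opaque origin that never equals anything,
including itself.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]

# Ports implied when a URL omits one; only these schemes carry tuple origins here.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}


def origin_of(url: str) -> Optional[Origin]:
    """Return (scheme, host, port) for network URLs, or None for opaque origins."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    host = (parts.hostname or "").lower()  # hostname drops userinfo and IPv6 brackets
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True only when both URLs have equal, non-opaque origins."""
    oa, ob = origin_of(a), origin_of(b)
    return oa is not None and oa == ob


# Constructed read attempts: (reading page, target document). Path, query and
# userinfo never matter; scheme, host and effective port always do.
ATTEMPTS = [
    ("http://example.invalid/page", "http://example.invalid:80/private"),
    ("http://example.invalid/page", "https://example.invalid/private"),
    ("http://example.invalid/page", "http://sub.example.invalid/private"),
    ("http://user:pw@EXAMPLE.invalid/page", "http://example.invalid/private"),
    ("http://example.invalid:8080/page", "http://example.invalid/private"),
    ("data:text/html,x", "data:text/html,x"),
]


def reads_permitted(attempts: List[Tuple[str, str]] = ATTEMPTS) -> List[bool]:
    """Evaluate each (page, target) pair under the same-origin rule."""
    return [same_origin(src, dst) for src, dst in attempts]


if __name__ == "__main__":
    for (src, dst), ok in zip(ATTEMPTS, reads_permitted()):
        print(f"{'allow' if ok else 'deny '}  {src}  ->  {dst}")
```

Only the first and fourth attempts are same-origin; a scheme change, a subdomain, or a non-default port each produce a distinct origin, and the data: pair is denied even though the two strings are identical.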
Of course, one place to seek some of the best and brightest security researchers at the end of July is in Las Vegas, at Black Hat – and what better place for the spectacle of live pwnage? That’s why on 31 July and 1 August, at around noon each day, we’ll be judging live mitigation bypass attempts at the Microsoft booth. Even if you don’t have a new exploitation technique to try out yourself, stop by for what I call the “exploit art walk” – because those who have the skills to bypass the latest platform defenses are true artists, and a rare breed.
If you think you’ve got what it takes, show up at the booth – we’ll have the guidelines posted, or you can read them at that link – or reach out to me via Twitter to let us know your plans.
What happens in Vegas could earn you $100,000. See you there.
When Microsoft decided to offer not one but three new bounties, paying outside researchers directly for security research on some of our latest products, we put a lot of thought into developing those bounty programs. We developed a customized set of programs designed to create a win-win between the security researcher community and Microsoft’s customers, by focusing on key data about what researchers were doing with vulnerabilities they found in our products. We monitored trends, and made the decision to jump into the vulnerability and exploit market in a specific, deliberate way.
I’d like to share some highlights of the programs thus far. I’ll also expand on our strategic goals (and non-goals) for the programs, as they relate to the vulnerability and exploit marketplace.
So Far, Sooooo Good! The Data Supports Our Hypothesis
The security community has responded enthusiastically to our new bounty programs, submitting over a dozen issues for us to investigate in just the first two weeks since the programs opened. I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)
We have other researchers who have qualified for bounties under the IE11 program as well, and their notifications will be coming from secure [at] Microsoft [dot] com this week and beyond. We plan to add an acknowledgement page on our bounty web site, listing the researchers who would like to be publicly recognized for their contributions to helping us make our products more secure, so look for that page to appear linked from www.microsoft.com/bountyprograms in the near future.
Some key results we can share thus far, based on the data we have just two weeks into the new bounty programs:
Mind the Gap – It’s Not about Being the Highest Bidder
Vulnerabilities and exploits affecting many vendors’ products have been trafficked for years in the white, grey, and black markets. For us, the distinction in the markets hinges on the intended use of the vulnerability or exploit that is purchased. There is also a price difference, generally speaking, with significantly higher prices often paid on the black market.
Our goal was not to directly compete with the black (or even grey) market. Rather, our goal was to attract those researchers who are currently willing to sell in the white market, and get them to come forward directly to us a lot earlier.
To us, the “white market” means that the buyers typically purchase the information for defensive use. The buyers in this category are typically either the affected vendor itself (via bounty programs), or a white-market vulnerability broker who uses the information for their protection services or threat reports.
Three years ago we examined data concerning what those researchers who like to get vulnerabilities fixed were doing when they found vulnerabilities in Microsoft products. Back then, most of them were still choosing to come directly to us, even though white market brokers were already offering cash. That trend has changed over the past couple of years: more vulnerabilities are being held back by the researchers waiting for the various markets to start paying, typically after our code is released to manufacturing (RTM).
Note that the data may be very different for other vendors’ products. Each vendor should do their own analysis on their vulns and how they are traded in the various existing markets to determine for themselves if a bounty program is right for their products and their customers.
The following graphic shows the gap in the existing vulnerability and exploit market that our new bounty programs are filling. Note that our deepest security investments are still in the pre-release stages, with the Security Development Lifecycle (SDL) helping to reduce or eliminate security issues before code is released even for preview. (You can’t pen-test or bounty your way to security, so having a robust Security Development Lifecycle is the key to long term improvements in the overall security of any vendor’s products.)
It’s not about offering the most money, but rather about putting attractive bounties out at times where there are few buyers (if any). For our products, that tends to be during the preview (or beta) period.
Trying to be the highest bidder is a checkers move, and we’re playing chess. Stay tuned for more announcements coming soon regarding other moves we’re making in the realm of industry collaboration to help protect customers. In the meantime, we’re looking forward to more high-quality submissions to our bounty programs, and we’ll share more data on how the programs are working out as we go.
Hope to see you in Las Vegas at Black Hat in just a few weeks, where we will be doing LIVE judging of Mitigation Bypass Bounty submissions at our booth on July 31 and August 1, noonish.
Two weeks ago, Microsoft made an important evolutionary step in our work with the security community when we announced our first-ever bounty programs for security issues. One week ago, the Windows 8.1 Preview and Internet Explorer 11 Preview became available for download, and the doors officially opened for bounty-eligible submissions to secure [at] Microsoft [dot] com.
What a great week this has been!! We wanted to share how it’s going, provide some important reminders regarding eligibility of entries, and flag some key dates coming up.
One last note on how our programs are working so far: Some entries are coming from familiar researchers, and some are coming from researchers who had historically only reported issues via white market vulnerability brokers, after our beta period was over. This means that our strategy to attract researchers to report issues directly to us earlier in the release cycle is working already, just one week into the new programs! Everyone wins – the researchers, our engineers, and especially our customers.
I’m excited by the positive response and participation in Microsoft’s first bounty programs. Keep the submissions coming, and hope to see some of the lions of the security industry come out for Black Hat to show their skills, live at our booth. You know who you are. ;-)
Katie Moussouris
Microsoft Security Response Center
http://twitter.com/k8em0 (that’s a zero)
As we announced last week, Microsoft is now offering $100,000 bounties for new exploitation techniques that can bypass our latest platform-wide defenses and up to $50,000 bonus bounties for defense ideas. We’re also offering (from now until July 26) bounties of up to $11,000 for critical security issues in Internet Explorer 11 Preview. Please see our main site for an overview of the three new bounty programs and our official guidelines. And don’t miss the SRD blog for a technical deep dive on what would make a good entry.
A few things to keep in mind when submitting entries to the new bounty programs:
Good hunting everyone – in the spirit of helping us make our products more secure!
Katie Moussouris
Senior Security Strategist, Microsoft Security Response Center
on Twitter, http://twitter.com/k8em0 (that’s a zero).
Our Philosophy
At the heart of our community outreach programs, we’ve always had the same philosophy: help increase the win-win between Microsoft’s customers and the security research community. We have evolved and deepened our relationships with this community since the earliest days of Microsoft’s outreach. In the early 2000s, Microsoft had to go through what I call “the five stages of vulnerability response grief.” This is a process that all vendors must invariably go through in order to reach the “Acceptance Stage,” which includes working in a collaborative way with security researchers and good old-fashioned hackers. We may not always have 100% philosophical alignment, but we always want to keep a dialog open with the research community to further the common goal of protecting customers.
This philosophy is reflected in a new strategy designed to increase protections through outreach in the security community. The new programs we are announcing today are critical components in delivering this strategy. Other programs focused on detection and protection will follow soon.
Today’s new programs continue our focus of direct investments in the research community, calling upon the clever hackers of the world to work with us on strengthening our platform-wide defenses.
Our New Bounty Programs
Today is an inflection point for Microsoft, as well as the security industry. For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques. We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft’s customers and the security researcher community.
Full details for the new bounty programs and a fantastic technical deep-dive by our esteemed panel of judges (headed by Matt Miller and David Ross) can be found on SRD's blog.
In short, we are offering cash payouts for the following programs:
The Mitigation Bypass Bounty and the BlueHat Bonus for defense are designed to operate together and to focus on our latest version of the Windows platform. Our platform-wide mitigations (DEP, ASLR, and so forth) are part of “the shield” that increases costs to attackers by making it difficult to reliably exploit individual vulnerabilities. Annual exploit competitions, like pwn2own, have been one way that Microsoft and other vendors have learned about these new techniques. We decided that we didn’t want to wait for the next competition to learn about more of these new exploitation techniques – we want to know about them before they are used to target our customers. For Microsoft, learning about mitigation bypasses on our latest platform, or “holes in the shield,” helps us better protect against entire classes of attacks and can help us move the state of security in our products by leaps, rather than by small increments that a traditional bug bounty alone would.
Why is the IE 11 Preview bug bounty only open for 30 days? Because we felt we could fill a gap in the vulnerability marketplace to the benefit of researchers, Microsoft engineers and our customers. While we work closely with white market vulnerability brokers like HP’s Tipping Point Zero Day Initiative and iDEFENSE’s Vulnerability Contributor Program, many of these organizations don’t offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing. Learning about these vulnerabilities earlier is always better for us and for our customers.
The IE 11 Preview Bug Bounty is a way for Microsoft to provide incentives for the researcher community to come forward with their vulnerability reports directly and privately to us. The timing for our IE 11 Preview Bug Bounty allows for the vulnerability reports to arrive before the software is widely deployed by customers.
Together, the new bounty programs are designed to work collectively to encourage the security research community to report vulnerabilities in the latest browser and exploitation techniques across the latest platform to Microsoft as early as possible.
Our Future
While we’re not the first vendors to enter the exploit and vulnerability market, we do expect that the landscape for our products and customers will shift as the ecosystem adjusts to this new approach. We’ll be running these new bounty programs, learning and adjusting, much like other vendors who have waded in to the vulnerability marketplace before us. We’ll announce the evolution of these programs as we develop them further and will share some of the highlights as we go.
From Microsoft’s early days of outreach, when we threw Black Hat’s first big researcher appreciation party; to inviting hackers to Redmond for the first BlueHat conference in 2005; to hiring security researchers to pen test our products before release; to sponsoring or attending over 30 hacker conferences a year worldwide; to awarding more than $260,000 USD in cash and prizes to the three BlueHat Prize winners for defensive mitigation ideas, we have been investing in the research community in many ways. These new programs are an evolution of that investment.
One last note: It may not have escaped your notice that paying directly for vulnerability and exploit information is not the only way to work with an ecosystem to discover these kinds of issues. Stay tuned for more updates from our team in the coming weeks, especially in the realm of industry collaboration. With the strategic bounty programs announced today and the industry collaboration program enhancements to come, Microsoft will simultaneously encourage those who want to work with us while increasing costs for those whose actions cannot be affected by bounties or other incentive programs.
Our Thanks & gr33tz
Those who have worked on these programs know that it takes a village to raise a bounty, especially when it involves creating a new approach that is a true strategic shift. It’s not something any one person can do alone and requires investment and thinking from many people. It’s impossible to include everyone involved, but these are the folks I could grab for a photo, plus a couple photobombs from friends. Thanks for your help, past, present, and future. Together, we are miners for hearts of Blue Gold.
L-R: David Seidman, Gerardo di Giacomo, Mark Oram (via avatar), Mike Reavey, Dustin Childs, Leah Lease, Rob Chapman, Neil Sikka, Jacqueline Lodwig, Brandon Caldwell, Katie Moussouris, Nate Jones, Sweety Chauhan, Emily Anderson, Claudette Hatcher, Cynthia Sandwick, Stephen Finnegan, Manuel Caballero, Ben Richeson, Elias Bachaalany, David Ross, Cristian Craioveanu, Ken Johnson, Mario Heiderich, Jonathan Ness. Not pictured: Christine Aguirre, Danielle Alyias, Michal Chmielewski, Chengyun Chu, Jules Cohen, Bruce Dang, Jessica Dash, Richard van Eeden, Michelle Gayral, Cristin Goodwin, Angela Gunn, Joe Gura, Dean Hachamovitch, Chris Hale, Kyle Henderson, Forbes Higman, Andrew Howard, Kostya Kortchinsky, Jane Liles, Matt Miller, William Peteroy, Georgeo Pulikkathara, Rob Roberts, Matt Thomlinson, David Wheeler, Chris Williams. Behind the camera: Jerry Bryant.
Katie Moussouris
Senior Security Strategist, MSRC
on Twitter, @k8em0 (that's a zero)
The global adoption of computing continues to draw attackers toward ever-richer targets. The latest data from the Microsoft Security Intelligence Report shows that although industry-wide vulnerability disclosures are down (and computer defenses are improved), exploit activity has actually increased in many parts of the world. See the Microsoft Security Intelligence Report (SIR) v14 for more details.
To counter this growing global threat, it is imperative that we grow the pool of talented cyber security professionals who can help our internet-dependent societies. Businesses, as well as governments, are looking to recruit talented individuals into their cyber security workforce, and we can’t find enough qualified individuals to solve some of our most pressing problems. Driven by continued internet adoption (doubling to 4 billion internet users by 2020), the number of cyber security jobs will steadily increase, and the demand for cybersecurity talent will continue to grow.
To help meet this need, Microsoft is proud to be a Platinum Plus sponsor of the Cyber Security Challenge UK. Cyber Security Challenge UK is a non-profit organization funded primarily through sponsorships with a specific goal of bringing new talent into the cyber security force. The program focuses on identifying & developing participants of all ages who are not yet cyber security professionals, having them compete for prizes ranging from internships at a sponsor company, full Masters-level college scholarships and paid memberships in professional organizations.
To learn more about the Cyber Security Challenge UK, please visit https://cybersecuritychallenge.org.uk.
Matt Thomlinson, General Manager, Trustworthy Computing Security
Microsoft Corporation
It has been nearly four months since we gathered in Redmond for BlueHat v12, and we’ve almost caught up on our sleep. As we prepare for what promises to be a momentous year for the BlueHat program – culminating in December with BlueHat v13 – we’ve selected nine of the most compelling, talked-about, or just plain chewy talks from last year’s festivities to share with you.
Fraud and Abuse: A Survey of Life on the Internet Today
Ellen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft
Kowalczyk kicked off BlueHat v12 in the morning with a look at two of the most difficult security issues facing our customers today. When you’re in the process of becoming the leading devices and services company, this is the sort of thing that’s on your mind every morning.
Social Authentication
Alex Rice, Product Security, Facebook
Over the past year, Facebook engineers have been working on various attempts to expand authentication from “something you know” to “someone you know.” Rice’s talk demonstrates some of the results and details the lessons his company has learned along the way.
Scriptless Attacks: Stealing the Pie Without Touching the Sill
Mario Heiderich, Dr.-Ing, Ruhr-University in Bochum, Germany
Removing JavaScript from the cross-site scripting equation doesn’t necessarily take away the XSS pain, as Dr. Heiderich demonstrates. Learn how attackers can use seemingly benign features to build side-channel attacks that can measure and exfiltrate data from even well-protected sites – and find out what can be done to stop it.
Sh*t My Cloud Evangelist Says… Just Not My CSO
Chris Hoff, Senior Director and Security Architect, Juniper Networks
In front of an audience evenly divided between developers and security folk, Chris Hoff laid out the differences in worldview between the two – yes, there are a few – and how those translate into the world of cloud computing. More secure? Less secure? Let the debate begin…
Don't Stand So Close to Me: An Analysis of the NFC Attack Surface
Charlie Miller, Systems Software Engineer, Twitter
Near-field communication (NFC) technology is growing in popularity, with mobile devices leading the communications charge. But when you tap your phone to an NFC-enabled terminal to make a credit-card payment, how do you know you haven’t been owned – or worse? Miller looks at how NFC technology expands the potential attack surface for mobile devices.
Building Trustworthy Windows Store Apps
David Ross, Principal Software Security Engineer, Microsoft, and Crispin Cowan, Senior Program Manager, Windows Security, Microsoft
The Windows Store environment is designed to protect consumers’ machines and data from individual apps, but that puts serious responsibility on developers to use secure coding practices. Ross and Cowan look at what that means and how developers can approach the challenge without tears.
Why UEFI?
Matthew Garrett, Senior Software Engineer, Nebula
The Unified Extensible Firmware Interface (UEFI) brings far greater security to the firmware environment, letting developers build security policies that extend all the way into the most basic layers of shipped code. But do we lose platform differentiation in the process? Garrett details why that’s not necessarily the case.
Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation
Patrick Jungles, Security Program Manager, Microsoft
Credential theft and re-use attacks have gained in popularity in recent years, and there’s nothing tastier for some attackers than your delicious, delicious hashes. Jungles, the Microsoft PM who led the company-wide workgroup that researched and released our recent pass-the-hash whitepaper, presents an overview of the group’s findings.
Why Johnny Can't Patch: And What We Can Do About It
David Seidman, Senior Security Program Manager, Microsoft
Microsoft works hard to develop and release security bulletins as soon as we’re aware of a vulnerability that needs addressing. So how is it some users remain vulnerable to issues for which the cure has existed for months, if not years? Seidman dives deep into who doesn’t patch, why, and what might change their ways.
Enjoy! We’re looking forward to BlueHat v13 – Return to your “C:\>”(s). We suspect there will be a lot to talk about.
Emily Anderson
Security Program Manager, MSRC, Microsoft
BlueHat v12 here in Redmond is in full swing – it started yesterday for full-time Microsoft employees only, and continues today as we welcome our invited guests from beyond Microsoft. I’m excited to see and contribute to this year’s content as it unfolds on stage, and even more excited for all the side meetings that take place here in the hallways of the event. It makes sense for us to take a moment to recognize the people who have contributed to BlueHat over the years, as well as to look forward to where we are going in terms of security community outreach at Microsoft in the years to come.
The BlueHat conference itself was groundbreaking in 2005, when the first group of hackers were invited by Window Snyder and Andrew Cushman to speak directly to Microsoft developers and executives about the products in which they were able to find security vulnerabilities. Back then, no major vendors had formally hosted an internal security conference before, but doing events like BlueHat is now an accepted industry practice for many major vendors.
We as an industry owe Window and Andrew our thanks for blazing this path, and also many thanks to the people over the years who have developed the BlueHat conference to be what it is today. That list includes but is not limited to Kymberlee Price, Celene Temkin, Dana Hehl, Sarah Blankinship, Mike Reavey and, most recently, Emily Anderson. Part of what makes BlueHat special to the speakers and attendees are the personal touches and vision that each person on the list above contributed.
One of the elements that makes BlueHat such a vital part of our overall security community outreach at Microsoft is the “hallway track.” This is where the invited guests and the Microsoft folks can dive deeper into the topics that are being presented, or diverge into other topics entirely – sometimes with far-reaching effects on improving security by leaps and bounds. As the conference has evolved over the years, some of the people we invite are here to meet with Microsoft engineers and to learn from the content that is presented, such as the MAPP partners we invite. It is the exchange of ideas that can help improve our products, as well as the products of others who are in attendance, that continues to make BlueHat special.
Many other conversations that will take place in the hallways at BlueHat over this week and beyond will help shape security defense for another generation of the Microsoft computing ecosystem. The relationships being forged and reinforced among Microsoft product teams, security engineers, and the external security research community in these halls will likely bear fruit in terms of helping to improve security for existing and future products and services.
There is an old saying that can be paraphrased as “If we can see a little further out into the horizon, it is because we are standing on the shoulders of giants.” Even as we face some familiar and not-so-familiar security frontiers such as online service security, mobile computing device security, app store security, and the ever-present human factor being exploited via social engineering attacks, we as members of a holistic global computing ecosystem will continue to benefit from the multi-directional exchange of ideas that happens at BlueHat.
Our team continues to expand the ways and means by which we facilitate these pivotal conversations, standing on the shoulders of “blue giants” who have built the security community outreach programs like the BlueHat conference itself, and our worldwide security conference sponsorship program. As we evolve and grow, we add new programs to the overall outreach strategy to help us get better at security today and in the future. An example of a new program we added recently is the BlueHat Prize contest for security defense, for which this year we gave away over $260,000 in cash prizes for ideas in platform-level defense. As I said on stage at BlueHat Wednesday morning, Microsoft will continue to invest in security defense challenges -- and the next iteration of the BlueHat Prize contest will be announced around the time of the BlackHat USA conference next summer.
So to those who came before, thank you, and to those who will come after, enjoy the view. I, for one, can’t wait to see what’s just over the horizon, and it’s looking very blue.
Katie Moussouris
Senior Security Strategist, MSRC
http://twitter.com/k8em0
The days are getting shorter, the holidays are getting nearer, and looming on the horizon are a trio of 12’s – it’s almost time for the 12th BlueHat Conference, on tap for the twelfth month of 2012. We have a terrific lineup of speakers from both inside and outside the company; there’s nothing much we can do about the weather in Seattle in mid-December, but indoors we have compelling work to do on making the cloud, mobile devices, the Internet, and the rest of the computing ecosystem, safer for customers.
Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v12. For more detail, please check back here in the weeks between now and the conference.
Day 1: Thursday, December 13
We’ll open the conference’s first track, Anti-Fraud & Abuse, with author and Microsoft Technical Fellow Mark Russinovich. Mark will also be joining attendees for a lunchtime book-signing (have you read Trojan Horse yet?). He’ll be followed in the morning by Microsoft’s Ellen Cram Kowalczyk, speaking on fraud and abuse, and specifically looking at life on the Internet today. Facebook’s Alex Rice will give attendees a look into how the world’s biggest social-networking site handles attempts to abuse its users. After a short break, Christopher Hadnagy, author of “Social Engineering: The Art of Human Hacking,” joins us to discuss the role social engineering plays in successful (and unsuccessful) fraud attempts. Finally, Microsoft’s Alex Weinert will give us a look at his work at Microsoft on anti-fraud.
After lunch, the Cloud & Online Services track kicks off with Mario Heiderich, who’ll cover how, after sustained efforts to mitigate XSS and similar cross-site scripting attacks, an attack surface remains (and what can be done about that). He’s followed by Chris Hoff of Juniper Networks, speaking frankly about what cloud evangelists know…but won’t tell CSOs. We’ll have a break and rejoin the action with MSRC Engineering’s own Gavin Thomas, who looks at better security through Microsoft HPC Server and Windows Azure, followed by Tim Maletic and Chris Pogue of Trustwave discussing OPFOR. The afternoon wraps up with a call to action from Mark, followed by several lightning talks on subjects sure to surprise and delight.
Day 2: Friday, December 14
We’re giving you all a later start (9:45 AM), taking into consideration your socializing the night before. MSEC program manager and emcee Leigh Honeywell will open the second day of the conference at 9:45 AM with the Vices & Devices track. She’ll turn the floor over to Charlie Miller, who’s currently playing a major part in Twitter’s security push; he’ll talk about attack surfaces in the NFC (near-field communications) protocol stack. After a short break, Microsoft’s David Ross and Crispin Cowan dive into the world of Windows 8 applications. Matt Garrett of Red Hat joins us to answer “Why UEFI?” Lunch will feature an Online Services Security and Compliance (OSSC) Lunch n’ Learn, focusing on managing security risk to Microsoft's global online services.
Friday afternoon brings the conference’s final track, Hot Topics, with a combination of guests, current Microsoft employees, and alumni on tap. First, James Forshaw of Context Information Security discusses the allure for security researchers of managed languages. Next, Fermín Serna – once a Microsoft colleague, now at Google – speaks of current thinking on information-leak vulnerabilities. After a break, MSRC senior security program manager David Seidman explains why some users simply won’t, don’t, or can’t apply security updates – whatever the consequences. The afternoon will close with Mat Honan, Senior Writer for Wired, whom we think will put the conference’s conversations and revelations in perspective as he describes how all the issues we’ve discussed can touch the lives of the customers we aim to protect.
Thanks –
Emily Anderson
Security Program Manager, MSRC
Reflecting on my past five years at Microsoft (I know! How time flies!), I can see with fresh perspective just how far we’ve come, while staying true to our goals of helping to protect customers and the computing ecosystem. I just recently returned from maternity leave and launched right into conference season with a bang, speaking at several conferences where I had the opportunity to hang out with old and new friends in the security researcher community. As Microsoft completes its tenth year of working with the broader security community as part of our Trustworthy Computing tenet, it’s a good time to look at how the relationship has developed so far.
Our on-campus BlueHat Briefings started back in 2005. At the time we had two key goals: to expose our own developers and technical contacts to smart researchers both inside and outside our very large company, and to give researchers a conduit to the developers and tech folk who might not yet appreciate the value of thinking like an attacker. As you might guess, at the beginning there was suspicion and maybe even a little fear on both sides, as researchers came to Redmond, and executives and product teams came out of their comfort zones, to talk honestly about security. But it worked, and others follow the model with similar conferences of their own now. And even as we prepare for the twelfth edition of the Briefings, it’s still great watching a researcher explain an issue directly to the developers responsible for writing the code to fix it.
Since then, the BlueHat Briefings have evolved into part of a larger strategy to play well within the community and improve the broader computing ecosystem. In addition to the Briefings, we provide direct financial sponsorship and support for other industry events around the world – this year, 20 or so conferences across 12 countries. Some improvements in relations with individual researchers have been simple, like establishing our bulletin acknowledgement policy and Online Services Acknowledgements policy to recognize researchers who report issues directly to us. We recognize individual talent in other ways, offering contracts for penetration testing of products in development – in fact, many of the current pen-testing contracts in effect at Microsoft right now were born from researchers that have shown their talents by reporting issues to MSRC. Sometimes, we’re able to hire this talent to Microsoft as well; we have great talent from the researcher community working here, and we’re always looking for more. And we don’t stop finding ways to work meaningfully with the community. This past summer, we awarded $260,000 to researchers as a part of the first-ever BlueHat Prize. This prize offers financial rewards to researchers to develop security defenses that can take out entire classes of attacks.
In seven weeks we will gather together at our 12th BlueHat Briefings here in Redmond and have this opportunity for the bidirectional exchange of ideas among people who are passionate about security, both inside and outside of Microsoft. We have gone from listening and learning from the community to being a true part of it. As the landscape has changed, we’ve evolved our response and engagements and will continue to do so.
Where does this working relationship with this community -- and the future of security research -- go over the next 10 years? We’ll focus on building cool products that the researcher community will inevitably help us secure, in their own way – by reporting issues to us via Coordinated Vulnerability Disclosure, by coming to educate and “exploitain” our developers and executives at the BlueHat Briefings, and by working for Microsoft and becoming part of our internal security community to help us defend over a billion computer systems worldwide. We’re excited to imagine what the next decade will look like and how we’ll work together, and I’m just as curious today about what is next in the cobra-mongoose battle between attackers and defenders as I was when I joined this company over five years ago.
Stay tuned for the speaker line-up as we move closer to the event. I look forward to welcoming the next members of our elite group – our BlueHat community – as we evolve and grow together.
Katie Moussouris
Senior Security Strategist Lead, MSRC
As we wrap up the first BlueHat Prize contest, we wanted to share what we learned while running the first competition, from a major vendor, offering a large cash prize for defensive security research. Not only did we get to motivate the development of technical mitigation technology, but we also achieved some valuable non-technical goals as well.
We’ll announce the winners in this post, so scroll down if you can’t wait.
Bonus #1: We identified security defense talent that we may never have encountered otherwise, and helped the world get to know them too.
Some of the contestants were certainly well-known names in the security research community; some were people we had never heard of before. Running the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve.
Bonus #2: We aligned some of the top “offensive security” minds to work with us on defense – with excellent results.
I often say that some of the best defenders come from the “offense” side of the security equation. I believe that you truly have to understand how to break into systems in order to devise effective plans for how to defend those systems. One of the goals we set out to accomplish with this contest was to create both an incentive and an opportunity for fame and fortune in the area of security defensive research that never existed at this scale before. We are very happy that the security community responded positively to our challenge, and some great minds chose to participate.
With those positive bonus outcomes we will not wait any longer to announce the winners. For an in-depth technical analysis of the winning entries, with the contest judging criteria applied, please see Matt Miller’s blog post on the SRD blog.
Vasilis Pappas wins $200,000 for his idea, kBouncer – an efficient and fully transparent ROP mitigation technique.
Ivan Fratric wins $50,000 for his idea, ROPGuard – a system that can detect and prevent the currently used forms of return-oriented programming (ROP) attacks at runtime.
Jared DeMott wins an MSDN subscription, valued at $10,000, and was also surprised on stage live with a check for $10,000 cash for his idea, /ROP – a system that lowers the effect of address space disclosures and mitigates known ROP exploits.
So what is next for the BlueHat Prize?
Check the BlueHat Prize website in the next several weeks for an updated page that will include information on the other contest entries. These beautiful minds all deserve the thanks and attention of the security community, and we are excited to provide them with a venue to showcase their defensive security ideas.
One thing is certain – we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. To address the security threats of today and tomorrow, we as an industry need to appreciate both.
- Katie Moussouris
Senior Security Strategist, MSRC
As we inch closer to Black Hat in Vegas this year, we wanted to kick off the ten-day countdown to our first BlueHat Prize contest winners’ announcement with an invitation to those attending Black Hat. Microsoft is conducting a survey at our Black Hat booth to find out what the security community thinks are the most important industry-wide security issues that need answers. When you participate in the survey at our booth, we’ll enter you into our BlueHat Prize Question Sweepstakes for a chance to win $5,000 USD*!
We will give away $5,000 twice per day at random drawings at our booth on July 25 and July 26 – once around lunch and once at the end of each day – for a total of $20,000 USD in cash.
The official rules are found here, but here are some highlights:
• The only way to enter this contest is to visit the Microsoft booth in person at Black Hat and submit a question.
• Only one entry per person is allowed (we’ll scan your conference badge, so no funny business!).
• Valid entries in the sweepstakes must be a defense-oriented security question that could potentially be used in a future BlueHat Prize contest.
• The issue you submit should be industry-wide, e.g., “Design a defense technology or strategy to defend against social engineering.” or “What would be the best approach to defend against DDoS?”
While we may not use the specific defense-oriented questions gathered in this sweepstakes, the survey will help us shape a future BlueHat Prize contest with input from the broader security community. We know not everyone makes it to Black Hat, but we do think there is a decent sampling of various security industry representatives there, so as a survey it works as a decent sample set. If you’d like to let your thoughts be heard, even if you are not at Black Hat, feel free to join the conversation on Twitter with the hashtag #BlueHatPrize.
As for when we will announce what the next BlueHat Prize contest will be, stay tuned for that news on this blog after Black Hat. For those of you attending Black Hat in person this year, start thinking about what you believe is the biggest industry-wide security issue that needs a great defense. Microsoft may use your idea in our next BlueHat Prize contest, and you might win $5,000!
*No Purchase Necessary. Open only to registered event attendees 14+. Game ends 7/26/12. For additional details, see Official Rules posted on-site at the Microsoft booth.
When we announced the BlueHat Prize on August 3, 2011, we did something that no major vendor had ever done before – offer a large cash prize for defensive security research. While a few vendors and others were offering relatively small cash incentives for security researchers to find and report individual vulnerabilities, we decided that, as a platform provider, Microsoft would be most effective if it sought out new, platform-level, defensive technologies that could possibly help defend against entire classes of vulnerabilities. These defenses could help protect our own applications, and have the potential to protect third-party applications that run on our platform.
We received 20 entries to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community – some from academia, some recognized names in the hacker community, and some from other venues entirely. Interestingly, about half of the entries poured in during the last few days – and even the last few hours and minutes – of the contest entry period. Also of note, most of the top-rated entries were among those last-minute submissions, perhaps substantiating the old adage that brilliance emerges under the glaring pressure of a looming deadline. One thing we learned from this experience was not to set future contest deadlines for midnight on a Sunday!
Getting down to business, here are the names of the three finalists, in alphabetical order:
Jared DeMott
Ivan Fratric
Vasilis Pappas
We will award the prizes to the winners at a 10 p.m. ceremony at our researcher appreciation party on July 26, 2012. We have notified the finalists that they have made it to the finals. The finalists won't know who won which prize - the grand prize of $200,000 USD, the second prize of $50,000 USD, and the third prize of an MSDN subscription, valued at $10,000 USD – until we reveal it to them and the world live on July 26.
You can read a little about each of them and their proposed solutions on our BlueHat Prize contest site. After the contest is over, we’ll also be putting up the names and abstracts of the other contestants, so stay tuned for that update sometime after Black Hat.
For now, please join us as we congratulate all the contestants, and especially the three finalists. We appreciate their hard work, and are excited that we can help showcase their ideas that can help make advancements in platform-level security defense.
Handle: Cluster
IRL: Maarten Van Horenbeeck
Rank: Senior Program Manager
Likes: Slicing covert channels, foraging in remote memory pools, and setting off page faults
Dislikes: The crackling sound of crypto breaking, warm vodka martini
Maarten here - my team manages the Microsoft Active Protections Program (MAPP) at Microsoft. MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.
Recently we have seen a fair amount of discussion around the MAPP program. We know that many customers and partners have questions about how MAPP works and how it helps protect customers, therefore I wanted to take this opportunity to explain how we work to facilitate the creation of active protections.
Our goal with MAPP is to have a transparent, effective program in place. As such, we routinely evaluate MAPP partners to ensure they are adhering to program guidelines, taking action to correct any partner deviations from our program charter. We are also continually looking to strengthen our technical and legal controls to help protect our customers.
Why the MAPP program?
Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases. We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures.
Before the MAPP program, defenders were at a disadvantage because detecting exploits is difficult, especially if a security vendor does not have full information on the types of conditions that may trigger successful exploitation. A vendor could write a signature for every attack file they receive, but they would need to respond to every file individually, or spend significant amounts of time reverse-engineering our security updates themselves. By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe.
MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates. Microsoft thoroughly tests security updates prior to release, however, we do not have the ability to test with all Line of Business applications that corporations develop in-house.
Given the fact that some customers prefer to perform in-house testing, which may delay installation of the security update, we sought partners that our customers had already deployed, and that could help protect against exploitation of software vulnerabilities. We found those partners in the anti-malware and intrusion prevention industries.
How does the MAPP program work?
Microsoft operates the MAPP program, free of charge, for security vendors that meet our minimum requirements on both the capability they have to protect customers and the number of customers they represent. One can find detailed information on our admission criteria here. We carefully vet and validate these criteria prior to admitting a new partner.
Each month, our team of security engineers works diligently to create information for our partners that helps them detect the exploitation of security vulnerabilities in our products. This data includes, but is not always limited to:
We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners' ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.
Once we provide the information, our engineers remain available to discuss, in detail, steps security vendors can take to detect exploitation of a vulnerability.
Our team also follows up with the partner vendors to better understand which vulnerabilities attackers are exploiting in the wild, and where we need to improve guidance to account for specific exploitation methods. We regularly update guidance after the initial release to help increase the ability of partners to protect customers.
How the MAPP program helps protect customers
The MAPP program helps vendors build comprehensive detection for vulnerabilities that Microsoft acknowledges or addresses in a security bulletin. MAPP partners are not permitted to release their protection in advance of the security update release.
For example, in the case of an Office exploit, our detection guidance describes how to parse the Office file, which part of the file is involved, and which elements need to be malformed in order to trigger the vulnerability. Without MAPP data, vendors would, in many cases, need to “guess” which values could trigger a crash and which could not, which reduces the effectiveness of their signatures.
Detection technology developed using MAPP data tends to be more accurate and more comprehensive than detection built without access to the information. Each month after the bulletin release, Microsoft follows up with each vendor individually to track the use of MAPP guidance across the signature base of our partners. When we identify that certain guidance is difficult to implement for our partner base, we work with partners to understand how we can improve the program and enable them to detect these threats more effectively.
The vulnerability addressed in MS10-087, CVE-2010-3333, is a good example. This particular issue affected our Rich Text Format (RTF) parser in Microsoft Office. Given that we have had only a small sample of bulletins in this particular component, many vendors did not have an effective way of parsing the file type. We worked with our MAPP vendors to develop a tool that would quickly identify malicious files, and distributed it to our partners, despite previously addressing the issue in a security update.
Risks and limitations
We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDAs) with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program.
In addition, we make sure to only release data shortly in advance of the security update. Prior to MAPP, vendors released detection within hours to days following the release of a security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done, only now, the protection is usually available when we release the update.
But MAPP also has its limitations. For instance, MAPP does not protect against the exploitation of unknown, zero-day vulnerabilities. In order for MAPP to be effective, Microsoft must be aware of the vulnerability before it can distribute guidance to its MAPP partners.
Additionally, MAPP is only useful to the degree that a product can protect against exploitation of the vulnerability. Intrusion prevention vendors may not always be best positioned to detect exploits for Office vulnerabilities, because the files may be encoded in a number of different ways as they cross the network. In the same vein, host-based anti-malware products are often not best positioned to protect against network-based exploits, such as the recent RDP vulnerability.
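To make the two points above concrete (structural guidance beats guessed byte patterns, and a network sensor must undo transport encoding before it can parse an Office file at all), here is an added example that is not Microsoft's MAPP guidance, the partner tool mentioned earlier, or any vendor's signature. It uses a minimal RTF control-word parser; the control word `exampleprop` and its upper bound of 255 are hypothetical, standing in for whatever property and valid range real guidance would name, and all sample files are constructed.

```python
"""Structural detection of a malformed RTF property vs. a guessed byte-pattern signature.

Added illustration, not MAPP or Microsoft code. The checked control word and
its bound are hypothetical placeholders; the sample files are constructed.
"""
import base64
import binascii
import re

# Hypothetical: real guidance would name the actual property and its valid range.
CHECKED_CONTROL_WORD = "exampleprop"
MAX_PARAM = 255

# RTF control words are a backslash, lowercase letters, and an optional signed integer.
CONTROL_WORD_RE = re.compile(rb"\\([a-z]+)(-?\d+)?")


def is_rtf(data: bytes) -> bool:
    """RTF files start with the '{\\rtf' group; anything else is not parsed as RTF."""
    return data.lstrip().startswith(b"{\\rtf")


def parse_control_words(data: bytes):
    """Yield (word, numeric parameter or None) for every control word in the file."""
    for m in CONTROL_WORD_RE.finditer(data):
        word = m.group(1).decode("ascii")
        param = int(m.group(2)) if m.group(2) else None
        yield word, param


def structural_verdict(data: bytes) -> str:
    """Parse the file and flag only the element that must be malformed.

    Any out-of-range value is caught, not just the one seen in a sample.
    """
    if not is_rtf(data):
        return "not-rtf"
    for word, param in parse_control_words(data):
        if word == CHECKED_CONTROL_WORD and param is not None and param > MAX_PARAM:
            return "malformed"
    return "clean"


def naive_pattern_verdict(data: bytes) -> str:
    """A byte pattern 'guessed' from a single sample; brittle by construction."""
    return "malformed" if b"\\exampleprop99999" in data else "clean"


def decode_transport(blob: bytes) -> bytes:
    """Undo one layer of MIME base64 if present.

    A network sensor sees the encoded form; it must decode before the
    structural check is meaningful. Non-base64 input is returned unchanged.
    """
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return blob
    return decoded if is_rtf(decoded) else blob


# Constructed samples (not real malware).
CLEAN = b"{\\rtf1\\ansi{\\exampleprop12 hello}}"
MALFORMED_SEEN = b"{\\rtf1\\ansi{\\exampleprop99999 x}}"     # the value the pattern was written for
MALFORMED_VARIANT = b"{\\rtf1\\ansi{\\exampleprop65536 x}}"  # same defect, different value
ENCODED_ON_WIRE = base64.b64encode(MALFORMED_SEEN)           # as an e-mail attachment would look


if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("seen", MALFORMED_SEEN),
                         ("variant", MALFORMED_VARIANT)]:
        print(f"{name:8} structural={structural_verdict(sample):9} "
              f"pattern={naive_pattern_verdict(sample)}")
    print("on-wire  raw structural:", structural_verdict(ENCODED_ON_WIRE),
          "| decoded structural:", structural_verdict(decode_transport(ENCODED_ON_WIRE)))
```

The pattern signature catches only the exact value it was written against and sees nothing in the base64 form; the structural check, given the property and its bound, catches every variant once the transport layer has been stripped, which is the gap between host-based and network-based products the paragraph above describes.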
We recommend our customers work closely with their protection vendors to understand the abilities and limitations of each individual product.
The Value of MAPP
We believe that helping to strengthen community-based defense is key to protecting customers. The MAPP program provides a critical head-start to defenders, while working to minimize risk.
Microsoft is committed to helping customers by providing protection vendors across a wide variety of security industries with valuable protection information. The MAPP program is an important part of this strategy. While risk can never be completely eliminated, we believe the benefits of the program to our customers far outweigh the risks.
Cheers!
Maarten Van Horenbeeck
Senior Program Manager, Microsoft Security Response Center
The entries are in! After a last-minute wave of fresh entries to the first-ever BlueHat Prize, the final count for this year’s contest stands at twenty qualified proposals. The final entry reached our inboxes at 11:51pm on April 1. (Unfortunately, a contest entry that arrived 17 minutes later – at eight minutes after 11:59pm on April 2 – had to be disqualified out of fairness to the others, and to keep our competition in compliance with Washington State’s rules for such events.)
And now? Now begins the hard and exciting part – evaluating the received entries. The BlueHat Prize Board now starts the judging process, examining, testing and discussing each entry. We expect some lively arguments and look forward to introducing the competition winners to the world at Black Hat in July. In the meantime, we truly thank everyone who delivered a contest entry, as well as everyone who spent time thoughtfully considering the issue.
Talk to you in July –
Senior Security Strategist, Microsoft Security Response Center.
In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.
Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!
With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.
The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as we have seen with several existing competitions that focus on vulnerability exploitation. Taking that knowledge a step further, to help design new or enhanced mitigation technologies that defend against exploit techniques like heap spray or Return Oriented Programming (ROP), was a challenge that we hoped would garner at least as much interest.
The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.
The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who the contestants are who have chosen to compete for the prize – some of them are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.
For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:
- Complete entries must be received by midnight Pacific Time April 1, 2012.
- Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.
- For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.
- If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.
With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”
So, shall we play a game?
-Katie Moussouris
Follow Katie on Twitter.