<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Vulnerabilities</title>
	<atom:link href="http://www.halbheer.ch/security/tag/vulnerabilities/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Thu, 12 Jan 2012 19:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>10 Years of Trustworthy Computing at Microsoft</title>
		<link>http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/</link>
		<comments>http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 10:33:15 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Ecosystem]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Security Updates]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trustworthy Computing]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/?p=2598</guid>
		<description><![CDATA[<p> <p>Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewaterhouseCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I would leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/">10 Years of Trustworthy Computing at Microsoft</a></span>]]></description>
			<content:encoded><![CDATA[<p><a href="http://aka.ms/twcnext"><img style="margin: 0px 10px; display: inline; float: left" border="0" alt="TwC Next" src="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-50-43-twcnext/1488.TwC_2D00_Tile_5F00_148x148_2D00_wShadow.png" width="148" height="148" /></a>
<p>Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewaterhouseCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I would leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines:</p>
<ul>
<li>Oh, you are joining a desktop company? Why? </li>
<li>A security guy? Joining Microsoft? hmm… </li>
</ul>
<p>So, these reactions came from the time immediately before we launched Windows XP (you are not on XP today, are you? If you are, read <a href="http://www.halbheer.ch/security/2011/12/22/10-reasons-to-migrate-off-windows-xp/" target="_blank">this article</a>). Microsoft was not perceived as an enterprise player and was not seen as secure – they were wrong back then in the first case but right in the second one I guess. I joined being part of the consulting organization but soon met the country manager and I was having a chat with him about the perception on Microsoft’s security in the market. We (say: he <img style="border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2012/01/wlEmoticon-smile.png" />) then decided that we need to work on that and that I shall draw a job description – the job then was called Chief Security Officer and Chief Security Advisor later on. And then Nimda hit! And then Blaster hit! And then Slammer hit! I had the “privilege” back then to run the incident response team in Switzerland and had the privilege to have customers screaming at me, tell me that we fucked up (that was a quote). </p>
<p>Interestingly in the meantime the famous <a href="http://www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx" target="_blank">Bill Gates’ Memo</a> hit the streets, saying:</p>
<blockquote><p>There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level – from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.</p>
</blockquote>
<p>and even more important:</p>
<blockquote><p>In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. </p>
</blockquote>
<p>This memo led to the creation of Trustworthy Computing with Scott Charney running the organization since its beginning, and Scott then created the Chief Security Advisor community, the community I was in since the beginning and have the honor to run today globally. </p>
<p>Coming back to the beginning: I remember the first keynote I did for Microsoft was on Trustworthy Computing immediately after this announcement. People approached me in the breaks and asked me whether I really believe what I just said: that Microsoft is going to change. And I confirmed that. I have never seen (not before nor after) a company stopping development for almost four months to address issues and then change the way the company operates – that radically. I would never ever put my name and my credibility at risk if I would not have believed back then and I am still convinced that we did and still do an outstanding job and that we are leading the industry today. Interestingly I do not get these questions anymore…</p>
<p>So, what happened over these 10 years of Trustworthy Computing? What were significant achievements? Well, there are numerous and I have to apologize to the teams I am not mentioning here upfront…</p>
<ul>
<li>Immediately after SQL Slammer in 2003 we spun up a process called <a href="http://www.microsoft.com/security/msrc/whatwedo/responding.aspx">Software Security Incident Response Process</a> (SSIRP), a process which is still in place today and we constantly adapt it to new threats and especially new challenges. This was a huge effort as we needed to be able to ramp up an incident organization all across the globe 24*7 – and we still are today. </li>
<li>Probably the biggest and most fundamental change was the way we develop software. We introduced the <a href="http://www.microsoft.com/security/sdl/default.aspx">Security Development Lifecycle</a> (SDL) and constantly keep it updated. Not only did we change the development process internally, we make this information available to the industry for free. Others shall be able to learn from our learning from the past. What concerns me is the slow adoption of such methodologies from a vendor side as well as from a customer side. Who really asks for a process? Typically customers ask for product certification but not for a sound process – something we as an industry need to continue on changing. </li>
<li>Different teams were spun up to address security re-actively like the Microsoft Security Response Center and the Malware Protection Center. </li>
<li>Since 2006 we publish our <a href="http://www.microsoft.com/sir" target="_blank">Security Intelligence Report</a> – the most comprehensive report in the market. </li>
<li>Our <a href="http://www.microsoft.com/presspass/presskits/dcu/" target="_blank">Digital Crimes Unit</a> is fighting cybercrime from a legal as well as from a technology perspective. We are working closely with the Council of Europe and other organizations improving the legal situation. We are taking down botnets like <a href="http://blogs.technet.com/b/microsoft_blog/archive/2010/09/08/r-i-p-waledac-undoing-the-damage-of-a-botnet.aspx" target="_blank">Waledac</a>, <a href="http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/17/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx" target="_blank">Rustock</a> and <a href="http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx" target="_blank">Kelihos</a> in close collaboration with the authorities.&#160; We are providing technology to fight sexual exploitation of children like <a href="http://www.microsoft.com/presspass/press/2009/dec09/12-15PhotoDNAPR.mspx" target="_blank">PhotoDNA</a>. </li>
</ul>
<p>A lot of things happened over the course of the years and there is still a lot to do. These are just some highlights (besides the creation of the Chief Security Advisor community). </p>
<p>If you want to see a condensed version of the “life” of Trustworthy Computing”, here you go:    <br /><a href="http://www.microsoft.com/presspass/gallery/imageviewer.mspx?3AMBwaEoKCAtQ%2bsNlzHVTXml3CAzGFCzjJXqTjDzvT134nbww9YZda8RzXCvADDYwAqVTt%2fh0ZP%2fzA2w%2fqABecg%2ftNsl3fbo5j5Yn2FF%2b6TnnJ67AaewjqseaPeFm8Twpac4pFl64kHoXdBuVIlJlrStNYXNCFq7Uq1hnBn%2bD%2fEqi0rTj%2bfTFt5BadhKGnKfYA4jQNkimkBijs%2fTWfJ7cgAc412D0AG21ND1YwseIRwN4mI7nt2YKaUVH1ij64jgzP7GZMh%2fYSWDUxYuhUjMWnQtE67etqOIFdqnWG6o0HNGhsNFFylHku1M%2bHFDfrq39QMgnwOgaH0OtSYTWsDYuTFMbBYM4N1RB0ndC%2brB1zg%3d" target="_blank"><img src="http://www.microsoft.com/presspass/images/features/2012/01-12twc10years_lg.jpg" width="619" height="480" /></a></p>
<p>And the official story on the news center: <a href="http://www.microsoft.com/presspass/features/2012/jan12/01-12TwC.mspx" target="_blank">At 10-Year Milestone, Microsoft’s Trustworthy Computing Initiative More Important than Ever</a></p>
<p>Sometimes I am asked how many people work at Microsoft on security. And the answer is “everybody” (well, almost <img style="border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2012/01/wlEmoticon-smile.png" />). It is not something we separate and put into a team labeled security. It is part of all our lives to one extent or another and this is the way it should be.</p>
<p>If I would have a wish for 2012, it would be that the industry would stand together much closer to address the issues of today and the future. I do not see that security is something the industry should compete on – rather collaborate to fight the criminals &#8211; together with the governments and the governments together with us. I was already fairly vocal about this in the <a href="http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/" target="_blank">Octopus Conference</a> and will continue to ask for it. To help with this dialogue, we published a model called <a href="http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/" target="_blank">Cybersecurity Agenda for Governments</a> and will soon publish a book on it as well. </p>
<p>In parallel, the teams internally will continue their great work to bring Trustworthy Computing to the next level. All of this is needed, when we think that there will be a third billion devices added to the Internet in the next five years!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2012/01/12/10-years-of-trustworthy-computing-at-microsoft/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A Security Comparison: Microsoft Office vs. Oracle Openoffice</title>
		<link>http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/</link>
		<comments>http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 09:40:25 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Office]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/</guid>
		<description><![CDATA[<p>Actually, there is not much to say about this. It is a blog post by Carnegie Mellon called A Security Comparison: Microsoft Office vs. Oracle Openoffice and just does what it says. However, I do not particularly like the security comparison of products built solely on vulnerabilities as this shows only one side of the equation <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/">A Security Comparison: Microsoft Office vs. Oracle Openoffice</a></span>]]></description>
			<content:encoded><![CDATA[<p>Actually, there is not much to say about this. It is a blog post by Carnegie Mellon called <a href="http://www.cert.org/blogs/certcc/2011/04/office_shootout_microsoft_offi.html" target="_blank">A Security Comparison: Microsoft Office vs. Oracle Openoffice</a> and just does what it says. However, I do not particularly like the security comparison of products built solely on vulnerabilities as this shows only one side of the equation – an important one but only one.</p>
<p>For all the ones still claiming that Open Source software creates fewer vulnerabilities, here you find some stats on Office:</p>
<p><img style="display: block; float: none; margin-left: auto; margin-right: auto;" src="https://www.cert.org/blogs/certcc/officefuzz-expmajor.png" alt="" /></p>
<p>Interesting, hmm….</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/04/19/a-security-comparison-microsoft-office-vs-oracle-openoffice/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Six &#8220;New&#8221; Attack Vectors</title>
		<link>http://www.halbheer.ch/security/2011/02/18/six-new-attack-vectors/</link>
		<comments>http://www.halbheer.ch/security/2011/02/18/six-new-attack-vectors/#comments</comments>
		<pubDate>Fri, 18 Feb 2011 13:23:08 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Attack Vectors]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/18/six-new-attack-vectors/</guid>
		<description><![CDATA[<p>Reading this article Six New Hacks That Will Make Your CSO Cringe made me think as it has a few fairly interesting approaches:</p> Fake Phone Networks: I am wondering how much work it takes to do it. If the effort is not too high, I am not (yet) too worried about it. But still, for <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/18/six-new-attack-vectors/">Six &#8220;New&#8221; Attack Vectors</a></span>]]></description>
			<content:encoded><![CDATA[<p>Reading this article <a href="http://smallbusiness.foxbusiness.com/technology-web/2011/01/24/new-hacks-make-cso-cringe/" target="_blank">Six New Hacks That Will Make Your CSO Cringe</a> made me think as it has a few fairly interesting approaches:</p>
<ol>
<li><strong>Fake Phone Networks</strong>: I am wondering how much work it takes to do it. If the effort is not too high, I am not (yet) too worried about it. But still, for targeted espionage, it might be scary.</li>
<li><strong>Hacking Your Phone to Hack Your Computer</strong>: This is kind of obvious but scary. If I look at things like this <a href="http://www.halbheer.ch/security/2011/02/11/phone-security-lose-your-passwords-on-iphone-in-a-few-minutes/" target="_blank">Phone Security: Lose your Passwords on iPhone in a few minutes</a>, the phone is most probably an interesting attack vector</li>
<li><strong>Denial of Service Against Your Desktop</strong>: We have never seen this yet but one of the reasons, why we do our best to deliver high-quality updates</li>
<li><strong>Cloud-Based Warfare</strong>: A lot of talk about this but I am not sure, how big this threat is today. Using the Cloud power and capacity is definitely something the criminals are looking at.</li>
<li><strong>Breaking Open Your Android Phone</strong>: To me that’s actually the same as 2</li>
<li><strong>Stealing Corporate Secrets Through Weak Systems</strong>: Nothing new</li>
</ol>
<p>At least there are a few things which made me think…</p>
<p>Roger </p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/18/six-new-attack-vectors/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Intelligence Report v9 is online</title>
		<link>http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/</link>
		<comments>http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/#comments</comments>
		<pubDate>Wed, 13 Oct 2010 15:46:05 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Security Intelligence Report]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/10/13/security-intelligence-report-v9-is-online</guid>
		<description><![CDATA[<p>Usually I blog intensively on the release of the Security Intelligence Report. However, this time I am out of office and have just little time to give you insight. We spent a lot of work to make it more comprehensive and give you a more stable view over quite some time. So there is a <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/">Security Intelligence Report v9 is online</a></span>]]></description>
			<content:encoded><![CDATA[<p>Usually I blog intensively on the release of the Security Intelligence Report. However, this time I am out of office and have just little time to give you insight. We spent a lot of work to make it more comprehensive and give you a more stable view over quite some time. So there is a great opportunity to see trends regarding different figures like the Malware Infection Rates.</p>
<p>Additionally we re-designed the website. This is the most comprehensive report in the industry, so you should look into it: <a href="http://www.microsoft.com/security/sir/default.aspx" target="_blank">Security Intelligence Report</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/10/13/security-intelligence-report-v9-is-online/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Detect a Hacker Attack</title>
		<link>http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/</link>
		<comments>http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/#comments</comments>
		<pubDate>Thu, 30 Sep 2010 12:33:03 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/30/how-to-detect-a-hacker-attack</guid>
		<description><![CDATA[I read an article called that way but then had to realize that it did not really address, what I expected. Why? Well, because it does not cover the key challenge in my opinion but... <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/">How to Detect a Hacker Attack</a></span>]]></description>
			<content:encoded><![CDATA[<p>This title immediately caught my attention and probably yours as well: <a href="http://www.helium.com/items/1966182-how-to-detect-a-hacker-attack" target="_blank">How to detect a hacker attack</a> – something I definitely want to know. And then I realized that the article a) is written by a techie and b) does not really cover the attacks I am worried about most. But I will address this toward the end and would appreciate your ideas as well.</p>
<p>If you look at the article, it gives 4 tips:</p>
<blockquote><ol>
<li>Suspiciously high outgoing traffic for dial-up and ADSL </li>
<li>Look out for strange looking files in the root directories of your drives and/or too much disk activity.</li>
<li>If your personal firewall is reporting blocking large packets of data from the same IP address</li>
<li>A lot of hackers still rely on trojans and backdoors. So, if your anti-virus software starts finding a lot of those, try increasing protection, use an Internet security suite instead of a basic anti-virus</li>
</ol>
</blockquote>
<p>That’s just an excerpt. If I look at my mom and dad – they never look at 1 (I do not do it either), 2 (I would just see it if I would clean up my machine), 3 (It might be in the event log but who is looking at the event log?). 4 is definitely a good thing as we have said for ages (actually since Blaster) that there are three things you should do to protect your PC:</p>
<ol>
<li>Switch on your firewall</li>
<li>Keep your software updated</li>
<li>Install an anti-malware solution and keep it updated (see <a href="http://www.microsoft.com/security_essentials/" target="_blank">Microsoft Security Essentials</a>)</li>
</ol>
<p>If we take it to a company level, the 4 tips above might look slightly different: 1 is network monitoring (if you see the anomalies), 2 is rarely done, 3 is rarely done and 4 again I hope is done.</p>
<p>But what really worries me are not the attacks we are finding with the 4 tips above. Those are not the ones which keep me up at night, as they are noisy. </p>
<p>What about the stealth, targeted attacks – the real attacks? They do not create a lot of traffic (as the data is slipped out slowly), they hide the files “behind” other files, they use the universal firewall tunneling protocol (called HTTP) to transfer data and the malware they are using is just written for this single purpose: To attack just you! </p>
<p>How do we defend against those attacks? How do we even find them? They will sneak in through social engineering and I have to admit, that I am not clear what we can do against them – really. A few things come to my mind:</p>
<ol>
<li><strong>Risk Management</strong> – start with understanding your risk exposure not only from a technical side but who could be interested for what in your environment. How likely are you to be targeted by e.g. industrial espionage?</li>
<li><strong>Patch Management</strong> – this is for sure. However, the targeted attacks often do not leverage technical vulnerabilities but the user. But staying on the latest versions of all your software is key to defend. This does not only mean security updates but “real” versions as well. If you are still on Windows XP, your risk exposure is significantly higher than on Windows 7</li>
<li><strong>Information Protection</strong> – the classical encryption does not help here as the malware might impersonate you and then simply copy/paste the data or transfer the data in plain text. I think that <a href="http://technet.microsoft.com/en-us/library/cc771627.aspx" target="_blank">Rights Management Services</a> could at least lower the risk of data loss. </li>
</ol>
<p>What else? What do you do? I would be really interested hearing your ideas and approaches</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/09/30/how-to-detect-a-hacker-attack/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Stuxnet: Future of warfare? Or just lax security?</title>
		<link>http://www.halbheer.ch/security/2010/09/27/stuxnet-future-of-warfare-or-just-lax-security/</link>
		<comments>http://www.halbheer.ch/security/2010/09/27/stuxnet-future-of-warfare-or-just-lax-security/#comments</comments>
		<pubDate>Mon, 27 Sep 2010 16:29:36 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/27/stuxnet-future-of-warfare-or-just-lax-security</guid>
		<description><![CDATA[<p>What is your view?: Stuxnet: Future of warfare? Or just lax security?</p> <p>Roger</p> ]]></description>
			<content:encoded><![CDATA[<p>What is your view?: <a href="http://ct.zdnet.com/clicks?t=591152038-706519acc66fc6b6803dc1a31b61be52-bf&amp;brand=ZDNET&amp;s=5">Stuxnet: Future of warfare? Or just lax security?</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/09/27/stuxnet-future-of-warfare-or-just-lax-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Advisory for the ASP.NET Vulnerability</title>
		<link>http://www.halbheer.ch/security/2010/09/19/advisory-for-the-asp-net-vulnerability/</link>
		<comments>http://www.halbheer.ch/security/2010/09/19/advisory-for-the-asp-net-vulnerability/#comments</comments>
		<pubDate>Sun, 19 Sep 2010 10:30:54 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Advisory]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/19/advisory-for-the-asp-net-vulnerability</guid>
		<description><![CDATA[<p>We are basically asking the industry to follow a Coordinated Vulnerability Disclosure and are therefore not in favor of public vulnerability disclosure as it puts the industry unnecessarily at risk.</p> <p>Recently there was a vulnerability in ASP.NET publicly disclosed. We released an advisory and you should look into implementing the suggested workaround: Vulnerability in ASP.NET <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/09/19/advisory-for-the-asp-net-vulnerability/">Advisory for the ASP.NET Vulnerability</a></span>]]></description>
			<content:encoded><![CDATA[<p>We are basically asking the industry to follow a <a href="http://www.microsoft.com/security/msrc/report/disclosure.aspx" target="_blank">Coordinated Vulnerability Disclosure</a> and are therefore not in favor of public vulnerability disclosure as it puts the industry unnecessarily at risk.</p>
<p>Recently there was a vulnerability in ASP.NET publicly disclosed. We released an advisory and you should look into implementing the suggested workaround: <a href="http://www.microsoft.com/technet/security/advisory/2416728.mspx" target="_blank">Vulnerability in ASP.NET Could Allow Information Disclosure</a>.</p>
<p>UPDATE: A very good description by our SWI Team: <a href="http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx" target="_blank">Understanding the ASP.NET Vulnerability</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/09/19/advisory-for-the-asp-net-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Importance of Application Security</title>
		<link>http://www.halbheer.ch/security/2010/08/24/the-importance-of-application-security/</link>
		<comments>http://www.halbheer.ch/security/2010/08/24/the-importance-of-application-security/#comments</comments>
		<pubDate>Tue, 24 Aug 2010 14:56:14 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Applications]]></category>
		<category><![CDATA[Development Lifecycle]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/24/the-importance-of-application-security</guid>
		<description><![CDATA[<p>I think I told the story thousands of times and everybody knows it but I will do it the 1001st time now. When I joined Microsoft and became what is the Chief Security Advisor for Switzerland today, we had an airlift for Windows Server 2003. The Product Manager in Switzerland asked me to keynote <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/08/24/the-importance-of-application-security/">The Importance of Application Security</a></span>]]></description>
			<content:encoded><![CDATA[<p>I think I told the story thousands of times and everybody knows it but I will do it the 1001<sup>st</sup> time now <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2010/08/wlEmoticonsmile3.png">. When I joined Microsoft and became what is the Chief Security Advisor for Switzerland today, we had an airlift for Windows Server 2003. The Product Manager in Switzerland asked me to keynote the event as security became (and still is) one of the core pillars of our servers. Therefore we decided to talk about a new initiative then called <a href="http://www.microsoft.com/twc" target="_blank">Trustworthy Computing</a>. I talked about it and said that <a href="http://www.microsoft.com/twc" target="_blank">Trustworthy Computing</a> has to be an industry initiative and the Security Development Lifecycle something for everybody developing software. During the break, I was then told that this remark was just a way to put the blame on the others instead of us – I am more convinced than ever: It has to be an industry initiative, no matter which development model you choose.</p>
<p>A few years later, we launched <a href="http://www.safecode.org/index.php" target="_blank">SAFECode</a> in partnership with EMC, Juniper, SAP, and Symantec. The goal of SAFECode was and still is to enable experience sharing on how to develop secure code. There are more partners in the meantime – you can find them <a href="http://www.safecode.org/members.php" target="_blank">here</a>. A strange thing happened during the initial press conference. An analyst spoke up and said: “Well, with these companies coming together and sharing experience and information, don’t you just drive the attackers to the companies not being part of SAFECode?”. Well, so what? Any organization can join and/or leverage what we do, as everything on our Security Development Lifecycle is freely available and SAFECode has published quite a few papers on that subject, too. A lot of the tools, the methodology – everything. Free! Download it, use it, go for it!</p>
<p>The reason I am writing this is the latest discussion around Insecure Library Loading, where we published the advisory <a href="http://www.microsoft.com/technet/security/advisory/2269637.mspx" target="_blank">Insecure Library Loading Could Allow Remote Code Execution</a>. To me it shows one of the biggest challenges in the industry. It is not about securing the platform. We invested a lot of energy in making Windows the most secure operating system out there. Besides applying SDL and a lot of other processes, we included technology like ASLR, DEP and others to make it harder to exploit vulnerabilities. We have probably the best incident response in the industry. But the applications remain a challenge. This is true on Windows (as this case shows) as well as on other platforms. Securing the OS is one thing. Securing the application ecosystem on top is a completely different story.</p>
<p>Therefore, there is a clear call to action: If you are developing software, go ahead and use any methodology to engineer security into your product from the ground up. Use SDL or any other process that helps you to get there – but do something. If you want help implementing it, there is the <a href="http://blogs.msdn.com/b/sdl/archive/2008/09/18/about-the-sdl-pro-network.aspx" target="_blank">SDL Pro Network</a>, which can assist you (this is not for free then <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2010/08/wlEmoticonsmile3.png">).</p>
<p>It is simply irresponsible not to do it as soon as your application is used more broadly than “just” on your own PC.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/08/24/the-importance-of-application-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Assessing the risk of the August security updates</title>
		<link>http://www.halbheer.ch/security/2010/08/10/assessing-the-risk-of-the-august-security-updates/</link>
		<comments>http://www.halbheer.ch/security/2010/08/10/assessing-the-risk-of-the-august-security-updates/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 19:07:45 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Security Updates]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/10/assessing-the-risk-of-the-august-security-updates</guid>
		<description><![CDATA[<p>This month it is pretty important to read the Security Research and Defense blog post: Assessing the risk of the August security updates</p> <p>It might help you to get an overview of the biggest release ever.</p> <p>Roger</p> ]]></description>
			<content:encoded><![CDATA[<p>This month it is pretty important to read the Security Research and Defense blog post: <a href="http://blogs.technet.com/b/srd/archive/2010/08/10/assessing-the-risk-of-the-august-security-updates.aspx?wa=wsignin1.0" target="_blank">Assessing the risk of the August security updates</a></p>
<p>It might help you to get an overview of the biggest release ever.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/08/10/assessing-the-risk-of-the-august-security-updates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft and Adobe: Collaboration Against Threats</title>
		<link>http://www.halbheer.ch/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats/</link>
		<comments>http://www.halbheer.ch/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:37:49 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats</guid>
		<description><![CDATA[<p>You know my opinion on collaboration between countries, on public-private-partnerships as well as on collaboration between companies.</p> <p>For quite a while we have run a program called MAPP – the Microsoft Active Protections Program, where we share vulnerability information with security vendors to help them to get signatures out to our joint customers the moment we <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats/">Microsoft and Adobe: Collaboration Against Threats</a></span>]]></description>
			<content:encoded><![CDATA[<p>You know my opinion on collaboration between countries, on public-private-partnerships as well as on collaboration between companies.</p>
<p>For quite a while we have run a program called MAPP – the <a href="http://www.microsoft.com/security/msrc/collaboration/mapp.aspx">Microsoft Active Protections Program</a>, where we share vulnerability information with security vendors to help them to get signatures out to our joint customers the moment we release a security update.</p>
<p>Additionally, we know from our data (see the <a href="http://www.microsoft.com/security/about/sir.aspx">Security Intelligence Report</a>) that PDF is the most exploited file format. Therefore I think it is a great signal that Adobe will join the MAPP program to tighten our joint collaboration.</p>
<p>It is another clear signal that we are up for action to address the security challenges in the ecosystem.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/07/28/microsoft-and-adobe-collaboration-against-threats/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

