Sony, Are You Listening?

14-Year-Old Hacker Scoops Job At Microsoft After Being Caught Phishing Via Call of Duty Server.

An interesting little tidbit coming out of Microsoft today, with news that the Redmond outfit has offered a job to a young Irish boy who came to their attention through a Call of Duty: Modern Warfare 2 phishing scam.

The 14-year-old, who has not been named, has been given the opportunity by Microsoft to turn his back on more nefarious uses for his talent.

Microsoft is reported to be working with the 14-year-old Irish hacker who managed to stir up a little trouble with his Call of Duty: Modern Warfare 2 phishing scam alert. According to the managing director of Microsoft of Ireland, the company is helping the hacker “develop his talent for legitimate purposes.”

This move has obviously caused many to wonder why Sony didn't take a similar stance over the infamous George Hotz affair. This is exactly what Sony should have done with George Hotz: given him a job as a security specialist, instead of suing him in court and getting its PlayStation Network and other Sony websites hacked day in and day out.

For those not up to speed on the matter, Hotz was taken to court by Sony over his PlayStation 3 hacking exploits. After much media speculation and legal wrangling, the pair finally settled out of court, but could it all have been avoided? Even at the time many suggested Sony should have taken George Hotz onboard to use his undoubted talent instead of taking him to task. Perhaps they could have avoided the PSN hacking debacle?

Congrats to that young hacker, whose name was not disclosed. While the new prospect for the Dublin kid is not meant to be an example for other hackers to follow, companies do have to realize that there are many talented people among hackers. Why make an enemy when you can have them on your side?

Red Dragon's Cyberarmy

Chinese government officials have acknowledged the existence of a military unit dedicated to cyber warfare activity, according to intelligence sources. Chinese Defense Ministry spokesman Geng Yansheng said that the unit, called the "cyber blue team", is designed to "better safeguard the internet security of the armed forces".

Geng stated that the unit was organized in response to international threats to Internet security, and that China is still relatively weak with regard to cyber security and its ability to defend against cyberterrorism. Intelligence analyst Glenmore Trenear-Harvey says many in the intelligence field believe China has had a cyber offensive unit active for at least the last five years.

"They [China] may have acknowledged that they have set up this unit but they have been doing it for a long time, and they have been enormously successful in their attacks," Trenear-Harvey said.

China has recruited thousands of hackers for a cyber force tasked with infiltrating a multitude of computers to establish a large botnet which can be utilized to conduct denial of service (DoS) campaigns to disrupt targeted websites as well as conducting cyber espionage activity to pilfer sensitive information. "It is one of the greatest threats we have... But do remember that - the US and UK - are doing this in reverse and are very successful. It's an incredibly potent weapon which will certainly be utilized," Trenear-Harvey said.

According to a recent article by Joshua Philipp and Matthew Robertson, the Chinese have long seen a tactical cyber offensive capability as being a potentially powerful equalizer in their quest to attain superpower status and undermine the effectiveness of international political rivals.

The Chinese strategy extends well beyond potential military targets, posing a significant threat to the core industries and critical infrastructure systems a nation relies upon to sustain a healthy military presence. Attacks on private sector assets are seen as a central aspect of a successful Chinese cyber aggression strategy by eroding the industrial and technological superiority of an adversary over time.

Chinese hackers are not merely tasked with infiltrating established western economies; they are also conducting extensive operations in emerging economies (India, Brazil, etc.) and extending their presence in regions fraught with political conflict and economic turmoil.

While numerous nations are involved in varying levels of cyber aggression, what makes the Chinese threat so much more palpable is the systemic nature and comparatively large scale of the state-sponsored cyber-offensive operations, as evidenced by attacks like Operation Aurora, Ghostnet, and most recently Night Dragon.

WebApp $ecurity expenditure.

Companies Spend More on Coffee Than Web App Security
A recent report by the Ponemon Institute, Cenzic and Barracuda Networks has produced a startling statistic: eighty-eight percent of companies surveyed indicate they spend more on coffee than they do on securing Web applications.

In spite of this staggering revelation, seventy-four percent of the organizations surveyed still ranked Web application security as being equal to or more important than other security priorities. Clearly, organizations are struggling with Web application security issues.

"While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire for and the implementation of the security countermeasures required for Web application security."

Other findings from the survey include:
  • 66 percent test less than 25 percent of their Web applications for vulnerabilities
  • 62 percent cited data protection as the impetus for Web app security
  • 51 percent cited compliance as the top reason for securing Web apps
  • 51 percent listed compliance as a key driver for Web application security
  • 41 percent reported having 100 or more Web applications
"The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight – eventually your shield will prove that it's insufficient and an attack will reach you that can fly past a network firewall," Judge stated. With cloud adoption growing every day, Web application security is going to be a big challenge for service providers.


Office 365

"BPOS seems history, welcome Office 365"

The recent hype about Office 365 has drawn my attention, so I thought of digging up some information about the service. First, one must ask: "what is Office 365?"

Well the answer is pretty straight forward and simple. It is a subscription service that combines the familiar Microsoft Office Web Apps with a set of web-enabled tools that are easy to learn and use, that work with your existing hardware, and that come backed by the robust security, reliability, and control you need to run your business.

Why Office 365 ?

Because of the Unique Selling Proposition of Office 365
Powered by Microsoft Exchange Online

Office 365 gives you access to email, calendar, and contacts from virtually anywhere, at any time, on desktops, laptops, and mobile devices*—while it helps to protect against viruses and spam.

Work from virtually anywhere
Work from almost anywhere and get automatically updated email, calendar, and contacts on the devices you use most, including PCs, Macintosh computers, iPhones, Android phones, BlackBerry smartphones**, Windows Mobile, and Windows Phones*.

Easy-to-manage email

Get professional, easy-to-manage email. Office 365 provides each user with a 25-gigabyte (GB) mailbox and lets them send email messages up to 25 megabytes (MB). Connect with Microsoft Outlook 2010 or Outlook 2007 and use all of the rich Outlook functionality you already know and use, whether you are connected to the Internet at home or in the office or you are working offline.

Simplify scheduling
Easily schedule meetings by sharing calendars and viewing them side by side, so users can see their colleagues' availability and suggested meeting times from their own calendar. Access email, calendar, and contacts from nearly any web browser while keeping the rich, familiar Outlook experience with Microsoft Outlook Web Application.

Business-class security

Help protect your organization from spam and viruses with Microsoft Forefront Online Protection for Exchange, which includes multiple filters and virus-scanning engines.

Highly competitive pricing structure
Microsoft plans to offer Office 365 to businesses with fewer than 25 employees for $6 per user per month; larger companies will pay between $2 and $27 per user per month. Remember, money always matters.

Earlier, in 2009, Microsoft launched SharePoint, Exchange and Lync as online services, calling the bundle the Business Productivity Online Suite, or BPOS. Customers currently send and receive 167 billion messages every day through its cloud services (Ref: Kurt DelBene, president of Microsoft's Office Division).

Office 365 is a new cloud-based version of this suite of productivity tools, combining SharePoint, Exchange, Lync (formerly Communications Server), the Office Web applications and the Office Professional Plus desktop client. The suite goes into beta today (sign up here).
Chris Capossela, senior vice president of Microsoft's Office Division, said Microsoft has created what it feels is a highly competitive pricing structure because it really wants to capture the small business market. Microsoft is including single sign-on access to all of these services, Capossela said. Enterprises also have the option to get Microsoft Office Professional Plus desktop software on a pay-as-you-go basis. Microsoft is opening a limited Office 365 beta program in seven languages and thirteen countries around the world.
I hope Office 365 retains the familiar client experience that everyone knows and loves, backed by a rich back-end.

Tech that didn't originate in Redmond

These technologies may not have been Microsoft originals, but today they bear the Redmond stamp :)

Microsoft, unfairly or not, has a reputation for taking over others' innovations. But I still love what Microsoft did with these technologies, pushing the envelope to take them to a whole new level that others cannot match. Below are a few examples:

Windows Azure
First, let's be clear. We're hearing good things about Windows Azure from third parties who have their choice of cloud providers. But let's face it -- Google and have been in this space so long it makes the entire cloud concept seem old.

Bing
Search has been around for years. Before Yahoo! and Google took over, there was AltaVista and others. Once Google turned simple search into a massively intertwined business, Microsoft wanted in -- badly. And thus were born a Microsoft ad network, enterprise search and now Bing, a fresh stab at the problem. Many people might not be aware of this, but the internet community has concluded that BING = Bing Is Not Google.

Windows GUI
This one is almost too obvious. Bill Gates, looking for the next innovation in OS, used Mac fundamentals as the basis of Windows 1.0. On the flip side, Gates had multitasking long before Steve Jobs!

Internet Explorer
Netscape wowed the world with its browser, then branched out into other areas such as mail and collaboration. Microsoft feared the browser was to some extent a platform, and that it could disrupt the Windows franchise. Microsoft bought a browser, tweaked and bundled it with Windows 95. Despite anti-trust losses, Microsoft still won this game.

SQL Server
Sybase in the late '80s was a rising database star, and Sybase SQL Server ran on larger systems. Microsoft wanted to bring this kind of solid relational product to a PC-based platform, so Microsoft, Sybase and Ashton-Tate formed an alliance. The code would be ported to PC servers, and Ashton-Tate would rejigger dBase to front-end SQL Server. But dBase was so fundamentally different it couldn't work with SQL, leaving only Sybase and Microsoft. When Windows NT arrived, Microsoft split from Sybase, but kept components that remain the basis of SQL Server today.

DoubleSpace
Stac Electronics built a utility that doubled the capacity of your hard drive through compression. Microsoft tried to strike a deal to embed a version of Stacker within Windows, but Stac said no, so Microsoft went ahead and wrote its own data-compression tool, DoubleSpace. Unfortunately, the Microsoft version violated Stac's patents. Can you say lawsuit? Microsoft lost, but instead of just paying Stac the $120 million it was ordered to pay, Redmond invested in the company and paid royalties to Stac, which ultimately folded.

Hyper-V
Virtualization is the hottest thing to happen to computing since Dell laptop batteries started catching fire. Microsoft was late to the market with Hyper-V and crafted a strategy eerily similar to VMware's, with PC- and server-virtualization tools. However, through its partnership with Citrix, and Microsoft's own Windows Server Terminal Services, Redmond is also arguably a virtualization pioneer.

Windows Server
Novell became a powerhouse through network OSes that mostly supported print and file services. Microsoft saw this huge market and made a move with Windows NT. IT pros loved NetWare, but Microsoft had advantages: deep relationships with CEOs and CTOs, and the fact that NT was a true partner of the Windows client, sharing an interface and many core functions.

Microsoft Word
The WordPerfect word processor came out around 1980, and as the decade progressed it became as dominant as Lotus 1-2-3 and Ashton-Tate dBase were back in their day. Microsoft wanted an application and OS, and WordPerfect was an obvious target. Microsoft Word came in 1983, and subsequent versions promoted compatibility -- even keystroke compatibility -- with WordPerfect. We all know who ultimately won this war.

Xbox
The Xbox may be the hippest console out there, but Microsoft was way late to the video game business.

AV in the Cloud: Affectation?

Although identified by Gartner as a top ten IT strategy for 2011, cloud technology has yet to realise its full potential in corporate IT departments – the promise of increased flexibility and scalability provided by the cloud is offset by ongoing concerns about the security of corporate data. So it is ironic that the cloud represents one of the most exciting and promising new channels for the development and use of anti-malware software.

A good fit for IT security

Cloud computing is an effective method for performing a number of IT security tasks associated with protecting users. First of all, cloud computing allows parallel data processing, i.e. it is ideal for tasks which can be divided into several parts and processed simultaneously, thus getting quicker results. This is crucial for current antivirus products.

In order to analyse a suspicious program, it must be checked against lists of known malicious and known safe software as quickly as possible. If this does not yield results, it must be compared to the signatures of known threats, its code must be scanned for dangerous instructions and its behaviour must be examined in an emulator. All of this research can be performed in parallel. Some processes can be divided into even smaller parts, for example database searches. Cloud analysis has a great advantage over analysis performed on a local machine, as it allows all of the required detection technologies to be used, having first distributed them between several computers for analysis, thus providing faster and higher-quality research. Additionally, cloud data processing is ideal for reducing the load on a local machine.

Data processing using cloud services also contributes to the accumulation of extremely valuable information. This feature is also important in combating IT threats. The harvested information is necessary for the immediate neutralisation of all known threats, as well as for the detailed analysis of new malicious programs and the development of antivirus solutions.

There must be a continuous exchange of data between the cloud and the numerous local machines running security products. Local computers provide information about current threats which are analysed and neutralised using the cloud’s enhanced computing power, providing a continuous stream of information. Should a new threat appear on just one local machine, protection can be developed immediately and delivered to the other computers connected to the cloud. The bigger the cloud in terms of the number of local machines connected to it, the higher the security level.
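The pipeline described above (hash lists first, then the heavier engines run in parallel, with each new verdict fed back so later clients get an instant answer), as an added illustration that is not from the original article or any vendor's product. The sample files, the signature and the "dangerous instruction" heuristic are all constructed for the demo.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

# Constructed sample "files" that two clients will submit to the cloud.
SAMPLES = {
    "notes.txt": b"quarterly numbers look fine",
    "dropper.bin": b"MZ\x90\x00EVILPACKER-stage2-download",
    "loader.bin": b"MZ\x90\x00" + b"\xcc" * 8 + b"EVILPACKER",
}

class CloudVerdictService:
    """Stand-in for the cloud side: cheap hash lookups first, heavy engines only for unknowns."""

    def __init__(self):
        self.known_bad = set()  # hashes already judged malicious by any client
        self.known_good = {hashlib.sha256(b"quarterly numbers look fine").hexdigest()}
        self.signatures = [b"EVILPACKER"]  # constructed signature standing in for a real database
        self.engine_calls = 0  # how often the expensive engines actually had to run

    # Each engine is independent, so the cloud can run them simultaneously.
    def _signature_scan(self, data):
        return any(sig in data for sig in self.signatures)

    def _instruction_scan(self, data):
        # Toy "dangerous instruction" heuristic: a run of int3 (0xCC) padding in a PE-like file.
        return data.startswith(b"MZ") and b"\xcc" * 4 in data

    def lookup(self, data):
        """Return (verdict, source) where source tells whether the cache or the engines answered."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.known_bad:
            return "malicious", "cache"
        if digest in self.known_good:
            return "clean", "cache"
        self.engine_calls += 1
        with ThreadPoolExecutor(max_workers=2) as pool:
            results = list(pool.map(lambda engine: engine(data),
                                    (self._signature_scan, self._instruction_scan)))
        verdict = "malicious" if any(results) else "clean"
        # Feedback loop: a detection on one machine protects every machine that asks later.
        (self.known_bad if verdict == "malicious" else self.known_good).add(digest)
        return verdict, "engines"

def scan_fleet(service, clients):
    """Every client submits the same constructed files; returns one verdict map per client."""
    return [{name: service.lookup(data) for name, data in SAMPLES.items()} for _ in clients]

if __name__ == "__main__":
    svc = CloudVerdictService()
    for client, verdicts in zip(["client-a", "client-b"], scan_fleet(svc, ["client-a", "client-b"])):
        print(client, verdicts)
    print("engine runs:", svc.engine_calls)
```

The second client never triggers the engines: both unknown files were classified during the first client's submission and served from the hash lists afterwards.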

Making the right antivirus decision

Antivirus products should incorporate all of the above mentioned advantages of cloud computing: rapid, deep, parallel data processing, reduction of load on local computers and constant accumulation of valuable information about IT threats.

!exploitable Crash Analyzer

!exploitable (pronounced "bang exploitable") is an extension for the Windows debugger (WinDbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. The best part of the deal is that both WinDbg and the !exploitable Crash Analyzer are free. Bang exploitable can be downloaded from here.

The !exploitable Crash Analyzer was first released publicly at the CanSecWest conference.

Roots in Fuzzing

The technology and research that eventually became the !exploitable Crash Analyzer came out of the investment that Microsoft has made in fuzzing technology. Preceding the launch of Windows Vista, there was a 14 month fuzzing effort totaling over 350 Million iterations. Upon examining crashes from the fuzzing effort, a number of observations were made about similarities in crashes.

One of the nice benefits of fuzzing is that it eliminates any need to determine “is the problematic code reachable by an attacker”. Because the malformed data is provided in the same way that an attacker would provide it, we know that if we are able to generate an issue during fuzzing, a real attacker would in all likelihood be able to reach the same code.

Another observation was that a single issue in code could be reached via multiple vectors, creating crashes that appeared to be different, but with the same root cause. By grouping crashes together which occur in the same area of code, the number of crashes that need to be looked at can be dramatically decreased.

The diagram below shows the results of two weeks of fuzzing with four different fuzzers against one parser, which found 57 crashes with VERY LITTLE overlap between fuzzers:

When the same 57 crashes are run through the !exploitable Crash Analyzer and grouped for similarity, we see that there are 15 unique issues, reducing the number of crashes to look at nearly four-fold, and that Fuzzers A and B found all but 2 of the issues, showing which fuzzers really give the best coverage for this application.

However, even when grouping similar crashes, there is a need to perform a rough-cut triage of the severity of the crashes found. The !exploitable Crash Analyzer was built to address these needs. Because of this, the tool assumes that the information in the faulting instruction is controlled by an attacker – the normal case when assessing results of fuzzing runs.

Implications when applied to other crashes

Once we move beyond fuzzing, the assumptions built into the tool make the results less reliable. Unlike fuzzer-generated crashes, we don't actually know whether the crash was caused by information that could be controlled by an attacker. Even in this case, the stack trace hashes let us group similar issues. But one has to add an implicit caveat to the exploitability ratings provided by !exploitable: "If an attacker controlled the source data to the faulting instruction…".

What does this mean for the developer? Effectively, it means that we don’t know whether or not we simply have a problematic coding issue or bug versus a true security vulnerability. A coding issue or bug becomes a security vulnerability only when an attacker is able to reach it, generally by providing invalid data. It may be that the problematic code cannot be reached by an attacker, in which case we merely have a bug. It may be that there are code paths (which we may or may not have found) that expose the problematic code to attacker controlled data. Or it may be that a yet to be implemented feature will expose the issue. But for the software developer, especially when these coding issues are found early in development, the knowledge that there is a potentially problematic issue in the code should be enough to get the fix created and implemented or made available for users to install as appropriate.

How Exploitable is Exploitable?

Even in the cases where the crash was caused by data supplied by an attacker, we don’t know how much control the attacker has. For example, if we look at a faulting memory copy, it’s possible that the attacker could control the destination address, the source address, the move length, or some combination of all three. Inside of the !exploitable Crash Analyzer, we assume that the attacker has control of all three. While this is probably not the case, we are willing to accept the over-assessment of risk in this case because the coding issue is considered severe enough that the ensuing false positive rate is something we consider acceptable.

When analyzing a crash, !exploitable is looking at the details, and categorizing the severity based on reasonably coarsely grained heuristics. You can read the output of !exploitable as “This is the sort of crash that experience tells us is likely to be exploitable”, and for the software developer, that should be all of the information that is necessary. It’s well beyond the scope of the tool to figure out how an exploit could be delivered; that sort of analysis tends to require highly skilled humans.
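To make the two ideas above concrete, the grouping of crashes by stack hash (so several crashes with one root cause count as one issue, and each fuzzer's coverage becomes visible) and the coarse severity heuristics with their "if the attacker controlled the data" caveat, here is an added Python sketch. It is not the tool's code: the crash records are constructed, the major/minor hash scheme only approximates the tool's idea, and the rating rules are simplified assumptions rather than !exploitable's real ones.

```python
import hashlib
from collections import defaultdict

# Constructed crash records standing in for dumps collected from four fuzzers against one parser.
CRASHES = [
    {"fuzzer": "A", "exc": "write_av", "addr": 0x41414141,
     "stack": ["parser!put_token+0x2a", "parser!parse_hdr+0x8c", "app!main+0x10"]},
    {"fuzzer": "B", "exc": "write_av", "addr": 0x41414145,
     "stack": ["parser!put_token+0x31", "parser!parse_hdr+0x8c", "app!main+0x10"]},
    {"fuzzer": "C", "exc": "read_av", "addr": 0x8,
     "stack": ["parser!get_len+0x12", "parser!parse_body+0x44", "app!main+0x10"]},
    {"fuzzer": "A", "exc": "read_av", "addr": 0x0,
     "stack": ["parser!get_len+0x12", "parser!parse_body+0x60", "app!main+0x10"]},
    {"fuzzer": "D", "exc": "block_move", "addr": 0x7FFF0000,
     "stack": ["msvcrt!memcpy+0x5a", "parser!copy_chunk+0x1f", "parser!parse_body+0x44", "app!main+0x10"]},
]

def stack_hashes(stack, depth=5):
    """Major hash: top frames with offsets stripped, so one bug reached at slightly different
    instructions groups together. Minor hash: full trace with offsets, the exact variant.
    This mirrors the tool's idea only loosely (assumed scheme)."""
    major = "|".join(frame.split("+")[0] for frame in stack[:depth])
    minor = "|".join(stack)
    return (hashlib.sha1(major.encode()).hexdigest()[:8],
            hashlib.sha1(minor.encode()).hexdigest()[:8])

def rate(crash, attacker_controls_data=True):
    """Coarse, simplified heuristics in the spirit of the tool (assumed rules, not the real ones)."""
    exc, addr = crash["exc"], crash["addr"]
    if exc in ("write_av", "block_move"):
        rating = "Exploitable"  # attacker assumed to control destination, source and length
    elif exc == "read_av" and addr < 0x10000:
        rating = "Probably Not Exploitable"  # null-page style read
    elif exc == "read_av":
        rating = "Probably Exploitable"
    else:
        rating = "Unknown"
    if not attacker_controls_data:
        # Outside fuzzing the caveat from the article must be made explicit.
        rating += " (if an attacker controlled the source data to the faulting instruction)"
    return rating

def triage(crashes):
    """Group by major hash, record which fuzzers reached each issue, keep the worst rating."""
    order = ["Exploitable", "Probably Exploitable", "Unknown", "Probably Not Exploitable"]
    groups = defaultdict(lambda: {"fuzzers": set(), "count": 0, "rating": order[-1]})
    for crash in crashes:
        major, _ = stack_hashes(crash["stack"])
        group = groups[major]
        group["fuzzers"].add(crash["fuzzer"])
        group["count"] += 1
        rating = rate(crash)
        if order.index(rating) < order.index(group["rating"]):
            group["rating"] = rating
    return dict(groups)

if __name__ == "__main__":
    for major, group in triage(CRASHES).items():
        print(major, group["count"], "crash(es)", sorted(group["fuzzers"]), group["rating"])
```

Five crashes collapse to three issues; the two write faults from fuzzers A and B share a major hash but differ in minor hash, which is the "same root cause, different vector" case the article describes.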

Moreover, even in the case where a vulnerability is exploitable, exploit mitigation built into the compiler and the platform may be sufficient to prevent actual exploitation. This doesn’t mean that the root problem shouldn’t be fixed, any more than having airbags and wearing your seat belt means it is acceptable to not repair your brakes. But it does mean that sometimes the end user is protected, even if everything else went wrong.

The Target Audience

Fundamentally, this is a defensive tool, aimed at the software developer, especially those without deep expertise in security threats. It helps by grouping common issues, identifying cases where multiple code paths flow to the same underlying issue, and providing a rough cut of the security implications of individual crashes.

Check the video where Jason Shirk and Larry Larsen discuss the tool.