Black Hat, Blue Pill, red faces (and hacking Hezbollah)

Heeerrre's IT Blogwatch, in which the Black Hat conference embarrasses Microsoft. Not to mention a catchy psyop...

Eric Lai is in Lost Wages:

Microsoft Corp. stepped into the lion's den last week when it sent some top engineers to the Black Hat USA hacker conference here. Their mission: to convince the toughest security audience in the world that Microsoft's upcoming Windows Vista will be more hacker- and malware-proof than any other operating system and that the company is committed to security. The result: a reception that was mixed but bordering on positive from corporate security executives and security researchers. Many of them said they are impressed by Microsoft's stated commitment to security but are withholding judgment until Vista gets into corporate IT shops later this year.

George P. Alexander Jr. explains the new lifecycle:

Microsoft banks on the Secure Development Life Cycle model from now on when it comes to the development of all its products ... Frankly, I thought Black Hat was just a place for Microsoft to perform demo after demo. But then, last week's invitation to around 3000 security pros to crack Vista sounded very bold. As you might have thought before and during Black Hat, giving a demo to an audience is no big deal. Anyone can do it. But then, putting Vista out in the open for everyone to tear apart is a totally different matter altogether. I think I'll be keeping an eye on this for some time.

But Ben Brooks has bad news for Redmond:

A Polish “researcher” found a way to hack the security using what is being called a Blue Pill, which was successful so long as she clicked an I accept button on a Windows security warning. She went on to say that most users click through these without thinking due to the frequency that they pop up. In Microsoft’s defense (mark the date), what else are they supposed to do? They already warned people, right? Well, they could patch the problem, which they say they are doing, they could require that a password be typed in à la Mac OS X style…but they don’t ... It would appear that the new Security Development Lifecycle is not doing so well its first time around.

N_Lien leans toward the silver lining:

We can be happy that this was found before the release of Vista and not after it, but that does leave the question as to whether other equally serious issues are hiding inside Vista.

I do have to congratulate Joanna Rutkowska from COSEINC for finding the hack. Has it even been a week since Microsoft challenged the hacking community to break Vista's security?

Kuljit Athwal shrugs:

So what? Microsoft has actively encouraged the world's security experts to try and hack the new operating system, and sure, there were always going to be vulnerabilities, but the good thing about this method is that they can find the major security holes before the product goes gold. Windows has always had issues with security and this time Microsoft seems keen on getting it right, and this is a new method for Microsoft and I think it’s a positive step.

Joanna Rutkowska (for it is she) writes:

I sincerely believe that Blue Pill technology will (very soon) allow for creating 100% undetectable malware, which is not based on obscurity of the concept. And I already stressed this in the description of my talk here and here. The working prototype I have (and which I will be demonstrating at SyScan and Black Hat) implements the most important step towards creating such malware, namely it allows moving the underlying operating system, on the fly, into a secure virtual machine. The phrase "on the fly" is the most important thing about Blue Pill - it makes it possible to install a Blue Pill-based malware without restarting the system and without any BIOS or boot sector modifications ... I will be showing a simple example of how it could be used to create a network backdoor on Vista x64.

And finally... Whatever you think of the Israel/Hezbollah conflict, you have to laugh at this [hat tip: Mailgeek]

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.

Copyright © 2006 IDG Communications, Inc.
