BlueHat v16 Schedule Announced

Over the summer we had overwhelming response to our BlueHat v16 call for papers. We would like to give a special thanks to all who submitted papers for consideration. The range of content and quality of content was exceptional. So with that, today we are happy to announce our schedule for the general audience portion of the conference.


Thursday, November 3rd, 2016 | General Audience

Track | Time | Speaker | Company | Talk Subject
Keynote | 9:00 - 9:50 AM | David Kennedy | TrustedSec/Binary Defense Systems | The Security Monty Python and the Holy Grail
Track 1 - Opening | 10:00 - 10:50 AM | Alex Weinert and Dana Kaufman | Microsoft | Identity Protection at scale - A Year in the Trenches with Microsoft Identity Protection team
Track 1 - Opening | 11:00 - 11:50 AM | Daniel Edwards and Stirling McBride | Microsoft | What is Threat Intelligence?
Track 1 - Threat Landscape | 1:00 - 1:50 PM | Peter Hlavaty | Tencent | You didn't see it's coming? “Dawn of hardened Windows Kernel”
Track 1 - Threat Landscape | 2:00 - 2:50 PM | Genghis Karimov | Microsoft | Win32k Security Improvements: Past & Present
Track 1 - Threat Landscape | 3:00 - 3:50 PM | Jessy Campos | ESET | Visiting the Bear Den
Track 1 - Threat Landscape | 4:00 - 4:50 PM | Cooper Quintin | Electronic Frontier Foundation | I Got a Letter From the Government the Other Day… Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan

Friday, November 4th, 2016 | General Audience

Track | Time | Speaker | Company | Talk Subject
Track 1 - The Cloud | 9:00 - 9:50 AM | Satoshi Tanda | Crowdstrike | Hypervisors in Your Toolbox: Monitoring and Controlling System Events with HyperPlatform
Track 1 - The Cloud | 10:00 - 10:50 AM | Saruhan Karademir | Microsoft | Breaking Things Early: Designing Secure Containers
Track 1 - The Cloud | 11:00 - 11:50 AM | Pete Loveless and Fred Aaron | Microsoft | In-memory compromise detection as an Azure service
Track 1 - The Cloud | 11:30 - 11:55 AM | Michael Scovetta and Jan Vandenbos | Microsoft | Security of Open Source at Microsoft
Track 1 - Exploit, Parry, Strike | 1:00 - 1:50 PM | Haifei Li | Intel Security | Analysis of the Attack Surface of Microsoft Office from User’s Perspective
Track 1 - Exploit, Parry, Strike | 2:00 - 2:50 PM | Yunhai Zhang | NSFOCUS | How to Avoid Implement An Exploit Friendly JIT
Track 1 - Exploit, Parry, Strike | 3:00 - 3:50 PM | Daniel Bohannon | Mandiant | Invoke-Obfuscation: Powershell obFUsk8tion Techniques & How To (Try To) D"“e’Tec’T ‘Th’+‘em’
Track 1 - Exploit, Parry, Strike | 4:00 - 4:50 PM | David Weston, Matt Miller and Peleus Uhley | Microsoft/Adobe | A Year of Hardening Adobe Flash Player
Track 2 - Discovery | 9:00 - 9:50 AM | Alex Ionescu | Crowdstrike | Gaining Visibility into Linux Binaries on Windows - How to defend and understand WSL
Track 2 - Discovery | 10:00 - 10:50 AM | Andrea Allievi and Richard Johnson | Microsoft/Cisco Systems | Harnessing Intel Processor Trace on Windows for Vulnerability Discovery
Track 2 - Discovery | 11:00 - 11:25 AM | Casey Smith | Veris Group ATD | Trusted Things That Execute
Track 2 - Discovery | 11:30 - 11:55 AM | John Booth | Microsoft | Detecting Malicious Masquerading Processes
Track 2 - Landscape Reaction | 1:00 - 1:50 PM | Michiko Short | Microsoft | Windows Credential Protections: Where are we now?
Track 2 - Landscape Reaction | 2:00 - 2:50 PM | Stephen Hufnagel and Sven Groot | Microsoft | Windows Subsystem for Linux (WSL)
Track 2 - Landscape Reaction | 3:00 - 3:25 PM | Jon DeHart | Microsoft | Redesigning the Edge with Just-In-Time Network Access
Track 2 - Landscape Reaction | 3:30 - 3:55 PM | Marianne Malle and Patrick Estavillo | Microsoft | Ransomware Threat Landscape and Retrospect
Track 2 - Landscape Reaction | 4:00 - 4:50 PM | David Molnar | Microsoft | Fuzzing Cloud “Project Springfield”

Planning for the conference is well underway. This time around we have secured a little more space so that we can accommodate even more participants. For external community members this is an invite-only conference. The initial round of external invites will go out later today with details on how to register and the timeframe for response. The registration site is live for external participants.

Keep watching here for more updates as we get closer to the event.

Thursday, November 3rd, 2016 | General Audience

Keynote

9:00 - 9:50 AM | David Kennedy | TrustedSec and Binary Defense Systems

The Security Monty Python and the Holy Grail

In Monty Python, the search is clear – find the Holy Grail that can solve all of the world’s problems and bring world peace. While a comedy, we face the same issues with security. Today, the search continues for the Holy Grail of security. The way to defeat or make it significantly more difficult for attackers. Attackers hoard attack methods, researchers are releasing new bypass methods, users continue to click, and we still see an elevated rate of compromise. This talk focuses on the offensive and defensive strategies that work for both sides (the red and the blue). We dive into methods of how attacks today still continue to work, look at social-engineering methods, and look at what actually prevents us from getting into organizations.

The time is right for the red and blue to come together to pave a way for purple and the way to the Holy Grail.

Track 1 - Opening

10:00 - 10:50 AM | Alex Weinert and Dana Kaufman | Microsoft

Identity Protection at scale - A Year in the Trenches with Microsoft Identity Protection team

Microsoft is one of the largest identity providers in the world. Between Microsoft account, Microsoft’s consumer system which supports Outlook, Xbox, OneDrive, and more; and Azure Active Directory, which supports virtually all enterprise identity deployments, Microsoft’s Identity team supports more than 2B identities in every market and services over 14B logins every day. The Identity Protection team is responsible for ensuring that access is granted only to account owners, and that those account owners are not fraudsters. In this session, we’ll provide an overview of the protection systems in play, including our new Azure Active Directory Identity Protection product, how we see fraudsters adapting to different protection systems, and industry trends in a world where high-stakes attacks meet high-tech adaptive countermeasures. We’ll punctuate the talk with a few scary stories from the front lines, and our forecast for the future of identity protection.

11:00 - 11:50 AM | Daniel Edwards and Stirling McBride | Microsoft

What is Threat Intelligence?

The new buzzword on the street is Threat Intelligence. What exactly is threat intelligence? How does a piece of data go from ordinary data to threat intelligence? This talk will first walk you through the process of taking data and producing Threat Intelligence and then how one might integrate such a data source into their service.

Track 1 - Threat Landscape

1:00 - 1:50 PM | Peter Hlavaty | Tencent

You didn't see it’s coming? “Dawn of hardened Windows Kernel”

For the past few years our team has been focusing on different operating systems, including the Microsoft Windows kernel. Honestly, our first pwn of the Windows kernel was not that challenging: there were a number of available targets with a friendly environment for a straightforward pwn, from user mode up to reliable kernel code execution.

However, step by step, security policies continue to evolve, and it becomes more troublesome to choose an ideal attack surface from the various sandboxes. In addition, the steps to follow when digging for security holes depend heavily on the chosen target. In general, a few common strategies are available to researchers: e.g. choose an “unknown” target which hasn’t been researched before; select a well-fuzzed or well-audited one; or research kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology for selecting targets, along with the cost of the tricks needed to reach seemingly banned targets, illustrated by notable examples.

After getting hands on a potential bug reachable from the targeted sandbox, it is time for Microsoft Windows’ hardening efforts to put the attacker into a corner. Strong mitigations are being introduced more frequently than ever, with a promising direction that cuts off a lot of attack surface and kills several exploitation techniques. We will show the difficulties of developing universal exploitation techniques, and demonstrate the technical level needed depending on the code quality of the target. We will examine how different it becomes in the era of Redstone and following versions, even with those techniques and a good vulnerability in hand: how it changed the attacker landscape and how it will (and will not) kill those techniques and applications. But will it really change the game or not?

2:00 - 2:50 PM | Genghis Karimov | Microsoft

Win32k Security Improvements: Past & Present

Win32k is a large subsystem of the Windows OS responsible for UI, graphics and input tasks. Having been part of most Windows releases, from Windows 3.x to Windows 10, the Win32k subsystem teaches a unique lesson in managing a large codebase through its natural growth, from the perspective of reliability and security. This talk chronicles the codebase throughout the major releases; how macro and micro design decisions within the component translate to security risk; and what famous attacks Win32k vulnerabilities were leveraged for. Most of the discussion will be dedicated to a technical overview of Win32k-specific vulnerabilities and the mitigations for them.

3:00 - 3:50 PM | Jessy Campos | ESET

Visiting the Bear Den

Sednit, a.k.a. Fancy Bear/APT28/Sofacy, is a group of attackers operating since at least 2006 and whose main objective is to steal confidential information from specific targets. Over the past two years, this group’s activity increased significantly, in particular with numerous attacks against foreign affairs ministries and embassies all over the world. Technically speaking, Sednit is probably one of the best espionage groups out there. Not only have they created a complex software ecosystem – composed of tens of different components –, but they also regularly come out with 0-day exploits. Also remarkable is their ability to very quickly integrate newly published techniques into their toolkit. This talk presents the results of a two-year hunt after Sednit, during which we dug up and analyzed many of their software components. In particular, we will delve into the technical details of their most impressive components:

  • DOWNDELPH, a mysterious downloader deployed in rare cases and with advanced persistence methods. In particular, we found a Windows bootkit dropping this component, and also a Windows rootkit, both never documented.
  • XTUNNEL, a network proxy tool able to transform an infected machine into a pivot to contact computers normally unreachable from the Internet. Heavily obfuscated, and based on a custom encrypted protocol, XTUNNEL is a major asset in Sednit post-infection toolkit.
  • XAGENT, the flagship Sednit backdoor, for which Windows, Linux and iOS versions have been developed. Built as a modular framework around a so-called “kernel”, it allows to build flexible backdoors with, for example, the ability to switch between various network protocols.
  • SEDKIT, a full-fledged exploit-kit, which depending on the target’s configuration may drop 0-day exploits or revamped exploits.

During our tracking, we also gained great visibility into Sednit’s post-infection modus operandi, a world full of Mimikatz and various custom hacking tools.

4:00 - 4:50 PM | Cooper Quintin | Electronic Frontier Foundation

I Got a Letter From the Government the Other Day… Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan

This report covers a campaign of phishing and malware which we have named “Operation Manul” and which, based on the available evidence, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers. Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption (Kazaword) to allegations of kidnapping.

Our research suggests links between this campaign and other campaigns that have been attributed to an Indian security company called Appin Security Group. A hired actor is consistent with our findings on the Command and Control servers related to this campaign, which included web-based control panels for multiple RATs, suggesting that several campaigns were being run at once. A hired actor may also explain the generic and uninspired nature of the phishing, which often took the form of an email purporting to contain an invoice or a legal document with an attachment containing a blurry image. This talk will cover the report in detail. We will also go into detail about the often low-tech, unsophisticated attack methods which are commonly used against journalists and dissidents, and what security researchers and defenders at Microsoft and elsewhere can do to stop these sorts of attacks and keep people safe from authoritarian governments.

Friday, November 4th, 2016 | General Audience

Track 1 - The Cloud

9:00 - 9:50 AM | Satoshi Tanda | Crowdstrike

Hypervisors in Your Toolbox: Monitoring and Controlling System Events with HyperPlatform

Virtualization software has been extensively used for security research, and countless analysis systems based on virtualization technology (VT) have been invented over more than a decade. Regardless, there is no suitable hypervisor as a platform for developing such VT-based analysis systems on Windows. Lightweight hypervisors for Windows lack support for modern platforms, and comprehensive, consumer-oriented hypervisors and emulators are either overly intricate to quickly take advantage of VT or excessively slow for day-to-day usage. This talk presents HyperPlatform, a thin hypervisor designed as a VM-exit filtering platform for Windows. Using Intel VT-x and extended page tables, this platform provides researchers the ability to flexibly handle a new class of system events and rapidly implement hypervisor-based tools with high compatibility and efficiency. This talk will also introduce some HyperPlatform-based tools with a live demo against real exploits, demonstrating various example application scenarios of HyperPlatform.

10:00 - 10:50 AM | Saruhan Karademir | Microsoft

Breaking Things Early: Designing Secure Containers

In Windows Server 2016, we introduced Windows Server Containers – a modern way to deploy software. This allows our internal and external customers to leverage the Windows platform in the new ‘cloud’ architecture model of microservices and continuous integration. Along with Windows Server Containers, we also introduced Hyper-V Containers, which has a strictly enforced isolation boundary that’s purpose-built for hostile multi-tenant scenarios. Hosting and utilizing containers is a large part of Azure’s future strategy, including components such as the Azure Container Service and AzureML. The Windows Container platform also lays the foundation of many future features in client and server Windows. Because of the critical nature of this feature, WDG Security Assurance embedded its members into the development process of Windows Containers. This new approach integrated security knowledge into the design and implementation of the features themselves, moving the bar for how security teams should collaborate with feature teams. In this talk, we will discuss the architecture of Windows Containers and highlight the differences between the Hyper-V containers and Windows Server Containers. This will include a comparison of the threat model between the two flavors as well as a deeper look at the changes made to Hyper-V. In addition, we will present the details about our embedded security partnership with the feature teams that helped build Containers. We will show the resulting impact of this collaboration by diving into specific design changes. This will include changes in the user model of Windows Containers as well as the Xenon storage subsystem.

11:00 - 11:50 AM | Pete Loveless and Fred Aaron | Microsoft

In-memory compromise detection as an Azure service

Security analysis of Azure crash dumps is a new Azure threat detection service, and in this talk we’ll explore some of the most sophisticated malware it’s found. We’ll present an overview of how our service runs in Azure, and explain where the dumps we’re analyzing come from. We’ll explain in detail some of the key behavioral attributes our service looks for in order to detect malicious activity, for example: PEB locator functionality used in shellcode to access core Windows APIs, reflective injection using reflective loaders, custom PE or stripped MZ headers, and process hollowing. We’ll describe a few examples of malware we’ve found that demonstrate the very behaviors and attributes our service is designed to detect. Finally, we’ll discuss ways in which the security community can collaborate with us to help us build even better detections that help Azure and Azure customers defend against security threats.

11:30 - 11:55 AM | Michael Scovetta and Jan Vandenbos | Microsoft

Security of Open Source at Microsoft

Microsoft uses a vast and increasing number of open source components to deliver products and services to customers. These components provide enormous value, but introduce some significant security risk. During this session, we’ll cover the following challenges and how we’re addressing them:

  • How exposed are Microsoft products and services to vulnerabilities present in open source components?
  • What security work should engineers be doing when using open source?
  • Which metrics can be used to indicate the risk inherited when using an open source component?
  • How well do available security tools find actionable vulnerabilities?
  • How can machine learning and related approaches be used to identify security risk across many projects, including detection of intentional backdoors in open source components?
  • How do we handle responsible disclosure when critical vulnerabilities are found in open source components?

We’ll conclude with a demo of some tooling available today and present a few of the notable vulnerabilities found through the processes created.

Track 1 - Exploit, Parry, Strike

1:00 - 1:50 PM | Haifei Li | Intel Security

Analysis of the Attack Surface of Microsoft Office from User’s Perspective

In this presentation, I will talk about the unexplored attack surface on Microsoft Office from a real-world user’s perspective. Specifically, I will examine the real-world scenarios of how an Office-based threat is delivered into a personal computer or an organization, and what could happen when an Office file is opened. I will also share the details of the weird issues I’ve found, as case studies. I hope this talk will shed some light on better, practical security detection & defense against Office-based threats, which is quite important for overall enterprise security.

2:00 - 2:50 PM | Yunhai Zhang | NSFOCUS

How to Avoid Implement An Exploit Friendly JIT

JIT compilation is widely used in modern software to improve performance. For example, all popular web browsers implement JIT compilation in their JavaScript engines. So, are those implementations of JIT compilation secure enough? The answer seems to be NO. This talk will discuss several mitigation bypass techniques that abuse JIT compilation for exploitation. After demystifying the details of each technique, some guidelines will be proposed based on the root cause of those issues.

3:00 - 3:50 PM | Daniel Bohannon | Mandiant

Invoke-Obfuscation: Powershell obFUsk8tion Techniques & How To (Try To) D"“e’Tec’T ‘Th’+‘em’

The very best attackers hide their PowerShell commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.

This talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. As I share these techniques I will emphasize the value each technique provides the attacker. Next, I will introduce three new layers of obfuscation that can be applied independently or collectively to any PowerShell command. These layers include: 1) directly manipulating PowerShell and .Net cmdlets, functions and arguments, 2) string manipulation applied to single commands or entire scripts, and 3) PowerShell command input parameters that enable one to hide command line arguments from appearing for powershell.exe.

Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not or cannot enable these features. Therefore, I will provide techniques the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will also highlight methods using C# within powershell.exe that enable the attacker to execute .Net functions without being recorded in PowerShell event logs. Additionally I will discuss ways to perform remote downloads via SendKeys and ComObjects. I will conclude this talk by highlighting the public release of Invoke-Obfuscation.ps1. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line detection mechanisms.

4:00 - 4:50 PM | David Weston, Matt Miller and Peleus Uhley | Microsoft/Adobe

A Year of Hardening Adobe Flash Player

Adobe Flash Player has become a preferred target for browser-based attacks over the past year and a half. In response to this shift, Adobe, Microsoft, and Google have collaborated on hardening Adobe Flash Player to make it more difficult for attackers to find and exploit Flash Player vulnerabilities. In this presentation, we’ll analyze the timeline and trends related to attacks against Flash Player and describe the hardening improvements that have been made along the way. We’ll show how attackers have responded to these improvements and conclude with a summary of what the landscape looks like today.

Track 2 - Discovery

9:00 - 9:50 AM | Alex Ionescu | Crowdstrike

Gaining Visibility into Linux Binaries on Windows - How to defend and understand WSL

The release of the Windows Subsystem for Linux (WSL) brings exciting new changes to the Windows ecosystem – the ability to run unmodified Linux ELF Binaries in an environment that provides a 75%+ system call compatibility layer with the Linux Kernel API/ABI, access to sockets, the file system, pipes, and a private driver/IPC bus mechanism, all while leveraging the DrawBridge “Pico Process” research. At the same time, today’s defense products and engines are not adapted to this reality. Forensically difficult to understand, poorly internally documented outside of some technical blog posts, and unusual-by-design (ELF binaries utilizing a kernel driver for I/O, leveraging poorly understood NTFS features), WSL is a great place for future attackers to invade, if the blue team doesn’t get there first.

This presentation will expose some of the difficulties in dealing with WSL processes for forensics, IR, and endpoint detection and response. It will also call out certain undisclosed risks and actual vulnerabilities, regarding file system EoP attacks, mitigation bypasses, system call vulnerabilities, and bugs regarding Windows handle usage. As future Windows releases increase the capabilities of WSL, it’s important to address these issues systematically with fuzzing, SDL processes, and a better understanding of the risks and interactions between NT and Linux. Finally, we’ll provide ideas & suggestions for how security-minded vendors and administrators can get some visibility into WSL.

10:00 - 10:50 AM | Andrea Allievi and Richard Johnson | Microsoft/Cisco Systems

Harnessing Intel Processor Trace on Windows for Vulnerability Discovery

This talk will explore Intel Processor Trace, the new hardware branch tracing feature included in Intel Skylake processors. We will explain the design of Intel Processor trace and detail how the current generation implementation works including the various filtering modes and output configurations.

This year we designed and developed the first open-source Intel PT driver for the Microsoft Windows operating system. We will discuss the architecture of the driver and the large number of low-level programming hurdles we had to overcome throughout the development of the driver to program the PMU, including registering Performance Monitoring Interrupts (PMI), locating the Local Vector Table (LVT) Performance Monitor timer register, bypassing the TLB and cache by managing physical memory, and more. We will demonstrate the usage of Intel PT in Windows environments for diagnostic and debugging purposes and then discuss how we’ve harnessed this branch tracing engine for guided fuzzing.

This year we have added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware supported engine for targeting binaries with evolutionary fuzzing. In addition we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.

11:00 - 11:25 AM | Casey Smith | Veris Group ATD

Trusted Things That Execute

As organizations are embracing the new whitelisting model, it becomes imperative to understand what applications you trust. Solutions such as AppLocker, and DeviceGuard go a long way to provide increased defense. However, attackers can leverage existing, default, signed tools to execute arbitrary code. This talk will describe multiple utilities that have been discovered to execute code in unexpected ways. The methods we use do not rely on exploitation at all. In fact they follow recommended patterns for developers. The purpose of this talk is to inform defenders, as well as provide insight into uncovering these patterns at scale.

11:30 - 11:55 AM | John Booth | Microsoft

Detecting Malicious Masquerading Processes

Every year thousands of organizations are victims of cyber-attacks leading to potential misuse of their resources, loss of billions of records and damage to their reputation. The attacker will typically run malicious code on victim machines to collect data, control the machine or for other common purposes. One way to achieve this is to drop a malicious binary with a name similar to that of a common process; the attacker’s intent is to go unnoticed by the analyst’s eye. Another option is to inject malicious code into an existing process, making the malicious code appear to be running as part of a legitimate process. In this talk, we will discuss a method to scan a large amount of Windows process creation event data to detect some of the attacker tactics above. We suggest a scoring model to decide which processes to present to the analyst as suspicious, and show how we’ve applied this work to internal and customer data.
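As an added illustration of the look-alike-name tactic and the scoring idea in this abstract (example code, not the speaker’s method or any Microsoft tool), the following scores constructed process creation records against an assumed baseline of well-known Windows process names and their expected directories; the baseline, weights and log lines are all assumptions.

```python
# Added example: a small scoring model for process-name masquerading, run over
# constructed process creation records. Not from the BlueHat talk; the baseline
# list, weights and sample events below are assumptions for illustration.
from typing import Dict, List, Tuple

# Assumed baseline: well-known Windows process names and the directory each is
# normally launched from (lower-cased for comparison).
KNOWN_PROCESSES: Dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed process creation records, one per line: "<utc timestamp>,<image path>".
SAMPLE_EVENTS = """\
2016-11-03T09:15:02Z,C:\\Windows\\System32\\svchost.exe
2016-11-03T09:15:07Z,C:\\Users\\Public\\svchost.exe
2016-11-03T09:16:11Z,C:\\Windows\\System32\\scvhost.exe
2016-11-03T09:17:45Z,C:\\ProgramData\\lsas.exe
2016-11-03T09:18:30Z,C:\\Windows\\System32\\Isass.exe
2016-11-03T09:20:00Z,C:\\Program Files\\Editor\\editor.exe
"""


def normalize(name: str) -> str:
    """Fold look-alike characters so 'Isass.exe' or 'svch0st.exe' compare equal to their targets."""
    name = name.lower().replace("rn", "m").replace("vv", "w")
    return name.translate(str.maketrans("01i|", "olll"))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to run over every event against a short baseline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_image(image_path: str) -> Tuple[int, str]:
    """Return (score 0-100, reason) for one image path; 0 means nothing suspicious under this model."""
    path = image_path.lower()
    directory, _, name = path.rpartition("\\")
    if name in KNOWN_PROCESSES:
        if directory == KNOWN_PROCESSES[name]:
            return 0, "known process from its expected directory"
        # Exact system name, but launched from somewhere it never lives.
        return 80, f"known name '{name}' launched from unexpected directory '{directory}'"
    folded = normalize(name)
    for known in KNOWN_PROCESSES:
        if folded == normalize(known):
            # Differs only by look-alike characters (I/l, 0/o, rn/m ...).
            return 90, f"look-alike characters: '{name}' folds to '{known}'"
    best = min(KNOWN_PROCESSES, key=lambda k: levenshtein(folded, normalize(k)))
    dist = levenshtein(folded, normalize(best))
    if 1 <= dist <= 2:
        # Near-miss spelling (dropped/extra/transposed letters); closer means more suspicious.
        return 70 - 10 * dist, f"'{name}' is within {dist} edit(s) of '{best}'"
    return 0, "no resemblance to a monitored process"


def rank_events(event_text: str, threshold: int = 1) -> List[Tuple[int, str, str, str]]:
    """Parse 'timestamp,image_path' lines and return suspicious ones as
    (score, timestamp, image_path, reason), highest score first."""
    rows = []
    for line in event_text.splitlines():
        if not line.strip():
            continue
        ts, _, image = line.partition(",")
        score, reason = score_image(image)
        if score >= threshold:
            rows.append((score, ts, image, reason))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


if __name__ == "__main__":
    for score, ts, image, reason in rank_events(SAMPLE_EVENTS):
        print(f"{score:3d}  {ts}  {image}\n      {reason}")
```

Injection into an already-running legitimate process, the second tactic in the abstract, is not visible in name-and-path data at all and needs memory or behavioural telemetry instead.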

Track 2 - Landscape Reaction

1:00 - 1:50 PM | Michiko Short | Microsoft

Windows Credential Protections: Where are we now?

To understand how to protect against credential theft & lateral traversal attacks (Pass-the-Hash), we need to understand the conditions required for credential theft. Then it is easy to see how the various Windows and Domain Controller features address various parts of the problem.

2:00 - 2:50 PM | Stephen Hufnagel and Sven Groot | Microsoft

Windows Subsystem for Linux (WSL)

The Windows Subsystem for Linux (WSL) allows for execution of unmodified Linux binaries by emulating a Linux kernel interface on top of the Windows NT kernel. This talk will discuss the security models around WSL and techniques used for security testing. For the security model, we will cover the interaction between traditional Windows processes and processes running in the WSL, how WSL emulates the Linux security model, and how WSL processes interact with devices managed by NT. We will also describe the fuzzers used for testing, pen testing, and vulnerabilities found.

3:00 - 3:25 PM | Jon DeHart | Microsoft

Redesigning the Edge with Just-In-Time Network Access

With the development of built-in application layer security on the rise, advances in network security must follow. The antiquated model of edge-based access control via firewall is proving to be more taxing on network administrators and less maintainable as the asset footprint increases. In order to combat this, network security must be brought back down to the host layer, and firewalls must be re-engineered to act as central command for users and groups while taking advantage of standard OS security functionality. This talk will conceptually discuss the opportunity to replace edge firewalls with request-based ACL changes managed by a centralized logic engine.

3:30 - 3:55 PM | Marianne Malle and Patrick Estavillo | Microsoft

Ransomware Threat Landscape and Retrospect

In 2016 alone, ransomware campaigns have become even more prominent, showing more activity than was seen in the past few years. For this BlueHat session, we will share some key summaries about what has happened in the ransomware threat landscape over the last 10 months, and how it continues to be a growing problem for customers. As part of this, we will focus a portion of the presentation on a deep dive into the top ransomware families, which have been steadily on the rise for the past months. We will also explore methods of delivery, variant updates, and behaviors that these threats exhibit. At the end of this talk, we will also share insight into current research and response efforts, as well as future plans in our fight against ransomware and ransomware infection, how we can mitigate these threats, and recommendations when faced with these types of threats.

4:00 - 4:50 PM | David Molnar | Microsoft

Fuzzing Cloud “Project Springfield”

Fuzzing is an effective method for finding security bugs, but getting results is tricky because it needs expertise, machine power, and process changes to deploy. “Project Springfield” packages Microsoft’s best practices, combined with a decade of research into machine reasoning and “Whitebox fuzzing,” into a cloud service that makes it easy to rapidly deploy fuzzing across an organization. Come hear how Microsoft customers and internal teams have embraced the cloud to gain scale, speed, and unique technology for finding serious security bugs – and how you can do the same. Learn lessons from building and operating a fuzzing platform that aims to help everyone, everywhere, test their security-critical code. The talk will start with an overview of the Project Springfield cloud platform, including a demonstration of the web front end and an SDK for integration. The talk will then focus on a guided discussion of future directions for fuzzing - we want to hear from attendees what they need and what would work for them! Attendees will come away with a Project Springfield account to let them experiment with cloud fuzzing at home.

About BlueHat

Our sixteenth BlueHat Security Conference is set for November 3-4, 2016 at the Microsoft Conference Center here in Redmond. BlueHat is a unique opportunity for Microsoft engineers and the security community to come together to learn about the current threat landscape and challenge the thinking and actions we take in security. This past January saw 1,000 participants from around the world engage in this forum.

Phillip Misner,

Principal Security Group Manager, MSRC
