Microsoft
4 days ago
What’s new in the MSRC Report Abuse Portal and API
The Microsoft Security Response Center (MSRC) has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report Abuse Portal and API, which will significantly improve the way we handle and respond to abuse reports..
https://msrc.microsoft.com...
#microsoft
Microsoft
10 days ago
Toward greater transparency: Unveiling Cloud Service CVEs
Welcome to the second installment in our series on transparency at the Microsoft Security Response Center (MSRC). In this ongoing discussion, we discuss our commitment to provide comprehensive vulnerability information to our customers. At MSRC, our mission is to protect our customers, communities, and Microsoft, from current and emerging threats to security and privacy..
https://msrc.microsoft.com...
#microsoft
Microsoft
20 days ago
Mitigating SSRF Vulnerabilities Impacting Azure Machine Learning
Summary: On May 9, 2024, Microsoft successfully addressed multiple vulnerabilities within the Azure Machine Learning (AML) service, which were initially discovered by security research firms Wiz and Tenable. These vulnerabilities, which included Server-Side Request Forgeries (SSRF) and a path traversal vulnerability, posed potential risks for information exposure and service disruption via Denial-of-Service (DOS)..
https://msrc.microsoft.com...
#microsoft
Microsoft
1 month ago
Improved Guidance for Azure Network Service Tags
Summary: Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose..
https://msrc.microsoft.com...
#microsoft
Microsoft
18 yr. ago
Welcome to the BlueHat blog site!
BlueHat 3 just completed last week, and all I can say is WOW. Great speakers. Great presentations. Packed audience. You can read the session abstracts and speaker bios here to see what I’m talking about.
OH I should introduce myself. Where are my manners? I’m Kymberlee Price, a Security Program Manager at Microsoft..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
Bluehat v3 first thoughts
Hi, I’m Brad Sarsfield (bradsa); I’m the SQL guy here. One of the interesting things about me and my team is that I own the slammer component in SQL Server, so by that very nature quite a large part of my job description is to ensure, and I quote, that never ever happens again..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
BlueHat Blog quoted in press
The BlueHat blog has been up less than 24 hours, and it was quoted this morning in an article by Robert McMillan on InfoWorld. That article has already hit . Some of the comments are pretty funny…
I can’t wait for the speaker podcasts and channel9 video to go live so people can hear directly from the BlueHat speakers.
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
Podcasts are online!
Caleb Sima: Exploiting Web Applications
Halvar Flake: BinDiff Analysis
HD Moore: How not to deploy ASP.Net applications & Metasploit
Alexander Kornbrust: Database Viruses & Rootkits
Enjoy,
Brad Sarsfield.
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
Exploiting Web Applications
Over the next few days we’ll all be writing about the BlueHat sessions. Today I’m excited to have a chance to tell you more about the Exploiting Web Applications presentation made by Caleb Sima, CTO and co-founder of SPI Dynamics at BlueHat 3 on March 9th. Listen to a podcast interview with Caleb here..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
David Litchfield’s BlueHat talk
Brad Sarsfield here again. I’d like to share with you my thoughts on David Litchfield’s BlueHatv3 talk. David Litchfield is the Chief Research Scientist at Next Generation Security Software (NGS) and spoke to a 600 standing room only crowd at Bluehat 3 on March 9th. David took us through his thoughts on the current state of the database security world and talked about his current areas and focus of his research..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
Where can you learn more?
The BlueHat team has been getting a lot of questions from both inside and outside of Microsoft asking if we are going to publicly post video or audio recordings of the BlueHat presentations, or if we are going to hoard the BlueHatty goodness and keep the presentation details all to ourselves… A totally valid question since all of our BlueHat presentations from 2005 and 2006 are fantastic and things any developer or IT Pro could benefit from seeing..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
BlueHat Hackers?
BlueHat Hackers
There have been some misconceptions recently around both security researchers we bring in for Blue Hat, and security consulting companies that also help us make our products. I’ve even seen the phrase Blue hat hackers thrown around.
While it was terribly flattering and somewhat amusing to the BlueHat team to see the incredible talented consultants working with us to secure our products referred to as BlueHat Hackers, there really is no such thing..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
Channel 9 Bluehat video
You asked for it. You got it. In addition to inviting a number of community members this year we also had channel 9 come to BlueHat and they created a video for your viewing pleasure.
The 39 minute video contains interviews with the presenters talking about their presentations, background and research..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
18 yr. ago
BlueHat v.4 -- shipped!
Sarah Blankinship here. I’m in the Security Technology Unit (STU), a group responsible for product security at Microsoft. One of the STU’s charters is securing products we have and have not shipped yet.
So what is BlueHat? A hacker conference? A way to lure unsuspecting researchers to Microsoft?
The . comments and speculation about our real motivation for hosting hackers at Microsoft are ever entertaining, however BlueHat is about providing a consistent forum for presenting cutting-edge research, for understanding issues that affect both Microsoft and the entire industry, and a great way to inform and educate our developer population..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
BlueHat v5: The Paradox of Innovation
BlueHat is Microsoft’s own little hacker con. We host it twice a year – the sessions today were all about innovation in security research.
What did we learn? That Microsoft cannot solve the security problem, but we can raise the bar substantially to the point where finding bugs in Microsoft products is hard, and building reliable exploits even harder..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
BlueHat: An MSRC Perspective
Hello everyone,
This is Christopher Budd. As Andrew noted in his posting yesterday, on Thursday we had our Spring 2007 BlueHat Security Briefings. I had a chance to attend, along with several of my colleagues from the MSRC and Sarah was kind enough to let me do a guest post to share some thoughts on BlueHat from the standpoint of someone involved in security response..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
BlueHat: Community Outreach
Katie Moussouris here. I’m the newest Security Strategist here at Microsoft. I was brought in by Sarah Blankinship to contribute to the work of the MSRC Security Community Outreach Team. I work in the group that is responsible for securing current and future Microsoft products.
My background is application security, having come from Symantec by way of the @stake acquisition..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
Announcing: BlueHat v6!
Andrew Cushman here.
BlueHat is back in Redmond, as BlueHat v6: The Vuln Behind The Curtain opens September 27th and 28th. Once again we have two days of great security content that covers the spectrum of issues in security. The BlueHat speakers, both leading external security researchers and internal Microsoft engineers, will pierce the security veil of virtualization and process isolation..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
Pay no attention to that vuln behind the curtain
Adam Shostack here, guest blogging for the BlueHat blog.
As you may have seen from Andrew Cushman’s post, the theme of this BlueHat is “The Vuln Behind the Curtain.” I really like this theme, because it’s part of a maturing in the way we’re dealing with security issues. I’m not going to claim Microsoft is perfect, but we’re doing a pretty good job at pushing downwards the number of vulnerabilities and updates our customers need to deal with..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
Microsoft, Mobile, and Security
Ollie Whitehouse
Architect, Advanced Threat Research, Symantec Corporation
So if you had told me that one day I would be invited to Microsoft to talk about a subject I’ve now been involved in researching on and off for over six years and something I must say that has burned in my belly with passion for most of it, I would have said unlikely..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
BlueHat: Malware, Isolation and Security Boundaries: It’s Harder than it Looks
Mark Russinovich here from BlueHat.
This is the first time that Microsoft has used internal speakers at its BlueHat security conference and I’m excited to be one of them. When I was approached with the invitation to present a session, I immediately thought of all the fun topics I’d like to talk about..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
Vista and Vigilance
Halvar Flake, Sabre Security
I have been told that I can write a blog entry for the BlueHat blog, with little or no editing, and now I sit here and have to make up something interesting to write about. I have a bit of a writer’s block today, caused by being tired, jetlagged, and already halfways on my way to the airport for my flight back..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
The new security disclosure landscape
Rain Forest Puppy rfpwiretrip.net
Security disclosure has always been a contested topic, pitting those that find the bugs against those that are responsible for the bugs. In the days before security disclosure became a formal topic, those people who gave credence to some sort of moral compass often sought to follow a gentleman’s code that typically involved an earnest attempt to disclose the problem to the vendor and give the vendor a chance to fix it..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
BlueHat, Day 2: Morning of Mobile, Afternoon of Cool Tools
Hello world! Katie Moussouris here at BlueHat. Yesterday’s talks certainly set the bar high. We saw topics range from Mark Russinovich’s clarification of security boundaries to Halvar Flake’s automated malware classification to Roberto Preatoni’s discussion of his exploit marketplace project, better known as WabiSabiLabi.
I spent the day recording audio podcasts with each of our BlueHat speakers, getting a brief inside look at each fascinating topic (look for these in the near future on the technet website)..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
17 yr. ago
Podcasts and Peppermints
BlueHat v6 has wrapped and all the researchers have gone home, or have they?
Around here, the buzz sparked by our guests and in-house BlueHat speakers is very much still humming. The side-meetings between researchers and Microsoft teams that I first blogged about during my first month here are continuing to be a huge benefit..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
16 yr. ago
Going big and going home, or Your r00ts are showing.
Welcome back to the BlueHat blog! Tuesday afternoon, as the taxi carrying Bruce Dang, Dave Dittrich, and I hurtled hurly-burly from Logan airport, I could almost hear my own “welcome back” to my home town of Boston. This was a homecoming heralded by screeching taxi brakes as we popped the most awesome (though surely less than legal) U-turn on Mem Drive into the driveway of the conference hotel hosting SOURCE Boston..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
16 yr. ago
Saddle up for Web App Security, or XSSive Force
Bryan Sullivan here, making a guest appearance here away from my usual home on the SDL blog.
It’s great to see BlueHat showing some love to the Web app sec community. I’m thrilled that BH is expanding on its tradition of inviting some of the best and brightest Web app sec minds by dedicating the entire morning to layer 7 issues..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
16 yr. ago
Processing Power to the People
Hey everyone, h1kari here. Katie invited me to do a guest post on the BlueHat blog and so I thought I’d rant a little bit on some ideas I’ve had with how crypto best-practices relate to other areas of security that may hit closer to home for you guys. My current interests are in finding areas of computing that would be a lot more useful if they could only be run faster, so I’d like to hear from you about your experiences and what takes up all the idle time on your processors..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
16 yr. ago
Effective Software Security: Making the most of tools
Hello! My name is Vinnie Liu. I am a BlueHat speaker, and the Managing Director at Stach & Liu, a security consulting firm whose primary practice area includes helping organizations establish effective application security programs. A key component of every application security program is the use of tools and experts. In this post, we discuss the relative strengths and weaknesses between tools and experts, and by doing so, we also learn how these software security resources are best applied in an organization looking to become more proactive with their secure software development lifecycle..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat
Microsoft
16 yr. ago
Announcing: BlueHat v7!
Hey, Andrew Cushman here.
BlueHat v7 (May 1st and 2nd) has another great lineup of leading external security researchers and internal Microsoft engineers. This spring’s event is titled “Up High, Down Low, Too Pwned” and has two themes: web application insecurity and architectural security challenges. We kick it off Thursday with the exec day, then follow that on Friday with the general sessions for engineering, support and sales teams..
https://msrc.microsoft.com...
#microsoft #microsoft_bluehat