[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Software Notebook: Hackers to get a good look at Vista


July 31, 2006

Microsoft engineers will detail new security approaches in Windows Vista 
at an important tech conference later this week. But when it comes to 
grabbing attention, it won't be easy for them to top another session at 
the conference.

Its title: "Subverting Vista Kernel For Fun And Profit."

No, this is not your ordinary industry confab. In a first for Microsoft, 
the company will present at the Black Hat Briefings -- an annual gathering 
in Las Vegas where hackers, researchers, government officials and 
corporate technology specialists unveil and analyze emerging computer 
security threats.

Microsoft's full day of sessions on Windows Vista reflects its effort to 
improve security in the upcoming operating system and cut down on the bugs 
that have made previous versions of its flagship program notoriously 
vulnerable to online attacks.

The company will be showing the audience some of the key changes it has 
made in Windows Vista security, and seeking feedback from researchers on 
where it could still improve, said Stephen Toulouse, security program 
manager with Microsoft's Security Response Center.

Toulouse called it an extension of Microsoft's ongoing interaction with 
security researchers. Among other things, the company has held a series of 
its own events with researchers.

"We want people to look at our assumptions and challenge them if they 
think they're wrong," he said.

"At the same time, we want to show them that we've listened to the 
feedback they've provided us over the past several years. That's really 
what the presentations focus on."

For conference organizers, one original appeal was the timeliness, with 
Windows Vista scheduled to come out in the fall, said Black Hat Briefings 
Director Jeff Moss, the Seattle-based security expert who founded the 
conference. Microsoft has since delayed Windows Vista's retail debut until 
early next year.

"It doesn't have quite the impact that it was going to have if it was 
right before the release," Moss said. "But I still think it's really 
important, because this is the next generation, and these are the people 
who helped design it."

The conference is expected to draw about 3,000 people. It doesn't promise 
to be an easy crowd for the company, but Moss said Microsoft's efforts to 
improve security in recent years have improved its standing.

"I think in the past they would have been more ridiculed, but they seem to 
be following through on their statements" about security, Moss said. "They 
made some pretty bold statements, but they've been backing it up with a 
lot of money and a lot of effort, a lot of energy."

Windows Vista is the first version of the PC operating system to be 
developed entirely under the "Trustworthy Computing" initiative that Bill 
Gates launched in early 2002, after a series of high-profile 
vulnerabilities in Microsoft programs.

The company says it has overhauled its process of developing software to 
emphasize security.

In addition, Windows Vista will come with a series of new technical 
approaches and designs to protect against malicious programs such as 
viruses and spyware, which can otherwise install and run on a computer 

"We want it to be the most secure version of Windows ever, and the 
security researchers are going to help us do that," Microsoft's Toulouse 

Microsoft cautions that it won't be possible to completely thwart online 
threats, given the complexity of software development and the changing 
tactics of attackers. And other experts say that the level of security in 
Vista won't be clear until it's released and widely used.

"You won't know until it's out there," said Bruce Schneier, chief 
technical officer at Counterpane Internet Security. "Is the code better 
quality? Will there be fewer vulnerabilities? Who knows? ...  They're 
doing this, they're doing that. Did they do it right? Who knows?"

Schneier described Black Hat as "a very hostile Microsoft audience."  But 
he said it's critical for Microsoft to take part in such events, to get 
feedback that can help secure its products.

"They have to engage the hacker community -- they can't ignore them,"  
Schneier said.

"I think they deserve a lot of credit for it, because it's hard."

Black Hat is commonly called a hacker convention, but that word often 
doesn't have the negative connotations in technology circles that it does 
in popular culture -- instead referring to someone who modifies a system 
or finds ways to infiltrate computer programs, but not necessarily with 
malicious intent.

The phrase "black hat" describes a criminal or malevolent hacker, but its 
use in the conference name refers to the subject of the sessions, not the 
attendees or speakers. "We're briefing on what the black hats are up to," 
Moss explained.

Many of the researchers who attend Black Hat practice what's known as 
responsible disclosure, giving companies such as Microsoft a chance to 
patch flaws before details of the problem are public.

The "Subverting Vista Kernel For Fun And Profit" session is about a 
technology called Blue Pill, developed by security researcher Joanna 
Rutkowska of Singapore-based security firm COSEINC.

Rutkowska says she has come up with a way to insert "undetectable"  
malicious code into the Vista kernel -- the place that controls the 
interaction between hardware and software -- by taking advantage of 
technology that essentially divides a computer system so it can run 
multiple operating systems.

Despite the title of the session, Rutkowska said in an e-mail that she 
won't be providing the level of detail that would let someone subvert the 
Vista kernel on their own, if they weren't already able to figure it out.

She said she hopes to spur the industry and processor vendors to try to 
mitigate the threat, and she noted that nothing about Windows Vista makes 
it more susceptible than other operating systems to a Blue Pill attack.

But past Black Hat Briefings haven't been without controversy. Last year, 
Cisco Systems went to court seeking an injunction after a researcher, over 
its objections, gave a presentation at Black Hat on a way to exploit a 
flaw in Cisco's router software.

At the same time, in the world of hacker conventions, Black Hat 
traditionally has more corporate involvement and a less renegade 
reputation than Def Con -- a gathering in Las Vegas immediately after 
Black Hat that accepts only cash for admission, to avoid having any 
records that could be subpoenaed.

Moss, who sold Black Hat to CMP Media last year, runs Def Con 
independently. Microsoft isn't scheduled to present at Def Con, although 
Toulouse said people from the company will attend.


Microsoft will be putting Windows Vista under the scrutiny of hackers, 
researchers and other computer security experts Thursday at the Black Hat 
Briefings in Las Vegas. Coming up this week in the Seattle P-I:

Wednesday: A detailed look at Microsoft's new security initiatives in 
Windows Vista, and its remaining challenges, on the eve of the company's 
Black Hat presentations.

Friday: From Las Vegas, coverage of Microsoft's Black Hat appearance.

SeattlePI.com: Follow the news from Black Hat starting Wednesday at Todd 
Bishop's Microsoft Blog.

Software Notebook is a Monday feature by P-I reporter Todd Bishop. He can 
be reached at 206-448-8221 or toddbishop [at] seattlepi.com

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.