Microsoft recently posted a great story discussing on how Microsoft started SDL(Security Development Lifecycle) in the Windows XP era and how it was adopted by software industry. After Windows XP was affected by various worm and virus attacks, Microsoft even stopped the development of Windows and focused on improving the security of the OS. Thus, in February 2002 the entire Windows division shut down and diverted all of its developers to security. Everyone was given training to outline expectations and priorities — threat modeling, code reviews, available tools, penetration testing — all designed to modify the default behavior of the system to make it more secure. Their room at the Microsoft Briefing Center was filled to its 950-person capacity twice a day for five days as Lipner and his team worked their way through. Bill Gates’ trustworthy computing memo was the turning point in Microsoft’s history to focus on software security. ...

Read More →

  At Microsoft’s Federal Executive Forum, an annual event where people from around the federal government gather together to discuss how technology can be used to improve their workflow and others. As we are seeing in the other industries, Cloud computing is a hot topic among Federal agencies too. The popular public cloud services from Amazon, Salesforce, etc, does not suit their needs. As agencies explore moves to the cloud, many may have solutions already in place, and they need a partner who can help them leverage those, lower security risks and reduce training and implementation costs. In some cases, agencies may often be looking at some new combination of private cloud or even public or dedicated community cloud for government. Our hybrid cloud gives complex government environments the flexibility of working with us on their terms and within their architecture choice. Instead of coming to the table with predisposed ideas of what is best ...

Read More →

Microsoft announced the new security bounty programs last year and it have now paid out over $253,000 over to various security experts around the world. In October last year, Microsoft announced their first ever $100,000 bounty for James Forshaw for finding a new class of attack technique on Microsoft’s products. Recently, Microsoft awarded another $100,000 bounty for Yu Yang (@tombkeeper) from NSFOCUS Security Labs. The following researchers have submitted a qualifying vulnerability or new mitigation bypass techniques to Microsoft as part of the Microsoft Security Response Center (MSRC) Bounty Programs. We thank them greatly for their participation and for working with us to help keep customers safe. Yu Yang (@tombkeeper), NSFOCUS Security Labs Mitigation Bypass variants – $100,000 Yu Yang tweeted the following, @k8em0 In order to express my thanks for your congratulation, maybe I should submit more. — Yang Yu (@tombkeeper) February 15, 2014 Source: Microsoft via: Neowin ...

Read More →

We have seen many different fields in which Microsoft’s revolutionary Kinect was being used, this one is quite different. Microsoft’s Kinect is now being used in Korean border by the military to monitor the demilitarized zone. If there was any human intrusion, Kinect will automatically notify the army men about it. Even though the current implementation uses first gen Kinect, they are now planning to upgrade to Xbox One Kinect which will able to detect heart rates and heat maps for more accurate tracking. Self-taught South Korean programmer Jae Kwan Ko developed a Kinect-based software system to monitor the DMZ (Demilitarized Zone), which separates the two countries. It was deployed at the border last August, but its existence wasn’t made public until recently. According to news site Hankooki (via tipster Sang), the Kinect-based system identifies objects crossing the DMZ. It can discern the difference between animals and humans. If the ...

Read More →

According to the latest report from NSS Labs, Microsoft’s Internet Explorer emerged as the safest web browser against social engineering attacks. Your browser is your first line of defense against social engineering attacks such as phishing and socially engineered malware. It is always recommended to use a safest browser like latest version of Internet Explorer. Here are the NSS Labs findings: The browser is the first line of defense against multiple web-based threats; however, with a maximum historical protection rate of just 80 percent, the browser should not be the only line of defense. Products that do not provide the bulk of their protection in the earliest hours of an attack are not meeting the security requirements of today threatscape. Microsoft Internet Explorer continues to provide the best combination of malware and phishing protection. The application reputation technologies used by browsers from both Microsoft and Google provide a significantly safer ...

Read More →

Microsoft has released a tool called EMET which is a free tool available for Windows 8, Windows 7, Windows Vista, and Windows XP. The Enhanced Mitigation Experience Toolkit (EMET) is a utility designed to help users block hackers from gaining access to their systems through common attacks. EMET enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps protect your computer from new or undiscovered threats until they can be addressed through formal security updates. Once installed, EMET works quietly in the background without interrupting your computer use. Like any security tool, EMET doesn’t guarantee that you’ll never have any problems, but it does make it much harder for an attacker to succeed. You can download EMET here. ...

Read More →

Microsoft announced the new security bounty programs few months back and it have now paid out over $128,000 over to various security experts around the world. Yesterday, Microsoft announced their first ever $100,000 bounty for James Forshaw for finding a new class of attack technique on Microsoft’s products. Read more on it below. Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps. Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission ...

Read More →

At  Blackhat 2013 conference, Microsoft discussed about improved security capabilities in Windows 8.1. Windows 8.1 now features the ability to enable devices to be fully locked down by IT, remote security options for BYOD devices and more. Group Program Manager for Windows Security & Identity summarized the whole thing as below. #1 Trustworthy Hardware Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork. The Trusted Platform Module: TPM is a hardware security device or chip that provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. It’s a great tool for the enterprise, ...

Read More →

Microsoft Security Research & Defense blog today revealed about the new Xbox Live Avatar awards for security experts. These custom Xbox Live avatar items will be awarded to anyone who completes any track of the BlueHat Challenge. You can win all three avatar items “hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat. The challenges are all about fun and trying new things. To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at bhchall@microsoft.com. In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). Signing up for any of the three tracks will also include instructions on participating in all tracks so you can send just one email to get started. The Challenge is designed to appeal to a wide range of people, so if the first ...

Read More →

NSS Labs, a independent security research and testing organization has released its 2013 Browser Security Comparative Analysis.  The analysis shows that IE10 blocks more socially-engineered malware than any other browser.  Technologies built into IE10 such as SmartScreen and Application Reputation are partially responsible for IE10′s effectiveness against malware.  Independent research now shows that IE10 black 99% of malware and has fewer vulnerabilities than any other browser on Windows. IE10 uses multiple levels of protection to deliver the most secure browser to users: Protection from socially-engineered attacks By imitating or compromising trusted web sites, malware authors try to trick users into sharing personal information or downloading and executing malicious software.  To help protect users from these socially-engineered attacks, Microsoft uses a combination of URL filtering and application reputation.  SmartScreen URL filtering and Application Reputation provide the best protection available against malware attacks. Protection from attacks on web sites Even “good” web ...

Read More →

Microsoft is offering what it calls a ‘Bounty Program’ to finding exploits and vulnerabilities for Windows 8.1.  Google has had a similar program for its Chrome web browser for quite some time now, though not offering as much money.  This programs is a win-win for Microsoft and consumers, as exploits do not get out into the wild and Microsoft has a more secure OS and browser. Microsoft is now offering direct cash payments in exchange for reporting certain types of vulnerabilities and exploitation techniques. In 2002, we pioneered the Trustworthy Computing initiative to emphasize our commitment to doing what we believe best helps improve our customers’ computing experience. In the years since, we introduced the Security Development Lifecycle (SDL) process to build more secure technologies. We also championed Coordinated Vulnerability Disclosure (CVD), formed industry collaboration programs such as MAPP and MSVR, and created the BlueHat Prize to encourage research into ...

Read More →

The Zues botnet, which controlled around 3.6 million PCs in the US and many more around the world, is taking a bit longer than Microsoft thought to clean up. Microsoft sized control of the botnet in earlier this year by attacking its Command and Control servers in Pennsylvania and Illinois. The botnet was being used primarily to steal banking details of infected users so their accounts could be emptied, and was also sending Facebook spam. Now Microsoft has won a court order on the 28th November to allow the company and its financial-services partners to continue to administer command-and-control servers for two Zeus botnets. "This additional time will allow Microsoft to continue to work with Internet service providers and Computer Emergency Response Teams (CERTs) to clean those computers that are still infected with the malware," Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit said. Besides the Zues botnet, over ...

Read More →

Microsoft Security Essentials, the free virus and malware protection software from Microsoft failed to pass the recent AV-TEST. In Windows 8, Microsoft has replaced the Security Essentials with Windows Defender which will be turned on by default for all the users. According to recent AV-Test,  the effectiveness of Security Essentials in finding zero-day malware attacks, viruses, worms, and Trojan horses dropped from 69% to 64%, compared to industry average of 89%. It also had a 90% detection rate for malware and it is also below the 97% for the industry average. In order to get “AV-Test Certified”, protection suite should pass 11 out of 18 available tests and in the Sep-Oct study Security Essentials failed to pass it. I hope Microsoft improves its security situation soon. via: Infoweek ...

Read More →

With a billion users security has been a top priority for Microsoft for some time now, as evidenced by Kaspersky’s Top 10 list of products with security vulnerabilities, which do not contain a single Microsoft product. In fact topping the list is Adobe’s Flash, which is rather worrying for an Internet facing application. Similarly Oracle’s Java also presents a significant risk to PCs, as the wave of cross-platform exploits this summer has shown. Next on the list is Apple, with another Internet facing application, Quicktime, which also presents a risk to Windows PCs. With the Windows OS layer now very well protected, it seems Windows users can protect themselves rather well by uninstalling apps like Flash, Java and Quicktime, a strategy which Microsoft itself promotes in the Metro side of Windows 8. See Kaspersky’s report “IT Threat Evolution Q3 2012” here. Via Hothardware.com ...

Read More →