This week, I’m writing this column from a Las Vegas hotel room. I’m here to attend BlackHat 2011 and Defcon 19, the annual conferences to which hundreds of people flock each year to learn more about all things hackable. Both were originally founded in the 1990s by Jeff Moss.
Defcon has retained much of its original “leet hax0rs,” anything-goes atmosphere (although it’s now attended by plenty of law enforcement personnel and well-known security researchers along with the underground contingent).
BlackHat has morphed into a big business, attracting speakers from government agencies and major universities, charging premium rates for admission and holding additional conferences all over the world.
In years past, there was always a big focus at BlackHat on hacking Microsoft Windows. Presenters delighted in demonstrating the latest and greatest exploits that could bring the mighty Microsoft to its knees. Talk after talk, we’d hear about all the reasons Redmond’s progeny provided hackers, crackers, and attackers with low-hanging fruit so easy to pick that it was almost no challenge at all. But I’ve begun to notice a gradual but significant change.
This year’s schedule includes some of the same:
- Easy and Quick Vulnerability Hunting in Windows
- Windows Hooks of Death: Kernel Attacks through User-Mode Callbacks
- Microsoft Vista: NDA-less The Good, the Bad, and the Ugly
But it’s interesting to note that so many of this year’s presentations deal with other technologies:
- War Texting: Identifying and Interacting with Devices on the Telephone Network
- Killing the Myth of Cisco IOS Diversity: Towards Reliable, Large-Scale Exploitation of Cisco IOS
- Hacking Google Chrome OS
- Overcoming (Apple) iOS Data Protection to Re-enable iPhone Forensics
- Apple iOS Security Evaluation
- Hacking Androids for Profit
- Exploiting the iOS Kernel
This shift in focus brings up a couple of different possibilities. It could be that Microsoft is getting better at security, resulting in fewer serious vulnerabilities for researchers to find and discuss. Or it could be that nobody cares about the Microsoft vulnerabilities so much anymore, because they see Windows as irrelevant in the so-called “post PC world.”
Defenders of Microsoft’s honor have long argued that one big reason so many viruses and attacks are discovered for Windows — as opposed to Mac OS X or Linux — is that attackers naturally prefer to target the OS that has the greatest market share, so as to get more bang for their buck. It was a form of security through obscurity, rather than proof that the other operating systems were inherently more secure. The corollary to that is that if the other operating systems grew popular, they would become more attractive targets and attackers would start to exploit them more. Is that what’s happening now?
Maybe it’s a little bit of both. It would be hard for anyone to deny that the newer versions of Windows are more secure than their predecessors. According to Microsoft’s Security Intelligence Report for 2010, malware infection rates for Windows XP systems were four to five times greater than for Windows 7 machines. Windows Vista still had double the infection rate of Windows 7. It’s obvious that each version of Windows has gotten progressively more secure.
Microsoft has made a concerted effort over the past several years to address security concerns about their products. Their Trustworthy Computing Initiative was detailed in a whitepaper written by Craig Mundie in 2002 and laid out principles for making Windows computing more trustworthy based on the four pillars of security, privacy, reliability, and business integrity. The company has also made efforts to instill in developers the SD3 concept of a security development lifecycle that incorporates these mandates: Secure by Design, Secure by Default, and Secure in Deployment.
Both Vista and Windows 7 include a number of security technologies that earlier versions of Windows lack, including User Account Control (UAC), Address Space Layout Randomization (ASLR), full support for the NX (No Execute) feature of modern processors, mandatory integrity control to enforce application isolation, separation of system services, interactive logins, and more.
Despite earlier public criticisms of Windows’ lack of security, the efforts to make it more secure haven’t always been met with open arms by computer users. Many complained bitterly about the User Account Control (UAC) feature in Windows Vista and its “in your face” security. Likewise, many administrators were unhappy about the locked-down-by-default nature of Internet Explorer in Windows Server.
Because “more security” often goes hand-in-hand with “less convenience,” added security measures are sure to annoy those who don’t like the extra effort required to access the resources they want, and some just turn the security features off, defeating the whole purpose (and making Windows less secure). However, when used as intended, these features significantly increase the security of Windows systems.
Something else I noticed regarding the BlackHat schedule is that Microsoft is represented there, with presentations being given by Microsoft employees Mark Russinovich and Katie Moussouris. A perusal of the list of speakers doesn’t turn up anyone from Google or Apple. Of course, Apple tends to avoid tech events that aren’t devoted exclusively to their own products (for example, CES), but one might expect Google representatives to be there (there is a former Google employee on the list). Does this mean those companies are less serious about participating in the security community?
I think it’s encouraging that Microsoft is willing to send employees to speak in a venue such as BlackHat, in which many of the participants have traditionally been hostile to or at least skeptical of Microsoft’s products. While other technologies are becoming increasingly important in home and business computing and thus are now rightly coming under more scrutiny on the security front, the security issues of Microsoft, with its still-large market share, are far from irrelevant. They say actions speak more loudly than words, and both Microsoft’s words and actions over the past several years indicate that they are serious about getting security right. Whether or not they actually have accomplished that is another matter – one to be saved for another edition of this column.