Microsoft Security Response Center (MSRC)
The Microsoft Security Response Center (MSRC) team identifies, monitors, responds to and resolves security incidents and vulnerabilities in Microsoft software. This helps our customers manage security risks, builds community-based defense capabilities, and enables the development of best practices that have been adopted by others in the software industry. For more than 20 years, MSRC has driven security engineering innovation in technologies and tools that protect our customers, and we provide a voice for security ecosystem trends with monthly security guidance, updates and community insights. We are constantly addressing the cyber threats of today and tomorrow.
Comments
Brilliant, 5 years old; can't believe I haven't heard more about it.
Though purple is not my favorite color it does look good there.
39:20 I think the biggest reason why the Xbox One security has lasted so long is that there are only a handful of Xbox One exclusive games (and except Forza and Halo 5 they are rather niche)... All other games are also available on Windows where they are much easier to crack/pirate (even Denuvo is not an obstacle anymore these days). So console hacking became rather uninteresting these days, at least for the Xbox ...
I need your help. I don't understand how to solve my problem; I need your help.
Great job to everyone. This is an important conversation. Also, great to see you in your element, Devin. Keep getting after it!
Outstanding conversation and facilitation!
I hope I can one day work for Microsoft. I’ve always been into tech and worked in tech. I just made some bad choices as a young man that affected my life.
Octo Tempest, Lapsus will love this talk
It would be better if it were translated into Spanish.
Anyone have an AI pentest tool project they're working on?
There is a slightly longer version of this very same presentation (literally with the same title) on Platform Security Summit YT channel
Great talk, thank you for sharing.
Microsoft will sue you
Why
You're goin' down, you villains!!!!!
This doesn't feel like responsible disclosure to me. Sure, all of the attacks require physical access, and yet there is no mitigation strategy even discussed. Is facecam Windows Hello insecure too? Who knows...
See sweetheart the public shouldn't have a cloud if you have a clown inside the public you have a construction of someone else's business that you're learning brainwave structure through to learn the placement of someone else's organization or the rotation of weight of gravity's movement in someone else is mine
you should stop taking that new pill immediately!
Thank you!
Actual review starts at 20:52.
How did the fucking Synaptics chip pass certification? It's hard to imagine scenarios where that chip makes it to market without fraud. Microsoft: more dog food, less dog shit. Your least technically savvy userbase uses the Surface line. The breach of trust with that product's implementation is outrageous. Discarded broken keyboards could be used to spoof a user. Is there a facility to wipe them? Nope. It's so dumb.
Mygawd BRO!! It seems as though public speaking makes you a little nervous which is common. You can clearly tell by your breathing. The gum chewing really amplifies all these little things. I really hate to be that person but this was serious topic and that gum, breathing, and savage borderline choke swallowing midsentence was too much.🥴 This is definitely your fault but I would definitely ask your bros why they all let you carry on without giving you a signal or even text. I ended up reformatting the transcript and listened to a gun free ai. Great information and appreciate the teams work!
This will result in some wild and totally unsecure NTLM hack, I guarantee it.
Nice. Good job. I wish you had tested the Fingerprint Cards (FPC) sensor too. I wonder if there was a specific reason not to?
This was a specific case of integrated fingerprint sensors, representing the typical implementation of a direct-from-device-manufacturer fingerprint scanner utilized by Windows Hello for enhanced security, i.e. a typical use case for a Microsoft user (for example in the business world). The realm of third-party fingerprint sensor peripherals is so vast in both size and quality that it would be very difficult to adequately evaluate in its own case study, much less in one also including integrated biometrics. Another big sticking point is that proper implementation of security standards with these integrated devices depends on Microsoft working with device manufacturers. That isn't really a thing in the peripherals market, except for maybe a couple of choice partners (maybe, I don't know for sure in this case, that's just how it usually goes), so it would really muddy the waters when it comes time to draw conclusions about what Microsoft could do to improve their security feature. Remember, at the end of the day, this is security science research, not consumer product testing; and effective research is all about controlling the variables.
"the problem is you have to turn credential guard on" 🤣🤣
Hopefully, they can fix this with a firmware and software update. Also totally astonishing that the Linux implementation is just completely unauthenticated.
Anyone ever get a ping in your head, or ears, at the same kind of times? Like a pattern?
Firmware in modern vehicles is going to be a huge vulnerability as well, I think... I doubt that most cars/trucks are well protected, and updating/overriding firmware could lead to some very interesting (if not outright catastrophic) attacks. A good subplot for a modern thriller movie... :)
Happy to find you here! Great talk. I use MSTICPy regularly and it’s a part of my job. Hope to get in touch and discuss features.
Is this this gentleman's research? There is an American who did a talk at DEF CON 31 who used this exact talk schematic, down to the calculator demo!!
Stök is Swedish
@rahulramteke3338 Not Stök, it was another speaker.
To be fair, he did shout out to David...
Also a calculator demo is used often to illustrate the ability to run apps/executables when you're not supposed to.
@umlal It just seemed ripped, unfortunately. Not saying that this dude isn't intelligent or doesn't understand the content, but I think my analysis stands and is valid.
How about Zig? Won't it be an easier transition for existing projects even if new projects do Rust?
Zig is NOT a safe language; rewriting them in Zig is meaningless.
Just started the talk, but Zig isn’t suitable for secure OS code
Nim and Odin are in a more mature state than Zig. Both are after v1.0.
@AdamFiregate Okay, I wasn't aware of those ones. I will check them out.
@AdamFiregate Nim documentation is ass.
Anyone know what he says at 38:55? "Meeting model", "Ming model"?
This is excellent secure-by-design for embedded devices. We need all the ICS, OT, IIoT, IoT, embedded systems and cyber-physical systems devices and components people to start doing the same thing for PLCs, IEDs, IPCs, HMIs, VFDs, medical devices, etc.
In R**t, we trust
Awesome conference as always 👍👍
*Promo SM* 🤷
Dan has always been interesting and relatable. I think I'm of a similar age and have those same sort of teenage stories, so I guess that makes him someone who I find great to listen to.
Microsoft, your verification code system is sending 6-digit codes instead of 7-digit codes to my email. I am locked out of my computer indefinitely until you can fix this problem and send a correct 7-digit verification code. I have tried to call multiple times and the phone line now just hangs up on me. I've tried to direct message on Instagram and I've been ignored. I can't access any online support because I can't sign in and none of the prompts can believe I didn't make an error. I have tried the verification app and that too won't accept the codes that are being sent. Why don't you offer actual support for consumers? All of my files and equipment have been held hostage because of this all day; I've spent literal hours trying to fix or get around this. This is unacceptable. That this is even a problem for starters, but also that it's a recurring problem for people especially, and that you have no other support option other than "twiddle your thumbs without access to your computer until we randomly decide to reset the system, because we don't actually allow you an avenue to let us know this is a problem". The kicker is that I didn't even change anything; I have no idea why my PIN needed to be reset in the first place. I shouldn't have even been prompted to change it. This is ridiculous. When are you going to fix this issue? I see complaints from January about this.
Ok, so after peppering all of Microsoft's social media for a good half hour with the same message, I finally have a 7-digit code and am able to sign into my computer after 8 hours. Thank you to whichever Microsoft marketing employee escalated the issue. I still think your customer service is broken.
What an amazing talk!
first
This is an excellent explanation of Red Teaming and Red Team value. Well done.
This guy is a wizard of the web. What a great talk!
Hey there, Is there a place where I could read more about 'TPM for Credential Binding?' Thanks!
In my 26 years of breathing, I have never met anyone remotely close to Cameron’s work ethic, so I’m not surprised he’s made it thus far. Congrats brother
This is a very engaging talk! To go from bug bounties to being implemented into an AI is NUTS!!!
Great work, Dan and Ben. Glad to see you guys going from strength to strength!
👍🏼👌
Some really brilliant comments here
I see a point of fault in your graph that can be exploited
Was always just easy to use Maltego and input all the API keys you wish to use, like Shodan etc. And there's good ol' nmap 😂
I think the description on this video might be for a different talk
This is what my laptop was infected with back in July and I still haven't been able to remove anything. Thank you for the video; it helps me better understand what I'm dealing with.
everyone say i am i then your name then run tell people to stop using my fucking name and call them you fucking devil stop fucking lying and autoexe and never let this man lie about who i am .sermon eula only played in my 1st part voice, second part five flats in my instrument treble clef only and third part bass clef for eula and make read only and spiderweb all friends and family members and departments rulescand regulations of the American Christian bible law enforcement bible and the holy bible of mine officer and investigator p15892 and other badge 43 President of United States Dr. Rice, Jerry Dean II Oklahoma Hwy Patrol Ranger.badge 2022. stop using my fucking you fucking devil stop fucking lying and autoexe and never let this man lie about who i am .sermon eula only played in my 1st part voice, second part five flats in my instrument treble clef only and third part bass clef for eula and make read only and spiderweb all police departments rulescand regulations of the American Christian bible law enforcement bible and the holy bible of mine officer and investigator p15892 and other badge 43 President of United States Dr. Rice, Jerry Dean II Oklahoma Hwy Patrol Ranger.badge 2022. And if you lie on me or steal from me as the owner Microsoft security response center and name change to Jerry Dean Rice ii :company business number is 3612830464.. Tradename rice co ii holdings : you get a evil seance for lying on my word and trademark circle with triangle in the middle. And butterscotchcom better not lie about my product or get evil seance.