Hack.lu: Why it’s all about building bridges


Maarten Van Horenbeeck

Senior Program Manager

Slicing covert channels, foraging in remote memory pools, and setting off page faults

The crackling sound of crypto breaking, warm vodka martini

“We want to remain what we are” (“Mir wëlle bleiwe wat mir sinn”) is the national motto of the Grand Duchy of Luxembourg. It expresses a strong pride in identity, something that is also reflected in its approach to information security. A small nation in the center of Europe, Luxembourg is the home of an innovative, well respected security conference, Hack.lu. I was in the area last week and was fortunate enough to attend.

Hack.lu is organized by the Computer Incident Response Centre Luxembourg (CIRCL), the country’s national CERT. What makes Hack.lu special is its unique combination of free workshops and conference presentations. Where other conferences often provide day-long training sessions, Hack.lu chooses a different model by filling its first few days with short, incredibly potent workshops. For example, Didier Stevens, a well respected researcher, taught attendees how to analyze malicious PDF documents; Philippe Langlois discussed how to assess SS7, a set of ubiquitous PSTN signaling protocols; and Saumil Shah showed us the value of return-oriented programming in breaking buffer overflow mitigations.

After the obligatory beer tasting workshop, attendees also had an opportunity to attend a good number of presentations. European security conferences tend to be places where a lot of attention is given to design-level vulnerabilities, as opposed to relatively easy-to-understand coding errors, and Hack.lu very much follows this trend. From a Microsoft point of view, I learned the most from Tom Keetch and Emmanuel Bouillon, who each covered a different design issue in our products. Both of them had contacted us before the conference to let us know what they had found, and it was very interesting to catch up with them in person at the conference and learn more about their research.

On Friday afternoon, there were plenty of good laughs with Chris Nickerson of “Tiger Team” fame, who told the gathered attendees interesting and amusing stories about social engineering and the use of body language. I, for one, learned many new and fascinating meeting techniques, which my colleagues will get to enjoy very soon now.

Overall, this conference is a great example of the valuable contributions the computer hardware/software emergency response community brings to the table.

An update on me — three months ago I began leading the information sharing group on Microsoft’s EcoStrat team. Our group works on building relationships and sharing information with third-party security providers, national governments, and the global incident response community. Our team’s goal is to help choose partners who will protect our mutual customers, and to help them build protections against vulnerabilities in our products.

To this effect, the EcoStrat team runs a number of different programs, which you’ll learn more about on this blog over the course of the next few months:

· The Microsoft Active Protections Program (MAPP) shares vulnerability information with providers of security software so they can release detection signatures and protections simultaneously with our monthly security bulletin releases. MAPP also helps us bring together partners in the industry on specific projects, and gives them a direct path for reporting vulnerabilities they identify to our engineering teams.

· The Defensive Information Sharing Program (DISP) is a pilot program that, under strong restrictions, shares vulnerability information (including limited source code snippets) with specific government agencies for the purpose of protecting critical national infrastructure against attack.

· The Exploitability Index (EI) shares our internal assessment of the exploitability of a security vulnerability with our customers. This helps them prioritize which security updates should be installed first in order to better allocate their own security resources.

· In addition, we work with the global community of public-sector CERT and CSIRT teams through the Security Cooperation Program. This program gives defenders the tools and information they need to successfully identify and stop exploitation of security vulnerabilities in the wild. Quite often, Microsoft has a difficult time reaching and defusing malware and exploit servers in distant lands, but our local CERT partners are powerful allies for spreading information and taking action at the local level.

If you’re interested in more detail about these programs, I recommend reading our MSRC 2010 Progress Report published last July. It contains some hard numbers on the success of these projects, and the feedback we’re getting from various partners is also very encouraging.

Conferences such as Hack.lu are great opportunities for us to meet others in the industry, build bridges between islands of competence, and deal with some of the more difficult information security issues together. Most of the joy in this role isn’t so much about Microsoft being in touch with a researcher, or building a new collaboration, but more about bringing that researcher together with another researcher or existing partner, and then marveling at the nifty ideas both wizards concoct.

Often heavily funded, cybercrime is not easily deterred by a single player. We recognize that Microsoft will be less successful fighting the problem alone, in isolation. Given this, we are eager to partner with others to help put an end to cybercrime together!


Maarten Van Horenbeeck
senior security program manager