Monthly Archives: May 2019

BlueHat Shanghai 2019: Amplifying the power of defensive partnerships around the world

Earlier this week, BlueHat Shanghai brought together security researchers and hundreds of cybersecurity professionals from China and across Asia to explore the latest topics in cybersecurity research. With presentations from Qihoo 360, Baidu, Alibaba and the Chinese Academy of Sciences, BlueHat Shanghai highlighted incredibly talented Chinese researchers and focused on cutting-edge topics including container and IoT security.

In the conference kickoff, Eric Doerr (General Manager, MSRC) shared how researchers in China have helped protect Microsoft customers over the last year by reporting high-impact vulnerabilities under Coordinated Vulnerability Disclosure. Many of these researchers qualified for bounty awards as well; Chinese researchers dominate the Microsoft Edge bounty program, and report a substantial portion of submissions made to the Windows Insider Preview bounty program.

Microsoft has long invested in security engineering and fortifying our products and services, while recognizing that partnerships with the worldwide research community play an important role in securing Microsoft customers and the broader ecosystem. Expanding our BlueHat events to China is just one example of how we’re working to build and strengthen these partnerships and recognize the contributions of our community members. We’re also continuing to improve our security response and management operations to make it easier and more rewarding to work with the MSRC. In addition to the recent launch of the MSRC submission portal and increased bounty awards, we’re pleased to give researchers more choices in how they receive their bounty awards with the addition of Bugcrowd to Microsoft’s bounty payment provider options.

Eric highlighted some of the emerging areas of technology, like AI, GitHub and Dynamics, that Microsoft customers are adopting quickly, and the need for researchers around the world to increase their focus on these and other emerging areas to continue to keep the world safe. As technology evolves, Microsoft’s security engineering practices keep pace to ensure our customers remain safe. And as we have done for two decades, we look forward to working with researchers around the world to tackle these new challenges.

Sylvie Liu & Jarek Stanley
Security Program Managers
Microsoft Security Response Center



BlueHat Shanghai brought together cybersecurity professionals from China and beyond!  

from MSRC

NY Investigates Exposure of 885 Million Mortgage Documents

New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records.

On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement.

First American says it has hired a third-party security firm to investigate, and that it shut down external access to the records.

The Times says few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company when they go to close the deal on buying or selling a new home.

“First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions,” wrote Stacy Cowley. “The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.”

News also emerged this week that First American is now the target of a class action lawsuit alleging the Fortune 500 mortgage industry giant “failed to implement even rudimentary security measures.”

from Krebs on Security