An update from FIRST and what we can learn from the Nijō Castle

Hi, Ziv Mador again. This week I’m attending the FIRST conference in Kyoto, Japan along with four of my Microsoft colleagues: Steve Adegbite, Andrew Cushman, Jonathan Ness and Dan Wolff.

Today Jonathan, Steve and I gave a presentation about Microsoft's response to the attacks which exploited a 0-day vulnerability back in the fall of 2008. Microsoft released a security update MS08-067 that fixed that vulnerability. Given the wormable nature of that vulnerability, we had strongly encouraged customers to install the security update, for example in the following blog post.  In the days, weeks and months following the bulletin release, malware exploiting MS08-067 has been launched, including the widely known Conficker worm. In our presentation we described the evolution of those exploits and the steps that Microsoft has taken to mitigate the threats.

FIRST is a worldwide organization of response teams and the annual FIRST conference is an international event. Nearly 400 researchers from 52 countries are attending the event this year. It is a great example of collaboration and information sharing in the security industry. Microsoft is a member and returning sponsor of FIRST. We participate in FIRST in order to share our experience and best practices and to encourage collaboration and community based defense to meet current and future challenges. Microsoft also participates in other forums. For example, it participates in the Conficker Working Group which helps mitigate the Conficker worm.

Kyoto includes many different historical sites as it used to be the Imperial capital of Japan for about a thousand years. One of these sites is the Nijō Castle.


The architects of this castle designed and created several defense systems. There are two rings of fortifications; each one of them uses a wall and a wide moat. That obviously made an attack on the castle more difficult. But another interesting security feature was used there:  the floors in the corridors were built in a way that they chirp like birds when people step on them. That’s why they are called uguisubari or nightingale floors. This feature helped the defenders of the castle immediately know when someone entered the castle, possibly with a malicious intent. It is probably one of the earliest security warning systems ever developed. This castle or the Red Fort in Agra which David described in an earlier blog post, represent some of the basic ideas in defense systems also for modern computers networks: in order to secure them there is a need for an effective warning system, multiple security defense layers, and plans for response and recovery. Conficker can be used as a good example here. The later variants of this worm, spread using multiple vectors: they exploit MS08-067 to infect other computers on the network but also spread through shares with weak passwords and through removable media and auto-run. That means that even if an organization fully deploys all the security updates as soon as they are released, they still haven’t mitigated the risk of infections. To minimize that risk, the organization must also ensure that shares use strong passwords, disable auto-run (or educate users to select only the legit options), use an up to date AV, enterprise firewall, IPS systems etc. That said, modern computer networks should be protected the same way as the Nijō castle: a multi-layered defense approach.

Keep safe,
Ziv Mador

Comments (0)

Skip to main content