Something to keep an eye on later this week: Microsoft’s BlueHat v6 blog.

Set to take place in Redmond this Thursday and Friday, BlueHat v6 will feature Microsoft brass meeting with outside security experts on topics like virtualization, process isolation, Windows Mobile and automated exploit creation.

Here are two goals of the conference as described by Andrew Cushman, Microsoft director of security outreach.

- “To expose senior product leaders and front-line engineers to the threats and attack tools and methodologies used in the real world. Take the security threat from the theoretical/intellectual level of, ‘I understand what a buffer overflow is,’ to ‘OMG that’s what it’s like.’ BlueHat connects with execs and engineers at a visceral level and *really* brings the message home…

- To expose security researchers (and the security community) to Microsoft engineers and business leaders… BlueHat gives us a chance to open up on our home turf and gives the researchers an opportunity to interact with all levels of the organization. They too get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security.”

Of course, it’s Microsoft’s conference and it’s closed - so don’t expect breaking news to appear on the BlueHat blog, but it’s still worth keeping tabs on.

News flash – Microsoft employs ethical hackers - researchers who test the company’s software for holes.

Well maybe that’s not news. But, somewhat surprisingly, Redmond has given its white hats a soapbox.

The hackers@microsoft blog kicked off Saturday with a short lesson on what hackers at the company do, and how they’ll be presenting information on the blog in the weeks and months to come. It’s worth a look.

Here’s a peek at what they had to say:

“Of course, there is controversy even in the word ‘hacker,’ but I don’t think that should stop us from using it in the manner I think is the most appropriate. At his or her core, a true hacker is someone who is curious and wants to learn how systems work. This can, and of course at Microsoft, is done in an ethical, legal manner. We employ ‘white hat hackers’ who spend their time pentesting and code reviewing applications and software looking for weaknesses and vulnerabilities so that others don’t once we’ve released that code into the wild. We employ many, many smart testers who know more about some of our software then perhaps the architects who designed it. We also employ some of the top researchers in their industry, dedicated people working on the bleeding edge of what’s going to be common place in the next five or 10 years of computing. So yes, Microsoft does have hackers, and its time to introduce you to some of them and show you what it is exactly that they do.”

- techjunkie, hackers@microsoft, Aug. 25, “welcome to a different kind of blog from microsoft”

This isn’t a week-in-review post, or a pre-holiday recap. But here are viewpoints from two IT security blogs on some pre-Memorial Day stories covered this week.

New Office 2000 ActiveX flaw
McAfee on Thursday downplayed the flaw, disclosed as part of the Month of ActiveX Bugs project, on the Avert Labs blog. Researcher Allysa Myers pointed out that “if you’re practicing good computer hygiene, you’ll be just fine.”

“The PoC code itself is harmless, as intended, but will lower macro security settings in Word 2000. However, if you’ve been regularly applying your Office patches, you don’t have to worry about the exploit,” she said. “This vulnerability was patches seven years ago this month, so you’d have to be a pathological procrastinator to have missed the update. This fix is also included in Office 2000 (Service Pack 3).”

nCircle acquires Cambia Security
Almost a depressing send off to Cambia here from Mark Wood, who was the company’s VP of product management and marketing, before it was acquired this week by nCircle. He’s stressing opportunity over sentimentality in this post.

“For the past two years, I’ve worked hard with a team of incredibly talented people here in Atlanta to bring an agent-less configuration compliance solution to market and to make it as effective and as well-known as possible. That journey ended this morning when the Cambia website vanished for the last time and was replaced by the redirects to the nCircle site. I sat alone in a silent office at 8 am as I watched the Cambia home page go dark,” he said. “Now, I don’t want you to think I’m unhappy with this acquisition. It’s terrific. It was just harder to watch the Cambia stuff go away than I expected. Transitions like this often are, I suppose.”

Here’s one blog post worth revisiting.

On Monday, Rahul Kashyap took TippingPoint’s ZeroDay Initiative to task for paying researcher Dino Dai Zovi $10,000 for a flaw he disclosed at CanSecWest.

That incident reached its zenith when Gartner analysts made their feelings clear on hacking contests and vendor association with them.

What’s more interesting than the post is the discussion it set off between Kashyap and Terri from TippingPoint – two opposing sides of the debate on vulnerability disclosure ethics. And don’t overlook Thomas Ptacek’s challenge to McAfee to link to its own code of conduct.

It’s also worth clarifying that the nCircle commentary - the one slamming ZDI - quoted in the post is from August 2005. In relation to the flaw purchased at CanSecWest, nCircle has been supportive of TippingPoint’s efforts.

Now, why would Microsoft need my credit card information when I paid for my PC with my debit card? No, wait, why would they need it at all?

The bad guys are hoping users at home don’t think that when they see this new malware, pointed out by the Security Response researchers at Symantec today.

The social engineering techniques it uses are same old, same old. But what immediately catches the eye is the pains attackers tool to make it look like an actual Microsoft message.

It asks end users to punch in their credit card and personal information to assure the company of their purchase. And this ogre won’t let you past without the info.

The key is to be a little tricky. The trojan wants personal information, but it’ll settle for any personal information – so just make something up.

It seems like every week there’s a new IT security blog. We at SC Magazine know all about this, since last week it was us.

But Microsoft’s new Security Development Lifecycle team blog is especially noteworthy. Michael Howard, senior security program manager in the Security Engineering Group, kicked off this week by explaining what the company has learned from the ANI cursor vulnerability.

Howard, who’s been penning his own blog for a few years now, gives a better explanation of the situation in Redmond than I can, so please check it out for yourself.

It’s no secret that Microsoft is everyone’s favorite punching bag, whether the software empire deserves it or not. But give them credit for adding another layer of disclosure with this blog.

It’s not unusual for an IT security story to have twists and turns. With the ever-changing technology on both sides of the good guy/bad guy divide, that’s inevitable.

The story of the CanSecWest “hack-a-Mac” contest is a good example. It started as two researchers exploiting a MacBook Pro vulnerability to win a contest at a Vancouver conference.

It became an assumed flaw in Apple’s Safari web browser.

After some information from TippingPoint, which sponsored the contests, it was clarified to be a flaw in QuickTime that affects all Java-based browsers, which evolved later in the week into a flaw affecting Internet Explorer on Windows operating systems, including Vista.

But today’s big question was, “Did the exploit become public through the wireless network at CanSecWest?” The answer now looks like, “probably not.”

Thomas Ptacek at Matasano Security’s blog followed the reports, closing with an ominous hunch that the vulnerability could turn into something big and a conclusion that blogs may not be the best place for exploit disclosure.

The Roundup came across a thoughtful take on the QuickTime flaw revealed at CanSecWest last week, now found to affect numerous web browsers.

Information Security Sell Out brought up a lightning rod topic this week: vulnerability management ethics.

The Sell Out questions whether a firm, in this case TippingPoint, is engaging in bad business by allegedly using the discovery of a flaw as a marketing opportunity. Did TippingPoint put Mac users at risk by offering $10,000 for discovery of a Mac flaw, thus practically ensuring one would be disclosed? And what if TippingPoint mishandles the newly purchased vulnerability?

Scroll down to the discussion section; a back-and-forth ensues.

Vancouver, British Columbia is a bit off the beaten path for many IT security vendors, but for Mac aficionados, it might’ve been worth the trip to CanSecWest.

To make a long story short, the show offered two MacBook Pros to researchers who could use a fresh zero-day flaw to hack into the Apple laptop.

Researcher Shane Macaulay did, with a little legal help from Dino Dai Zovi, and the team took home both a $10,000 prize provided by TippingPoint and a MacBook.

But what appeared to be the winning vulnerability in Safari is actually much more. The QuickTime flaw actually exists in any Java-enabled browser, meaning Firefox users on Macs are vulnerable, and Firefox users on Windows are most likely vulnerable, as long as QuickTime is installed.

The Matasano Chargen blog has an interesting take on the developing story, if for no other reason because Dai Zovi, like Mozilla security bigwig Window Snyder, is a Matasano emeritus.

Technology news is sort of like food; if you leave it out too long, it’s only a matter of time until it goes bad.

If breaking news isn’t covered within a few days, it’s going to be passed over for the next juicy steak of a story to come along. And with ever-changing technology, and bad guys who never seem to sleep, nowhere in the media is this as clear as than with tech news.

So with that in mind, here are a few blog items to much on over the weekend.

As if they don’t have enough to worry about…
When doing business overseas, a road warrior is likely to check his or her bank account information via the web instead of running up an expensive phone bill or strolling the streets of Tokyo or London looking for a Chase Bank ATM.

So imagine being stationed in a foreign country for months on end, with few urban centers nearby to check account balances.

That’s the rationale behind a new man-in-the-middle phishing scheme that traps members of the U.S. Armed Forces into visiting a website that logs their keystrokes. F-Secure’s research team has a good description on its blog.

Warning: The scam websites, which pretend to be official Bank of America pages and require check card numbers, expiration dates and PIN numbers, look quite real.

Keep it classified
Here’s an another scary item.
Privacy blog PogoWasRight.org, named after a cartoon character famous for saying, “We have met the enemy and he is us,” (must’ve been before my time) has picked up an Associated Press story on Los Alamos workers being warned about identity theft.

Moving towards disclosure
Finally, patch distribution is a tricky business. Most months, Microsoft can’t seem to make anyone happy, no matter what it fixes or how many patches it releases.

With Oracle’s latest patch release just in the rearview mirror, Eric Maurice, the company’s manager for security in the Business Technology Unit, blogged about the latest distribution.

It’s worth reading because public disclosure about patch distributions is an even trickier business than releasing the fixes. It’s a tightrope walk above malicious users and IT pros, and both groups want as much information as possible.

It’s also worth noting that Oracle has made strides in recent months to release patches on a more selective basis and rank vulnerabilities on a clearer scale.