Security TechCenter

Microsoft BlueHat Security Briefings: Spring 2008 Sessions and Interviews

The spring Microsoft BlueHat Security Briefings event was held on May 2, 2008. View interviews with the presenters, and read the session descriptions and speaker bios below. Find out more about BlueHat.

On This Page

Bad Sushi: Beating Phishers at Their Own Game
Web Browsers and Other Mistakes
A Resident in My Domain, plus, Unweaving Silverlight from Flash
Token Kidnapping
Attacking Antivirus
Microsoft Security Grunt
Vulnerability Economy Panel

Bad Sushi: Beating Phishers at Their Own Game

Session Description	Speakers
This talk will expose the tools and tactics used by the phishing underground. It's really a new look at an old problem. Follow us as we track real life phishers hiding in the shadiest corners of the Internet, analyze the tools used by phishers, see how phishers "phish" other phishers, and discover the sites where real life identities are being bought and sold… The specific topics covered by this talk will include: how phishers set up a phishing site, a look at the backdoors used by phishers, determining how phishers get identity information, a thorough look at the tools used by phishers, and a detailed look at the sites used to buy and sell stolen identities.	Billy Rios Security Engineer, Microsoft Billy Rios lives in a phish bowl and is constantly being sent e-mails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for $30,000 instead of $30. View an interview with Billy Rios. Nitesh Dhanjani Senior Manager & Leader of Application Security Services, Ernst & Young LLP Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani is currently Senior Manager at Ernst & Young LLP where he leads their Application Security Services efforts. Dhanjani is responsible for evangelizing new application security service lines, ensuring current service lines stay bleeding edge, and helping enterprises develop world-class application security strategies. Prior to E&Y, Dhanjani was Senior Director of Application Security and Assessments at Equifax where he spearheaded brand new security efforts into enhancing the enterprise SDLC, created a process for performing source code security reviews & threat modeling, and managed the attack & penetration team. Before Equifax, Dhanjani was Senior Advisor at Foundstone's Professional Services group where, in addition to performing security assessments, he contributed and taught Foundstone's Ultimate Hacking security courses. Dhanjani is the author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly) and "HackNotes: Linux and Unix Security" (Osborne McGraw-Hill). He is also a contributing author to "Hacking Exposed 4" (Osborne McGraw-Hill) and "HackNotes: Network Security"(Osborne McGraw-Hill). Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, and OSCON. Dhanjani graduated from Purdue University with both a Bachelor’s and a Master’s degree in Computer Science.

Session Description

Speakers

This talk will expose the tools and tactics used by the phishing underground. It's really a new look at an old problem. Follow us as we track real life phishers hiding in the shadiest corners of the Internet, analyze the tools used by phishers, see how phishers "phish" other phishers, and discover the sites where real life identities are being bought and sold…

The specific topics covered by this talk will include: how phishers set up a phishing site, a look at the backdoors used by phishers, determining how phishers get identity information, a thorough look at the tools used by phishers, and a detailed look at the sites used to buy and sell stolen identities.

Billy Rios
Security Engineer, Microsoft

Billy Rios lives in a phish bowl and is constantly being sent e-mails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for $30,000 instead of $30.

View an interview with Billy Rios.

Nitesh Dhanjani
Senior Manager & Leader of Application Security Services, Ernst & Young LLP

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani is currently Senior Manager at Ernst & Young LLP where he leads their Application Security Services efforts. Dhanjani is responsible for evangelizing new application security service lines, ensuring current service lines stay bleeding edge, and helping enterprises develop world-class application security strategies.

Prior to E&Y, Dhanjani was Senior Director of Application Security and Assessments at Equifax where he spearheaded brand new security efforts into enhancing the enterprise SDLC, created a process for performing source code security reviews & threat modeling, and managed the attack & penetration team. Before Equifax, Dhanjani was Senior Advisor at Foundstone's Professional Services group where, in addition to performing security assessments, he contributed and taught Foundstone's Ultimate Hacking security courses.

Dhanjani is the author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly) and "HackNotes: Linux and Unix Security" (Osborne McGraw-Hill). He is also a contributing author to "Hacking Exposed 4" (Osborne McGraw-Hill) and "HackNotes: Network Security"(Osborne McGraw-Hill). Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, and OSCON.

Dhanjani graduated from Purdue University with both a Bachelor’s and a Master’s degree in Computer Science.

Top of page

Web Browsers and Other Mistakes

Session Description	Speakers
Web browsers are becoming almost as complex as operating systems, and just as prevalent, and yet we know so little about them. This talk will examine the parts of browsers and plug-ins that lead to Web applications being exploitable on the client-side.	Alex kuza55 K. Independent Security Researcher *Alex kuza55* K.** has been an active member of the Web application security research community for the past several years, publishing several well-regarded papers and presenting his findings recently at the 24th Chaos Communications Congress computer security conference in Berlin. Alex is an Associate at SIFT where he gets paid to break things, and in his spare time as an independent security researcher, breaks things for the fun of it. Alex's current fascination is with the serious, the fun, and the crazy functionality creeping into Web browsers, and the ancient functionality that is not being removed. View an interview with Alex kuza55 K.

Session Description

Speakers

Web browsers are becoming almost as complex as operating systems, and just as prevalent, and yet we know so little about them. This talk will examine the parts of browsers and plug-ins that lead to Web applications being exploitable on the client-side.

Alex *kuza55* K.
Independent Security Researcher

Alex *kuza55* K. has been an active member of the Web application security research community for the past several years, publishing several well-regarded papers and presenting his findings recently at the 24th Chaos Communications Congress computer security conference in Berlin. Alex is an Associate at SIFT where he gets paid to break things, and in his spare time as an independent security researcher, breaks things for the fun of it. Alex's current fascination is with the serious, the fun, and the crazy functionality creeping into Web browsers, and the ancient functionality that is not being removed.

View an interview with Alex *kuza55* K.

Top of page

A Resident in My Domain, plus, Unweaving Silverlight from Flash

Session Description	Speakers
A Resident in My Domain Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move. No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.	Manuel Caballero Independent Security Researcher Manuel Caballero is a security researcher with particular interest in Web browsers and plug-ins. He has worked for an online ad agency as the developer of all "evil" tricky scripts: cross-domains, popup blocker bypasses, resident scripts, etc. He is currently working at Microsoft as a Penetration Tester of products like Internet Explorer, Silverlight, Gadgets, etc. Fukami Independent Security Researcher Fukami works as a security consultant for a Cologne (Germany) based company, SektionEins. His main focus is Web application security. He is founder of a project dedicated to RIA, and especially Adobe Flash security-related topics, called FlashSec. View an interview with Manuel Caballero and Fukami.
Unweaving Silverlight from Flash New browser plug-in technology needs to be very secure, maybe even more secure than already existing solutions. The question is whether there's something to be learned from the mistakes and weaknesses of similar technology. Does Silverlight deserve to be called "Silverstrong" because of its security? The second part of the talk will be a step-by-step analysis comparing the security of Silverlight and Flash. Similarities and differences such as security sandboxes, requests and sockets handling, cross-domain policies, and persistent storage will be discussed, including attack scenarios.

Session Description

Speakers

A Resident in My Domain
Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Manuel Caballero
Independent Security Researcher

Manuel Caballero is a security researcher with particular interest in Web browsers and plug-ins. He has worked for an online ad agency as the developer of all "evil" tricky scripts: cross-domains, popup blocker bypasses, resident scripts, etc. He is currently working at Microsoft as a Penetration Tester of products like Internet Explorer, Silverlight, Gadgets, etc.

Fukami
Independent Security Researcher

Fukami works as a security consultant for a Cologne (Germany) based company, SektionEins. His main focus is Web application security. He is founder of a project dedicated to RIA, and especially Adobe Flash security-related topics, called FlashSec.

View an interview with Manuel Caballero and Fukami.

Unweaving Silverlight from Flash
New browser plug-in technology needs to be very secure, maybe even more secure than already existing solutions. The question is whether there's something to be learned from the mistakes and weaknesses of similar technology. Does Silverlight deserve to be called "Silverstrong" because of its security?

The second part of the talk will be a step-by-step analysis comparing the security of Silverlight and Flash. Similarities and differences such as security sandboxes, requests and sockets handling, cross-domain policies, and persistent storage will be discussed, including attack scenarios.

Top of page

Token Kidnapping

Session Description	Speakers
This presentation is about a new technique for elevating privileges on Windows, mostly from services. This technique exploits design weaknesses in Microsoft Windows XP, Windows Server 2003, Windows Vista, and even Windows Server 2008. The presentation will explain how it’s possible in Windows XP and Windows Server 2003 to elevate privileges to LOCAL SYSTEM from any process that has impersonation rights, and how it's possible in Windows Vista and Windows Server 2008 to elevate privileges to LOCAL SYSTEM from processes running under NETWORK SERVICE and LOCAL SERVICE accounts, demonstrating that running code under NETWORK SERVICE or LOCAL SERVICE is nonsense since it's always possible to end up running code under LOCAL SYSTEM account. It will also show zero-day code for elevating privileges in SQL Server 2005 and Internet Information Services 6 and 7.	Cesar Cerrudo Founder and CEO, Argeniss Cesar Cerrudo, is a security researcher and consultant specializing in application security. Cesar runs his own company, Argeniss (www.argeniss.com). Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database, application security, attacks, and exploitation techniques, and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, and HITB. Cesar collaborates on and is regularly quoted in articles in online publications such as eWeek, ComputerWorld, etc. View an interview with Cesar Cerrudo.

Session Description

Speakers

This presentation is about a new technique for elevating privileges on Windows, mostly from services. This technique exploits design weaknesses in Microsoft Windows XP, Windows Server 2003, Windows Vista, and even Windows Server 2008.

The presentation will explain how it’s possible in Windows XP and Windows Server 2003 to elevate privileges to LOCAL SYSTEM from any process that has impersonation rights, and how it's possible in Windows Vista and Windows Server 2008 to elevate privileges to LOCAL SYSTEM from processes running under NETWORK SERVICE and LOCAL SERVICE accounts, demonstrating that running code under NETWORK SERVICE or LOCAL SERVICE is nonsense since it's always possible to end up running code under LOCAL SYSTEM account. It will also show zero-day code for elevating privileges in SQL Server 2005 and Internet Information Services 6 and 7.

Cesar Cerrudo
Founder and CEO, Argeniss

Cesar Cerrudo, is a security researcher and consultant specializing in application security. Cesar runs his own company, Argeniss (www.argeniss.com). Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database, application security, attacks, and exploitation techniques, and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, and HITB. Cesar collaborates on and is regularly quoted in articles in online publications such as eWeek, ComputerWorld, etc.

View an interview with Cesar Cerrudo.

Top of page

Attacking Antivirus

Session Description	Speakers
This is perhaps the first comprehensive presentation that combines two important topics: how to exploit antivirus software, and how to audit it. People have indeed talked about antivirus security before; however, talks have either been from the reverse engineering point of view, or they have failed to mention exploitations and tended to lack technical detail. This talk will concentrate on: why antivirus security is critical; why antivirus software is full of holes; what are the ways in which attackers can exploit antivirus vulnerabilities; how to audit antivirus software; and what exactly the vendors, researchers, and end-users should do. This talk will also seriously question the security of "security products": AV, firewall, IPS, IDS, etc. Sowhat says: "I hope the developers can learn something from my presentation and know how to make Forefront and Antigen more secure than the other antivirus software."	Sowhat Technical Lead, Nevis Labs Sowhat is a Technical Lead at Nevis Labs. His emphasis is on uncovering vulnerabilities and analyzing them. He has discovered over 30 vulnerabilities in popular applications from companies like Microsoft, Symantec, Apple, Trend Micro, HP and Real Networks, among others. Sowhat is also a frequent speaker at conferences and has presented at XCON 2005. He was scheduled to present at 22C3 and PACSEC, but unfortunately had to cancel due to personal reasons. He will give a presentation on Blackhat Europe 2008, Holland, on March 26th. View an interview with Sowhat.

Session Description

Speakers

This is perhaps the first comprehensive presentation that combines two important topics: how to exploit antivirus software, and how to audit it. People have indeed talked about antivirus security before; however, talks have either been from the reverse engineering point of view, or they have failed to mention exploitations and tended to lack technical detail.

This talk will concentrate on: why antivirus security is critical; why antivirus software is full of holes; what are the ways in which attackers can exploit antivirus vulnerabilities; how to audit antivirus software; and what exactly the vendors, researchers, and end-users should do. This talk will also seriously question the security of "security products": AV, firewall, IPS, IDS, etc.

Sowhat says: "I hope the developers can learn something from my presentation and know how to make Forefront and Antigen more secure than the other antivirus software."

Sowhat
Technical Lead, Nevis Labs

Sowhat is a Technical Lead at Nevis Labs. His emphasis is on uncovering vulnerabilities and analyzing them. He has discovered over 30 vulnerabilities in popular applications from companies like Microsoft, Symantec, Apple, Trend Micro, HP and Real Networks, among others.

Sowhat is also a frequent speaker at conferences and has presented at XCON 2005. He was scheduled to present at 22C3 and PACSEC, but unfortunately had to cancel due to personal reasons. He will give a presentation on Blackhat Europe 2008, Holland, on March 26th.

View an interview with Sowhat.

Top of page

Microsoft Security Grunt

Session Description	Speakers
In the interest of improving the transparency of Microsoft processes within the security community — and having been offered complete immunity from any disciplinary action — Bryan will be talking about his experiences in his first 30 days as a Microsoft employee. Is "Microsoft Security Grunt" really the 6th worst job in the world (just slightly better than elephant vasectomist)? Come find out the truth firsthand.	Bryan Sullivan Security Program Manager, Microsoft Bryan Sullivan is a Security Program Manager at Microsoft. He is a frequent speaker at industry events including RSA Conference and Black Hat, and is a published author on Web application security topics. His first book, "Ajax Security," was published by Addison-Wesley in 2007. View an interview with Bryan Sullivan.

Session Description

Speakers

In the interest of improving the transparency of Microsoft processes within the security community — and having been offered complete immunity from any disciplinary action — Bryan will be talking about his experiences in his first 30 days as a Microsoft employee. Is "Microsoft Security Grunt" really the 6th worst job in the world (just slightly better than elephant vasectomist)? Come find out the truth firsthand.

Bryan Sullivan
Security Program Manager, Microsoft

Bryan Sullivan is a Security Program Manager at Microsoft. He is a frequent speaker at industry events including RSA Conference and Black Hat, and is a published author on Web application security topics. His first book, "Ajax Security," was published by Addison-Wesley in 2007.

View an interview with Bryan Sullivan.

Top of page

Vulnerability Economy Panel

Session Description	Speakers
The Vulnerability Economy Panel takes an in-depth look into the world of buying and selling vulnerabilities with diverse perspectives from our various panelists. The panel will provide an overview of the current market while explaining the differing roles panelists play within this market. Microeconomics, macroeconomics and efficient markets will all be touched upon.	Panelists include: Terri Forslof Manager of Security Response, Tipping Point Technologies Adam Shostack Senior Security Program Manager, Microsoft Jeremiah Grossman Founder & CTO, WhiteHat Security Dan Kaminsky Director of PenTest, IOActive View an interview with Dan Kaminsky. Charlie Miller Principal Analyst, Independent Security Evaluators

Session Description

Speakers

The Vulnerability Economy Panel takes an in-depth look into the world of buying and selling vulnerabilities with diverse perspectives from our various panelists. The panel will provide an overview of the current market while explaining the differing roles panelists play within this market. Microeconomics, macroeconomics and efficient markets will all be touched upon.

Panelists include:

Terri Forslof
Manager of Security Response, Tipping Point Technologies

Adam Shostack
Senior Security Program Manager, Microsoft

Jeremiah Grossman
Founder & CTO, WhiteHat Security

Dan Kaminsky
Director of PenTest, IOActive

View an interview with Dan Kaminsky.

Charlie Miller
Principal Analyst, Independent Security Evaluators

Top of page