Microsoft BlueHat Security Briefings: Fall 2009 Sessions

Vinny Gullotto
GM of MMPC, Microsoft

As general manager of the Malware Protection Center at Microsoft, Vinny Gullotto oversees the company's day-to-day and long-term strategies for protecting customers from viruses, malware, and other security threats.

Gullotto and his team are responsible for researching malicious threats and attacks against computer users. With that research, they develop solutions and work in conjunction with the Microsoft Security Response Center to provide customers with guidance and support and protection from those threats. Under his charter, the Microsoft Malware Protection Center supplies core anti-malware technology to Windows Live OneCare, Microsoft Windows Defender, the Malicious Software Removal Tool and the Forefront security products. Gullotto's goal is to help ensure that Microsoft expertise in fighting security threats will help protect PC users around the world.

Before joining Microsoft, Gullotto worked for several years at McAfee, Inc., where he held the position of Vice President of the Anti-virus Research and Vulnerability Emergency Response Team (AVERT). In addition to speaking at security conferences around the world, Gullotto has testified before a congressional subcommittee on the federal government's response to security threats facing computers in the United States.

Gullotto sat on the board of directors at a privately held U.S. firm that developed automated, PC-based voice mail attendant systems. Gullotto earned a Bachelor of Science degree in business administration from the University of Phoenix.

Dr. Jose Nazario
Manager of Security Research, Arbor Networks

Dr. Jose Nazario is Manager of Security Research at Arbor Networks. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, and developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service. Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books Defense and Detection Strategies against Internet Worms and Secure Architectures with OpenBSD. He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at FIRST, CanSecWest, PacSec, Black Hat, and NANOG. He also maintains WormBlog.com, a site devoted to studying worm detection and defense research.

With great power comes great responsibility. Rich Internet Application frameworks like Adobe Flash and Flex and Microsoft Silverlight allow developers to create unique and exciting Web applications; but if the technologies are misused, they can also allow developers to create unique and exciting Web application vulnerabilities. Furthermore, some unscrupulous people have been known to craft intentionally malicious Flash and Silverlight applications with the intent of tricking good, honest people into hosting these applications on their own Web sites.

This session will explore these issues from both the Flash and Silverlight perspectives. Learn how to create more secure RIA applications, how to identify potentially malicious RIAs before hosting them on your site, and what the Flash and Silverlight teams are doing to help protect our customers.

Peleus Uhley
Senior Security Researcher, Adobe

Peleus Uhley is a senior security researcher within the Secure Software Engineering team at Adobe. His primary focus is assisting with Adobe platform technologies, including Flash Player and AIR. Prior to joining Adobe, Peleus started in the security industry as a developer for Anonymizer, Inc., and went on to be a security consultant for companies such as @stake and Symantec.

Jesse Collins
Software Security Engineer, Microsoft

Jesse Collins is a senior security engineer on the Silverlight team. He started his security career in 2005 by training with David Ross and his MSRC researchers for a while before working on WPF. Today, he helps secure the Silverlight platform through fuzzing, hacking, and begging devs to run OACR. Jesse also helps guide customers and Microsoft product teams about how to write secure Silverlight applications.

Interactive content has become increasingly powerful and more flexible over the last few years, with major functionality additions appearing in several web-based technologies such as Javascript, .NET, and via browser plugins. These functionality changes, coupled with increasingly complex cross-communication layers, have created a nuanced and precarious trust layer between many different previously unrelated components.

This presentation attempts to address the issue of trust in the context of active content, and how it is more complicated than it might first appear. We will demonstrate the exploitation of these trust relationships at different levels of applications, from subverting architectural security controls to memory corruption vulnerabilities that lead to arbitrary execution.

Ryan Smith
Security Researcher, Accuvant

Ryan Smith, who maintains www.hustlelabs.com, primarily focuses on discovering software vulnerabilities, developing exploitation strategies, conducting general reverse engineering, and designing algorithms to aid program analysis. He’s been credited by numerous vendors with the discovery of vulnerabilities in server software, P2P applications, Web browser technology, anti-virus software and compression programs.

David Dewey
X-Force Researcher, IBM Internet Security Systems

David Dewey is a researcher with the IBM Internet Security Systems X-Force. He has discovered numerous vulnerabilities in application servers, anti-virus applications, and browser technology. His research over the last year has been primarily focused on browser exploitation. David has spoken at a number of industry conferences, including Black Hat.

With the increased usage of text messaging around the globe, SMS provides an ever-widening attack surface on today's mobile phones. From over-the-air updates to rich content multimedia messages, SMS is no longer a simple service to deliver small text-only messages. In addition to its wide range of supported functionality, SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked.

This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with third-party functionality that can be reached via SMS. Results of testing against mobile platforms in real-world situations will be presented.

In addition to our own results, we will discuss and release a number of tools to help users test the security of their mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.

Luis Miras
Independent Security Researcher

Luis Miras is an independent security researcher. He has worked for both security product vendors and leading consulting firms. His interests include vulnerability research, binary analysis, and hardware and software reverse engineering. In the past he has worked in digital design and embedded programming. He has presented at CanSecWest, Black Hat, CCC Congress, XCon, REcon, DefCon, and other conferences world-wide. Recently Luis co-authored Reverse Engineering Code with IDA Pro (Syngress, 2008).

Zane Lackey
Senior Security Consultant, iSEC Partners, Inc.

Zane Lackey is a Senior Security Consultant with iSEC Partners, Inc. His research focus includes mobile phone security, AJAX Web applications, and Voice Over IP (VoIP). Zane has spoken at top security conferences including Black Hat, Toorcon, MEITSEC, YSTS, and the iSEC Open Forum. Additionally, he is a co-author of Hacking Exposed: Web 2.0 (McGraw-Hill) and contributing author/technical editor of Hacking VoIP (No Starch Press). He holds a Bachelor of Arts in Economics with a minor in Computer Science from the University of California, Davis.

Josh Lackey
Senior Security Development Lead, Microsoft

Josh Lackey is the manager of the TwC MSEC Penetration Testing team. His team is responsible for attacking Microsoft products before external hackers get the chance. Josh holds a Ph.D. in Mathematics and spends his time researching security vulnerabilities. He enjoys breaking things and is especially pleased when he can break things using software radio.

Charlie Miller
Principal Analyst, Independent Security Evaluators

Charlie Miller was the first to publicly exploit both the Apple iPhone and Google G1 phone. He has won the Pwn2Own competition the last two years. He was rated as one of the top ten hackers of 2008 by Popular Mechanics magazine. He holds a PhD from the University of Notre Dame and is currently Principal Analyst at Independent Security Evaluators.

What does it mean to implement security in a mobile carrier's network? Can't you just implement some firewalls here and IPS there and call it a day?

This presentation will discuss the unique challenges that mobile carriers face in implementing security and where obvious solutions like firewalling, filtration, and intrusion prevention fail to scale in not so obvious ways. Audience members will learn the functions of a mobile network and will leave with insight into the security challenges that operators face in delivering a mobile network as well as onboarding new platforms for that network.

Patrick McCanna
Security Architect, AT&T Mobility

Patrick McCanna is a Lead Member of Technical Staff in AT&T's Chief Security Organization, where he is responsible for security in consumer-facing products and services at AT&T mobility. Although he is not actively developing today, his software development portfolio includes networking software for airplane cockpits, e-commerce Web applications, and datacenter metrics tools. Patrick holds a B.S. in Computer Science with a Math Minor from Linfield College. He is a Certified Information Systems Security Professional.

Andrew Cushman
Senior Director, TwC Security - Microsoft Corporation

As Sr. Director of Strategy in the Trustworthy Computing Group at Microsoft Corporation, Cushman's primary focus is on End to End Trust—Microsoft's initiative for a safer, more trusted Internet, which aims to bring the trustworthiness of the physical world to the cyber world. Cushman is responsible for End to End Trust Outreach and works with teams across Microsoft responsible for formulation and delivery of Privacy, Security, Reliability, and Trusted Experience.

Cushman joined the MSRC in 2004 as a member of the Security Engineering Group executive leadership team that made security processes an integral part of Microsoft’s engineering culture. Since then he has been a driving force behind the company’s security researcher outreach strategy and execution efforts, formulating the Responsible Disclosure Initiative strategy and initiating the BlueHat security conference franchise.

Cushman previously managed the Microsoft Security Response Center (MSRC). The MSRC leads emergency response to security threats, defines and enforces response policies, and monitors monthly update quality and timeliness. Cushman expanded the MSRC's outreach programs to cover security researchers as well as mainstream security organizations, companies and computer emergency response teams.

Since joining Microsoft in January 1990, Cushman has held positions on the Microsoft International Product Group, the Microsoft Money team and the Internet Information Services (IIS) team. He led the IIS product team during the development of IIS 6.0 in Windows Server® 2003. IIS 6.0 was one of the first Microsoft products to fully adopt the security engineering processes that are today embodied in the SDL and remains a “poster child” of Microsoft’s commitment to security engineering and Trustworthy Computing.

Cushman earned a bachelor’s degree in international studies from the University of Washington and a master of international business degree from Seattle University. Away from work, he is an avid skier.

What was in is now out.

This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity of how our data centers are being re-perimiterized and quite literally turned inside out thanks to cloud computing and virtualization.

One of the really scary things that is happening with the massive convergence of virtualization and cloud computing is its effect on security models and the information they are designed to protect. Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services – and by whom and using whose infrastructure – yields significant concerns related to security, privacy, compliance, and survivability. 

Further, the "stacked turtle" problem becomes incredibly scary as the notion of nested clouds becomes reality: cloud SaaS providers depending on cloud IaaS providers which rely on cloud network providers. It's a house of, well, turtles.

We will show multiple cascading levels of failure associated with relying on cloud-on-cloud infrastructure and services, including exposing flawed assumptions and untested theories as they relate to security, privacy, and confidentiality in the cloud, with some unique attack vectors.

Chris Hoff
Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems

Chris Hoff has over fifteen years of experience in high-profile global roles in network and information security architecture, engineering, operations and management, with a passion for virtualization and all things cloud. Hoff is currently Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems. Prior to Cisco, he was Unisys Corporation's Systems & Technology Division's Chief Security Architect. Additionally, he served as Crossbeam Systems' chief security strategist, was the Chief Information Security Officer for a $25 billion financial services company, founder/Chief Technology Officer of a national security consultancy, and advises companies and venture capitalists. He blogs at http://www.rationalsurvivability.com and is co-host of the Cloud Security Podcast.

John Walton
Principal Security Lead with Microsoft

The Online Services Security Leadership Team (OSSLT) is a v-team consisting of security SMEs from across Microsoft and focused on solving online services security challenges. This team develops and shares security best practices, tools, processes, patterns, as well as intelligence on new attack vectors and vulnerabilities. The OSSLT was formed in order to have strategic impact on how Microsoft does Software-plus-Services (S+S) security. John Walton is a Principal Security Lead with Microsoft, where he spends his time managing the engineering security team responsible for enabling and driving the secure development of Trustworthy Microsoft Online Services. He and his team founded the Online Services Security Leadership Team (OSSLT) in order to evangelize and collaborate on security best practices across the broader online services community at Microsoft. His team's responsibilities include security research, threat modeling, code auditing, tool development, and penetration testing of software-plus-services that Microsoft develops and hosts for businesses.

Robert Fly
Director of Product Security, salesforce.com

Robert Fly heads up the Product Security team at salesforce.com. Among other things, his team drives the security development lifecycle effort which assures that the utmost attention is paid to keeping customers' data secure. Through security standards, tools, automation, and checkpoints, salesforce.com has been able to build and maintain a program that keeps our commitment of trust with our customers.

Before joining salesforce.com, Robert spent eight years at Microsoft, most recently leading the software security team of what is now known as Microsoft Online Services. Prior to this, he spent time on the Office Security team helping secure such products as Outlook and SharePoint. He is a co-author of the book Open Source Fuzzing, founding member of the Cloud Security Alliance, a CISSP, and has several patents pending in the areas of security and testing of software.

Thanks to the plethora of emerging of cloud service offerings, the sheer power of computation available to almost anyone with a (stolen) credit card is quite stunning. This presentation will not discuss legal and compliance implications of consuming cloud services; let us leave that to the auditors and their checklists. Instead, this presentation will focus on the following topics:

• An examination of how the cloud "Security Stack" increases or decreases security exposures.
• A demonstration of how the impact of well-known attack vectors can have a devastating effect on cloud platforms and the clients that consume them.
• A walkthrough of discovered vulnerabilities that affected well-known, popular cloud providers.
• New attack vectors that target the business models of cloud service providers, which may introduce perpetual and unstoppable abuse without deviation in the cloud providers' business models.

The goal of this presentation is to kick off a discussion in the technology community with the sincere hope that it will lead to a broad realization of the security implications of changes that are likely to affect cloud platforms and their clients in the near future.

Billy Rios
Security Engineer, Microsoft

Billy Rios is currently a Security Engineer for Microsoft working for the Business Online Services Group. Prior to his current role, Billy was a penetration tester for both VeriSign and Ernst and Young. As a penetration tester, Billy was hired by numerous Fortune 500 organizations to assess the effectiveness of each organization's security posture. Billy made his living by outsmarting security teams, bypassing security measures, and demonstrating the business risk of security exposures to executives and organizational decision makers. Before his life as a penetration tester, Billy worked as an Information Assurance Analyst for the Defense Information Systems Agency (DISA). While at DISA, Billy helped protect Department of Defense (DoD) information systems by performing network intrusion detection, vulnerability analysis, incident handling, and formal incident reporting on security-related events involving DoD information systems. Before attacking and defending information systems, Billy was an active-duty officer in the United States Marine Corps. Billy has spoken at numerous security conferences including: Black Hat Briefings, BlueHat, RSA, Hack in the Box, and PACSEC. Billy holds a Bachelor's degree in Business Administration, a Master of Science degree in Information Systems, and is currently pursuing his Master of Business Administration.

Nathan McFeters
Senior Security Advisor, Ernst and Young

Nathan McFeters is a Senior Security Advisor for Ernst & Young’s Advanced Security Center based out of Houston, TX. He has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has served as the Engagement Manager for the ASC’s largest client, leading hundreds of web application reviews this year alone.

Prior to taking the position with Ernst & Young, Nathan paid his way thru undergrad and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities, a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area.

Nathan has an undergraduate degree in computer science theory and analysis from Western Michigan University and a Master of Science degree in computer science with an emphasis on computer security, also from Western Michigan University.

We describe our experience with a system designed to select optimal input seed candidates for software fuzz testing from large sample corpora with minimal initial investment of effort. Model inference-assisted fuzzing has excelled at identifying vulnerabilities in software parsing highly structured input data; we describe how to achieve comparable results without the requisite grammar and at far reduced setup cost. Our technique applies set cover minimization to sample corpora, combined with feedback-driven mutation using a new technique we call sub-instruction profiling. We will demonstrate how we used this technique to uncover multiple vulnerabilities in Windows.

(The title is derived from the observation that major research into fuzzing is leaning towards making fuzzers more intelligent, and giving them greater understanding of the protocol and target they're attacking. We argue that this is the wrong direction, and demonstrate how software can be made "dumber" generically, essentially making very naive fuzzing as effective as more expensive [in terms of development effort] fuzzers).

Tavis Ormandy
Security Engineer, Google

Tavis Ormandy is a UNIX security researcher and an active participant in open source security. As an information security engineer on Google's Security Team, he is responsible for identifying and analyzing vulnerabilities and exploits in a wide range of software. Recent publications include the co-authored Exposing Application Internals, and Hostile Virtualized Environments.

Neel Mehta
Staff Software Engineer, Information Security, Google

Neel Mehta is a security researcher at Google, with a background in reverse engineering. Neel has spent most of his career finding wide-reaching vulnerabilities in networked software and hardware. He was co-author of The Shellcoder's Handbook, and has spoken at many academic and applied information security conferences. Above all else, Neel works hard to be on the forefront of vulnerability research and reverse engineering, where his real passion lies. In particular, Neel enjoys auditing Microsoft software.

This is a multipart presentation by engineers working on Microsoft Office security. The first part will detail a distributed fuzzing framework. The second part will detail engineering defenses to fuzzing attacks in the upcoming release of Office (Office 2010).

Security researchers and zero day exploits continue to leverage fuzzing bugs in Microsoft products. What are we doing to defend our products? As presented during last year's Blue Hat, the more fuzzing iterations performed, the more likely you are to find bugs. The SDL now requires a clean fuzz run of half a million iterations in order to ship. Seems like a good idea and achievable, but what happens if your application parses more than 200 formats? Time to think like a black hat and leverage the power of a botnet to get your work done – complete with fuzzing commands and control servers to delegate work to the fuzzing bots.

This presentation covers a framework built by the Office team to efficiently fuzz any file format parser. This framework can be used by any internal product team that parses file input, and significantly reduces the pain around file fuzzing. This framework is not a fuzzer itself. You won't need to rewrite your fuzzers. Instead it allows existing fuzzers to plugin and run in a distributed fashion. The Office team is using this system to perform millions of iterations per day without purchasing any additional hardware. The Office team turned desktop machines and lab machines into a botnet for fuzzing during downtime. Other challenges that are solved by the distributed fuzzing framework and covered in this presentation include central run management, recurring job scheduling, duplicate detection across machines and runs, automated regression passes, and automated bug filing.

Even with millions of fuzz iterations and following the best practices of the Security Development Lifecycle (SDL), some bugs will be missed. The Office security team has engineered a series of layered defenses in addition, to strengthen the parsers themselves. This presentation also covers two of these layers. The first layer, Gatekeeper, helps validate if the data should be loaded by the target application. The Gatekeeper architecture allows it to be used by other applications and describe additional binary formats. The second layer discussed leverages Windows Integrity Levels and is known as Protected View. Even if malicious code runs inside of Protected View, it should not be able to alter the host machine. The presentation will demonstrate how recent MSRC cases are mitigated by Protected View and Gatekeeper.

Tom Gallagher
Security Senior Test Lead, Microsoft

Tom Gallagher has been intrigued by both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. Tom co-authored the Microsoft Press title Hunting Security Bugs, and has presented at the Open Web Application Security Project (OWASP) in Seattle, at Black Hat, and at the TechEd conferences.

Dave Conger
SDET II, Microsoft

David Conger started at Microsoft in 2005 after graduating from the University of Puget Sound. He is a Software Development Engineer in Test II on the Microsoft Access team and built the Distributed Fuzzing Framework as a way to better utilize his team's resources for fuzzing.

Web applications are being exploited every day as attackers find new vectors for performing cross-site scripting attacks. This talk will cover ways that latent character and string handling can transform clever inputs into malicious outputs. Many application frameworks such as Microsoft .NET and ICU enable these behaviors without the developer's knowledge. String transformations through best-fit mappings, casing operations, normalization, over-consumption and other means will be discussed, with inputs useful for testing. A testing tool is also planned for release.

The current state of visual spoofing attacks will also be discussed. Phishing attacks are prevalent on the Web, and well-designed URLs can increase an attack's chance of success. It's eye-opening to see demonstrations of just how vulnerable modern Web browsers still are to many forms of visual spoofing attacks.

Chris Weber
Co-Founder, Casaba Security

Chris Weber is co-founder at Casaba Security where he leads product development for new tools to assist in the field of Unicode and Web-application security. He has spent years focusing on software security testing for some of the world's leading software development companies and online properties. Chris has authored several security books, articles and presentations, and regularly speaks at industry conferences. He has worked as a security researcher and consultant for over a decade, identifying hundreds of security vulnerabilities in many widely-used products.