BlueHat Redmond Security Briefings: Fall 2011 Sessions

BlueHat v11: November 3-4 at the Microsoft corporate headquarters

The primary objective of the BlueHat Conference Series is to build bridges between Microsoft developers and executives, key security program partners, and members of the security research community, while educating the greater Microsoft population on security threats and mitigations. BlueHat v11 again brought leading external security researchers to campus to present timely and lively presentations that showcased ongoing research, state-of-the-art security tools and techniques, and emerging security threats. Our main themes for BlueHat v11 were the threat landscape, web application security, cloud security, and the security ecosystem.

News from BlueHat 2011: get the latest conference news from internal Microsoft speakers and external community members.

Day 1: Thursday, November 3rd – BlueHat v11 General Sessions

Morning Block: Threat Landscape
- Opening Remarks – Andrew Cushman, Director, GSSD, Microsoft
- Challenges and Successes in Mitigating the Cyber Threat – Shawn Henry, Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch, FBI
- Modern Threats from an Attacker's and a Responder's Perspective – Mark Raeburn, CEO, Context Information Security
- Microsoft's Perspective on Targeted Attacks – Mark Oram, Principal Security Group Program Manager, EcoStrat, Microsoft

Afternoon Block: Web Application Security
- A Statistical Journey through Web Application Security – Jeremiah Grossman, CTO, WhiteHat Security Inc.
- Locking the Throne Room - ECMA Script 5, a Frozen DOM, and the Eradication of XSS – Mario Heiderich, Independent Researcher, Ruhr-University
- You Spent All That Money And You Still Got Owned???? – Joe McCray, Founder and CEO of Strategic Security

Day 2: Friday, November 4th – BlueHat v11 General Sessions

Morning Block: Cloud Security
- New Ways To Hack your Web App – Rich Lundeen, Security Engineer, Microsoft; Jesse Ou, Security Engineer, Microsoft; Travis Rhodes, Security Engineer, Microsoft
- How To Determine the Value of Security – Jared Pfost, CEO, Third Defense
- Assume Breach, Now What? – John Walton, Principal Security Manager, Office 365 Security, Microsoft

Afternoon Block: Security Ecosystem
- Win Phone 7 OEM Fail – Alex Plaskett, Security Consultant, MWR InfoSecurity
- The Security Trifecta – The Platforms, the Apps, and the Stores – Matias Brutti, Researcher, IOActive
- SSL and the Future of Authenticity – Moxie Marlinspike, CTO, Whisper Systems
Session Videos
BlueHat Kickoff! When the idea of the first BlueHat was conceived, a mad brainchild of an idea to invite hackers behind the walls to bring their experience and expertise and participate in the security entity that is Microsoft, no one thought past "let's make sure we pull this off successfully". We had no idea of the impact that little ol' security conference could and would have six years later, as it has grown into an annual multi-day event, international forums, and a force in the internal and external security science space. Andrew shares his perspective on the evolution, lessons learned, and thoughts about the future of BlueHat and security challenges at Microsoft.
Locking the Throne Room - ECMA Script 5, a Frozen DOM and the Eradication of XSS Cross Site Scripting has been a topic in countless presentations over the last decade. That easy-to-grasp but hard-to-solve problem has been shaking the web and caused major trouble on hundreds to thousands of high-traffic commercial as well as governmental websites. Mitigation techniques have been developed and discussed in depth - starting with restrictive content filters, educational programs and trainings, programmers' best practices and guidelines, proxy filters and many more. Still, XSS remains a major problem far from being solved. The multilayer model on which the web relies causes too much reciprocity to find an easy cure - and the DOM, as the layer actually affected, still lies open and unprotected to the attacker. This presentation introduces and discusses a novel approach to countering XSS and similar attack techniques by making use of several new features included in the ECMA Script 5 specification draft. It will be shown how to create a simple JavaScript to seal important DOM properties and take away the attacker's ability to read and modify sensitive data in a tamper-resistant and lightweight way - without being "too loud". Modern browsers, such as Chrome 8 and Firefox 4, for the first time provide the possibility of creating and using client-side IDS/IPS systems, written in JavaScript and running without special execution privileges. The presentation will show how these attacks work, what the implications are, and what the future of XSS mitigation and eradication might look like.
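The sealing technique the abstract describes, as an added example that is not code from the talk or from this page: ES5 Object.defineProperty and Object.freeze are used to make sensitive properties tamper-resistant and to record write attempts quietly instead of throwing, which is the "client-side IDS" idea. Because the example runs without a browser, the `page` object is a constructed stand-in for DOM state, and `sealProperty`, `freezeConfig`, `probe` and `demo` are names chosen here rather than anything from the presentation.

```javascript
'use strict';

// Added example (not the talk's code): sealing sensitive properties with
// ES5 property descriptors. `page` in demo() is a constructed stand-in for
// document-like state; no real DOM is touched.

// Put a data property behind a locked accessor: reads keep working, writes
// are dropped and recorded in `log`, and because configurable is false the
// descriptor itself can no longer be deleted or redefined.
function sealProperty(obj, name, log) {
  const frozenValue = obj[name];
  Object.defineProperty(obj, name, {
    configurable: false,
    enumerable: true,
    get: function () { return frozenValue; },
    set: function (attempted) {
      // "not too loud": no exception, just an entry for the defender's log
      log.push({ property: name, attempted: String(attempted) });
    }
  });
}

// Freeze a whole policy/config table: every own property becomes
// non-writable and non-configurable, and no new properties can be added.
function freezeConfig(config) {
  return Object.freeze(config);
}

// Try the three things later-running script would do to a sealed property
// and report the outcome. The checks use return values rather than
// exceptions so the result is the same in strict and sloppy mode.
function probe(obj, name, log) {
  const before = obj[name];
  const logBefore = log.length;

  obj[name] = 'evil';                     // write: handled by the logging setter

  let redefined = true;                   // redefine: TypeError on non-configurable
  try {
    Object.defineProperty(obj, name, { value: 'evil', configurable: true });
  } catch (e) {
    redefined = !(e instanceof TypeError);
  }

  let deleted;                            // delete: false (sloppy) or TypeError (strict)
  try {
    deleted = delete obj[name];
  } catch (e) {
    deleted = false;
  }

  return {
    unchanged: obj[name] === before,
    redefined: redefined,
    deleted: deleted,
    attemptsLogged: log.length - logBefore
  };
}

function demo() {
  const log = [];
  // constructed sample state, labelled as such; not real session data
  const page = { cookie: 'session=abc123', domain: 'example.test' };
  sealProperty(page, 'cookie', log);
  sealProperty(page, 'domain', log);

  const policy = freezeConfig({ allowInlineScript: false });
  try {
    policy.allowInlineScript = true;      // strict mode: TypeError; sloppy: ignored
  } catch (e) { /* frozen object rejected the write */ }

  return {
    cookie: probe(page, 'cookie', log),
    policyFrozen: Object.isFrozen(policy),
    policyChanged: policy.allowInlineScript === true,
    tamperLog: log
  };
}

demo();
```

The protection only holds if the sealing script runs before any untrusted script, and in a real browser the interesting properties (document.cookie, for instance) are accessors on prototype objects rather than plain own data properties, so the same defineProperty call has to be applied at the prototype level; the stand-in object above keeps the mechanism visible without that detail.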
You Spent All That Money and You Still Got Owned???? This talk will focus on practical methods of identifying and bypassing modern enterprise-class security solutions such as Load Balancers, both Network- and Host-based Intrusion Prevention Systems (IPSs), Web Application Firewalls (WAFs), and Network Access Control Solutions (NAC). The goal of this talk is to show IT personnel the common weaknesses in popular security products and how those products should be configured. The key areas are:
- IPS Identification and Evasion
- WAF Identification and Bypass
- Anti-Virus Bypass
- Privilege Escalation
- Becoming Domain Admin
How To: Determine The Value Of Security Jared Pfost, a former Blue Badge, shares techniques for determining the right amount of security investment for IT, cloud services, or even the SDL. Jared challenges you to define what success really looks like for security and decide if you really want it. Jared breaks down security investment by being honest about mandatory vs. discretionary spending, how to gauge control effectiveness, and approaches to understanding team efficiency. While his techniques originated during his Microsoft years, Jared picked up significant advancements working in startups and financial services.
The Security Trifecta - The Platforms, the Apps and the Stores Given that application delivery is shifting rapidly toward a distributed model, particularly with regard to online/mobile app stores, the complexity of the application security landscape, including the platforms on which the apps live and the stores themselves, is increasing. While this model is currently most relevant to the mobile application realm, it is also being adopted by the desktop/tablet market, so it is important to stay abreast and aware of all the potential security risks involved.