BlueHat Security Briefings: Spring 2006 Sessions
The spring Microsoft BlueHat Security Briefings event was held on March 8-10, 2006. Read the session descriptions and speaker bios below.
In this presentation David discussed his most recent database research and future trends he sees in database vulnerabilities.
David Litchfield, the Managing Director and Chief Research Scientist at NGSSoftware, is credited with finding more published software security vulnerabilities than any other researcher in the world. This was recognized in 2004 when Information Security Magazine voted him “Best Bug Hunter” jointly with his brother Mark. Formerly a research scientist and director of security architecture with @stake, he now continues his research and development activities with NGS and acts in an advisory capacity to CESG and NISCC, the two UK Government Departments responsible for the computer security of Her Majesty's Government and the UK National Critical Infrastructure.
David specializes in searching for new threats to database systems and Web applications. He is a co-author of The Database Hacker's Handbook, The Shellcoder's Handbook, SQL Server Security, and Special Ops.
This talk demonstrated how to defend against common attacks at the Web application layer, with examples covering Web application hacking methods such as SQL injection, cross-site scripting, parameter manipulation, session hijacking, and Lightweight Directory Access Protocol (LDAP) injection. In addition, the session covered the techniques and processes that can be implemented to ensure protection from such common attacks.
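As an added illustration of the injection classes the description lists (example code written for this page, not material from the talk), the following Python puts the string-concatenated form of a login query and of an LDAP search filter next to their parameterized and escaped counterparts, and adds HTML output encoding for the cross-site scripting case. The table, credentials and payloads are constructed for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory login table (example data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, pw):
    # Attacker-controlled text is pasted into the statement, so a quote and a
    # comment marker in the input become SQL syntax and the password check
    # is commented away.
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE name = '{user}' AND password = '{pw}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, user, pw):
    # Bound parameters: the driver passes the values separately from the
    # statement text, so they are never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone()[0] > 0


# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_vulnerable(user, pw):
    # A '*' or a ')(' sequence in the input changes the filter's structure.
    return f"(&(uid={user})(userPassword={pw}))"


def ldap_filter_safe(user, pw):
    return f"(&(uid={ldap_escape(user)})(userPassword={ldap_escape(pw)}))"


def render_greeting(name):
    # Output encoding for an HTML text context: the markup characters in the
    # input are rendered as text instead of being parsed by the browser.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"   # closes the string literal, comments out the rest
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # True
    print("safe:      ", login_safe(db, payload, "wrong"))        # False
    print(ldap_filter_vulnerable("*", "*"))
    print(ldap_filter_safe("*", "*"))
    print(render_greeting("<script>alert(1)</script>"))
```

The same pattern applies to the parameter-manipulation case in the description: any value that crosses a trust boundary is either bound as data or encoded for the exact context it lands in, never spliced into syntax as text.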
Caleb Sima is the co-founder and chief technology officer of SPI Dynamics, a Web application security company. Caleb is responsible for directing the lifecycle of the company's Web application security solutions and is the director of the SPI Labs research and development team within SPI Dynamics. Caleb has been engaged in the Internet security arena since 1996, and has become widely recognized as an expert in penetration testing and for identifying emerging security threats. Prior to co-founding SPI Dynamics in early 2000, Caleb worked for Internet Security Systems' X-Force research and development team and as a security engineer for S1 Corporation. Caleb is a frequent speaker and expert resource for the press on Internet attacks. He is a member of the Information Systems Security Association (ISSA) and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within the Organization for the Advancement of Structured Information Standards (OASIS), as well as a founding member of the Web Application Security Consortium (WASC).
Windows developers depend on the core OS to provide a platform where their application's security assertions can be met. However, it is often the case that developers expect a core technology to provide one security assertion, when in fact it provides a whole set of unrelated assertions. Alex and Scott have found that many security flaws identified during Windows application penetration tests, both internal and external to Microsoft, are the result of a fundamental misunderstanding of a core security technology.
This talk covered the security technologies in Windows that Alex and Scott find are commonly used and, almost without exception, misused. From whether you really know that the machine you are talking to is your server, to whether your data packet is safe from tampering on the network, Alex and Scott discussed how to find out whether your application is making naive security assumptions or has truly mitigated the risks against it.
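One concrete form of the mismatch the description talks about, a mechanism that provides confidentiality being assumed to also provide tamper protection, can be shown in a few lines. The following Python is an added example written for this page, not code from the talk or from any Windows component: a toy stream cipher, a constructed fixed-width packet, an on-path bit flip of the amount field that needs no key, and the encrypt-then-MAC variant that rejects the same modification.

```python
import hashlib
import hmac
import struct

# Constructed "wire packet": a fixed-width transfer message, not a real
# protocol. Keys and nonce are fixed so the run is reproducible.
KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x03" * 12
FMT = ">16sI"        # 16-byte account id, 32-bit big-endian amount
AMOUNT_OFFSET = 16   # where the amount sits in the packed message


def keystream(key, nonce, length):
    # Toy stream cipher (SHA-256 in counter mode) for illustration only; the
    # point holds for any mode that XORs a keystream into the data.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    # Encryption and decryption are the same XOR.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def flip_amount(ciphertext, old_amount, new_amount):
    # Attacker on the network who does not know the key: XOR the ciphertext
    # with (old ^ new) at the amount's offset; the receiver decrypts to new.
    delta = bytes(a ^ b for a, b in zip(struct.pack(">I", old_amount),
                                        struct.pack(">I", new_amount)))
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[AMOUNT_OFFSET + i] ^= d
    return bytes(ct)


def seal(plaintext):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = xor_crypt(KEY, NONCE, plaintext)
    return ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()


def open_sealed(blob):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None          # tampering detected; nothing is decrypted
    return xor_crypt(KEY, NONCE, ct)


def amount_after_tampering_without_mac():
    msg = struct.pack(FMT, b"ACCT-0001", 100)
    ct = xor_crypt(KEY, NONCE, msg)
    tampered = flip_amount(ct, 100, 100_000)
    _, amount = struct.unpack(FMT, xor_crypt(KEY, NONCE, tampered))
    return amount            # 100000: confidentiality held, integrity did not


def tampering_with_mac_is_rejected():
    blob = seal(struct.pack(FMT, b"ACCT-0001", 100))
    tampered = flip_amount(blob, 100, 100_000)   # tag no longer verifies
    return open_sealed(tampered) is None


if __name__ == "__main__":
    print("amount seen by receiver (encryption only):",
          amount_after_tampering_without_mac())
    print("tampered sealed packet rejected:", tampering_with_mac_is_rejected())
```

The check a practitioner wants here is the one the talk points at: for each assertion the application relies on (peer identity, integrity, replay protection, confidentiality), name the specific mechanism that provides it, rather than assuming one mechanism covers the set.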
Alex Stamos and Scott Stender
Alex Stamos is a founding partner of iSEC Partners, a strategic digital security organization, with several years' experience in security and information technology. Alex specializes in application security and securing large infrastructures and has taught multiple classes in network and application security. Prior to iSEC, he spent two years as a managing security architect with @stake, where he was technical leader on many complex assignments, including a thorough penetration test and architectural review of a six-million-line enterprise management system. Before @stake, Alex had operational security responsibility for over 50 Fortune 500 Web applications while at Loudcloud, Inc. Alex has also worked in a security role at a Department of Energy National Laboratory and holds a BSEE from the University of California, Berkeley.
Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC, Scott worked as an application security analyst with @stake, where he led and delivered engagements for many of @stake's highest-priority clients. Before @stake, Scott worked for Microsoft, where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Most recently, Scott co-authored the paper "Software Penetration Testing" in the January-February 2005 issue of IEEE Security & Privacy, and presented "Attacking Web Services" at BlackHat USA 2005. He holds a BS in Computer Engineering from the University of Notre Dame.
Comparing two executable objects has many different and interesting applications, ranging from “offensive” security (such as attacking systems) and “defensive” security (analyzing malware) to legal questions, such as detecting code theft without access to source code of either party. The actual process of comparing executables is complicated by different optimization settings on different executables, or even different compilers.
It is often beneficial to treat the executable not as computer code but as a directed graph and to apply graph-theoretical algorithms to that graph without taking the actual instructions into account. This talk explained the concepts behind SABRE BinDiff, a tool that uses a graph-theoretical approach to compare two executable objects. Different applications for such a comparison technique were discussed, ranging from the analysis of security patches, through the porting of debug information from one executable to the other, to identifying highly similar code in two different executables.
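The following Python is an added, simplified rendering of the idea in the two paragraphs above, written for this page and not SABRE BinDiff's own code. Each function is reduced to its control-flow graph and its call list; functions are anchored by a structural signature that is unique in both executables, and the match is then propagated along the call graph in both directions. The two toy programs are constructed, with different symbol names standing in for stripped builds, and the second carries one function with an extra basic block, which is the situation a patch comparison looks for.

```python
from collections import defaultdict

# Constructed toy "binaries": each function is a control-flow graph (set of
# basic-block edges, block 0 is the entry) plus the list of functions it calls.
# Symbol names differ between the two versions, as they would for stripped
# builds; the matcher never looks at names or at instruction bytes.
OLD = {
    "sub_1000": ({(0, 1), (1, 2), (0, 2)}, ["sub_1100", "sub_1300"]),
    "sub_1100": ({(0, 1), (1, 2), (1, 3), (2, 3)}, ["sub_1200", "sub_1400"]),
    "sub_1200": ({(0, 1), (1, 1), (1, 2)}, []),
    "sub_1300": ({(0, 1)}, []),
    "sub_1400": ({(0, 1)}, []),
}
# Patched build: sub_2100 gained an extra check block (blocks 2 -> 4 -> 3).
NEW = {
    "sub_2000": ({(0, 1), (1, 2), (0, 2)}, ["sub_2100", "sub_2300"]),
    "sub_2100": ({(0, 1), (1, 2), (1, 3), (2, 3), (2, 4), (4, 3)},
                 ["sub_2200", "sub_2400"]),
    "sub_2200": ({(0, 1), (1, 1), (1, 2)}, []),
    "sub_2300": ({(0, 1)}, []),
    "sub_2400": ({(0, 1)}, []),
}


def signature(func):
    # Structural fingerprint: (basic blocks, edges, calls), nothing instruction-level.
    edges, callees = func
    return (len({n for e in edges for n in e}), len(edges), len(callees))


def callers_map(prog):
    callers = defaultdict(list)
    for name, (_, callees) in prog.items():
        for callee in callees:
            callers[callee].append(name)
    return callers


def unique_pairs(names_a, names_b, prog_a, prog_b):
    # Pair up functions whose signature occurs exactly once on each side.
    by_sig_a, by_sig_b = defaultdict(list), defaultdict(list)
    for n in names_a:
        by_sig_a[signature(prog_a[n])].append(n)
    for n in names_b:
        by_sig_b[signature(prog_b[n])].append(n)
    return [(by_sig_a[s][0], by_sig_b[s][0]) for s in by_sig_a
            if len(by_sig_a[s]) == 1 and len(by_sig_b.get(s, [])) == 1]


def match_functions(old, new):
    matches = dict(unique_pairs(old, new, old, new))   # initial anchors
    old_callers, new_callers = callers_map(old), callers_map(new)
    progress = True
    while progress:
        progress = False
        for a, b in list(matches.items()):
            # Walk the call graph from every matched pair: callees, then callers.
            for nbrs_a, nbrs_b in ((old[a][1], new[b][1]),
                                   (old_callers[a], new_callers[b])):
                ua = [n for n in dict.fromkeys(nbrs_a) if n not in matches]
                ub = [n for n in dict.fromkeys(nbrs_b) if n not in matches.values()]
                pairs = unique_pairs(ua, ub, old, new)
                if not pairs and len(ua) == 1 and len(ub) == 1:
                    pairs = [(ua[0], ub[0])]   # lone neighbours: match even if changed
                for x, y in pairs:
                    matches[x] = y
                    progress = True
    return matches


def diff(old, new):
    matches = match_functions(old, new)
    changed = sorted((a, b) for a, b in matches.items() if old[a][0] != new[b][0])
    removed = sorted(set(old) - set(matches))
    added = sorted(set(new) - set(matches.values()))
    return matches, changed, removed, added


if __name__ == "__main__":
    matches, changed, removed, added = diff(OLD, NEW)
    for a, b in sorted(matches.items()):
        print(f"{a} -> {b}{'  (changed)' if (a, b) in changed else ''}")
    print("removed:", removed, "added:", added)
```

Two of the five functions share a signature, so they cannot be anchored directly; they are resolved only because their caller was. The lone-neighbour rule is what lets the patched function be matched to its old self despite its different signature, which is exactly the pair a patch analyst wants reported as changed. Real binaries need richer signatures and a tie-breaking strategy for the many functions that collide, but the propagation structure is the same.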
Halvar Flake is the CEO and head of research at SABRE Security. He has been working on topics related to reverse-engineering (and vulnerability research) for the last eight years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (Blackhat Briefings; CanSecWest; SSTIC; the Detection of Intrusions and Malware, and Vulnerability Assessment Conference).
Aside from his research activity, he has taught classes on code analysis, reverse engineering, and vulnerability research to employees of various government organizations and large software vendors.
Halvar founded SABRE in 2004 in order to further research automation of reverse engineering and code analysis.
This presentation investigated the security flaws present in common ASP.NET deployments. Moore reviewed the key security improvements in ASP.NET v2.0 and delved into many of the architectural flaws present in ASP.NET v1.1. Microsoft-developed applications and Web sites were used as case studies throughout the presentation.
HD Moore is a professional security engineer, frequent contributor to Open Source Vulnerability Database (OSVDB), and co-author of Metasploit.
This talk described the many ways search technologies are being employed by users with malicious intent. The implications of this activity are far reaching and often quite surprising. Chock full of live, current examples, this talk outlined the many techniques behind this dangerous and often misunderstood form of information leakage. Extending well beyond "interesting queries," this talk took it to the next level, revealing the awesome power of a well thought out, properly executed, large-scale information gathering campaign that relies solely on "open source" search technologies.
Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. Recently, Johnny has enjoyed writing stuff, reading stuff, editing stuff, and presenting stuff at conferences, which has served as yet another diversion to a serious (and bill-paying) job as a professional hacker and security researcher for Computer Sciences Corporation. Johnny enjoys spending time with his family and making much-too-serious security types either look at him funny or start laughing uncontrollably. Johnny has written or contributed to several books, including Google Hacking for Penetration Testers, from Syngress Publishing, which has secured rave reviews and has lots of pretty pictures.
This talk described new trends in database security. Alexander showed how to transfer common malware concepts like rootkits and viruses into the database world. He showed how a database rootkit works and different ways to implement database viruses (for example, by infecting database views).
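As an added example (constructed for this page in SQLite, not code from the talk and not an Oracle data-dictionary view), the following Python shows the view-based hiding the description refers to, together with the two checks that the rootkit analogy implies on the defensive side: reconcile the view against the base table it claims to present, and compare the stored view definition against a known-good baseline.

```python
import hashlib
import sqlite3

VIEW_NAME = "all_users"


def make_db():
    # Constructed schema: a base table plus the "catalogue" view that admin
    # tooling queries instead of the table itself.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_accounts (username TEXT PRIMARY KEY, is_admin INTEGER);
        INSERT INTO user_accounts VALUES ('alice', 1), ('bob', 0);
        CREATE VIEW all_users AS SELECT username, is_admin FROM user_accounts;
    """)
    return conn


def view_ddl_hash(conn, name):
    # Baseline the stored view definition once; re-check it on a schedule.
    row = conn.execute(
        "SELECT sql FROM sqlite_master WHERE type = 'view' AND name = ?", (name,)
    ).fetchone()
    normalized = " ".join(row[0].split())
    return hashlib.sha256(normalized.encode()).hexdigest()


def install_rootkit(conn):
    # What an attacker with DDL privileges does: add a backdoor account, then
    # redefine the view so the account is filtered out of every listing
    # built on top of it. The base table still holds the row.
    conn.executescript("""
        INSERT INTO user_accounts VALUES ('svc_backup', 1);
        DROP VIEW all_users;
        CREATE VIEW all_users AS
            SELECT username, is_admin FROM user_accounts
            WHERE username <> 'svc_backup';
    """)


def listed_users(conn):
    # What a DBA or audit tool sees when it trusts the view.
    return [r[0] for r in conn.execute("SELECT username FROM all_users ORDER BY 1")]


def hidden_users(conn):
    # Check 1: reconcile the view against the base table it claims to show.
    base = {r[0] for r in conn.execute("SELECT username FROM user_accounts")}
    return sorted(base - set(listed_users(conn)))


def run_scenario():
    conn = make_db()
    baseline = view_ddl_hash(conn, VIEW_NAME)
    install_rootkit(conn)
    return {
        "listed": listed_users(conn),                               # backdoor absent
        "hidden": hidden_users(conn),                               # ['svc_backup']
        "ddl_changed": view_ddl_hash(conn, VIEW_NAME) != baseline,  # check 2: True
    }


if __name__ == "__main__":
    print(run_scenario())
```

Both checks need to read the base table and the catalogue directly, with a connection the attacker could not have tampered with; a check that itself goes through the infected view reports nothing.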
Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specializing in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker training courses. Before that he worked for several years for Oracle Germany, Oracle Switzerland, and IBM Global Services as a consultant.
Alexander Kornbrust has worked with Oracle products as a DBA and developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products.
A database system does not receive as much security scrutiny as the operating system on which it runs, but flaws within database software, and the configuration choices made by database administrators, can allow a malicious attacker to compromise the data and the host completely.
This talk discussed database weaknesses within systems deployed in corporate enterprise environments. Products from Oracle, Sybase, Microsoft, IBM, and the open source community are commonly used to fulfill data store requirements, and all can be abused and compromised with ease under all-too-familiar scenarios. Accessing the data, popping the server, and attacking the network beyond can all be achieved with just a few simple steps. Examples of the most common problems encountered during specialist consultancy and research from NGS Software were used to illustrate the main pitfalls associated with corporate database systems.
The talk also commented on the ways in which database vendors must change their products in the future, including how SQL Server 2005 held up under fire when Microsoft asked NGS to try to hack it.
Kev Dunn is a senior consultant for NGS Software, responsible for conducting penetration testing and security assessments of customer networks across many different operating environments. Providing consultancy advice for a wide selection of high-profile clients has given him detailed exposure to, and assessment experience of, the database and network architectures commonplace within the world's financial and technology industries. His specialist knowledge, combined with hands-on consultancy experience of back-end database systems and network infrastructure, has led to an invitation to design, author, and present a comprehensive set of training courses for NGS. He currently teaches the first and only database hacking training course to appear at the BlackHat Security Briefings.
The Metasploit Framework is an advanced exploit development and security research platform. The Metasploit development team has spent the last year rewriting the entire code base to extend the capabilities of the system and provide a rich development application programming interface (API). This presentation focused on the extensive functionality improvements and development possibilities available in the latest version of the Framework.
HD Moore is a professional security engineer, frequent contributor to OSVDB, and co-author of Metasploit.