Skip to main content


BlueHat Redmond Security Briefings: Fall 2011 Sessions

BlueHat v11: November 3-4 at the Microsoft corporate headquarters

The primary objective of the BlueHat Conference Series is to build bridges between Microsoft developers and executives, key security program partners, and members of the security research community while educating the greater Microsoft population on security threats and mitigations.

BlueHat v11 again brought leading external security researchers to campus to present timely and lively presentations that showcased ongoing research, state-of-the-art security tools/techniques, and emerging security threats. Our main themes for BlueHat v11 focused on threat landscape, web application security, cloud security, and the security ecosystem.

News from BlueHat 2011

Get the latest conference news from internal Microsoft speakers and external community members.

Day 1: Thursday, November 3rd – BlueHat v11 General Sessions

Morning Block: Threat Landscape

 Opening RemarksAndrew Cushman, Director, GSSD, Microsoft
 Challenges and Successes in Mitigating the Cyber ThreatShawn Henry, Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch, FBI
 Modern Threats from an Attacker’s and a Responder’s PerspectiveMark Raeburn, CEO, Context Information Security
 Microsoft's Perspective on Targeted AttacksMark Oram, Principal Security Group Program Manager, EcoStrat, Microsoft


Afternoon Block: Web Application Security

 A Statistical Journey through the Web Application SecurityJeremiah Grossman, CTO, WhiteHat Security Inc.
Locking the Throne Room - ECMA Script 5, a frozen DOM, and the eradication of XSSMario Heiderich, Independent Researcher, Ruhr-University
You Spent All That Money And You Still Got Owned????Joe McCray, Founder and CEO of Strategic Security

Day 2: Friday, November 4th – BlueHat v11 General Sessions

Morning Block: Cloud Security

 New Ways To Hack your Web AppRich Lundeen, Security Engineer, Microsoft; Jesse Ou, Security Engineer, Microsoft; Travis Rhodes, Security Engineer, Microsoft
 How To Determine the Value of SecurityJared Pfost, CEO, Third Defense
 Assume Breach, Now What?John Walton, Principal Security Manager, Office 365 Security, Microsoft


Afternoon Block: Security Ecosystem

 Win Phone 7 OEM FailAlex Plaskett, Security Consultant, MWR InfoSecurity
 The Security Trifecta – The Platforms, the Apps, and the StoresMatias Brutti, Researcher, IOActive
 SSL and the Future of AuthenticityMoxie Marlinspike, CTO, Whisper Systems


Session Videos

Nine Trends Affecting the Future of ExploitationBlueHat Kickoff!

When the idea of the first BlueHat was conceived, a mad brainchild of an idea to invite hackers behind the walls and bring their experience, expertise, and participate in the security entity that is Microsoft, no one thought past the "let's make sure we pull this off successfully". We had no idea of the impact that little ol' security conference could and would have 6 years later as it has grown into an annual multi-day event, international forums, and a force in the internal and external security science space. Andrew shares his perspective on the evolutions, lessons learned, and thoughts about the future of BlueHat and security challenges at Microsoft.

A Statistical Journey through the Web Application Security Landscape

Breaking news or stale information; the web can be a dangerous place. This afternoon block of BlueHat v11 will kick off with Jeremiah Grossman presenting a statistical analysis of the current state of web vulnerabilities.

Locking the Throne Room - ECMA Script 5, a Frozen DOM and the Eradication of XSS

Cross Site Scripting has been a topic in countless presentations over the last decade. That easy to grasp but hard to solve problem has been shaking the web and caused major trouble on hundreds to thousands of high traffic and commercial and well as governmental websites. Mitigation techniques have been developed and discussed in depth - starting with restrictive content filters, educational programs and trainings, programmer's best practices and guidelines, proxy filters and many more. Still XSS remains a major problem far from being solved. The multilayer model on which the web relies causes too much reciprocity to find an easy cure - and the DOM as the actually affected layer is still lying unprotected open for the attacker.

This presentation introduces and discusses a novel approach of encountering XSS and similar attack techniques by making use of several new features included in the ECMA Script 5 specification draft. It will be shown how to create a simple JavaScript to seal important DOM properties, and take away the attackers ability to read and modify sensitive data in a tamper resistant and light-weighted way - without being "too loud". Modern browsers, such as Chrome 8 and Firefox 4, for the first time provide the possibility of creating and using client side IDS/IPS systems, written in JavaScript and running without special execution privileges. The presentation will show how these attacks work, what the implications are, and what the future of XSS mitigation and eradication might look like.

You Spent All That Money and You Still Got Owned????

This talk will focus on practical methods of identifying and bypassing modern enterprise class security solutions such as Load Balancers, both Network and Host-based Intrusion Prevention Systems (IPSs), Web Application Firewalls (WAFs), and Network Access Control Solutions (NAC). The goal of this talk is to show IT Personnel the common weaknesses in popular security products and how those products should be configured.

The key areas are:

  • IPS Identification and Evasion
  • WAF Identification and Bypass
  • Anti-Virus Bypass
  • Privilege Escalation
  • Becoming Domain Admin

How To: Determine The Value Of Security

Jared Pfost, a former Blue Badge, shares techniques how to determine the right amount of security investment for IT, cloud services, or even the SDL. Jared challenges you to define what success really looks like for security and decide if you really want it. Jared breaks down security investment by being honest about mandatory vs. discretionary spending, how to gauge control effectiveness, and approaches to understand team efficiency. While his techniques originated during his Microsoft years, Jared picked up significant advancements working in startups and financial services.

The Security Trifecta - The Platforms, the Apps and the Stores

Given that application delivery is shifting rapidly toward a distributed model, particularly with regard to online/mobile app stores, the complexity of the application security landscape, including the platforms on which they live and the stores themselves, is increasing. While this model is currently relevant to the mobile application realm, it's also being adopted by the desktop/tablet market, so it's important to stay abreast and aware of all the potential security risks involved.