Andrew Cushman back again.


BlueHat v8 is October 15th, 16th and 17th on the Microsoft campus in Redmond. The BlueHat team selected content that’s especially interesting and topical for Microsoft engineers and execs. We start it off with an Exec Day on the 15th – condensed versions of the presentations – still deeply technical – just delivered faster and with fewer graphics and demos. Then two days of general sessions – the morning of day one is the, by now traditional, focus on emerging security threats and in the afternoon on state of the art hacking tools and techniques. Day two covers Security Development Lifecycle (SDL) – a whole day’s content focused on the full lifecycle of security engineering – with a progression from design, to implementation, to verification.

Over the past four years, BlueHat has expanded and grown. It’s gratifying to see the progress and the impact BlueHat has internally at Microsoft and that it’s starting to have in the larger ecosystem. The two original goals still apply and guide the conference:

- Expose senior product leaders and front line engineers to the threats, attack tools and methodologies used in the real world; take the security threat from the theoretical/intellectual level of, “I understand what a buffer overflow is,” to “OMG that’s what it’s like.” BlueHat connects with execs and engineers at a visceral level and *really* brings the message home.

- Expose security researchers (and the security community) to Microsoft engineers and business leaders. BlueHat gives us a chance to open up on our home turf and give researchers an opportunity to interact with all levels of the organization. They get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security.

For the eighth edition of BlueHat we have explicitly added a new goal:

- To promote a community based defense agenda. BlueHat seeks to leverage Microsoft’s unique place in the ecosystem and our unique set of relationships to make bridging connections between diverse ecosystem constituents and to the foster dialog necessary to breathe life into mantra of “it takes a village”.

Here’s a brief overview of the talks and speakers.  Full details will be available on the BlueHat web site within the week.

Day 1

We’ll start day 1 of the general sessions with a focus on crimeware. Iftach Amit from Alladin will give us a glimpse into the intricate workings of supply and demand, the pricing models, distribution models and the sophistication of the development environment.

Next up, in the “what could possibly go wrong” category, a couple talks about the unintended consequences of the social networking phenomenon and the explosion of information on the Internet. Nitesh Dhanjani (Ernst & Young) teams up with Akshay Aggarwal from Microsoft’s ACE team to talk about how your online persona and activity can be tracked, correlated and used to influence behavior.

Roelof Temming (Paterva) covers a similar topic but more broadly and (if possible) with even bigger implications to online communities. Roelof will show how the Maltego framework can collect and correlate public information and create a comprehensive profile of a person or a group / organization.  He’ll also describe how the lack of true identity on the net can result in the creation of imaginary friends and wholesale fictitious virtual communities which can be used for anything from stock market manipulation to political gain.

We’ll round out the threat portion of the day with presentations on how old favorites like Cascading Style Sheets and DNS are being abused in new ways.  David Lindsay (Security Innovation), Gareth Heyes & Eduardo Vela will detail how CSS can be used for a lot more than making a website look sexy – e.g., how to scan an internal network, to track visited links on third-party websites, or read the content of third-party websites.   Dan Kaminsky (IOActive) also makes a return to BlueHat. Dan asked us not to disclose the details of his talk (or at least give him 30 days from the announcement), so we’re not exactly sure what Dan’s going to talk about. But we’re really glad to have him back again. <wink>


We’ll have two presentations from SWI – Richard Johnson and Ian Hellen. Richard will discuss several visualization techniques and their usability in software security. He’ll also demo internally developed processes for creating visualizations of data from static analysis. Ian will recap lessons learned from the security review process for Windows and discuss methods to identify high risk components that need special attention in the form of design and code reviews.

Day 2

We’ll start day two with a couple talks on Threat Modeling – Danny Dhillon will share EMC’s experience applying threat modeling to the EMC development process and Adam Shostack will discuss Microsoft’s approach and publicly demonstrate the new SDL Threat Modeling tool used by Microsoft development teams.

SDL day also features a return by a true leviathan in the industry – Matt Miller returns to BlueHat, this time on the SDL track to discuss the evolution of sophisticated exploitation techniques and the corresponding development of equally sophisticated mitigations such as GS, DEP, and ASLR. This presentation explores the technical details of these developments by illustrating the logical evolution of Microsoft’s mitigations and how well each mitigation has fared.  

Scott Stender and Alex Vidergar from iSEC Partners kick off the afternoon, demonstrating concurrency attacks on web applications. They will provide insight into the ease with which concurrency flaws can be introduced into systems, offer guidance on evaluating the security impact of such flaws, and discuss strategies for eliminating such flaws, helping developers and testers alike.

A trio from the SWI team will discuss several aspects of fuzzing: How should I fuzz?  When have I fuzzed enough?  What do I do now that I’ve fuzzed? Jason Shirk, Lars Opstad and Dave Weinstein will compare fuzzing models (dumb vs. smart) and highlight the merits of several approaches. They will use real world examples to discuss the many variables at play when considering how much fuzzing is enough.

Vinnie Liu is back again – this time talking about code audits. He’ll provide a thorough and objective review of the benefits, shortcomings, and trade‑offs of static code analysis tools, black box application scanners and provide recommendations for which activities are best done by machine.

And we’ll wrap the SDL day, and the conference, with a panel discussion that asks, “Is all of this SDL stuff really necessary? Why not just slap a Web Application Firewall on all of our online properties and avoid the muss and fuss of 100+ SDL requirements?” This is not a rhetorical question! Our panelists, Arian Evans of White Hat Security, Mike Andrews of Foundstone, the SDL team’s Bryan Sullivan, and Nate McFeters from Ernst & Young will seriously discuss this issue and come to a conclusion.


We continue to expand the BlueHat blog and the TechNet site to keep you up-to-date on the happenings at the conference. We’ll update both regularly with new blog entries and video podcasts.