Halvar Flake, Sabre Security
I have been told that I can write a blog entry for the BlueHat blog, with little or no editing, and now I sit here and have to make up something interesting to write about. I have a bit of a writer's block today, caused by being tired, jetlagged, and already halfway on my way to the airport for my flight back. Also, the first draft of my blog post tried to be witty, and failed spectacularly at that.
Bluehat is an interesting event – it's quite enlightening to talk to the people here. MS usually has problems to solve that are larger (and by extension more interesting) than most other companies.
One has to admit that Vista is arguably the most secure closed-source OS available on the market. Microsoft did do a good job at addressing the issues of previous Windows versions. Progress on all fronts has been achieved, and MS is probably better than any other closed-source software vendor when it comes to the security of their products.
This makes it difficult for attackers. The cost of developing an exploit for Vista is significantly higher than for any previous versions.
As a result, I think that most of the security researchers will move on to greener pastures for a while. Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some Antivirus software with shoddy file parsing, and the latest iTunes?
I expect only a small number of remotely exploitable vulnerabilities in Vista. We will see everybody else getting hammered though. But, for a while, there will be (relative) quiet and calm in Redmond.
It is important to keep in mind though that everybody is just waiting for Microsoft to become complacent again. Secretly, all attackers are hoping that Vista will be a failure, security spending will be scaled back and nobody will attempt to build a secure mainstream OS again.
Let's wait and see where this goes. It was fun being here, and I hope that I will be back at some point in the future.
BlueHat 3 just completed last week, and all I can say is WOW. Great speakers. Great presentations. Packed audience. You can read the session abstracts and speaker bios here to see what I'm talking about.
OH! I should introduce myself. Where are my manners? I'm Kymberlee Price, a Security Program Manager at Microsoft. The organizational taxonomy of where I work at Microsoft is kind of crazy* - the short explanation is that I'm in an engineering group that is responsible for product security across Microsoft - both products we have and haven't shipped yet. When I'm not busy planning BlueHat, I do a variety of things to help Microsoft developers and external security researchers connect and learn from each other with the ultimate goal of providing a more secure computing experience for users.
Of course no one person can plan a three day conference on their own - I work with a team of great people who you will also see here on the BlueHat Blog. Over the coming days we'll be posting our reflections on BlueHat 3 as well as photos and links to podcasts and channel9 video from the event. And we sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience with you.
Security Program Manager
Security Engineering & Communications Group
Security Technology Unit
Microsoft Corporation
*see what I mean?
Katie Moussouris here. I’m the newest Security Strategist here at Microsoft. I was brought in by Sarah Blankinship to contribute to the work of the MSRC Security Community Outreach Team. I work in the group that is responsible for securing current and future Microsoft products.
My background is application security, having come from Symantec by way of the @stake acquisition. I founded and ran the Symantec Vulnerability Research Program. Before that, I spent many years as an application penetration tester, security researcher, and started the security response program for an OS company. There were penguins involved – but that can be our little secret (just between you, me, and the Internet). ;-)
This installation of BlueHat was my first attendance as an “insider”, and I was able to see for myself that the true beauty of BlueHat was making sure the right people met and spoke to each other outside of the lectures. The event allows for the natural convergence of passionate technologists (researchers and MS engineers alike) to come together and brainstorm about ways to protect end users now and in the future.
One of these opportunities for interaction was introducing RSnake to the IE team and anti-phishing task force so that they can talk about how we can work together to come up with better ways to fight phishing, cross-site scripting, cross-site request forgeries, and their ilk. I can’t wait to see what the researchers bring us in September!
Another cool thing I got to do in my first 30 days at Microsoft was speak at ToorCon Seattle (Beta). (See – I wasn’t assimilated.)
The talk was titled “Vulnerability Disclosure Panel Remix” and it was the perfect opportunity to ask the security community “What makes a ‘good vendor’ from a researcher’s perspective?”
This direct feedback from the research community can help not just Microsoft find more efficient ways to maintain friendly relationships with researchers, but also help other vendors improve their researcher relations. It’s my job to help Microsoft lead the way when it comes to proactive security community outreach. My 20 minutes of running around in the audience this past Saturday with mic in hand was more than a “How’s my driving?” exercise; It was a “How’s everyone’s driving?” exercise. We all share the road, traffic is heavy, and we all have some miles to go before we reach home.
Brad Sarsfield here again. I’d like to share with you my thoughts on David Litchfield’s BlueHatv3 talk. David Litchfield is the Chief Research Scientist at Next Generation Security Software (NGS) and spoke to a 600+ standing room only crowd at Bluehat 3 on March 9th. David took us through his thoughts on the current state of the database security world and talked about his current areas and focus of his research.
David did not discuss specific database vulnerabilities but rather showed the concepts behind subverting the database application logic to attack the database. David talked about SQL injection inside the database and also second order SQL injection inside the database, whereby you store data in the database and at a later time it gets used in a place vulnerable to SQL injection.
David talked through the possible dangers of having system stored procedures and triggers that could be vulnerable to SQL injection. Since triggers execute under the permissions of the owner, if one can find a trigger that is vulnerable to SQL injection the permission boundaries can be crossed and it can be used to gain escalation of privileges inside the database.
If you have access to the database and you have a SQL injection vulnerability in a stored procedure or trigger that runs outside of your permission boundary, a malicious user could use the vulnerable SPs to grant themselves privileges that they are not supposed to have.
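To make the second-order pattern and the permission-boundary point concrete, here is a constructed T-SQL illustration (added for this post; not code from David's talk or from SQL Server itself). It assumes hypothetical tables dbo.Customers(CustomerId, Region) and dbo.Orders(OrderId, CustomerId, Region); the first procedure splices a previously stored value into dynamic SQL while running with the owner's rights, the second passes it as a typed parameter and runs as the caller.

```sql
-- Constructed example, not from the original post or from SQL Server.
-- Assumed schema: dbo.Customers(CustomerId, Region), dbo.Orders(OrderId, CustomerId, Region).

-- VULNERABLE (second-order): Region was written by an earlier INSERT and is
-- trusted here. Whatever text sits in that column becomes part of the executed
-- statement, so whoever wrote the row can change what the query does. Because
-- the procedure runs as its owner, the altered statement runs with the owner's
-- permissions rather than the caller's: the permission boundary is crossed.
CREATE PROCEDURE dbo.ReportOrdersForCustomer_Unsafe
    @CustomerId INT
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @Region NVARCHAR(100), @Sql NVARCHAR(MAX);
    SELECT @Region = Region FROM dbo.Customers WHERE CustomerId = @CustomerId;
    -- String concatenation turns stored data into SQL code.
    SET @Sql = N'SELECT OrderId FROM dbo.Orders WHERE Region = ''' + @Region + N'''';
    EXEC (@Sql);
END;
GO

-- HARDENED: the stored value travels as a typed parameter, never as statement
-- text, and the procedure runs as the caller so a logic flaw cannot lend it the
-- owner's rights. (When the statement shape is fixed, a plain static SELECT is
-- better still; sp_executesql is shown for the cases where dynamic SQL is unavoidable.)
CREATE PROCEDURE dbo.ReportOrdersForCustomer
    @CustomerId INT
WITH EXECUTE AS CALLER
AS
BEGIN
    DECLARE @Region NVARCHAR(100);
    SELECT @Region = Region FROM dbo.Customers WHERE CustomerId = @CustomerId;
    EXEC sp_executesql
        N'SELECT OrderId FROM dbo.Orders WHERE Region = @r',
        N'@r NVARCHAR(100)',
        @r = @Region;
END;
GO
```

The same two fixes apply to triggers: parameterize any dynamic SQL, and let the object run with the least privilege the caller already has rather than inheriting the owner's.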
At the end of the day:
1) Tools are not enough. Your database and application design need to have clear forethought. Tools are a good start, but don't rely on them to catch all of your mistakes. (That's exactly what our own security experts have been telling us.)
2) Triggers can be dangerous. Think carefully about how you use them.
3) Even low risk issues should be respected.
If you’re interested in David Litchfield’s work I would highly suggest a book that he co-authored titled “The Database Hacker's Handbook: Defending Database Servers” (ISBN: 0764578014)
Caleb Sima: Exploiting Web Applications
Halvar Flake: BinDiff Analysis
HD Moore: How not to deploy ASP.Net applications & Metasploit
Alexander Kornbrust: Database Viruses & Rootkits
The BlueHat team has been getting a lot of questions from both inside and outside of Microsoft asking if we are going to publicly post video or audio recordings of the BlueHat presentations, or if we are going to hoard the BlueHatty goodness and keep the presentation details all to ourselves... A totally valid question since all of our BlueHat presentations from 2005 and 2006 are fantastic and things any developer or IT Pro could benefit from seeing.
BlueHat speakers present at a number of public conferences, many of the speakers have written books, and in some cases speakers are willing to schedule private presentations to interested groups. So while we don’t want to deprive customers of information that could help them improve their enterprise or product security, Microsoft is also respectful of our speaker’s expertise and the business they derive from that. To that end, we are attempting to provide a list of publicly available resources you might reference for additional information.
(speakers – please let me know if I’ve missed something and I’ll update the posting!!)
Upcoming Public Presentations & Training (listed in date order)
Caleb Sima - Methodologies and Demos of Web Application Hacks: ISSA Charlotte 3rd Annual Information Security Summit, Charlotte NC, March 23
Vinnie Liu - Bleeding-edge Anti-forensics: InfoSecWorld 2006, Orlando FL, April 3-5
HD Moore - Metasploitation (and a dash of IPS): CanSecWest, Vancouver BC, April 5-7
Halvar Flake - More on Uninitialized Variables: CanSecWest, Vancouver BC, April 5-7
Alex Stamos & Scott Stender - Attacking Web Services: CanSecWest, Vancouver BC, April 5-7
Vinnie Liu - Defeating Forensic Analysis: Computer and Enterprise Investigations Conference 2006 (CEIC), Lake Las Vegas NV, May 3-6
David Litchfield - Breakable: Secure Your Oracle Servers By Breaking Into Them: Black Hat Training, Las Vegas NV, July 29-30 and again July 31-August 1
Kev Dunn - Advanced Database Security Assessment: Black Hat Training, Las Vegas NV, July 29-30 and again July 31-August 1
Halvar Flake - Analyzing Software for Security Vulnerabilities: Black Hat Training, Las Vegas NV, July 31-August 1
Halvar Flake – SABRE Security Training, Frankfurt Germany, October 2006
On Demand Webcasts, Videos, & Presentations
Caleb Sima: http://www.spidynamics.com/spilabs/education/webcasts.html
Caleb Sima: http://www.spidynamics.com/spilabs/education/videos.html
Brett Moore: http://www.security-assessment.com/tech-1.htm
BlueHat speakers present at many conferences worldwide, but Black Hat and ShmooCon are the only conferences we are aware of that offer a public archive of prior conference presentations.
*whoops, RECon and HITB also have online archives... Thanks TG for the reminder.
David Litchfield: The Database Hacker's Handbook: Defending Database Servers (ISBN: 0764578014)
David Litchfield: The Shellcoder's Handbook : Discovering and Exploiting Security Holes (ISBN: 0764544683)
David Litchfield: SQL Server Security (ISBN: 0072225157)
Caleb Sima: Hacking Exposed Web Applications, Second Edition (Hacking Exposed) (ISBN: 0072262990)
Johnny Long: Google Hacking for Penetration Testers (ISBN: 1931836361)
Vinnie Liu, Johnny Long: Penetration Tester's Open Source Toolkit (ISBN: 1597490210)
Vinnie Liu: Writing Security Tools and Exploits (ISBN: 1597499978)
Dan Kaminsky: Hack Proofing Your Network 2nd Edition (ISBN: 1928994709)
David Maynor: ISS X-Force: Next Generation Threat Analysis and Prevention (ISBN: 1597490563)
UPDATED MARCH 29, 2006 to add upcoming presentations by Vinnie Liu, change authors listed on Penetration Tester's Open Source Toolkit, and add two more conference archives.
Hi, I'm Brad Sarsfield (bradsa!); I’m the SQL guy here. One of the interesting things about me and my team is that I own the ‘slammer’ component in SQL Server, so by that very nature quite a large part of my job description is to ensure (and I quote) “that never … ever … happens again”. So by default that makes me a SQL security guy and I work quite closely within the SQL Server security team.
In my adventures to fulfill my job description I've met a lot of brilliant database security researchers like David Litchfield, Kevin Dunn and Alexander Kornbrust. I've had conversations with these and other researchers that I really wish I could have shared with the 1000 of my SQL Server engineering colleagues. So after a few of the "I wish everyone working on SQL Server could hear this right now!" moments I talked Kymberlee Price and Andrew Cushman into adding another day; thus we added another day focused on SQL, Data and Web application security.
The first day was a condensed set of talks to senior product leadership and executive types. The second day took a SQL, Data and Web application focus while the third day focused in on the Windows Platform.
On the first day, putting around 40 highly technical senior level engineers, architects and executives in a room for a few hours with some of the top security researchers in the world was an amazing sight, oh and we did it twice that day (March 8th). It was open and honest discussion about problems specific to Microsoft technologies and also problems that affect our entire industry. Some of the speakers gave a condensed version of their talk during this session.
Everything was fair game. Hearing senior executives say things like: “I want the people responsible for those features in my office early next week; I want to get to the bottom of this” was at least one measure of success from my point of view for the event. The speakers were quite impressed with the technical depth that our executives have.
Stay tuned as we bring more content online at the BlueHat technet site.
Microsoft SQL Server
BlueHat is Microsoft's own little hacker con. We host it twice a year -- the sessions today were all about innovation in security research.
What did we learn? That Microsoft cannot solve the security problem, but we can raise the bar substantially to the point where finding bugs in Microsoft products is hard, and building reliable exploits even harder. To reach this lofty goal requires that we learn from the innovators; to spot trends, learn of new attack techniques and vulnerability types so we may add defenses and countermeasures to help turn the tables on attackers and ultimately, protect customers.
Highlights from this BlueHat include: new insights into mobile & web app hacking, vendor agnostic issues in security protection offerings, the art and science of reverse engineering security patches and interesting stories about how some of our speakers cracked the Xbox 360.
We look forward to bringing you more content, links to podcasts and channel9 video from this edition of BlueHat.
Senior Security Strategist
I work for Andrew Cushman, take a look at his first MSRC Blog post.
Speaker bios and abstracts are here.
Andrew Cushman here. BlueHat is back in Redmond, as BlueHat v6: The Vuln Behind The Curtain opens September 27th and 28th. Once again we have two days of great security content that covers the spectrum of issues in security. The BlueHat speakers, both leading external security researchers and internal Microsoft engineers, will pierce the security veil of virtualization and process isolation. Plus, we've got a couple of talks on Windows Mobile and more about automated exploit creation – this time using Metasploit. There will also be a talk on a DNS pinning design issue that demonstrates how Internet Explorer can turn into a VPN concentrator. All this, and talks on Office, Binary Instrumentation, Visualization and the Economics of Security! And we're pretty sure there won't be any visa issues for our invited speakers. :-)
As we reflect back on the 10 years of evolution in security at Microsoft, it’s fascinating to watch the deepening of relationships between Microsoft and the security ecosystem, and consider how these relationships tie into larger, longer term initiatives. Hearing from the people doing cutting edge research helps Microsofties understand the external research community’s focus and motivations, and helps us build better products and offerings.
As I mentioned in my blog entry for BlueHat v5, the goals of BlueHat are:
- To expose senior product leaders and front line engineers to the threats and attack tools and methodologies used in the real world. Take the security threat from the theoretical/intellectual level of "I understand what a buffer overflow is" to "OMG that's what it's like." BlueHat connects with execs and engineers at a visceral level and *really* brings the message home…
- To expose security researchers (and the security community) to Microsoft engineers and business leaders… BlueHat gives us a chance to open up on our home turf and gives the researchers an opportunity to interact with all levels of the organization. They too get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security.
BlueHat is unique and still a closed door conference for MS product teams, but this year we will open up a little – with info about the conference before it starts and with more info made available during the conference. Please check the BlueHat blog for current info and updates.
Ollie Whitehouse
Architect, Advanced Threat Research, Symantec Corporation
So if you had told me that one day I would be invited to Microsoft to talk about a subject I've now been involved in researching on and off for over six years, and something I must say that has burned in my belly with passion for most of it, I would have said 'unlikely'. However as I write, this is indeed what I'm doing. Microsoft has invited for a second time an employee of Symantec to present at BlueHat – Matt Conover was the first, on heap overflows.
Before I go into detail on what I’m speaking about at BlueHat, let me first provide a little background on the security of mobile devices and where we are today. Today we sit in a world where there are security risks with most devices – however these risks are in most cases difficult to exploit due to the proprietary nature of the operating systems on them.
These proprietary systems, by their very nature, have little or no public information – this precludes even the most determined attacker from reverse engineering and exploiting them unless they have access to resources confined to a few. However with the arrival and increased uptake of COTS on the handset, this is changing.
Today we have three major players – Symbian, Windows Mobile (CE) and Linux. The fact that these systems are designed to be customized, extended and developed for by device developers, operators as well as the aftermarket means that there is both commonality within devices running the same OS as well as a wealth of information. This in turn helps aid successful exploitation – we have also seen the emergence of traditional malicious code on two of these platforms (Symbian and Windows Mobile).
To say this malicious code is on the same scale as the desktop, as I've said many times before, would be only to overplay the situation. However the following points are true – we now have mobile devices that have such ubiquitous communication and that, compared to their desktop counterparts, are at least a generation or two behind in security evolution. This means that as the value and sensitivity of the data held on mobile devices increases, combined with the facts that their prevalence is increasing, their links into the corporate infrastructure increase. The fact that the desktop is becoming harder to attack means that it is logically only a matter of time before we see the emergence of, at best case, targeted attacks against mobile devices, and at worst case, epidemics as we see on the desktop today.
Many people ask why we haven’t seen widespread mobile attacks to date. My reply is often simple and sometimes quite short – that is ‘why bother when the desktop is still so fruitful?’ We have to remember attackers are lazy – they will rarely innovate of their own volition – often only choosing new targets when forced to do so. This, combined with the fact that the handset market is quite fragmented between the three players and the mix of proprietary platforms, means that locating the correct type of device to attack or propagate to in a non discriminatory manner (Microsoft doesn’t have 90% of this space) is much harder, and is likely to fail. The attack is also more likely to be detected and mitigations installed in the network where possible and signatures rolled out to handset Antivirus.
However we have had one good example where most vendors made some sort of mistake – and that, my friends, was Bluetooth. One standard, with many implementations, and many mistakes – this demonstrated that implementation issues or standards interpretations through standard stack based overflows could exist in code developed by many vendors with an impact on security. This was quite a scare - but since then the industry has not had to respond to anything of this scale.
So before I ramble for too long, on to what I'm at Microsoft to talk about. Well I've been working for Advanced Threat Research for nearly two years now and before that Government Research at Symantec. I've been looking at the types of threats mobile devices and networks are susceptible to. Some of this research has been summarized on a Symantec Blog. The rest has been directed solely at our internal product teams. As part of this research, I've spent a lot of time documenting the attack surfaces of mobile devices, as well as doing some deeper analysis on Windows CE/Mobile. It is both of these subjects that I'm here at Microsoft to present on. In summary, my talk covers:
§ General Summary of CE 5.x's, WM 5's and WM6's security posture
§ The susceptibility of CE 5/WM 5 & 6 to rootkits and why there is no real difference from the desktop
§ Mobile Device Attack Surfaces
§ Experiences of interacting with MSRC when discussing security issues
The goal is really to leave the audience with six messages:
§ Security investment in CE/WM has paled when compared to the desktop
§ The net result being that it doesn’t have many of the same mitigations as the desktop
§ The vulnerabilities it’s susceptible to are no different than the desktop and their impact no less
§ The ubiquity of communications means they have the largest attack surface of any system currently in existence
§ That by addressing these issues today we can stop a repeat of the running battles we've seen on the desktop – i.e. let's learn from what's happened before
And with that I think I've typed enough, all pretty logical, all pretty straightforward...
I raise my beer to change and improvement!
http://www.symantec.com/enterprise/security_response/weblog/security_response_blog/mobile_wireless/
http://www.symantec.com/enterprise/security_response/weblog/authors/ollie_whitehouse.html
http://www.symantec.com/enterprise/security_response/weblog/upload/2007/02/MobileThreatBlog-lg.jpg
http://www.symantec.com/enterprise/security_response/weblog/2007/07/windows_cemobile_rootkits.html
http://www.symantec.com/enterprise/security_response/weblog/2006/05/the_elephant_under_the_carpet.html
http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_elephant_is_still_under_th.html
Editor's Note: For more information on Microsoft's Mobile and Embedded Security, see http://msdn2.microsoft.com/en-us/embedded/aa714508.aspx