BlueHat is Microsoft’s internal security conference, similar to our own SecCon. This year the conference was held Oct. 14-15, consisting of two full days of great content in a lecture theater environment. As part of their community outreach and Secure Development Lifecycle (SDL) collaboration I was invited to travel to Redmond for a few days to attend. The theme this year was Security Odyssey; I don’t know if you have seen the movie 2001, but there were references to HAL everywhere. BlueHat v10 Talks was a combination of internal and external sessions — with no NDA’s.
Though I spent much of my time in the speaker lounge, here are a few talks I had a chance to hear (with a little bit of Space Odyssey humor).
Day 1 (Morning Track)
Kicking things off Colonel Sebastian M. Convertino II dove into the topic of computer and information security and discussed his role developing the full spectrum of the Air Force’s cyber warfare capabilities.
BlueHat Alumni Ian Amit then led us on a cyberspace journey through CyberCrime and CyberWarfare; he also mapped out the key players amongst each in CyberCrime and CyberWarfare – connecting the dots.
Day 1 (Afternoon Track)
Dan Kaminsky, in true enthusiastic style, discussed the Unified Theory of DNS Security.
Vincenzo Iozzo, Tim Kornau, and Ralf-Philipp Weinmann revisited their Black Hat USA talk, showing us how return-oriented programming (ROP), an advanced exploitation technique, can be used to bypass most platform mitigations.
Fermin J. Serna and Andrew Roths (Microsoft) reviewed their Enhanced Mitigation Experience Toolkit (EMET), which is similar to Cisco’s Runtime Defense Toolkit. They showed how EMET’s new features can actually defeat current attacks, such as ROP.
Day 2 (Morning Track – Mobile Security – Care to guess the OS that was mentioned most?)
After a brief intro into the subject from Mike Howard, Charlie Miller gave a deeper dive into the space by outlining a brief history of mobile security and addressed what makes mobile exploit payloads unique.
Microsoft’s, Geir Olsen discussed the key challenges that the mobile security model tackled and how its provisions work together in practice to enable trustworthy mobile computing on the Windows Phone 7.
Day 2 (Afternoon Track – The Web Browser Landscape)
Browsers are our windows to the web. Through these windows we see clouds and the Internet first hand. Jeremiah Grossman and Robert “RSnake” Hansen were there to tell us just how distorted the images we see through a browser really are.
Jeremiah Grossman demonstrated how browsers can be broken and used maliciously in Browser Hacks, Design Flaws, & Opt-In Security.
Robert “RSnake” Hansen reminded us of our primitive human traits (of ingenuity and adaptability) by challenging us to design secure browsers for a hostile world (despite complex browser, OS, and network interoperability requirements). Robert’s talk explored just how unusable a browser would be if paranoid internet surfer’s attempt to secure themselves from web-based threats.
For more info and the full agenda on the conference visit this site: