Thursday was the executive sessions, speakers gave truncated versions of their talks, once in the morning, and once in the afternoon. There were a very senior group of folks in the room, up to people like Jim Allchin, Brian Valentine, and a lot of other names that I recognized, but don’t remember.

Andrew Cushman did a great job of framing the talks, explaining why they were selected, and the reasons that they were important. The audience was engaged, and a couple of times, people turned and asked “Why do we do that?” of the person responsible for a feature that was being (ahem) presented in a new light.

The speakers, myself, and Dan Kaminsky got to have a lunch session with Jim Allchin, and a few other Microsoft folks. Jim talked about new features in upcoming products, and got our thoughts on how Microsoft is doing, and how they could do better.

There’s lots more after the break.

The speakers were:

• Dave Maynor of ISS talked about “You are the Trojan,” in which he discussed patterns of research, some issues with things like direct memory access.
• Matt Miller, of Metasploit gave a talk “Temporal Chronomancy.” He discussed how various counters are sometimes interpretable as universal instructions. Very cool.
• Vinnie Liu (also with Metasploit) talked about the Metasploit’s anti-forensics project. One tidbit he shared was that by changing the extension of a text file to .exe, and the first two bytes to “MZ,” a leading forensics tool would see it as an executable. We learned a few minutes later that MZ, the fellow who used his initials as the first bytes of an executable, was in the room with us, and we had some great conversations with him in the hallway later.
• yrg and Jussi of Toolcrypt presented “Reinforcing the TCB.” Yrg explained to me that he and Jussi are sensitive about where details go. I’m going to respect their desire for privacy, and simply say it was slick implementations of things we’ve all known to be possible.
• Brett Moore, of Security Assessment presented SBDA, “Same Bug, Different App,” reinforcing the point that code has patterns, and that the bad guys search for those patterns as new issues are revealed.

Many of the speakers spent time discussing their attacks with the people who wanted to fix them, talking about what changes would be effective, how a new attack might get around a defense. While patch and penetrate is not security engineering, learning from attackers certainly is part of that engineering process.

Each of these talks was given in a longer version on Friday. Before we get there, I’ll mention two other bits: tours of both the Windows build lab, and a really good presentation about the sustaining engineering lab and processes. I have an ongoing interest in patch quality, and got to meet the people who build and ship the hotfixes, and hear lots about their process. John, I hope you get to put that stuff on the web soon.

Friday, we were in what I understand is Microsoft’s largest conference room, and the speakers gave longer, more detailed versions of their talks. Most of the speakers spent most of the day in the speaker lounge, so Microsoft’s employees could discuss what they were hearing without worrying they were going to be quoted here. (Although only once or twice did anyone in earshot of me say that they weren’t comfortable answering a question, and only once did someone get really worked up about an attack. Lots of Microsoft folks gave very deep explanations of why things work the way they do, and the tradeoffs they made.)

At the close of Friday’s session, Dan Kaminsky and I joined the other speakers for a panel discussion with lots of audience questions. We had a lot of panelists, which made for somewhat challenging panel management, and a few of us ended up talking more than others. In a day or two, I’m going to reprise and expand on one of my answers, about separation of code and data.

That evening…well, lets just say, darling, you looked great in aluminum foil, and God Save the Queen!

PS: The New York Times has a report in “At Microsoft, Interlopers Sound Off on Security.” Pete Lindstrom has some comments in “Microsoft’s Blue Hat”

[Update: Slashdot has an article, "Microsoft Consults Ethical Hackers at Blue Hat, too.]

]]> http://emergentchaos.com/archives/2005/10/blue-hat-report.html/feed 0 http://emergentchaos.com/archives/2005/09/what-is-phishing.html http://emergentchaos.com/archives/2005/09/what-is-phishing.html#comments Tue, 27 Sep 2005 11:46:16 +0000 adam http://emergentchaos.com/?p=1060 Continue reading →]]> In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay is much improved.

First, lets look at what phishing is. There are many
technical answers, but the core of phishing is that people are drawn
to a website, mistakenly thinking it belongs to a company that they
trust. There are a couple of core elements here: The first is the
phishing email. These can be bulk or targeted. Criminals use exactly
the same mail merge technology companies use, and will insert any
details they can: Name, address, account number (or last 4 thereof),
SSN (or last 4), your logo or copyright statements, etc. All of this
is designed to convince the user that it’s ok to click on the link to
visit the bank. That’s crucial, because without that feeling that
it’s ok to click, the victim will not end up at the fraudster’s site.

So there is where we must concentrate our defense. We need to prevent
the victim from feeling that its ok to click on the link. But how?
SSL–the little padlock–doesn’t help. Anyone can buy a cert for
cb.pharmphr33.supersecure.com if they operate that domain. It’s easy.
Almost anything you can do in an email, the fraudster can duplicate.

And so there lies the key. Use the several established channels you
have in concert. Use the customer as an ally. Move them
away from clicking links to selecting bookmarks.

]]> http://emergentchaos.com/archives/2005/09/what-is-phishing.html/feed 1