It has been nearly four months since we gathered in Redmond for BlueHat v12, and we’ve almost caught up on our sleep. As we prepare for what promises to be a momentous year for the BlueHat program – culminating in December with BlueHat v13 – we’ve selected nine of the most compelling, talked-about, or just plain chewy talks from last year’s festivities to share with you.
Fraud and Abuse: A Survey of Life on the Internet Today
Ellen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft
Kowalczyk kicked off BlueHat v12 in the morning with a look at two of the most difficult security issues facing our customers today. When you’re in the process of becoming the leading devices and services company, this is the sort of thing that’s on your mind every morning.
Social Authentication
Alex Rice, Product Security, Facebook
Over the past year, Facebook engineers have been working on various attempts to expand authentication from “something you know” to “someone you know.” Rice’s talk demonstrates some of the results and details the lessons his company has learned along the way.
Scriptless Attacks: Stealing the Pie Without Touching the Sill
Mario Heiderich, Dr.-Ing., Ruhr-University Bochum, Germany
Removing JavaScript from the cross-site scripting equation doesn’t necessarily take away the XSS pain, as Dr. Heiderich demonstrates. Learn how attackers can use seemingly benign features to build side-channel attacks that can measure and exfiltrate data from even well-protected sites – and find out what can be done to stop it.
Sh*t My Cloud Evangelist Says… Just Not My CSO
Chris Hoff, Senior Director and Security Architect, Juniper Networks
In front of an audience evenly divided between developers and security folk, Chris Hoff laid out the differences in worldview between the two – yes, there are a few – and how those translate into the world of cloud computing. More secure? Less secure? Let the debate begin…
Don't Stand So Close to Me: An Analysis of the NFC Attack Surface
Charlie Miller, Systems Software Engineer, Twitter
Near-field communication (NFC) technology is growing in popularity, with mobile devices leading the communications charge. But when you tap your phone to an NFC-enabled terminal to make a credit-card payment, how do you know you haven’t been owned – or worse? Miller looks at how NFC technology expands the potential attack surface for mobile devices.
Building Trustworthy Windows Store Apps
David Ross, Principal Software Security Engineer, Microsoft, and Crispin Cowan, Senior Program Manager, Windows Security, Microsoft
The Windows Store environment is designed to protect consumers’ machines and data from individual apps, but that puts serious responsibility on developers to use secure coding practices. Ross and Cowan look at what that means and how developers can approach the challenge without tears.
Why UEFI?
Matthew Garrett, Senior Software Engineer, Nebula
The Unified Extensible Firmware Interface (UEFI) brings far greater security to the firmware environment, letting developers build security policies that extend all the way into the most basic layers of shipped code. But do we lose platform differentiation in the process? Garrett details why that’s not necessarily the case.
Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation
Patrick Jungles, Security Program Manager, Microsoft
Credential theft and re-use attacks have gained in popularity in recent years, and there’s nothing tastier for some attackers than your delicious, delicious hashes. Jungles, the Microsoft PM who led the company-wide workgroup that researched and released our recent pass-the-hash whitepaper, presents an overview of the group’s findings.
Why Johnny Can't Patch: And What We Can Do About It
David Seidman, Senior Security Program Manager, Microsoft
Microsoft works hard to develop and release security bulletins as soon as we’re aware of a vulnerability that needs addressing. So how is it that some users remain vulnerable to issues for which the cure has existed for months, if not years? Seidman dives deep into who doesn’t patch, why, and what might change their ways.
Enjoy! We’re looking forward to BlueHat v13 – Return to your “C:\>”(s). We suspect there will be a lot to talk about.
Emily Anderson
Security Program Manager, MSRC, Microsoft