Can I interest you in a glass of Berry Blue Kool-Aid?: A Recap of BlueHat v7

Hello all, Nate McFeters here to give you a recap of all the fun at Microsoft BlueHat v7.  If you don’t know me, I work for Ernst & Young’s Advanced Security Center and I also blog over at ZDNet’s Zero-Day Security Blog.  You may have also seen me on the conference circuit, as I’ve spoken recently at such prestigious events as Black Hat and ToorCon.  This time around though, I wasn’t brought in to speak at a conference; Microsoft had Rob Carter (also from EY’s ASC) and I come in to discuss some recent vulnerabilities that we’ve discovered with a few third-party vendors with whom Microsoft has tight relationships.  Actually, that’s worth a shout out to Katie Moussouris for being awesome and putting Rob and I in touch with the proper people to get our issues fixed AND bringing us in to BlueHat for our efforts.


Coming to Seattle is always a treat for me.  The hacking/security research community is represented in Seattle like no other place that I’ve been to.  Of course, Seattle did not let me down once again!  On Wednesday, I got a chance to attend the iSec Partners party, celebrating the opening of their new Seattle office, so congrats to all those guys.  After the iSec party, I rolled over to the BlueHat speaker’s party with Billy Rios (former EY ASC guy, now a Microsoft employee, and a BlueHat Speaker) and got a great opportunity to drink free beer and hang out with some industry leading figures, such as Alex (kuza55), Fukami, Sowhat, and Manuel Caballero.


After a long first night, I took care of some work-related stuff and relaxed most of Thursday… that is, until the BlueHat party.  It was a great premise: Put a bunch of hackers in a bar and feed them free booze until closing time… the night before the big show!  Good thing these guys are professionals!


The highlights of the talks for me were:


1.)         Getting to see Alex (kuza55) discuss browser insecurities to a packed audience.  This guy has some really progressive stuff, but what really stuck to me was Alex’s mature understanding of the greater picture, which was truly impressive, even more so from a 17-year-old.  He discussed the need for more transparency from vendors on the standards that the browsers depend upon… nowhere was this more interesting than in the case of Cross-site Cooking and his FindMimeFromData attack.  Alex explained how dangerous the lack of understanding of these technologies are, and how, unless the security community is given more of the bigger picture, we can expect these issues to lay dormant until discovered, and of course, we have no guarantee that it will be a good guy finding it.


2.)         Watching Billy Rios’ and Nitesh Dhanjani’s phishing discussion, which was by FAR the most entertaining and enlightening talk that I’ve ever seen.  The talk was basically a recap of research that Billy and Nitesh got involved in over a year ago, where basically they joined up to the phishing community and realized that it’s not just about phishing, it’s really about identity theft.  They discovered that phishing was just one means of supply to fill the demand for identities in the identity theft ecosystem.  They were able to discover phishing sites, the kits that phishers use, and the sites where phishers sell stolen identities… truly unbelievable.  The saddest thing was realizing just how tech un-savvy these phishers truly are, and then further realizing how huge an impact they’ve caused to the Internet.  If you have not seen this talk, you should absolutely go catch it at Black Hat Vegas. If you have, I’m sure you’ll be seeing it again.


3.)         Manuel Caballero discussed something that originally didn’t catch my attention.  It initially sounded like the same research that’s been put into cross-site scripting attack frameworks, which basically involved using XSS to create a bi-directional communication channel between victim and attacker for exploitation of XSS.  Then I realized what Manuel was really talking about.  Resident scripts have put the fear of God into me.  Whereas a normal cross-site scripting attack vector is great for the site that was cross-site scripted, it stopped there; it couldn’t follow you off-domain.  Manuel’s can.  Scary. 


After the presentations, I was fortunate enough to get included in the IOActive Limo Race after party.  I’ve never been involved in an event that led to as many hilarious pictures as that one.  Specifically, the pictures of Dan Kaminsky, David Hulton, and Andrew Cushman are priceless.  Thanks to Josh Pennell and all the IOActive crew for putting that on — it was outstanding fun.


All of that and I closed off the week by coming home to Chicago and proposing to my long-time girlfriend, Melissa Radocha (she said yes, thank God!), so it was probably one of the best weeks of my life.  Sorry to all of the media guys like Ryan Naraine and Rob McMillan who I’m sure wanted to join me, but keep in mind, I wasn’t here for media coverage… I just got lucky to steal an exclusive by having some research that Microsoft was interested in!  J





Editor’s Note:  The BlueHat planning team wishes to extend our heartfelt congratulations to Nate and Melissa!