BlueHat v15 Announces Schedule and Registration

As we inch closer to the 15th BlueHat Security Conference, we are happy to announce the lineup of speakers and topics for this event.  This year continues the tradition of a solid speaker and topic selection that engages engineers, executives, and invited guests in discussing and tackling some of the hardest problems facing the industry today.  Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat is set for Tuesday, January 12th through Wednesday, January 13th at Microsoft’s Redmond campus.  The first day sets the stage: the threat environment and what is impacting customers today.  The second day splits into four simultaneous tracks (two in the morning and two in the afternoon) focusing on protecting customers and defense strategy, pivoting to help customers, software/service development, and attacks/exploits in the wild.

External invites have been sent and registration is now open for BlueHat v15.  We look forward to another great conference.


Tuesday, January 12th, 2016 | General Audience


9:00-9:50 AM | Ofir Arkin | Intel
Keynote:  Security in a World Out of Our Control

The traditional security models are failing as they become obsolete in a world where the environment and technology are constantly changing and advancing. The need to allow anywhere, anytime access (Mobility) to enterprise resources from any user (Collaboration) and any device (BYOD) has challenged the mere existence of the fixed perimeter and the traditional defense mechanisms. In a world where IT is losing control over devices, users and even its own infrastructure, a new security model that takes into account these new realities must be put in place.


10:00-10:50 AM | Nick Carr and Matthew Dunwoody | Mandiant
No Easy Breach: Challenges and Lessons from One of Mandiant's Most Demanding Investigations

Every IR presents unique challenges. But – when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day – the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

11:00-11:50 AM | Shawn Loveland | Microsoft
The Business of Cybercrime

Just as the PC/computer/mobile device ecosystem has grown over the decades, so has the cybercrime industry, which today is more organized and motivated than at any time in history.  Blackhat cybercrime is a form of malicious online behavior motivated by profit and a predictable ROI.  Treating Blackhat cybercrime as a purely technological problem makes mitigation difficult, costly, and ineffective.  By understanding the attacker’s Tools, Techniques, Motivations, and Business Models, we can understand how our products, services, and users are, and will be, victimized by Blackhat Cybercriminals.


1:00-1:50 PM | Daniel Edwards | Microsoft
HoneyPots & Deception – What is happening to our Azure customers?

The theme of the talk this year will be about my experiments in running a honeypot in Azure, what I learned, how the information can be used to improve protection, and a call to action.  The PowerPoint is a very basic outline meant to convey the theme of the talk.  I just haven’t had a chance to create all the diagrams, but I already have all the data (and continue to collect additional data every day) that I am talking to.  The Word document is a sample of the analysis that I will be incorporating.

2:00-2:50 PM | Alex Weinert and Dana Kaufman | Microsoft
A Year in the Trenches with Microsoft Identity Protection team

Between Microsoft account, Microsoft’s consumer system which supports Outlook, Xbox, OneDrive, and more, and Azure Active Directory, which supports virtually all enterprise identity deployments, Microsoft’s Identity team supports more than 2B identities in every market and services over 14B logins every day. The Identity Protection team is responsible for ensuring that access is granted only to account owners, and that those account owners are not fraudsters. In this session, we’ll provide an overview of the protection systems in play, how we see fraudsters adapting to those systems, and industry trends in a world where high-stakes attacks meet high-tech adaptive countermeasures. We’ll punctuate the talk with a few scary stories from the front lines, and our forecast for the future of identity protection.

3:00-3:50 PM | Jonathan Birch | Microsoft
Unintended Authentication

Unintended authentication to untrusted services is a common but largely ignored problem in Windows applications. In this talk, I explain how this type of vulnerability occurs and why its potential and current exploitation create a risk that application developers should work immediately to mitigate. To give reference examples, I discuss two cases where this type of vulnerability occurred and was fixed in Microsoft Office. Finally, I demonstrate how to test for and fix unintended authentication problems and best practices that can be used to prevent them from being introduced into a product.

4:00-4:50 PM | Matt Graeber | Veris Group
Windows Management Instrumentation – The Omnipresent Attack and Defense Platform

A resourceful attacker seeking to maximize his or her compromise/effort ratio will naturally target any omnipresent technology present in a homogeneous environment. Windows Management Instrumentation (WMI) is one such technology that is present and listening on every Windows operating system dating back to Windows 95. WMI is a powerful remote administration technology used to get/set system information, execute commands, and perform actions in response to events. While it is a well-known and heavily used technology by diehard Microsoft sysadmins, attackers (i.e. diehard unintended sysadmins) find such built-in technology enticing, especially those who wish to maintain a minimal footprint in their target environment. In reality, targeted and criminal actors are making heavy use of WMI in the wild and defenders need to be informed of its capabilities both from an offensive and defensive perspective. This talk aims to inform the audience of the basics of WMI, in the wild attacks, theoretical attack scenarios, and how defenders can leverage the WMI eventing system against an attacker.
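To make the defensive half of that abstract concrete, here is an added PowerShell example; it is not from the talk or from the speaker's tooling. It audits the permanent WMI event subscriptions on a host (the persistence mechanism the abstract alludes to) by joining every __FilterToConsumerBinding to its filter and consumer, and then turns the same eventing system on the attacker by registering a temporary event that fires whenever a new binding is created. The list of consumer classes treated as "runs code" and the note about the default SCM binding are the editor's assumptions, and the script needs an elevated prompt.

```powershell
# Added example (not from the talk): audit permanent WMI event subscriptions
# and watch for new ones. Run from an elevated PowerShell 3.0+ prompt.
# The audit itself is read-only.

$Namespace = 'root\subscription'

function Get-WmiPersistence {
    # Binding.Filter / Binding.Consumer hold relative object paths such as
    # __EventFilter.Name="X", which equal the __RELPATH of the referenced
    # instance, so a table keyed on __RELPATH joins trigger to action.
    $byPath = @{}
    Get-WmiObject -Namespace $Namespace -Class __EventFilter   |
        ForEach-Object { $byPath[$_.__RELPATH] = $_ }
    Get-WmiObject -Namespace $Namespace -Class __EventConsumer |
        ForEach-Object { $byPath[$_.__RELPATH] = $_ }

    # Consumer classes that execute arbitrary commands or script (assumption:
    # these are the ones worth flagging; log/SMTP consumers are usually benign).
    $runsCode = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

    foreach ($b in Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding) {
        $f = $byPath[$b.Filter]     # $null if the filter was deleted (dangling binding)
        $c = $byPath[$b.Consumer]
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query          # the WQL trigger, e.g. a timer or process start
            Consumer     = $c.Name
            ConsumerType = $c.__CLASS
            Payload      = $payload          # what runs when the trigger fires
            # Stock Windows ships one binding, "SCM Event Log Filter" ->
            # NTEventLogEventConsumer; anything that runs code deserves a look.
            Suspicious   = ($runsCode -contains $c.__CLASS)
        }
    }
}

function Start-WmiPersistenceWatch {
    # Temporary subscription (lives only in this process) that fires when any
    # principal creates a new binding in root\subscription. WITHIN 5 polls every
    # five seconds because __FilterToConsumerBinding is not an intrinsic event source.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
             "WHERE TargetInstance ISA '__FilterToConsumerBinding'"
    Register-WmiEvent -Namespace $Namespace -Query $query -SourceIdentifier 'NewWmiBinding' -Action {
        $new = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("[{0}] New permanent WMI subscription: filter {1} -> consumer {2}" -f
            (Get-Date), $new.Filter, $new.Consumer)
    }
}

Get-WmiPersistence | Format-List
Start-WmiPersistenceWatch | Out-Null
# Stop the watch with: Unregister-Event -SourceIdentifier NewWmiBinding
```

Run the audit on a known-good image first so that the default entries are recognised; any CommandLineEventConsumer or ActiveScriptEventConsumer that appears afterwards, especially one bound to a timer or to a Win32_ProcessStartTrace filter, is the kind of footprint the abstract describes.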

Wednesday, January 13th, 2016 | General Audience

TRACK 1 – DEVELOPMENT

9:00-9:50 AM | Lee Holmes | Microsoft
Attackers Hunt Sysadmins. It's time to fight back

What do the NSA, APT groups, and run-of-the-mill attackers have in common? They. Hunt. Sysadmins. After all, what’s a better way to compromise an entire infrastructure than to target the folks with complete and unconstrained access to it? It’s time to fight back. In this talk, we introduce PowerShell Just Enough Administration, a powerful platform capability that lets you add role-based access controls to your existing PowerShell-based remote management infrastructure.
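Below is an added PowerShell example of the capability that abstract introduces; it is not the speaker's code. It builds a JEA endpoint that lets a helpdesk group restart the DNS service and read DNS records, and nothing else, by creating a role capability file, a session configuration that runs as a transient virtual account with transcription on, and registering it. The module name DnsOps, the group CONTOSO\DnsOperators, the transcript path and the host name dns01 are placeholders, and the visible DNS cmdlets assume the DnsServer module is installed on the target. Requires Windows Management Framework 5.0 and an elevated prompt.

```powershell
# Added example (not from the talk): a JEA endpoint for a DNS helpdesk role.
# Placeholder names: DnsOps, CONTOSO\DnsOperators, C:\JEA\Transcripts, dns01.

# 1. Role capabilities must live in a RoleCapabilities folder of a module on
#    $env:PSModulePath; that is how the endpoint finds them by name.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsOps'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'DnsOps.psd1')

# 2. The role: two cmdlets plus one helper function. Restart-Service is exposed
#    but its -Name parameter is pinned to 'DNS', so the role cannot restart
#    anything else; every other cmdlet, provider and language feature is hidden.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-DnsServerResourceRecord',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    ) `
    -VisibleFunctions 'Get-DnsOpsStatus' `
    -FunctionDefinitions @{
        Name        = 'Get-DnsOpsStatus'
        ScriptBlock = { Get-Service -Name DNS | Select-Object Name, Status, StartType }
    }

# 3. The endpoint: NoLanguage mode, a virtual admin account that exists only for
#    the session (so operators need no standing admin rights, which is what
#    removes them from the hunt), and over-the-shoulder transcripts.
$transcripts = 'C:\JEA\Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $env:TEMP 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc is not valid"
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $pssc -Force | Out-Null
Restart-Service -Name WinRM

# An operator then connects with:
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsOps
# Inside, Get-Command lists only the whitelisted set, and
#   Restart-Service -Name Spooler
# is rejected by parameter validation before it ever runs.
```

The connection name and the role name are the only contract between operators and administrators; rotating the virtual account or tightening a ValidateSet changes nothing on the client side, which is what makes the model cheap to ratchet down over time.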

10:00-10:50 AM | Laura Bell | SafeStack
Protecting our people (The Awkward Border)

People are problematic when it comes to security. We all know and laugh about the ease with which we can lie, cheat and steal from those around us whilst stubbornly refusing to admit that the same scams would probably work on us too. A culture of fear and negative consequences spanning decades has given us a workforce that is not only scared of being attacked, but scared of saying something if they see a threat or do something wrong.

So how do we change this? Can we enable, empower and engage _all_ of our people to protect themselves and those around them? More importantly can we do this without destroying privacy or putting those people at risk? This isn't a sales pitch. This isn't a miracle cure. This is the story of trying to protect our people and the difficult road to achieving this.

11:00-11:25 AM | Shawn Hernan | Microsoft
Factor-and-a-half Authentication

Many traditional techniques for protecting the stored representation of passwords derive their security by making the password verification operation expensive. For example, a server may hash a password many times as a way to slow down brute-force attacks against an offline copy of the password database. In such a scheme, acceptable password security may result in unacceptably poor login-time performance. Memory-intensive functions like scrypt may not scale well on a server that has to support a large number of simultaneous login attempts.  Multi-factor authentication schemes provide protection against many of the common problems that plague reusable passwords. Unfortunately, adoption rates for MFA are low in general, and many of the systems are expensive or suffer from usability issues.  This talk proposes an authentication system, “factor-and-a-half authentication,” to address some of these problems. Factor-and-a-half authentication consists of “something you know” and “something you create,” along with initial setup and verification protocols and policy management between clients and server.

11:30-11:55 AM | Scott Longheyer | Microsoft
Network Defense - Isolation Enforcement

Some things are meant to be shared, some are not. From dedicated to software-defined networks, we discuss modern solutions to enforce network isolation in extremely dynamic, often exposed, single or multi-tenant hosting environments. The tools are getting better, let’s wield them. Network certifications are not required to attend.

TRACK 2 – PIVOTING TO HELP CUSTOMERS

1:00-1:50 PM | Amit Hilbuch | Microsoft
Early Detection of Fraud Storms in the Cloud

Cloud computing resources are sometimes hijacked for fraudulent use. While some fraudulent use manifests as small-scale resource consumption, a more serious type of fraud is that of fraud storms, which are events of large-scale fraudulent use. These events begin when fraudulent users discover new vulnerabilities in the sign-up process, which they then exploit en masse. The ability to perform early detection of these storms is a critical component of any cloud-based public computing system.

In this work we analyze telemetry data from Microsoft Azure to detect fraud storms and raise early alerts on sudden increases in fraudulent use. The use of machine learning approaches to identify such anomalous events involves two inherent challenges: the scarcity of these events, and at the same time, the high frequency of anomalous events in cloud systems. We compare the performance of a supervised approach to the one achieved by an unsupervised, multivariate anomaly detection framework. We further evaluate the system performance taking into account practical considerations of robustness in the presence of missing values, and minimization of the model’s data collection period. This work describes the system, as well as the underlying machine learning algorithms applied. A beta version of the system is deployed and used to continuously control fraud levels in Azure.

2:00-2:50 PM | Christiaan Beek | Intel Security
There’s A Pot of Gold at The End of the Ransomware Rainbow

Ransomware is one of the threats we have seen rising over the past few years, with a huge resurfacing in 2014. Mostly the Windows platform, but also Linux, mobile and OS X operating systems, are being targeted by these campaigns.  In this presentation, we will start with an overview of the different crypto-ransomware families we have seen in the past couple of years, combined with some of the technical developments in the industry that assisted in making this business model very lucrative. We continue with some examples of in-depth analysis of behavior patterns we discovered in certain families that helped us identify and classify them. Besides the malware itself, we will highlight some insights around how the actors in general are operating, the infrastructure they build up, the financial infrastructure, the profit, and connections with other cybercrime operations.

3:00-3:50 PM | Jasika Bawa, Costas Boulis, and Roman Porter | Microsoft
Advancing SmartScreen To Disrupt The Exploit Kit Economy

Microsoft SmartScreen integrated with Internet Explorer, Microsoft Edge, and Windows, has helped protect users from socially engineered attacks such as phishing and malware downloads since the release of Internet Explorer 7. Over time, SmartScreen reputation checks on URLs and SmartScreen Application Reputation protection in the browser and in Windows have significantly changed the socially engineered attack landscape, leaving such attacks at historic lows. However, attackers have continued to adapt—enter Exploit Kits (EKs), one of the fastest growing threats online.

EKs often originate on trusted websites and target vulnerabilities in software used by our customers every day. Moreover, EK-based attacks do not require any user interaction—there's nothing to click, nothing to download—and infection is invisible. Approximately two-thirds of new malware is now being delivered by EKs, hardly surprising given that a single EK on a popular site can infect thousands of people in less than an hour. The recently analyzed Angler EK, for instance, was found to target almost 90,000 innocent victims each day, earning cyber criminals potentially more than $30 million annually and further proving the EK space to be an extremely financially lucrative one. But all isn't lost! Starting with the November release of Windows 10, Microsoft SmartScreen will begin protecting users from EK attacks in Internet Explorer and Microsoft Edge. In this talk, we will discuss the growing EK landscape, how it is impacting our customers, and how, with new synchronous blocks for EKs, SmartScreen once again aims to continue increasing the cost of exploitation for attackers.

4:00-4:50 PM | Mark Novak and Dave Probert | Microsoft
Virtual Secure Mode and Shielded Virtual Machines

Virtual Secure Mode is a new virtualization-assisted security technology that made its debut in Windows 10.  This talk will describe the fascinating security properties of VSM as well as cover the two new technologies that were built with its help: shielded virtual machines and Credential Guard. Microsoft developers interested in utilizing VSM in their projects should talk to folks in the WDG.

Wednesday, January 13th, 2016 | General Audience


9:00-9:50 AM | Nils Sommer | Bytegeist
Windows Kernel Fuzzing

Attackers often rely on Windows kernel vulnerabilities to break out of application sandboxes and escalate privileges. To rapidly identify such vulnerabilities, we adapted techniques from browser fuzzing to assess the kernel and have reported a number of critical issues to Microsoft. All aspects of the fuzzer, from test case generation to testcase minimisation are highly distributed and it produces high quality testcases for reproduction. This talk will discuss our approach for fuzz testing the Windows kernel, from assessing the kernel's attack surface and effective test case generation, to the design and architecture of a highly distributed fuzzer that scales to many hundreds of CPU cores.

10:00-10:50 AM | Leigh Honeywell and Ari Rubinstein | Slack
Secure Development for Snake People: New Ideas for the Next Generation

Startups hear the word “process” and freak out – shipping code every day isn’t optional. What if you could build a secure development process that accelerated development, instead of slowing it down? At Slack, we have – allowing our small team to distribute security work to developers, and building up their security skills from intern to senior engineer. We’ll talk through the tools and processes we built – a flexible, open source framework including a lightweight self-service assessment tool, a checklist generator, and most importantly a chat-based process. Together, these encourage security thinking in the tools developers already spend their time in – allowing us to effortlessly document people’s thought processes around risk. By empowering developers to think about security themselves and incorporate secure practices into their own teams and workflows, we’ve defeated the fear of the checkbox and replaced it with new tooling and process that teams actually want to work with.

11:00-11:25 AM | Jason Shirk | Microsoft
Microsoft Bounty Program: Making it to the MSRC Top 100

Microsoft has been working with security researchers for a long time as part of a robust security regimen, which we continue to value and drive passionately. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem. We believe that bounties will continue to evolve over time, and will be regularly managing the Microsoft Bounty Programs. In this talk Jason will be talking about what we've seen to date, what we've learned, and diving more deeply into the data behind running the Bug Bounty Programs at Microsoft.

11:30-11:55 AM | Eugene Bobukh | Microsoft
Transcending Threat Modeling Limitations

Threat Modeling as we know it today has inherent scalability limitations. It can be shown that its computational complexity is O(N^2) with respect to the number of elements modeled. In everyday practice that places an upper limit for human driven threat modeling at approximately 20 elements. However, contemporary software is significantly more complex, consisting of thousands of logical components. What options are available to transcend that limitation? In this talk we shall explore some experimental approaches for scalable threat modeling.


1:00-1:50 PM | Anna Chung | Uber
The Glocalization of the Underground Market

Starting with a general introduction to the Chinese-speaking cybercrime underground market, this presentation discusses how international hacking tools and compromised data are being used by financially motivated criminals, and what kind of adjustments were made in order to localize the business model. The talk uses cybercrime activities targeting the Japanese online banking system, and possibly the spread of web-based DDoS tools, to explain the glocalization status of the Chinese underground economy.

2:00-2:50 PM | Nicolas Joly | Microsoft

Although Windows has a long history of vulnerabilities and exploit techniques, Windows Phone OS has proven to be much harder to exploit than its cousin. Low market share, little public research, a high focus on iOS and Android, but also strong security policies have made that target highly resistant to massive pwnage. But as often happens with exploits, a good vulnerability such as a write-what-where condition is usually enough to defeat all mitigations in place. Based on research conducted for Mobile Pwn2Own 2014, this talk will depict the road taken to get a working exploit for Internet Explorer Mobile running on WP 8.1.

3:00-3:50 PM | Kostya Kortchinsky | Google
VMware Workstation Escape: the Virtual Printer Case

VM Escapes, or how to execute code on the Host OS from a Guest. While they are not a new concept, they are increasingly attractive as virtualization expands, in the datacenters and elsewhere.
This presentation, focusing on VMware Workstation, will demonstrate how arbitrary code execution in the Host was achieved from the Guest through memory corruption vulnerabilities in VMware Workstation Printer Virtualization.
I will cover the virtual printer protocol, how to fuzz it, the vulnerabilities uncovered (through fuzzing and reading the assembly code), and finally walk through a fully working exploit for Workstation 11.1.0 on a Windows 8.1 Host.


4:00-4:50 PM | Matt Miller and David Weston | Microsoft
The Cutting Edge of Web Browser Exploitation

Web browsers are the primary portal to the Internet for most people and it is no surprise that they continue to be one of the most preferred infection vectors for targeted and large scale attacks in-the-wild. Over the past few years, Microsoft has observed some significant changes in the trends related to how browser-based vulnerabilities are discovered and exploited in practice. In this presentation, we will explore these trends and dig into the technical details of how browser-based vulnerability exploitation has changed over the past 15 years. We will show how Microsoft has responded to these changes in the threat landscape by showcasing some of the major security investments that have been made in Windows, Internet Explorer, and the Microsoft Edge browser. We will provide an objective assessment of the impact that these investments have had thus far and explain how these hardening measures, particularly in the Microsoft Edge browser, have significantly affected the playbook that attackers have developed for exploiting browser-based vulnerabilities.


**PLEASE NOTE: This schedule may be subject to change but we will endeavor to keep the final schedule as close as possible to what appears here.



BlueHat v15 End-of Event Survey Give-Away Rules

At the end of each conference day, please ensure you complete the End-of-Event survey located at:  

As part of the Microsoft BlueHat v15 Conference, Microsoft will conduct a give-away of the prizes described in the prizes section below. A reconciliation of attendees and end-of-event survey completions will occur to determine eligible participants. Any duplications will be removed, as only one entry per person is allowed. A random drawing by a disinterested party will occur based on the list of eligible personnel who have submitted their end-of-event surveys by midnight on 1/18/2016. All decisions regarding winners by the event organizers are final.

Prizes: As part of the BlueHat Conference, Microsoft will select one individual to receive a Microsoft Xbox One valued at $399 and 10 individuals to receive a Starbucks gift card valued at $10 each.

Eligibility: The give-away is open to all the BlueHat v15 attendees (to External attendees, Microsoft FTEs and Interns, and Contingent Staff) who attend the conference either in person or via Live Streaming, and COMPLETE the End of Event Surveys. Personnel who are unable to attend due to technical issues, geography, or other events that prohibit attendance are not eligible. Additionally, personnel who view only the On Demand videos after the event and event organizers are not eligible.

Any questions regarding this give-away should be sent to

BlueHat v15 Give-Away Winners

Microsoft Xbox One Winner

Christian Kuhtz

$10 Starbucks Gift Card Winners
Rich Eicher
Nate Warfield
Marius Bunescu
Max Poliashenko
John Bambenek
Roman Golovin
Samuel Jenkins
Neil Coles
Chris Kaler
Angie Wilson

BlueHat v15 Full Agenda_Jan12-13.pdf