I am in Redmond at the moment for internal meetings. We have been able to align these meetings with the Fall Session of Bluehat. I already blogged about the summer sessions and would like to give you some insights and views on the Fall sessions as well. To be clear, I am "just" attending the Exec Briefing which is a short version of the complete Bluehat but it is nevertheless extremely interesting to listen to the presenters. If you want to know more about Bluehat, go to http://www.microsoft.com/technet/security/bluehat/2007fall.mspx
It is always eye-opening listening to the presenters at Bluehat. Let me share a few conclusions/thoughts with you:
- Windows Mobile Security: Even though we already came a long way, we still have a lot of things to do. To keep it easy: We have to take the technology and concepts of Windows Vista and bring it to the mobile platform! This is obvious – isn't it?
- Looking at the underground economy leads to an interesting discussion about ethics. We had Roberto from WabiSabiLabi at Bluehat. I blogged about them earlier this year (http://blogs.technet.com/rhalbheer/archive/2007/07/06/vulnerability-auction.aspx) and I had to realize that there are definitely different views on ethics and that you can stretch your view based on the position you are in. Roberto is convinced that he is working ethically and legally.
- If I look at virtualization, the key summary is a pretty obvious one: Software offering virtualization has vulnerabilities (BTW, Virtual PC and Virtual Server are not too bad here) and where you have vulnerabilities, there will be attacks. These attacks however might cross the virtual machines and infect/attack either other VMs or the host. This is pretty obvious but this is one of the beauties of Bluehat: It makes you think and it "forces" you to look at certain threat scenarios you did not yet look into concretely. They simply show you the threats!
- We talked about fuzzing at Bluehat as well. If you want to know more about fuzzing, look at Wikipedia. The title actually was: "Fuzzing sucks". To me it is not that fuzzing actually sucks as a methodology but much more that the tools have quite a few shortcomings.
- The scary part is always when somebody who is writing exploits or IDS signatures talks to you about how they reverse-engineer security updates. People who do that for a living are really skilled in understanding the way we work and they are extremely fast. It is a real arms race... Finding the actual vulnerability in our code takes them just a few minutes (often less than an hour).
- Last but not least Mark Russinovich talked about real and "unreal" security boundaries in Windows. The goal here is to understand the limitations of the different technologies and solutions within Windows Vista. He is working on a Technet article addressing this as well – so watch out.
Again, this was a refreshing and very interesting experience and I am looking forward to the next Bluehat.