« Load Jacking latest buzzword | Main | Wireshark 1.0.4 Released »

My Trip To Microsoft's Bluehat Conference

Last week I attended Microsoft's Bluehat conference for the first time and found the experience to be pretty positive. Here are a few highlights

New Tools Announced
- Microsoft Threat Modeling tool v3.1 RC2 (Public release date: unknown)
- CSSH is a CSS history theft tool combining a crawler to enumerate the links you've visited on a site.

The talks
- The fuzzing talk 'Fuzzed Enough? When It’s OK to Put the Shears Down' was decent. It is amazing just how much time and effort Microsoft puts into fuzzing. 

- The Crimeware talk 'Crimeware Behind the Scenes' discussed how attackers are geolocating countries to attack. Not new, but rarely spoken about.
- The 'Concurrency Attacks on Web Applications' talk was good. This discussed race conditions in web applications and the impacts of multi-threaded web frameworks.

- The 'WAF vs SDL shootout' panel was as expected. Everybody thought that WAF's were are over hyped and had little value.

- The 'Investigating Individuals and Organizations Using Open Source Intelligence' talk was neat. A tool by Roelof Temmingh was demo'd showing how to identify associations between people and data sets. This tool is definitely something I'll be looking into.

Mike Andrews also has a decent writeup of the event at http://www.mikeandrews.com/2008/10/19/bluehat-review/

More Information: http://technet.microsoft.com/en-us/security/cc748656.aspx

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!



I'm not sure if the CSS Attribute Reader counts as a tool release, but it's more useful than CSSH IMO. Actually, I think CSSAR is pretty damn epic, but maybe that's just me.


I'm 99% sure CSSH was the tool that identified the site you were on, then crawled that site and attempted CSS history theft enumeration on each url on the site.

What is CSSAR? Maybe I goofed the name? Couldn't find it online anywhere unfortunately.


CSSAR == CSS Attribute Reader

Maybe it's more a technique than a tool, but it's the attack they demoed where you can read out values from HTML using only CSS and no JavaScript (or any other active content either), you can find it with the rest of their demos: http://p42.us/css/

Though I guess they haven't posted the PHP code anywhere...hrm...


That is the site I was looking for.

http://eaea.sirdarckcat.net/cssh-mon/cssh-mon.php?z=www.slashdot.org is the tool I was speaking of.


source code can be found here:

http://eaea.sirdarckcat.net/cssar/v2/?source