Microsoft to lift lid on hacker conference

It plans to publish findings from its third Blue Hat confab, where hackers give tips to Microsoft execs.

Tom Espiner Special to CNET News
2 min read
Microsoft will publish the findings of its three-day "Blue Hat 3" security conference, according to a blog posting by one of the organizers.

The third Blue Hat conference, held last week, was organized to discuss the current state of global security. Security researchers were invited to give talks and practical demonstrations to assembled Microsoft executives on topics such as exploiting Web applications and hacking search engines.

"Over the coming days, we'll be posting our reflections on Blue Hat 3, as well as photos and links to podcasts and video from the event," Kymberlee Price, a Microsoft security program manager, wrote on Thursday.

Listen up

Security Bites
An impromptu commentary on the week's security news.

Download mp3 (10.5MB)

"We sincerely hope that our Blue Hat 3 speakers (and Blue Hat 1 and 2 speakers) will post their comments to the site as well and share their Blue Hat experience with you," Price added.

Details of Blue Hat 3 will be published during the spring, according to TechNet, Microsoft's developer site.

"It was open and honest discussion about problems specific to Microsoft technologies and also problems that affect our entire industry," conference organizer Brad Sarsfield, a Microsoft SQL Server coder, wrote in another Blue Hat blog posting.

"Hearing senior executives say things like, 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this,' was at least one measure of success, from my point of view, for the event," Sarsfield added.

The first day was a set of talks to senior product leadership and executives. The second day took an SQL, Data and Web application focus, while the third day focused on the Windows platform, according to Sarsfield's posting.

Security researcher and NGS co-founder David Litchfield gave a talk on Oracle database security at the event. Litchfield told ZDNet UK that various aspects of database security were discussed during his time at the conference.

"There were talks on SQL injection and database rootkits--SQL injection subverts the application logic, piggybacking attack queries on valid SQL queries. An attacker can then do something nasty, like access user passwords and IDs," Litchfield said.

"SQL injection is probably today's biggest security issue. This problem has been known about for years, but seven out of 10 Web applications are still vulnerable," Litchfield added. "I find it extremely frustrating."

Litchfield applauded Microsoft for holding the Blue Hat conference.

"I think it's great Microsoft (is) doing this. It's still investing so much into its security culture. Oracle could take a leaf out of (its) book." Litchfield has heavily criticized Oracle in the past, after he discovered a clutch of vulnerabilities in its database software.

Litchfield also said that while attack code was demonstrated at Blue Hat 3, "no Microsoft issues were discussed" during his time at the conference.

Tom Espiner of ZDNet UK reported from London.