Microsoft to lift lid on hacker conference

Podcasts and video footage from Microsoft's Blue Hat 3 security conference will soon be published online
Written by Tom Espiner, Contributor

Microsoft is to publish the findings of its three-day "Blue Hat 3" security conference, according to a blog posting by one of its organisers.

The third Blue Hat conference, which was held last week, was organised to discuss the current state of global security. Security researchers were invited to give talks and practical demonstrations to assembled Microsoft executives on topics such as "exploiting Web applications" and "hacking search engines".

"Over the coming days we'll be posting our reflections on BlueHat 3 as well as photos and links to podcasts and video from the event," wrote Kymberlee Price, a Microsoft security programme manager, on Thursday.

"We sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience with you," Price added.

Details of Blue Hat 3 will be published during the spring, according to TechNet, Microsoft's developer site.

"It was open and honest discussion about problems specific to Microsoft technologies and also problems that affect our entire industry," wrote conference organiser Brad Sarsfield, a Microsoft SQL Server coder, in another BlueHat blog posting.

"Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this,' was at least one measure of success from my point of view for the event," Sarsfield added.

The first day was a set of talks to senior product leadership and executives. The second day took a SQL, Data and Web application focus while the third day focused on the Windows platform, according to Sarsfield.

Security researcher and NGS co-founder David Litchfield gave a talk on Oracle database security at the event. Litchfield told ZDNet UK that various aspects of database security were discussed during his time at the conference.

"There were talks on SQL injection and database rootkits. SQL injection subverts the application logic, piggybacking attack queries on valid SQL queries. An attacker can then do something nasty like access user passwords and IDs," said Litchfield.

"SQL injection is probably today's biggest security issue. This problem has been known about for years, but seven out of ten Web applications are still vulnerable," Litchfield added. "I find it extremely frustrating."

Litchfield applauded Microsoft for holding the Blue Hat conference.

"I think it's great Microsoft are doing this. It's still investing so much into its security culture. Oracle could take a leaf out of their book." Litchfield has heavily criticised Oracle in the past, after he discovered a clutch of vulnerabilities in its database software.

Litchfield also told ZDNet UK that while attack code was demonstrated at Blue Hat 3, "no Microsoft issues were discussed" during his time at the conference.
