Deep Dive With David Litchfield
Renowned database security researcher chats up shark-diving, bug-hunting -- and how Sandra Bullock killed his zoology degree
David Litchfield says he should have seen the attack coming: The 4-meter-long Great White had been unusually aggressive during a dive session last year. As the security researcher knelt outside the cage to snap a photo of the shark swimming by, the huge creature suddenly swung around and headed straight toward Litchfield, chomping down on the camera with its massive jaws and grazing Litchfield's hand.
"I got a nice picture of the inside of its mouth. My hand got bit. It was a bit silly and shouldn't have [happened]," says Litchfield, who was able to retrieve the camera when the shark spat it out after an apparently unappetizing chew. Such an attack is rare because Great Whites are typically calm and inquisitive, Litchfield explains, and he blames himself for letting his guard down in that instant.
The close encounter with the mouth of the Great White shark didn't deter Litchfield from continuing to shark-dive. He'll be back in the underwater shark cages this weekend off the Neptune Islands in South Australia, and he's planning an even more hard-core shark expedition this September off Guadalupe Island in the Pacific Ocean -- this time with no diving cage for refuge. "I will be fully out, swimming with [the Great Whites] with a safety diver carrying a six-foot long stick," he says. "I'm really looking forward to that. It will be much safer because the Guadalupe water is very clear, and the sharks are very placid."
Most people wouldn't characterize Great White sharks as "placid," or safe, but, then again, most people aren't shark enthusiasts and daredevil security researchers like Litchfield, either. Not much rattles Litchfield, who not only has gone face-to-face with "Jaws," but also has made a name for himself in security by taking on database giant Oracle by exposing gaping security holes in its mission-critical software.
Litchfield, 37, says his reputation as an Oracle security guru sort of just happened. "I cut my teeth on exploiting Microsoft flaws. It wasn't until much later that I started looking at Oracle," Litchfield says. It was a natural progression, really, from studying how to exploit Web servers, he says. "Now we own the Web server, so we start looking at the database server," he explains.
The turning point for Litchfield's database shift was probably in 2002, when he and some colleagues at NGSSoftware, a security firm he co-founded, started digging around Microsoft's SQL Server software for flaws. After he demonstrated one of the vulnerabilities he had discovered at Black Hat that year, someone apparently weaponized the research, resulting in the infamous Slammer worm that hit big-time in January 2003. Slammer was a game-changing moment for Microsoft software security, as well as for the industry overall. "Someone had taken my exploit code ... It was one of those nightmare moments: Am I doing the right thing there?" Litchfield recalls.
It was the second time in his career that Litchfield had been shaken by the potential fallout of the early days of security research. His first hack was in 1997 while working for a U.K. firm that assigned its researchers to hack into organizations' computers to demonstrate their security weaknesses, in hopes they would, in turn, hire the firm to help fix them. "They had me doing things that would be frowned upon today," he says -- including breaking into a server at 10 Downing Street. What started as a marketing strategy by the firm to win over new customers backfired with that high-profile hack, which put the company in hot water and served as a wake-up call.
"White-hat security was still very new ... I was lucky," he says. "It was completely the wrong approach, but at the time people were feeling their way [along] ... Very quickly I realized that it is all based on trust," Litchfield says.
Like most seasoned security researchers, Litchfield didn't start out as a security guy. He was studying zoology at Dundee University in 1995 when Sandra Bullock changed his life -- well, a movie Bullock starred in, "The Net," did.
"I said, 'That's what I want to do.' So I quit my zoology degree and taught myself as much as I [could] about" it, he says. He dropped out of college after deciding the computer science classes he was taking weren't teaching him anything he hadn't already learned on his own, and moved to London to look for work. His first job had nothing to do with computers, and he realized he needed additional qualifications to land work.
"I saw an advertisement about becoming a CNE [Certified Novell Engineer] or an MCSE [Microsoft Certified Systems Engineer]. I had no idea what it was at the time," he says. Litchfield couldn't afford the classes, so he purchased a CNE study guide and passed the test before ever touching a Novell box. That landed him his first "real" job, as a Novell administrator. He ended up in tech support and got his first hands-on experience in computer support, although none of it was security-related. "All the while I was teaching myself and studying for the MCSE," he says.
That's also when he began looking at the security aspects of Microsoft's Internet Information Server (IIS) platform -- schooling that ultimately led to Litchfield's breakthrough research in security flaws in Microsoft server technology in the early 2000s.
But today Litchfield is best-known for his laser focus on Oracle database security. He found what was then a new class of bug in Oracle software that could be used for lateral SQL injection attacks, as well as another previously unknown class of vulnerability that could be exploited for so-called "cursor-snarfing" attacks. Litchfield has even given Oracle public kudos: In 2010, he dropped a zero-day bug from Oracle's then-new 11g database at Black Hat DC while also giving Oracle a respectable "B+" grade for the security of 11g.
He's currently awaiting a visa to relocate from his native Scotland to the U.S. to work alongside his colleagues at Accuvant, where he is chief security architect. Aside from his responsibilities at Accuvant, he's also conducting new vulnerability research. "I'm trying to find new classes of attacks," Litchfield says, focusing mainly on databases. But pinpointing a new class of flaw is a lot harder than discovering an individual bug, he concedes.
Litchfield dismisses any connection between his passion for shark-diving and his security research. "None whatsoever," he says. "It's just something I enjoy and to get away from computers" and phones, he says of his shark-diving adventures.
He says the primal experience of seeing a Great White look right at you as he contemplates whether you're edible is thrilling. "When he turns toward you and looks at you, you can see a very primitive intelligence beyond those eyes as they twitch and look at you as you swim past," Litchfield says. "There's a connection there."
There may be some symmetry between shark-diving and information security when it comes to gauging risk, though. Here's how Litchfield describes the perceived dangers of shark-diving:
"Most sharks are safe to dive with, even Great Whites. Essentially, people are attacked when they aren't expecting it. If you are diving with sharks, you have done a risk assessment, and know what's going on, and there's usually a safe way of extricating yourself from a situation if things start going awry," he says.
- Worst day ever at work: 25th January 2003 when Slammer, the SQL Server 2000 worm, hit. It became quickly apparent that the code I had demonstrated at the Black Hat Security Briefings six months before had been used as a template. I felt awful. Thankfully, Slammer had no nasty payload and simply replicated, so the damage was minimal, but it was reported that some of the emergency response systems in Washington state had failed as a consequence. That was a bit of a wake-up call: realizing that what we do on the Internet can have very real repercussions in the real world.
- What your co-workers don't know about you that would surprise them: If there's something my co-workers don't know about me, it's probably best left that way. Flippant responses aside, there's nothing really surprising about me.
- Favorite team: I tend only to watch sports when events such as the Olympics are on, so it would probably be Team GB. I used to compete for Scotland doing the long jump and the decathlon. I was the junior national champion and had aspirations of making it to the Olympics myself, but a bad knee injury scuppered that.
- Favorite hangout: The ocean. I was probably an otter in a previous life.
- In Litchfield's music player right now: Last three songs played were "Crystallize" by Lindsey Stirling, "I Will Wait" by Mumford & Sons, and "Mr Rock and Roll" by Amy MacDonald
- His security must "have-nots:" No Java and no Flash.
- Comfort food: Sausages, baked beans, and mashed potatoes.
- Ride: Honda CRV.
- Favorite shark: One with its fins still on. Stop shark-finning!
- Most dangerous shark to dive with: Bull, tiger, and Great Whites
- Actor who would play him in a film: Someone once told me I looked like Sam Worthington, but another also said when they screwed their eyes, I could pass for Patrick Dempsey. I really hope not.
- Next career: A marine biologist.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.