1/8/2013 02:54 PM
Deep Dive With David Litchfield

Renowned database security researcher chats up shark-diving, bug-hunting -- and how Sandra Bullock killed his zoology degree

David Litchfield says he should have seen the attack coming: The 4-meter-long Great White had been unusually aggressive during a dive session last year. As the security researcher knelt outside the cage to snap a photo of the shark swimming by, the massive creature suddenly swung around and headed straight toward Litchfield, chomping down on the camera with its jaws and grazing Litchfield's hand.

"I got a nice picture of the inside of its mouth. My hand got bit. It was a bit silly and shouldn't have [happened]," says Litchfield, who was able to retrieve the camera after the shark spat it out after an apparently unappetizing chew. Such an attack is rare because Great Whites are typically calm and inquisitive, Litchfield explains, and he blames himself for letting his guard down in that instant.

Bite Me
The photo Litchfield took when the shark came after him and his camera

The close encounter with the mouth of the Great White shark didn't deter Litchfield from continuing to shark-dive. He'll be back in the underwater shark cages this weekend off the Neptune Islands in South Australia, and he's planning an even more hard-core shark expedition this September off Guadalupe Island in the Pacific Ocean -- this time with no diving cage for refuge. "I will be fully out, swimming with [the Great Whites] with a safety diver carrying a six-foot long stick," he says. "I'm really looking forward to that. It will be much safer because the Guadalupe water is very clear, and the sharks are very placid."

Most people wouldn't characterize Great White sharks as "placid," or safe, but, then again, most people aren't shark enthusiasts and daredevil security researchers like Litchfield, either. Not much rattles Litchfield, who not only has gone face-to-face with "Jaws," but also has made a name for himself in security by taking on database giant Oracle by exposing gaping security holes in its mission-critical software.

Litchfield, 37, says his reputation as an Oracle security guru sort of just happened. "I cut my teeth on exploiting Microsoft flaws. It wasn't until much later that I started looking at Oracle," Litchfield says. It was a natural progression, really, from studying how to exploit Web servers, he says. "Now we own the Web server, so we start looking at the database server," he explains.

Researcher David Litchfield

The turning point for Litchfield's database shift was probably in 2002, when he and some colleagues at NGSSoftware, a security firm he co-founded, started digging around Microsoft's SQL Server software for flaws. After demonstrating at Black Hat that year a vulnerability he discovered in the product, someone apparently weaponized the research, resulting in the infamous Slammer worm that hit big-time in January 2003. Slammer was a game-changing moment for Microsoft software security, as well as for the industry overall. "Someone had taken my exploit code ... It was one of those nightmare moments: Am I doing the right thing there?" Litchfield recalls.

It was the second time in his career that Litchfield had been shaken by the potential fallout of security research in its early days. His first hack was in 1997, while working for a U.K. firm that assigned its researchers to break into organizations' computers to demonstrate their security weaknesses, in hopes the organizations would, in turn, hire the firm to help fix them. "They had me doing things that would be frowned upon today," he says -- including breaking into a server at 10 Downing Street. What started as a marketing strategy to win over new customers backfired: the high-profile hack put the company in hot water and served as a wake-up call.

"White-hat security was still very new ... I was lucky," he says. "It was completely the wrong approach, but at the time people were feeling their way [along] ... Very quickly I realized that it is all based on trust," Litchfield says.

Like most seasoned security researchers, Litchfield didn't start out as a security guy. He was studying zoology at Dundee University in 1995 when Sandra Bullock changed his life -- well, a movie Bullock starred in, "The Net," did.

"I said, 'That's what I want to do.' So I quit my zoology degree and taught myself as much as I [could] about" it, he says. He dropped out of college after deciding the computer science classes he was taking weren't teaching him anything he hadn't already learned on his own, and moved to London to look for work. His first job had nothing to do with computers, and he realized he needed additional qualifications to land work.

"I saw an advertisement about becoming a CNE [Certified Novell Engineer] or an MCSE [Microsoft Certified Solutions Expert]. I had no idea what it was at the time," he says. Litchfield couldn't afford the classes, so he purchased a CNE study guide and passed the test before ever touching a Novell box. That landed him his first "real" job, as a Novell administrator. He ended up in tech support, where he got his first hands-on computer experience, although none of it was security-related. "All the while I was teaching myself and studying for the MCSE," he says.

That's also when he began looking at the security aspects of Microsoft's Information Server platform -- schooling that ultimately led to Litchfield's breakthrough research in security flaws in Microsoft server technology in the early 2000s.

But today Litchfield is best-known for his laser focus on Oracle database security. He found what was then a new class of bug in Oracle software that could be used for lateral SQL injection attacks, as well as another previously unknown class of vulnerability that could be exploited for so-called "cursor-snarfing" attacks. Litchfield has even given Oracle public kudos: In 2010, he dropped a zero-day bug from Oracle's then-new 11g database at Black Hat DC while also giving Oracle a respectable "B+" grade for the security of 11g.

He's currently awaiting a visa to relocate from his native Scotland to the U.S. to work alongside his colleagues at Accuvant, where he is chief security architect. Aside from his responsibilities at Accuvant, he's also conducting new vulnerability research. "I'm trying to find new classes of attacks," Litchfield says, focusing mainly on databases. But pinpointing a new class of flaw is a lot harder than discovering an individual bug, he concedes.

Litchfield dismisses any connection between his passion for shark-diving and his security research. "None whatsoever," he says. "It's just something I enjoy and to get away from computers" and phones, he says of his shark-diving adventures.

He says the primal experience of seeing a Great White look right at you as he contemplates whether you're edible is thrilling. "When he turns toward you and looks at you, you can see a very primitive intelligence beyond those eyes as they twitch and look at you as you swim past," Litchfield says. "There's a connection there."

There may be some symmetry with shark-diving and information security when it comes to gauging risk, though. Here's how Litchfield describes the perceived dangers of shark-diving:

"Most sharks are safe to dive with, even Great Whites. Essentially, people are attacked when they aren't expecting it. If you are diving with sharks, you have done a risk assessment, and know what's going on, and there's usually a safe way of extricating yourself from a situation if things start going awry," he says.

Sound familiar?

This December 2011 photo taken by Litchfield was selected as a picture of the day on National Geographic's website

PERSONALITY BYTES

  • Worst day ever at work: 25th January 2003 when Slammer, the SQL Server 2000 worm, hit. It became quickly apparent that the code I had demonstrated at the Black Hat Security Briefings six months before had been used as a template. I felt awful. Thankfully, Slammer had no nasty payload and simply replicated, so the damage was minimal, but it was reported that some of the emergency response systems in Washington state had failed as a consequence. That was a bit of a wake-up call: realizing that what we do on the Internet can have very real repercussions in the real world.
  • What your co-workers don't know about you that would surprise them: If there's something my co-workers don’t know about me, it’s probably best left that way. Flippant responses aside, there’s nothing really surprising about me.
  • Favorite team: I tend only to watch sports when events such as the Olympics are on, so it would probably be Team GB. I used to compete for Scotland doing the long jump and the decathlon. I was the junior national champion and had aspirations of making it to the Olympics myself, but a bad knee injury scuppered that.
  • Favorite hangout: The ocean. I was probably an otter in a previous life.
  • In Litchfield's music player right now: Last three songs played were "Crystallize" by Lindsey Stirling, "I Will Wait" by Mumford & Sons, and "Mr Rock and Roll" by Amy MacDonald
  • His security must "have-nots": No Java and no Flash.
  • Comfort food: Sausages, baked beans, and mashed potatoes.
  • Ride: Honda CRV.
  • Favorite shark: One with its fins still on. Stop shark-finning!
  • Most dangerous shark to dive with: Bull, tiger, and Great Whites
  • Actor who would play him in a film: Someone once told me I looked like Sam Worthington, but another also said when they screwed their eyes, I could pass for Patrick Dempsey. I really hope not.
  • Next career: A marine biologist.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
