Dark Reading is part of the Informa Tech Division of Informa PLC

Vulnerabilities / Threats

1/8/2013
02:54 PM

Deep Dive With David Litchfield

Renowned database security researcher chats up shark-diving, bug-hunting -- and how Sandra Bullock killed his zoology degree

David Litchfield says he should have seen the attack coming: The 4-meter-long Great White had been unusually aggressive during a dive session last year. As the security researcher knelt outside the cage to snap a photo of the shark swimming by, the massive creature suddenly swung around and headed straight toward Litchfield, chomping down on the camera with his massive jaws and grazing Litchfield's hand.

"I got a nice picture of the inside of its mouth. My hand got bit. It was a bit silly and shouldn't have [happened]," says Litchfield, who was able to retrieve the camera after the shark spat it out after an apparently unappetizing chew. Such an attack is rare because Great Whites are typically calm and inquisitive, Litchfield explains, and he blames himself for letting his guard down in that instant.

Bite Me
The photo Litchfield took when the shark came after him and his camera

The close encounter with the mouth of the Great White shark didn't deter Litchfield from continuing to shark-dive. He'll be back in the underwater shark cages this weekend off the Neptune Islands in South Australia, and he's planning an even more hard-core shark expedition this September off Guadalupe Island in the Pacific Ocean -- this time with no diving cage for refuge. "I will be fully out, swimming with [the Great Whites] with a safety diver carrying a six-foot long stick," he says. "I'm really looking forward to that. It will be much safer because the Guadalupe water is very clear, and the sharks are very placid."

Most people wouldn't characterize Great White sharks as "placid," or safe, but, then again, most people aren't shark enthusiasts and daredevil security researchers like Litchfield, either. Not much rattles Litchfield, who not only has gone face-to-face with "Jaws," but also has made a name for himself in security by taking on database giant Oracle by exposing gaping security holes in its mission-critical software.

Litchfield, 37, says his reputation as an Oracle security guru sort of just happened. "I cut my teeth on exploiting Microsoft flaws. It wasn't until much later that I started looking at Oracle," Litchfield says. It was a natural progression, really, from studying how to exploit Web servers, he says. "Now we own the Web server, so we start looking at the database server," he explains.

Researcher David Litchfield

The turning point for Litchfield's database shift was probably in 2002, when he and some colleagues at NGSSoftware, a security firm he co-founded, started digging around Microsoft's SQL Server software for flaws. After demonstrating at Black Hat that year a vulnerability he discovered in the product, someone apparently weaponized the research, resulting in the infamous Slammer worm that hit big-time in January 2003. Slammer was a game-changing moment for Microsoft software security, as well as for the industry overall. "Someone had taken my exploit code ... It was one of those nightmare moments: Am I doing the right thing there?" Litchfield recalls.

It was the second time in his career that Litchfield had been shaken by the potential fallout of the early days of security research. His first hack was in 1997 while working for a U.K. firm that assigned its researchers to hack into organizations' computers to demonstrate to them their security weaknesses, in hopes they would, in turn, hire the firm to help fix them. "They had me doing things that would be frowned upon today," he says -- including breaking into a server at 10 Downing Street. What started as a marketing strategy by the firm to win over new customers backfired after that high-profile hack that put the company in hot water and served as a wake-up call.

"White-hat security was still very new ... I was lucky," he says. "It was completely the wrong approach, but at the time people were feeling their way [along] ... Very quickly I realized that it is all based on trust," Litchfield says.

Like most seasoned security researchers, Litchfield didn't start out as a security guy. He was studying zoology at Dundee University in 1995 when Sandra Bullock changed his life -- well, a movie Bullock starred in, "The Net," did.

"I said, 'That's what I want to do.' So I quit my zoology degree and taught myself as much as I [could] about" it, he says. He dropped out of college after deciding the computer science classes he was taking weren't teaching him anything he hadn't already learned on his own, and moved to London to look for work. His first job had nothing to do with computers, and he realized he needed additional qualifications to land work.

"I saw an advertisement about becoming a CNE [Certified Novell Engineer] or an MCSE [Microsoft Certified Solutions Expert]. I had no idea what it was at the time," he says. Litchfield couldn't afford the classes, so he purchased a CNE study guide and passed the test before ever touching a Novell box. That landed him his first "real" job, as a Novell administrator. He ended up in tech support and got his first hands-on experience in computer support, although none of it was security-related. "All the while I was teaching myself and studying for the MCSE," he says.

That's also when he began looking at the security aspects of Microsoft's Information Server platform -- schooling that ultimately led to Litchfield's breakthrough research in security flaws in Microsoft server technology in the early 2000s.

But today Litchfield is best-known for his laser focus on Oracle database security. He found what was then a new class of bug in Oracle software that could be used for lateral SQL injection attacks, as well as another previously unknown class of vulnerability that could be exploited for so-called "cursor-snarfing" attacks. Litchfield has even given Oracle public kudos: In 2010, he dropped a zero-day bug from Oracle's then-new 11g database at Black Hat DC while also giving Oracle a respectable "B+" grade for the security of 11g.

He's currently awaiting a visa to relocate from his native Scotland to the U.S. to work alongside his colleagues at Accuvant, where he is chief security architect. Aside from his responsibilities at Accuvant, he's also conducting new vulnerability research. "I'm trying to find new classes of attacks," Litchfield says, focusing mainly on databases. But pinpointing a new class of flaw is a lot harder than discovering an individual bug, he concedes.

Litchfield dismisses any connection between his passion for shark-diving and his security research. "None whatsoever," he says. "It's just something I enjoy and to get away from computers" and phones, he says of his shark-diving adventures.

He says the primal experience of seeing a Great White look right at you as he contemplates whether you're edible is thrilling. "When he turns toward you and looks at you, you can see a very primitive intelligence beyond those eyes as they twitch and look at you as you swim past," Litchfield says. "There's a connection there."

There may be some symmetry with shark-diving and information security when it comes to gauging risk, though. Here's how Litchfield describes the perceived dangers of shark-diving:

"Most sharks are safe to dive with, even Great Whites. Essentially, people are attacked when they aren't expecting it. If you are diving with sharks, you have done a risk assessment, and know what's going on, and there's usually a safe way of extricating yourself from a situation if things start going awry," he says.

Sound familiar?

This December 2011 photo taken by Litchfield was selected as a picture of the day on National Geographic's website

PERSONALITY BYTES

  • Worst day ever at work: 25th January 2003 when Slammer, the SQL Server 2000 worm, hit. It became quickly apparent that the code I had demonstrated at the Black Hat Security Briefings six months before had been used as a template. I felt awful. Thankfully, Slammer had no nasty payload and simply replicated, so the damage was minimal, but it was reported that some of the emergency response systems in Washington state had failed as a consequence. That was a bit of a wake-up call: realizing that what we do on the Internet can have very real repercussions in the real world.
  • What your co-workers don't know about you that would surprise them: If there's something my co-workers don’t know about me, it’s probably best left that way. Flippant responses aside, there’s nothing really surprising about me.
  • Favorite team: I tend only to watch sports when events such as the Olympics are on, so it would probably be Team GB. I used to compete for Scotland doing the long jump and the decathlon. I was the junior national champion and had aspirations of making it to the Olympics myself, but a bad knee injury scuppered that.
  • Favorite hangout: The ocean. I was probably an otter in a previous life.
  • In Litchfield's music player right now: Last three songs played were "Crystallize" by Lindsey Stirling, "I Will Wait" by Mumford & Sons, and "Mr Rock and Roll" by Amy MacDonald.
  • His security must "have-nots": No Java and no Flash.
  • Comfort food: Sausages, baked beans, and mashed potatoes.
  • Ride: Honda CRV.
  • Favorite shark: One with its fins still on. Stop shark-finning!
  • Most dangerous shark to dive with: Bull, tiger, and Great Whites
  • Actor who would play him in a film: Someone once told me I looked like Sam Worthington, but another also said when they screwed their eyes, I could pass for Patrick Dempsey. I really hope not.
  • Next career: A marine biologist.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...