Deep Dive With David Litchfield

Published: 22/11/2024   Category: security




Renowned database security researcher chats up shark-diving, bug-hunting -- and how Sandra Bullock killed his zoology degree



David Litchfield says he should have seen the attack coming: The 4-meter-long Great White had been unusually aggressive during a dive session last year. As the security researcher knelt outside the cage to snap a photo of the shark swimming by, the creature suddenly swung around and headed straight toward Litchfield, clamping its massive jaws down on the camera and grazing Litchfield's hand.
"I got a nice picture of the inside of its mouth. My hand got bit. It was a bit silly and shouldn't have [happened]," says Litchfield, who was able to retrieve the camera after the shark spat it out following an apparently unappetizing chew. Such an attack is rare because Great Whites are typically calm and inquisitive, Litchfield explains, and he blames himself for letting his guard down in that instant.
The photo Litchfield took when the shark came after him and his camera
The close encounter with the mouth of the Great White didn't deter Litchfield from continuing to shark-dive. He'll be back in the underwater shark cages this weekend off the Neptune Islands in South Australia, and he's planning an even more hard-core shark expedition this September off Guadalupe Island in the Pacific Ocean -- this time with no diving cage for refuge. "I will be fully out, swimming with [the Great Whites] with a safety diver carrying a six-foot long stick," he says. "I'm really looking forward to that. It will be much safer because the Guadalupe water is very clear, and the sharks are very placid."
Most people wouldn't characterize Great White sharks as placid, or safe, but, then again, most people aren't shark enthusiasts and daredevil security researchers like Litchfield, either. Not much rattles Litchfield, who not only has gone face-to-face with Jaws, but also has made a name for himself in security by taking on database giant Oracle and exposing gaping security holes in its mission-critical software.
Litchfield, 37, says his reputation as an Oracle security guru "sort of just happened." "I cut my teeth on exploiting Microsoft flaws. It wasn't until much later that I started looking at Oracle," Litchfield says. It was a natural progression, really, from studying how to exploit Web servers, he says: "Now we own the Web server, so we start looking at the database server."
Researcher David Litchfield
The turning point for Litchfield's database shift was probably in 2002, when he and some colleagues at NGSSoftware, a security firm he co-founded, started digging around Microsoft's SQL Server software for flaws. After he demonstrated a vulnerability he had discovered in the product at Black Hat that year, someone apparently weaponized the research, resulting in the infamous Slammer worm that hit big-time in January 2003. Slammer was a game-changing moment for Microsoft software security, as well as for the industry overall. "Someone had taken my exploit code ... It was one of those nightmare moments: Am I doing the right thing there?" Litchfield recalls.
It was the second time in his career that Litchfield had been shaken by the potential fallout of the early days of security research. His first hack was in 1997 while working for a U.K. firm that assigned its researchers to hack into organizations' computers to demonstrate their security weaknesses, in hopes the organizations would, in turn, hire the firm to help fix them. "They had me doing things that would be frowned upon today," he says -- including breaking into a server at 10 Downing Street. What started as a marketing strategy by the firm to win over new customers backfired after that high-profile hack, which put the company in hot water and served as a wake-up call.
"White-hat security was still very new ... I was lucky," he says. "It was completely the wrong approach, but at the time people were feeling their way [along] ... Very quickly I realized that it is all based on trust," Litchfield says.
Like most seasoned security researchers, Litchfield didn't start out as a security guy. He was studying zoology at Dundee University in 1995 when Sandra Bullock changed his life -- well, a movie Bullock starred in, The Net, did.
"I said, 'That's what I want to do.' So I quit my zoology degree and taught myself as much as I [could] about it," he says. He dropped out of college after deciding the computer science classes he was taking weren't teaching him anything he hadn't already learned on his own, and moved to London to look for work. His first job had nothing to do with computers, and he realized he needed additional qualifications to land work in the field.
"I saw an advertisement about becoming a CNE [Certified Novell Engineer] or an MCSE [Microsoft Certified Systems Engineer]. I had no idea what it was at the time," he says. Litchfield couldn't afford the classes, so he purchased a CNE study guide and passed the test before ever touching a Novell box. That landed him his first real job, as a Novell administrator; from there he moved into tech support, his first hands-on experience in the industry, though none of it was security-related. "All the while I was teaching myself and studying for the MCSE," he says.
That's also when he began looking at the security aspects of Microsoft's Internet Information Server (IIS) platform -- schooling that ultimately led to Litchfield's breakthrough research into security flaws in Microsoft server technology in the early 2000s.
But today Litchfield is best known for his laser focus on Oracle database security. He found what was then a new class of bug in Oracle software that could be used for lateral SQL injection attacks, as well as another previously unknown class of vulnerability that could be exploited for so-called cursor-snarfing attacks. Litchfield has even given Oracle public kudos: In 2010, he dropped a zero-day bug from Oracle's then-new 11g database at Black Hat DC while also giving Oracle a respectable B+ grade for the security of 11g.
He's currently awaiting a visa to relocate from his native Scotland to the U.S. to work alongside his colleagues at Accuvant, where he is chief security architect. Aside from his responsibilities at Accuvant, he's also conducting new vulnerability research. "I'm trying to find new classes of attacks," Litchfield says, focusing mainly on databases. But pinpointing a new class of flaw is a lot harder than discovering an individual bug, he concedes.
Litchfield dismisses any connection between his passion for shark-diving and his security research. "None whatsoever," he says. "It's just something I enjoy, and to get away from computers and phones," he says of his shark-diving adventures.
He says the primal experience of seeing a Great White look right at you while it contemplates whether you're edible is thrilling. "When he turns toward you and looks at you, you can see a very primitive intelligence beyond those eyes as they twitch and look at you as you swim past," Litchfield says. "There's a connection there."
There may be some symmetry between shark-diving and information security when it comes to gauging risk, though. Here's how Litchfield describes the perceived dangers of shark-diving:
"Most sharks are safe to dive with, even Great Whites. Essentially, people are attacked when they aren't expecting it. If you are diving with sharks, you have done a risk assessment, and know what's going on, and there's usually a safe way of extricating yourself from a situation if things start going awry," he says.
Sound familiar?
This December 2011 photo taken by Litchfield was selected as a picture of the day on National Geographics website
Worst day ever at work:
25th January 2003, when Slammer, the SQL Server 2000 worm, hit. It quickly became apparent that the code I had demonstrated at the Black Hat Security Briefings six months before had been used as a template. I felt awful. Thankfully, Slammer had no nasty payload and simply replicated, so the damage was minimal, but it was reported that some of the emergency response systems in Washington state had failed as a consequence. That was a bit of a wake-up call: realizing that what we do on the Internet can have very real repercussions in the real world.
What your co-workers dont know about you that would surprise them:
If theres something my co-workers don’t know about me, it’s probably best left that way. Flippant responses aside, there’s nothing really surprising about me.
Favorite team:
I tend only to watch sports when events such as the Olympics are on, so it would probably be Team GB. I used to compete for Scotland doing the long jump and the decathlon. I was the junior national champion and had aspirations of making it to the Olympics myself, but a bad knee injury scuppered that.
Favorite hangout:
The ocean. I was probably an otter in a previous life.
In Litchfields music player right now:
Last three songs played were Crystallize by Lindsey Stirling, I Will Wait by Mumford & Sons, and Mr Rock and Roll by Amy MacDonald
His security must have-nots:
No Java and no Flash.
Comfort food:
Sausages, baked beans, and mashed potatoes.
Ride:
Honda CRV.
Favorite shark:
One with its fins still on. Stop shark-finning!
Most dangerous shark to dive with:
Bull, tiger, and Great Whites
Actor who would play him in a film:
Someone once told me I looked like Sam Worthington, but another also said when they screwed their eyes, I could pass for Patrick Dempsey. I really hope not.
Next career:
A marine biologist.
