
Black Hat DC 2008 Speaker List

Black Hat DC 2008 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Birds of a Feather #1 - CyberCOPS (Not the TV series)

Ovie Carroll, Jim Christy, Andy Fried, Ken Privette, SA David Trosch

Join some of the longest running cybercops in a reality session not made for TV. Hang out on the front lines to learn about the most sophisticated attacks happening so far this year. We don't expect to win an Emmy, but we might get a Pwnie.



Panelists

  • Ovie Carroll is the Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS). The Cybercrime lab is responsible for providing computer forensic and other technical support to CCIPS and other DOJ attorneys as it applies to implementing the Department's national strategies in combating computer and intellectual property crimes worldwide.

    Mr. Carroll has 20 years of law enforcement experience. Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Computer Crimes Unit at the United States Postal Service, Office of Inspector General, responsible for all computer intrusion investigations within the USPS network infrastructure and for providing all computer forensic analysis in support of USPS-OIG investigations and audits.

    Mr. Carroll has also served as the Chief, Computer Investigations and Operations Branch, Air Force Office of Special Investigations, Washington Field Office where he was responsible for coordinating all national level computer intrusions occurring within the United States Air Force.

  • Jim Christy is a retired special agent who specialized in cyber crime investigations and digital evidence for over 22 of his 36 years of federal service. Jim returned to the federal government as an IPA and is currently the Director of Futures Exploration for the Defense Cyber Crime Center (DC3); he was profiled in Wired Magazine in January 2007.

  • Andrew Fried is a Senior Special Agent with the Treasury Inspector General for Tax Administration's System Intrusion and Network Attack Response Team (SINART). His organization is responsible for investigating computer security incidents involving the Internal Revenue Service.

    During his 17 year career with Treasury, he is credited with developing his agency's Computer Investigative Specialist (CIS) program, whose members are responsible for analyzing seized computers, as well as the SINART program, whose mission is to investigate computer intrusions and conduct pro-active network penetration testing.

    In 1986, while working at the Kennedy Space Center, he developed one of the first suites of software programs specifically designed for analyzing seized computers. His software was distributed, free of charge, to law enforcement agencies throughout the world.

  • Ken Privette works as the Special Agent in Charge of the Technical Investigations Division (TID) at the USPS Office of Inspector General. He manages three programs: the Polygraph Program and two digital evidence programs, the Technical Operations Unit and the Computer Crimes Unit (CCU). The TID conducts computer crime investigations and provides computer forensics support to a force of 600 agents who conduct fraud and internal crime investigations for the U.S. Postal Service. Over the past two years, Ken's team has doubled in size and now manages a forensic workload of more than 900 requests per year. Through a creative partnership with the Postal Service's CIO, his team has pioneered new computer forensics initiatives such as remotely imaging computers across the Postal Service infrastructure and proactively mining computer crime cases from Postal data. This partnership has also cut the turnaround time for critical investigative data by as much as 75% through the leveraging of technologies and partnerships.

    Ken spent much of his professional life as a Special Agent with the Naval Criminal Investigative Service both overseas and state-side where he conducted investigations involving computer crime, terrorism, and counterintelligence matters.

Keynote - Quest for the Holy Grail

Jerry Dixon

Online fraud has become pervasive and is increasing at an alarming rate, affecting all organizations, private and public. This talk will provide an overview of current trends affecting both government and private sector companies, what enables online fraud, what some of the barriers are, and suggestions for what organizations should be doing to combat the problem.



Jerry Dixon is Vice President for Government Relations of the InfraGard National Members Alliance, serves as Director of Analysis for Team Cymru, and is the former Executive Director of the National Cyber Security Division (NCSD) and US-CERT at the Department of Homeland Security. During his time at Homeland Security, Jerry led the national effort to protect America's cyber infrastructure and identify cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, and local government agencies and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response. Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the operational cyber security capability for the IRS and developed its ability to detect and respond to attacks in order to protect American taxpayers' private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.

Birds of a Feather #2 - Cyber Commission Recommendations

Jerry Dixon, Tom Kellermann, James Andrew Lewis, Amit Yoran

The commission overview is: The Center for Strategic and International Studies (CSIS) proposes to establish a Commission on Cyber Security for the 44th Presidency, the administration that will take office in January 2009. The goal of the commission would be to identify a strategy and set of recommendations for the next administration to move ahead in securing cyber space. The Commission would complete its work by December 2008.

There has been much improvement in securing cyberspace in the last five years, but much still needs to be done. The starting point for the Commission's work would be the progress that has been made to date. The Commission will examine existing plans and strategies to assess what a new administration should continue, what it should change, and what new policies should be adopted or new authorities sought from Congress. Issues for consideration will include infrastructure protection, software assurance, federal agency cyber security, and information security initiatives in both the public and private sectors. As part of its work, the Commission will review how the Federal government organizes its cybersecurity efforts and make recommendations for improvement. It will examine existing legal authorities for cyber security and identify where new authorities (including incentives) are necessary.

The Commission will be a bipartisan group composed of twenty to twenty-five experts drawn from the cyber security policy community and from the private sector. It will be co-chaired by leaders from Congress and the private sector. The work of the Commissioners will be reinforced by a private sector advisory group composed of representatives from companies and associations, and by the ex officio participation of relevant federal officials.



Panelists

  • Jerry Dixon is Vice President for Government Relations of the InfraGard National Members Alliance, serves as Director of Analysis for Team Cymru, and is the former Executive Director of the National Cyber Security Division (NCSD) and US-CERT at the Department of Homeland Security. During his time at Homeland Security, Jerry led the national effort to protect America's cyber infrastructure and identify cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, and local government agencies and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response. Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the operational cyber security capability for the IRS and developed its ability to detect and respond to attacks in order to protect American taxpayers' private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.

  • Tom Kellermann is responsible for building Core's relationships with key industry and government partners and for helping further the acceptance of auditing security defenses to reduce organizations' operational risk. Additionally, Kellermann represents Core at US, international and industry security working groups, helping these organizations promote improved security practices and policies. Specifically, Tom is a Commissioner and Chair of the Threats Working Group on The Commission on Cyber Security for the 44th Presidency. Tom also serves as the Chair of the Technology Working Group for the Financial Coalition Against Child Pornography.

    Tom Kellermann formerly held the position of Senior Data Risk Management Specialist on the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and policy management within the World Bank Treasury. Tom regularly advised central banks around the world on their cyber-risk posture and layered security architectures. Along with Thomas Glaessner and Valerie McNevin, he co-authored the book E-safety and Soundness: Securing Finance in a New Age and the White Paper E-security: Risk Mitigation in Financial Transactions. Tom is also the author of numerous World Bank white papers on cyber security:

    • Mobile Risk Management
    • The Digital Insider
    • Phishing in Digital Streams
    • Bots: Cyber Parasites
    • Zero Day
    • Money Laundering in Cyberspace
    See: http://www.worldbank.org/finance/esecurity

  • James Andrew Lewis is a Senior Fellow at the Center for Strategic and International Studies and directs its Technology and Public Policy program. He joined CSIS after fifteen years in the U.S. Foreign Service and Senior Executive Service. His assignments included the U.S. Central American Task Force, the U.S. Southern Command (for Just Cause), and the U.S. Central Command (for Desert Shield). From 1991 to 2000, Lewis was responsible for policies on commercial remote sensing, satellite exports, encryption, and technology transfers and high-tech trade with China and other nations. His diplomatic experience included military basing negotiations in Asia, the Cambodia Peace Process, and the Five Power Talks on Arms Transfer Restraint. Lewis led the U.S. delegation to the Wassenaar Arrangement Experts Group for advanced civil and military technologies.

    Lewis has authored numerous reports at CSIS, including 'Assessing the Risk of Cyber Terrorism', 'China as a Military Space Competitor', 'Globalization and National Security', 'The Limits of Conventional Arms Control', 'Strengthening Law Enforcement Capabilities for Counterterrorism', 'Beyond CFIUS', 'Spectrum Management for the 21st Century', 'Waiting for Sputnik: Basic Research and National Security', 'China's Information Technology Industry', and 'Intellectual Property and Innovation'. Lewis appears frequently in the press and serves on several Federal advisory boards. His current research involves innovation and economic change; internet policy and information technology; space; and intelligence reform. He received his Ph.D. from the University of Chicago in 1984.

  • Since completing a management buyout from ManTech in 2006, Amit Yoran has served as the Chairman and CEO of NetWitness Corporation, a leading provider of network security analytic products. Prior to NetWitness he was Director of the National Cyber Security Division of Homeland Security, and served as CEO of and advisor to In-Q-Tel, the venture capital arm of the CIA. Formerly Mr. Yoran served as the Vice President of Worldwide Managed Security Services at the Symantec Corporation. Mr. Yoran was the co-founder of Riptech, a market leading IT security company, and served as its CEO until the company was acquired by Symantec in 2002. He formerly served as an officer in the United States Air Force in the Department of Defense's Computer Emergency Response Team.

    Mr. Yoran serves as an independent director on the boards of several security technology companies, including Guardium, Digital Sandbox, and IronKey. He previously served on the board of Cyota until the company's acquisition by RSA in 2006, on the board of Guidance Software (GUID) through the company's successful IPO in 2007, and as an advisor to IntruVert Networks until the company's acquisition by McAfee in 2003.

    Mr. Yoran received a Master of Science degree from the George Washington University and Bachelor of Science from the United States Military Academy at West Point.

Side Channel Analysis on Embedded Systems: Impact and Countermeasures

Job De Haas, Riscure

For 10 years Side Channel Analysis and its related attacks have been the primary focus in the field of smart cards. These cryptographic devices are built with the primary objective to resist tampering and guard secrets. While embedded systems often have a lower security profile, such attacks are also becoming real for these devices. An example is the latest attack on the Xbox 360. This talk explores the use and impact of Side Channel Analysis on embedded systems. At the same time different countermeasures are available to defend against Side Channel Analysis. The options for developers to mitigate the impact of such attacks will be examined.



Job De Haas holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, PDAs, VoIP enabled devices and a range of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics that are based on Sparc, MIPS, Intel and ARM processors.

At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has researched the security features and weaknesses of embedded technology for many years.

Job has a long speaking history at international conferences, including talks on kernel-based attacks, security of mobile technologies such as GSM, SMS and WAP, and the reverse engineering of embedded devices.



Bad Sushi - Beating Phishers at Their Own Game

Nitesh Dhanjani, Senior Manager and Leader of Application Security Services, Ernst & Young LLP

Billy Rios, Microsoft


This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens, including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.

Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work, and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.

This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.

This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.



Nitesh Dhanjani - In addition to being an actual reincarnation of Dawkins' Spaghetti Monster, Nitesh Dhanjani is also a rare type of Blowfish that is poisonous to phishermen across the world. Once netted, Dhanjani's poison quickly disables the phishermen and spreads to their prized lines and lures. Currently, only two individuals, namely Chuck Norris and Bruce Schneier, are known to handle this toxic poison without fear of death.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Entertainment Talk - Social Engineering

Peter Earnest, Founding Executive Director of the International Spy Museum


Get the inside story from a true insider. Peter Earnest will share his expertise in espionage. Once Peter has shared his exclusive accounts, the audience is invited to join in an open-ended discussion.



Peter Earnest is the founding executive director of the International Spy Museum and a 35-year veteran of the Central Intelligence Agency (CIA). He served 25 years as a case officer in its Clandestine Service, primarily in Europe and the Middle East. He ran a wide range of intelligence collection and covert action operations, including counterintelligence and double agent operations, working with the Federal Bureau of Investigation and military intelligence. Assigned to the Office of the Director of Central Intelligence, he served as an Inspector with the Inspector General, liaison with the U.S. Senate, and director of media relations and spokesman. A member of the Senior Intelligence Service, he received the CIA's Medal of Merit and Career Intelligence Medal. He is Chairman of the Board of the Association for Intelligence Officers (AFIO). As Museum director, he has played a leading role in its extraordinary success as a Washington attraction, and he has frequently been interviewed by the major media in radio, TV, and the press on current intelligence issues.

IO in the Cyber Domain, Immunity Style

Sinan Eren, VP of Research, Immunity

This presentation will discuss techniques to attack secure networks and successfully conduct long term penetrations into them. New Immunity technologies for large scale client-side attacks will be demonstrated as will a methodology for high-value target attack. Design decisions for specialized trojans, attack techniques, and temporary access tools will be discussed and evaluated.



Sinan Eren is the VP for Research for Immunity, Inc., a Miami Beach based offensive information security company. He is responsible for ongoing research into hardware based trojans (Immplant), next generation attack frameworks (PINK), binary analysis and software exploitation.



Biometric and Token-Based Access Control Systems

Zac Franken, Freelance Security Consultant

This talk gives an overview and demonstration of common access control and biometric systems, covers the key elements of their implementation, and includes an in-depth technical analysis of their common weaknesses.

I will then demonstrate bespoke hardware developed to perform an attack that renders most access control systems useless.



Zac Franken is a freelance consultant based in the UK with over 20 years of computing and security experience. At present he is researching physical access control systems. He started work back in ’87 as a Unix Systems Administrator and founded one of the UK’s top Internet development shops in ’94. His work has been quoted in the international press and he is a frequent speaker at security conferences. Zac has been Operations Director for DefCon so long that he can no longer be officially considered sane.



Comments to Follow the Keynote

Andy Fried, IRS

After Jerry Dixon's keynote, Andy Fried will give more details about the latest phishing challenges related to the IRS.

Andy Fried is a Senior Special Agent with the Treasury Inspector General for Tax Administration's System Intrusion and Network Attack Response Team (SINART). His organization is responsible for investigating computer security incidents involving the Internal Revenue Service.

During his 17 year career with Treasury, he is credited with developing his agency's Computer Investigative Specialist (CIS) program, whose members are responsible for analyzing seized computers, as well as the SINART program, whose mission is to investigate computer intrusions and conduct pro-active network penetration testing.

In 1986, while working at the Kennedy Space Center, he developed one of the first suites of software programs specifically designed for analyzing seized computers. His software was distributed, free of charge, to law enforcement agencies throughout the world.



Threats to the 2008 Presidential Election

Oliver Friedrichs, Symantec Corporation

While we first saw the Internet used extensively during the 2004 Presidential election, its use in future presidential elections will clearly overshadow it. This session focuses on the 2008 presidential election in order to demonstrate the risks involved, however our findings may just as well apply to any future election.

It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively communicate their positions, rally supporters, and seek to sway critics. These risks include among others the dissemination of misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving the diversion of online campaign donations have the potential to threaten voters' faith in our electoral system.

We will show that many of the same risks that we have grown accustomed to on the Internet can also manifest themselves when applied to the election process. A number of past studies have discussed a broad spectrum of election fraud such as the casting of fraudulent votes and the security, risks, and challenges of electronic voting. Our discussion will focus exclusively on Internet-borne threats, and how they have the potential to impact the election process leading up to voting day.

We will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become.

Secondly, we will discuss the potential impact of phishing on an election. Thirdly, we will discuss the impact of security risks and malicious code, and the potential for misinformation that may present itself using any of these vectors. This set of risks crosses technical, social, and psychological boundaries. While traditional forms of malicious code certainly play an important role, social engineering and deception provide equal potential and have a more ominous psychological impact on voters who are exercising their right to elect their next president, or cast their vote in any other type of election.

This session consists of a combination of active research conducted by the presenter as well as discussion on how current threats may be customized. In order to determine the impact of typo squatting and domain name speculation for example, we performed an analysis of 2008 presidential election candidate web sites and discovered numerous examples of abuse.
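As an added example (not the presenter's research code or necessarily the method used in the analysis above), one way to enumerate the typo-squat candidates such an analysis checks against live registrations. The domain used is a constructed placeholder; the QWERTY-adjacency table, the variant classes and the `resolves` check are this example's own assumptions.

```python
"""Generate typo-squat candidates for a domain, the list an analyst then
resolves or looks up in WHOIS to see which variants someone has registered.
Added illustration; the variant classes and keyboard map are assumptions of
this example, not the method used in the talk."""
import socket

# QWERTY neighbours, used for fat-finger substitutions (assumed layout).
_ADJACENT = {
    "q": "wa", "w": "qesa", "e": "wrds", "r": "etfd", "t": "rygf", "y": "tuhg",
    "u": "yijh", "i": "uokj", "o": "iplk", "p": "ol", "a": "qwsz", "s": "wedxza",
    "d": "erfcxs", "f": "rtgvcd", "g": "tyhbvf", "h": "yujnbg", "j": "uikmnh",
    "k": "iolmj", "l": "opk", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
_VOWELS = "aeiou"
_OTHER_TLDS = ("net", "org", "us", "info")   # speculation targets, assumed list


def _label_variants(label):
    """Single-edit typos of one DNS label: omission, doubled key,
    transposition, adjacent-key substitution and vowel swap."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                    # omission
        out.add(label[:i] + ch + ch + label[i + 1:])          # doubled key
        if i + 1 < len(label):                                # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for near in _ADJACENT.get(ch, ""):                    # fat finger
            out.add(label[:i] + near + label[i + 1:])
        if ch in _VOWELS:                                     # vowel swap
            for v in _VOWELS.replace(ch, ""):
                out.add(label[:i] + v + label[i + 1:])
    out.discard(label)
    return {v for v in out if v and not v.startswith("-") and not v.endswith("-")}


def typo_variants(domain):
    """All candidate squat domains for `domain`: typos of the label under the
    real TLD, plus the real label under a few alternative TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    variants = {f"{v}.{tld}" for v in _label_variants(label)}
    variants |= {f"{label}.{t}" for t in _OTHER_TLDS if t != tld}
    variants.discard(domain.lower())
    return variants


def resolves(domain, timeout=2.0):
    """True if the name currently has an address record: the check an analyst
    runs over the candidate list. Not called at import time, so the module
    works offline."""
    socket.setdefaulttimeout(timeout)
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for name in sorted(typo_variants("example.com")):  # constructed sample input
        print(name)
```

The candidate list is deliberately over-inclusive; the interesting output is the subset that `resolves` (or a WHOIS query) shows as registered by someone other than the campaign, which is the abuse the analysis above measures.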



Oliver Friedrichs is director of emerging technologies in Symantec Security Response. In this role he oversees Symantec Advanced Threat Research, a team of experts specializing in the analysis of future threats and emerging technologies.

Friedrichs served as co-founder and director of Engineering at SecurityFocus until the company’s acquisition by Symantec in 2002. Friedrichs managed the development of DeepSight Threat Management System, the industry’s first early warning technology for Internet attacks.

Prior to joining SecurityFocus, Friedrichs served as co-founder and vice president of Engineering at Secure Networks, Inc., where he architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner after being acquired by Network Associates.

Friedrichs also architected and developed a prototype of the industry’s first commercial penetration testing product, codenamed SNIPER. The technology was acquired by Core Security Technologies in 2001 and further developed to become CORE IMPACT, the company's flagship product and market leader for automated penetration testing.

Friedrichs has more than 15 years of expertise in security technologies including network assessment, intrusion detection systems, firewalls, penetration testing and honeypots. As a frequent speaker, he has shared his expertise with many of the world’s most powerful organizations including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.

Developments in Cisco IOS Forensics

FX, Recurity Labs GmbH

Attacks on network infrastructure are not a new field. However, the increasing default protections in common operating systems, platforms and development environments increase interest in the less protected infrastructure sector. Today, performing in-depth crash analysis or digital forensics is almost impossible on the most widely used routing platform. This talk will show new developments in this sector and query the audience for their experience, input and wishes.



Felix ‘FX’ Lindner runs Recurity Labs. FX has over 10 years of experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments.

FX is well known in the computer security community and has presented his and Phenoelit's security research on Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.

Cracking GSM

David Hulton and Steve, Pico Computing, Inc.

This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for 900 USD. The second part of the talk unravels a practical solution to crack the GSM encryption A5/1.
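For reference, the cipher the second half of the talk targets, as an added Python illustration (not the presenters' code or their cracking method): A5/1's three short LFSRs with majority clocking, following the register widths, taps, key-loading order and 100 warm-up clocks of the 1999 public reference implementation; the key and frame number used at the bottom are that implementation's self-test vector. The whole internal state is 64 bits, loaded from the session key and a public 22-bit frame number, which is what makes precomputation-based attacks on it plausible.

```python
"""A5/1 keystream generator: three LFSRs (19, 22 and 23 bits) with majority
clocking, keyed by the 64-bit Kc and the 22-bit frame number. Conventions
follow the 1999 public reference implementation. Added illustration, not
the presenters' code."""

R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # register widths
R1MID, R2MID, R3MID = 1 << 8, 1 << 10, 1 << 10           # clock-control taps
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1OUT, R2OUT, R3OUT = 1 << 18, 1 << 21, 1 << 22          # output taps


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift one register left, feeding back the parity of its tap bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, key, frame):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                 # key, LSB of byte 0 first
            self._step_all((key[i // 8] >> (i & 7)) & 1)
        for i in range(22):                 # public frame number, LSB first
            self._step_all((frame >> i) & 1)
        for _ in range(100):                # warm-up, output discarded
            self._step_majority()

    def _step_all(self, bit):
        """Clock all three registers and XOR `bit` into each low bit."""
        self.r1 = _step(self.r1, R1MASK, R1TAPS) ^ bit
        self.r2 = _step(self.r2, R2MASK, R2TAPS) ^ bit
        self.r3 = _step(self.r3, R3MASK, R3TAPS) ^ bit

    def _step_majority(self):
        """Clock only the registers whose control bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1MID), bool(self.r2 & R2MID), bool(self.r3 & R3MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def burst(self):
        """Next 114 keystream bits, packed MSB-first into 15 bytes."""
        out = bytearray(15)
        for i in range(114):
            self._step_majority()
            bit = _parity(self.r1 & R1OUT) ^ _parity(self.r2 & R2OUT) ^ _parity(self.r3 & R3OUT)
            out[i // 8] |= bit << (7 - (i & 7))
        return bytes(out)


def keystream(key, frame):
    """(downlink, uplink) keystream bursts for one frame; XOR with the burst
    payload to encrypt or decrypt."""
    gen = A51(key, frame)
    return gen.burst(), gen.burst()


if __name__ == "__main__":
    # Key and frame number from the reference implementation's self-test.
    down, up = keystream(bytes.fromhex("1223456789ABCDEF"), 0x134)
    print(down.hex(), up.hex())
```

Because the frame number is sent in clear and only 228 keystream bits per frame depend on the 64-bit key, an attacker who captures a burst with known plaintext needs only to recover the register state, which is the problem the talk's hardware-assisted approach addresses.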



David Hulton and Steve are enthusiastic security researchers.

Hacking VoIP through IPSec Tunnels

Sachin Joglekar, Sipera VIPER Lab

One of the primary advantages of Voice over IP (VoIP) is that it allows mobile operators and enterprises to extend their core telephony networks. And, with WiFi-enabled VoIP phones, users can connect to their core telephony servers over the Internet from any remote location. Often, such remote VoIP is secured using IPSec VPNs, which, as this demonstration will show, is not sufficient to secure VoIP.

In this presentation, we will show how to exploit a SIM card from an IPSec VPN-enabled GSM/VoIP phone to launch attacks through the IPSec tunnel. This demonstrates that IPSec VPNs are not sufficient to secure VoIP, and that it is possible to embed exploits inside the tunneled traffic to generate attacks on the core telephony network. More importantly, with all VPN tunnel traffic considered “trusted,” such attacks go undetected and can have a devastating impact on the core network.

While there are several ways to implement VPNs and authenticate remote phones, this demonstration focuses on EAP-SIM based authentication as typically implemented in dual-mode GSM/VoIP phones.

Under the GSM 2G mobile network standards, GSM phones are equipped with a SIM (typically a smart card) so that the gateway server of the core telephony network can authenticate the identity of the phone and enable over-the-air encryption of the voice traffic. When such a GSM phone is also equipped with a VoIP module, the standard GSM authentication is not strong enough in the context of an IP network. This problem is addressed by extending GSM authentication with EAP-SIM, the Extensible Authentication Protocol method for GSM Subscriber Identity Modules (RFC 4186). Essentially, the phone has the SIM run the GSM algorithms on the credentials stored in the card and the challenges received from the core network, uses the result to set up an IPSec tunnel with the network, and then routes all VoIP traffic through the tunnel. As far as the core network is concerned, any device that responds successfully to its challenges and abides by the negotiated security parameters is a legitimate device, which is where the problem lies. As this demonstration will show, it is easy to become an authenticated subscriber on the network and launch attacks on the core infrastructure.

The presentation and demonstration will include the following:

  • Introduction to SIM-based authentication and IPSec VPN setups.
  • Explain how to extend free open-source tools to exploit the SIM card using a Linux laptop and turn it into a seemingly legitimate mobile phone.
  • Demonstrate successful setup of an IPSec tunnel from the laptop with a SIM reader. This is the heart of the demonstration and shows the weakness in core telephony networks that allows an attacker to pose as a legitimate phone and subsequently launch attacks on the network and on other legitimate users. The weakness exists because the core network does not monitor activity inside the IPSec tunnel: it assumes everything received within the tunnel is trusted.
  • Show attacks through the IPSec tunnel using simple applications that inject attack traffic inside the tunnel. We will demonstrate IKE message flooding attacks (IKE_SA_INIT and IKE_AUTH, the two IKEv2 exchanges) and RTP flooding attacks.
  • Discuss the impact of these attacks and of other possible ones. For example, with all network elements reachable, several other application-level attacks can be launched on a UMA network, such as IMSI reconnaissance, session anomalies, and Location Update spoofing.
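As an added example covering the EAP-SIM mechanism described above and the tunnel-setup step in the list (not the presenters' code, and not their tooling for driving the SIM), the RFC 4186 key derivation that sits between the SIM's GSM outputs and the tunnel. It makes the security point concrete: every key the gateway will accept is a function of the Kc values the SIM returns for the network's RAND challenges plus a client-chosen nonce, so a laptop with a SIM reader derives exactly what a phone would. The identity, Kc values and nonce are constructed sample inputs; the SIM's A3/A8 step that turns RAND into Kc is assumed to have already run on the card and is not implemented here.

```python
"""EAP-SIM (RFC 4186, section 7) master key and key expansion. Added
illustration, not the presenters' code. Sample inputs are constructed; the
Kc values are assumed to have been obtained from the card (RUN GSM
ALGORITHM), which is not shown."""
import hashlib
import struct

_MASK32 = 0xFFFFFFFF
_SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK32


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block; returns the new five words.
    FIPS 186-2 calls this G(t, c): t is the SHA-1 IV and c the 160-bit input
    zero-padded to 512 bits, with no length padding."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & _MASK32 & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & _MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & _MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1_one_block(msg):
    """Full SHA-1 of a message shorter than 56 bytes; used to check that
    sha1_compress matches hashlib before trusting it inside the PRF."""
    assert len(msg) < 56
    padded = msg + b"\x80" + bytes(55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return b"".join(struct.pack(">I", x) for x in sha1_compress(_SHA1_IV, padded))


def fips186_2_prf(xkey, nbytes):
    """FIPS 186-2 Appendix 3.1 generator as RFC 4186 uses it: b = 160,
    XSEED_j = 0, and the 'mod q' reduction is omitted."""
    out = b""
    x = int.from_bytes(xkey, "big")
    while len(out) < nbytes:
        w = sha1_compress(_SHA1_IV, x.to_bytes(20, "big") + bytes(44))  # w_j = G(t, XVAL)
        w_bytes = b"".join(struct.pack(">I", v) for v in w)
        out += w_bytes
        x = (1 + x + int.from_bytes(w_bytes, "big")) % (1 << 160)       # XKEY update
    return out[:nbytes]


def eap_sim_keys(identity, kc_list, nonce_mt, version_list, selected_version):
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version);
    the PRF output is split into K_encr (16), K_aut (16), MSK (64), EMSK (64).
    The MSK is what the IKEv2 EAP exchange turns into the tunnel's AUTH key."""
    mk = hashlib.sha1(identity + b"".join(kc_list) + nonce_mt
                      + version_list + selected_version).digest()
    ks = fips186_2_prf(mk, 160)
    return {"MK": mk, "K_encr": ks[:16], "K_aut": ks[16:32],
            "MSK": ks[32:96], "EMSK": ks[96:160]}


# Constructed sample inputs (not real subscriber data).
SAMPLE_IDENTITY = b"1244070100000001@eapsim.foo"
SAMPLE_KC = [bytes.fromhex("a0a1a2a3a4a5a6a7"),
             bytes.fromhex("b0b1b2b3b4b5b6b7"),
             bytes.fromhex("c0c1c2c3c4c5c6c7")]
SAMPLE_NONCE_MT = bytes.fromhex("0123456789abcdeffedcba9876543210")
SAMPLE_VERSION_LIST = bytes.fromhex("0001")   # AT_VERSION_LIST payload: version 1
SAMPLE_SELECTED = bytes.fromhex("0001")       # AT_SELECTED_VERSION payload

if __name__ == "__main__":
    keys = eap_sim_keys(SAMPLE_IDENTITY, SAMPLE_KC, SAMPLE_NONCE_MT,
                        SAMPLE_VERSION_LIST, SAMPLE_SELECTED)
    for name, val in keys.items():
        print(f"{name:6} {val.hex()}")
```

Nothing in the derivation identifies the device: the identity is the IMSI-based NAI the network already knows, NONCE_MT is chosen by the client, and the Kc values come from the card. That is why the core network cannot tell the laptop from a phone once the tunnel is up, and why inspection inside the tunnel, not the authentication, is where the demonstrated attacks have to be caught.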


Sachin Joglekar has been a VoIP vulnerability researcher for the past 4 years. He is currently working with Sipera’s VIPER Lab, which conducts vulnerability research on various VoIP, mobile, and multimedia products and services. Sachin was a seed engineer for Sipera’s VoIP IDS/IPS product.

Sachin holds a Master of Science in Computer Science degree from the University of North Texas with a specialization in computer security, and a Bachelor of Engineering in Electronics degree from Mumbai (Bombay) University, India.



A Picture's Worth: Digital Image Analysis

Dr. Neal Krawetz, Hacker Factor Solutions

Photoshop, 3D Studio Max, Maya, and other programs can readily create high-quality images and alter existing pictures. Services such as MySpace, Google Video, and Flickr make it trivial to distribute pictures, and many are picked up by the mass media. However, there is a problem: how can you tell if a video or picture is showing something real? Is it computer generated or modified? In a world where pictures are more influential than words, being able to distinguish fact from fiction in a systematic way becomes essential. This talk covers some common and not-so-common forensic methods for extracting information from digital images. Using these techniques, you will not only be able to distinguish real images from computer-generated ones, but also identify how they were created.



Dr. Neal Krawetz has a Ph.D. in Computer Science and over 15 years of computer security experience. His research focuses on methods to track "anonymous" people online, with an emphasis on anti-spam and anti-anonymity technologies. Dr. Krawetz runs Hacker Factor Solutions, a company dedicated to security-oriented auditing, research, and solutions. He is the author of "Introduction to Network Security" (Charles River Media, 2006) and "Hacking Ubuntu" (Wiley, 2007).

SCADA Security

Jason Larsen, IOActive, Inc.

It’s not often that an attacker has the opportunity to actually break things, and while breaking software is fun, breaking hardware can be even more rewarding. Process control systems are where the physical hardware of the real world meets the software we all know and love.

One of the great unknowns of the process control world is how many physical valves, pumps, and breakers can be damaged by a remote attacker who has gained access to the control systems. Reinstalling a computer or restarting an embedded device isn’t fun, but cutting out a valve and replacing it is even less fun. For example, CNN carried an article explaining how a several-ton electric generator was made to jump off the floor and permanently damage itself.

In this presentation, smaller and more common components will be connected and tested to failure as they normally appear in the field. We will discuss classes of hardware failure as well as how much control and knowledge of the process is required to drive the hardware component to the point of failure.



Jason Larsen is a Principal Security Consultant at IOActive and a recognized thought leader in control systems and IDS/IPS creation and modification. Mr. Larsen specializes in software-related audits and testing, including deep experience in protocol reverse engineering and custom binary exploits. At IOActive, he helps clients develop secure software using innovative methods to detect weakness and anticipate exploits through his application review design, threat modeling, and auditing of environment and application code-base.

Mr. Larsen has established some of the key tools used in the history of IPS development, including the creation of a Supervisory Control and Data Acquisition (SCADA) Penetration Toolkit, a Shellcode Compression tool, Hogwash, Snort, and SPUD. His work as Chief Security Architect and Analyst of Last Resort for the Department of Energy has won him national recognition, most notably for his on-record penetration and control of the electrical power grid. He is an expert in a wide range of operating systems, including Windows, Linux, Unix, Tru64, Solaris, embedded systems, cell phones and cell towers.

RFIDIOts!!! - Practical RFID hacking (without soldering irons)

Adam Laurie, Freelance Security Consultant

RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....



Adam Laurie is a UK based freelance security consultant. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, DOS and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he and his brother, Ben, became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the best known of which is probably their own—'Apache-SSL'—which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centers (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings. More recently he has become interested in mobile device security, and was responsible for discovering many major Bluetooth security issues, and has also spoken on other wireless topics such as InfraRed and Magnetic Stripes. His current interest, RFID, has spawned another Open Source project, RFIDIOt, which is also bringing several security issues to the fore. More detail can be found here: http://rfidiot.org

Oracle Security

David Litchfield, NGS Software



David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

URI Use and Abuse

Nathan McFeters, Ernst & Young, LLP

URIs link us to commands and programs which have been written by developers and are subject to all of the same code flaws that any other system might be. What is most interesting is that the use of URIs links us to that back-end application through a browser, making Cross Site Scripting attacks a possible trigger for any flaws we may discover.

This presentation will discuss the subject of URI attacks, briefly reviewing several 0-days that were originally discussed at DEFCON 15, Black Hat Japan 2007, and Black Hat Federal 2008, and will move into more recent research that exposes application functionality, resulting in some scary attacks. Examples will include stack overflows, command injections, format string flaws, utilizing an application to send all of a user's pictures to an arbitrary server, etc. All of these attacks are leverageable through XSS exposures, and thus XSS, CSRF, Phishing, and Anti-DNS Pinning attacks will be combined with the URI attacks to devastating effect.



Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center based out of Chicago, IL. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box.

Prior to taking the position with Ernst & Young, Nathan paid his way through undergraduate and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities, a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area.

Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.



Analyzing an Unknown RF-Based Data Transmission (Aka: Fun with 27MHz wireless keyboards)

Max Moser, Dreamlab Technologies AG

For years, most security people have had a bad feeling about the available 27MHz-based wireless keyboards from vendors like Logitech or Microsoft. After about 6 months of research on the Microsoft products, a clear picture of the whole functionality is available. Keyboard identification and data encryption could be identified, and we were able to break the encryption as well. Using a simple radio scanner and some software, all keyboards in range can be sniffed. (Injection is not working at the moment but may work by the time the conference takes place.) The talk is about our research and its pitfalls, and contains a lot of advice. The goal is to deliver the know-how on how to analyze such signals. To keep it interesting, we use the wireless keyboard research as the example. We have already made a complete presentation about it, which will be modified again. Please note that we will not release the proof of concept at the end, because there won't be a quick fix for the vendors and we prefer to deliver the know-how instead of the toolset.

(un)Smashing the Stack: Overflows, Countermeasures, and the Real World

Shawn Moyer, Agura Digital Security

As of today, Vista, XP, 2K03, OS X, every major Linux distro, and each of the BSDs either contain some facet of (stack, lib, heap) protection, or have one available that's relatively trivial to implement / enable.

So, this should mean the end of memory corruption-based attacks as we know it, right? Sorry, thanks for playing.

The fact remains that many (though not all) implementations are incomplete at best, and at worst are simply bullet points in marketing documents that provide a false sense of safety.

This talk will cover the current state of software- and hardware-based memory corruption mitigation techniques today, and demystify the myriad approaches available, with a history of how they've been proven or disproved. Our focus will be on building defense-in-depth, with some real-world examples of what works, what doesn't, and why.

As an attendee, you should come away with a better understanding of how to protect yourself and your boxes, with some tools to (hopefully) widen the gap between what's vulnerable and what's exploitable.



Shawn Moyer is CISO of Agura Digital Security, a web and network security consultancy. He has led security projects for major multinational corporations and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences.

Shawn is currently working on application security architecture for a global Fortune 200, and spends far more time than he should obsessing about horology.



Exploiting Live Virtual Machine Migration

Jon Oberheide, University of Michigan

As virtualization becomes increasingly popular in enterprise and organizational networks, operators and administrators are turning to live migration of virtual machines for the purpose of workload balancing and enhanced management. However, the security of live virtual machine migration has yet to be analyzed. We shed light on this poorly explored area and demonstrate the importance of secure migration through attacks on the migration data plane of existing virtualization products. In particular, we show how a malicious party can exploit the latest versions of the popular Xen and VMware virtual machine monitors (VMMs) and present a tool to automate the manipulation of a guest operating system's memory during a live virtual machine migration across the network. In addition to presenting sample exploits against a VM's userland applications and kernel, we show how the manipulation of a live VM migration can lead to the compromise of the entire VMM/hypervisor.



Jon Oberheide is a researcher at the University of Michigan, where he previously received a B.S. in Computer Science and is currently pursuing a PhD. While his interests as an independent researcher span code, network, and physical security, his current academic work focuses on the threats posed by modern malware to enterprise environments. Prior to his PhD work, Jon held positions at Merit Network in Research and Development and at Arbor Networks in the Arbor Security Engineering and Response Team (ASERT).

Scanning Applications 2.0 - Next Generation Scan, Attacks and Tools

Sheeraj Shah, Blueinfy

Ajax, Web Services and Rich Internet Applications (Flash) are redefining application security scanning challenges and strategies. We are witnessing some emerging attack vectors like Cross Site Scripting with JSON, Cross Site Request Forgery with XML, WSDL scanning, XPATH injection with XML streams etc. This presentation will cover Web 2.0 attacks, new scanning tools for assessment and approaches for Web 2.0 code analysis with demonstrations. Professionals can apply this knowledge in real life to secure the Web 2.0 application layer.

This presentation will focus on core Web 2.0 security issues along with an assessment toolkit developed by the presenter. 1.) It is imperative to analyze Web 2.0 application architecture from a security standpoint. We will evaluate real-life vulnerabilities in Google, MySpace and Yahoo. 2.) Web 2.0 technology fingerprinting is a very critical step in determining application security posture. 3.) Crawling Ajax-driven applications is the biggest challenge, and we will cover approaches to address this critical issue through dynamic DOM event management with Ruby. 4.) Scanning Web 2.0 applications for security holes is an emerging issue. It needs a lot of JavaScript analysis with DOM context to discover XSS and XSRF vulnerabilities in Ajax and Flash, with new attack vectors hidden in payload structures like JSON, XML, JS-Arrays etc. 5.) Addressing assessment methods and tools to discover security lapses in SOAP, REST and XML-RPC based Web Services, along with innovative fuzzing.



Sheeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Hacking Web Services (Thomson 06), Web Hacking: Attacks and Defense (Addison-Wesley 03) and Web 2.0 Security. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O'Reilly, HNS. His work has been quoted by BBC, Dark Reading, and Bank Technology as an expert.

Security Failures in Secure Devices

Christopher Tarnovsky, Flylogic Engineering, LLC.



Flylogic Engineering, LLC. specializes in analysis of semiconductors from a security "how strong is it really" standpoint. We offer detailed reports on substrate attacks which define if a problem exists. If a problem is identified, we explain in a detailed report all aspects of how the attack was done, level of complexity and so on. This is something we believe is unique and allows the customer to then go back to the chip vendor armed with the knowledge to make them make it better (or possibly use a different part).

Preparing for the Cross Site Request Forgery Defense

Chuck Willis, Principal Consultant, MANDIANT

Computer forensic cases often involve an analysis of a user’s web browser cache and history in order to reconstruct actions that a user took online. Corporations also routinely monitor the Internet activity of users, and illicit or inappropriate use can result in disciplinary action. These and other types of online investigations also involve looking at third-party web sites and applications for actions that can be attributed to a user of interest. This presentation will describe how all of these types of investigations can be misled by an incredibly common web vulnerability known as Cross Site Request Forgery. This type of forgery can be used to force a user to submit data to online web applications and can also manipulate a user’s local cache and history. Using this vulnerability, a user can be forced to make Internet searches, fetch arbitrary image files or web pages, post messages to online forums, or even manipulate the user’s account on common web sites. Also covered in this presentation will be methods to detect or rule out the use of this vulnerability during an investigation.



Chuck Willis is a Principal Consultant with MANDIANT (http://www.mandiant.com/), a full spectrum information security company in Alexandria, Virginia, where he concentrates in web application security, research, and development. Prior to joining MANDIANT, Chuck performed security software engineering, penetration testing, and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Chuck holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings, the OWASP AppSec Conference, the IT Underground security conference in Europe, DefCon, and ShmooCon. Chuck has contributed to several open source security software projects and is a member of the Open Web Application Security Project, a Certified Information Systems Security Professional, and a Certified Forensic Computer Examiner.

DTRACE: The Reverse Engineer's Unexpected Swiss Army Knife

David Weston, Science Applications International Corporation (SAIC)

Tiller Beauchamp, Science Applications International Corporation (SAIC)

Security researchers face many challenges when searching for vulnerabilities and reverse engineering applications. Simple fuzzing can be time-consuming and fruitless, and requires many different tools to fully instrument the target. Applications and malware can detect and evade traditional debuggers and generate phantom exceptions. Kernel and driver bugs can be difficult to discover and debug. This paper will examine how DTrace, a kernel-based dynamic scriptable tracer, can help security researchers overcome these challenges.

DTrace, created by SUN and originally intended for performance monitoring, is one of the most exciting additions to OS X Leopard and is being ported to Linux and BSD. DTrace offers an unprecedented view of both user and kernel space, which has many interesting implications for security researchers. In this paper we explore and build upon the use of DTrace as a security research tool.

Many of the features of DTrace can be leveraged to discover new exploits, unobtrusively monitor malware and even protect against buffer overflow attacks. We will walk the reader through the interesting applications of DTrace, showing how to trace fuzz data through vulnerable system calls, generate code coverage graphs of vulnerable and network-accessible functions and trace code paths in target applications over the network visually with IDA Pro, all without the overhead of stopping and starting the application that traditional debuggers impose. In order to overcome the limitations of DTrace, we will introduce a DTrace-based programmatic framework written in Ruby. This framework supports vulnerability discovery through binary instrumentation by offering function-level code coverage, stack visualization and integration with the IDA debugger. Finally, we illustrate how the framework is used to efficiently discover vulnerabilities and engineer an exploit.



David Weston is a security researcher and penetration tester at Science Applications International Corporation. Pursuing a graduate degree, his research interests include fuzzing and reverse engineering. He has an undergraduate degree from the University of California at Santa Barbara.

Tiller Beauchamp works as a senior security consultant for SAIC providing security auditing services to large commercial, state and DoD customers. His areas of expertise include network penetration testing, web application security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer Science from the University of Oregon with a specialization in software engineering. He has worked as the lead developer for Team Defend, SAIC's portable computer and network defense exercise. Beauchamp is also responsible for maintaining the company's penetration toolkit and penlab.

Classification and Detection of Application Backdoors

Chris Wysopal, CTO, Veracode

Last September the Defense Science Board issued a report that said federal agencies using software developed in foreign countries are at serious risk of being hacked. And because Defense relies heavily on commercial software developed in countries such as India, China, and Russia, there is the risk that some of the country’s most important software could be compromised.

A defect left in the code by an attacker either intentionally or unintentionally – known as a backdoor – is what the Defense report described as a “serious” problem. Backdoors can provide sophisticated hackers easy, undetected access to an application and the highly confidential data that resides in it. They enable the software’s developers to bypass authentication or other security controls in order to access the software application.

In this presentation, Chris Wysopal, CTO of Veracode, will examine the risks backdoors can pose when embedded within the code of legitimate software applications. He will give real world examples of backdoors and will discuss the research he most recently completed on this subject and his creation of the first ever taxonomy of backdoors.



Chris Wysopal is co-founder and CTO of Veracode, which provides an on-demand software security analysis service. He has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. Chris co-authored the password auditing tool L0phtCrack, wrote the Windows version of netcat, and was a researcher at the security think tank, L0pht Heavy Industries, which was acquired by @stake. He was VP of R&D at @stake and later director of development at Symantec, where he led a team developing binary static analysis technology. He was influential in the creation of responsible vulnerability disclosure guidelines and a founder of the Organization for Internet Safety. Mr. Wysopal wrote "The Art of Software Security Testing: Identifying Security Flaws", published by Addison Wesley and Symantec Press in December 2006. He earned his Bachelor of Science degree in Computer and Systems Engineering from Rensselaer Polytechnic Institute.

1997-2008 Black Hat ™