The Black Hat Briefings '00, October 24th- 25th Amsterdam

SPEAKERS

There were 12 speakers over two days.

The goal of the talks is to inform the audience of current system vulnerabilities and their fixes, as well as future areas of concern. We cover a broad range of security issues from the perspective of the network administrator, system cracker, and IS manager. Because of our unique speakers, The Black Hat Briefings will offer the audience a deep insight into the real security issues facing your network, with no vendor pitches!

For Amsterdam we will feature a combination of top US and European speakers focusing on technical issues, and plenty of opportunity to interact with them in a social and informal setting.


09-01-2001 Speeches Added: Ofir Arkin, Jennifer Granick, John Tan, Job de Haas, and the Panel Discussion. Trust Factory is being re-processed.
06-05-2001 John Tan's presentation link fixed.
The Speakers
Stuart Hyde - Divisional Commander of Eccleshill Division in Bradford.

"Plenty of Coppers in change"

This speech addresses the issue of Internet Criminality from the operational perspective of traditional Law Enforcement.

Specifically we will look at the current and future role of the Police together with public perceptions of the capacity and ability to manage internet investigations, locally and trans-globally.

Reference will be made to the conflicting legislation within Europe, particularly the impact of the European Convention on Human Rights and, within the UK, the Regulation of Investigative Powers Act 2000. Particularly we will look at the conflict between The Right to Privacy and the Right to Security. We will also look at plans made at National and International level to impact on Internet investigations, the likely consequences and the ambitions they hold.

Stuart joined Avon and Somerset Constabulary in 1983. He served in a variety of areas including Bristol, Taunton and Weston-super-Mare. He played a major part in shaping the Education section of the ACPO Drugs manual. His last posting in that force was DCI in charge of squads, where he managed a number of operations including a large computer conspiracy.

In 1997 he was promoted to Detective Superintendent in West Yorkshire. He has retained a keen interest in Police Internet issues and has addressed seminars in the USA and recently in Canada (Society for the Policing of Cyberspace). He has published an article on the UK Police use of the Internet and maintains an active website (www.wypbcm.demon.co.uk). He has also managed the creation and implementation of the Bradford District Police site (www.bradfordpolice.co.uk), including the self-reporting of information, "Crimebeat".

Stuart has been a Senior Investigating Officer in Bradford and has managed a number of high profile cases including murder and kidnap. He is actively managing the working relationship between the police in Kashmir and the UK and has visited Pakistan to support this work. 

Currently he is the Divisional Commander of Eccleshill Division in Bradford. He has managed Problem Orientated Policing and has helped to develop better working relationships between the police and minority groups in Bradford, and he is Chairman of the West Yorkshire Institute of Management.

Their Presentation! (PowerPoint 764k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


David Litchfield - @Stake.

Auditing The Security of Applications.

Their Presentation! (PowerPoint 100k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Rooster & J.D. Glaser -

Defending your network with Kerberos. 

A joint talk by Raymond Forbes and JD Glaser that examines the new Windows Kerberos technology in detail and discusses the most effective use of it in your network. Topics will include:

NT Kerberos implementation; NT-specific Kerberos domain issues; Kerberos security configuration issues; Kerberos wire details; applying Kerberos to your network; auditing your Kerberos implementation (how to tell if it's working); potential weaknesses (how to tell when your system is using downgraded encryption); and configuration tips for a secured network.

In order to deal with the increasing number of network attacks, better defense techniques need to be put into place. This talk will equip you with an improved knowledge set for applying defensive measures to your network.

JD Glaser is the senior software engineer for Foundstone, Inc., a new security company headed by George Kurtz and Stuart McClure. Previous projects included building the company NT OBJECTives, Inc., a maker of security audit tools for Windows NT, most notably NTLast and Forensic Toolkit, which are free tools for the security community. He is an MCSE/MCSD who specializes in DCOM programming and NT network security. Clients have included Intel, HP, Columbia Sportswear and Tripwire. Latest projects have involved NTFS file system code for Tripwire for NT, file system filters for real-time intrusion detection systems, and now specialized security tools for the Foundstone Tiger Team.

Their Presentation! (PowerPoint 265k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Job de Haas - ITSX bv

Getting rooted and never knowing it: What happens when you can't protect your kernel. 

Most if not all intrusion detection and integrity checking software depends on the integrity of the kernel. That they can no longer be depended on when this integrity is violated has been known for a long time. Working examples of such kernel modifications existed years before the issue was publicly demonstrated by half-life in an article in Phrack in 1997. Since then several snippets of code have become available for a range of operating systems, all reusing most of the examples that were presented then. Still, in all these years, the level of kernel protection has not changed much. The biggest change happened for the free and open source Unices, where several types of additional access control were proposed and implemented. However, for most commercial Unices those solutions never came, or were only made available as separate products. As is often the case with such issues, nothing much happens until a real-life working implementation becomes available that demonstrates the issues clearly.

This presentation is about such a demonstration tool, which performs a modification for the Solaris operating system. The implementation of the module is shown in detail. Features that it currently has are hiding of files, hiding of directories, hiding of processes and their children (/proc only), redirection of execve() for hidden backdoors, and surviving a reboot. Additional features that are being worked on include hiding of network connections, hiding of processes through /dev/kmem, and redirection of network traffic for stealth network backdoors. When discussing the various tricks, possible countermeasures for detection are also discussed, as well as possible ways a modification could defeat those in turn. The current measures are already sufficient to successfully defeat Tripwire detection. A live demonstration will show its use and effectiveness.

A presentation on this topic would not be complete without a view of the possible solutions to this problem. As mentioned before, the free Unices have started to adopt several implementations of countermeasures. Best known is the securelevel approach, which is also known for its coarse nature. More recent techniques aim at reducing the need for the root account by introducing several 'capabilities' or 'privileges', thereby decreasing the chances of root getting compromised and the kernel getting compromised. Specific solutions to prevent modification of kernel tables are also known. These techniques suffer from the chicken-and-egg problem: the one to get to the kernel first can theoretically always trick the other into believing things are all right. Another track is adding protection to the mechanism of loading kernel modules, for instance by adding trusted and immutable paths and modules.

From the presentation on the issues above it can be concluded that the problem is a serious one that justifies good solutions. The practice of today is one of some proper implementations, a lot of development for free Unices, and little work from the vendors of 'off the shelf' commercial operating systems.

Job de Haas, like many others in the IT and Internet industry, started his career in another technical field. Shortly before finishing his Electrical Engineering studies, in 1991, he came into contact with the Internet. From that moment on, he's been interested in computer security. 

In the beginning this interest was a hobby, albeit a very time consuming one. This was noticed by the first Internet providers that started to appear in The Netherlands. Their systems were almost never secure, and Job cleverly used their offers to give him free Internet access in trade for pointing out security flaws in their systems. This exercise in breaking security has proved to be an invaluable asset when protecting systems, since one can only protect what one can crack. 

Apart from this, Job has been a cryptographic programmer at DigiCash, which has developed a cryptographically secure anonymous payment system for the Internet. 

Their Presentation! (PowerPoint 87k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


John Tan - @stake.com

What is involved in a forensic effort, and what you can do to improve your environment to yield the maximum results.

Process Oriented Techniques for Computer Forensics

Computer forensics is a four-step process. This talk will overview tools and techniques as they relate to this process, with a focus on acquisition (field services) and identification (forensic laboratory services). Consideration is given not only to responding to incidents but also to preparing your environment to support digital evidence collection and preservation.

John Tan has been involved in computer security since the mid-1980s. He joined the L0pht in the mid-1990s and is now part of @stake's R&D team. Tan has spoken at SANS and a number of universities, including most recently the MIT Summer Security Camp. As a member of L0pht, he testified to the U.S. Senate regarding the state of this nation's critical infrastructure. Tan holds a BS/BA in Management Science.

Their Presentation! (PowerPoint 1,782k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Simple Nomad - Nomad Mobile Research Centre. 

Strategies for Defeating Distributed Attacks. 

With the advent of Distributed Denial of Service attacks, there have been dozens of papers and tools that have appeared to help counter these attacks. But the next wave, Distributed Attacks, needs a new way of being explored and defended. Distributed Attack tools are already starting to appear, and this talk outlines what these tools look like now, what they will probably look like in the future, and how we can start planning defenses now.

Simple Nomad, a Senior Security Analyst for BindView Corporation, adds distributed systems and networking expertise to BindView's RAZOR security team. He is also the founder of the Nomad Mobile Research Centre, and has spent years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, is a regular lecturer at security conferences, and has been quoted in various media outlets regarding computer security.

Their Presentation! (PowerPoint 122k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Jennifer Granick - Attorney at Law.

Issues surrounding international computer crime laws.

The Internet is a global computer network which by its nature raises international issues in computer crime prevention and punishment. There has been little international consensus on what a computer crime is or what should be prohibited conduct. Nor are there agreements on procedural matters such as transborder searches, data preservation, standard of proof, jurisdiction, or punishment. This presentation will review the points of contention, discuss current efforts towards obtaining consensus and highlight the benefits and detriments of international consensus to investigators and civil libertarians alike.

Jennifer Stisa Granick is a defense attorney practicing in the areas of high tech and computer crime law from her office in San Francisco. She defends unauthorized access, trade secret theft, and email interception cases nationally. Granick has published articles on Internet legal issues in Wired and securityfocus.com. Additionally, she has spoken at previous Black Hat Briefings, to NASA computer security professionals, and to the National Security Agency about computer crime laws, digital forensics and evidence collection.

Their Presentation! (PowerPoint 45k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Halvar Flake - Security Consultant at The Relay Group.

Finding holes in closed-source software.

Application security is crucial in any networked environment. Joey has demonstrated how reverse engineering can be utilized to find unknown vulnerabilities in his speech at Black Hat Singapore. This speech will go further into the idea of using reverse engineering to audit closed-source programs.

Specifically, the first focus will be on common programming mistakes such as buffer overflows and format string vulnerabilities, and how they can be spotted when no source is available.

The second focus will be on how to reduce the amount of repetitive and boring work by devising algorithms that will do a good part of the stupid work automatically and which are capable of pointing out dangerous or suspicious programming constructs.

Finally it will be demonstrated how these algorithms were used in a real-life example to find a yet-unpublished buffer-overflow vulnerability.

A passing understanding of x86-Assembly language as well as understanding the concepts of buffer overflows and format string problems will help greatly in understanding this speech.  While the speech is primarily focusing on x86 platforms, I will briefly cover some issues concerning SPARC as well at the end of the speech.

Halvar Flake is a reverse engineer specializing in x86 Assembly. Originally working in the realm of copy protection on the NT platform, he one fateful day decided that writing an exploit for a buffer overflow was a good way to pass his Sunday afternoon. He was hooked, and realized that his reverse engineering experience was a very handy asset on a closed-source platform such as NT.

After completely abandoning copy protection work in favour of network security, he spent his time reverse engineering applications and looking for flaws. He is currently serving his mandatory military service in Germany while working for The Relay Group during his days off.

Previous work experience includes analyzing PE-Virii, Polymorphic Engines, CPU-Emulators and pretty much everything that has been written to be annoying to reverse engineer. 

Their Presentation! (PowerPoint 363k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Ofir Arkin - Senior Security Analyst, Information Technology Consultants, Ltd.

ICMP Usage In Scanning

The ICMP protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later clarified in RFCs 1122, 1256, 1822) as a way to provide a means to send error messages. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite. The risks involved in implementing the ICMP protocol in a network are the subject of this lecture.

The first topic to be presented will be Host Detection using the various ICMP query message types, using some elementary examples. Next, the lecture will overview the process of some Advanced Host Detection methods, mainly centered on eliciting an ICMP error message back from the probed machines. Methods that allow us to map entire networks and understand the ACL filtering devices protecting networks will be used during the course of the lecture. Some of the above-mentioned methods also allow us to bypass weak firewalls. Recent methods of operating system fingerprinting discovered by the ICMP project (www.sys-security.com) will also be presented. Some of these methods allow a malicious computer attacker to identify Microsoft Windows 2000 machines, and to isolate certain groups of operating systems.

New methods currently being researched by Ofir Arkin which deal with Passive Fingerprinting with the ICMP protocol will be discussed as well. At the end of the talk a few minutes will be spent on some considerations necessary for firewall policy design.

Ofir Arkin is a passionate researcher and explorer of the computer security field. His passion for knowledge in the "Know How" category has led him to many projects in the lowest levels of the TCP/IP stack, the latest being "ICMP Scanning Techniques". Currently Ofir is working at ITcon, a security consultancy firm in Israel, as a Senior Security Analyst and Chief Grey Hat. Ofir is currently involved in leading the security architecture of a banking project for a leading Swiss bank. He is also the manager of the company's Tiger Team and is involved in several European e-commerce projects.

Their Presentation! (PowerPoint 1,715k) His Paper! (.pdf 552k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Kevin McPeake - Senior Consultant, Trust Factory.
Wouter Aukema- Co-founder, Trust Factory.

Falling Domino's 

Lotus Notes / Domino is considered one of the more secure mail/groupware platforms in the world. With an installed base of more than 50 million (mainly corporate and government) seats, the product is used by almost all financial institutions, big 6 accounting firms, government secret agencies and defense organizations.

At Defcon 8, Trust Factory consultants Patrick Guenther, Kevin McPeake and Wouter Aukema presented several new vulnerabilities along with Chris 'BloodAxe' Goggans of Security Design International, who validated their research. Topics included known vulnerabilities and new ones, such as bypassing the Execution Control List, modifying Notes design elements and identity theft. Using Notes Sesame, a tool written by Patrick Guenther, Trust Factory demonstrated weaknesses in the hashing algorithms for internet passwords as well as in the validation of Notes ID-files obtained from remote networks and users.

At BlackHat, Patrick and Wouter will give in-depth information about the vulnerabilities they discovered. They will also give an update on the latest results of their ongoing research.

1. Execution Control List: The ECL was designed to prevent malicious code from running on a client. Several methods exist to bypass and/or reset the ECL.
2. Design Element manipulations: How to re-enable Stored Forms, which is known to be a dangerous feature, and implementing mechanisms for information operations.
3. Traditional hashing algorithms.
4. ID-file: The validation mechanism, bypassing it, and brute forcing an ID-file.
5. Revealing the 'strong' password hash: The strong password hash was Lotus' answer to the vulnerabilities they discovered. Patrick will talk about the latest findings of his research regarding the "strong password hash".

Originally entering the world of computer security at the age of 11, armed with his TRS-80, Kevin McPeake has worked in many different facets of the computer industry. In the beginning of the '90s, after he began his formal career, he began developing applications for various banks and institutions which were making the move to electronic funds transfers over X.25 networks. In 1993, his skills in protocols and programming were recognized by a Dutch firm, who relocated him to Germany and later to The Netherlands, where he worked on various protocol development for the BBS and Telecom industry. After trying his hand at International Sales (which he refers to as "paid social engineering") in 1994, Kevin returned to the IT market in the USA, where he worked as an X.25 network and Internet consultant. In 1996, Kevin was relocated to The Netherlands for his "2nd Tour of Duty" by another Dutch firm, where he served as an Infrastructure Consultant and later Chief of Network Security. Realizing that one could actually make money in security, he eventually returned to his roots and co-founded his own security company, Trust Factory BV, where he now serves actively as a senior consultant, as well as the CEO.

Wouter Aukema is the co-founder of Trust Factory. He has been in the security underground for about three years, and he concentrates mainly on Lotus Notes/Domino and other (client) application security issues. His interest in computers dates from 1980, when he bought himself an Acorn Atom computer. Since '86, Wouter has worked for several corporations, such as the Philips subsidiary Origin, AT&T and the Venezuelan state-owned oil company PDVSA, where he also specialised in telephone switches.

Patrick Guenther, a Swiss native and resident, previously worked at Arlan SA, where he personally oversaw the integration of Lotus Notes into the KLE-LINE electronic payment system, and developed a Java based licensing system for third party Lotus Notes applications.  Guenther also developed the first version of EQS (Electronic Quality System) for Lotus Notes, which went on to win the Lotus Beacon Award in 1996.  Guenther recently joined Trust Factory in May 2000, where he heads up R&D of security vulnerabilities as well as new software products.  Guenther recently was credited with the discovery of multiple password hashing problems within the Lotus Notes environment and presented these findings to the community at DEFCON-8. 

Their Presentation! (PowerPoint 210k) See It! (surestream video file) Hear it! Real Audio (28k-isdn surestream)


Rooster, JD Glaser, Job de Haas, Ofir Arkin, Jennifer Granick, Halvar Flake

Security Experts Panel

The panel starts off with the question "What do you see now and in the future as the security trends in your area of expertise?" and expands from there.