Black Hat Digital Self Defense Europe 2007

Black Hat Europe 2007 Conference Overview

Black Hat Europe 2007 Briefings Speakers Black Hat Europe 2007 Briefings Schedule Black Hat Europe 2007 Sponsors Black Hat Europe 2007 Training Black Hat Europe 2007 Hotel & Venue Black Hat Europe 2007 Registration
details Current Sponsors for Black Hat Briefings Europe 2007
Black Hat Europe 2007 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Europe 2007 Sponsors
Return to the top of the page
Black Hat Speakers

KEYNOTE: How can the Security Researcher Community Work Better for the Common Good?"
Roger Cumming, Head of Device Delivery and Knowledge, CPNI (Center for the Protection of National Infrastructure)

Roger will provide an overview of the work of CPNI in reducing vulnerability in information systems that form part of the UK. He will then challenge the community on a number of issues, including the development of the malicious market place, and the role security researchers in addressing vulnerabilities as used by a range of threat actors.

Until 31 January 2007 Roger Cumming was Director of the National Infrastructure Security Co-ordination Centre (NISCC), the UK centre responsible for minimising the impact of electronic attack on the UK critical national infrastructure. Since 1 February Roger has been Head of Advice Delivery and Knowledge Development at the UK Centre for the Protection of National Infrastructure (CPNI). CPNI provides protective security advice on information security as well as physical and personnel security to reduce the vulnerability of the UK's national infrastructure to terrorism and other threats.

Return to the top of the page

Web Service Vulnerabilities
Nish Bhalla, Founder, Security Compass
Sahba Kazerooni

Security has become the limiting reagent in the broad adoption of web services. As a result, much emphasis has been placed on the development of various high-level security standards and protocols, but in most cases the simplest attacks, those at the application level, have been neglected.

Nish Bhalla of Security Compass will explore, at a low-level, the vulnerabilities inherent to web services from an attacker's point of view. The talk covers the dependency of web services on xml, the various forms of xml-based attacks, including exploiting parsers and validators, and finally provides recommendations and countermeasures.

This talk is intended for developers and web application architects. It drills down to the details of web services implementation, while maintaining a focus on good versus bad architectural design.

Nishchal Bhalla, the Founder of Security Compass, is a specialist in product, code, web application, host and network reviews.

Nish has coauthored "Buffer Overflow Attacks: Detect, Exploit & Prevent" and is a contributing author for "Windows XP Professional Security", "HackNotes: Network Security", "Writing Security Tools and Exploits" and "Hacking Exposed: Web Applications, 2nd Edition". Nish has also been involved in the open source projects such as YASSP and OWASP, and is the chair of the Toronto Chapter. He has also written articles for securityfocus and also spoken at web seminars for Global Knowledge and University of Florida.

Nish who is a frequent speaker on emerging security issues has recently been quoted by both CSO magazine as well as Internet news. He has also spoke at many reputed Security Conferences such as at "Reverse Engineering Conference" in Montreal, the "HackInTheBox 2005" in Malaysia and "ISC2's Infosec Conference" in Las Vegas, New York, DC, Toronto. He also has created and taught the Exploiting & Defending Classes for Security Compass. He is also going to be speaking at the upcoming HITB 2006 conference.

Prior to joining Security Compass, Nish was a Principal Consultant at Foundstone, where he performed numerous security reviews (Web Application / Code ) for major software companies, online banking and trading & e-commerce sites. He also helped develop and teach the "Secure Coding" class, the Ultimate Hacking, Ultimate Web Hacking and Ultimate Hacking Expert classes. Prior to working at Foundstone, Nish provided engineering and security consulting services as an independent consultant to a variety of organizations including Sun Microsystems, Lucent Technologies, TD Waterhouse & The Axa Group.

Nish holds his Masters in Parallel Processing from Sheffield University, is a post graduate in Finance from Strathclyde University and a Bachelor in Commerce from Bangalore University.

Sahba Kazerooni is a Security Consultant with a strong background in J2EE software architecture and development, bringing to Security Compass a unique blend of development and security knowledge. Sahba has recently been engaged in Threat Modeling and web application source code review, as well as research on SOA security. He also plays a critical role in the development of curriculum for and delivering of Security Compass training services.

Sahba will be speaking on Web Services security at Security Opus and DallasCon security conferences.

Prior to joining Security Compass, Sahba held the position of Technical Consultant at Workbrain Inc. where he was involved in the end-to-end implementation of a web-based workforce management solution. He has worked and built recommendable relationships with many fortune 500 organizations in various sectors, from retail to airline and transportation. His experience at Workbrain has equipped Sahba with advanced knowledge of the Software Development Life Cycle (SDLC) as well as the intricacies of the JAVA programming language.

Sahba has a BSc in Computer Science with Software Engineering specialization from the University of Western Ontario.

Return to the top of the page

NIDS: False Positive Reduction Through Anomaly Detection
Damiano Bolzoni, PhD student at Twente University
Emmanuele Zambon

The Achilles' heel of network IDSes lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets to produce false alerts, thereby lowering the defences of the IT infrastructure.

Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture.

Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms from 50% to 100% (improving accuracy) without reducing the NIDS ability to detect attacks (completeness).

Damiano Bolzoni received a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebbIT and many security conferences in Netherlands. At the moment, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management.

Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for an year at Information Risk Management division in KPMG Italy. He is author and researcher of the POSEIDON paper.

Return to the top of the page

Software Virtualization Based Rootkits
Sun Bing, Research Scientist

The most popular virtual execution technologies include pure emulator, API emulator and virtual machine, the typical representations of all these three technologies are Bochs, Wine and VMware respectively. The implementation of virtual machine could be divided into two categories by the virtualization extent employed, those are full virtualization and para-virtualization, the latter has come up and been used in most recent years; the “para” means making some assumptions about or doing some modifications on the Target OS. In addition, according to the difference of virtual machine monitor(VMM)’s structure, there are type I and type II VMM, and the type II could be referred to as the hosted VMM as well. As the virtualization technology continues developing and becomes more prevalent, the two biggest processor manufacturers in the world both have developed their new CPU technologies which support virtualization, the Intel VT-x and AMD Pacifica. However, all of the following discussion will still aim at the traditional x86 platform as that is by far the most widely used. The virtualizable processor architecture requires that all the sensitive instructions could be trapped when running with the degraded privilege level. Unfortunately there exists a few non-virtualizable instructions that make x86 a non-strictly virtualizable architecture. In order to achieve the full virtualization of x86, some extremely complicated software techniques should be used to overcome these architectural limitations.

Being an excellent virtual machine software product, VMware has implemented the full virtualization of x86. We take the VMware Workstation version as an example to give a brief introduction about the architecture, basic working principle and some core technologies used of the type II VMM. As a hosted structure, there are two OS contexts, the host and the guest, so VMware must use the total context switch method to ensure necessary execution environment isolation. VMware uses privilege compression and dual execution modes (direct execution and binary translation) to virtualize the instruction execution part of x86 CPU. Direct execution with ring degradation would let a majority of common instructions run natively, and trap most of the sensitive ones at the same time. However, the binary translator would be used to deal with the non-virtualizable instructions. The execution mode selection will be made by the appropriate decision-making module which depends on the CPU’s current mode, privilege level and segment state. It is worthy to point out that binary translation is a very complicated but useful software technique which is also referred to as dynamic recompilation. Besides the fact that the code generation is highly difficult and complex, it will also handle the translation cache’s synchronization and coherency. However, another technique, used by Plex86, that solves the same problem seems much simpler, which should be a good choice for implementing a light weight VMM. In addition to virtualizing the instruction execution part, VMware also applies some other techniques to virtualize the CPU’s segmentation, paging and interrupt/exception system components, such as deferred shadow segmentation, shadow paging and interrupt/exception forwarding. As to device virtualization, VMware chooses the method of full emulation which provides a complete set of virtual devices that are totally different from the true hardware devices. Since the device emulation depends completely on how each given hardware device works, the implementation method varies.

At present, the virtualization technology has been widely used in many computer related fields, but the research and application of virtualization on the security area is still in an elementary state. Virtualization technology could be applied to developing a non-intrusive debugger, a honey pot that traps malicious programs, and VM Based Rootkits. The Microsoft research team working together with Michigan University has developed a VM Based Rootkit prototype named SubVirt. SubVirt could gain system control after the Target OS was infected and rebooted. SubVirt then made the Target OS run within the context of a VM, while SubVirt itself would run directly on the true hardware. SubVirt could control the behavior of the target system via a VMM and provide some malicious services externally. However some inherent and obvious defects of SubVirt greatly reduced its practicality. Finally, as the most key part of the presentation, we will discuss the complete technical scheme of a novel VM Based Rootkit. The VMBR itself is sort of light weight VMM. After the VMBR is loaded, the VMBR will ensure the target system is still running by placing it into a rootkit created virtual execution environment. It then becomes very difficult for the victim to perceive the rootkits’ presence or to find any virtualization footprint. Although this novel VMBR is just a proof of concept, it has at least achieved the coexisting transparently and perfectly with the target system.

KEY WORDS virtual machine, virtual machine monitor, virtual machine based rootkit

Sun Bing is the Research Scientist at an Information Security company currently, and has held security related positions at several famous companies heretofore, such as Rising and Siemens. SUN BING has more than 6 years of experience in Windows Kernel and Security Techniques (Anti-Virus, Firewall, IPS etc) research development, especially with deeply delving into Buffer Overflow Prevention, Rootkit Detection and x86 Virtualization. His main works previously involve participating in Rising Anti-Virus Softwares development, publishing the paper (The Design Of Anti-Virus Engine) at xfocus, taking charge of the design and development of a desktop security product-LinkTrust IntraSec, and speaking at security conferences such as XCON2006 and POC2006...

Return to the top of the page

Wi-Fi Advanced Fuzzing
Laurent Butti, Network Security Expert, France Telecom RD labs

Fuzzing is a software testing technique that consists in finding implementation bugs. Fuzzing Wi-Fi drivers is becoming more and more attractive as any exploitable security bug will enable the attacker to run arbitrary code with ring0 privileges (within victim's radio coverage).

This presentation will describe all the processes involved in the design from scratch of a fully-featured Wi-Fi fuzzer. It will pinpoint all issues and constraints when fuzzing 802.11 stacks (scanning, bugs identification, replaying bugs, analyzing kernel crashes...).

Then some features will be focused on, in order to understand which kind of implementation bugs may be discovered and which vulnerabilities we discovered thanks to this tool (CVE-2006-6059, CVE-2006-6125).

Finally, a real-world example will be fully explained: how we found the first (publicly known) madwifi stack-based overflow thanks to our Wi-Fi fuzzer (CVE-2006-6332).

Laurent Butti is a network security expert working for France Telecom RD labs, where he works on wireless security (IEEE 802.11, IEEE 802.16...), honeypots and malwares. He also spoke at numerous security-focused conferences (EuroSec, SSTIC, FIRST, LSM, ToorCon, ShmooCon, BlackHat...).

Return to the top of the page

Hacking Databases for Owning Your Data
Cesar Cerrudo, Founder, Argeniss
Esteban Martinez Fayo, Security Researcher, Argeniss

Data theft is becoming a major threat, criminals have identified where the money is, In the last years many databases from fortune 500 companies were compromised causing lots of money losses. This talk will discuss the Data Theft problem focusing on database attacks, we will show actual information about how serious the data theft problem is, we will explain why you should care about database security and common attacks will be described, the main part of the talk will be the demostration of unknown and not well known attacks that can be used or are being used by criminals to easily steal data from your databases, we will focus on most used database servers: MS SQL Server and Oracle Database, it will be showed how to steal a complete database from Internet, how to steal data using a database rootkit and backdoor and some advanced database 0day exploits. We will demostrate that compromising databases is not big deal if they haven't been properly secured. Also it will be discussed how to protect against attacks so you can improve database security at your site.

Cesar Cerrudo is a security researcher & consultant specialized in application security. Cesar is running his own company, Argeniss. Regarded as a leading
application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security and has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest and WebSec.

Esteban Martínez Fayó is a security researcher; he has discovered and helped to fix multiple security vulnerabilities in major vendor software products. He specializes in application security and is recognized as the discoverer of most of the vulnerabilities in Oracle server software. Esteban has developed and presented novel database attack techniques at international conferences such as Black Hat and WebSec. Esteban currently works for Argeniss. doing information security research and developing security related software solutions.

Return to the top of the page

Kernel Wars
Joel Eriksson, CTO of Bitsec
Karl Janmar, Security Researcher, Bitsec
Christer Öberg, Security Researcher, Bitsec

Kernel vulnerabilities are often deemed unexploitable or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question.

This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities without public exploits. From a defenders point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited.

The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed to determine if and how they can be reliably exploited and of course the exploits will be demonstrated in practice.

The vulnerabilities that will be discussed are:

Joel Eriksson is the CTO of Bitsec, a newly founded security company based in Sweden. Joel has been working in the computer security field since 1997 when he started out as an independent consultant. His primary focus is within vulnerability research, exploit development and reverse engineering.

Karl Janmar is a security researcher at Bitsec. Karl is interested in vulnerability research, especially in the area of kernels. He finds exploit development to be a fun and good way to learn a system. He has worked for various companies developing software ranging from real-time applications to extending kernel network-stacks.

Christer Öberg is a security researcher at Bitsec. Previous employers include Verizon and Swedish firewall manufacturer Clavister. He is interested in vulnerability research, exploit development and breaking any interesting systems he can get his hands on. Christer currently resides in the UK.

Return to the top of the page

Next Generation Debuggers for Reverse Engineering

Classical debuggers make use of an interface provided by the operating system in order to access the memory of programs while they execute. As this model is dominating in the industry and the community, we show that our novel embedded architecture is more adapted when debuggee systems are hostile and protected at the operating system level.

This alternative modelization is also more performant as the debugger executes from inside the debuggee program and can read the memory of the host process directly. We give detailed information about how to keep memory unintrusiveness using a new technique called allocation proxying.

We reveal how we developed the organization of our multi-architecture framework and its multiple modules so that they allow for graph-based binary code analysis, compositional fingerprinting, program instrumentation, real-time tracing, multithread debugging and general hooking of systems. Finally we reveal the reflective essence of our framework: our analyzers are made aware of their own internal structures using concepts of aspect oriented programming, embedded in a weakly typed language dedicated to reverse engineering.

The ERESI team is composed of many experienced professional and researchers in computer security and reverse engineering. ERESI, which stands for ELF Reverse Engineering Software Interface, is an innovative reverse engineering framework for the UNIX environment. The project has been developed for 6 years, starting by the ELF shell, which turned into a fully-featured environment including a disassembly engine for multiple architectures, a graph-based program analysis & compositional fingerprinting library, and a security-oriented embedded debugger. The ERESI team is now pleased to present the first real reverse engineering language dedicated to binary programs analysis and forensics, bringing a very attractive environment relying on its own unified and extensive debug format.

Return to the top of the page

Making Windows Exploits More Reliable
Kostya Kortchinsky

A common issue with Windows exploits is their cross-platform reliability, meaning they often work against either some given service packs of the OS, or some localization of the OS. It is quite rare to find exploits that will work on a very wide range of Windows installs.

While multiplying the number of targets in an exploit is often the solution found in the wild, it seems that nobody has yet disclosed a solution to fingerprint a Windows language, or discuss about cross languages and service packs return addresses (though cross SP only is now fairly well mastered).

Immunity, Inc. had to work on this issue for CANVAS, in order to build more reliable exploits, and this paper intend to explain some of the solutions that were found to these issues.

Kostya Kortchinksy is well known in the security industry for various vulnerability research projects. He is the discoverer of many software vulnerabilities which have resulted in several Microsoft patches, latest one being MS06-074, the SNMP service remote code execution. His most recent conference presentations were at Microsoft's BlueHat Fall 2006 Sessions, speaking on Skype security and at RECON'06. Kostya has joined Immunity, Inc. from the European Aeronautic Defence and Space Company (EADS), where he was a research engineer. He manages Immunity, Inc. Partners Program and does exploit development for CANVAS. Prior to that, Kostya was manager of the French Academic CERT.

Return to the top of the page

Vboot Kit: Compromising Windows Vista Security
Nitin Kumar, Independent Security Engineer and Researcher
Vipin Kumar, Independent Security Engineer and Researcher

Vboot kit is first of its kind technology to demonstrate Windows vista kernel subversion using custom boot sector. Vboot Kit shows how custom boot sector code can be used to circumvent the whole protection and security mechanisms of Windows Vista. The booting process of windows Vista is substantially different from the earlier versions of Windows. The talk will give you:

  • details and know abouts for the Vista booting process.
  • explain the vboot kit functionality and how it works.
  • insight into the Windows Vista Kernel.

We will also review sample Ring 0 Shell code (for Vista). The sample shellcode effectively raises the privileges of certain programs to SYSTEM. A live demonstration of vboot kit POC will be done.

Nitin Kumar is an independent Security Engineer and researcher from India.He has been involved in Network Security Analysis and Penetration Techniques. He likes reverse engineering, researching OS and Network Security. He is a recent graduate in Bachelor of Technology, Computer Science and holds RHCE certification. His clients include some of most reputed organizations. His latest work involves the development of boot kit (a technique to subvert Windows 2000/XP/2003 System using custom boot sector).

Vipin Kumar is an independent security consultant and analyst. He has experience in system and network security as well as programming and project design. He likes to develop specialized software and/or stuffs related to windows kernel. He holds MCSE and a Bachelor of Technology in Computer Science. His latest work involves the development of boot kit (a technique to subvert Windows 2000/XP/2003 System using custom boot sector). He is currently analyzing windows vista kernel architecture.

Return to the top of the page

Make My Day – Just Run a Web Scanner: Countering The Faults of Typical Web Scanners Through Byte-code Injection
Toshinari Kureha, Technical Lead and Principal Member of Technical Staff, Fortify Software
Dr. Brian Chess, Chief Scientist, Fortify Software

Today, other than doing a full static analysis of the code, the most common practice to find vulnerabilities in your web application is to get off-the-shelf automated web scanner, point to a URL, and hope that it’s doing the right thing.

But is it? How do you know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on HTTP response the best way to find all vulnerabilities in an application? What if there was a way to look at what’s happening inside the application while these web scanners were hitting the application?

In this talk, we’ll explore that “looking inside the application as the security test runs” possibility—through byte-code instrumentation. We will see how we can use aspect oriented technologies such as AspectJ to inject security monitors directly inside a pre-compiled Java / .NET web application. We will also go through a proof of concept and demo—turning a typical blackbox test into a ‘whitebox’ test using the techniques discussed in this talk, gaining a more complete picture: gaining coverage insight, finding more vulnerabilities, weeding out false positives reported by the scanners, and gaining root cause source information.

Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of Fortify's runtime product line, including Fortify Defender and Fortify Tracer. Prior to joining Fortify, Kureha was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects, including Oracle Grid Control, Oracle Exchange and BPEL Orchestration Designer. Prior to working with Oracle, Kureha worked as a lead developer at Formal Systems, a web-based computer testing and assessment system for use in the Internet/Intranet. Kureha holds a bachelor's degree in computer science from Princeton University.

Brian Chess is the chief scientist at Fortify Software. His work focuses on practical methods for creating secure systems and draws on his previous research in integrated circuit test and verification to find new ways to uncover security issues before they become security disasters. Chess earned a doctorate in computer engineering from UC Santa Cruz and has spoken at RSA, USENIX and CSI 2006, among many other industry events.

Return to the top of the page

SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones
Philippe Langlois, Founder and Senior Security Consultant, Telecom Security Task Force

SS7 has been a walled garden for a long time: only big telco would be interconnected to the network. Due to deregulation and a push toward all-IP architecture, SS7 is opening up, notably with SIGTRAN (SS7 over IP) and NGN (Next Gen Networks) initiatives.

SCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It's the foundation, as TCP is the foundation for the web and email. SCTP is also used for high-performance clusters, resources pooling and very high-speed file transfer.

When you discover open SCTP ports, you discover a secret door to this walled garden. As a walled garden, the internal security of the SS7 network is not as good as one might expect. SCTPscan is a tool to do exactly just that, and is released as open source.

This presentation will explain how SCTPscan manages to scan without being detected by remote application, how discrepancies between RFC and implementation enable us to scan more efficiently and how we manage to scan without even being detect by systems like SANS - Here we will have a look at INIT packet construction, stealth scanning and a beginning of SCTP fingerprinting.

Then, we go on to detail upper layer protocols that use SCTP and the potentials of the SIGTRAN protcol suite in term of security. We'll see the M2UA, M3UA, M2PA, IUA which are SIGTRAN-specific protocols, and also the more generic SS7 protocols such as ISUP, BICC, BSSAP, TCAP, SCCP and MTP.

Philippe Langlois is a founder and Senior Security Consultant for Telecom Security Task Force, a research and consultancy outfit. He founded and led technical teams in several security companies (Qualys, WaveSecurity, INTRINsec) as well as security research teams (Solsoft, TSTF).

He founded Qualys in 1999 and led the R&D for this world-leading vulnerability assessment service. He founded Intrinsec, a pioneering network security company in 1995, as well as Worldnet, France's first public Internet service provider, in 1993. He has proven expertise in network security, from Internet to less well known networks - X25 and other legacy systems mostly used in banking, travel and finance.

Philippe was also lead designer for Payline, one of the first e-commerce payment gateways on Internet.

He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (RSA, COMDEX, Interop).

Philippe Langlois is a regular contributor of french-speaking security portal and a writer for ITaudit, the magazine of the International Association of Internal Auditors.

Samples of the missions he has been involved with are Penetration Testing contract on multi-million live users infrastructures such as Telecom operators GSM backbone, due diligence for M&A, security architecture audits, product security analysis and advisory.

Return to the top of the page

RFIDIOts!!! - Practical RFID Hacking (Without Soldering Irons)
Adam Laurie, CSO and Director, The Bunker Secure Hosting Ltd.

RFID is being embedded in everything...From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them...

Adam Laurie is Chief Security Officer and a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers - as secure hosting facilities.

Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

More recently he has become interested in mobile device security, and was responsible for discovering many major Bluetooth security issues, and has also spoken on other wireless topics such as InfraRed and Magnetic Stripes. His current interest, RFID, has spawned another Open Source project, RFIDIOt, which is also bringing several security issues to the fore. More detail can be found here:

Return to the top of the page

Advanced Oracle Attack Techinques
David Litchfield, Founder, Next Generation Security Software

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

Return to the top of the page

Challenging Malicious Inputs with Fault Tolerance Techniques
Bruno Luiz, Security Reseacher

We humans, being imperfect creatures, create imperfect software. This presentation is regarding implementation of software fault tolerance techniques to recover the effects of malicious inputs. Most of the attacks that cause flaws to software appears of malicious inputs that are introduced by a human with the malicious objective of causing harm to the system. In the research, we examine the type of recovery used in fault tolerant software, and the types of redundancy used in software fault tolerance techniques.

During presentation, programming techniques such the assertions, checkpointing, and atomic actions, necessary for implementation of the techniques: Recovery Blocks, N-Version Programming, Retry Blocks, and N-Copy Programming are analyzed. Investigate basic approach to self-checking software and some types of acceptance tests: Reasonableness Test and Computer Run-Time Tests. Two applications of the techniques are proposed: Recovering Exploration and Anti-Fuzzing.

Finally, an implementation methodology may be used as a reference for researchers or practitioners.

Bruno Luiz is a academic security researcher where works exploring and solving new security problems. He worked developing network security tools for open-source security projects, was speaker at Hackers 2 Hackers conference talking about Techniques against Web Anti-Automatization and currently working implementing distributed system for an new Computer Security Incidents Response Center (CSIRC). He is graduate student at the Catholic University in Brazil, studying Computer Science.

Return to the top of the page

Data Seepage: How to Give Attackers a Roadmap to Your Network
David Maynor, Founder & CTO, Errata Security
Robert Graham, co-founder and CEO, Errata Security,

Long gone are the days of widespread internet attacks. What's more popular now are more directed or targeted attacks using a variety of different methods. Since most of these attacks will be a single shot styled attack attackers will often look for anyway to increase the likelihood of success.

This is where data seepage comes in. Unbeknownst to a lot of mobile professional's laptops, pdas, even cell phones can be literally bleeding information about a company's internal network. This can be due to applications like email clients that are set to start up and automatically search for its mail server, windows may be attempting to remap network drives, an application could be checking for updates.

All this information can be used by an attacker to make attacks more accurate with a higher likelihood of success.

Don't laugh and dismiss this as a trivial problem with no impact. Through demonstrations and packet caps we will show how this problem can be the weak link in your security chain.

David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS Maynor spent the 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.

Robert Graham is the co-founder and CEO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. Previously he was the chief scientists of Internet Security Systems. Before that he was the co-founder, CTO, and chief-architect of Network ICE which was acquired by Internet Security Systems.

Return to the top of the page

SMTP Information Gathering
Lluis Mora, Researcher, Neutralbit

The SMTP protocol, used in the transport and delivery of e-mail messages, includes control headers along with the body of messages which, as opposed to other protocols, are not stripped after the message is delivered, leaving a detailed record of e-mail transactions in the recipient mailbox.

Detailed analysis of SMTP headers can be used to map the networks traversed by messages, including information on the messaging software of clients and gateways. Furthermore, analysis of messages over time can reveal organization patching policies and trends in user location and movements—making headers a very valuable resource during the target selection phase of targeted attacks.

Lluis Mora is a researcher at Neutralbit, a research and development provider for information security vendors, where he specializes in vulnerability assessments and penetration testing of products, applications and products.

Lluis has worked in the information security field for over a decade, consulting for various service providers and corporations throughout Spain and South America. He has published various papers on vulnerability research in IT and SCADA systems and won the openhack competition back in 1999 and 2000.

Return to the top of the page

Attacking the Giants: Exploiting SAP Internals
Mariano Nuñez Di Croce

SAP security is still a dark world. Very little information can be found on the Net and almost every question related to security assessment of these applications keeps being unanswered. Besides, very few public presentations on the subject are available.

At CYBSEC, we had been researching SAP security casually, mostly because we came across some of its components while performing penetration tests in our customers. During that superficial research, we discovered more than 20 vulnerabilities (not all of them has been published yet), some of them highly critical.

Several months ago, we decided to perform a deep research over SAP security. We went really deep, down to SAP 's heart: the SAP RFC (Remote Function Call) Interface.

SAP RFC is the heart of communications between SAP systems, and between SAP and external software. Almost every system that wants to interact with SAP does so using the RFC interface. As stated by SAP: "The RFC library is the most commonly used and installed component of existing SAP software".

Our presentation will describe, after a short description of RFC interface purpose and internals, new vulnerabilities discovered in our research, both in the RFC protocol implementation and in the RFC Library itself.

Beyond new vulnerabilities discovered, our presentation will include description of some new advanced attacks we have developed, abusing default mis-configurations and design vulnerabilities. These are mainly RFC connection hi-jacking and MITM attacks, targeting connections between SAP R/3 and external programs working as RFC servers.

To make knowledge practical and publicly available, we will be presenting and releasing a new open-source tool, which will enable penetration testers and researchers to perform security assessments of SAP systems' RFC interface, allowing them to mine information and exploit the vulnerabilities and attacks described during our presentation.

As we are still researching on this subject, more attacks and vulnerabilities may be discovered before the conference day, which would be included in our presentation.

Mariano Nuñez Di Croce has been working as a security consultant for CYBSEC for the last 3 years, focused on Penetration Testing and Vulnerability Research. He has discovered critical vulnerabilities in Microsoft, SAP and several security products. Mariano contributes to some open-source projects, mainly to w3af, an upcoming Web Application Audit and Attack framework. Mariano has given presentations at conferences in Chile, Paraguay, Panama and has been invited to present in Cuba, next February.

Return to the top of the page

New Botnets Trends and Threats
Augusto Paes de Barros, President, Brazilian ISSA Chapter
André Fucs
Victor Pereira,
Security Consultant

The last years have seen the growth of botnets and its transformation into a highly profitable business. Most of the botnets seen until now have used the same basic concepts. This presentation intends to show what are the major challenges faced by botnet authors and what they might try in the future to solve them.

The presentation will pass through some interesting solutions for botnet design challenges. A layered and extensible approach for Bots will be presented, showing that solutions from exploit construction (like metasploit), P2P networks (Gnutella and Skype), authentication (digital signatures) and covert channels research fields can be used to make botnets more reliable, extensible and hard to put down.

Augusto Paes de Barros works with Information Security since 2000. He worked for security consulting companies, Modulo and Proteus, as security analyst and project manager. Augusto also worked in BankBoston, a Bank of America branch, as security manager, and now works as CSO in a Credit Card processing company.

In 2003, coined the term honeytoken during a discussion with other researchers on the focus-ids mailing list. In his last research, Augusto built a Proof of Concept Trojan horse that works against the most recent security measures from Brazilian online banks, presented at the CNASI Conference in 2005. He is an active blogger.

Current president of the Brazilian ISSA Chapter, he also gives Cryptography and Ethical Hacking classes to the post-graduation courses from IBTA University. He is finishing his Master in Computer Engineering at the Technology Research Institute (Instituto de Pesquisas Tecnológicas de São Paulo), working on a methodology for internal threats detection.

Andre Fucs works with Information Security since 1996 and actively advised some pioneer e-government projects in Latin America, like Brazilian & Panamanian Electronic Tax filling systems and the Brazilian Electronic Voting System.

In the last decade, Andre had been energetically involved on the information security development and debate, always with the focus on new-trends and out-of-box solutions. His current focus of research are VoIP and converging technologies security, including the "creative" user of Skype API.

After successfully establishing himself within the Brazilian market, in 2005 Andre moved to Israel where he was one of the responsible for the successful deployment of one of the first Voice over PacketCable systems in the world.

Victor Pereira works with Information Security since 1998. He worked for security consulting companies like Modulo Security Solutions, as security analyst also worked as a security architect in a system development company. Victor also worked in Banespa, a bank of Santander branch, as scurity coordinator, and now works as security consultant in a Credit Card processing company.

Return to the top of the page

Kicking Down the Cross Domain Door (One XSS at a Time)
Billy Rios, Senior Researcher, Advanced Security Center, Ernst and Young
Raghav Dube, Senior Researcher, Advanced Security Center, Ernst and Young

Cross Site Request Forgery (XSRF) has been billed as the newest weapon for cross domain web application exploitation. Despite the massive impact of XSRF, the attack remains extremely difficult to complete, as it requires an attacker to blindly strike against external domains, praying their attacks were successful. Now, imagine a new scenario... a scenario where an attacker can instantly see the results of their cross domain attacks. Imagine that an attacker can now steal cookies from a site you haven't been to in a week, brute force username/password combinations for internal network devices, or use your browser to run a Nikto scan against a website you've never visited!

The complexity of XSRF and Cross Site Scripting (XSS) attacks have grown by bounds over the last few years... but the two exploits are rarely used to complement each other. During this presentation, you will see the impact of an XSRF/XSS one-two combination as we demonstrate a variety of cutting-edge web application attacks, including techniques to break through the cross domain boundary. The specific demonstrations you will see are:

  • Using a victim’s browser as a proxy to surf the Internet/intranet
  • Stealing a victim’s cookies (and other information) from external domains
  • Using a victim's browser to attack internal network devices
  • Using the victim's browser to run Nikto against an external domain (and getting back the results)

Billy Rios is a Senior researcher for Ernst and Young's Advanced Security Center. He has performed network, application, web-application, source-code, wireless, Internet, Intranet, and dial-up security reviews and security architecture design services for various clients in the Fortune 500.

Billy specializes in black-box and grey box application reviews and has served as the team lead for the Advanced Security Center's largest web application testing team.

Prior to joining Ernst and Young, Billy worked as an Intrusion Detection Analyst with the Defense Information Systems Agency (DISA). While at DISA, Billy provided vulnerability analysis, network intrusion detection, incident response, incident handling and formal incident reporting of incidents related to Department of Defense information systems throughout the entire Pacific Region.

Billy has an undergraduate degree in Business (with a formal concentration Information Systems) from the University of Washington and a Master of Science Degree in Information Systems (with Distinction) from Hawaii Pacific University.

Billy is also a Captain in the United States Marine Corps Reserve and served as an active duty Marine Officer during Operation Iraqi Freedom.

Raghav Dube is a Senior researcher at Ernst and Young's Advanced Security Center.

Raghav specializes in black-box and grey box application reviews and has identified hundreds of weaknesses in application logic, access controls, input validation, and server misconfigurations for numerous organizations in the Fortune 500. Several of the assessments Raghav has participated in involved high profile, production application servers.

Raghav has earned a Bachelor of Engineering degree from the Regional Engineering College in Allahabad, India. Raghav has also earned a Master of Science degree in Electrical Engineering from Texas A&M University in College Station, Texas.

Return to the top of the page

Dror-John Roecher, Senior Security Consultant, ERNW GmbH
Michael Thumann, Chief Security Officer, ERNW GmbH

Part I: Introduction – Marketing Buzz:
The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. As the market is still evolving and one framework has been quite successful on the market: "Cisco Network Admission Control". NAC is a pivotal part of Cisco’s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deservers some scrutiny. We are able to hack the Cisco NAC-solution by exploiting a fundamental design flaw.

Part II: NAC Technology – How it works:
The basic idea behind Cisco NAC is quite simple: Before allowing a client admittance to the network the client is tested against a predefined set of “policies”. These tests are performed by a backend system (a Cisco ACS) which processes .credentials supplied by the client against one or more administrator-defined policies. Based on the result of these tests a client is categorized and a well-defined access-level to the network is granted. While the client is connected to the network it is repeatedly rechecked and the state of the client is reassessed. On a somewhat more technical layer the communication takes place using EAP over UDP with undisclosed Cisco-proprietary EAP messages and the UDP connection itself is secured using SSL. The connection-point to the network (e.g. the switch, wireless AP, Firewall, Router, etc.) acts sort of as a "translating proxy" between the client talking EAPoU and the Cisco Secure ACS server talking RADIUS [Client <-EAPoU-> Switch <-RADIUS-> ACS). Besides this "proxy"-functionality the connection-point also acts as an enforcing element of the security policy. Three somewhat different deployment flavours of Cisco NAC exist but the underlying concept “admittance-level based on the result of a test” is always the same.

For every .NAC-enabled application on the client a client-side agent provides so called “credentials” to the ACS server where they are compared against the defined tests to derive a “posture token” per application. From all application posture tokens an overall “system posture token” is inferred which determines the access-level granted to the client. The client-side agent of the framework responsible for the communication is the “Cisco Trust Agent” (CTA) which also includes the capability to report a few basic credentials (e.g. OS Version, Hostname, etc) without an additional NAC-enabled application. The CTA contains an API enabling third-party vendors to hook their applications into the NAC framework. Anti-Virus Vendors have been among the first to join the NAC-Alliance formed by Cisco.

Part III: The Problem – NAC is not “secure by design”:
The Cisco NAC solution contains at least one major design-flaw which enables us to hack (at least) two of the three different variants: The server authenticates itself to the client using a server-certificate and client and server establish a secure tunnel (something like “SSL over UDP”), but the client does not authenticate itself to the server, so we have a situation in which a component (the client) is authorized without prior authentication. After realizing this fundamental design-error, the idea of a “posture spoofing attack” was born and research started with evaluating different attack-vectors for their feasibility. In the end we decided to analyse the protocols used within the framework and code our own “NAC-client” which provides the ACS with attacker-supplied-credentials in order to get illegitimate access to NAC-secured networks.

Part IV: The Hack – how we did it
NAC is a complex system involving different protocols which are used in an odd combination. Especially the usage of SSL over UDP/EAP-FAST over UDP made the usage of SSL-Proxies for man-in-the-middle attacks or clear-text-traffic-analysis with standard methods impossible. So instead of focusing on the network-traffic (which was our first approach – “stare at the packets until you understand them”), we decided to focus on the client first. Analysing the CTA client in different versions and on different operating systems revealed some of the inner workings of the protocols. Besides “Client analysis” we built a NAC test-lab and developed a “NAC-test-suite” to implement different “admission-scenarios”. While running theses tests we hooked into the interesting functions of the client in order to understand the functions used and their (inter)dependencies. As a next step we started coding our own NAC client to get a better insight into the communication process. The first goal was to get a clear text dump of the communication by establishing the secure tunnel. The next goal was to provide our own credentials to the ACS in order to get access to the NAC protected network. We will release our "NAC-Credential-Spoofing"-tool at the conference alongside with our insight into the operating of NAC.

Part V: Our proposed talk
We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist, if NAC is implemented (there actually exist mitigations and secure setup-approaches). We will present our approach, disclose technical details yet unpublished and release our tool. As an “add-on”-benefit we will explain how to tackle a complex system like NAC when doing security research.

Dror has enjoyed working with Cisco stuff for more than eight years and is usually busy assessing the security of enterprise networks and data-centers. He works as a senior security consultant for germany-based ERNW GmbH all over Europe and has published multiple whitepapers on security-related topics. He is a seasoned speaker and enjoys sharing his experience with his audience.

The last two years have seen him develop additional points of interests, as e.g. “Mobile Security” [he simply loves to play around with all the newest funky gadgets] and “Endpoint Security”—but at the heart he still is a networker.

Michael Thumann is Chief Security Officer and head of the ERNW "Research" and "Pen-Test" teams. He has published security advisories regarding topics like 'Cracking IKE Prshared Keys' and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. 'tomas—a Cisco Password Cracker', 'ikeprobe—IKE PSK Vulnerability Scanner' or 'dnsdigger—a dns information gathering tool') and his experience with the community. Besides numerous articles and papers he wrote the first (and only) german Pen-Test Book that has become a recommended reading at german universities. In addition to his daily pentesting tasks he is a regular conference-speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michaels' main interest is to uncover vulnerabilities and security design flaws from the network to the application level.

Return to the top of the page

Heap Feng Shui in JavaScript
Alexander Sotirov, Vulnerability Researcher, Determina Inc.

Heap exploitation is getting harder. The heap protection features in the latest versions of Windows have been effective at stopping the basic exploitation techniques. In most cases bypassing the protection requires a great degree of control over the allocation patterns of the vulnerable application.

This presentation introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allows an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with great reliability and precision.

This talk will begin with an overview of the current state of browser heap exploitation and the unreliability of many heap exploits. It will continue with a discussion of Internet Explorer heap internals and the techniques for JavaScript heap manipulation. I will present a JavaScript heap exploitation library that exposes an abstract heap manipulation API. Its use will be demonstrated by exploit code for two complex heap corruption vulnerabilities.

The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable to other browsers as well.

Alexander Sotirov has been involved in computer security since 1998, when he started contributing to Phreedom Magazine, a Bulgarian underground technical publication. For the past nine years he has been working on reverse engineering, exploit code development and research of automated source code auditing. His most well-known work is the development of highly reliable exploits for Apache modssl, ProFTPd and Windows ASN.1. He graduated with a Masters degree in computer science in 2005. His current job is as a vulnerability researcher at Determina Inc.

Return to the top of the page

GS and ASLR in Windows Vista
Ollie Whitehouse

The following presentation is two parts, the first covers aspects of Microsoft's GS implementation and usage. The second is a complementary section dealing with ASLR in Windows Vista, its implementation and some surprising results...

Part I Synopsis:
GS is a Visual Studio compiler option that was introduced in Visual Studio 2002 to mitigate the local stack variable overflows that resulted in arbitrary code execution. The following paper details the methods Symantec used to assess which binaries within Windows Vista 32bit leveraged GS as a defensive mechanism. This paper presents the results of this analysis, the techniques that have been developed, and supporting material. The results in this paper are from the 32bit RTM release of Microsoft Windows Vista

Part II Synopsis:
Address Space Layout Randomization (ASLR) is a mitigation technique designed to hinder the ability of an attacker to achieve arbitrary code execution when exploiting software vulnerabilities. As the name implies, ASLR involves placing a computer program and its associated memory at random locations, either between reboots or executions, to hinder the attacker's ability to reliably locate either their shell code or other required data. This paper is the result of a brief analysis of the implementation of ASLR within Microsoft Windows Vista 32bit RTM, conducted by Symantec's Advanced Threat Research.

Ollie Whitehouse has worked in information security both as a consultant and researcher. This has included being employed by companies in a variety of industries ranging from financial services to telecommunications. Mr Whitehouse originally created Delphis Consulting's security practice in 1999. Mr Whitehouse joined @stake Inc in 2000 as a Managing Security Architect before becoming European Technical Director in 2004. After Symantec's acquisition of @stake Inc in 2004 Mr Whitehouse continued as Technical Manager for its professional services division in London until 2005. In mid 2005 he took a full time research role with Symantec Research Labs in Government research. Mr Whitehouse subsequently moved to Symantec's Response division joining its Advanced Threats Research team specializing in mobile platforms and related technologies.

Mr. Whitehouse as previously published research on the security of mobile telecommunication networks, mobile devices and Bluetooth. In addition he has also discovered numerous security vulnerabilities in a wide range of desktop and server applications. His previous research has led him to present at CanSecWest, RuxCON, UNCON and Chaos Communication Camp among others.

Return to the top of the page

ScarabMon: Automating Web Application Penetration Tests
Jonathan Wilkins, iSEC Partners

ScarabMon is a new tool and framework for simplifying web application pentests. It makes the process of finding many common webapp flaws much easier. The user simply navigates the target site while using the WebScarab proxy and ScarabMon constantly updates the user with information on discovered flaws.

ScarabMon is written in Python and all code and modules will be released at the conference.

ScarabMon is also easily extensible, with useful checks often only requiring 5-10 lines of Python code.

I wrote ScarabMon because I couldn't find anything like it.

Historically the standard web proxies have been @Stake's WebProxy (which is totally unavailable anymore as Symantec killed it after the acquisition), SpikeProxy and WebScarab. Those have have recently been joined by two other apps, WebScarab-NG and Pantera.

The latter are not ready for serious usage yet. Pantera development seems to have stalled and WebScarab-NG is missing major features, though it shows the most promise. The latest date on any of the SPIKEProxy files is from 2003.

So basically everyone uses WebScarab for web application pen tests.

WebScarab is obnoxious to program for, as you have to write dozens of lines of Java code (BeanShell) for the simplest tasks. BeanShell is also often unstable.

ScarabMon is currently designed to work with WebScarab, but could be ported to work with any of the above should the need arise. Instead of acting as a proxy, it just monitors the output of the proxy and opportunistically performs tests. Some tests are things people have seen before in other tools (like finding directories that support PUT) and others aren't anything
I've seen in any other tool such as finding values that were set as cookies over SSL that later wind up as a query string parameter.

The best thing is that you get all of this for free. You don't have to change *anything* about your current testing methodology. You just run ScarabMon in the background and it sees the servers and files you're accessing and generates findings.

Module findings include:

  • Insecure Web server SSL configuration
  • Secure cookie values that later get sent clear or as query string values
  • Listable webserver directories
  • Webserver directories that allow upload (via PUT)
  • Values that cross domain boundaries
  • Offsite redirects
  • Values set over SSL that also go cleartext
  • Fuzzing
    and many more

Return to the top of the page

360° Anomaly Based Unsupervised Intrusion Detection
Stefano Zanero, Partner and CTO, Secure Network

In this talk, after briefly reviewing why we should build a good
anomaly-based intrusion detection system, we will briefly present two IDS prototypes developed at the Politecnico di Milano for network and host based intrusion detection through unsupervised algorithms.

We will then use them as a case study for presenting the difficulties in integrating anomaly based IDS systems (as if integrating usual misuse based IDS system was not complex enough...). We will then present our ideas, based on fuzzy aggregation and causality analysis, for extracting meaningful attack scenarios from alert streams, building the core of the first 360° anomaly based IDS.

Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is currently spending his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and has been awarded a journalism award in 2003. Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Return to the top of the page

Nish Bhalla

Sun Bing

Damiano Bolzoni

Laurent Butti

Cesar Cerrudo

Brian Chess

Raghav Dube

Joel Eriksson

ERESI team

André Fucs

Robert Graham

Nitin Kumar

Vipin Kumar

Toshinari Kureha

Philippe Langlois

Adam Laurie

David Litchfield

Bruno Luiz

David Maynor

Lluis Mora

Mariano Nuñez Di Croce

Augusto Paes de Barros

Victor Pereira

Billy K Rios

Dror-John Roecher

Alexander Sotirov

Michael Thumann

Ollie Whitehouse

Jonathan Wilkins

Stefano Zanero

Black Hat Logo
(c) 1996-2007 Black Hat