
Black Hat Federal 2006

Black Hat Federal 2006 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Security Research and Vulnerability Disclosure
Dr. Linton Wells II, Principal Deputy Assistant Secretary of Defense (Networks and Information Integration)

Dr. Linton Wells, II was named Principal Deputy Assistant Secretary of Defense for Command, Control, Communications and Intelligence (C3I) on August 20, 1998, and serves in that capacity in the C3I successor organization, Networks and Information Integration (NII). In addition, Dr. Wells serves as Acting Deputy Assistant Secretary of Defense for Spectrum, Space, Sensors, and Command, Control, and Communications (DASD (S3C3)).

Prior to this, Dr. Wells served the Office of the Under Secretary of Defense (Policy) from July 1991 to June 1998, concluding most recently as the Deputy Under Secretary of Defense (Policy Support).

In his twenty-six years of naval service, Dr. Wells served on a variety of surface ships, including command of a destroyer squadron and a guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; Networks and Information Integration (NII); and special access program oversight.

Dr. Wells was born in Luanda, Angola, in 1946. He graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. Naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored "Japanese Cruisers of the Pacific War", which was published in 1997. His hobbies include history, the relationship between policy and technology, scuba diving, and flying.


Dave Aitel, CTO/Founder, Immunity, Inc.

This presentation presents concepts for taking exploitation frameworks into the next evolution: solving complex security problems by generating robustly controllable beneficial worms. The Why, How, and What of Nematode creation are discussed, along with some concepts in Mesh routing.

Problems discussed include legal issues, controlling your worm, writing an intermediate language, the Nematode Intermediate Language (NIL) for writing robust worms, reliability problems, communications protocols, and future work.

Dave Aitel is the CTO of Immunity, Inc, and is still responsible for research and development for their flagship CANVAS product. In addition, he created and distributes under the GNU General Public License the fuzzing tool SPIKE, the web application analysis tool SPIKE Proxy, and the remote access tool Hydrogen.

His original stint was as a computer scientist at the National Security Agency, after which he spent a few years at @stake, a private security consulting firm, and finally started Immunity, Inc. Immunity’s product CANVAS is used by penetration testing firms, government agencies, large financial firms, and other companies who wish to simulate information attacks against their infrastructure.


Finding Digital Evidence in Physical Memory
Mariusz Burdach

Historically, only file systems were considered as storage where evidence could be found. But what about the volatile memory, which contains a huge amount of useful information? What about anti-forensic methods of defeating forensic and incident response tools? Why is the content of memory not dumped during the process of data collection from a suspicious computer? How can the physical memory be analyzed? Is it possible? I will try to find the answer.

During the presentation, methods of investigating the physical memory of a compromised machine will be discussed. Through these methods, it is possible to extract useful information from memory such as the full content of files, detailed information about each process (e.g. owner, MAC times, content), and also about processes that were executed and terminated in the past. This presentation aims to explain the concepts of digital investigation of memory. The techniques covered during the presentation will lead you through the process of analyzing important structures and recovering the content of files from physical memory.

As an integral part of the presentation, new ways of detecting hidden objects will be presented. These methods can be used to identify compromised machines and to detect malicious code such as memory-resident rootkits or worms. The methods discussed allow us to detect objects that were hidden by the Direct Kernel Object Manipulation (DKOM) technique.

Finally, toolkits will be presented to help an investigator extract information from an image of the physical memory or from the memory object on a live system. Currently, a POC exists, but I am going to develop a full version which allows information to be extracted from Linux and Windows memory images.

Mariusz Burdach, Senior Consultant, CompFort Meridian Polska sp. z o.o.

Mariusz Burdach is a security researcher specialized in forensics, reverse engineering, intrusion detection, advanced intrusion protection and security management. He has published several articles on these topics in online and hardcover magazines. Mariusz is currently working on methods of forensic analysis of physical memory and methods of detecting kernel mode rootkits. In addition, he is also an expert witness and the SANS Local Mentor. As an independent instructor he has been teaching Incident Response, Forensic Analysis and Hardening Unix/Linux systems for over 4 years. Mariusz has served as a consultant, auditor and incident handler to many government and financial institutions in Poland. He lives in Warsaw, Poland.


Client Side Penetration Testing
Max Caceres, Director of Product Management, CORE IMPACT, Core Security Technologies

The notion of a network perimeter that we can fully protect and monitor is no longer valid. The overwhelming need for constant connectivity has driven the aggressive adoption of a multitude of applications, rich document formats and communication mechanisms that continually pierce traditional network boundaries, blurring the line between what once was the internal network and the public Internet.

As securing this network becomes an increasingly complex challenge, a mechanism is required to assess the current security level of the network, evaluate the effectiveness of existing counter measures and track progress. Traditional penetration testing can fall short of expectations in this environment, especially if focused exclusively on the perimeter.

This presentation will cover both a methodology and a framework for incorporating the principles of penetration testing to evaluate a network’s security from this new perspective. During this session we will discuss Client Side vulnerabilities and exploits, key differences and challenges of client-side penetration testing versus more traditional testing, and we will propose a framework approach to aid in the testing process. The presentation will cover methodology, technology requirements and a discussion of findings from real world penetration tests where this approach was taken.

Max Caceres is responsible for CORE IMPACT's product development including technology research, product management and product marketing at Core Security Technologies. Caceres is an industry veteran with over 10 years of experience in the information security market. In addition to his expertise in product management, Caceres also has deep experience in designing software to meet evolving market demands. He previously led the engineering team responsible for delivering the first two releases of CORE IMPACT, and served as the project leader for the initial security audit of Microsoft's .NET platform. Prior to joining Core, Caceres worked for 4 years as a member of the Special Projects Group at the Argentine tax agency. There, he assisted in the development of several information security related software projects.


How to Automatically Sandbox IIS With Zero False Positive and Negative
Tzi-cker Chiueh, Professor, Stony Brook University

Comparing the system call sequence of a network application against a sandboxing policy is a popular approach to detecting control-hijacking attacks, in which the attacker exploits software vulnerabilities such as buffer overflow to grab control of a victim application and possibly the underlying machine. The main barrier to the acceptance of this system call monitoring approach is the availability of accurate sandboxing policies, especially for Windows applications whose source code is unavailable. In fact, many commercial computer security companies take advantage of this fact and fashion a business model in which their users have to pay a subscription fee to receive periodic updates on the application sandboxing policies, much like anti-virus signatures. This paper describes the design, implementation and evaluation of a sandboxing system called BPAID that can automatically extract a highly accurate application-specific sandboxing policy from a Win32/X86 binary, and enforce the extracted policy at run time with low overhead. BPAID is built on a binary interpretation and analysis infrastructure called BIRD, supports application binaries with dynamically linked libraries, exception handlers, and multi-threading, and has been shown to work correctly for a large number of native Windows-based network applications, including IIS and Apache. The measured throughput and latency penalty for all the applications tested under BPAID, except one, is under 8%.

Dr. Tzi-cker Chiueh is a Professor in the Computer Science Department of Stony Brook University, and the Chief Scientist of Rether Networks Inc. He received his B.S. in EE from National Taiwan University, M.S. in CS from Stanford University, and Ph.D. in CS from University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER award in 1995, two Long Island Software Awards in 1997 and 2005, and has published over 130 technical papers in refereed conferences and journals in the areas of operating systems, networking, and computer security. He has developed several innovative security systems/products in the past several years, including SEES (Secure Mobile Code Execution Service), PAID (Program Semantics-Aware Intrusion Detection), DOFS (Display-Only File Server), and CASH.


Angel Recon System (ARS) Prototype: Heuristic Vulnerability Analysis and Attack
Drew Copley, Senior Research Engineer, eEye Digital Security

ARS is a heuristic vulnerability analysis system meant to run on a host and heuristically detect the protection systems in place on that host; it does this through a complicated decision-tree cloning process. ARS is both offensive and defensive in nature.

ARS is designed with three key goals: maximum stealth, maximum survivability, and maximum information. ARS enters the system and uses a cloning system to send out agents on that system, agents which attempt various dangerous attacks on the system. When these agents succeed, they report back to the master agent. When the agents fail, the master agent learns this through a timer system. Defensive systems which trap and quarantine processes and binaries based on their behavior then trap and quarantine only one of the master application's clones, not the master application itself.

The primary goal of ARS is to be a robust reconnaissance system for proof of concept. It is designed to enter the system and very carefully gain crucial information about the nature of the system while keeping itself from quarantine long enough to safely report back this information to the target controller. The secondary nature of ARS is as a defensive, heuristic, analysis system.

Drew Copley has been at eEye Digital Security in a Senior Research capacity for close to four years. In that capacity he has done a wide variety of work for eEye's product lines, as well as having found several major security vulnerabilities in various major products.

He has designed and implemented eEye Digital Security's Blink IPS heuristic agent in that capacity. He also co-founded a famous pro-democracy hacker group which got him involved in many covert execution issues.

He also wrote some early covert trojan systems as proof of concept including the first true client side trojan system.


Attacks on Uninitialized Local Variables
Halvar Flake

Buffer overflows have been abused in order to compromise software systems for the better part of the last 25 years. In recent years, many restricted solutions to curb their negative effect (stack canaries, frontlink/backlink verification for heap implementations, reordering of local variables) have been proposed and implemented in most popular compilers and operating systems. What is commonly overlooked is that the 'general' problem is the ability of attackers to trigger behaviour that is 'undefined' by the ANSI C99 standard, not the (relatively small) subclass of 'buffer overflow'.

A common programming mistake is a situation where under some exceptional conditions a local variable is not initialized prior to its first use. As the local variables are usually allocated on the stack, the memory thus used is not zeroed and may contain values 'left over' from other parts of the program. Most discussions of this topic imply that these values cannot be controlled by an attacker in a meaningful manner, and thus use of uninitialized variables means no security risk beyond a denial-of-service (e.g. application crash). This talk proposes methods with which an attacker can determine the set of functions in a program that are accessing the same memory range that will later on be re-used by the faulty function. By constructing several specialized graphs from the disassembly of a program, it is possible to determine the set of functions that might be used to control the 'uninitialized' values.

Halvar Flake is Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.


New Directions in Disk Forensics
Simson L. Garfinkel, Postdoctoral Fellow, Harvard University

As the number of hard drives seized during the course of investigations increases into the hundreds, new techniques must be developed to allow examiners to cope with the overload. This presentation discusses tools and techniques developed by the author while working on a study of 500 hard drives purchased on the secondary market. The first tool is AFF, the Advanced Forensics Format, a new file format for storing hard drive images that captures both the drive's contents and its metadata in a compressed but highly usable form. AFF is implemented by a series of AFF Tools, including AIMAGE, the Advanced disk Imaging system. Finally, a new technique called Cross Drive Analysis (CDA) will be presented. The CDA technique allows information from across disk drives to be correlated—for example, allowing the examiner to determine that different targets were in fact members of the same organization.

Simson L. Garfinkel is a postdoctoral fellow at the Center for Research on Computation and Society at Harvard University and an instructor at the Harvard Extension School, where he teaches courses on computer security and application design.

He is a consulting scientist at Basis Technology Corp., which develops software for extracting meaningful intelligence from unstructured text, and a founder of Sandstorm Enterprises, a computer security firm that develops advanced computer forensic tools used by businesses and governments to audit their systems.

Dr. Garfinkel has research interests in computer forensics, the emerging field of usability and security, and in personal information management. He is also interested in information policy and terrorism, and has actively published and researched in these areas since the late 1980s.

Garfinkel writes a monthly column for CSO Magazine, for which he was awarded both the 2004 and the 2005 Jesse H. Neal National Business Journalism Award for Best Regularly Featured Department or Column. He wrote a weekly column for The Boston Globe between 1996 and 2000 and for Technology Review Magazine between 1998 and 2004. He was a founding contributor of Wired Magazine, and still writes for Wired on an occasional basis. Overall, Garfinkel's popular articles have appeared in more than 70 publications around the world.

Garfinkel is the author or co-author of fourteen books on computing, published by Addison-Wesley, IDG Books, MIT Press, O'Reilly and Associates, and Springer-Verlag. He is perhaps best known for his book "Database Nation: The Death of Privacy in the 21st Century". Garfinkel's most successful book, "Practical UNIX and Internet Security" (co-authored with Gene Spafford), has sold more than 250,000 copies in more than a dozen languages since the first edition was published in 1991.

Garfinkel received three Bachelor of Science degrees from MIT in 1987, a master's of science in journalism from Columbia University in 1988, and a Ph.D. in Computer Science from MIT in 2005.

Garfinkel's CV is located on the Internet at


Implementing and Detecting An ACPI BIOS Rootkit
John Heasman, Principal Security Consultant, NGSSoftware

As rootkit detection tools become more sophisticated, the rootkit writer must strive to leave less of a footprint and inhabit areas that detection tools do not currently interrogate. One such area, the BIOS, has many associated difficulties in development and deployment but offers numerous benefits over ‘traditional’ rootkits—namely it leaves no trace on disk and can survive reinstallations in order to infect new operating systems. 

This talk discusses how a generic rootkit may be developed for an ACPI-compliant BIOS. With the aid of several demonstrations, it covers implementing BIOS rootkits for both Windows and Linux. The latter part of the talk considers the defense perspective, investigating the steps required to detect and remove such a rootkit. As software-based rootkit detection and protection tools continue to evolve, this talk broaches the important topic of hardware protection and how current protection and detection models designed to combat a BIOS virus may be insufficient to defend against a BIOS rootkit. Finally we discuss the impact of initiatives such as the Trusted Computing Platform Alliance (TCPA) on rootkit deployment.

John Heasman is a Principal Security Consultant for NGS Software. He has worked as a security consultant for three years and has been certified as a CHECK Team Leader. He has invaluable experience in vulnerability research and has released numerous advisories in enterprise-level software, including Microsoft Windows, PostgreSQL, Apple QuickTime and RealNetworks RealPlayer. Furthermore, he has a strong interest in database security and was a co-author of The Database Hacker's Handbook (Wiley, 2005).


Analysis of Web Application Worms and Viruses
Billy Hoffman, Security Researcher, SPI Dynamics, Inc.

Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple HTTP daemons. With the near ubiquity of W3C-compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful applications accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse.

This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the authors' sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Smogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats.

Participants should have a good understanding of the different HTTP methods, JavaScript, DOM manipulation and security, and Perl, and be familiar with web application design.

Billy Hoffman is a security researcher for SPI Dynamics, where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Toorcon, O'Reilly's Emerging Technology Conference, FooCamp, Shmoocon, The 5th Hope, Phreaknic, Interz0ne, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.


Network Black Ops: Extracting Unexpected Functionality from Existing Networks
Dan Kaminsky

Our networks are growing. Is our understanding of them? This talk will focus on the monitoring and defense of very large scale networks, describing mechanisms for actively probing them and systems that may evade our most detailed probes. We will analyze these techniques in the context of how IPv6 affects, or fails to affect them. A number of technologies will be discussed, including:

  • New findings in our worldwide scans of the DNS infrastructure, particularly focusing on the use of DNS to measure the global spread of the Sony rootkit.
  • Mechanisms for very high speed reconstruction of IPv4 and IPv6 network topologies, complete with visual representation of those topologies implemented in OpenGL. We will discuss how a graph theoretical approach to network management can (and can't) solve flow control for massive scans.
  • A temporal attack against IP fragmentation, using variance in fragment reassembly timers to evade Network Intrusion Detection Systems
  • DNS poisoning attacks against networks that implement automated defensive network shunning, and other unexpected design constraints developers and deployers of security equipment should be aware of

Dan Kaminsky, Dox Para Research. Formerly of Cisco and Avaya.


Analysis of Adversarial Code: Problem, Challenges, Results
Arun Lakhotia, Associate Professor of Computer Science, University of Louisiana at Lafayette
Michael Venable, Software Engineer, University of Louisiana at Lafayette

Disassemblers and debuggers, tools that were in vogue two decades ago, have resurged. In the past these tools were used by programmers to track bugs, now they are used by security analysts to find hidden features. The catch is that these tools, and other techniques for program analysis, were developed as an aid for program development. They were not designed to aid security analysts, and it is no surprise that they can easily be fooled. The talk will demonstrate the limitations of these technologies, and explain the theory underlying their limitations.

Developing tools that aid in analyzing adversarial programs requires us to go back to the drawing board. Besides presenting a broad vision for adversarial code analysis, this talk will highlight some chinks in the armor of a malware writer. The talk will also present some emerging technologies geared toward analyzing unfriendly programs, for instance: a deobfuscating disassembler to aid in finding and analyzing specific obfuscations; a reverse morpher to undo metamorphic transformations; and a virus phylogeny generator to match a new sample against a database of known malware.

Dr. Arun Lakhotia is an Associate Professor of Computer Science at the Center for Advanced Computer Studies in the University of Louisiana at Lafayette. Over the last twelve years he has been conducting research in reverse engineering and reengineering of software systems. His research, which started as developing aids for program comprehension, has now shifted toward developing technologies that help security analysts analyze third-party components for security exploits. His research has led to new ways to counter metamorphic viruses, to deobfuscate code, and to detect new viruses by comparing their code with previously known viruses. Dr. Lakhotia teaches a course on malware analysis and has given tutorials on the subject at the IEEE Working Conference on Reverse Engineering. Dr. Lakhotia has also ventured into robotics, and is the Project Director of Team CajunBot, a finalist in the 2004 and 2005 DARPA Grand Challenge. He is recipient of the 2004 Louisiana Governor's University Technology Leader of the Year award.


David Litchfield, Founder, Next Generation Security Software

Four years ago at Blackhat, David presented a talk on critical weaknesses in the Oracle database server and Oracle Application Server debunking their claims that their software was "Unbreakable". This talk and presentation will show that their software is still as insecure as it was four years ago and suffers from almost identical holes.

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of The Database Hacker's Handbook, The Shellcoder's Handbook, SQL Server Security, and Special Ops. In his spare time he is the Managing Director of Next Generation Security Software Ltd.


Foreign Attacks on Corporate America (How the Federal Government can apply lessons learned from the private sector)
Kevin Mandia, President, Red Cliff

Throughout his career, Kevin Mandia has worked directly with both the public and private sector in responding to international computer intrusions, theft of intellectual property, electronic discovery issues, and widespread compromise of sensitive data. With the increased level of sophistication and complexity of attacks, along with the increased government regulations surrounding security, we are at an integral point in risk management. Federal government, international corporations and individual home users are under constant attack. Many of these attacks originate from foreign lands where the perpetrators are impervious to our laws and legislation. Mr. Mandia discusses the types of attacks, how our clients are responding to these incidents, and the technical and legal intricacies of computer forensics when dealing with these cases.

During this presentation, Mr. Mandia discusses emerging trends and technologies that offer strategic approaches to minimize the risks that an organization faces from the liabilities the information age has brought. He will re-enact some of the incidents; provide examples of how these incidents impacted organizations; and discuss the challenges that each organization faced. He will demonstrate the “state-of-the-art” methods being used to perform Incident Response, and how these methods are not evolving at a pace equal to the threats. He concludes the presentation by outlining the need for new technologies to address these challenges, and what these technologies would offer.

Kevin Mandia is an internationally recognized expert in the field of information security. He has been involved with information security for over fifteen years, beginning in the military as a computer security officer at the Pentagon. He has assisted attorneys, corporations, and government organizations with matters involving information security compliance, complex litigation support, computer forensics, expert testimony, network attack and penetration testing, fraud investigations, computer security incident response, and counterintelligence matters. Mr. Mandia established Red Cliff specifically to bring together a core group of industry leaders in this field and solve clients' most difficult information security challenges.

Prior to forming Red Cliff, Kevin built the computer forensics and investigations group at Foundstone from its infancy to a multi-million dollar global practice that performed civil litigation support and incident response services. He led Foundstone’s computer forensic examiners in supporting numerous criminal and civil cases and has provided expert testimony on matters involving theft of intellectual property and international computer intrusion cases.

Mr. Mandia is co-author of "Incident Response: Performing Computer Forensics" (McGraw-Hill, 2003) and "Incident Response: Investigating Computer Crime" (McGraw-Hill, 2001). He has also written articles for SC Magazine and The International Journal of Cyber Crime.

Kevin holds a Bachelor of Science in Computer Science from Lafayette College and a Master of Science in Forensic Science from The George Washington University. He is a Certified Information Systems Security Professional (CISSP), and he has held government security clearances at the Top Secret and higher levels.  He has been featured on CNN’s Talkback Live, NBC News, and Fox News.


SCADA Security and Terrorism: We're Not Crying Wolf!
David Maynor, Research Engineer, ISS X-Force R&D, Internet Security Systems
Robert Graham, ISS

Many are beginning to believe the FUD about SCADA is merely the cyber-security industry employing scare tactics. This presentation will erase all doubt. Understanding SCADA security is easy: there is none. The back end networks that control our power, oil/gas, manufacturing, water, and transportation systems have no security. In most cases, the systems themselves don't support authentication, encryption, or even the most basic validation protocols. The few systems that do support these protocols are usually run with security features disabled.

Under contract with our customers, Internet Security Systems has pen-tested many of the world's most important national SCADA networks and can confirm that the cyber-security fears are justified. The destruction hurricane Katrina caused in the Gulf Coast area demonstrated the severe effects of a regional infrastructure disruption on the nation (and indeed the world). Through these unsecured back end networks, which are increasingly connected to the Internet, hackers anywhere in the world can easily target and disrupt national infrastructure using everything from a WAP-enabled cell phone to an Excel spreadsheet. Lawmakers in Washington are rightly concerned that this lack of security could easily lead to a major cyber-terrorist incident. Attendees of the session will learn what the black-hats know about SCADA, hear anecdotes from our pen-tests and witness our live demo.

David Maynor
Mr. Maynor is a research engineer with the ISS X-Force R&D team, where his primary responsibilities include reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at the Georgia Institute of Technology (GaTech), the last two of them as part of the information security group, working as an application developer to help make the sheer size and magnitude of security incidents on campus manageable. Before that, Maynor contracted with a variety of companies across a wide spread of industries, ranging from digital TV development to protection of top 25 websites, security consulting and penetration testing, online banking and ISPs.

Robert Graham
Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago, designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. IRL, he is the co-founder, CTO, and chief architect at Network ICE (now owned by ISS).


Combatting Symbian Malware
Jarno Niemelä, Senior Anti-Virus Researcher, F-Secure

Viruses, worms and trojans that operate on Symbian devices are turning from a technical curiosity into a threat. The localized outbreaks caused by Cabir and Commwarrior worm variants indicate that, in any large organization, the possibility of employee phones being infected by mobile malware is increasing with time.

While current Symbian malware is still technically rather primitive, it can be rather difficult to handle and disinfect without proper knowledge of how to operate Symbian based smartphones.

The purpose of this talk is to give information on how to handle, analyze and disinfect Symbian based malware threats. The presentation will give an overview of Symbian OS from the malware point of view, the most common Symbian malware, a brief overview of how the malware works, and how to counter malware infection both at the network level and at the level of the individual phone.

Jarno Niemelä was born in Helsinki in 1975. He graduated from EVTEK Institute Of Technology in 1999 with a Bachelor of Engineering degree. During and after his studies he worked as a smartcard and driver programmer at Setec Ltd, which at that time specialized in smartcards, printed money and passports. In 2000 he joined F-Secure Corporation as a Mobile Anti-Virus researcher and currently serves as Senior Anti-Virus Researcher in the same position. He has followed the mobile malware and security field for almost five years and has seen the development of the threats from the first Palm OS trojan to current Symbian malware. In addition to his day work he teaches information security to engineers at the EVTEK and Stadia polytechnics in the Helsinki region. He is married and lives in Espoo. During his free time he enjoys food and beer gastronomy, running and teaching.


The Era of a Zero-Day Nation-State: Characterising the real threats to our nation’s critical information systems
Tom Parker, Security Research Group Manager, MCI
Matthew G. Devost, CEO, Terrorism Research Center

Since Tuesday, September 11th 2001, the concept of cyber terrorism has been extensively referenced, speculated over, argued over and discussed by the world’s mass media.

To this day, a finger has yet to be pointed in the direction of a single act of so-called cyber terrorism, perhaps one of the many reasons why few seem to truly understand what form the phenomenon will manifest itself in, if it indeed exists.

With extensive backgrounds in adversary characterization, vulnerability exploitation, attack analysis and kinetic terrorism, Parker and Devost will go about picking apart what we really know about nation states' use of information systems to attack foreign states, the types of highly robust exploits which they might be creating for this very purpose, and the likelihood of, and circumstances under which, they may be used.

Tom Parker is a computer security analyst who, alongside his work providing integral security services for some of the world's largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. His more recent work includes the development of an embedded operating system, media management system and cryptographic code for use on digital video band (DVB) routers, deployed on the networks of hundreds of large organizations around the globe. In 1999, Mr. Parker helped form Global InterSec LLC, playing a leading role in developing key relationships between GIS and public and private sector security companies.

Whilst continuing his vulnerability research, focusing on emerging technologies and new vulnerability exploitation techniques, Tom spends much of his time researching methodologies aimed at characterizing adversarial capabilities and motivations against live, mission critical assets, providing methodologies to aid in adversarial attribution in the unfortunate times when incidents do occur. Currently working as a security consultant for NetSec, a provider of managed and professional security services, Tom continues his research into finding practical ways for large organizations to manage the ever growing cost of security by identifying where the real threats lie, thereby defining what really matters.

Tom regularly presents at closed-door and public security conferences including the Black Hat briefings and is often quoted by the world's media on matters relating to Computer Security. In the past, Tom has appeared on the BBC News and has been quoted by the likes of Reuters News and ZDNet. Tom is the author of "Cyber Adversary Characterization: Auditing the Hacker Mind" by Syngress publishing (ISBN: 1-931836-11-6) and a contributing author to the Amazon best seller "Stealing the Network: How to Own a Continent" by Syngress publishing (ISBN: 1-931836-05-1).

Matthew G. Devost is President and CEO of the Terrorism Research Center, Inc. overseeing all research, analysis, assessment, and training programs. Mr. Devost also co-founded and serves as Executive Director of Technical Defense, Inc., a highly specialized information security consultancy. Mr. Devost also holds an Adjunct Professor position at Georgetown University.

Previously, Mr. Devost was the Director of Operations for Professional Services at Counterpane Internet Security. Mr. Devost had performed the same function as Director of Operations for Security Design International, Inc, which was acquired by Counterpane Internet Security.

Mr. Devost has been researching the impact of information technology on national security since 1993. Prior to joining SDII, he was the Director of Intelligence Analysis for Infrastructure Defense (iDefense), where he led an analytical team identifying infrastructure threats, vulnerabilities and incidents for Fortune 500 and government clients including Microsoft and Citigroup.

As a Senior INFOSEC Engineer at Science Applications International Corporation (SAIC), Mr. Devost provided support on Information Operations and its related subsets to the Department of Defense Community.

In 2004, Mr. Devost was appointed to the Defense Science Board Task Force on Critical Homeland Infrastructure Protection to provide advice to the Department of Defense and Department of Homeland Security. Mr. Devost serves as a Senior Advisor to the Airline Pilots Association National Security Committee, sits on the Board of Directors as a Founding Member of the Cyber Conflict Studies Association, and is an adjunct member of the Los Angeles Terrorism Early Warning Group.

Mr. Devost holds a B.A. degree from St. Michael’s College and a Master of Arts Degree in Political Science from the University of Vermont.


Rootkit Hunting vs. Compromise Detection
Joanna Rutkowska

Recently there has been increased interest in rootkit technology all over the world. Eventually many AV companies started working on commercial rootkit hunting tools for the Smith family... But is rootkit detection the same as compromise detection? What about backdoors, keystroke loggers and other malware which is "stealth by design" and does not require rootkit technology as protection? How does the current anti-rootkit technology work here?

The presentation will first focus on different types of system compromises and will explain how it is possible for the attacker to achieve full stealth without classic rootkit technology. Then it will discuss possible solutions for detecting these different types of compromises and compare them against “classic” rootkit detection approaches, introducing the need for explicit system verification. Those subjects will be discussed from the perspective of desktop computers as well as server machines.

The talk will be supported by live demos showing the limitations of current anti-rootkit tools against malware which is "stealth by design". The author is also going to release a new version of her Virginity Verifier, a tool for explicit compromise detection on Windows systems.

Joanna Rutkowska is an independent security researcher. Her main interest is in stealth technology, that is, in the methods used by attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She is interested in both detecting this kind of activity and in developing and testing new offensive techniques. She develops assessment and detection tools for various companies around the world. She lives in Warsaw, Poland.


Pentesting J2EE
Marc Schoenefeld

J2EE is known as a framework that provides Java business applications with a secure underpinning. As ever, the devil is hidden in the details, unfortunately for you if you are a developer, fortunately for you if you are a pentester. The talk shows how J2EE services can be assessed for weaknesses. In addition, the protocols used and the corresponding attack types are covered.

Marc Schoenefeld

  • Dipl.Wirtschaftsinformatiker
  • PhD student at University of Bamberg
  • Submitted >20 bugs about the JDK to Sun
  • 2005 speaker at XCon, Bellua, HITB and RSA


Beyond EIP
spoonm, Metasploit Project
Skape, Metasploit Project

When we built Metasploit, our focus was on the exploit development process. We tried to design a system that helped create reliable and robust exploits. While this is obviously very important, it's only the first step in the process. What do you do once you own EIP? Our presentation will concentrate on the recent advancements in shellcode, IDS/firewall evasion, and post-exploitation systems. We will discuss the design and implementation of the technologies that enable complex payloads, such as VNC injection, and the suite of tools we've built upon them. We will then present a glimpse of the next generation of Metasploit, and how these new advances will serve as its backbone.

Since late 2003, spoonm has been one of the core developers behind the Metasploit Project. He is responsible for much of the architecture in version 2.0, as well as other components including encoders, nop generators, and a polymorphic shellcode engine. A full-time student at a northern university, spoonm spends too much of his free time on security research projects.

Skape is a lead software developer by day and an independent security researcher by night. He joined forces with the Metasploit project in 2004 where his many contributions have included the Meterpreter, VNC injection, and many other payload advances. Skape has worked on a number of open-source projects and has authored several papers on security related technologies. His current security related interests include post-exploitation technologies, payload development and optimization, and exploitation prevention technology.


Playing Server Hide and Seek on the Tor Anonymity
Paul Syverson, Mathematician, Naval Research Laboratory
Lasse Øverlier, Mathematician, Norwegian Defence Research Establishment & Gjøvik University College

Can you set up a server that anyone can access but no one can find? Yes you can. Since 2004 we have deployed location hidden servers on the Tor network. Anyone can set one up and hide it using Tor. Tor is a freely available anonymous communication network developed by the Naval Research Laboratory and the Free Haven Project. It is the most widely deployed and used anonymizing network ever in existence. It currently consists of about 250 servers on six continents and has an unknown (hidden) number of users estimated to be in the hundreds of thousands. Tor was named one of the 100 best products of 2005 by PC World.

Hidden services have many uses from resisting server DDoS to anonymous blogging. has published a guide to "Torcasting" (anonymity preserving and censorship resistant podcasting). And both the Electronic Frontier Foundation and Reporters Without Borders have issued guides that describe using hidden services via Tor to protect the safety of dissidents as well as resist censorship.

Our primary focus in this presentation will be attacks. We will start by briefly describing the basic motivation and design of hidden services, outline how to set up your own hidden server and question how secure these hidden services really are. We will then demonstrate attacks we have recently carried out in experiments on the deployed Tor network that uncover the location of hidden servers in a matter of minutes. We will also tell you how to protect against these attacks. We will present helper nodes and other countermeasures to these attacks that have recently been implemented and describe how they counter the attacks.

Paul Syverson is the inventor of Onion Routing, for which he received the Edison Invention Award, and designer of all three generations of Onion Routing systems, including the latest system, Tor. Dr. Syverson has been designing and analyzing security and privacy systems at the Naval Research Laboratory for sixteen years. He has been chair of eight conferences and workshops ranging from the European Symposium on Research in Computer Security to the Privacy Enhancing Technologies Workshop and the Financial Cryptography Conference. He is editor of several books on these topics, as well as author of many dozens of papers published in refereed conferences and journals. He is also the author of Logic, Convention, and Common Knowledge, a book that discusses philosophical foundations of logic, and employs game theory and distributed computing in doing so. He is former editor of IEEE Cipher. He has been an invited visitor at the Newton Institute for Mathematical Sciences in Cambridge, England and was on the faculty of the first International School on Foundations of Security Analysis and Design in Bertinoro, Italy. Degrees: PhD and MA in philosophy (logic), MA in mathematics (all three from Indiana), AB in philosophy from Cornell. More information available at

Lasse Øverlier is an employee of the Norwegian Defence Research Establishment, where he works on Computer Network Operations. He also lectures security classes in the Master of Science in Information Security program at Gjøvik University College and at the University Graduate Center at Kjeller. He is currently located at the Naval Research Laboratory in Washington DC, working on the security of anonymity systems while struggling towards a PhD at Gjøvik University College.


FragFS: An Advanced NTFS Data Hiding Technique
Irby Thompson, Senior Software Security Engineer, Lockheed Martin - ATRC
Mathew Monroe, Senior Software Security Engineer, Lockheed Martin - ATRC

The ability to both conceal and detect hidden data on the hard drive of a compromised computer represents an important arms race between hackers and forensic analysts. While rootkits and other kernel manipulation tools make hiding on live systems fairly easy, the trick of hiding data from forensic tools and offline drive analysis is much more difficult. In this presentation, we will review traditional data hiding techniques, examine their strengths and weaknesses, and then explore more advanced methods of data hiding which go beyond the detection capabilities of current forensics tools. Further attention will be given to enabling transparent access to hidden file systems while also minimizing detection, ensuring data confidentiality, and providing robustness against corruption. The culmination of our research will be demonstrated in an advanced data hiding methodology and a corresponding forensic detection utility.

Irby Thompson is currently a Senior Software Security Engineer for the Advanced Technology Research Center of Lockheed Martin. His interest in computer security began in high school and led to a career in network and host security with a focus on operating system security and applied cryptography. Irby's past experience includes the design and development of a secure email system including features such as guaranteed read-receipts, message expiration, one-time read, and un-send capabilities. He holds a Master's degree in Information Security from Georgia Tech and a Bachelor's degree in Computer Science, Math, and Management of Technology from Vanderbilt University.

Mathew Monroe has a BS in Electrical and Computer Engineering with an additional major in Mathematical Sciences from Carnegie Mellon University, and is currently pursuing graduate studies there. He is an accomplished developer specializing in embedded systems and computer security. In addition, Mathew has experience designing and implementing high performance distributed file systems and applications. He is currently a Senior Security Engineer at the Lockheed Martin Advanced Technology Research Center. Prior to this post he implemented, deployed, and tested Lustre file systems on Lawrence Livermore National Laboratory's MCR and ACL clusters and Pacific Northwest National Laboratory's rx2800 cluster. The Lustre file system is an advanced high performance distributed file system used by a number of the world's top supercomputers. In addition, Mathew designed and implemented firmware and low level file system code for network attached storage devices at Spinnaker Networks (now Network Appliances).


My IDS is better than yours. Or is it?
Stefano Zanero, Ph.D. Candidate, Politecnico di Milano T.U.; CTO & Founder, Secure Network S.r.l.

What do we, as customers or researchers, need to know about testing methodologies for IDSs? What about the currently "standard" industry test methodologies? How can we make sense of (or disperse the FUD in) the cloud of statistics vendors use to conceal their flaws? And should we draft tests for the evaluation of technology in our own environment, how should we deal with the various performance indexes of IDS systems?

Stefano Zanero, M.S. in Computer Engineering, graduated "cum laude" from the Politecnico di Milano school of engineering, with a "Laurea" (M.S.) thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Department of Electronics and Information of the same university. His current research interests include, besides learning IDSs, the security of web applications and computer virology. He has been a speaker at international scientific and technical conferences (including CanSecWest, Black Hat and IT Underground), and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security & Privacy", and various international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery), and of ISSA (Information Systems Security Association). He is also a regular columnist of the "Security Manager's Journal" on Computer World Italy, and has been awarded a journalism award. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.


(c) 1996-2007 Black Hat