An Introduction to SPIKE, the Fuzzer Creation Kit
Dave Aitel, Immunity, Inc
SPIKE (spike.sourceforge.net) is a tool created in order to better analyze new or complex network protocols. Publicly, SPIKE is best known for locating 2 of the recent IIS vulnerabilities; privately, it has located many more.
Although SPIKE is a fuzzer, and there are many fuzzers, SPIKE has some unique theoretical underpinnings. These, and the SPIKE API itself, will be presented, along with some interesting demos.
Dave Aitel spent 6 years with the National Security Agency before joining @stake, heading up its Attack and Penetration Center of Excellence. He now works for Immunity, Inc.
Cisco Router Forensics
Thomas Akin, CISSP
[ Intrusion Detection / Incident Response / Computer Forensics ]
Routers have long been used as resources for footprinting a network before an attack. Now they are increasingly becoming the target of attack themselves. A compromised router allows an attacker to not only easily map out the network, but provides means of rerouting traffic and bypassing firewalls and IDS systems. The outline for the presentation is below:
- Router Exploits & Their Implications
- Brief Router Hardware/Software Overview
- Details of Router Memory and Flash Storage
- Router Forensics vs. Traditional Forensics
- Router Incident Response
- Securely Accessing the Router
- Recording Your Analysis
- Router Forensic Imaging
- Evidence Preservation & Chain of Custody
- Evidence Discovery
- Volatile Evidence (RAM)
- Non-volatile Evidence (Flash)
- External Analysis
- Evidence Analysis
- IOS Vulnerabilities
- Logging Analysis
- Console, Buffer, Terminal, SNMP, AAA, Syslog Logging
- ACL Logging
- Timestamp Correlation
- Router
- Using Routers to Perform Real-time Analysis
Thomas Akin is a Certified Information Systems Security Professional (CISSP) who has worked in Information Security for almost a decade. He is the founding director of the Southeast Cybercrime Institute where he also serves as chairman for the Institute's Board of Advisors. He is an active member of the Georgia Cybercrime Task Force where he heads up the Task Force's Education committee. Thomas also works with Atlanta's ISSA, InfraGard, and HTCIA professional organizations.
Thomas is the author of "Hardening Cisco Routers" from O'Reilly and Associates. He also has a chapter titled "Cybercrime: Response, Investigation, and Prosecution" in the upcoming Information Security Management Handbook. He developed Kennesaw State University's highly successful UNIX, Cisco, and Computer Investigation training programs. Finally, in addition to his CISSP he is certified in Solaris, Linux, and AIX, is a Cisco Certified Academic Instructor (CCAI), and is a Certified Network Expert (CNX). Thomas can be reached at takin@crossrealm.com
Cracking VoIP Architecture Based on the Session Initiation Protocol (SIP)
Ofir Arkin, Managing Security Architect, @stake
[ Routing & Infrastructure ]
"...it is no longer necessary to have a separate network for voice..."
Voice over IP (VoIP) is the next generation of telecommunications. It is composed of signaling protocols (which establish, modify, and tear down sessions), media transfer protocols (which carry the voice samples), and supporting protocols (which provide the other two with services they need, such as routing, DNS, etc.).
Security issues with VoIP protocols receive far less attention than the hype about the technology. This talk will focus on the security issues with the Session Initiation Protocol (SIP), a signaling protocol that is the leading contender to H.323, and with the Real-Time Transport Protocol (RTP), which is the most common vessel for carrying voice samples.
The presentation will highlight ways to take advantage of the design of these protocols. The talk will also examine ways to bypass any element in a VoIP architecture based on the Session Initiation Protocol. Among the issues we will be examining are free phone calls, call hijacks, call tracking, manipulation of conversations, fraud (and detection) and other gizmos.
Ofir Arkin has worked as a consultant for several European financial institutions where he played the role of Senior Security Analyst and Chief Security Architect in major projects. His experience includes working for a leading Swiss bank architecting the security of the bank's E-banking project.
Prior to joining @stake Ofir acted as chief security architect for a 4th generation telecom company, where he designed the overall security scheme for the company. Ofir has published several papers as well as articles and advisories. Most known are the "ICMP Usage in Scanning" and "Trace-Back" research papers. Some of his research was mentioned in professional computer security magazines. He is an active member of the Honeynet Project and participated in writing the Honeynet team's book, "Know Your Enemy", published by Addison-Wesley.
Ofir Arkin is also the Founder of the Sys-Security Group, a web site dedicated to computer security research.
Advanced 802.11b Attack
Robert Baird
Mike Lynn
[ Wireless ]
This presentation will initially open with an in depth discussion of theoretical wireless attacks. The centerpiece of this presentation will be a demonstration of an 802.11b wireless MITM. This will be a full Layer 1 insertion between the victim’s machine and the wireless infrastructure and NOT just simple redirection of upper level protocol packets (like IP). This attack is performed with custom software tools used to cause the victim machine to send all of its 802.11b frames through the attacking machine. This attack can be performed without close proximity to the victim and does not require any custom hardware. Additionally, as time permits we will explore the upper layer protocol vulnerabilities that can then be exploited by this technique.
Given adequate speaking time, we may also cover a number of additional attacks on wireless implementations, such as known plaintext attack possibilities with WEP and the effects that shared key authentication has on them.
All custom software tools and drivers will be made available on the BH2002 CD.
Robert Baird: Robert is a senior IT engineer with 17 years professional experience and 5 years security experience and holds a B.S. degree in Electrical Engineering and is a Certified Information Systems Security Professional. Robert has been researching wireless security and performing wireless assessments for 2 years.
Mike Lynn: Mike is a software engineer with over 5 years development experience and is currently working in the security field. Mike has been researching wireless networking and writing custom 802.11 drivers for 1 year.
Attacking and Securing UNIX FTP Servers
Jay Beale, Founder & Principal Security Consultant, JJB Security Consulting & Training
[ Web, Mail, DNS & Others ]
The Unix FTP servers have been called 'the IIS of the Unix world' for their frequent and potent vulnerabilities. Each has provided remote exploits, usually at the root privilege level, on a consistent and frequent basis. WU-FTPd is the most popular Unix FTP server by far, shipping by default on most Linux distributions, and even on Solaris, and being installed most commonly on the rest of the Unix platforms. This talk will demonstrate working exploits on WU-FTPd, then show you how to configure WU-FTPd to defeat them. While the talk will use WU-FTPd as the primary example, we'll also discuss ProFTPd, the other major FTP daemon for Unix.
Jay Beale is the founder and principal security consultant for JJB Security Consulting and Training. He is the Lead Developer of the Bastille Linux Project, which creates a hardening program for Linux and HP-UX. Jay is the author of a number of articles on computer security, along with the upcoming book "Locking Down Linux the Bastille Way" to be published in the second quarter of this year by Addison Wesley. You can learn more about his articles, talks, courses and consulting via http://www.bastille-linux.org/jay.
Politics of Vulnerability Reporting
Scott Blake, CISSP, Vice President of Information Security, Bindview Corporation
[ Web, Mail, DNS & Others ]
The vulnerability reporting process is rife with competing interests. Research is conducted by software vendors themselves, paid consultants, government agencies, professional and academic researchers, as well as people who make their living in other ways. Each of these groups has particular interests in the process. The vendor of the targeted software has its own concerns. The public at large has an interest in the process (and its results), but it is unclear what the public should be concerned with. This talk explores vulnerability reporting from all angles, including that of the public good. Attendees will learn a rudimentary cognitive framework for understanding the powers in play in vulnerability reporting and apply it to understand the present and the future of security.
Scott S. Blake, CISSP
As BindView's Vice President of Information Security, Mr. Blake is responsible for the functioning of RAZOR, a worldwide team of security experts providing security expertise to all of BindView's technologies and performing original research in computer and network security, as well as supervising BindView's operational security, risk management, and emergency response team. Additionally, Mr. Blake is responsible for BindView's Public Policy group. Mr. Blake was Director of Security Strategy at BindView before being promoted. Prior to joining BindView, Mr. Blake was Director of Technical Services for Netect where he was responsible for the Technical Support, Information Technology, and Pre-Sale Engineering groups. He also participated in the design of HackerShield, an award-winning vulnerability assessment scanner. Before Netect, Mr. Blake was Network Security Architect for Internet Security Corporation where he designed perimeter security, network security architectures, and developed security policies for several large companies including leaders in financial services and telecommunications, as well as several large hospitals and universities. Mr. Blake is frequently sought to speak at security and information technology conferences and by the media to comment on security issues. He is the author of several articles on various aspects of information security.
Mr. Blake is a Member Emeritus of the Common Vulnerabilities and Exposures Editorial Board and Chairperson of the Simon's Rock College Alumni Association Advisory Board. He holds a BA, cum laude, from Simon's Rock College, an MA in Political Sociology from Brandeis University, and is a Certified Information Systems Security Professional.
Syscall Proxying - Simulating Remote Execution
Maximiliano Caceres, Product Engineer, CORE IMPACT, CORE SECURITY TECHNOLOGIES
[ Deep Knowledge ]
A critical stage in a typical penetration test is what we call the "Privilege Escalation" phase. An auditor typically encounters this stage when access to an intermediate host or application in the target system is gained by means of a successful attack. Access to this intermediate target allows for staging of more effective attacks against the system. Webs of trust and a more privileged position in the target system's network topology allow for an "attacker profile" switch. This 'profile switch' is referred to as 'pivoting' throughout this document. Pivoting over a compromised host can often be an onerous task, sometimes involving porting tools and/or exploits to a different platform, deploying these tools, and even installing C compilers on the target system! Syscall Proxying is a technique aimed at simplifying this stage. By providing an interface into the target's operating system, it provides both a framework for developing new penetration-testing tools and isolates remote attacks from local configuration issues (for example, lowered privileges and chroot jails). Syscall Proxying transparently "proxies" operating system syscalls to a remote server, effectively simulating remote execution.
The presentation is structured into the following sections:
1. Syscall Proxying: general concepts
   1.1. UNIX syscalls
   1.2. Windows "syscalls"
2. A first into an implementation
   2.1. An RPC client-server model
3. Optimizing for size: redefining the word "shellcode"
   3.1. No more exec '/bin/sh'
   3.2. Why? No more shellcode customization
   3.3. A sample implementation for Linux
4. The real world: applications
   4.1. Exploiting buffer overflows / format strings
   4.2. An example: breaking out of a chroot jail after attacking wu-ftpd
This is a fairly technical presentation, aimed at exploit and general pen-testing tool writers. It has some assembly code and Python samples. The complete materials for the presentation will be a paper (in PDF), a PowerPoint presentation (exclusively for this Black Hat conference) and a couple of code samples, both for a syscall client and a syscall server, which will allow the audience to actually try the technology for themselves on their own systems.
Maximiliano Caceres is the head engineer for CORE IMPACT, a revolutionary risk assessment product developed to professionalize the Penetration Testing practice. He has been part of the IS consulting services team at CORE-ST as a senior consultant, responsible for coordinating and executing penetration tests, security architecture design and product security evaluation engagements. Maximiliano has also been involved in the research, discovery and reporting of computer security vulnerabilities during the last 8 years.
Security Event Correlation: Security's Holy Grail?
Matthew Caldwell, CISSP, Chief Security Officer & Co-founder, GuardedNet
[ Intrusion Detection / Incident Response / Computer Forensics ]
Today, one of the main issues affecting the security teams of large organizations is the management of their intrusion detection data. Security teams are inundated with enormous amounts of data from their intrusion detection systems, much of which is false positives. In addition, firewalls, routers, anti-virus solutions and all the other security point solutions provide a plethora of data that teams must manually pore through and analyze. This process is laborious and prone to human error, such that analysts often miss the true threats to their networks or find them too late. Organizations need a solution that automates the time-consuming, mundane tasks of aggregation and correlation of security event data, so that security analysts can focus on the tasks that require human intelligence, such as trending and analysis, investigation and response.
Correlation tools are considered the Holy Grail for intrusion security professionals who are bogged down with log data overload. They hope that correlation can pull the needle out of the haystack diminishing false positives and finding attacks that are ignored by individual point products. They imagine that correlation will put the "real" in real-time. But in reality, when it comes to stopping attackers, correlation is only the beginning of a complex threat analysis process.
During this presentation, Matt Caldwell from GuardedNet will discuss correlation of security data in detail: what it can do and what it can't do. You will learn the following:
- The definition of correlation and the various types of correlation that can be used in a security infrastructure to glean attack information
- The difference between Micro and Macro correlation and why Macro
- The process of automating data correlation
Matthew Caldwell, CISSP, is chief security officer and co-founder of GuardedNet, a leading developer of security operations threat management software. He has 11 years of experience in the field of network security and development, working for organizations such as NCR, Intel, Solectron and Alcoa.
Before GuardedNet, Mr. Caldwell led the Security Audit Project for The State of Georgia. His group conducted covert penetration testing, defended against intrusion, and developed forensics for security incidents. He is an expert in IDS products, developing high-availability intrusion detection capabilities, and distributed war-dialing systems.
Previously, Mr. Caldwell was a Senior Security Analyst for VC3, an IT services firm, where he founded the security business. Additional prior experience includes Intel Inc., NCR Inc, AT&T, and a regional ISP. His advanced server group won "Best Server" at Comdex 1998. Mr. Caldwell is a frequent guest speaker on advanced hacker tools. He serves as a network forensics expert for the Georgia Bureau of Investigations and has created forensic methodologies with a baited system that traps and logs hackers.
National Strategy for Securing Cyberspace
Richard Clarke, Office of Cyberspace Security
[ Keynote ]
Richard Clarke will discuss the National Strategy for Securing Cyberspace.
National Security Advisor Condoleezza Rice and Director of Homeland Security Governor Ridge announced in October the appointment of Richard A. Clarke as Special Advisor to the President for Cyberspace Security.
Mr. Clarke has served in several senior national security posts. Most recently he served as National Coordinator for Security, Infrastructure Protection, and Counter-terrorism on the National Security Council. As National Coordinator, he led the U.S. government’s efforts on counter-terrorism, cyber security, continuity of government operations, domestic preparedness for weapons of mass destruction, and international organized crime.
In the George H.W. Bush Administration, he was the Assistant Secretary of State for Politico-Military Affairs. In that capacity, he coordinated State Department support of Desert Storm and led efforts to create a post-war security architecture. In 1992, General Scowcroft appointed Mr. Clarke to the National Security Council staff. He continued as a member of the NSC staff throughout the Clinton Administration. In the Reagan Administration, Mr. Clarke was the Deputy Assistant Secretary of State for Intelligence.
Richard Clarke is a career member of the Senior Executive Service, having begun his federal service in 1973 in the Office of the Secretary of Defense.
Mr. Clarke is a graduate of the Boston Latin School, the University of Pennsylvania, and the Massachusetts Institute of Technology.
Fixing/Making Holes in Binaries: the Easy, the Hard, the Time Consuming
Shaun Clowes, IT Director, SecureReality
[ Application Security ]
The ability to modify a binary while on disk or as a running process provides an amazing array of opportunities for the systems programmer or blackhat/whitehat since it is then possible to modify a program to:
- Insert debugging/profiling code
- Render it invulnerable to a known security issue
- Add malicious code (e.g a backdoor)
However, traditionally both on-disk and runtime binary modification have been sufficiently complex to limit their use to virus writers, black hats and others with a reasonably intimate understanding of systems-level programming.
This talk will attempt to demystify both binary and runtime program modification, focusing on the modification of ELF binaries under Linux and Solaris. In particular a variety of methods will be discussed and demonstrated including:
- Binary patching
- Process memory patching
- Library interception
- Run time library interception
The talk will cover the basic approach behind each of the methods along with their advantages and disadvantages. The demonstrations will show how the methods can be used for evil but more importantly how they can empower administrators and systems programmers to protect applications for which they do not have the source from known security vulnerabilities (rather than falling at the mercy of the software vendors).
A substantial amount of the talk will be devoted to discussion about and demonstration of injectso, a recently released tool by the speaker that allows for simple run time patching of processes under Solaris (Sparc) and Linux (IA32 and Sparc) through the injection of shared libraries.
Shaun Clowes is the IT Director of SecureReality, a small cutting edge security consultancy based in Sydney, Australia. Shaun holds an honors degree in Computing Science from the University of Technology Sydney and has a wide technical background in IT including Unix systems programming, networking and systems/security administration. Shaun leads the vulnerability research arm of SecureReality which is broadly exploring the security landscape testing both the obvious targets and the glue that holds everything together.
Hacking Layer 2: Fun with Ethernet Switches
Sean Convery, Security Researcher, Cisco
[ Routing & Infrastructure ]
Lots of time has been spent presenting L2 hacking from the attacker's perspective. What is needed is a focus on the network administrator and what he can and can't do to try and thwart these attacks. This session presents currently available L2 attack methods interspersed with details on mitigating the attack. The findings are the result of combined @Stake and Cisco testing. Security issues addressed include: ARP Spoofing, MAC Flooding, VLAN hopping, DHCP starvation, packet sniffing, and STP concerns. Common myths with Ethernet switch security will be either confirmed or debunked and security lockdown recommendations will be provided.
Sean Convery, CCIE #4232, is a security researcher in Cisco's Critical Infrastructure Assurance Group (CIAG). The research arm of the CIAG is tasked to collaborate with various groups (primarily academia and national laboratories) on security issues 3-5 years in the future. Before coming to the CIAG, Sean worked primarily on the SAFE blueprint, and is an author of several whitepapers on the subject. Prior to his four years at Cisco, Sean held various positions in both IT and security consulting during his 11 years in networking.
Why Is Anonymity So Hard?
Roger Dingledine, the Free Haven Project
[ Privacy & Anonymity ]
With reasonable anonymity designs that are decades old, it seems clear that we should have a reliable, secure, and ubiquitous anonymity network by now. But apart from the purely technical challenges, there are social barriers as well. The complexity of distributing trust, problems funding the infrastructure or getting volunteers to run it, and challenge of making users comfortable all conspire to make deploying a strong anonymity system very difficult.
I'll describe several anonymity designs, each with its own strengths and weaknesses, and compare ease of deployment based on the above issues. I will focus on Onion Routing, a low-latency stream-based anonymous communication system under research and development. Throughout, I'll share some intuition about how to break these systems and fix them, including some new and very effective attacks.
Roger Dingledine, The Free Haven Project. As a cryptographer and network security expert, Roger Dingledine lives in that space between theory and practice. He prefers to tackle the really hard problems so one day we can build real solutions. Current interests include anonymous publishing and communication systems, censorship-resistance, attack-resistance for decentralized networks, and reputation.
Professional Source Code Auditing
Mark Dowd, ISS X-Force
Nishad Herath, ISS X-Force
Neil Mehta, ISS X-Force
Chris Spencer
Halvar Flake, Black Hat Consulting
[ Deep Knowledge ]
Finding security vulnerabilities in software is getting increasingly difficult as coders (particularly of open source products) are learning the potential dangers of using certain functions, doing unbounded memory copies and so forth. Vulnerabilities of a more technical nature have begun to be uncovered recently which are much more subtle than standard programming errors and, because of this, have gone undetected for quite some time.
This speech aims to address some interesting conditions that occur in many software applications as well as demonstrate the threat these vulnerabilities represent. Some techniques will be disclosed here that we have developed for auditing software and exposing interesting vulnerabilities in both UNIX and Win32 applications. Several examples will also be shown to relate the theory of software analysis to the real world and give listeners an idea of what coding errors are commonly being made in the software community.
Mark Dowd has been part of the ISS X-Force research and development team for the past year and a half. In that time he has uncovered a number of vulnerabilities in major widely-used software applications. Some examples include buffer overflows in the /bin/login program for Solaris (exploitable remotely), CDE vulnerabilities and a radiusd buffer overflow.
Prior to working at ISS, Mark was consulting and performing penetration tests for an Australian company, where he was able to develop his skills, and also uncovered a number of software vulnerabilities in a number of UNIX operating systems, including remote vulnerabilities (and proof of concept exploit code) in Linux, Solaris, *BSD, Tru64 and IRIX.
Nishad Herath is a respected member of the Win32 security community. He has an in-depth understanding of Windows internals and has published a variety of papers discussing the Windows architecture and its internal operation, as well as given speeches (including at previous Black Hat Briefings) on topics such as Win32 kernel code injection. He has also discovered a number of vulnerabilities in major software applications, including remote Oracle weaknesses. Nishad has started working at ISS X-Force recently, but has been involved in research and development jobs for a number of years.
Neil Mehta is a recent addition to the research team at ISS X-Force, and specializes in reverse engineering and application security. His reverse engineering background was cultivated through his copy protection consulting business that was founded over two years ago. Neel has done extensive research into detecting subtle coding errors in C-based languages and within binaries, and has applied this research to detect many flaws in widely used software.
Chris Spencer
Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.
Putting 2 and 2 Together: Designing Security into Your Network Infrastructure
Stephen Dugan, CCSI 101labs.com
[ Routing & Infrastructure ]
This talk will focus on tying together your security within a well designed campus network. Understanding the layer 2 and layer 3 attacks against your Cisco network is one thing, learning how to apply methods to stop them within a structured design is another matter. Practical application of these security measures brings many challenges, compromises, and common mistakes.
We will tackle this from a couple of different approaches. First we will look at some design models and show some possible security issues inherent in the model itself: what specific commands will be needed, and where they will be applied, within your network. Second we will look at some proactive testing: start sniffing at the user’s connection and look for things we shouldn’t see. If we see protocols like L3 routing updates, CDP, STP or others, where could we apply commands to stop the user from seeing network management protocols? Third we will look at some configurations and point out some common mistakes that lead to opening various security holes.
Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.
The USA Patriot Act and Criminal Investigations: What Service Providers Need to Know
Mark Eckenwiler, Senior Counsel in the Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice
[ Privacy & Anonymity ]
The USA Patriot Act has been widely described as a "vast expansion of government surveillance authority." This session will challenge that assertion head-on by offering a detailed review of the federal criminal surveillance laws in effect for decades and describing the changes made by USA Patriot.
Mark Eckenwiler is Senior Counsel in the Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice. His areas of responsibility include federal wiretap law, computer search and seizure, and online investigations. An Internet veteran for almost two decades, Mark has written and spoken widely on such issues as anonymity and free speech, e-mail stalking laws, Internet jurisdiction, electronic privacy, and the Fifth Amendment implications of cryptographic keys. His articles have appeared in The National Law Journal, Legal Times, American Lawyer, Civil RICO Report, Internet World, and NetGuide. Recent speaking events include talks before Usenix, NANOG, and Computers, Freedom & Privacy Conference audiences, as well as an appearance at Black Hat 2000. Mark holds an A.B. cum laude from Harvard in History and Literature and an M.A. in Classics (Ancient Greek) from Boston University. After receiving his J.D. cum laude from New York University School of Law, he clerked for U.S. District Court Judge I. Leo Glasser in the Eastern District of New York.
Web Application Brute Forcing 101 “Enemy of the State (Mechanism)”
David Endler, CISSP, Director, iDEFENSE Labs
Michael Sutton, Senior Security Engineer, iDEFENSE Labs
[ Web, Mail, DNS & Others ]
Almost all of today’s “stateful” web-based applications use session IDs to associate a group of online actions with a specific user. This has security implications because many state mechanisms that use session IDs also serve as authentication and authorization mechanisms, purposes for which they were not well designed.
It is already well known that a user’s web session is vulnerable to hijacking in a replay attack if these session IDs are captured or sniffed by an attacker. A replay attack involving a web application means that an attacker can use a session ID to log on to a user’s account without the appropriate username or password. For example, by sniffing a URL that contains the session ID string, an attacker may be able to hijack a session simply by pasting this URL back into a web browser.
What is not well known is just how easily many of these session IDs can be guessed or brute-forced in order to conduct a replay attack. This eliminates the need for an attacker to guess someone’s username and password on one of these websites.
A session ID is an identification string used to associate specific web page activity with a specific user so that a sense of state is preserved for a web application. Session IDs can be used to preserve knowledge of the user across many pages and across historical sessions, enabling websites to provide features such as site personification (my.yahoo.com), online retail shopping carts (cdnow.com) and web-based e-mail (mail.yahoo.com and hotmail.com). Some web servers will generate a session ID for users after they visit any page on that server for the first time (Microsoft IIS, Apache, etc.). Additionally, other applications running on that web server (ATG Dynamo, BEA Weblogic, PHPNuke, etc.) may also generate more and different types of session IDs once the user has successfully authenticated.
This presentation focuses on the ease with which many of these session IDs can be brute-forced, allowing an attacker to take over a legitimate web application user’s session without ever learning that user’s credentials. While a somewhat narrow area of web application exploitation, the simplicity of the attacks and the prevalence of these vulnerabilities on the Internet make this an important topic. Malicious users can try (usually automated) combinations of well-known usernames and passwords, or indeed attempt all possible combinations of the accepted character set. However, the scope of a brute force attack can be greatly reduced when session IDs are predictable in nature. The presentation will include an overview of the issues involved with exploiting predictable or “reverse-engineerable” web session IDs and demonstrate some real world exploitation examples. It will conclude with a discussion on ways both users and developers can protect web applications from these types of attacks.
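The first thing a tester does with a session ID scheme is collect a sample and look for structure. The following is an added example written for this page, not the speakers' tooling: it measures how many characters of a sample of IDs actually vary, estimates the entropy an attacker would have to search, and attempts the simplest prediction, a constant stride in the varying part. The weak generator (fixed prefix, hex timestamp, hex counter) and its IDs are constructed for the example and do not represent any particular product; a random sample from `secrets` stands in for a well-designed generator.

```python
import math
import secrets
from collections import Counter

# Constructed sample from a hypothetical weak generator: fixed prefix, a Unix
# timestamp and a per-request counter, all in hex. This is not any real
# server's scheme; it stands in for the "reverse-engineerable" IDs the talk
# describes.
WEAK_IDS = [
    "SID" + format(1030000000 + i, "08x") + format(100 + i, "04x")
    for i in range(8)
]

def strong_sample(n=8):
    """A comparison sample from a cryptographically strong generator."""
    return [secrets.token_hex(16) for _ in range(n)]

def position_entropy(ids):
    """Shannon entropy in bits of each character position across the sample.
    A position that scores 0 never changes and contributes no secrecy."""
    width = min(len(s) for s in ids)
    n = len(ids)
    result = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def observed_entropy_bits(ids):
    """Upper bound on the entropy an attacker must search, judged from the
    sample alone: the sum of the per-position entropies."""
    return sum(position_entropy(ids))

def variable_span(ids):
    """(start, end) of the slice that actually varies between IDs."""
    varying = [i for i, e in enumerate(position_entropy(ids)) if e > 0]
    return (varying[0], varying[-1] + 1) if varying else (0, 0)

def predict_next(ids):
    """If the varying slice, read as a hex integer, advances by a constant
    delta from one ID to the next, return the predicted next ID; otherwise
    None (the IDs show no simple arithmetic structure)."""
    start, end = variable_span(ids)
    if end == start:
        return None
    try:
        values = [int(s[start:end], 16) for s in ids]
    except ValueError:
        return None
    deltas = {b - a for a, b in zip(values, values[1:])}
    if len(deltas) != 1:
        return None
    nxt = format(values[-1] + deltas.pop(), "0%dx" % (end - start))
    return ids[-1][:start] + nxt + ids[-1][end:]

if __name__ == "__main__":
    strong = strong_sample()
    print("weak:   %.1f bits seen, predicted next ID %s"
          % (observed_entropy_bits(WEAK_IDS), predict_next(WEAK_IDS)))
    print("strong: %.1f bits seen, predicted next ID %s"
          % (observed_entropy_bits(strong), predict_next(strong)))
```

For the weak sample only two hex digits ever change across eight IDs, so the sample exhibits about six bits of variation and the next ID follows from a constant stride; the random sample shows no constant delta and many times more variation. Real analysis would also try time correlation and known hash structures, which this example does not cover.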
David Endler is the director of iDEFENSE’s security research group. Prior to iDEFENSE, Mr. Endler served with Deloitte and Touche LLP in the e-business security and technology practice. In previous lives, Mr. Endler also performed security research for Xerox Corporation, National Security Agency, and Massachusetts Institute of Technology. He has conducted numerous media interviews, published technical articles in trade journals, and has previously presented in the areas of intrusion detection, malicious code forensics, and web application security. Mr. Endler holds a B.S. and M.S. in Computer Science, is a member of the Open Web Application Security Project (OWASP), and is a Certified Information Systems Security Professional (CISSP).
Hacker Court
Carole Fennelly, Partner, Wizard's Keys Corporation
Rebecca Bace, President/CEO, Infidel, Inc.
Richard Thieme, Thiemeworks
Jennifer Granick, Litigation Director of the Public Interest Law & Technology Clinic at Stanford Law School's Center for Internet & Society
Jonathan Klein, President & Co-founder, Wizard’s Keys Corporation
Brian Martin, Security Consultant, CACI-NSG
Don Cavender, Instructor, Internet & Network Investigations for FBI, Federal, State & Local Law Enforcement Investigators, Case Support & Consultation & Research
Jesse Kornblum,Chief of Research & Development for the Air Force Office of Special Investigations Computer Investigations and Operations Branch
Kevin Manson, Senior Instructor, Financial Fraud Institute at the Federal Law Enforcement Training Center (FLETC)
Simple Nomad, Nomad Mobile Research Centre
Richard P. Salgado, trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice
[ Panel ]
A panel of experts in law and computer forensics enacts typical computer crime issues to demonstrate how Computer Forensic investigations translate to a courtroom and jury. Three scenarios will be presented with time for Q&A between each.
Overview:
The legal aspect of computing technology has barely been touched yet. We're at a critical phase where legislation and precedents set over the next few years will form the foundation for cyber-law. The conjunction of a legal system with inadequate technical understanding will result in cyber-legislation built on a foundation of sand.
We need cases that set clear precedents for the legal system. The challenge will be to present the facts of a case in a manner that non-technical juries can understand. As clearly demonstrated at the O.J. Simpson trial, technology doesn’t translate very well to the average person. To be effective in a courtroom, technical witnesses need to understand courtroom procedure and how to translate dry, technical facts into layman’s terms. It doesn’t matter how good the expert analysis is; it matters how much the jury believes it. From the legal side, attorneys and law enforcement need to understand what is actual evidence. Is possession of a few hacking tools evidence of the intent to commit a crime?
This presentation will enact a courtroom environment, complete with judge, jury, attorneys, and witnesses to demonstrate three key issues in computer crime cases. Each segment will last about 15 minutes with a break between each to answer audience questions. The judge and jury will decide how effectively the points were presented.
Segments
Validating the evidence
“No autopsy, no foul” is an expression murder investigators are familiar with. Simply having evidence to submit in court is not enough. The evidence must conform to rules of evidence gathering. The integrity and continuity of the evidence must be validated.
In this scenario, methods for evidence gathering and preservation will be presented and challenged. The goal in this phase is to simply validate the evidence, not interpret it.
Law enforcement, attorneys, defendant, victim
The battle of the expert witnesses
Conferences such as Black Hat and Usenix have accustomed technical presenters to a technical audience. When presenting a paper, the proof is often self-evident to the audience. Not so in a courtroom situation. We’ve all dealt with the pain of counseling non-technical family members through computing problems. Multiply this by a factor of 12.
In this scenario, expert witnesses for the prosecution and defense will interpret a given set of evidence for a non-technical jury (or as non-technical as we can get at Black Hat).
Expert witnesses, attorneys
Stereotyping the defendant
Far too often, prosecutors and law enforcement rely on the stereotyped image of the “hacker” to sway a jury. Often web logs are produced “proving” the defendant frequents “known hacker sites”. Such “evidence” certainly looks technical to the jury, but often isn’t evidence of a crime at all. Throw some techno-babble and Hollywood images in, and juries will typically swallow the case. In this section, we will demonstrate the methods used to stereotype the defendant and possible countermeasures.
Participants
Carole Fennelly (coordinator and contact) is a partner in Wizard's Keys Corporation, a security consultancy she founded in 1992 with her husband, Jonathan Klein. With 20 years as a Unix systems administrator and security consultant, Carole has a wealth of experience in both technical and managerial procedure. Her rather caustic articles, both technical and editorial, have been widely published and she has been quoted in numerous trade publications. Carole has little tolerance for FUD tactics.
Rebecca Bace is the President/CEO of Infidel, Inc., a network security consulting practice headquartered in Scotts Valley. She provides strategic and operational consulting services for clients that include security point product developers, legal firms, and Internet solutions providers. She is also a noted author on topics in intrusion detection and network security, with credits including the white paper series for ICSA's Intrusion Detection Consortium. Her book on Intrusion Detection was published by Macmillan Technical Publishing in January, 2000.
Richard Thieme is a business consultant, writer, and professional speaker focused on "life on the edge," in particular the human dimension of technology and work. He is a contributing editor for Information Security Magazine. Recent speaking/consulting clients include: Network Flight Recorder; System Planning Corporation (SPC); Firstar Bank; Financial Services - Information Sharing and Analysis Center (FS-ISAC); National Intellectual Property Law Institute (NIPLI); Psynapse/Center for the Advancement of Intelligent Systems; Cypress Systems; Assn. for Investment Management and Research (AIMR); Alliant Energy; Wisconsin Electric; UOP; Ajilon; OmniTech; Strong Capital Management; MAPICS; Influent Technology Group; FBI; US Department of the Treasury; the Attorney General of the State of Wisconsin; and the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas.
Jennifer Stisa Granick is the Litigation Director of the public interest law and technology clinic at Stanford Law School's Center for Internet and Society. Ms. Granick's work focuses on the interaction of free speech, privacy, computer security, law and technology. She is on the Board of Directors for the Honeynet Project and has spoken at the NSA, to law enforcement and to computer security professionals from the public and private sectors in the United States and abroad. Before coming to Stanford Law School, Ms. Granick practiced criminal defense of unauthorized access and email interception cases nationally. She has published articles on wiretap laws, workplace privacy and trademark law.
Jonathan Klein is president and co-founder of Wizard's Keys, a security consultancy located in New Jersey. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose independent consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan, discovering there is more to being a technical witness than purely technical knowledge.
Brian Martin is an outspoken security consultant for CACI-NSG in the Washington DC area. Brian has the relatively unique experience of being on both sides of an FBI investigation. His daily work takes him in and out of commercial and government networks, usually without sparking law enforcement investigation. His work at CACI-NSG revolves around making recommendations based on cynical review of network and system security. He will be survived by his three cats.
Don Cavender
SSA Cavender has twelve years experience as an FBI Agent. The past seven years he has been involved in high technology investigations and/or digital forensics. He is presently responsible for instruction in Internet and Network Investigations for FBI, Federal, State and Local Law Enforcement Investigators, case support and consultation and research.
Jesse Kornblum
SA Kornblum is the Chief of Research and Development for the Air Force Office of Special Investigations Computer Investigations and Operations Branch. A graduate of the Massachusetts Institute of Technology, he has experience running intrusion investigations and supporting other agents in more traditional investigations. He is currently responsible for developing tools and techniques to allow agents to conduct investigations.
Kevin Manson serves as a Senior Instructor with the Financial Fraud Institute at the Federal Law Enforcement Training Center (FLETC). In 1993, while an instructor with the FLETC Legal Division, he pioneered Internet training for the federal law enforcement community, created FLETC's first major computer security training component in 1997 ("Digital Officer Safety") and deployed the first working use of wireless networking in a FLETC training program. He is a co-founder of the Cybercop Secure Portal, which networks over 1,500 law enforcement and IT security professionals to strengthen our nation's "Cyber Civil Defense" as contemplated by Presidential Decision Directive 63 (A topic he addressed as co-keynote to last years July Blackhat conference). He is a member of the New York Electronic Crimes Task Force. His personal interests include the impact of technology on society, promoting industry and law enforcement cooperation in information age security and policing and use of Internet technology to deliver secure distance learning materials over the Internet to the laptops, palmtops and (future) wearable computers of those who serve behind the "thin digital blue line". His public service career also includes experience as a state prosecutor and magistrate and service as staff counsel with the US Senate Judiciary Committee for Senator Robert Dole.
Simple Nomad is the founder of the Nomad Mobile Research Centre, an international group of hackers that explore technology. By day he works as a Senior Security Analyst for BindView Corporation. He has spent years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, a regular lecturer at security conferences, and has been quoted in various media outlets regarding computer security. He also believes The Illuminati search his hotel room during his conference lectures.
Richard P. Salgado is a trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice. Mr. Salgado specializes in investigating and prosecuting computer network cases, such as computer hacking, denial of service attacks, illegal sniffing, logic bombs, viruses and other technology-driven privacy crimes. Often such crimes cross international jurisdictions; Mr. Salgado helps coordinate and manage the investigation and prosecution of those cases. Mr. Salgado also leads the Section's Team Technical Issues. In that capacity, he participates in policy development relating to emerging technologies such as the growth of wireless networks, voice-over Internet Protocol, surveillance tools and forensic techniques. Mr. Salgado serves as a lead negotiator on behalf of the Department in discussions with communications service providers to ensure that the ability of the Department to enforce the laws and protect national security is not hindered by foreign ownership of the providers or foreign located facilities. Mr. Salgado also regularly trains investigators and prosecutors on the legal and policy implications of emerging technologies, and related criminal conduct. Mr. Salgado is an adjunct law professor at Georgetown University Law Center where he teaches a Computer Crime seminar, and is a faculty member of the SANS Institute. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.
IP Backbone Security
Nicolas Fischbach, Manager, IP Engineering Department, COLT Telecom & Co-founder, Sécurité.Org
Sébastien Lacoste-Séris, Security Officer & Manager, IP Research & Development Department, COLT Telecom & Co-founder, Sécurité.Org
[ Routing & Infrastructure ]
IP backbones and core networks of large companies and Service Providers are becoming more and more complex and are (still) the target of a lot of Denial of Service attacks. Redundancy, routing, hardware, cabling and large pipes are usually some of the key items in the network architecture, but security of the network, of the equipment it's composed of, and proactive protection against (D)DoS are not.
We will discuss the security issues and features of the major routing protocols (BGP, OSPF and IS-IS) and also of MPLS-based VPNs. Why IS-IS? Because many Service Providers are changing their IGP from OSPF to IS-IS, usually in relation with MPLS or Traffic Engineering deployment, or because they are looking for "subsecond" convergence. The second part of the talk will focus on DDoS detection based on NetFlow data and DDoS prevention/protection with filtering techniques using BGP and the latest additions to Cisco IOS.
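NetFlow-based detection comes down to aggregating exported flow records per destination and looking for the shape of a flood rather than for a signature. The following is an added example for this page, not the speakers' tooling: it profiles a constructed set of flow records from one export window and flags destinations that receive many one-packet, tiny-packet flows from a large number of sources, the profile of a spoofed SYN flood. The records, the thresholds and the victim addresses are all constructed for the example. The mitigation helper emits a plain Cisco IOS static black-hole route; the BGP-triggered variants and newer IOS features the talk covers are not reproduced here.

```python
from collections import defaultdict

# Constructed NetFlow-style records for one 60 s export window:
# (src, dst, dst_port, proto, packets, bytes). Background HTTPS traffic from a
# few clients to 203.0.113.20, plus a spoofed-source SYN flood at 203.0.113.10.
WINDOW_SECONDS = 60
FLOWS = [("198.51.100.%d" % i, "203.0.113.20", 443, 6, 40, 52000) for i in range(1, 6)]
FLOWS += [
    ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255),
     "203.0.113.10", 80, 6, 1, 40)
    for i in range(600)
]

def profile_destinations(flows, window_seconds):
    """Aggregate per destination: packets/s, distinct sources, mean bytes per
    packet and the share of flows that carried a single packet (SYN floods
    and many reflection floods show up as thousands of one-packet flows)."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0,
                               "single": 0, "sources": set()})
    for src, dst, _dport, _proto, packets, nbytes in flows:
        a = agg[dst]
        a["packets"] += packets
        a["bytes"] += nbytes
        a["flows"] += 1
        if packets == 1:
            a["single"] += 1
        a["sources"].add(src)
    profile = {}
    for dst, a in agg.items():
        profile[dst] = {
            "pps": a["packets"] / window_seconds,
            "sources": len(a["sources"]),
            "bytes_per_pkt": a["bytes"] / a["packets"],
            "single_pkt_ratio": a["single"] / a["flows"],
        }
    return profile

def detect_ddos(flows, window_seconds, min_sources=100,
                min_single_ratio=0.9, max_bytes_per_pkt=64):
    """Return [(dst, profile)] for destinations whose traffic looks like a
    flood: many distinct sources, almost all one-packet flows, tiny packets.
    Thresholds are tuned for the constructed sample, not for a real backbone."""
    suspects = []
    for dst, p in profile_destinations(flows, window_seconds).items():
        if (p["sources"] >= min_sources
                and p["single_pkt_ratio"] >= min_single_ratio
                and p["bytes_per_pkt"] <= max_bytes_per_pkt):
            suspects.append((dst, p))
    return suspects

def null_route_command(victim):
    """A common first response on Cisco IOS: a static black-hole route for the
    victim address, which can then be propagated via BGP. The talk's
    BGP-triggered and newer IOS filtering features are not reproduced here."""
    return "ip route %s 255.255.255.255 Null0" % victim

if __name__ == "__main__":
    for dst, p in detect_ddos(FLOWS, WINDOW_SECONDS):
        print("suspected flood against %s: %d sources, %.1f pps, %.0f B/pkt"
              % (dst, p["sources"], p["pps"], p["bytes_per_pkt"]))
        print("  candidate mitigation: " + null_route_command(dst))
```

The single-packet ratio and bytes-per-packet figures are what separate a flood from a legitimately busy destination; source count alone would also flag a popular web server. Note that black-holing the victim completes the denial of service for that address, which is why it is a first response for protecting the backbone, not a fix for the customer.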
Nicolas Fischbach is managing the IP Engineering Department and Sébastien Lacoste-Séris is the Security Officer and managing the IP Research & Development Department at COLT Telecom AG, a leading provider of high bandwidth data, Internet and voice services in Europe.
Nicolas and his team are working on network, system and security architectures for the Swiss network. Previously he was dealing with the Internet Solution Centre deployment and security processes/auditing for major financial institutes, insurance companies and large hosting/housing projects. He worked for a French ISP and he is also teaching network and security courses in engineering schools and universities. He has an engineering degree in Networking and Distributed Computing.
Sébastien Lacoste-Séris is leading the Research and Development department for COLT Telecom AG and is also in charge of the security for Switzerland. His team is mainly working on the evaluation, integration and development of new IP based technologies. He previously worked for several major European ISPs as a network and security architect; he also did consulting and software auditing (ITSEC) for a security company. Sébastien holds a Degree in Computer and Network Engineering.
Nicolas and Sébastien are co-founders of Sécurité.Org, a French-speaking portal on computer and network security, and are frequent speakers at technical and security conferences. You can reach them at webmaster@securite.org
Graph-Based Binary Analysis
Halvar Flake, Reverse Engineer, Black Hat Consulting
[ Deep Knowledge ]
Though many servers run open-source solutions these days, a lot of the critical infrastructure consists of commercial closed-source software: from IDS sensors over VPN gateways and enterprise database servers to large firewalls, closed source is still everywhere. An attacker who is proficient at reverse engineering can, given the right amount of time, find bugs in these critical programs and then attack the network with undisclosed bugs, which is every administrator's nightmare.
Binary analysis is a time-consuming and tedious process, and few people outside of government agencies are proficient at it. Even fewer people realize that a large part of the analysis process can be automated, and that binary analysis can at times even come up to the speed of source code analysis.
This presentation will explain some concepts and tools which can drastically improve the performance of the reverse engineer when trying to find security-critical vulnerabilities such as buffer overruns. Various ideas and their implementation will be discussed, from graph coloring using an interface to a running debugger to analysis of flowgraphs to automatically find buffer overruns.
The tools & methodologies presented will be tested 'in the wild' by letting them run over a few major commercial software packages.
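One flowgraph question that can be automated is whether every path from a function's entry to a call of an unbounded copy routine passes through a length check, which is a dominator query on the control flow graph. The following is an added example for this page, not the speaker's tooling: it builds dominator sets for a constructed CFG (basic blocks with instruction text and successors, as a disassembler would provide) and reports calls to unsafe functions that no checking block dominates. The CFG, instruction strings and the rule that "any cmp is a bounds check" are simplifying assumptions made for the example; a real analysis must confirm the compared operand is the length that reaches the copy.

```python
# Constructed CFG of a hypothetical function, as a disassembler would give it:
# basic block -> instructions and successor blocks. One strcpy is reached only
# after a length check, the other is reached on a path that skips the check.
CFG = {
    "entry":      {"instrs": ["push ebp", "mov ebp, esp", "test eax, eax", "jz short_path"],
                   "succ": ["check", "short_path"]},
    "check":      {"instrs": ["cmp ecx, 0x100", "ja too_long"],
                   "succ": ["copy_ok", "too_long"]},
    "copy_ok":    {"instrs": ["lea eax, [ebp-0x100]", "push eax", "call strcpy"],
                   "succ": ["ret"]},
    "too_long":   {"instrs": ["xor eax, eax"], "succ": ["ret"]},
    "short_path": {"instrs": ["lea eax, [ebp-0x40]", "push eax", "call strcpy"],
                   "succ": ["ret"]},
    "ret":        {"instrs": ["leave", "ret"], "succ": []},
}
UNSAFE_CALLS = ("strcpy", "strcat", "sprintf", "gets")

def predecessors(cfg):
    preds = {n: [] for n in cfg}
    for n, block in cfg.items():
        for s in block["succ"]:
            preds[s].append(n)
    return preds

def dominators(cfg, entry):
    """Iterative dominator computation: Dom(n) = {n} union the intersection
    of Dom(p) over all predecessors p, repeated until nothing changes."""
    nodes = list(cfg)
    preds = predecessors(cfg)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n}
            if preds[n]:
                new |= set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom

def is_length_check(block):
    """Assumption for this example: any cmp instruction counts as a bounds
    check. A real analysis would have to confirm that the compared operand is
    the length that reaches the copy."""
    return any(ins.startswith("cmp") for ins in block["instrs"])

def find_unsafe_calls(cfg):
    """(block, callee) for every call to a function in UNSAFE_CALLS."""
    return [(n, ins.split()[1]) for n, b in cfg.items() for ins in b["instrs"]
            if ins.startswith("call ") and ins.split()[1] in UNSAFE_CALLS]

def unguarded_calls(cfg, entry):
    """Unsafe calls that no length-check block dominates, i.e. at least one
    path from entry reaches the call without passing through a check."""
    dom = dominators(cfg, entry)
    checks = {n for n, b in cfg.items() if is_length_check(b)}
    return [(n, callee) for n, callee in find_unsafe_calls(cfg) if not (dom[n] & checks)]

if __name__ == "__main__":
    for block, callee in unguarded_calls(CFG, "entry"):
        print("unguarded %s in block %s" % (callee, block))
```

Dominance is a necessary condition, not proof of safety: the check in `check` could compare the wrong register or the wrong bound, which is where the talk's data-flow analysis of the flowgraph takes over. The value of the graph query is in triage, discarding the calls that are provably guarded so the analyst's time goes to the rest.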
Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined Black Hat as their main reverse engineer.
Attacking Networked Embedded Systems
FX, Phenoelit
kim0, Phenoelit
[ Routing & Infrastructure ]
Every device on a network that has a processor, some memory and a network interface can become a target. Using printers as an example, the talk will show how a seemingly innocent device can be used by attackers, ranging from attacks on the device itself to the point where the embedded system becomes an attack platform itself. Then, protection mechanisms and ways to include these devices in a company's security concept will be discussed.
FX of Phenoelit is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.
kim0 is a member of the German Phenoelit group. His interest is in social engineering, mistakes made during implementation and configuration of networks affecting security, and security implications of protocols that are less known.
kim0 previously worked as a contractor for various government and military organizations and is now a security consultant and leader of the security group with n.runs GmbH.
Views On the Future Direction of Information Assurance
Richard George, Technical Director of the Security Evaluations Group, NSA
[ Luncheon Speaker ]
This talk will discuss a brief history of Information Assurance evaluation at the National Security Agency. We will then proceed to discuss how communications systems have evolved over the past 30 years and the impact this has had on the security evaluation of these systems. This change includes the shift from purely Government produced security products to more reliance upon commercial products. We will discuss the role commercial products will play in Department of Defense communications systems and how NSA plans to work with the private sector to achieve the security that is necessary in today's world.
Richard George joined the National Security Agency as a mathematician in 1970 and has worked in the Information Assurance Directorate (or its predecessor organizations) for 32 years as a cryptomathematician. He currently serves as the Technical Director of the Security Evaluations Group which is responsible for evaluating security solutions used by the Department of Defense and Intelligence Community.
JD's Toolbox: Fire & Water
JD Glaser, President, NT OBJECTives, Inc
[ Application Security ]
JD Glaser is the President of NT OBJECTives, Inc. He specializes in Windows NT system software development and COM/DCOM application development. His most recent achievement was the successful formation of NT OBJECTives, Inc., a software company exclusively centered on building NT security tools. Since its inception, over 100,000 of those security tools have been downloaded and put into practice. In addition, he has written several critical, unique intrusion audit papers on NT intrusion forensic issues. Currently, JD has been retained as a featured speaker/trainer for all the Black Hat Conferences on NT security issues.
Off-the-Record Messaging
Dr. Ian Goldberg, Chief Scientist & Head Cypherpunk, Zero-Knowledge Systems
[ Privacy & Anonymity ]
Quite commonly on the Internet, cryptography is used to protect private, personal communications. However, most commonly, systems such as PGP are used, which use long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity.
We claim that most social communications online should have just the opposite of the above two properties; namely, they should have perfect forward secrecy and repudiability. In this talk, we will describe a protocol for secure online communication called "off-the-record messaging" which has properties better-suited for casual conversation than do systems like PGP or S/MIME.
We have so far implemented this protocol into an instant messaging client, but the same techniques also work for email communication.
This is joint work with Nikita Borisov and Eric Brewer, both of UC Berkeley.
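The two properties the abstract contrasts with PGP can be seen in a few dozen lines. The following is an added example written for this page, not the authors' protocol or code: each message is protected by keys derived from a fresh Diffie-Hellman exchange, the private half is discarded as soon as the message is out (forward secrecy), authenticity comes from a MAC rather than a signature, and the MAC key is published after delivery so that anyone could have produced the tag (repudiability). The DH group (p = 2^127 - 1, g = 3), the SHA-256 counter-mode stream cipher and the one-message-per-key ratchet are toy simplifications chosen for the example and are not secure parameters.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: p = 2^127 - 1 is prime but
# far too small for real use, and 3 is not a verified generator. A real
# implementation uses a standard MODP group of at least 1536 bits.
P = (1 << 127) - 1
G = 3

class Party:
    """Holds one short-lived DH key pair at a time; rotate() throws the old
    private key away, which is what makes earlier traffic unrecoverable."""
    def __init__(self):
        self.priv = None
        self.pub = None
        self.rotate()

    def rotate(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared_secret(self, peer_pub):
        return pow(peer_pub, self.priv, P)

def derive_keys(secret):
    """Separate encryption and MAC keys from the DH secret."""
    s = secret.to_bytes(16, "big")
    return (hashlib.sha256(b"enc" + s).digest(),
            hashlib.sha256(b"mac" + s).digest())

def xor_stream(key, data):
    """Toy counter-mode stream cipher built from SHA-256 (stands in for the
    AES counter mode a real implementation would use)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def tag(mac_key, ciphertext):
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def send(sender, recipient_pub, plaintext):
    """Encrypt and MAC under keys derived from this message's DH secret, then
    rotate the sender's key. Returns the message and the MAC key, which the
    protocol publishes once the message has been delivered."""
    enc_key, mac_key = derive_keys(sender.shared_secret(recipient_pub))
    ct = xor_stream(enc_key, plaintext)
    msg = {"sender_pub": sender.pub, "ct": ct, "tag": tag(mac_key, ct)}
    sender.rotate()
    return msg, mac_key

def receive(receiver, msg):
    """Verify and decrypt; rotate the receiver's key afterwards so both sides
    ratchet. Returns (ok, plaintext or None)."""
    enc_key, mac_key = derive_keys(receiver.shared_secret(msg["sender_pub"]))
    ok = hmac.compare_digest(tag(mac_key, msg["ct"]), msg["tag"])
    plaintext = xor_stream(enc_key, msg["ct"]) if ok else None
    receiver.rotate()
    return ok, plaintext

def forge(published_mac_key, ciphertext):
    """Repudiability: once the MAC key is public, anyone can produce a tag that
    verifies, so a valid tag proves nothing about authorship to a third party."""
    return {"ct": ciphertext, "tag": tag(published_mac_key, ciphertext)}

def demo():
    """One message Alice -> Bob, then a forgery under the published MAC key.
    Returns (verified, plaintext, forgery_verifies)."""
    alice, bob = Party(), Party()
    msg, old_mac_key = send(alice, bob.pub, b"meet at 9, usual place")
    ok, pt = receive(bob, msg)
    forged = forge(old_mac_key, b"anything at all")
    forged_ok = hmac.compare_digest(tag(old_mac_key, forged["ct"]), forged["tag"])
    return ok, pt, forged_ok
```

Bob is convinced of authorship at the moment of receipt, because only he and Alice held the MAC key then; after the key is published that assurance does not transfer to anyone else, which is exactly the opposite of a PGP signature. Compromising either party's long-term state later yields nothing about this message, because neither side still holds the DH private value that produced its keys.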
Dr. Ian Goldberg is Chief Scientist and Head Cypherpunk of Zero-Knowledge Systems, a Canadian privacy technology company. Having been a founding member of UC Berkeley's Internet Security, Applications, Authentication and Cryptography group, his research interests focused on cryptography, security, and privacy. Dr. Goldberg is known for his part in cracking the first RSA Secret Key Challenge in three and a half hours; breaking Netscape's implementation of the encryption system SSL; and breaking the cryptography in the GSM cellular phone standard.
Securing Your Computing Environment to Conform to Privacy Regulations
David Goldman, PriceWaterhouseCoopers
Robert Marotta, PriceWaterhouseCoopers
[ Privacy & Anonymity ]
As security and privacy gain widespread press and notoriety, there has been increased pressure on regulatory bodies to act. To that end, several significant pieces of legislation have been passed that contain wide-ranging requirements from policy to technical implementation. These regulations already include: the Health Insurance Portability and Accountability Act (HIPAA), the Child Online Protection Act (COPA), the Gramm-Leach-Bliley Act (GLBA), and CFR Part II. As such, businesses in fields from medicine and insurance to financial services and ecommerce sites must be diligent and informed to ensure compliance and avoid negative press and potential lawsuits.
In this session, we will discuss the significant components of these acts and how they relate to technological system configuration settings in business computing environments. We will view these components through scenario-based studies to view the risks from external sources, business partners, and internal/trusted personnel.
David Goldman is currently in PricewaterhouseCoopers Global Risk Management Services - Security consulting practice and is focusing on assisting businesses to secure their online environments. Leveraging his background in e-business systems and Internet enabled application design, he facilitates the incorporation of sound security practices into corporate operations. Currently, he is managing the assessment, design, and implementation of security and controls on systems and applications across disparate environments. His specialty is Windows NT/2000 and he has written several white papers and articles on the subject.
Robert Marotta. Prior to joining PricewaterhouseCoopers over five years ago, Robert was a U.S. Navy cryptologist specializing in Electronic Intelligence. During his time with PwC, he has specialized in conducting security penetration reviews in a variety of networking environments, in which he has evaluated the security controls afforded to remote access, internal, and external connections using automated and manual "hacking" tools and techniques. Robert has also conducted security diagnostic reviews of firewalls, routers, UNIX and Windows NT servers. Most recently, Robert has conducted IT security risk assessments for clients in the transportation and financial services industries, the evaluation of clients' Computer Security Incident Response procedures and privacy regulation compliance for companies in the financial services industry. Rob also acts as a liaison between the Security and Insurance practices in the New York area.
Web Application Security: "Stuff Your Mother Never Told You"
Dennis Groves, Director of Internet Security Consulting, Centerstance, Inc.
Bill Pennington, Principal Consultant & Technical Program Lead for Penetration Testing & Web Application Assessments, Guardent
[ Web, Mail, DNS & Others ]
Web Application Security is of paramount interest to everyone from corporations to consumers as society moves toward an ecommerce infrastructure. The design of the HTTP protocol simply does not allow for truly secure applications to exist. The only thing you can do is minimize your potential risk.
In the course of several years of experience working in web application security, we, as well as others, have discovered an overwhelming number of ways to attack web applications. The conclusion can be drawn that potentially any Web-accessible system is vulnerable to attack. This presentation will discuss and demonstrate some of the more pervasive security weaknesses using WhiteHat Arsenal.
Main Topics of Discussion:
Data Manipulation:
A variety of common web application vulnerabilities such as URL Manipulation, Parameter Tampering, Directory Traversal and HTTP Request Header Manipulation
Filter-Bypass Manipulation:
Defeating the security safeguards and filters using a variety of techniques. Method Switching, URL Encoded Strings, Double Hex Encoding, Long URLs, Case Sensitivity, XSS Filter-Bypass Manipulation, and Null Character Injection are possible avenues of attack.
Cross-Site Scripting:
An all too common and often misunderstood web attack. An easy to accomplish exploit used frequently by script kiddies and other malicious intruders.
Accompanying each attack vector, possible resolution and mitigation techniques will be discussed as well, which will help protect your web applications.
Most of the web attack demonstrations will be executed using WhiteHat Arsenal. WhiteHat Arsenal possesses a powerful suite of GUI-browser based web security tools. These make WhiteHat Arsenal capable of completing painstaking web security pen-test work considerably faster and more effectively than any of the currently available tools. Imagine employing WH Arsenal to quickly customize and execute just about any web security attack possible and having those penetration attempts logged in XML format for later reporting or analysis.
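The filter-bypass techniques in the outline all exploit the same mistake: a blocklist applied to the request before the server or application has finished decoding it. The following is an added example written for this page, not the speakers' WhiteHat Arsenal code: a naive raw-string blocklist beside a filter that canonicalizes first (repeated percent-decoding, null-byte rejection, case folding, path segment inspection), run over one constructed payload per technique. The request strings, the blocklist and the decoding limit are constructed for the example; method switching and long-URL tricks are outside what a string filter can address and are not covered.

```python
from urllib.parse import unquote

# Constructed request strings, one per bypass technique named in the talk
# outline. They are illustrative payloads, not captured traffic.
BYPASS_PAYLOADS = {
    "url-encoded traversal": "/cgi-bin/view?file=..%2f..%2fetc%2fpasswd",
    "double hex encoding":   "/cgi-bin/view?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "null character":        "/download?file=report.pdf%00.jpg",
    "case + encoding (XSS)": "/search?q=%3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E",
}
LEGIT_REQUEST = "/products/view?id=42&name=A%20B"

BLOCKLIST = ("../", "<script", "\x00")

def naive_filter(request):
    """Blocklist matched against the raw request string. Returns True if the
    request is allowed. This is the check that each payload above defeats."""
    return not any(bad in request for bad in BLOCKLIST)

def canonicalize(request, max_rounds=4):
    """Percent-decode until the string stops changing. Returns the decoded
    string and the number of rounds that changed it; more than one round
    means the input was encoded at least twice."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(request)
        if decoded == request:
            break
        request, rounds = decoded, rounds + 1
    return request, rounds

def hardened_filter(request):
    """Canonicalize first, then decide on the decoded form. Returns True if
    the request is allowed."""
    decoded, rounds = canonicalize(request)
    if rounds > 1:                       # double encoding is never legitimate input
        return False
    if "\x00" in decoded:                # a null byte truncates C strings downstream
        return False
    if "<script" in decoded.lower():     # case-insensitive match on decoded text
        return False
    path = decoded.replace("\\", "/")    # treat backslash as a separator as well
    if any(seg == ".." for seg in path.split("/")):
        return False
    return True

def compare(requests):
    """Run both filters over a dict of labelled requests: label -> (naive, hardened)."""
    return {label: (naive_filter(r), hardened_filter(r)) for label, r in requests.items()}

if __name__ == "__main__":
    for label, (naive, hard) in compare(BYPASS_PAYLOADS).items():
        print("%-24s naive allows=%s  hardened allows=%s" % (label, naive, hard))
```

Every payload passes the naive filter and is rejected by the hardened one, while the ordinary request is accepted by both. The decisive design point is the order of operations: decode to the form the application will actually act on, reject anything that needed more than one decoding pass, and only then compare against the policy. Even then a blocklist is the weaker design; the talk's mitigation discussion is where the allow-list approach belongs.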
Dennis Groves is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Project and a former Sanctum employee who played a key role in the development of AppScan. He has spent the last five years pen-testing high profile websites, and web application security testing numerous significant ecommerce and financial companies. He is best known for having taught Jeff Moss to hack; and hopefully less known as the one who stole Jeff's 2400bps modem.
Bill Pennington is a Principal Consultant and Technical Program Lead for Penetration Testing and Web Application Assessments with Guardent. Bill has performed web application assessments for over three years in a variety of industry verticals including financial services, eCommerce, and biotechnology. Bill has six years of professional experience in information security, eleven in information technology. He is familiar with Linux, Solaris, Windows, and OpenBSD, and is a Certified Information Security Systems Practitioner and Certified Cisco Network Administrator (CCNA). He has broad experience in web application security, penetration testing, computer forensics and in intrusion detection systems. Bill also contributed several chapters to "Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios"
Hogwash
Jed Haile, Nitro Data Systems
[ Firewall / Access Control ]
Hogwash is an intrusion prevention system based on the Snort intrusion detection system. Hogwash uses the Snort rules language, and is capable of detecting and stopping portscans, most known exploits, and other malicious activity.
The presentation will give an overview of how Hogwash works, what it is capable of doing, how rules are written, and will include a demonstration of Hogwash in action.
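An inline engine that reuses the Snort rules language has to do two things: parse the rule header and options, and decide per packet whether to forward or discard. The following is an added example written for this page, not Hogwash's code: it handles the subset of Snort rule syntax needed to show the idea (header fields, `msg`, plain-text `content`, `nocase`) and applies a first-match policy where `drop` rules discard the packet and any other action lets it through, as an IDS would. The rules and packets are constructed for the example, and the packet representation is a plain dict rather than a decoded frame; binary `|hex|` content, `offset`/`depth` and the rest of the rule language are not implemented.

```python
import re

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Parse the subset of the Snort rule language used here: the header plus
    msg, content (plain text only, no |hex| pipes) and nocase."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = m.groupdict()
    opts = rule.pop("opts")
    rule.update(msg="", contents=[], nocase=False)
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        if opt == "nocase":
            rule["nocase"] = True
        elif ":" in opt:
            key, value = (part.strip() for part in opt.split(":", 1))
            value = value.strip('"')
            if key == "content":
                rule["contents"].append(value)
            elif key == "msg":
                rule["msg"] = value
    return rule

def _field_ok(rule_value, actual):
    return rule_value == "any" or rule_value == str(actual)

def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    for field in ("src", "sport", "dst", "dport"):
        if not _field_ok(rule[field], pkt[field]):
            return False
    payload, contents = pkt["payload"], rule["contents"]
    if rule["nocase"]:
        payload = payload.lower()
        contents = [c.lower() for c in contents]
    return all(c in payload for c in contents)

def inline_decide(rules, pkt):
    """First matching rule wins. 'drop' rules stop the packet; any other
    action (e.g. alert) logs and lets it through. Returns (verdict, msg)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return ("drop" if rule["action"] == "drop" else "pass"), rule["msg"]
    return "pass", None

# Constructed rule set in Snort syntax; the 'drop' action is the inline
# engine's addition to the language.
RULES = [parse_rule(r) for r in (
    'drop tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)',
    'drop tcp any any -> any 80 (msg:"WEB-IIS unicode directory traversal"; content:"..%c0%af..";)',
    'alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; nocase;)',
)]

def packet(dst, dport, payload, proto="tcp", src="192.0.2.10", sport=40000):
    """Constructed packet stand-in; a real engine would decode the frame."""
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}

if __name__ == "__main__":
    pkt = packet("203.0.113.5", 80,
                 "GET /scripts/..%c0%af../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n")
    print(inline_decide(RULES, pkt))
```

Two operational points follow from the code. First, rule order matters once rules can drop: the same packet that would raise two alerts in an IDS is stopped by whichever drop rule is listed first. Second, `nocase` is what catches the mixed-case `CMD.EXE` request; the traversal rule without it would miss a `..%C0%AF..` variant, which is the same filter-evasion problem seen elsewhere on this page.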
Jed Haile is the lead security architect at Nitro Data Systems. In his current job he designs high volume, large scale data management systems for security data. He is an active developer and deployer of intrusion detection systems, with contributions to Snort as well as Hogwash. He is a member of the Honeynet Project, where he is working to develop data and network control mechanisms for the second generation honeynets.
DC Phone Home
Aaron Higbee, Security Consultant, Foundstone
Chris Davis, Senior Security Consultant, RedSiren
[ Deep Knowledge ]
DC Phone Home (Dreamcast Phone Home, a pun on the well-known film E.T.: The Extra-Terrestrial) is a project that challenges conventional enterprise security models by showing the ease with which an attack on an organization’s network resources and infrastructure can be performed from an internal perspective. Simply put, once the Dreamcast is deployed, it ‘phones home’, joining an organization’s internal network to our network. We show that this type of attack can be performed easily with a variety of available hardware and software, and in such a way that it is not easily discovered by an organization’s employees or security resources.
Our presentation will include demonstrations of the attack tools that we have developed and are continuing to develop. The attack tools are comprised of a SEGA Dreamcast, a Compaq iPAQ handheld device, and a bootable x86 CD-ROM which can perform the attack using any available PC. Using open-source tools that we have ported to these platforms, we have created devices that ‘phone home’ over known protocols.
In addition to describing and demonstrating the attack, we also propose methods by which it can be detected, if not entirely prevented. We emphasize security policies and procedures; network, firewall, and proxy configurations; and also introduce a new concept: policy-driven IDS. We would be remiss by not offering a solution alongside the attack.
Aaron Higbee has been working in information security for the past 4 years, getting his start at Earthlink Network as a Network Abuse Administrator. In that capacity Aaron became intimately acquainted with the tactics of spammers, hackers, and every kind of network abuse imaginable. Later, while working as RoadRunner's Senior Security Administrator, Aaron learned about and responded to the network abuse problems that plague broadband connections. Working at two national service providers, Aaron was able to become an expert in the tactics of hackers and the mistakes that get them caught. This experience made his transition from incident response to penetration testing a natural one. Currently, Aaron works for Foundstone Inc. as a security consultant.
Chris Davis has been working in the field of information technology for 8 years, with a concentration on information security for the past 4 years. He has participated in secure systems development, information security consulting, penetration testing and vulnerability assessments, and information security R&D. He is a contributing author to New Riders' recent publication Building Linux Virtual Private Networks (VPN) and continues to write and publish various papers. He has developed and instructed a number of courses, the most recent of which was a 3-month course on software vulnerability discovery and exploit coding. Currently, Chris is a Senior Security Consultant for Veritect.
About the Speakers
Aaron and Chris met while working as security consultants for Lucent Technologies. During that time, they coordinated efforts to discover new attacks and build the tools required to mount those attacks. Since leaving Lucent Technologies, they have continued their joint efforts by developing the attacks, tools, and solutions found in their upcoming paper "180-Degree Hacking." Their presentation "DC Phone Home" is a detailed discussion of the attacks found in that paper.
Application Testing Through Fault Injection Techniques
Greg Hoglund, Founder, Cenzic, Inc.
[ Application Security ]
Our networks are based on billions of lines of horribly buggy code. Software development practices have not matured enough to build reliable software in the face of a hostile, ever-evolving network. Computers are no longer a choice or a hobby; they are ingrained in every part of our daily lives. The past few years have shown us that the industry cannot rely on ad-hoc testing and full disclosure to guarantee quality, bug-free code. Software vendors and consumers need to collectively understand that the bar has been raised: new development practices and testing methodologies are required to ensure reliable software. This talk focuses on repeatable methods that can be used to find security bugs and reliability problems in software. Some of these methods are new and some have been used for years by other engineering disciplines. This talk will give a high-level tour of the options, including reverse engineering, source code review, attack and penetration, and "black box" testing.
Greg Hoglund has focused his career on the issues facing the security community. Capitalizing on his growing security knowledge, he wrote one of the earliest security scanners, which he sold to WebTrends, Inc., joining the company in a strategic product-development role. Today his scanner, renamed the WebTrends Security Analyzer, is installed in over half of the Fortune 500 companies. Hoglund later joined Tripwire, Inc. in a key R&D role at the computer security company.
Hoglund steadily expanded the breadth and intensity of his security knowledge, emerging as a recognized expert on many facets of security technology. He has been a frequent speaker at computer security conferences, including Black Hat, DefCon, Infosec, and SANS in the US, Europe and Asia-Pacific, and has authored several respected papers on security topics.
Hoglund's experience and expertise led directly to co-founding Cenzic Inc. with Penny Leavy in May of 2000 to provide a true security-QA platform that will effectively enable security risk management.
Enterprise Email Security Made Practical
Paul Holman, Metasecura
[ Web, Mail, DNS & Others ]
Introduction
Email has become the most fundamental communication mechanism for the modern enterprise. As such, email is the fulcrum against which all other security measures are leveraged. This presentation is based on our work architecting high-security email services for law-enforcement agencies, law firms and human rights NGOs. These organizations have typically had difficulties adopting solutions, primarily due to poor usability. Recognizing this, our approach aims to k