Black Hat USA 2003 Briefings
Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win Admission to a future Briefings of your choice.

Keynote: Day 1
Philip R. Zimmermann, Creator, Pretty Good Privacy

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc. That company was acquired by Network Associates Inc (NAI) in December 1997, where he stayed on for three years as Senior Fellow. In August 2002 PGP was acquired from NAI by a new company called PGP Corporation, where Zimmermann now serves as special advisor and consultant. Zimmermann currently is consulting for a number of companies and industry organizations on matters cryptographic, and is also a Fellow at the Stanford Law School's Center for Internet and Society.

Before founding PGP Inc, Zimmermann was a software engineer with more than 20 years of experience, specializing in cryptography and data security, data communications, and real-time embedded systems. His interest in the political side of cryptography grew out of his background in military policy issues.

He has received numerous technical and humanitarian awards for his pioneering work in cryptography. In 2001 Zimmermann was inducted into the CRN Industry Hall of Fame. In 2000 InfoWorld named him one of the Top 10 Innovators in E-business. In 1999 he received the Louis Brandeis Award from Privacy International, in 1998 a Lifetime Achievement Award from Secure Computing Magazine, and in 1996 the Norbert Wiener Award from Computer Professionals for Social Responsibility for promoting the responsible use of technology. He also received the 1995 Chrysler Award for Innovation in Design, the 1995 Pioneer Award from the Electronic Frontier Foundation, the 1996 PC Week IT Excellence Award, and the 1996 Network Computing Well-Connected Award for "Best Security Product." PGP was selected by Information Week as one of the Top 10 Most Important Products of 1994. Time Magazine also named Zimmermann one of the "Net 50", the 50 most influential people on the Internet in 1995.

In addition to the awards for versions of PGP developed before Zimmermann started a company, subsequent versions of PGP as refined by the company's engineering team continue to be recognized each year with many more industry awards.

Zimmermann received his bachelor's degree in computer science from Florida Atlantic University in 1978. He is a member of the International Association of Cryptologic Research, the Association for Computing Machinery, and the League for Programming Freedom. He is Chairman of the OpenPGP Alliance, serves on the Boards of Directors for Computer Professionals for Social Responsibility and Veridis, and is on the Advisory Boards for Anonymizer.com, Hush Communications, and Qualys.


Keynote: Day 2
Following the Money: Security Proxies and Agenda
Bruce Schneier, Founder and Chief Technical Officer, Counterpane Internet Security

The strangest thing about security is that it so rarely has anything to do with security. Smart security is risk management, and risk management is about money. In our complex, technological society, people are ill-equipped to manage their own risks. Hence, they turn to proxies: regulatory agencies, legislators, companies, professional organizations, insurance companies, courts. The problem is that these proxies don't have the same agendas as the people who rely on them; they respond to outside pressures. For example, the FAA is entrusted with airline safety, but also responds to the financial needs of airlines. This talk looks at security proxies and these externalities, and discusses how this affects security in ways more profound than the tactics of technological countermeasures.

Internationally renowned security technologist and author Bruce Schneier is the Founder and the Chief Technical Officer of Counterpane Internet Security, Inc., the world leader in Managed Security Monitoring. Counterpane provides security monitoring services to Fortune 2000 companies world-wide. He is the author of six books on security and cryptography, including the security best seller, "Secrets & Lies: Digital Security in a Networked World." His first book, "Applied Cryptography," has sold over 150,000 copies world-wide, and is the definitive work in the field. Schneier designed the Blowfish and Twofish encryption algorithms, and writes the influential "Crypto-Gram" monthly newsletter. He is a frequent lecturer on computer security and cryptography.


Luncheon: Day 1
International Hacking: When The Cooperation is The Only Cure
Dario Forte, CFE, CISM, Security Advisor, European Electronic Crimes Task Force (EECTF)

In August 2002, fourteen Italian hackers known as the "Reservoir Dogs", almost all of them information security professionals, were arrested by the Italian Financial Police. They were charged with hacking the networks of NASA, the U.S. Army, the U.S. Navy and various universities around the world.

This talk, given by the Director of the Police Unit who led the investigation and made the arrests at the time (called "Operation Rootkit"), will illustrate the variety of techniques used by the attackers, with particular reference to the insider threat.

In addition, this session will demonstrate how international cooperation is fundamental in hacking investigations. In Europe, the newly-formed Electronic Crime Task Force (EECTF) - supported by the U.S. secret service in Milan - gave strong assistance to the computer crime investigators, not only related to "Operation Rootkit" but also with regard to other cases.

For example, through its network of contacts the EECTF was advised that the leader of a worldwide credit card trafficking ring had been arrested in Cyprus. The EECTF was able to arrange for the travel of both the evidence and the police officers involved in the case to its forensic lab in Italy, where Dario is Security Advisor.

Once in Italy, the EECTF was able to quickly conduct an initial forensic exam, which recovered enough evidence to keep the defendants in jail until a more complete investigation could be completed in the U.S. This will be covered as well.

Dario Forte, CFE, CISM, is Security Advisor for the newly-formed European Electronic Crimes Task Force (EECTF) supported by the U.S. Secret Service in Milan. He has been active in the field of information security since 1992. He is 34 years old, with almost 15 years as Police Investigator in the Drug and Organized Crime Enforcement, CyberCrime Unit.

Forte is a Member of the Computer Security Institute of San Francisco/USENIX and Sage, publishing technical articles all over the world while contributing at numerous international conferences on Information Warfare, including the RSA Conference Europe, the Computer Security Institute NETSEC, Computer Associates CAWorld and the Digital Forensic Research Workshop.

He teaches classes and presents lectures on Information Security Management and Incident Response/Forensics at universities and other accredited institutions worldwide. He is an Intrusion Instructor for the Department of Homeland Security Internet Forensics Training Program given at the Federal Law Enforcement Training Center.

For more than 10 years, Dario has worked with many government agencies worldwide including NASA, and the U.S. Army/Navy, supporting them in incident response and forensics procedures while solving many important hacking-related investigations. Now he provides security/incident response and forensics consulting to the Government, Law Enforcement and corporate world and is also involved with InfoSec projects at the international level.


Luncheon: Day 2
Building a Global Culture of Security
Marcus Sachs, P.E., Cyber Program Director, Information Analysis and Infrastructure Protection, US Department of Homeland Security

Global interest in securing cyberspace is gaining momentum, not just as a reaction to the steady rise in denial of service attacks or increases in rapidly spreading worms and viruses, but also because of an understanding that to build a digital world there has to be a significant change in our global networking culture. To enable our digital future we need an infrastructure that is reliable and secure. We need new protocols, new processes, new ways of doing business. However, computer network security is no longer just a technical challenge - it also requires leadership involvement, policy development, user education and awareness training, and international cooperation. This presentation will cover the United States government's efforts to develop and implement a domestic national strategy for securing cyberspace, as well as international efforts to foster a global culture of security. We will explore lessons learned over the past few years in dealing with both physical and cyber incidents, discuss best practices for cyberspace security currently adopted by industry leaders, and examine challenges coming our way in the near future.

Marcus Sachs is the Cyber Program Director in the Information Analysis and Infrastructure Protection Directorate, US Department of Homeland Security, where he is responsible for developing the implementation plan for the President's National Strategy to Secure Cyberspace. Marc was previously the Director for Communication Infrastructure Protection in the White House Office of Cyberspace Security and was a staff member of the President's Critical Infrastructure Protection Board. Marc retired from the United States Army in 2001 after serving over 20 years as a Corps of Engineers officer. He specialized during the latter half of his career in computer network operations, systems automation, and information technology. His final assignment in the Army was with the Defense Department's Joint Task Force for Computer Network Operations, where he was the Senior Operations Analyst and Technical Director.


Web Based Email Forensics
Thomas Akin, CISSP, Founding Director, Southeast Cybercrime Institute A division of Continuing Education at Kennesaw State University

Web-based email services such as Yahoo! and Hotmail are the most prevalent email clients in use--Hotmail alone has over 118 million accounts worldwide. While providing great convenience, web-based email clients leave a tremendous amount of information behind. This information can be reconstructed to determine what email has been sent, received, and deleted from the account. Additionally, dates & times, use of folders, address books, and login and password information can often be gathered. This presentation covers identifying and analyzing these files to reconstruct a user's activity. Popular web mail systems such as Yahoo! and Hotmail, and more secure alternatives such as ZipLip and Hushmail, will be analyzed. Finally, a Perl script to help automate the process of analyzing webmail files will be announced and demonstrated.

Thomas Akin is a Certified Information Systems Security Professional (CISSP) who has worked in Information Security for almost a decade. He is the founding director of the Southeast Cybercrime Institute, a division of Continuing Education at Kennesaw State University. He serves as chairman for the Institute's Board of Advisors and is an active member of the Georgia Cybercrime Task Force. Additionally, he is a frequent presenter at national conferences such as BlackHat, HealthSec, and InfoSec World.

One of Thomas' specialties is Email Forensics and he has performed numerous Email based investigations. He has presented on advanced forging techniques such as using SSH tunnels to obscure the original sending IP, and how to investigate such forgeries. Thomas is also on the review committee for the National White Collar Crime Center's upcoming Email Forensics course.

Thomas is the author of "Hardening Cisco Routers" from O'Reilly & Associates and the "Cybercrime: Response, Investigation, and Prosecution" chapter in the 5th edition of the Information Security Management Handbook. In addition to being a CISSP he is certified in Solaris, Linux, and AIX, Networking, and is a Cisco Certified Academic Instructor (CCAI). Thomas can be reached at takin<a>kennesaw.edu.


Revolutionizing Operating System Fingerprinting
Ofir Arkin, Founder, Sys-Security Group

Xprobe is an active operating system fingerprinting tool, which was officially released two years ago at the Black Hat Briefings USA 2001. The first version of the tool was a proof of concept for the methods introduced in the “ICMP Usage in Scanning” project, which I have conducted. Two years and several versions later (most recently the Xprobe2 v0.1 release), this talk will examine several issues with operating system fingerprinting we (Fyodor Yarochkin and myself) have encountered during the development of Xprobe and Xprobe2.

Mainly, the talk will explain why traditional operating system fingerprinting methods suffer from a number of caveats, and how these issues directly affect the results that different operating system fingerprinting tools relying on these methods produce (these issues will be explained along with different examples).

During the talk I will introduce several advancements in the field of operating system fingerprinting. The methods introduced greatly enhance the accuracy of operating system fingerprinting. Several new ways to gather information about a host OS will be uncovered along with ways to overcome many of the current issues of active operating system fingerprinting methods.

During the talk examples will be given, and the audience will be encouraged to participate in a discussion.

A paper release and a new version of Xprobe2 will accompany the talk.

Ofir Arkin is the founder of the Sys-Security Group, a non-biased computer security research and consultancy body.

Armed with extensive knowledge in the information security field, Ofir Arkin has worked as a consultant for several major European finance institutes, where he played the role of Chief Security Architect and Senior Security Architect. In his role as Senior Security Architect, Ofir was responsible for assessing the future external and inter-bank IP communication security architecture for one of the world’s top 10 banks, analyzing the needs and solutions for an internal Single Sign-On (SSO) project for a world-leading pharmaceutical company, securing the E-banking project for a leading Swiss bank, etc. Ofir also acted as Chief Security Architect for a 4th generation telecom company, where he designed the overall security architecture for the company.

Ofir has published several papers as well as articles and advisories. The most known papers he has published are “Etherleak: Ethernet frame padding information leakage”, “Security Risk Factors with IP Telephony based Networks”, the “ICMP Usage in Scanning” research paper, xprobe2 (tool and paper), “The Cisco IP Phones Compromise”, and “Trace-Back”. He is currently conducting research on a number of TCP/IP protocols as well as Voice over IP. Ofir’s research has been mentioned in a number of professional computer security magazines.

Ofir is an active member with the Honeynet project and participated in writing the Honeynet’s team book, “Know Your Enemy” published by Addison-Wesley.


Lawful Interception of IP: The European Context
Jaya Baloo

Lawful Interception (LI) is currently in development internationally and the area of IP interception poses significant regulatory, as well as implementation, challenges. The presentation attempts to elucidate major legal and technical issues as well as citing the vendors, operators and governments involved in creating the standards and solutions.

In the European context, all EU countries have been mandated to have LI capabilities in place and be able to provide assistance to other member states when tracking transborder criminals. Public Communications Providers must tread warily between privacy concerns and LI requirements. Especially with the new talks concerning Interpol, Enfopol, & Data Retention, communication over public channels is anything but private. The conditions for interception and the framework for oversight are not widely known.

As LI in Europe presents an example for the rest of the world, attention should be given to the changing face of EU legislation. This is relevant not only to the EU expansion but also concerns EU influence over her eastern and western allies.

Jaya Baloo (CCNP, CISSP) has been working in InfoSec for 5 years, starting at Unisource in The Netherlands. After moving to KPN Telecom, she has worked internationally for the Dutch Telecom Operator in Namibia, Egypt, Germany, and Costa Rica designing secure IP infrastructures for national operators. More recently she has worked in Prague for Czech Telecom on Lawful Interception.


Locking Down Mac OS X
Jay Beale, Lead Developer, the Bastille Project and Senior Research Scientist, George Washington University Cyber Security Policy and Research Institute

Apple's OS X operating system combines BSD Unix with easy-to-use Mac operating system components. This has produced an operating system that natively runs Microsoft Office, is as friendly as can be at finding you people to chat and exchange file shares with, and yet still runs a command line! Needless to say, it could probably use some lockdown before you want to take it to Black Hat, or even to the airport, with the wireless card plugged in.

The speaker has ported Bastille Linux to OS X and learned a thing or two about locking down OS X in the process. This talk will demonstrate lockdown, showing you how to harden the OS X operating system against future attack.

Jay Beale is a security specialist focused on host lockdown and security audits. He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and a core participant in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through Baltimore-based JJBSec, LLC.

Jay writes the Center for Internet Security's Unix host security tool, currently in use worldwide by organizations from the Fortune 500 to the Department of Defense. He maintains the Center's Linux Security benchmark document and, as a core participant in the non-profit Center's Unix team, is working with private enterprises and US agencies to develop Unix security standards for industry and government.

Aside from his CIS work, Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and previously wrote a number of articles for SecurityPortal.com and SecurityFocus.com. He authored the Host Lockdown chapter in 'Unix Unleashed,' served as the security author for 'Red Hat Internet Server' and co-authored 'Snort 2.0 Intrusion Detection.' Jay's currently finishing the Addison Wesley book, 'Locking Down Linux.'

Formerly, he served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and push security into the third largest retail Linux distribution. He now works to further the goal of improving operating system security. To read Jay's past articles and learn about his past and future conference talks, take a look at his site.


Automated Detection of COM Vulnerabilities
Frederic Bret-Mounet, Senior Security Architect, @stake

@stake announces COMbust, an automated COM object auditor. Few published scriptable objects have mechanisms to prevent unauthorized execution. If an object presents security vulnerabilities, an attacker could use such objects to perform remote attacks, resulting in potentially serious consequences.

Until now, assessing COM objects required developing custom scripts and a level of security expertise that few testing teams had. With COMbust, one can not only build automated regression tests for functionality testing, but also perform negative testing of the kind an attacker would do.

COMbust automatically executes methods of a COM object with boundary case arguments. In many cases, this will identify buffer overflows, file system or registry access, thus exposing the object’s vulnerabilities. COMbust also provides scripting capabilities to support creation and initialization of the target objects.

In addition to an introduction to COMbust, we will also cover two topics related to using Scriptable COM objects.

First, we will describe the implications of declaring objects scriptable. Why declare an object scriptable? How can your object be used as an attack vector?

Second, we will propose practical solutions to control who can execute your components. Several techniques will be presented ranging from controlling execution access to usage of cryptography.

This presentation will be a mix of slideshow and live demos. The audience is expected to have some understanding of the following technologies: Windows, COM, VB / JavaScript, and XML.

Frederic Bret-Mounet is a seasoned software engineer with 8 years of experience, 6 of those in information technology consulting. His professional experience includes application programming and security consultancy, with an emphasis on Web application design and implementation for Fortune 500 companies.

Prior to working with @stake, Fred was part of a consulting company where he completed multiple assignments with both dot-com and financial clients.

Fred’s skills cover a broad range of technical and managerial areas:

  • End to end knowledge of web and client/server architectures including client, presentation, middleware and backend tiers.
  • Expert in Windows, MFC, C++, VB, COM and Java.
  • Strong wireless networking (802.11) experience with all major current chipsets.

Areas of Research / Individual Accomplishments / Affiliations

  • ApSniff – a WiFi access point sniffer for Intersil Prism chipset based cards.
  • CISSP certified.
  • COM / ActiveX R&D.


Opensource Kernel Auditing/Exploitation
Silvio Cesare

For a period of up to 3 months in 2002, a part-time manual security audit of the operating system kernels in Linux, FreeBSD, OpenBSD, and NetBSD was conducted.

The aims of the audit were to examine the available source code under the presumption of language implementation bugs. Thus classic programming bugs prevalent in the implementation language [C], exemplified by integer overflows, type casting, incorrect input validation and buffer overflows etc., were expected. The initial introduction to auditing examined easily accessible entry points into the kernel, including the file system and the device layer. This continued to an increased coverage and scope of auditing. From this work, identification of conjectured prevalent bug classes was possible. These results are in favour of the initial expectations: that the bugs found would be in line with classical language bugs.

The results of this audit are surprising; a large [more than naively expected] number of vulnerabilities were discovered. A technical summary of these vulnerabilities will be treated in detail. Bug classes and [conjectured] less secure specific subsystems in the kernel will be identified. These conjectures support Dawson Engler's research work in automated bug discovery as applied to open-source kernel auditing.

Vulnerabilities, after bug categorisation, are applied in the treatment of exploitation. The results are again surprising; exploitation is sometimes trivial, and primarily highly reliable. The assumption of exploitation difficulty is conjectured to be a false belief due to the lack of any serious focus on kernel auditing prior to this paper. This conjecture is supported by in-line documentation of kernel sources indicative of immediate security flaws.

Attack vectors are identified as a generalisation of bug classes. Risk management is touched upon to reduce the scope of attack, but is not the primary purpose of this paper.

Discussion is finally that of vendor contact, and the associated politics of vulnerabilities. First-hand reports of acknowledgement times, problem resolution times and public dissemination policies are presented candidly. The author may be biased at this point, but it appears that during this audit period, open-source holds up to the promise of security concern and responsibility in its community. Problem acknowledgement in at least one of the cases presented is perhaps the fastest in documented history (less than three minutes).

The majority of the vulnerabilities discovered during the audit were resolved and patched in co-operation with the open-source developers and community responsible for each respective operating system. A very large thanks must go to Alan Cox, Solar Designer and, later, Dave Miller, who made enormous efforts to continually resolve all issues uncovered.

Silvio Cesare has for many years been involved in computer security and the many talented and less front-page individuals behind it. In 2001, Silvio relocated from Australia to France to work in the development of managed vulnerability assessment, after the best part of the previous year in Australia establishing the legal requirements to make this possible. In 2002, he relocated again to the US, after cessation of product development in France. During the last months working in the US as scanner architect of the company's flagship MVA product, he spent his part time auditing open source operating system kernels. Silvio spoke at conferences in 2002, including CanSecWest on his reverse engineering work, for which he was at one time in negotiations for authoring a book on Unix viruses. After impending legal requirements to leave the US, Silvio returned to Australia for 2003. During the current year, he has been quietly involved in Ruxcon, an Australian computer security conference, presenting the results of the previous year's part-time auditing. Silvio currently spends his days in Australia as a System Administrator, outside of industry interests in computer security.


Hardening Windows CE
Josh Daymont, CTO, MobileSecure, Inc.

Hardening Windows CE will examine this new operating system from Microsoft in detail. Security requirements for CE in different uses will be examined, and specific security postures will be explained for Windows CE on PDAs and other types of devices. This presentation will assume limited knowledge of Windows system administration and software development, and significant knowledge of internet technologies. Some knowledge of embedded systems would be helpful. No prior knowledge of Windows CE is required.

This presentation will include demonstrations of Microsoft Platform Builder™, the software that Microsoft provides to OEM customers for building the Windows CE operating system, with an emphasis on configuring security. The PocketPC 2002 version of Windows CE will also be examined, and several example exploits will be performed against the device; countermeasures to these exploits will also be shown.

Josh Daymont has worked on the cutting edge of information security research for the last seven years. His career began at Avalon Security Research, a not for profit full disclosure team. Later he joined Internet Security Systems where he co-founded the internal X-Force research team and held a variety of key technical and research management roles. Josh's personal research has been recognized in CERT advisories CA-96:08 and CA-98:06. His comments and articles have been written up in publications such as Secure Computing Magazine. Josh is the CTO of MobileSecure, Inc.


Security Issues with Fibre Channel Storage Networks (SANs)
Himanshu Dwivedi, Managing Security Architect, @stake

This presentation will discuss security issues in Fibre Channel storage networks, specifically Storage Area Networks (SANs), as they pertain to four different categories: Fibre Channel fabrics and frames, Fibre Channel switches, SAN attacks, and possible solutions. The presentation describes a Fibre Channel overview, current weaknesses, potential future problems, current and future attacks, and short-term/long-term solutions.

The presentation will combine a detailed technical discussion of security exposures with a discussion of tactical best practices. The technical discussion will focus on current attacks, future attacks, and Fibre Channel frame weaknesses that expose storage products and storage networks. Furthermore, high-level best practices will also be discussed as they pertain to storage solutions, device configurations, and architectural designs.

Himanshu Dwivedi is a Managing Security Architect at @stake, Inc. At @stake, Himanshu leads the Storage Center of Excellence (CoE), which focuses research and training around storage technology, including Network Attached Storage (NAS) and Storage Area Networks (SAN). Himanshu’s focus in security is networking technology and storage architecture, specifically Fibre Channel Security. Himanshu has given numerous presentations and workshops regarding the security in SANs, including the SNIA Security Summit, Storage Networking World, TechTarget, the Fibre Channel Conference, SAN-West, SAN-East, StorageWorld, etc.

Himanshu currently has a patent pending on a storage design architecture that he co-developed with other @stake professionals. The patent is for a storage security design that can be implemented on enterprise storage products deployed in Fibre Channel storage networks. Additionally, Himanshu has co-authored two published books that discuss storage security: The Complete Storage Reference, Chapter 25 (McGraw-Hill/Osborne), and the Storage Security Handbook (Neoscale/isitSTORAGE). Furthermore, Himanshu has also published two white papers. The first, titled “Storage Security”, provides the basic best practices and recommendations for securing a SAN or NAS storage network. The second, titled “Securing Intellectual Property”, provides insight and recommendations on how to protect an organization’s network.

At @stake, Himanshu forms part of the San Francisco based Professional Services Organization (PSO), providing clients with network architecture assessments, attack & penetration services, secure network design, and secure server analysis. In addition to the PSO, Himanshu is also part of the @stake Academy, where he is a lead instructor in several security classes, including Cyber Attacks and Countermeasures, Windows 2000 Security, and Storage (SAN and NAS) Security.


More (Vulnerable) Embedded Systems
FX, Phenoelit

The talk focuses on more embedded systems - this time, looking into the mobile world of GSM as well. How can the infrastructures and protocols in the Internet enabled GSM world be used for attacks? This session will give you an introduction to the concepts of WAP and GPRS. Using this knowledge, some unforeseen applications of these protocols will be discussed, both in the provider backbone and from the client side.

The second part will show you the latest advancements in Cisco IOS exploitation. While Phenoelit showed you last year that it can be done, we will go on and show you this year that it can be done better, more reliably and more elegantly.

FX of Phenoelit is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.

BGP Vulnerability Testing: Separating Fact from FUD
Matthew Franz, Security Researcher, Cisco's Critical Infrastructure Assurance Group (CIAG)
Sean Convery, Security Researcher, Cisco's Critical Infrastructure Assurance Group (CIAG)

Recently the security of BGP has been called into question by the government, security experts, and the media. Perhaps by assuming that a compromise of the Internet routing infrastructure would be relatively trivial to accomplish, most of the recent attention has focused on replacements to BGP rather than ways to do the best with what we have. Because any possible replacement for BGP will not be widely deployed in the near-term, an understanding of the key threats and mitigation techniques against current BGP deployments needs to be better understood. Furthermore, since most of the existing work related to BGP vulnerabilities is largely theoretical, any new effort should be based in real testing on actual implementations that are commonly deployed by ISPs.

This talk presents the results of research in the area of BGP attacks. This research includes three main areas. First, specific attacks as outlined in the BGP Attack Tree draft were tested against lab networks to gauge attack results, difficulty, and the availability of best practices which mitigate the attack's effects. Where appropriate, these attacks were conducted against multiple BGP implementations to more accurately determine the real risks to ISPs and the Internet, versus what was possible with a single vendor. Second, implementations were also evaluated using a BGP malformed message generator to determine their robustness and see whether BGP was susceptible to the same sorts of issues that have plagued SNMP, SIP, SSH, and other protocols. Third, the prevalence of generally accepted best practices on the Internet was measured by querying a representative set of the Internet's BGP routers on management interfaces including telnet, SSH, and HTTP. This survey also included the behavior of BGP implementations, based on their response to a valid BGP Open. Analysis of this data will be useful for operators looking to improve the security of their BGP networks today and to evaluate potential improvements to BGP in the future, especially given the challenge of balancing scalability and ease of deployment with security in any future "secure BGP."

Matthew Franz is a security researcher in Cisco's Critical Infrastructure Assurance Group (CIAG) in Austin, Texas. Apart from work on BGP, interests include industrial automation (SCADA/DCS/Industrial Ethernet), security, and automated protocol test tools. Before joining CIAG, Matthew was senior security engineer in the Security Technologies Assessment team, where he conducted product security evaluations on a variety of Cisco products and network protocols. Before coming to Cisco in 2000, Matthew was a network security consultant and taught technical network security courses to government information warfare customers in San Antonio, Texas.

Sean Convery is a security researcher in Cisco's Critical Infrastructure Assurance Group (CIAG). While in CIAG Sean's research efforts have centered on Internet infrastructure issues including BGP and IPv6. Before coming to the CIAG, Sean worked primarily on the SAFE blueprint, and is an author of several whitepapers on the subject. Prior to his five years at Cisco, Sean held various positions in both IT and security consulting during his 11 years in networking.

OSI Layer 1 Security
Michael D. Glasser, Security Consultant

In today's corporate environment electronic physical security is a serious business. Every corporation has some form of access control and/or CCTV system in place. There are only three really important questions to ask about it. Does it do what it's designed to do? Was it designed to do what it needs to do? WHO'S RESPONSIBLE AT THE END OF THE DAY?

This presentation will:

  1. Give an in-depth explanation of the different technologies used in Access Control and CCTV today.
  2. Give an overview of general system designs.
  3. Describe the most common security flaws that exist today.

Michael D. Glasser is currently employed as a Security Consultant in the New York Tri-State Area. He consults primarily on electronic physical security, as well as more conventional locking systems.

Glasser has been in the security industry for more than 10 years. He started as a technician in the field installing electronic security, and broadened his technical knowledge to cover all electronic and conventional security systems.

Glasser is licensed by New York State as a Burglar and Fire Alarm Installer, certified as a Locksmith, and has numerous electronic security certifications. He is an active member of many local, state and national associations. He teaches classes on electronic security in the New York Area.

Prior speaking engagements of this type have been at both the DefCon series of conferences and at the 2600 sponsored HOPE conferences.

Glasser can be contacted at mglasser<a>setec.org

Criminal Copyright Infringement and Warez Trading
Eric Goldman, Assistant Professor of Law, Marquette University Law School in Milwaukee, WI

This talk will discuss criminal copyright infringement and how it applies to warez trading. We will discuss what is legal and what isn’t, who has been prosecuted, why they were prosecuted and what happened to them, and why the law is bad policy. You should expect to leave the talk more knowledgeable about what activities are criminal and how great or small the risks are.

Eric Goldman is an assistant professor of law at Marquette University Law School in Milwaukee, WI, where he teaches cyberlaw, intellectual property and legal ethics. He has taught cyberlaw since 1995-96 and has authored dozens of articles and given dozens of speeches relating to Internet law issues. His article, A Road to No Warez: the Paradigm Misstep of the No Electronic Theft Act, will be published this year. Prior to joining the Marquette faculty, he was General Counsel of Epinions.com and, before that, a technology transactions attorney at Cooley Godward LLP.

The Law of 'Sploits
Jennifer Stisa Granick, Lecturer in Law and Executive Director of the Center for Internet and Society (CIS) at Stanford University

A patchwork of laws arguably applies to vulnerability disclosure. Vendors and system administrators have struggled to find legal means to prevent or slow computer misuse, while security researchers are frightened by the possibility that they may be punished for the dissemination of security research. This talk reviews the major legal issues in vulnerability disclosure, including negligence, conspiracy to commit computer fraud, aiding and abetting computer fraud, the anti-circumvention provisions of the DMCA and the prospective implementation of the Council of Europe Convention on Cybercrime, as well as defenses, like the First Amendment.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime, national security and constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Runtime Decompilation
Greg Hoglund, Rootkit

Pure static analysis of machine code is both time consuming and, in many cases, incapable of determining control flow when branching decisions are based on user-supplied input or other values computed at runtime. Other problems include the lack of type information or the inability to identify all instructions. Although difficult if not impossible to solve using static analysis, many specific problems can be solved by running the program and observing its behavior. Hoglund presents a strategy that combines static analysis with runtime sampling to determine data flow and, more importantly, trace data from the point of user input to potentially vulnerable locations in code. His focus is directly on security auditing and techniques to significantly reduce the amount of time it takes to audit a binary executable. To get the most from this talk, attendees should have experience debugging code.

Greg Hoglund is a recognized speaker and business person working out of California. His work is focused on reverse engineering and exploiting software. Hoglund has developed several automated tools and commercial products. Hoglund most recently developed the fault-injection product called 'Hailstorm' and has now moved on to form a new company, HBGary, LLC. In his spare time, Hoglund hosts the popular internet site www.rootkit.com and takes his dog, Oreo, for walks on the beach.

Honeynet Technologies: The Latest Technologies
The Honeynet Project

This session focuses on Sebek and the latest advances in Honeynet Technologies. It includes a general overview of the Honeynet Project and Honeynet Technologies.

Stack Black Ops: New Concepts for Network Manipulation
Dan Kaminsky, Senior Security Consultant, Avaya, Inc.

What can your network do? You might be surprised. Layer by layer, this talk will examine previously undocumented and unrealized potential within modern data networks. We will discuss aspects of the newest versions of scanrand, a very high speed port scanner, and the rest of the Paketto Keiretsu. Interesting new techniques will also be discussed, including:

  • Bandwidth Brokering - a technique that allows market-based load balancing across administrative boundaries using existing TCP protocols
  • DHCP-less Bootstrapping - a sub-optimal but effective strategy for bootstrapping network access for hosts that cannot directly acquire a DHCP lease
  • State Reconstruction - a design model that allows stateless network scanners (such as scanrand) to acquire deep knowledge about scanned hosts
  • Multihomed Node Detection - a simple set of techniques that expose firewalled hosts with alternate paths to an unfirewalled network link.
  • Generic ActiveX Encapsulation - a step-by-step methodology for safely launching arbitrary win32 tools (such as putty or a Cygwin OpenSSH environment) from a web page

We will also be discussing significant advances in data visualization, made necessary by the sometimes daunting amount of raw information these sorts of tools can expose one to.

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems, and he is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

Running the Matrix: Kerberos Extensions and Owning the Universe
Curtis E.A. Karnow, Partner, Sonnenschein Nath & Rosenthal LLP

The presentation will use the Kerberos encryption schema as an example of a public protocol that has been subject to proprietary (private) extensions. Proprietary protocols are especially dangerous in the digital network context, since control of one protocol can implicate control across the network. A short non-technical outline of the Kerberos system and topology is presented, as well as the means by which the public standard has been infiltrated by certain privately “owned” patents and trade secrets. This leads to a discussion of how public law— intellectual property law (copyright, patent, etc.)— is used to enforce private interests. Public law— usually the guarantor of a balancing of public and private rights— is used in this context to upset that balance to benefit private control. Fair use, a public right embodied in the copyright act, can be used to explore and avoid the impact of proprietary protocols and extensions; but new laws, such as the Digital Millennium Copyright Act and the proposed anti-terrorism statute “US Patriot Act II” undermine the utility of “fair use,” particularly in the context of examining proprietary encryption schemes. The presentation concludes with an endorsement of open standards and source.

Curtis Karnow is a partner at the law firm of Sonnenschein, Nath + Rosenthal and a member of the firm’s e-commerce, security and privacy, and intellectual property groups. He is the author of Future Codes: Essays In Advanced Computer Technology & The Law (Artech House, 1997). Mr. Karnow has counseled on public key infrastructure policies, electronic contracting, and digital signatures. Formerly Assistant U.S. Attorney in the Criminal Division, Mr. Karnow’s responsibilities included prosecution of all federal crimes, including complex white-collar fraud, from investigation and indictment through jury verdict and appeal. Since then, Mr. Karnow has represented defendants indicted for unauthorized access to federal interest computers; defended against a criminal grand jury investigation into high tech export actions; represented clients before federal grand juries investigating alleged antitrust conspiracies and securities violations; brought legal actions against internet-mediated attacks on client networks, and in a state criminal investigation represented a computer professional framed by a colleague in a complex computer sabotage. He has also advised on jurisdictional issues arising out of a federal criminal Internet-related indictment, and advises on liability and policy issues, including interfacing with law enforcement authorities, arising from computer security breaches and Internet privacy matters. He occasionally sits as a temporary judge in the California state court system.

Digital Information, User Tokens, Privacy and Forensics Investigations: The Case of Windows XP Platform
Larry Leibrock, Ph.D, Associate Dean, CTO, McCombs School of Business Administration, The University of Texas

Incident Response and IT Security practitioners are aware that normal user interactions with digital devices create, delete and typically leave a range of data, metadata and residue (termed tokens) on differing systems media. We seek to explore the Microsoft Windows XP as an illustrative platform to review how these tokens are created, discovered and perhaps cleaned using some generally available privacy tool sets.

This paper explores a field study that intends to review extant knowledge, determine the range of user tokens, and survey the current forensics used to discover evidentiary findings. The field study focuses solely on two variants (Windows XP Professional and Windows Tablet PC) of commercially available Windows XP platforms in networked settings.

The paper describes the Windows XP platform from these perspectives: files, registry, system folders, special folders, media and forensics processes. A review of present data-hiding techniques (cryptography and steganography) is presented and demonstrated. Finally a set of data destruction algorithms and tools are described.

Lastly in the context of a teaching case, a set of public policy perspectives are presented for discussion. The purpose of the case is to set out a dialogue about individual privacy rights, privacy of information, ownership of data, protection of sensitive information and legal investigative processes in democratic settings.

Discussion topics in the presentation include the following:

  • Investigation and Privacy of Digital Data and Introductory Forensics Investigations: Practices/Procedures
  • An International Forensics Case discussion - law - privacy - ethics - law enforcement
  • Microsoft Windows XP - Media typology and morphology of data
  • Data Caches - files - registry - folders - metadata derivatives
  • Networking artifacts and residue
  • Introduction to information hiding techniques, data wiping tools - special hardware - some special tools
  • Extant political - public policy - legal systems perspectives

Larry Leibrock, Ph.D., is a member of the McCombs Business School – The University of Texas faculty and serves as the Associate Dean and Technology Officer for the McCombs Business School. He has held or currently holds clinical teaching and research appointments at McCombs Business School, Institute for Advanced Technology, The University of Texas Law School, Emory University, Helsinki School of Economics and Monterrey Technologica in Mexico City and Monterrey. He is a member of IEEE, ACM, Internet Society, FIRST and USENIX/SAGE. He is also a member of the Department of Defense Software Engineering Institute and a participant in the Air Force Software Technology Conference. He is the founder and CTO for eForensics LLC, a private technical services firm.

Larry has delivered expert digital evidence testimony at both civil and criminal trials. He has testified for the Presidential Commission for Protection of Critical Information Infrastructure and the Senate Science Committee. He recently presented forensics testimony at an invitational conference for the Executive Office of the President. He presently serves on the Texas Infrastructure Protection Advisory Committee formed by the Attorney General of Texas. He is also appointed to the Board of Directors - Texas Department of Information Resources. Larry is active in IT industry and government systems consulting projects in the areas of systems forensics, enterprise IT operations, security and incident investigations.

Variations in Exploit Methods Between Linux and Windows
David Litchfield, Founder, Next Generation Security Software

This presentation will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system.

David Litchfield is a world-renowned security expert specializing in Windows NT and Internet security. His discovery and remediation of over 100 major vulnerabilities in products such as Microsoft's Internet Information Server and Oracle's Application Server have led to the tightening of sites around the world. David Litchfield is also the author of Cerberus' Internet Scanner (previously NTInfoscan), one of the world's most popular free vulnerability scanners. In addition to CIS, David has written many other utilities to help identify and fix security holes. David is the author of many technical documents on security issues including his tutorial on Exploiting Windows NT Buffer Overruns referenced in the book "Hacking Exposed".

Notes on Domino
Aldora Louw, Senior Associate, PricewaterhouseCoopers

Notes on Domino is a discussion on some of the rarely used Domino security features. Implementing these features often makes administration and configuration more difficult. The result of not implementing these security features can sometimes be devastating. This discussion will focus on analyzing these security features, describing and demonstrating the possible impact of not utilizing these features, and general Domino architecture and design. The context of the discussion will include the Lotus Domino web interface, as well as the often-overlooked conventional Notes interface.

Demonstrations will include exploiting weaknesses created by security mis-configurations. Methods of reducing the effectiveness of the demonstrated attacks will be presented. In each of the methods Lotus Domino 6 features will be compared and contrasted to Lotus Domino 4 and 5 features.

Real life examples will be utilized to reinforce the impact of ignoring available Domino security features.

Aldora Louw is a Senior Associate in the PricewaterhouseCoopers Security practice with more than 7 years' experience in Security and Information Technology. She has extensive knowledge and experience in systems design and implementation, system integration, policy and procedure development, security penetration testing and implementing countermeasures to reduce or minimize Internet-based computer or network vulnerabilities. Aldora has provided security and infrastructure consulting to various organizations in the Energy, Financial and Professional Services sectors. Aldora has advanced technical experience with the following technologies/products: Firewalls, UNIX, Windows NT, Windows 2000, Cisco Routers, Lotus Domino, Intrusion Detection systems.

Aldora's article detailing different wireless communications and their security was recently published in "Information Strategy: The Executive's Journal".

Introduction to Corporate Information Security Law
Andrea M. Matwyshyn, Adjunct Professor of Law, Northwestern University School of Law; Affiliate, Manufacturing and Technology Policy, University of Cambridge (UK)

Legal mechanisms can be efficient weapons in the battle to secure propriety information, particularly if used preemptively. Maximizing the leverage offered by these legal mechanisms generates a two-fold benefit for business entities. First, sound proprietary information security practices preserve strategic business advantage by contractually and otherwise hindering attempts by competitors to garner proprietary information for competitive advantage. The legal sources for protection of proprietary information and intellectual property assets are three-fold: (1) contract; (2) state level trade secret law; and (3) federal intellectual property and other law. Second, when proprietary information includes third party data, in particular consumer data, sound information security practices help limit liability associated with violation of privacy regulation and serve to demonstrate the exercise of due care in data management. In some instances, affirmative legal confidentiality and privacy obligations may pertain to entities engaged in certain types of information intensive businesses. For example, entities engaged in businesses which involve financial, health, children’s or European data trigger regulation both domestically and internationally. Noncompliance with such regulatory requirements can result in both enforcement actions by various governmental agencies and liability arising from civil suits. Through viewing contracts as tools for increasing future certainty and through instituting entity-wide information control policies and practices, entities can greatly diminish transactions costs associated with information leakage.

Andrea M. Matwyshyn is an Adjunct Professor of Law at Northwestern University School of Law in Chicago, Illinois, where she teaches in the area of information technology transactions, an Affiliate with the Manufacturing and Technology Policy Program at the University of Cambridge in the United Kingdom, and a practicing attorney. She has represented clients of all sizes, including both multinational corporations and entrepreneurs, in general corporate, information technology, and privacy counseling matters. She is currently finishing her dissertation and will soon complete a Ph.D. in Human Development and Social Policy, focusing on technology policy, also from Northwestern University.

Leave the Theory Behind and Embrace the Code, A Practical Approach for Building a Security Data Correlation System
David Maynor, Application Developer, Georgia Tech

Correlation of data from security tools is a subject often discussed but products that do this are either expensive or lack cross vendor support. This presentation aims to demystify these tools and impart the audience with the knowledge to build and deploy their own correlation systems.

In addition to the design and development aspect a practical example will be released in the form of a correlation engine and agents. This presentation is most beneficial to security administrators and engineers of enterprise environments where the amount of information produced by security tools is overwhelming.

To take the most advantage, the attendees will need an understanding of current security tools (nessus, snort, iptables, and tripwire). In addition, since the focus of the talk will be on the development of this tool, participants will need to be familiar with C and python as well as socket programming and general networking concepts.

David Maynor has spent the last 2 years at GaTech, with the last year as a part of the Information Security group as an application developer, helping to make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of different companies in a wide range of industries, from digital TV development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.

Advances in ELF Runtime Binary Encryption - Shiva
Neel Mehta, Application Vulnerability Researcher, ISS X-Force

Traditionally runtime binary encryption has been limited to the Windows world, but attempts have been made to bring the technology to the UNIX world. This presentation will discuss the emerging field of ELF runtime binary encryption on Unix platforms. Although an overview and brief history of runtime binary encryption will be covered, the presentation will specifically focus on the ELF runtime binary encryption tool Shiva, and the new and novel techniques it implements. Shiva was co-authored by Shaun Clowes and Neel Mehta. Its technical aspects will be covered in depth, along with the challenges associated with runtime binary encryption, and its implications for binary forensics or reverse engineering and security in general. Lessons learnt and changes made since an initial beta release will also be covered.

Neel Mehta works as an application vulnerability researcher at ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

.NET from the Hacker's Perspective: Part 2
Drew Miller, Black Hat Consulting

Most people ask about all the great new exploits that exist in .NET applications and infrastructure. As usual, there is really nothing new under the sun. Part I of this talk focused on .NET-specific functionality that had issues, however important they were.

Part II focuses on the technologies that are not being used by .NET developers and designers which would make attacks such as denial-of-service, authentication bypassing and information leakage detectable and leave the applications immune.

Many of the basic problems with local and network application technologies still exist even in .NET. We will focus on understanding where those vulnerabilities lie.

Though many of the points may be subtle, they apply to every line of code written for a .NET application. Default UI settings for text controls and the failure to use the easy-to-use cryptographic namespace in .NET continue to give hackers access to systems and data built with .NET technology. This does not have to be the case. Apply good processes and keep your data safe from everyone, including those disgruntled employees.

Drew Miller has been a software engineer for more than ten years. Drew has worked at many levels of software development, from embedded operating systems, device drivers and file systems at Datalight Inc. to consumer and enterprise networking products such as Laplink’s PCSync and Cenzic’s Hailstorm. Drew’s experience with many software genres combined with his passion for security give him a detailed perspective on security issues in a wide variety of software products.

Drew’s latest projects were aiding the design and development of two security courses for Hewlett-Packard at the Hewlett-Packard Security Services Center. One course aimed at educating quality assurance personnel and the other at educating developers about the exposures that exist in present day network applications and how to avoid such exposures. Drew is currently an instructor for Black Hat Training, Inc.

SPIDeR: A Distributed Multi-Agent Intrusion Detection and Response Framework
Patrick Miller, Computer Science Department, Eastern Washington University

The Synergistic and Perceptual Intrusion Detection Systems with Reinforcement (SPIDeR) framework coordinates the results from multiple intrusion detection agents distributed throughout a network. These agents are capable of utilizing widely different computational models ranging from fuzzy logic to regular expressions. The system centrally combines the agents’ results, which are then used to produce an automated response. As the operational environment changes over time, agents and sensors are dynamically added and trimmed. This also allows an administrator to balance the use of system resources against system security. The use of heterogeneous sensor agents provides a level of immunity to attacks against the IDS that is not possible in single model architectures while simultaneously decreasing the rate of false positives. These agents will, in addition to using diverse computational models, analyze diverse data sources.

During the presentation, Patrick Miller will discuss the ongoing research and development that is taking place on SPIDeR, a project proposed and supervised by Dr. Atsushi Inoue, the director of the Inland Northwest Security Systems Initiative (INSSI) within the Department of Computer Science at Eastern Washington University. Particular attention will be focused on the need for multiple, heterogeneous agents. Time will also be spent examining different detection methodologies and the computational models best suited to those in different environments.

Many automated response systems suffer from a high number of false positives, preventing an administrator from assigning the most appropriate response. These systems often also suffer from a prohibitive degree of rigidity. This presentation will explore the use of fuzzy logic systems, in coordination with administrator feedback, to develop a more flexible, adaptive response system.

Patrick Miller has spent the last year and a half as a primary researcher and developer for the SPIDeR project, a knowledge-based distributed intrusion detection system, part of Eastern Washington University’s cyber security initiative. His recent publications and work have focused on the use of heterogeneous machine learning systems in real-time intrusion detection.

Prior to this research, Patrick performed a number of security audits focusing on the unique security needs of colleges and universities, and has been asked to present on this topic at both the local and national level.

Brute Forcing Terminal Server Logons with TSGrinder
Timothy Mullen, CIO, Anchor IS
Ryan Russell

The "new and improved" version of "TSGrinder," the original terminal server brute force tool from Hammer of God, has just been completed and will be unveiled at Blackhat Vegas. This much-awaited release will include many new features such as single-session-multiple-password-attempts functionality, 1337 dictionary hashing, logon banner awareness, and more. This free tool will be made available for download immediately following this session.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions. Mullen is also a columnist for Security Focus' Microsoft Focus section, and a regular contributor of InFocus technical articles. A.k.a. Thor, he is the founder of the "Hammer of God" security co-op group.

Click Next To Continue
Chris Paget, Security Consultant and Researcher, Next Generation Security Software

August 2002 saw the release of Shatter - the first of a new class of security vulnerabilities. Shatter attacks break Windows security by using pure GDI messages; Click Next to Continue explores the issues in more depth. Building upon the original white paper, this presentation explores in more detail the techniques involved in locating and exploiting a Shatter-style vulnerability, what can be accomplished with them, and how they can be fixed.

Two new exploits will be presented; a privilege escalation vulnerability in Windows 2000 along similar lines to the original WM_TIMER issue, and a second exploit which can circumvent virtually all personal firewalls. Also to be released is Smashing - a highly versatile exploit for the original WM_TIMER issue and a test-bed for further exploration.

Chris Paget is a security consultant and researcher for NGS Software, based in London. Chris has almost 20 years of experience in programming and security auditing, specialising in Win32 and Internet systems. He has performed audits for many of the largest banks and high-tech companies in the world, and has several years of experience teaching system administrators how to break into their own networks.

Java Card 101 – Understanding Java-based Smartcard Security
Bruce Potter, Security Consultant

Smart cards have been popular internationally for years. Now they are gaining popularity in the United States, both in the public and private sector. Historically, smart cards have been expensive and difficult to deploy because each card was customized for the application it contained. With the advent of technologies such as Java Card, applications can be loaded on a card at any point of its lifetime. This allows for specialized, inexpensive, small-scale card deployments. Smart cards can now be used in any size organization to fit a number of security requirements.

This talk will cover the ins and outs of Java Card and its security architecture. It will provide perspective by briefly covering smart card history and basics. The presentation will explore reasons to deploy smart cards (and why to think twice about it). It will present the structure of the Java Card Virtual Machine and Runtime Environment as well as important off-card entities. Finally, the talk will cover best practices in Java Card application development through examples.

Bruce Potter has a broad information security background. From application security assessments to low-level smartcard analysis to wireless network deployments, Bruce has worked in both the open- and closed-source communities. Trained in computer science at the University of Alaska Fairbanks, Bruce now serves as a Senior Security Consultant for Cigital, Inc. in Dulles, VA. Bruce is founder and President of Capital Area Wireless Network, a non-profit community wireless initiative based in Washington DC. In 1999 Bruce founded The Shmoo Group, an ad-hoc group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security, published by O’Reilly and Associates. He is co-authoring Mac OS X Security, to be published by New Riders Publishing in May of 2003.

Technical Security Countermeasures: The Real Story Behind Sweeping for Eavesdropping Devices
Jeffrey Prusan, President, Corporate Defense Strategies Inc.

Drawing on experience as a corporate security advisor, former investigator, and TSCM technician, we will dispel the myths behind bugging and wiretapping. We will separate what tappers can and cannot do (everything you see in the movies is not always true!!), and explain what companies can realistically do to protect themselves from eavesdroppers and thereby help protect their network, proprietary information, and intellectual property. We will explain and demonstrate the sophisticated electronic tools used by a professional sweep team, and describe what happens during the sweep process. We will demonstrate how phones are tapped in homes (analog phones), small businesses (KSU telephone systems), and larger companies (PBX systems). We will show how corporate spies attempt to infiltrate company telephone systems and ultimately compromise your network infrastructure. We show how anything purchased from a "spy shop" to detect eavesdropping will only waste your money and give you a false sense of security. We lay out the planning and execution of a successful sweep, and explain how to protect your company from threats in the future.

Jeffrey Prusan is the President of Corporate Defense Strategies Inc., a security consulting and security systems integration firm founded in 1982 and located in Woodcliff Lake, New Jersey. Mr. Prusan has provided his services to businesses ranging from Fortune 500 companies to small "Mom and Pop" businesses looking to protect their privacy and security. He and his company have worked for, and continue to provide security services to, local and county government agencies, law enforcement agencies, and the Federal Government. Mr. Prusan has a strong background in investigations and corporate security, and has successfully located, and assisted in the apprehension of, a perpetrator who eluded law enforcement authorities after murdering a police officer. Mr. Prusan located and apprehended an international embezzler who had stolen $45 million from his employer. Prusan was deployed by the United States Federal Government to travel to the Philippines to conduct a fact-finding mission regarding the bombing of the World Trade Center, and the bombing of a Philippine airliner bound for the United States. Jeffrey Prusan has worked with and advised law enforcement agencies at all levels regarding bugs and wiretaps discovered as a result of Technical Security Countermeasures (TSCM) sweeps. Mr. Prusan has performed eavesdropping detection services for offices, homes, cars, yachts, and corporate aircraft. Mr. Prusan is a member of the American Society for Industrial Security, and is listed in Who's Who in Security. Mr. Prusan has appeared on WNBC News on numerous occasions to discuss security, privacy, and protection topics. His company has appeared in print media such as the Bergen Record newspaper, Time Magazine (August 14, 2000), and Security Management. Articles written by Jeff Prusan have appeared on MSN.com and securitydriver.com, to name only a few. Mr. Prusan has also authored articles on electronic vehicle tracking and Technical Security Countermeasures.

Modern Intrusion Practices
Gerardo Richarte, Core Security Technologies, Inc

Current pen-testing practices focus on hosts or networks as targets, and start with a noisy reconnaissance and information gathering phase regardless of the mission. We’ll start by reviewing these practices, and showing how some examples of targets not commonly used open new dimensions for planning attacks and creating new tools.

The main focus of this talk is to start walking the path to a new perspective for viewing cyberwarfare scenarios, by introducing different concepts and tools (a formal model) to evaluate the costs of an attack, and to describe the theater of operations, targets, missions, actions, plans and assets involved in cybernetic attacks. We’ll talk about current and immediate uses of these tools for attack and defense, as well as some future-but-not-sci-fi applications of them.

Gerardo Richarte - Core Security Technologies, Inc

Having worked formally for more than 10 years in the field, first in the public sector (University and Government) and later in the private sector, gera today leads exploit development for the CORE IMPACT penetration testing framework. He has also occasionally performed penetration tests and taught basic and advanced exploit writing techniques with Core's security consulting services.

In the last year, he has been a speaker at different computer security conferences, where he presented on automated pen-testing and exploit writing techniques and methodologies. He has also published papers on low-level security aspects, such as format string exploitation and bypassing stack smashing protections, and was part of the jury for Honeynet's 2002 reverse engineering challenge.

He doesn't drink or smoke, so he'll be easy to spot in Las Vegas for the "Where-Am-I face" that he'll be wearing (at least the first day).

Advanced Windows 2000 Rootkits Detection (Execution Path Analysis)
Jan K. Rutkowski

One of the most important questions in computer security is how to check whether a given machine has been compromised or not.

This is a very difficult task, because the attacker can exploit an unknown bug to get into the system and, most importantly, after breaking in, he can install advanced rootkits and backdoors in order to stay invisible.

This presentation will concentrate on rootkit and backdoor detection in Windows 2000 systems. First, some rootkit prevention programs will be discussed (Integrity Protections Driver, Server Lock) and some vulnerabilities in those products will be presented.

The main part of the presentation will be devoted to a new approach to rootkit and backdoor detection in the Windows kernel and system DLLs. This technique is based on Execution Path Analysis (EPA), which makes use of some Intel processor features in order to analyze what has really been executed during some typical system calls. EPA is not limited to Windows 2000; the author has also developed a similar detection utility for Linux on the Intel platform.

Jan Rutkowski is an independent security researcher. His main interests are in non-trivial exploitation techniques (like heap corruption or smart payloads) and advanced aspects of rootkit and backdoor technology. Currently he focuses on Windows 2000 and Linux systems.

Attacks on Anonymity Systems (Theory) and Attacks on Anonymity Systems (Practice)
Len Sassaman, Anonymizer, Inc.
Roger Dingledine, The Free Haven Project

Attacks on Anonymity Systems (Theory) will draw upon data gathered during real-world attacks on the Mixmaster network, a public Internet anonymity system.

The second presentation, Attacks on Anonymity Systems (Practice), will build upon the information given in the first, and will demonstrate how these theoretical attacks can be exploited in practice. The two parts can be attended independently, though attendees are encouraged to attend part one if they are not already deeply familiar with anonymity systems.

Len Sassaman is a communication security consultant specializing in Internet privacy and anonymity technologies. Len has been a strong defender of personal rights through technology. As a volunteer, he has lent his expertise to human rights organizations, victim support groups, and civil liberties organizations.

Len is an anonymous remailer operator, and is currently project manager for Mixmaster, the most advanced remailer software available. Previously, he was a software engineer for PGP Security, the provider of the world's best known personal cryptography software. A returning Black Hat speaker, Len is also a frequent contributor to online discussions of electronic privacy issues, and has contributed to the development of free software privacy utilities.

Roger Dingledine is a security and privacy researcher. While at MIT under professor Ron Rivest, he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users. After graduating he provided security expertise to a small startup in Boston, where he researched how to integrate reputation into p2p and other pseudonymous dynamic systems. Since then he has been on the program committee of almost a dozen conferences, including being program chair twice for the annual Privacy Enhancing Technologies workshop. Currently he consults for the US Navy to design and develop systems for anonymity and traffic analysis resistance. Recent work includes anonymous publishing and communication systems, traffic analysis resistance, censorship resistance, attack resistance for decentralized networks, and reputation.

Putting The Tea Back Into CyberTerrorism
SensePost

Many talks these days revolve around cyber terrorism and cyber warfare. Some experts suggest such attacks could be effective; others say that targeted country-wide cyberterrorism is just for the movies... or a Tom Clancy book. In this talk we look at very practical examples of possible approaches to Internet-driven Cyber Warfare/Terrorism. The talk will include an online demo of a framework designed to perform closely focused country-wide cyber attacks.

Roelof Temmingh is the technical direc