Black Hat Digital Self Defense USA 2004
Black Hat USA 2004 topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.


Keynote
Thinking Outside the Box–Embracing Globalization
Paul Simmonds, Global Information Security Director (CISO), Jericho Forum/ICI Plc.

The days of the corporate network, completely isolated with a well-secured outer shell are long gone; yet we continue to cling to this model. Global networks with no borders, offer the potential of substantial savings in communications costs, maximum network agility and instant connectivity for clients and partners.

Can you secure this incredibly compelling business model, and provide a long-term business case for security where security contributes to the corporate bottom line and the CISO is seen to be a true partner in corporate strategic thinking? What does business need from its suppliers to make this a feasible reality? What do you need to be doing now to achieve this goal?

The problem has been defined. Now, the solution is being acted upon. This presentation will discuss significant new developments in the past three months towards embracing globalization.  

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI (www.ici.com), working for the CIO Office in London.

Prior to joining ICI he spent a short time with a high-security European web hosting company as Head of Information Security, and before that seven years with Motorola, again in a global information security role. Paul is also a founding member of the Jericho Forum, a pan-global grouping of corporate companies working to define the issues and benefits of operating in a deperimeterised environment.

In his career he has worked with many external agencies, including the FBI, Scotland Yard, Wiltshire Computer Crime and Wiltshire Child protection. He has also been directly involved in two successful criminal prosecutions, giving evidence in one case.

Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication and is also a qualified kayak coach. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites.

He is married with three children and a very understanding wife and in the little spare time that he has teaches canoeing and runs charity radio stations.

Privacy, Economics and Immediate Gratification: Why Protecting Privacy Is Easy But Selling It Is Not
Dr. Alessandro Acquisti, Assistant Professor of Information Technology and Public Policy at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University; Research Fellow, Institute for the Study of Labor (IZA), and co-founder & former CEO, PGuardian Technologies, Inc.

Surveys have repeatedly identified privacy as one of the most pressing concerns of those using new information technology. In Internet sales alone, billions of dollars are said to be lost every year because of privacy fears. At the same time, academic research and security industry efforts have developed protocols and technologies to protect individuals' privacy in almost any conceivable scenario, from browsing the Internet to purchasing on- and off-line. There is a demand, and there is a supply. So, why is there no market clearing?

This talk will combine analysis of technology, economic tools, and behavioral psychology to explain why privacy enhancing technologies have failed to gain widespread adoption, while privacy and security of personal information have remained a concern for many.

Acquisti will apply lessons from the research on behavioral economics to understand the individual decision making process with respect to privacy. He will show that it is unrealistic to expect individual rationality in this context. Models of so-called "self-control problems" and "immediate gratification" offer more realistic descriptions of the decision process and are more consistent with currently available data. In particular, Acquisti will show why individuals who may genuinely want to protect their privacy might not do so because of psychological distortions well documented in the behavioral literature; he will show that these distortions may affect not only 'naive' individuals but also 'sophisticated' ones; and he will prove that this may occur also when individuals perceive the risks from not protecting their privacy as significant.

Lastly, Acquisti will present preliminary evidence from an ongoing series of surveys and experiments aimed at testing the rationality assumption in privacy-related decision making, and will recommend strategies that developers and security experts may consider when building usable privacy enhancing technologies.

Alessandro Acquisti is the Assistant Professor of Information Technology and Public Policy at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University; a Research Fellow at the Institute for the Study of Labor (IZA); and the co-founder and former CEO of PGuardian Technologies, Inc, a provider of Internet security and privacy services.

Alessandro's work investigates the economics of privacy and information security, the economics of computers and AI, e-commerce, and cryptography. His research in these areas has been disseminated through journals, books, and leading international conferences, including Financial Cryptography, ACM Electronic Commerce, WEIS, WISE, AAMAS, and AAAI Symposia. He has been a committee member for the PET workshop in 2003 and 2004 and for the Workshop on Economics and Information Security in 2004. In his current research, Alessandro combines economic methodologies and cryptographic tools. Alessandro also maintains the resource page on the economics of privacy: http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm

Prior to joining CMU Faculty, Alessandro Acquisti researched at the Xerox PARC labs in Palo Alto, CA, with Bernardo Huberman and the Internet Ecologies Group; at JP Morgan London, Emerging Markets Research, with Arnab Das; and for two years at RIACS, NASA Ames Research Center, in Mountain View, CA, with Maarten Sierhuis and Bill Clancey. At RIACS, he worked on agent-based simulations of human-robot interaction onboard the International Space Station.

In 2000 he co-founded PGuardian Technologies, Inc. in Palo Alto, CA. PGuardian Technologies is a provider of Internet security and privacy services, for which Alessandro designed two currently pending patents. In a previous life, Alessandro worked as a classical music producer and label manager (PPMusic.com), arranger, lyrics writer (BMG Ariola/Universal), and soundtrack composer for theatre, television (RAI National Television), and indie cinema productions.

Alessandro Acquisti has lived and studied in Rome (Laurea, Economics, University of Rome), Dublin (M.Litt., Economics, Trinity College), London (M.Sc., Econometrics and Mathematical Economics, LSE), and in the San Francisco Bay Area, where he worked with John Chuang, Doug Tygar, and Hal Varian and received a Master's and a Ph.D. in Information Management and Systems from the University of California at Berkeley.

Publications and further information can be found at: http://www.heinz.cmu.edu/~acquisti/.

Phishing–Committing Fraud in Public
Phillip Hallam-Baker, Principal Scientist, VeriSign Inc.

In late 2003 the rate of phishing fraud suddenly began to escalate, leading to widespread media reports. Phishing fraud is impersonating a trusted party such as a bank in order to steal personal information such as credit card numbers or account details. This talk will describe real-life phishing incidents experienced by one of the largest on-call response teams in the field and the actions being taken by the industry to prevent or discourage future attacks.

Dr Phillip Hallam-Baker has been active in the development of security protocols for the World Wide Web since 1992. He has since made substantial contributions to many Internet protocols including HTTP, X.509/PKIX, OCSP, XKMS, SAML and WS-Security. He is currently the editor of the XKMS specification, a co-editor of the WS-Security specification and a co-author of various related specifications. He is also the editor-emeritus of the SAML specification. His research interest in countering phishing fraud began as part of his work on stopping spam. In addition to his extensive work in the security area Dr Hallam-Baker has a long-standing research interest in online collaboration systems.

Dr Phillip Hallam-Baker holds a degree in Electronic Engineering from Southampton University and a doctorate from the Nuclear Physics Department at Oxford University. He has held research positions at DESY, CERN and MIT and is currently Principal Scientist at VeriSign Inc.

Information Security Law Update: The Emerging Trend Toward Programmatic Information Security Management
Brad Bolin, Senior Security Consultant, Shavlik Technologies

There is an emerging trend from ad hoc information security practices toward a more strategic, programmatic approach to information security. Generally speaking, this means a trend toward more structured, comprehensive and documented information security management plans. This change to programmatic approaches is primarily driven by new laws, regulations and standards. We'll begin with a description of the evolution of these laws, regulations and standards, and their impact on information security, highlighting their increasingly regimented, programmatic nature. The presentation will then culminate in a prediction of what we can expect in the next few years in terms of new requirements placed on information security, and what security professionals can do to prepare for (as opposed to react to) these requirements.

Brad Bolin is a senior security consultant who brings an uncommon blend of experience and training to Shavlik’s information security consulting practice. As a licensed attorney, he is uniquely positioned to advise corporations on strategic risk management issues, such as the implications of contemporary data security laws and regulations. As a Certified Information Systems Security Professional (CISSP) with over 6 years of experience in network and security administration, including risk assessment and mitigation at a number of Minnesota’s largest companies, Brad possesses a wide variety of technical skills upon which to draw when confronting the issues faced by Shavlik’s clients.

Acting in Milliseconds—Why the Defense Process Needs to Change
Dominique Brezinski, Pyrogen

Why are attackers and worms so successful? Because the process we use to defend systems is too slow to protect against an opponent that uses a superior, faster process. Come watch me argue the case for this hypothesis and how the defense process might be changed in response.

A scenario is presented where a new vulnerability is disclosed at the same time a patch is made available and attackers and defenders are waiting to make use of the patch for their opposing purposes. The process both sides go through will be deconstructed using Boyd’s OODA loop model, and from the analysis we will see the attacker can win too often. Great.

Re-thinking the defense process, we will step back to see what we can generalize about vulnerabilities and the systemic conditions that make exploitation easier. We will also enumerate some general conditions that imply an exploit succeeded. From there I will take the stance that the defense process must be something that can be automated and discuss potential attributes of an automated response process. To put some meat on them bones there will be a demonstration of an implementation of an automated response system consistent with the one described. The demonstrated system will be made available, so you can tinker with it. We all love to tinker.

The presentation will try to stay out of the weeds and clouds, but still present some low-level technology and philosophical ideas. Attendees should gain some insight into the current state of attacker tools and methodologies and the possible future of computer defense. If nothing else attendees will be left with some Linux kernel modules and Python code that does some cool, geeky security juju. Come on, what more could you ask for?

Dominique Brezinski dabbles in things, from intrusion detection and response system developer to former AVP of Technology at In-Q-Tel. He has been employed by Amazon.com, Decru, In-Q-Tel, Secure Computing, Internet Security Systems, Cybersafe, and Microsoft in various security engineering, consulting, testing, research, and management roles over the past decade. Dominique currently serves on the technical advisory board of Sana Security. When not in front of the keyboard writing kernel modules or hacking with Python, he spends time climbing rock, since it is the only thing that makes the code go away.

VICE - Catch the Hookers!
Jamie Butler, Director of Engineering, HBGary, LLC
Greg Hoglund, Founder, Rootkit.com & HBGary, LLC

Rootkits are the backbone of software penetrations. They provide stealth and consistent access to a computer system. Rootkits employ technology for covert ex-filtration of data, IDS evasion, and anti-forensics. Rootkit technology is now incorporated into the most deadly of threats, network worms. Serious security professionals must understand rootkit technology in detail. Commercial anti-virus technology is woefully inadequate at dealing with the threat. There is no magic security tool that will protect your system. Rootkits now employ specific methods to evade many security utilities, including host-based intrusion prevention systems (HIPS).

This talk focuses on specific rootkit threats and more importantly, how intrusion-prevention software can be designed to detect these threats. Illustrated threats include direct kernel object manipulation (DKOM), hooking, and runtime code patching. We will release a new version of our freeware tool, called 'VICE', that can detect many of these rootkit threats.

Jamie Butler is the Director of Engineering at HBGary specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Root-kit Technologies." Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. He holds an MS in Computer Science from the University of Maryland, Baltimore County. Over the past few years his focus has been on Windows servers, concentrating in host-based intrusion detection and prevention; buffer overflows; and reverse engineering. Jamie is also a contributor at rootkit.com.

Greg Hoglund has spent the last few years working on automated reverse engineering problems. He has released several open source tools and presented on the subject matter at many security conferences. He founded HBGary, Inc. last year, his second commercial startup in the software security testing space. Hoglund recently authored the very successful book "Exploiting Software" (Addison Wesley). He offers the training program "Aspects of Offensive Rootkit Technology" several times a year. His side-projects include running the rootkit.com website.

Google Attacks
Patrick Chambet, IT Security Senior Consultant, EdelWeb - ON-X Group

Who knows that Google is a powerful attack tool for pen-testers, but also for other kinds of black hats? Few people are aware of how much critical information Google can display with some carefully crafted searches: IP addresses, network architectures, machine roles, sometimes passwords.

In this talk, we will consider ourselves as pen-testers. We won’t talk about classical spying and information warfare. The personal pen-tester experience of the speaker will be presented and some real-life cases will be described.

Patrick Chambet is a Senior Consultant within Edelweb SA (ON-X Group), a leading French company in the IT Security domain. With 8 years of experience in this domain, he is an expert in the security of Windows NT/2000/XP/2003 architecture, and in security audits and pen tests.

He has managed many missions in highly secured environments, including classified environments, and has led numerous audits and pen tests for large companies in several sectors.

He regularly talks at international briefings (INFOSEC, EUROSEC, SPIRAL, SSTIC, BlackHat Europe, JIP, ...). He teaches IT Security in some universities, and very often writes articles in professional newspapers. He collaborated on the creation of a newspaper about IT Security in France, called "MISC", read in Europe and Canada.

He is also an active member of the rstack team.

More information on his personal website.

Managing MSIE Security in Corporate Networks by Creating Custom Internet Zones
Patrick Chambet, IT Security Senior Consultant, EdelWeb - ON-X Group

Everyone is aware of MSIE vulnerabilities (real or potential), but a great number of administrators have to cope with MSIE in their corporate network. Few of them know and use some advanced security configuration options like Internet Zones and Policies.

This talk will explain how to create your own Internet Zones, how to configure them to respect your security policy, and how to allow only some ActiveX controls rather than all of them.

Some demonstrations will show that you can substantially secure the browsing habits of your users even if they use MSIE on your corporate network.

Patrick Chambet is a Senior Consultant within Edelweb SA (ON-X Group), a leading French company in the IT Security domain. With 8 years of experience in this domain, he is an expert in the security of Windows NT/2000/XP/2003 architecture, and in security audits and pen tests.

He has managed many missions in highly secured environments, including classified environments, and has led numerous audits and pen tests for large companies in several sectors.

He regularly talks at international briefings (INFOSEC, EUROSEC, SPIRAL, SSTIC, BlackHat Europe, JIP). He teaches IT Security in some universities, and very often writes articles in professional newspapers. He collaborated on the creation of a newspaper about IT Security in France, called "MISC", read in Europe and Canada.

He is also an active member of the rstack team.

More information on his personal website.

Program Semantics-Aware Intrusion Detection
Tzi-cker Chiueh, Professor, Stony Brook University/Rether Networks Inc.

One of the most dangerous cybersecurity threats is "control hijacking" attacks, which hijack the control of a victim application and execute arbitrary system calls assuming the identity of the victim program's effective user.

These types of attacks are viperous because they do not require any special set-up and because production-mode programs with such vulnerabilities appear to be widespread. System call monitoring has been touted as an effective defense against control hijacking attacks because it could prevent remote attackers from inflicting damage upon a victim system even if they can successfully compromise certain applications running on the system. However, the Achilles' heel of the system call monitoring approach is the construction of an accurate system call behavior model that minimizes false positives and negatives. This presentation describes the design, implementation, and evaluation of a Program Semantics-Aware Intrusion Detection system called PAID, which automatically derives an application-specific system call behavior model from the application's source code, and checks the application's run-time system call pattern against this model to thwart any control hijacking attacks.

The per-application behavior model is in the form of the sites and ordering of system calls made in the application, as well as its partial control flow. Experiments on a fully working PAID prototype show that PAID can indeed stop attacks that exploit non-standard security holes, such as format string attacks that modify function pointers, and that the run-time latency and throughput penalty of PAID are under 11.66% and 10.44%, respectively, for a set of production-mode network server applications including Apache, Sendmail, Ftp daemon, etc.

Dr. Tzi-cker Chiueh is currently an Associate Professor in the Computer Science Department of Stony Brook University, and the Chief Scientist of Rether Networks Inc. He received his B.S. in Electrical Engineering from National Taiwan University, M.S. in Computer Science from Stanford University, and Ph.D. in Computer Science from the University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER award in 1995. Dr. Chiueh's research interest is in computer security, network/storage QoS, and wireless networking. Dr. Chiueh's group developed the world's fastest array bound checking compiler, which incurs less than 10% run-time overhead compared with unchecked programs under Gcc, and built the world's fastest disk-based logging system, which accomplishes a single-sector disk write operation within 450 microseconds.

Hacking Without Re-Inventing the Wheel
Nitesh Dhanjani, Sr. Consultant, Ernst & Young's Advanced Security Center
Justin Clarke, Manager, Ernst & Young's Rudolph W. Giuliani Advanced Security Center in New York

Home-grown applications and services are increasingly being implemented in order to suit corporate and individual needs. These custom applications and services are also susceptible to vulnerabilities, which must be scanned for quickly and effectively. In addition, closed-source scanning tool vendors often do not release checks for vulnerabilities until it's too late, and these costly scanning tools do not offer vulnerability checks against custom-made applications and services that may be widely deployed by a corporation. In order to cope with this, individuals and companies are forced to develop their own scanning tools in order to quickly scan for and identify vulnerabilities. This talk will offer alternatives to developing scanning tools from scratch. There is no need to re-invent the wheel when open source tools such as Nessus, Hydra, and Nmap are flexible enough to allow their functionality to be extended through appropriate API and plugin facilities. This talk will teach the audience how to develop custom plugins for these popular tools in order to accomplish custom vulnerability scanning and enumeration needs.

Nitesh Dhanjani is a senior consultant for Ernst & Young's Advanced Security Center. He has performed network, application, web-application, wireless, source-code, host security reviews and security architecture design services for clients in the Fortune 500.

Nitesh is the author of "HackNotes: Unix and Linux Security" (Osborne McGraw-Hill). He is also a contributing author for the best-selling security book "Hacking Exposed 4" and "HackNotes: Network Security".

Prior to joining Ernst & Young, Nitesh worked as a consultant for Foundstone Inc., where he performed attack and penetration reviews for many significant companies in the IT arena. While at Foundstone, Nitesh both contributed to and taught parts of Foundstone's "Ultimate Hacking: Expert" and "Ultimate Hacking" security courses.

Nitesh has been involved in various educational and open-source projects and continues to be active in the area of system and Linux kernel development. He has published technical articles for various publications such as the O'Reilly Network.

Nitesh graduated from Purdue University with both a Bachelor's and a Master's degree in Computer Science. While at Purdue, he was involved in numerous research projects with the CERIAS (Center for Education and Research in Information Assurance and Security) team. During his research at Purdue, Nitesh was responsible for creating content for and teaching C and C++ programming courses to be delivered remotely as part of a project sponsored by IBM, AT&T, and Intel.

Justin Clarke is a Manager in Ernst & Young's Rudolph W. Giuliani Advanced Security Center in New York. He has over 6 years of security experience in network, web application, source code and wireless testing work for some of the largest organizations in the United States. Prior to joining E&Y in the US, Justin did corporate and government security work in New Zealand.

Justin is active in developing security tools for penetrating web applications, servers, and wireless networks, and as a compulsive tinkerer he can't leave anything alone without at least trying to see how it works. Justin got his Bachelor's degree in Computer Science from Canterbury University in New Zealand.

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis
Roger Dingledine, The Free Haven Project

Tor (second-generation Onion Routing) is a distributed overlay network that anonymizes TCP-based applications like web browsing, secure shell, and instant messaging. We have a deployed network of 30 nodes in the US and Europe, and the code is released unencumbered as free software. Tor's rendezvous point design enables location-hidden services—users can run a standard webserver or other service without revealing its IP.

I'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and how user applications interface to it. I'll show a working Tor network, and invite the audience to connect to it and use it.

Roger Dingledine is a security and privacy researcher. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users. Currently he consults for the US Navy to design and develop systems for anonymity and traffic analysis resistance. Recent work includes anonymous publishing and communication systems, traffic analysis resistance, censorship resistance, attack resistance for decentralized networks, and reputation.

Insecure IP Storage Networks: Problems with Network Attached Storage (NAS)
Himanshu Dwivedi, Director of Security Architecture, @stake, Inc.

The presentation will discuss the security problems with enterprise storage architectures using Network Attached Storage (NAS) devices, such as filers, NAS heads, and NAS gateways. The key objective of the presentation is to show the exposure of sensitive data and confidential information sitting on NAS devices. The presentation will demonstrate how storage devices, such as EMC and NetApp filers, are no more secure than the weak protocols that they support, such as NFS, CIFS, FTP, and even HTTP.

The session will show common weaknesses with NAS devices supporting NFS and CIFS. Additionally, a demonstration of the attacks that can be executed on NAS filers supporting NFS or CIFS will be shown. Furthermore, the presentation will discuss how data stored in a default NAS installation is just as insecure as any default operating system, making NAS security equally as important as that of other entities in local area networks.

Himanshu Dwivedi is a Director of Security Architecture at @stake, Inc. At @stake, Himanshu leads the Storage Center of Excellence (CoE), which focuses research and training around storage technology, including Network Attached Storage (NAS) and Storage Area Networks (SAN). Himanshu is considered an industry expert in the area of SAN security, specifically Fibre Channel Security. Himanshu has given numerous presentations and workshops regarding security in SANs, including the SNIA Security Summit, BlackHat Security Conference, Storage Networking World, TechTarget, the Fibre Channel Conference, SAN-West, SAN-East, etc.

Himanshu currently has a patent pending on a storage design architecture that he co-developed with other @stake professionals (U.S. Patent Serial No. 10/198,728). Additionally, Himanshu has written two published books and has written a storage security chapter for a third. The book titles include The Complete Storage Reference – Chapter 25 (McGraw-Hill/Osborne), Storage Security Handbook (Neoscale Publishing), and Implementing SSH: Strategies for Optimizing the Secure Shell (Wiley Publishing). Furthermore, Himanshu has also published two white papers, titled “Storage Security” (http://www.atstake.com/research/reports/index.html) and “Securing Intellectual Property” (http://www.vsi.org/cgiscripts/ippwp3request.htm).

Attacking Obfuscated Code with IDA Pro
Chris Eagle, Associate Chairman, Computer Science Department Naval Postgraduate School

Virtually every virus and worm that circulates the Internet today is "protected" by some form of obfuscation that hides the code's true intent. In the Windows world, where worms prevail, the use of tools such as UPX, ASPack, and teLock has become standard. Protection of malicious code is not the only goal of binary obfuscators, however; they can also be used to protect intellectual property. In the Linux world, tools such as Burneye and Shiva exist which can be used in ways similar to any Windows obfuscation tool.

To fight such methods, analysts have created specific tools or techniques for unraveling these code obfuscators in order to reveal the software within. To date, in the fight against malware, anti-virus vendors have had the luxury of focusing on signature development since obfuscation of malware has presented little challenge. To combat this, malware authors are rapidly morphing their code in order to evade quickly developed and deployed signature-matching routines. What will happen when malware authors begin to morph their obfuscation techniques as rapidly as they morph their worms?

While not designed specifically as a malware protection tool, one program, Shiva, aims to do exactly that. Shiva forces analysis of malicious code to be delayed while analysts fight through each novel mutation of Shiva's obfuscation mechanism. This, in effect, provides the malware a longer period of time to wreak havoc before countermeasures can be developed.

This talk will focus on the use of emulated execution within IDA Pro to provide a generic means for rapidly deobfuscating protected code. Capabilities of the emulation engine will be discussed and the removal of several types of obfuscation will be demonstrated. Finally, the development of standalone deobfuscation tools based on the emulation engine will be discussed.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 18 years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering.

Information Hiding in Executable Binaries
Rakan El-Khalil

Information Hiding techniques are much researched in the context of watermarking or fingerprinting images and sound files, mainly as a means of copyright protection and piracy prevention/detection. Those media offer a significant amount of redundancy, thus lending themselves to the implementation of robust IH systems. Executables, however, do not offer such amounts of redundancy, and have thus far proven to be a difficult and rarely used medium for steganographic and other IH purposes. The aim of this talk is to be an introduction to IH, with a thorough coverage of state-of-the-art techniques for embedding into binaries. Hydan, a tool for performing such embeddings in machine code, will be presented. In addition to typical IH uses [steganography, watermarking], the tool and techniques shown can be used in anti-reverse engineering, trusted application execution, to frustrate some buffer overflow attacks, and as an engine for metamorphic viruses. An interesting effect of the tool is that the executable remains the same size before and after embedding, while of course remaining functionally equivalent.

Rakan El-Khalil is currently on sabbatical in France. He is a recent MS CS graduate from Columbia University. While he was there he worked on a variety of projects at the CS Research Lab, such as an IDS that uses machine-learned models to detect network threats, and a syscall-based permission system on OpenBSD [predating systrace]. He was also responsible for the short-lived official KaZaA Linux client `kza'. Currently he is involved with The Bastard, a powerful Linux disassembler, and has been researching steganography and information hiding in machine code.

The Laws of Vulnerabilities for Internal Networks
Gerhard Eschelbeck, Chief Technology Officer & Vice President of Engineering, Qualys, Inc.

New vulnerabilities in internal networks are discovered and published on a daily basis. With each such announcement, the same questions arise. How significant is this vulnerability? How prevalent is this vulnerability? How easy is this vulnerability to exploit? Are any of my systems affected by this vulnerability? Due to the lack of global vulnerability data, answers to these questions are often hard to find and risk rating is even more difficult.

As part of ongoing research, Gerhard Eschelbeck of Qualys, Inc. has been gathering statistical vulnerability information for more than two years. Those vulnerabilities have been identified in the real world across hundreds of thousands of systems and networks. Users of the QualysGuard network security audit and vulnerability management web service and any of its related free evaluation services are automatically generating the raw data. This data is not identifiable to individual users or systems. However, it provides significant statistical data for research and analysis, which enabled Gerhard to define the Laws of Vulnerabilities for Internal Networks.

The Laws of Vulnerabilities for Internal Networks is derived from vulnerability data gathered during the past 30 months from over five million scans of individual systems. During this timeframe a collective amount of more than three million vulnerabilities—reflecting five different levels of severity—has been identified. Furthermore, the responses to external events (i.e. availability of an exploit or worm taking advantage of a vulnerability) have been studied for the declaration of this new law.

The presentation will also update the Laws of Vulnerabilities for Network Perimeters, originally presented at Black Hat in 2003.

Gerhard Eschelbeck is chief technology officer and vice president of engineering for Qualys, Inc. The QualysGuard network security audit and vulnerability management web service he created secures more than 150 Fortune 1000 companies. Among the company’s 1,400 customers are Hershey Foods, Hewlett Packard, and The Thomson Corporation. Gerhard is a respected teacher, speaker, researcher and writer. His published topics include Active Security, Automating Security Management, and Multi-Tier IDS. He holds several patents on inventions for security integration and security management. Gerhard is also founder of IDS GmbH, a secure remote tool company acquired by McAfee. Gerhard teaches in the field of network security at his alma mater, the University of Linz, Austria, where he earned Masters and Ph.D. degrees in computer science. Gerhard speaks regularly at events such as RSA, InfoSec, SANS, and CSI. He can be reached at ge@qualys.com. This is Gerhard’s second speech at Black Hat.

Vulnerability Finding in Win32—A Comparison
FX, Phenoelit

There are several well-known techniques for finding a vulnerability in a closed-source product running on the Windows family of operating systems. Researchers tend to prefer one over the other for many different reasons. But a person entering the field and facing the problem of choosing the techniques appropriate for one particular task is often not aware of the pros and cons of each technique.

This talk will compare the most widely used techniques, where their strong and weak points are and how to combine them to perform vulnerability analysis on closed source applications. The techniques covered are:

  • Strictly manual testing
    This method requires little to no extra tools and proves to still be one of the most effective when it comes to security vulnerabilities in custom applications, especially with proprietary protocols and interfaces.
  • Fuzzing
    In the last years, fuzzing became very popular as a vulnerability finding method. It can be done with home-grown scripting as well as with more or less professional tools. Both approaches and the tools available will be discussed.
  • Static Binary Analysis
    Static binary analysis is perhaps the most well-established method for analyzing binaries of all types, not only for security vulnerabilities. The results are often hard-to-find but high-impact vulnerabilities in critical services. Required tools and prerequisite knowledge as well as ways to estimate the time required will be discussed.
  • Binary Diff
    This fairly recent method will be covered briefly, showing the effectiveness of static binary analysis combined with advanced techniques, with a focus on the real-world application of vulnerability analysis.
  • Runtime Analysis
    This method, with its roots in ancient computer ages, is lately less often used for vulnerability analysis but can prove very effective. Especially in situations where the other methods show unexpected weaknesses, runtime analysis can reduce the time required drastically.

FX is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.

Cyber Jihad and the Globalization of Warfare: Computer Networks as a Battle Ground in the Middle East and Beyond
Peter Feaver, Alexander F. Hehmeyer Professor of Political Science & Public Policy, Duke University
Kenneth Geers, Analyst, Computer Investigations and Operations, Navy NCIS

This briefing addresses the world's first global Internet war: the cyber skirmishes associated with the Palestinian intifadah. What started out as a localized conflict spread to battles around the globe as forces sympathetic to either the Israelis or the Palestinians joined the fray. With the Middle East cyber war as a backdrop, this presentation will cover the ways in which people can try to affect the course of world history through coordinated action in cyberspace.

The authors first describe the globalized and asymmetric nature of modern warfare, the asymmetry of computer hacking, and the psychology of subcultures. They outline the legal issues surrounding cyber warfare, from the perspective of a lone hacker to a massive government intelligence service, and discuss the problems inherent in cyber retaliation and in the prosecution of hackers.

On the technical side, this briefing discusses the targeting of Internet sites for attack, and the strategies used by hackers to bring them down or merely leverage them in more subtle ways to support their cause. The primary focus is the means used by cyber commanders to accomplish political and/or social goals, in particular the creation of Web portals through which their foot soldiers are able to unite and rain network packets down upon their enemies.

Finally, this briefing examines the difference between the perception and the reality of cyber attacks. We address the strategies that national governments are employing to combat the threat, the potential impact of cyber attacks on military operations, and the vexing problem of Denial of Service attacks, Web defacements, and free speech. The authors assess the threat and the limits of the more powerful weapons in the cyber arsenal, and consider who might be the biggest target of cyber attacks in the coming years.

Peter D. Feaver (Ph.D., Harvard, 1990) is the Alexander F. Hehmeyer Professor of Political Science and Public Policy at Duke University and Director of the Triangle Institute for Security Studies (TISS). Feaver is co-directing (with Bruce Jentleson) a major research project funded by the Carnegie Corporation, "Wielding American Power: Managing Interventions after September 11." Feaver is author most recently of "Armed Servants: Agency, Oversight, and Civil-Military Relations" (Harvard Press, 2003), and co-author, with Christopher Gelpi, of "Choosing Your Battles: American Civil-Military Relations and the Use of Force" (Princeton University Press, 2004). He is co-editor, with Richard H. Kohn, of "Soldiers and Civilians: The Civil-Military Gap and American National Security" (MIT Press, 2001); and author of "Guarding the Guardians: Civilian Control of Nuclear Weapons in the United States" (Cornell University Press, 1992). He has published several other monographs and over thirty articles and book chapters on American foreign policy, nuclear proliferation, civil-military relations, information warfare, and U.S. national security. He won the Duke Alumni Distinguished Undergraduate Teaching Award in 2001 and the Trinity College Distinguished Teaching Award in 1994-95. In 1993-94, Feaver served as Director for Defense Policy and Arms Control on the National Security Council at the White House, where his responsibilities included counterproliferation policy, regional nuclear arms control, the national security strategy review, and other defense policy issues. He is a Lieutenant Commander in the U.S. Naval Reserve (IRR). He is married to Karen Feaver, and they have three children, two sons and a daughter.

Kenneth Geers (M.A., University of Washington, 1997) is a Computer Investigations & Operations analyst with the Naval Criminal Investigative Service (NCIS). His career at the Department of Defense also includes work at the National Security Agency, the Defense Intelligence Agency, an SAIC nuclear arms control support team, the John F. Kennedy Assassination Review Board, and the U.S. embassy in Brussels, Belgium. He is an expert in French and Russian, who finished first in a class of seventy at the Defense Language Institute at the Presidio of Monterey. Mr. Geers is the author of training and testing software to prepare U.S. Army Major Commands for Russian strategic arms inspections, and he has designed multiple U.S. Army Space and Missile Defense Command websites devoted to arms control. These days, he spends his time analyzing computer and network logs of all types. In his free time, he plays chess and serves as a SANS mentor in the Washington D.C. area. Over the years, he has taken the opportunity to see the world, stopping long enough to wait tables in Luxembourg, harvest grapes in the Middle East, climb Mount Kilimanjaro, and set his alarm clock for 3 AM in a strict Trappist monastery. He loves his wife Jeanne, and daughters Isabelle and Sophie.

Diff, Navigate, Audit: Three Applications of Graphs and Graphing for Security
Halvar Flake, Reverse Engineer, Black Hat

Halvar Flake is Black Hat's resident reverse engineer. Originating in the field of copy protection, he moved more and more towards network security after realizing the potential of reverse engineering as a tool for vulnerability analysis. He spends most of his screen time in a disassembler (or developing extensions for the disassembler), likes to read source code diffs with his breakfast and enjoys giving talks about his research interests. He drinks tea but does not smoke camels.

Pocket PC Abuse: To Protect and Destroy
Seth Fogie, VP, Airscanner

When most people look at a PDA, they see a harmless device that is handy for keeping a few notes, or maybe playing solitaire. What they don't realize is that this seemingly innocuous device is vulnerable to many of the same standard security threats that its big brother, the PC, faces on a routine basis. As a result, these little computers are often passed over as a security risk, which is good news for those with malicious intent.

This talk will start with a short overview of reverse-engineering Pocket PC (Windows Mobile) binaries, followed by several examples that segue into demonstrations of a live Pocket PC backdoor/Trojan and a nasty little buffer overflow attack. From here we examine airborne viruses and finish with several examples/demonstrations of how a PDA can be useful as a malicious hacker's tool.

Seth Fogie is the VP of Dallas-based Airscanner Corporation, where he oversees the development of security software for the Windows Mobile (Pocket PC) platform. Seth recently earned his Masters Degree in Information Technology, and has worked in several IT-related fields, from IT Manager to ISP support specialist. He has co-authored four technical books on information security, including the top-selling "Maximum Wireless Security" from SAMS, and the recently released "Security Warrior" from O'Reilly. Mr. Fogie frequently speaks at IT and security conferences, including Defcon (10 & 11), CSI, and Dallascon. In addition, Seth has co-authored the HIPAA medical education course for the Texas Medical Associate and is acting Site Host for Security at Pearson Education's "InformIT.com" website, where he writes articles and reviews/manages weekly information security related books and articles.

Managing Hackers: The Top 8 Rules for Creating Productive Security Teams
James C. Foster (CISSP, CCSE), Deputy Director, Global Security Development for CSC

While commonly entrenched within bleeding-edge technology, most forget the importance and art of management and of getting the very best out of your personnel investment – a.k.a. your largest and most valuable corporate asset. This talk aims to address the eight critical focal points that all information security managers must recognize and take action upon to ensure the ongoing success of their team. Building from the lessons learned and implemented while at Harvard, Wharton, Guardent, Foundstone, and now CSC, Foster will overview the “Top 8” principles for building and managing world-class information security teams.

James C. Foster (CISSP, CCSE), Deputy Director, Global Security Development for CSC, is responsible for the technical vision and development of security solutions within CSC. Prior to joining CSC, Foster was the Director of R&D for Foundstone Inc. and responsible for all aspects of product and corporate R&D initiatives. Foster was also a Senior Advisor and Research Scientist with Guardent Inc. (acquired by Verisign) and an adjunct author at Information Security Magazine (acquired by TechTarget). Foster has co-authored or contributed to books including Snort 2.0, Snort 2.1, Hacking Exposed 4th Ed, Special Ops Security, Intrusion Detection and Prevention, Anti-Hacker Toolkit 2nd Ed, Hacking the Code, and Anti-Spam Toolkit. Foster has an AS, BS, and MBA and is currently a fellow at the University of Pennsylvania's Wharton School of Business.

Antivirus Software Tests: What you Need to Know!
Sarah Gordon, Senior Research Fellow, Symantec Corporation

There is a plethora of antivirus software tests available—magazines, universities, and commercial organizations abound with reports of antivirus software performance. However, you need to know what these tests actually measure in order to evaluate and interpret the test—and that may be more complicated than it sounds! For example, tests that show “100% detection” may not tell you that it took the product 4 tries to get there, or that the things it's detecting aren’t even viruses; some testers may create or modify viruses for testing, creating a test that looks and sounds sexy and inviting—but that does not measure what users are likely to encounter. This fast-paced presentation examines the current state of affairs in antivirus software testing and takes a look at the strengths and weaknesses of available tests so that you can more critically evaluate the tests that help you make decisions about protecting your corporation’s data.

Sarah Gordon is a Senior Research Fellow at Symantec Security Response. Her current research areas include testing and standards for antivirus and security software, privacy issues, cyberterrorism and psychological aspects of human/computer interaction. She has been featured in diverse publications such as IEEE Monitor, The Wall Street Journal and Time Digital, and profiled by PBS, ITN, and CNN International. A highly sought-after speaker, Sarah has presented at conferences ranging from DEFCON to Govsec. She serves on the Editorial Board for Elsevier Science Computers and Security Journal, and is Senior Editor of Network Security Magazine. She also serves on the Advisory Board of Virus Bulletin, and is both a co-founder and board member of The WildList Organization International. She is just completing a four-year term as Technical Director of The European Institute for Computer Antivirus Research, where she also serves on the organization's conference committee.

Responsible for security testing and recommendation for The United Nations, Sarah participates in various initiatives for Homeland Security and Infrastructure Protection. She was chosen to represent the security industry in "Facts on File: Careers for Kids who Like Adventure"; her work in ethics, technology and profiling computer criminals is required coursework in various academic information security programs. She is committed to excellence in information security education, guest lecturing at Universities world-wide on topics ranging from virus writers and hackers to the truth about cyberterrorism.

Sarah's undergraduate work focused on special projects in both UNIX system security and ethical issues in technology. She holds a Master's Degree in Professional Counseling/Human Behavior. Prior to joining Symantec, she worked with the Massively Distributed Systems Group at IBM's Thomas J. Watson Research Laboratory in New York in the AntiVirus Research and Development Team. She lives with her husband Richard in Florida, where she enjoys singing, songwriting, swimming, shelties and sunsets.

Privacy: Do As I Say….Not as I Do!
Sarah Gordon, Senior Research Fellow, Symantec Corporation

We’ve heard the saying “Do As I Say, Not as I Do”—and it applies now to information security! People say they value privacy—defined herein as the control of disclosure of information about themselves and/or their transactions. This is true almost universally, even when they differ on their definition of control or what is ‘private’ data. However, despite this valuation, you may be shocked to learn that many people—specifically information security professionals—do not conform to functional behaviours that reinforce this control, putting valuable information of all types at risk. The study upon which this presentation is based showed that information security professionals in the US, UK and EU often fail to take advantage of technical and policy solutions that could help mitigate risks to their corporation. It is a wake-up call for corporations worldwide, and challenges the attendee to examine his or her own behaviour in light of his or her corporate security culture.

Sarah Gordon is a Senior Research Fellow at Symantec Security Response. Her current research areas include testing and standards for antivirus and security software, privacy issues, cyberterrorism and psychological aspects of human/computer interaction. She has been featured in diverse publications such as IEEE Monitor, The Wall Street Journal and Time Digital, and profiled by PBS, ITN, and CNN International. A highly sought-after speaker, Sarah has presented at conferences ranging from DEFCON to Govsec. She serves on the Editorial Board for Elsevier Science Computers and Security Journal, and is Senior Editor of Network Security Magazine. She also serves on the Advisory Board of Virus Bulletin, and is both a co-founder and board member of The WildList Organization International. She is just completing a four-year term as Technical Director of The European Institute for Computer Antivirus Research, where she also serves on the organization's conference committee.

Responsible for security testing and recommendation for The United Nations, Sarah participates in various initiatives for Homeland Security and Infrastructure Protection. She was chosen to represent the security industry in "Facts on File: Careers for Kids who Like Adventure"; her work in ethics, technology and profiling computer criminals is required coursework in various academic information security programs. She is committed to excellence in information security education, guest lecturing at Universities world-wide on topics ranging from virus writers and hackers to the truth about cyberterrorism.

Sarah's undergraduate work focused on special projects in both UNIX system security and ethical issues in technology. She holds a Master's Degree in Professional Counseling/Human Behavior, and a PhD in Computer Science. Prior to joining Symantec, she worked with the Massively Distributed Systems Group at IBM's Thomas J. Watson Research Laboratory in New York in the AntiVirus Research and Development Team. She lives with her husband Richard in Florida, where she enjoys singing, songwriting, swimming, shelties and sunsets.

A Historical Look at Hardware Token Compromises
Joe Grand, President & CEO, Grand Idea Studio, Inc.

This talk examines the details behind successful hardware attacks on early authentication tokens: two USB devices and one iButton device. We'll be looking at the methods used to compromise the devices and gain access to private data stored on them without having legitimate credentials. Our attacks were based on an approach of using only common, off-the-shelf tools, yet we still succeeded in defeating the security features. While learning from history is important to avoid repeating the same design mistakes, we'll also look at some of the newer authentication tokens and hypothesize about potential attacks.

Joe Grand is the President and CEO of Grand Idea Studio, a product development and intellectual property licensing firm.

A nationally recognized name in computer security, Joe's pioneering research on mobile devices, digital forensics, and embedded security analysis is published in various industry journals. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty", a co-author of "Stealing The Network: How to Own A Continent", and is a frequent contributor to other texts. As an electrical engineer, Joe specializes in the invention and design of breakthrough concepts and technologies. Many of his creations including consumer electronics, medical products, video games, and toys are licensed worldwide.

Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He has presented his work at numerous academic, industry, and private forums, including the United States Air Force Office of Special Investigations and the IBM Thomas J. Watson Research Center. Joe holds a BSCE from Boston University.

Introduction to Embedded Security
Joe Grand, President & CEO, Grand Idea Studio, Inc.

The design of secure hardware is often overlooked in the product development lifecycle, leaving many devices vulnerable to hacker attacks resulting in theft of service, loss of revenue, or a damaged reputation. Many times, products must be redesigned after a harmful incident, which raises overall development costs and increases time-to-market. This paper focuses on general concepts for secure hardware design coupled with practical examples. Topics in this talk include recommendations on incorporating security into the product development cycle, attack and threat models, and design solutions for enclosure, circuit board, and firmware layers.

Joe Grand is the President and CEO of Grand Idea Studio, a product development and intellectual property licensing firm.

A nationally recognized name in computer security, Joe's pioneering research on mobile devices, digital forensics, and embedded security analysis is published in various industry journals. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty", a co-author of "Stealing The Network: How to Own A Continent", and is a frequent contributor to other texts. As an electrical engineer, Joe specializes in the invention and design of breakthrough concepts and technologies. Many of his creations including consumer electronics, medical products, video games, and toys are licensed worldwide.

Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He has presented his work at numerous academic, industry, and private forums, including the United States Air Force Office of Special Investigations and the IBM Thomas J. Watson Research Center. Joe holds a BSCE from Boston University.

Legal Liability and Security Incident Investigation
Jennifer Stisa Granick, Lecturer in Law and Executive Director of the Center for Internet and Society (CIS) at Stanford University

Companies and governments use various techniques to investigate when computer break-ins happen, and to learn more about potential intruders. But these techniques can invade the privacy of entities other than the suspect, and violate privacy laws. Additionally, regulations may define different investigative techniques themselves as attacks or intrusions. There is little legal guidance in this area, and a lot of uncertainty. This talk will discuss the legality of network scans, war driving, borrowing wireless connectivity, sniffers, "hack-back", social engineering and other techniques under U.S. law.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

RF-ID and Smart-Labels: Myth, Technology and Attacks
Lukas Grunwald, CTO, DN-Systems Enterprise Internet Solutions GmbH

This talk provides an overview of RF-ID Smart-Labels, small labels on products with an embedded microchip and an antenna. Smart-Labels store the product and serial number, expiration date, etc., and can be read from a distance.

The industry is planning to put these labels with an international product code on every product within the next decade, effectively replacing the old bar-code system. Some stores already use Smart-Labels, for example certain pharmacies in the US, and in Europe the Metro Group in their Future Store.

At the end of this talk there is a practical demonstration of RF-DUMP, my tool to read and write Smart-Labels, check their meta-data and manipulate it.

Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany)—a globally operating consulting office working mainly in the field of security and internet/eCommerce solutions for enterprises.

Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in the security of wireless and wired data and communication networks, Forensic Analysis, Audits and Active Networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in conferences such as Hackers at Large, Hacking in Progress, Network World, Internet World, Linux World (USA/Europe), Linux Day Luxembourg, Linux Tag, and the CeBIT Conference.

NoSEBrEaK - Defeating Honeynets
Thorsten Holz, RWTH-Aachen University
Maximillian Dornseif, RWTH-Aachen University

Honeynets are one of the more recent toys in the white-hat arsenal. They are usually assumed to be hard to detect, and attempts to detect or disable them can be unconditionally monitored. Sometimes it is even suggested that deploying honeynets is a way to increase security.

We scrutinize this assumption and demonstrate a method by which a host in a honeynet can be completely controlled by an attacker without any substantial logging taking place. We show how to detect honeynets, circumvent logging on a honeynet and finally 0wn a honeynet hard, disabling all of a honeypot's security features, and present the tools to do so.

While the talk is fairly technical, a basic knowledge of how shellcode and the like works should be enough to follow it.

Maximillian Dornseif studied law and computer science at the University of Bonn, Germany, where he wrote his PhD thesis on the "Phenomenology of Cybercrime". He has been doing security consulting since the mid nineties. His clients have included industry as well as government. At the moment he works on a third-party-funded research project on the measurement of security and security breaches at the Laboratory for Dependable Distributed Systems, RWTH Aachen University. He also oversees several other projects in the area of detection and documentation of security incidents. Dornseif has published in the legal and computer science fields on a wide range of topics.

Thorsten Holz is a research student at the Laboratory for Dependable Distributed Systems at RWTH Aachen University where he is trying to bring a solid scientific foundation to Honeynet research. He is going to graduate next spring and will probably continue his studies as a Ph.D. student.

Blind SQL Injection Automation Techniques
Cameron Hotchkies, 0x90.org

Because of improper software design and implementation practices, the number of web-based applications vulnerable to SQL injection is still alarmingly high. Yet the actual steps used to exploit these applications remain very tedious and repetitive. This presentation will focus on methods available to automate the task of exploiting blind SQL injection holes and will discuss the use of pattern recognition in the domain of web applications. This talk will also feature a new tool, "SQueaL", and explain some of the research, decisions and algorithms used in the creation of this tool.

Cameron Hotchkies, aka nummish, is a member of the 0x90.org digital think-tank. He currently works outside the security industry developing business-based web applications on the .NET platform. Outside of work, he generally spends most of his time writing code. Some people have suggested he get out more. He is currently struggling to write code to teach him how to properly pronounce the word "about".


WorldWide WarDrive 4: An Analysis of Wireless Security Trends
Chris Hurley aka Roamer

The WorldWide WarDrive is an effort by security professionals and hobbyists to generate awareness of the need for individual users and companies to secure their access points. The goal of the WorldWide WarDrive (or WWWD) is to provide a statistical analysis of the many access points that are currently deployed. Chris Hurley (aka Roamer), the founder of the WorldWide WarDrive, will present a statistical analysis of the results from the fourth WorldWide WarDrive and a comparison of those results with past years.

Chris Hurley (aka Roamer) is an Information Assurance Engineer working in the Washington D.C. area and is the author of "WarDriving: Drive, Detect, Defend: A Guide to Wireless Security" from Syngress Publishing. His experience ranges from security engineering and architecture to vulnerability assessments and penetration testing on both wired and wireless networks. In addition to running the WorldWide WarDrive he organizes the annual DefCon WarDriving contest.


The Black Ops of DNS
Dan Kaminsky, aka Effugas, Senior Security Consultant, Avaya's Enterprise Security Practice

The Domain Name System is a powerful, flexible, and integral part of the Internet. Somewhat analogous to the 411 information service offered throughout the American telephone system, DNS's most common use is to translate names, such as www.blackhat.com, to addresses, such as 216.231.63.34. But behind this deceptively simple operation lies a complex and interesting system, distributed widely but with a deeply centralized core. Though most commonly used to execute simple translations of the sort mentioned earlier, three aspects of the machinery lend themselves to more creative exploits. By creatively abusing the hierarchical, recursive, and cache-oriented nature of the multi-million-node DNS architecture, we can effect a range of unexpected functionality, including firewall penetration, bidirectional anonymous communication, large scale data transmission, and even "Voice over DNS".
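The "large scale data transmission" and "firewall penetration" items rest on one mechanic: any host that can resolve names can push arbitrary bytes out as query names, and a recursive resolver will faithfully carry them to whoever is authoritative for the domain. The following is an added example for this page, not the speaker's code or tooling. It packs a byte string into query names that respect the DNS size limits (63 octets per label, 253 characters per name), tags each with a sequence number so that caches never short-circuit a query, and reassembles the payload on the receiving side even when the queries arrive out of order. The domain and session label are assumed for the illustration; sending the queries over a real resolver is left out.

```python
import base64

MAX_LABEL = 63   # RFC 1035 limit on a single label, in octets
MAX_NAME = 253   # practical limit on a name in presentation form
SEQ_DIGITS = 5   # sequence-number label; makes every name unique


def _b32(data: bytes) -> str:
    # base32 is safe inside a label and survives case folding by resolvers;
    # the '=' padding is dropped here and restored on decode.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def encode_queries(data: bytes, domain: str, session: str) -> list:
    """Split data into names of the form
    <seq>.<payload labels>.<session>.<domain>, each within DNS size limits."""
    fixed = SEQ_DIGITS + 1 + len(session) + 1 + len(domain)
    labels_per_query = (MAX_NAME - fixed) // (MAX_LABEL + 1)
    if labels_per_query < 1:
        raise ValueError("domain suffix leaves no room for payload")
    per_query = labels_per_query * MAX_LABEL
    text = _b32(data)
    names = []
    for seq, start in enumerate(range(0, len(text), per_query)):
        chunk = text[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join([str(seq).zfill(SEQ_DIGITS), *labels, session, domain]))
    return names


def is_valid_name(name: str) -> bool:
    """Check the two limits a resolver or server would enforce."""
    labels = name.split(".")
    return len(name) <= MAX_NAME and all(0 < len(lab) <= MAX_LABEL for lab in labels)


def decode_queries(names: list, domain: str, session: str) -> bytes:
    """Reassemble the payload from the names seen at the authoritative
    server. Queries may arrive out of order or twice (resolver retries),
    so pieces are keyed by sequence number rather than arrival order."""
    suffix = f".{session}.{domain}"
    pieces = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        pieces[int(labels[0])] = "".join(labels[1:])
    text = "".join(pieces[k] for k in sorted(pieces))
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text, casefold=True)


if __name__ == "__main__":
    sample = b"constructed payload " * 40
    queries = encode_queries(sample, "t.example.org", "s1")
    print(len(queries), "queries, first:", queries[0][:60], "...")
    assert decode_queries(list(reversed(queries)), "t.example.org", "s1") == sample
```

The sequence label is what defeats the cache-oriented design the abstract mentions: an identical name asked twice is answered from the recursor's cache and never reaches the authoritative server, so a tunnel must make every name unique. The reverse direction (server to client) rides on the answer records instead and is not shown here.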

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", was a co-author of "Stealing The Network: How To Own The Box", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

You can contact Dan at: kaminsky at avaya døt com and www.avaya.com/security


Nobody’s Anonymous—Tracking Spam and Covert Channels
Curtis Kret, Researcher, Secure Science Corporation

Viagra! Work from home! Who sends this stuff? And what if not all spam is what it appears to be? This talk discusses forensic methods for identifying forged emails and tracking individual senders who would otherwise be anonymous.

This presentation demonstrates how to apply data forensics to spam in order to identify the sender of specific spam messages. Some senders can be identified by name, while others can be distinguished by attributes such as preferences, nationality, religion, and even left-handedness. Five spam categories are provided that classify spam by function, including List Makers, Scams, and Covert Communication channels. The examples provided include full-disclosure case studies: a phishing gang that targets bank customers with malware and impersonations, and an IRC group that uses spam as a covert communication channel.
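The first forensic step on a forged message is the Received chain: each relay prepends a line naming the host it accepted the message from, and the sender can forge every line except the ones written by servers you control. The following is an added example for this page, not the speaker's method or code. It parses a constructed phishing-style message (documentation IP ranges, invented hostnames), walks the chain from the newest hop down through the relays given as trusted, and reports the outermost hop it can vouch for together with the mismatches that mark the From: line as forged. The trusted-relay set and the indicator names are assumptions for the illustration.

```python
import email
import email.utils
import re
from typing import Optional

# Constructed sample message. Header order follows RFC 5322 practice: the
# top Received line is the most recent hop. Addresses are documentation
# ranges; nothing here comes from a real spam run.
SAMPLE = """\
Received: from mail.relay.example (mail.relay.example [192.0.2.10])
    by mx.victim.example (Postfix) with ESMTP id 4C1A2B
    for <user@victim.example>; Mon, 26 Jul 2004 10:00:04 -0700
Received: from smtp.bigbank.example (unknown [203.0.113.45])
    by mail.relay.example (Postfix) with SMTP id 9F8E7D;
    Mon, 26 Jul 2004 09:59:51 -0700
From: "Big Bank Security" <security@bigbank.example>
To: user@victim.example
Subject: Verify your account
Message-ID: <20040726095950.1234@bigbank.example>

Your account has been suspended. Log in at the link below.
"""

# "from <HELO name> (<reverse DNS or 'unknown'> [<ip>]) ... by <host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r".*?\bby\s+(?P<by>[\w.-]+)"
)


def parse_hops(raw: str) -> list:
    """Return one dict per Received header, newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    return hops


def find_origin(hops: list, trusted: set) -> Optional[dict]:
    """Walk from the newest hop down. A line's 'from' fields are only as
    credible as the server that wrote it, so stop at the first line not
    written by a trusted relay; the last credible line's 'from' is the origin."""
    for hop in hops:
        if hop["by"] not in trusted:
            break
        if hop["rdns"] not in trusted:
            return hop
    return None


def analyze(raw: str, trusted: set) -> dict:
    msg = email.message_from_string(raw)
    from_domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    origin = find_origin(parse_hops(raw), trusted)
    indicators = []
    if origin is None:
        indicators.append("no_trusted_chain")
    else:
        helo = origin["helo"].lower()
        if origin["rdns"] in (None, "unknown"):
            indicators.append("no_reverse_dns")
        # The origin announced itself with the From: domain but the relay's
        # reverse lookup did not confirm it: the classic forged-sender sign.
        if helo.endswith(from_domain) and origin["rdns"] != helo:
            indicators.append("helo_claims_from_domain_unverified")
    return {"from_domain": from_domain, "origin": origin, "indicators": indicators}


if __name__ == "__main__":
    print(analyze(SAMPLE, {"mx.victim.example", "mail.relay.example"}))
```

Which hop counts as "origin" depends entirely on which relays you trust: with only the final MX trusted, the analysis can vouch for nothing beyond the relay that handed the message over, which is why the same message yields a different origin IP for a different trusted set. Attribute-level profiling of the sender (the nationality, handedness and similar cues the abstract mentions) starts from the body and the client-generated headers, not from this chain.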

Curtis Kret has a Ph.D. in Computer Science and over 15 years of computer security experience. His current research focuses on methods to track “anonymous” people and applying the research to spam. Dr. Kret is a researcher for Secure Science Corporation’s External Threat Assessment Team.

Secure Science Corporation is a professional services and software company that develops advanced technology dedicated to protecting online assets.  Secure Science Corporation is pioneering innovative ways to transform the Internet into a secure environment for both online communications and transactions.


Bluesnarfing - The Risk From Digital Pickpockets
Adam Laurie, Chief Security Officer, A.L. Digital Ltd & The Bunker
Martin Herfurt, Salzburg Research Forschungsgesellschaft mbH

In November 2003, Adam Laurie of A.L. Digital Ltd. discovered serious flaws in the authentication and data transfer mechanisms on some Bluetooth-enabled devices, in particular mobile phones including commonly used Nokia and Sony Ericsson models. Shortly thereafter, Martin Herfurt of Salzburg Research Forschungsgesellschaft mbH expanded on these problems and teamed up with Adam to investigate further.

This talk will cover the issues arising out of these flaws, including loss of personal data, identity theft, phone tapping, tracking, fraud and theft of service. The threat to individuals and corporations will be examined, and statistics and examples from the real world presented, as well as live demonstrations of each of the problems.

This will be a fun talk and a real eye-opener for those with Bluetooth-enabled devices.

For further background information on the issue, see:
http://www.thebunker.net/release-bluestumbler.htm

Adam Laurie is Chief Security Officer and Director of AL Digital Ltd. and The Bunker. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other minicomputers, and then on various Unix, DOS and CP/M based microcomputers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own, 'Apache-SSL', which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

Martin Herfurt is a researcher at Salzburg Research Forschungsgesellschaft m.b.H and a lecturer in the Telecommunications Engineering Degree Program at the Salzburg University of Applied Sciences and Technologies.

He completed his Telecommunications Engineering Degree at the Salzburg University of Applied Sciences and Technologies in 2001. Alongside his studies Martin was involved in numerous industry projects, providing him with commercial programming practice.

In 2000 Martin followed up his formal studies with a four-month internship at the TELCOT institute in San Ramon, California, USA.

Since the second half of 2000 Martin has been working as a full-time researcher at Salzburg Research Forschungsgesellschaft m.b.H. His project responsibilities range from the co-ordination of a European IST project with a total budget of over 5 million Euro to software agent development.

Together with a Salzburg Research colleague, Martin began teaching a class on mobile data services at the Salzburg University of Applied Sciences and Technologies in the summer of 2003.

Martin is also currently working on a PhD in computer science at the University of Salzburg.

As part of his fascination with the rapid development of computer programming, Martin has become a regular participant in the Chaos Communication Congress, the yearly meeting of the German hacker association CCC.


All New Ø-Day
David Litchfield, Founder, Next Generation Security Software

This presentation will be entirely new and never seen before. Code included.

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine, which named him 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft and Oracle products).

David is also the original author of the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III and the range of database auditing tools: NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world-leading vulnerability research and the continued development of cutting-edge security assessment software, David has also written or co-authored a number of security related titles including "SQL Server Security", "The Shellcoder's Handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle".


You got that with GOOGLE?
Johnny Long, CSC

This presentation explores the explosive growth of a technique known as "Google Hacking". When the modern security landscape includes such heady topics as "blind SQL injection" and "integer overflows", it is refreshing to see such a deceptively simple tool bent to achieve such amazing results; this is hacking in the purest sense of the word. Attendees will learn how to torque Google to detect SQL injection points and login portals, execute port scans and CGI scans, fingerprint web servers, locate incredible information caches such as firewall and IDS logs, password databases, SQL dumps and much more, all without sending a single packet to the target. Borrowing the techniques pioneered by malicious "Google hackers", this talk aims to show security practitioners how to properly protect clients from this often overlooked and dangerous form of information leakage.
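Every item in that list works the same way: the search engine has indexed a page whose body contains a telltale string (a database error, a directory listing title, a dump header), and the "hack" is a query for that string scoped to a target. The defensive counterpart is to look for the same strings in your own site before Google does. The following is an added example for this page, not the speaker's database or tooling: a small signature set, chosen by the editor and deliberately incomplete, run over a constructed crawl of an organisation's own pages to list the URLs a search engine would expose and why. The URLs, page bodies and category names are assumptions for the illustration.

```python
import re

# Illustrative signatures of the page content that search-engine queries
# key on. This is an editor's subset, not the speaker's database.
SIGNATURES = {
    "sql_error": [
        r"You have an error in your SQL syntax",
        r"Warning: mysql_\w+\(\)",
        r"ORA-\d{5}",
        r"Microsoft OLE DB Provider for ODBC Drivers",
        r"Unclosed quotation mark",
    ],
    "directory_listing": [r"<title>Index of /", r"Parent Directory"],
    "server_info": [r"<title>phpinfo\(\)", r"Apache/[\d.]+ Server at"],
    "data_dump": [r"-- MySQL dump", r"\bCREATE TABLE\b", r"\bINSERT INTO\b.*\bVALUES\b"],
}
_COMPILED = {cat: [re.compile(p, re.I) for p in pats] for cat, pats in SIGNATURES.items()}


def classify(body: str) -> dict:
    """Return, per category, the signature patterns that matched the body."""
    hits = {}
    for cat, pats in _COMPILED.items():
        matched = [p.pattern for p in pats if p.search(body)]
        if matched:
            hits[cat] = matched
    return hits


def scan(pages: dict) -> list:
    """Run the classifier over crawled url -> body pairs and return
    (url, category) findings, sorted for stable reporting."""
    findings = []
    for url, body in pages.items():
        for cat in classify(body):
            findings.append((url, cat))
    return sorted(findings)


# Constructed sample crawl. The second URL is the same product page fetched
# with a stray quote, which is exactly what an indexed SQL error looks like.
SAMPLE_PAGES = {
    "http://www.example.org/products.asp?id=1": "<html><body>Widget</body></html>",
    "http://www.example.org/products.asp?id=1'": (
        "Microsoft OLE DB Provider for ODBC Drivers error '80040e14' "
        "Unclosed quotation mark before the character string '1'."
    ),
    "http://www.example.org/backup/": (
        "<title>Index of /backup</title><a href=\"/\">Parent Directory</a>"
    ),
    "http://www.example.org/backup/site.sql": (
        "-- MySQL dump 9.11\nCREATE TABLE users (id int, pw varchar(32));"
    ),
    "http://www.example.org/test.php": "<title>phpinfo()</title>",
}


if __name__ == "__main__":
    for url, cat in scan(SAMPLE_PAGES):
        print(f"{cat:18} {url}")
```

A hit in `sql_error` on a URL that only differs from a clean one by a quote is the same evidence the abstract's "detect SQL injection points" query relies on, found without waiting for the engine to index it. The patterns are a starting point only; the real list on the speaker's site is far longer and product-specific.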

The speaker, Johnny Long, maintains the Internet's most comprehensive database of Google exposures on his website.

Johnny Long did not develop his skills within the hallowed halls of higher learning but rather by spending way too many late nights huddled in front of his computer, developing his anti-social tendencies.

Mr Long (Johnny's professional alter-ego) has previously presented at SANS and other computer security conferences nationwide. In addition, he has presented before several government alphabet-soup entities including three starting with the letter 'A', four starting with the letter 'D', a handful starting with the letters 'F' and 'S' and two starting with today's letter, the letter 'N'. During his career as an attack and penetration specialist, Mr Long has performed active network and physical security assessments (one in the cube is worth twenty on the net) for hundreds of government and commercial clients.

Johnny Long is the author of 'Penetration Testing with Google', available December 2004 from Syngress Publishing.


The Evolution of Incident Response
Kevin Mandia, President, Red Cliff Consulting