KEYNOTE
Fighting Organized Cyber Crime War Stories and Trends
Dan Larkin, Unit Chief, Internet Crime Complaint Center, Federal Bureau of Investigation
As one of the pioneers of partnerships for the FBI, Dan Larkin of the FBI’s Cyber Division will outline how the FBI has taken this concept from rhetoric to reality over the past 5 years. This presentation will explore how the mantra “make it personal” has aided the FBI in forging exceptional alliances with key stakeholders from industry, academia and law enforcement, both domestically and abroad. This presentation will also outline how such collaborations have helped to proactively advance the fight against an increasingly international and organized cyber crime threat.
Dan Larkin became unit chief of the Internet Crime Complaint Center (IC3), a joint initiative between the FBI and the National White Collar Crime Center (NW3C), in January 2003. Before that he was a supervisory special agent (SSA) in the White Collar Crime area for ten years. In that capacity he supervised and coordinated numerous joint agency initiatives on both regional and national levels involving corruption and fraud associated with a variety of federal, state, and local agencies. SSA Larkin acted as the congressional investigative team leader in the “Operation Illwind” Pentagon scandal corruption investigation. The combined effort of this team led to record settlements and convictions involving numerous top defense contractors, as well as public officials.
Prior to his current assignment UC Larkin developed and supervised the High Tech Crimes Task Force in Western Pennsylvania, one of the first such initiatives in the United States. UC Larkin also developed a national initiative known as the National Cyber Forensics and Training Alliance (NCFTA). This progressive initiative maximizes overlapping public/private sector resources in identifying and proactively targeting escalating cyber-crime perpetrators both domestically and abroad. This project also serves to attract a perpetual stream of key Subject Matter Experts (SMEs) from industry, government and academia, creating a dynamic cyber nerve center for tactical and proactive response, forensics and vulnerability analysis, and the development of advanced training. UC Larkin also co-authored the FBI’s reorganization plan in 2002, which established Cyber Crime as a top priority and underscored the need for additional Public/Private Alliances in combating priority cyber crimes worldwide.
SSA Larkin holds a BA in criminology with concentrations in industrial safety and security from Indiana University of Pennsylvania.

WiFi in Windows Vista: A Peek Inside the Kimono
Noel Anderson, Group Manager, Wireless Networking Group, Microsoft Corporation
Taroon Mandhana, Software Development Lead, Wireless Networking team at Microsoft
Windows Vista comes with redesigned support for WiFi (802.11 wireless). For those of us who live with a laptop in easy reach, it’s going to have an effect on our workday. For users there’s a new UI experience, helpful diagnostics and updated default behaviors. For IT pros who manage Windows clients, there’s improved management via Group Policy and Scripting. For sysadmins & geeks there’s a new command line interface.
But behind these more obvious changes there’s a new software stack, designed to be more secure but also more open and extensible. This talk will take a deep dive into that stack, describe the various components and their interaction, and show where developers can create code to modify and extend the client. Want to build a site survey tool, a wireless IDS, or hack your own driver? We’ll show where to plug in. We’ll describe in detail how the behavior of the wireless stack has changed from XP, explain the rationale behind this, and show how this is reflected in the user experience. Finally we’ll look at how Microsoft tests WiFi in Windows Vista.
Noel Anderson is a Group Manager in the Wireless & Mobility team at Microsoft. Noel has worked in Windows Networking since 1997 and his current focus is software architecture for wireless & mobility. Previous Microsoft projects include the RTC, HTTP & Peer-to-Peer networking stacks. He also led development of the SIP server which is now at the heart of the Office Live Communication Server. Prior to joining Microsoft Noel designed and developed embedded systems for Telecoms, Automotive Electronics, Avionics and Aircraft Weapon Systems.
Taroon Mandhana is a Software Development Lead in the Wireless Networking team at Microsoft. Taroon has worked in Windows Networking since 2001 and his current focus is Wireless Security and Manageability. Prior to Microsoft, Taroon worked at the Information Sciences Research Center at Bell Labs. Taroon holds a master’s degree from the University of Texas at Austin and a bachelor’s from I.I.T Delhi.

Bypassing Network Access Control (NAC) Systems
Ofir Arkin
The threat of viruses, worms, information theft and lack of control over the IT infrastructure leads companies to implement security solutions that control access to their internal IT networks.
A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. All are tasked with one goal: controlling access to a network, using different methods and solutions.
This presentation will examine the different strategies used to provide network access control.
Flaws associated with each NAC solution discussed will be presented. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market.
Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks.
Ofir has 10 years of experience in data security research and management. Prior to co-founding Insightix, he served as CISO of a leading Israeli international telephone carrier. In addition, Ofir has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors.
Ofir conducts cutting-edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security, and network discovery, and has lectured at a number of computer security conferences about the research. His best-known papers include “ICMP Usage in Scanning”, “Security Risk Factors with IP Telephony based Networks”, “Trace-Back”, and “Etherleak: Ethernet frame padding information leakage”. He is a co-author of the remote active operating system fingerprinting tool Xprobe2.
Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA) and also serves as a board member.
Ofir is the founder of the Sys-Security Group, a computer security research group.

Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems
Robert Auger, Security Engineer, SPI Dynamics Inc., Co-Founder, Web Application Security Consortium
Caleb Sima, CTO and Co-Founder, SPI Dynamics
This presentation will discuss the use of RSS and Atom feeds as a method of delivering exploits to client systems. In our research we have found a number of RSS clients, both local and web-based, that are far too trusting of the content that is delivered via feeds. Although this content arrives as well-formed XML, fundamentally it originated as user input elsewhere. Like any such data, it can contain malicious and malformed content, yet many clients fail to guard against this. And though such content by definition originates remotely, many clients use methods of display that cause it to be trusted as if it were locally originated.
As RSS becomes more ubiquitous, the scope of this problem becomes worse. Many RSS feeds are machine generated from content originating in other feeds, search engine results, and so on. This means that feed subscribers can even be targeted without them actually subscribing to your feed at all. This has potential uses for worm propagation, botnet creation, and other forms of attack.
Robert Auger is a Security Engineer for SPI Dynamics where he is responsible for Web application security R&D. He is a known expert on Web application security vulnerabilities and exploits and currently runs a popular Web application security resource Web site, http://www.cgisecurity.com. Robert co-founded the Web Application Security Consortium (WASC), a group dedicated to developing and promoting "security standards of best practice" for the World Wide Web, in 2004, where he currently leads the WASC-Articles project. He has also contributed attack signatures to SNORT, an open source network intrusion detection system (IDS), as well as served as an expert technical advisor to the media on stories related to Internet security.
Caleb Sima is the co-founder and CTO of SPI Dynamics, a Web application security company. Caleb is responsible for directing the lifecycle of the company’s Web application security solutions and is the director of the SPI Labs R&D team within SPI Dynamics. Caleb has been engaged in the Internet security arena since 1996, and has become widely recognized as an expert in Web security, penetration testing and identifying emerging security threats. His pioneering efforts and expertise in Web security have helped define the direction the Web application security industry has taken. Prior to co-founding SPI Dynamics in early 2000, Caleb worked for Internet Security Systems’ elite X-Force R&D team and as a security engineer for S1 Corporation. Caleb is a frequent speaker and expert resource for the press on Internet attacks and has been featured in the Associated Press. He is also a contributing author to various magazines and online columns, and is a co-author of the book Hacking Exposed Web Applications, Second Edition. Caleb is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC).

Investigating Evil Websites with Monkeyspaw: The Greasemonkey Security Professional's Automated Webthinger
Tod Beardsley, Lead Counter-Fraud Engineer, TippingPoint, a division of 3com
Monkeyspaw is a unified, single-interface set of security-related website evaluation tools. Implemented in Greasemonkey, its purpose is to automate several common tasks employed during the early steps of an incident investigation involving client-side exploits.
More generally, Monkeyspaw is also intended to demonstrate some of the more interesting data correlation capabilities of Greasemonkey. Hopefully, its release will encourage more security application development in this easy-to-use, cross-platform, web-ready scripting environment.
About Greasemonkey: Greasemonkey is described as "bookmarklets on crack" by its primary developer, Aaron Boodman. For more details, see his presentation.
Tod Beardsley is the Lead Counter-Fraud Engineer at TippingPoint (a division of 3Com). He researches, prevents and occasionally invents network-based exploits and vulnerabilities in support of TippingPoint's award-winning line of Intrusion Prevention System products. Tod has 16 years of experience with data and telephony network security, and has held IT security positions at Dell and Westinghouse. His greatest professional achievement was second place in a nerd beauty pageant.

Finding Gold in the Browser Cache
Corey Benninger, Security Consultant, Foundstone, a Division of McAfee
Looking for instant gratification from the latest client side attack? Your search may be over when you see the data that can be harvested from popular web browser caches. This discussion will focus on what web application programmers are NOT doing to prevent data like credit card and social security numbers from being cached. It will explore which popular websites are not disabling these features and what tools an attacker can use to gather this information from a compromised machine. A general overview of web browser caching will be included, along with countermeasures from both the client and server side.
Corey Benninger, CISSP, is a Security Consultant with Foundstone, a division of McAfee, where he commonly performs web application assessments for leading financial institutions and Fortune 500 companies. He is also involved with teaching Ultimate Hacking Exposed courses to clients throughout the United States. Prior to joining Foundstone, Corey worked on developing web applications for a nationwide medical tracking system as well as infrastructure applications for internet service providers.

IPS Shortcomings
Renaud Bidou, Radware
Technologies emerge on a regular basis with new promises of better security. This is more or less true. However, we know there are still weaknesses and that 100% security is not realistic. Therefore the real need when deploying a new security device is to know its limits. IPS are part of those new technologies. They are oversold by marketing speeches and promises of absolute security. Guess what? This is not exactly the truth...
The purpose of this speech is not to discredit IPS but to help in understanding the limits of the technologies that are involved. We will particularly focus on the following subjects:
- conceptual weaknesses and ways to detect "transparent" inline equipment
- signature issues
- hardware architecture limitations and common jokes
- the necessary performance vs. security trade-off and its consequences
- behavioral, heuristic, neuronal stuff etc.: reality and limitations
Through examples, proofs of concept and test bed results we will provide a broad view of IPS reality, what you can expect from them now and what they will never do for you.
Renaud Bidou has been working in the field of IT security for about 10 years. He first performed consulting missions for telcos, pen-tests and post-mortem audits, and designed several security architectures. In 2000 he built the first operational Security Operation Center in France, which quickly became the 4th French CERT and a member of FIRST. He then joined Radware as the security expert for Europe, handling high severity security cases.
In the meantime Renaud is an active member of the rstack team and the French Honeynet Project, which studies honeynet containment, honeypot farms and network traffic analysis. He regularly publishes research articles in the French security magazine MISC and teaches in several universities in France.

Automated Malware Classification/Analysis Through Network Theory and Statistics
Daniel Bilar, Hess Fellow, Wellesley College, Visiting Assistant Professor, Colby College
Automated identification of malicious code and subsequent classification into known malware families can help cut down laborious manual malware analysis time. Call sequence, assembly instruction statistics and graph topology all say something about the code. This talk will present three identification and classification approaches that use methods and results from complex network theory. Some familiarity with assembly, Win32 architecture, statistics and basic graph theory is helpful.
Daniel Bilar is an academic researcher who enjoys poking his nose in code and networks and trying novel ways to solve problems. He has degrees from Brown University (BA, Computer Science), Cornell University (MEng, Operations Research and Industrial Engineering) and Dartmouth College (PhD, Engineering Sciences). Dartmouth College filed a provisional patent for his PhD thesis work ("Quantitative Risk Analysis of Computer Networks", Prof. G. Cybenko advisor), which addresses the problem of risk opacity of software on wired and wireless computer networks.
Daniel is a founding member of the Institute for Security and Technology Studies at Dartmouth College. ISTS conducts counter-terrorism technology research, development, and assessment for the Department of Homeland Security. He was part of the group that researched new methods of protecting the nation's communication infrastructure. He was also a SANS GIAC Systems and Network Auditor Advisory Board member from 2002 to 2005. Daniel is currently the Hess Fellow in Computer Science at Wellesley College (MA). He has previously developed and taught computer science undergraduate courses on network/computer security and complex network theory at Oberlin College (OH) and Colby College (ME).

Taming Bugs: The Art and Science of Writing Secure Code
Paul Böhm, Lord Protector and Defender of the Crown at SEC-Consult
If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal.
Paul Böhm was a founding member of TESO Security in 1998, and has spent a lot of time breaking code. In 2003 he worked on quantum cryptography at the University of Vienna, where he developed and implemented an improved-efficiency QC protocol. His current interest is in Vulnerability Defense and Secure Software. He works as a Security Consultant for SEC Consult.

Physical Memory Forensics
Mariusz Burdach, Senior Consultant, CompFort Meridian, Polska Sp. z o.o.
Historically, only file systems were considered as locations where evidence could be found. But what about the volatile memory which contains a huge amount of useful information such as the content of clipboards or the SAM database? How long can volatile data stay in the main memory? What about anti-forensic methods of defeating disk forensic and incident response tools? Why is the content of the memory not dumped during the process of data collection from a suspicious computer? What is the best way to analyze the physical memory from Windows® and Linux® machines? Is it possible? I will answer these questions during my Black Hat presentation which is focused on methods of finding digital evidence in the physical memory of Windows and Linux machines.
During the presentation, methods of investigating the physical memory of a compromised machine will be discussed. Through these methods, it is possible to extract useful information from the memory such as the full content of .dll and .exe files, various caches like clipboards, detailed information about each process (e.g. owner, MAC times, content) and information about processes that were executed and terminated in the past. Also, methods of correlating page frames, even from swap areas, will be discussed. The techniques covered during the presentation will lead you through the process of analyzing important structures and recovering the content of files from the physical memory. As an integral part of the presentation, new ways of detecting hidden objects and methods of detecting kernel modification will be presented. These methods can be used to identify compromised machines and to detect malicious code such as memory-resident rootkits or worms.
Finally, toolkits will be presented to help an investigator to extract information from an image of the physical memory or from the memory object on a live system.
Mariusz Burdach is a security researcher specializing in forensics, reverse engineering, intrusion detection, advanced intrusion protection and security management. He has published several articles on these topics in online and in hardcover magazines. Mariusz is currently working on methods of forensic analysis of physical memory and methods of detecting kernel mode rootkits. In addition, he is also an expert witness and a SANS Local Mentor. As an independent instructor, he has been teaching incident response and forensic analysis and hardening of Unix/Linux systems for over 4 years. Mariusz has served as a consultant, auditor and incident handler to many government and financial institutions in Poland. He lives in Warsaw, Poland.

Fuzzing Selected Win32 Interprocess Communication Mechanisms
Jesse Burns, Principal Partner, iSEC Partners
This presentation prepares attackers and defenders to perform automated testing of some popular Windows® interprocess communication mechanisms. The testing will focus on binary win32 applications, and will not require source code or symbols for the applications being tested. Attendees will be briefly introduced to several types of named securable Windows communication objects, including Named Pipes and Shared Sections (named Mutexes, Semaphores and Events will also be included, but to a lesser degree). Audience members will learn techniques for identifying when and where these communication objects are being used by applications as well as how to programmatically intercept their creation to assist in fuzzing. iSEC will share tools used for interception and fuzzing, including tools for hooking an arbitrary executable's creation of IPC primitives. Working examples of fuzzers with source code written in Python and C++ will demonstrate altering the data flowing through these IPC channels to turn simple application functionality tests into powerful security-focused penetration tests.
Attendees should be familiar with programming in C++ or Python, and have a security research interest in win32. Developers, QA testers, penetration testers, architects and researchers are the primary target audience for this somewhat technical talk.
Jesse Burns is a Principal Partner at iSEC Partners, where he works as a penetration tester. Previous to founding iSEC Partners, Jesse was a Managing Security Architect with @Stake and a software developer who focused on security-related projects on Windows® and various flavors of Unix®. Jesse presented in December of 2004 at the SyScan conference in Singapore on exploiting weaknesses in the NTLM authentication protocol. He has also presented at OWASP, Directory Management World and for his many security consulting clients on issues ranging from cryptographic attacks to emerging web application threats. He is currently working on a book with Scott Stender and Alex Stamos on attacking modern web applications for publication with Addison Wesley.

R^2: The Exponential Growth in Rootkit Techniques
Jamie Butler, CTO, Komoku, Inc.
Nick Petroni
William A. Arbaugh, President, Komoku, Inc.
Rootkit technology has exploded recently, especially in the realm of remote command and control vectors. This talk will cover the evolution of rootkit techniques over the years. It will explore the interaction between corporations, the open source community, and the underground. A detailed analysis of how different rootkits are implemented will be covered. Based on this analysis, the presentation concludes with a discussion of detection methods.
James Butler has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel". Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop, USENIX login, SecurityFocus, and Phrack. He has also appeared on Tech TV and CNN.
William Arbaugh spent sixteen years with the U.S. Defense Department, first as a commissioned officer in the Army and then as a civilian at the National Security Agency. During those sixteen years, Dr. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Dr. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Dr. Arbaugh received a B.S. from the United States Military Academy at West Point, an M.S. in computer science from Columbia University in New York City and a PhD in computer science from the University of Pennsylvania in Philadelphia.
Prof. Arbaugh is a member of DARPA's Information Science And Technology (ISAT) study group, and he also currently serves on the editorial boards of the IEEE Computer, and the IEEE Security and Privacy magazines. He has also co-authored a book with Jon Edney on Wi-Fi security that is published by Addison-Wesley.

Device Drivers
johnny cache
David Maynor, Senior Researcher, SecureWorks
Application level security is getting better. Basic stack based string overflows have become rare, and even simple heap overflows are getting hard to find. Despite this fact there is still a huge avenue of exploitation that has not been tapped yet: device drivers. Although they don’t sound very interesting, they are full of simple security programming errors as they are often developed for performance and in tight time frames. The traditional thinking is that although the code is bad an attacker can’t really get to it. Development of reliable off the shelf packet injection techniques combined with the excessive complexity of the 802.11 protocol creates a perfect combination for security researchers. Ever seen a laptop owned remotely because of a device driver? Want to?
David Maynor is a Senior Researcher at SecureWorks. He was formerly a research engineer with the ISS Xforce R&D team, where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer helping to make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of different companies in a wide spread of industries, ranging from digital TV development to protection of top 25 websites, security consulting and penetration testing, online banking and ISPs.
Johnny Cache is currently attending school and will receive a Masters in computer security in September, at which point he will be looking for a job. He is also currently working on "Hacking Exposed: Wireless". His latest creation is Airbase, a suite of 802.11 utilities all tied together with a single core C++ library for packet creation and manipulation. Currently Cache is working on a tool to allow for remote chipset/driver detection of various 802.11 devices.

Thermoptic Camouflage: Total IDS Evasion
Brian Caswell, Research Engineer, Sourcefire
HD Moore, Director of Security Research, BreakingPoint Systems
Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be.
Brian Caswell is a member of the Snort core team, where he is the primary author for the world's most widely used intrusion detection rulesets. He was most recently the technical editor and "go to guy" for the book "Snort 2.0 Intrusion Detection." He is a member of the Shmoo group, an international not-for-profit, non-mil-industrial independent private think tank. Currently, Brian is a Research Engineer within the Vulnerability Research Team for Sourcefire, a provider of one of the world's most advanced and flexible Intrusion Management solutions. Before Sourcefire, Brian was the IDS team leader and all-around supergeek for MITRE, a government sponsored think tank. Not only can Brian do IDS, he was a Pokémon Master Trainer for both Nintendo and Wizards of the Coast, working throughout the infamous Pokémon Training League tours. In his free time, Brian likes to teach his young son Patrick to write perl, reverse engineer network protocols, and autocross at the local SCCA events.
HD Moore is Director of Security Research at BreakingPoint Systems, where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and led the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.

Microsoft Security Fundamentals: Engineering, Response and Outreach
Andrew Cushman, Director, Microsoft Security Response, Engineering and Outreach Team
You’ve heard about Trustworthy Computing and you’ve seen some security improvements from Microsoft. You may have wondered, “is this change real or is it just lip service?” You may also have asked yourself, “self, why did they do that?” This presentation will give you a historical and current view of the changes Microsoft has made and of our policies and procedures that deliver more secure products and improved security response. This promises to be a lively and entertaining talk illustrated with actual examples of these policies and procedures from Windows Vista and recent security updates.
Andrew Cushman, Director of Security Engineering, Response and Outreach, is responsible for Microsoft's outreach to the security community and has overall responsibility for the BlueHat conference. Andrew is a member of Microsoft's Security Engineering leadership team, whose current top priority is the security of Windows Vista. Cushman was the Group Manager for the IIS team and was instrumental in shipping IIS versions 4, 5, and 6.0. Way back in the day he started his 16-year career at Microsoft testing international versions of Publisher, Money, Works and Flight Simulator.

I’m Going To Shoot The Next Person Who Says VLANs
Himanshu Dwivedi, Principal Partner, iSEC Partners
Booksigning: Hacker’s Challenge 3 with Jeremiah Grossman and Himanshu Dwivedi at 12:30 on Thursday, August 3 at the BreakPoint Books booth.
Assessing and analyzing storage networks is key to protecting sensitive data at rest; however, the tools and procedures to protect such resources are absent. The presentation will attempt to bridge the gap between security professionals worried about storage security and the lack of tools/process to mitigate any exposures. The presentation will introduce the Storage Network Audit Program (SNAP), an assessment program for security professionals who wish to ensure their storage network is secure. The audit program requires no storage background. The program will clearly outline topics for storage security, list specific questions regarding each topic, and clearly state what outcomes would be satisfactory or unsatisfactory. Over 40 different topics are discussed in SNAP.
The presentation will also introduce a new tool to analyze the security configuration of a NetApp filer. SecureNetApp is a tool that will analyze over 90 settings on a NetApp filer and create an HTML report that shows all satisfactory and unsatisfactory settings. Based on the results, the tool will display the exact syntax that can be used to mitigate all unsatisfactory settings, which can be given directly to a storage administrator for remediation.
The presentation will conclude with a brief overview of the security gaps in new storage devices marketed to home users and small offices. While devices like NetGear Z-SANs meet the increasing demand for storage, they miss the mark in terms of data protection. A demo of a basic attack will be shown to highlight the lack of security in such home storage products.
Himanshu Dwivedi is a founding partner of iSEC Partners, an independent information security organization, with 12 years experience in security and information technology. Before forming iSEC Partners, Himanshu was the Technical Director for @stake’s Bay Area practice, the leading provider for digital security services. Himanshu has focused his security experience towards storage security, specializing in SAN and NAS security. His research includes iSCSI and Fibre Channel (FC) Storage Area Networks as well as IP Network Attached Storage.
Himanshu has three published books (two of them within the last year), including "Securing Storage: A Practical Guide to SAN and NAS Security" (Addison Wesley Publishing), "Hackers Challenge 3" (McGraw-Hill/Osborne), and "Implementing SSH" (Wiley Publishing). Himanshu also has a patent pending on a storage design architecture.

Attacking Apple’s Xsan
Charles Edge, Partner and Lead Engineer, Three18
A fundamental of many SAN solutions is the use of metadata to provide shared access to a SAN. This is true for iSCSI and FibreChannel and across a wide variety of products. Metadata can offer a way around the built-in security features, provided that attackers have FibreChannel connectivity.
SAN architecture represents a symbol of choosing speed over security. Metadata, the vehicle that provides speed, is a backdoor into the system built around it. In this session we will cover using Metadata to DoS or gain unauthorized access to an Xsan over the FibreChannel network.
Charles Edge began his consulting career working with Support Technologies, Andersen Consulting and Honda to name a few. In January of 2000 Charles arrived at Three18, a boutique consulting firm in Santa Monica, California. At Three18, Charles has worked with Network Architecture and Design for film, commercial production, post-production, advertising and design clients. As a partner at Three18 Charles manages a team of engineers and programmers.
Charles maintains an MCSE with Microsoft, a Network+ with Comptia and an ACSA with Apple. The Apple Certifications are those he is most proud of, having obtained the top certification of Apple Certified System Administrator. His first book, Mac Tiger Server Little Black Book is available through Paraglyph Press. His second book, Web Admin Scripting Little Black Book is also available through Paraglyph Press.

“Sidewinder”: An Evolutionary Guidance System for Malicious Input Crafting
Shawn Embleton, University of Central Florida
Sherri Sparks, University of Central Florida
Ryan Cunningham, University of Central Florida
Black box testing techniques like fuzzing and fault injection are responsible for discovering a large percentage of reported software vulnerabilities. These techniques typically operate by injecting random or semi random input into a program and then monitoring its output for unexpected behavior. While their high potential for automation makes them desirable, they frequently suffer from a lack of “intelligence”. That is, the random nature of input space exploration makes the probability of discovering vulnerabilities highly non-deterministic. Black box inputs are similar to unguided missiles. In this talk, we will discuss how we might turn these inputs into guided missiles by intelligently driving their selection using ideas borrowed from probability theory and evolutionary biology.
Shawn Embleton is a PhD student at the University of Central Florida currently researching optical network routing for the NSF. He has recently become interested in genetic algorithms and automated reverse code engineering. Shawn enjoys software engineering in general and prefers to work on new problems when the opportunity presents itself. New problems come with a fresh mix of challenges and provide the chance to learn new ideas. He is a “student for life” and still going strong after over 23-21 years.
Sherri Sparks is a PhD student at the University of Central Florida. She received her undergraduate degree in Engineering and subsequently switched to Computer Science after developing an interest in application security. Currently, her research interests include offensive / defensive malicious code technologies and automated reverse code engineering. She has published articles in Usenix Login; Security Focus, and Phrack magazine.
Ryan Cunningham is a theory guy. CFG stands for context-free grammar in his world. He pursues his work and interests in the fields of information theory, formal languages, evolutionary biology, genomics, machine learning, and computer security as a graduate student at the University of Central Florida. He is also handsome, smart, and funny. No one should suggest that this biography might be biased simply because he wrote it himself.

Hacking VoIP Exposed
David Endler, Director of Security Research, TippingPoint, a division of 3Com
Mark Collier, CTO, SecureLogix
Lately there seems to be an explosion of press hype around the possibility of hackers exploiting Voice-over-IP networks and services (Skype, Vonage, etc.). VoIP Spam, Caller ID Spoofing, Toll Fraud, VoIP Phishing, Eavesdropping, and Call Hijacking are just some of the terms being thrown around that seem to cause a fair share of fear and uncertainty in the market.
We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also in order to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism on which attacks are likely to emerge into the public domain. Also, we will unveil several VoIP security tools we wrote to facilitate the exploiting and scanning of VoIP devices, along with a few 0-days we discovered along the way.
As VoIP is rolled out rapidly to enterprise networks this year, the accessibility and sexiness of attacking VoIP technology will increase. The amount of security research and bug hunting around VoIP products has only reached the tip of the iceberg and we predict many more vulnerabilities will begin to emerge.
David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's internal product security testing, VoIP security center, and TippingPoint’s vulnerability research teams. Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA). VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. Prior to TippingPoint, Endler led the security research teams at iDEFENSE. In previous lives, he has performed security research working for Xerox Corporation, the National Security Agency, and Massachusetts Institute of Technology. Endler is the author of numerous articles and papers on computer security and holds a Masters degree in Computer Science from Tulane University.
Mark Collier, CTO for SecureLogix Corporation, is responsible for research and related intellectual property. Previously, Mr. Collier was with the Southwest Research Institute for 14 years, where he contributed to and managed software research and development projects in a wide variety of fields, including information warfare. Mr. Collier has been working in the industry for 20 years, and has spent the past decade working in security, telecommunications, and networking. He is a frequent author and presenter on the topic of voice and VoIP security and holds a Bachelor of Science degree in Computer Science from St. Mary’s University.

Breaking Crypto Without Keys: Analyzing Data in Web Applications
Chris Eng, Director of Security Services, Veracode
How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human-readable text? What did you do next: ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it?
This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience.
This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers.
Chris Eng is the Director of Security Services with Veracode.
His primary areas of expertise include application and network security assessments, with a focus on penetration testing and vulnerability analysis. Additional areas of interest include binary analysis, exploit development, and cryptography.
Previously, he served as a Consulting Manager with Symantec (formerly @stake), where he helped numerous Fortune 500 companies assess the security of their networks, web applications, and commercial software. Prior to joining @stake, he was a computer scientist at the NSA, where he spent a portion of his time performing penetration tests against US government-owned networks. He holds a BS degree in Electrical Engineering and Computer Science from the University of California.

Analysing Complex Systems: The BlackBerry Case
FX, Phenoelit & SABRE Labs
When trying to analyze a complex system for its security properties, very little information is available in the beginning. If the complex system in question contains parts that the analyst cannot see or touch, such as proprietary hardware and software as well as large-scale server software, the task doesn't get any easier. The talk will tell the story of how Phenoelit went about looking at RIM's BlackBerry messaging solution, focusing on the approaches tried and their expected and real effectiveness.
FX is the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. FX looks back at as little as eight years of (legal) hacking with only a few Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road. Professionally, FX runs SABRE Security's consulting arm SABRE Labs, specializing in reverse engineering, source code audits and on-demand R&D of industry grade security architectures & solutions.

MatriXay: When Web App & Database Security Pen-Test/Audit Is a Joy
Yuan Fan, Founder, DBAppSecurity Inc.
Xiao Rong
This talk will present a new web-app/DB pen-test tool. The tool supports both proxy (passive) mode and direct URL targeting. It is a mixed web app SQL injection systematic pen-test and web app/database scanner/auditing-style tool and supports the most popular databases used by web applications, such as Oracle, SQL Server, Access and DB2. It has many unique features, from automatic detection of the web app's backend database, to the ability to browse database objects (without the need to ask for passwords, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation.
Yuan Fan, GCIH, GCIA, CISSP, is the founder of DBAppSecurity Inc, which provides consulting services on enterprise security management, especially database and application security. His expertise spans from network-layer to application/database-layer security. Before that he worked 5+ years for ArcSight on connectors for a variety of security devices, and many years in the network management area. He holds a Master of Computer Engineering degree from San Jose State University. Last year, he presented on anomaly detection between the web app layer and the DB layer. This time he is going to show the brand new sword for the first time. The tool "MatriXray", which was designed and developed by him and his partner XiaoRong in their spare (night) time, is deemed to be promising from several aspects, including its deep pen-test ability framework and cross-database support (currently Oracle, SQL Server, DB2 and Access).

How to Unwrap Oracle PL/SQL
Pete Finnigan, Principal Consultant, Siemens Insight Consulting
PL/SQL has been the flagship language used inside the Oracle database for many years and through many versions, allowing customers to implement their business rules and logic. Oracle has recognized that customers need to protect the intellectual property coded in PL/SQL and has provided the wrap program. The wrapping mechanism was cracked some years ago, and there are unwrapping tools in the black hat community. Oracle has beefed up the wrapping mechanism in Oracle 10g, in part to counter this.
What is not common knowledge amongst the user community is that PL/SQL code installed in the database is not secure and can be read by anyone in possession of an unwrapper. What is not common knowledge even in the security community is that Oracle always knew that PL/SQL could be unwrapped, due to the methods chosen to wrap it in the first place. What is more surprising is that there are features and programs actually shipped with the database software that show how it is possible to unwrap PL/SQL without using reverse engineering techniques, if you know where to look!
Pete Finnigan is well known in the Oracle community for hosting his Oracle security website, www.petefinnigan.com, which includes a whole raft of Oracle security information: blogs, forums, tools, papers and links. He is the author of the "SANS Oracle Security Step-By-Step" guide book and of the SANS GIAC Oracle security course. Pete currently works for Siemens Insight Consulting as head of their database security team, performing security audits, training, design and architecture reviews. He has written many useful Oracle security scripts and password lists, available from his website, and many papers on the subject published by different sites including Security Focus and iDefence. Pete is also a member of the OakTable, a group of the world’s leading Oracle researchers.

Carrier VoIP Security
Nicolas Fischbach, Senior Manager, European Network Security Engineering, COLT Telecom & Co-founder Sécurité.Org
VoIP, IMS, FMC, NGN, PacketCore, MPLS. Put those together and you are looking at the next security nightmare when it comes to Service Provider infrastructure security. Carriers are already moving away from basic data and VoIP services towards the Next Generation Network, where you have one packet-based core network which is going to carry "junk" Internet traffic, "secure" Multi-Protocol Label Switching VPNs, "QoS guaranteed" voice, etc. And soon, thanks to new handhelds, you'll see more and more Fixed and Mobile Convergence, which enables you to roam anywhere inside and outside of the enterprise and access new interactive content thanks to the IP Multimedia Subsystem.
During this talk we will present such an architecture (based on a real large scale deployment with 4 major vendors), the security and architecture challenges we ran (and still run) into, and how we mitigate the risks (denial of service, interception, web apps security, fraud, etc).
Nicolas Fischbach is a Senior Manager, in charge of the European Network Security Engineering team at COLT Telecom, a leading pan-European provider of end-to-end business communications services.
He holds an Engineer degree in Networking and Distributed Computing and is a recognized authority on Service Provider infrastructure security and denial-of-service attacks mitigation.
Nicolas is co-founder of Sécurité.Org, a French-speaking portal on computer and network security; of eXperts, an informal security research group; and of the French chapter of the Honeynet project.
He has presented at numerous technical and security conferences, teaches networking and security courses at various universities and engineering schools, and is a regular contributor to the French security magazine MISC.
More details and contact information on his homepage.

RE 2006: New Challenges Need Changing Tools
Halvar Flake, CEO of Sabre Security
Reverse Engineering has come a long way: what used to be practiced behind closed doors is now a mainstream occupation practiced throughout the security industry. Compilers and languages are changing, and the reverse engineer has to adapt: nowadays, understanding C and the target platform's assembly language is not sufficient any more. Too many reverse engineers shy away from analyzing C++ code and run into trouble dealing with heavily optimized executables. This talk will list common challenges that the reverse engineer faces in the process of disassembling today, and suggest some solutions. Furthermore, a list of unsolved problems will be discussed.
Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.

Black Hat Stand-up Take Two: So What If I Don’t Sell My Vulnerabilities…
James C. Foster, Deputy Director, CSC
Encoring last year’s early morning stand-up act, Foster will return armed and ready to fire again at the world’s worst security blunders. In an eye-opening fashion, Foster will crack the audience with a twenty minute overlay of the current problems in the security industry relating to publications, free tools, company incentives, the Google demographic and more. Come take part in some straight-up fun.
Sit back, relax, and enjoy Black Hat Standup Take Two: So what if I don’t sell my vulnerabilities.
James C. Foster, Fellow, is the Deputy Director of CSC Global Security. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc. (acquired by McAfee) and was responsible for all aspects of product, consulting, and corporate R&D initiatives. Prior to joining Foundstone, Foster was a Senior Advisor and Research Scientist with Guardent Inc. (acquired by Verisign) and an editor at Information Security Magazine (acquired by TechTarget Media), subsequent to working as an Information Security and Research Specialist for the Department of Defense. Foster's core competencies include high-tech management, international software development and expansion, web-based application security, cryptography, protocol analysis, and search algorithm technology. Foster has conducted numerous code reviews for commercial OS components, Win32 application assessments, and reviews of commercial and government cryptography implementations.
Foster is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. Foster holds degrees in Business Administration, Software Engineering, and Management of Information Systems and has attended the Yale School of Business, Harvard University, the University of Maryland, and is a Fellow at University of Pennsylvania's Wharton School of Business.
Foster is also a well published author and has authored, contributed, or edited for major publications to include "Snort 2.0", "Snort 2.1" 2nd Edition, "Hacking Exposed" 4th Ed and 5th Edition, "Special Ops Security", "Anti-Hacker Toolkit" 2nd Ed, "Advanced Intrusion Detection", "Hacking the Code", "Anti-Spam Toolkit", "Programmer's Ultimate Security DeskRef", "Google for Penetration Testers", "Buffer Overflow Attacks", "Writing Security Tools and Exploits", "Hacking Exposed: Wireless", "Pen Tester’s Open Source Toolkit", and "Sockets/Porting/and Shellcode".

Case Study: The Secure Development Lifecycle and Internet Explorer 7
Rob Franco, Security Program Manager, Internet Explorer, Microsoft Corporation
Tony Chor will discuss Microsoft’s security engineering methodology and how it is being applied to the development of Internet Explorer 7. He will detail key vulnerabilities and attacks this methodology revealed as well as how the new version of IE will mitigate those threats with unique features such as the Phishing Filter and Protected Mode.
Rob Franco lives to make browsing safer for internet users. Rob led Security improvements in Internet Explorer for Windows Server 2003, Windows XP SP2, and IE 7. Prior to that, Rob worked on Corporate deployment features such as Group Policy and the Internet Explorer Administration Kit. When he’s not working, he can usually be found cycling around the Seattle area or boating on a nearby lake.

The Speed of (In)security: Analysis of the Speed of Security vs. Insecurity
Stefan Frei, Security Researcher, ETH Zurich
Dr. Martin May, Senior Scientist, ETH
To be able to defend against IT security attacks, one has to understand the attack patterns and hence the vulnerabilities of the attached devices. But for an in-depth risk analysis, purely technical knowledge of the properties of a vulnerability is not sufficient: one has to understand how vulnerabilities, exploitation, remediation, and the distribution of information about them are handled by the industry and the networking community.
In this research, we examined how vulnerabilities are handled at large scale by analyzing 80,000+ security advisories published since 1995. This huge amount of information enables us to identify and quantify the performance of the security and software industry. We discover trends and discuss their implications. Based on the findings, we finally propose a measure for global risk exposure.
Content may be reviewed after the start of the conference.
Stefan Frei received his ETH diploma (Dipl.El.Ing.ETH) in 1995, having completed his studies at the Swiss Federal Institute of Technology (ETH) in Zurich and the école nationale supérieure des télécommunications (Telecom) in Paris. As a student he worked for the IBM Research Laboratory Zurich, and he later specialised in network and Internet application design, deployment and analysis. Stefan Frei worked as a Senior Security Consultant in the ISS X-Force Security Assessment Services Team in Zurich and London from 2000 to 2004. At the end of 2004 he joined ETH Zurich for a PhD research position in information security under the supervision of Prof. Bernhard Plattner.

Finding and Preventing Cross-Site Request Forgery
Tom Gallagher, Security Test Lead, Microsoft
There is an often overlooked security design flaw in many web applications today. Web applications often take user input through HTML forms. When privileged operations are performed, the server verifies that the request is from an authorized user. Cross-Site Request Forgery attacks allow an attacker to coerce an authorized user into requesting privileged operations of the attacker’s choice. Learn about this attack, how you can quickly identify these bugs in web applications, common techniques programmers use to prevent these attacks, common bugs in some of these preventions, how the attack applies to SOAP, and how to automate tests to verify the attack is successfully prevented.
Tom Gallagher has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".

The NetIO Stack: Reinventing TCP/IP in Windows Vista
Abolade Gbadegesin, Architect, Windows Core Networking, Microsoft Corporation
TCP/IP is on the front lines in defending against network attacks, from intrusion attempts to denial-of-service. Achieving resilience depends on factors from NIC driver quality up through network application behavior. Windows Vista delivers resilience, security and extensibility with the NetIO stack, a re-architected and re-written TCP/IP stack. Windows Vista Network Architect Abolade Gbadegesin will provide an in-depth technical description of the new architecture and new features, and will provide an insider’s view of how Microsoft listened and responded to feedback from the security community.
Abolade Gbadegesin is an Architect in the Windows Networking and Device Technologies Division, and is responsible for leading the redesign and implementation of the Windows networking stack for Windows Vista, incorporating native support for IPv6, IPSec and hardware offload capabilities. Abolade is a member of the Windows architecture group and the networking architecture team. When time permits, he works as a comic book artist, practices piano and breakdance and Argentine tango, and contributes performances at various spoken word events as a founding member of the Learned Hearts Brigade.

Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"
Jeremiah Grossman, Founder and CTO of WhiteHat Security, Inc.
T.C. Niedzialkowski, Sr. Security Engineer, WhiteHat Security, Inc.
Booksigning: Hacker’s Challenge 3 with Jeremiah Grossman and Himanshu Dwivedi at 12:30 on Thursday, August 3 at the BreakPoint Books booth.
Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.
Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite.
Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit, and especially those we trust. The age of web application security malware has begun, and it’s critical that we understand what it is and how to defend against it.
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats.
You’ll see:
- Port scanning and attacking intranet devices using JavaScript
- Blind web server fingerprinting using unique URLs
- Discovering NAT'ed IP addresses with Java Applets
- Stealing web browser history with Cascading Style Sheets
- Best-practice defense measures for securing websites
- Essential habits for safe web surfing
Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.
T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology.

New Attack to RFID-Systems and their Middleware and Backends
Lukas Grunwald, CTO, DN-Systems Enterprise Internet Solution GmbH, Germany
This talk provides an overview of new RFID technologies used for dual-interface cards (credit cards, ticketing and passports), and of RFID tags with encryption and security features. Problems with these security features are discussed and attacks on them are presented. After dealing with the tags, an overview of the rest of an RFID implementation, the middleware and backend database, is given, along with the results of specific attacks on this infrastructure. Is it possible that your cat is carrying an RFID virus? How might one attack the backend systems, and what does an RFID malware design look like? At the end of this talk, there is a practical demonstration of the attacks discussed.
Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally active consulting office working mainly in the field of security and Internet/eCommerce and Supply Council solutions for enterprises.
|

|
Open to Attack; Vulnerabilities of the Linux Random Number Generator
Zvi Gutterman, CTO of Safend, Ltd.
|
|
Linux® is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and generates randomness from the entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers, and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines) is poorly documented and has been modified by hundreds of patches. We used dynamic and static reverse engineering to learn how this generator operates.
This presentation offers a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition, we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices.
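To make the forward-security attack concrete, here is an added toy model (constructed for this page; it is not the Linux kernel generator's code and its constants are arbitrary). A generator whose state update is a bijection can be run backwards by anyone who captures the state, yielding every earlier output; a hash-based update makes the same recovery a preimage problem.

```python
import hashlib

MASK32 = 0xFFFFFFFF
ROT = 7
C_ADD = 0x9E3779B9   # arbitrary constants for the toy, unrelated to the kernel's tables
C_XOR = 0xA5A5A5A5


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def _rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK32


def invertible_step(state):
    """State update built from rotate, add and xor. Each operation is a
    bijection on 32-bit words, so the whole step has an exact inverse."""
    s = _rotl(state, ROT)
    s = (s + C_ADD) & MASK32
    return s ^ C_XOR


def invertible_step_inverse(state):
    """Undo invertible_step by applying the inverse operations in reverse order."""
    s = state ^ C_XOR
    s = (s - C_ADD) & MASK32
    return _rotr(s, ROT)


def run_invertible(seed, n):
    """Drive the weak generator n times. Here the output is the new state
    itself (worst case); the attack only needs an output function that the
    attacker can compute from the state as well."""
    state = seed & MASK32
    outputs = []
    for _ in range(n):
        state = invertible_step(state)
        outputs.append(state)
    return state, outputs


def backtrack(captured_state, n):
    """Attacker who has exposed the current state: recover the n previous
    outputs, most recent first, without knowing the seed."""
    recovered = []
    s = captured_state
    for _ in range(n):
        s = invertible_step_inverse(s)
        recovered.append(s)
    return recovered


def one_way_step(state):
    """Hardened update: new state = SHA-256(domain || old state). Walking
    backwards now requires a SHA-256 preimage, so exposing the state reveals
    nothing about earlier states; that is the forward security property."""
    return hashlib.sha256(b"next" + state).digest()


def one_way_output(state):
    """Outputs come from a separate hash so they leak nothing about the state."""
    return hashlib.sha256(b"out" + state).digest()


def run_one_way(seed, n):
    state = seed
    outputs = []
    for _ in range(n):
        state = one_way_step(state)
        outputs.append(one_way_output(state))
    return state, outputs


if __name__ == "__main__":
    final, outs = run_invertible(0x12345678, 6)
    print("earlier outputs recovered from captured state:",
          backtrack(final, 5) == outs[:-1][::-1])
```

The toy has no entropy input between steps. In a real generator, whatever entropy was mixed in between two outputs is what a backtracking attacker has to guess, which is why the measured amount of entropy actually collected matters as much as the mixing function itself.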
|
|
Zvi Gutterman is CTO and co-founder of Safend. As CTO, Zvi designs key Safend technologies such as the algorithms and theory behind Safend Auditor and Safend Protector implementation. He is responsible for maintaining Safend's competitive advantage through cutting-edge innovation. Prior to co-founding Safend, Zvi was with ECTEL (NASDAQ:ECTX), performing as a chief architect in the IP infrastructure group. He also previously served as an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. He holds Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology and is a Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering.
|

Ajax (in)security
Billy Hoffman, Security Researcher, SPI Dynamics, Inc. |
|
Ajax can mean different things to different people. To a user, Ajax means smooth web applications like Google Maps or Outlook Web Access. To a developer, Ajax provides methods to enrich a user's experience with a web application by reducing latency and offloading complex tasks onto the client. To an information architect, Ajax means fundamentally changing the design of web applications so they span both client and server. To the security professional, Ajax makes life difficult by increasing the attack surface of web applications and exposing internal logic layers to the entire network. With 70% of attacks coming through the application layer, Ajax makes the job of securing web applications that much harder.
This presentation will comprehensively discuss the fundamental security issues of Ajax. These include browser/server interaction issues, application design issues, vulnerabilities in work-arounds like Ajax bridges, and how the hype surrounding Web 2.0 applications is making things worse. Specifically we will examine the different attack methodologies used against Ajax applications, how Ajax increases the danger of XSS attacks, the dangers of exposing your application logic layer to the network, how bridges can be used to exploit 3rd party sites, and more. Finally we discuss how to properly design an Ajax application to avoid these security issues and demonstrate methods to secure existing applications.
Participants should have a good understanding of HTTP, JavaScript, and be familiar with web application design.
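The bridge problem mentioned above, as an added example (not the speaker's code): an Ajax bridge is a server-side endpoint that fetches a URL on behalf of browser script to get around the same-origin policy. If the target comes from the request unchecked, the bridge is an open proxy that lets any visitor make the server hit third-party or internal hosts. The hardened resolver below rebuilds the upstream URL from validated parts. The function names, the allowlist and the `.test` hosts are assumptions for the illustration; no network access is needed to run it.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit


class BridgeRejected(ValueError):
    """Raised when the bridge refuses to fetch the requested target."""


# Assumed allowlist for the hypothetical bridge: upstream host -> permitted path prefixes.
ALLOWED_UPSTREAMS = {
    "api.example-maps.test": ("/geocode", "/tiles"),
}


def resolve_target_vulnerable(params):
    """The naive bridge: fetch whatever ?url= names. Every visitor can now make
    the server issue requests to arbitrary third-party (or internal) hosts."""
    return params["url"]


def resolve_target_hardened(params):
    """Return the upstream URL the bridge may fetch, rebuilt from validated parts,
    or raise BridgeRejected. Only the scheme, an allowlisted host, a path under
    an allowed prefix and the query survive; userinfo, odd ports and fragments do not."""
    parts = urlsplit(params.get("url", ""))
    if parts.scheme not in ("http", "https"):
        raise BridgeRejected("scheme not allowed")
    try:
        port = parts.port
    except ValueError:
        raise BridgeRejected("malformed port") from None
    if parts.username is not None or parts.password is not None:
        # blocks https://api.example-maps.test@evil.test/ style authority tricks
        raise BridgeRejected("userinfo not allowed")
    if port not in (None, 80, 443):
        raise BridgeRejected("port not allowed")
    host = (parts.hostname or "").lower()
    prefixes = ALLOWED_UPSTREAMS.get(host)
    if prefixes is None:
        raise BridgeRejected("host not allowlisted")
    path = posixpath.normpath(parts.path or "/")   # collapses /tiles/../admin to /admin
    if not path.startswith("/") or not any(
        path == p or path.startswith(p + "/") for p in prefixes
    ):
        raise BridgeRejected("path not allowed")
    return urlunsplit((parts.scheme, host, path, parts.query, ""))


if __name__ == "__main__":
    for candidate in (
        "https://api.example-maps.test/geocode?q=1+Main+St",
        "https://api.example-maps.test@evil.test/geocode",
        "https://api.example-maps.test/tiles/../admin",
        "file:///etc/passwd",
    ):
        try:
            print("ALLOW", resolve_target_hardened({"url": candidate}))
        except BridgeRejected as why:
            print("DENY ", candidate, "->", why)
```

Two design choices worth keeping: the allowlist is keyed on the parsed host, never on a substring of the raw URL, and the outbound URL is reassembled from the parsed pieces rather than forwarding the caller's string. The resolver does not percent-decode the path, so an upstream that decodes `%2e%2e` itself should additionally be given a normalised, decoded path before the prefix check.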
|
|
Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.
|

Analysis of Web Application Worms and Viruses
Billy Hoffman, Security Researcher, SPI Dynamics, Inc. |
|
Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple HTTP daemons. With the near ubiquity of W3C compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful applications accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse.
This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the authors' sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Swogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats.
Participants should have a good understanding of the different HTTP methods, Javascript, DOM manipulation and security, Perl, and be familiar with web application design.
|
|
Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.
|

Hacking World of Warcraft®: An Exercise in Advanced Rootkit Design
Greg Hoglund |
|
Online games are very popular and represent some of the most complex multi-user applications in the world. World of Warcraft® takes center stage with over 5 million players worldwide. In these persistent worlds, your property (think gold and magic swords) is virtual: it exists only as a record in a database. Yet, over $600 million real dollars were spent in 2005 buying and selling these virtual items. Entire warehouses in China are full of sweatshop workers who make a few dollars a month to "farm" virtual gold. In other words, these "virtual" worlds are real economies with outputs greater than some small countries. Being run by software, these worlds are huge targets for cheating. The game play is easily automated through "botting", and many games have bugs that enable items and gold to be duplicated, among other things. The game publishing companies are responding to the cheating threat with bot-detection technologies and large teams of lawyers. Cheaters are striking back by adding rootkits to their botting programs. The war is on. Hoglund discusses how the gaming environment has pushed the envelope for rootkit development and invasive program manipulation. He discusses World of Warcraft in particular, and an anti-cheating technology known as the "Warden".
In 2005, Hoglund blew the whistle publicly on the Warden client and began developing anti-Warden technology. He discusses a botting program known as WoWSharp, including some unreleased rootkit development that was used to make it invisible to the Warden. Hoglund discusses some advanced techniques that involve memory cloaking, hyperspacing threads, shadow branching, and kernel-to-user code injection. Both offensive and defensive techniques are discussed. Software developers working on games would be well advised to attend this talk, and people working with malware in general will find the material valuable.
|
|
Greg Hoglund is the founder of rootkit.com, has been involved in many software security companies, and currently works for HBGary, Inc. Hoglund has authored several books on software security. He has frequently spoken at conferences and offered training on reverse engineering and rootkit development. His new training class, co-taught with Jamie Butler, "Advanced Second Generation Digital Weaponry", is now offered through Black Hat.
|

Faster PwninG Assured: Hardware Hacks and Cracks with FPGAs
David Hulton, Researcher, OpenCiphers
Dan Moniz, The Shmoo Group |
|
This talk will go in-depth into methods for breaking crypto faster using FPGAs. FPGAs are chips that have millions of gates that can be programmed and connected arbitrarily to perform any sort of task. Their inherent structure provides a perfect environment for running a variety of crypto algorithms, and doing so at speeds much faster than a conventional PC. A handful of new FPGA crypto projects will be presented and will demonstrate how many algorithms can be broken much faster than people really think, and in most cases, extremely inexpensively.
Breaking WPA-PSK is possible with coWPAtty, but trying to do so onsite can be time consuming and boring. All that waiting around for things to be computed each and every time we want to check for dumb and default passwords. Well, we're impatient and like to know the password NOW! Josh Wright has recently added support for pre-computed tables to coWPAtty, but how do you create a good set of tables and not have it take 70 billion years? David Hulton has implemented the time consuming PBKDF2 step of WPA-PSK on FPGA hardware and optimized it to run at blazing speeds specifically for cracking WPA-PSK and generating tables with coWPAtty.
What about those lusers that still use WEP? Have you only collected a few hundred interesting packets and don't want to wait till the universe implodes to crack your neighbor's key? Johnycsh and David Hulton have come up with a method to offload cracking keyspaces to an FPGA, increasing the speed considerably.
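The PBKDF2 step referred to above, as an added example in plain Python (not the speakers' FPGA design or coWPAtty's code), together with the per-SSID table that precomputation builds. The candidate wordlist is constructed for this page; the one asserted test vector ("password" / "IEEE") is the published WPA-PSK example.

```python
import hashlib


def wpa_psk_pmk(passphrase, ssid):
    """WPA-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase, salted
    with the SSID, 4096 iterations, 256-bit output. That is 4096 HMAC-SHA1
    evaluations for each of the two 20-byte output blocks, per candidate, and it
    is this loop that is worth putting into hardware."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def build_table(ssid, wordlist):
    """Precompute passphrase -> PMK for one SSID (a coWPAtty-style table).
    Because the SSID is the salt, the table is useless against any other
    network name, which is why tables are built per SSID."""
    return {pw: wpa_psk_pmk(pw, ssid) for pw in wordlist}


def lookup(table, pmk):
    """Find the passphrase behind a PMK, if it is in the table."""
    for pw, candidate in table.items():
        if candidate == pmk:
            return pw
    return None


# Constructed wordlist of "dumb and default" candidates for the illustration.
DEFAULT_CANDIDATES = ["password", "admin123", "letmein1", "changeme"]


if __name__ == "__main__":
    table = build_table("IEEE", DEFAULT_CANDIDATES)
    target = wpa_psk_pmk("password", "IEEE")
    print("PMK for password/IEEE:", target.hex())
    print("recovered from table:", lookup(table, target))
    print("same table, other SSID:", lookup(table, wpa_psk_pmk("password", "ieee")))
```

In a real attack the PMK is not observed directly: the candidate is confirmed from a captured 4-way handshake by deriving the PTK and checking the EAPOL MIC, which is cheap compared with the PBKDF2 step and is why precomputing the PMKs is where the time goes. Note also that the SSID is case-sensitive as a salt, so a table for "IEEE" does not help against "ieee".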
CheapCrack is a work in progress which follows in the footsteps of The Electronic Frontier Foundation's 1998 DES cracking machine, DeepCrack. In the intervening eight years since DeepCrack was designed, built, deployed, and won the RSA DES challenge, FPGAs have gotten smaller, faster, and cheaper. We wondered how feasible it would be to shrink the cost of building a DES cracking machine from $210,000 1998 dollars to around $10,000 2006 dollars, or less, using COTS FPGA hardware, tools, and HDL cores instead of custom fabricated ASICs. We'll show CheapCrack progress to date, and give estimates on how far from completion we are, as well as a live demo.
| |