Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference Past speeches and talks from the Black Hat Briefings computer security conferences.<br> The Black Hat Briefings USA 2006 was held August 2-3 in Las Vegas at Caesars Palace. Two days, fourteen tracks, over 85 presentations. Dan Larkin of the FBI was the keynote speaker. Celebrating our tenth year anniversary.<br> A post convention wrap up can be found at http://www.blackhat.com/html/bh-usa-06/bh-usa-06-index.html<br> <br /> <br> Black Hat Briefings bring together a unique mix in security: the best minds from government agencies and global corporations with the underground's most respected hackers. These forums take place regularly in Las Vegas, Washington D.C., Amsterdam, and Tokyo<br> <br /> <br> If you want to get a better idea of the presentation materials go to http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#USA-2006 and download them. Put up the pdfs in one window while watching the talks in the other. Almost as good as being there!;br> <br /> Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest with new content added as available! Past speeches and talks from Black Hat in an iPod friendly .mp3 audio and .mp4 h.264 192k video format http://www.blackhat.com Computers/Hacking (c)2006 Black Hat, Inc. http://blogs.law.harvard.edu/tech/rss en Fri, 19 Jan 2007 17:04:45 -0800 jmoss@blackhat.com Fri, 5 Jan 2007 16:01:28 -0800 feedback@blackhat.com FeedForAll v2.0 (2.0.1.1) http://www.feedforall.com Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference Past speeches and talks from the Black Hat Briefings computer security conferences. The Black Hat Briefings USA 2006 was held August August 2-3 in Las Vegas at Caesars Palace. Two days, fourteen tracks, over 85 presentations. Dan Larkin of the FBI was the keynote speaker. 
Celebrating our tenth year anniversary. A post convention wrap up can be found at http://www.blackhat.com/html/bh-usa-06/bh-usa-06-index.html Black Hat Briefings bring together a unique mix in security: the best minds from government agencies and global corporations with the underground's most respected hackers. These forums take place regularly in Las Vegas, Washington D.C., Amsterdam, and Tokyo. If you want to get a better idea of the presentation materials go to http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#USA-2006 and download them. Put up the pdfs in one window while watching the talks in the other. Almost as good as being there! Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest with new content added as available! Past speeches and talks from Black Hat in an iPod friendly .mp3 audio and .mp4 h.264 192k video format Jeff Moss Black Hat jmoss@blackhat.com Blackhat Briefings and Training, Blackhat USA 2006, Black Hat Vegas, BlackHat Vegas,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Dan Larkin: Keynote: Fighting Organized Cyber Crime - War Stories and Trends "As one of the pioneers of partnerships for the FBI, Dan Larkin of the FBI’s Cyber Division will outline how the FBI has taken this concept from rhetoric to reality over the past 5 years. This presentation will explore how the mantra make it "personal" has aided the FBI in forging exceptional alliances with key stake holders from industry, academia and law enforcement both domestically and abroad. This presentation will also outline how such collaborations have helped to proactively advance the fight against an increasingly international and organized, cyber crime threat. 
Dan Larkin became unit chief of the Internet Crime Complaint Center (IC3), which is a join initiative between the FBI and the National White Collar Crime Center (NW3C) in January 2003. Before that he was a supervisory special agent (SSA) in the White Collar Crime area for ten years. In that capacity he supervised and coordinated numerous joint agency initiatives on both regional and national levels involving corruption and fraud associated with a variety of federal, state, and local agencies. SSA Larkin acted as the congressional investigative team leader in the "Operation Illwind" Pentagon scandal corruption investigation. The combined effort of this team led to record settlements and convictions involving numerous top defense contractors, as well as public officials. Prior to his current assignment UC Larkin developed and supervised the High Tech Crimes Task Force in Western Pennsylvania, one of the first such initiatives in the United States. UC Larkin also developed a national initiative known as the National Cyber Forensics and Training Alliance (NCFTA) This progressive initiative maximizes overlapping public/private sector resources, in identifying and proactively targeting escalating cyber-crime perpetrators both domestically and abroad. This project also serves to attract a perpetual stream of key Subject Matter Experts (SME's) from industry, government and academia, creating a dynamic cyber-nerve-center, for tactical and proactive response, forensics and vulnerability analysis, and the development of advanced training. UC Larkin also co-authored the FBI’s re-organization plan in 2002 which established Cyber Crime as a top priority, and underscored the need for additional Public/Private Alliances in combating priority cyber crimes word-wide." 
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#larkin feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 48332F47-5B80-45A7-8BFA-C692CC48949F Sun, 4 Jun 2006 16:10:19 -0700 Keynote: Fighting Organized Cyber Crime - War Stories and Trends David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd. 54:41 Dan Larkin Dan Larkin ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Dan Larkin: Keynote: Fighting Organized Cyber Crime - War Stories and Trends David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd. Dan Larkin DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ David Litchfield : All New Zero Day David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". 
In his spare time he is the Managing Director of Next Generation Security Software Ltd. http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#litchfield feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ E0CCB54C-828D-4B35-A78A-23E5E16C64C3 Sun, 4 Jun 2006 16:10:19 -0700 All New Zero Day David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd. 45:14 David Litchfield David Litchfield ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no David Litchfield : All New Zero Day David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd. David Litchfield DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ David Endler: Hacking VOIP Exposed "Lately there seems to be an explosion of press hype around the possibility of hackers exploiting Voice-over-IP networks and services (Skype, Vonage, etc.). VoIP Spam, Caller ID Spoofing, Toll Fraud, VoIP Phishing, Eavesdropping, and Call Hijacking are just some of the terms being thrown around that seem to cause a fair share of fear and uncertainty in the market. 
We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also in order to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism on which attacks are likely to emerge into the public domain. Also, we will unveil several VoIP security tools we wrote to facilitate the exploiting and scanning of VoIP devices, along with a few 0-days we discovered along the way. As VoIP is rolled out rapidly to enterprise networks this year, the accessibility and sexiness of attacking VoIP technology will increase. The amount of security research and bug hunting around VoIP products has only reached the tip of the iceberg and we predict many more vulnerabilities will begin to emerge. David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's internal product security testing, VoIP security center, and TippingPoint’s vulnerability research teams. Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA). VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. Prior to TippingPoint, Endler led the security research teams at iDEFENSE. In previous lives, he has performed security research working for Xerox Corporation, the National Security Agency, and Massachusetts Institute of Technology. Endler is the author of numerous articles and papers on computer security and holds a Masters degree in Computer Science from Tulane University. Mark Collier, CTO for SecureLogix Corporation, is responsible for research and related intellectual property. Previously, Mr. 
Collier was with the Southwest Research Institute for 14 years, where he contributed to and managed software research and development projects in a wide variety of fields, including information warfare. Mr. Collier has been working in the industry for 20 years, and has spent the past decade working in security, telecommunications, and networking. He is a frequent author and presenter on the topic of voice and VoIP security and holds a Bachelor of Science degree in Computer Science from St. Mary’s University." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#endler feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 1CF836AB-6C7B-4DF2-932E-A9222ECFDECD Sun, 4 Jun 2006 16:10:19 -0700 Hacking VOIP Exposed "Lately there seems to be an explosion of press hype around the possibility of hackers exploiting Voice-over-IP networks and services (Skype, Vonage, etc.). VoIP Spam, Caller ID Spoofing, Toll Fraud, VoIP Phishing, Eavesdropping, and Call Hijacking are just some of the terms being thrown around that seem to cause a fair share of fear and uncertainty in the market. We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also in order to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism on which attacks are likely to emerge into the public domain. Also, we will unveil several VoIP security tools we wrote to facilitate the exploiting and scanning of VoIP devices, along with a few 0-days we discovered along the way. As VoIP is rolled out rapidly to enterprise networks this year, the accessibility and sexiness of attacking VoIP technology will increase. 
The amount of security research and bug hunting around VoIP products has only reached the tip of the iceberg and we predict many more vulnerabilities will begin to emerge. David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's internal product security testing, VoIP security center, and TippingPoint’s vulnerability research teams. Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA). VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. Prior to TippingPoint, Endler led the security research teams at iDEFENSE. In previous lives, he has performed security research working for Xerox Corporation, the National Security Agency, and Massachusetts Institute of Technology. Endler is the author of numerous articles and papers on computer security and holds a Masters degree in Computer Science from Tulane University. Mark Collier, CTO for SecureLogix Corporation, is responsible for research and related intellectual property. Previously, Mr. Collier was with the Southwest Research Institute for 14 years, where he contributed to and managed software research and development projects in a wide variety of fields, including information warfare. Mr. Collier has been working in the industry for 20 years, and has spent the past decade working in security, telecommunications, and networking. He is a frequent author and presenter on the topic of voice and VoIP security and holds a Bachelor of Science degree in Computer Science from St. Mary’s University." 
1:02:39 David Endler David Endler ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no David Endler: Hacking VOIP Exposed "Lately there seems to be an explosion of press hype around the possibility of hackers exploiting Voice-over-IP networks and services (Skype, Vonage, etc.). VoIP Spam, Caller ID Spoofing, Toll Fraud, VoIP Phishing, Eavesdropping, and Call Hijacking are just some of the terms being thrown around that seem to cause a fair share of fear and uncertainty in the market. We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also in order to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism on which attacks are likely to emerge into the public domain. Also, we will unveil several VoIP security tools we wrote to facilitate the exploiting and scanning of VoIP devices, along with a few 0-days we discovered along the way. As VoIP is rolled out rapidly to enterprise networks this year, the accessibility and sexiness of attacking VoIP technology will increase. The amount of security research and bug hunting around VoIP products has only reached the tip of the iceberg and we predict many more vulnerabilities will begin to emerge. David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's internal product security testing, VoIP security center, and TippingPoint’s vulnerability research teams. Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA). 
VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. Prior to TippingPoint, Endler led the security research teams at iDEFENSE. In previous lives, he has performed security research working for Xerox Corporation, the National Security Agency, and Massachusetts Institute of Technology. Endler is the author of numerous articles and papers on computer security and holds a Masters degree in Computer Science from Tulane University. Mark Collier, CTO for SecureLogix Corporation, is responsible for research and related intellectual property. Previously, Mr. Collier was with the Southwest Research Institute for 14 years, where he contributed to and managed software research and development projects in a wide variety of fields, including information warfare. Mr. Collier has been working in the industry for 20 years, and has spent the past decade working in security, telecommunications, and networking. He is a frequent author and presenter on the topic of voice and VoIP security and holds a Bachelor of Science degree in Computer Science from St. Mary’s University." David Endler DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Neal Krawetz (Dr): You are what you type: No classical computer forensics "In an online world, anonymity seems easy. Network addresses can be cloaked and files can be manipulated. People rapidly change virtual names, genders, and skills. But even with these precautions, anti-anonymity techniques can track people. Habitual patterns and learned skills are subtle, appearing in everything we type. This presentation discusses profiling methods for identifying online people and breaching anonymity. The topics covered include methods to identify skillsets, nationality, gender, and even physical attributes. Dr. Neal Krawetz has a Ph.D. 
in Computer Science and over 15 years of computer security experience. His research focuses on methods to track "anonymous" people online, with an emphasis on anti-spam and anti-anonymity technologies. Dr. Krawetz runs Hacker Factor Solutions, a company dedicated to security-oriented auditing, research, and solutions. He is the author of "Introduction to Network Security" (Charles River Media, 2006)." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#krawetz feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ EBAD2671-A8DC-4EB6-A816-8748B20E726C Sun, 4 Jun 2006 16:10:19 -0700 You are what you type: No classical computer forensics "In an online world, anonymity seems easy. Network addresses can be cloaked and files can be manipulated. People rapidly change virtual names, genders, and skills. But even with these precautions, anti-anonymity techniques can track people. Habitual patterns and learned skills are subtle, appearing in everything we type. This presentation discusses profiling methods for identifying online people and breaching anonymity. The topics covered include methods to identify skillsets, nationality, gender, and even physical attributes. Dr. Neal Krawetz has a Ph.D. in Computer Science and over 15 years of computer security experience. His research focuses on methods to track "anonymous" people online, with an emphasis on anti-spam and anti-anonymity technologies. Dr. Krawetz runs Hacker Factor Solutions, a company dedicated to security-oriented auditing, research, and solutions. He is the author of "Introduction to Network Security" (Charles River Media, 2006)." 47:47 Neal Krawetz (Dr) Neal Krawetz (Dr) ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Neal Krawetz (Dr): You are what you type: No classical computer forensics "In an online world, anonymity seems easy. Network addresses can be cloaked and files can be manipulated. 
People rapidly change virtual names, genders, and skills. But even with these precautions, anti-anonymity techniques can track people. Habitual patterns and learned skills are subtle, appearing in everything we type. This presentation discusses profiling methods for identifying online people and breaching anonymity. The topics covered include methods to identify skillsets, nationality, gender, and even physical attributes. Dr. Neal Krawetz has a Ph.D. in Computer Science and over 15 years of computer security experience. His research focuses on methods to track "anonymous" people online, with an emphasis on anti-spam and anti-anonymity technologies. Dr. Krawetz runs Hacker Factor Solutions, a company dedicated to security-oriented auditing, research, and solutions. He is the author of "Introduction to Network Security" (Charles River Media, 2006)." Neal Krawetz (Dr) DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Ofir Arkin: Bypassing Network Access Control (NAC) Systems "The threat of viruses, worms, information theft and lack of control of the IT infrastructure lead companies to implement security solutions to control the access to their internal IT networks. A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. All are tasked with one goal - controlling the access to a network using different methods and solutions. This presentation will examine the different strategies used to provide with network access controls. Flaws associated with each and every NAC solution presented would be presented. These flaws allows the complete bypass of each and every network access control mechanism currently offered on the market. Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks. 
Ofir holds 10 years of experience in data security research and management. Prior of co-founding Insightix, he had served as a CISO of a leading Israeli international telephone carrier. In addition, Ofir had consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir conducts cutting edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security, and network discovery, and lectured in a number of computer security conferences about the research. The most known papers he had published are: "ICMP Usage in Scanning", "Security Risk Factors with IP Telephony based Networks", "Trace-Back", "Etherleak: Ethernet frame padding information leakage", etc. He is a co-author of the remote active operating system fingerprinting tool Xprobe2. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA) and also serves as a board member. Ofir is the founder of (Sys-Security Group), a computer security research group." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#arkin feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ D9A7FB42-4C15-455F-A3FD-306FD7ACD382 Sun, 4 Jun 2006 16:10:19 -0700 Bypassing Network Access Control (NAC) Systems "The threat of viruses, worms, information theft and lack of control of the IT infrastructure lead companies to implement security solutions to control the access to their internal IT networks. A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. All are tasked with one goal - controlling the access to a network using different methods and solutions. This presentation will examine the different strategies used to provide with network access controls. Flaws associated with each and every NAC solution presented would be presented. 
These flaws allows the complete bypass of each and every network access control mechanism currently offered on the market. Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks. Ofir holds 10 years of experience in data security research and management. Prior of co-founding Insightix, he had served as a CISO of a leading Israeli international telephone carrier. In addition, Ofir had consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir conducts cutting edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security, and network discovery, and lectured in a number of computer security conferences about the research. The most known papers he had published are: "ICMP Usage in Scanning", "Security Risk Factors with IP Telephony based Networks", "Trace-Back", "Etherleak: Ethernet frame padding information leakage", etc. He is a co-author of the remote active operating system fingerprinting tool Xprobe2. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA) and also serves as a board member. Ofir is the founder of (Sys-Security Group), a computer security research group." 51:17 Ofir Arkin Ofir Arkin ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Ofir Arkin: Bypassing Network Access Control (NAC) Systems "The threat of viruses, worms, information theft and lack of control of the IT infrastructure lead companies to implement security solutions to control the access to their internal IT networks. A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. 
All are tasked with one goal - controlling the access to a network using different methods and solutions. This presentation will examine the different strategies used to provide with network access controls. Flaws associated with each and every NAC solution presented would be presented. These flaws allows the complete bypass of each and every network access control mechanism currently offered on the market. Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks. Ofir holds 10 years of experience in data security research and management. Prior of co-founding Insightix, he had served as a CISO of a leading Israeli international telephone carrier. In addition, Ofir had consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir conducts cutting edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security, and network discovery, and lectured in a number of computer security conferences about the research. The most known papers he had published are: "ICMP Usage in Scanning", "Security Risk Factors with IP Telephony based Networks", "Trace-Back", "Etherleak: Ethernet frame padding information leakage", etc. He is a co-author of the remote active operating system fingerprinting tool Xprobe2. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA) and also serves as a board member. Ofir is the founder of (Sys-Security Group), a computer security research group." Ofir Arkin DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Bruce Potter: The Trusted Computing Revolution "Trusted computing is considered a dirty word by many due to its use for Digital Rights Management (DRM). 
There is a different side of trusted computing, however, that can solve problems information security professionals have been attempting to solve for more than three decades. Large scale deployment of trusted computing will fundamentally change the threat model we have been using for years when building operating systems, applications, and networks. This talk will examine the history of trusted computing and the current mindset of information security. From there, we will attempt to demystify the trusted computing architecture and give examples of where trusted computing is being used today. Then, we'll discuss how security constructs that we know and love today (such as firewalls and SSL transactions) fundamentally change when a trusted hardware component is added. Finally, new tools will be released to allow users to examine trusted components in their system. Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Potter (posted Sun, 4 Jun 2006 16:10:19 -0700; running time 44:41)

Dan Kaminsky: Black Ops 2006 "The known topics for this year include: 1. The Worldwide SSL Analysis: There's a major flaw in the way many, many SSL devices operate. I'll discuss how widespread this flaw is, as well as announce results from this worldwide SSL scan. 2. Syntax Highlighting... on Hexdumps. Reverse Engineering efforts often require looking at hex dumps, without much context for what's being looked at. I will discuss a "bridge" position between AI and manual operation in which compression code is used to automatically visualize patterns in analyzed data. 3. Everything else."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#kaminsky (posted Sun, 4 Jun 2006 16:10:19 -0700; running time 1:00:27)
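The second Black Ops item above, compression-driven pattern visualisation on hexdumps, gets an added example here. It is not Dan Kaminsky's code, and the abstract does not say which compressor or thresholds his tool used; this block runs zlib over a sliding window and turns each window's compression ratio into a label printed in the hexdump margin. WINDOW, the two thresholds, the label names and the constructed SAMPLE buffer are all assumptions made for this example.

```python
import hashlib
import zlib

WINDOW = 256          # bytes per window (assumption; tiny windows give deflate nothing to find)
PADDING_MAX = 0.15    # compressed/raw ratio below this: runs of one byte (assumed threshold)
RANDOM_MIN = 0.90     # ratio above this: compressed, encrypted or random data (assumed threshold)


def compression_ratio(chunk: bytes) -> float:
    """Compressed length over raw length; lower means more internal structure."""
    if not chunk:
        return 0.0
    return len(zlib.compress(chunk, 9)) / len(chunk)


def classify(chunk: bytes) -> str:
    """Map one window's compression ratio to a coarse region label."""
    ratio = compression_ratio(chunk)
    if ratio < PADDING_MAX:
        return "padding"      # zero fill, NOP sleds, slack space
    if ratio < RANDOM_MIN:
        return "structured"   # strings, tables, machine code: repetitive but not trivial
    return "random"           # packed, encrypted, or key material: nothing to compress


def profile(data: bytes, window: int = WINDOW) -> list:
    """Classify every window of `data`; returns (offset, ratio, label) tuples."""
    result = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        result.append((off, round(compression_ratio(chunk), 3), classify(chunk)))
    return result


def hexdump(data: bytes, window: int = WINDOW, width: int = 16) -> str:
    """Classic hexdump whose left margin carries the window's label."""
    lines = []
    for off, _ratio, label in profile(data, window):
        for row_off in range(off, min(off + window, len(data)), width):
            row = data[row_off:row_off + width]
            hexpart = " ".join(f"{b:02x}" for b in row)
            ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
            lines.append(f"{label:10s} {row_off:08x}  {hexpart:<{width * 3}} |{ascii_part}|")
    return "\n".join(lines)


def deterministic_noise(n: int) -> bytes:
    """Constructed high-entropy sample (chained SHA-256), reproducible across runs."""
    out, state = b"", b"seed"
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return out[:n]


# Constructed sample "dump": a zero-filled region, an ASCII hex string, then noise.
SAMPLE = (
    b"\x00" * WINDOW
    + deterministic_noise(WINDOW // 2).hex().encode()
    + deterministic_noise(WINDOW)
)

if __name__ == "__main__":
    print(hexdump(SAMPLE))
```

Running it prints the three regions with the margin changing from padding to structured to random. The caveat a reverser should keep in mind: the ratio only discriminates when a window holds enough bytes for deflate to find repeats, so very small windows look random whatever they contain, and a compressed section is indistinguishable from an encrypted one by this measure alone.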
Halvar Flake: RE 2006: New Challenges Need Changing Tools "Reverse Engineering has come a long way: what used to be practiced behind closed doors is now a mainstream occupation practiced throughout the security industry. Compilers and languages are changing, and the reverse engineer has to adapt: nowadays, understanding C and the target platform's assembly language is not sufficient any more. Too many reverse engineers shy away from analyzing C++ code and run into trouble dealing with heavily optimized executables. This talk will list common challenges that the reverse engineer faces in the process of disassembling nowadays, and suggest some solutions. Furthermore, a list of unsolved problems will be discussed. Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#flake (posted Sun, 4 Jun 2006 16:10:19 -0700; running time 45:20)
Pete Finnigan: How to Unwrap Oracle PL/SQL "PL/SQL has been the flagship language inside the Oracle database for many years and through many versions, allowing customers to implement their business rules and logic. Oracle has recognized that it is necessary for customers to protect their intellectual property coded in PL/SQL and has provided the wrap program. The wrapping mechanism was cracked some years ago and there are unwrapping tools in the black hat community. Oracle has beefed up the wrapping mechanism in Oracle 10g, in part to counter this. What is not common knowledge amongst the user community is that PL/SQL code installed in the database is not secure and can be read if you are in possession of an unwrapper. What is not common knowledge even in the security community is that Oracle always knew that PL/SQL can be unwrapped, due to the methods chosen to wrap it in the first place. What is more surprising is that there are features and programs actually shipped with the database software that show how it is possible to unwrap PL/SQL without using reverse engineering techniques, if you know where to look! Pete Finnigan is well known in the Oracle community for hosting his Oracle security website, www.petefinnigan.com, which includes a whole raft of Oracle security information from blogs, forums, tools, papers and links. He is also the author of the "SANS Oracle Security Step-By-Step" guide book and of the SANS GIAC Oracle security course. Pete currently works for Siemens Insight Consulting as head of their database security team, performing security audits, training, design and architecture reviews. He has also written many useful Oracle security scripts and password lists available from his website and has written many papers on the subject published by many different sites including Security Focus and iDefence. Pete is also a member of the OakTable, a group of the world's leading Oracle researchers."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#finnigan (posted Sun, 4 Jun 2006 16:10:19 -0700; running time 53:53)
Hendrik Scholz: SIP Stack Fingerprinting and stack difference attacks "VoIP applications went mainstream, although the underlying protocols are still undergoing constant development. The SIP protocol, being the main driver behind this, has been analyzed, fuzzed and put to the test before, but interoperability weaknesses still yield a large field for attacks. This presentation gives a short introduction to the SIP protocol and the threats it exposes; enough to understand the issues described. A SIP stack fingerprinting tool will be released during the talk which allows different stacks to be identified and classified for further attacks. The main part focuses on practical attacks targeting features from caller ID spoofing to Lawful Interception. Various attack vectors are pointed out to allow further exploit development. Hendrik Scholz is a lead VoIP developer and Systems Engineer at Freenet Cityline GmbH in Kiel, Germany. His daily job consists of developing server side systems and features as well as tracking down bugs in SIP stacks. He earned his Bachelor's in Computer Science from the German University of Applied Sciences Kiel in 2003. While studying abroad in Melbourne, Australia, and working as a Unix developer in Atlanta, GA, and Orlando, FL, he contributed to FreeBSD and specialized in networking security issues. He has released operating-system-level as well as application-layer fingerprinting tools. Having access to present and upcoming VoIP devices, hacking on these has become a spare time passion."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#scholz (posted Sun, 4 Jun 2006 16:10:19 -0700; running time 51:21)
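As an added example for the fingerprinting part of the abstract above (this is not Hendrik Scholz's tool), the block below identifies a SIP stack passively from an OPTIONS response. It scores header order, use of compact header names, the Via parameters a stack adds, and the Allow list and its order against signatures, while the Server/User-Agent banner, which an administrator can set to anything, is reported but never scored. The two stacks, their signatures and the three responses are constructed for this example and describe no real product.

```python
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "k": "supported", "s": "subject"}


def parse_sip(raw: bytes):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def fingerprint(raw: bytes) -> dict:
    """Extract formatting traits that a stack author rarely makes configurable."""
    _start, headers, _body = parse_sip(raw)
    written = [name for name, _ in headers]
    canonical = [COMPACT.get(n.lower(), n.lower()) for n in written]
    values = {c: v for c, (_, v) in zip(canonical, headers)}
    allow = tuple(m.strip() for m in values.get("allow", "").split(",") if m.strip())
    return {
        "first_headers": tuple(canonical[:3]),                        # header ordering
        "compact": tuple(sorted(n for n in written if len(n) == 1)),   # compact-form use
        "via_rport": ";rport" in values.get("via", ""),                # Via parameter handling
        "allow": allow,                                                # method list and its order
        "server": values.get("server", values.get("user-agent", "")),  # advertised, spoofable
    }


# Signatures are constructed for this example; they describe no real product.
SIGNATURES = {
    "AlphaPBX (constructed)": {
        "first_headers": ("via", "from", "to"), "compact": (), "via_rport": True,
        "allow": ("INVITE", "ACK", "CANCEL", "OPTIONS", "BYE"),
    },
    "BetaPhone (constructed)": {
        "first_headers": ("via", "to", "from"), "compact": ("f", "i", "l", "t", "v"),
        "via_rport": False, "allow": ("OPTIONS", "INVITE", "ACK", "BYE", "CANCEL"),
    },
}


def identify(raw: bytes, signatures: dict = SIGNATURES, min_score: int = 3) -> str:
    """Best-scoring signature, or 'unknown' on a weak score or a tie."""
    fp = fingerprint(raw)
    scored = sorted(
        ((sum(fp[k] == v for k, v in sig.items()), name) for name, sig in signatures.items()),
        reverse=True,
    )
    best_score, best_name = scored[0]
    if best_score < min_score or (len(scored) > 1 and scored[1][0] == best_score):
        return "unknown"
    return best_name


# Constructed OPTIONS responses from two imaginary stacks (RFC 5737 test addresses).
RESP_ALPHA = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1;received=192.0.2.10;rport=5060\r\n"
    b"From: <sip:probe@192.0.2.10>;tag=1\r\n"
    b"To: <sip:100@192.0.2.20>;tag=as5e\r\n"
    b"Call-ID: 1@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: AlphaPBX/1.0\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RESP_BETA = (
    b"SIP/2.0 200 OK\r\n"
    b"v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    b"t: <sip:100@192.0.2.20>;tag=9f\r\n"
    b"f: <sip:probe@192.0.2.10>;tag=1\r\n"
    b"i: 1@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Allow: OPTIONS, INVITE, ACK, BYE, CANCEL\r\n"
    b"l: 0\r\n\r\n"
)
# The same Beta stack after an administrator configured a misleading banner.
RESP_BETA_SPOOFED = RESP_BETA.replace(b"CSeq:", b"Server: AlphaPBX/1.0\r\nCSeq:")

if __name__ == "__main__":
    for label, msg in (("alpha", RESP_ALPHA), ("beta", RESP_BETA), ("spoofed", RESP_BETA_SPOOFED)):
        print(label, "->", identify(msg), "banner:", fingerprint(msg)["server"] or "(none)")
```

The spoofed response still classifies as BetaPhone because the banner is excluded from scoring; a stack's header ordering and compact-form habits are baked into its code, which is what makes them useful both for picking the right follow-up attack and for spotting a device that is not what its banner claims.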
Mariusz Burdach: Physical Memory Forensics "Historically, only file systems were considered as locations where evidence could be found. But what about the volatile memory, which contains a huge amount of useful information such as the content of clipboards or the SAM database? How long can volatile data stay in the main memory? What about anti-forensic methods of defeating disk forensic and incident response tools? Why is the content of the memory not dumped during the process of data collection from a suspicious computer? What is the best way to analyze the physical memory from Windows® and Linux® machines? Is it possible? I will answer these questions during my Black Hat presentation, which is focused on methods of finding digital evidence in the physical memory of Windows and Linux machines. During the presentation, methods of investigating the physical memory from a compromised machine will be discussed. Through these methods, it is possible to extract useful information from the memory such as the full content of .dll and .exe files, various caches like clipboards, detailed information about each process (e.g. owner, MAC times, content) and information about processes that were being executed and were terminated in the past. Also, methods of correlating page frames even from swap areas will be discussed. The techniques covered during the presentation will lead you through the process of analyzing important structures and recovering the content of files from the physical memory. As an integral part of the presentation, new ways of detecting hidden objects and methods of detecting kernel modification will be presented. These methods can be used to identify compromised machines and to detect malicious code such as memory-resident rootkits or worms. Finally, toolkits will be presented to help an investigator extract information from an image of the physical memory or from the memory object on a live system. Mariusz Burdach is a security researcher specializing in forensics, reverse engineering, intrusion detection, advanced intrusion protection and security management. He has published several articles on these topics in online and hardcover magazines. Mariusz is currently working on methods of forensic analysis of physical memory and methods of detecting kernel mode rootkits. In addition, he is also an expert witness and a SANS Local Mentor. As an independent instructor, he has been teaching incident response, forensic analysis and hardening of Unix/Linux systems for over 4 years. Mariusz has served as a consultant, auditor and incident handler to many government and financial institutions in Poland. He lives in Warsaw, Poland."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#burdach (posted Sun, 4 Jun 2006 16:10:19 -0700; running time 44:48)
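Added example for the recovery of "the full content of .dll and .exe files" described above; it is not Mariusz Burdach's toolkit. It scans a raw memory buffer page by page for PE headers, reads the section table, and carves the mapped image, rewriting each section's file pointer to its RVA so the carved file loads in a disassembler at the right offsets. The 16-page MEMORY_IMAGE, the hand-built PE32 inside it and the decoy 'MZ' page are constructed here. The assumption that one module occupies contiguous physical pages holds for this sample but not for a real dump, where the page tables have to be walked first (the page-frame correlation the abstract mentions) and paged-out sections come back from swap, if at all.

```python
import struct

PAGE = 0x1000
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def find_pe_headers(image: bytes):
    """Yield (offset, e_lfanew) for page-aligned 'MZ' headers whose e_lfanew lands on 'PE\\0\\0'."""
    for off in range(0, len(image) - 0x40, PAGE):
        if image[off:off + 2] != b"MZ":
            continue
        (e_lfanew,) = struct.unpack_from("<I", image, off + 0x3C)
        # Sanity bound (assumption): the PE signature must lie inside the same page.
        if e_lfanew > PAGE - 4:
            continue
        if image[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            yield off, e_lfanew


def parse_headers(image: bytes, off: int, e_lfanew: int) -> dict:
    """Read the COFF, optional and section headers of the image mapped at `off`."""
    pe = off + e_lfanew
    machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(COFF_FMT, image, pe + 4)
    (magic,) = struct.unpack_from("<H", image, pe + 24)          # 0x10B PE32, 0x20B PE32+
    (size_of_image,) = struct.unpack_from("<I", image, pe + 24 + 56)
    sec_base = pe + 24 + opt_size
    sections = []
    for i in range(nsec):
        hdr_off = sec_base + 40 * i
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, hdr_off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "hdr_off": hdr_off})
    return {"machine": machine, "magic": magic, "size_of_image": size_of_image,
            "sections": sections}


def carve(image: bytes, off: int, e_lfanew: int) -> bytes:
    """Copy SizeOfImage bytes and make the file layout equal the memory layout.

    A mapped image still carries the file's PointerToRawData values, which no
    longer describe where the sections sit; pointing them at the RVAs gives a
    file whose sections load where the memory copy had them.
    """
    info = parse_headers(image, off, e_lfanew)
    out = bytearray(image[off:off + info["size_of_image"]])
    for sec in info["sections"]:
        hdr = sec["hdr_off"] - off
        struct.pack_into("<II", out, hdr + 16, sec["vsize"], sec["va"])  # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_fake_image() -> bytes:
    """Constructed minimal PE32 as it looks once mapped (3 pages); not a real binary."""
    sections = [(b".text", 0x200, 0x1000, 0x400, b"\xcc" * 0x200),
                (b".data", 0x100, 0x2000, 0x600, b"A" * 0x100)]
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)                     # SizeOfImage, SizeOfHeaders
    sec_hdrs = b"".join(
        struct.pack(SECTION_FMT, n.ljust(8, b"\x00"), vs, va, 0x200, rp, 0, 0, 0, 0, 0x60000020)
        for n, vs, va, rp, _ in sections)
    image = bytearray(0x3000)
    headers = dos + b"PE\x00\x00" + coff + bytes(opt) + sec_hdrs
    image[:len(headers)] = headers
    for _, _, va, _, content in sections:
        image[va:va + len(content)] = content
    return bytes(image)


# Constructed 16-page "physical memory": module at page 5, decoy 'MZ' at page 9.
MEMORY_IMAGE = bytearray(16 * PAGE)
MEMORY_IMAGE[5 * PAGE:8 * PAGE] = build_fake_image()
MEMORY_IMAGE[9 * PAGE:9 * PAGE + 2] = b"MZ"                     # no PE signature behind it
MEMORY_IMAGE = bytes(MEMORY_IMAGE)

if __name__ == "__main__":
    for off, e_lfanew in find_pe_headers(MEMORY_IMAGE):
        info = parse_headers(MEMORY_IMAGE, off, e_lfanew)
        names = [s["name"] for s in info["sections"]]
        print(f"PE at {off:#x}: sections {names}, carved {len(carve(MEMORY_IMAGE, off, e_lfanew))} bytes")
```

The decoy page shows why the e_lfanew check matters: 'MZ' is two bytes and turns up in ordinary data, so a carver that stops at the magic produces junk. Relocations applied by the loader and import thunks resolved in memory are left as they are, which is usually what an analyst wants when the point is to see the code that actually ran.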
Audience members will learn techniques for identifying when and where these communication objects are being used by applications, as well as how to programmatically intercept their creation to assist in fuzzing. iSEC will share tools used for interception and fuzzing, including tools for hooking arbitrary executables' creation of IPC primitives. Working examples of fuzzers with source code written in Python and C++ will demonstrate altering of data flowing through these IPC channels to turn simple application functionality tests into powerful security-focused penetration tests. Attendees should be familiar with programming in C++ or Python, and have a security research interest in win32. Developers, QA testers, penetration testers, architects and researchers are the primary target audience for this somewhat technical talk.

Jesse Burns is a Principal Partner at iSEC Partners, where he works as a penetration tester. Prior to founding iSEC Partners, Jesse was a Managing Security Architect with @Stake and a software developer who focused on security-related projects on Windows® and various flavors of Unix®. Jesse presented in December of 2004 at the SyScan conference in Singapore on exploiting weaknesses in the NTLM authentication protocol. He has also presented at OWASP, Directory Management World and for his many security consulting clients on issues ranging from cryptographic attacks to emerging web application threats. He is currently working on a book with Scott Stender and Alex Stamos on attacking modern web applications for publication with Addison Wesley."
Speaker: Jesse Burns. Duration: 1:05:33. Published: Sun, 4 Jun 2006 16:10:19 -0700.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#burns
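The fuzzers the talk demonstrated are not reproduced on this page. The following is an added example, not iSEC's code: it fixes a constructed length-prefixed message format (an assumption standing in for whatever a real named-pipe server expects), mutates captured messages the way an in-channel fuzzer would once the IPC handle has been hooked, and feeds the mutants to a strict parser to show which mutations a correctly written receiver must reject. Hooking CreateNamedPipe or CreateFileMapping inside the target process is not shown; the mutation step operates on whatever bytes such a hook captures.

```python
import random
import struct

# Constructed wire format for a hypothetical named-pipe protocol (an assumption
# for this example, not a format from the talk):
#   u32 total_len (LE) | u16 opcode | u16 name_len | name bytes | payload bytes
HEADER_LEN = 8

def build_message(opcode, name, payload):
    body = struct.pack("<HH", opcode, len(name)) + name + payload
    return struct.pack("<I", 4 + len(body)) + body

# Boundary values that commonly trip length arithmetic in C/C++ receivers.
INTERESTING_U32 = [0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000, 0xFFFF,
                   0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]

def mutate(msg, rng):
    """Return one mutated copy of msg using a randomly chosen strategy.
    The length-field strategies deliberately make the header lie about the body."""
    data = bytearray(msg)
    strategy = rng.choice(["bitflip", "total_len", "name_len", "truncate", "extend"])
    if strategy == "bitflip":
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == "total_len":
        # Claimed total length no longer matches the bytes actually written to the pipe.
        struct.pack_into("<I", data, 0, rng.choice(INTERESTING_U32))
    elif strategy == "name_len":
        # Inner length field points past the end of the message.
        struct.pack_into("<H", data, 6, rng.choice(INTERESTING_U32) & 0xFFFF)
    elif strategy == "truncate":
        del data[rng.randrange(1, len(data)):]
    else:  # extend: oversize body with a repeated byte
        data += bytes([rng.randrange(256)]) * rng.randrange(1, 4097)
    return bytes(data)

def generate_cases(seed_msg, count, seed=0):
    """Deterministic test cases for a given seed so a crash can be reproduced."""
    rng = random.Random(seed)
    return [mutate(seed_msg, rng) for _ in range(count)]

def parse_message(msg):
    """Strict parser for the format above, as a receiver should implement it:
    every length field is checked against the bytes actually received."""
    if len(msg) < HEADER_LEN:
        raise ValueError("short header")
    total_len, opcode, name_len = struct.unpack_from("<IHH", msg, 0)
    if total_len != len(msg):
        raise ValueError("total_len does not match message size")
    if HEADER_LEN + name_len > len(msg):
        raise ValueError("name_len out of bounds")
    name = msg[HEADER_LEN:HEADER_LEN + name_len]
    return opcode, name, msg[HEADER_LEN + name_len:]

def fuzz(seed_msg, count, seed=0):
    """Feed mutants to the parser; return (accepted, rejected, crashed) counts.
    Anything other than a clean ValueError counts as a crash worth triaging."""
    accepted = rejected = crashed = 0
    for case in generate_cases(seed_msg, count, seed):
        try:
            parse_message(case)
            accepted += 1
        except ValueError:
            rejected += 1
        except Exception:
            crashed += 1
    return accepted, rejected, crashed

# Constructed seed message: opcode 1, object name "svc", payload "hello".
SEED_MESSAGE = build_message(1, b"svc", b"hello")
```

Against a real target the `parse_message` call is replaced by writing the mutant to the intercepted pipe or section and watching the process under a debugger; the seed value is what lets a crash found in run N be replayed exactly.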
SensePost: A Tale of Two Proxies
"During this presentation SensePost will discuss and demonstrate two pieces of new technology: the Suru WebProxy and the SP_LR generic network proxy. The Suru web proxy is an inline web proxy (the likes of Paros, @stake webproxy and WebScarab) and offers the analyst unparalleled functionality. Are the days of the web proxy counted? Is there really room for another web proxy? Come to their presentation and see what happened when the guys at SensePost decided to develop a proxy with punch. SP_LR is a generic proxy framework that can be used for malware analysis, fuzzing or just the terminally curious. It's a tiny, generic proxy built on open-source tools with extensibility in mind at a low, low price (GPL - free as in beer). Both proxies serve distinct masters and will be valuable tools in any analyst's arsenal."
Speaker: SensePost. Duration: 40:52. Published: Sun, 4 Jun 2006 16:10:19 -0700.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#sensepost
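SP_LR itself is not on this page. Below is an added example, not SensePost's code, of the core of a generic inline proxy of that kind: an ephemeral loopback listener that relays each accepted connection to an upstream service and passes every chunk in both directions through a pluggable hook, which is where a fuzzer or a malware-analysis rewrite plugs in. The upstream (a one-line "HELLO" responder) and the rewriting hook are constructed for the example.

```python
import socket
import threading

def passthrough(direction, data):
    """Default hook: forward bytes unchanged. direction is "c2s" or "s2c"."""
    return data

def make_rewrite_hook(old, new):
    """Build a hook that rewrites client-to-server bytes (a username, a length
    field, a version string) and leaves the server's replies untouched."""
    def hook(direction, data):
        return data.replace(old, new) if direction == "c2s" else data
    return hook

def _pump(src, dst, direction, hook):
    """Copy src -> dst through the hook until src hits EOF, then half-close dst
    so the peer sees the same EOF it would have seen without the proxy."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(hook(direction, chunk))
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class TcpProxy:
    """Minimal inline TCP proxy: listens on an ephemeral loopback port and relays
    each connection to `upstream`, running both directions through `hook`."""
    def __init__(self, upstream, hook=passthrough):
        self.upstream, self.hook = upstream, hook
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            server = socket.create_connection(self.upstream)
            for src, dst, d in ((client, server, "c2s"), (server, client, "s2c")):
                threading.Thread(target=_pump, args=(src, dst, d, self.hook), daemon=True).start()

    def close(self):
        self.listener.close()

def start_upstream():
    """Constructed upstream for the example: reads one line, replies 'HELLO <line>'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                line = b""
                while not line.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    line += chunk
                conn.sendall(b"HELLO " + line)
    threading.Thread(target=serve, daemon=True).start()
    return srv

def run_through_proxy(request, hook=passthrough):
    """Send `request` through a fresh proxy to the constructed upstream; return the reply."""
    upstream = start_upstream()
    proxy = TcpProxy(upstream.getsockname(), hook)
    try:
        with socket.create_connection(("127.0.0.1", proxy.port)) as c:
            c.sendall(request)
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        proxy.close()
        upstream.close()
```

The hook sees raw `recv` chunks, so a pattern split across two chunks is missed; a proxy meant for serious protocol work buffers or parses the stream before calling its plugins, and a fuzzing plugin would swap `replace` for a mutator keyed on the protocol's framing.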
"Thomas Ptacek and Dave Goldsmith present the results of Matasano Security's research into the resilience of Enterprise Agents: the most dangerous programs you've never heard of, responsible for over $2B a year in product revenue, running on the most critical enterprise servers from app servers to mainframes. WHY THIS TALK? 1. Enterprise Agents are their own worms, preinstalled for the convenience of attackers. We found critical, show-stopping vulnerabilities in every system we looked at. 2. It's a whirlwind tour of the landscape of internal security. We reversed proprietary binaries, deciphered custom protocols, and cracked encryption algorithms. 3. It's a call to arms. Applications running behind the firewall aren't getting audited. While vulnerability research talent fights over the scraps of Windows OS security, hundreds of thousands of machines remain vulnerable to attacks most people thought were eliminated in the early '90s For the past 12 months, Matasano Security has conducted a research project into the security of internal applications. Our theory? That any code which doesn't run in front of a firewall, exposed to Internet hackers, is unaudited, wide open-fertile ground for ever-adapting attackers. Our findings? Tens of applications reversed, proprietary protocols deciphered, "state-of-the-art" XOR encryption algorithms cracked, and it's worse than we thought. Perhaps more than any other software, save the operating system itself, insecure systems management applications pose a grave threat to enterprise security. They're the Agobot that your administrators installed for you. Internal security is a nightmare, and things are going to get worse before they get horrible. " http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ C3CCECBE-C338-4CE4-8A14-5DF210B4A27E Sun, 4 Jun 2006 16:10:19 -0700 Do Enterprise Management Applications Dream of Electric Sheep? 
"Thomas Ptacek and Dave Goldsmith present the results of Matasano Security's research into the resilience of Enterprise Agents: the most dangerous programs you've never heard of, responsible for over $2B a year in product revenue, running on the most critical enterprise servers from app servers to mainframes. WHY THIS TALK? 1. Enterprise Agents are their own worms, preinstalled for the convenience of attackers. We found critical, show-stopping vulnerabilities in every system we looked at. 2. It's a whirlwind tour of the landscape of internal security. We reversed proprietary binaries, deciphered custom protocols, and cracked encryption algorithms. 3. It's a call to arms. Applications running behind the firewall aren't getting audited. While vulnerability research talent fights over the scraps of Windows OS security, hundreds of thousands of machines remain vulnerable to attacks most people thought were eliminated in the early '90s For the past 12 months, Matasano Security has conducted a research project into the security of internal applications. Our theory? That any code which doesn't run in front of a firewall, exposed to Internet hackers, is unaudited, wide open-fertile ground for ever-adapting attackers. Our findings? Tens of applications reversed, proprietary protocols deciphered, "state-of-the-art" XOR encryption algorithms cracked, and it's worse than we thought. Perhaps more than any other software, save the operating system itself, insecure systems management applications pose a grave threat to enterprise security. They're the Agobot that your administrators installed for you. Internal security is a nightmare, and things are going to get worse before they get horrible. 
" 59:50 Tom Ptacek and Dave Goldsmith Tom Ptacek and Dave Goldsmith ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Tom Ptacek and Dave Goldsmith: Do Enterprise Management Applications Dream of Electric Sheep? "Thomas Ptacek and Dave Goldsmith present the results of Matasano Security's research into the resilience of Enterprise Agents: the most dangerous programs you've never heard of, responsible for over $2B a year in product revenue, running on the most critical enterprise servers from app servers to mainframes. WHY THIS TALK? 1. Enterprise Agents are their own worms, preinstalled for the convenience of attackers. We found critical, show-stopping vulnerabilities in every system we looked at. 2. It's a whirlwind tour of the landscape of internal security. We reversed proprietary binaries, deciphered custom protocols, and cracked encryption algorithms. 3. It's a call to arms. Applications running behind the firewall aren't getting audited. While vulnerability research talent fights over the scraps of Windows OS security, hundreds of thousands of machines remain vulnerable to attacks most people thought were eliminated in the early '90s For the past 12 months, Matasano Security has conducted a research project into the security of internal applications. Our theory? That any code which doesn't run in front of a firewall, exposed to Internet hackers, is unaudited, wide open-fertile ground for ever-adapting attackers. Our findings? Tens of applications reversed, proprietary protocols deciphered, "state-of-the-art" XOR encryption algorithms cracked, and it's worse than we thought. Perhaps more than any other software, save the operating system itself, insecure systems management applications pose a grave threat to enterprise security. They're the Agobot that your administrators installed for you. 
Saumil Udayan Shah: Writing Metasploit Plugins - from Vulnerability to Exploit
"This talk shall focus on exploit development from vulnerabilities. We have seen many postings on security forums which vaguely describe a vulnerability, or sometimes provide a "proof-of-concept" exploit. The Metasploit Framework is a powerful tool to assist in the process of vulnerability testing and exploit development. The framework can also be used as an engine to run exploits, with different payloads and post-exploitation mechanisms. In this talk, we shall look at how we can construct exploits from published vulnerabilities, using facilities provided by the Metasploit Framework. A Unix and a Windows vulnerability example shall be covered. Next we shall demonstrate how to write this exploit as a Metasploit plug-in, so that it can be integrated into the Metasploit Framework. Participants shall get insights into discovery and verification of vulnerabilities, finding the entry points, gaining control of program flow, choices of shellcode and finally writing a working exploit for the vulnerability. Participants shall also get an overview of Metasploit's internal modules and how to integrate custom exploits with the Metasploit Framework."
Speaker: Saumil Udayan Shah. Duration: 1:15:11. Published: Sun, 4 Jun 2006 16:10:19 -0700.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#shah
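Added example, not from the talk and not Metasploit's own source: the "finding the entry point" and "gaining control of program flow" steps of the process the abstract lists, using the cyclic-pattern technique that Metasploit's pattern_create and pattern_offset tools implement, followed by the classic stack-overflow buffer layout. The crashed register value and the return address are constructed for the example.

```python
import string
import struct

def pattern_create(length):
    """Cyclic pattern in the same scheme as Metasploit's pattern_create
    ("Aa0Aa1Aa2..."). Every 4-byte window is unique within the first 20280
    bytes, so a register value read from the crash maps to exactly one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(register_value, length=20280, little_endian=True):
    """Offset in the pattern of the bytes that landed in a 32-bit register,
    or -1 if not found. Accepts the integer as shown by the debugger (byte
    order applied) or the raw 4 bytes."""
    if isinstance(register_value, int):
        needle = register_value.to_bytes(4, "little" if little_endian else "big")
    else:
        needle = register_value
    return pattern_create(length).find(needle)

def build_overflow_buffer(offset, return_address, payload, nop_sled=16):
    """Classic layout once the offset is known: padding up to the saved return
    address, the address of an instruction such as 'jmp esp' (little-endian),
    a NOP sled, then the shellcode."""
    return (b"A" * offset
            + struct.pack("<I", return_address)
            + b"\x90" * nop_sled
            + payload)

# Constructed values for the example: EIP as reported by the debugger after
# sending pattern_create(1000) to the hypothetical target, and a hypothetical
# 'jmp esp' address (in practice located in a non-relocating module).
CRASH_EIP = 0x37614136
JMP_ESP = 0x11223344
```

`pattern_offset(CRASH_EIP)` answers the question the debugger leaves open (how many bytes precede the saved return address); the remaining choices the abstract mentions, which return address and which shellcode, are target-specific and are what a Metasploit module's `Targets` and payload options parameterise.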
Bala Neerumalla: SQL Injections by Truncation
"In this talk, I will discuss some ways to circumvent common mitigations of SQL Injection vulnerabilities in dynamic SQL. I will then suggest ways to protect against them.

Bala Neerumalla specializes in finding application security vulnerabilities. He worked as a security engineer for SQL Server 2000 and SQL Server 2005. He is currently working as a security engineer for Exchange Hosted Services."
Speaker: Bala Neerumalla. Duration: 28:17. Published: Sun, 4 Jun 2006 16:10:19 -0700.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Neerumalla
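Added example, not Neerumalla's code: a Python simulation of the truncation problem in dynamic SQL that this talk's title refers to. Escaping doubles every single quote, so the escaped value grows; when that value is then assigned to an nvarchar variable sized for the original column width (the width of 20 is an assumption for this example), SQL Server silently truncates it and can cut off the second quote of a doubled pair, leaving the string literal open. The literal-stripping helper shows what the SQL parser sees as code rather than data.

```python
SQL_VAR_LEN = 20   # nvarchar(20) column width in the hypothetical schema (assumption)

def escape_quotes(value):
    """The common mitigation under attack: double every single quote, as
    REPLACE(@s, '''', '''''') or QUOTENAME(@s, '''') would."""
    return value.replace("'", "''")

def build_login_query(username, password, var_len=SQL_VAR_LEN):
    """Simulates dynamic SQL assembled in T-SQL: the escaped values are assigned
    to nvarchar(var_len) variables, so anything beyond var_len is silently cut,
    exactly as SQL Server truncates on assignment."""
    u = escape_quotes(username)[:var_len]
    p = escape_quotes(password)[:var_len]
    return "SELECT * FROM users WHERE name = '" + u + "' AND pwd = '" + p + "'"

def safe_build_login_query(username, password, var_len=SQL_VAR_LEN):
    """Mitigation: size the variable holding the escaped value for the worst case
    (every character a quote, so 2*var_len), and reject input that would not have
    fit the column in the first place. Parameterised sp_executesql is better still."""
    if len(username) > var_len or len(password) > var_len:
        raise ValueError("input exceeds column width")
    return build_login_query(username, password, var_len=2 * var_len)

def sql_outside_literals(sql):
    """Return only the text the SQL parser treats as code, applying the T-SQL
    rule that '' inside a literal is an escaped quote, not a terminator."""
    out, i, in_literal = [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_literal:
            if c == "'" and sql[i + 1:i + 2] == "'":
                i += 2              # escaped quote: still inside the literal
                continue
            if c == "'":
                in_literal = False  # literal closes
        elif c == "'":
            in_literal = True       # literal opens; nothing until the close is code
        else:
            out.append(c)
        i += 1
    return "".join(out)

# Constructed attack: a username exactly at the column width ending in a quote,
# so escaping pushes it to 21 characters and truncation keeps only one quote.
ATTACK_USER = "a" * (SQL_VAR_LEN - 1) + "'"
ATTACK_PASS = " OR 1=1--"
```

With the vulnerable builder the query becomes `... name = 'aaa...a'' AND pwd = ' OR 1=1--'`: the `''` after the a's is read as an escaped quote, the name literal swallows ` AND pwd = `, closes at the quote that was meant to open the password, and `OR 1=1--` runs as code. Sizing the variable for the doubled length keeps both quotes and the same input stays inside the literal.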
Jay Schulman: Phishing with Asterisk PBX
"As many people are becoming more accustomed to phishing attacks, standard website and e-mail phishing schemes are becoming harder to accomplish. This presentation breaks all of the phishing norms to present an effective, alternative phishing method from start to finish in 75 minutes using Linux and Asterisk, the open-source PBX platform. With an Asterisk installation, we'll set up an account and build a telephone phishing platform most banks would fear. We'll also show targeting techniques specific to large corporate environments and demonstrate basic Asterisk deception techniques. We'll also discuss ways we can prepare for and potentially prevent these types of attacks.

Jay Schulman is a Senior Manager at a Big 4 Advisory Firm focusing on Information Security and Privacy. Mr. Schulman has ten years of information security experience including positions in senior information security management and leadership. He is a former Business Information Security Officer for a top-five global financial services company. Mr. Schulman managed logical and physical security for a nationwide financial institution's government payment processing platforms. This environment has been designated National Critical Infrastructure (NCI) by the United States Department of Homeland Security and handled approximately one trillion dollars per fiscal year on behalf of the US government. Mr. Schulman is currently a Certified Information Systems Security Professional (CISSP) and a member of the International Information Systems Security Controls Consortium (ISC2), Information Systems Audit & Control Association (ISACA) and the Information Systems Security Association (ISSA). He has spoken publicly on the issues of information security, risk management, and technology. Mr. Schulman holds a Bachelor of Science degree from the University of Illinois-Urbana Champaign."
Speaker: Jay Schulman. Duration: 48:51. Published: Sun, 4 Jun 2006 16:10:19 -0700.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#schulman

Kevin Mandia: The State of Incident Response
"During the course of 2005 and 2006, we have responded to dozens of computer security incidents at some of America's largest organizations. Mr. Mandia was on the front lines assisting these organizations in responding to international computer intrusions, theft of intellectual property, electronic discovery issues, and widespread compromise of sensitive data. Our methods of performing incident response have altered little in the past few years, yet the attacks have greatly increased in sophistication. Mr. Mandia addresses the widening gap between the sophistication of the attacks and the sophistication of the incident response techniques deployed by "best practices." During this presentation, Mr. Mandia re-enacts some of the incidents; provides examples of how these incidents impacted organizations; and discusses the challenges that each organization faced. He demonstrates the "state-of-the-art" methods being used to perform Incident Response, and how these methods are not evolving at a pace equal to the threats. He outlines the need for new technologies to address these challenges, and what these technologies would offer. He concludes the presentation by discussing emerging trends and technologies that offer strategic approaches to minimize the risks that an organization faces from the liabilities the information age has brought."
Speaker: Kevin Mandia. Duration: 1:08:14. Published: Sun, 4 Jun 2006 16:10:19 -0700.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Shawn Embleton, Sherri Sparks & Ryan Cunningham: "Sidewinder": An Evolutionary Guidance System for Malicious Input Crafting
Black-box testing techniques like fuzzing and fault injection are responsible for discovering a large percentage of reported software vulnerabilities. These techniques typically operate by injecting random or semi-random input into a program and then monitoring its output for unexpected behavior. While their high potential for automation makes them desirable, they frequently suffer from a lack of "intelligence". That is, the random nature of input space exploration makes the probability of discovering vulnerabilities highly non-deterministic. Black-box inputs are similar to unguided missiles. In this talk, we will discuss how we might turn these inputs into guided missiles by intelligently driving their selection using ideas borrowed from probability theory and evolutionary biology.
Speakers: Shawn Embleton, Sherri Sparks & Ryan Cunningham. Duration: 1:14:21. Published: Sun, 4 Jun 2006 16:10:19 -0700.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#embleton
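Added example, not the Sidewinder code: the evolutionary loop the abstract describes, run against a constructed stand-in for a black-box target whose fitness is the number of parsing stages an input gets through. In practice that signal comes from coverage, instrumentation or a trace of the real program, and the target, the scoring and the mutation alphabet here are assumptions for the example; what it shows is how selection, crossover and mutation concentrate the population on inputs that get deeper into the parser instead of sampling the input space uniformly.

```python
import random

def toy_target(data):
    """Constructed stand-in for the program under test. Returns how many parsing
    stages the input survives; stage 4 is an over-read (the bug being hunted)."""
    stages = 0
    if len(data) < 8 or data[:2] != b"MZ":   # magic bytes
        return stages
    stages += 1
    if data[2] not in (0x00, 0x01):           # version byte
        return stages
    stages += 1
    hdr_len = int.from_bytes(data[3:5], "little")
    if hdr_len < 5:                           # minimum header size
        return stages
    stages += 1
    if hdr_len > len(data):                   # parser would read past the buffer
        stages += 1
    return stages

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary bytes worth trying more often

def mutate(data, rng):
    """Replace one byte, half the time with a boundary value."""
    d = bytearray(data)
    i = rng.randrange(len(d))
    d[i] = rng.choice(INTERESTING) if rng.random() < 0.5 else rng.randrange(256)
    return bytes(d)

def crossover(a, b, rng):
    """Single-point crossover: prefix of one parent, suffix of the other."""
    cut = rng.randrange(1, min(len(a), len(b)))
    return a[:cut] + b[cut:]

def tournament(pop, rng, fitness, k=3):
    """Pick the fittest of k random individuals: selection pressure without
    letting the single best input take over immediately."""
    return max(rng.sample(pop, k), key=fitness)

def evolve(seed_input, generations=50, pop_size=40, seed=0, fitness=toy_target):
    """Return (best_input, best_score). The seed is kept in the first population
    and the best individual survives every generation (elitism), so the score
    never decreases; the rng seed makes a run reproducible."""
    rng = random.Random(seed)
    pop = [seed_input] + [mutate(seed_input, rng) for _ in range(pop_size - 1)]
    best = max(pop, key=fitness)
    for _ in range(generations):
        nxt = [best]
        while len(nxt) < pop_size:
            child = crossover(tournament(pop, rng, fitness),
                              tournament(pop, rng, fitness), rng)
            if rng.random() < 0.8:
                child = mutate(child, rng)
            nxt.append(child)
        pop = nxt
        best = max(pop, key=fitness)
    return best, fitness(best)

# Constructed seed: already passes the magic check, fails the version byte.
SEED_INPUT = b"MZ\x7f" + b"\x00" * 5
```

Whether the loop reaches stage 4 in a given number of generations depends on the random seed; the property that holds regardless is that fitness is monotone under elitism, which is what makes the guidance worth paying for compared with purely random inputs, where every case starts from zero.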
Although they don’t sound very interesting, they are full of simple security programming errors as they are often developed for performance and in tight time frames. The traditional thinking is that although the code is bad an attacker can’t really get to it. Development of reliable off the shelf packet injection techniques combined with the excessive complexity of the 802.11 protocol creates a perfect combination for security researchers. Ever seen a laptop owned remotely because of a device driver? Want to? http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 858B7FD3-0A23-47A7-B065-577D8EF9FF05 Sun, 4 Jun 2006 16:10:19 -0700 Device Drivers Application level security is getting better. Basic stack based string overflows have become rare, and even simple heap overflows are getting hard to find. Despite this fact there is still a huge avenue of exploitation that has not been tapped yet: device drivers. Although they don’t sound very interesting, they are full of simple security programming errors as they are often developed for performance and in tight time frames. The traditional thinking is that although the code is bad an attacker can’t really get to it. Development of reliable off the shelf packet injection techniques combined with the excessive complexity of the 802.11 protocol creates a perfect combination for security researchers. Ever seen a laptop owned remotely because of a device driver? Want to? 57:16 Johnny cache and David Maynor Johnny cache and David Maynor ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Johnny cache and David Maynor: Device Drivers Application level security is getting better. Basic stack based string overflows have become rare, and even simple heap overflows are getting hard to find. 
Despite this fact there is still a huge avenue of exploitation that has not been tapped yet: device drivers. Although they don’t sound very interesting, they are full of simple security programming errors as they are often developed for performance and in tight time frames. The traditional thinking is that although the code is bad an attacker can’t really get to it. Development of reliable off the shelf packet injection techniques combined with the excessive complexity of the 802.11 protocol creates a perfect combination for security researchers. Ever seen a laptop owned remotely because of a device driver? Want to? Johnny cache and David Maynor DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Paul Böhm: Taming Bugs: The Art and Science of Writing Secure Code If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal. http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 2F791142-4394-4411-AECB-558AA8EA3AE6 Sun, 4 Jun 2006 16:10:19 -0700 Taming Bugs: The Art and Science of Writing Secure Code If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. 
This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal. 1:06:39 Paul Böhm Paul Böhm ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Paul Böhm: Taming Bugs: The Art and Science of Writing Secure Code If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal. Paul Böhm DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Panel: Center for Democracy and Technology Anti-Spyware Coalition Public Forum on Corporate Spyware Threats This session will examine the threat of spyware to corporations. What does the threat currently look like and how is it evolving? What market forces are at play? How big of a threat is spyware for corporations now and in five years? What countermeasures work now and in the future? How are regulators working to combat this threat? 
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 760F8577-CCAC-4151-9C06-30BF5226D9A5 Sun, 4 Jun 2006 16:10:19 -0700 Center for Democracy and Technology Anti-Spyware Coalition Public Forum on Corporate Spyware Threats This session will examine the threat of spyware to corporations. What does the threat currently look like and how is it evolving? What market forces are at play? How big of a threat is spyware for corporations now and in five years? What countermeasures work now and in the future? How are regulators working to combat this threat? 2:16:08 Panel Panel ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Panel: Center for Democracy and Technology Anti-Spyware Coalition Public Forum on Corporate Spyware Threats This session will examine the threat of spyware to corporations. What does the threat currently look like and how is it evolving? What market forces are at play? How big of a threat is spyware for corporations now and in five years? What countermeasures work now and in the future? How are regulators working to combat this threat? Panel DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Alexander Kornbrust: Oracle Rootkits 2.0 "This presentation shows the next (2.) generation of Oracle Rootkits. In the first generation, presented at the Blackhat 2005 in Amsterdam, Oracle Rootkits were implemented by modifying database views to hide users, jobs and sessions. The next generation presented at the BH USA is using more advanced techniques to hide users/implement backdoors. Modifications on the data dictionary objects are no longer necessary so it’s not possible to find the new generation of rootkits by checksumming the data dictionary objects. 
Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialized in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and gave various presentations on security conferences like Black Hat, Bluehat, IT Underground. Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Kornbrust feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 48F0EDA1-6D5B-4210-8E8D-7DA52917F270 Sun, 4 Jun 2006 16:10:19 -0700 Oracle Rootkits 2.0 "This presentation shows the next (2.) generation of Oracle Rootkits. In the first generation, presented at the Blackhat 2005 in Amsterdam, Oracle Rootkits were implemented by modifying database views to hide users, jobs and sessions. The next generation presented at the BH USA is using more advanced techniques to hide users/implement backdoors. Modifications on the data dictionary objects are no longer necessary so it’s not possible to find the new generation of rootkits by checksumming the data dictionary objects. Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialized in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and gave various presentations on security conferences like Black Hat, Bluehat, IT Underground. Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products." 
43:03 Alexander Kornbrust Alexander Kornbrust ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Alexander Kornbrust: Oracle Rootkits 2.0 "This presentation shows the next (2.) generation of Oracle Rootkits. In the first generation, presented at the Blackhat 2005 in Amsterdam, Oracle Rootkits were implemented by modifying database views to hide users, jobs and sessions. The next generation presented at the BH USA is using more advanced techniques to hide users/implement backdoors. Modifications on the data dictionary objects are no longer necessary so it’s not possible to find the new generation of rootkits by checksumming the data dictionary objects. Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialized in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and gave various presentations on security conferences like Black Hat, Bluehat, IT Underground. Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products." Alexander Kornbrust DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Doug Mohney: Defending Against Social Engineering with Voice Analytics "Voice analytics-once the stuff of science fiction and Echelon speculation-is now commercially available and is being used by call centers processing hundreds of thousands of calls per day to authenticate identity, spot key words and phrases, and even detect when a caller is angry or frustrated. It is also being used by large financial institutions for fraud prevention. These same tools can be applied to detect and deter social engineering attacks. 
This presentation will discuss the current off-the-shelf applications of voice analytics and how these methods can be applied to detecting and preventing social engineering attacks. Doug Mohney is the News and Online Editor for VON Magazine, writing about VoIP and IP Communications, including security issues relating to VoIP, wireless and corporate IT management. He also contributes to The Inquirer website and Mobile Radio Technology magazine on a regular basis. In his pre-media life, he was involved with two Internet start-ups (DIGEX, SkyCache/Cidera), watching one grow big and one go bust." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#mohney feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 5F4487C9-172C-4BD6-9856-09493FC36EDB Sun, 4 Jun 2006 16:10:19 -0700 Defending Against Social Engineering with Voice Analytics "Voice analytics-once the stuff of science fiction and Echelon speculation-is now commercially available and is being used by call centers processing hundreds of thousands of calls per day to authenticate identity, spot key words and phrases, and even detect when a caller is angry or frustrated. It is also being used by large financial institutions for fraud prevention. These same tools can be applied to detect and deter social engineering attacks. This presentation will discuss the current off-the-shelf applications of voice analytics and how these methods can be applied to detecting and preventing social engineering attacks. Doug Mohney is the News and Online Editor for VON Magazine, writing about VoIP and IP Communications, including security issues relating to VoIP, wireless and corporate IT management. He also contributes to The Inquirer website and Mobile Radio Technology magazine on a regular basis. In his pre-media life, he was involved with two Internet start-ups (DIGEX, SkyCache/Cidera), watching one grow big and one go bust." 
45:56 Doug Mohney Doug Mohney ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Doug Mohney: Defending Against Social Engineering with Voice Analytics "Voice analytics-once the stuff of science fiction and Echelon speculation-is now commercially available and is being used by call centers processing hundreds of thousands of calls per day to authenticate identity, spot key words and phrases, and even detect when a caller is angry or frustrated. It is also being used by large financial institutions for fraud prevention. These same tools can be applied to detect and deter social engineering attacks. This presentation will discuss the current off-the-shelf applications of voice analytics and how these methods can be applied to detecting and preventing social engineering attacks. Doug Mohney is the News and Online Editor for VON Magazine, writing about VoIP and IP Communications, including security issues relating to VoIP, wireless and corporate IT management. He also contributes to The Inquirer website and Mobile Radio Technology magazine on a regular basis. In his pre-media life, he was involved with two Internet start-ups (DIGEX, SkyCache/Cidera), watching one grow big and one go bust." Doug Mohney DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Chuck Willis : Web application Incident Response and forensics- A Whole new ball game. "Web applications are normally the most exposed and the most easily compromised part of an organization's network presence. This combination requires that organizations be prepared for web application compromises and have an efficient plan for dealing with them. Unfortunately, traditional techniques for forensics and incident response do not take into account the unique requirements of web applications. 
The multi-level architecture, business criticality, reliance on major database and middleware software components, and custom nature of web applications all create unique challenges for the security professional. Responding to a web application attack brings many unique issues, often with no clear right and wrong answers, but this talk will provide useful information to guide attendees down this bumpy path. Chuck Willis is a Senior Consultant with Mandiant, a full spectrum information security company in Alexandria, Virginia, where he concentrates in incident response, computer forensics, tool development and application security. Prior to joining MANDIANT, Chuck performed security software engineering, penetration testing, and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Chuck holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings USA, the IT Underground security conference in Europe, and DefCon. Chuck has contributed to several open source security software projects and is a member of the Open Web Application Security Project, a Certified Information Systems Security Professional, and a Certified Forensic Computer Examiner. Chuck's past presentations are available on his Web site. Rohyt Belani is a Director at Mandiant and specializes in assisting organizations with securing their network infrastructure and applications. His expertise encompasses the areas of wireless security, application security and incident response. Rohyt is also an experienced and talented instructor of technical security education courses. Prior to joining MANDIANT, Rohyt was a Principal Consultant at Foundstone. Earlier in his career, he was a Research Group Member for the Networked Systems Survivability Group at the Computer Emergency Response Team (CERT). 
Rohyt is a frequent author of articles on SecurityFocus and is also a contributing author for "Hack Notes-Network Security" and "Extrusion Detection: Security Monitoring for Internal Intrusions". Rohyt is a regular speaker at various industry conferences and forums like OWASP, HTCIA, FBI-Cyber Security Summit, ASIS, HP World, New York State Cyber Security Conference, HackInTheBox-Malaysia, and CPM. Rohyt holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University and is a Certified Information Systems Security Professional (CISSP)." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#willis feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 17D6123B-357D-4273-80B2-848DFCEFB2F3 Sun, 4 Jun 2006 16:10:19 -0700 Web application Incident Response and forensics- A Whole new ball game. "Web applications are normally the most exposed and the most easily compromised part of an organization's network presence. This combination requires that organizations be prepared for web application compromises and have an efficient plan for dealing with them. Unfortunately, traditional techniques for forensics and incident response do not take into account the unique requirements of web applications. The multi-level architecture, business criticality, reliance on major database and middleware software components, and custom nature of web applications all create unique challenges for the security professional. Responding to a web application attack brings many unique issues, often with no clear right and wrong answers, but this talk will provide useful information to guide attendees down this bumpy path. Chuck Willis is a Senior Consultant with Mandiant, a full spectrum information security company in Alexandria, Virginia, where he concentrates in incident response, computer forensics, tool development and application security. 
Prior to joining MANDIANT, Chuck performed security software engineering, penetration testing, and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Chuck holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings USA, the IT Underground security conference in Europe, and DefCon. Chuck has contributed to several open source security software projects and is a member of the Open Web Application Security Project, a Certified Information Systems Security Professional, and a Certified Forensic Computer Examiner. Chuck's past presentations are available on his Web site. Rohyt Belani is a Director at Mandiant and specializes in assisting organizations with securing their network infrastructure and applications. His expertise encompasses the areas of wireless security, application security and incident response. Rohyt is also an experienced and talented instructor of technical security education courses. Prior to joining MANDIANT, Rohyt was a Principal Consultant at Foundstone. Earlier in his career, he was a Research Group Member for the Networked Systems Survivability Group at the Computer Emergency Response Team (CERT). Rohyt is a frequent author of articles on SecurityFocus and is also a contributing author for "Hack Notes-Network Security" and "Extrusion Detection: Security Monitoring for Internal Intrusions". Rohyt is a regular speaker at various industry conferences and forums like OWASP, HTCIA, FBI-Cyber Security Summit, ASIS, HP World, New York State Cyber Security Conference, HackInTheBox-Malaysia, and CPM. Rohyt holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University and is a Certified Information Systems Security Professional (CISSP)." 
1:05:33 Chuck Willis Chuck Willis ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Chuck Willis : Web application Incident Response and forensics- A Whole new ball game. "Web applications are normally the most exposed and the most easily compromised part of an organization's network presence. This combination requires that organizations be prepared for web application compromises and have an efficient plan for dealing with them. Unfortunately, traditional techniques for forensics and incident response do not take into account the unique requirements of web applications. The multi-level architecture, business criticality, reliance on major database and middleware software components, and custom nature of web applications all create unique challenges for the security professional. Responding to a web application attack brings many unique issues, often with no clear right and wrong answers, but this talk will provide useful information to guide attendees down this bumpy path. Chuck Willis is a Senior Consultant with Mandiant, a full spectrum information security company in Alexandria, Virginia, where he concentrates in incident response, computer forensics, tool development and application security. Prior to joining MANDIANT, Chuck performed security software engineering, penetration testing, and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Chuck holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings USA, the IT Underground security conference in Europe, and DefCon. 
Chuck has contributed to several open source security software projects and is a member of the Open Web Application Security Project, a Certified Information Systems Security Professional, and a Certified Forensic Computer Examiner. Chuck's past presentations are available on his Web site. Rohyt Belani is a Director at Mandiant and specializes in assisting organizations with securing their network infrastructure and applications. His expertise encompasses the areas of wireless security, application security and incident response. Rohyt is also an experienced and talented instructor of technical security education courses. Prior to joining MANDIANT, Rohyt was a Principal Consultant at Foundstone. Earlier in his career, he was a Research Group Member for the Networked Systems Survivability Group at the Computer Emergency Response Team (CERT). Rohyt is a frequent author of articles on SecurityFocus and is also a contributing author for "Hack Notes-Network Security" and "Extrusion Detection: Security Monitoring for Internal Intrusions". Rohyt is a regular speaker at various industry conferences and forums like OWASP, HTCIA, FBI-Cyber Security Summit, ASIS, HP World, New York State Cyber Security Conference, HackInTheBox-Malaysia, and CPM. Rohyt holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University and is a Certified Information Systems Security Professional (CISSP)." Chuck Willis DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Scott Stender: Attacking Internationialized software "Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. 
Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation. Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software. At worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer is reliant on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood, attack surface. If we go back to the "three stages model" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years studying core technologies and real software systems will be presented. Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC Partners, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. Before @stake, Scott worked for Microsoft where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Scott has previously presented at conferences such as Black Hat USA, OWASP, and the Software Security Summit. He holds a BS in Computer Engineering from the University of Notre Dame." 
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#stender feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 59DDE6A0-B246-44C0-86A1-DD2EF96D9703 Sun, 4 Jun 2006 16:10:19 -0700 Attacking Internationialized software "Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation. Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software. At worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer is reliant on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood, attack surface. If we go back to the "three stages model" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years studying core technologies and real software systems will be presented. Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC Partners, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. 
Before @stake, Scott worked for Microsoft where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Scott has previously presented at conferences such as Black Hat USA, OWASP, and the Software Security Summit. He holds a BS in Computer Engineering from the University of Notre Dame."
Duration: 50:36

FX: Analysing Complex Systems: The BlackBerry Case
"When trying to analyze a complex system for its security properties, very little information is available in the beginning. If the complex system in question contains parts that the analyst cannot see or touch, proprietary hardware and software as well as large scale server software, the task doesn't get any easier. The talk will tell the story about how Phenoelit went about looking at RIM's BlackBerry messaging solution while focusing on the approaches tried, their expected and real effectiveness. FX is the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. FX looks back at as little as eight years of (legal) hacking with only a few Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road. Professionally, FX runs SABRE Security's consulting arm SABRE Labs, specializing in reverse engineering, source code audits and on-demand R&D of industry grade security architectures & solutions."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#fx
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 57:34

Jeremy Rauch: PDB: The Protocol DeBugger
"It's late. You've been assigned the unenviable task of evaluating the security of this obtuse application suite. 2006! Why doesn't everything just use SSL as its transport? No time for excuses. Deadlines loom, and you need to figure this out. And when you do figure it out, write your own fuzzer client. This sucks.

    (pdb) module add MyAction pdb-ruby.so cifs-ruby.rb
    (pdb) rule add MyRule dst port 445
    (pdb) rule action MyRule MyAction
    (pdb) rule list
    MyRule: dst port 445
      Action 0: debugger
      Action 1: MyAction
    (pdb) go
    ...
    (pdb) print
    00000000: 45 10 00 3c 70 86 40 00  E...p...
    00000008: 40 06 00 00 c0 a8 02 06  ........
    00000010: c0 a8 02 56 d8 a0 01 bd  ...V....
    00000018: 1e 76 1b 71 00 00 00 00  .v.q....
    00000020: a0 02 ff ff 14 1b 00 00  ........
    00000028: 02 04 05 b4 01 03 03 00  ........
    00000030: 01 01 08 0a 20 4a 7c b1  .....J..
    00000038: 00 00 00 00              ....
    (pdb) x/b 0x8
    40
    (pdb) e/b 0x8 0x20
    (pdb) print
    00000000: 45 10 00 3c 70 86 40 00  E...p...
    00000008: 20 06 00 00 c0 a8 02 06  ........
    00000010: c0 a8 02 56 d8 a0 01 bd  ...V....
    00000018: 1e 76 1b 71 00 00 00 00  .v.q....
    00000020: a0 02 ff ff 14 1b 00 00  ........
    00000028: 02 04 05 b4 01 03 03 00  ........
    00000030: 01 01 08 0a 20 4a 7c b1  .....J..
    00000038: 00 00 00 00              ....
    (pdb) continue
    cifs-ruby.rb performing packet alteration...
    ...

But wait, what's this? A tool chain geared around dissecting protocols like a code debugger slices through code? A protocol generation and manipulation framework with a clean, consistent interface, that's scripted instead of compiled? And a fuzzing framework to go along with it? You're saved! Or at least, maybe you'll get to sleep before the sun comes up. PDB is a Protocol DeBugger. GDB meets a transparent proxy. Conditionally break based on BPF filters. Modify protocol contents on the fly. Build custom actions that let you manipulate how you speak on the network. Or manually edit protocol fields and send the packets along. Racket is a protocol generation and manipulation library, in Ruby. Why Ruby? Why not. Use it as a way of writing PDB actions, or on its own. We're flexible that way. Ramble is a Ruby based fuzzing framework. Set it going, and it just goes on and on and on. We know people like that, but unlike them, Ramble is helpful. Automates the protocol testing you're going to have to do to get full coverage. Do the hard stuff by hand. Use Ramble to do the repetitive stuff."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:05:36

Kimber Spradin and Dale Brocklehurst: Auditing Data Access Without Bringing Your Database To Its Knees
Today’s privacy requirements place significant additional auditing burdens on databases. First you have to know which databases in your environment contain regulated Personally Identifiable Information (PII) or Protected Health Information (PHI), then you have to monitor ALL activity surrounding that data, not just changes to it. In the world of databases, this means auditing all SELECT statements, something many native database auditing tools are not very good at. This presentation will demonstrate how you can log this activity across multiple database platforms (without bringing your database to its knees), and then what to look for in those reams of log entries your auditors made you record.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:03:50

Nicolas Fischbach: Carrier VoIP Security
"VoIP, IMS, FMC, NGN, PacketCore, MPLS. Put those together and you are looking at the next security nightmare when it comes to Service Provider infrastructure security. Carriers are already moving away from basic data and VoIP services towards the Next Generation Network, where you have one Packet-based Core network which is going to carry "junk" Internet traffic, "secure" Multi-Protocol Label Switching VPNs, "QoS guaranteed" voice, etc. And soon, thanks to new handhelds you'll see more and more Fixed and Mobile Convergence which enables you to roam anywhere inside and outside of the enterprise and access new interactive content thanks to the IP Multimedia Subsystem. During this talk we will present such an architecture (based on a real large scale deployment with 4 major vendors), the security and architecture challenges we ran (and still run) into, and how we mitigate the risks (denial of service, interception, web apps security, fraud, etc)."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:05:36

Johnny Long: Death By 1000 cuts
"In this day and age, forensics evidence lurks everywhere. This talk takes attendees on a brisk walk through the modern technological landscape in search of hidden digital data. Some hiding places are more obvious than others, but far too many devices are overlooked in a modern forensics investigation. As we touch on each device, we'll talk about the possibilities for the forensic investigator, and take a surprising and fun look at the nooks and crannies of many devices considered commonplace in today's society. For each device, we'll look at what can be hidden and talk about various detection and extraction techniques, avoiding at all costs the obvious "oh I knew that" path of forensics investigation. All this will of course be tempered with Johnny's usual flair, some fun (and admittedly rowdy) "where's the evidence" games, and some really cool giveaways. Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com"
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#long
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:01:15

Michael Sutton & Greg MacManus: Punk Ode - Hiding shellcode in plain sight
"Injecting shellcode into a vulnerable program so you can find it reliably can be tricky. With image format vulnerabilities, sometimes the only place you can put your code is in the image itself. If a file attempting to exploit one of these vulnerabilities was rendered using a non-vulnerable application, the ‘strange’ files might raise some suspicion; a file containing a NOP-sled and shellcode does not tend to look like any normal photo. What if shellcode could be injected in this way without significantly altering the appearance of the file? What if the entire file could be transformed into executable code but the original image or sound could still be rendered? In this presentation we will present Punk Ode, which combines concepts from steganography, psychophysics and restricted character-set shellcode encoding to hide shellcode in plain sight. We will discuss how to convert a media file into a stream of valid instructions while leaving the initial images/sounds intact so as not to raise suspicion. We will also release a series of tools designed to automate the generation of such files. Michael Sutton is a Director for iDefense/VeriSign where he heads iDefense Labs and the Vulnerability Aggregation Team (VAT). iDefense Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDefense Vulnerability Contributor Program (VCP). Prior to joining iDefense, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. He obtained his Master of Science in Information Systems Technology degree at George Washington University and has a Bachelor of Commerce degree from the University of Alberta. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department. Greg MacManus is a security engineer for iDefense/VeriSign working in the iDefense Labs where he does a bunch of computer security research and vulnerability analysis. He obtained his Bachelor of Science in Computer Science at Otago University in Dunedin, New Zealand and during this time got quite good at doing the computer stuff and going off on random tangents. Aside from finding and exploiting security vulnerabilities and related computer security topics, he is also interested in image processing, data visualization, artificial intelligence, wordplay and music."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#sutton
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 58:50

Zvi Gutterman: Open to Attack; Vulnerabilities of the Linux Random Number Generator
"Linux® is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator. This presentation offers a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition, we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices. Zvi Gutterman is CTO and co-founder of Safend. As CTO, Zvi designs key Safend technologies such as the algorithms and theory behind Safend Auditor and Safend Protector implementation. He is responsible for maintaining Safend's competitive advantage through cutting-edge innovation. Prior to co-founding Safend, Zvi was with ECTEL (NASDAQ:ECTX), performing as a chief architect in the IP infrastructure group. He also previously served as an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. He holds Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology and is a Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#gutterman
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 58:50

Zvi Gutterman: Open to Attack; Vulnerabilities of the Linux Random Number Generator "Linux® is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator. This presentation offers a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition, we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices. Zvi Gutterman is CTO and co-founder of Safend. As CTO, Zvi designs key Safend technologies such as the algorithms and theory behind Safend Auditor and Safend Protector implementation. He is responsible for maintaining Safend's competitive advantage through cutting-edge innovation.
Prior to co-founding Safend, Zvi was with ECTEL (NASDAQ:ECTX), performing as a chief architect in the IP infrastructure group. He also previously served as an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. He holds Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology and is a Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering." Zvi Gutterman DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ HD Moore: Metasploit Reloaded "Over the last three years, the Metasploit Framework has evolved from a klunky exploit toolkit to a sleek EIP-popping machine. The latest version of the Framework is the result of nearly two years of development effort and has become a solid platform for security tool development and automation. In this talk, we will demonstrate how to use the new Framework to automate vulnerability assessments, perform penetration testing, and build new security tools that interact with complex network protocols. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects." 
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#moore feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 9CE75E90-2019-49CE-A1CB-BDBA3CA2A291 Sun, 4 Jun 2006 16:10:19 -0700 Metasploit Reloaded "Over the last three years, the Metasploit Framework has evolved from a klunky exploit toolkit to a sleek EIP-popping machine. The latest version of the Framework is the result of nearly two years of development effort and has become a solid platform for security tool development and automation. In this talk, we will demonstrate how to use the new Framework to automate vulnerability assessments, perform penetration testing, and build new security tools that interact with complex network protocols. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects." 1:14:07 HD Moore HD Moore ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no HD Moore: Metasploit Reloaded "Over the last three years, the Metasploit Framework has evolved from a klunky exploit toolkit to a sleek EIP-popping machine. The latest version of the Framework is the result of nearly two years of development effort and has become a solid platform for security tool development and automation. 
In this talk, we will demonstrate how to use the new Framework to automate vulnerability assessments, perform penetration testing, and build new security tools that interact with complex network protocols. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects." HD Moore DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Hacker Court Panel: Hacker Court 2006: Sex, Lies and Sniffers "Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand. This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining." 
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#court feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 013E832F-5447-4649-A78A-6709807DC3EC Sun, 4 Jun 2006 16:10:19 -0700 Hacker Court 2006: Sex, Lies and Sniffers "Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand. This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining." 1:08:55 Hacker Court Panel Hacker Court Panel ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Hacker Court Panel: Hacker Court 2006: Sex, Lies and Sniffers "Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand. This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. 
While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining." Hacker Court Panel DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Robert Auger and Caleb Sima: Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems "This presentation will discuss the use of RSS and Atom feeds as method of delivering exploits to client systems. In our research we have found a number of RSS clients, both local and web-based, that are far too trusting of the content that is delivered via feeds. Although this content arrives as well-formed XML, fundamentally it originated as user input elsewhere. Like any such data, it can contain malicious and mal-formed content, yet many clients fail to guard against this. And though such content by definition originates remotely, many clients use methods of display that cause it to be trusted as if it were locally originated. As RSS becomes more ubiquitous, the scope of this problem becomes worse. Many RSS feeds are machine generated from content originating in other feeds, search engine results, and so on. This means that feed subscribers can even be targeted without them actually subscribing to your feed at all. This has potential uses for worm propagation, botnet creation, and other forms of attack." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 7647BEE4-71B9-43A1-9C3F-262BD088777E Sun, 4 Jun 2006 16:10:19 -0700 Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems "This presentation will discuss the use of RSS and Atom feeds as method of delivering exploits to client systems. In our research we have found a number of RSS clients, both local and web-based, that are far too trusting of the content that is delivered via feeds. 
Although this content arrives as well-formed XML, fundamentally it originated as user input elsewhere. Like any such data, it can contain malicious and mal-formed content, yet many clients fail to guard against this. And though such content by definition originates remotely, many clients use methods of display that cause it to be trusted as if it were locally originated. As RSS becomes more ubiquitous, the scope of this problem becomes worse. Many RSS feeds are machine generated from content originating in other feeds, search engine results, and so on. This means that feed subscribers can even be targeted without them actually subscribing to your feed at all. This has potential uses for worm propagation, botnet creation, and other forms of attack." 43:05 Robert Auger and Caleb Sima Robert Auger and Caleb Sima ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Robert Auger and Caleb Sima: Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems "This presentation will discuss the use of RSS and Atom feeds as method of delivering exploits to client systems. In our research we have found a number of RSS clients, both local and web-based, that are far too trusting of the content that is delivered via feeds. Although this content arrives as well-formed XML, fundamentally it originated as user input elsewhere. Like any such data, it can contain malicious and mal-formed content, yet many clients fail to guard against this. And though such content by definition originates remotely, many clients use methods of display that cause it to be trusted as if it were locally originated. As RSS becomes more ubiquitous, the scope of this problem becomes worse. Many RSS feeds are machine generated from content originating in other feeds, search engine results, and so on. 
This means that feed subscribers can even be targeted without them actually subscribing to your feed at all. This has potential uses for worm propagation, botnet creation, and other forms of attack." Robert Auger and Caleb Sima DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Melanie Rieback: RFID Malware Demystified "Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. Happily, once people started seriously thinking about RFID security issues, the ensuing discussion raised a heap of new research questions. This presentation will serve as a forum to address some of these recent comments and questions first-hand; I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out "the facts vs. the myth" regarding the real-world implications. Melanie Rieback is a Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID privacy management (RFID Guardian) and RFID security (RFID Malware) projects. Melanie's recent work on RFID Malware has attracted worldwide attention, appearing in the New York Times, Washington Post, Reuters, UPI, de Volkskrant, Computable, Computerworld, Computer Weekly, CNN, BBC, Fox News, MSNBC, and many other print, broadcast, and online news outlets. 
Melanie has also served as an invited expert for RFID discussions involving both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the MIT Center for Genome Research/Whitehead Institute. She was part of the public genome sequencing consortium, and is listed as a coauthor on the seminal paper 'Initial sequencing and analysis of the human genome', which appeared in the journal Nature." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#rieback feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 1E229BF2-A27A-43B9-991C-7537DBAF3AB3 Sun, 4 Jun 2006 16:10:19 -0700 RFID Malware Demystified "Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. Happily, once people started seriously thinking about RFID security issues, the ensuing discussion raised a heap of new research questions. This presentation will serve as a forum to address some of these recent comments and questions first-hand; I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out "the facts vs. the myth" regarding the real-world implications. Melanie Rieback is a Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID privacy management (RFID Guardian) and RFID security (RFID Malware) projects. 
Melanie's recent work on RFID Malware has attracted worldwide attention, appearing in the New York Times, Washington Post, Reuters, UPI, de Volkskrant, Computable, Computerworld, Computer Weekly, CNN, BBC, Fox News, MSNBC, and many other print, broadcast, and online news outlets. Melanie has also served as an invited expert for RFID discussions involving both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the MIT Center for Genome Research/Whitehead Institute. She was part of the public genome sequencing consortium, and is listed as a coauthor on the seminal paper 'Initial sequencing and analysis of the human genome', which appeared in the journal Nature." 51:38 Melanie Rieback Melanie Rieback ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Melanie Rieback: RFID Malware Demystified "Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. Happily, once people started seriously thinking about RFID security issues, the ensuing discussion raised a heap of new research questions. This presentation will serve as a forum to address some of these recent comments and questions first-hand; I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out "the facts vs. the myth" regarding the real-world implications. Melanie Rieback is a Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. 
Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID privacy management (RFID Guardian) and RFID security (RFID Malware) projects. Melanie's recent work on RFID Malware has attracted worldwide attention, appearing in the New York Times, Washington Post, Reuters, UPI, de Volkskrant, Computable, Computerworld, Computer Weekly, CNN, BBC, Fox News, MSNBC, and many other print, broadcast, and online news outlets. Melanie has also served as an invited expert for RFID discussions involving both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the MIT Center for Genome Research/Whitehead Institute. She was part of the public genome sequencing consortium, and is listed as a coauthor on the seminal paper 'Initial sequencing and analysis of the human genome', which appeared in the journal Nature." Melanie Rieback DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Jamie Butler: R^2: The Exponential Growth in Rootkit Techniques "Rootkit technology has exploded recently, especially in the realm of remote command and control vectors. This talk will cover the evolution of rootkit techniques over the years. It will explore the interaction between corporations, the open source community, and the underground. A detailed analysis of how different rootkits are implemented will be covered. Based on this analysis, the presentation concludes with a discussion of detection methods. James Butler has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. 
Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel". Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop, USENIX login, SecurityFocus, and Phrack. He has also appeared on Tech TV and CNN. William Arbaugh spent sixteen years with the U.S. Defense Department first as a commissioned officer in the Army and then as a civilian at the National Security Agency. During the sixteen years, Dr. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Dr. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Dr. Arbaugh received a B.S. from the United States Military Academy at West Point, a M.S. in computer science from Columbia University in New York City and a PhD in computer science from the University of Pennsylvania in Philadelphia. Prof. Arbaugh is a member of DARPA's Information Science And Technology (ISAT) study group, and he also currently serves on the editorial boards of the IEEE Computer, and the IEEE Security and Privacy magazines. He has also co-authored a book with Jon Edney on Wi-Fi security that is published by Addison-Wesley." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#butler feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ ECB365CA-234D-440E-9B87-DA00D4D3E110 Sun, 4 Jun 2006 16:10:19 -0700 R^2: The Exponential Growth in Rootkit Techniques "Rootkit technology has exploded recently, especially in the realm of remote command and control vectors. 
This talk will cover the evolution of rootkit techniques over the years. It will explore the interaction between corporations, the open source community, and the underground. A detailed analysis of how different rootkits are implemented will be covered. Based on this analysis, the presentation concludes with a discussion of detection methods. James Butler has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel". Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop, USENIX login, SecurityFocus, and Phrack. He has also appeared on Tech TV and CNN. William Arbaugh spent sixteen years with the U.S. Defense Department first as a commissioned officer in the Army and then as a civilian at the National Security Agency. During the sixteen years, Dr. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Dr. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Dr. Arbaugh received a B.S. from the United States Military Academy at West Point, a M.S. in computer science from Columbia University in New York City and a PhD in computer science from the University of Pennsylvania in Philadelphia. Prof. 
Arbaugh is a member of DARPA's Information Science And Technology (ISAT) study group, and he also currently serves on the editorial boards of the IEEE Computer, and the IEEE Security and Privacy magazines. He has also co-authored a book with Jon Edney on Wi-Fi security that is published by Addison-Wesley." 42:20 Jamie Butler Jamie Butler ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Jamie Butler: R^2: The Exponential Growth in Rootkit Techniques "Rootkit technology has exploded recently, especially in the realm of remote command and control vectors. This talk will cover the evolution of rootkit techniques over the years. It will explore the interaction between corporations, the open source community, and the underground. A detailed analysis of how different rootkits are implemented will be covered. Based on this analysis, the presentation concludes with a discussion of detection methods. James Butler has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel". Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop, USENIX login, SecurityFocus, and Phrack. He has also appeared on Tech TV and CNN. William Arbaugh spent sixteen years with the U.S. Defense Department first as a commissioned officer in the Army and then as a civilian at the National Security Agency. 
During the sixteen years, Dr. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Dr. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Dr. Arbaugh received a B.S. from the United States Military Academy at West Point, a M.S. in computer science from Columbia University in New York City and a PhD in computer science from the University of Pennsylvania in Philadelphia. Prof. Arbaugh is a member of DARPA's Information Science And Technology (ISAT) study group, and he also currently serves on the editorial boards of the IEEE Computer, and the IEEE Security and Privacy magazines. He has also co-authored a book with Jon Edney on Wi-Fi security that is published by Addison-Wesley." Jamie Butler DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Emmanuele Zambon: "NIDS, false positive reduction through anomaly detection" "The Achilles' heel of network IDSs lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets to produce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. 
To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture. Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms from 50% to 100% (improving accuracy) without reducing the NIDS ability to detect attacks (completeness). Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for an year at Information Risk Management division in KPMG Italy. He is author and researcher of the POSEIDON paper. Damiano Bolzoni pursued a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebIT and many security conferences in Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management." 
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#zambon feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ CFD9EE82-8EA0-4CB5-8C02-1C81F9C0C88B Sun, 4 Jun 2006 16:10:19 -0700 "NIDS, false positive reduction through anomaly detection" "The Achilles' heel of network IDSs lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets to produce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture. Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms from 50% to 100% (improving accuracy) without reducing the NIDS ability to detect attacks (completeness). 
Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for an year at Information Risk Management division in KPMG Italy. He is author and researcher of the POSEIDON paper. Damiano Bolzoni pursued a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebIT and many security conferences in Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management." 48:40 Emmanuele Zambon Emmanuele Zambon ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Emmanuele Zambon: "NIDS, false positive reduction through anomaly detection" "The Achilles' heel of network IDSs lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets to produce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. 
To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture. Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms from 50% to 100% (improving accuracy) without reducing the NIDS ability to detect attacks (completeness). Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for an year at Information Risk Management division in KPMG Italy. He is author and researcher of the POSEIDON paper. Damiano Bolzoni pursued a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebIT and many security conferences in Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management." Emmanuele Zambon DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Andrew Cushman: Microsoft Security Fundamentals - Engineering, Response and Outreach "You’ve heard about Trustworthy Computing and you’ve seen some security improvements from Microsoft. 
You may have wondered-"is this change real or is it just lip service?" You may also have asked yourself "self, why did they do that?" This presentation will give you an historical and current view of the changes Microsoft has made and our policies and procedures that deliver more secure products and improved security response. This promises to be a lively and entertaining talk illustrated with actual examples of these policies and procedures from Windows Vista and recent security updates. Andrew Cushman, Director, Security Engineering, Response and Outreach - is responsible for Microsoft's outreach to the security community and has overall responsibility for the BlueHat conference. Andrew is a member of Microsoft's Security Engineering leadership team whose current top priority is the security of Windows Vista. Cushman was the Group Manager for the IIS team and was instrumental in shipping IIS versions 4, 5, and 6.0. Way back in the day he started his 16 year career at Microsoft testing international versions of Publisher, Money, Works and Flight Simulator." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Cushman feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 4C0A45BC-47DB-4674-9B21-D757F5B83FE6 Sun, 4 Jun 2006 16:10:19 -0700 Microsoft Security Fundamentals - Engineering, Response and Outreach "You’ve heard about Trustworthy Computing and you’ve seen some security improvements from Microsoft. You may have wondered-"is this change real or is it just lip service?" You may also have asked yourself "self, why did they do that?" This presentation will give you an historical and current view of the changes Microsoft has made and our policies and procedures that deliver more secure products and improved security response. This promises to be a lively and entertaining talk illustrated with actual examples of these policies and procedures from Windows Vista and recent security updates. 
Andrew Cushman, Director, Security Engineering, Response and Outreach - is responsible for Microsoft's outreach to the security community and has overall responsibility for the BlueHat conference. Andrew is a member of Microsoft's Security Engineering leadership team whose current top priority is the security of Windows Vista. Cushman was the Group Manager for the IIS team and was instrumental in shipping IIS versions 4, 5, and 6.0. Way back in the day he started his 16 year career at Microsoft testing international versions of Publisher, Money, Works and Flight Simulator." 57:13 Andrew Cushman Andrew Cushman ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Andrew Cushman: Microsoft Security Fundamentals - Engineering, Response and Outreach "You’ve heard about Trustworthy Computing and you’ve seen some security improvements from Microsoft. You may have wondered-"is this change real or is it just lip service?" You may also have asked yourself "self, why did they do that?" This presentation will give you an historical and current view of the changes Microsoft has made and our policies and procedures that deliver more secure products and improved security response. This promises to be a lively and entertaining talk illustrated with actual examples of these policies and procedures from Windows Vista and recent security updates. Andrew Cushman, Director, Security Engineering, Response and Outreach - is responsible for Microsoft's outreach to the security community and has overall responsibility for the BlueHat conference. Andrew is a member of Microsoft's Security Engineering leadership team whose current top priority is the security of Windows Vista. Cushman was the Group Manager for the IIS team and was instrumental in shipping IIS versions 4, 5, and 6.0. 
Way back in the day he started his 16 year career at Microsoft testing international versions of Publisher, Money, Works and Flight Simulator." Andrew Cushman DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Panel: Meet the Feds: OODA Loop and the Science of Security "The OODA Loop theory was conceived by Col John Boyd, AF fighter pilot. He believed that a pilot in a lethal engagement that could Observe, Orient, Decide, and Act (OODA) before his adversary had a better chance to survive. He considered air combat an art rather than a science. John Boyd proved air combat could be codified; for every maneuver there is a series of counter maneuvers and there is a counter to every counter. Today, successful fighter pilots study every option open to their adversary and how to respond. This panel's focus is on the government efforts to try to get inside the cyber adversary's OODA Loop and survive another type of potential cyber lethal engagement. The bad guys are coming at us at the speed of light, so how do we as law enforcement or security experts get inside our adversaries’ OODA Loop." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ EBB4B6D4-9C39-4C61-A4BC-5BEAB7B1C1C4 Sun, 4 Jun 2006 16:10:19 -0700 Meet the Feds: OODA Loop and the Science of Security "The OODA Loop theory was conceived by Col John Boyd, AF fighter pilot. He believed that a pilot in a lethal engagement that could Observe, Orient, Decide, and Act (OODA) before his adversary had a better chance to survive. He considered air combat an art rather than a science. John Boyd proved air combat could be codified; for every maneuver there is a series of counter maneuvers and there is a counter to every counter. Today, successful fighter pilots study every option open to their adversary and how to respond. 
This panel's focus is on the government efforts to try to get inside the cyber adversary's OODA Loop and survive another type of potential cyber lethal engagement. The bad guys are coming at us at the speed of light, so how do we as law enforcement or security experts get inside our adversaries’ OODA Loop." 48:34 Panel Panel ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Panel: Meet the Feds: OODA Loop and the Science of Security "The OODA Loop theory was conceived by Col John Boyd, AF fighter pilot. He believed that a pilot in a lethal engagement that could Observe, Orient, Decide, and Act (OODA) before his adversary had a better chance to survive. He considered air combat an art rather than a science. John Boyd proved air combat could be codified; for every maneuver there is a series of counter maneuvers and there is a counter to every counter. Today, successful fighter pilots study every option open to their adversary and how to respond. This panel's focus is on the government efforts to try to get inside the cyber adversary's OODA Loop and survive another type of potential cyber lethal engagement. The bad guys are coming at us at the speed of light, so how do we as law enforcement or security experts get inside our adversaries’ OODA Loop." Panel DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Charles Edge: Attacking Apple’s Xsan "A fundamental of many SAN solutions is to use metadata to provide shared access to a SAN. This is true in iSCSI or FibreChannel and across a wide variety of products. Metadata can offer a way around the built-in security features provided that attackers have FibreChannel connectivity. SAN architecture represents a symbol of choosing speed over security. Metadata, the vehicle that provides speed, is a backdoor into the system built around it. 
In this session we will cover using Metadata to DoS or gain unauthorized access to an Xsan over the FibreChannel network." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 8F147DB3-37E2-4CDB-8A53-CC27A9F2B4AE Sun, 4 Jun 2006 16:10:19 -0700 Attacking Apple’s Xsan "A fundamental of many SAN solutions is to use metadata to provide shared access to a SAN. This is true in iSCSI or FibreChannel and across a wide variety of products. Metadata can offer a way around the built-in security features provided that attackers have FibreChannel connectivity. SAN architecture represents a symbol of choosing speed over security. Metadata, the vehicle that provides speed, is a backdoor into the system built around it. In this session we will cover using Metadata to DoS or gain unauthorized access to an Xsan over the FibreChannel network." 16:19 Charles Edge Charles Edge ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Charles Edge: Attacking Apple’s Xsan "A fundamental of many SAN solutions is to use metadata to provide shared access to a SAN. This is true in iSCSI or FibreChannel and across a wide variety of products. Metadata can offer a way around the built-in security features provided that attackers have FibreChannel connectivity. SAN architecture represents a symbol of choosing speed over security. Metadata, the vehicle that provides speed, is a backdoor into the system built around it. In this session we will cover using Metadata to DoS or gain unauthorized access to an Xsan over the FibreChannel network." Charles Edge DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Yuan Fan and Xiao Rong: MatriXay-When Web App & Database Security Pen-Test/Audit Is a Joy This topic will present a new web-app/DB pen-test tool. 
This tool supports both proxy (passive) mode as well as direct URL targeting. It is a mixed Web App SQL Injection systematic pen-test and WebApp/Database scanner/auditing-style tool and supports most popular databases used by web applications such as Oracle, SQL Server, Access and DB2. It has many unique features from web app backend Database automatic detection to the ability to browse database objects (without the need to ask for a passwords, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation. http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 077480FA-6342-41DC-A359-9BD44562479E Sun, 4 Jun 2006 16:10:19 -0700 MatriXay-When Web App & Database Security Pen-Test/Audit Is a Joy This topic will present a new web-app/DB pen-test tool. This tool supports both proxy (passive) mode as well as direct URL targeting. It is a mixed Web App SQL Injection systematic pen-test and WebApp/Database scanner/auditing-style tool and supports most popular databases used by web applications such as Oracle, SQL Server, Access and DB2. It has many unique features from web app backend Database automatic detection to the ability to browse database objects (without the need to ask for a passwords, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation. 21:40 Yuan Fan and Xiao Rong Yuan Fan and Xiao Rong ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Yuan Fan and Xiao Rong: MatriXay-When Web App & Database Security Pen-Test/Audit Is a Joy This topic will present a new web-app/DB pen-test tool. This tool supports both proxy (passive) mode as well as direct URL targeting. 
It is a mixed Web App SQL Injection systematic pen-test and WebApp/Database scanner/auditing-style tool and supports most popular databases used by web applications such as Oracle, SQL Server, Access and DB2. It has many unique features from web app backend Database automatic detection to the ability to browse database objects (without the need to ask for a passwords, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation. Yuan Fan and Xiao Rong DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous "Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. 
Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that understand what it is and how to defend against it. During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe bestpractices for securing websites and users against these threats. You’ll see: * Port scanning and attacking intranet devices using JavaScript * Blind web server fingerprinting using unique URLs * Discovery NAT'ed IP addresses with Java Applets * Stealing web browser history with Cascading Style Sheets * Best-practice defense measures for securing websites * Essential habits for safe web surfing Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As an well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. 
Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#grossman feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ CA3EEBDA-5C5F-4F97-A942-9F74F52CF60D Sun, 4 Jun 2006 16:10:19 -0700 Hacking Intranet websites from the outside: Malware just got a lot more dangerous "Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. 
even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that understand what it is and how to defend against it. During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe bestpractices for securing websites and users against these threats. You’ll see: * Port scanning and attacking intranet devices using JavaScript * Blind web server fingerprinting using unique URLs * Discovery NAT'ed IP addresses with Java Applets * Stealing web browser history with Cascading Style Sheets * Best-practice defense measures for securing websites * Essential habits for safe web surfing Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As an well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. 
Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology." 54:51 Jeremiah Grossman Jeremiah Grossman ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous "Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. 
Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that understand what it is and how to defend against it. During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe bestpractices for securing websites and users against these threats. You’ll see: * Port scanning and attacking intranet devices using JavaScript * Blind web server fingerprinting using unique URLs * Discovery NAT'ed IP addresses with Java Applets * Stealing web browser history with Cascading Style Sheets * Best-practice defense measures for securing websites * Essential habits for safe web surfing Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As an well-known and internationally recognized security expert, Mr. 
Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology."

Lukas Grunwald: "New Attack to RFID-Systems and their Middle ware and Backends"

"This talk provides an overview of new RFID technologies used for dual-interface cards (credit cards, ticketing and passports), and RFID tags with encryption and security features. Problems with these security features are discussed and attacks on them are presented. After dealing with the tags, an overview of the rest of an RFID implementation, middleware and backend database, and the results of special attacks on this infrastructure are given. Is it possible that your cat is carrying an RFID virus? And how might one attack the backend systems, and what does an RFID malware design look like? At the end of this talk, there is a practical demonstration of these discussed attacks.

Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally acting consulting office working mainly in the field of security and Internet/eCommerce and Supply Council solutions for enterprises."

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#grunwald (40:09; posted Sun, 4 Jun 2006 16:10:19 -0700)

Dino Dai Zovi: Hardware Virtualization Based Rootkits

"Hardware-supported CPU virtualization extensions such as Intel's VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel® Core Solo and Duo processors found in laptops released in early 2006, with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a rootkit "hypervisor" that transparently runs the original operating system in a VM. The rootkit would be loaded in physical memory pages that are inaccessible to the running OS and can mediate device access to hide blocks on disk. This presentation will describe how VT-x can be used by rootkit authors, demonstrate a rootkit based on these techniques, and begin to explore how such rootkits may be detected.
Dino Dai Zovi is a principal member of Matasano Security where he performs consulting engagements as well as research and development. Dino is a computer security professional and researcher with over 7 years of experience in software, web application, and network penetration testing, application and operating system source code review, cryptosystem design and review, malware analysis, security tool development, and Red Team security analysis for Fortune 100 firms and federal government departments and agencies. Dino's other research projects include KARMA, a wireless client-side security assessment toolkit, and Viha, the first monitor-mode wireless driver for Apple's AirPort 802.11b network cards."

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#zovi (50:10; posted Sun, 4 Jun 2006 16:10:19 -0700)

Alexander Sotirov: Hotpatching and the Rise of Third-Party Patches

"Hotpatching is a common technique for modifying the behavior of closed-source applications and operating systems. It is not new, and has been used by old-school DOS viruses, spyware, and many security products. This presentation will focus on one particular application of hotpatching: the development of third-party security patches in the absence of source code or vendor support, as illustrated by Ilfak Guilfanov’s unofficial fix for the WMF vulnerability in December of 2005. The presentation will begin with an overview of common hotpatching implementations, including Microsoft’s hotpatching support in Windows 2003, the standard 5-byte jump overwrite and dynamic binary translation systems. I will talk briefly about the deployment and compatibility issues surrounding third-party security patches, before getting technical and delving deep into the process of hotpatch development. I will present techniques for exploit-guided debugging and reverse engineering of vulnerable functions, as well as code for hotpatch injection and binary patching.
The most fun part will be at the end of the presentation, when I will do a live demo of analyzing a vulnerability and building a hotpatch for it in 15 minutes."

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html (56:25; posted Sun, 4 Jun 2006 16:10:19 -0700)

John Lambert: Security Engineering in Windows Vista

This presentation will offer a technical overview of the security engineering process behind Windows Vista. Windows Vista is the first end-to-end major OS release in the Trustworthy Computing era from Microsoft. Come see how we’ve listened to feedback from the security community and how we’ve changed how we engineer our products as a result. The talk covers how the Vista engineering process is different from Windows XP, details from the largest-commercial-pentest-in-the-world, and a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities. It includes behind-the-scenes details you won’t hear anywhere else.

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html (48:19; posted Sun, 4 Jun 2006 16:10:19 -0700)
Chris Eng: Breaking Crypto Without Keys: Analyzing Data in Web Applications

"How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human-readable text? What did you do next: ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it? This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience. This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers."

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html (1:00:01; posted Sun, 4 Jun 2006 16:10:19 -0700)

Tom Gallagher: Finding and Preventing Cross-Site Request Forgery

"There is an often overlooked security design flaw in many web applications today. Web applications often take user input through HTML forms. When privileged operations are performed, the server verifies the request is from an authorized user. Cross-Site Request Forgery attacks allow an attacker to coerce an authorized user to request privileged operations of the attacker’s choice. Learn about this attack, how you can quickly identify these bugs in web applications, common techniques programmers use to prevent these attacks, common bugs in some of these preventions, how the attack applies to SOAP, and how to automate tests to verify the attack is successfully prevented. Tom Gallagher has bee"

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html (20:05; posted Sun, 4 Jun 2006 16:10:19 -0700)

Tod Beardsley: Investigating Evil Websites with Monkeyspaw: The Greasemonkey Security Professional's Automated Webthinger

"Monkeyspaw is a unified, single-interface set of security-related website evaluation tools. Implemented in Greasemonkey, its purpose is to automate several common tasks employed during the early steps of an incident investigation involving client-side exploits. More generally, Monkeyspaw is also intended to demonstrate some of the more interesting data correlation capabilities of Greasemonkey.
Hopefully, its release will encourage more security application development in this easy-to-use, cross-platform, web-ready scripting environment. About Greasemonkey: Greasemonkey is described as "bookmarklets on crack" by its primary developer, Aaron Boodman. For more details, see his presentation."

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html (21:29; posted Sun, 4 Jun 2006 16:10:19 -0700)

Billy Hoffman: Ajax (in)security

"Ajax can mean different things to different people. To a user, Ajax means smooth web applications like Google Maps or Outlook Web Access. To a developer, Ajax provides methods to enrich a user's experience with a web application by reducing latency and offloading complex tasks on the client. To an information architect, Ajax means fundamentally changing the design of web applications so they span both client and server. To the security professional, Ajax makes life difficult by increasing the attack surface of web applications and exposing internal logic layers to the entire network. With 70% of attacks coming through the application layer, Ajax makes the job of securing web applications that much harder. This presentation will comprehensively discuss the fundamental security issues of Ajax. These include browser/server interaction issues, application design issues, vulnerabilities in work-arounds like Ajax bridges, and how the hype surrounding Web 2.0 applications is making things worse. Specifically we will examine the different attack methodologies used against Ajax applications, how Ajax increases the danger of XSS attacks, the dangers of exposing your application logic layer to the network, how bridges can be used to exploit 3rd-party sites, and more. Finally we discuss how to properly design an Ajax application to avoid these security issues and demonstrate methods to secure existing applications.
Participants should have a good understanding of HTTP and JavaScript, and be familiar with web application design.

Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus."

Speaker page: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Hoffman2 (1:12:34; posted Sun, 4 Jun 2006 16:10:19 -0700)

Claudio Merloni: The BlueBag: a mobile, covert Bluetooth attack and infection device

"How could an attacker steal the phone numbers stored on your mobile, eavesdrop on your conversations, see what you're typing on the keyboard, take pictures of the room you're in, and monitor everything you're doing, without ever getting in range of your Bluetooth mobile phone?
In this talk we present a set of projects that can be combined to exploit Bluetooth devices (and users...), weaknesses building a distributed network of agents spreading via Bluetooth which can seek given targets and exploit the devices to log keystrokes, steal data, record audio data, take pictures and then send the collected data back to the attacker, either through the agents network or directly to the attacker. We show the different elements that compose the whole project, giving an estimate, through real data and mathematical models, of the effectiveness of that kind of attack. We also show what our hidden, effective and cool worm-spreading trolley looks like: say hello to the BlueBag! ;-) Claudio Merloni, M.S. in Computer Engineering, has graduated from the Politecnico of Milano School of Engineering. Since 2004, he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. His daily work is focused mainly on security policies and management, security assessment and computer forensics. Luca Carettoni is a Computer Engineering student at the Politecnico of Milano University. His current research and master’s degree thesis deals with automatic detection of web application security flaws. Since 2005 he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. He is the author of several research papers, advisories and articles on computer security for Italian journals. His interests revolve around three attractors: web applications security, mobile computing and digital freedom." 
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#merloni feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ ED904AE6-7766-4A50-AEA0-C3AF2D7403B0 Sun, 4 Jun 2006 16:10:19 -0700 The BlueBag: a mobile, covert Bluetooth attack and infection device "How could an attacker steal the phone numbers stored on your mobile, eavesdrop your conversations, see what you're typing on the keyboard, take pictures of the room you're in, and monitor everything you're doing, without ever getting in the range of your Bluetooth mobile phone? In this talk we present a set of projects that can be combined to exploit Bluetooth devices (and users...), weaknesses building a distributed network of agents spreading via Bluetooth which can seek given targets and exploit the devices to log keystrokes, steal data, record audio data, take pictures and then send the collected data back to the attacker, either through the agents network or directly to the attacker. We show the different elements that compose the whole project, giving an estimate, through real data and mathematical models, of the effectiveness of that kind of attack. We also show what our hidden, effective and cool worm-spreading trolley looks like: say hello to the BlueBag! ;-) Claudio Merloni, M.S. in Computer Engineering, has graduated from the Politecnico of Milano School of Engineering. Since 2004, he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. His daily work is focused mainly on security policies and management, security assessment and computer forensics. Luca Carettoni is a Computer Engineering student at the Politecnico of Milano University. His current research and master’s degree thesis deals with automatic detection of web application security flaws. Since 2005 he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. 
He is the author of several research papers, advisories and articles on computer security for Italian journals. His interests revolve around three attractors: web applications security, mobile computing and digital freedom." 49:20 Claudio Merloni Claudio Merloni ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Claudio Merloni: The BlueBag: a mobile, covert Bluetooth attack and infection device "How could an attacker steal the phone numbers stored on your mobile, eavesdrop your conversations, see what you're typing on the keyboard, take pictures of the room you're in, and monitor everything you're doing, without ever getting in the range of your Bluetooth mobile phone? In this talk we present a set of projects that can be combined to exploit Bluetooth devices (and users...), weaknesses building a distributed network of agents spreading via Bluetooth which can seek given targets and exploit the devices to log keystrokes, steal data, record audio data, take pictures and then send the collected data back to the attacker, either through the agents network or directly to the attacker. We show the different elements that compose the whole project, giving an estimate, through real data and mathematical models, of the effectiveness of that kind of attack. We also show what our hidden, effective and cool worm-spreading trolley looks like: say hello to the BlueBag! ;-) Claudio Merloni, M.S. in Computer Engineering, has graduated from the Politecnico of Milano School of Engineering. Since 2004, he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. His daily work is focused mainly on security policies and management, security assessment and computer forensics. Luca Carettoni is a Computer Engineering student at the Politecnico of Milano University. 
His current research and master’s degree thesis deals with automatic detection of web application security flaws. Since 2005 he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. He is the author of several research papers, advisories and articles on computer security for Italian journals. His interests revolve around three attractors: web applications security, mobile computing and digital freedom." Claudio Merloni DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Peter Silberman: RAIDE: Rootkit Analysis Identification Elimination v 1.0 "In the past couple years there have been major advances in the field of rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker, to FU. Rootkit technology is growing at an exponential rate and is becoming an everyday problem. Spyware and BotNets for example are using rootkits to hide their presence. During the same time, there have been few public advances in the rootkit detection field since the conception of VICE. The detection that is out there only meets half the need because each tool is designed to detect a very specific threat. After three years, it’s time for another run at rootkit detection. This presentation will review the state-of-the-industry in rootkit detection, which includes previously known ways to detect rootkits and hooks. It will be shown how the current detection is inadequate for today’s threat, as many detection algorithms are being bypassed. The talk will outline what those threats are and how they work. The presentation will then introduce the RAIDE (Rootkit Analysis Identification Elimination) tool and detail RAIDE’s unique features such as unhiding hidden processes, showing new ways to detect hidden processes, and restoring non-exported ntoskrnl functions. 
The talk will conclude with a demonstration, which at Black Hat Europe included five rootkits, one virtual machine, two kernel level debuggers, and RAIDE running happily on top of them all. Peter Silberman has been working in computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was employed at HBGary during the summer of 2005; however during the year, Peter is an independent security researcher who tries to contribute to openRCE.org in his spare time. Peter is currently a sophomore at a liberal arts school where he tries to not let education interfere with his learning. Peter if not behind a computer or power tools can be found behind a pong table mastering his skills. Jamie Butler is the Chief Technology Officer at Komoku, Inc. He has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was also the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. Mr. Butler has a Master's degree in Computer Science from the University of Maryland and a B.B.A. and B.S from James Madison University. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel." Mr. Butler has authored numerous papers appearing in publications such as the "IEEE Information Assurance Workshop, USENIX login";, "SecurityFocus", and "Phrack". He is a frequent speaker at computer security conferences such as the Black Hat Security Briefings and has appeared on Tech TV and CNN. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc. 
specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel" due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds a MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX login, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#silberman feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 19035E74-8F00-4745-A968-879BF837B38E Sun, 4 Jun 2006 16:10:19 -0700 RAIDE: Rootkit Analysis Identification Elimination v 1.0 "In the past couple years there have been major advances in the field of rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker, to FU. Rootkit technology is growing at an exponential rate and is becoming an everyday problem. Spyware and BotNets for example are using rootkits to hide their presence. During the same time, there have been few public advances in the rootkit detection field since the conception of VICE. The detection that is out there only meets half the need because each tool is designed to detect a very specific threat. After three years, it’s time for another run at rootkit detection. This presentation will review the state-of-the-industry in rootkit detection, which includes previously known ways to detect rootkits and hooks. It will be shown how the current detection is inadequate for today’s threat, as many detection algorithms are being bypassed. 
The talk will outline what those threats are and how they work. The presentation will then introduce the RAIDE (Rootkit Analysis Identification Elimination) tool and detail RAIDE’s unique features such as unhiding hidden processes, showing new ways to detect hidden processes, and restoring non-exported ntoskrnl functions. The talk will conclude with a demonstration, which at Black Hat Europe included five rootkits, one virtual machine, two kernel level debuggers, and RAIDE running happily on top of them all. Peter Silberman has been working in computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was employed at HBGary during the summer of 2005; however during the year, Peter is an independent security researcher who tries to contribute to openRCE.org in his spare time. Peter is currently a sophomore at a liberal arts school where he tries to not let education interfere with his learning. Peter if not behind a computer or power tools can be found behind a pong table mastering his skills. Jamie Butler is the Chief Technology Officer at Komoku, Inc. He has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was also the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. Mr. Butler has a Master's degree in Computer Science from the University of Maryland and a B.B.A. and B.S from James Madison University. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel." Mr. 
Butler has authored numerous papers appearing in publications such as the "IEEE Information Assurance Workshop, USENIX login";, "SecurityFocus", and "Phrack". He is a frequent speaker at computer security conferences such as the Black Hat Security Briefings and has appeared on Tech TV and CNN. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc. specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel" due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds a MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX login, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com." 55:57 Peter Silberman Peter Silberman ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Peter Silberman: RAIDE: Rootkit Analysis Identification Elimination v 1.0 "In the past couple years there have been major advances in the field of rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker, to FU. Rootkit technology is growing at an exponential rate and is becoming an everyday problem. Spyware and BotNets for example are using rootkits to hide their presence. During the same time, there have been few public advances in the rootkit detection field since the conception of VICE. The detection that is out there only meets half the need because each tool is designed to detect a very specific threat. 
After three years, it’s time for another run at rootkit detection. This presentation will review the state-of-the-industry in rootkit detection, which includes previously known ways to detect rootkits and hooks. It will be shown how the current detection is inadequate for today’s threat, as many detection algorithms are being bypassed. The talk will outline what those threats are and how they work. The presentation will then introduce the RAIDE (Rootkit Analysis Identification Elimination) tool and detail RAIDE’s unique features such as unhiding hidden processes, showing new ways to detect hidden processes, and restoring non-exported ntoskrnl functions. The talk will conclude with a demonstration, which at Black Hat Europe included five rootkits, one virtual machine, two kernel level debuggers, and RAIDE running happily on top of them all. Peter Silberman has been working in computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was employed at HBGary during the summer of 2005; however during the year, Peter is an independent security researcher who tries to contribute to openRCE.org in his spare time. Peter is currently a sophomore at a liberal arts school where he tries to not let education interfere with his learning. Peter if not behind a computer or power tools can be found behind a pong table mastering his skills. Jamie Butler is the Chief Technology Officer at Komoku, Inc. He has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was also the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. Mr. 
Butler has a Master's degree in Computer Science from the University of Maryland and a B.B.A. and B.S from James Madison University. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel." Mr. Butler has authored numerous papers appearing in publications such as the "IEEE Information Assurance Workshop, USENIX login";, "SecurityFocus", and "Phrack". He is a frequent speaker at computer security conferences such as the Black Hat Security Briefings and has appeared on Tech TV and CNN. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc. specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel" due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds a MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX login, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com." Peter Silberman DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Brian Caswell and HD Moore: Thermoptic Camoflauge: Total IDS Evasion Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. 
This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be. http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 1DE853AE-674C-49FC-9D28-D428231CE21C Sun, 4 Jun 2006 16:10:19 -0700 Thermoptic Camoflauge: Total IDS Evasion Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be. 
1:21:50 Brian Caswell and HD Moore Brian Caswell and HD Moore ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Brian Caswell and HD Moore: Thermoptic Camoflauge: Total IDS Evasion Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be. Brian Caswell and HD Moore DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Abolade Gbadegesin : The NetIO Stack - Reinventing TCP/IP in Windows Vista "TCP/IP is on the front lines in defending against network attacks, from intrusion attempts to denial-of-service. Achieving resilience depends on factors from NIC driver quality up through network application behavior. Windows Vista delivers resilience, security and extensibility with the NetIO stack-a re-architected and re-written TCP/IP stack. 
Windows Vista Network Architect Abolade Gbadegesin will provide an in-depth technical description of the new architecture and new features, and will provide an insider’s view of how Microsoft listened and responded to feedback from the security community. Abolade Gbadegesin is an Architect in the Windows Networking and Device Technologies Division, and is responsible for leading the redesign and implementation of the Windows networking stack for Windows Vista, incorporating native support for IPv6, IPSec and hardware offload capabilities. Abolade is a member of the Windows architecture group and the networking architecture team. When time permits, he works as a comic book artist, practices piano and breakdance and Argentine tango, and contributes performances at various spoken word events as a founding member of the Learned Hearts Brigade." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Gbadegesin feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 50D11B30-DBEC-422B-A4C6-020BB3A9A826 Sun, 4 Jun 2006 16:10:19 -0700 The NetIO Stack - Reinventing TCP/IP in Windows Vista "TCP/IP is on the front lines in defending against network attacks, from intrusion attempts to denial-of-service. Achieving resilience depends on factors from NIC driver quality up through network application behavior. Windows Vista delivers resilience, security and extensibility with the NetIO stack-a re-architected and re-written TCP/IP stack. Windows Vista Network Architect Abolade Gbadegesin will provide an in-depth technical description of the new architecture and new features, and will provide an insider’s view of how Microsoft listened and responded to feedback from the security community. 
Abolade Gbadegesin is an Architect in the Windows Networking and Device Technologies Division, and is responsible for leading the redesign and implementation of the Windows networking stack for Windows Vista, incorporating native support for IPv6, IPSec and hardware offload capabilities. Abolade is a member of the Windows architecture group and the networking architecture team. When time permits, he works as a comic book artist, practices piano and breakdance and Argentine tango, and contributes performances at various spoken word events as a founding member of the Learned Hearts Brigade." 58:40 Abolade Gbadegesin Abolade Gbadegesin ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Abolade Gbadegesin : The NetIO Stack - Reinventing TCP/IP in Windows Vista "TCP/IP is on the front lines in defending against network attacks, from intrusion attempts to denial-of-service. Achieving resilience depends on factors from NIC driver quality up through network application behavior. Windows Vista delivers resilience, security and extensibility with the NetIO stack-a re-architected and re-written TCP/IP stack. Windows Vista Network Architect Abolade Gbadegesin will provide an in-depth technical description of the new architecture and new features, and will provide an insider’s view of how Microsoft listened and responded to feedback from the security community. Abolade Gbadegesin is an Architect in the Windows Networking and Device Technologies Division, and is responsible for leading the redesign and implementation of the Windows networking stack for Windows Vista, incorporating native support for IPv6, IPSec and hardware offload capabilities. Abolade is a member of the Windows architecture group and the networking architecture team. 
When time permits, he works as a comic book artist, practices piano and breakdance and Argentine tango, and contributes performances at various spoken word events as a founding member of the Learned Hearts Brigade." Abolade Gbadegesin DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Johnny Long: Secrets of the Hollywood Hacker "If you know good tech, you can smell bad tech from a mile away. Bad tech is the stuff that makes you laugh out loud in a theater when all the "normal" people around you thought something k-rad just happened. The stuff that makes real hackers cringe, furious that they missed their true calling: the cushy life of a Hollywood "technical consultant". Then again, maybe Hollywood got it right, and the hackers have it all confused. Judge for yourself as Johnny slings the code that quite possibly explains what, exactly those boneheads must have been thinking. If you can piece together the meaning behind the code, and guess the pop culture reference first, you'll win the respect of your peers and possibly one of many dandy prizes. Either way you'll relish in the utter stupidity (or brilliance) of Hollywood's finest hacking moments. Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com" http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#long feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 203ABCBC-C0AF-4791-A1E2-786FEC3CE421 Sun, 4 Jun 2006 16:10:19 -0700 Secrets of the Hollywood Hacker "If you know good tech, you can smell bad tech from a mile away. 
Bad tech is the stuff that makes you laugh out loud in a theater when all the "normal" people around you thought something k-rad just happened. The stuff that makes real hackers cringe, furious that they missed their true calling: the cushy life of a Hollywood "technical consultant". Then again, maybe Hollywood got it right, and the hackers have it all confused. Judge for yourself as Johnny slings the code that quite possibly explains what, exactly, those boneheads must have been thinking. If you can piece together the meaning behind the code, and guess the pop culture reference first, you'll win the respect of your peers and possibly one of many dandy prizes. Either way you'll relish the utter stupidity (or brilliance) of Hollywood's finest hacking moments. Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com"
Duration: 1:04:30

Himanshu Dwivedi: I'm Going To Shoot The Next Person Who Says VLANs
"Assessing and analyzing storage networks are key to protecting sensitive data at rest; however, the tools and procedures to protect such resources are absent. The presentation will attempt to bridge the gap between security professionals worried about storage security and the lack of tools/process to mitigate any exposures. The presentation will introduce the Storage Network Audit Program (SNAP), which is an assessment program for security professionals who wish to ensure their storage network is secure. The audit program requires no storage background. The program will clearly outline topics for storage security, list specific questions regarding the topic, and clearly state what outcomes would be satisfactory or unsatisfactory. Over 40 different topics are discussed in SNAP. The presentation will also introduce a new tool to analyze the security configuration of a NetApp filer. SecureNetApp is a tool that will analyze over 90 settings on a NetApp filer and create an HTML report that shows all satisfactory and unsatisfactory settings. Based on the results, the tool will display the exact syntax that can be used to mitigate all unsatisfactory settings, which can be given directly to a storage administrator for remediation. The presentation will conclude with a brief overview of the security gaps in new storage devices marketed to home users and small offices. While devices like NetGear Z-SANs meet the increasing demands of storage, they miss the mark in terms of data protection. A demo of a basic attack will be shown to highlight the lack of security in such home storage products."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 24:08

Jeff Waldron: VOIP Security Essentials
"The VoIP Security Essentials presentation will introduce the audience to voice over IP (VoIP) technology. The practical uses of VoIP will be discussed along with the advantages and disadvantages of VoIP technology as it is today. Key implementation issues will be addressed to ensure product selection for VoIP technology will integrate into the organization's current infrastructure. The presentation will look at some of the latest VoIP security issues that have surfaced and the vendor/industry responses to those issues. Jeff Waldron, CISSP, ISSAP, SCSA, has over 15 years of IT experience; over 10 of those years are IT security specific. He has supported Commercial, State, Federal and DoD IT security environments. He has extensive knowledge of Host and Network-Based Intrusion Detection/Prevention tools and technologies along with UNIX-based security configurations. He has presented at Black Hat USA 04 and is a faculty member with The Institute for Applied Network Security."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 17:23

Jonathan Squire: $30, 30 Minutes, 30 Networks
"Have you ever walked into your local Global Mega Super Tech Store and wondered how cheaply you could build a device that could play your digital music, display pictures, and listen to your neighbor's wireless network? Project Cowbird is part of an ongoing research project to chart the various predators and prey within the information security landscape into a pseudo-ecology. Project Cowbird demonstrates the reuse of a $30 wireless media adapter as a kismet server. The small form factor of the device, in addition to its abundant hardware features (TV out, PCMCIA slot, prism2 card, 10/100 Ethernet), makes the use of this device as a development platform for security tools very intriguing. A brief glimpse into the current and future research of the paper "The Ecology of Information Security" will also be covered. Jonathan Squire is a founding member of the Dow Jones Information Security Group, and is credited with accomplishments that include developing an Information Security model for the enterprise, architecting the security infrastructure for Factiva.com, a Dow Jones and Reuters Company, and architecting a secure, centralized credit card processing solution. Mr. Squire is an active member of the Enterprise Architecture Group within Dow Jones, the group that provides direction of technology initiatives within the enterprise. He is also responsible for providing direction in governance and industry best practices. In his spare time, Jonathan is known to enjoy disassembling any piece of technology that costs more than $20 just to find out what else it can do. This propensity for abusing technology is easily witnessed by viewing the buckets of broken parts strewn throughout his basement as well as the creations that rise from the rubble."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 17:22

Alex Stamos & Zane Lackey: Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0
"The Internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of "Web 2.0" technologies giving us faster, more exciting, and more useful web applications. One of the fundamentals of "Web 2.0" is known as Asynchronous JavaScript and XML (AJAX), which is an amalgam of techniques developers can use to give their applications the level of interactivity of client-side software with the platform-independence of JavaScript. Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser, has created new attacks as well as made classic web application attacks more difficult to prevent. We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering and object serialization attacks in AJAX applications, and will publicly release an AJAX-based XSRF attack framework. We will also be releasing a security analysis of several popular AJAX frameworks, including Microsoft Atlas, JSON-RPC and SAJAX. The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript. Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec. He holds a BSEE from the University of California, Berkeley. Zane Lackey is a Security Consultant with iSEC Partners, LLC, a strategic digital security organization. Zane regularly performs application penetration testing and code review engagements for iSEC, and his research interests include web applications and emerging Win32 vulnerability classes. Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Stamos
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:11:39

Bruce Potter: Bluetooth Defense Kit
"In the last 3 years, Bluetooth has gone from geeky protocol to an integral part of our daily life. From cars to phones to laptops to printers, Bluetooth is everywhere. And while the state of the art with respect to Bluetooth attack has been progressing, Bluetooth defense has been lagging. For many vendors, the solution to securing Bluetooth is to simply "turn it off." There are very few tools and techniques that can be used today to secure a Bluetooth interface without resorting to such extreme measures. This talk will examine contemporary Bluetooth threats including attack tools and risk to the user. The meat of this talk will focus on practical techniques that can be employed to lock down Bluetooth on Windows and Linux. Some of these techniques will be configuration changes, some will be proper use of helper applications, and some will be modifications to the Bluez Bluetooth stack designed to make the stack more secure. Finally, we will release the Bluetooth Defense Kit (BTDK), a tool geared towards the end user designed to make Bluetooth security easy to install and maintain on Bluetooth enabled workstations. Ultimately, security tools need to be usable to be useful, and BTDK has been designed with usability in mind. Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#potter
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:03:11

Greg Hoglund: Hacking World of Warcraft®: An Exercise in Advanced Rootkit Design
"Online games are very popular and represent some of the most complex multi-user applications in the world. World of Warcraft® takes center stage with over 5 million players worldwide. In these persistent worlds, your property (think gold and magic swords) is virtual: it exists only as a record in a database. Yet, over $600 million real dollars were spent in 2005 buying and selling these virtual items. Entire warehouses in China are full of sweatshop workers who make a few dollars a month to "farm" virtual gold. In other words, these "virtual" worlds are real economies with outputs greater than some small countries. Being run by software, these worlds are huge targets for cheating. The game play is easily automated through "botting", and many games have bugs that enable items and gold to be duplicated, among other things. The game publishing companies are responding to the cheating threat with bot-detection technologies and large teams of lawyers. Cheaters are striking back by adding rootkits to their botting programs. The war is on. Hoglund discusses how the gaming environment has pushed the envelope for rootkit development and invasive program manipulation. He discusses World of Warcraft in particular, and an anti-cheating technology known as the "Warden". In 2005, Hoglund blew the whistle publicly on the Warden client and began developing anti-Warden technology. He discusses a botting program known as WoWSharp, including some unreleased rootkit development that was used to make it invisible to the Warden. Hoglund discusses some advanced techniques that involve memory cloaking, hyperspacing threads, shadow branching, and kernel-to-user code injection. Both offensive and defensive techniques are discussed. Software developers working on games would be well advised to attend this talk, and people working with malware in general will find the material valuable."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 49:37

Stefano Zanero: Host Based Anomaly Detection on System Call Arguments
"Traditionally, host-based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype which is capable of detecting anomalous system calls in an execution flow, thus helping in tracing intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall in different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies. Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico di Milano technical university, where he is currently doing his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer-reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and received a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan."
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Zanero2 feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 093DC302-D68F-4461-AC7F-61E65982139D Sun, 4 Jun 2006 16:10:19 -0700 Host Based Anomaly Detection on System calls arguments "Traditionally, host-based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype which is capable of detecting anomalous system calls in an execution flow, thus helping in tracing intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall in different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies. Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is currently spending his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and has been awarded a journalism award in 2003. 
Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan." 1:14:57 Stephano Zanero Stephano Zanero ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Stephano Zanero: Host Based Anomaly Detection on System calls arguments "Traditionally, host-based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype which is capable of detecting anomalous system calls in an execution flow, thus helping in tracing intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall in different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies. Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is currently spending his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and of ISSA (Information Systems Security Association). 
He has also been a columnist for Computer World Italy, and has been awarded a journalism award in 2003. Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan." Stephano Zanero DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Noel Anderson and Taroon Mandhana: WiFi in Windows Vista: A Peek Inside the Kimono "Windows Vista comes with redesigned support for WiFi (802.11 wireless). For those of us who live with a laptop in easy reach, it’s going to have an effect on our workday. For users there’s a new UI experience, helpful diagnostics and updated default behaviors. For IT pros who manage Windows clients, there’s improved management via Group Policy and Scripting. For sysadmins & geeks there’s a new command line interface. But behind these more obvious changes there’s a new software stack. A stack designed to be more secure, but also more open and extensible. This talk will take a deep dive into that stack, describe the various components and their interaction and show where developers can create code to modify and extend the client. Want to build a site survey tool, a wireless IDS, or hack your own driver? We’ll show where to plug in. We’ll describe in detail how the behavior of the wireless stack has changed from XP, explain the rational behind this, and show how this is reflected in the user experience. Finally we’ll look at how Microsoft tests WiFi in Windows Vista." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ C5ED76EA-490F-43CB-95EA-871C76B4ECC8 Sun, 4 Jun 2006 16:10:19 -0700 WiFi in Windows Vista: A Peek Inside the Kimono "Windows Vista comes with redesigned support for WiFi (802.11 wireless). For those of us who live with a laptop in easy reach, it’s going to have an effect on our workday. 
For users there’s a new UI experience, helpful diagnostics and updated default behaviors. For IT pros who manage Windows clients, there’s improved management via Group Policy and Scripting. For sysadmins & geeks there’s a new command line interface. But behind these more obvious changes there’s a new software stack. A stack designed to be more secure, but also more open and extensible. This talk will take a deep dive into that stack, describe the various components and their interaction and show where developers can create code to modify and extend the client. Want to build a site survey tool, a wireless IDS, or hack your own driver? We’ll show where to plug in. We’ll describe in detail how the behavior of the wireless stack has changed from XP, explain the rational behind this, and show how this is reflected in the user experience. Finally we’ll look at how Microsoft tests WiFi in Windows Vista." 58:29 Noel Anderson and Taroon Mandhana Noel Anderson and Taroon Mandhana ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Noel Anderson and Taroon Mandhana: WiFi in Windows Vista: A Peek Inside the Kimono "Windows Vista comes with redesigned support for WiFi (802.11 wireless). For those of us who live with a laptop in easy reach, it’s going to have an effect on our workday. For users there’s a new UI experience, helpful diagnostics and updated default behaviors. For IT pros who manage Windows clients, there’s improved management via Group Policy and Scripting. For sysadmins & geeks there’s a new command line interface. But behind these more obvious changes there’s a new software stack. A stack designed to be more secure, but also more open and extensible. This talk will take a deep dive into that stack, describe the various components and their interaction and show where developers can create code to modify and extend the client. 
Want to build a site survey tool, a wireless IDS, or hack your own driver? We’ll show where to plug in. We’ll describe in detail how the behavior of the wireless stack has changed from XP, explain the rational behind this, and show how this is reflected in the user experience. Finally we’ll look at how Microsoft tests WiFi in Windows Vista." Noel Anderson and Taroon Mandhana DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Panel: Disclosure Discussion Technology vendors, security researchers, and customers - all sides of the vulnerability disclosure debate agree that working together rather than apart is the best way to secure our information. But how? This working group will bring all parties together in one room to address the issues and develop a beneficial working relationship extending beyond the conference. http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ DD5E0832-30F3-4240-A7F0-12DB690603EC Sun, 4 Jun 2006 16:10:19 -0700 Disclosure Discussion Technology vendors, security researchers, and customers - all sides of the vulnerability disclosure debate agree that working together rather than apart is the best way to secure our information. But how? This working group will bring all parties together in one room to address the issues and develop a beneficial working relationship extending beyond the conference. 1:10:09 Panel Panel ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Panel: Disclosure Discussion Technology vendors, security researchers, and customers - all sides of the vulnerability disclosure debate agree that working together rather than apart is the best way to secure our information. But how? 
This working group will bring all parties together in one room to address the issues and develop a beneficial working relationship extending beyond the conference. Panel DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Franck Veysset and Laurent Butti: Wi-Fi Advanced Stealth "Wireless stealth was somewhat expensive some years ago as we were required to use proprietary radios and so on… Thanks to increasingly flexible low-cost 802.11 chipsets we are now able to encode any MAC layer proprietary protocol over 2.4 GHz/5 GHz bands! This could mean stealth to everybody at low-cost! This presentation will focus on two techniques to achieve a good level of stealth: * a userland technique exploiting a covert channel over valid 802.11 frames; * a driverland technique exploiting some 802.11 protocol tweaks. These techniques are somewhat weird! That’s one reason they resist the action of scanners and wireless IDS! The tools that will be released are proof-of-concepts and may be improved both in terms of features and code cleanups!" http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 21C1BE28-4778-41B3-AB3E-856B125593B6 Sun, 4 Jun 2006 16:10:19 -0700 Wi-Fi Advanced Stealth "Wireless stealth was somewhat expensive some years ago as we were required to use proprietary radios and so on… Thanks to increasingly flexible low-cost 802.11 chipsets we are now able to encode any MAC layer proprietary protocol over 2.4 GHz/5 GHz bands! This could mean stealth to everybody at low-cost! This presentation will focus on two techniques to achieve a good level of stealth: * a userland technique exploiting a covert channel over valid 802.11 frames; * a driverland technique exploiting some 802.11 protocol tweaks. These techniques are somewhat weird! That’s one reason they resist the action of scanners and wireless IDS! 
The tools that will be released are proof-of-concepts and may be improved both in terms of features and code cleanups!" 17:21 Franck Veysset and Laurent Butti Franck Veysset and Laurent Butti ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Franck Veysset and Laurent Butti: Wi-Fi Advanced Stealth "Wireless stealth was somewhat expensive some years ago as we were required to use proprietary radios and so on… Thanks to increasingly flexible low-cost 802.11 chipsets we are now able to encode any MAC layer proprietary protocol over 2.4 GHz/5 GHz bands! This could mean stealth to everybody at low-cost! This presentation will focus on two techniques to achieve a good level of stealth: * a userland technique exploiting a covert channel over valid 802.11 frames; * a driverland technique exploiting some 802.11 protocol tweaks. These techniques are somewhat weird! That’s one reason they resist the action of scanners and wireless IDS! The tools that will be released are proof-of-concepts and may be improved both in terms of features and code cleanups!" Franck Veysset and Laurent Butti DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ William B Kimball: Code Integration-Based Vulnerability Auditing There is a growing need to develop improved methods for discovering vulnerabilities in closed-source software. The tools and techniques used to automate searching for these vulnerabilities are either incomplete or non-existent. Fuzz-testing is a common technique used in the discovery process but does not provide a complete analysis of all the vulnerabilities which may exist. Other techniques, such as API hooking, are used to monitor insecure imported functions while leaving inlined functions still waiting to be found. 
LEVI is a new vulnerability auditing tool (Windows NT Family) which addresses both of these issues by using a code integration-based technique to monitor both imported and inlined functions. Using this approach provides a more complete analysis of the vulnerabilities hidden within closed-source software. http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 25C54B9C-A8CC-4A58-92C2-31EB53E38F28 Sun, 4 Jun 2006 16:10:19 -0700 Code Integration-Based Vulnerability Auditing There is a growing need to develop improved methods for discovering vulnerabilities in closed-source software. The tools and techniques used to automate searching for these vulnerabilities are either incomplete or non-existent. Fuzz-testing is a common technique used in the discovery process but does not provide a complete analysis of all the vulnerabilities which may exist. Other techniques, such as API hooking, are used to monitor insecure imported functions while leaving inlined functions still waiting to be found. LEVI is a new vulnerability auditing tool (Windows NT Family) which addresses both of these issues by using a code integration-based technique to monitor both imported and inlined functions. Using this approach provides a more complete analysis of the vulnerabilities hidden within closed-source software. 15:43 William B Kimball William B Kimball ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no William B Kimball: Code Integration-Based Vulnerability Auditing There is a growing need to develop improved methods for discovering vulnerabilities in closed-source software. The tools and techniques used to automate searching for these vulnerabilities are either incomplete or non-existent. 
Fuzz-testing is a common technique used in the discovery process but does not provide a complete analysis of all the vulnerabilities which may exist. Other techniques, such as API hooking, are used to monitor insecure imported functions while leaving inlined functions still waiting to be found. LEVI is a new vulnerability auditing tool (Windows NT Family) which addresses both of these issues by using a code integration-based technique to monitor both imported and inlined functions. Using this approach provides a more complete analysis of the vulnerabilities hidden within closed-source software. William B Kimball DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Stefan Frei and Dr. Martin May: The Speed of (In)security: Analysis of the Speed of Security vs. Insecurity "To be able to defend against IT security attacks, one has to understand the attack patterns and henceforth the vulnerabilities of the attached devices. But, for an in-depth risk analysis, pure technical knowledge of the properties of a vulnerability is not sufficient: one has to understand how vulnerabilities, exploitation, remediation, and distribution of information thereof is handled by the industry and the networking community. In the research, we examined how vulnerabilities are handled in large-scale by analyzing 80,000+ security advisories published since 1995. This huge amount of information enables us to identify and quantify the performance of the security and software industry. We discover trends and discuss their implications. Based on the findings, we finally propose a measure for the global risk exposure. Content may be reviewed after the start of the conference." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 9CB80791-C3AA-4E12-BEEC-C74C672BB7E1 Sun, 4 Jun 2006 16:10:19 -0700 The Speed of (In)security: Analysis of the Speed of Security vs. 
Insecurity "To be able to defend against IT security attacks, one has to understand the attack patterns and henceforth the vulnerabilities of the attached devices. But, for an in-depth risk analysis, pure technical knowledge of the properties of a vulnerability is not sufficient: one has to understand how vulnerabilities, exploitation, remediation, and distribution of information thereof is handled by the industry and the networking community. In the research, we examined how vulnerabilities are handled in large-scale by analyzing 80,000+ security advisories published since 1995. This huge amount of information enables us to identify and quantify the performance of the security and software industry. We discover trends and discuss their implications. Based on the findings, we finally propose a measure for the global risk exposure. Content may be reviewed after the start of the conference." 21:52 Stefan Frei and Dr. Martin May Stefan Frei and Dr. Martin May ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Stefan Frei and Dr. Martin May: The Speed of (In)security: Analysis of the Speed of Security vs. Insecurity "To be able to defend against IT security attacks, one has to understand the attack patterns and henceforth the vulnerabilities of the attached devices. But, for an in-depth risk analysis, pure technical knowledge of the properties of a vulnerability is not sufficient: one has to understand how vulnerabilities, exploitation, remediation, and distribution of information thereof is handled by the industry and the networking community. In the research, we examined how vulnerabilities are handled in large-scale by analyzing 80,000+ security advisories published since 1995. This huge amount of information enables us to identify and quantify the performance of the security and software industry. We discover trends and discuss their implications. 
Based on the findings, we finally propose a measure for the global risk exposure. Content may be reviewed after the start of the conference." Stefan Frei and Dr. Martin May DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Dan Moniz & HD Moore: Six Degrees of XSSploitation "Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, a insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors. We investigate the possibilities using MySpace and other popular sites as case studies, along with the potential posed by both WMF and The Metasploit Project's recently-released browser fuzzing tool, Hamachi, to own a site with self-replicating XSS containing a malicious browser-exploiting payload which itself will modify the browser to auto-exploit other sites, all transparent to the user. On top of this one could layer any additional functionality, some loud, some quiet, such as DDoS bots, keyloggers, other viral payloads, and more. Dan Moniz is a independent security consultant, and is also a member of The Shmoo Group, a world-recognized affiliation of information security professionals. Mr. 
Moniz has spoken at a number of conferences, including Defcon, ShmooCon, and The Intelligence Summit, in addition to private audiences at Fortune 50 companies and universities. In 2003 he testified in front of California State Senate in a hearing on the issues of RFID technology, privacy, and state legislation. In the past, he has held positions with a variety of high tech companies and organizations, including Alexa Internet (an Amazon.com company), Electronic Frontier Foundation, Cloudmark, OpenCola, and Viasec. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#moniz feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 733C2A71-2AFC-4BEF-97CD-31764401AB5A Sun, 4 Jun 2006 16:10:19 -0700 Six Degrees of XSSploitation "Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. 
Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, a insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors. We investigate the possibilities using MySpace and other popular sites as case studies, along with the potential posed by both WMF and The Metasploit Project's recently-released browser fuzzing tool, Hamachi, to own a site with self-replicating XSS containing a malicious browser-exploiting payload which itself will modify the browser to auto-exploit other sites, all transparent to the user. On top of this one could layer any additional functionality, some loud, some quiet, such as DDoS bots, keyloggers, other viral payloads, and more. Dan Moniz is a independent security consultant, and is also a member of The Shmoo Group, a world-recognized affiliation of information security professionals. Mr. Moniz has spoken at a number of conferences, including Defcon, ShmooCon, and The Intelligence Summit, in addition to private audiences at Fortune 50 companies and universities. In 2003 he testified in front of California State Senate in a hearing on the issues of RFID technology, privacy, and state legislation. In the past, he has held positions with a variety of high tech companies and organizations, including Alexa Internet (an Amazon.com company), Electronic Frontier Foundation, Cloudmark, OpenCola, and Viasec. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. 
Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects." 43:55 Dan Moniz & HD Moore Dan Moniz & HD Moore ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Dan Moniz & HD Moore: Six Degrees of XSSploitation "Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, a insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors. 
We investigate the possibilities using MySpace and other popular sites as case studies, along with the potential posed by both WMF and The Metasploit Project's recently-released browser fuzzing tool, Hamachi, to own a site with self-replicating XSS containing a malicious browser-exploiting payload which itself will modify the browser to auto-exploit other sites, all transparent to the user. On top of this one could layer any additional functionality, some loud, some quiet, such as DDoS bots, keyloggers, other viral payloads, and more. Dan Moniz is a independent security consultant, and is also a member of The Shmoo Group, a world-recognized affiliation of information security professionals. Mr. Moniz has spoken at a number of conferences, including Defcon, ShmooCon, and The Intelligence Summit, in addition to private audiences at Fortune 50 companies and universities. In 2003 he testified in front of California State Senate in a hearing on the issues of RFID technology, privacy, and state legislation. In the past, he has held positions with a variety of high tech companies and organizations, including Alexa Internet (an Amazon.com company), Electronic Frontier Foundation, Cloudmark, OpenCola, and Viasec. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects." Dan Moniz & HD Moore DEF CON Communications, Inc. 

Brendan O'Connor: Vulnerabilities in Not-So Embedded Systems
"Printers, scanners, and copiers still have a reputation of being embedded systems or appliances: dumb machines that perform a specific, repetitive function. Today's devices are far different than their predecessors, but still do not receive the same level of security scrutiny as servers, workstations, routers, or even switches. The goal of this talk is to change the way we look at these devices, and leave the audience with a better awareness of the security implications of having these devices in their environments. Although the concepts in this talk can apply to many different devices, the primary focus will be on vulnerabilities, exploitation, and defense of the new Xerox WorkCentre product line. Previously undisclosed vulnerabilities will be released, along with exploit code that turns a dumb printer, copier, or scanner into a network attack drone. Steps administrators can take to harden these devices will also be covered.
Brendan O'Connor is a security engineer from the Midwest. He worked in security for a communications company for four years before switching to the financial sector in 2004. Brendan currently works in Information Security for a major financial services company, where his duties include vulnerability research, security architecture, and application security. He has several multi-letter acronyms after his name, drinks too much coffee, and plays an unhealthy amount of Warcraft."
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:00:50
Speaker: Brendan O'Connor

Alexander Tereshkin: Rootkits: Attacking Personal Firewalls
"Usually, a personal firewall and an antivirus monitor are the only tools run by a user to protect the system from any malware threat with any level of sophistication. This level significantly increases when malware authors add kernel mode rootkit components to their code in order to avoid easy detection. As rootkit technologies become more and more popular, we can clearly see that many AV vendors begin to integrate anti-rootkit code into their products. However, the firewall evolution is not so obvious.
Firewall vendors widely advertise their enhancements to the protection against user mode code injections and similar tricks, which are used by almost any malware out there to bypass simpler firewalls, while paying much less attention to kernel mode threats. In fact, just a few vendors evolve their kernel mode traffic filter techniques to pose an obstacle to a possible kernel rootkit. This presentation will focus on the attacks which may be performed by an NT kernel rootkit to bypass a personal firewall in its core component: the traffic hooking engine. Starting from a brief overview of the entire NT network subsystem, the talk will demonstrate both simple and advanced methods firewalls use to hook inbound and outbound traffic. Every firewall trick will be examined in detail, and an antidote will be offered to each. It will also be shown that it is possible for a rootkit to operate at a lower level than current firewalls by using only DKOM techniques. The presentation will be accompanied by a live demo of a proof of concept rootkit which is able to bypass even the most advanced personal firewalls available on the market. Finally, a possible solution for hardening firewalls against the discussed attacks will be presented.
Alexander Tereshkin specializes in NT kernel mode coding, focusing on network interaction. He is interested in both the offensive and defensive sides of rootkit technology. He has worked on various projects that required comprehensive knowledge of the Ke, Mm and Ps NT kernel subsystems as well as NDIS internals. His x86 code analyzing engines are used in a few commercial products. In addition to his day work, Alex likes to reverse engineer malware samples. He is also a contributor to rootkit.com."
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Tereshkin
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 51:41
Speaker: Alexander Tereshkin

Renaud Bidou: IPS Shortcomings
"Technologies emerge on a regular basis with new promises of better security. This is more or less true. However, we know there are still weaknesses and that 100% security is not realistic. Therefore the real need when deploying a new security device is to know its limits. IPS are part of those new technologies. They are oversold by marketing speeches and promises of absolute security. Guess what? This is not exactly the truth. The purpose of this speech is not to discredit IPS but to help in understanding the limits of the technologies that are involved.
We will particularly focus on the following subjects:
* conceptual weaknesses and ways to detect "transparent" inline equipment
* signature issues
* hardware architecture limitations and common jokes
* the necessary performance vs. security trade-off and its consequences
* behavioral, heuristics, neuronal stuff etc.: reality and limitations
Through examples, proofs of concept and test-bed results we should provide a broad view of IPS reality, what you can expect from them now and what they will never do for you.
Renaud Bidou has been working in the field of IT security for about 10 years. He first performed consulting missions for telcos, pen-tests and post-mortem audits, and designed several security architectures. In 2000 he built the first operational Security Operation Center in France, which quickly became the 4th French CERT and a member of FIRST. He then joined Radware as the security expert for Europe, handling high severity security cases. In the meantime Renaud is an active member of the rstack team and the French Honeynet Project, which studies honeynet containment, honeypot farms and network traffic analysis. He regularly publishes research articles in the French security magazine MISC and teaches in several universities in France."
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#bidou
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:05:25
Speaker: Renaud Bidou

Adrian Marinescu: Windows Vista Heap Management Enhancements - Security, Reliability and Performance
"All applications and operating systems have coding errors, and we have seen technical advances in both attack and mitigation sophistication as more security vulnerabilities exploit defects related to application and OS memory and heap usage.
Starting with W2k3 and XP/SP2, Windows incorporated technologies to reduce the reliability of such attacks. The heap manager in Windows Vista pushes the innovation much further in this area. This talk will describe the challenges the heap team faced and the technical details of the changes coming in Windows Vista.
Adrian Marinescu, development lead in the Windows Kernel group, has been with Microsoft Corporation since 1998. He joined then to work on a few core components such as user-mode memory management, kernel object management and the kernel inter-process communication mechanism. In the heap management area, Adrian designed and implemented the Low Fragmentation Heap, a highly scalable addition to the Windows Heap Manager, and he currently focuses on techniques for reducing the reliability of certain well known heap exploits."
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Marinescu
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 1:07:10
Speaker: Adrian Marinescu

Panel: The Jericho Forum and Challenge
"In the first half of this session, Paul Simmonds will present on behalf of the Jericho Forum, taking participants through the initial problem statement and what people need to go away and start implementing. Topics will include:
1. De-perimeterization - the business imperative
2. From protocols to accessing the web - the technical issues
3. What should be implemented today - current and near term solutions
4. Planning for tomorrow - future solutions and roadmap
The second half of this session will focus on the Jericho Challenge: the format, the rules, the judging format and the prizes, followed by a Q&A. The aim of the Jericho Forum Challenge is to develop a "technology demonstrator" with a full year from start to finish. The competition is based on a typical business environment with at least one business application, one legacy application, typical business usage (Web, E-mail and Word Processing) using at least one "office" PC and one laptop. The finals and judging will occur in 2007."
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 2:16:46
Speaker: Panel

Corey Benninger: Finding Gold in the Browser Cache
"Looking for instant gratification from the latest client side attack? Your search may be over when you see the data that can be harvested from popular web browser caches.
This discussion will focus on what web application programmers are NOT doing to prevent data like credit card and social security numbers from being cached. It will explore which popular websites are not disabling these features and what tools an attacker can use to gather this information from a compromised machine. A general overview of web browser caching will be included, along with countermeasures from both the client and server side.
Corey Benninger, CISSP, is a Security Consultant with Foundstone, a division of McAfee, where he commonly performs web application assessments for leading financial institutions and Fortune 500 companies. He also is involved with teaching Ultimate Hacking Exposed courses to clients throughout the United States. Prior to joining Foundstone, Corey worked on developing web applications for a nationwide medical tracking system as well as infrastructure applications for internet service providers."
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 17:58
Speaker: Corey Benninger

Daniel Bilar: Automated Malware Classification/Analysis Through Network Theory and Statistics
"Automated identification of malicious code and subsequent classification into known malware families can help cut down laborious manual malware analysis time. Call sequence, assembly instruction statistics and graph topology all say something about the code. This talk will present three identification and classification approaches that use methods and results from complex network theory. Some familiarity with assembly, Win32 architecture, statistics and basic graph theory is helpful.
Daniel Bilar is an academic researcher who enjoys poking his nose in code and networks and trying novel ways to solve problems. He has degrees from Brown University (BA, Computer Science), Cornell University (MEng, Operations Research and Industrial Engineering) and Dartmouth College (PhD, Engineering Sciences). Dartmouth College filed a provisional patent for his PhD thesis work ("Quantitative Risk Analysis of Computer Networks", Prof. G. Cybenko advisor), which addresses the problem of risk opacity of software on wired and wireless computer networks. Daniel is a founding member of the Institute for Security and Technology Studies at Dartmouth College. ISTS conducts counter-terrorism technology research, development, and assessment for the Department of Homeland Security. He was part of the group that researches new methods of protecting the nation's communication infrastructure. He also was a SANS GIAC Systems and Network Auditor Advisory Board member 2002-2005. Daniel is currently the Hess Fellow in Computer Science at Wellesley College (MA). He has previously developed and taught computer science undergraduate courses on network/computer security, and complex network theory at Oberlin College (OH) and Colby College (ME)."
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Published: Sun, 4 Jun 2006 16:10:19 -0700
Duration: 26:06
Speaker: Daniel Bilar
Daniel is currently the Hess Fellow in Computer Science at Wellesley College (MA). He has previously developed and taught computer science undergraduate courses on network/computer security, and complex network theory at Oberlin College (OH) and Colby College (ME)." Daniel Bilar DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Shawn Moyer: Defending Black Box Web Applications: Building an Open Source Web Security Gateway "Web apps continue to be the soft, white underbelly of most corporate IT environments. While the optimal path is to fix your code, it's not always an option, especially for closed-source, black-box web apps or apps hosted on servers that you can't harden directly. If you have an app in your data center that your CIO thinks is the greatest thing since Microsoft Golf, but is really the HTTP equivalent of a big flashing "own me" sign, this talk is for you. We'll walk through the process of configuring a caching, content filtering / scanning (POST/GET/header/HTML/XHTML/XML) and traffic sanitizing / rewriting front end HTTP gateway that also tries to frustrate web scans and HTTP fingerprinting. I'm releasing some build scripts to do most of the heavy lifting as well." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 49B8AC82-FC84-4D80-8857-5B867B04EA31 Sun, 4 Jun 2006 16:10:19 -0700 Defending Black Box Web Applications: Building an Open Source Web Security Gateway "Web apps continue to be the soft, white underbelly of most corporate IT environments. While the optimal path is to fix your code, it's not always an option, especially for closed-source, black-box web apps or apps hosted on servers that you can't harden directly. If you have an app in your data center that your CIO thinks is the greatest thing since Microsoft Golf, but is really the HTTP equivalent of a big flashing "own me" sign, this talk is for you. 
We'll walk through the process of configuring a caching, content filtering / scanning (POST/GET/header/HTML/XHTML/XML) and traffic sanitizing / rewriting front end HTTP gateway that also tries to frustrate web scans and HTTP fingerprinting. I'm releasing some build scripts to do most of the heavy lifting as well." 24:47 Shawn Moyer Shawn Moyer ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Shawn Moyer: Defending Black Box Web Applications: Building an Open Source Web Security Gateway "Web apps continue to be the soft, white underbelly of most corporate IT environments. While the optimal path is to fix your code, it's not always an option, especially for closed-source, black-box web apps or apps hosted on servers that you can't harden directly. If you have an app in your data center that your CIO thinks is the greatest thing since Microsoft Golf, but is really the HTTP equivalent of a big flashing "own me" sign, this talk is for you. We'll walk through the process of configuring a caching, content filtering / scanning (POST/GET/header/HTML/XHTML/XML) and traffic sanitizing / rewriting front end HTTP gateway that also tries to frustrate web scans and HTTP fingerprinting. I'm releasing some build scripts to do most of the heavy lifting as well." Shawn Moyer DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Billy Hoffman: Analysis od Web application worms and Viruses "Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple http daemons. 
With the near ubiquity of W3C compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful application accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse. This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the author’s sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Swogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats. Participants should have a good understanding of the different HTTP methods, Javascript, DOM manipulation and security, Perl, and be familiar with web application design. Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, Shmoocon, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. 
Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Hoffman2 feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 669E9B4A-1808-48CC-BEA2-7B099F8CDBEA Sun, 4 Jun 2006 16:10:19 -0700 Analysis od Web application worms and Viruses "Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple http daemons. With the near ubiquity of W3C compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful application accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse. This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. 
Next we will autopsy the source code of the Perl.Sanity worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the author’s sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Swogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats. Participants should have a good understanding of the different HTTP methods, Javascript, DOM manipulation and security, Perl, and be familiar with web application design. Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, Shmoocon, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus." 
1:22:57 Billy Hoffman Billy Hoffman ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no Billy Hoffman: Analysis od Web application worms and Viruses "Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple http daemons. With the near ubiquity of W3C compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful application accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse. This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the author’s sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Swogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats. Participants should have a good understanding of the different HTTP methods, Javascript, DOM manipulation and security, Perl, and be familiar with web application design. 
Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, Shmoocon, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus." Billy Hoffman DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ David Hulton & Dan Moniz: Faster Pwning Assured: Hardware Hacks and Cracks with FPGA's "This talk will go in-depth into methods for breaking crypto faster using FPGAs. FPGA's are chips that have millions of gates that can be programmed and connected arbitrarily to perform any sort of task. Their inherent structure provides a perfect environment for running a variety of crypto algorithms and do so at speeds much faster than a conventional PC. A handful of new FPGA crypto projects will be presented and will demonstrate how many algorithms can be broken much faster than people really think, and in most cases, extremely inexpensively. 
Breaking WPA-PSK is possible with coWPAtty, but trying to do so onsite can be time consuming and boring. All that waiting around for things to be computed each and every time we want to check for dumb and default passwords. Well, we're impatient and like to know the password NOW! Josh Wright has recently added support for pre-computed tables to coWPAtty-but how do you create a good set of tables and not have it take 70 billion years? David Hulton has implemented the time consuming PBKDF2 step of WPA-PSK on FPGA hardware and optimized it to run at blazing speeds specifically for cracking WPA-PSK and generating tables with coWPAtty. What about those lusers that still use WEP? Have you only collected a few hundred interesting packets and don't want to wait till the universe implodes to crack your neighbor’s key? Johnycsh and David Hulton have come up with a method to offload cracking keyspaces to an FPGA and increasing the speed considerably. CheapCrack is a work in progress which follows in the footsteps of The Electronic Frontier Foundation's 1998 DES cracking machine, DeepCrack. In the intervening eight years since DeepCrack was designed, built, deployed, and won the RSA DES challenge, FPGAs have gotten smaller, faster, and cheaper. We wondered how feasible it would be to shrink the cost of building a DES cracking machine from $210,000 1998 dollars to around $10,000 2006 dollars, or less, using COTS FPGA hardware, tools, and HDL cores instead of custom fabricated ASICs. We'll show CheapCrack progress to date, and give estimates on how far from completion we are, as well as a live demo. Lanman hashes have been broken for a long time and everyone knows it's faster to do a Rainbow table lookup than go through the whole keyspace. On many PC's it takes years to go through the entire typeable range, but on a small cluster of FPGAs, you can brute force that range faster than doing a Rainbow table lookup. 
The code for this will be briefly presented and Chipper v2.0 will be released with many new features. David Hulton and Dan Moniz will also discuss some of the aspects of algorithms that make them suitable for acceleration on FPGAs and the reasons why they run faster in hardware." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#hulton feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 5320F436-DF57-4402-87C2-4FAB3D469E43 Sun, 4 Jun 2006 16:10:19 -0700 Faster Pwning Assured: Hardware Hacks and Cracks with FPGA's "This talk will go in-depth into methods for breaking crypto faster using FPGAs. FPGA's are chips that have millions of gates that can be programmed and connected arbitrarily to perform any sort of task. Their inherent structure provides a perfect environment for running a variety of crypto algorithms and do so at speeds much faster than a conventional PC. A handful of new FPGA crypto projects will be presented and will demonstrate how many algorithms can be broken much faster than people really think, and in most cases, extremely inexpensively. Breaking WPA-PSK is possible with coWPAtty, but trying to do so onsite can be time consuming and boring. All that waiting around for things to be computed each and every time we want to check for dumb and default passwords. Well, we're impatient and like to know the password NOW! Josh Wright has recently added support for pre-computed tables to coWPAtty-but how do you create a good set of tables and not have it take 70 billion years? David Hulton has implemented the time consuming PBKDF2 step of WPA-PSK on FPGA hardware and optimized it to run at blazing speeds specifically for cracking WPA-PSK and generating tables with coWPAtty. What about those lusers that still use WEP? Have you only collected a few hundred interesting packets and don't want to wait till the universe implodes to crack your neighbor’s key? 
Johnycsh and David Hulton have come up with a method to offload cracking keyspaces to an FPGA and increasing the speed considerably. CheapCrack is a work in progress which follows in the footsteps of The Electronic Frontier Foundation's 1998 DES cracking machine, DeepCrack. In the intervening eight years since DeepCrack was designed, built, deployed, and won the RSA DES challenge, FPGAs have gotten smaller, faster, and cheaper. We wondered how feasible it would be to shrink the cost of building a DES cracking machine from $210,000 1998 dollars to around $10,000 2006 dollars, or less, using COTS FPGA hardware, tools, and HDL cores instead of custom fabricated ASICs. We'll show CheapCrack progress to date, and give estimates on how far from completion we are, as well as a live demo. Lanman hashes have been broken for a long time and everyone knows it's faster to do a Rainbow table lookup than go through the whole keyspace. On many PC's it takes years to go through the entire typeable range, but on a small cluster of FPGAs, you can brute force that range faster than doing a Rainbow table lookup. The code for this will be briefly presented and Chipper v2.0 will be released with many new features. David Hulton and Dan Moniz will also discuss some of the aspects of algorithms that make them suitable for acceleration on FPGAs and the reasons why they run faster in hardware." 1:06:14 David Hulton & Dan Moniz David Hulton & Dan Moniz ,Blackhat Briefings and Training , Black Hat, BlackHat,hacking, convention, computer security, speeches, presentations, spoken word, audio no no David Hulton & Dan Moniz: Faster Pwning Assured: Hardware Hacks and Cracks with FPGA's "This talk will go in-depth into methods for breaking crypto faster using FPGAs. FPGA's are chips that have millions of gates that can be programmed and connected arbitrarily to perform any sort of task. 
Their inherent structure provides a perfect environment for running a variety of crypto algorithms and do so at speeds much faster than a conventional PC. A handful of new FPGA crypto projects will be presented and will demonstrate how many algorithms can be broken much faster than people really think, and in most cases, extremely inexpensively. Breaking WPA-PSK is possible with coWPAtty, but trying to do so onsite can be time consuming and boring. All that waiting around for things to be computed each and every time we want to check for dumb and default passwords. Well, we're impatient and like to know the password NOW! Josh Wright has recently added support for pre-computed tables to coWPAtty-but how do you create a good set of tables and not have it take 70 billion years? David Hulton has implemented the time consuming PBKDF2 step of WPA-PSK on FPGA hardware and optimized it to run at blazing speeds specifically for cracking WPA-PSK and generating tables with coWPAtty. What about those lusers that still use WEP? Have you only collected a few hundred interesting packets and don't want to wait till the universe implodes to crack your neighbor’s key? Johnycsh and David Hulton have come up with a method to offload cracking keyspaces to an FPGA and increasing the speed considerably. CheapCrack is a work in progress which follows in the footsteps of The Electronic Frontier Foundation's 1998 DES cracking machine, DeepCrack. In the intervening eight years since DeepCrack was designed, built, deployed, and won the RSA DES challenge, FPGAs have gotten smaller, faster, and cheaper. We wondered how feasible it would be to shrink the cost of building a DES cracking machine from $210,000 1998 dollars to around $10,000 2006 dollars, or less, using COTS FPGA hardware, tools, and HDL cores instead of custom fabricated ASICs. We'll show CheapCrack progress to date, and give estimates on how far from completion we are, as well as a live demo. 
Lanman hashes have been broken for a long time and everyone knows it's faster to do a Rainbow table lookup than go through the whole keyspace. On many PC's it takes years to go through the entire typeable range, but on a small cluster of FPGAs, you can brute force that range faster than doing a Rainbow table lookup. The code for this will be briefly presented and Chipper v2.0 will be released with many new features. David Hulton and Dan Moniz will also discuss some of the aspects of algorithms that make them suitable for acceleration on FPGAs and the reasons why they run faster in hardware." David Hulton & Dan Moniz DEF CON Communications, Inc. Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/ Computers/Hacking/ Joanna Rutkowska: Rootkits vs Stealth by design Malware "The presentation will first present how to generically (i.e. not relaying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally singed code to be loaded into kernel. The presented attack does not requite system reboot. Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth. The ultimate goal is to demonstrate that is possible (or soon will be) to create an undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'. Joanna Rutkowska has been involved in computer security research for several years. She has been fascinated by the internals of operating systems since she was in primary school and started learning x86 assembler on MS-DOS. Soon after she switched to Linux world, gotinvolved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems. 
A couple of years ago she has gotten very interested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She now focuses on both detecting this kind of activity and on developing and testing new offensive techniques. She currently works as a security researcher for COSEINC, a Singapore based IT security company." http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#rutkowska feedback@blackhat.com (Black Hat RSS Feed) Computers/Hacking/ 18982472-AAE5-4266-A130-347C0A2F5325 Sun, 4 Jun 2006 16:10:19 -0700 Rootkits vs Stealth by design Malware "The presentation will first present how to generically (i.e. not relaying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally singed code to be loaded into kernel. The presented attack does not requite system reboot. Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth. The ultimate goal is to demonstrate that is possible (or soon will be) to create an undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'. Joanna Rutkowska has been involved in computer security research for several years. She has been fascinated by the internals of operating systems since she was in primary school and started learning x86 assembler on MS-DOS. Soon after she switched to Linux world, gotinvolved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems. 
A couple of years ago she became very interested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She now focuses both on detecting this kind of activity and on developing and testing new offensive techniques. She currently works as a security researcher for COSEINC, a Singapore-based IT security company."
Duration: 1:19:50
Speaker: Joanna Rutkowska

Philip Trainor: The Statue of Liberty: Utilizing Active Honeypots for Hosting Potentially Malicious Events
"The premise of the demonstration is that there are no secure systems. Traffic that may have malicious intent, but has not yet caused problems in any published occurrences, may reach protected services and clients after passing through edge equipment and inline IPS devices. This traffic should be sent to closely monitored virtual machines hosting mirrors of the real services that are segregated from the primary services on the network. These virtual hosts will be the service used by certain types of network traffic that may have malicious intent. The purpose of sending potentially malicious traffic to the virtual services is to gain insight into the nature of the potential attack and spare the real services, thus creating an improved risk management model for the deployment of network services that are exposed to the possibility of attack scenarios. However, it is probable that in most cases the traffic will cause no harm to the virtual system and will allow the remote user access to a most likely minimal version of the service. The discussion will not be technical to the point where coding techniques are discussed. The premise will entail fitting the demonstrated project into an existing network security topology and a demonstration of an attack that foils current security, reaches the virtual services, and compromises the virtual services while the main services are not taken down. Knowledge of common network security practices and basic security auditing techniques is a prerequisite.
Philip Trainor is currently an employee of Imperfect Networks, where he creates remote exploits and audits security devices and practices used by network equipment manufacturers, antivirus companies, telcos, and several departments within the US federal government."
Duration: 21:11
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#trainor
GUID: 62106EA9-748D-494C-9006-898B89DA407A
Published: Sun, 4 Jun 2006 16:10:19 -0700

Rob Franco: Case Study: The Secure Development Lifecycle and Internet Explorer 7
"Tony Chor will discuss Microsoft's security engineering methodology and how it is being applied to the development of Internet Explorer 7. He will detail key vulnerabilities and attacks this methodology revealed, as well as how the new version of IE will mitigate those threats with unique features such as the Phishing Filter and Protected Mode.
Rob Franco lives to make browsing safer for internet users. Rob led security improvements in Internet Explorer for Windows Server 2003, Windows XP SP2, and IE 7. Prior to that, Rob worked on corporate deployment features such as Group Policy and the Internet Explorer Administration Kit. When he's not working, he can usually be found cycling around the Seattle area or boating on a nearby lake."
Duration: 45:18
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#chor
GUID: D597D768-7F17-4174-831D-A0C0414BBC3A
Published: Sun, 4 Jun 2006 16:10:19 -0700

Marco M. Morana: Building Security into the Software Life Cycle, a Business Case
The times of designing security software as a matter of functional design are over. Positive security functional requirements do not make secure software. Think risk-driven design, think like an attacker, think about negative scenarios during the early stages of application development: from misuse and abuse cases during inception, to threats, vulnerabilities and countermeasures during elaboration, secure coding during construction, and secure testing and penetration testing during transition to the production phase. The objective of this short turbo talk is not to cover the academics of secure software, but to talk about a business case where software security practices and methodologies are successfully built into software produced by a very large financial institution. Both strategic and tactical approaches to software security are presented, along with the artifacts that support a secure software development methodology. The critical link between technical and business risk management is proven, along with the business factors that drive the case for building secure software in a financial organization.
Duration: 24:33
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
GUID: C584EF45-6DCD-4B16-BEBE-13C9A82C09EC
Published: Sun, 4 Jun 2006 16:10:19 -0700

Tom Brosch and Maik Morgenstern: Runtime Packers: The Hidden Problem?
"Runtime packers are a widely used technique in malware today. Virtually every Win32 malware added to the WildList, as well as ad- and spyware, is packed with one or another runtime packer. Not only can they turn older malware into new threats again, but they might also prevent AV vendors from using more generic approaches and therefore require more work, which possibly generates more errors or broken updates, unless the product is able to handle all the different runtime packers out there. Yet there aren't any comprehensive tests of runtime packer capabilities in AV products so far. We use a test set of more than 3000 runtime-packed files (with different packers, versions and compression options) to determine how well equipped today's AV software is in dealing with these types of threats. In this presentation, we'll not only discuss the aspects of handling and detecting runtime-packed malware, but also have a look into other problems that come along. These include false positives, crashes and the very slow scanning speeds seen in way too many products. Lastly, we will give an overview of the current situation, try to specify reasons for the results we got and show what should and could be done in the future."
Duration: 20:09
Link: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
GUID: 16E58947-235F-42A9-890C-C9B4B7ACF7E1
Published: Sun, 4 Jun 2006 16:10:19 -0700