Black Hat Briefings & Training Asia 2003

Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win Admission to a future Briefings of your choice.

Day 1 Keynote: The Total Security System Approach - A Perspective From The Financial Industry
Lim Khee Ming, Deputy General Manager (Technology & Operations), Network for Electronic Transfers (S) Pte Ltd (NETS)

In view of today's increasing security breaches, companies need to take a total-system approach: analyse their needs and design the most cost-effective solutions. This includes applying risk management concepts to security threats, designing counter-measures and mitigating measures, and building the surrounding security systems. The talk cites case studies of local companies and their efforts in overcoming security weaknesses and constructing a robust security system.

Mr Lim Khee Ming is the Deputy General Manager (Technology & Operations) for Network for Electronic Transfers (S) Pte Ltd. He heads both Technology and Operations for greater synergies and charts the direction of the development of new payment services, products and infrastructure for the physical and the virtual worlds.

Having been in the IT industry for more than 20 years, Mr Lim has extensive experience in IT strategy formulation, IT architecture design, technology management, large scale systems development and project management. Mr Lim has worked with Internet computing, mobile computing and smart card based technologies.

Mr. Lim also sits on the Cards & Personal Identification Technical Committee (CPITC) under the IT Standards Committee and chairs the Crypto and Contact Smart Card Work Group.

Mr. Lim holds a B. Engineering (Electrical) from University of Singapore.


Day 2 Keynote: Cyber-crime
Harry SK Tan, Director, Centre for Asia Pacific Technology Law & Policy (CAPTEL)

Electronic crime is the fastest growing field of criminal activity. The use of the new technologies for crime challenges the law in ways that many were not prepared for. These include business organisations, banks, enforcement agencies and governments. Recently there have been international developments to address the many problems including cyber-terrorism faced by law enforcement agencies. This presentation will review some of the current reported cases of cyber-crimes and the current legal standards in place for the investigation, prosecution and sentencing of cyber-crimes in Singapore. The presentation will also address some basics of computer forensics and the organisational policies that should be in place for proper cyber-crime risk management.

Associate Professor Harry Tan is the Director of the Centre for Asia Pacific Technology Law & Policy (CAPTEL) at the Nanyang Business School, Nanyang Technological University. CAPTEL is a research centre founded to investigate how businesses and economies are being affected by the challenges that new technologies pose to law, regulation and policy.

Prof Harry Tan was awarded the Fulbright Scholarship in 1999 by the Council of International Exchange of Scholars and the Fulbright Commission to conduct research on the development of infrastructure for electronic commerce. He is a Visiting Scholar at the Berkeley Centre for Law & Technology at the University of California, Berkeley. He has been the principal lecturer for E-Business: Law Policy & Strategy since its inception in 1997 in the Nanyang MBA Programme.

Prof Tan is also regularly involved in presenting papers and public seminars at internationally renowned venues. In 1999, he was invited to deliver a public paper at Stanford University’s Japan US Centre for Management of Technology. He has also authored several journal articles on E-Business Law, Cybercrime and E-Fraud.

He has been involved in conducting industry professional development programmes for the management of legal risks in electronic commerce and information technology for the past five years for financial institutions, government offices, law firms and law enforcement agencies.

He has an online consultancy practice at and together with the related site, he maintains a public information service on the developments of E-Business Law.


MOSDEF Tool Release
David Aitel, Immunity, Inc.

Dave Aitel is the founder of Immunity, Inc. and the primary developer of CANVAS and the SPIKE Application Assessment Suite. His previous experience, both within the US Government and the private sector has given him a broad background in exploit development, training, and speaking. He has discovered numerous new vulnerabilities in products such as Microsoft IIS, SQL Server 2000, and RealServer.

Immunity, Inc. is a New York City based consulting and security software products firm. CANVAS, Immunity's flagship product, is a sophisticated exploit development and demonstration framework.


Win32 One-Way Shellcode
S.K. Chong, Co-Founder & Security Consultant, SCAN Associates

The presentation describes the inner workings of reusable Win32 shellcode. It starts by explaining the fundamental techniques that make shellcode relocatable and service-pack independent, then covers the process of constructing and testing shellcode, which most buffer overflow tutorials leave out. A few simple but handy tools are introduced along the way. The limitations of existing shellcode are then discussed, leading to the development of one-way shellcode that overcomes them. The talk also describes a technique for uploading and downloading files from the command line. Throughout the presentation, real exploits using the different shellcodes are demonstrated.

S.K. Chong is Co-Founder and Security Consultant at SCAN Associates, a Malaysian consulting and security services company that is also a two-time winner of the Capture the Flag hacking competition held last year in Malaysia. He is the author of several white papers, including "SQL Injection Walkthrough" and "Win32 Buffer Overflow Walkthrough"; the latter detailed a previously unknown exploit in Microsoft's SQL Server. Over the last two years he has conducted more than 20 professional penetration tests of local government and military agencies, financial institutions and ISPs, as well as professional binary audits for a Fortune 500 company. His primary interests include binary and code audits, exploit research and penetration testing.


A Security Microcosm - Attacking/Defending Shiva, A Linux Executable Encryptor
Shaun Clowes, IT Director, SecureReality

Shiva is an ELF encryption tool written by Neel Mehta and Shaun Clowes. Its purpose is to "encrypt" (or obfuscate) generic ELF executables (Linux programs) to make them more difficult to reverse engineer or modify. While executable encryptors have existed for a long time on Windows, they are an immature technology on Unix platforms. Shiva is an attempt to advance the field, and an interesting experiment in the dynamics of Security.

This speech will describe Shiva, what it is and how it works. It will also cover the security implications of technologies like Shiva, both positive (i.e. assisting defenders) and negative (i.e. assisting attackers).

Shiva has had two public releases at this stage, the most recent at Black Hat USA 2003. Since its initial release in November 2002 we are aware of at least three successful, generic attacks against it. In this way Shiva is a microcosm of security technologies in general: it is a protection technology like any other (e.g. a firewall) but works in the most exposed of all environments (an uncontrolled machine) and on a small scale. Thus Shiva is much simpler to attack, and much harder to defend, than many other technologies. Effectively it is a standard security arms race, but one that escalates much more rapidly. Shiva's attack/defence timeline and history is interesting from this (and a technical) perspective, so the speech will also cover this evolution.

Finally, the speech will culminate in the release of a new version of Shiva that is resistant to all known attacks. While technology like Shiva is locked in an endless arms race, it stirs things up and provokes new research in the process. We've gained a lot from the project so far... let's progress the race and see where it takes us.

Shaun Clowes is the IT Director of SecureReality, a small cutting edge security consultancy based in Sydney, Australia. Shaun holds an honors degree in Computing Science from the University of Technology Sydney and has a wide technical background in IT including Unix systems programming, networking and systems/security administration. Shaun leads the vulnerability research arm of SecureReality which is broadly exploring the security landscape testing both the obvious targets and the glue that holds everything together.


Cisco Security
Stephen Dugan, CCSI

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.


Automated Reverse Engineering
Halvar Flake, Reverse Engineer, Black Hat

The presentation will focus on some advanced topics of automated reverse engineering. Algorithms (and plug-ins for IDA that implement them) for detecting programmatic changes between two versions of the same executable and for detecting memory-copying or -decoding loops in executables will be explained and demonstrated.

There are several applications for these techniques, for example porting debug info that a vendor might have accidentally left in an older version of a product to a newer version of the same program or reverse engineering the details of a bug if the vendor has only provided sketchy details. Detection of memory-copying loops has some interesting applications in vulnerability research and code analysis.
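The version-diffing idea above, as an added example rather than Halvar Flake's IDA plug-ins: every function is reduced to a structural signature (basic blocks, edges, calls), unique signatures are matched first, and the matches are then propagated along the call graph so that a renamed or slightly changed function is paired through its already-matched caller. The two call graphs are constructed toy data standing in for what a disassembler would export; the function names, tuple layout and the `port_symbols` helper (the debug-info porting use case) are this example's own.

```python
"""Structural function matching between two builds of the same binary."""

# name -> (basic_blocks, edges, calls, callees)   [constructed toy call graph]
OLD = {
    "main":          (4, 5, 2, ["parse_request", "cleanup"]),
    "parse_request": (6, 8, 1, ["copy_field"]),
    "copy_field":    (2, 1, 1, []),
    "cleanup":       (3, 2, 0, []),
}
# Newer build: symbols stripped, parse_request gained a length check (more blocks/edges/calls).
NEW = {
    "sub_401000": (4, 5, 2, ["sub_401040", "sub_4010c0"]),
    "sub_401040": (8, 11, 2, ["sub_401090"]),
    "sub_401090": (2, 1, 1, []),
    "sub_4010c0": (3, 2, 0, []),
}


def signature(fn):
    """(blocks, edges, calls): cheap, order independent, survives relocation and renaming."""
    return fn[:3]


def group_by_signature(graph):
    groups = {}
    for name, fn in graph.items():
        groups.setdefault(signature(fn), []).append(name)
    return groups


def match_functions(old, new):
    """Return {old_name: new_name} using unique signatures, then call-graph propagation."""
    matches = {}
    old_groups, new_groups = group_by_signature(old), group_by_signature(new)
    # Pass 1: a signature seen exactly once on each side is an unambiguous match.
    for sig, old_names in old_groups.items():
        new_names = new_groups.get(sig, [])
        if len(old_names) == 1 and len(new_names) == 1:
            matches[old_names[0]] = new_names[0]
    # Pass 2: for every matched pair, pair their still-unmatched callees, either because a
    # single candidate remains on each side or because signatures agree. Repeat to a fixpoint.
    progressed = True
    while progressed:
        progressed = False
        for o, n in list(matches.items()):
            old_callees = [c for c in old[o][3] if c not in matches]
            new_callees = [c for c in new[n][3] if c not in matches.values()]
            if len(old_callees) == 1 and len(new_callees) == 1:
                matches[old_callees[0]] = new_callees[0]
                progressed = True
                continue
            for c in old_callees:
                cands = [d for d in new_callees if signature(new[d]) == signature(old[c])]
                if len(cands) == 1:
                    matches[c] = cands[0]
                    new_callees.remove(cands[0])
                    progressed = True
    return matches


def diff_report(old, new):
    """Split the match into unchanged, changed (signature differs), removed and added."""
    matches = match_functions(old, new)
    changed = {o: n for o, n in matches.items() if signature(old[o]) != signature(new[n])}
    unchanged = {o: n for o, n in matches.items() if o not in changed}
    removed = sorted(set(old) - set(matches))
    added = sorted(set(new) - set(matches.values()))
    return {"unchanged": unchanged, "changed": changed, "removed": removed, "added": added}


def port_symbols(old, new):
    """Debug-info porting: name the stripped functions after their matched ancestors."""
    return {n: o for o, n in match_functions(old, new).items()}


if __name__ == "__main__":
    for kind, entries in diff_report(OLD, NEW).items():
        print(kind, entries)
```

The `changed` bucket is where a patched bug lives: `parse_request` did not match by signature, but because its caller `main` matched and it was the only unmatched callee on each side, propagation still pairs it with `sub_401040`, and the signature delta points the analyst at the added check. Real tools use richer signatures (instruction counts, string references) for the same two-pass structure.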

Halvar Flake is Black Hat's resident reverse engineer. Originating in the field of copy protection, he moved more and more towards network security after realizing the potential of reverse engineering as a tool for vulnerability analysis. He spends most of his screen time in a disassembler (or developing extensions for the disassembler), likes to read source code diffs with his breakfast and enjoys giving talks about his research interests. He drinks tea but does not smoke camels.


International DMCA Laws
Jennifer Stisa Granick, Lecturer in Law and Executive Director of the Center for Internet and Society (CIS) at Stanford University

A patchwork of laws arguably applies to vulnerability disclosure. Vendors and system administrators have struggled to find legal means to prevent or slow computer misuse, while security researchers are frightened by the possibility that they may be punished for the dissemination of security research. This talk reviews the major legal issues in vulnerability disclosure, including negligence, conspiracy to commit computer fraud, aiding and abetting computer fraud, the anti-circumvention provisions of the DMCA and the prospective implementation of the Council of Europe Convention on Cybercrime, as well as defenses, like the First Amendment.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime, national security and constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.


The Art of Defiling: Defeating Forensic Analysis on Unix File Systems
the grugq

The rise in prominence of incident response and digital forensic analysis has prompted a reaction from the underground community. Increasingly, attacks against forensic tools and methodologies are being used in the wild to hamper investigations. This talk will: familiarize the audience with Unix file system structures; examine the forensic tools commonly used, and explore the theories behind file system anti-forensic attacks. In addition, several implementations of new anti-forensic techniques will be released during the talk.
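One of the simplest anti-forensic moves against file-system timelines, shown as an added example with both the attacker's step and the examiner's counter-check (this is not the grugq's released tooling). The point it demonstrates: setting atime/mtime through utime(2) is easy, but on Unix the inode change time (ctime) cannot be set that way, and the utime call itself bumps ctime to "now", so a file whose mtime lies far behind its ctime is a lead. The one-hour threshold, the thirty-day backdate and the temporary sample file are assumptions of this example.

```python
"""Timestamp anti-forensics via utime(2), and the ctime residue it leaves behind."""
import os
import tempfile
import time

THIRTY_DAYS = 30 * 86400  # assumed backdate distance for the demo


def backdate(path, when):
    """Attacker side: push atime and mtime back to `when` (seconds since the epoch)."""
    os.utime(path, (when, when))


def ctime_mtime_skew(path):
    """Examiner side: seconds by which the inode change time is newer than the mtime."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def looks_timestomped(path, threshold=3600):
    """Heuristic: modified long before its inode last changed deserves a second look.
    chmod/chown/rename also bump ctime, so a hit is a lead to corroborate, not proof."""
    return ctime_mtime_skew(path) > threshold


def demo():
    """Create a file, check it, backdate it, check again; returns (before, after)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed sample content\n")
    os.close(fd)
    try:
        before = looks_timestomped(path)
        backdate(path, time.time() - THIRTY_DAYS)
        after = looks_timestomped(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The check only catches the lazy path. An attacker with root who writes the inode directly on the block device, or who adjusts the system clock before touching the file, sets ctime as well, which is exactly the class of attack the talk is about; the defence then has to come from outside the file system (log shipping, file-integrity baselines taken earlier) rather than from the metadata the attacker controls.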

Anti-forensics has cost the speaker one job. This material has never been presented in the North American continent because anti-forensics scares the feds. Find out why.

The grugq has been researching anti-forensics for almost 5 years. Grugq has worked to secure the networks and hosts of global corporations, and he has also worked for security consulting companies. His work as a security consultant was cut short by the publication of an article on anti-forensics. Currently, he slaves for a start-up, designing and writing IPS software.

Grugq has presented to the UK's largest forensic practitioner group, where he scared the police. In his spare time, grugq likes to drink and rant.


Defeating the Stack Based Buffer Overflow Exploitation Prevention Mechanism of Microsoft Windows 2003 Server
David Litchfield, Founder, Next Generation Security Software

This talk presents several methods of bypassing the protection mechanism built into Microsoft's Windows 2003 Server that attempts to prevent the exploitation of stack based buffer overflows. Recommendations about how to thwart these attacks are made where appropriate.

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine, which voted him 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft and Oracle products).

David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world-leading vulnerability research and the continued development of cutting-edge security assessment software, David has also written or co-authored a number of security titles, including "SQL Server Security", "Shellcoder's Handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle".


Brute Forcing Terminal Server Logons with TSGrinder
Tim Mullen, CIO and Chief Software Architect, AnchorIS.Com

The "new and improved" version of "TSGrinder," the original terminal server brute force tool from Hammer of God, has just been completed and will be unveiled at Blackhat Vegas. This much-awaited release will include many new features such as single-session-multiple-password-attempts functionality, 1337 dictionary hashing, logon banner awareness, and more. This free tool will be made available for download immediately following this session.

Timothy Mullen
Beginning his career in application development and network integration in 1984, Timothy Mullen is now CIO and Chief Software Architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions. Mullen has developed and implemented network and security solutions for institutions like the US Air Force, Microsoft, the US Federal Court system, regional power generation facilities and international banking and financial institutions. He has developed applications ranging from military aircraft statistics interfaces and biological aquaculture management to nuclear power-plant effect monitoring for a myriad of private, government and military entities.

Mullen is also a columnist for Security Focus' Microsoft section and a regular contributor of InFocus technical articles. A.k.a. Thor, he is the founder of the "Hammer of God" security co-op group. Mullen's writing appears in publications such as Stealing the Network and Hacker's Challenge, he was a technical editor for Windows XP Security, and his security tools and techniques are featured in publications such as the Hacking Exposed series.


Honeypots Against Worms 101
Laurent Oudot, Computer Security Engineer, Rstack team

This talk explains how to fight Internet worms using honeypot technologies. The first part covers the essential theory of Internet worms; the second part reviews the relevant capabilities of current honeypots (and honeynets). Laurent then proposes ideas, with demonstrations, for how honeypots can be used to fight off Internet worms, or even fight back. A detailed technical case study shows how Honeyd can be used against the MSBlast worm (catching, detecting, slowing, stopping and cleaning it, etc).
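The catch-and-fight-back sequence from the case study, as an added example in Python rather than Laurent Oudot's Honeyd configuration and scripts. Two simplifications are assumptions of this example: the probe is recognised from the DCE/RPC bind header alone (version 5, PDU type 0x0b = bind), and the scanning host is assumed to still expose the cmd.exe listener the worm's exploit opened on TCP 4444, so the honeypot can connect back and issue cleanup commands. The "worm", its backdoor shell, the cleanup command list and the probe bytes are all constructed stand-ins on loopback with ephemeral ports; slowing the worm (Honeyd's tarpit) is not shown.

```python
"""Honeypot that catches an MSBlast-style RPC probe and cleans the attacker via its own backdoor."""
import socket
import threading

RPC_BIND_PREFIX = b"\x05\x00\x0b\x03"  # DCE/RPC v5.0, ptype 0x0b (bind), flags first|last
CLEANUP_CMDS = [                          # assumed cleanup steps, pushed into the attacker's shell
    b"taskkill /f /im msblast.exe\r\n",
    b"del %SystemRoot%\\system32\\msblast.exe\r\n",
    b"exit\r\n",
]


def classify(first_bytes):
    """Honeypot port-135 handler: is this the RPC bind that precedes the DCOM exploit?"""
    return "rpc-bind" if first_bytes.startswith(RPC_BIND_PREFIX) else "other"


def fight_back(shell_addr):
    """Connect to the attacker's backdoor shell and push the cleanup commands."""
    with socket.create_connection(shell_addr, timeout=5) as s:
        for cmd in CLEANUP_CMDS:
            s.sendall(cmd)
    return [c.strip().decode() for c in CLEANUP_CMDS]


def honeypot_accept_one(listener, backdoor_port):
    """Accept one probe; if it is an RPC bind, counter-attack the source host."""
    conn, (src_ip, _) = listener.accept()
    with conn:
        verdict = classify(conn.recv(4096))
    sent = fight_back((src_ip, backdoor_port)) if verdict == "rpc-bind" else []
    return verdict, sent


def fake_backdoor_shell(listener, received):
    """Stand-in for the worm's cmd.exe on 4444: record command lines until 'exit'."""
    conn, _ = listener.accept()
    buf = b""
    with conn:
        while not buf.endswith(b"exit\r\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    received.extend(line.decode() for line in buf.split(b"\r\n") if line)


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def demo():
    """Full exchange on loopback; returns (verdict, commands sent, commands the shell saw)."""
    shell_l, honey_l = _listener(), _listener()
    backdoor_port, honey_port = shell_l.getsockname()[1], honey_l.getsockname()[1]
    received = []
    t_shell = threading.Thread(target=fake_backdoor_shell, args=(shell_l, received))
    t_shell.start()

    def worm_scan():  # constructed probe: bind header plus filler, not the real exploit
        with socket.create_connection(("127.0.0.1", honey_port)) as s:
            s.sendall(RPC_BIND_PREFIX + b"\x10\x00\x00\x00" + b"\x00" * 68)

    t_worm = threading.Thread(target=worm_scan)
    t_worm.start()
    verdict, sent = honeypot_accept_one(honey_l, backdoor_port)
    t_worm.join()
    t_shell.join(5)
    shell_l.close()
    honey_l.close()
    return verdict, sent, received


if __name__ == "__main__":
    print(demo())
```

Connecting back to a machine you do not own is the legally and operationally contentious part of "fighting back"; the detection half (a dark port on a honeypot lighting up with an RPC bind from an internal address) is the part most sites actually deploy, feeding the source address to a sensor or to the helpdesk.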

Laurent Oudot is a French security expert who works for the CEA. He is also a member of a team called "rstack", composed of security addicts and geeks. Oudot's research focuses on defensive technologies closely tied to blackhat activities, such as honeypots, intrusion prevention, intrusion detection, firewalls, sandboxes, MAC, etc.

Laurent is the (co-)author of several research papers recently published and released at, MISC magazine and Linux Magazine France. He has presented at national and international conferences and meetings such as annual Honeynet Project meeting (Chicago), Libre Software Meeting (Metz), FOSDEM (Bruxelles), etc.

In his spare time, Laurent co-organizes security events such as the Libre Software Meeting (co-chairman of the Security Topic with Bradley Spengler from Grsecurity), the Symposium Sécurité des Technologies de l'Information et de la Communication (SISTIC), etc.

Laurent teaches network and systems security, and has managed numerous security projects.

Recently with Nicolas Fischbach, he co-created the French Honeynet Project which is part of the international Alliance of Honeynets.


(In)Security in Network Management
Jeremy Rauch

SNMP is the most popular protocol for network management. From high-end routers to low-end wireless access points, it's everywhere on the network. Yet evil lurks just beneath the surface of this "simple" protocol. With a myriad of protocol-level flaws and a mountain of implementation flaws, just how safe is the network running this protocol?

This talk will discuss many of the protocol-level problems in SNMPv1/v2c and SNMPv3. It will also inspect some of the biggest implementation flaws out there, as well as discuss new, never-before-seen implementation problems (READ: SNMP zero-day). A demonstration showing just how useful SNMP and its flaws are will also be conducted.
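The protocol-level weakness of v1/v2c made concrete, as an added example that is not from the talk: a hand-rolled BER encoder and decoder for an SNMPv1 message. Building a GetRequest from scratch shows how little framing there is, and parsing it back shows that the community string, the only credential, sits in cleartext in every UDP datagram, so anyone who can see (or spoof) the traffic has it. The community strings, OIDs and request-ids are constructed; the decoder deliberately does no bounds checking beyond slicing, which is itself a reminder of where implementation flaws in real agents come from.

```python
"""Minimal SNMPv1 BER encoder/decoder: what a sniffer on the management VLAN recovers."""
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3   # context tags [0], [2], [3]


def ber_len(n):
    """Short form below 128, otherwise 0x80|len followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def enc_int(v):
    """Minimal two's-complement INTEGER, always leaving room for the sign bit."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(dotted):
    """First two arcs packed as 40*a+b, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def build_request(community, oid, request_id, pdu_type=GET_REQUEST):
    """SNMPv1 message: version 0, community, PDU{request-id, error-status, error-index, varbinds}."""
    varbind = tlv(SEQUENCE, enc_oid(oid) + tlv(NULL, b""))
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def parse_tlv(buf, pos=0):
    """Return (tag, body, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_int(body):
    return int.from_bytes(body, "big", signed=True)


def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(buf):
    """Decode a v1/v2c datagram; the community comes out in the clear."""
    _, msg, _ = parse_tlv(buf)
    _, ver, p = parse_tlv(msg)
    _, community, p = parse_tlv(msg, p)
    pdu_type, pdu, _ = parse_tlv(msg, p)
    _, rid, q = parse_tlv(pdu)
    _, err, q = parse_tlv(pdu, q)
    _, _, q = parse_tlv(pdu, q)          # error-index, not needed here
    _, vbl, _ = parse_tlv(pdu, q)
    bindings, q = [], 0
    while q < len(vbl):
        _, vb, q = parse_tlv(vbl, q)
        _, oid, r = parse_tlv(vb)
        vtag, val, _ = parse_tlv(vb, r)
        bindings.append((dec_oid(oid), vtag, val))
    return {"version": dec_int(ver), "community": community.decode(), "pdu_type": pdu_type,
            "request_id": dec_int(rid), "error_status": dec_int(err), "bindings": bindings}


if __name__ == "__main__":
    pkt = build_request("public", "1.3.6.1.2.1.1.1.0", 1)
    print(pkt.hex())
    print(parse_message(pkt))
```

Swap `GET_REQUEST` for `SET_REQUEST` and a write community and the same 40-odd bytes reconfigure a device; nothing in v1/v2c authenticates the sender beyond the string and a source address that UDP lets anyone forge. That is the protocol-level half of the problem; the implementation half is what a decoder like `parse_tlv`, handed lengths it does not check against the buffer, does inside a C agent.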

Jeremy Rauch has been involved in discovering and researching security vulnerabilities for 10 years. During this time he also worked for a number of security vendors, building and designing security software in the scanner and IDS markets, as well as being one of the founders of Not isolated to only working directly in security, Jeremy spent a number of years working for a major optical networking vendor, where he was a principal engineer, designing five-nines-uptime distributed control, upgrade and network management systems with an eye to security.

Jeremy has done security training for a wide variety of financial, government and technology companies, written articles for a variety of security websites and magazines, and spoken at a number of conferences. He is currently co-authoring a book with Mike Schiffman for Addison-Wesley, tentatively titled “Modern Network Infrastructure Security”, for publication in 2004.


Addressing Complete Security to Save Money
Russ Rogers, Chief Technical Officer, Security Horizon, Inc

One of the biggest issues in information security is the dependence on technical solutions, by themselves, to solve the problem of security posture within the organization or company. Companies are inundated with security organizations that tout the latest and greatest security product. From the redundant firewall product with high availability to the latest string of honey pot products, companies are told what they need in order to secure their organizations. Unfortunately, technical solutions, when implemented by themselves, fail to address the inherent problem in the system.

Poor security posture can only really be improved when the organization understands what information is critical to its operations. What information do we use, day in and day out, that is required to serve our customers and meet our mission goals? By defining the specific information types that are critical to the organization, we can better define the actual impact that the loss of those information types will have on the organization. If we further refine the process by measuring the loss of Confidentiality, Integrity, Availability, Accountability, etc. for each of these information types, we can identify more effective security measures to mitigate risk. This increases the cost-effectiveness of the security solutions implemented within the organization.

The key here is that once we’ve defined our information types and the impact to the organization of their loss, we are now better able to define on what actual systems these information types reside. More in-depth evaluations on these key systems can now take place, allowing the organization to focus on higher risk servers and network components. Solutions are implemented within the organization based on these factors, providing more effective and financially responsible security solutions that will dramatically improve the security posture within the organization.

Russ Rogers is the CEO and CTO of Security Horizon, a Colorado Springs based information security professional services firm, and is a technology veteran with over 12 years of technology and information security experience. He has served in multiple technical and management information security positions, including Manager of Professional Services, Manager of Security Support, Senior Security Consultant and Unix Systems Administrator. Mr. Rogers is a United States Air Force veteran and has supported the National Security Agency and the Defense Information Systems Agency in both military and contractor roles. Russ is also an Arabic linguist. He is a certified instructor for the National Security Agency's INFOSEC Assessment Methodology (IAM).


Putting The Tea Back Into CyberTerrorism
Roelof Temmingh, Haroon Meer and Charl van der Walt, SensePost

Many talks these days revolve around cyber terrorism and cyber warfare. Some experts suggest such attacks could be effective; others say that targeted country-wide cyberterrorism is just for the movies... or a Tom Clancy book. In this talk we look at very practical examples of possible approaches to Internet-driven cyber warfare/terrorism. The talk will include an online demo of a framework designed to perform closely focussed country-wide cyber attacks.

Roelof Temmingh is the technical director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of PERL code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many International Conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is one of SensePost's senior technical specialists. He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including Black Hat Briefings. Haroon doesn’t drink tea or smoke camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.


HTTP Fingerprinting and Advanced Assessment Techniques
Saumil Udayan Shah, Director, Net-Square Solutions

This talk discusses some advanced techniques in automated HTTP server assessment which overcome efficiency problems and increase the accuracy of the tools. Two of the techniques discussed here include Web and Application server identification, and HTTP page signatures. Web and Application server identification allows for discovery of the underlying web server platform, despite it being obfuscated, and other application components which may be running as plug-ins. HTTP page signatures allow for advanced HTTP error detection and page groupings. A few other HTTP probing techniques shall be discussed as well. A free tool - HTTPRINT which performs HTTP fingerprinting, shall be released along with this presentation.
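The two techniques named above, server identification despite an obfuscated banner and HTTP page signatures, as an added example that is not httprint itself. The Server header is trivially rewritten, but the order in which a server emits its headers and how it answers a malformed request line or an unsupported method are harder to fake, so a per-probe signature table is matched by majority vote with the banner excluded. Page signatures (status, size bucket, line and word counts) then group responses so that "200 OK" custom error pages can be separated from real content. The probe set, the signature table, the `Stealth/9` banner and every raw response are constructed samples, not measurements of any real server.

```python
"""Behavioural HTTP server fingerprinting and page-shape grouping over constructed responses."""
from collections import Counter

PROBES = ("GET / HTTP/1.0", "GET / JUNK/1.0", "DELETE / HTTP/1.0")


def parse_response(raw):
    """Split a raw response into (status code, [header names in order], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split()[1])
    names = [h.split(":", 1)[0].strip().lower() for h in header_lines if ":" in h]
    return code, names, body


def probe_signature(raw):
    """Status plus header order, with the (spoofable) Server banner left out."""
    code, names, _ = parse_response(raw)
    return code, tuple(n for n in names if n != "server")


# Constructed signature table: server family -> {probe: expected signature}
KNOWN = {
    "apache-1.3-like": {
        PROBES[0]: (200, ("date", "last-modified", "etag", "accept-ranges", "content-length", "connection", "content-type")),
        PROBES[1]: (400, ("date", "connection", "content-type")),
        PROBES[2]: (405, ("date", "allow", "connection", "content-type")),
    },
    "iis-5-like": {
        PROBES[0]: (200, ("date", "connection", "content-length", "content-type", "last-modified", "etag")),
        PROBES[1]: (200, ("date", "connection", "content-length", "content-type")),
        PROBES[2]: (403, ("date", "connection", "content-length", "content-type")),
    },
}


def identify(responses):
    """responses: {probe: raw}. One vote per matching probe; returns (family, hits, probes)."""
    votes = Counter()
    for family, table in KNOWN.items():
        votes[family] = sum(1 for probe, raw in responses.items()
                            if table.get(probe) == probe_signature(raw))
    family, hits = votes.most_common(1)[0]
    return family, hits, len(responses)


def page_signature(raw):
    """Coarse shape of a page, stable across URLs served by the same error template."""
    code, _, body = parse_response(raw)
    return code, len(body) // 64, body.count("\n"), len(body.split())


def group_pages(pages):
    """pages: {url: raw}. Return {signature: [urls]} so one-off pages stand out."""
    groups = {}
    for url, raw in pages.items():
        groups.setdefault(page_signature(raw), []).append(url)
    return groups


# Constructed target: Apache-like behaviour behind a rewritten banner.
TARGET = {
    PROBES[0]: "HTTP/1.1 200 OK\r\nDate: Mon, 01 Sep 2003 10:00:00 GMT\r\nServer: Stealth/9\r\nLast-Modified: Sun, 31 Aug 2003 09:00:00 GMT\r\nETag: \"1a-2b\"\r\nAccept-Ranges: bytes\r\nContent-Length: 28\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>",
    PROBES[1]: "HTTP/1.1 400 Bad Request\r\nDate: Mon, 01 Sep 2003 10:00:00 GMT\r\nServer: Stealth/9\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html>400</html>",
    PROBES[2]: "HTTP/1.1 405 Method Not Allowed\r\nDate: Mon, 01 Sep 2003 10:00:00 GMT\r\nServer: Stealth/9\r\nAllow: GET, HEAD\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html>405</html>",
}
# Constructed custom error page that answers 200 OK for anything missing.
ERR = "HTTP/1.1 200 OK\r\nServer: Stealth/9\r\nContent-Type: text/html\r\n\r\n<html>\n<body>\nSorry, that page is not here.\n</body>\n</html>\n"
PAGES = {"/": TARGET[PROBES[0]], "/admin/": ERR, "/backup/": ERR, "/old/": ERR}

if __name__ == "__main__":
    print(identify(TARGET))
    print(group_pages(PAGES))
```

Reading the result: three of three probes vote Apache-like even though every response claims `Stealth/9`, and the three "found" directories collapse into one page-signature group while `/` stands alone, which is how a crawler avoids reporting a soft-404 template as three discoveries. A real table needs many more probes and several samples per server version, since header order also shifts with modules and proxies in front of the server.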

Saumil Shah continues to lead the efforts in e-commerce security research and software development at Net-Square. He is the co-author of "Web Hacking: Attacks and Defense", published by Addison Wesley. He has more than eight years of experience in network security and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences worldwide such as BlackHat, RSA, etc.

Previously, Saumil held the position of Director of Indian operations with Foundstone Inc. in the US, and a senior consultant with Ernst & Young's Information Security Services. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member for their Management Development Programmes.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He also holds a CISSP certification. He received his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).


(c) 1996-2007 Black Hat