Black Hat Digital Self Defense Japan 2004

Black Hat Main Conference Overview

Black Hat Japan 2004 topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Raisuke Miyawaki
  • Chairman, Ochanomizu Associates, Tokyo, Japan
  • Senior Advisor, Commission on Japanese Critical Infrastructure Protection
  • Research Counselor and Trustee, Institute for International Policy Studies, Tokyo
  • Vice President, Japan Forum for Strategic Studies

Mr. Miyawaki is Japan’s leading expert on the role of organized crime in Japan’s economy.  He joined the Japanese National Police Agency (NPA) in 1956, ultimately becoming director of the NPA’s criminal investigation division, where he headed the NPA’s anti-underworld campaign. 

In his last government post, from 1986 until 1988, Mr. Miyawaki served in the Senior Cabinet Secretariat of the Prime Minister of Japan, as Advisor for Public Affairs to Prime Minister Yasuhiro Nakasone. Since leaving government service, he has served as Chairman of Ochanomizu Associates, a Tokyo-based think tank, and as an advisor on organized crime, cyberterrorism, politics, public affairs, and other issues to the leaders of a number of Japan's largest companies, including Nippon Telegraph and Telephone (NTT), Dentsu Inc., and ITOCHU, Inc.

Mr. Miyawaki is a frequent speaker and lecturer in Japan, the US, Russia, and China, and he is the author of Gullible Japanese: The Structure of Crises in Japan (Shincho-sha, 1999) and Cyber Crisis: The Invisible Enemy Invading Japan (PHP, 2001).

Mr. Miyawaki is a graduate of Tokyo University Law School, and is a Life Fellow of the Edwin O. Reischauer Center of the School of Advanced International Studies (SAIS), the Johns Hopkins University.

Thinking Techie's Social Responsibility - Lessons From Winny Case
Shunichi Arai

ARAI Shunichi is the chair of which supports Winny's author Isamu Kaneko. He raised a 16 million yen defense fund in a month. He is now researching anonymity technology and distributed systems as a Ph.D. student at Waseda University. He is also a founder and CEO of Mellowtone Inc. Arai started programming at the age of 3, and is now certified as a 'genius programmer' by the Japanese government. He is a co-translator of the Japanese translation of "Applied Cryptography".

Attacking Obfuscated Code with IDA Pro
Chris Eagle, Associate Chairman, Computer Science Department Naval Postgraduate School

Virtually every virus and worm that circulates the Internet today is "protected" by some form of obfuscation that hides the code's true intent. In the Windows world, where worms prevail, the use of tools such as UPX, ASPack, and teLock has become standard. Protection of malicious code is not the only goal of binary obfuscators, however; they can also be used to protect intellectual property. In the Linux world, tools such as Burneye and Shiva exist which can be used in ways similar to any Windows obfuscation tool.

To fight such methods, analysts have created specific tools or techniques for unraveling these code obfuscators in order to reveal the software within. To date, in the fight against malware, anti-virus vendors have had the luxury of focusing on signature development since obfuscation of malware has presented little challenge. To combat this, malware authors are rapidly morphing their code in order to evade quickly developed and deployed signature-matching routines. What will happen when malware authors begin to morph their obfuscation techniques as rapidly as they morph their worms?

While not designed specifically as a malware protection tool, one program, Shiva, aims to do exactly that. Shiva forces analysis of malicious code to be delayed while analysts fight through each novel mutation of Shiva's obfuscation mechanism. This, in effect, provides the malware a longer period of time to wreak havoc before countermeasures can be developed.

This talk will focus on the use of emulated execution within IDA Pro to provide a generic means for rapidly deobfuscating protected code. Capabilities of the emulation engine will be discussed and the removal of several types of obfuscation will be demonstrated. Finally, the development of standalone deobfuscation tools based on the emulation engine will be discussed.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 18 years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering.

Capture the Flag Games: Measuring Skill with Hacking Contests
Riley "Caezar" Eller, Special Projects Manager, CoCo Communications

With the cost of security experts increasing each year, it is expensive to audit critical systems as often as is needed. Worse yet, it is difficult to know how much to trust the reports since the worst consultants give the most positive answers. In order to address this problem, Caezar proposes a system for ranking the merit of security experts alone or in teams. Based on his years of experience with DEFCON Capture the Flag games, Caezar shows the difficulty of solving this problem in a fair and reliable manner. He will demonstrate the state-of-the-art technique used in this year's game and show insight into the eight teams, concentrating on the top two. Then, beginning with discussion of the failings of the International Chess Federation's (FIDE) "Elo" rating scheme, Caezar will propose a complete framework for ranking security professionals.

By night, he donates his time and energy to the Ghetto Hackers organization; a group best known for dominating the annual DEFCON Capture the Flag contest. As the creator of the Root Fu scoring system, Caezar is the foremost authority on security contest scoring.

By day, Mr. Eller has extensive experience in Internet embedded devices and protocol security. He invented fully automatic web vulnerability analysis and ASCII-armored stack overflow exploits, and contributed to several other inventions including a pattern language for describing network attacks. Mr. Eller's credits include the Black Hat Security Briefings and Training series, the Meet the Enemy seminars, "Hack Proofing Your Network: Internet Tradecraft", and the "Caezar's Challenge" think tank.

The Laws of Vulnerabilities
Gerhard Eschelbeck, Chief Technology Officer & Vice President of Engineering, Qualys, Inc.

New vulnerabilities to networks are discovered and published on a daily basis. With each such announcement, the same questions arise. How significant is this vulnerability? How prevalent is this vulnerability? How easy is this vulnerability to exploit? Are any of my systems affected by this vulnerability? Due to the lack of global vulnerability data, answers to these questions are often hard to find, and risk rating is even more difficult.

As part of ongoing research, Gerhard Eschelbeck of Qualys, Inc. has been gathering statistical vulnerability information for more than two years. Those vulnerabilities have been identified in the real world across hundreds of thousands of systems and networks. This data is not identifiable to individual users or systems. However, it provides significant statistical data for research and analysis, which enabled Gerhard to define the Laws of Vulnerabilities.

The Laws of Vulnerabilities are derived from vulnerability data gathered during the past 30 months from over five million scans of individual systems from global organizations. During this timeframe a collective amount of more than three million vulnerabilities, reflecting multiple levels of severity and prevalence, has been identified. Furthermore, the responses to external events (e.g., availability of an exploit, or a worm taking advantage of a vulnerability) have been studied, providing valuable lessons for attendees on how to protect networks and systems from evolving threats.

Gerhard Eschelbeck is a respected CTO, researcher and author in the network security field. He published the now well-known "Laws of Vulnerabilities," the industry's first research derived from a statistical analysis of millions of critical vulnerabilities collected across thousands of networks over a multi-year period. Eschelbeck presented his findings before Congress at the hearing on "Worm and Virus Defense: How Can We Protect Our Nation's Computers from These Serious Threats?" His research has been featured at major security conferences including Black Hat, CSI, and RSA and in numerous media outlets, including The Wall Street Journal, The Economist and others. Gerhard was named one of InfoWorld's 25 Most Influential CTOs in 2003 and 2004 and is a significant contributor to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. Prior to joining Qualys, Eschelbeck was Senior VP of Engineering for security products at Network Associates, VP of Engineering of anti-virus products at McAfee Associates, and Founder of IDS GmbH, a secure remote control company acquired by McAfee. Earlier, he was a research scientist at the University of Linz, Austria, where he earned Masters and Ph.D. degrees in computer science and where he still teaches regularly in the field of network security. Eschelbeck has authored several papers on active security, automating security management, and multi-tier IDS. He is an inventor of numerous patents in the field of managed network security.

Understanding Hardware Security
Joe Grand, President & CEO, Grand Idea Studio, Inc.

Hardware security is often overlooked during a product's development, which can leave it vulnerable to hacker attacks resulting in theft of service, loss of revenue, identity theft, unauthorized network access, or a damaged reputation. This presentation will show you how to reduce the number of vulnerabilities in your embedded hardware designs and how to evaluate the threats against your products. Learning from history is important to avoid repeating old design flaws, so we will also look at previously successful hardware attacks against security products.

Joe Grand is the President of Grand Idea Studio, a San Diego-based product development and intellectual property licensing firm, where he specializes in embedded system design, computer security research, and inventing new concepts and technologies. Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty" and a co-author of "Stealing The Network: How to Own A Continent". Joe holds a Bachelor of Science degree in Computer Engineering from Boston University.

David Litchfield, Founder, Next Generation Security Software

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine, which voted him 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft and Oracle products).

David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world-leading vulnerability research and the continued development of cutting-edge security assessment software, David has also written or co-authored a number of security-related titles, including "SQL Server Security", "Shellcoder's Handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle".

You got that with GOOGLE?
Johnny Long, CSC

This presentation explores the explosive growth of a technique known as "Google Hacking". When the modern security landscape includes such heady topics as "blind SQL injection" and "integer overflows", it's refreshing to see such a deceptively simple tool bent to achieve such amazing results; this is hacking in the purest sense of the word. Attendees will learn how to torque Google to detect SQL injection points and login portals, execute portscans and CGI scans, fingerprint web servers, locate incredible information caches such as firewall and IDS logs, password databases, SQL dumps and much more - all without sending a single packet to the target! Borrowing the techniques pioneered by malicious "Google hackers", this talk aims to show security practitioners how to properly protect clients from this often overlooked and dangerous form of information leakage.

The speaker, Johnny Long, maintains the Internet's most comprehensive database of Google exposures on his website.

Johnny Long did not develop his skills within the hallowed halls of higher learning but rather by spending way too many late nights huddled in front of his computer, developing his anti-social tendencies.

Mr Long (Johnny's professional alter-ego) has previously presented at SANS and other computer security conferences nationwide. In addition, he has presented before several government alphabet-soup entities including three starting with the letter 'A', four starting with the letter 'D', a handful starting with the letters 'F' and 'S' and two starting with today's letter, the letter 'N'. During his career as an attack and penetration specialist, Mr Long has performed active network and physical security assessments (one in the cube is worth twenty on the net) for hundreds of government and commercial clients.

Johnny Long is the author of 'Penetration Testing with Google', available December 2004 from Syngress Publishing.

Cybercrime Treaty and Legal Environment of Japanese Computer Crime and Laws
Hisamichi Okamura

The Keys to the Kingdom: Understanding Covert Channels of Communication
Russ Rogers, CEO, Security Horizon

Security professionals see the compromise of networked systems on a day to day basis. It's something they've come to expect. The blatant exploitation of operating systems, applications, and configurations is a common event and is taken into account by most security engineers. But a different type of security compromise threatens to crumble the underlying security of the modern organization.

There are forms of communication that transfer sensitive data outside of organizations every day. Covert channels are used to move proprietary information in and out of commercial, private, and government entities on a daily basis. These covert channels include things such as Steganography, Covert network channels, Data File Header and Footer Appending, and Alternate Data Streams. Media to be covered include images, audio files, TCP covert channels, Word substitution mechanisms, the Windows file system and others.

This presentation will show attendees common means of covert communication by hiding information through multiple means. We'll also discuss the future of covert channels and how hidden information is becoming more and more difficult to detect. Detection of these forms of communication is trailing well behind the technology creating them; this presentation will discuss some of the newest concepts in utilizing covert channels and steganography.

Russ Rogers is the CEO of Security Horizon, a Colorado Springs based information security professional services firm, and is a technology veteran with over 13 years of technology and information security experience. He has served in multiple technical and management information security positions that include Manager of Professional Services, Manager of Security Support, Senior Security Consultant and Unix Systems Administrator. Mr. Rogers is a United States Air Force veteran and has supported the National Security Agency and the Defense Information Systems Agency in both military and contractor roles. Russ is also an Arabic linguist. He is a certified instructor for the National Security Agency's INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) courses. He holds an M.S. degree from the University of Maryland and is also a co-founder of the Security Tribe, a security think tank and research organization.

Optimized Attack for NTLM2 Session Response
Daiji Sanai, President & CEO, SecurityFriday Co., Ltd.
Hidenobu Seki, aka Urity

Windows 2000 SP3 or later and Windows XP now use a new network logon authentication method by default, the NTLM2 Session Response. Employed by Windows 2000, this unproven authentication method is considered to reduce the vulnerability found in network LM and NTLM v1 authentication. In this session, we will describe and demonstrate our audit approach for detecting easy-to-crack passwords from packets traveling on the network in real time. This approach was developed based on our thorough investigation of the characteristics of this NTLM2 Session Response. We will also discuss the possibility of attacks being attempted against Windows XP SP2 and the differences between our approach and the famous rainbow table used for analyzing Windows passwords.

Daiji Sanai, President & CEO, SecurityFriday Co., Ltd.
Best known as a specialist in the field of personal information security, Daiji Sanai has a long history of engaging in a wide variety of activities to address security issues associated with personal information. In 2000, he organized a network security research team, and has continued his technology research as its leader, focusing on intranet security. In 2001 Daiji Sanai presented "Promiscuous Node Detection Using ARP Packets" at the Black Hat Briefings USA in Las Vegas. In 2003, SecurityFriday Co., Ltd. was founded based on his research team, and he was named President and Chief Executive Officer.

Hidenobu Seki, aka Urity, works as a network security specialist at SecurityFriday Co., Ltd. in Japan. He has published many tools, including ScoopLM, BeatLM, GetAcct and RpcScan. He has been a speaker at Black Hat Windows Security 2002, 2003 and 2004.

When the Tables Turn
Charl van der Walt, SensePost
Jaco van Graan, SensePost

Until now, network security defences have largely been about building walls and fences around the network. This talk revolves around spiking those walls and electrifying those fences! During this talk we will highlight techniques (and tools) that can be used to turn the tables on prospective attackers with passive strike-back. We will explore the possibilities across the assessment spectrum, responding to the standard assessment phases of intelligence gathering, reconnaissance and attack with disinformation, misdirection, camouflage, obfuscation and proportional response.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

Environment Dependencies in Windows Exploitation
Yuji Ukai, Researcher and Software Engineer, eEye Digital Security

In the case of vulnerabilities which allow the execution of arbitrary machine code, the reliability of exploitation is swayed by the type of vulnerability, the conditions surrounding the vulnerable code, and the attack vector, among other considerations. The reliability of exploitation is an important factor for those attempting to exploit a vulnerability, especially so for worm and virus writers, and therefore it is also an important consideration for the threat analysis of security vulnerabilities.

In Japan, some public institutions and non-governmental enterprises are providing detailed information and threat analyses of vulnerabilities, exploits, and worms. Because the majority of the systems in Japan run the Japanese version of Windows, the analysis and consideration of language-specific dependencies are very important factors for both the providers and consumers of such information in Japan, especially in the case of worms.

Since one of the highest priorities of a worm is to propagate as far as possible, some recent worms have employed techniques that avoid language and version dependencies, such as choosing return addresses that can be used across multiple language versions of Windows.

In this presentation, the discussion of detailed and practical techniques to achieve environment independence will be avoided, but understanding at least the technical overview and potential of these techniques is important both for providing proper threat analyses and for understanding them in depth.

At Black Hat USA 2004, as part of our threat analysis research, we discussed return address discovery using context-aware machine code emulation, namely our EEREAP project, which is intended to help prove whether universal return addresses exist. At Black Hat Japan 2004, we will expand on this presentation: we will both explore the risk factors that aid in the avoidance of language and version dependencies, and show how to mitigate these risks.

Yuji Ukai is a researcher and senior software engineer with eEye Digital Security. After completing his Ph.D. in computer science at the National University of Tokushima, he began his employment at an appliance vendor in Japan where he developed embedded operating systems. Over the last several years he has discovered several important security holes affecting various software products (Workstation Service and LSASS for Windows, etc) as well as pioneered new trends in wireless security technologies.

(c) 1996-2007 Black Hat