Black Hat Digital Self Defense DC 2007

Black Hat DC 2007 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Speakers

Keynote: Cyber Crime and the Power of Digital Forensics
Special Agent (Ret) Jim Christy, Director, Futures Exploration, Department of Defense Cyber Crime Center

Discussion of the power of Digital Forensics today and the real-world challenges. Also discuss the Defense Cyber Crime Center (DC3) and the triad of organizations that comprise DC3: the Defense Computer Forensics Lab, the Defense Cyber Crime Institute, and the Defense Cyber Investigations Training Academy. The evolving discipline of cyber crime investigations and the critical role law enforcement plays in a Network Centric Warfare environment. The accreditation process for a cyber forensics lab, the forensic processes, and capabilities.

Jim Christy is a recently (1 Dec 2006) retired special agent who specialized in cyber crime investigations and digital evidence for over 20 years, with 35 years of federal service. Jim is currently the Director of Futures Exploration for the Defense Cyber Crime Center (DC3) and was profiled in Wired Magazine in January 2007.

From Nov 03 – Nov 06, Supervisory Special Agent Jim Christy was the Director of the Defense Cyber Crime Institute (DCCI), DC3. The DCCI is responsible for the research & development and test & evaluation of forensic and investigative tools for the DoD Law Enforcement and Counterintelligence organizations. The Institute is also charged with intelligence analysis, outreach, and policy for DC3. Jim is a retired Air Force Office of Special Investigations Computer Crime Investigator.

In Oct 03, the Association of Information Technology Professionals awarded Jim the 2003 Distinguished Information Science Award for his outstanding contribution through distinguished services in the field of information management. Previous recipients of this prestigious award include Admiral Grace Hopper, Gene Amdahl, H. Ross Perot, General Emmett Paige, Bill Gates, Lawrence Ellison, David Packard and Mitch Kapor.

From 17 Sep 01 – 1 Nov 03 Jim was the Deputy Director/Director of Operations, Defense Computer Forensics Lab, Defense Cyber Crime Center. As the Dir of Ops for the DCFL he managed four sections with over 40 computer forensic examiners that supported Major Crimes & Safety, Counterintelligence and Counterterrorism, as well as Intrusions and Information Assurance cases for the Department of Defense.

From May 98 – Sep 01 Jim was assigned to the Defense-wide Information Assurance Program, Assistant Secretary of Defense for Command, Control Communications and Intelligence (ASDC3I) as the Law Enforcement & Counterintelligence Coordinator and Infrastructure Protection Liaison.

SA Christy served as the DoD Representative to the President’s Infrastructure Protection Task Force (IPTF) from Sep 96 – May 98. The President signed Executive Order 13010 on 15 Jul 96, creating IPTF to protect the Nation’s critical infrastructure from both physical and cyber attacks.

Prior to the IPTF, Jim was detailed to Senator Sam Nunn’s staff on the Senate Permanent Subcommittee on Investigations as a Congressional Fellow, Jan - Aug 96. Senator Nunn specifically requested Jim’s assistance for the Subcommittee to prepare for hearings in May - Jul 1996 on the vulnerability of and the threat to the National Information Infrastructure from cyberspace.

From 1986-1998, Jim was the Director of Computer Crime Investigations and Information Warfare for AFOSI and established the first computer forensic lab in DOD, which is the DoD Computer Forensic Lab.

In 1986, Jim obtained some notoriety as the original case agent in the “Hanover Hacker” case. This case involved a group of German hackers who electronically penetrated DOD computer systems all over the world and sold the information to the Soviet KGB. The case was detailed in the best seller, “The Cuckoo’s Egg”, by Dr. Cliff Stoll. The Public Broadcast system has also produced a docu-drama on this case.

In a murder investigation in 1991, the suspect cut two floppy diskettes into 23 pieces with pinking shears. No agency was able to recover any of the data until Jim and his deputy developed a technique for less than $150. Jim was able to recover 85%-95% of the data from each piece of diskette. The suspect, when confronted with the evidence, confessed, pled guilty and was sentenced to life in prison. This case was profiled on the “New Detectives” series on the Discovery Channel, 2 Jan 99, and was on Court TV’s Forensic Files in 2005.

Some of SA Christy’s notable firsts in Computer Crime Investigations:

  • 1st civilian computer crime investigator in the U.S. Government
  • 1st computer espionage investigation (Hanover Hacker Case), case agent
  • 1st electronic surveillance of a standalone color PC
  • 1st DoD investigator to go undercover on pedophile bulletin boards
  • 1st to distribute wanted poster on the Internet (triple homicide case)
  • 1st to develop forensic technique to recover data from cut-up diskette (homicide investigation)
  • 1st psychological profiling study of computer criminals program (Project Slammer)
  • 1st to create DOD Computer Forensic Lab
  • 1st to create DOD Computer Intrusion Squad
  • 1st computer crime investigator to testify before the U.S. Senate
  • 1st information security survey of private sector by U.S. Senate (authored)
  • 1st to create government, private sector, academia, program to provide free education and awareness about the cyber threat to infrastructure owners and operators (Manhattan Cyber Project)
  • 1st DoD-wide Computer Crime Workshop for IA, investigators and attorneys
  • 1st State Infrastructure Protection Center for Arizona
  • 1st Clearinghouse for Intelligence Media Exploitation (CHIME) to support GWOT
  • 1st Computer Forensics team to support Special Operations
  • 1st Law Enforcement official to be awarded the AITP Distinguished Information Science Award

Jim also teaches two graduate courses at George Washington University, Elliott School of International Affairs: “The Cyber Threat to American National Security” and “National Cyber Policy”.

Jim has managed Little League Baseball teams for 13-15 year olds for the last 8 years. Jim is retired as a college hockey referee. He has worked as a professional referee at the minor league level and was the USA Hockey Supervisor of Officials for the Mid-Atlantic States. Additionally he worked for the National Hockey League as an Off-ice Official for the Washington Capitals for eight years and officiated on-ice their pre-season, exhibition and training camp games.

Bypassing NAC
Ofir Arkin, CTO, Insightix

The threat of viruses, worms, information theft and lack of control of the IT infrastructure lead companies to implement security solutions to control the access to their internal IT networks.

A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. All are tasked with one goal—controlling the access to a network using different methods and solutions.

This presentation (updated with new material) will examine the different strategies used to provide network access controls.

Flaws associated with each and every NAC solution presented will be presented. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market.

Ofir Arkin is the CTO of Insightix, leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks.

Ofir holds more than 10 years of experience in data security research and management. He has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors.

Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control and lectures regularly at security conferences.

Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA).

Ofir is the founder of Sys-Security Group, a computer security research group.

Attack Patterns: Knowing Your Enemies in Order to Defeat Them
Sean Barnum, Managing Consultant, Cigital

Design patterns are a familiar tool used by the software development community to help solve recurring problems encountered during software development. These patterns attempt to address head-on the thorny problems of secure, stable, and effective software architecture and design. Since the introduction of design patterns, many other types of patterns relevant to software have been conceived, including a relatively new construct known as attack patterns.

Attack patterns apply the problem-solution paradigm of design patterns in a destructive rather than constructive context. Here, the common problem targeted by the pattern represents the objective of the software attacker, and the pattern's solution represents common methods for performing the attack. Techniques for exploiting software tend to be few and fairly specific. Attack patterns describe the techniques that attackers may use to break software.

The incentive behind using attack patterns is that software developers must think like attackers to anticipate threats and thereby effectively secure their software. Due to the absence of information about software security in many curricula and the traditional shroud of secrecy surrounding exploits, software developers are often ill-informed in the field of software security and especially software exploitation. The concept of attack patterns can be used to teach the software development community how software is exploited in reality and to implement proper ways to avoid the attacks.

This session will present the concept and construct of attack patterns including their background, structure and content, how they are generated, how they can be leveraged across the SDLC (Policy, Requirements, Arch & Design, Implementation, Test, etc.) and current efforts to collect, classify and make them an available and valuable tool for the software development community.

This session will provide more detailed and updated coverage of the material included in the series of attack pattern articles published on the DHS Build Security In website, with the addition of discussion of the Common Attack Pattern Enumeration and Classification (CAPEC) effort currently underway and funded by the Department of Homeland Security. It doesn't make much sense to cut and paste a 70 page whitepaper here so I figured I would give you a reference to go check it out.

This material closely aligns with the session proposed by Robert Martin of Mitre covering the Common Weakness Enumeration (CWE). It would make sense to have this session directly follow the CWE session if possible.

Sean Barnum is a Managing Consultant at Cigital. He has 20 years of experience in the software industry and his technical interests include software security, software quality and process improvement, risk management, knowledge architecture, and collaborative technologies. Barnum has a BS in Computer Science and is an ME in Technology Management candidate from Portland State University. He is active in the software assurance community and is a key participant in numerous knowledge standards-defining efforts. Contact him at

Secure Processors for Embedded Applications
James D. Broesch

There are many aspects to security in computing environments. In this presentation we look at some of the options for incorporating security at the hardware level by using a variety of secure processor options. Traditionally, developers have relied on FIPS compliant processors when looking to secure processors. While there are many advantages to the use of standard FIPS devices, it is also true that these devices are often relatively expensive and limited in their processing capability. This presentation will discuss how to achieve both a secure computing environment and high performance.

James D. Broesch is a C4ISR specialist (Command, Control, Computers, Communications, Intelligence, Reconnaissance and Surveillance) for the Reconnaissance Systems Group of General Atomics—Aeronautical System Incorporated. He is also an Adjunct Instructor in the Science and Engineering department of UCSD’s extended studies program. Jim has over thirty years of experience, including three years in the US Army, fourteen years of teaching and twenty-five years in a wide variety of research and development environments. For eight of those years he was the lead instrumentation and control engineer for the DIII-D National Fusion Facility. During the rest of the time he has been designing products for applications ranging from submarines to satellites. Jim is the author of two books and numerous scientific and engineering papers. His work has been published in three languages and six countries. Most recently, he was an invited speaker at MIT’s Lincoln Laboratories’ High Performance Embedded Computer (HPEC-2006) workshop.

Practical 10 Minute Security Audit: The Oracle Case
Cesar Cerrudo, Founder, Argeniss

This paper will show an extremely simple technique to quickly audit a software product in order to infer how trustable and secure it is. I will show you step by step how to identify half a dozen local 0day vulnerabilities in a few minutes just by making a couple of clicks on very easy to use free tools. Then, for the technical guys' enjoyment, the vulnerabilities will be easily pointed out on disassembled code and detailed. Finally, a 0day exploit for one of the vulnerabilities will be demonstrated and explained.

While this technique can be applied to any software, in this case I will take a look at the latest version of Oracle Database Server: 10gR2 for Windows, which is an extremely secure product, so it will be a very difficult challenge to find vulnerabilities since Oracle is using advanced next generation tools to identify and fix vulnerabilities.

Cesar Cerrudo is a security researcher & consultant specialized in application security. Cesar is running his own company, Argeniss. Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security and has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest and WebSec.

Firmware Rootkits and the Threat to the Enterprise
John Heasman, Director of Research, NGS Software

At Black Hat Federal 2006, John Heasman presented a means of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). His more recent research has focused on using devices on the PCI bus as a means of achieving a similar goal, that is, a rootkit that has no footprint on disk and can consequently survive reinstallation of the operating system.

This presentation discusses the technical and operational difficulties that must be overcome in order to persist a rootkit onto a PCI device. A common assumption is that attacks against firmware are highly specific not only to every vendor but also down to specific models of hardware. This in turn suggests that a large scale automated deployment of firmware rootkits is difficult to accomplish even in homogeneous environments. This session analyzes the "security through diversity" assumption in detail.

The latter half of this talk focuses on the challenges of firmware rootkit detection in large environments and the available options when an infection is suspected. Finally, the focus moves on to prevention techniques and their feasibility within the enterprise together with the impact of the Trusted Platform Module (TPM) on firmware rootkits.

John Heasman is the Director of Research at NGS Software. He has significant experience in vulnerability research and has released numerous advisories in enterprise-level software, including Microsoft Windows, Norton Antivirus, Exchange Server and PostgreSQL.

His primary research interest is in rootkit and anti-rootkit technologies though he also has a strong interest in database security and was a co-author of the "Database Hackers Handbook" (Wiley, 2005).

He holds a Masters degree in Engineering and Computing from Oxford University and is certified as a CHECK Team Leader allowing him to lead penetration tests of UK government systems.

Practical Malware Analysis: Fundamental Techniques and a New Method for Malware Discovery
Kris Kendall, MANDIANT
Chad McMillan, Principal Security Engineer within the Federal Services Division, MANDIANT

IT environments are under constant assault by malicious software. Protection and detection systems are increasingly ineffective in dealing with this threat. Modern Incident Responders need to be able to identify and analyze malicious code in order to implement protections in their environments. This session will review analysis fundamentals for malware on Windows platforms, including:

  1. The rationalization for performing malware analysis
  2. Categorization of malware and the properties inherent in each group
  3. Creating an analysis environment
  4. Forensic analysis of executable binaries
  5. Static Analysis techniques
  6. Dynamic Analysis techniques
  7. Current tools for performing malware analysis

This session will also include a discussion of a new technique developed by Mandiant for identifying suspicious data on a compromised system based on characteristics of modern malware armoring methods.

Kris Kendall, a key leader of MANDIANT's technical team, has over eight years of experience in computer forensics and incident response. He provides expertise in computer intrusion investigations, computer forensics, and research & development of advanced network security tools and techniques. He is a former Special Agent in the United States Air Force Office of Special Investigations, and has developed several innovative tools that advanced the state-of-the-art in the rapidly evolving field of reverse engineering and binary analysis.

Mr. Kendall earned both a Bachelor of Science and a Master of Engineering degree from the Massachusetts Institute of Technology.

Chad McMillan is a Principal Security Engineer within the Federal Services Division of MANDIANT. Mr. McMillan has more than ten years' experience working with leading edge technologies and state of the art computer hardware and software in both the commercial and US military/intelligence communities. He has advanced training and practical experience conducting computer forensic analysis, reverse engineering, university research, and software development. Mr. McMillan has intimate knowledge of mathematics, signals and systems, information theory, and commercial and government imagery and video. He has helped in developments of systems and practices currently in use by the government, as well as development of training in the area of steganography and steganalysis.

Mr. McMillan came to MANDIANT from ManTech Corporation where he served as a Principal Computer Forensics Engineer and the Program Area Lead in both Data Hiding and Data Mining & Visualization. Mr. McMillan developed software to aid in digital media reconstruction, as well as methodologies and principles for reverse engineering of applications that perform data hiding. Mr. McMillan also has practical experience in creating software that can aid in forensic recovery, such as corrupt file parsers, as well as corrective software to aid in correction of sectors on CDs that have been damaged.

Prior to joining ManTech, Mr. McMillan was a Computer Scientist for the Air Force Research Laboratories. With the AFRL, Mr. McMillan worked in the Digital Data Embedding Technologies group, developing software to perform steganography, steganalysis, and digital watermarking. Mr. McMillan attended numerous conferences and collaborated with university researchers in the area of steganography.

Mr. McMillan has in the area of signals and information theoretics as applied to digital media. With the AFRL, Mr. McMillan worked closely with researchers from Kodak Research to aid in new ideas for digital watermarking technologies to be used in video surveillance taken from Unmanned Aerial Vehicles.

Mr. McMillan holds a Master of Science degree in Computer Science from Clarkson University. His thesis was in the area of Artificial Intelligence, specifically Software Verification. Mr. McMillan also maintains several technical certifications.

Advanced Oracle Attack Techniques
David Litchfield, Founder, Next Generation Security Software

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

Agile Incident Response: Operating through Ongoing Confrontation
Kevin Mandia, Founder, MANDIANT

Many government agencies and organizations are the targets of ongoing efforts to infiltrate their networks and pilfer sensitive data. If an intruder is ever successful, dealing with the incident becomes a protracted effort that can seriously impact operations and unnerve leadership. This session will review techniques to handle ongoing incidents with agile, cost-effective and rapid countermeasures to best diminish the resource drain and psychological wariness that ensues when a network is compromised by a persistent threat.

Kevin Mandia is an internationally recognized practitioner in the field of information security. He has been involved with information security for over fifteen years, beginning in the military as a computer security officer at the Pentagon. He has assisted attorneys, corporations, and government organizations with matters involving information security compliance, complex litigation support, computer forensics, expert testimony, network attack and penetration testing, fraud investigations, computer security incident response, and counterintelligence matters. Kevin established MANDIANT specifically to bring together a core group of industry leaders in this field and solve clients' most difficult information security challenges.

Prior to forming MANDIANT, Kevin built the computer forensics and investigations group at Foundstone from its infancy to a global practice that performed civil litigation support and incident response services. As technical and investigative lead, Kevin responded on-site to dozens of computer security incidents per year. He assisted numerous financial services and large organizations in handling and discreetly resolving computer security incidents. He also led Foundstone's computer forensic examiners in supporting numerous criminal and civil cases. He has provided expert testimony on matters involving theft of intellectual property and international computer intrusion cases.

During his career, Kevin has become an extremely experienced instructor. He has developed specialized classes for the Federal Bureau of Investigation, and personally trained over four hundred FBI agents in investigating computer crime. He has also developed specialized training for the United States Attorney's Office, United States Secret Service, United States Air Force, State Department, the Royal Canadian Mounted Police, and other government agencies. He has trained at the FBI Academy, the National Advocacy Center, and the Federal Law Enforcement Training Center. He developed classes approved by the Continuing Legal Education (CLE) boards in the States of Virginia, New York, and California, and has trained hundreds of attorneys in the technical aspects of computer forensics and network intrusions. In addition to training law enforcement and attorneys, Kevin has provided on-site training at numerous Fortune 500 organizations. He has been a professorial lecturer at Carnegie Mellon University and currently teaches courses at The George Washington University.

Kevin is co-author of "Incident Response: Performing Computer Forensics" (McGraw-Hill, 2003) and "Incident Response: Investigating Computer Crime" (McGraw-Hill, 2001). He has also written articles for SC Magazine and The International Journal of Cyber Crime.

Kevin holds a Bachelor of Science in Computer Science from Lafayette College and a Master of Science in Forensic Science from The George Washington University. He is a Certified Information Systems Security Professional (CISSP), and he has held government security clearances at the Top Secret and higher levels. He has been featured on CNN's Talkback Live, NBC News, and Fox News.

Being Explicit About Software Weaknesses
Robert A. Martin, Principal Engineer, MITRE
Steve Christey, Principal Information Security Engineer, Security and Information Operations Division, The MITRE Corporation

The secure software development community is developing a standard dictionary of the weaknesses that lead to exploitable software vulnerabilities. The Common Weakness Enumeration (CWE) and related efforts are intended to serve as a unifying language of discourse and act as a measuring stick for comparing the tools and services that analyze software for security issues. Without a common, high-fidelity description of these weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem. Various efforts at DHS, DoD, NIST, NSA, and in industry cannot move forward in a meaningful fashion or with any hope of their efforts being aligned and integrated with each other so we can protect our networked systems starting with the source—the software development lifecycle. While the current driver for CWE is in code assessment tool analysis, we believe that CWE and its related efforts could have a broader impact.

Robert A. Martin is a Principal Engineer at MITRE. For the past 7 years, Robert's efforts have been focused on the interplay of risk management, cyber security and the use of software-based technologies. The majority of this time has been spent working on the CVE, OVAL, CME, and CWE family of security initiatives. Robert joined MITRE in 1981 with a bachelor's and master's in EE from RPI; later he earned an MBA from Babson College. He is a member of the ACM, AFCEA, IEEE, and the IEEE Computer Society.

Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. Since 1999, he has been the Editor of the Common Vulnerabilities and Exposures (CVE) list and the Chair of the CVE Editorial Board. He is a technical consultant to the Common Weakness Enumeration (CWE) project. His current interests include secure software development, vulnerability information management, and vulnerability research. Past work, which dates back to 1993, includes co-authoring the "Responsible Vulnerability Disclosure Process" draft in 2002, reverse engineering of malicious code, automated vulnerability analysis of source code, and vulnerability scanning and incident response. He holds a B.S. in Computer Science from Hobart College.

Sean Barnum is a Managing Consultant at Cigital. He has 20 years of experience in the software industry and his technical interests include software security, software quality and process improvement, risk management, knowledge architecture, and collaborative technologies. Barnum has a BS in Computer Science and is an ME in Technology Management candidate from Portland State University. He is active in the software assurance community and is a key participant in numerous knowledge standards-defining efforts. Contact him at

Data Seepage: How to Give Attackers a Roadmap to Your Network
David Maynor, Founder & CTO, Errata Security
Robert Graham, co-founder and CEO, Errata Security

Long gone are the days of widespread internet attacks. What's more popular now are more directed or targeted attacks using a variety of different methods. Since most of these attacks will be single-shot style attacks, attackers will often look for any way to increase the likelihood of success.

This is where data seepage comes in. Unbeknownst to a lot of mobile professionals, laptops, PDAs, even cell phones can be literally bleeding information about a company's internal network. This can be due to applications like email clients that are set to start up and automatically search for their mail server; Windows may be attempting to remap network drives; an application could be checking for updates.

All this information can be used by an attacker to make attacks more accurate with a higher likelihood of success.

Don't laugh and dismiss this as a trivial problem with no impact. Through demonstrations and packet caps we will show how this problem can be the weak link in your security chain.

David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.

Robert Graham is the co-founder and CEO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago, designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. Previously he was the chief scientist of Internet Security Systems. Before that he was the co-founder, CTO, and chief-architect of Network ICE, which was acquired by Internet Security Systems.

Device Drivers 2.0
David Maynor, Founder & CTO, Errata Security

David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.

Botnet Tracking: Tools, Techniques, and Lessons Learned
Dr. Jose Nazario, Senior Security Engineer, Arbor Networks' Arbor Security Engineering & Response Team (ASERT)

Botnets are everywhere, and they are not just a corporate problem anymore. In fact, Robert Rodriguez, who spent more than 22 years as a special agent with the United States Secret Service, has publicly declared that botnets are a serious threat to the government. Meanwhile, there has been an increase in the number of attacks targeted at Western government interests, with botnets originating all over the world, including East Europe/Russia and Asia as well as the United States.

The structure of botnets has historically created the opportunity to perform direct measurements and observation. Various approaches have been used successfully in the past such as honeypots, infected hosts and normal IRC clients. However, these approaches are inadequate for tracking mass amounts of botnets long-term.

Today's most dangerous cyber criminals are not using the same kind of software as traditional bots and malware, because those already have signatures and are easier to detect. To gain access to the specific kinds of information they are looking for, they are utilizing increasingly sophisticated software and malware. These high-end criminals have to be patient and careful in order to gain access to the targeted information they desire. They are willing to pay into the $1000s for the type of access that gets the tax info, patent info, military info; this requires careful planning and skills focused on a specific target.

In 2006 we saw the pace of migration of botnets away from IRC increase, and many botnets are moving to a web-based model. Instead of holding a persistent IRC connection, these bots periodically poll a web server for new commands and updates. This reduces the network footprint of the botnet, making its detection harder in some cases.

In this session Dr. Jose Nazario, author and security researcher, will discuss his research on botnet attacks and the increase of attacks made on government agencies and corporate America. Attendees will learn how botnet attacks have increased in frequency and malice through various forms such as DDoS attacks, new malware outbreaks, and high volume scanning and exploit activity. Attendees will also be supplied with a complete picture of the threats posed by botnets. They will learn how, through actively monitoring a large number of botnets, specialized tools and techniques have been developed to infiltrate a large number of botnets for long periods of time.

Dr. Jose Nazario is a Senior Security Engineer within Arbor Networks' Arbor Security Engineering & Response Team (ASERT). In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service.

Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains, a site devoted to studying worm detection and defense research.

RFID for Beginners
Chris Paget, IOActive

RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner. Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK modulated, backscattering system known as RFID.

Chris Paget is the Director of Research and Development for IOActive (based in Seattle) and is currently creating IOActive's East-Coast research and auditing facility. After 9 months reviewing the Vista source code and many years performing security audits for the largest and most well-known companies in the world, Chris is getting back to his roots in electronics, radio-frequency hacking, and security theory. Chris' past research projects include the US-VISIT tracking system, RFID-triggered smart bombs, Shatter attacks, and a wide variety of protocol-level weaknesses in well known and widely deployed systems, most of which have yet to be patched or publicly discussed.

Nicole A. Ozer
Technology & Civil Liberties Policy Director
ACLU of Northern California
Rights "Chipped" Away: RFID and Identification Documents.
View our media archive page to view the presentation.

Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case)
Joanna Rutkowska, Senior Security Researcher, COSEINC

Many people believe that using a hardware based acquisition method, e.g. a PCI card or a FireWire bus, is the most reliable and secure way to obtain the image of the volatile memory (RAM) for forensic purposes. This presentation is aimed at changing this belief by demonstrating how to cheat such hardware based solutions, so that the image obtained using e.g. a FireWire connection can be made different from the real contents of the physical memory as seen by the CPU. The attack does not require system reboot. The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.

Joanna Rutkowska has been involved in computer security research for about six years. Originating in the field of Linux and Win32 exploitation research, about four years ago she moved toward stealth technology research. This includes various types of rootkits, network backdoors and covert channels. She has presented her work at many computer security conferences around the world, including Black Hat, Hack In The Box, CCC and others. She currently works as a security researcher for COSEINC, a Singapore based IT security company, where she recently created Advanced Malware Labs—a small team of researchers focusing on analyzing new techniques for creating malware as well as methods for defending against them.

Reversing C++
Paul Vincent Sabanal, Researcher, IBM Internet Security Systems X-Force
Mark Vincent Yason, Malcode Analyst, IBM Internet Security Systems, X-Force research team supporting IBM ISS' product Virus Prevention System (VPS)

As recently as a couple of years ago, reverse engineers could get by with just knowledge of C and assembly to reverse most applications. Now, due to the increasing use of C++ in malware as well as most modern applications being written in C++, understanding the disassembly of C++ object oriented code is a must. This talk will attempt to fill that gap by discussing methods of manually identifying C++ concepts in the disassembly, how to automate the analysis, and tools we developed to enhance the disassembly based on the analysis done.

Paul Sabanal is a researcher with the IBM Internet Security Systems X-Force research team. Prior to joining IBM, Paul worked as an antivirus researcher at Trend Micro. Paul has spent most of his career doing malware reverse engineering, and has recently been delving into vulnerability research as well.

Mark Vincent Yason is a malcode analyst. He currently works at IBM Internet Security Systems as a member of the X-Force research team supporting IBM ISS' Virus Prevention System (VPS) technology. Previously, he worked at TrendMicro Incorporated as a research engineer supporting TrendMicro's VSAPI scan engine. His job involves reverse engineering malcode/packers and writing code.

Danger From Below: The Untold Tale of Database Communication Protocol Vulnerabilities
Amichai Shulman, co-founder and CTO, Imperva

Database servers are getting hit via a new attack vector—through the database communication protocols. These refer to the proprietary communication protocols created by database vendors to convey data and commands between database client software and database servers. This year, there have been several vulnerabilities that made headlines.

The database protocols are proprietary, and many pre-date the Internet. Backwards compatibility helps with new product integration, solving compatibility issues between versions. However, it also fuels the fire for potential vulnerabilities. Until recently, researchers didn't focus on this class of vulnerabilities and for many software engineers and DBAs, the existence of potential issues is still relatively unknown.

This presentation delves into the background of database communication protocol development and testing and explains how these vulnerabilities continue to proliferate. I will highlight some interesting information from our extensive research and testing and demonstrate examples of attacks and describe mitigation techniques.

Amichai Shulman is co-founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Mr. Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Mr. Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Mr. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

Smashing Web Apps: Applying Fuzzing to Web Applications and Web Services
Michael Sutton, Security Evangelist, SPI Dynamics

Fuzzing is not a new technique for vulnerability discovery yet it has been a highly successful black box testing technique arguably responsible for the majority of vulnerabilities that we see today. While fuzzing tools for network vulnerabilities have been around for some time, similar tools for web applications and web services are still in their infancy. In many ways, web applications are better suited for fuzzing. Web apps freely reveal information about expected user inputs, making the generation of (in)appropriate test cases far more streamlined, while web services go one step further by openly providing a structured blueprint for the data that is expected.

In this talk we will contrast fuzzing at the network and application layers. We will address some of the unique challenges faced when fuzzing web applications such as automating the identification of data structures and handling exception detection. Fuzzing will be broken into different categories including headers, methods, web services and AJAX. Included throughout, we will reveal open source applications that have been developed to automate the methodologies behind fuzzing web applications and services.

Michael Sutton is a Security Evangelist for SPI Dynamics, the expert in web application security. As Security Evangelist, Michael is responsible for identifying, researching and presenting emerging issues in the web application security industry. He is a frequent speaker at major information security conferences, has authored various whitepapers and is regularly quoted in the media on various information security topics.

Prior to joining SPI Dynamics, Michael was a Director for iDefense/VeriSign where he headed iDefense Labs. In this role, he was responsible for managing a team of world class researchers tasked with discovering original security vulnerabilities in hardware and software implementations. Other responsibilities included developing tools and methodologies to further vulnerability research, and managing the iDefense Vulnerability Contributor Program (VCP). Michael also established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda.

Michael has his Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) designations and is a member of Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Exploiting Similarity Between Variants to Defeat Malware
Andrew Walenstein, Research Scientist, Center for Advanced Computer Studies at the University of Louisiana at Lafayette

Most malicious programs that are seen by anti-malware companies are minor variations of some previously released version. This reuse of prior programs should be exploitable in defense. However, in order to do so, one must have an efficient and effective way of comparing new programs against a database of previously-seen versions. We present a method for measuring the similarity of malicious programs, which allows search against a database. It is adapted from text-based search, and uses scaled vectors of code feature frequencies. The method involves first disassembling the programs and then extracting features called n-grams and n-perms from the disassembled text. These features are then counted, and their histograms are scaled and then compared as vectors according to their cosine angle. The scaling is based on the frequency of the features within the database, with common features weighted less heavily. A small study illustrates that the approach is feasible at industrial scales (a database of tens of thousands of samples). False positive rates are also shown to be acceptable for anti-malware analysis. The potential impacts on malware analysis and automated detection are discussed.
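The comparison pipeline the abstract describes (n-gram and n-perm extraction, frequency-based scaling, cosine comparison, search against a database) can be sketched as follows. This is an added example, not the authors' tool: it assumes the programs are already disassembled into mnemonic lists, treats an n-perm as an n-gram with instruction order ignored, uses a smoothed inverse document frequency as the scaling (the abstract does not give the exact formula), and all sample sequences and names are constructed.

```python
import math
from collections import Counter

def ngrams(ops, n):
    """Ordered windows of n consecutive mnemonics."""
    return [tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)]

def nperms(ops, n):
    """n-grams with the order inside each window ignored, so a
    variant that merely swaps adjacent instructions still matches."""
    return [tuple(sorted(g)) for g in ngrams(ops, n)]

class SimilarityIndex:
    """Database of feature histograms, searched by cosine similarity."""

    def __init__(self, extract=nperms, n=2):
        self.extract, self.n = extract, n
        self.samples = {}          # sample name -> Counter of features
        self.doc_freq = Counter()  # feature -> number of samples containing it

    def add(self, name, ops):
        counts = Counter(self.extract(ops, self.n))
        self.samples[name] = counts
        self.doc_freq.update(counts.keys())

    def _scaled(self, counts):
        # Assumed scaling: smoothed IDF. Features common across the
        # database get a lower weight than rare ones.
        total = len(self.samples)
        return {f: c * (math.log((1 + total) / (1 + self.doc_freq[f])) + 1.0)
                for f, c in counts.items()}

    @staticmethod
    def _cosine(a, b):
        dot = sum(w * b[f] for f, w in a.items() if f in b)
        na = math.sqrt(sum(w * w for w in a.values()))
        nb = math.sqrt(sum(w * w for w in b.values()))
        return dot / (na * nb) if na and nb else 0.0

    def search(self, ops):
        """Return [(score, name), ...] for every sample, best match first."""
        query = self._scaled(Counter(self.extract(ops, self.n)))
        scored = [(self._cosine(query, self._scaled(c)), name)
                  for name, c in self.samples.items()]
        return sorted(scored, reverse=True)

# Constructed mnemonic sequences standing in for disassembled samples.
DATABASE = {
    "worm_a_v1": ["push", "mov", "sub", "xor", "mov", "call",
                  "test", "jz", "mov", "add", "call", "ret"],
    "dropper_b": ["push", "push", "call", "pop", "cmp", "jne",
                  "lea", "push", "call", "leave", "ret"],
    "benign_util": ["mov", "mov", "add", "cmp", "jl", "mov",
                    "inc", "jmp", "pop", "ret"],
}
# Constructed variant of worm_a_v1: xor/mov swapped and a nop inserted.
QUERY = ["push", "mov", "sub", "mov", "xor", "call", "nop",
         "test", "jz", "mov", "add", "call", "ret"]

def build_index(extract, n=2):
    index = SimilarityIndex(extract=extract, n=n)
    for name, ops in DATABASE.items():
        index.add(name, ops)
    return index

if __name__ == "__main__":
    for label, extract in (("n-grams", ngrams), ("n-perms", nperms)):
        print(label)
        for score, name in build_index(extract).search(QUERY):
            print(f"  {score:.3f}  {name}")
```

On this constructed data both feature types rank the earlier version first, and the n-perm score is the higher of the two because the instruction swap does not change an unordered window.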

Andrew Walenstein is a Research Scientist at the Center for Advanced Computer Studies at the University of Louisiana at Lafayette. He is currently studying methods for malware analysis, and brings in experience from the area of reverse engineering and human-computer interaction. He received his Ph.D. from Simon Fraser University in 2002.

Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process
AAron Walters, Senior Engineer, Komoku, Inc.
Nick Petroni, Jr

Recently, a growing amount of attention has been given to research and advancement in the area of volatile memory forensic analysis. Despite this increased attention, we have found that very few investigators feel they have the time, resources, or expertise to include volatile memory analysis in their digital investigation process. While some investigators, many of whom are faced with a backlog of cases, view volatile system memory as yet another "substance" that needs to be analyzed, we argue that volatile memory is a critical component of the digital crime scene. In this presentation, we will demonstrate the integral role of volatile memory analysis in the digital investigation process and how that analysis can be used to help address many of the challenges facing the digital forensics community. As part of this presentation, we will discuss the shortcomings of the popular tools and techniques currently used for live response. We will also release and discuss Volatools, a set of tools that can be integrated into the digital investigation process. The presentation will demonstrate how investigators can leverage the context found using Volatools to focus investigations with large volumes of evidence. Finally, for the technical audience, we will demonstrate the extraction of cryptographic key material from a volatile memory image that can then be used to access encrypted file systems without knowledge of the password.

AAron Walters is responsible for research and development projects in the area of volatile memory forensics. He was a founding member of 4tphi Research and formerly the Section Lead of BAE Advanced Detection (BAD) research group. AAron is co-developer of the Forensic Analysis ToolKit (FATKit) framework. He holds a M.S. in Computer Science and Information Assurance from Purdue University and has authored peer-reviewed journal and conference papers. While a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS), AAron started working in the area of digital forensics while suffering under Spaf. He also worked for Purdue's Security and Privacy group, which is responsible for campus incident response. He is currently a member of the Dependable and Secure Distributed Systems Lab.

Nick Petroni is a founding member and Senior Engineer at Komoku, Inc. He is lead developer of the Forensic Analysis ToolKit (FATKit) framework for volatile memory analysis. Nick holds a M.S. in Computer Science from the University of Maryland, College Park and is currently pursuing a Ph.D. in Computer Science at the University of Maryland. He has also formerly held positions at Secure Methods and in the Global Security Analysis Lab at IBM Research. Nick has authored peer-reviewed journal and conference papers and was one of the original developers of the first open-source implementation of the IEEE 802.1X specification. His current research is focused on runtime kernel integrity monitoring and volatile memory forensics.

GS and ASLR in Windows Vista
Ollie Whitehouse

The following presentation is in two parts: the first covers aspects of Microsoft's GS implementation and usage. The second is a complementary section dealing with ASLR in Windows Vista, its implementation and some surprising results...

Part I Synopsis:
GS is a Visual Studio compiler option that was introduced in Visual Studio 2002 to mitigate the local stack variable overflows that resulted in arbitrary code execution. The following paper details the methods Symantec used to assess which binaries within Windows Vista 32bit leveraged GS as a defensive mechanism. This paper presents the results of this analysis, the techniques that have been developed, and supporting material. The results in this paper are from the 32bit RTM release of Microsoft Windows Vista.

Part II Synopsis:
Address Space Layout Randomization (ASLR) is a mitigation technique designed to hinder the ability of an attacker to achieve arbitrary code execution when exploiting software vulnerabilities. As the name implies, ASLR involves placing a computer program and its associated memory at random locations, either between reboots or executions, to hinder the attacker's ability to reliably locate either their shell code or other required data. This paper is the result of a brief analysis of the implementation of ASLR within Microsoft Windows Vista 32bit RTM, conducted by Symantec's Advanced Threat Research.

Ollie Whitehouse has worked in information security both as a consultant and researcher. This has included being employed by companies in a variety of industries ranging from financial services to telecommunications. Mr Whitehouse originally created Delphis Consulting's security practice in 1999. Mr Whitehouse joined @stake Inc in 2000 as a Managing Security Architect before becoming European Technical Director in 2004. After Symantec's acquisition of @stake Inc in 2004 Mr Whitehouse continued as Technical Manager for its professional services division in London until 2005. In mid 2005 he took a full time research role with Symantec Research Labs in Government research. Mr Whitehouse subsequently moved to Symantec's Response division joining its Advanced Threats Research team specializing in mobile platforms and related technologies.

Mr. Whitehouse has previously published research on the security of mobile telecommunication networks, mobile devices and Bluetooth. In addition he has also discovered numerous security vulnerabilities in a wide range of desktop and server applications. His previous research has led him to present at CanSecWest, RuxCON, UNCON and Chaos Communication Camp among others.

Web Application Incident Response and Forensics: A Whole New Ball Game!
Chuck Willis, Principal Consultant, MANDIANT
Rohyt Belani, CISSP

Web applications are normally the most exposed and the most easily compromised part of an organization's network presence. This combination requires that organizations be prepared for web application compromises and have an efficient plan for dealing with them. Unfortunately, traditional techniques for forensics and incident response do not take into account the unique requirements of web applications. The multi-level architecture, business criticality, reliance on major database and middleware software components, and custom nature of web applications all create unique challenges for the security professional. Responding to a web application attack brings many unique issues, often with no clear right and wrong answers, but this talk will provide useful information to guide attendees down this bumpy path.

Chuck Willis is a Principal Consultant with MANDIANT, a full spectrum information security company in Alexandria, Virginia, where he concentrates in incident response, computer forensics, tool development and application security. Prior to joining MANDIANT, Chuck performed security software engineering, penetration testing, and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Chuck holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings USA, the IT Underground security conference in Europe, and DefCon. Chuck has contributed to several open source security software projects and is a member of the Open Web Application Security Project, a Certified Information Systems Security Professional, and a Certified Forensic Computer Examiner. Chuck's past presentations are available on his Website.

Rohyt Belani, CISSP
During the last 6 years in the information security business, Rohyt Belani has held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone and Researcher at the US-CERT. His expertise encompasses the areas of network and application security.

Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, Hack In The Box, and several forums catering to the FBI and US Secret Service agents. He currently co-teaches a class at Carnegie Mellon University and has been invited to guest lecture at the University of Wisconsin.

As an industry expert he has opined on security issues via columns for online publications like Securityfocus and SC magazine, and interviews with BBC UK Radio. He is also a contributing author for Osborne's Hack Notes - Network Security, as well as Addison Wesley's Extrusion Detection: Security Monitoring for Internal Intrusions.

Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project, a world-wide consortium of Java security experts.

360° Anomaly Based Unsupervised Intrusion Detection
Stefano Zanero, Partner and CTO, Secure Network

In this talk, after briefly reviewing why we should build a good anomaly-based intrusion detection system, we will briefly present two IDS prototypes developed at the Politecnico di Milano for network and host based intrusion detection through unsupervised algorithms. We will then use them as a case study for presenting the difficulties in integrating anomaly based IDS systems (as if integrating usual misuse based IDS system was not complex enough...). We will then present our ideas, based on fuzzy aggregation and causality analysis, for extracting meaningful attack scenarios from alert streams, building the core of the first 360° anomaly based IDS.

Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is currently spending his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and was awarded a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

(c) 1996-2007 Black Hat