rss feed link header graphic

Black Hat DC 2009 Briefings Speakers

Hyatt Regency Crystal City • February 16-17

Speakers and Topics

Register Button

capitol dome at night

Ryan C. Barnett

WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Ryan C. Barnett is the Director of Application Security Research at Breach Security. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."

Cesar Cerrudo

SQL Server Anti-Forensics

This presentation is about how SQL Server can be attacked leaving as few evidence as possible, so in case someone suspects of a possible incident then the techniques used in the attack will make forensics investigation harder because lack of tracks or confusing tracks. While this presentation is focused on Anti-Forensics, forensics techniques for SQL Server will be learned from the Anti-Forensics ones and from the concepts and theory explained. At the end it will be discussed of how to protect your servers against these attacks.

Cesar Cerrudo is the lead researcher for Application Security Inc’s Team SHATTER and is the founder and CEO of Argeniss (, a security consultancy firm based in Argentina. He is a security researcher and consultant specializing in application security. Regarded as a leading application security researcher, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database, application security, attacks and exploitation techniques and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec. HITB, Microsoft BlueHat, etc. Cesar collaborates with and is regulary quoted in print and online publications including eWeek, ComputerWorld, and other leading journals.

Matthew Flick

XSS Anonymous Browser

Current anonymous Internet browsing applications build dynamic routes using a network of willing hosts and layers of encryption along the route. The cross site scripting anonymous browser ("XAB") exploits vulnerable web sites/applications and victim browsers to build a network of drones. The intent of XAB is not to replace the current applications, such as Tor, but rather to provide an alternative that does not require willing participants and further stretches the functionality and intent of JavaScript and other browser technology.

Matt Flick has, for more than 8 years, developed his career in the information security industry, with expertise in application security and other areas within information security management, services, and auditing. Matt has worked with both commercial and federal government clients to help plan, develop, and assess their information security programs. Matt is currently a Principal with FYRM Associates Inc., an information security professional services organization, and a member of OWASP DC, ISACA and ISSA.

Trey Ford

Alternate Get Rich or Die Trying - "Making Money on The Web, The Black Hat Way"

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills—all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service. You may have heard these referred to as business logic flaws, but the name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Complicate this further—IDS cannot detect them and Web application firewalls can’t block them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.

Trey Ford is the director of solutions architecture at WhiteHat Security, providing vision to customers, partners, and prospects on website security initiatives. Mr. Ford also spearheads WhiteHat’s participation in the PCI Standards Council and assists customers in navigating regulatory bodies. With a consulting background in risk assessment and regulatory compliance, Mr. Ford is a frequent speaker at industry events, and is frequently quoted in media publications. Prior to WhiteHat, Trey served as compliance practice lead at FishNet Security.

Xinwen Fu

One Cell is Enough to Break Tor's Anonymity

Tor is a real-world, circuit-based low-latency anonymous communication network, supporting TCP applications over the Internet. In this talk, we will present a new class of attacks, protocol-level attacks, against Tor. Different from existing attacks, these attacks can confirm anonymous communication relationships quickly and accurately by manipulating one single cell and pose a serious threat against Tor. In protocol-level attacks, a malicious entry onion router may duplicate, modify, insert, or delete cells of a TCP stream from a sender. The manipulated cells traverse middle onion routers and arrive at an exit onion router along a circuit. Because Tor uses the counter mode AES (AES-CTR) for encrypting cells, the manipulated cells disrupt the normal counter at exit onion routers and decryption at the exit onion router incurs cell recognition errors, which are unique to the investigated protocol-level attacks. If an accomplice of the attacker at the entry onion router also controls the exit onion router and recognizes such cell recognition errors, the communication relationship between the sender and receiver will be confirmed. Protocol-level attacks can also be used for launching the denial-of-service (DoS) attack to disrupt the operation of Tor. We systematically analyze the impact of these attacks. We have implemented these attacks on Tor and our experiments validate their effectiveness and efficiency. We also present guidelines for defending against such attacks.

Xinwen Fu is an assistant professor in the Department of Computer Science, University of Massachusetts Lowell. He has been teaching classes on software security, intrusion detection, digital forensics and basic computer security stuff. The presentations from Black Hat Briefings are his favorite class materials. He tried his best to demonstrate those tricks to students. "Hack Proofing Your Network" was the textbook for his classes, software security and intrusion detection. Dr. Fu's current research interests are in network security and privacy. He has been building systems, and hacking kernels and systems through his research. He believes that hacking plays a key role in making systems secure.

Travis Goodspeed

Reversing and Exploiting Wireless Sensors

Wireless sensors will soon be part of many industrial, military, and home networks. Of the various networking protocols—Zigbee, ISA100, Wireless HART, 6LowPAN, and others--none has yet become a definitive standard. Neither have vendors standardized upon a given operating system, compiler, or microcontroller. Users of these sensor networks are often given no command-line, no internal documentation, and no access to the internals of each device.

This lecture provides a thorough introduction to reverse engineering such devices, both in hardware and in software. Along the way, plenty of methods of exploiting and patching them will be covered.

Travis Goodspeed is a neighborly fellow from Knoxville in Southern Appalachia. He has spoken at ToorCon 9 and the Texas Instruments Developer's Conference regarding stack overflow exploits of the MSP430-based wireless sensor networks. At Black Hat 2008, he demonstrated a timing attack which allows confidential code to be extracted from recent revisions of the chip. Having demonstrated that such attacks are possible, his present research is aimed at porting defense techniques to low-power embedded systems.

Vincenzo Iozzo

Let Your Mach-O Fly

Mac OS X is starting to spread among users, as such new exploitation techniques have to be discovered. Even if a lot of interesting ways of exploitation on OSX were presented in the past, the lack of anti-forensics techniques is clear. The talk is focused on an in memory injection technique. Specifically how it is possible to inject into a victim's machine any kind of binaries ranging from your own piece of code to real applications like Safari. This is accomplished without leaving traces on the hard disk and without creating a new process, since the whole exploitation is performed in memory. If an attacker is able to execute code in the target machine, it is possible to run this attack instead of a classic shellcode and to use it as a trampoline for higher-lever payloads. Other similar payloads like meterpreter or meterpretux exist but none of them is able to run on Mac OS X. Besides many of those techniques require to run specific crafted binaries, that way precompiled applications are left out from the possible range of payloads.

Vincenzo Iozzo is a student at the Politecnico di Milano where he does some research regarding malware and IDS. He is involved in a number of open source projects, including FreeBSD due to Google Summer of Code. He also works as a security consultant for Secure Network, an Italian company, and as a reverse engineer for Zynamics.

Prajakta Jagdale

Blinded by Flash: Widespread Security Risks Flash Developers Don't See

In this presentation I will examine the Flash framework and then delve into the Flash security model and the transitions it has undergone over the years. To explore the avenues of compromise in the security model, I will use a test Flash application and demonstrate various attack vectors including Cross-Site Request Forgery, data injection and script injection. During this demonstration, I will explain the associated threats in detail and discuss means to mitigate these threats. Even though the test application validates the attack surface, the question remains: how many applications actually deployed are vulnerable to these threats? I will answer this question by providing astonishing statistics about vulnerable, real world applications I was able to find using simple Google queries.

Prajakta Jagdale is a Research Engineer with the HP Web Security Research Group. Prajakta focuses on automated discovery of Web application vulnerabilities and crawling technologies. Her current research efforts are concentrated towards identifying security risks associated with RIA technologies. This research involves developing innovative techniques to enable automated web assessment tools to crawl and analyze RIA applications through the use of both static source code analysis and dynamic runtime analysis.

Dan Kaminsky

DNS 2008 and the New (old) Nature of Critical Infrastructure


Dan Kaminsky is the Director of Penetration Testing for Seattle-based IOActive, where he is greatly enjoying having minions. Formerly of Cisco and Avaya, Dan was most recently one of the "Blue Hat Hackers" tasked with auditing Microsoft's Vista client and Windows Server 2008 operating systems. He specializes in absurdly large scale network sweeps, strange packet tricks, and design bugs.

William Kimball

Emulation-based Software Protection Providing Encrypted Code Execution and Page Granularity Code Signing

We present an original emulation-based software protection scheme providing protection from reverse code engineering (RCE) and software exploitation using encrypted code execution and page-granularity code signing, respectively. Protection mechanisms execute in trusted emulators while remaining out-of-band of untrusted systems being emulated. This protection scheme is called SecureQEMU and is based on a modified version of Quick Emulator. RCE uncovers the internal workings of a program. It is used during vulnerability and intellectual property (IP) discovery. To protect from RCE program code may have anti-disassembly, anti-debugging, and obfuscation techniques incorporated. These techniques slow the process of RCE, however, once defeated protected code is still comprehensible. Encryption provides static code protection, but encrypted code must be decrypted before execution. SecureQEMUs' scheme overcomes this limitation by keeping code encrypted during execution. Software exploitation leverages design and implementation errors to cause unintended behavior which may result in security policy violations. Traditional exploitation protection mechanisms provide a blacklist approach to software protection. Specially crafted exploit payloads bypass these protection mechanisms. SecureQEMU provides a whitelist approach to software protection by executing signed code exclusively. Unsigned malicious code (exploits, backdoors, rootkits, etc.) remain unexecuted, therefore, protecting the system.

William Kimball has a M.S. in Cyber Operations from the Air Force Institute of Technology, a B.S. in Computer Science from the University of Dayton, and is currently a research assistant for the Center for Cyberspace Research. Kimball is the developer of Fylasso Antivulnerability, ShellDeny, L.E.V.I. (released BlackHat U.S. 06), the Vulnerability Discovery Framework and SecureQEMU. Kimball has spoken at BlackHat, ISSA, Ohio Information Security Group, Ohio Academy of Science and has briefed the Air Force Scientific Advisory Board, Swedish Defense Ministry, and other U.S. military and government officials.

Paul Kurtz

Keynote: The Move from Strategic Indecision to Leadership in Cyberspace

Paul Kurtz will address the most pressing challenges the US government and private sector face in cyberspace and define top priorities for the next few years.

Paul B. Kurtz is a recognized cyber security and homeland security expert. He served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush and is currently an on-air consultant to CBS News. Mr. Kurtz advises clients on cyber-security and homeland security issues. He joins Good Harbor after serving as the founding Executive Director of the Cyber Security Industry Alliance (CSIA), an advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems through public policy, technology, education and awareness. Prior to joining CSIA, Mr. Kurtz most recently was special assistant to the President and senior director for critical infrastructure protection on the White House's Homeland Security Council (HSC), where he was responsible for both physical and cyber security. Before joining HSC in 2003, Mr. Kurtz served on the White House's National Security Council (NSC) as senior director for national security of the Office of Cyberspace Security and a member of the President's Critical Infrastructure Protection Board, where he developed the international component of the National Strategy to Secure Cyberspace. Previously, he was a director for counterterrorism in the NSC's Office of Transnational Threats from 1999–2001. Prior to his White House work, Mr. Kurtz served in several bureaus in the State Department, specializing in weapons of mass destruction non-proliferation policy and strategic arms control. He also served as political advisor to Operation Provide Comfort in Incirlik, Turkey, and as science attaché in Vienna, Austria. He participated in several arms control inspection teams, traveling to Iraq and North Korea. Mr. Kurtz received his bachelor's degree from Holy Cross College and his master's degree in International Public Policy from Johns Hopkins University's School of Advanced International Studies

Brian Krumheuer

QuietRIATT: Rebuilding the Import Address Table Using Hooked DLL Calls

For a Reverse Engineer, rebuilding a large Import Address Table (IAT) can be a very time-consuming and tedious process. When the IAT has been sufficiently hashed and current IAT rebuilders fail to resolve any of the calls, there is little other choice than to rebuild it by hand. Depending on the size, it can take days or even weeks. Also, doing anything by hand is prone to mistakes.

QuietRIATT is an IDA Pro plug-in which automates the process of rebuilding the IAT when it can’t be done by current IAT tools. Not only can it greatly reduce the amount of time spent rebuilding by hand, it also removes the element of human error.

Brian Krumheuer is a Reverse Engineer for the Software Security Team at Riverside Research Institute. He worked for over eight years in IT and Software Development before entering the field of Reverse Engineering. Currently, he plays a vital role on the team by developing many ring-3 and ring-0 reverse engineering tools for both Windows and Linux. He has also helped create an instructional course on Reverse Engineering.

Jason Raber serves as the technical lead for the Riverside Research Institute Red Team which provides government and commercial entities with specialized software security support. Focus areas include:Reverse Engineering:Specializes in extracting intellectual property from a broad spectrum of software. This includes user applications, DLLs, drivers, OS kernels, and firmware. The software can be based on a variety of platforms (Windows/Linux/Mac/Embedded etc). Malware/Virus/RootKit Analysis:Identifies and analyzes intrusion software to characterize and/or neutralize the threat. Jason has spent 8 years in the world of reverse engineering, preceded by 5 years working at Texas Instruments developing Compiler tools for DSPs (code generators, assemblers, linkers, disassemblers, etc). Developing C compilers for 5 years prior to reverse engineering has provided a good foundation for understanding machine language and hardware to be utilized in reverse engineering tasks.

Adam Laurie

Satellite Hacking for Fun and Profit

Ever wondered just how much data and how many services are being beamed down at you from space right now? We all know there are thousands of channels out there, but how can we make sense of them all? How can we find the stuff "they" don't want us to know about? Is there any such stuff? What can we do with it once we've found it? Will we go blind, like mother told us?

Adam Laurie Adam Laurie is a freelance security consultant working the in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. He is the author and maintainer of the open source python RFID exploration library 'RFIDIOt', which can be found at

Andrew Lindell

Making Privacy-Preserving Data Mining Practical with Smartcards

Data mining provides large benefits to the commercial, government and homeland security sectors, but the aggregation and storage of huge amounts of data about citizens inevitably leads to erosion of privacy. To achieve the benefits that data mining has to offer, while at the same time enhancing privacy, we need technological solutions that simultaneously enable data mining while preserving privacy. This need has been recognized by the US government, as can be seen in the February 2008 report on data mining by the Office of the Director of National Intelligence (see pages 9-12). In this presentation, we demonstrate surprisingly simple and extraordinarily efficient protocols for a number of non-trivial tasks related to privacy-preserving data mining. Our protocols use standard smartcards and standard smartcard infrastructure, and are the first truly practical solutions for these problems that provide strong security guarantees.

Andrew Lindell is the Chief Cryptographer at Aladdin Knowledge Systems and an Assistant Professor at Bar-Ilan University in Israel. Andrew attained a Ph.D. at the Weizmann Institute of Science in 2002 and spent two years at the IBM T.J.Watson research lab as a Postdoctoral fellow in the cryptography research group. Andrew has carried out extensive research in cryptography, and has published more than 50 conference and journal publications, as well as an undergraduate textbook on cryptography and a book detailing secure protocols. Andrew has presented at numerous international conferences, workshops and university seminars, and has served on program committees for top international conferences in cryptography. In addition to Andrew's notable academic experience, he joined Aladdin Knowledge Systems in 2004. In his position as Chief Cryptographer, he has worked on the cryptographic and security issues that arise in the design and construction of authentication schemes, smartcard applications, software protection schemes and more. Offering a unique combination of academic and industry experience, Andrew brings a fresh and insightful perspective on many of the crucial security issues that arise today.

David Litchfield

The Forensic Investigation of a Compromised Oracle Database Server

Database Forensics expert David Litchfield will discuss his new tool and paper. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence. Orablock can also be used to locate "stale" data - i.e. data that has been deleted or updated. It can also be used to dump SCNs for data blocks which can be useful during the examination of a compromised Oracle box.

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Chief Scientist of Next Generation Security Software Ltd.

Moxie Marlinspike

New Techniques for Defeating SSL/TLS

This presentation will demonstrate some new tools and techniques that allow attackers to silently alter, inject, and log traffic intended for secure transmission by SSL/TLS in common web applications such as online banking or secure webmail logins. It builds off of the SSL exploit tools and research on the failure of browsers to validate BasicConstraints that I published in 2002, and will include demonstrations of a new tool for exploiting current use patterns as well as some data gathered from field testing in the real world.

Moxie Marlinspike has shied away from the professional security community since its emergence, and tends to hang out with the wrong crowd instead. He's a fellow at the Hack The Planet Institute of Pittsburgh, and in his spare time he rides freight trains across the country or sails derelict boats across oceans.

Michael Muckin

Windows Vista Security Internals

This presentation will describe in detail some of the specific changes in Windows Vista's security internals. Focus is on actual security modules and functions relevant to authentication, passwords, network communications and IPSec enhancements. The primary purpose of this presentation is to provide the audience with an overview of what these changes entail, the knowledge necessary to modify existing or craft new tools, and to explore and understand the risks present within the new security architecture. Potential areas of vulnerability will be presented and discussed in detail. These changes were primarily discovered through a lot of research, security testing and reverse engineering tasks and will be presented in this context. This talk is NOT about DEP, ASLR and other enhancements in Vista that have already been adequately covered elsewhere. The main benefits of application of this knowledge will fall into the post-exploitation arena.

Michael Muckin is the Team Lead for the Lockheed Martin Security Engineering Test Team where he regularly performs penetration tests, vuln research, reverse engineering, product assessments and other various security tasks. Prior to LM, Michael worked at Foundstone as a Managing Principal Consultant and at Microsoft as a Security Services Specialist for the Enterprise Services group.

Duc Nguyen

Your Face Is NOT Your Password

Biometrics has nowadays been of universal interest and has been developed and used for many purposes such as for the detection of criminals and undesirables, identification and access control. Within this paper, we would like to concern about Facial Cognitive Biometric Systems and their application in User Authentication Based on Face Recognition.

Lenovo, Asus, and Toshiba are known as the first three big computer manufacturers to put that technology into practical use and to bring about greater convenience for their customers. The one question to ask is whether such technology is really safe and secure for its users to enjoy.

My research, which is concluded in this paper, will prove that the mechanisms used by those three vendors haven’t met the security requirements needed by an authentication system and that they cannot wholly protected their users from being tampered.

Mr. Duc Nguyen is senior researcher of Bkis. He is the manager of the Application Security Department. He also takes part in developing Bkav Anti-Virus and Bkav Firewall, the most well-known security software in Vietnam. His responsibilities cover both technical and management aspects of studies on network security and security vulnerability research. He is also an instructor of Bkis Security Training Course for Banks, ISPs... in Vietnam./p>

Warren Roberts

Alternate: Transparent Emergency Data Destruction

Transparent Emergency Data Destruction allows a user to destroy information quickly and discreetely when facing an adversary. When the computer is booted, the user will be prompted for a password. In the event of an emergency, the user can enter a duress password, which will render their data inaccessible before booting to a discreet desktop environment.

The proof of concept is done in Ubuntu Linux. It uses a standard full disk encryption utility, a read-only installation of the basic operating system, and modified boot scripts. The time spent destroying data is negligible compared to the time it takes to boot the operating system, and the performance penalties during operation are minor.

Warren Roberts is a research scientist with the Institute for Information Security (ISEC) at the University of Tulsa. He started out with ISEC's research into Risk-Adaptive Access Control, but has moved on to spear-head the research into Transparent Emergency Data Destruction.

Peter Silberman

Snort My Memory

For almost a decade Network Intrusion Detection Systems (NIDS) have been a critical technology used by network security professionals to identify attacks against their infrastructure. There are numerous sources producing signatures for the latest malware outbreak or “Patch Tuesday” exploit. In many circumstances, these network-based indicators exist in host memory and can be detected using the same signatures that are used in NIDS products. This presentation introduces a method for using these network-based signatures to identify hosts with malware or shellcode present using memory forensic analysis techniques. The benefits of using snort signatures in memory are: malware may not have sent the strings over the network yet; and malware that encrypts strings over the network may have decrypted strings in memory prior to calling into some encryption library. The talk concludes with the introduction of MindSniffer, a new tool that converts a Snort IDS signature to a Memoryze™ filter. The demo uses existing signatures, converts them to filters and shows how these filters can identify malware or potential shellcode in live system memory or acquired memory images.

Peter Silberman works at MANDIANT on the product development team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Although he is college educated, Peter does not believe formal education should interfere with learning

Val Smith, Colin Ames

Dissecting Web Attacks

Attackers have been increasingly using the web and client side attacks in order to steal information from targets. Some of the more interesting and wide spread attacks seem to be originating from countries like China and Russia. This talk will describe some of these attacks in detail including how they are achieving large numbers of penetrations, their web infrastructures and some of the mistakes they have made which have allowed us to track them back further. This information will provide some evidence as to where these attacks are truly originating from and what their purposes are.

Val Smith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on a variety of problems in the security community. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Attack Research which is devoted to deep understanding of the mechanics of computer attack. Previously Valsmith founded Offensive Computing, a public, open source malware research project.

Colin Ames is a security researcher with Attack Research LLC where he consults for both the private and public sectors. He's currently focused on Pen testing, Exploit Development, Reverse Engineering, and Malware Analysis.

Michael Sutton

A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage

As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as persistent cookies, Flash storage and Google Gears. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given we application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting.

Michael Sutton

Rafal Wojtczuk & Joanna Rutkowska

Attacking Intel® Trusted Execution Technology

We describe what Intel® TXT is, how it works, and how it can be used to build more secure systems. We also show, however, weaknesses in current TXT implementations and how they can be practically exploited. We will show a working exploit code against tboot - Intel®'s implementation of trusted boot process for Xen and Linux.

Rafal Wojtczuk has 10 years experience with computer security. He has found vulnerabilities in popular operating systems and virtualization software. He has published articles on advanced exploitation techniques, among others about exploiting buffer overflows in partially randomized address space environment. He is also the author of libnids, a low-level packet reassembly library. In July 2008 he joined Invisible Things Lab, the company known for research in hypervisor security.

Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted multiple times by international press and she is also a frequent speaker at security conferences around the world. In 2007 she founded Invisible Things Lab, a boutique security consulting company focusing on OS and virtualization systems security.

Paul Wouters

Defending Your DNS in a Post-Kaminsky World

The Kaminsky bug sent everyone scrambling to fix their DNS. Or did it? While nearly all of the big DNS providers have taken measures, most of the smaller players are still vulnerable. People are afraid to make changes to their DNS infrastructure, and although the world is moving towards DNSSEC, that will not be reality for at least another two years.

Contrary to popular belief, the IETF is not leaving people in the dark until they adopt DNSSEC. It has come up with some viable workarounds that can be deployed. This presentation will teach the counter measures that can be taken with minimal changes to currently deployed DNS infrastructure. And heck, we'll even explain Bernstein's dnscurve.

Paul Wouters is often involved with cryptography, digital rights and cypherpunk projects. He co-founded "Xtended Internet", one of the first the Dutch ISP's back in 1996. In 2003 he co-founded Xelerance, a company specialised in VPN technology that develops and maintains "Openswan", the Linux IPsec software. He has been involved with the deployment of DNSSEC worldwide, and is an active IETF and RIPE contributor. In 2006 he published "Building and integrating Virtual Private Networks with Openswan". He currently maintains various cryptographic software and DNS related packages for Red Hat's Fedora and RHEL Linux, including the popular Instant Messenger encryption software "Off the Record". If not travelling, he can regularly be found at Toronto's HackLab collective.

Stefano Zanero

Alternate: Masibty: A Web Application Firewall Based on Anomaly Detection

During this talk we will focus on why current web application firewalls and IPSs are basically useless, since they are misuse based (e.g. rely on rules). Since misuse detectors are unable to keep up with evolving attack schemes, evasion techniques, and custom applications, better anomaly detectors are badly needed. Masibty is an anomaly detection reverse proxy, aimed at detecting web application attacks. It is able to detect zero-day attacks (the real thing, not a marketing-tainted redefinition) after an initial live training which does not require attack-free data. Modularized for easy extension, in its current implementation it is able to detect and block anomalies in the DOM tree - therefore blocking XSS attacks - and in application parameters. It is resilient to URL rewriting, and it was tested against in-the-wild exploits collected from the usual sources over a number of months, with the use of various forms of evasion.

Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is an Assistant Professor. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association), for which he sits in the International Board of Directors. He has also been a columnist for Computer World Italy, and has been awarded a journalism award in 2003. Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Earl Zmijewski

Defending Against BGP Man-In-The-Middle Attacks

At DEFCON 16, Alex Pilosov and Tony Kapela presented a new BGP attack in which traffic to a victim is hijacked, but then transparently routed to the intended recipient. This allows for wholesale eavesdropping, including alteration, of all incoming traffic to the victim. In this talk, we review enough BGP routing background to understand the threat and how it breaks the trust model inherent in Internet routing. Then we review possible detection mechanisms via data aggregation from global route collection. The tip-off to such attacks includes prefix de-aggregation, invalid originations, invalid AS adjacencies, and even improbable AS paths. Detection techniques depend whether or not you know ground truth, i.e., if you are looking to defend your own network or simply observe such hijacks in the wild. We conclude with case studies of applying these techniques to global routing data.

Earl Zmijewski is responsible for all of Renesys's Internet Data software, services and operations. He has over 20 years of experience encompassing scientific computing and most areas of IT, with particular emphasis on networking and security. Before Renesys, Earl spent over 12 years as IT Director at Fluent Inc., a computational fluid dynamics software company, where he was instrumental in establishing new offices throughout the US, Europe and Asia and was the principal architect in the design of Fluent’s networks and Internet security posture. Before that, Earl held various academic positions at Cornell University, University of California, and James Madison University. Earl has a PhD and MS in Computer Science from Cornell University and an MS and BA in Mathematical Sciences from The Johns Hopkins University.

Black Hat Webcasts

Black Hat Social

About Black Hat | Privacy Policy | Sponsorship Inquiry | DEFCON | Black Hat Main RSS Feed