Black Hat Briefings & Training Europe 2004

Black Hat Europe 2004 Conference Overview

Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

De-Perimeterisation - Border Security Is Obsolete - The Security Challenge For This Decade
Paul Simmonds, Global Information Security Director (CISO), Jericho Forum/ICI Plc.

The days of the corporate network, completely isolated with a well secured outer shell are long gone; yet we continue to cling to this model.

Global networks with no borders offer the potential of substantial savings in communications costs, maximum network agility and instant connectivity for clients and partners.

Can you secure this incredibly compelling business model, and provide a long-term business case for security where security contributes to the corporate bottom line and the CISO is seen to be a true partner in corporate strategic thinking?

What does business need from its suppliers to make this a feasible reality?

What do you need to be doing now to achieve this goal?

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI, working for the CIO Office in London.

Prior to joining ICI he spent a short time with a high-security European web hosting company as Head of Information Security, and before that seven years with Motorola, again in a global information security role. Paul is also a founding member of the Jericho Forum, a pan-global grouping of corporate companies working to define the issues and benefits of operating in a de-perimeterised environment.

In his career he has worked with many external agencies, including the FBI, Scotland Yard, Wiltshire Computer Crime and Wiltshire Child protection. He has also been directly involved in two successful criminal prosecutions, giving evidence in one case.

Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication and is also a qualified kayak coach. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites.

He is married with three children and a very understanding wife and in the little spare time that he has teaches canoeing and runs charity radio stations.


DKOM (Direct Kernel Object Manipulation)
Jamie Butler, Director of Engineering, HBGary, LLC

This talk will address insecurities in the current implementation of today's operating systems. Because of the lack of exclusive access to kernel objects used to track privileges, report processes, and do auditing, rootkits and other subversive programs can modify them without detection in many cases. Obscurity is no longer enough! Corporations and some private consumers have tried to secure themselves by buying third party products. However, these products are not enough to prevent an attacker using the DKOM method. DKOM writes directly to memory without calling the kernel functions used to protect these objects thus bypassing the protection mechanisms of the kernel and third party tools such as HIPS (Host Intrusion Prevention Systems).

Jamie Butler is the Director of Engineering at HBGary specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Root-kit Technologies." Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. He holds a MS in Computer Science from the University of Maryland, Baltimore County. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention; buffer overflows; and reverse engineering. Jamie is also a contributor at


Security Patches Management On A Windows Infrastructure
Patrick Chambet, Sr. Consultant, Edelweb SA (ON-X Group)
Eric Larcher,
CSO, Accor Services

Patch management is an absolute necessity nowadays: a few years ago, CSOs only had to patch their Internet-exposed servers, but now, because of fast-spreading worms, they have to regularly patch every workstation in their network. Moreover, the speed of worms imposes a very short delay between a patch's release and its application on all computers, typically a few hours.

In these conditions, this presentation will first present some useful tools that are available today, and will study in detail Microsoft Software Update Services (MSUS), the new free tool from Microsoft for managing Windows security patches, with its advantages, its weaknesses and its points of failure. The inner workings of MSUS will be presented.

Secondly, this presentation will present some elements of strategy for deploying a working patch management architecture in a typical company, based on the speakers' own tests and experience: from the test network to the deployment of patches with multi-level server replication.

Patrick Chambet is a Senior Consultant at Edelweb SA (ON-X Group), a leading French company in the IT security domain. With 8 years of experience in this domain, he is an expert in the security of Windows NT/2000/XP/2003 architectures, and in security audits and pen tests.

He has managed many engagements in highly secured environments, including classified ones, and has led numerous audits and pen tests for large companies in several sectors.

He regularly speaks at international conferences in Europe (INFOSEC France, EUROSEC, SPIRAL Luxembourg, SSTIC, …) and North Africa (JIA). He teaches IT security in French universities, and frequently writes articles in French-language professional magazines. He took part in the creation of a new magazine about IT security in France, called “MISC”, read in Europe and Canada.

He is also an active member of the eXperts team led by Nicolas Fischbach, and of the rstack team led by Laurent Oudot.

More information on his personal website:

Eric Larcher is Chief Security Officer of Accor Services, a Division of the Accor Group, worldwide leader in Hotels and Services.

He regularly speaks at international conferences in Europe (such as EUROSEC). He has published a book about IT security in France ("L'Internet sécurisé", Eyrolles) and several articles in French-language publications (L'Informatique Professionnelle, Confidentiel Securite, etc.). He also teaches IT security in French universities.

Eric Larcher is a member of CLUSIF and OSSIR. He is also a member of the executive board of the "Cercle Europeen de la Securite".



Reverse Engineering ARM Based Devices
Job de Haas, Technical Director, ITSX

As embedded devices become more and more critical, reverse engineering them becomes more important too. This talk will look at the specifics of reverse engineering ARM code. First a short general overview will be given of the specifics of an ARM processor and the typical aspects of its instruction set. By examining examples from different devices and compilers, patterns will be examined that can facilitate understanding the code.

As many devices also employ ARM/DSP combo chips, a side step will be made to these devices and to aspects of reversing TI 320C54x DSP code and how it integrates with the ARM processor.

Finally some real-life ARM reverse engineering will be shown, including how improvements in products can be tracked through reverse engineering, especially when researching the use of security mechanisms in devices.

Job de Haas got involved in the area of Internet and security in 1991, during his studies in Electrical Engineering, when he responded to Internet providers' offers to hack their sites and win a free account. Following post-graduate studies in Control Engineering and three years of work in aerospace robotics at the Netherlands National Aerospace Laboratory, he worked for DigiCash, where he acquired experience in the cryptographic techniques used in secure, anonymous payment systems for the Internet. Now, after leading ITSX for five years, Job has moved to the position of Technical Director, where he leads and supervises the penetration testing teams.


Smartphone Security Issues
Luc Delpha, Manager Cyber Risk Consulting, Cyber Networks
Maliha Rashid, Security Consultant, Cyber Networks

Mobile phones are becoming more and more like computers today, resulting in smartphones that combine processing power with always on connectivity to the Net.

Mainstream availability makes these devices potentially dangerous to the enterprise, extending the information system beyond the frontiers of the traditional trusted perimeter. This presentation discusses the security issues surrounding the use of these devices.

After an introduction to the functionalities and architecture of smartphones (Symbian…), attendees of this presentation will have an overview of the technical risks associated with smartphone connectivity to wireless networks (Bluetooth, GPRS…) and malicious mobile code (Java MIDP) amongst others.

Legal issues on the European level will then be addressed, with a focus on the legal limits on controlling the use of such devices, and the share of legal responsibility. 

Smartphones bring new challenges to the security of the enterprise. This presentation will help attendees take into account both the technical and legal challenges in securing the enterprise, and conclude with a proof-of-concept demo.

Luc Delpha is a Consultant Manager at Cyber Risk Consulting, a French consultancy specialised in Information Systems Security. Cyber Risk Consulting is part of Cyber Networks, itself a leader in Information Systems Security on the French market, with proven experience in mobility and wireless security architectures and issues.

Luc Delpha has extensive experience in the field of cyber security, advising various government organisations and financial institutions on complex security issues and architectures. He was previously CSO of Citizentrade (financial portal-broker).

Today he leads a team of consultants working on security projects ranging from security audits, pen-testing, risk assessment, disaster recovery plans, security policy and Public Key Infrastructure to wireless and mobility issues, as well as security architecture design and Netscoring© through a partnership with Marsh.

Maliha Rashid is the author of white papers on PDA and smartphone security. As a Consultant in Information Systems Security with Cyber Risk Consulting, she performs pen-tests, audits and risk assessments and works on security policies, with a focus on the security issues raised by emerging mobile and wireless technologies.


Old win32 Code For A Modern, Super-Stealth Trojan
Eric Detoisien
Eyal Dotan

In this presentation, we'll show a combination of known Win32 programming techniques often used in legitimate software, but which can very well serve Trojan horses. By using these techniques, Trojan horses can quite easily become stealthy and adapt to even the most secure environments.

We'll assume an ultra-secure environment where the user who launched the Trojan horse has limited local privileges, has a desktop firewall, and a firewall on the network. HTTP is assumed to be the only way of connecting to the outside world; be it through an authentication-based HTTP proxy, a simple HTTP proxy or simply a direct HTTP connection.

We also assume that the attacker knows nothing about the target network, and hence the Trojan horse has to use only generic methods (no attack on, or dependency on, any specific software or registry keys), and no use of vulnerabilities of any kind. The Trojan has to be autonomous and find out by itself about the network's infrastructure: the servers and protocols used for connecting to the outside world, and possibly passwords.

To evade anti-virus signature detection, the Trojan will integrate an auto-update feature allowing it to be constantly modified by the attacker(s).

Note that we will not get into the details of inserting the Trojan horse into the target machine— this is usually a matter of fooling the users, using social engineering, or using vulnerabilities (which depends on the exact moment the Trojan is used).

Eric Detoisien is a security expert who currently works for a French bank. His previous experience was in penetration testing, security consulting and training for various companies.

He is (co)-author of several articles for the french security magazine MISC. He is involved in a team called rstack composed of security addicts and geeks. Several of his projects are available on the web site

Eyal Dotan
A citizen of Israel, Eyal Dotan studied at the University of California Santa Cruz and at EPITA (Computer School for Advanced Technologies), Paris, France. Since the early 90's, he has been designing and developing new virus protection technologies.

Eyal is the author of the DVP technology included in ViGUARD, an award-winning signature-less virus protection software, and has participated in numerous conferences, including the Virus News International Conference ("New techniques for fighting macro viruses", Paris, France, 1997) and INFOSEC ("New antiviral technology for fighting unknown viruses", Paris, France, 1998). Eyal researches alternative and innovative virus protection techniques, based on the challenge of finding the most basic security rules for preventing both simple and complex malicious code at once, without using "black-lists". He is the author of several US and European patents in the domain of security software. He developed the first ever macro white-list certification system, and authored the first versions of the IN-DEFENSE anti-virus software.

Along with his Israel-based R&D team, he has been working on a brand new, ground-breaking anti-malware technology over the last years, while heading the research & development department of ViGUARD at TEGAM International. Eyal also lectures on "Computer security, viruses and malicious code" at EPITA, one of the most renowned computer schools in France.


What To Do With Your Router Once You Get It
Stephen Dugan, CCSI

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.


Security Within A Development Lifecycle
Eli O

Security is a process, not a product. This talk discusses how to improve your product by improving your development process with a focus on security. Broad in scope and non-technical in nature, the talk shares the presenter's insights and challenges the audience to improve the security and quality of the software they write.

Eli O has been working in the computer industry for fifteen years, and has been active in the security community for over ten years. He has worked at large operating system manufacturers, world-renowned credit card processors, and global security companies. Working in a QA capacity has given him the opportunity to discover and help fix dozens of vulnerabilities before the software was deployed in the real world.


Hide 'n' Seek? - Anatomy of Stealth Malware
Gergely Erdelyi, Antivirus Researcher, F-Secure Corporation

As much as stealth malware seemed to fade away with the DOS era, it might make a loud comeback in modern-day trojans.

Stealth features have been adapted to the Windows world and show up more and more often in new malware. Coupled with the excessive complexity of modern operating systems, this means malicious programs can hide using very simple methods.

In the presentation I examine stealth techniques starting from simple tricks to dissection of several kernel-based rootkits. The paper mainly concentrates on Windows NT user and kernel space stealth code but some Windows 9x related topics are also covered.

The last part discusses possible ways of detection, either by programs (e.g. antivirus) or by manual inspection.
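
The C program below is an added example, not code from this talk or from Jamie Butler's DKOM talk above; it simulates in user space what both abstracts describe. A process object is hidden the DKOM way, by writing the neighbours' link fields directly instead of calling any "kernel" function, and a detector then finds it by cross-view comparison: every object recorded in the allocation table must also be reachable from the list head, and a live object whose links are not reciprocated by its neighbours is a second tell-tale sign. The `struct proc` layout, the allocation table used as the second view, and the PIDs are stand-ins chosen for the example; no real kernel structure is touched.

```c
/* Added example: user-space simulation of Direct Kernel Object
 * Manipulation (DKOM) and of cross-view detection. The structures are
 * stand-ins for kernel-maintained, doubly-linked object lists. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8

/* Stand-in for a kernel process object: the links the "kernel" walks
 * when it reports processes, plus an identifier. */
struct proc {
    struct proc *flink;   /* forward link (next object) */
    struct proc *blink;   /* backward link (previous object) */
    int pid;
    char name[16];
};

/* Two views a detector can compare: the linked list that process
 * enumeration walks, and the allocation table where every live object
 * is recorded (standing in for e.g. a handle table or a pool scan). */
static struct proc head;                 /* list head sentinel */
static struct proc pool[MAX_PROCS];      /* allocation table (second view) */
static int pool_used;

void kernel_init(void) {
    head.flink = head.blink = &head;
    pool_used = 0;
}

/* The sanctioned path: the "kernel API" that records and links objects. */
struct proc *kernel_create_process(int pid, const char *name) {
    if (pool_used >= MAX_PROCS) return NULL;
    struct proc *p = &pool[pool_used++];
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->name[sizeof p->name - 1] = '\0';
    p->flink = &head;                    /* insert at tail */
    p->blink = head.blink;
    head.blink->flink = p;
    head.blink = p;
    return p;
}

/* What a process lister sees: walk the list from the head. */
int list_view_count(void) {
    int n = 0;
    for (struct proc *p = head.flink; p != &head; p = p->flink) n++;
    return n;
}

int list_view_contains(int pid) {
    for (struct proc *p = head.flink; p != &head; p = p->flink)
        if (p->pid == pid) return 1;
    return 0;
}

/* DKOM: no kernel function is called. The rootkit writes the two
 * neighbours' link fields so the victim drops out of the walk while the
 * object itself keeps running. Its own links are left untouched, which
 * is the common pattern and one of the signs checked below. */
void dkom_hide(struct proc *victim) {
    victim->blink->flink = victim->flink;
    victim->flink->blink = victim->blink;
}

/* Cross-view detection: every object in the allocation table must be
 * reachable from the list head. Returns the number of hidden objects
 * and stores their PIDs in hidden_pids. */
int cross_view_detect(int *hidden_pids, int max) {
    int hidden = 0;
    for (int i = 0; i < pool_used; i++) {
        if (!list_view_contains(pool[i].pid)) {
            if (hidden < max) hidden_pids[hidden] = pool[i].pid;
            hidden++;
        }
    }
    return hidden;
}

/* Second sign: a live object whose neighbours do not point back at it. */
int links_inconsistent(const struct proc *p) {
    return p->flink->blink != p || p->blink->flink != p;
}

int main(void) {
    kernel_init();
    kernel_create_process(4, "System");
    struct proc *rk = kernel_create_process(1337, "rootkit");
    kernel_create_process(2048, "explorer");

    printf("before: %d processes listed\n", list_view_count());
    dkom_hide(rk);
    printf("after DKOM: %d listed, pid 1337 visible=%d\n",
           list_view_count(), list_view_contains(1337));

    int hidden[MAX_PROCS];
    int n = cross_view_detect(hidden, MAX_PROCS);
    printf("cross-view: %d hidden, first pid %d, links inconsistent=%d\n",
           n, n ? hidden[0] : -1, links_inconsistent(rk));
    return 0;
}
```

The point of the comparison is that the list walk and the allocation table are maintained by different code paths; a rootkit that patches only one of them leaves a discrepancy that no signature is needed to spot.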

Gergely Erdelyi works in the Antivirus Research Team for F-Secure Corporation. He has been chasing computer viruses since 1996. His primary interest as a researcher is in binary malware on W32 & GNU/Linux and network security.

He has authored a couple of papers about computer malware and has done presentations in security conferences.


Practical Win32 and UNICODE Exploitation
FX, Phenoelit

This talk will cover:

  • Vulnerabilities in wide char environments
    • Stack based buffer overflows
    • Format strings
  • Return address selections
    • UNICODE selectable
    • SEH return
    • A generic return address solution
  • Shellcode in UNICODE
    • Simple stack run
    • Venetian shell code
  • Annual Phenoelit Ø-Day release
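
As an added example (not part of FX's talk material), the C program below shows the mechanics behind the first three bullet groups: how an ASCII overflow string is expanded to UTF-16LE, why a return address must be "UNICODE selectable" (of the form 0x00XX00YY) to survive that expansion, and how to compute the bytes to send so that the expanded payload in memory matches a Venetian, null-interleaved shellcode image. The expansion handles 7-bit ASCII only; what a real code-page conversion does with bytes of 0x80 and above is not modelled here, and the candidate gadget addresses in `main` are made-up values.

```c
/* Added example: ANSI-to-Unicode expansion and what it does to overflow
 * payloads. Only 7-bit ASCII is modelled; bytes >= 0x80 are treated as
 * lost (assumption; the real result depends on the code page). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Expand an 8-bit string the way an ANSI->Unicode conversion does for
 * ASCII: each byte b becomes the pair b, 0x00. Returns bytes written. */
size_t expand_ascii_utf16le(const uint8_t *in, size_t n,
                            uint8_t *out, size_t cap) {
    size_t w = 0;
    for (size_t i = 0; i < n && w + 2 <= cap; i++) {
        uint8_t b = in[i] < 0x80 ? in[i] : '?';  /* non-ASCII: assumed lost */
        out[w++] = b;
        out[w++] = 0x00;
    }
    return w;
}

/* A 32-bit return address survives expansion only if its little-endian
 * bytes are b0 00 b2 00 with b0, b2 non-zero and below 0x80, i.e. the
 * address reads 0x00XX00YY. Those addresses are "UNICODE selectable". */
int unicode_selectable(uint32_t addr) {
    uint8_t b0 = addr & 0xff,         b1 = (addr >> 8) & 0xff;
    uint8_t b2 = (addr >> 16) & 0xff, b3 = (addr >> 24) & 0xff;
    return b1 == 0 && b3 == 0 && b0 != 0 && b0 < 0x80 && b2 != 0 && b2 < 0x80;
}

/* Pick the first usable address from a list of candidate gadget
 * locations the attacker has collected. */
int pick_return_address(const uint32_t *cands, size_t n, uint32_t *chosen) {
    for (size_t i = 0; i < n; i++)
        if (unicode_selectable(cands[i])) { *chosen = cands[i]; return 1; }
    return 0;
}

/* Inverse problem for shellcode: given the bytes that must land in
 * memory, compute the ASCII to send so that expansion reproduces them.
 * Only Venetian patterns (every odd byte 0x00, every even byte a non-zero
 * 7-bit value) are reachable; returns 0 for anything else. */
int unexpand(const uint8_t *want, size_t n, uint8_t *send, size_t cap) {
    if (n % 2 || n / 2 > cap) return 0;
    for (size_t i = 0; i < n; i += 2) {
        if (want[i + 1] != 0x00 || want[i] == 0x00 || want[i] >= 0x80) return 0;
        send[i / 2] = want[i];
    }
    return 1;
}

int main(void) {
    uint8_t in[] = { 'A', 'B' }, out[8];
    size_t w = expand_ascii_utf16le(in, sizeof in, out, sizeof out);
    printf("expanded to %zu bytes:", w);
    for (size_t i = 0; i < w; i++) printf(" %02x", out[i]);
    printf("\n");

    /* constructed candidates: a typical DLL address and a selectable one */
    uint32_t cands[] = { 0x7c341234u, 0x00410041u }, chosen = 0;
    printf("selectable=%d chosen=0x%08x\n",
           pick_return_address(cands, 2, &chosen), chosen);
    return 0;
}
```

The same expansion is why wide-character stack overflows are easy to get wrong in both directions: a bound passed in bytes to a function that counts wchar_t elements lets twice the intended data through, and an attacker's payload arrives in memory at twice its length with a null after every byte, which is what the Venetian technique works around.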

FX is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.


Building an Early Warning System in a Service Provider Network
Nicolas Fischbach, Senior Manager, European Network Security Engineering, COLT Telecom & Co-founder Sécurité.Org

Service Provider networks and systems are, by definition, a forced point of transit for most of the attacks we see nowadays on the Internet.

Combining data from exposed systems (like DNS and SMTP servers), BGP updates, NetFlow accounting, uRPF, ACLs and interface counters helps to build a baseline of the network's behaviour and to detect activities like DDoS attacks, worms, covert channels, hacked systems, open proxies, etc. This can even be compared to a high-bandwidth, distributed, low-cost IDS.

To improve the quality of the anomaly detection one can add sensors in the network, mainly composed of low-interaction honeypots and sinkholes. Additional deployments, like honeybots (running DDoS zombies in a sandbox to gather attack data) and honeyrouters (to catch people hunting for BGP-speaking routers), are more resource intensive but broaden the scope of the EWS.

Such an approach is not CAPEX/OPEX intensive, and comes with nearly zero impact on the infrastructure thanks to the re-use of data and statistics that are already available from monitoring, security and management systems. When combined with real-time traffic diversion techniques, the macroscopic view (high-level flows and anomalies) can become a microscopic one (full header and payload).

Most of these concepts and ideas also apply to internal IT networks and can be really helpful when it comes to detecting rogue activities like worm outbreaks or unusual traffic flows.
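
One concrete form of the baseline-and-anomaly idea, as an added example with constructed flow records (this is not the talk's code and not COLT's data; addresses, ports and packet counts are made up): NetFlow-style records from a "normal" window are used as the baseline, and two of the behaviours the abstract lists are flagged in the current window, a DDoS (one destination suddenly reached from many more distinct sources than its baseline) and a worm (one source fanning out to many destinations on a single port).

```c
/* Added example: baseline-versus-current anomaly checks over NetFlow-
 * style records. All data below is constructed for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct flow {
    const char *src;
    const char *dst;
    int dport;
    int pkts;
};

/* Baseline window: ordinary traffic to the mail and DNS servers. */
static const struct flow baseline[] = {
    { "10.1.1.5", "192.0.2.25", 25, 40 },
    { "10.1.2.9", "192.0.2.25", 25, 12 },
    { "10.1.1.5", "192.0.2.53", 53,  9 },
    { "10.1.3.3", "192.0.2.53", 53,  7 },
};

/* Current window: a flood against the DNS server from many sources, and
 * one internal host probing port 445 across the network. */
static const struct flow current[] = {
    { "10.1.1.5",     "192.0.2.53", 53,   8 },
    { "198.51.100.1", "192.0.2.53", 53, 900 },
    { "198.51.100.2", "192.0.2.53", 53, 870 },
    { "198.51.100.3", "192.0.2.53", 53, 910 },
    { "198.51.100.4", "192.0.2.53", 53, 880 },
    { "198.51.100.5", "192.0.2.53", 53, 895 },
    { "10.1.2.9",     "192.0.2.25", 25,  11 },
    { "10.1.7.7",     "10.1.0.1",  445,   1 },
    { "10.1.7.7",     "10.1.0.2",  445,   1 },
    { "10.1.7.7",     "10.1.0.3",  445,   1 },
    { "10.1.7.7",     "10.1.0.4",  445,   1 },
    { "10.1.7.7",     "10.1.0.5",  445,   1 },
    { "10.1.7.7",     "10.1.0.6",  445,   1 },
};
#define NB (sizeof baseline / sizeof baseline[0])
#define NC (sizeof current / sizeof current[0])
#define MAX_DISTINCT 64

/* Count distinct addresses among flows matching a filter. With
 * match_dst set: distinct sources talking to match_dst. Otherwise:
 * distinct destinations reached by match_src on dport. Windows are
 * small, so a linear "seen" list is enough. */
static int count_distinct(const struct flow *f, size_t n,
                          const char *match_dst, const char *match_src, int dport) {
    const char *seen[MAX_DISTINCT];
    int k = 0;
    for (size_t i = 0; i < n; i++) {
        const char *val;
        if (match_dst) {
            if (strcmp(f[i].dst, match_dst)) continue;
            val = f[i].src;
        } else {
            if (strcmp(f[i].src, match_src) || f[i].dport != dport) continue;
            val = f[i].dst;
        }
        int dup = 0;
        for (int j = 0; j < k; j++) if (!strcmp(seen[j], val)) { dup = 1; break; }
        if (!dup && k < MAX_DISTINCT) seen[k++] = val;
    }
    return k;
}

int distinct_sources_to(const struct flow *f, size_t n, const char *dst) {
    return count_distinct(f, n, dst, NULL, 0);
}

int fanout_of(const struct flow *f, size_t n, const char *src, int dport) {
    return count_distinct(f, n, NULL, src, dport);
}

/* DDoS check: flag dst when its current distinct-source count exceeds
 * `factor` times the baseline and also a floor, so an idle baseline does
 * not alarm on two sources. */
int ddos_suspect(const char *dst, int factor, int floor) {
    int base = distinct_sources_to(baseline, NB, dst);
    int now  = distinct_sources_to(current, NC, dst);
    return now > factor * base && now >= floor;
}

/* Worm check: flag src when it reaches at least `threshold` distinct
 * destinations on one port within the window. */
int scanner_suspect(const char *src, int dport, int threshold) {
    return fanout_of(current, NC, src, dport) >= threshold;
}

int main(void) {
    printf("192.0.2.53 ddos=%d  192.0.2.25 ddos=%d\n",
           ddos_suspect("192.0.2.53", 2, 4), ddos_suspect("192.0.2.25", 2, 4));
    printf("10.1.7.7 scanner=%d  10.1.1.5 scanner=%d\n",
           scanner_suspect("10.1.7.7", 445, 5), scanner_suspect("10.1.1.5", 53, 5));
    return 0;
}
```

The distinct-source and fan-out counts are the same quantities an operator would derive from exported NetFlow, which is why the approach costs nothing extra on the routers; the thresholds are the part that has to be tuned per network.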

Nicolas Fischbach is a Senior Manager, in charge of the European Network Security Engineering team at COLT Telecom, a leading pan-European provider of end-to-end business communications services.

He holds an Engineer degree in Networking and Distributed Computing and is a recognized authority on Service Provider infrastructure security and denial-of-service attacks mitigation.

Nicolas is co-founder of Sécurité.Org a French speaking portal on computer and network security, of eXperts, an informal security research group and of the French chapter of the Honeynet project.

He has presented at numerous technical and security conferences, teaches networking and security courses at various universities and engineering schools, and is a regular contributor to the French security magazine MISC.

More details and contact information on his homepage.


Introduction to Embedded Security
Joe Grand, President & CEO, Grand Idea Studio, Inc.

The design of secure hardware is often overlooked in the product development lifecycle, leaving many devices vulnerable to hacker attacks resulting in theft of service, loss of revenue, or a damaged reputation. Many times, products must be redesigned after a harmful incident, which raises overall development costs and increases time-to-market. This paper focuses on general concepts for secure hardware design coupled with practical examples. Topics in this talk include recommendations on incorporating security into the product development cycle, attack and threat models, and design solutions for enclosure, circuit board, and firmware layers.

Joe Grand is the President and CEO of Grand Idea Studio, a product design and development firm that brings unique inventions to market through intellectual property licensing. Many of his creations, including consumer electronics, medical products, video games and toys, are sold worldwide.

A recognized name in computer security and electrical engineering, Joe’s pioneering research on product design and analysis, mobile devices, and digital forensics is published in various industry journals. He is the author of Hardware Hacking: Having Fun While Voiding Your Warranty (Syngress Publishing, ISBN 1-932266-83-6), and a co-author of Hack Proofing Your Network (Syngress Publishing, ISBN 1-928994-70-9) and Stealing The Network (Syngress Publishing, ISBN 1-931836-87-6).

Joe has testified before the United States Senate Governmental Affairs Committee on the state of government and homeland computer security, and is a former member of the legendary hacker think-tank L0pht Heavy Industries. He has presented his work at numerous academic, industry, and private forums, including the United States Naval Post Graduate School Center for INFOSEC Studies and Research, the United States Air Force Office of Special Investigations, the USENIX Security Symposium, and the IBM Thomas J. Watson Research Center. Joe holds a BSCE from Boston University.


Introduction to Mobile Device Insecurity
Joe Grand, President & CEO, Grand Idea Studio, Inc.

Mobile devices, particularly PDAs, have numerous security weaknesses and are wide open to attack due to their widespread implementation and current lack of a decent security framework. Although well known in the security industry to be insecure, PDAs are ubiquitous in enterprise environments and are being used for such applications as one-time-password generation, storage of medical and company confidential information, and e-commerce. It is not enough to assume all users are conscious of computer security and it is crucial to understand the risks of using portable devices in a security infrastructure.

This talk serves as an introduction into the classes of problems in mobile devices and provides detail into specific scenarios, security weaknesses, and mitigation recommendations related to data protection, malicious code, and virus storage and propagation. The practical examples provided in this session will focus on Palm OS devices. Additionally, users and developers can use the research presented as a model to gain a deeper understanding of the security risks PDAs and other portable devices introduce.


The Art of Defiling: Defeating Forensic Analysis on Unix File Systems
the grugq

The rise in prominence of incident response and digital forensic analysis has prompted a reaction from the underground community. Increasingly, attacks against forensic tools and methodologies are being used in the wild to hamper investigations. This talk will: familiarize the audience with Unix file system structures; examine the forensic tools commonly used, and explore the theories behind file system anti-forensic attacks. In addition, several implementations of new anti-forensic techniques will be released during the talk.

Anti-forensics has cost the speaker one job. This material has never been presented in the North American continent because anti-forensics scares the feds. Find out why.

The grugq has been researching anti-forensics for almost 5 years. Grugq has worked to secure the networks and hosts of global corporations, and he has also worked for security consulting companies. His work as a security consultant was cut short by the publication of an article on anti-forensics. Currently, he slaves for a start-up, designing and writing IPS software.

Grugq has presented to the UK's largest forensic practitioner group, where he scared the police. In his spare time, grugq likes to drink and rant.


Pseudorandom Number Generation, Entropy Harvesting, and Provable Security in Linux
Seth Hardy, Tsumego Foundation

Many efficient methods of generating "good" random numbers exist in the literature of mathematics and theoretical computer science. One particular method of generating good randomness is to use "extractors": functions (often constructed from expander graphs) which transform "bad" randomness (i.e. data with little entropy per bit, or randomness that is poorly distributed) into "good" randomness (of a provable level of security) with the additional input of only a small number of truly random bits.

This talk will cover the mathematical background behind pseudorandom number generation, including concepts such as entropy and what "good" and "bad" randomness actually mean. Once the appropriate background has been presented, the talk will move from the world of theory to that of practice, demonstrating how these concepts can be used for the purpose of pseudorandom number generation. Specifically, the current /dev/{,u}random PRNG for Linux will be discussed and compared to the new /dev/erandom PRNG, which uses these extractors.

Entropy harvesting will also be covered; the work on /dev/erandom prompted a number of improvements to the entropy harvesting methods used in the Linux kernel. The new framework for entropy harvesting will be demonstrated, and the advantages (specifically flexibility and extensibility) of the new method will be covered.
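
As an added example (this is not the talk's /dev/erandom code, and the parameters are chosen for illustration), the C program below runs a toy extractor on a deliberately bad 8-bit source and measures the result exactly rather than by sampling. The source has only 5 random bits, all in the low positions, so "taking the top bits" yields a constant. The extractor is a 3x8 Toeplitz matrix over GF(2) keyed by a 10-bit seed, a family that is 2-universal, so the leftover hash lemma guarantees that the statistical distance of the output from uniform, averaged over seeds, is at most 0.5*sqrt(2^m/2^k) = 0.5*sqrt(8/32) = 0.25. The program enumerates every seed and every source value and checks that guarantee.

```c
/* Added example: a Toeplitz (2-universal) extractor on a bad source,
 * with the leftover hash lemma bound computed exactly by enumeration. */
#include <stdint.h>
#include <stdio.h>

#define N_IN  8                              /* input bits */
#define M_OUT 3                              /* output bits */
#define K_MIN 5                              /* min-entropy of the source */
#define N_SEEDS (1u << (N_IN + M_OUT - 1))   /* 10-bit seed */

/* The bad source: 32 equally likely values whose high 3 bits are always
 * 101. Only the low 5 bits carry entropy. */
uint8_t bad_source_sample(int r) { return (uint8_t)(0xA0 | (r & 0x1f)); }

static int parity8(uint8_t v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return v & 1; }
static double absd(double v) { return v < 0 ? -v : v; }

/* Row i of the Toeplitz matrix is seed bits i..i+7; output bit i is the
 * GF(2) inner product of that row with x. */
uint8_t toeplitz_extract(uint16_t seed, uint8_t x) {
    uint8_t out = 0;
    for (int i = 0; i < M_OUT; i++)
        out |= (uint8_t)(parity8((uint8_t)((seed >> i) & 0xff) & x) << i);
    return out;
}

/* What a naive implementation might do instead: keep the top 3 bits. */
uint8_t naive_top_bits(uint8_t x) { return x >> (N_IN - M_OUT); }

/* Statistical distance between an empirical 3-bit distribution and
 * the uniform distribution on 8 values. */
double stat_dist(const int counts[1 << M_OUT], int total) {
    double sd = 0.0;
    for (int y = 0; y < (1 << M_OUT); y++)
        sd += absd((double)counts[y] / total - 1.0 / (1 << M_OUT));
    return sd / 2.0;
}

/* Average over all seeds of SD(h_seed(X), U_3) for the bad source X. */
double extractor_avg_sd(void) {
    double sum = 0.0;
    for (uint32_t s = 0; s < N_SEEDS; s++) {
        int counts[1 << M_OUT] = {0};
        for (int r = 0; r < (1 << K_MIN); r++)
            counts[toeplitz_extract((uint16_t)s, bad_source_sample(r))]++;
        sum += stat_dist(counts, 1 << K_MIN);
    }
    return sum / N_SEEDS;
}

/* The naive output is a constant, so its distance from uniform is 7/8. */
double naive_sd(void) {
    int counts[1 << M_OUT] = {0};
    for (int r = 0; r < (1 << K_MIN); r++)
        counts[naive_top_bits(bad_source_sample(r))]++;
    return stat_dist(counts, 1 << K_MIN);
}

/* Leftover hash lemma bound 0.5*sqrt(2^(m-k)); k-m is even here, so the
 * square root is an exact power of two (assumption of this example). */
double leftover_hash_bound(void) {
    return 0.5 / (double)(1 << ((K_MIN - M_OUT) / 2));
}

int main(void) {
    printf("naive top-bits SD   = %.4f\n", naive_sd());
    printf("extractor average SD = %.4f (bound %.4f)\n",
           extractor_avg_sd(), leftover_hash_bound());
    return 0;
}
```

Individual seeds can be bad (the all-zero seed maps everything to 0), which is why the seed must be truly random and why the lemma speaks about the average; the small seed is the "few truly random bits" the abstract mentions.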

This talk is meant to help bridge the gap between theory and practice in the realm of cryptography and computer security. Although all of the concepts will be presented with mathematical rigor, no prior knowledge of the subject is required. The talk is structured such that people who are new to the subject will be able to learn a lot, while those familiar with the introductory concepts being presented will still be able to get much from the details.

Seth Hardy is currently a member of a prominent cryptography research group at a well-known university. In general, his research in the area of cryptology can be viewed from two different but related sides. On the side of computer science, he has worked on a number of projects including crypto libraries developed for the European Union and a distributed elliptic curve cracker. On the side of mathematics, his attention has mostly been on optimization of cryptosystems and cryptanalysis through combinatorics and coding theory, although recently he has made the move to research of pseudorandom number generation (and its more theoretical applications) from a complexity-theoretic standpoint.

Mr. Hardy is involved in a number of other side projects, including being a founding member of the Tsumego Foundation, a private research group and think tank specializing in cryptology, provably secure cryptosystems, steganography, and integration of the above into real-world systems.


Privacy Rights Management Using DRM: Is This A Good Idea?
Larry Korba, National Research Council of Canada

While there are growing concerns about how to manage citizen privacy, currently there are no established technology solutions that meet privacy regulations. Certainly XML and other schemas have been developed to express privacy rights. But how can those rights be managed or enforced? This talk examines the prospect of using a digital rights management approach to manage individual data privacy. In the talk, the Privacy Principles, derived from the EU Data Directives, are explained, then analysed in terms of the effectiveness and practicality of using a rights management approach for maintaining the principles. What works, as well as the key technical challenges of using DRM for privacy rights management, is described, along with other challenges associated with taking an intellectual property approach to privacy regulations.

This talk will be of interest for those who wish to learn about the technical challenges of creating privacy enhancing technologies that meet legal requirements. While not absolutely necessary, it would be great if audience members know a bit about the privacy principles based upon the EU data directives, and the basics (and especially the controversies) behind digital rights management.

Larry Korba is a researcher and the group leader of the Network Computing Group in the Institute for Information Technology of the National Research Council of Canada. He is currently involved in several projects related to security and privacy. An active researcher, having published over 100 papers in research journals and conference proceedings, his current research interests include privacy enhancing technologies, agent-based security, network security and privacy, especially as applied to computer supported collaborative work.


Oracle PL/SQL Injection
David Litchfield, Founder, Next Generation Security Software

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine who voted him as 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft, Oracle).

David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world leading vulnerability research and the continued development of cutting edge security assessment software, David has also written or co-authored a number of security related titles, including "SQL Server Security", "The Shellcoder's Handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle".

The Keys to the Kingdom – Understanding Covert Channels
Russ Rogers, Chief Technical Officer, Security Horizon

Security professionals see the compromise of networked systems on a day to day basis. It’s something they’ve come to expect. The blatant exploitation of operating systems, applications, and configurations is a common event and is taken into account by most security engineers. But a different type of security compromise threatens to crumble the underlying security of the modern organization.

There are forms of communication that transfer sensitive data outside of organizations every day. Covert channels are used to move proprietary information in and out of commercial, private, and government entities on a daily basis. These covert channels include steganography, covert network channels, data file header and footer appending, and alternate data streams. Media to be covered include images, audio files, TCP covert channels, word substitution mechanisms, the Windows file system and others. We'll also look at how the Internet has created a perfect haven for the safe use of covert channels.

This presentation will show the attendees common means of covert communication by hiding information through multiple means. Examples of encoding and transmission techniques will be covered. We'll cover the actual formats of each file and how the insertion of hidden data affects each channel. The attendees will also learn about the tell-tale signs that indicate a covert channel. A comparison of common tools and methods will be examined and attendees should expect to walk away having the base knowledge required to conduct more in-depth research into the topic of covert channels. Information on the most popular tools and modern research projects will also be presented.
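As an added example, not part of the presentation or any of its tools, here is a check for one of the tell-tale signs of file footer appending: bytes sitting after a JPEG's End-Of-Image marker. The marker walk and the two sample byte strings are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Returns the number of bytes found after the JPEG End-Of-Image marker
 * (FF D9), 0 for a clean file, or -1 if the buffer is not a parseable
 * JPEG. Segments are walked from the front, because searching backwards
 * for the last FF D9 would be fooled by an FF D9 inside the appended
 * payload itself. */
long jpeg_trailing_bytes(const uint8_t *buf, size_t len) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                                   /* no SOI marker */
    size_t i = 2;
    while (i + 1 < len) {
        if (buf[i] != 0xFF)
            return -1;                               /* expected a marker */
        uint8_t m = buf[i + 1];
        if (m == 0xD9)
            return (long)(len - (i + 2));            /* EOI: rest is extra */
        if (m == 0xFF) { i++; continue; }            /* fill byte */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD8)) { i += 2; continue; }
        if (i + 3 >= len)
            return -1;
        size_t seglen = ((size_t)buf[i + 2] << 8) | buf[i + 3];
        if (seglen < 2 || i + 2 + seglen > len)
            return -1;                               /* truncated segment */
        i += 2 + seglen;
        if (m == 0xDA)                               /* SOS: skip scan data */
            while (i + 1 < len && !(buf[i] == 0xFF && buf[i + 1] != 0x00 &&
                                    !(buf[i + 1] >= 0xD0 && buf[i + 1] <= 0xD7)))
                i++;
    }
    return -1;                                       /* ran out without EOI */
}

/* Constructed samples (not real images): a minimal marker skeleton with a
 * stuffed FF 00 inside the scan, with and without an appended payload. */
static const uint8_t k_appended[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x02,
    0xFF,0xDA,0x00,0x02, 0x12,0xFF,0x00,0x34, 0xFF,0xD9, 'h','i','d','d','e','n' };
static const uint8_t k_clean[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x02,
    0xFF,0xDA,0x00,0x02, 0x12,0xFF,0x00,0x34, 0xFF,0xD9 };

long demo_appended(void) { return jpeg_trailing_bytes(k_appended, sizeof k_appended); }
long demo_clean(void)    { return jpeg_trailing_bytes(k_clean, sizeof k_clean); }
```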

Russ Rogers is the CEO and CTO of Security Horizon, a Colorado Springs based information security professional services firm and is a technology veteran with over 12 years of technology and information security experience. He has served in multiple technical and management information security positions that include Manager of Professional Services, Manager Security Support, Senior Security Consultant and Unix Systems Administrator. Mr. Rogers is a United States Air Force Veteran and has supported the National Security Agency and the Defense Information Systems Agency in both a military and contractor role. Russ is also an Arabic Linguist. He is a certified instructor for the National Security Agency’s INFOSEC Assessment Methodology (IAM).

When the Tables Turn

Until now network security defences have largely been about building walls and fences around the network. This talk revolves around spiking those walls & electrifying those fences! During this talk we will highlight techniques (and tools) that can be used to turn the tables on prospective attackers with passive Strike-Back. We will explore the possibilities across the assessment spectrum, responding to the standard assessment phases of Intelligence Gathering, Reconnaissance & Attack with Disinformation, Misdirection, Camouflage, Obfuscation & Proportional Response.

Roelof Temmingh is the technical director of SensePost, where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of Perl code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many international conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is one of SensePost's senior technical specialists. He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including Black Hat Briefings. Haroon doesn’t drink tea or smoke camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

HTTP Fingerprinting and Advanced Assessment Techniques
Saumil Udayan Shah, Director, Net-Square Solutions

This talk discusses some advanced techniques in automated HTTP server assessment which overcome efficiency problems and increase the accuracy of the tools. Two of the techniques discussed here are web and application server identification, and HTTP page signatures. Web and application server identification allows discovery of the underlying web server platform, despite it being obfuscated, and of other application components which may be running as plug-ins. HTTP page signatures allow for advanced HTTP error detection and page grouping. A few other HTTP probing techniques shall be discussed as well. A free tool, HTTPRINT, which performs HTTP fingerprinting, shall be released along with this presentation.

Saumil Shah continues to lead the efforts in e-commerce security research and software development at Net-Square. He is the co-author of "Web Hacking: Attacks and Defense", published by Addison Wesley. He has more than eight years of experience with network security and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences worldwide such as BlackHat, RSA, etc.

Previously, Saumil held the position of Director of Indian operations with Foundstone Inc. in the US, and a senior consultant with Ernst & Young's Information Security Services. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member for their Management Development Programmes.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He also holds a CISSP certification. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

Dynamic Detection and Prevention of Race Conditions in File Accesses
Eugene Tsyrklevich, CTO, Security Architects

Race conditions in filesystem accesses occur when sequences of filesystem operations are not carried out in an isolated manner. Incorrect assumptions about filesystem namespace access isolation allow attackers to elevate their privileges without authorization by changing the namespace bindings between one operation and the next. To address this security issue, we propose a mechanism for keeping track of all filesystem operations and the possible interferences that might arise between them. If a filesystem operation is found to be interfering with another operation, it is temporarily suspended, allowing the process that first accessed the file object to proceed, thereby reducing the size of the time window in which a race condition exists. The above mechanism is shown to be effective at stopping all realistic filesystem race condition attacks known to us with minimal performance overhead.

Eugene Tsyrklevich is Chief Technical Officer for Security Architects, a security company based in London specializing in advanced security solutions. Eugene has an extensive security background ranging from designing and implementing Intrusion Prevention Systems to training people in research, corporate, and military environments. Eugene holds both a Bachelor's and a Master's degree in Computer Science from the University of California, San Diego.

Windows WaveSEC Deployment
Paul Wouters, in close collaboration with NLnetlabs, RIPE NCC and the FreeSwan Project

Paul Wouters has been involved with Linux networking and security since he co-founded the Dutch ISP "Xtended Internet" back in 1996. His first article about network security was published in LinuxJournal in 1997. Since then, he has written mostly for the Dutch spin-off of the German "c't magazine", focussing on Linux, networking and the impact of the digital world on society. He has presented papers at SANS, OSA, CCC and HAL.

He is currently involved with the FreeS/WAN project, a Linux IPsec stack that aims to bring Opportunistic Encryption to everyone. For this feature, a secure DNS is needed, which triggered his interest in assisting the widespread use of DNSSEC. Wouters received his Bachelor's degree in Education in 1993.

Detecting Ø-days Attacks With Learning Intrusion Detection Systems
Stefano Zanero, Politecnico di Milano University, Milano, Italy

Traditional anomaly-based intrusion detection systems, relying on pattern matching and static signatures, are not really able to keep up with the creation of new forms of attacks, particularly zero-day attacks. In this talk we will analyze the problem, and present new types of misuse detection systems, based on unsupervised learning techniques, that can complement traditional IDS systems well and help detect zero-day attack techniques and various other misbehaviours. A proof of concept based on our current research prototypes will also be presented.

Stefano Zanero, M.S. in Computer Engineering, graduated "cum laude" from the Politecnico di Milano with a "Laurea" (M.S.) thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Department of Electronics and Information of the same university. Among his current research interests, besides anomaly-based IDSs, are the performance of security systems, grid computing and advanced clustering techniques. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery). He has participated in national and international conferences. He is the author of the weekly "Security Manager's Journal" column on Computer World Italy, and has recently been awarded a journalistic prize. He also runs a small network and information security consulting company.

(c) 1996-2007 Black Hat