Black Hat Digital Self Defense Japan 2006

Black Hat Japan 2006 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Speakers

Keynote: Change in the Meaning of Threat and Technology...What are the Current Trends in Japan?
Mitsugu Okatani, Joint Staff Office, J6, Japan Defense Agency

As the Internet becomes a social framework, attacks and incidents with various intents have been actualized. As a result, previously unrelated organizations and groups have become actively engaged in discussions regarding threats and technology. In addition, they have begun to approach and actively engage in creating and implementing information security policies.

This session will cover the information security revolution in Japan, as seen from analysis of the attack models that have materialized, the changed meaning of threats, and their influences.

Mitsugu Okatani became a fighter pilot after joining the Japan Air Self-Defense Force in April 1980, then worked on the design, development and management of weapon systems as a development engineer. From October 1993 he was engaged in IT system development and information security projects in the Air Self-Defense Force as a project executive. He served in the Communications and Electronics Division of the Air Staff Office Defense Division, as Director of the Defense Agency Communication Division, and from April 2002 in the Office of Information Security at the Cabinet. He worked for the Network Information Security Center at the Cabinet as full-time staff from August 2005, and joined the Joint Staff Office of the Japan Defense Agency in April 2006.


Low Down and Dirty: Anti-Forensic Rootkits
Darren Bilby, Senior Security Consultant,

It is 4pm on a Friday, beer o’clock. You’re just eyeing up your first beer and thinking about where the fish will be biting tomorrow. The phone rings, something “funny” is happening on a client’s web server. A lot of money passes through the server and it looks like it could be serious. IDS on the network picked up a crypted command shell heading outbound from the server. You break out the security incident response manual and head to the scene.

Being the process oriented and reliable chap you are, you load up your forensic toolkit and take forensic copies of current memory and disk. You kick off your tools to analyse the forensic copies you’ve taken, nothing. All the processes are good, no apparent hooks, all hashes match verifiable sources. You check the forensic copying process, it worked perfectly. What have you missed? How could it not be in memory or on disk?

Someone is playing you for a fool, and it’s probably someone in kernel land. Your forensic image has been faked, and yet any court in the country would accept your process as sound.

This talk will be a low level talk aimed at forensic analysts, investigators, prosecutors and administrators. It will show new techniques and a previously unreleased working implementation called DDefy which anyone involved in forensic analysis should be aware of. The demonstration will show defeating live forensic disk and memory analysis on Windows systems exposing fundamental flaws in popular forensic tools.

Attendees should preferably have an understanding of the live forensics process and some background in modern rootkit technologies. Knowledge of NTFS internals will also aid in understanding.

Darren Bilby is a senior security consultant at and is based in Auckland, New Zealand. When not intrusion testing for clients, he is regularly involved in incident response in both UNIX and Windows environments and is one of the technical leads for the CSIRT team. Darren also works on the source code auditing software Codescan. He is an active researcher and current projects include anti-forensic techniques and VoIP security research.


Taming Bugs: The Art and Science of Writing Secure Code
Paul Böhm, Lord Protector and Defender of the Crown at SEC-Consult

If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal.
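The abstract names two strategies, typed strings against injection and path normalization against traversal, without showing code. The block below is an added illustration of one way to realize both in Python; it is not code from the talk or from SEC-Consult, and every class and function name (Untrusted, HtmlSafe, SqlQuery, safe_join, is_contained) is this example's own. The idea is that external text is wrapped in a type that cannot be concatenated into HTML or SQL, so it has to pass through an escaping or parameter-binding step, and that a user-supplied path is resolved to canonical form before the containment check is made.

```python
"""Typed strings and path normalization, as an added illustration (not code from
the talk or from SEC-Consult). The class and function names are this example's own."""
import html
import os
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Untrusted:
    """Raw text from outside the program. It carries no output context, so it
    cannot be joined into HTML or SQL; it has to go through a converter."""
    value: str


@dataclass(frozen=True)
class HtmlSafe:
    """Text already escaped for an HTML text/attribute context. Only HtmlSafe
    fragments may be joined, so an Untrusted value cannot slip in unescaped."""
    value: str

    def __add__(self, other):
        if not isinstance(other, HtmlSafe):
            raise TypeError("only HtmlSafe fragments can be joined into HTML")
        return HtmlSafe(self.value + other.value)


def html_text(s: Untrusted) -> HtmlSafe:
    """The single place where external text becomes HTML: escape it."""
    return HtmlSafe(html.escape(s.value, quote=True))


def html_literal(markup: str) -> HtmlSafe:
    """For markup typed by the programmer, never for external input."""
    return HtmlSafe(markup)


def render_greeting(name: Untrusted) -> str:
    page = html_literal("<p>Hello, ") + html_text(name) + html_literal("</p>")
    return page.value


@dataclass(frozen=True)
class SqlQuery:
    """A programmer-written SQL template with '?' placeholders plus the values
    bound to them. External text only ever lands in params, never in template."""
    template: str
    params: tuple = ()

    def bind(self, value: Untrusted) -> "SqlQuery":
        return SqlQuery(self.template, self.params + (value.value,))


def find_user(conn: sqlite3.Connection, name: Untrusted):
    q = SqlQuery("SELECT id, name FROM users WHERE name = ?").bind(name)
    return conn.execute(q.template, q.params).fetchall()


def lookup_demo(name: str):
    """Constructed in-memory table so the query can be exercised offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return find_user(conn, Untrusted(name))


def safe_join(base_dir: str, user_path: Untrusted) -> str:
    """Path normalization against traversal: resolve '..', symlinks and absolute
    paths first, then check that the result is still inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path.value))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_path.value!r} escapes {base_dir}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean view of safe_join, convenient for tests and access decisions."""
    try:
        safe_join(base_dir, Untrusted(user_path))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_greeting(Untrusted("<script>alert(1)</script>")))
    print(lookup_demo("' OR '1'='1"))
    print(safe_join("/srv/www/files", Untrusted("docs/../readme.txt")))
```

The design point is that the compiler or interpreter does the remembering: once a value is wrapped as Untrusted, forgetting to escape it is a type error rather than a silent bug, and the only way to get a string of the right type is through the one converter that does the escaping or binding. The containment check in safe_join deliberately compares the resolved path against the resolved base with commonpath rather than a string prefix, so that "/srv/www/files2" is not mistaken for a child of "/srv/www/files".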

Paul Böhm was a founding member of TESO Security in 1998, and has spent a lot of time breaking code. In 2003 he worked on quantum cryptography at the University of Vienna, where he developed and implemented an improved-efficiency QC protocol. His current interest is in vulnerability defense and secure software. He works as a Security Consultant for SEC Consult.


IPv6 World Update: Strategy & Tactics
Kenneth Geers
Alexander Eisen

The U.S. Government has mandated that its organizations be IPv6-compliant by June 30, 2008. The Japanese government has already missed more than one IPv6 deadline. But while we can argue about specific dates for compliance and deployment, there is no question but that your organization must begin to prepare for the next generation Internet, and it should start today. This presentation is based on wide-ranging, in-depth research, including interviews with the top thinkers on the most crucial issues surrounding the sleeping giant known as IPv6. It will give you the facts you need in order to plan for what may be difficult times ahead.

The tactical, down-in-the-weeds take on IPv6 will be examined in detail. This presentation will provide the Black Hat Japan audience with a myriad of technical details to inform them of the challenges that await their organizations as they attempt to keep pace not only with their government mandates, but also with economic competitors from around the world. The Black Hat audience will also learn how hackers will exploit this new technology, and how to stop black hats from taking advantage of the necessarily long-lasting, heterogeneous environment that will be required during the transition to IPv6.

Believe it or not, many nation-states view IPv6 as crucial to their national security plans for the future. This presentation will make stops at the White House, Tokyo, Beijing, and Red Square, and cover in detail the most current v6 research and deployment events in East Asia. It will discuss how, if some governments get their way, most members of the Black Hat audience could well lose their last byte of anonymity on the Internet. The corporate side of Internet addressing will also be addressed: what do the Xbox, IPTV, and the number of beers I have left in my fridge at home have in common? Answer: IPv6!

Kenneth Geers (CISSP, M.A. University of Washington) has worked for many years as a programmer, Web developer, translator, and analyst. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested grapes in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Mr. Geers is the author of "Cyber Jihad and the Globalization of Warfare", "Hacking in a Foreign Language: A Network Security Guide to Russia", and "Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall". He loves his wife Jeanne, and daughters Isabelle, Sophie and Juliet.

Alexander Eisen (CISSP, M.S. University at Buffalo) has twice received an Information Assurance Scholarship to complete a multi-disciplinary Computer Science program spanning Cryptography, Cyber Law and Management. Having worked in the fields of penetration testing, incident response, forensics and security software evaluation, his passion is in exploring pioneering topics in security, researching with academia and being a bilingual grayhat-entrepreneur. Mr. Eisen is an adjunct professor on the University of Advancing Technology faculty and a member of the IEEE Computer Society. He wishes to have Kenneth's frequent flyer miles to assist with his back-country snowboarding adventures across the globe and has a Russian Blue cat named Jazz.


Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"
Jeremiah Grossman, Founder and CTO of WhiteHat Security, Inc.
T.C. Niedzialkowski, Sr. Security Engineer, WhiteHat Security, Inc.

Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.

Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite.

Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that we understand what it is and how to defend against it.

During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats.

You’ll see:

  • Port scanning and attacking intranet devices using JavaScript
  • Blind web server fingerprinting using unique URLs
  • Discovering NAT'ed IP addresses with Java Applets
  • Stealing web browser history with Cascading Style Sheets
  • Best-practice defense measures for securing websites
  • Essential habits for safe web surfing

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology.


Increasingly-sophisticated Online Swindler
Yuji Hoshizawa, Principal Security Analyst, SecureBrain Corporation

Knowing the various fraud schemes is important when implementing countermeasures against them. Vulnerable Internet users can easily be caught in the traps set up by criminals who use increasingly sophisticated online fraud schemes such as phishing and One Click Fraud. In this session, the presenter will show the latest online fraud schemes.

Mr. Hoshizawa joined Symantec in 1998 and took a position in charge of security research, response to new viruses, and collection and analysis of vulnerability information as the Asia Pacific regional manager of Symantec Security Response. He has established himself as a top-class virus researcher in Japan, and has contributed to many IT-related publications about computer security. He has also given talks on security issues at various international conferences such as Virus Bulletin, EICAR, and AVAR. After leaving Symantec in September 2004, he joined SecureBrain Corporation and has held his present position since October 2004.


Input Attack Trees: Death of a Thousand Leaves
Heikki Kortti, Codenomicon

By modeling all of the possible inputs of a protocol or file format as an input tree, the potential weak points of an implementation can be assessed easily and efficiently. Existing attacks can be reused for similar structures and datatypes, and any complex or susceptible areas can be focused on to improve the probability for success. This method is applicable not only for creating new attacks, but also for proactive defense and even protocol design. Some knowledge of network protocols is expected, as are also the basics of security testing and anomaly design. The talk will apply the presented techniques by presenting an input tree for DNS and cataloguing the potential attacks and problem areas.

Heikki Kortti is a Robustness Specialist at Codenomicon Ltd. With a background in network and systems administration, he has been working with information security since 1993. At his present job at Codenomicon, he has developed security testing suites for protocols such as BGP4, DNS, SMTP, IMAP, and POP3, as well as actively participated in the development of tests for more than 90 other protocols and file formats. He has personally witnessed countless network servers, client applications, routers, switches, VoIP equipment, web browsers, operating systems, mobile phones, games systems, media players, virus scanners and firewalls fail and beg for mercy at the purifying altar of automated input testing.


Six Degrees of XSSploitation
Dan Moniz, Member, The Shmoo Group
HD Moore, Director of Security Research for BreakingPoint Systems, Founder, The Metasploit Project

Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, an insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors.

We investigate the possibilities using MySpace and other popular sites as case studies, along with the potential posed by both WMF and The Metasploit Project's recently-released browser fuzzing tool, Hamachi, to own a site with self-replicating XSS containing a malicious browser-exploiting payload which itself will modify the browser to auto-exploit other sites, all transparent to the user. On top of this one could layer any additional functionality, some loud, some quiet, such as DDoS bots, keyloggers, other viral payloads, and more.

Dan Moniz is an independent security consultant, and is also a member of The Shmoo Group, a world-recognized affiliation of information security professionals. Mr. Moniz has spoken at a number of conferences, including Defcon, ShmooCon, and The Intelligence Summit, in addition to private audiences at Fortune 50 companies and universities. In 2003 he testified in front of the California State Senate in a hearing on the issues of RFID technology, privacy, and state legislation. In the past, he has held positions with a variety of high tech companies and organizations, including Alexa Internet (an company), Electronic Frontier Foundation, Cloudmark, OpenCola, and Viasec.

HD Moore is Director of Security Research at BreakingPoint Systems, where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and led the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.


Subverting Vista Kernel For Fun And Profit
Joanna Rutkowska, Senior Security Researcher, COSEINC

The presentation will first show how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot.

Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth.

The ultimate goal is to demonstrate that it is possible (or soon will be) to create undetectable malware whose stealth is not based on a concept but, similarly to modern cryptography, on the strength of the 'algorithm'.

Joanna Rutkowska has been involved in computer security research for several years. She has been fascinated by the internals of operating systems since she was in primary school and started learning x86 assembler on MS-DOS. Soon after, she switched to the Linux world, got involved with some system and kernel programming, and focused on exploit development for both Linux and Windows x86 systems.

A couple of years ago she became very interested in the stealth technology used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She now focuses on both detecting this kind of activity and on developing and testing new offensive techniques.

She currently works as a security researcher for COSEINC, a Singapore based IT security company.


Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0
Alex Stamos, Principal Partner, iSEC Partners
Zane Lackey, Security Consultant, iSEC Partners

The Internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of “Web 2.0” technologies giving us faster, more exciting, and more useful web applications. One of the fundamental “Web 2.0” technologies is known as Asynchronous JavaScript and XML (AJAX), which is an amalgam of techniques developers can use to give their applications the level of interactivity of client-side software with the platform-independence of JavaScript.

Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser has created new attacks as well as made classic web application attacks more difficult to prevent.

We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering and object serialization attacks in AJAX applications, and will publicly release an AJAX-based XSRF attack framework. We will also be releasing a security analysis of several popular AJAX frameworks, including Microsoft Atlas, JSON-RPC and SAJAX.

The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript. 

Alex Stamos is a founding partner of iSEC Partners, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.  He holds a BSEE from the University of California, Berkeley.

Zane Lackey is a Security Consultant with iSEC Partners, a strategic digital security organization. Zane regularly performs application penetration testing and code review engagements for iSEC, and his research interests include web applications and emerging Win32 vulnerability classes. Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop. 


Attacking Internationalized Software
Scott Stender, Principal Partner, iSEC Partners

Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation.

Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software. At worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer is reliant on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood attack surface.

If we go back to the "three stages model" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years of studying core technologies and real software systems will be presented.
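The three-stage model (raw bytes, interpretation, behavior) is easiest to see with a filter that is placed on the wrong side of the interpretation stage. The block below is an added example, not code from the talk or from iSEC Partners; the function names, the token list and the sample inputs are this example's own constructions. It compares a pipeline that validates the bytes as received and canonicalizes afterwards with one that canonicalizes first (strict UTF-8 decoding plus NFKC normalization) and validates the canonical text that the rest of the system will actually consume.

```python
"""Validation on the wrong side of the interpretation stage, as an added example
(not iSEC Partners' code). Names and sample inputs are this example's own."""
import unicodedata
from typing import Optional

# A deliberately simple deny-list filter; the point is where it runs, not what it checks.
FORBIDDEN = ("<", ">", "script")


def is_allowed(text: str) -> bool:
    """Token filter applied to whatever text it is handed."""
    low = text.lower()
    return not any(tok in low for tok in FORBIDDEN)


def interpret(raw: bytes) -> str:
    """The interpretation stage: strict decoding (overlong UTF-8 and stray bytes
    raise UnicodeDecodeError) followed by NFKC normalization, which folds
    compatibility variants such as fullwidth forms to their ASCII equivalents."""
    return unicodedata.normalize("NFKC", raw.decode("utf-8"))


def validate_then_interpret(raw: bytes) -> Optional[str]:
    """Wrong order: the filter sees a lenient, unnormalized decoding, but a later
    component canonicalizes, so it consumes text the filter never examined.
    Returns the text the consumer ends up with, or None if rejected."""
    as_received = raw.decode("utf-8", errors="replace")
    if not is_allowed(as_received):
        return None
    return unicodedata.normalize("NFKC", as_received)


def interpret_then_validate(raw: bytes) -> Optional[str]:
    """Right order: canonicalize first, validate the canonical form, consume that."""
    try:
        text = interpret(raw)
    except UnicodeDecodeError:
        return None
    return text if is_allowed(text) else None


# Constructed samples; each is one way the same meaning can reach the first stage.
SAMPLES = {
    "fullwidth": "＜ｓｃｒｉｐｔ＞".encode("utf-8"),  # U+FF1C, U+FF53 ... U+FF1E
    "long_s": "ſcript".encode("utf-8"),            # U+017F LATIN SMALL LETTER LONG S
    "plain": "hello".encode("utf-8"),
    "overlong": b"\xc0\xae",                       # overlong two-byte form of '.'
}


def compare(name: str) -> tuple:
    """Returns (result of the wrong order, result of the right order) for a sample."""
    raw = SAMPLES[name]
    return validate_then_interpret(raw), interpret_then_validate(raw)


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:>9}: validate-first -> {compare(name)[0]!r}, "
              f"interpret-first -> {compare(name)[1]!r}")
```

In the first pipeline the fullwidth and long-s samples pass the filter and are then normalized into exactly the token the filter was meant to stop; in the second they are rejected, and the overlong bytes never reach the filter at all because strict decoding refuses them. The general rule this illustrates is that validation belongs after the last transformation the data will undergo, or the transformation must be repeated wherever the data is consumed.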

Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC Partners, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. Before @stake, Scott worked for Microsoft where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Scott has previously presented at conferences such as Black Hat USA, OWASP, and the Software Security Summit. He holds a BS in Computer Engineering from the University of Notre Dame.


Winny the Pooh
Takayuki Sugiura, CEO, NetAgent Co., Ltd.

There has been a series of information leak incidents in Japan related to the use of P2P file sharing software. But those incidents are just the tip of the iceberg: tens of thousands of incidents are estimated to have gone unreported in the news. P2P file sharing software is usually designed to enhance user anonymity, so users of such software can violate copyright law. However, contrary to those users' assumption, P2P networks are in effect publicly open networks with respect to the files being uploaded or downloaded.

This talk will explain how the encryption deployed by Winny and Share could be defeated, what changes once that encryption is disarmed, and what can serve as evidence that information has been made public, with details based on the public openness inherent in P2P and on how that characteristic exposes the content of communication on P2P networks that no longer have anonymity.

Takayuki Sugiura is known as the specialist who cracked the encryption of the Winny and Share P2P file sharing software. He is also known as the developer of OnePointWall and PacketBlackHole, as well as a pioneer in the field of network forensics who specializes in defeating encryption.


Catching Malware to Detect, Track and Mitigate Botnets
Georg Wicherski, Alliance Founder & Head,
Thorsten Holz

Botnets pose a severe threat to today’s Internet community. We show a solution to automatically find, observe and shut down botnets with existing open-source tools, partially developed by us. We start with a discussion of a technique to automatically collect bots with the help of the tool nepenthes. We present the architecture and give technical details of the implementation. After some more words on the effectiveness of this approach we present an automated way to analyze the collected binaries. All these steps can be automated to a high degree, allowing us to build a system that autonomously collects information about existing botnets. This information can then be aggregated and correlated to learn even more. As a result, we obtain information that can be used to mitigate the threat, e.g., as a warning system within networks or as an information resource for CERTs. We conclude the talk with an overview of lessons learned and point out further research topics in the area of botnet tracking. Attendees are expected to have a basic knowledge of honeypots and how honeynets work. All necessary information about bots/botnets will be introduced during the talk and the live demonstrations.

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems at the University of Mannheim, Germany. He is one of the founders of the German Honeynet Project and his work concentrates currently on bots/botnets and malware in general. Thorsten is one of the authors of the "Know Your Enemy: Tracking Botnets" paper and has also published some other papers in this area, e.g., at SecurityFocus and various academic conferences/magazines. A blog is available at

Georg Wicherski is an 18-year-old German high school graduate with experience in the fields of botnet tracking and mitigation, malware analysis and network engineering. He co-authored the Honeynet Project's paper "Know Your Enemy: Tracking Botnets" and two papers submitted to ESORICS and the DFN-Cert Workshop. He also published his paper "Medium Interaction Honeypots" on the Internet. His fields of interest besides malware and botnets include robotics engineering and programming as well as wireless appliances.

He is the author of the mwcollectd medium-interaction honeypot and a nepenthes developer. He founded and now leads the mwcollect Alliance, a non-profit organization aiming at collecting malware, with now over 25000 unique in-the-wild samples.

You can find the entrance to the web of his personal pages; most of his projects are listed and linked there.


Black Hat together with Internet Association Japan will host the third annual Black Hat Briefings Japan in Tokyo.

(c) 1996-2007 Black Hat