Black Hat® Japan 2008 Briefings & Training

Briefing Speakers - ブリーフィングスピーカー

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

-Keynote- Black Ops of DNS 2008 : Its The End Of The Cache As We Know It
-基調講演- DNS 2008版 Black Ops. 今までのDNSキャッシュじゃ通じない!

by Dan Kaminsky (ダン・カミンスキー)

DNS is at the heart of every network -- when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct -- but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.

Dan Kaminsky Dan Kaminsky is the Director of Penetration Testing for Seattle-based IOActive, where he is greatly enjoying having minions. Formerly of Cisco and Avaya, Dan was most recently one of the "Blue Hat Hackers" tasked with auditing Microsoft's Vista client and Windows Server 2008 operating systems. He specializes in absurdly large scale network sweeps, strange packet tricks, and design bugs.

Dan Kaminsky氏はシアトルにあるIOActiveにおいてDirector of Penetration Testingとして活躍しており、お山の大将として子分たちを引きつれている。もともとCISCOやAVAYAでの経験を元に、最近ではマイクロソフトのWindows Server 2008用のVistaクライアントの監査を行う"Blue Hat Hackers"のメンバーとして活躍しており、現在に至る。彼の得意分野は巨大なネットワークに対してのスウィープや特殊パケットを使った計略や仕様からくる脆弱性など多岐にわたる。

Understanding Targeted Attacks with Office Documents

by Bruce Dang (ブルース・ダン)

As more security features and anti-exploitation mechanisms are added to modern operating systems, attackers are changing their targets to higher-level applications. In the last few years, we have seen increasing targeted attacks using malicious Office documents against both government and non-government entities. These attacks are well publicized in the media; unfortunately, there is not much public information on attack details or exploitation mechanisms employed in the attacks themselves. This presentation aims to fill the gap by offering:

  1. A brief overview of the Office file format.
  2. In-depth technical details and practical analytical techniques for triaging and understanding these attacks.
  3. Defensive mechanisms to reduce the effectiveness of the attacks.
  4. Forensics evidence that can help trace the attacks.
  5. [If we have time] Static detection mechanism for these vulnerabilities (i.e., how to write virus signatures for these vulns).
  6. Techniques to help detect these attacks on the wire.
  7. (7) A surprise. :)

Bruce Dang is a Security Software Engineer in the Secure Windows Initiative (SWI) group. Before joining SWI, he performed incident response, tools development, reverse engineering, and malware analysis for large companies. Once in a while, he contributes to the SWI team blog: In his spare time, he spends time with his family, talking to people about both geeky and non-geeky stuff, and reading poetry.

Get Rich or Die Trying - "Making Money on The Web, The Black Hat Way"
金持ちになれ!ダメなら目指せ! - Webでの儲け方

by Arian Evans (アリアン・エバンス)

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t black them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what's possible.

Arian Evans is the Director of Operations at WhiteHat Security leading a team of security engineers assessing over 600 production websites. Arian has worked at the forefront of Web application security for more than 10 years. His global projects include work with the Center for Internet Security, NIST, the FBI, the Secret Service, and many commercial organizations on Web application security and hacking incident-response. Arian consistently researches and discloses new attack techniques and vulnerabilities in Web application software, including commercial platforms like Cisco and Nokia. Arian is a frequent speaker at industry conferences including Black Hat, OWASP, RSA, WASC, and software developer events and was a contributing author of "Hacking Exposed:Web Applications." Arian also likes combining mountains, mistresses, martinis, and motorcycles. Especially race V-twins that go "braap".

Cyberspace and the Changing Nature of Warfare

by Kenneth Geers (ケネス・ギアス)

Practically everything that happens in the real world is mirrored in cyberspace. For national security planners, this includes espionage, reconnaissance, targeting, and – to an unknown extent – warfare itself. All political and military conflicts now have a cyber dimension, whose size and impact are difficult to predict.

Aggressive cyber warfare strategies offer many advantages. Above all, the Internet is vulnerable to attack. Further, its amplifying power means that future victories in cyberspace could translate into victories on the ground. Both state and non-state actors enjoy a high return on investment in cyber tactics, which range from the placement of carefully crafted propaganda to the manipulation of an adversary's critical infrastructure.
Current events demonstrate that cyber conflict is already commonplace around the world. Five case studies suggest that it is no longer a question of whether computer hackers will take national security planners by surprise, but when:

  • The conflict in Chechnya demonstrated the strength of the Internet to disseminate powerful and unpredictable propaganda.
  • During the war over Kosovo, non-state actors attempted to disrupt military operations through hacking, and were able to claim minor victories.
  • The Middle East cyber war quickly spread around the world, and brought targets of pure economic value into the conflict.
  • In 2001, simmering tensions between the USA and China spilled over into a “patriotic” hacker war, with uncertain consequences for national security leadership.
  • The politically-motivated cyber attacks on IT-dependent Estonia brought unprecedented attention to cyber security from governments around the world.

The Internet is changing much of life as we know it, to include the nature and conduct of warfare. At times, cyber tools and tactics favor nations robust in information technology, but the Internet is a prodigious tool for a weaker party to attack a stronger conventional foe.
As with terrorism and weapons of mass destruction, the dynamic, asymmetric, and still-evolving nature of cyber attacks makes all aspects of cyber defense – including detection, analysis, investigation, prosecution, retaliation, and more – critical questions for national security planners to answer.

Kenneth Geers (NCIS) is the U.S. Representative to the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.

Attacking with Character Encoding for Profit and Fun

by Yosuke Hasegawa (長谷川陽介)

In the world of web-based applications rapidly growing these days, text data in the form of HTML or XML is more widely used than ever. Character encoding here is so important a kind of meta-data for text data that neglecting it often results in serious security flaws.

Even apart from issues concerning web applications, various confusions happen during the transition from legacy encoding schemes such as EUC-JP or Shift_JIS to the latest one namely the Unicode. Such clutters at times could bring about security problems. In addition, tricks related to character encoding is not only an issue in data handling by software but also a human factor issue with its remarkable visual effect, hence providing a robust tool for attackers.

This session will sort out security concerns related to character encoding and consider "how" to cope with "what" kind of attack.

Yosuke Hasegawa is an engineer of NetAgent Co.,Ltd. and was born in 1975. I have received the Microsoft MVP award for Windows Security every year since 2005. I have investigated on the security issues that the character encoding such as Unicode causes. I have discovered a lot of vulnerabilities of various software applications including Internet Explorer and Mozilla Firefox so far, such as CVE-2008-0416, CVE-2008-1468, CVE-2007-2225, CVE-2007-2227 and so on.

"FFR EXCALOC" - Exploitability Calculator Based on Compiler Analysis

by Toshiaki Ishiyama (石山智祥)

Recent compilers have some security extensions intended to make exploits fail and protect the software even if vulnerabilities exist. These functionalities contribute greatly to prevent exploitation of code execution vulnerabilities. it is getting hard to find "truly exploitable" vulnerabilities - especially for beginners of vulnerability hunting.

However, there are still many applications built by compilers without any security extensions. We still confirm some code execution vulnerabilities in very recent software which is not protected by common stack protection mechanism and safe heap management features as provided by the compiler and/or operating systems. These vulnerability can be truly exploited by traditional methods such as typical stack/heap overflow attacks.

Taking this as a basis, we analyzed the object code generated by most major compilers - including obsolete versions. We extracted various characteristics by checking the generated machine code and PE structure. Afterwards, we developed an algorithm to calculate the exploitability by using the extracted characteristics. We are now able to apply this algorithm to some popular existing software which contain buffer overflow bugs and check their exploitability. In conclusion, we confirm that this algorithm calculates the exploitability of software easily and efficiently. By using this algorithm, security analysts can find software which is potentially exploited in an efficient manner.

We will describe the details of the algorithm and its implementation as well as release vulnerabilities found in software which indicate a high exploitability while using our algorithm. We will also distribute the beta version of this system at the end of our presentation.

Toshiaki Ishiyama is a senior software engineer at Fourteenforty Research Institute. His main work focuses on researching a variety of security core technologies, and the development of security products. As one of the malware analysis team's specialists, he additionally researches techniques of malware reverse engineering an dynamic code analysis. Moreover, he is conducting a surveillance study on vulnerability analysis and P2P system security.

Threat Gallery of Japanese Landscape

by Hiroshi Kawaguchi (川口洋)

In past, attacks against server applications and activities of virus/worms running alone were mainstream. However, big thread combined by a lot of methods are seen in current Japanese landscape. These are made up of SQL injections, passive attacks and malwares. I explain Japanese landscape in the view of JSOC, a security operation center which has more than 300 clients in Japan.

SQL Injection. In 2005, starting with information leakage striking famous sites of Japan, the numubers of attacks is increasing. After 2008 attacks to steal information change ones to deface web sites and the methods become more and more malicious.

Passive Attack. This method targets users attacked by defacing legitimate web sites or sending mail attached malicious files. It is difficult to detect these attacks. At last, attackers make PCs parasitize malwares and steal resource and data, but the owners do not notice them. I also explain characteristics of activities of malware in 2008.

Understanding current situation of these threats properly and progressing security counter measures, we hope realizing the landscape of safety IT society.

Hiroshi Kawaguchi
Hiroshi Kawaguchi, CISSP, Little eArth Corporation Co., Ltd.
JSOC Chief Evangelist and Chief Enkai OfficerJapan Security Operation Center, Little eArth Corporation Co., Ltd. Experiences in information security field as an analyst leader of Incident Response Team, JSOC CTO, and currently as a JSOC Chief Evangelist at Little eArth Corporation  Co., Ltd., leading company dedicated to information security in Japan.
Major responsibilities:

  • Control in creating/tuning JSIGs (JSOC original signatures) with proprietary know-how and monitoring networks.
  • Speak at various events (PacSec, InternetWeek) to raise awareness of cyber security and to deliver up-to-date information on the cyber attacks.
  • My column is being published in serial from in @IT (only Japanese).

 New reverse engineering technique using API hooking and sysenter hooking, and capturing of cash card access
API hooking と Sysenter Hooking を使った新しいリバースエンジニアリングテクニックと、キャッシュカードアクセスのキャプチャ

by Kenji Aiko(愛甲健二)

The technique of using API hooking and sysenter hooking has been researched by many reverse engineers for a few years now. In particular, we can use the technique in a kind of underground rootkit community to hide arbitrary programs. For this reason, most people may think the technique is an underground skill because general applications don't employ it. But I think this is an important technique which is helpful in reverse engineering. When we analyse some software, we have to read assemble code, but this is very troublesome.
Even if we are excellent engineers, it is difficult for us to read huge amounts of assemble code. To be precise, we need to read an assemble code to analyse some software, but our purpose is to analyse several pieces of software quickly and more easily than now, rather than read an assemble code.
Consequently, I will propose a new reverse engineering technique using an API hooking and sysenter hooking. By using this technique, we'll be able to analyse software quickly and more easily than now.
Lastly, I will do a demonstration that demonstrates capturing the communication data of a cash card reader and a cash card using API hooking.

Kenji Aiko
Board Member of NetAgent Co.,Ltd.
He published many books related to the reverse engineering or any other technology.

The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation -
インターネットは壊れている:Document.Cookieのむこう側 - エクストリーム・クライアントサイド・エクスプロイテーション -

by Nathan McFeters (ネイサン・マクフィーター)

The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browsers flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged to directly to compromise the host… by design?

Rewind a few years ago and the client-side landscape was somewhat different: research was focused on exploiting the complex interactions between components exposed by the browser. The security of the whole was defined as the sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything accessible via a protocol handler. These types of attack gave way to direct browser flaws... after all, why carry out a multi-stage attack when you could trigger straight code execution? Fast forward to 2008: browser flaws are not going away in the foreseeable future but they are on the decline, and in a world of stack cookies, non-executable stacks and ASLR they are becoming increasingly hard to exploit. Which takes us back to the complexity issues. They never went away. In fact the situation has gotten worse spurred by the development of offline solutions such as Google Gears and Adobe AIR, the plethora of protocol handlers and an explosion of browser helper objects.

This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. This combined with a rapidly increasing corporate interest in "outsourcing" applications to the browsers, this fast paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?

This is NOT another talk focused on XSS or CSRF, it's about issues and vulnerability classes that have not been discussed anywhere else. You get all of this from some legit, good looking security researchers, what more could you ask for?

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center (ASC) and is currently serving in a Security Evangelist role for the ASC based out of Chicago, IL. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. Prior to taking the position with Ernst & Young, Nathan paid his way thru undergrad and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area. Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.

Owning the Fanboys: Hacking Mac OSX
Mac OSXをハッキング:マックファンを乗っ取れ!

by Charlie Miller (チャーリー・ミラー)

In this talk I will begin by discussing some Leopard specific security features including sandboxing and memory randomization (or not). Then I'll move on to show some tips and tricks for reverse engineering Mac OS X binaries. I'll then detail ways to find vulnerabilities and how to exploit them, with a case study of the exploit used to win the Pwn2Own competition, including how to get reliable code execution from Safari bugs using JavaScript. Finally, I'll demonstrate how these techniques translate to the stripped down Mac OS X running on the iPhone.

このセッションではLeopardに特化したセキュリティ機能について触れます、内容はsandboxingやメモリーランダミゼーションなど。まずは全体の概要を消化してから、実際にMacOS Xのバイナリーをリバースエンジニアリングするためのいくつかのノウハウを紹介してゆく。そして、Pwn20wn大会で勝利をもたらしてくれたエキスプロイトをケーススタディとしてどのように脆弱性を見つけてその脆弱性を攻撃するかやSafariのバグをもとにJavascriptを使ったコード実行の方法を紹介する。最後にこのようなテクニックをiPhoneで稼動しているMacOSXの亜種に対してどう使っていくかを紹介していく。

Charlie Miller Charlie Miller is Principal Analyst at Independent Security Evaluators. Previously, he spent five years at the National Security Agency. He is known for hacking the iPhone, SecondLife, and winning the Pwn2Own contest at CanSecWest. He has a Ph.D. from the University of Notre Dame and has spoken at numerous security conferences.

Satan is on My Friends List: SNS Survey

by Shawn Moyer & Nathan Hamiel (シャウン・モイヤー&ネイサン・ハミルトン)

Social Networking is shaping up to be the perfect storm. An implicit trust of those in ones network for social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML. Yikes.

But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate. A target-rich and trusting environment for custom-tailored, laser-focused attacks.

Shawn Moyer is CISO of Agura Digital Security, a web and network security consultancy. He has led security projects for major multinational corporations and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences.

Shawn is currently working on a slash fanfic adaptation of 2001:A Space Odyssey, told from the perspective of Hal9000. He only accepts friend requests on Facebook if they include a DNA sample and a scanned copy of a valid driver's license or passport.

Nathan Hamiel is a Senior Consultant for Idea Information Security and the founder of the Hexagon Security Group. He is also an Associate Professor at the University of Advancing Technology. Nathan has previously presented at numerous other conferences including DEFCON, Shmoocon, Toorcon, and HOPE.

Nathan spent much of DEFCON 15 without shoes and is planning ahead this year with a defense-in-depth approach that includes failover footwear. He has 1,936 people in his extended network, and finds that disturbing on a number of levels.

Exploiting Symbian OS in mobile devices

by Collin Mulliner (コリン・マリナー)

SymbianOS is one of the major smart phone operating system and has been around for many years still exploitation has not been researched yet. The lack of proper exploitation techniques is mostly due to the fact that until the recent introduction of PIPS/OpenC (a POSIX API port) SymbianOS did not have the means for programmers to EASILY write insecure code.

The presented work will show that now it is possible to exploit buffer overflows on Symbian like on any other (mobile) platform. To do this we will show some proof-of-concept exploits and provide an overview on writing shellcode for

Further we will show some short comings of the Symbian security model and discuss the possible impact. To do this we will show that is possible to create a piece of (mobile) malware that is capable to sign itself.

We believe vulnerability exploitation will become the next big issue on SymbianOS because the current version of Symbian only permits installation of signed applications thereby shutting out currently existing Symbian worms. We believe worm authors will adapt soon.

Collin Mulliner is a researcher in the department for Secure Mobile Systems at Fraunhofer-Institute for Secure Information Technology (SIT). Collin's main interest is the security of mobile devices with a special emphasis on mobile and smart phones. In recent years he did some work on Bluetooth-based projects where he created the first Bluetooth port-scanner. Since 1997 Collin has developed software and did security work for PalmOS, J2ME, Linux, and Windows Mobile. In 2006 he published the first remote code execution exploit based on the multimedia messaging service (MMS).

A Hypervisor IPS based on Hardware Assisted Virtualization Technology

by Junichi Murakami (村上純一)

Recently malware has become more stealthy and thus harder to detect, than ever before. Current malware uses many stealth techniques, such as dynamic code injection, rootkit technology and much more. Moreover, we have seen full kernel mode malware like Trojan.Srizbi.

Many detection tools were released that specialize in kernel mode malware and especially in the detection of rootkits. However, these tools are a cat and mouse game, because they and the malware are executed on the same privilege level.

This is why we developed an IPS based on a hypervisor, which uses features of hardware virtualization. It is executed on Ring-1 and thus runs with higher privileges than the OS layer.

In this session, we will talk about stealth mechanisms used by recent malware and demonstrate how to protect against such malware using Hypervisor IPS.

Junichi Murakami is a Senior Research Engineer at Fourteenforty Research Institute, Inc, and a member of the Alpha Unit Research & Development team. He is interested in kernel space related security technology on both Windows and Linux. He has developed LKM(Loadable Kernel Module) rootkits and rootkit detectors for Linux as a student. His work can be found in chkrootkit and StMichael projects. He also developed a comprehensive honeypot system for collecting malware. Currently, he focuses on Windows based malware and the reverse engineering thereof.

Disclosing Secret Algorithms from Hardware

by Karsten Nohl (カルステン・ノール)

Proprietary algorithms are often kept secret to protect intellectual property, provide security, or control the usage of devices. Applications of such algorithms range from key obfuscation in smart-cards, over image processing on graphics cards, to usage control for game consoles. The hardware implementations of the algorithms are secured against reverse-engineering by an array of protective measures. This tutorial introduces techniques for circumventing these measures and explores to what extent reverse-engineering of algorithms is feasible. The scope of examples will range from unprotected RFID tags to state-of-the-art “tamper-proof” TPMs and cryptographic memories.

Karsten Nohl hacks hardware at CCC and with some of the Shmoos. He is currently finishing his PhD at UVa where his research bridges theoretical cryptography and hardware implementation. Some of his current projects deal with RFID crypto, privacy protection, and the value of information.

ePassports Reloaded

by Jeroen van Beek (ジェローン・バンビーク)

In 2006, Black Hat Las Vegas presented a cloned ePassport. In 2008, the rumor goes that Elvis is still alive or at least his passport is. This presentation will examine the different mechanisms used in ePassport to prevent cloning and creation of electronic travel documents with non-original content and ways to attack these mechanisms.

Jeroen van Beek is a Security Consultant and Security Researcher with over 6 years of professional experience in network security and penetration testing. In 2007 he presented the world’s first publicly available full blown cracker for Oracle 11g. vonJeek is a well-known guest speaker at several Dutch universities. Besides security, he likes sleeping, drinking wine, the sun and fast red Italian motorcycles.

Jeroen van Beekは主にネットワークセキュリティやペネトレーションテストを行うセキュリティコンサルタントとして活躍の傍らセキュリティ研究者としても広く知られている。2007年にはOracle11gの世界初のクラッカーを発表したことでも有名。vonJeekはオランダの大学などで頻繁に講義を行っており、セキュリティ以外では寝ること、ワインや真っ赤なイタリアンオートバイが趣味。