Black Hat USA 2010 //briefings

Caesars Palace Las Vegas, NV • July 28-29

Register Now //speakers & topics

Event AUDIO & VIDEO: The Source of Knowledge will be onsite to sell audio and video recordings of the Briefings sessions. Their booth will be located outside of the Fourth Floor (Promenade Level), Emperor's Ballroom, or click here to visit the SOK site: order media »

Quynh Nguyen Anh, Kuniyasu Suzaki

Virt-ICE: next generation debugger for malware analysis

Dynamic malware analysis is an important method to analyze malware. The most important tool for dynamic malware analysis is debugger. However, because debuggers are originally built by software developers to debug legitimate software, they have some significant flaws against malware. First of all, malware can easily detect the presence of debugger with various tricks. Another fundamental problem is that because malware run in the same security domain with debugger, they can potentially tamper with the debugger, and prevent it from functioning correctly. Unfortunately, all of the above drawbacks are unfixable in the current architecture.

This research presents a new debugger named Virt-ICE, which is designed to address the problems of current malware debuggers. Using virtualization technology, Virt-ICE is totally invisible to malware, thus renders most available anti-debugging techniques useless. Thanks to the isolation provided by virtual machine, Virt-ICE is out of the reach of malware, and cannot be tampered with. Another advantage of Virt-ICE is that unlike many other popular debuggers, it can deal with ring-0 code, therefore it has no issue handling kernel rootkits. Virt-ICE also offers a novel event-based method to intercept malware execution, which can help to improve the debugging efficiency. Finally, Virt-ICE includes some built-in automatic malware analysis facilities to give the analysts more information on malware, so they can reduce the time on the job by focusing their debugging efforts on important points.

We conclude the talk with some live demos to show how Virt-ICE can debug some real malware.

James Arlen

SCADA and ICS for Security Experts: How to avoid Cyberdouchery

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product is loudly advertising how it solves SCADA SECURITY AND COMPLIANCY ISSUES!!! And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.

Let's sit down for a little fireside chat and discuss all things SCADA and ICS with an eye towards increasing our knowledge to the point where we can confidently say: "I'm not an expert at everything, I can help some, may we work together on a solution?" It's time to stop being a CyberDouche and start being a positive contributor. Learn some truth, look behind the curtain, bust some FUD, Oh - and make government agents have kittens. That's fun for everyone.

olle B

Standing on the shoulders of the blue monster - Hardening Windows applications

Microsoft has implemented lots of useful functionality in Windows that they use in their own products. Many of these features can be used to enhance the security of third party applications, but not many developers or software architects know about them. This talk will detail some of the technical underpinnings of Windows features like UAC, IE protected mode and Terminal Serivces and show how they can be used to defend your own software from attack.

Don Bailey, Nick DePetrillo

Carmen Sandiego is On the Run!

The global telephone network is often an opaque and muddy environment where many false assumptions of privacy are made by its users. Providers do their best to compartmentalize as much privacy-centric data as possible. However, information must be shared for the sake of network interoperability. The speakers will discuss gaps in privacy protection and how they can be leveraged to expose who you are, your location, and the privacy of those in contact with you.

Demonstrations will reveal how location data can be augmented and used in several fashions. First, the speakers will show how information can be leveraged to develop fairly accurate physical boundaries of a particular mobile switching center and how this information changes over time. Second, the speakers will overlay cellular tower data to depict coverage in a particular mobile switching center. Next, the speakers will demonstrate how to visualize an individual traveling across adjacent mobile switching centers and the cell towers they are likely to associate with. Finally, the speakers will demonstrate how known location values for many subscribers can reveal location information for handsets where location information can't be obtained directly.

Lastly, the speakers will elaborate on mitigation strategies for these attacks at the subscriber level and potential mitigation strategies for the provider level.

Andrew Becherer

Hadoop Security Design? Just Add Kerberos? Really?

Distributed computing is a alive and well in 2010. The Hadoop project is carrying the banner for open source distributed computing with its Hadoop Distributed File System and MapReduce engine. Hadoop is in use at many of the world's largest online media companies including Facebook, Fox Interactive Media, LinkedIn, Powerset (now part of Microsoft) and Twitter. Hadoop is entering the enterprise as evidenced by Hadoop World 2009 presentations from Booz Allen Hamilton and JP Morgan Chase. Hadoop has also been elevated to the "cloud" and made available as a service by Amazon and Sun. What the heck is it? Can it be secure? What do I do if I discover it on a network I am testing?

When Hadoop development began in 2004 no effort was expended on creating a secure distributed computing environment. In 2009 discussion about Hadoop security reached a boiling point. The developers behind Hadoop decided they needed to get some of that "security" stuff. After a thorough application of kerberos pixie dust Hadoop is now secure, or is it?

This talk will describe the types of attacks the Hadoop team attempted to prevent as well as the types of attacks the Hadoop team decided to ignore. We will determine whether Hadoop was made any more secure through the application of copious amounts of kerberos. We will complete the talk with a short discussion of how to approach a Hadoop deployment from the perspective of an penetration tester.

Christiaan Beek

Virtual Forensics

This presentation will be about the problems we are facing when forensic research has to be done on environments which are virtualized. What are the differences between 'tradional' system forensics, what techniques & tools can be used. Which files are important when performing forensic research on Citrix & VMWare environments? What about VHD file format with Windows 7 and what do we need for future research?

Damiano Bolzoni, Christiaan Schade

Goodware drugs for malware: on-the-fly malware analysis and containment

In this presentation we will show a new approach to perform on-the-fly malware analysis (even of previously unknown malware), without the need of deploying any instrumentation at the end host before hand. Our approach leverages the fact that malware quite often comes as a small (in size) "spore", which is then responsible for making the malware persistent on the targeted host and download additional components ("eggs"). Eggs usually come in the shape of executables or DLLs, and extend the capabilities of the spore (password grabbing, URL redirection, etc.)

Our system, we call it Avatar, detect failed attempts to download eggs, and ships back to the suspected malware what we call a "red pill". When the malware executes the red pill, this performs some preliminary checks and can send to an instrumented host a copy of the parent process' executable. In this instrumented (i.e., sand-boxed) environment it is possible to perform real-time analysis of the suspicious program. The red pill can be then remotely instrumented to terminate the monitored process, in case it appears to be a real threat. By doing so, it is possible to effectively contain a large infection.

Kenton Born

PSUDP: A Passive Approach to Network-Wide Covert Communication

This presentation analyzes a novel approach to covert communication over DNS by introducing PSUDP, a program demonstrating passive network-wide covert communication. While several high-bandwidth DNS tunnel implementations are freely available, they all use similar strategies. Storage channels are created in DNS requests by encoding data in subdomain labels, while responses take many forms such as TXT, NULL, and CNAME resource record types to complete the bi-directional link. However, these tunnels may be detected when examining subdomains and irregular resource records in responses. Additionally, these tunnels only provide communication through the active generation of traffic.

The method and tool discussed in this paper allows a network of computers to participate in passive covert communication by piggy-backing on legitimate network DNS traffic. While low-bandwidth passive tunnels have been built using techniques such as timing channels and field manipulation, no passive high-bandwidth DNS tunnels exist. A novel approach is used to provide significantly higher bandwidth in network-wide covert communication by manipulating legitimate DNS traffic. It is also shown how, in certain scenarios, this method may be used for both covert data exfiltration and as a replacement for existing DNS tunnels. Additionally, it will be shown how a similar method can be applied to many other protocols, not being limited to DNS traffic.

In addition to PSUDP, this presentation will briefly cover a few other recent findings I have had in DNS tunnel creation and detection. Firstly, I will show how bi-directional DNS tunnels may be created using a browser and fine-grained JavaScript manipulation. Secondly, I will show my work in detecting DNS tunnels using n-gram frequency analysis.

Grant Bugher

Secure Use of Cloud Storage

Cloud storage systems like Microsoft's Windows Azure Storage and Amazon's Simple Storage Service allow web sites and services to cheaply store large amounts of data and make it available in a controlled manner. However, as with traditional methods of data storage and retrieval (such as SQL-based relational databases), application authors must take care to use cloud storage systems correctly to avoid unauthorized data access or tampering. This presentation will cover a variety of attacks on applications using cloud storage, such as enumeration and REST/SOAP injection, to show how the same effects as a SQL injection attack may be realized on an application using a cloud storage system, as well as how developers can protect themselves from these attacks.

Elie Bursztein, Baptiste Gourdin & Gustav Rydstedt

Bad memories

No matter which kind of cryptography you are using to defend your network, , sooner or later to make it work you will have to store somewhere a password, a key or a certificate. If the attacker is able to tamper with its storage mechanism then even the strongest encryption mechanism became irrelevant.

In this talk we will show how to attack storage mechanisms to tampers with SSL session and break into Wifi network that use WPA encryption. For SSL we will show how to exploit warning inconsistency and caching mechanisms to trick the user into accepting a bad cert and gets his credential stolen. For Wifi network we will demonstrate how to use clickjacking, CSRF, and XSS to steal from routers the two piece of information that an attacker needs to geo-localize and break into it, namely the WPA key and the mac address. Finally we will discuss how to discuss what frame busting defense are used by the Alexa top 100 website and how we were able to break them using standard and not so standard tricks. This is a join work with Dan Boneh and Collin Jackson.

David Byrne, Charles Henderson

GWT Security: Don’t get distracted by bright shiny objects

The Google Web Toolkit (GWT) produces some of the slickest web-based applications out there; it’s easy to understand why it has been gathering popularity. But there’s obviously more to writing a secure application than making the UI nice and shiny. The framework’s functionality is not limited to GUI controls - it also has significant support for remote procedure calls. The browser-side code is implemented entirely in JavaScript that the GWT generates from developer-written Java code. While GWT RPC can be implemented securely, many developers either rely on the JavaScript obfuscation, or don’t realize how their Java code is going to be split between the server & client. Either way, insecure GWT remoting is very common.

This presentation will demonstrate how to exploit common vulnerabilities in GWT applications, particularly with RPC functionality. Non-human readable format of the JavaScript makes penetration testing GWT applications very time consuming. To aid with testing, the presenters are releasing REGWT, a tool to reverse engineer GWT applications. It will allow a pen tester to map out GWT RPC methods that would otherwise be hidden and easily test them for various vulnerabilities.

Cesar Cerrudo

Token Kidnapping's Revenge

On April 14, 2009 Microsoft released a patch (documented here) to fix the issues detailed in my previous Token Kidnapping presentation (download PDF). The patch properly fixed the issues but...

This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7. These new attacks allow to bypass new Windows services protections such as Per service SID, Write restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to Local System account and completely compromise Windows OSs. While the issues are not critical in nature since impersonation rights are required, they allow to exploit services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploits code for those services will be released. The presentation will be given in a very practical way showing how the new issues were found, with what tools, techniques, etc. allowing the participants to learn how to easily find these kind security issues in Windows operating systems.

Greg Conti, Sergey Bratus

Voyage of the Reverser: A Visual Study of Binary Species

When analyzing large binary objects such as process memory dumps, proprietary data files, container file formats, and network flow payloads, security researchers are limited by the tiny textual window a hex editor and common command line utilities typically provide.

To the uninitiated, these objects may appear to be homogeneous, but -- as reverse engineers know -- in reality they consist of many diverse parts: text, images, compressed data, encrypted regions, audio samples, data structures, and much more. Some of these parts are instantly recognizable to a seasoned reverser, and the nature of others (e.g., compressed data) may be guessed when suitably depicted. Yet, visual classification remains arcane and unaided by convenient tools that would both present objects at a glance and help segment them.

The authors of this talk attempt to remedy this. The authors have laboriously gathered, cataloged, and studied forms of binary structure and will present a (concise) "visual dictionaries" of the binary structures you find in the wild and in the lab. You will see and understand the constituent parts found within binary objects, essential knowledge for the reverser, forensic analyst, and security researcher. You will be far better prepared to dissect proprietary data files, conduct memory forensics and deeply analyze any large binary object you may encounter.

Claudio Criscione

Virtually Pwned: Pentesting Virtualization

Virtualization systems are nowadays ubiquitus in enterprises of any size. Penetration testers and security auditors, however, often overlook virtualization infrastructures, simply looking at the virtual machines without any direct analysis of the underlying solution, not to mention those analyses simply marking virtual environments as "not-compliant".

A different, new approach is required to assess such systems, defining new targets and new ways to get there. This talk will outline procedures and approaches, complete with tools and demos, to execute a penetration test or a design review on virtualization enviroments. Security experts eager to know more about these systems and sysops willing to protect their own fortress will find this talk interesting

Tom Cross

Unauthorized Internet Wiretapping: Exploiting Lawful Intercept

For many years people have been debating whether or not surveillance capabilities should be built into the Internet. Cypherpunks see a future of perfect end to end encryption while telecom companies are hard at work building surveillance interfaces into their networks. Do these lawful intercept interfaces create unnecessary security risks?

This talk will review published architectures for lawful intercept and explain how a number of different technical weaknesses in their design and implementation could be exploited to gain unauthorized access and spy on communications without leaving a trace. The talk will explain how these systems are deployed in practice and how unauthorized access is likely to be obtained in real world scenarios. The talk will also introduce several architectural changes that would improve their resilience to attack if adopted. Finally, we'll consider what all this means for the future of surveillance in the Internet - what are the possible scenarios and what is actually likely to happen over time.

Arshan Dabirsiaghi

JavaSnoop: How to hack anything written in Java

Anybody who has assessed anything with a thick Java client has probably been frustrated beyond belief and unhappy with their coverage, but that's only because this tool hasn't been released yet. We created a tool that allows you to easily jump into any JVM on your machine, and tamper with class bytecode, method parameters, return values - without requiring any pesky original source code, or the most elusive artifact - skill! What happens when that applet you want to hack uses serialized objects over a custom encryption scheme, and you have 40 hours to break it? Theoretically, you know that's not good enough, but who cares about "theoretically"? JavaSnoop will allow you to intercept calls inside the JVM for tampering with data before it gets to the network, while its still in object form! What happens when that fancy desktop tool you have has an expired license? JavaSnoop will allow you to make that isLicensed() check return the value you want, instead of the value you didn't pay for. All this in a nice, portable GUI tool. I can't wait to enable you!

Dino Dai Zovi

Return-Oriented Exploitation

The latest advances in exploitation of memory corruption vulnerabilities revolve around applying return-oriented exploitation techniques to evade non-executable memory protections such as Microsoft's Data Execution Prevention (DEP), CPU-supported non-executable memory (NX/XD), and mandatory code-signing such as on iPhone OS. Although the ideas behind these exploitation techniques can be traced quite far back, they are receiving more attention as non-executable memory protections become more prevalent. This presentation will cover the current state of memory corruption exploitation and exploit mitigation as well as an in-depth discussion of a variety of return-oriented exploitation techniques. Finally, the presentation will discuss what ramifications return-oriented exploitation techniques have for exploit developers, software vendors, malware analysts, and enterprise IT security professionals.

Neil Daswani

mod_antimalware: a novel apache module for containing web-based malware infections

Drive-by downloads planted on legitimate sites (e.g., via "structural" and other vulnerabilities in web applications) cause web sites to get blacklisted by Google, Yahoo, and other search engines and browsers. In this talk, I describe the technical architecture and implementation of mod_antimalware, a novel, open-source containment technology for web servers that can be used to 1) quarantine web-based malware infections before they impact users, 2) allow web pages to safely be served even while a site is infected, and 3) give webmasters time to recover from an attack before their web sites get blacklisted by popular search engines and browsers.

Michael Davis

Security is not a four letter word

When security professionals talk with executives about security a four letter word normally comes to their mind – COST. During the economic downturn of 2008 and 2009, we saw flat budgets for security, layoffs, and more work to be done even though there was a marked increase of investment into so called “malicious” entities that commit fraud, identity, theft and other crimes through the use of malware and other attack vectors(Social networks, etc). Security professionals are left in a precarious position in that they are more concerned about the sophistication of recent attacks than ever and feel that their existing technology won’t combat the new threats. Since the tools and technologies they have won’t help the newest threats they are fighting, the security professionals must ask for additional funding to procure the new technology and that is where the problem starts. Most security professionals are like a deer in front of headlights when they need to justify or communicate additional investment in security. It is not their fault though as most education for security professionals never talks about IT security metrics, how to communicate security value, and, even though it is a soft skill, how to talk with executives.

This paper and presentation aims to change this. IT Security metrics are a growing topic for many security organizations as they flay about looking for ways to communicate the reasons why the business should provide additional funding to the security team when many executives simply assume that if the threat didn’t happen last year, it won’t happen this year.

In June 2010, we will be launching the last step in our research of this topic. We will leverage the readership of InformationWeek, of the largest IT magazines, and survey the IT security professionals to learn what metrics they are use, why they are using them, what is and is not working, and how the communicate to their executive management. We will take this survey data in addition to the data from a many interviews with CSOs and IT Security process engagements with clients over the past year and half to educate the attendees on the best practices to address this growing problem.

Our research to data has shown some amazing trends that we believe will surprise attendees and change the way the currently “sell” security to their management. For example, we found that the organizations that had the highest continued investment in security usually did not have that investment lead by IT Security. That’s right, the more IT security was “out of the equation” the more likely the organization was to actually provide funding. Of course, the devil is in the details and we found that this is because the committee or team that proposed new IT security investments was usually made up of 3-5 people with only one person being an IT Security representative. The format of their meetings in which they reviewed IT security progress and potential needs for investment focused on educating the other 2-4 members of the committee about the security value through the use of real-world business applicable scenarios that actually involved the team members of the executives in the room, and most importantly, was mapped to business strategy. There is an overwhelming correlation between the linkage of business strategy and IT Security to successfully funded organizations in our research.

Linking security metrics, which is normal esoteric and very technically oriented, to strategic business objectives is difficult for many security professionals but leveraging the approach of using the Balanced Score Card business strategy method, but adapting it to IT security, has shown to be the key factor for making the link occur.

Within our presentation we will provide a step by step process to building and implementing an IT security Metrics program, tying that program to Business strategy using the Balanced Score Card method (the most used method for documenting and quantifying business strategy), and then provide case studies, and results from our interviews and survey, to educate the attendees on how to communicate effectively in the board room when asking for security investment.

Although we will release results of our interviews and survey’s, the focus is education through case studies and the best practices we have found to work when implementing the three areas of security required to effectively communicate security value: Measurement, Business Justification, and Communication skills.

This is the missing link for most security professionals to take their career to the next level.

Mariano Nuñez Di Croce

SAP Backdoors: A ghost at the heart of your business

In any company, the ERP (Enterprise Resource Planning) is the heart of the business technological platform. These systems handle the key business processes of the organization, such as procurement, invoicing, human resources management, billing, stock management and financial planning. Among all the ERPs, SAP is by far the most widely deployed one, having more than 90.000 customers in more than 120 countries and running in Fortune 100 companies, governmental and defense organizations.

The information stored in these systems is of absolute importance to the company, which unauthorized manipulation would result in big economic losses and loss of reputation.

This talk will present an old concept applied to a new paradigm: SAP Backdoors. We will discuss different novel techniques that can be deployed by malicious intruders in order to create and install backdoors in SAP systems, allowing them to retain access or install malicious components that would result in imperceptible-and-ongoing financial frauds.

After the description of these techniques, we will present the countermeasures that should be applied in order to avoid these attacks and protect the business information, effectively reducing financial fraud risks and enforcing compliance.

Furthermore, we will release a new Onapsis free tool that will help security managers to automatically detect unauthorized modifications to SAP systems.

Is your SAP backdoored? If your answer is "I don’t know," you may consider attending to this talk.

Chris Eng, Brandon Creighton

Deconstructing ColdFusion

ColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation is a technical survey of ColdFusion security that will be of interest mostly to code auditors, penetration testers, and developers.

In the talk, we’ll cover the history of the ColdFusion platform and its relevance to today’s security landscape. We’ll describe basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities in the source code.

We’ll also delve into ColdFusion J2EE internals, showing what CFML pages and components look like when compiled down to Java, and describing some of the unusual behavior we’ve observed at that level. Included in the talk is a detailed description of the WAR/EAR structure for compiled ColdFusion apps. We'll release open-source tools to aid reverse engineers in working with ColdFusion's proprietary classfile format.

Patrick Engebretson, Kyle Cronin & Dr. Josh Pauli

SprayPAL: How capturing and replaying attack traffic can save your IDS

Testing Intrusion Detection Systems (IDS) to ensure the most malicious attacks are detected is a cornerstone of these systems, but there is no standardized method to execute these tests. Running live exploitations is not always a viable option – especially when the rule set isn’t finalized, and clients are often nervous about the use of “hacker tools” on their networks. Furthermore, educators struggle to teach IDS concepts as a standalone principle without teaching attack methodologies at the same time. We are releasing two artifacts to help solve these problems. First we introduce PAL, a PCAP Attack Library full of individual pre-captured attack files that can be easily replayed for IDS testing and education. This library is completely preassembled, clean, and extendable to include further additions of attacks. Our initial library is created from the findings in the Common Attack Pattern Enumeration Classification (CAPEC) from the Department of Homeland Security. Second, we introduce SprayPAL, a software tool that we’ve developed to replay the PCAP attack library files. Users can send attacks to a specific target or broadcast to an entire subnet of machines. Additional features include the ability to select individual or multiple simultaneous attacks as well as provide layer 2 and 3 packet level manipulation. We conclude by presenting a methodology for capturing attacks and adding them to the public library. Both our PCAP attack library and SprayPAL tool will be released at Black Hat 2010 to the general public.

Stefan Esser

Utilizing Code Reuse/Return Oriented Programming in PHP Web Application Exploits

In 2009 one of the hottest topics has been code reuse and return oriented programming as means to bypass exploitation mitigation features in modern operating systems. We have seen ROP being applied to x86, SPARC, ARM and even election machines. Time has come to take ROP into the world of web application security.

This presentation consists of two parts that will apply code reuse and ROP techniques to modern PHP exploits. The first part will show how ROP is applied entirely at the PHP level, reusing code parts of the already running PHP application to eventually achieve arbitrary code execution. It will be detailed how different PHP vulnerability classes can be used for these attacks, demonstrating some lesser known facts and tricks in PHP exploitation on the way.

The second part of the presentation will go below the PHP level and feature a previously unknown memory corruption in PHP itself that is exposed to remote attackers through several widespread PHP applications. It will be demonstrated step by step how it is possible to develop a remote exploit for this vulnerability, defeating ASLR and NX/DEP on the way, by utilizing an information leak and returning into the PHP interpreter to execute arbitrary PHP code.

Esteban Martínez Fayó

Hacking and protecting Oracle Database Vault

Oracle Database Vault was launched a few years ago to put a limit on DBAs unlimited power especially over highly confidential data where it is required by regulations. This presentation will show how this add-on product for Oracle Database performs on this difficult task, first giving an introduction to DB Vault and what protections does it brings, then showing with many examples how it is possible to bypass the protections provided.

The attacks demonstrated include getting operating system access to disable DB Vault, SQL Injection and impersonation techniques to bypass DB Vault protections and how it is possible using simple exploits to circumvent DB Vault. These attack examples are accompanied by recommendations on how to protect from them. Also the presentation shows some issues with native database auditing and has a section with additional recommendations to secure DB Vault and conclusions.

Ben Feinstein, Jeff Jarmoc & Dan King

The Emperor Has No Clothes: Insecurities in Security Infrastructure

Your security infrastructure (firewalls, IDS/IPS devices, management consoles, etc.) holds a very sensitive position of trust. This equipment is relied upon to reliably perform security critical functions under potentially hostile conditions. These are highly valuable assets to an attacker, yet their value is sometimes not captured by conventional risk management. This presentation will explore several new vulnerabilities and weaknesses in these products, with the goal of offering useful recommendations and approaches for mitigating the risk.

This presentation explores a series of vulnerabilities and weaknesses in security infrastructure that we discovered and responsibly disclosed. We’re in the business of managing and monitoring this gear for our clients, so we have great familiarity with all aspects of its operation. We've found that security infrastructure appears to be just as prone to security vulnerabilities as other commercial software, if not more so.

Daniel King discovered McAfee Network Security Manager (the web-based management appliance for McAfee IPS sensors) was vulnerable to authentication bypass / session hijacking (CVE-2009-3565) and cross-site scripting (CVE-2009-3566) vulnerabilities. We’ll demonstrate a proof-of-concept attack scenario that blends these vulnerabilities to gain unauthorized access to the NSM web management interface through cookie stealing and hijacking an administrator’s session.

Jeff Jarmoc discovered an access-control list (ACL) bypass vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco PIX (CVE-2009-1160, Cisco Bug ID CSCsq91277). These devices would fail to apply the expected implicit deny behavior for packets that did not match any ACEs in an ACL.

The TLS renegotiation vulnerability publicly disclosed in November 2009 (CVE-2009-3555) impacted many products, including Cisco Adaptive Security Device Manager (ASDM) (Cisco Bug ID CSCtd00697). We will demonstrate a never before seen proof-of-concept attack that exploits the TLS authentication gap to achieve arbitrary command injection against the Cisco ASDM web-based management interface. A man-in-the-middle may arbitrarily manipulate the ASA policies managed by an ASDM by exploiting the TLS authentication gap. Cisco fixed this in a general deployment release on January 11, 2010 with version 8.2(2). If you haven’t patched before seeing this demo, you will want to afterward!

Using these vulnerabilities and weaknesses as illustrative examples, we will offer real-world recommendations for on how to better secure your organization’s security infrastructure. Some recommendations include ruling your security infrastructure as within scope during penetration testing and security assessment activities, including product security in your organization’s purchasing and product evaluation processes, and somewhat ironically, deployment of security products in the role of compensating controls for potential vulnerabilities in other parts of your organization’s security infrastructure.


Blitzableiter - the Release

The talk presents a simple but effective approach for securing Rich Internet Application (RIA) content before using it. Focusing on Adobe Flash content, the security threats presented by Flash movies are discussed, as well as their inner workings that allow such attacks to happen. Some of those details will make you laugh, some will make you wince. Based on the properties discussed, the idea behind the defense approach will be presented, as well as the code implementing it and the results of using it in the real world.

After a year of development, we hope to release a working tool to the world, so you can apply the defense technique to your web browser.

Fyodor, David Fifield

Mastering the Nmap Scripting Engine

Most security practitioners can use Nmap for simple port scanning and OS detection, but the Nmap Scripting Engine (NSE) takes scanning to a whole new level. Nmap's high-speed networking engine can now spider web sites for SQL injection vulnerabilities, brute-force crack and query MSRPC services, find open proxies, and more. Nmap includes more than 125 NSE scripts for network discovery, vulnerability detection, exploitation, and authentication cracking.

Rather than give a dry overview of NSE, Fyodor and Nmap co-maintainer David Fifield demonstrate practical solutions to common problems. They have scanned millions of hosts with NSE and will discuss vulnerabilities found on enterprise networks and how Nmap can be used to quickly detect those problems on your own systems. Then they demonstrate how easy it is to write custom NSE scripts to meet the needs of your network. Finally they take a quick look at recent Nmap developments and provide a preview of what is soon to come. This presentation does not require any NSE experience, but it wouldn't hurt to read

Lurene Grenier, Richard Johnson

Harder, Better, Faster, Stronger: Semi-Auto Vulnerability Research

Much work has been presented in the past few years concerning bug discovery through fuzzing. Everything from the feasibility of exhaustive generation fuzzing, to the continued productivity of simple mutation fuzzing has been covered. This talk will assume finding bugs is a foregone conclusion, and instead discuss the pre and post fuzzing process necessary to efficiently analyze vulnerabilities for a given program to the stage where exploitability has a high confidence, and exploitation can be handed off or undertaken in house. This process will be driven by intelligent, analyst driven automation, with a focus on the continued production of exploitable bugs with a minimum of wasted effort.

Jeremiah Grossman

Breaking Browsers: Hacking Auto-Complete

Did you know a malicious website, laced with javascript malware, can steal passwords for other websites stored in Firefox’s password manager using nothing but garden variety Cross-Site Scripting? How about javascript’s ability to mine out HTML form auto-complete data in Internet Explorer 6 and 7 (about one-third of the Web), which could be used to reveal a users first name, last name, aliases, email addresses, physical address, etc? What about forcing Web browsers to evict all of their cookies—thereby automatically logging users out of all their current sessions, delete tracking cookies, and so on?

Technically speaking, all of these Web hacking techniques and others are publicly documented, only just not very well-known or advertised. For whatever reason they've been ignored by the browser vendors and Web security researchers. Time to bring them up to the surface.

Live demos on display!

The Grugq

Base Jumping: Attacking GSM Base Station Systems and mobile phone Base Bands

Recent technological advances have placed GSM tools within the reach of today's security researchers and hackers. It is finally possible to directly explore the lowest levels of the GSM stack.

This talk focuses on both sides of the GSM network where the users and network directly interact: the Um (air) interface.

The primary technological focus of this talk is on the exposed interfaces between the GSM networks and users. This covers the base station system -- the network components which communicate with mobile phones -- and the base band -- the component of the mobile phone which communicates with the network.

During the talk the two main components of the attack system will be demoed - malicious basestations and malicious basebands. The base station enables fuzzing mobile phone basebands, as well as other attacks. The baseband is used to test GSM network equipment for flaws, as well as exploit backend systems.

Trust us, you'll *want* to turn off your phone for the duration of this talk!

Nathan Hamiel, Marcin Wielgoszewski

Constricting the Web: Offensive Python for Web Hackers

It seems that everything is a web application nowadays. Whether the application is cloud-based, mobile, or even fat client they all seem to be using web protocols to communicate. Adding to the traditional landscape there is rise in the use of application programming interfaces, integration hooks, and next generation web technologies. What this means for someone testing web applications is that flexibility is the key to success. The Python programming language is just as flexible as today’s web application platforms. The language is appealing to security professionals because it is easy to read and write, has a wide variety of modules, and has plenty of resources for help. This additional flexibility affords the tester greater depth than many of the canned tests that come with common tools they use on a daily basis. Greater familiarity plus flexible language equals tester win!

In this presentation we introduce methods with which to create your own clients, tools, and test cases using the Python programming language. We want to put testers closer to the conditions in which they are testing for and arm them with the necessary resources to be successful. We also discuss interfacing with current tools that people commonly use for web application testing. This allows for pinpoint identification of specific vulnerabilities and conditions that are difficult for other tools to identify.

Robert Hansen, Josh Sokol

HTTPS Can Byte Me

HTTPS was created to protect confidentiality and prove integrity of content passed over the web. It has essentially become the de-facto standard for internet commerce transport security. Over the years a number of exploits have attacked the principle, underlying PKI infrastructure and overall design of HTTPS. This presentation will drive another nail in the HTTPS coffin through a number of new exploitation techniques leveraging man-in-the-middle attacks; the goal of which is to break confidentiality and integrity of HTTPS traffic. The impact of these flaws suggests a need for changes in the ways we protect the transmission of data online.

Nick Harbour

The Black Art of Binary Hijacking

This presentation will unveil a new tool for hijacking executables and discuss the underlying techniques it uses. Binject is a tool that can be used by pen-testers to establish a persistent foothold on a compromised host through trojanizing a system binary, or anyone with a burning desire to add functionality to a compiled program. Original techniques for process injection developed for this tool will be discussed in detail.

Craig Heffner

How to Hack Millions of Routers

This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router's internal-facing administrative interface. Unlike other DNS rebinding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, internal IP address, host name, etc, and does not rely on any anti-DNS pinning techniques, thus circumventing existing DNS rebinding protections.

A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim's router in real time, just as if the attacker were sitting on the victim's LAN. This can be used to exploit vulnerabilities in the router, or to simply log in with the router's default credentials. A live demonstration will show how to pop a remote root shell on Verizon FIOS routers (ActionTec MI424-WR).

Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.

Christofer Hoff

CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity

Mass-market, low-cost, commodity infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scaleable capabilities.

This "abstraction distraction" has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility.

The fundamental re-architecture of the infostructure, metastructure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity -- protecting the stuff that matters most in the first place.

The problem is that we're unprepared for what this means and most practitioners and vendors focused on the walled garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security in a disintermediated and distributed sets of automated, loosely-coupled resources.

We're going to cover the most salient points relating to how IaaS Cloud architecture shifts how, where and who architects, deploys and manages security in this "new world order" and what your options are in making sustainable security design decisions.

Greg Hoglund

Malware Attribution: Tracking Cyber Spies and Digital Criminals

Corporate, state, and federal networks are at great risk and a decade of security spending has not increased our security. Hundreds of thousands of malware samples are released daily that escape undetected by antivirus. Cyber-spies are able to take intellectual property like source code formulas and CAD diagrams at their whim. We are at a crisis point and we need to rethink how we address malware.

Malware is a human problem. We can clean malware from a host but the bad guy will be back again tomorrow. By tracing malware infections back to the human attacker we can understand what they are after, what to protect, and counter their technical capabilities. Every step in the development of malware has the potential to leave a forensic toolmark that can be used to trace developers, and ideally can lead to the operators of the malware. Social cyberspaces exist where malware developers converse with one another and their clients. A global economy of cyber spies and digital criminals support the development of malware and subsequent monetization of information. This talk focuses on how code artifacts and toolmarks can be used to trace those threat actors.

We will study GhostNet and Aurora, among others. Example toolmarks will include compiler and programming language fingerprints, native language artifacts (was it written for Chinese operators, etc), mutations or extensions to algorithms, command and control protocols, and more. We will discuss link analysis (using Palantir, etc) against open-source data such as internet forums and network scans. Ultimately this information will lead to a greater understanding of the malware operation as a whole, and feeds directly back into actionable defenses.

Wayne Huang, Caleb Sima

Drivesploit: Circumventing both automated AND manual drive-by-download detection

This year saw the biggest news in Web security ever­—Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in oogle’s compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government. Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads. If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google’s) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.

We will reveal for the first time, in this conference, some very advanced techniques that is almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit—a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection.

At the very beginning of our talk, we will be giving out a page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase.

Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injection—such as Google’s aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90’s. All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.

Alex Hutton, Allison Miller

Ushering in the Post-GRC World: Applied Threat Modeling

Risk management at a systemic level is complicated enough that many organizations deem it practically impossible. Yet constructing and applying risk and threat models appropriately is the cornerstone for any successful security program; since they focus energy on 1) what needs to be protected and 2) how much investment is needed. In this talk Alex Hutton and Allison Miller will show how risk models can be translated from the white-board to implementation.

Mikko Hypponen

You will be billed $90,000 for this call

Computers do not have a built-in billing system. Phones do: it's called the phone bill. We have already seen the first examples of money-making malware that infects various types of smartphones. This talk will go into details of the currently known smartphone trojans that either place calls or send text messages to expensive premium-rate numbers. How does this work technically? Which platforms are at risk? What kind of premium-rate numbers are the criminals using? How do they route the money back to them without getting caught? And what can we do about this before it gets worse?

Vincenzo Iozzo, Tim Kornau & Ralf-Philipp Weinmann

Everybody be cool this is a roppery!

Return-oriented programming is one of the most advanced attack techniques available today. This talk presents algorithms which allow an attacker to search for and compose gadgets regardless of the underlying architecture using the REIL meta language. We show a return-oriented compiler for the ARM architecture as a proof-of-concept implementation of the algorithms developed and discuess applications to the iPhoneOS platform. This compiler accepts inputs in an assembly-like language, simplifying the otherwise tedious gadget selection process by hand. Thus enabling the researcher to focus on the other parts of successful exploitation by minimizing the shellcode development time.

Barnaby Jack

Jackpotting Automated Teller Machines Redux

The presentation "Jackpotting Automated Teller Machines" was originally on the schedule at Black Hat USA 2009. Due to circumstances beyond my control, the talk was pulled at the last minute. The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks.

I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat.

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

Last year, there was one ATM; this year, I'm doubling down and bringing two new model ATMs from two major vendors. I will demonstrate both local and remote attacks, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

Samy Kamkar

How I Met Your Girlfriend

How I Met Your Girlfriend: The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.

Dan Kaminsky

Black Ops Of Fundamental Defense: Web Edition

Lets be honest: Year in, year out, we keep finding the same bugs in the same places, and wondering: Why don't they learn? Why don't developers use these beautiful tools we provide them -- parameterized queries, XSRF tokens, X.509 certificates, and escapes in all their glorious forms? I will tell you: It is because these tools are not very good. And they are not very good, because their quality simply has not mattered. Security demands, devs implement, and if devs don't implement, security complains. And six months later, it's the same bugs, in the same places, by the same devs. It doesn't have to be this way. In this talk, I will discuss the theory that most classes of security flaws are actually symptoms of deeper causes. Furthermore, I will present attempts at addressing these causes. Specific areas of investigation will include potential answers to questions, specifically: 1) Why can't we keep code and data separate? 2) Why can't we log into web sites? 3) Why can't we authenticate across organizational boundaries? By answers, I mean code, and by code, I mean _a lot_ of code. I will not provide any assurances that the code is secure -- only extended peer review can do that -- but I want to show another way of doing things. This talk is going to be packed with live demos.

David Kane-Parry

More Bugs In More Places: Secure Development On Moble Platforms

Nothing succeeds like success, and with the attention garnered by Apple’s App Store, many companies are either looking to port existing applications to or develop exclusive applications for the top mobile platforms: Blackberry, iPhone, Windows Mobile, and Android. Each of these platforms provides the would-be developer with a SDK to do the heavy-lifting of coding, but can they be trusted to carry that weight? Just as some languages make it easier or harder to develop secure applications, so it is with SDKs. One SDK may provide robust cryptographic functions, another may restrict hardware access, and yet another may enforce strict memory management. This talk will compare the top four SDKs in terms of the security features they provide and lack, to help new mobile developers decide which is the safest and most dangerous for their applications.

Rami Kawach

NEPTUNE: Dissecting Web-based Malware via Browser and OS Instrumentation

Increased built-in security and robust standard configurations have made the classical operating system vulnerabilities a rare occurrence. Malware authors have been forced to switch to alternative channels to get their malicious software installed. One of the main delivery mechanisms is the “drive-by-download”: malware is placed on websites and visiting users get infected through their browser, either by attacking a vulnerability in the browser itself; or in one of the common extension or plug-ins.

NEPTUNE is the code name for a project sponsored by Qualys to build an automatic malware analysis engine and deliver it as a free tool for the industry. NEPTUNE intercepts key method invocations within Internet Explorer’s TRIDENT rendering engine and reverse engineers its internal data structures in order to trace JavaScript execution. We further hook all relevant operating system entry points in order to monitor browser process activity and network traffic. This allows us to detect any malicious behavior of the browser during the rendering of the page and de-obfuscates layer by layer all JavaScript. We rely heavily on the DETOURS package, which is a Microsoft library for intercepting arbitrary Win32 binary functions on x86 machines.

We will step through two real world examples of web based attacks, one using a JavaScript vector, the other exploiting a weakness in Adobe’s Acrobat Reader. We enumerate the APIs necessary to detect and de-obfuscate the attack. We also will discuss in detail the DETOURS library in comparison with traditional API hooking, and points out its strengths and its shortcomings and what was required to overcome them.

We will then investigate and compare NEPTUNE’s main strategies for the detection of malware: static analysis that applies heuristics vs. a purely behavioral model. Both methods have pros and cons and we will demonstrate advantages and disadvantages of both approaches discussing accuracy, complexity and performance.

In conjunction with the presentation we will release a free web based tool that can be used by anyone to determine the malware status of single web page. Reports will contain a full breakdown of the page in question, including de-obfuscated JavaScript, Reputation scores by host and results of the behavior analysis. An API will also be released in conjunction for larger scanning needs.

Nathan Keltner, Tim Elrod

Adventures in Limited User Post Exploitation

Just how much damage *can* be done with EIP under a non-Administrative Windows environment? Much, much more than you likely think. Through new techniques and live examples, attendees will be guided through the modern day attack surface of a restrictive corporate Windows world. Based purely on the Windows privilege model, demonstrations and new code will cover techniques related to collecting and replaying passwords and password hashes, destroying the browser trust model, attacking the network and the domain, and more, all without administrative access.

Moving into a world of Windows Vista, 7, and hardened XP environments, the days of easily popping shells with Admin access are becoming less common. When a Limited User is exploited via a client side vulnerability, damage is often believed to be lessened due to the inability of attacker code to access sensitive portions of the OS, such as those containing passwords and password hashes, without an additional privilege escalation exploit. Despite conventional wisdom from vendors and security press, taking your users out of the 'Local Administrators' OU doesn't mean your environment is magically protected from privilege-agnostic attackers.

David Kennedy, Joshua Kelley

Microsoft Powershell - It's time to own

Microsoft Powershell is an extensible and powerful arsenal to any systems administrator... and hacker. Now being installed by default in Server 2008, Windows 7, and optional in other operating systems, Powershell is something that will be a prevalent default on the most popular operating systems going forward. Since Microsoft removed our method of delivering malicious payloads on a system through Windows debug, we got creative. Through this presentation, we will release two working payloads (bind and reverse) written purely in Powershell and the ability to deliver whatever payload you want onto the operating system and execute. We'll also be releasing a Metasploit auxiliary module utilizing this new attack vector the day of the talk. Also included in this talk is ways of bypassing the execution restrictions which requires no modifications to the operating system to execute powershell backdoors. Lastly, there will be discussion on the future of Powershell and how we can use it for more advanced attack vectors going forward.

Nate Lawson, Taylor Nelson

Exploiting timing attacks in widespread systems

Much has been written about timing attacks since they first appeared over 15 years ago. However, many developers still believe that they are only theoretically exploitable and don't make it a priority to fix them.

We have notified vendors who declined to fix timing attacks for this reason. Thus, they won't have any problem with us using their applications as a demo for how to effectively exploit timing attacks, right?

This talk will show how we exploited timing attacks in common frameworks (such as the Java crypto framework). We will provide experimental evidence on what filtering techniques work best for dealing with network and host jitter to decrease attack time.

Finally, we will show the current limits of exploitability and give predictions about whether attackers or defenders will benefit more from future technology advances such as multicore systems and virtualization.

Long Le

Payload already inside: data re-use for ROP exploits

Return-oriented programming (ROP) is one of the buzzing advanced exploitation techniques these days to bypass NX. There are several practical works using ROP techniques for exploitations on Windows, iPhoneOS to bypass DEP and code signing but no any practical ROP work for modern Linux distributions so far. Main issues for ROP exploitations on Linux x86 include ASCII-Armor address protection which maps libc address starting with NULL byte and Address Space Layout Randomization (ASLR).

In this presentation we will show how we can extend an old return-into-libc technique to a stage-0 loader that can bypass ASCII-Armor protection and make ROP on Linux x86 become a reality. In addition, by reusing not only codes but also data from the binary itself, we can build any chained ret2libc calls or ROP calls to bypass ASLR protection. A new ROP tool to build and search for ROP instructions will be released in the presentation.

Anthony Lineberry, David Luke Richardson
& Tim Wyatt

These Aren't the Permissions You're Looking For

The rise of the robot revolution is among us. In the past year Android has stepped up to become a leader in the world of mobile platforms. As of early may the platform has surpassed the iPhone in market share at 28%. Third party trackers for the Android Market have reported upwards of 50,000 apps available now. The Android security model relies heavily on its sandboxed processes and requested application permissions. It survived the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means. We aim to explore novel techniques for attacks based around abuse of the permission system. Both in performing opperations sans appropriate permissions, as well as abusing granted permissions outside of their scope. We'll be demonstrating various ways to hijack input, steal sensitive information, and many other ways to break the rules put in place by our new robot overlords.

Kevin Mahaffey, John Hering

App Attack: Surviving the Mobile Application Explosion

The mobile app revolution is upon us. Applications on your smartphone know more about you than anyone or anything else in the world. Apps know where you are, who you talk to, and what you're doing on the web; they have access to your financial accounts, can trigger charges to your phone bill, and much more. Have you ever wondered what smartphone apps are actually doing under the hood? We built the largest-ever mobile application security dataset to find out.

Mobile apps have grown tremendously both in numbers and capabilities over the past few years with hundreds of thousands of apps and billions of downloads. Such a wealth of data and functionality on each phone and a massive proliferation of apps that can access them are driving a new wave of security implications. Over the course of several months, we gathered both application binaries and meta-data about applications on the most popular smartphone platforms and built tools to analyze the data en masse. The results were surprising. Not only do users have very little insight into what happens in their apps, neither do the developers of the applications themselves.

In this talk we're going to share the results of our research, demonstrate a new class of mobile application vulnerability, show how we can quickly find out if anyone in the wild is exploiting it, and discuss the future of mobile application security and mobile malware.

Moxie Marlinspike

Changing Threats To Privacy: From TIA To Google

A lot has changed since discussions around digital privacy began. The security community won the war for strong cryptography, anonymous darknets have been successfully deployed, and much of the communications infrastructure has been decentralized. These strategies were carefully conceived while planning for the most dystopian visions of the future imaginable, and yet somehow they've fallen short of delivering us from the most pernicious privacy threats today. Rather than a centralized state-backed database of all our movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.

Haroon Meer

Memory Corruption Attacks: The (almost) Complete History...

Buffer Overflows, Stack Smashes and Memory Corruption Attacks have been the info sec headline stealers for the better part of 3 decades. Sadly, poor record keeping (and dismal regard for attribution of prior research) has resulted in huge gaps in our "hacker folklore". It has also resulted in several re-inventions of the wheel.

This talk traces the history of memory corruption attacks and defenses, from the Morris Worm of 1988 to the awesome Pointer Inference work published by Blazakis in 2010. We will demonstrate with code samples, live demo's (and pretty pictures) the progression of these attacks, how they work, when they first came to light, and the mitigations that have been developed and deployed to thwart them.

* For the most part we focus on the Windows & Linux on the X86 Platform.

Leandro Meiners, Diego Sor

WPA Migration Mode: WEP is back to haunt you...

Cisco access points support WPA migration mode, which enables both WPA and WEP clients to associate to an access point using the same Service Set Identifier (SSID). If WEP clients are still around, we can use the traditional WEP cracking arsenal against them. Therefore, we focused on analyzing the consequences of having this feature enabled when no WEP clients are present; for example after the migration to WPA has been carried out but this feature has been left enabled. We found that it is possible for an attacker to crack the WEP key under this scenario (i.e. no WEP clients). Once the key is recovered, it is possible to connect to the access point using this key (as it is operating in WPA migration mode) and access the network.

Charlie Miller, Noah Johnson

Crash Analysis using BitBlaze

You’ve fuzzed your favorite application and found a mountain of crashes, now what? BitBlaze is an open source binary analysis platform which can perform whole system taint tracing, dynamic symbolic execution, as well as static analysis. Using BitBlaze, it is possible to determine, upon application crash, which registers and memory locations are tainted from the fuzzed input and in what ways they are used. Furthermore, this taint information can give a level of understanding on what went wrong with the program and why, reducing crash analysis from days to hours and sometimes minutes. In this talk, we present BitBlaze as well as walk through real life case studies of its use.

Shawn Moyer, Nathan Keltner

Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios

If you haven't just emerged from a coma, you probably have some idea of the multifaceted attack surface that the inevitable modernization of power transmission and distribution is rapidly introducing.

What you may *not* be thinking about just yet, though, is the path much of that attack surface travels on... The air around you.

Our talk gives a crash course in the brain-melting number of wireless Smart Grid radio implementations very quickly popping up all around us (some built on actual standards, some snuggled in the comforting blanket of proprietary obscurity) and describes our own experience in reverse engineering Smart Grid radio stacks, and how it's possible to gnaw one's way through to the soft, squishy SCADA underbelly, invariably hiding just below the surface.

Along the way, we'll take a hard look at the future landscape of theft of service, point out some larger threats, and try to find a realistic middle ground between the "we're doomed" and the "let's all put our toasters on the Internet" camps in what ultimately is (warts and all) a natural and inevitable step forward.

Ben Nagy

Industrial Bug Mining - Extracting, Grading and Enriching the Ore of Exploits

If bugs are the raw ore of exploits - Rootite, if you like - then we're mining in areas where the Rootite is rare and deeply buried. Industrial scale bug mining starts with very, very fast fuzzing. In contrast to the MS Fuzzing Botnet, we use a dedicated, single purpose cluster of virtual machines which is optimised for fuzzing. Last year we released some metrics, then MS released better ones. So, we rebuilt the whole system and made it faster and more scalable - can we outperform the Redmond Botnet in one small rack? After a fuzz run, we are left with massive piles of low-grade Rootite, full of impurities such as Nullpointium, which needs to be graded and enriched before it is valuable. After grading, We "enrich" our highest grade Rootite by using differential runtracing of crashes to assist root cause analysis. The runtraces are tens of millions of lines long, but we postprocess them using magic, funky graphs and compression before comparing them side by side with the clean run. Our diff files are plaintext, small enough for us to eyeball them, and allow us navigate to any point in the trace using any debugger we choose. Feel free to drop by for a guided tour of the mine. Bring a beer.

Karsten Nohl

Attacking phone privacy

Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented.

Steve Ocepek, Charles Henderson

Need a hug? I'm secure.

0-days are a lot of fun. Whether it’s an overlooked buffer overflow, a poorly implemented encryption algorithm, or something downright bizarre, the thrill of breaking things is the reason most of us get hooked. That’s why Trustwave’s Global Security report is a bit sobering. Why are so many of these systems still vulnerable to SQL injection, LANMAN hash recovery, and default password guessing? And is an NFS exploit considered a 7665-day?

But this isn’t about getting bent out of shape about the state of information security. Without being too preachy, this talk is about what we can do to help turn things around. Because if there’s one thing that is clear, the need for information security will only increase. And we’re all feeling the growing pains.

The end of 2009 brought with it a great deal of controversy over the effectiveness of information security. We’re all pretty frustrated about it. But that’s the thing about growing up – you start to realize your own limitations. Like dieticians and dentists, we watch people make bad choices and wonder where we went wrong. And like them, we need to focus on the fundamentals: eating healthy, brushing your teeth, and blocking port 139. But man, that sounds pretty boring.

So maybe it’s time for a new approach. Maybe it’s not so much about the message, but how it’s getting delivered. And maybe there’s something we can do about that. After all, we’re pretty secure folks – we can handle the touchy-feely stuff, right?

Hernan Ochoa, Agustin Azubel

Understanding the Windows SMB NTLM Weak Nonce vulnerability

In February 2010, we found a vulnerability in the SMB NTLM Windows Authentication mechanism that have been present in Windows systems for at least 14 years (from Windows NT 4 to Windows Server 2008). You probably haven't heard about this vulnerability, but basically the authentication mechanism used by all Windows systems to access remote resources using SMB was flawed, allowing attackers to get read/write access to remote resources and remote code execution without credentials, using different techniques such as passive replay attacks, active collection of duplicate challenges/responses, and prediction of challenges. This vulnerability is also a good example of flaws found in challenge-response authentication mechanisms.

This presentation will describe the vulnerability in detail, including its scope and severity, explain different techniques to exploit the flaws found and demo fully functional exploit code.

Jeongwook Oh

ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically

We already have many kinds of binary patching systems available. There are commercial ones and free ones. But the current implementations only concentrate on finding the difference between binaries. But what the security researchers really want from the patch analysis is security patches. Sometimes it's very hard to locate security patches because they are buried inside normal feature updates. The time for locating the security patches will increase drastically as more feature updates are included in the released patches. This is especially true with all the Adobe and Sun product patches. They tend to mix security patches and feature updates.

In that case, we need another way to boost the speed of the analysis. The automatic way to locate the security patches! This can be done by analyzing the patched parts and see if it has some specific patterns that the usual security patches have. Some integer overflow will have some comparison against the boundary integer values. And buffer overflow will involve the vulnerable "strcpy" or "memcpy" replaced with safer functions. Even free-after-use type bug has their own patch patterns. We will present all the common patterns that we saw and also present way to locate them using pattern matching. But there can be more thing to be done in addition to this simple approach. You can introduce static taint analysis to binary diffing world. You can trace back all the suspicious variables(expressed as register value or memory location) found in the patch by using binary diffing. And you can see if they are controllable or taint-able from the user controllable input like network packets or user supplied file input.

This automatic security patch locating ability will be beneficial to the IPS rule writers. They can spend more time in concentrating on what really matters instead of spending time to find the actual parts to analyze. To achieve all these, I upgraded the current implementation of "DarunGrim(" binary diffing system to support pattern matching and static taint analysis. It will become DarunGrim v3. DarunGrim is the most featured opensource binary diffing implementation. I will show how fast we can locate the vendor patches that, otherwise, will take few hours using other tools. All the updated source code will be released at the presentation.

Gunter Ollmann

Becoming the six-million-dollar man

Starting a life of Internet crime is easy; in fact you’ve probably already doing it as far as the RIAA is concerned. Now that you’ve chosen to embark upon a new career, how are you going to get dirty, filthy, stinking rich? How do you become a millionaire? The tool of choice has got to be botnets. Building them is just the start. How do you monetize the tens or hundreds of thousands of machines under your control? Should you harvest confidential and personal information from the victims, or would it be more prudent to become a specialist service provider to other botnet operators? Which models work best, and how can you become a six-million-dollar man within a year?

Chris Paget

Extreme-range RFID tracking

If you think that RFID tags can only be read a few inches away from a reader you haven't met EPC Gen2, the tag that can be found in Enhanced Drivers Licenses - this 900MHz tag is readable from 30 feet with off-the-shelf equipment. Without amplifying the signal from a commercial reader we were able to equal the previous Defcon record of 69 feet, and with less than $1000 of equipment we acheived considerably further than that. This talk covers everything you'll need to know to read federally-issued RFID tags at extreme ranges and explores the consequences to personal privacy of being able to do so.

Tom Parker

Finger Pointing for Fun, Profit and War?

Recent incidents commonly thought to be linked to state sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution - specifically in regards to what is commonly termed as the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or analysis of a compromised host may very well play into a world-changing decision, such as whether a country should declare war on another - or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe.

This talk will discuss in depth the merits and demerits of technical analysis; demonstrating ways in which various techniques including static binary analysis and memory forensics may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss detailed characterization matrix that can be leveraged to assess and even automate assessment of multiple aspects of the adversary (such as motive, technical skill, technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over in long term.

Meredith L. Patterson, Len Sassaman

Exploiting the Forest with Trees

One of the most difficult aspects of securing a protocol implementation is simply bounding the scope of the attack surface: how do you tell where attacks are likely to crop up? Historically, variations between implementations have led to some of the most successful attack techniques -- from simple TCP "Christmas tree" packets to last year's multiple break of the X.509 certificate authority system (by these speakers). But without access to all the relevant source code, how can developers identify potential sources of exploitable variations in behavior? In this presentation, we go beyond the accumulated wisdom of "best practices" and demonstrate a quantitative technique for minimizing inconsistent behavior between implementations. We will also show how this technique can be used from an attacker's perspective. Last year we showed you how to break X.509; this year, we will show you how we found those vulnerabilities and how the same techniques can be used to discover multiple novel 0-days in any vulnerable protocol implementation.

Nicholas J. Percoco, Jibran Ilyas

Malware Freak Show 2010: The Client-Side Boogaloo

We had a busy year. We investigated over 200 incidents in 24 different countries. We ended up collecting enough malware freaks [samples] to fill up Kunstkammer a few times over. Building upon last year's DEFCON talk, we want to dive deeper and bring you the most interesting samples from around the world - including one that made international headlines and the rest we're positive no one's ever seen before (outside of us and the kids who wrote them). This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, Online Adult Toy Store, US Defense Contractor, and an International VoiP Provider. The malware we are going to demo are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic.

Jonathan Pollet, Joe Cummins

Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

SCADA Systems control the generation, transmission, and distribution of electric power, and Smart Meters are now being installed to measure and report on the usage of power. While these systems have in the past been mostly isolated systems, with little if no connectivity to external networks, there are many business and consumer issuing driving both of these technologies to being opened to external networks and the Internet.

Over the past 10 years, we have performed over 100 security assessments on SCADA, EMS, DCS, AMI, and Smart Grid systems. We have compiled very interesting statistics regarding where the vulnerabilities in these systems are typically found, and how these vulnerabilities can be exploited. Of course, we can not disclose any specific exploits that will allow you to steal power from your neighbors, but we can give away enough meat in this session to expose common vulnerabilities at the device, protocol, application, host, and network layers.

Jason Raber, Jason Cheatham

Reverse Engineering with Hardware Debuggers

This is a brief tutorial of one of the reverse engineering tools (Hardware Emulator) used by the Air Force Research Laboratory to analyze application and driver code on x86 systems. It’s also a neat way to debug hypervisors!

Tiffany Rad, Christopher Mooney

The DMCA & ACTA vs. Academic & Professional Research: How Misuse of this Intellectual Property Legislation Chills Research, Disclosure and Innovation

Fair use, reverse engineering and public discussion of research encourage innovation and self-regulate industries. However, these principles which define our vibrant and creative marketplace are fading. If a professional cannot constructively critique another’s research online without being burdened with take down notices until the critique is obscured or functionally removed for long periods of time, we do not have a society from which we can learn from other’s mistakes and improve our trade. Attendees will gain a greater appreciation about how the Digital Millennium Copyright Act (DMCA) is increasingly being used in ways that chill free speech, disclosure of security vulnerabilities and innovative research. Using hypothetical examples and discussing case law, we will outline procedures for counterclaiming and alternatives to removal of allegedly infringing materials including discussing why data havens (some in anticipation of enactment of the Anti-Counterfeiting Trade Agreement) are becoming more popular.

Francis Brown, Rob Ragan

Lord of the Bing: Taking back search engine hacking from Google and Bing

During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the team’s resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the Internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior. Not anymore - our demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques. We’ll also be releasing the first ever “live vulnerability feed”, which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This presentation will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.

Enno Rey, Daniel Mende

Burning Asgard - What happens when Loki breaks free

I personally remember the release of Yersinia at Black Hat Europe 2005. It was a ground breaking experience: a number of Layer 2 attacks regarded purely theoretical until then, was suddenly available in a mostly automated way. And those guys even showed some forays completely unbeknownst to me at the time. We plan to do the same in Vegas, with a new tool called Loki (after the giant from Norse mythology associated with cunning, trickery and evil). It's a Python based framework implementing many packet generation and attack modules for Layer 3 protocols, including BGP, LDP, OSPF, VRRP and quite a few others.

After outlining Loki's inner architecture we'll give insight into several modules and discuss some particularly interesting attacks in the routing protocol space (e.g. cracking OSPF MD5 keys, injection of routes into OSPF and EIGRP environments etc.). Furthermore we'll describe vulnerabilities in lesser known protocols like VRRP. Every attack we mention will be shown in a practical demo and - of course - Loki will be released right after our talk.

Ivan Ristic

State of SSL on the Internet: 2010 Survey, Results and Conclusions

SSL (TLS) is the technology that protects the Internet, but very little is actually known about its usage in real-life. How are the many Internet SSL servers configured? Which CA certificates do they use? Which protocols and cipher suites are supported? Answers to even these basic questions were either unavailable, or restricted to the small number of organizations who could afford to fund such research.

In this talk we will present the first results of the SSL Survey project, which is the most comprehensive SSL and TLS server configuration survey ever undertaken. By using the deep assessment technology developed at SSL Labs for over a year, we scan and analyze every SSL server on the Internet. In this talk, we will present the assessment methodology, the rationale, as well as the results. The findings will be made freely available to the public. In addition, we will also share the raw data with qualified security researchers.

As a bonus, during the talk we will also unveil an updated version of the free online SSL assessment tool, which uses the same assessment technology as the SSL survey itself. SSL Labs (, funded by Qualys, is a research effort that focuses on SSL and TLS. Its other projects include: SSL threat model, passive SSL fingerprinting, SSL client capability database, SSL server capability database, and SSL usage tracking.

Richard Rushing

USB - HID, The Hacking Interface Design

The USB HID class describes devices used with nearly every modern computer. Many predefined functions exist in the USB HID class. These functions allow hardware manufacturers to design a product to USB HID class specifications and expect it to work with any software that also meets these specifications. The (HID) Hacker Interface Design is due to the fact that the benefits of a well-defined specification like the USB HID class is the abundance of device drivers available in most modern operating systems. So this hardware attack is cross platform. And ultra simple to carry out.

Thomas Ryan

Getting In Bed With Robin Sage

Given the vast number of security breaches via the internet, the experiment seeks to exploit the fundamental levels of information leakage—the outflow of information as a result of people’s hap-hazard and unquestioned trust. The experiment was conducted by creating a blatantly false identity and enrolling on various social networking websites. By joining networks, registering on mailing lists, and listing false credentials, the conditions were then set to research people’s decisions to trust and share information with the false identity. The main factors observed were: the exploitation of trust based on gender, occupation, education/credentials, and friends (connections).

By the end of this Experiment, Robin finished the month having accumulated 100’s connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.

Through this 28 day experiment, it became evident that the propagation of a false identity via social networking websites is rampant and viral. Much of the information revealed to Robin Sage violated OPSEC procedures. The deliberate choice of an attractive young female exposed the role that sex and appearance plays in trust and people’s eagerness to connect with someone. In conjunction with her look, Robin Sage’s credentials listed on her profile resulted in selection perception; people’s tendency to draw unwarranted conclusions in their attempt to make a quick decision. By acquiring a large number of connections, Robin had the ability to identify the individual who was positioned to provide the most intelligence based on their involvement in multiple government agencies. The false identity combined with carefully chosen false credentials led to a false trust that could have resulted in the breach of multiple security protocols.

Shreeraj Shah

Hacking Browser's DOM - Exploiting Ajax and RIA

Web 2.0 applications are using dynamic DOM manipulations extensively for presenting JSON or XML streams in the browser. These DOM calls mixed with XMLHttpRequest (XHR) object are part of client side logic written in JavaScript or part of any other client side technology be it Flash or Silverlight. DOM driven XSS is a sleeping giant in the application code and it can be exploited by an attacker to gain access to the end user’s browser/desktop. This can become a root cause of following set of interesting vulnerabilities – Cross Widget Sniffing, RSS feed reader exploitation, XHR response stealing, Mashup hacking, Malicious code injection, Spreading Worm etc. This set of vulnerability needs innovative way of scanning the application and corresponding methodology needs to be tweaked. We have seen DOM driven XSS exploited in various different popular portals to spread worm or virus. This is a significant threat on the rise and should be mitigated by validating un-trusted content poisoning Ajax or Flash routines. DOM driven XSS, Cross Domain Bypass and CSRF can cause a deadly cocktail to exploit Web 2.0 applications across Internet. This presentation will be covering following important issues and concepts.

  • Web 2.0 Architecture and DOM manipulation points
  • JavaScript exploits by leveraging DOM
  • Cross Domain Bypass and Hacks
  • DOM hacking for controlling Widgets and Mashups
  • Exploiting Ajax routines to gain feed readers
  • Scanning and detecting DOM driven XSS in Web 2.0
  • Tools for scanning the DOM calls
  • Mitigation strategies for better security posture

Tim Shelton

Advanced AIX Heap Exploitation Methods

With the ever increasing importance of providing and maintaining reliable services for both infrastructure support as well as business continuity, companies rely upon the IBM AIX operating system. In most cases, these machines hold the most critical data available for their business which makes IBM AIX a highly valued target from a hacker’s perspective. Over the past decade, hackers have increasingly focused on infiltrating valuable data such as proprietary databases, credit information, product pricing information and more. As such, the importance of protecting the IBM AIX operating system should be priority one.

Initial heap exploitation research was first documented and published by David Litchfield, in August of 2005. His paper entitled, ”An Introduction to Heap overflows on AIX 5.3L” focused on AIX heap abuse within the utilization of heap’s free()/rightmost() functions.

While Litchfield’s method solves one scenario, there is an additional scenario that has been left out. So what is the difference between the leftmost call versus rightmost? A stack trace will show leftmost is utilized when a fresh heap segment is requested, while rightmost is utilized when the application requests the heap to remove a previously allocated chunk from memory.

Adam Shostack

Elevation of Privilege: The easy way to threat model

Threat modeling is critical to secure development, and people find it intimidating and tough to get started. Adam will present Elevation of Privilege, a simple card game that makes it easy and fun to get started threat modeling.

Sumit Siddharth

Hacking Oracle From Web Apps

This talk will focus on exploiting SQL injections in web applications with oracle back-end and will discuss all old/new techniques. The talk will target Oracle 9i,10g and 11g (R1 and R2) It is widely considered that the impact of SQL Injection in web apps with Oracle back-end is limited to extraction of data with the privileges of user mentioned in connection string. Oracle database does not offer hacker friendly functionalities such as openrowset or xp_cmdshell for privilege escalation and O.S code execution. Further, as Oracle by design do not support execution of multiple query in single SQL statement, the exploitation is further restricted. The Talk will highlight attack vector to achieve privilege escalation (from Scott to SYS) and O.S code execution, all by exploiting Oracle SQL injections from web applications.

As a number of organizations move to compliances like PCI thereby ensuring that the Card data is always stored encrypted with the private key never stored inside the database. The talk will focus on what hackers are doing in the wild to bypass these and to obtain clear text card data when its only stored encrypted or even when its never stored at all.

Marco Slaviero

Lifting the Fog

Cloud services continue to proliferate and new users continue to flock, in a clear demonstration that cloud computing is more than simply a flash-in-the-pan. Coupled with this rapid evolution of services are protection mechanisms for the services, which often lag. Last year we highlighted weaknesses in the cloud model and demonstrated a number of vulnerabilities in large cloud providers. In this talk, we examine a particular technology underlying the scalability of many cloud applications, namely memcached. We discuss the possibility of memcached mining which would be a natural exploitation path once a vulnerability inside a cloud application is discovered and will demonstrate this with a new tool aimed at discovering and mining memcached servers.

Rich Smith

pyREtic – Reversing obfuscated Python bytecode & live Python objects

Increasing numbers of commercial and closed source applications are being developed in Python. The Developers of these applications are investing increasing amounts to stop people being able to see their source code through by a variety of bytecode obfuscation efforts.

At the same time Python is an increasingly present component of 'The Cloud' where traditional decompilation techniques fall down through lack of access to files on disk. This presentation outlines a methodology, and releases a toolkit, to be able to reverse obfuscated Python applications from live objects in memory as well as showing how to defeat the obfuscation techniques commonly employed today. This will allow people to find bugs in code that was previously opaque to them.

Ryan Smith

Defenseless in Depth

Defense in Depth (DiD) is a term commonly used by the security industry to describe the strategy of implementing layers of security controls at various logical and physical teirs within an organization to reduce security risk. This presentation will examine DiD from a researcher's perspective and challenge its effectiveness as a best practice. The presentation will include several case studies directly supporting our case, and contain original vulnerability research into products that are used to implement a DiD strategy.

Val Smith, Colin Ames & Anthony Lai

Balancing the Pwn Trade Deficit

China has become a major player in the security community in recent years. From numerous news articles regarding government, military and commercial spying, to high profile cases such as the recent attack on Google, the tools, research and hacking groups coming out of China are are high on everyone's radar. This talk will provide an analysis of the Chinese hacking community, including its capabilities, goals, and cultural differences as well as similarities. A deep technical analysis and reverse engineering of prominent Chinese tools and techniques will be provided as well. We will highlight specifics such as binary obfuscators, encryption, and specific stealth techniques in order to round out an, up til now, spotty picture about this formidible member of the security community.

Scott Stender, Brad Hill & Rachel Engel

Attacking Kerberos Deployments

The Kerberos protocol is provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication.

However, simply "adding a dash of Kerberos" does not make a magically secure a network. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.

A careful review of RFCs, deployment guidance, and developer reference materials reveals a host of “theoretical” flaws when Kerberos is used. This presentation will demonstrate new techniques that make the theoretical practical in common Kerberos deployments, and provide guidance to ensure that software and systems are hardened against attack.

Matthieu Suiche

Blue Screen Of the Death is dead

This talk is introducing MoonSols Windows Memory Toolkit aims at being the ultimate memory and crash dump acquisition and conversion tool for Windows. Including live acquisition on Windows of Microsoft crash dumps, the conversion of hibernation file into crashdump, and even to get a crashdump of a running VMWare Virtual Machine without rebooting it and without any BSOD!

Bryan Sullivan

Cryptographic Agility: Defending Against the Sneakers Scenario

In the movie Sneakers, a brilliant young mathematician invents a device that defeats a public-key encryption algorithm. An interesting fiction, but what if this happened in real life? All of your applications using that algorithm would need to be changed as quickly as possible. This session will show how to best accomplish this by implementing cryptography without hard-coding specific algorithms.

Chris Sumner

Social Networking Special Ops: Extending data visualization tools for faster Pwnage

If you’re ever in a position when you need to pwn criminals via social networks or see where Tony Hawk likes to hide skateboards around the world, this talk is for you.

The talk is delivered in two parts, both of which are intended to shine a fun light on visual social network analysis.

The first part introduces how you can extend the powerful data visualization tool, Maltego to speed up and automate the data mining and analysis of social networks. I’ll show how I analyzed skateboard legend, Tony Hawk’s twitter hunt and highlight how you could use the same techniques to set up your very own backyard miniature ECHELON.

The second part illustrates how these techniques have been used to enumerate a 419 scam, infiltrate the scammers social network and expose deeper, more sinister links to organized crime.

I focus specifically on Twitter and Facebook, demonstrating how you can graphically map and analyze social relationships using the Twitter API's, publicly available Facebook profiles, screen scraping and some clunky regex.

Chris Tarnovsky

Semiconductor Security Awareness, Today and Yesterday

Walk through various countermeasures that have been found and overcome in various devices. Will include currently not-hacked-to-date devices from Satellite TV (DTV/Dish Network). To include a walk through the latest security layers put in place on today's technology. Will also discuss commonly found devices to consumers like AVR8, AVR32, MSP430F, PIC, etc.

Patrick Thomas

BlindElephant: WebApp Fingerprinting and Vulnerability Inferencing

Standard known web applications such as blogging, forum and e-commerce software make up over half of the active web applications on the Internet. Vulnerabilities in these applications (and their plugins) are discovered at an accelerated rate and abused for site defacement and increasingly to serve malware.

Website administrators need to keep track of the versions of these web applications installed and update them to a non-vulnerable release. Remote web application fingerprinting is a technique to identify the version of a known web application through only its publicly available files and to use the data to report on vulnerabilities of the application.

The presentation will detail the steps in this fingerprinting process, including full automation from database seeding to remote probing. It will then illustrate use of the detection technique on a number of well known websites to show what applications and plugins are installed and what vulnerabilities are resident on these sites. The presentation will discuss how our techniques are able to produce order of magnitude improvements over existing implementations.

In conjunction with this talk, I will also release a free community tool implementing the described techniques with more examples.

Julien Tinnes, Taviso Ormandy

There's a party at Ring0 (and you're invited)

Getting to ring0 is the final step towards complete system compromise and can also be the most fun. In the course of one year, we have found around twenty kernel vulnerabilities, mostly in Windows and Linux, some of them being uncovered after ten or fifteen years of existence. We share some of this work and demonstrate some exploits, bugs and techniques.

Raj Umadas, Jeremy Allen

Network Stream Debugging with Mallory

Using the same techniques that governments use to surreptitiously read private email and SSL encrypted traffic, you can easily find more bugs in all types of client and server apps! Sometimes the easiest way to quickly understand a client, a server, or just the protocol they use to communicate with, is to become the "man in the middle." Many client side proxies - such as Burp, Paros, and WebScarab - already exist to let you tamper with HTTP and proxy aware clients. But sometimes your client might not be proxy aware, nor your protocol as simple as HTTP or HTTPS. What to do? You can start with Wireshark, but be limited to viewing traffic on the wire and not tampering with it. You can debug the client or server, which can be effective, but also time consuming. Or you can try becoming the "man in the middle" with tools like Ettercap, or the Middler, which might work - but might also fail.

Or you can use our new tool, named Mallory. Mallory is a MITM capable of intercepting any TCP or UDP base network stream. Why is Mallory different? Well first of all, you don't need to configure it. Just turn her on, and she starts intercepting traffic. Mallory is designed to be an undetectable, transparent proxy, capable of intercepting any known or unknown application protocol, just like those super-duper SSL MITM devices documented in the "Certified Lies" paper. The same techniques that allow over bearing governments to snoop on private email, we've been using to easily own up tons of mobile applications running on arbitrary platforms. And did we mention how much fun it is to MITM SSH?

Chris Valasek

Understanding the Low-Fragmentation Heap: From Allocation to Exploitation

Over the years, heap exploitation has continued to increase in difficulty, along with the complexity of heap algorithms and data structures. Due to anti-exploitation counter measures and lack of comprehensive heap knowledge, reliable exploitation has severely declined. Understanding of the inner workings of a memory manager can be the difference between unreliable failure and precise exploitation.

Beginning with Vista, the Low-Fragmentation heap has been the default front-end memory manager for the Windows operating system. This new front-end manager brought with it a different set of data structures and algorithms that replaced the lookaside list. This new system also changed the way back-end memory management works as well. All of this material must be reviewed to understand the repercussions of creating and destroying objects within an application on Windows 7.

This talk covers the following:

  • A detailed review of previous Windows memory managers
  • The underlying foundation for the newly created Low-Fragmentation heap
  • Complete coverage of the allocation and free algorithms, along with all their associated data structures
  • Heap determinism and meta-data corruption

While the Windows XP still has a grasp on the total market share of machines on the internet today, Windows 7 will increasingly replace this now aging operating system. Knowledge of these new memory constructs is vital to providing reliable exploitation in an unreliable environment.

The main goal of this presentation will be to educate the audience on what has changed in newer versions of Windows with regard to the memory manager. Not only will the changes be discussed, but they will be covered in great detail; providing attendees high-granularity insight into the core of the Windows operating system. By understanding the algorithmic changes, exploitation challenges can be more easily overcome, and knowledge of the internal data structures will provide exploit writers the details they require for manipulating objects.

Specifically, new data structures such as LFH ‘UserBlocks’, ‘BlocksIndex’ and ‘SubSegments’ will be discussed to show how the front-end manager keeps track of memory. Additionally, functions such as ‘RtlpLowFragHeapFree()’ and ‘RtlpLowFragHeapAllocFromContext()’ will be thoroughly investigated providing the audience exact context of allocations and frees. Along with analysis of current methods, I will also examine new counter measures introduced in Windows Vista / Windows 7.

Once the attendees have been provided knowledge about the underlying algorithms and data structures, I will then cover aspects of heap determinism. These will focus on seeding data within the heap for exploitation purposes. Data population is necessary for exploitation of use-after-free vulnerabilities and adjacent placement of heap chunks is required for overwriting selected data.

Finally, I will be presenting an example exploit, providing practicality to the previously discussed material. This will be coupled with some newly created heap visualization tools providing greater vision into the Low-Fragmentation heap. Hopefully all this information can be used to fully comprehend the new memory manager and ensure reliable exploitation against all odds.

Paul Vixie, Robert Edmonds

SIE Passive DNS and the ISC DNS Database

Passive DNS replication is a technique invented by Florian Weimer for tracking changes to the domain name system. This session will introduce the problems faced by passive DNS replication in the areas of collection, analysis, and storage of DNS data at scale, and will introduce state-of-the-art solutions to these problems developed at ISC SIE. Components of SIE’s passive DNS architecture will be showcased, including a specialized DNS capture tool, a tool for processing and deduplicating raw DNS message data, and the storage engine used to archive and index processed data. A bulk HTTP query API and web interface to the storage engine will also be demonstrated and made available.

Stephen de Vries

Hacking Java Clients

The presentation will demonstrate a complete analysis and compromise of a Java client-server application using entirely open source tools. Performing penetration testing on Java clients, both applications and applets is often problematic because the data transport (typically RMI) is difficult to manipulate in a meaningful way and complex applications require more refined techniques than direct byte code manipulation. Java development approaches and tools have been steadily improving and many of these new paradigms and tools can be used to fully decompose and manipulate client side Java without resorting to decompiling the binary.

Due to the high level nature of developer tools, it is very easy for developers to misplace trust in client-server applications and erroneously or deliberately include security controls on the client instead of on the server side. By using testing and profiling tools and aspect oriented programming, it is possible to build a clear picture of the application's logic flow and to identify private objects that should not ordinarily be editable by the user. Injecting an interactive console into the running application allows you to change these objects at will and to call any methods on the client side, thereby bypassing client side security controls.

Mario Vuksan, Tomislav Pericin

TitanMist: Your First Step to Reversing Nirvana

Security is notoriously disunited. Every year multiple tools and projects are released and never maintained. TitanMist is its inverse opposite. Built on top of TitanEngine, it provides automation and manages all known and good PEID signatures, unpacking scripts and other tools in one unified tool. TitanMist is the nicely packaged amd open source catch all tool that will become your first line of defense. The project also goes beyond pure tool development. It builds a forum to share information and reverse engineering experience built around the biggest online and collaborative knowledge base about software packers.

With the increase in packed and protected malicious payloads, collaboration and quick response between researchers has become critical. As new sample numbers are quickly closing to 40M samples per year, solution to this problem has to come from reverse engineers themselves, integrating the work that they have done in the past and they continue to do. Huge databases of format identification data and unpacking scripts can be reused in a way to maxize automation. Yet, where do we find a definite collection of functional tools, identification signatures and unpacking tools? And how do we integrate them in a meaningful and accurate way?

Come to this talk to hear how we plan to raise reversing collaboration with TitanMist to a whole new level. We will address today's and future challenges, source code, packaging and distribution, and define your role in making TitanMist the most powerful community tool for the years to come.

This talk will be a Black Hat exclusive; a launch and demonstration of TitanMist, a new open source project based on TitanEngine. All components will be available for distribution with the conference materials.

Nicolas Waisman

Aleatory Persistent Threat

Over the years, exploitation objectives have changed alongside the associated efforts by vendors to protect their software. Exploitation has moved from remote exploits on Unix servers to the community focusing on client-side targets, such as document viewers and browsers.

Some prime examples of these are the Aurora and IE peers zero-days actively exploited in the wild. These bugs answer many questions related to what the new breed of attacker is focusing on, yet all hype aside the real lesson is: botnet authors are learning how to fuzz for these vulnerabilities but are not able to write reliable exploits to accompany them.

With that premise in mind, this presentation intends to explore the techniques used to exploit the "use-after-free" bug class on Internet Explorer 8, diving into the API internals, reviewing the art of heap crafting and presenting new techniques to improve it.

Georg Wicherski

dirtbox, a highly scalable x86/Windows Emulator

The increasing amount of new malware each day does not only put anti-virus companies up to new limits handling these samples for detection by creating new signatures. But also for network security providers and administrators, getting information on how samples affect the networks they try to protect is an increasing problem. Dynamic analysis of malware by execution in sandboxes has been an approach that has been successfully applied in both of these problem scenarios, however classic sandbox approaches clearly suffer from severe scalability problems. Most of these rely on setting up a real target system ­ such as the Windows XP operating system ­ as a virtual machine with additional software that does logging of performed actions. While these are easy to develop and set up, they require a separate virtual machine instance for each malware sample to be analyzed and therefore do not scale up with today's requirements in terms of malware growth.

Anti-Virus vendors tried to circumvent performance issues for file analysis by developing custom emulators that can be deployed on a customer end-host for detection and do not require a whole operating system inside a virtual machine. These emulators however often are software interpreters for the x86 instruction set and run therefore into execution speed limitations on their own. Additionally, they suffer from detectability because they try to emulate every single Windows API but suffer from accuracy issues.

dirtbox is an attempt to implement a highly scalable x86/Windows emulator that can be both used for simple malware detection and detailed behavior analysis reports. Instead of emulating every single x86 instruction in software, malware instructions are executed directly on the host CPU in a per basic block fashion. A disassembling run on each basic block ensures that no privileged or control flow subverting instructions are executed. The notion of virtual memory that is separated from the emulators memory is employed by special LDT segments and switching segment selectors before executing guest instructions.

Since no instrumentation alike instruction rewriting is being done, disassembler results per basic block can be cached and all execution happens in the same process without context-switches, a high grade of performance is achieved.

The operating system is emulated at the syscall layer. While this layer is mostly undocumented and implementing it in an accurate fashion is a challenging task on its own, the fact that no register changes are leaked from Ring 0 thwarts a lot of detection techniques. For usage of the high-level APIs, corresponding libraries are directly mapped into the virtual memory as well. Detection mechanisms such as:

  • Examination of the ecx register after a SEH protected API call
  • Stolen bytes from an API library implementation
  • Direct reads and writes from PEB or other static locations or libraries are supported automatically

Furthermore, process and heap layout reassemble that of a genuine process since the original ntdll PE loading and heap management code can be executed and used.

William Yerazunis

Keeping the Good Stuff In: Confidential Information Firewalling with the CRM114 Spam Filter & Text Classifier

In this whitepaper we consider the problem of outbound-filtering of emails to prevent accidental leakage of confidential information, We examine how to do this with the GPLed open-source spam filter CRM114 and test the accuracy of this filter against a 10,000+ document corpus of hand-classified emails (both confidential and non-confidential) in Japanese. We look into what moving parts are involved in these filters, and how they can be set up. The results show that a hybrid of multiple CRM114 filters outperforms a human-crafted regular-expression filter by nearly 100x in recall, by detecting > 99.9% of confidential documents, and with a simultaneous false alarm rate of less than 5.3%. As the programmers creating the machine-learning programs don't know how to read or write Japanese, this problem is an almost ideal case of the Searle “Chinese Room” problem.

Panel Discussions

Executive Briefings //Optimizing the Security Researcher and CSO Relationship

The relationship between the enterprise and government security organizations and the security researcher community has and continues to evolve rapidly.  Mature technology organizations now understand how the community works, how to value its contribution and how to work effectively with security researchers. The community has also learned how large organizations work, the challenges the organizations face and how to productively engage with them. Many organizations and researchers still do not understand this process and even those that do, have periods of friction. How can we apply the lessons from the past more broadly and are there secrets to success as we encounter new issues? Come hear experts from across the security ecosystem share their thoughts on effective collaboration.

Executive Briefings //Systemic DNS Vulnerabilities and Risk Management: A Discussion with the Experts

The experts on this panel will provide their views on systemic risks facing the DNS and provide thoughts on measures that should be undertaken to remediate the risks.  The panelists will discuss both the challenges and the security benefits that will arise from the implementation of DNSSec.

Executive Briefings //Cyber war... Are we at war?  And if we are, how should we fight it?

It appears that no contemporary issue is more discussed and less understood than "cyber war."  Former Director of National Intelligence Mike McConnell says that the war is underway.  Howard Schmidt, White House Cybersecurity Coordinator suggests that the concept is misplaced.  Are we at war?  And, if we are, how should we fight it?  If we aren't, how should we prevent it?  And, why does this subject seem so hard to discuss and to understand?  

Executive Briefings //One on One Interview with General (Ret.) Michael V. Hayden

SINET Chairman & Founder Robert Rodriguez interviews General Hayden one of the nations’ most respected and preeminent intelligence thought leaders in Washington DC on; why he chose public service, the qualities that define leadership, his formative years growing up on the North Side of Pittsburgh as the son of a welder and the persons who impacted his life and direction, the journey from his early days as a taxi driver and young analyst to Director of the NSA and then CIA. Please join us to hear his thoughts and the opportunities that will allow IT security professionals to build communities of interests rather than stovepipes.

Executive Briefings //Security Innovation Network Panel: Connecting Buyers, Builders, and the Research Community

The need for collaboration between industry and the research community cannot be overstated. The risks are too great and our adversaries are “out innovating” us. Open and collaborative models are crucial to protecting our nation's IT critical infrastructures. This dialogue between industry and academia will explore how and where the research community can assist corporations with there most pressing challenges. Opening opportunities for sharing information on real world experiences is extremely valuable to the academic community that is focused on pursuing challenges that they can solve. Partnering the practical with the theoretical on common goals can lead to profound deliverables benefiting everyone.

Executive Briefings //Security Innovation Network Reception

Please join our panelists for a reception designed to bridge gaps between disparate groups, build relationships and communities of interest. All in the name of Advancing Innovation through Collaboration...

Hacker Court 2010

MyTwitFace is a social networking service. Militant head of security buys Ambiguous Manage monitoring software for the company to monitor every employee’s laptop, but the software is exploitable (similar to Lower Marion school software, Absolute Manage).

Coder on open source competitor hacks into the CEO's computer, and captures video/screenshot, and then exposes CEO's personal life in an embarrassing way via chat roulette - plus CEO is exposed as writing he does not care about his user's privacy. Lots of opportunity for funny videos and photos.

Information passed to a journalist. The CEO reads article, call local FBI, but too small a case. Then calls REACT task force, now this a priority, and journalist is raided, computers seized.

Prosecution for 2511 (wiretap), 1030 (CFAA). Issues are wiretap act via-a-vis audio, video, for profit of 1030 in context of open source, and screen shot wiretap issue.

Motion to suppress raided computers, asking for exclusion (fails).


  • Head of Security – Carole Fennelly
  • CEO - Richard Thieme
  • Open source competitor
  • Expert witness re exploit
  • Case agent – Jonathan Klein
  • Judge – Richard Salgado
  • Prosecution - Paul Ohm
  • Defense - Kevin Bankston
  • Defense - Kurt Opsahl
  • Legal Assistance – Kevin Manson

Meet the Feds //CSI: TCP/IP

The average criminal case today has over a terabyte worth of data to analyze. The cyber forensics field is just beginning to mature. Join federal agents to discuss the forensics field now and in the future.

Meet the Feds //Policy, Privacy, Deterrence and Cyber War

This panel of federal agents will discuss cyber policy.  How do we conduct robust continuous monitoring across a large multi-organizational enterprise yet stay within the constitutional requirements for privacy, civil rights and civil liberties?  What changes are needed in the criminal justice system to increase the deterrence of committing cyber-crime? Once a cyber-crime has occurred - and through investigative efforts is determined to be a nation state - who becomes in charge or better yet who determines if it rises to the level of cyber-war versus espionage?  What happens next?

Meet the Feds //Human Intel

Federal agents will discuss issues, ideas and cases in working with human sources. In the recent case involving Alberto Gonzalez and other similar cases the use of informants has been effective. However, there are many challenges in managing informants.

Meet the Feds //Ex-Fed Confessions

Former feds are always more fun. Listen to stories about how the government works from speakers without approved talking points.

Meet the Feds //Reception

Join former and current US federal agents for some beer and cheese. More than fifteen agencies will be represented.