The Black Hat Briefings '00, July 26-27th Las Vegas
The Black Hat Briefings '00, July 26-27th Las Vegas

Hotel Information

The Black Hat Briefings was Wednesday July 26th to Thursday July 27th 

The first track will be the Less technical  talks surrounding the implementation of security.
The second track will be More Technical discussions surrounding security policy and trends.
The third track will be the White Hat track focused towards CIO / CEO needs.
The fourth track will be the Deep Knowledge track.
NOTE: Presentations on-line (2-19-01)

Take me to..
The More Technical Speakers
The  Technical Speakers
The White Hat Speakers
Deep Knowledge Speakers
Key Note Speakers
Marcus Ranum - Full Disclosure and Open Source.

Marcus Ranum is CEO of Network Flight Recorder, Inc., and has been specializing in Internet security since he built the first commercial firewall product in 1989. He has acted as chief architect and implementor of several other notable security systems including the TIS firewall tool kit, TIS Gauntlet firewall,, and the Network Flight Recorder. Marcus frequently lectures on Internet security issues, and is co-author of the "Web Site Security Source book" with Avi Rubin and Dan Geer, published by John Wiley and sons.

Arthur Money, Assistant Secretary of Defense & CIO of the DoD.

Arthur L. Money was sworn in as Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD (C3I)) on October 5, 1999. Mr. Money served as the Senior Civilian Official, Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and Chief Information Officer of the Department of Defense from February 20, 1998 to October 4, 1999. 

He served as Assistant Secretary of the Air Force for Acquisition from January 1996 to May 1999.  He was President of ESL Inc., a subsidiary of TRW, before it was consolidated with TRW's Avionics and Surveillance Group, and Vice President and Deputy General Manager for the TRW Avionics and Surveillance Group. The group is internationally recognized for airborne electronic systems and technologies, including reconnaissance and intelligence systems and advanced integrated avionics. 

Mr. Money has more than 35 years of management and engineering experience with the defense electronics and intelligence industry in the design and development of intelligence collection analysis capabilities and airborne tactical reconnaissance systems. 

Bruce Schneier, CTO, Counterpane Internet Security, Inc.

The Internet and the Death of Security.

Building a secure system requires a lot more than just stringing together a bunch of security buzzwords.  Most systems are insecure, not because of any one problem but because of failures in the design process.  Engineers misuse secure primitives, introduce security flaws in the implementation, build bad user interfaces, don't allow for errors or failures, and generally fail to design systems that counter the actual threats.  Traditional engineering is about making things work; security engineering is about programming Satan's computer: a malicious system that does exactly the wrong thing at exactly the right time.

The problem with bad security is that it looks just like good  security.  In this talk Bruce will discuss the failure of security on the Internet: the failure of testing, the futility of building security that relies on the average user, and the problems of securing modern complex systems.  Security is not a product; it's a process.  Strategies that leverage process are our only hope for a secure digital future.

Internationally renowned security technologist and author Bruce Schneier is both a Founder and the Chief Technical Officer of Counterpane Internet Security, Inc. He established the Company with Tom Rowley to address the critical need for increased levels of security services. Schneier is responsible for maintaining the Company's technical lead in world class information security technology and its practical and effective implementation. Schneier's successful tenure leading Counterpane Systems make him uniquely qualified to shape the direction of the company's research endeavors, as well as to act as a spokesperson to the business community on e-commerce issues and solutions. 

While president of Counterpane Systems, Schneier designed and analyzed hardware and software cryptographic systems, advised sophisticated clients on products and markets, and taught technical as well as business courses related to the field of cryptography. Concerns as diverse as Microsoft, the National Security Agency, Citibank, and the White House staff have all relied upon Schneier's unique expertise. In addition, Schneier designed the Blowfish algorithm, which remains unbroken after eight years of cryptanalysis. And Schneier's Twofish is among a small number of algorithms currently being considered by the National Institute of Standards and Technology for the advanced encryption standard (AES) to replace the current data encryption standard (DES). 

Schneier is the author of five books including Applied Cryptography, the seminal work in its field. Now in its second edition, Applied Cryptography has sold over 110,000 copies worldwide and has been translated into three languages. He has presented papers at many international conferences, and he is a frequent writer, contributing editor, and lecturer on the topics of cryptography, computer security, and privacy. Schneier served on the board of directors of the International Association for Cryptologic Research, is an Advisory Board member for the Electronic Privacy Information Center, and was on the board of directors of the Voter's Telecom Watch. 

Brian Snow - NSA

We Need Assurance

Track A - Technical Speakers
Jeremy Rauch, UN*X Security Specialist,

Routers, Switches & more: The glue that binds them all together : Part II

By now, anyone with an inkling about security knows that they need to protect their assets.  We've all heard we need a firewall, and we all know that we need to lock down machines.  What about the glue that binds them all together?  The routers, switches, network administration protocols, authentication protocols... what about that stuff?  This talk will go in to the security flaws you don't even think about, realize are there, or have dismissed as being inconsequential. 

Padgett Peterson, PE, CISSP.  Corporate Information Security, Lockheed Martin Corporation.

Securing E-Mail Gateways from Attack - what to do while waiting for vendors to respond to the latest virus / worms:  A look at how such malware operates, what is necessary to block it, and what is not.

A registered professional engineer and graduate of the General Motors Institute, I have been involved with digital computers, communications, and cryptography for over thirty years. Became involved with viruses in 1988 and information security has been my day job since 1990. Have written a number of anti-virus programs (DiskSecure and MacroList) which are given away as FreeWare. Am currently the Chief Information Protection Architect for Lockheed-Martin Corporation.

Mark Kadrich, CISSP, Director of Security - Conxion Corp.

Intrusion detection in high speed networks.

Mark will discuss the issues of providing comprehensive ID in large, geographically diverse data centers that utilize multiple OC3s and greater. This talk would discuss issues associated with detection, response, and tracking. Proposed solutions for mitigating DDOS attacks and methods of identifying spoofed addresses will be proposed.

David Litchfield, Managing Director, Cerberus Information Security.

Compromising web servers, and defensive techniques.

David's talk will explain the ins and outs of buffer overrun vulnerabilities, examining an as-of-yet-undisclosed hole in a major software vendor's web service and show how to remotely gain full control of a vulnerable server by developing an new form of exploit(?) that remains the same regardless of the commands an attacker wants to run.

David Litchfield is recognized as a leading researcher in vulnerability assessment and has discovered over 60 major security holes in various products such as Microsoft's Windows NT/2000 and Oracle Application Server.  David is the co-founder of Cerberus Information Security, Ltd and is the author of Cerberus' Internet Scanner, CIS.

Ron Gula, CEO, Network Security Wizards.

Bypassing Intrusion Detection Systems.

This session will highlight some common sense approaches to bypassing IDS tools as well as review the basic theory behind the technology and operation of an IDS.  As a NIDS vendor, pushing the limits of NIDS technology makes for a better overall NIDS. As a NIDS consumer, understanding the types of threats that can occur to a NIDS allows for better operation and understanding.

Mr. Gula has been involved with real world computer security for nine years. He wrote the initial Dragon IDS, has a patent pending on network honey pots and has conducted penetration testing on almost every sensitive US gov't network. It is also rumored that he was the technical expert behind the now infamous Eligible Receiver exercise. 

Ron Moritz, Senior Vice President and Chief Technical Officer, Symantec Corporation

Proactive Defense Against Malicious Code.

Anti virus software is an important part of a well devised security policy, but reactive virus detection is not versatile enough for the demands that will be made on businesses engaged in e-commerce. The year 1999 began with the birth of the Happy 99 virus - a harbinger of things to come. Happy 99, plus Melissa, PrettyPark and the worm are all examples of third generation of malicious replicating code, designed to exploit the Internet for their rapid proliferation. A variant of, called MiniZip, managed to hide itself from anti viral utilities and spread at an amazing rate around the Internet at the end of 1999. Such programs, which launch new malicious code attacks, create "first strikes" against systems and networks. Allowing un-trusted code to execute on the corporate network may not be suitable for your organization. But corporate security policies that block network executables adversely affect the evolution of the Internet, extranet, and intranet. While no security implementation is absolute, functionality is not achieved by disconnecting users from the network and preventing access to programs. Therefore, proactive defense against first strike attacks is required today.

Ron Moritz is the Senior Vice President and Chief Technical Officer at Symantec Corporation where he serves as primary technology visionary. As a key member of the senior management team interfacing between sales, marketing, product management, and product development, Ron helps establish and maintain the company's technological standards and preserve the company's leadership role as a developer of advanced Internet security solutions. Ron was instrumental in the organization of Finjan's Java Security Alliance and established and chairs Finjan's Technical Advisory Board. He is currently chairing the Common Content Inspection API industry standards initiative. Ron is one of a select group of Certified Information Systems Security Professionals. He earned his M.S.E., M.B.A., and B.A. from Case Western Reserve University in Cleveland, Ohio.

Jeff Thompson, Software Evangelist and Visionary, Argus Systems Group, Inc.

Making Unix secure for the Internet with Trusted Operating Systems.

It is clear that today's operating systems are not adequate to secure systems against penetration on public networks.  One simply has to look at the ongoing stream of application exploits that emerge daily.  By utilizing Trusted Operating System concepts and technology it is possible to build a system that is resistant to these attacks and keep attackers from gaining system wide access to your machines. In the talk you will learn how you can give out the root account on your systems and still not worry about system penetration.  I will also be discussing strategies for building more secure applications using Trusted OS concepts.

Note: This speech complements Job De Haas's talk.

Mr. Thompson is a Director at Argus Systems Group, Inc. with title Software Evangelist and Visionary. Argus is an international vendor of Internet security software and engineering services providing E-commerce systems security solutions. Security technologies developed by Argus facilitate the use of the Internet as a platform for conducting real-time, direct commercial transactions, allowing users from the Internet to directly and securely interact with commercial back-end data systems.

Mr. Thompson joined Argus Systems Group in 1996 after completing his Computer Science degree at the University of Illinois at Champaign-Urbana. Mr. Thompson has extensive experience in the development of enhanced security operating systems platforms and has performed security assessments and architecture reviews for some of the worlds largest financial institutions and corporations.

You may also know Mr. Thompson as Mythrandir who has been involved on and off in the underground community for many years.


Hard-core web defacement statistics trends and analysis.

Dale Coddington is a Systems Security Engineer with eEye Digital Security, a computer security products and consulting company located in Southern California. In the past Dale has conducted training courses at several Nasa Centers, State of Washington, Naval Justice Center, and the U.S. Department of Justice. In 1999 Dale was appointed one of two technical consultants by the Defense Team of Kevin Mitnick. 

Jason Garms, Microsoft Corporation.

Defending Windows 2000 on the Internet.

During a three month period in 1999, Microsoft placed a group of Windows 2000 servers on the Internet without the benefit of firewalls or network filters and invited people to attack them. The site was created to test Microsoft Windows 2000 technologies in a real-world Internet-based scenario.  This presentation summarizes the process of designing and building the site to withstand adverse conditions (including massive denial service attempts), and discusses the lessons learned and the measures taken to address these attacks.

Jason Garms is a Lead Program Manager at Microsoft Corporation. He works in the Windows Security organization on security design reviews of Windows features. Previously Jason was involved in Windows Server product planning, the creation of the Microsoft Security Response Center, and at one time worked for Microsoft Consulting Services servicing US Federal government customers. Jason is an author of numerous Windows NT-related books, articles, and papers, and is a frequent speaker on Windows NT security.

Track B - More Technical
Dominique Brezinski, Security Engineer.

Anatomy of Common Programming Security Issues.

Many computer security vulnerabilities are caused by common programming errors.  We will look at several classes of vulnerabilities and the programming problems that cause them.  Descriptions of the problems, explanations of how the problems are exploited, and methods for writing secure code will be discussed.  The presentation is intended for those with some background in programming.  A majority of code examples will be in C. 

Dominique Brezinski is a Technical Guru at In-Q-Tel, a non-profit technology incubator formed by the CIA.  He is tasked with analyzing developing technologies and weighing them against the needs of the CIA and commercial market place.  Mr. Brezinski is even allowed to interject his own paranoid security ideas.  This is much cooler work than what he previously did at, Secure Computing, Internet Security Systems, CyberSafe, and Microsoft.

Simple Nomad, Nomad Mobile Research Centre.

Strategies for Defeating Distributed Attacks.

With the advent of distributed Denial of Service (DoS) attacks such as  Trinoo, TFN, TFN2K and stacheldraht [1], there is an extreme interest in finding  solutions that thwart or defeat such attacks. This paper tries to look not just at distributed DoS attacks but distributed attacks in general.  The intent is not to devise or recommend protocol revisions, but to come up with useable solutions that could be implemented at a fairly low cost.  This paper is also written with the idea that probably 90% of the problems surrounding distributed attacks can be easily solved, with the last 10% requiring some type of long-range strategies or new code to be written.

Brian Oblivion,

Secure Hardware Design.

Abstract: Hardware devices and embedded systems are becoming increasingly more popular in the computer security industry. With the launching of a multitude of hardware tokens, smart cards, cryptographic accelerators, and a plethora of Internet appliances, doors are opened to a new breed of attacks. Detailed product analysis and reverse engineering techniques threaten the assumed security of the devices. Gone are the days of security through hardware obscurity, since vendors and distributors now publicly and freely offer development toolkits used to evaluate and examine the devices. This talk will describe the necessary criteria and details surrounding the design of secure electronic devices to prevent unauthorized access.

Job De Haas, ITSX bv

Getting rooted and never knowing it.

What happens when you can't protect your kernel.

Most if not all intrusion detection and integrity checking software depends on the integrity of the kernel. That they can no longer be depended on when this integrity is violated has been known for a long time. Working examples of such kernel modifications have existed years  before the issue was publicly demonstrated by half-life in an article in Phrack in 1997. Since then several snippets of code have become available for a range of operating systems all reusing most of the examples that were presented then. Still in all these years the level of kernel protection has not much changed. The biggest change happened for the free and open source Unices. Several types of additional access control were proposed and implemented. However, for most commercial unices those solutions never came or were only made available as separate solutions. As often with such issues nothing much happens until a real life working implementation becomes available that demonstrates the issues clearly.

This presentation is about such a demonstration tool, which performs a modification for the Solaris operating system. The implementation of the module is shown in detail. Features that it currently has are hiding of files, hiding of directories, hiding of processes and their children (/proc only), redirection of execve() for hidden backdoors and surviving a reboot.  Additional features that are being worked on include hiding of network connections, hiding of processes through /dev/kmem, and redirection of network traffic for stealth network backdoors. When discussing the various tricks, also possible counter measures for detection are discussed and also possible ways a modification could defeat those in turn. The current measures are already sufficient to successfully defeat Tripwire detection. A live demonstration will show it's use and effectiveness.

A presentation on this topic would not be complete with a view at the possible solutions to this problem. As mentioned before, the free unices have started to adopt several implementations of countermeasures. Best known is the securelevel approach, which is also known for its coarse nature. More recent techniques aim at reducing the need for the root account by introducing several 'capabilities' or 'privileges'. Thereby decreasing the chances of root getting compromised and the kernel getting compromised. Also specific solutions to prevent modification of kernel tables are known. These techniques suffer from the chicken and egg problem: the one to get to the kernel first can theoretically always trick the other in believing things are all right. Another track is adding protection to the mechanism of loading kernel modules. For instance by adding trusted and immutable paths and modules.

From the presentation on the issues above it can be concluded that the problem is a serious one that justifies good solutions. The practice of today is one of some proper implementations, a lot of development for free unices and little work from the vendors of 'off the shelve' commercial operating systems.

Note: This speech complements Jeff Thompson's talk.

Job de Haas, like many others in the IT and Internet industry, started his career in another technical field. Shortly before finishing his Electrical Engineering studies, in 1991, he came into contact with the Internet. From that moment on, he's been interested in computer security.

In the beginning this interest was a hobby, albeit a very time consuming one. This was noticed by the first Internet providers that started to appear in The Netherlands. Their systems were almost never secure, and Job cleverly used their offers to give him free Internet access in trade for pointing out security flaws in their systems. This exercise in breaking security has proved to be an invaluable asset when protecting systems, since one can only protect what one can crack.

Apart from this, Job has been a cryptographic programmer at DigiCash, which has developed a cryptographically secure anonymous payment system for the Internet.

David LeBlanc, Microsoft Corporation.

Real-world techniques in network security management.

Managing network security determines the difference between the security that is theoretically possibly and the level of security which is actually achieved. Real-world techniques in network security management will be presented.

David LeBlanc is a Senior Technologist for Microsoft Corporate Security. He works on Microsoft's internal red team doing penetration testing and writing internal-use security tools. Prior to joining Microsoft, he worked at Internet Security Systems and led the team which produced the Windows NT version of the Internet Scanner. Dr. LeBlanc has a B.S. and M.S. in Aerospace Engineering, and a Doctorate in Environmental Engineering from the Georgia Institute of Technology. Despite not having a way-cool title like "Guru", "Visionary", "Senior Wizard", or "Grand Wazoo", he thinks he has the most fun job at Microsoft.

Joey - 

Advanced Windows NT/2K Security (II).

This time the focus is on Windows NT/2000 security exploitation beyond spawning a remote command shell. Information will be presented on how a remote attacker could violate the TCB (Trusted Computing Base) of the operating system using an array of special techniques. Discussion will shed new light into the alarming extent these special techniques can be utilized, all in a remote exploit, to violate a systems integrity with virtually know visible signs of violation. When your kernel is compromised, there is no one you can trust.

With more than 6 years of experience in the industry, Joey__ specializes in Windows NT / Windows 2000 kernel architecture, security, system internals exploration, exploitation and intrusion protection techniques.  His early work includes publishing the internal workings of  Windows NT Native Call Interface which was undocumented at the time.

Mudge, VP of R&D, @Stake

An analysis of tactics used in discovering "passive" monitoring devices. 

Formerly CEO and Chief Scientist at renowned "hacker think tank", the L0pht, Mudge is considered one of the nations leading "grey-hat hackers". He, along with the other members of the L0pht, are now heading up @Stake's research labs ensuring that the company is at the cutting edge of Internet security. 

A recognized name in crytpanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on Computer and Communications Security, and the Secure Networking - CQRE International Exhibition and Congress. 

He is the original author of L0phtCrack the award winning NT password auditing tool. In addition, Mudge co-authored Anti-Sniff, the world's first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools -- many of which resulted in numerous CERT advisories, vendor updates, and patches.

John McDonald, TUV data protect GmbH
Thomas Lopatic, TUV data protect GmbH
Dug Song, CITI, University of Michigan

A Stateful Inspection of FireWall-1.

This presentation will be a live demonstration of several original techniques for penetrating FireWall-1 protected networks. We will discuss and demonstrate attack methods based on the following four areas:

1. VPN Encapsulation
2. Stateful Infection (TM)
3. Assorted Small Vulnerabilities
4. FW-1 Authentication

We will discuss how to appropriately prevent these kinds of attacks, and how to defensively configure your FireWall-1 to help mitigate the risk of future attacks.

John and Thomas are security consultants for the Munich, Germany based security firm, TUV data protect. They have both been active vulnerability researchers for several years, and have documented several security issues in core Internet software.

Dug Song is a research programmer at CITI, the Center for Information Technology Integration at the University of Michigan. His current research interests include smartcards, distributed filesystems, mobile and wireless computing, intrusion detection, and security middleware in general.

Greg Hoglund -

Advanced Buffer Overflow Techniques.

This is a technical talk aimed at people who have already been exposed to buffer overflows and want to learn more.  The talk assumes the audience has at least some knowledge of CPU's and Processes.  For those of you who already understand buffer overflows, this talk will be a refreshing discourse on technique.  We will show how the injection method can be decoupled from the payload.  We then explore the details and challenges of injecting code into a remote process.  We will also explore the payload, the encoding methods, and how to dynamically load new functions.  Lastly, we discuss the possible effects of a payload, including network worms, virus, and rootkits.

Greg Hoglund is a software engineer and researcher who has traditionally focused on the inner workings of the Windows NT operating system.  He has written and been involved with many commercial security products.  He has written several papers on the subject of 'buffer overflows', content-based attacks, and kernel-modifying rootkits.  Hoglund sponsors the research of a Windows 2000 rootkit at  Currently, Hoglund is involved in a new startup, ClickToSecure, Inc.,  that builds tools for software reliability testing.

White Hat - Management Issues
Jennifer Granick, Attorney at Law
Mark Eckenwiler, Attorney for the Department of Justice

What Internet Service Providers Need to Know About the Law.

Jennifer Stisa Granick is a defense lawyer practicing in the areas of high tech and computer crime from her office in San Francisco.  She defends unauthorized access, trade secret theft, and email interception cases nationally.  Granick has written articles on wiretapping, workplace privacy and trademark law for Wired.  Additionally, she has spoken at previous Black Hat Briefings and to NASA computer security professionals about computer crime laws, digital forensics and evidence collection. 

Mark Eckenwiler is Senior Counsel at the Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice.  His areas of expertise include the Electronic Communications Privacy Act, federal wiretap law, computer search and seizure, and computer intrusion investigations.  A Net veteran for more than 15 years, he writes and lectures frequently about the Internet and criminal law, and serves on the ABA Task Force on Technology and Law Enforcement.  Mark holds an A.B. cum laude from Harvard (1982), an M.A. in Classics (Ancient Greek) from Boston University (1986), and a J.D. cum laude from New York University School of Law (1991).

Lee Kushner, CEO - L. J. Kushner and Associates, L.L.C.

Hiring trends, desired skill sets, and the state of employment in the information security industry.

Lee J. Kushner is the founder and CEO of L. J. Kushner and Associates, L.L.C., an executive recruitment firm based in Freehold, New Jersey. The firm is considered to be the Industry Leader in the recruitment of Technical and Sales Professionals in the areas of Information Security and Secure Electronic Commerce.   L J  Kushner represents over forty corporations across the United States and performs nationwide recruitment services for these companies.  The corporate clients range from Fortune 500 Corporations to Big Five Consulting Firms to Pre-IPO Startup Companies.  The areas of concentration range from Product Firms to Consulting Firms to Application Service Providers (ASPās). 

Lee Kushner has been focusing, exclusively, in the Information Security Arena for the past four years.  Included in his accomplishments was leading the initiative for the successful recruitment of one hundred thirty (130) Security Professionals for a Big Five Consulting Firm.  Mr. Kushner is an authority on industry hiring trends and compensation and has been quoted in several trade publications.

Mr. Kushner sought out to build a firm that provides the candidate a personalized recruitment process.  While the Internet is a superb source for the dissemination of information and the conducting of commerce, it will never be a substitute for the ćpersonal approachä required in dealing with professionals.  Matching an individual with a company involves more than just salary and skill considerations.  The companyās Corporate Culture and the ability of the professionals to flourish within that culture are critical.  Mr. Kushner trains his recruitment professionals to deal with the person; not the position.

Lee Kushner believes a successful recruitment professional must remain abreast of all developments in the Information Security Industry.  The firm exhibits at six to eight conferences every year and Mr. Kushner has been an annual attendee of Black Hat and DefCon.  He has also attended numerous other industry conferences including CSI (Computer Security Institute); Gartner Group; SANS; InfoSec World; RSA Data Security; Net Sec; HealthSec; Vanguard; and The Tivoli Partners Exchange.  Mr. Kushner received a Bachelor of Science from East Carolina University and a Masters of Science from Ohio University.

Edward G. Schwartz, CISSP, CISA, Vice President, Chief Information Security Officer - Nationwide.

Data Privacy: What should the CIO and CISO be doing?

Data Privacy, the protection of individually identifiable personal information is the #1 concern among Americans these days -- even above domestic terrorism.  Emerging legislation at the federal level; such as the Gramm-Leach/Bliley Act (S.900/H.R.10), the Health and Human Services (HHS) draft regulations to support the Health Insurance Portability and Accountability Act (HIPAA,); and international requirements such as the European Community Data Privacy Directives will have a profound effect on consumer privacy and permitted government and corporate uses of personal data. Universal interest in this topic means that Chief Information Officers and Information Security professionals have an important role in the creation and stewardship of a successful data privacy compliance program.

This presentation will provide an overview of both individual concerns and business issues associated with data privacy, and a recap of the regulatory space and controversy governing this environment.  The focus of the presentation will be a walk through of the specific activities that comprise an effective data privacy management initiative and what both CIOs and Information Security professionals must be doing to manage this risk area.  By the end of the session, attendees will have a ćcookbookä for devising, establishing and managing the organization, business process, information technology and compliance activities for their own data privacy program.

Eddie is Vice President and Chief Information Security Officer for the Nationwide family of companies.  He has enterprise-wide responsibility for information assurance and information risk management activities including business continuity, information security, and data privacy.  He has over 20 years experience as an information technology professional and as an information risk management and security practitioner.  He has created information risk management business processes and enterprise information assurance and technical security architectures for numerous large commercial and U.S. Government entities.  Prior to joining Nationwide, Eddie was National Director of the Information Risk Management practice for a large Midwest consulting firm; Technical Director of an information security laboratory for a U.S. Government agency; a Senior Computer Scientist for Computer Sciences Corporation, and a Foreign Service Officer with the U.S. Department of State.  Eddie is a member of numerous industry organizations, a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and has received numerous other technical and security-specific certifications.

Diana Kelly, Director, Professional Services, LockStar, Inc.

From Policy to Technology, Translating U.S. Privacy Regulations for Implementation.

This presentation examines the security planning implications of HIPAA and Gramm Leach Bliley.  We review the basic requirements of the acts at a high level, examine available technologies for meeting those requirements, and then detail ways in which organizations can begin to take control of their own compliance by creating workable security and privacy frameworks.

Diana Kelley has nine years of professional experience creating secure network architectures and system management solutions. Prior to joining LockStar, Kelley was the Senior Security Analyst for Hurwitz Group and a Manager in KPMG's Financial Services Consulting practice, where her clients included Bank of America, GE, Merrill Lynch, MetLife and The Travelers. She was also the co-owner of an independent security and technology planning consulting firm, manager of Corporate Systems Administration for Dataware Technologies, Inc. Kelley frequently speaks and writes on a number of security related issues. She holds a bachelor's degree, summa cum laude, from Boston College. 

Ian Poynter - Jerboa, Inc.
Diana Kelley - VP, Corporate Development, LockStar, Inc.

The truth about ASPs.

Application Service Providers (ASPs) are generating a lot of news lately as a way for small and medium size companies to take advantage of large scale, enterprise level resources.  ASPs offer outsourcing of a wide variety of services, from the management of calendaring and meeting schedules, sales force contact lists, and data backup, to analytic processing of corporate data.  Being able to harness the power of a large ASP can bring valuable business benefits, but this power may come with a high price.  Because the very data that the ASP is collecting, managing and processing for their clients is the data that forms the heart of a company's most valuable asset: intellectual property and corporate intelligence. 

Before jumping into the ASP fray, organizations need to ask themselves some hard questions: how well do you know your ASP's security model?  Could you be sacrificing security for convenience?  Who is liable if your corporate data is compromised?  This session will examine some of the most popular ASPs and the services they provide.  We review security risks that any organization must understand before outsourcing their most valuable corporate data to a third party.  We'll also turn the tables and discuss what ASPs should be doing to improve their security position as a marketing and promotional tool. 

Ian Poynter has been active for more than 16 years in technology industries, focusing on networking and human-computer interfaces. Since founding Jerboa in 1994, he has developed strategic planning initiatives for leading national and international corporations. Poynter works within a wide range of industries to design solutions for corporate network and Internet security.

Poynter has provided firewall and Internet security training to key corporate information systems personnel around North America and frequently speaks at professional meetings, including The Internet Security Conference (TISC), the COMMON (IBM Users Group) Conference and Networld+Interop. 

Poynter holds a B.Sc. First Class in Computer Science from the University College London.

Terry Losonsky - NSA.

National Information Assurance Partnership.

The National Information Assurance Partnership (NIAP) is a U.S. Government initiative developed to meet security testing needs of both information consumers and producers.  NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their responsibilities under PL 100-235 (Computer Security Act of 1987).  The partnership combines the security experience of both Agencies to promote the development of technically sound security requirements for information technology products and systems and measures for evaluating those products and systems.

Terry Losonsky, Deputy Director for the National Information Assurance Partnership (NIAP), has over 27 years experience in Information assurance.  He's served as a system security accreditor, trusted system designer, security profile developer, internal EDP auditor, product security tester, laboratory assessor and defense security policy developer.  He taught computer security / science at the DoD Computer Institute and Jacksonville University.  His master's thesis on risk analysis was referenced in several Federal Information Processing Standards (FIPS).

Gordon Reichard Jr., President, CEO, Telenisus Corporation.

Trust, Security, Partnership...Strategies in Selecting a Managed Service Provider.

Gordon Reichard, Jr., is president, chief executive officer and director of Telenisus Corp., a complete e-business service provider.  In this position, Reichardās responsibilities include creating and implementing Telenisusā vision and overseeing all aspects of the companyās business.

Reichard has drawn from his 18 years of experience to build a highly qualified executive management team that understands how to design, build and manage reliable and secure Internet-based communications services.

Reichard, former president of Ameritech Advanced Data Services, built and grew Ameritechās data services from nearly zero to $1 billion in five years.  Through internal growth and acquisition, he was able to enhance Ameritechās position in the data and Internet segments.  He was also responsible for executive leadership in data network services, network management, and network integration of customer enterprise networking.  Before joining AADS, Reichard was regional manager for the systems engineering divisions in 3Com Corporationās north and central districts.  He was also brand manager for U.S. Robotics

Reichard received a bachelorās degree in electrical engineering from Southern Illinois University at Carbondale, Ill., and a masterās degree in business administration from Lake Forest Graduate School of Management in Lake Forest, Ill. Reichard holds a number of patents for the design of local area network (LAN) and wide area network (WAN) equipment.

Scott Blake, Security Program Manager, RAZOR Team, BindView Corporation.

The Pros and Cons of Hiring Hackers.

We hear a lot about hackers in the media, but what's the real story?  Are hackers socially-challenged teenage boys with technical talent?   Who are they really?  While they are certainly individuals, there are trends and commonalities that can be observed.  If you're interested in securing your computers and networks, you certainly can't ignore them.  Getting them on your side might even be the best approach, but what are the dangers, concerns, and pitfalls of that approach?  In this talk, you'll learn the benefits of having hackers on your side as well as the potential problems of letting them in your front door.

As BindView's Security Program Manager, Blake is responsible for the functioning of a worldwide team of security experts providing security expertise to all of BindView's technologies and performing original research in computer and network security.  Prior to joining BindView, Blake designed perimeter security, network security architectures, and developed security policies for several large companies including leaders in financial services and telecommunications, as well as several large hospitals and universities.  Blake occasionally teaches a course, "Technology, Society and Culture," at Simon's Rock College of Bard. He holds a BA in Social Sciences from Simon's Rock College and an MA in Sociology from Brandeis University.

Deep Knowledge
Continuation of Kingpin and Brian Oblivion

J.D. Glaser, Senior Software Engineer, Foundstone, Inc.

Defending your network with Active Directory Services.

A joint talk by Raymond Forbes and JD Glaser, that examines the new ADS technology in detail and discusses the most effective use of it in your network.  Topics will include: 

Domain to ADS migration, Migration security issues, ADS security configuration issues, How to accurately audit ADS services and accounts, Applying secure Distributed File Services to your network, Auditing your new file system, Potential weaknesses, Configuration Tips for a secured network.

In order to deal with the increasing number of network attacks, better defense techniques need to be put into place. This talk will equip you with an improved knowledge set in applying defensive measures to your network.

JD Glaser is the senior software engineer for Foundstone, Inc., a new security company headed by George Kurtz and Stuart McClure. Previous projects included building the company, NT OBJECTives, Inc., a maker of security audit tools for Windows NT. Most notably, NTLast and Forensic Toolkit, which are free tools for the security community. He is an MCSE/MCSD that specializes in DCOM programming and NT network security. Clients have included, Intel, HP, Columbia Sportsware and Tripwire. Latest projects have involved NTFS file system code for Tripwire for NT, file system filters for real-time intrusion detection systems, and now, specialized security tools for the Foundstone Tiger Team.

Lunch Speakers
Richard Thieme, CEO,

The Strategies of Sun Tzu and Multiple Levels of Deception: How to play chess while the board is disappearing.

Creating a "trusted network" in electronic terms does not resolve the most critical security problems because those problems begin at the interface of the network and the human user. The global theater of information warfare rewards the ability to establish points of reference on the fly while sustaining an image of ultimate intentions. This presentation provides a template for managing people, ideas, and possibilities in a quantum world.  You will learn: how to manage people, ideas and possibilities in a constantly changing environment, how to examine assumptions that worked before and don't work now, and how to think of security in complex systems in terms of the human dimension.

Thieme was born in Chicago, Illinois, in 1944 and graduated from Northwestern University in 1965 with a B.A. in English literature (highest honors, Phi Beta Kappa). His non-academic education included working with the Daley political organization. After living in Madrid, Spain for a year, he attended the University of Chicago (Title IV NDEA Fellow) and received an M.A. in English literature. He taught literature and writing at the University of Illinois-Chicago and wrote fiction in his twenties. Then, after two years in England and a three-year professional Master's degree from Seabury-Western Theological Seminary, he became an Episcopal priest and led parishes for sixteen years in three very different cultures: Salt Lake City, Utah; the Hawaiian island of Maui; and Milwaukee, Wisconsin. 

He bought an Apple II computer in the early eighties and life was never the same. He realized that the way he was affected by his interaction with the computer was exactly how society would be affected by the computer revolution. He began writing about topics like "Computer Applications for Spirituality: the Transformation of Religious Experience," but ÷ as one editor wrote ÷ "only three of you care about this."

The internet changed all that, making the transformation visible. His diverse experiences working with symbols in speech and literature and communities bound together by symbols translated effortlessly into the digital world. His passion for exploring the impact of technology on institutions and organizations ÷ business, education, government, religion ÷ and his extensive experience with leadership, management, organizational dynamics, and cultural diversity led him to establish ThiemeWorks in 1993 to pursue a career of professional speaking, consulting, and writing. 

Hal McConnell - Retired NSA, and National Cryptologic Museum Docent.

Threats from Organized Crime and Terrorists.