Black Hat Digital Self Defense
Current Organization and Media Sponsors for Black Hat Briefings USA 2002
Dave Aitel

Thomas Akin

Ofir Arkin

Rebecca Bace

Robert Baird

Scott Blake

Jay Beale

Maximiliano Caceres

Matthew Caldwell

Don Cavender

Richard Clarke

Shaun Clowes

Sean Convery

Chris Davis

Roger Dingledine

Mark Dowd

Stephen Dugan

Mark Eckenwiler

David Endler

Carole Fennelly

Nicolas Fischbach

Halvar Flake

Oliver Friedrichs


Richard George

JD Glaser

Ian Goldberg

David Goldman

Jennifer Granick

Dennis Groves

Jed Haile

Nishad Herath

Aaron Higbee

Greg Hoglund

Jack Holleran

Paul Holman

Honeynet Project

Jeff Jonas

Dan Kaminsky

Diana Kelley


Jonathan Klein

Paul Knight

Jesse Kornblum

Sébastien Lacoste-Séris

Elias Levy

Steve Lipner

David Litchfield

Debra Littlejohn Shinder

Mike Lynn

Kevin Manson

Robert Marotta

Brian Martin

Haroon Meer

Neil Mehta

Michael I. Morgenstern

Tim Mullen

Rich Murphey

Tom Parker

Bill Pennington

Bruce Potter

Ian Poynter

Rain Forest Puppy

Marcus H. Sachs

Richard P. Salgado

Len Sassaman

O. Sami Saydjari

Mike D. Schiffman

Marc Schönefeld

Simple Nomad

Rick Smith

Chris Spencer

Michael Sutton

Roelof Temmingh

Richard Thieme

Dan Veeneman

main speakers schedule sponsors training hotel

detailske me to..
Topic descriptions are listed alphabetically by speaker.
Presentations are now online and can be found beneath the speaker name on this page.
If you missed any of the talks or was not able to attend, audio and video is available from The Sound of Knowledge.

An Introduction to SPIKE, the Fuzzer Creation Kit
Dave Aitel, Immunity, Inc

SPIKE ( is a tool created in order to better analyze new or complex network protocols. Publicly, SPIKE is best known for locating 2 of the recent IIS vulnerabilies; privately, it has located many more.

Although SPIKE is a fuzzer, and there are many fuzzers, SPIKE has some unique theoretical underpinnings. These, and the SPIKE API itself, will be presented, along with some interesting demos.

Dave Aitel spent 6 years with the National Security Agency before joining @stake, heading up its Attack and Penetration Center of Excellence. He now works for Immunity, Inc.

Return to the top of the page

Cisco Router Forensics
Thomas Akin, CISSP
[ Intrusion Destection / Incident Response / Computer Forensics ]

Routers have long been used as resources for footprinting a network before an attack. Now they are increasingly becoming the target of attack themselves. A compromised router allows an attacker to not only easily map out the network, but provides means of rerouting traffic and bypassing firewalls and IDS systems. The outline for the presentation is below:

  1. Router Exploits & Their Implications
  2. Brief Router Hardware/Software Overview
    1. Details of Router Memory and Flash Storage
  3. Router Forensics v/s Traditional Forensics
  4. Router Incident Response
  5. Securely Accessing the Router
  6. Recording Your Analysis
  7. Router Forensic Imaging
  8. Evidence Preservation & Chain of Custody
  9. Evidence Discovery
    1. Volatile Evidence (RAM)
    2. Non-volatile Evidence (Flash)
    3. External Analysis
  10. Evidence Analysis
    1. IOS Vulnerabilities
    2. Logging Analysis
      1. Console, Buffer, Terminal, SNMP, AAA, Syslog Logging
      2. ACL Logging
    3. Timestamp Correlation
  11. Router
  12. Using Routers to Perform Real-time Analysis

Thomas Akin is a Certified Information Systems Security Professional (CISSP) who has worked in Information Security for almost a decade. He is the founding director of the Southeast Cybercrime Institute where he also serves as chairman for the Institute's Board of Advisors. He is an active member of the Georgia Cybercrime Task Force where he heads up the Task Force's Education committee. Thomas also works with Atlanta's ISSA, InfraGard, and HTCIA professional organizations.

Thomas is the author of "Hardening Cisco Routers" from O'Reilly and Associates. He also has a chapter titled "Cybercrime: Response, Investigation, and Prosecution" in the upcoming Information Security Management Handbook. He developed Kennesaw State University's highly successful UNIX, Cisco, and Computer Investigation training programs. Finally, in addition to his CISSP he is certified in Solaris, Linux, and AIX, is a Cisco Certified Academic Instructor (CCAI), and is a Certified Network Expert (CNX). Thomas can be reached at

Return to the top of the page

Cracking VoIP Architecture Based on the Session Initiation Protocol (SIP)
Ofir Arkin, Managing Security Architect, @stake
[ Routing & Infrastructure ]

" is no longer necessary to have a separate network for voice..."

Voice over IP (VoIP) is the next generation of telecommunications. It is combined from singling protocols (which establish, modify, and tear-down sessions), media transfer protocols (which carry the voice samples), and supporting protocols (which support the other two protocols with services they need such as routing, DNS, etc).

Security issues with VoIP based protocols are less highlighted than the hype about the technology. This talk will be focusing on the Security issues with the Session Initiation Protocol (SIP), a signaling protocol that is the crown contender of H.323, and with the Real-Time Transport Protocol (RTP) which is the most common vessel for carrying voice samples.

The presentation will highlight ways to take advantage of the design of these protocols. The talk will also examine ways to bypass any element in a VoIP architecture based on the Session Initiation Protocol. Among the issues we will be examining are free phone calls, call hijacks, call tracking, manipulation of conversations, fraud (and detection) and other gizmos.

Ofir Arkin has worked as a consultant for several European finance institutes where he played the rule of Senior Security Analyst, and Chief Security Architect in major projects. His experience includes working for a leading European Swiss bank architecting the security of the bank's E-banking project.

Prior to joining @stake Ofir acted as chief security architect for a 4th generation telecom company, were he designed the overall security scheme for the company. Ofir has published several papers as well as articles and advisories. Most known are the "ICMP Usage in Scanning", and "Trace-Back" research papers. Some of his research was mentioned in professional computer security magazines. He is an active member with the Honeynet project and participated in writing the Honeynet's team book, "Know Your Enemy" published by Addison-Wesley.

Ofir Arkin is also the Founder of the Sys-Security Group, a web site dedicated to computer security research.

Return to the top of the page

Advanced 802.11b Attack
Robert Baird
Mike Lynn
[ Wireless ]

This presentation will initially open with an in depth discussion of theoretical wireless attacks. The centerpiece of this presentation will be a demonstration of an 802.11b wireless MITM. This will be a full Layer 1 insertion between the victim’s machine and the wireless infrastructure and NOT just simple redirection of upper level protocol packets (like IP). This attack is performed with custom software tools used to cause the victim machine to send all of its 802.11b frames through the attacking machine. This attack can be performed without close proximity to the victim and does not require any custom hardware. Additionally, as time permits we will explore the upper layer protocol vulnerabilities that can then be exploited by this technique.

Given adequate speaking time, we may also cover a number of additonal attacks on wireless implementations such as known plain text attack posibilities with WEP and the effects that shared key authentication has on them

All custom software tools and drivers will be made available on the BH2002 CD.

Robert Baird: Robert is a senior IT engineer with 17 years professional experience and 5 years security experience and holds a B.S. degree in Electrical Engineering and is a Certified Information Systems Security Professional. Robert has been researching wireless security and performing wireless assessments for 2 years.

Mike Lynn: Mike is a software engineer with over 5 years development experience and is currently working in the security field. Mike has been researching wireless networking and writing custom 802.11 drivers for 1 year.

Return to the top of the page

Attacking and Securing UNIX FTP Servers
Jay Beale, Founder & Principal Security Consultant, JJB Security Consulting & Training
[ Web, Mail, DNS & Others ]

The Unix FTP servers have been called 'the IIS of the Unix world' for their frequent and potent vulnerabilities. Each has provided remote exploits, usually at the root privilege level, on a consistent and frequent basis. WU-FTPd is the most popular Unix FTP server by far, shipping by default on most Linux distributions, and even on Solaris, and being installed most commonly on the rest of the Unix platforms. This talk will demonstrate working exploits on WU-FTPd, then show you how to configure WU-FTPd to defeat them. While the talk will use WU-FTPd as the primary example, we'll also discuss ProFTPd, the other major FTP daemon for Unix.

Jay Beale is the founder and principal security consultant for JJB Security Consulting and Training. He is the Lead Developer of the Bastille Linux Project, which creates a hardening program for Linux and HP-UX. Jay is the author of a number of articles on computer security, along with the upcoming book "Locking Down Linux the Bastille Way" to be published in the second quarter of this year by Addison Wesley. You can learn more about his articles, talks, courses and consulting via

Return to the top of the page

Politics of Vulnerability Reporting
Scott Blake, CISSP, Vice President of Information Security, Bindview Corporation
[ Web, Mail, DNS & Others ]

The vulnerability reporting process is rife with competing interests. Research is conducted by software vendors themselves, paid consultants, government agencies, professional and academic researchers, as well as people who make their living in other ways. Each of these groups have particular interests in the process. The vendor of the targeted software has their concerns. The public at large has an interest in the process (and its results), but it is unclear what the public should be concerned with. This talk explores vulnerability reporting from all angles, including that of the public good. Atendees will learn a rudimentary cognitive framework for understanding the powers in play in vulnerability reporting and apply that to understand the present and the future of security.

Scott S. Blake, CISSP
As BindView's Vice President of Information Security, Mr. Blake is responsible for the functioning of RAZOR, a worldwide team of security experts providing security expertise to all of BindView's technologies and performing original research in computer and network security, as well as supervising BindView's operational security, risk management, and emergency response team. Additionally, Mr. Blake is responsible for BindView's Public Policy group. Mr. Blake was Director of Security Strategy at BindView before being promoted. Prior to joining BindView, Mr. Blake was Director of Technical Services for Netect where he was responsible for the Technical Support, Information Technology, and Pre-Sale Engineering groups. He also participated in the design of HackerShield, an award-winning vulnerability assessment scanner. Before Netect, Mr. Blake was Network Security Architect for Internet Security Corporation where he designed perimeter security, network security architectures, and developed security policies for several large companies including leaders in financial services and telecommunications, as well as several large hospitals and universities. Mr. Blake is frequently sought to speak at security and information technology conferences and by the media to comment on security issues. He is the author of several articles on various aspects of information security.

Mr. Blake is a Member Emeritus of the Common Vulnerabilities and Exposures Editorial Board and Chairperson of the Simon's Rock College Alumni Association Advisory Board. He holds a BA, cum laude, from Simon's Rock College, an MA in Political Sociology from Brandeis University, and is a Certified Information Systems Security Professional.

Return to the top of the page

Syscall Proxying - Simulating Remote Execution
Maximiliano Caceres, Product Engineer, CORE IMPACT, CORE SECURITY TECHNOLOGIES
[ Deep Knowledge ]

A critical stage in a typical penetration test is what we call the "Privilege Escalation" phase. An auditor typically encounters this stage when access to an intermediate host or application in the target system is gained, by means of a successful attack. Access to this intermediate target allows for staging of more effective attacks against the system. Webs of trust and a more privileged position in the target system's network topology allow for an "attacker profile" switch. This 'profile switch' is referred to as 'pivoting' along this document. Pivoting over a compromised host can often be an onerous task, sometimes involving porting tools and/or exploits to a different platform, deploying these tools, and even installing C compilers on the target system! Syscall Proxying is a technique aimed at simplyfing this stage. By providing an interface into the target's operating system it provides both a framework for developing new penetration-testing tools and isolates remote attacks from local configuration issues (for example, lowered privileges and chroot jails). Syscall Proxying transparently "proxies" operating system syscalls to a remote server, effectively simulating remote execution.

The presentation is structured into the following sections:

  1. Syscall Proxying. General concepts
    1.1.- UNIX syscalls
    1.2.- Windows "syscalls"
  2. A first into an implementation
    2.1.- An RPC client-server model
  3. Optimizing for size. Redefining the word "shellcode".
    3.1.- No more exec '/bin/sh'
    3.2.- Why? No more shellcode cutomization
    3.3.- A sample implementation for Linux
  4. The real world: applications
    4.1.- Exploiting buffer overflows / format strings
    4.2.- An example, breaking out of a chroot jail after attacking wu-ftpd

This is a fairly technical presentation, aimed at exploit and general pen-testing tool writers. It has a some assembly code and Python samples. The complete materials for the presentation will be a paper (in PDF), a powerpoint presentation (exclusively for this Black Hat conference) and couple of code samples, both for a syscall client and a syscall server, which will allow the audience to actually try the technology for themselves in their own systems.

Maximiliano Caceres is the head engineer for a CORE IMPACT, a revolutionary risk assessment product developed to professionalize the Penetration Testing practice. He's been part of the IS consulting services team at CORE-ST as a senior consultant, responsable for coordinating and executing penetration test, security architecture design and product security evaluation engagements. Maximiliano has also been involved in the research, discovery and reporting of computer security vulnerabilities during the last 8 years.

Return to the top of the page

Security Event Correlation – Security's Holy Grail?
Matthew Caldwell, CISSP, Chief Security Officer & Co-founder, GuardedNet
[ Intrusion Destection / Incident Response / Computer Forensics ]

Today, one of the main issues affecting the security teams of large organizations today is the management of their intrusion detection data. Security teams are inundated with enormous amounts of data from their intrusion detection systems, much of which is false positive. In addition, firewalls, routers, anti-virus solutions and all the other security point solutions provide a plethora of data that teams must manually pour through and analyze. This process is laborious, and prone to human error, such that analysts often miss the true threats to their networks or they find them too late. Organizations need a solution that automates the time-consuming, mundane tasks of aggregation and correlation of security event data, so that security analysts can focus on the tasks that require human intelligence such as trending and analysis, investigation and response.

Correlation tools are considered the Holy Grail for intrusion security professionals who are bogged down with log data overload. They hope that correlation can pull the needle out of the haystack – diminishing false positives and finding attacks that are ignored by individual point products. They imagine that correlation will put the "real" in real-time. But in reality, when it comes to stopping attackers, correlation is only the beginning of a complex threat analysis process.

During this presentation, Matt Caldwell from GuardedNet will discuss correlation of security data in detail. What is can do and what it can't do. You will learn the following:

  • The definition of correlation and the various types of correlation that
    can be used in a security infrastructure to glean attack information
  • The difference between Micro and Macro correlation and why Macro
  • The process of automating data correlation

Matthew Caldwell, CISSP, is chief security officer and co-founder of GuardedNet, a leading developer of security operations threat management software. He has 11 years of experience in the field of network security and development, working for organizations such as NCR, Intel, Solectron and Alcoa.

Before GuardedNet, Mr. Caldwell led the Security Audit Project for The State of Georgia. His group conducted covert penetration testing, defended against intrusion, and developed forensics for security incidents. He is an expert in IDS products, developing high-availability intrusion detection capabilities, and distributed war-dialing systems.

Previously, Mr. Caldwell was a Senior Security Analyst for VC3, an IT services firm, where he founded the security business. Additional prior experience includes Intel Inc., NCR Inc, AT&T, and a regional ISP. His advanced server group won "Best Server" at Comdex 1998. Mr. Caldwell is a frequent guest speaker on advanced hacker tools. He serves as a network forensics expert for the Georgia Bureau of Investigations and has created forensic methodologies with a baited system that traps and logs hackers.

Return to the top of the page

National Strategy for Securing Cyberspace
Richard Clarke, Office of Cyberspace Security
[ Keynote ]

Richard Clarke will discuss the National Strategy for Securing Cyberspace.

National Security Advisor Condoleezza Rice and Director of Homeland Security Governor Ridge announced in October the appointment of Richard A. Clarke as Special Advisor to the President for Cyberspace Security.

Mr. Clarke has served in several senior national security posts. Most recently he served as National Coordinator for Security, Infrastructure Protection, and Counter-terrorism on the National Security Council. As National Coordinator, he led the U.S. government’s efforts on counter-terrorism, cyber security, continuity of government operations, domestic preparedness for weapons of mass destruction, and international organized crime.

In the George H.W. Bush Administration, he was the Assistant Secretary of State for Politico-Military Affairs. In that capacity, he coordinated State Department support of Desert Storm and lead efforts to create post-war security architecture. In 1992, General Scowcroft appointed Mr. Clarke to the National Security Council staff. He continued as a member of the NSC staff throughout the Clinton Administration. In the Reagan Administration, Mr. Clarke was the Deputy Assistant Secretary of State for Intelligence.

Richard Clarke is a career member of the Senior Executive Service, having begun his federal service in 1973 in the Office of the Secretary of Defense.

Mr. Clarke is a graduate of the Boston Latin School, the University of Pennsylvania, and the Massachusetts Institute of Technology.

Return to the top of the page

Fixing/Making Holes in Binaries: the Easy, the Hard, the Time Consuming
Shaun Clowes, IT Director, SecureReality
[ Application Security ]

The ability to modify a binary while on disk or as a running process provides an amazing array of opportunities for the systems programmer or blackhat/whitehat since it is then possible to modify a program to:

  • Insert debugging/profiling code
  • Render it invulnerable to a known security issue
  • Add malicious code (e.g a backdoor)

However, traditionally both in file and runtime binary modification have been sufficiently complex to limit their use to virus writers, black hats and others with a reasonably intimate understanding of systems level programming.

This talk will attempt to demystify both binary and runtime program modification, focusing on the modification of ELF binaries under Linux and Solaris. In particular a variety of methods will be discussed and demonstrated including:

  • Binary patching
  • Process memory patching
  • Library interception
  • Run time library interception

The talk will cover the basic approach behind each of the methods along with their advantages and disadvantages. The demonstrations will show how the methods can be used for evil but more importantly how they can empower administrators and systems programmers to protect applications for which they do not have the source from known security vulnerabilities (rather than falling at the mercy of the software vendors).

A substantial amount of the talk will be devoted to discussion about and demonstration of injectso, a recently released tool by the speaker that allows for simple run time patching of processes under Solaris (Sparc) and Linux (IA32 and Sparc) through the injection of shared libraries.

Shaun Clowes is the IT Director of SecureReality, a small cutting edge security consultancy based in Sydney, Australia. Shaun holds an honors degree in Computing Science from the University of Technology Sydney and has a wide technical background in IT including Unix systems programming, networking and systems/security administration. Shaun leads the vulnerability research arm of SecureReality which is broadly exploring the security landscape testing both the obvious targets and the glue that holds everything together.

Return to the top of the page

Hacking Layer 2: Fun with Ethernet Switches
Sean Convery, Security Researcher, Cisco
[ Routing & Infrastructure ]

Lots of time has been spent presenting L2 hacking from the attacker's perspective. What is needed is a focus on the network administrator and what he can and can't do to try and thwart these attacks. This session presents currently available L2 attack methods interspersed with details on mitigating the attack. The findings are the result of combined @Stake and Cisco testing. Security issues addressed include: ARP Spoofing, MAC Flooding, VLAN hopping, DHCP starvation, packet sniffing, and STP concerns. Common myths with Ethernet switch security will be either confirmed or debunked and security lockdown recommendations will be provided.

Sean Convery, CCIE #4232, is a security researcher in Cisco's Critical Infrastructure Assurance Group (CIAG). The research arm of the CIAG is tasked to collaborate with various groups (primarily academia and national laboratories) on security issues 3-5 years in the future. Before coming to the CIAG, Sean worked primarily on the SAFE blueprint, and is an author of several whitepapers on the subject. Prior to his four years at Cisco, Sean held various positions in both IT and security consulting during his 11 years in networking.

Return to the top of the page

Why Is Anonymity So Hard?
Roger Dingledine, the Free Haven Project
[ Privacy & Anonymity ]

With reasonable anonymity designs that are decades old, it seems clear that we should have a reliable, secure, and ubiquitous anonymity network by now. But apart from the purely technical challenges, there are social barriers as well. The complexity of distributing trust, problems funding the infrastructure or getting volunteers to run it, and challenge of making users comfortable all conspire to make deploying a strong anonymity system very difficult.

I'll describe several anonymity designs, each with its own strengths and weaknesses, and compare ease of deployment based on the above issues. I will focus on Onion Routing, a low-latency stream-based anonymous communication system under research and development. Throughout, I'll share some intuition about how to break these systems and fix them, including some new and very effective attacks.

Roger Dingledine, The Free Haven Project. As a cryptographer and network security expert, Roger Dingledine lives in that space between theory and practice. He prefers to tackle the really hard problems so one day we can build real solutions. Current interests include anonymous publishing and communication systems, censorship-resistance, attack-resistance for decentralized networks, and reputation.

Return to the top of the page

Professional Source Code Auditing
Mark Dowd, ISS X-Force
Nishad Herath, ISS X-Force
Neil Mehta, ISS X-Force
Chris Spencer
Halvar Flake,
Black Hat Consulting
[ Deep Knowledge ]

Finding security vulnerabilities in software is getting increasingly difficult as coders (particularly of open source products) are learning the potential dangers of using certain functions or doing unbounded memory copies and so fourth. Vulnerabilities of a more technical nature are beginning to be uncovered recently which are much more subtle than standard programming errors and due to this have gone undetected for quite some time.

This speech aims to address some interesting conditions that occur in many software applications as well as demonstrate the threat these vulnerabilities represent. Some techniques will be disclosed here that we have developed for auditing software and exposing interesting vulnerabilities in both UNIX and Win32 Applicatioins. Several examples will also be shown to relate the theory of software analysis to the real world and give listeners an idea of what coding errors are being commonly made in the software community.

Mark Dowd has been part of the ISS X-Force research and development team for the past year and a half. In that time he has uncovered a number of vulnerabilities in major widely-used software applications. Some examples include buffer overflows in the /bin/login program for Solaris (exploitable remotely), CDE vulnerabilities and a radiusd buffer overflow.

Prior to working at ISS, Mark was consulting and performing penetration tests for an Australian company, where he was able to develop his skills, and also uncovered a number of software vulnerabilities in a number of UNIX operating systems, including remote vulnerabilities (and proof of concept exploit code) in Linux, Solaris, *BSD, Tru64 and IRIX.

Nishad Herath is a respected member of the Win32 security community. He has an in depth understanding of Windows internals and has published a variety of papers discussing the Windows architecture and its' internal operation, as well as given speeches (including at previous blackhat briefings) on topics such as Win32 kernel code injection. He has also discovered a number of vulnerabilities in major software applications including remote Oracle weaknesses. Nishad has started working at ISS X-Force recently, but has been involved in research and development jobs for a number of years.

Neil Mehta is a recent addition to the research team at ISS X-Force, and specializes in reverse engineering and application security. His reverse engineering background was cultivated through his copy protection consulting business that was founded over two years ago. Neel has done extensive research into detecting subtle coding errors in C-based languages and within binaries, and has applied this research to detect many flaws in widely used software.

Chris Spencer

Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network securityover time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined Black Hat as their main reverse engineer.

Return to the top of the page

Putting 2 and 2 Together: Designing Security into Your Network Infrastructure
Stephen Dugan, CCSI
[ Routing & Infrastructure ]

This talk will focus on tying together your security within a well designed campus network. Understanding the layer 2 and layer 3 attacks against your Cisco network is one thing, learning how to apply methods to stop them within a structured design is another matter. Practical application of these security measures brings many challenges, compromises, and common mistakes.

We will tackle this from a couple different approaches. First we will look at some design models and show some possible security issues inherent with the model itself. What specific commands will be needed, and where will they be applied, within your network. Second we will look at some proactive testing. Start some sniffing at the user’s connection at look for things we shouldn’t see. If we see protocols like L3 Routing updates, CDP, STP or others where could we apply commands to stop the user from seeing network management protocols? Third we will look at some configurations and point out some common mistakes that lead to opening various security holes.

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.

Return to the top of the page

The USA Patriot Act and Criminal Investigations: What Service Providers Need to Know
Mark Eckenwiler, Senior Counsel in the Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice
[ Privacy & Anonymity ]

The USA Patriot Act has been widely described as a "vast expansion of government surveillance authority." This session will challenge that assertion head-on by offering a detailed review of the federal criminal surveillance laws in effect for decades and describing the changes made by USA Patriot.

Mark Eckenwiler is Senior Counsel in the Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice. His areas of responsibility include federal wiretap law, computer search and seizure, and online investigations. An Internet veteran for almost two decades, Mark has written and spoken widely on such issues as anonymity and free speech, e-mail stalking laws, Internet jurisdiction, electronic privacy, and the Fifth Amendment implications of cryptographic keys. His articles have appeared in The National Law Journal, Legal Times, American Lawyer, Civil RICO Report, Internet World, and NetGuide. Recent speaking events include talks before Usenix, NANOG, and Computers, Freedom & Privacy Conference audiences, as well as an appearance at Black Hat 2000. Mark holds an A.B. cum laude from Harvard in History and Literature and an M.A. in Classics (Ancient Greek) from Boston University. After receiving his J.D. cum laude from New York University School of Law, he clerked for U.S. District Court Judge I. Leo Glasser in the Eastern District of New York.

Return to the top of the page

Web Application Brute Forcing 101 – “Enemy of the State (Mechanism)”
David Endler, CISSP, Director, iDEFENSE Labs
Michael Sutton, Senior Security Engineer, iDEFENSE Labs
[ Web, Mail, DNS & Others ]

Almost all of today’s “stateful” web-based applications use session IDs to associate a group of online actions with a specific user. This has security implications because many state mechanisms that use session IDs also serve as authentication and authorization mechanisms — purposes for which they were not well designed.

It is already well known that a user’s web session is vulnerable to hijacking in a replay attack if these session IDs are captured or sniffed by an attacker. A replay attack involving a web application means that an attacker can use a session ID to log on to a user’s account without the appropriate username or password. For example, by sniffing a URL that contains the session ID string, an attacker may be able to hijack a session simply by pasting this URL back into a web browser.

What is not well known is just how easily many of these session IDs can be guessed or brute-forced in order to conduct a replay attack. This eliminates the need for an attacker to guess someone’s username and password on one of these websites.

A session ID is an identification string used to associate specific web page activity with a specific user so that a sense of state is preserved for a web application. Session IDs can be used to preserve knowledge of the user across many pages and across historical sessions, enabling websites to provide features such as site personification (, online retail shopping carts ( and web-based e-mail ( and Some web servers will generate a session ID for users after they visit any page on that server for the first time (Microsoft IIS, Apache, etc.). Additionally, other applications running on that web server (ATG Dynamo, BEA Weblogic, PHPNuke, etc.) may also generate more and different types of session IDs once the user has successfully authenticated.

This presentation focuses on the ease with which many of these session IDs can be brute-forced, allowing an attacker to steal a legitimate web application user’s credentials. While a somewhat narrow area of web application exploitation, the simplicity of the attacks and the prevalence of these vulnerabilities on the Internet make this an important topic. Malicious users can try (usually automated) combinations of well-known usernames and passwords, or indeed attempt all possible combinations of the accepted character set. However, the scope of a brute force attack can be greatly reduced when Session IDs are predictable in nature. The presentation will include an overview of the issues involved with exploiting predictable or “reverse-engineerable” web session ID’s and demonstrate some real world exploitation examples. It will conclude with a discussion on ways both users and developers can protect web applications from these types of attacks.

David Endler is the director of iDEFENSE’s security research group. Prior to iDEFENSE, Mr. Endler served with Deloitte and Touche LLP in the e-business security and technology practice. In previous lives, Mr. Endler also performed security research for Xerox Corporation, National Security Agency, and Massachusetts Institute of Technology. He has conducted numerous media interviews, published technical articles in trade journals, and has previously presented in the areas of intrusion detection, malicious code forensics, and web application security. Mr. Endler holds a B.S. and M.S. in Computer Science, is a member of the Open Web Application Security Project (OWASP), and is a Certified Information Systems Security Professional (CISSP).

Return to the top of the page

Hacker Court
Carole Fennelly, Partner, Wizard's Keys Corporation
Rebecca Bace, President/CEO, Infidel, Inc.
Richard Thieme, Thiemeworks
Jennifer Granick, Litigation Director of the Public Interest Law & Technology Clinic at Stanford Law School's Center for Internet & Society
Jonathan Klein, President & Co-founder, Wizard’s Keys Corporation
Brian Martin, Security Consultant, CACI-NSG
Don Cavender, Instructor, Internet & Network Investigations for FBI, Federal, State & Local Law Enforcement Investigators, Case Support & Consultation & Research
Jesse Kornblum,Chief of Research & Development for the Air Force Office of Special Investigations Computer Investigations and Operations Branch
Kevin Manson, Senior Instructor, Financial Fraud Institute at the Federal Law Enforcement Training Center (FLETC)
Simple Nomad, Nomad Mobile Research Centre
Richard P. Salgado, trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice
[ Panel ]

A panel of experts in law and computer forensics enacts typical computer crime issues to demonstrate how Computer Forensic investigations translate to a courtroom and jury. Three scenarios will be presented with time for Q&A between each.

The legal aspect of computing technology has barely been touched yet. We're at a critical phase where legislation and precedents set over the next few years will form the foundation for cyber-law. The conjunction of a legal system with inadequate technical understanding will result in cyber-legislation built on a foundation of sand.

We need cases that set clear precedents for the legal system. The challenge will be to present the facts of a case in a manner that non-technical juries can understand. As clearly demonstrated at the O.J. Simpson trial, technology doesn’t translate very well to the average person. To be effective in a courtroom, technical witnesses need to understand courtroom procedure and how to translate dry, technical facts to layman’s terms. It doesn’t matter how good the expert analysis is – it matters how much the jury believes it. From the legal side, attorneys and law enforcement need to understand what is actual evidence. Is possession of a few hacking tools evidence of the intent to commit a crime?

This presentation will enact a courtroom environment, complete with judge, jury, attorneys, and witnesses to demonstrate three key issues in computer crime cases. Each segment will last about 15 minutes with a break between each to answer audience questions. The judge and jury will decide how effectively the points were presented.

Validating the evidence
“No autopsy, no foul” is an expression murder investigators are familiar with. Simply having evidence to submit in court is not enough. The evidence must conform to rules of evidence gathering. The integrity and continuity of the evidence must be validated.
In this scenario, methods for evidence gathering and preservation will be presented and challenged. The goal in this phase is to simply validate the evidence, not interpret it.

Law enforcement, attorneys, defendant, victim

The battle of the expert witnesses
Conferences such as Black Hat and Usenix have accustomed technical presenters to a technical audience. When presenting a paper, the proof is often self-evident to the audience. Not so in a courtroom situation. We’ve all dealt with the pain of counseling non-technical family members through computing problems. Multiply this by a factor of 12.
In this scenario, expert witnesses for the prosecution and defense will interpret a given set of evidence for a non-technical jury (or as non-technical as we can get at Black Hat).

Expert witnesses, attorneys

Stereotyping the defendant
Far too often, prosecutors and law enforcement rely on the stereotyped image of the “hacker” to sway a jury. Often web logs are produced “proving” the defendant frequents “known hacker sites”. Such “evidence” certainly looks technical to the jury, but often isn’t evidence of a crime at all. Throw some techno-babble and Hollywood images in, and juries will typically swallow the case. In this section, we will demonstrate the methods used to stereotype the defendant and possible countermeasures.

Carole Fennelly (coordinator and contact) is a partner in Wizard's Keys Corporation, a security consultancy she founded in 1992 with her husband, Jonathan Klein. With 20 years as a Unix systems administrator and security consultant, Carole has a wealth of experience in both technical and managerial procedure. Her rather caustic articles, both technical and editorial, have been widely published and she has been quoted in numerous trade publications. Carole has little tolerance for FUD tactics.

Rebecca Bace is the President/CEO of Infidel, Inc., a network security consulting practice, headquartered in Scotts Valley. She provides strategic and operational consulting services for clients that include security point product developers, legal firms, and Internet solutions providers. She is also a noted author on topics in intrusion detection and network security, with credits including the white paper series for ICSA's Intrusion Detection Consortium. Her book on Intrusion Detection waspublished by Macmillan Technical Publishing in January, 2000.

Richard Thieme is a business consultant, writer, and professional speaker focused on "life on the edge," in particular the human dimension of technology and work. He is a contributing editor for Information Security Magazine. Recent speaking/consulting clients include: Network Flight Recorder; System Planning Corporation (SPC); Firstar Bank; Financial Services - Information Sharing and Analysis Center (FS-ISAC); National Intellectual Property Law Institute (NIPLI); Psynapse/Center for the Advancement of Intelligent Systems; Cypress Systems; Assn. for Investment Management and Research (AIMR); Alliant Energy; Wisconsin Electric; UOP; Ajilon; OmniTech; Strong Capital Management; MAPICS; Influent Technology Group; FBI; US Department of the Treasury; the Attorney General of the State of Wisconsin; and the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas.

Jennifer Stisa Granick is the Litigation Director of the public interest law and technology clinic at Stanford Law School's Center for Internet and Society. Ms. Granick's work focuses on the interaction of free speech, privacy, computer security, law and technology. She is on the Board of Directors for the Honeynet Project and has spoken at the NSA, to law enforcement and to computer security professionals from the public and private sectors in the United States and abroad. Before coming to Stanford Law School, Ms. Granick practiced criminal defense of unauthorized access and email interception cases nationally. She has published articles on wiretap laws, workplace privacy and trademark law.

Jonathan Klein is president and co-founder of Wizard's keys, a security consultancy located in New Jersey. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose independent consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan , discovering there is more to being a technical witness than purely technical knowledge.

Brian Martin is an outspoken security consultant for CACI-NSG in the Washington DC area. Brian has the relatively unique experience of being on both sides of an FBI investigation.. His daily work takes him in and out of commercial and government networks, usually without sparking law enforcement investigation. His work at CACI-NSG revolves around making recommendations based on cynical review of network and system security. He will be survived by his three cats.

Don Cavender
SSA Cavender has twelve years experience as an FBI Agent. The past seven years he has been involved in high technology investigations and/or digital forensics. He is presently responsible for instruction in Internet and Network Investigations for FBI, Federal, State and Local Law Enforcement Investigators, case support and consultation and research.

Jesse Kornblum
SA Kornblum is the Chief of Research and Development for the Air Force Office of Special Investigations Computer Investigations and Operations Branch. A graduate of the Massachusetts Institute of Technology, he has experience running intrusion investigations and supporting other agents in more traditional investigations. He is currently responsible for developing tools and techniques to allow agents to conduct investigations.

Kevin Manson serves as a Senior Instructor with the Financial Fraud Institute at the Federal Law Enforcement Training Center (FLETC). In 1993, while an instructor with the FLETC Legal Division, he pioneered Internet training for the federal law enforcement community, created FLETC's first major computer security training component in 1997 ("Digital Officer Safety") and deployed the first working use of wireless networking in a FLETC training program. He is a co-founder of the Cybercop Secure Portal, which networks over 1,500 law enforcement and IT security professionals to strengthen our nation's "Cyber Civil Defense" as contemplated by Presidential Decision Directive 63 (A topic he addressed as co-keynote to last years July Blackhat conference). He is a member of the New York Electronic Crimes Task Force. His personal interests include the impact of technology on society, promoting industry and law enforcement cooperation in information age security and policing and use of Internet technology to deliver secure distance learning materials over the Internet to the laptops, palmtops and (future) wearable computers of those who serve behind the "thin digital blue line". His public service career also includes experience as a state prosecutor and magistrate and service as staff counsel with the US Senate Judiciary Committee for Senator Robert Dole.

Simple Nomad is the founder of the Nomad Mobile Research Centre, an international group of hackers that explore technology. By day he works as a Senior Security Analyst for BindView Corporation. He has spent years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, a regular lecturer at security conferences, and has been quoted in various media outlets regarding computer security. He also believes The Illuminati search his hotel room during his conference lectures.

Richard P. Salgado is a trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice. Mr. Salgado specializes in investigating and prosecuting computer network cases, such as computer hacking, denial of service attacks, illegal sniffing, logic bombs, viruses and other technology-driven privacy crimes. Often such crimes cross international jurisdictions; Mr. Salgado helps coordinate and manage the investigation and prosecution of those cases. Mr. Salgado also leads the Section's Team Technical Issues. In that capacity, he participates in policy development relating to emerging technologies such as the growth of wireless networks, voice-over Internet Protocol, surveillance tools and forensic techniques. Mr. Salgado serves as a lead negotiator on behalf of the Department in discussions with communications service providers to ensure that the ability of the Department to enforce the laws and protect national security is not hindered by foreign ownership of the providers or foreign located facilities. Mr. Salgado also regularly trains investigators and prosecutors on the legal and policy implications of emerging technologies, and related criminal conduct. Mr. Salgado is an adjunct law professor at Georgetown University Law Center where he teaches a Computer Crime seminar, and is a faculty member of the SANS Institute. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.

Return to the top of the page

IP Backbone Security
Nicolas Fischbach, Manager, IP Engineering Department, COLT elecom & Co-founder Sécurité.Org
Sébastien Lacoste-Séris, Security Officer & Manager, IP Research & Development Department, COLT Telecom & Co-founder, Sécurité.Org
[ Routing & Infrastructure ]

IP backbones and core networks of large companies and Service Providers are becoming more and more complex and are (still) the target of a lot of Denial of Service attacks. Redundancy, routing, hardware, cabling and large pipes are usually some of the key items in the network architecture, but security of the network, the equipment it's composed of
and proactive protection against (D)DoS are not.

We will discuss the security issues and features of major routing protocols (BGP, OSPF and IS-IS) and also of MPLS based VPNs. Why IS-IS ? Because a lot of Service Provider are changing their IGP from OSPF to IS-IS, usually in relation with MPLS, Traffic Engineering deployment or because they are looking for "subsecond" convergence. The second part of the talk will focus on DDoS detection based on Netflow data and DDoS prevention/protection with filtering techniques using BGP and latest additions to Cisco IOS.

Nicolas Fischbach is managing the IP Engineering Department and Sébastien Lacoste-Séris is the Security Officer and managing the IP Research & Development Department at COLT Telecom AG, a leading provider of high bandwidth data, Internet and voice services in Europe.

Nicolas and his team are working on network, system and security architectures for the Swiss network. Previously he was dealing with the Internet Solution Centre deployment and security processes/auditing for major financial institutes, insurance companies and large hosting/housing projects. He worked for a french ISP and he's also teaching network and security courses in engineering schools and universities. He has an Engineer degree in Networking and Distributed Computing.

Sébastien Lacoste-Séris is leading the Research and Development department for COLT Telecom AG and is also in charge of the security for Switzerland. His team is mainly working on the evaluation, integration and development of new IP based technologies. He previously worked for several major European ISPs as a network and security architect, he alsodid consulting and software auditing (ITSEC) for a security company. Sébastien holds a Degree in Computer and Network Engineering.

Nicolas and Sébastien are co-founders of Sécurité.Org a french speaking portal on computer and network security, and are frequent speakers at technical and security conferences. You can reach them at

Return to the top of the page

Graph-Based Binary Analysis
Halvar Flake, Reverse Engineer, Black Hat Consulting
[ Deep Knowledge ]

Though many Servers run Open-Source solutions these days, a lot of the critical infrastructure consists of commercial closed-source software: From IDS Sensors over VPN Gateways and Enterprise Database Servers to large Firewalls: Closed Source is still everywhere. An attacker who is proficient at reverse engineering can - given the right amount of time - find bugs in these critical programs and then attack the network with undisclosed bugs - which is every administrators Nightmare.

Binary analysis is a time-consuming and tedious process, and few people outside of government agencies are proficient at it. Even fewer people realize that a large part of the analysis process can be automated, and that binary analysis can at times even come up to the speed of source code analysis.

This presentation will explain some concepts & tools which can drastically improve the performance of a the reverse engineer when trying to find security-critical vulnerabilites such as buffer overruns. Various ideas and their implementation will be discussed- from graph-coloring using an interface to running a debugger to analysis of flowgraphs to automatically find buffer overruns.

The tools & methodologies presented will be tested 'in the wild' by letting them run over a few major commercial software packages.

Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network securityover time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined BlackHat as their main reverse engineer.

Return to the top of the page

Attacking Networked Embedded Systems
FX, Phenoelit
kim0, Phenoelit
[ Routing & Infrastructure ]

Every device on a network that has a processor, some memory and a network interface can become a target. Using printers as an example, the talk will show how a seemingly innocent device can be used by attackers, ranging from attacks on the device itself to the point where the embedded system becomes an attack platform itself. Then, protection mechanisms and ways to include these devices in a company's security concept will be discussed.

FX of Phenoelit is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.

kim0 is a member of the German Phenoelit group. His interest is in social engineering, mistakes made during implementation and configuration of networks effecting security, and security implications of protocols that are less-known.

kim0 previously worked as a contractor for various government and military organizations and is now a security consultant and leader of the security group with n.runs GmbH.

Return to the top of the page

Views On the Future Direction of Information Assurance
George, Technical Director of the Security Evaluations Group, NSA
[ Luncheon Speaker ]

This talk will discuss a brief history of Information Assurance evaluation at the National Security Agency. We will then proceed to discuss how communications systems have evolved over the past 30 years and the impact this has had on the security evaluation of these systems. This change includes the shift from purely Government produced security products to more reliance upon commercial products. We will discuss the role commercial
products will play in Department of Defense communications systems and how NSA plans to work with the private sector to achieve the security that is necessary in today's world.

Richard George joined the National Security Agency as a mathematician in 1970 and has worked in the Information Assurance Directorate (or its predecessor organizations) for 32 years as a cryptomathematician. He currently serves as the Technical Director of the Security Evaluations Group which is responsible for evaluating security solutions used by the Department of Defense and Intelligence Community.

Return to the top of the page

JD's Toolbox: Fire & Water
JD Glaser, President, NT OBJECTives, Inc
[ Application Security ]

JD Glaser is the President of NT OBJECTives, Inc. He specializes in Windows NT system software development and COM/DCOM application development. His most recent achievement was the successful formation of NT OBJECTives, Inc., a software company exclusively centered on building NT security tools. Since it's inception, over 100,000 of those security tools have been downloaded and put into practice. In addition, he has written several critical, unique intrusion audit pap ers on NT intrusion forensic issues. Currently, JD has been retained as a featured speaker/trainer for all the Black Hat Conferences on NT security issues.

Return to the top of the page

Off-the-Record Messaging
Dr. Ian Goldberg, Chief Scientist & Head Cypherpunk, Zero-Knowledge Systems
[ Privacy & Anonymity ]

Quite commonly on the Internet, cryptography is used to protect private, personal communications. However, most commonly, systems such as PGP are used, which use long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity.

We claim that most social communications online should have just the opposite of the above two properties; namely, they should have —perfect forward secrecy — and — repudiability. In this talk, we will describe a protocol for secure online communication called "off-the-record messaging'' which has properties better-suited for casual conversation than do systems like PGP or S/MIME.

We have so far implemented this protocol into an instant messaging client, but the same techniques also work for email communication.

This is joint work with Nikita Borisov and Eric Brewer, both of UC Berkeley.

Dr. Ian Goldberg is Chief Scientist and Head Cypherpunk of Zero-Knowledge Systems, a Canadian privacy technology company. Having been a founding member of UC Berkeley's Internet Security, Applications, Authentication and Cryptography group, his research interests focused on cryptography, security, and privacy. Dr. Goldberg is known for his part in cracking the first RSA Secret Key Challenge in three and a half hours; breaking Netscape's implementation of the encryption system SSL; and breaking the cryptography in the GSM cellular phone standard.

Return to the top of the page

Securing Your Computing Environment to Conform to Privacy Regulations
David Goldman, PriceWaterhouseCoopers
Robert Marotta, PriceWaterhouseCoopers
[ Privacy & Anonymity ]

As security and privacy gain widespread press and notoriety, there has been increased pressure on regulatory bodies to act. To that end, several significant pieces of legislation have been passed that contain wide-ranging requirements from policy to technical implementation. These regulations already include: Health Insurance Portability and
Accountability Act (HIPPA), the Child Online Protection Act (COPA), the Graham-Leach-Bliley Act (GLBA), and CFR Part II. As such, businesses in fields from medicine and insurance to financial services and ecommerce sites must be diligent and informed to ensure compliance and avoid negative press and potential lawsuits.

In this session, we will discuss the significant components of these acts and how they relate to technological system configuration settings in business computing environments. We will view these components through scenario-based studies to view the risks from external sources, business partners, and internal/trusted personnel.

David Goldman is currently in PricewaterhouseCoopers Global Risk Management Services - Security consulting practice and is focusing on assisting businesses secure their online environments. Leveraging his background in e-business systems and Internet enabled application design, he facilitate the incorporation of sound security practices into corporate operations. Currently, he is managing the assessment, design, and implementations of security and controls on systems and applications across disparate environments. His specialty is Windows NT/2000 and has written several white papers and articles on the subject.

Robert Marotta. Prior to joining PricewaterhouseCoopers over five years ago, Robert was a U.S. Navy cryptologist specializing in Electronic Intelligence. During his time with PwC, he has specialized in conducting security penetration reviews in a variety of networking environments, in which he has evaluated the security controls afforded to remote access, internal, and external connections using automated and manual "hacking" tools and techniques. Robert has also conducted security diagnostic reviews of firewalls, routers, UNIX and Windows NT servers. Most recently, Robert has conducted IT security risk assessments for clients in the transportation and financial services industries, the evaluation of client's Computer Security Incident Response procedures and privacy regulation compliance for companies in the financial services industry. Rob also acts as a liaison between the Security and Insurance practices in the New York area.

Return to the top of the page

Web Application Security: "Stuff Your Mother Never Told You"
Dennis Groves, Director of Internet Security Consulting, Centerstance, Inc.
Bill Pennington, Principal Consultant & Technical Program Lead for Penetration Testing & Web Application Assessments, Guardent
[ Web, Mail, DNS & Others ]

Web Application Security is of paramount interest to everyone from corporations to consumers as society moves toward an ecommerce infrastructure. The design of the HTTP protocol simply does not allow for truly secure applications to exist. The only thing you can do is minimize your potential risk.

In the course of several years experience working in web application security, we as well as others, have discovered an overwhelming number of ways to attack any web applications. The conclusion of this can be drawn that potentially any Web-accessible system is vulnerable to attack. This presentation will discuss and demonstrate some of the more pervasive security weaknesses using Whitehat Arsenal.

Main Topics of Discussion:
Data Manipulation:
A variety of common web application vulnerabilities such as URL Manipulation, Parameter Tampering, Directory Traversal and HTTP Request Header Manipulation

Filter-Bypass Manipulation:
Defeating the security safeguards and filters using a variety of techniques. Method Switching, URL Encoded Strings, Double Hex Encoding, Long URLs, Case Sensitivity, XSS Filter-Bypass Manipulation, and Null Character Injection are possible avenues of attack.

Cross-Site Scripting:
An all to common and often misunderstood web attack. An easy to accomplish exploit used frequently by script kiddies and other malicious intruders.

Accompanying each attack vector, possible resolution and mitigation techniques will be discussed as well which will help protect you web applications.

Most of the web attack demonstrations with be executed using WhiteHat Arsenal. Whitehat Arsenal possesses a powerful suite of GUI-Browser based web security tools. These endowments make Whitehat Arsenal capable of completing painstaking web security pen-test work considerably faster and more effectively than any of the currently available tools. Imagine employing WH Arsenal to quickly customize and execute just about any web security attack possible and having those penetration attempts logged in XML format for later reporting or analysis.

Dennis Groves is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Project and a former Sanctum employee, he played a key role in the development of AppScan. He has spent the last five years pen-testing high profile websites, and web application security testing numerous significant ecommerce and financial companies. He is best known for having taught Jeff Moss to hack; and hopefully less known as the one who stole Jeff's 2400bps modem.

Bill Pennington is a Principal Consultant and Technical Program Lead for Penetration Testing and Web Application Assessments with Guardent. Bill has performed web application assessments for over three years in a variety of industry verticals including financial services, eCommerce, and biotechnology. Bill has six years of professional experience in information security, eleven in information technology. He is familiar with Linux, Solaris, Windows, and OpenBSD, and is a Certified Information Security Systems Practitioner and Certified Cisco Network Administrator (CCNA). He has broad experience in web application security, penetration testing, computer forensics and in intrusion detection systems. Bill also contributed several chapters to "Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios"

Return to the top of the page

Jed Haile, Nitro Data Systems
[ Firewall / Access Control ]

Hogwash is an intrusion prevention system based on the Snort intrusion detection system. Hogwash uses the Snort rules language, and is capable of detecting and stopping portscans, most known exploits, and other malicious activity.

The presentation will give an overview of how Hogwash works, what it is capable of doing, how rules are written, and will include a demonstration of Hogwash in action.

Jed Haile is the lead security architect at Nitro Data Systems. In his current job he designs high volume, large scale data management systems for security data. He is an active developer and deployer of intrusion detection systems, with contributions to Snort as well as Hogwash. He is a member of the Honeynet project where he is working to develop data and network control mechanisms for the second generation honeynets

Return to the top of the page

DC Phone Home
Aaron Higbee,
Security Consultant, Foundstone
Chris Davis, Senior Security Consultant, RedSiren
[ Deep Knowledge ]

DC Phone Home (DreamCast Phone Home, a pun on the well-known film ET: The Extraterrestrial) is a project that challenges conventional enterprise security models by showing the ease by which an attack to an organization’s network resources and infrastructure can be performed from an internal perspective. Simply put, once the DreamCast is deployed, it ‘phone’s home’ joining an organization’s internal network, with our network. We show that this type of attack can be performed easily with a variety of available hardware and software and in such a way that is not easily discovered by an organization’s employees or security resources.

Our presentation will include demonstrations of the attack tools that we have developed and are continuing to develop. The attack tools are comprised of a SEGA Dreamcast, a Compaq iPAQ handheld device, and a bootable x86 CD-ROM which can perform the attack using any available PC. Using opensource tools that we have ported to these platforms we have created devices that ‘phone’s home’ over known protocols.

In addition to describing and demonstrating the attack, we also propose methods by which this detected, if not entirely prevented. We emphasize security policies and procedures; network, firewall, and proxy configurations; and also introduce a new concept: policy-driven IDS. We would be remiss by not offering a solution alongside the attack.

Aaron Higbee has been working in information security for the past 4 years getting his start at Earthlink Network as a Network Abuse Administrator. In his capacity Aaron became intimately acquainted with the tactics of spammers, hackers, and every kind of network abuse imaginable. Later, while working as RoadRunner’s Senior Security Administrator, Aaron learned and responded to the network abuse problems that plague broadband connections. Working at two national service providers, Aaron was able to become an expert in the tactics of hackers and the mistakes that get them caught. This experience made his transition from incident response to penetration testing a natural one. Currently, Aaron works for Foundstone Inc. as a security consultant.

Chris Davis has been working in the field of information technology for 8 years, with a concentration on information security for the past 4 years. He has participated in secure systems development, information security consulting, penetration testing and vulnerability assessments, and information security R&D. He is a contributing author to Newrider’s recent publication Building Linux Virtual Private Networks(VPN) and continues to write and publish various papers. He has developed and instructed a number of courses, the most recent of which was a 3-month course on software vulnerability discovery and exploit coding. Currently, Chris is a Senior Security Consultant for Veritect.

About the Speakers
Aaron and Chris met while working as security consultants for Lucent Technologies. During that time, they coordinated efforts to discover new attacks and build the tools required to mount those attacks. After leaving Lucent Technologies, they have continued their joint efforts by developing the attacks, tools, and solutions as found in their upcoming paper “180-Degree Hacking.” Their presentation “DC Phone Home” is a detailed discussion on the attacks found in the above paper.

Return to the top of the page

Application Testing Through Fault Injection Techniques
Greg Hoglund, Founder, Cenzic, Inc.
[ Application Security ]

Our networks are based on billions of lines of horribly buggy code. Software development practices have not matured enough to build reliable software in the face of a hostile, ever-evolving network. Computers are no longer a choice or a hobby - they ingrain every part of our daily lives. The past few years have shown us that the industry cannot rely on ad-hoc testing and full-disclosure to guarantee quality, bug-free code. The software vendors and the consumers need to collectively understand that the bar has been raised - new development practices and testing methodologies are required to ensure reliable software. This talk focuses on repeatable methods that can be used to find security bugs and reliability problems in software. Some of these methods are new and some have been used for years by other engineering disciplines. This talk will give a high level tour of the options, including reverse engineering, source code review, attack and penetration, and "black box" testing.

Greg Hoglund has focused his career on the issues facing the security community. Capitalizing on his growing security knowledge, he wrote one of the earliest security scanners, which he sold to WebTrends, Inc. and joined the company in a strategic product-development role. Today, his scanner is renamed the WebTrends Security Analyzer and is installed in over half of the Fortune 500 companies. Hoglund later joined Tripwire, Inc. in a key R&D role at the computer security company.

Hoglund steadily expanded the breadth and intensity of his security knowledge, emerging as a recognized expert on many facets of security technology. He has been a frequent speaker at computer security conferences - including Blackhat, DefCon, Infosec, and SANS in the US, Europe and Asia-Pacific - and has authored several respected papers on security topics.

Hoglund's experience and expertise led directly to co-founding Cenzic Inc. with Penny Leavy in May of 2000 to provide a true security-QA platform that will effectively enable security risk management.

Return to the top of the page

Enterprise Email Security Made Practical
Paul Holman, Metasecura
[ Web, Mail, DNS & Others ]

Email has become the most fundamental communication mechanism for the modern enterprise. As such,email is the fulcrum against which all other security measures are leveraged. This presentation is based on our work architecting high-security email services for law-enforcement agencies,law-firms and human rights NGOs.These organizations have typically had difficulties adopting solutions,primarily due to poor usability.Recognizing this,our approach aims to keep email easy while making it vastly more secure for the whole enterprise.

This presentation is relevant for everyone interested in securing their organization’s email. Many lessons have been learned in our experiences and we’re eager to share them. We’ll classify the various approaches to securing email,discuss their comparative merits and consider their place in history and/or the future. The severe challenges of PKI trust models and key management will be made clear. Real-world solutions to countering spam and viruses are coverd. We’ll also predict how good email security could be in a perfect world versus our own. The techniques we present can be applied regardless of the email infrastructure currently in use.Listeners will obtain a thorough understanding of practical measure ’s they can take to secure their organization’s email infrastructure. We present a comprehensive architecture for email security that is in use by our clients,and discuss how other organizations can utilize this approach themselves.

Paul Holman has been working to secure email since before most people heard of it. He is a member of The Shmoo Group of security,crypto & privacy professionals,supporting numerous open-source development projects.He started the Shmoo Seizable Mail Server project two years ago and now heads up Metasecura,a boutique security consulting firm that builds and manages these servers for enlightened customers.

Return to the top of the page

Phase II - 2nd Generation Honeynet Technologies
The Honeynet Project
[ Intrusion Destection / Incident Response / Computer Forensics ]

Honeynets are a sophisticated type of honeypot used to gather information on the enemy. The Honeynet Project has made extensive advances in Honeynet technologies, what we call GenII systems. These technologies are easier to deploy, harder to detect, and capture
greater levels of information. The Project will discuss in detail how these technologies work, examples of deployments, and our findings. We will also discuss the Honeynet Research Alliance, an organization of Honeynets distributed around the world.

We will also be covering the Reverse Challenge and the binary in question.

We will conclude our presentation with a discussion panel. You will have the chance to ask Honeynet members question about Honeynets, how they work, their value, their findings, and the blackhat community in general.

The Honeynet Project is a non-profit, all volunteer security research organization dedicated to researching the blackhat community, and sharing the lessons learned. Made up of thirty security professional, the Project deploys Honeynet around the world to capture and analzye blackhat activity. These lessons are then shared with the security community. The Honeynet Project began in 1999 and continues to grow with the founding of the Honeynet Research Alliance. You can learn more about the Project at

Return to the top of the page

Non-Obvious Relationship Awareness (NORA) Technology
Jeff Jonas
[ Luncheon Speaker ]

A presentation on Non-Obvious Relationship Awareness (NORA) technology, how this technology is used to catch gaming cheats, and finally how it is being used to catch terrorists these days.

Jeff Jonas is President and founder of Systems Research & Development (SRD) and collaborates with senior management to design and develop strategic information systems.  Today companies rely on Mr. Jonas and his organization to design and implement leading edge technology solutions.  This work has been recognized on the Discovery Channel, MSNBC, The Learning Channel aswell as in Fortune magazine and ComputerWorld.

Mr. Jonas has been significantly involved in over 50 major system development projects.  With no area of specialty other than "inventing that which does not already exist", Mr. Jonas has acquired a most diverse knowledge ranging from engineering traits of sewer systems to transactional pattern fraud detection.  With this extensive practical experience, Mr. Jonas finds more commonality than not, between what otherwise appears as unrelated business problems.

Return to the top of the page

Black Ops of TCP/IP: Spliced NAT2NAT and Other Packet-Level Misadventures
Dan Kaminsky, Cryptotheorist, DoxPara Research
[ Deep Knowledge ]

The domain of modern TCP/IP networking has become truly astonishing— a trivial four bytes in the IP Destination Address field can determine whether a packet might travel a few feet or a couple thousand miles. All that code and all that hardware, with all of its ever growing complexity just disappears beyond the next closest hop— but it's still there, and as more than a few have pointed out, those machines are in a prime position to implement "man in the middle" style attacks against the endpoints.

However, I believe there's a more interesting class of attacks: Using collusion between the endpoints to extract new and unexpected classes of functionality from the growing intelligence of the middle. Rather than just breaking things, this approach appears to yield some reasonably unorthodox solutions to some of the more pressing problems in the post-firewall, IPV6/Multicast-free Internet. A preliminary list of techniques to be discussed and code to be made available(or at least updated) during this talk:

  • Establishing TCP Connectivity between two NATted hosts, using TTL hackery, source routing to a connection broker, and/or the birthday paradox.
  • RSIP And Beyond: Alternative Approaches To NAT, including TCP-Multiplexed ARP
  • Guerrila Multicasting through Layer 2 Broadcast GHosts
  • Stateless Pulse Scanning of networks, or "Scanning Class B's In Four Seconds"
  • Audience Challenges / Potpourri

Possible abuses of these approaches may be discussed as well, including some theory as to how it may be possible to falsify the outside party of a firewalled bidirectional TCP session. Also, the use of OpenSSH to secure these new communication paths should be explored in some depth.

Dan Kaminsky, also known as Effugas, worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. He recently wrote the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University. He also does Bar Mitvahs.

Return to the top of the page

Single Sign-On 101: Beyond the Hype - What SSO Can, and Can’t Do For Your Business
Diana Kelley, Leader of Security Services, Baroudi Group
Ian Poynter, Independent Security, Consultant
[ Firewall / Access Control ]

SSO (Single Sign-On): most large companies have an initiative to implement or at least pilot an SSO solution sometime in the next 12 months. But how many of these companies are prepared to do so? Although the promise of SSO is tantalizing (only one password to remember!), there are many serious technological impediments as well as issues surrounding corporate policies that need to be addressed before an SSO solution can be deployed successfully.

This talk focuses on explaining the business reason companies can profit from SSO and helping them understand what they need to explore to create a useful RFP. We provide a brief taxonomy of the most common offerings in the SSO world (SiteMinder, ClearTrust, etc) and discuss basic authentication and authorization technologies (RADIUS, PKI, tokens, Kerberos, RACF, LDAP). We explain the special challenges facing companies that want to integrate myriad backend systems such S/390s and AS/400s into a predominantly web-based SSO world. And we give attendees a couple of real-word examples of where and when SSO can be implemented effectively into an organzation.

Attendees will walk away with a clear understanding of what differentiates SSO offerings and which SSO solution, if any, is the right one for them.

  • Understand business requirements for successful SSO deployment
  • Learn how SSO technologies work
  • Determine the right authentication methods
  • Real-word examples of SSO implementations

Diana Kelley is the leader of the Security Services practice at Baroudi Group and independent consulting and analyst firm in Arlington, MA.

Ms. Kelley has been working professionally for over 12 years- bringing real-world experience creating secure network architectures and online, business solutions for large corporations. Ms. Kelley was the Vice President of Security Technology for Safewww, Inc, a provider of strong, two factor authentication for online transactions. She served as the General Manager of a development group at Symantec Corp and was the Vice President of Corporate Development for LockStar, a security software vendor. Kelley was the Senior Security Analyst for Hurwitz Group, and served as a Manager in KPMG's Financial Services Consulting practice, where her clients included Bank of America, General Electric, Merrill Lynch, MetLife and The Travelers.

Kelley contributed the chapter on PKI and Directory Services to the book: “PKI: A Wiley Tech brief” and speaks frequently at major conferences, such as NetWorld/InterOp The Internet Security Conference, and ComDex, on security topics and has been quoted in publications such as “Information Security Magazine” and “The Wall Street Journal” as a security expert. She has contributed articles to Security Focus inFocus, Security Products Magazine, and was interviewed by WNBC on the topic of Internet security.

Ian Poynter is an independent security consultant. He has been active for more than 15 years in the technology industry, focusing on networking and human-computer interfaces. Since founding Jerboa in 1994, he has developed strategic planning initiatives for leading national and international corporations. He works with a wide range of industries to implement solutions for corporate network and Internet security.

He has delivered Internet security training to key corporate information systems personnel around the country and has appeared as an expert speaker at a variety of professional meetings including The Internet Security Conference (TISC), WebSec, Usenix Security and Networld+Interop. Mr. Poynter holds a B.Sc. First Class in Computer Science from University College London.

Return to the top of the page

Dynamic Routing inside IPsec VPNs - New Threats and Defenses
Paul Knight, Standards Engineer, Nortel Networks
[ Routing & Infrastructure ]

Within the last two years, IPsec gateways have begun to offer some capabilities to exchange private routing information among the sites participating in a secure Virtual Private Network (VPN). If the IPsec overlay topology is not a full mesh, the gateways can use the routing information to dynamically determine the best path among the sites. With any topology, dynamic routing carries information on newly-added IP networks or subnets at a site. This provides significant benefits in manageability and fault recovery for the VPN administrator, since entries for individual routes or subnets no longer need to be configured on each participating gateway. However, it also introduces new risks.

When dynamic routing protocols are used in an IPsec-based VPN, the IPsec Security Associations lose some ability to control traffic based on specific source and destination addresses. This presentation looks into the security weaknesses introduced by dynamic routing inside IPsec. It describes attack scenarios from inside and outside the VPN, and discusses the opportunities for security breaches due to unintentional misconfiguration. It presents methods of defending against the attacks and detecting misconfiguration. Finally, the presentation outlines the routing, filtering, and firewall capabilities which must be supported in IPsec gateways in order to maintain security while providing the benefits of dynamic routing among VPN sites.

Paul Knight is a Standards Engineer with Nortel Networks. He is currently a member of two design teams within the IETF's Provider-Provisioned VPN Working Group, focusing on issues related to IPsec VPNs and Virtual Routers. He is the lead author or editor of several current Internet Drafts, including "A Method to Signal and Provide Dynamic Routing in IPsec VPNs," "Network based IP VPN Architecture using Virtual Routers," and "Logical PE Auto-Discovery Mechanism."

Paul has worked in the field of network security for over fifteen years, designed networks for numerous corporate and government clients, and has held high-level security clearances. He managed the IP routing infrastructure for a Fortune 50 corporation, configuring inter-company security gateways and Internet gateway security. As a senior engineer with Nortel Networks, he consults on customer network security issues, and often develops and delivers training for security-related products and technologies for a wide variety of audiences. He has presented seminars on encryption, IP Security, and firewall technology to audiences in Beijing, Taipei, Tokyo, Johannesburg, Monte Carlo, Beirut, Barcelona, San Juan, and numerous North American locations.

Return to the top of the page

Building A Global Early Warning System for Internet Attacks
Elias Levy, Cofounder and Chief Technical Officer
Oliver Friedrichs, Cofounder and Director of Engineering, SecurityFocus
[ Intrusion Destection / Incident Response / Computer Forensics ]

Elias Levy is a well respected and sought after computer security spokesperson and visionary. He has been in countless publications, television, and radio shows with the press. Elias has hands-on, insider and an analyst's expertise in the security business. He learned security working for several large US corporations. He also has insider experience from his working with the security community as the former moderator and keeper of the Bugtraq vulnerability database and mailing list. Elias' seven years of experience with Bugtraq, first as a contributor and then as the moderator, gave him a daily pulse on the strengths and weaknesses in Information Security.

Oliver Friedrichs has worked in the Information Security field for over 10 years. Prior to cofounding SecurityFocus, Mr. Friedrichs was cofounder of Secure Networks Inc, where he served as Vice President of Engineering. Mr. Friedrichs was the chief architect of Secure Networks Inc.' award winning network security auditing software (Ballista). After Secure Networks' acquisition by Network Associates, Mr. Friedrichs continued to manage the development of Ballista, then renamed to CyberCop Scanner. Prior to Secure Networks Inc, Mr. Friedrichs played a key role in network security operations at the University of Manitoba. Mr. Friedrichs has given numerous presentations on computer security to organizations such as the Secret Service, IRS, DoD, AFOSI, NASA, and Canadian DND.

Return to the top of the page

Database Security - The Pot and the Kettle.
David Litchfield, Managing Director & Co-Founder, Next Generation Security Software
[ Web, Mail, DNS & Others ]

This talk will examine the database server offerings from both Microsoft and Oracle and show that, regardless of certification, market campaigns and slurs, each would be better spending their time writing a more secure product.

This will cover two new vulnerabilities that allow full compromise of a system running MS SQL Server 2000 with a single UDP packet and without needing to authenticate.

This will cover two format strings vulnerabilities and a buffer overrun that can be exploited without authentication.

The talk will end with what steps one can take to help prevent database system compromise.

David Litchfield is a world-renowned security expert specializing in Windows NT and Internet security. His discovery and remediation of over 100 major vulnerabilities in products such as Microsoft's Internet Information Server and Oracle's Application Server have lead to the tightening of sites around the world. David Litchfield is also the author of Cerberus' Internet Scanner (previously NTInfoscan), one of the world's most popular free vulnerability scanners. In addition to CIS, David has written many other utilities to help identify and fix security holes. David is the author of many technical documents on security issues including his tutorial on Exploiting Windows NT Buffer Overruns referenced in the book "Hacking Exposed".

Return to the top of the page

Vulnerability Disclosure: What the Feds Think
Michael I. Morgenstern, Managing Partner, Global InterSec LLC
Richard George, Technical Director of the Security Evaluations Group, NSA
Marcus H. Sachs,
Director for Communication Infrastructure Protection, Office of Cyberspace Security; The White House
O. Sami Saydjari, Senior Principal Scientist, SRI International.
Steve Lipner, Director of Security Assurance, Microsoft Corp.
Tom Parker,
Director of Research, Global InterSec LLC.
[ Panel ]


  • An overview on vulnerability disclosure in the past
  • Potential impacts of irresponsible disclosure and “new threats” (terrorism etc).

The disclosure process

  • The vulnerability disclosure “food chain” (Pyramid metric)
  • The issues involved in the handling of a new vulnerability, from the perspective of a commercial software vendor.

Doing things responsibly

  • What "responsible disclosure" means.
  • The ideal disclosure metric, is it plausible?

A way forward?

  • Ways in which communities can work together better.

Marcus H. Sachs, Director for Communication Infrastructure Protection, Office of Cyberspace Security; The White House
As the Director for Communication Infrastructure Security in the White House Office of Cyberspace Security and a staff member of the President's Critical Infrastructure Protection Board, Marcus Sachs works with United States government agencies and the private sector on matters relating to the protection and security of the nation's telecommunication and Internet infrastructures. In addition, he is the primary action officer for coordination with the National Communications System and Department of Defence on matters relating to cyberspace security.

Sachs retired from the United States Army in January 2002 after serving over 20 years as a Corps of Engineers officer. He specialized during the later half of his career in computer network operations, systems automation, and information technology. His final assignment was with the Defence Department's Joint Task Force for Computer Network Operations where he was the Senior Operations Analyst and Technical Director. Sachs' other military assignments include tours to Germany, Ft. Belvoir, Ft. Bragg, and Ft. Hood, as well as deployments to Haiti and Panama. He was well known in the Defence Department as an information security expert and continues to be a popular speaker at conferences and public events.

Sachs holds a Bachelor of Civil Engineering from the Georgia Institute of Technology, a Master of Science in Science and Technology Commercialisation from the University of Texas, and a Master of Science in Computer Science with a concentration in Information Security from James Madison University. He is a registered Professional Engineer in the Commonwealth of Virginia.

Richard George, Technical Director of the Security Evaluations Group, NSA
Richard George joined the National Security Agency as a mathematician in 1970 and has worked in the Information Assurance Directorate (or its predecessor organizations) for 32 years as a cryptomathematician. He currently serves as the Technical Director of the Security Evaluations Group which is responsible for evaluating security solutions used by the Department of Defense and Intelligence Community.

Tom W. Parker, Director of Research, Global InterSec LLC.
Tom is one of Britain’s most highly prolific security consultants. Along side with contractual work for some of the worlds largest information technology firms, providing integral security services, Mr. Parker is also widely known for his vulnerability research on a wide range of platforms and commercial products.

Mr. Parker’s professional career begun writing technical papers and regular articles published in England’s largest computer magazine, the following years spent as an Internet security manager, securing the networks of some of England’s largest ISP’s and cooperates. Some of his more recent work includes the development of an embedded operating system and cryptographic code, for use on digital video band routers, deployed on the networks of hundreds of large organizations, including big 5 companies, around the globe.

As our director of research he plays a leading role in developing key relationships between GIS and the public and private sector security communities. He regularly develops proof of concept codes and advisories to demonstrate and document vulnerabilities in corporate and public products. He is also responsible for managing our growing team of vulnerability researchers and coordination with software vendors and other large organizations.

Michael I. Morgenstern, Managing Partner, Global InterSec LLC
Michael I. Morgenstern is an information and intelligence specialist and Managing Partner of Global InterSec – an international Computer Security firm focussing on anti-hacking and computer vulnerability research.

He regularly consults Members of Congress, foreign governments, and business leaders throughout the world on computer security issues and their threat assessments. He was recently appointed to Dan Burton’s "Terrorism and Non-Traditional Threats" advisory board.

Mr. Morgenstern’s recent foci at Global InterSec include improving industry practices of vulnerability disclosure, counter-terrorism plans and research, and creating mechanisms for protection against social engineering. In 2001, he was awarded a certificate of achievement by the Association for Security Educators and Trainers for outstanding contributions to the professionalization of security in the U.S. His most recent publications include articles on responsible disclosure that were published both in the United States and in Europe.

He is also one of the first people to research and illustrate the different paradigms for vulnerability propagation.

Mr. Morgenstern has held research and Chief of Staff positions at an International Finance firm, and is presently Vice President of Russell J. Wilson & Associates, in Washington, DC where he focuses on strategy, intelligence, and national security.
He earned his Bachelor of Arts from The Johns Hopkins University in Baltimore, and presently splits his time between northern New Jersey and Washington DC.

O. Sami Saydjari, Senior Principal Scientist, SRI International.
O. Sami Saydjari is a Senior Staff Scientist in SRI’s Computer Science Laboratory and founder of SRI’s Cyber Defence Research Centre. He has spent 18 years performing and directing information assurance research, including 13 years at the National Security Agency and 3 years at DARPA. His focus areas include high assurance operating systems, network security, public-key infrastructures and security architecture.

He spent his early career initiating and leading a research effort to create a very high assurance operating system with integrated cryptography under a program called LOCK, sponsored by the National Computer Security Centre. Mr. Saydjari then created a new research organization to address the problem of designing trustworthy distributed operating systems under an umbrella program called Synergy. The synergy program created and popularised the notion of a policy-neutral or policy-flexible design which has made its way into many technical papers and into DoD guidance documents including the DoD Goal Security Architecture (DGSA).

Before his assignment at DARPA, Mr. Saydjari was the technical director of the National Security Agency’s Office (NSA’s) of Network Security Infrastructure. In this role, he defined a goal architecture for the Multilevel Information System Security Initiative (MISSI), a next-generation design for a certificate-based infrastructure, and co-developed a sound investment strategy for the NSA’s Information System Security Organization. He then became DARPA’s Program Manager of Information Assurance where he was the Information Assurance Program Manager for the Information Systems Office. He created and drove the security architecture and technology for a common reference architecture for DARPA and DISA’s advanced programs.

Mr. Saydjari earned his Master’s of Science in Computer Science from Purdue University. The Director of NSA awarded Mr. Saydjari as an NSA fellow in 1993-1994. He has published over a dozen technical papers in the field of Information Security in fora such as the National Computer Security Conference and the IEEE Security and Privacy Conference. He is based in Wisconsin Rapids, Wisconsin.

Steve Lipner, Director of Security Assurance, Microsoft Corp.
As director of security assurance, Steve Lipner oversees Microsoft Corp.’s Security Response Center, which handles all reports of security vulnerabilities in Microsoft® products and develops programs to provide customers with the resources they need to use Microsoft products securely. In addition, Lipner oversees the Secure Windows® Initiative, which focuses on improving the security of all Microsoft products through development process improvement. Lipner also monitors government security evaluations of Microsoft products and oversees program management of the credential management and cryptography components of Windows.

Steve Lipner joined Microsoft in 1999, and has more than 30 years of experience as a researcher, development manager and general manager in IT security. He is currently serving his second term as a member of the U.S. National Computer Systems Security and Privacy Advisory Board. Lipner also is co-inventor on nine U.S. patents in the areas of computer security and cryptographic protocols.

Lipner holds bachelor of science and master of science degrees in engineering from the Massachusetts Institute of Technology (MIT), and attended the Harvard Business School’s Program for Management Development.

Return to the top of the page

Neutralizing Nimda: Technical, Moral, and Legal discussions of an Automated Strike-back
Timothy Mullen, CIO, AnchorIS.Com
[ Intrusion Destection / Incident Response / Computer Forensics ]

This session is more about questions than it is about answers. Though almost a year old, Nimda continues to propagate while it consumes bandwidth and resources in the process. Patches have been available since before Nimda struck and clean-up utilities are provided for free; yet we continue to log attacks against our servers on a daily basis. Nothing effective is being done: If you are lucky enough to get a response from an ISP, they will claim their hands are tied, and know-nothing administrators shrug as they delete notification emails.

So, what are your rights when it comes to defending yourself from attack? What are your rights to stop an attacking box from consuming your resources?

We have developed an automated strike-back method where a system can now defend itself against an attacker by neutralizing an attacking box. Currently, deployment of such a system would be considered illegal by many and immoral by others.

This session will discuss several technical methods one can use to stop such an attack (in varying degrees of "finality"), the moral and ethical ramifications of utilizing such a system, and will also attempt to broach legal questions such as "how much is too much," and discuss the application of physical law, i.e. "self defense," to internet events such as worm attacks. [Note- Mr. Mullen is not a lawyer. Though opinions and content may be contributed by practicing attorneys, this session is not an attempt to educate the public to the interpretation of law or provide legal guidance in any way.]

Timothy Mullen is CIO and Chief Software architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions.  Mullen is also a columnist for Security Focus' Microsoft Focus section, and a regular contributor of InFocus technical articles.  A.k.a. Thor, he is the founder of the "Hammer of God" security coop group.

Return to the top of the page

Locking Down Your FreeBSD Install
Rich Murphey, NetIQ Corporation
[ Routing & Infrastructure ]

FreeBSD 4.5 contains many security features for hardening and controlling remote access to the system. This talk takes a policy-based approach to hardening, access control, assessment and monitoring. For each of these, we begin by defining policy in terms of services delivered to users. We then refine the various forms of access controls and protections at each layer, progressing from the network through the kernel to user land.

We highlight key hardening issues and refinements in access controls at each level, progressing from ipsec, firewall and inetd to various services such as SSH, FTP, HTTP and Samba. We then look at auditing and host and network-based intrusion detection to close the loop on policy management. For each tasks, we review the bundled tools and the key configuration issues and controls.

Finally, the contribution of the suite of tools the overall posture is reviewed in the context of a sample target system to be deployed for capture-the-flag. This talk leads in to a companion DefCon demonstration and review, ‘FreeBSD Exploits and Remedies’.

Rich Murphey was a founding core team member of FreeBSD and Xfree86. He received a PhD in Electrical and Computer Engineering from Rice University, was on the Faculty of the University of Texas Medical School in Galveston, and was Chief Scientist at PentaSafe before joining NetIQ recently. His main interests are development of Beowulf clusters and Intrusion Detection Systems.

Return to the top of the page

802.1x - What It Is, Why It's Broken, and How To Fix It
Bruce Potter, Founder, The Shmoo Group
[ Wireless ]

Every protocol designed to secure 802.11 wireless networks has been shot full of holes... and 802.1x is no exception. 802.1x is a protocol designed to authenticate clients accessing a network. It provides an extensible framework for utilizing different authentication mechanisms based on the level of assurance required. It also allows for data such as WEP keys to be passed to the client on a regular basis. 802.1x and its supporting protocols were designed for wired networks and applied to wireless networks after the fact. Unfortunately the threat model for wireless networks is so different from wired networks that 802.1x comes apart.

This talk will briefly cover the basics of 802.11 networking and, security including modulation types, MAC filtering, WEP, and problems with WEP. It will then move to describe the general structure of 802.1x, its goals, and the history behind it. From there, I will discuss the technical details of 802.1x including EAP and several common authentication mechanisms layered on top of EAP.

Once the audience has an understanding of how 802.1x works, I will examine the design principles 802.1x successfully implements in a wireless network. Then I will discuss 802.1x's weaknesses and what risks they pose in a live network. Finally I will talk about proposed changes and additions to 802.1x, such as the Temporal Key Integrity Protocol, that attempt to overcome the problems which have been uncovered.

Bruce Potter is the founder of The Shmoo Group of security, crypto, and privacy professionals.He has worked on various open source security projects as well as organized the Washington DC chapter of SecurityGeeks with the help of John Viega. He is the founder of NoVAWireless, a community wireless networking group in Northern Virginia. Bruce has an upcoming book on Wireless Network Security being published through O'Reilly and Assoc.

Return to the top of the page

Novell: the Forgotten OS
Rain Forest Puppy, Chief Executive Puppy, rfp.labs
[ Application Security ]

Microsoft IIS is known to have some horribly gross CGI/web problems found in default installs. Well, seems Novell isn't any better--both Netware 5.1 and 6.0 contain some pretty scary stuff, which lets remote attackers 0wn the system with little effort. The talk will cover 8+ new, unpublished (as of the end of June) vulnerabilities...including discussion on why they are a problem and demonstrations on how to exploit them.

RFP is the Chief Executive Puppy of rfp.labs, an independant research lab nestled somewhere in the US. The mission of rfp.labs (if you choose to accept it) is to provided a synnergy of managed sarcasm services via P2P, B2B, P2B, B2P, and L2TP channels, in conjunction with creating innovating opensource security products using current technological advances reverse engineered from corporate vendors.

Return to the top of the page

Forensic Dead-Ends: Tracing Users Through Anonymous Remailers
Len Sassaman, Project Manager, Mixmaster
[ Privacy & Anonymity ]

Anonymity technologies can be an essential life-saving tool for whistle blowers, human rights workers, political dissidents of oppressive regimes, and can provide a safe mechanism for the free-sharing of controversial ideas while protecting an individual's personal reputation. However, like most powerful tools, services such as anonymous remailers can be used for harmful or illegal purposes as well as beneficial ones.

In this presentation, the audience will receive an explanation of how Mixmaster anonymous remailers work, a description of a typical Mixmaster remailer configuration, and a walk-through of the internals of a live remailer server.

This presentation will explain the philosophy behind the existence of anonymous remailers. It will detail some of the legitimate uses for anonymous remailers, and explain why they are beneficial to the Internet as a whole. It will then examine the potential for abuse of anonymity services, and explain what a remailer operator can and cannot reasonably be expected to do to aid in the investigation of remailer abuse.

Len Sassaman is a communication security consultant specializing in Internet privacy and anonymity technologies. Len has been a strong defender of personal rights through technology. As a volunteer, he has lent his expertise to human rights organizations, victim support groups, and civil liberties organizations.

Len is an anonymous remailer operator, and is currently project manager for Mixmaster, the most advanced remailer software available. Previously, he was a software engineer for PGP Security, the provider of the world's best known personal cryptography software. Len is a frequent contributor to online discussions of electronic privacy issues, and has contributed to the development of free software privacy utilities.

Return to the top of the page

The Need for an 802.11b Toolkit
Mike D. Schiffman, Director of Security Architecture, @stake, Inc.
[ Wireless ]

802.11 networks have enjoyed a meteoric rise and rapid adoption as the physical interfaces have become faster and the equipment less expensive. This rapid adoption has paved the way for security flaws, both in the protocol itself and in vendor specific implementations. This presentation will highlight the need for a robust toolkit to build security tools to test for arbitrary 802.11b-based vulnerabilities. Classes of security flaws will be discussed and further driven home via a live demonstration. From that, the Radiate toolkit will be introduced and fully described along with source code examples. As a value-add, integration with the libnet programming library is also discussed.

To get the most out of this presentation, attendees should be familiar with TCP/IP networking, 802.11b, and C programming.

Mike D. Schiffman is a Director of Security Architecture with @stake, the world’s leading digital security consultancy. @stake applies industry expertise and pioneering research to design and build secure business solutions. Previous to @stake, Schiffman was the Director of Research and Development at Guardent, Inc. where he was responsible for the integration of R&D into other business units inside the company including delivery, forensics, and managed security services. Prior to joining Guardent, Schiffman held senior positions at Internet Security Systems and Cambridge Technology Partners.

Schiffman’s primary areas of expertise are research and development, consulting, and writing. He is the original co-author of well-known network security tool firewalk, as well as author to the ubiquitously used low-level packet shaping library libnet. Schiffman has led security consulting engagements for fortune 500 companies in many industries, including financial, automotive, manufacturing, and software. As a sought after speaker, he has presented to industry professionals as well as government agencies including the NSA, CIA, DOD, FBI, NASA, AFWIC, SAIC, and Army intelligence.

Schiffman has authored several books on computer security; including Building Open Source Network Security Tools (Wiley & Sons); a how to book on building network security tools as well as the Hacker’s Challenge book series (Osborne McGraw-Hill), a line of books on computer security forensics and incident response. He co-authored and contributed to several other books, including Hacking Exposed (Osborne McGraw-Hill) and Hack Proofing Your Network: Internet Tradecraft (Syngress Media Inc.). He has written for numerous technical journals and authored many white papers on topics ranging from UNIX kernel enhancements to network protocol deficiencies.

Return to the top of the page

Security Aspects in Java Bytecode Engineering: A Tutorial
Marc Schönefeld
[ Application Security ]

  1. The architecture of the Java VM (JVM) (15 minutes)
  2. Codeset of the JavaVM (15 minutes)
  3. The Beansealers Toolset: Obfuscator, Jar, installanywhere
  4. The Beanbreakers Toolset: Javap, Jad and xemacs hex edit (15 minutes)
  5. Using the Knowledge, Unprotecting a secure program (30 minutes)
  6. Further aspects and profiling considerations (15 minutes)

Marc Schönefeld: As an experienced Java programmer and former nerd in C64 assembly I tried to bundle these both ends of experiences together.During work time I am busy being software architect for a large data centre in the finance field. My upcoming phd thesis is targeted to the topic of reengineering of legacy systems. Marc Schoenefeld has been a software developer and an software architect since during university time and after he became Master of Business Informatics in 1997. He specializes in large scale application development (CORBA) and was involved in a OMG success story describing the adaptation of CORBA principles to a large-scale high volume banking application as part of his future phd thesis. Bytecode hacking on the other hand is his hobby since he got his C64 in 1983. Therefore his interest for Java securiy is a rendezvouz of these both major interest areas.

Return to the top of the page

Scene of the Cybercrime: Assisting Law Enforcement in Tracking Down and Prosecuting Cybercriminals
Debra Littlejohn Shinder, MCSE
[ Intrusion Destection / Incident Response / Computer Forensics ]

Managers and CEOs are finding their organizations increasingly exposed to the threat of criminal activity - and in some cases, criminal liability - from persons both outside and within the organization, using computers and networks to commit illegal acts.

Your company's systems and IT infrastructure can be the victim of the crime, in cases involving unauthorized access, data theft, cybervandalism, digital espionage or denial of service. Or your computers and network can be used as a tool of the crime by employees or unethical consultants or even by outsiders in distributed DoS attacks and other exploits that unwittingly put you in the middle. Either way, you have a vested interest in working with law enforcement to track down and bring charges against the cybercriminals who cost you time and money and in some cases do irreparable damage to your company's reputation.

It is essential that you - and your IT team - understand how a criminal investigation works, your role in the investigation, and the special issues that pertain to the collection, preservation and presentation of digital evidence. Unfortunately, in many cases managers, IT professionals and law enforcement officers find themselves at odds in their efforts to reach a common goal: bringing the cybercriminal to justice. This is often due to a lack of understanding on all sides: police officers know the law but may know little about computer technology. IT professionals understand the technology but may be unaware of important legal aspects. Managers, who know that cybercrime is hurting their bottom line, are in a unique position to facilitate cooperation between the two.

This short presentation will provide an overview of methods and resources used by police for hunting down cybercriminals, how digital evidence is used to make a case that will stand up in court, and how you as a manager or CEO can make it easier for law enforcement and IT professionals to work as a team and minimize the damage when (not if) the growing cybercrime problem hits home at your company.

Debra Littlejohn Shinder is a technical trainer, author and consultant currently specializing in security issues. She is also a former police sergeant and police academy instructor, and her newest book, Scene of the Cybercrime, will be published by Syngress in July 2002. She combines her law enforcement and technical skills to provide computer networking and IT security training to both the public and private sectors as an instructor at Eastfield College, Mesquite TX, where she was taught since 1992.

Deb is author of Computer Networking Essentials for Cisco Press and over 100 articles for TechProGuild, 8Wire, CNET and other magazines and webzines. Deb and her husband Thomas W. Shinder authored Configuring ISA Server 2000, Configuring Windows 2000 Server Security, and Troubleshooting Windows 2000 TCP/IP for Syngress Media and served as series editors for Osborne/McGraw-Hill's Windows 2000 MCSE certification book series. Deb has also written white papers for Microsoft on security topics and contributed to New Riders' upcoming ICSA certification study guide.

Return to the top of the page

The Biometrics Dilemma
Rick Smith, CISSP
[ Firewall / Access ]

This talk looks at the problem of reliable authentication and at the unachieved promises of biometrics. We will review attacks on biometric systems and examine the technologies and costs required to protect against those attacks. In some cases, technical trade-offs involved in making biometric systems safer can yield other technical and administrative headaches that offset the apparent benefits. This can be seen by reviewing practical attacks against server-based and token-based biometric authentication systems.

Dr. Richard Smith has served as principal investigator and security architect for a series of federal research programs on information security and cyber defense. He has also served in Secure Computing's outside consulting group, and was lead systems engineer for the Standard Mail Guard, a network security system built for the National Security Agency.

Dr. Smith has published numerous articles and papers on information security in national journals and magazines. He has also spoken extensively, both nationally and internationally, on an array of topics concerning security technology. Dr. Smith is also the author of two books: "Authentication: From Passwords to Public Keys." and "Internet Cryptography".

Dr. Smith holds a Bachelor of Science degree from Boston University and a Masters and Ph.D. from the University of Minnesota.

Return to the top of the page

Setiri: Advances in Trojan Technology
Roelof Temmingh, Technical Director & Founding Member, SensePost
Haroon Meer, Technical Security Specialist, SensePost
[ Firewall / Access ]

The presentation will describe the inner workings of the Trojan "Setiri". Setiri leads a new wave of Trojan Horse technology that defeats most conventional security devices including personal firewalls, NAT, statefull inspection firewalls, IDS, proxy type firewalls and content level checking. The presentation will focus on the setting up of a bi-directional communication stream in non-conducive environments, rather than describing the features of the Trojan.

The presentation will include an online demonstration - a well-protected PC located inside a heavily protected environment will be Trojaned with Setiri. The computer will be taken over by a Controller that is situated outside of the network. At the same time network traffic will be manually inspected.

Roelof Temmingh is the technical director and a founding member of SensePost. After obtaining his degree in electronic engineering in 1995, he helped to establish SensePost along with some of South Africa's leading IT security minds. He is currently involved in the coding of proof of concept code, and the practical realization of complex security concepts. Roelof has been a speaker at the 2001 Summercon conference and the 2002 Black Hat Windows conference.

Haroon Meer joined SensePost as a Technical Security Specialist after over 7 years in the Networking/Security industry. He has a wide background in security & networking from writing code to administration of large Campus networks. He is currently heavily involved in the development of additional security tools and proof of concept code and has been a speaker at the recent Black Hat Windows Briefings in New Orleans.

Return to the top of the page

Wireless Overview: Protocols and Threat Models
Dan Veeneman
[ Wireless ]

Everything seems to be going wireless. There are now a number of wireless voice and data networks that are used routinely to carry sensitive business and personal information. This session will provide an introduction to the protocols, radio modulation techniques, and security features of CDPD, Bluetooth, digital mobile telephony (including SIM cards), SMS, 3G, two-way paging and private data networks.

We'll discuss the development of threat models and some corresponding mitigation techniques, as well as demonstrate several wireless tools and test equipment.

A question and answer session at the end of the presentation will allow participants to cover any additional issues they'd like to discuss.

Dan Veeneman has served in a number of management, technical and consulting positions since 1980. He has designed and implemented secure data networks for a number of government and civilian clients, encompassing video, audio and data delivered over telephone, satellite and the Internet. Dan is also the system architect for the United States Army's satellite-based two-way realtime messaging and geolocation system used on thousands of battlefield vehicles around the world.

Dan has been writing software for more than 25 years, coding everything from embedded firmware to distributed processing applications for a variety of small, midsize and Fortune 500 companies.

He writes a monthly magazine column covering wireless issues and edits a quarterly newsletter concerning cryptography. Dan holds an engineering degree from Northwestern University

Return to the top of the page

Vulnerabilities of Cellular and Satellite-based Voice and Data Networks
Dan Veeneman
[ Wireless ]

Businesses have come to rely on immediate and continuous access to wireless voice and data networks.

This session will provide an in-depth treatment of analog, digital TDMA, CDMA, and GSM voice networks from a security perspective. We'll discuss a number of amateur and professional hacks along with technical and legal responses from the cellular industry. We'll also talk about a variety of risks to these networks, ranging from
denial of service to financial fraud.

Voice and data have also been extended to satellite constellations, ranging from VSAT networks to low-earth orbit networks. We'll cover geostationary satellites as well as services from Orbcomm, Iridium and Globalstar, including their operational characteristics and current status. We'll also talk about how to track these satellites and possibilities for
monitoring some of their transmissions.

A question and answer session at the end of the presentation will allow participants to cover any additional issues they'd like to discuss.

Dan Veeneman has served in a number of management, technical and consulting positions since 1980. He has designed and implemented secure data networks for a number of government and civilian clients, encompassing video, audio and data delivered over telephone, satellite and the Internet. Dan is also the system architect for the United States Army's satellite-based two-way realtime messaging and geolocation system used on thousands of battlefield vehicles around the world.

Dan has been writing software for more than 25 years, coding everything from embedded firmware to distributed processing applications for a variety of small, midsize and Fortune 500 companies.

He writes a monthly magazine column covering wireless issues and edits a quarterly newsletter concerning cryptography. Dan holds an engineering degree from Northwestern University

Return to the top of the page

Black Hat Logo
(c) 1996-2007 Black Hat