
Black Hat USA 2003 Overview

Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win Admission to a future Briefings of your choice.

Philip R. Zimmermann, Creator, Pretty Good Privacy

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc. That company was acquired by Network Associates Inc (NAI) in December 1997, where he stayed on for three years as Senior Fellow. In August 2002 PGP was acquired from NAI by a new company called PGP Corporation, where Zimmermann now serves as special advisor and consultant. Zimmermann currently is consulting for a number of companies and industry organizations on matters cryptographic, and is also a Fellow at the Stanford Law School's Center for Internet and Society.

Before founding PGP Inc, Zimmermann was a software engineer with more than 20 years of experience, specializing in cryptography and data security, data communications, and real-time embedded systems. His interest in the political side of cryptography grew out of his background in military policy issues.

He has received numerous technical and humanitarian awards for his pioneering work in cryptography. In 2001 Zimmermann was inducted into the CRN Industry Hall of Fame. In 2000 InfoWorld named him one of the Top 10 Innovators in E-business. In 1999 he received the Louis Brandeis Award from Privacy International, in 1998 a Lifetime Achievement Award from Secure Computing Magazine, and in 1996 the Norbert Wiener Award from Computer Professionals for Social Responsibility for promoting the responsible use of technology. He also received the 1995 Chrysler Award for Innovation in Design, the 1995 Pioneer Award from the Electronic Frontier Foundation, the 1996 PC Week IT Excellence Award, and the 1996 Network Computing Well-Connected Award for "Best Security Product." PGP was selected by Information Week as one of the Top 10 Most Important Products of 1994. Time Magazine also named Zimmermann one of the "Net 50", the 50 most influential people on the Internet in 1995.

In addition to the awards for versions of PGP developed before Zimmermann started a company, subsequent versions of PGP as refined by the company's engineering team continue to be recognized each year with many more industry awards.

Zimmermann received his bachelor's degree in computer science from Florida Atlantic University in 1978. He is a member of the International Association of Cryptologic Research, the Association for Computing Machinery, and the League for Programming Freedom. He is Chairman of the OpenPGP Alliance, serves on the Boards of Directors for Computer Professionals for Social Responsibility and Veridis, and is on the Advisory Boards for, Hush Communications, and Qualys.

Keynote: Day 2
Following the Money: Security Proxies and Agenda
Bruce Schneier, Founder and Chief Technical Officer, Counterpane Internet Security

The strangest thing about security is that it so rarely has anything to do with security. Smart security is risk management, and risk management is about money. In our complex, technological society, people are ill-equipped to manage their own risks. Hence, they turn to proxies: regulatory agencies, legislators, companies, professional organizations, insurance companies, courts. The problem is that these proxies don't have the same agendas as the people who rely on them; they respond to outside pressures. For example, the FAA is entrusted with airline safety, but also responds to the financial needs of airlines. This talk looks at security proxies and these externalities, and discusses how they affect security in ways more profound than the tactics of technological countermeasures.

Internationally renowned security technologist and author Bruce Schneier is the Founder and the Chief Technical Officer of Counterpane Internet Security, Inc., the world leader in Managed Security Monitoring. Counterpane provides security monitoring services to Fortune 2000 companies world-wide. He is the author of six books on security and cryptography, including the security best seller, "Secrets & Lies: Digital Security in a Networked World." His first book, "Applied Cryptography," has sold over 150,000 copies world-wide, and is the definitive work in the field. Schneier designed the Blowfish and Twofish encryption algorithms, and writes the influential "Crypto-Gram" monthly newsletter. He is a frequent lecturer on computer security and cryptography.

Luncheon: Day 1
International Hacking: When The Cooperation is The Only Cure
Dario Forte, CFE, CISM, Security Advisor, European Electronic Crimes Task Force (EECTF)

In August 2002, fourteen Italian hackers known as the "Reservoir Dogs", almost all of them information security professionals, were arrested by the Italian Financial Police. They were charged with hacking the networks of NASA, the U.S. Army, the U.S. Navy and various universities around the world.

This talk, given by the Director of the Police Unit who led the investigation and made the arrests at the time (called "Operation Rootkit"), will illustrate the variety of techniques used by the attackers, with particular reference to the insider threat.

In addition, this session will demonstrate how international cooperation is fundamental in hacking investigations. In Europe, the newly-formed Electronic Crime Task Force (EECTF) - supported by the U.S. secret service in Milan - gave strong assistance to the computer crime investigators, not only related to "Operation Rootkit" but also with regard to other cases.

For example, through its network of contacts the EECTF was advised that the leader of a worldwide credit card trafficking ring had been arrested in Cyprus. The EECTF was able to arrange for the travel of both the evidence and the police officers involved in the case to its forensic lab in Italy, where Dario is Security Advisor.

Once in Italy, the EECTF was able to quickly conduct an initial forensic exam which recovered enough evidence to keep the defendants in jail until such time as a more complete investigation could be completed in the U.S. This will be covered as well.

Dario Forte, CFE, CISM, is Security Advisor for the newly-formed European Electronic Crimes Task Force (EECTF) supported by the U.S. Secret Service in Milan. He has been active in the field of information security since 1992. He is 34 years old, with almost 15 years as Police Investigator in the Drug and Organized Crime Enforcement, CyberCrime Unit.

Forte is a Member of the Computer Security Institute of San Francisco/USENIX and Sage, publishing technical articles all over the world while contributing at numerous international conferences on Information Warfare, including the RSA Conference Europe, the Computer Security Institute NETSEC, Computer Associates CAWorld and the Digital Forensic Research Workshop.

He teaches classes and presents lectures on Information Security Management and Incident Response/Forensics at universities and other accredited institutions worldwide. He is an Intrusion Instructor for the Department of Homeland Security Internet Forensics Training Program given at the Federal Law Enforcement Training Center.

For more than 10 years, Dario has worked with many government agencies worldwide including NASA, and the U.S. Army/Navy, supporting them in incident response and forensics procedures while solving many important hacking-related investigations. Now he provides security/incident response and forensics consulting to the Government, Law Enforcement and corporate world and is also involved with InfoSec projects at the international level.

Luncheon: Day 2
Building a Global Culture of Security
Marcus Sachs, P.E., Cyber Program Director, Information Analysis and Infrastructure Protection, US Department of Homeland Security

Global interest in securing cyberspace is gaining momentum, not just as a reaction to the steady rise in denial of service attacks or increases in rapidly spreading worms and viruses, but also because of an understanding that to build a digital world there has to be a significant change in our global networking culture. To enable our digital future we need an infrastructure that is reliable and secure. We need new protocols, new processes, new ways of doing business. However, computer network security is no longer just a technical challenge - it also requires leadership involvement, policy development, user education and awareness training, and international cooperation. This presentation will cover the United States government's efforts to develop and implement a domestic national strategy for securing cyberspace, as well as international efforts to foster a global culture of security. We will explore lessons learned over the past few years in dealing with both physical and cyber incidents, discuss best practices for cyberspace security currently adopted by industry leaders, and examine challenges coming our way in the near future.

Marcus Sachs is the Cyber Program Director in the Information Analysis and Infrastructure Protection Directorate, US Department of Homeland Security, where he is responsible for developing the implementation plan for the President's National Strategy to Secure Cyberspace. Marc was previously the Director for Communication Infrastructure Protection in the White House Office of Cyberspace Security and was a staff member of the President's Critical Infrastructure Protection Board. Marc retired from the United States Army in 2001 after serving over 20 years as a Corps of Engineers officer. He specialized during the latter half of his career in computer network operations, systems automation, and information technology. His final assignment in the Army was with the Defense Department's Joint Task Force for Computer Network Operations, where he was the Senior Operations Analyst and Technical Director.

Web Based Email Forensics
Thomas Akin, CISSP, Founding Director, Southeast Cybercrime Institute, a division of Continuing Education at Kennesaw State University

Web-based email services such as Yahoo! and Hotmail are the most prevalent email clients in use--Hotmail alone has over 118 million accounts worldwide. While providing great convenience, web-based email clients leave a tremendous amount of information behind. This information can be reconstructed to determine what email has been sent, received, and deleted from the account. Additionally, dates & times, use of folders, address books, and login and password information can often be gathered. This presentation covers identifying and analyzing these files to reconstruct a user's activity. Popular web mail systems such as Yahoo! and Hotmail, and more secure alternatives such as ZipLip and Hushmail, will be analyzed. Finally, Perl scripts to help automate the process of analyzing webmail files will be announced and demonstrated.

Thomas Akin is a Certified Information Systems Security Professional (CISSP) who has worked in Information Security for almost a decade. He is the founding director of the Southeast Cybercrime Institute, a division of Continuing Education at Kennesaw State University. He serves as chairman for the Institute's Board of Advisors and is an active member of the Georgia Cybercrime Task Force. Additionally, he is a frequent presenter at national conferences such as BlackHat, HealthSec, and InfoSec World.

One of Thomas' specialties is Email Forensics and he has performed numerous Email based investigations. He has presented on advanced forging techniques such as using SSH tunnels to obscure the original sending IP, and how to investigate such forgeries. Thomas is also on the review committee for the National White Collar Crime Center's upcoming Email Forensics course.

Thomas is the author of "Hardening Cisco Routers" from O'Reilly & Associates and the "Cybercrime: Response, Investigation, and Prosecution" chapter in the 5th edition of the Information Security Management Handbook. In addition to being a CISSP, he is certified in Solaris, Linux, AIX, and Networking, and is a Cisco Certified Academic Instructor (CCAI).

Revolutionizing Operating System Fingerprinting
Ofir Arkin, Founder, Sys-Security Group

Xprobe is an active operating system fingerprinting tool, which was officially released two years ago at the Black Hat Briefings USA 2001. The first version of the tool was a proof of concept for the methods introduced in the “ICMP Usage in Scanning” project, which I conducted. Two years and several versions later (most notably the Xprobe2 v0.1 release), this talk examines several issues with operating system fingerprinting that we (Fyodor Yarochkin and myself) have encountered during the development of Xprobe and Xprobe2.

Mainly, the talk will explain why traditional operating system fingerprinting methods suffer from a number of caveats, and how these issues directly affect the results that the different operating system fingerprinting tools relying on these methods produce (these issues will be explained along with different examples).

During the talk I will introduce several advancements in the field of operating system fingerprinting. The methods introduced greatly enhance the accuracy of operating system fingerprinting. Several new ways to gather information about a host OS will be uncovered along with ways to overcome many of the current issues of active operating system fingerprinting methods.

During the talk examples will be given, and the audience will be encouraged to participate in a discussion.

A paper release and a new version of Xprobe2 will accompany the talk.

Ofir Arkin is the founder of the Sys-Security Group, a non-biased computer security research and consultancy body.

Armed with extensive knowledge in the information security field, Ofir Arkin has worked as a consultant for several major European finance institutes, where he played the role of Chief Security Architect and Senior Security Architect. In his role as Senior Security Architect, Ofir was responsible for assessing the future external and inter-bank IP communication security architecture for one of the world’s top 10 banks, analyzing the needs and solutions for an internal Single Sign-On (SSO) project for a world-leading pharmaceutical company, securing the E-banking project for a leading Swiss bank, etc. Ofir also acted as Chief Security Architect for a 4th generation telecom company, where he designed the overall security architecture for the company.

Ofir has published several papers as well as articles and advisories. The best-known papers he has published are “Etherleak: Ethernet frame padding information leakage”, “Security Risk Factors with IP Telephony based Networks”, the “ICMP Usage in Scanning” research paper, xprobe2 (tool and paper), “The Cisco IP Phones Compromise”, and “Trace-Back”. He is currently conducting research on a number of TCP/IP protocols as well as Voice over IP. Ofir’s research has been mentioned in a number of professional computer security magazines.

Ofir is an active member with the Honeynet project and participated in writing the Honeynet’s team book, “Know Your Enemy” published by Addison-Wesley.

Lawful Interception of IP: The European Context
Jaya Baloo

Lawful Interception (LI) is currently in development internationally and the area of IP interception poses significant regulatory, as well as implementation, challenges. The presentation attempts to elucidate major legal and technical issues as well as citing the vendors, operators and governments involved in creating the standards and solutions.

In the European context, all EU countries have been mandated to have LI capabilities in place and be able to provide assistance to other member states when tracking transborder criminals. Public Communications Providers must tread warily between privacy concerns and LI requirements. Especially with the new talks concerning Interpol, Enfopol, & Data Retention, communication over public channels is anything but private. The conditions for interception and the framework for oversight are not widely known.

As LI in Europe presents an example for the rest of the world, attention should be given to the changing face of EU legislation. This is relevant not only to the EU expansion but also concerns EU influence over her eastern and western allies.

Jaya Baloo (CCNP, CISSP) has been working in InfoSec for 5 years, starting at Unisource in The Netherlands. After moving to KPN Telecom, she has worked internationally for the Dutch Telecom Operator in Namibia, Egypt, Germany, and Costa Rica designing secure IP infrastructures for national operators. More recently she has worked in Prague for Czech Telecom on Lawful Interception.

Locking Down Mac OS X
Jay Beale, Lead Developer, the Bastille Project and Senior Research Scientist, George Washington University Cyber Security Policy and Research Institute

Apple's OS X operating system combines BSD Unix with easy-to-use Mac operating system components. This has produced an operating system that natively runs Microsoft Office, is as friendly as can be in finding you people to chat and exchange file shares with, and yet still runs a command line! Needless to say, it could probably use some lockdown before you want to take it to Black Hat, or even to the airport, with the wireless card plugged in.

The speaker has ported Bastille Linux to OS X and learned a thing or two about locking down OS X in the process. This talk will demonstrate lockdown, showing you how to harden the OS X operating system against future attack.

Jay Beale is a security specialist focused on host lockdown and security audits. He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and a core participant in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through Baltimore-based JJBSec, LLC.

Jay writes the Center for Internet Security's Unix host security tool, currently in use worldwide by organizations from the Fortune 500 to the Department of Defense. He maintains the Center's Linux Security benchmark document and, as a core participant in the non-profit Center's Unix team, is working with private enterprises and US agencies to develop Unix security standards for industry and government.

Aside from his CIS work, Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and previously wrote a number of articles for and He authored the Host Lockdown chapter in 'Unix Unleashed,' served as the security author for 'Red Hat Internet Server' and co-authored 'Snort 2.0 Intrusion Detection.' Jay is currently finishing the Addison Wesley book, 'Locking Down Linux.'

Formerly, he served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and push security into the third largest retail Linux distribution. He now works to further the goal of improving operating system security. To read Jay's past articles and learn about his past and future conference talks, take a look at his site.

Automated Detection of COM Vulnerabilities
Frederic Bret-Mounet, Senior Security Architect, @stake

@stake announces COMbust – an automated COM object auditor. Few published scriptable objects have mechanisms to prevent unauthorized execution. If an object presents security vulnerabilities, an attacker could use such objects to perform remote attacks, resulting in potentially serious consequences.

Until now, assessing COM objects required developing custom scripts and a security expertise few testing teams had. With COMbust, one can not only build automated regression tests for functionality testing, but also perform negative testing such as a hacker would do.

COMbust automatically executes methods of a COM object with boundary case arguments. In many cases, this will identify buffer overflows, file system or registry access, thus exposing the object’s vulnerabilities. COMbust also provides scripting capabilities to support creation and initialization of the target objects.

In addition to an introduction to COMbust, we will also cover two topics related to using Scriptable COM objects.

First, we will describe the implications of declaring objects scriptable. Why declare an object scriptable? How can your object be used as an attack vector?

Second, we will propose practical solutions to control who can execute your components. Several techniques will be presented ranging from controlling execution access to usage of cryptography.

This presentation will be a mix of slideshow and live demos. The audience is expected to have some understanding of the following technologies: Windows, COM, VB / JavaScript, and XML.

Frederic Bret-Mounet is a seasoned software engineer with 8 years of experience, 6 of those in information technology consulting. His professional experience includes application programming and security consultancy, with an emphasis on Web application design and implementation for Fortune 500 companies.

Prior to working with @stake, Fred was part of a consulting company where he completed multiple assignments with both dot-com and financial clients.

Fred’s skills cover a broad range of technical and managerial areas:

  • End to end knowledge of web and client/server architectures including client, presentation, middleware and backend tiers.
  • Expert in Windows, MFC, C++, VB, COM and Java.
  • Strong wireless networking (802.11) experience with all major current chipsets.

Areas of Research / Individual Accomplishments / Affiliations

  • ApSniff – a WiFi access point sniffer for Intersil Prism chipset based cards.
  • CISSP certified.
  • COM / ActiveX R&D.

Opensource Kernel Auditing/Exploitation
Silvio Cesare

For a period of up to 3 months in 2002, a part-time manual security audit of the operating system kernels in Linux, FreeBSD, OpenBSD, and NetBSD was conducted.

The aims of the audit were to examine the available source code under the presumption of language implementation bugs. Thus classic programming bugs prevalent in the implementation language [C], exemplified by integer overflows, type casting, incorrect input validation, buffer overflows, etc., were expected. The initial introduction to auditing examined easily accessible entry points into the kernel, including the file system and the device layer. This continued to an increased coverage and scope of auditing. From this work, identification of conjectured prevalent bug classes was possible. These results are in favour of the initial expectations: that the bugs would be in line with classical language bugs.

The results of this audit are surprising; a large [more than naively expected] number of vulnerabilities were discovered. A technical summary of these vulnerabilities will be treated in detail. Bug classes and [conjectured] less secure specific subsystems in the kernel will be identified. These conjectures support Dawson Engler's work in automated bug discovery as applied to open-source kernel auditing.

Vulnerabilities, after bug categorisation, are applied in the treatment of exploitation. The results are again surprising; exploitation is sometimes trivial, and primarily highly reliable. The assumption of exploitation difficulty is conjectured to be a false belief due to the lack of any serious focus on kernel auditing prior to this paper. This conjecture is supported by in-line documentation of kernel sources indicative of immediate security flaws.

Attack vectors are identified as a generalisation of bug classes. Risk management is touched upon to reduce the scope of attack, but is not the primary purpose of this paper.

Discussion is finally that of vendor contact, and the associated politics of vulnerabilities. First-hand reports of acknowledgement times, problem resolution times and public dissemination policies are presented candidly. The author may be biased at this point, but it appears that during this audit period, open source holds up to the promise of security concern and responsibility in its community. Problem acknowledgement in at least one of the cases presented is perhaps the fastest in documented history (less than three minutes).

The majority of the vulnerabilities discovered during the audit were resolved and patched in co-operation with the open-source developers and community responsible for each respective operating system. A very large thanks must go to Alan Cox, Solar Designer and, later, Dave Miller, who made enormous efforts to continually resolve all issues uncovered.

Silvio Cesare has for many years been involved in computer security and the many talented and less front-page individuals behind it. In 2001, Silvio relocated from Australia to France to work on the development of managed vulnerability assessment, after the best part of the previous year in Australia establishing the legal requirements to make this possible. In 2002, he relocated again to the US, after cessation of product development in France. During his last months working in the US as scanner architect of the company's flagship MVA product, he spent his part time auditing open source operating system kernels. Silvio spoke at conferences in 2002, including CanSecWest on his reverse engineering work, for which he was at one time in negotiations for authoring a book on Unix viruses. After impending legal requirements to leave the US, Silvio returned to Australia for 2003. During the current year, he has been quietly involved in Ruxcon, an Australian computer security conference, presenting the results of the previous year's part-time auditing. Silvio currently spends his days in Australia as a System Administrator, outside of industry interests in computer security.

Hardening Windows CE
Josh Daymont, CTO, MobileSecure, Inc.

Hardening Windows CE will examine this new operating system from Microsoft in detail. Security requirements for CE in different uses will be examined, and specific security postures will be explained for Windows CE on PDAs and other types of devices. This presentation will assume limited knowledge of Windows system administration and software development, and significant knowledge of internet technologies. Some knowledge of embedded systems would be helpful. No prior knowledge of Windows CE is required.

This presentation will include demonstrations of Microsoft Platform Builder™, the software that Microsoft provides to OEM customers for building the Windows CE operating system, with an emphasis on configuring security. The PocketPC 2002 version of Windows CE will also be examined in a demonstration: several example exploits will be performed against the device, and countermeasures to these exploits will also be shown.

Josh Daymont has worked on the cutting edge of information security research for the last seven years. His career began at Avalon Security Research, a not for profit full disclosure team. Later he joined Internet Security Systems where he co-founded the internal X-Force research team and held a variety of key technical and research management roles. Josh's personal research has been recognized in CERT advisories CA-96:08 and CA-98:06. His comments and articles have been written up in publications such as Secure Computing Magazine. Josh is the CTO of MobileSecure, Inc.

Security Issues with Fibre Channel Storage Networks (SANs)
Himanshu Dwivedi, Managing Security Architect, @stake

This presentation will discuss security issues in Fibre Channel storage networks, specifically Storage Area Networks (SANs), as they pertain to four categories: Fibre Channel fabrics and frames, Fibre Channel switches, SAN attacks, and possible solutions. The presentation gives a Fibre Channel overview and covers current weaknesses, potential future problems, current and future attacks, and short-term/long-term solutions.

The presentation will combine detailed technical discussion of security exposures with tactical best practices. The technical discussion will focus on current attacks, future attacks, and Fibre Channel frame weaknesses that expose storage products and storage networks. Furthermore, high-level best practices will also be discussed as they pertain to storage solutions, device configurations, and architectural designs.

Himanshu Dwivedi is a Managing Security Architect at @stake, Inc. At @stake, Himanshu leads the Storage Center of Excellence (CoE), which focuses research and training around storage technology, including Network Attached Storage (NAS) and Storage Area Networks (SAN). Himanshu’s focus in security is networking technology and storage architecture, specifically Fibre Channel Security. Himanshu has given numerous presentations and workshops regarding the security in SANs, including the SNIA Security Summit, Storage Networking World, TechTarget, the Fibre Channel Conference, SAN-West, SAN-East, StorageWorld, etc.

Himanshu currently has a patent pending on a storage design architecture that he co-developed with other @stake professionals. The patent is for a storage security design that can be implemented on enterprise storage products deployed in Fibre Channel storage networks. Additionally, Himanshu has co-authored two published books that discuss storage security. The titles are The Complete Storage Reference, Chapter 25 (McGraw-Hill/Osborne), and Storage Security Handbook (Neoscale/isitSTORAGE). Furthermore, Himanshu has also published two white papers. The first white paper is titled “Storage Security”, which provides the basic best practices and recommendations in order to secure a SAN or a NAS storage network. Additionally, Himanshu has written a second white paper titled “Securing Intellectual Property”, which provides insight and recommendations on how to protect an organization’s network.

At @stake, Himanshu forms part of the San Francisco based Professional Services Organization (PSO), providing clients with network architecture assessments, attack & penetration services, secure network design, and secure server analysis. In addition to the PSO, Himanshu is also part of the @stake Academy, where he is a lead instructor in several security classes, including Cyber Attacks and Countermeasures, Windows 2000 Security, and Storage (SAN and NAS) Security.

More (Vulnerable) Embedded Systems
FX, Phenoelit

The talk focuses on more embedded systems - this time, looking into the mobile world of GSM as well. How can the infrastructures and protocols in the Internet enabled GSM world be used for attacks? This session will give you an introduction to the concepts of WAP and GPRS. Using this knowledge, some unforeseen applications of these protocols will be discussed, both in the provider backbone and from the client side.

The second part will show you the latest advancements in Cisco IOS exploitation. While Phenoelit showed you last year that it can be done, we will go on and show you this year that it can be done better, more reliably and more elegantly.

FX of Phenoelit is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.

BGP Vulnerability Testing: Separating Fact from FUD
Matthew Franz, Security Researcher, Cisco's Critical Infrastructure Assurance Group (CIAG)
Sean Convery, Security Researcher, Cisco's Critical Infrastructure Assurance Group (CIAG)

Recently the security of BGP has been called into question by the government, security experts, and the media. Perhaps by assuming that a compromise of the Internet routing infrastructure would be relatively trivial to accomplish, most of the recent attention has focused on replacements to BGP rather than ways to do the best with what we have. Because any possible replacement for BGP will not be widely deployed in the near term, the key threats to current BGP deployments and the techniques that mitigate them need to be better understood. Furthermore, since most of the existing work related to BGP vulnerabilities is largely theoretical, any new effort should be based on real testing of actual implementations that are commonly deployed by ISPs.

This talk presents the results of research in the area of BGP attacks. This research includes three main areas. First, specific attacks as outlined in the BGP Attack Tree draft were tested against lab networks to gauge attack results, difficulty, and the availability of best practices which mitigate the attack's effects. Where appropriate, these attacks were conducted against multiple BGP implementations to more accurately determine the real risks to ISPs and the Internet— vs. what was possible with a single vendor. Second, implementations were evaluated using a BGP malformed message generator to determine their robustness and see whether BGP was susceptible to the same sorts of issues that have plagued SNMP, SIP, SSH, and other protocols. Third, the prevalence of generally accepted best practices on the Internet was measured by querying a representative set of the Internet's BGP routers on management interfaces including telnet, SSH, and HTTP. This survey also included the behavior of BGP implementations, based on their response to a valid BGP Open. Analysis of this data will be useful for operators looking to improve the security of their BGP networks today and to evaluate potential improvements to BGP in the future, especially given the challenge of balancing scalability and ease of deployment with security in any future "secure BGP."

Matthew Franz is a security researcher in Cisco's Critical Infrastructure Assurance Group (CIAG) in Austin, Texas. Apart from work on BGP, interests include industrial automation (SCADA/DCS/Industrial Ethernet), security, and automated protocol test tools. Before joining CIAG, Matthew was senior security engineer in the Security Technologies Assessment team, where he conducted product security evaluations on a variety of Cisco products and network protocols. Before coming to Cisco in 2000, Matthew was a network security consultant and taught technical network security courses to government information warfare customers in San Antonio, Texas.

Sean Convery is a security researcher in Cisco's Critical Infrastructure Assurance Group (CIAG). While in CIAG Sean's research efforts have centered on Internet infrastructure issues including BGP and IPv6. Before coming to the CIAG, Sean worked primarily on the SAFE blueprint, and is an author of several whitepapers on the subject. Prior to his five years at Cisco, Sean held various positions in both IT and security consulting during his 11 years in networking.

OSI Layer 1 Security
Michael D. Glasser, Security Consultant

In today's corporate environment electronic physical security is a serious business. Every corporation has some form of access control and/or CCTV system in place. There are only three really important questions to ask about it. Does it do what it's designed to do? Was it designed to do what it needs to do? WHO'S RESPONSIBLE AT THE END OF THE DAY?

This presentation will:

  1. Give an in-depth explanation of the different technologies used in Access Control and CCTV today.
  2. Give an overview of general system designs.
  3. Describe the most common security flaws that exist today.

Michael D. Glasser is currently employed as a Security Consultant in the New York Tri-State Area. He consults primarily on electronic physical security, as well as more conventional locking systems.

Glasser has been in the security industry for more than 10 years. He started as a technician in the field installing electronic security, and broadened his technical knowledge to cover all electronic and conventional security systems.

Glasser is licensed by New York State as a Burglar and Fire Alarm Installer, certified as a Locksmith, and holds numerous electronic security certifications. He is an active member of many local, state and national associations. He teaches classes on electronic security in the New York area.

Prior speaking engagements of this type have been at both the DefCon series of conferences and at the 2600 sponsored HOPE conferences.

Glasser can be contacted at mglasser<a>

Criminal Copyright Infringement and Warez Trading
Eric Goldman, Assistant Professor of Law, Marquette University Law School in Milwaukee, WI

This talk will discuss criminal copyright infringement and how it applies to warez trading. We will discuss what is legal and what isn’t, who has been prosecuted, why they were prosecuted and what happened to them, and why the law is bad policy. You should expect to leave the talk more knowledgeable about what activities are criminal and how great or small the risks are.

Eric Goldman is an assistant professor of law at Marquette University Law School in Milwaukee, WI, where he teaches cyberlaw, intellectual property and legal ethics. He has taught cyberlaw since 1995-96 and has authored dozens of articles and given dozens of speeches relating to Internet law issues. His article, A Road to No Warez: the Paradigm Misstep of the No Electronic Theft Act, will be published this year. Prior to joining the Marquette faculty, he was General Counsel of and, before that, a technology transactions attorney at Cooley Godward LLP.

The Law of 'Sploits
Jennifer Stisa Granick, Lecturer in Law and Executive Director of the Center for Internet and Society (CIS) at Stanford University

A patchwork of laws arguably applies to vulnerability disclosure. Vendors and system administrators have struggled to find legal means to prevent or slow computer misuse, while security researchers are frightened by the possibility that they may be punished for the dissemination of security research. This talk reviews the major legal issues in vulnerability disclosure, including negligence, conspiracy to commit computer fraud, aiding and abetting computer fraud, the anti-circumvention provisions of the DMCA and the prospective implementation of the Council of Europe Convention on Cybercrime, as well as defenses, like the First Amendment.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime, national security and constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Runtime Decompilation
Greg Hoglund, Rootkit

Pure static analysis of machine code is both time consuming and, in many cases, incapable of determining control flow when branching decisions are based on user-supplied input or other values computed at runtime. Other problems include the lack of type information or the inability to identify all instructions. Although difficult if not impossible to solve using static analysis, many specific problems can be solved by running the program and observing its behavior. Hoglund presents a strategy that combines static analysis with runtime sampling to determine data flow and, more importantly, trace data from the point of user input to potentially vulnerable locations in code. His focus is directly on security auditing and techniques to significantly reduce the amount of time it takes to audit a binary executable. To get the most from this talk, attendees should have experience debugging code.

Greg Hoglund is a recognized speaker and business person working out of California. His work is focused on reverse engineering and exploiting software. Hoglund has developed several automated tools and commercial products. Hoglund most recently developed the fault-injection product called 'Hailstorm' and has now moved on to form a new company, HBGary, LLC. In his spare time, Hoglund hosts the popular internet site and takes his dog, Oreo, for walks on the beach.

Honeynet Technologies: The Latest Technologies
The Honeynet Project

Focusing on Sebek and the latest advances in Honeynet Technologies. Includes a general overview of the Honeynet Project and Honeynet Technologies.

Stack Black Ops: New Concepts for Network Manipulation
Dan Kaminsky, Senior Security Consultant, Avaya, Inc.

What can your network do? You might be surprised. Layer by layer, this talk will examine previously undocumented and unrealized potential within modern data networks. We will discuss aspects of the newest versions of scanrand, a very high speed port scanner, and the rest of the Paketto Keiretsu. Interesting new techniques will also be discussed, including:

  • Bandwidth Brokering - a technique that allows market-based load balancing across administrative boundaries using existing TCP protocols
  • DHCP-less Bootstrapping - a sub-optimal but effective strategy for bootstrapping network access for hosts that cannot directly acquire a DHCP lease
  • State Reconstruction - a design model that allows stateless network scanners (such as scanrand) to acquire deep knowledge about scanned hosts
  • Multihomed Node Detection - a simple set of techniques that expose firewalled hosts with alternate paths to an unfirewalled network link.
  • Generic ActiveX Encapsulation - a step-by-step methodology for safely launching arbitrary win32 tools (such as putty or a Cygwin OpenSSH environment) from a web page

We will also be discussing significant advances in data visualization, made necessary by the sometimes daunting amount of raw information these sorts of tools can expose one to.

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems, and he is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

Running the Matrix: Kerberos Extensions and Owning the Universe
Curtis E.A. Karnow, Partner, Sonnenschein Nath & Rosenthal LLP

The presentation will use the Kerberos encryption schema as an example of a public protocol that has been subject to proprietary (private) extensions. Proprietary protocols are especially dangerous in the digital network context, since control of one protocol can implicate control across the network. A short non-technical outline of the Kerberos system and topology is presented, as well as the means by which the public standard has been infiltrated by certain privately “owned” patents and trade secrets. This leads to a discussion of how public law— intellectual property law (copyright, patent, etc.)— is used to enforce private interests. Public law— usually the guarantor of a balancing of public and private rights— is used in this context to upset that balance to benefit private control. Fair use, a public right embodied in the copyright act, can be used to explore and avoid the impact of proprietary protocols and extensions; but new laws, such as the Digital Millennium Copyright Act and the proposed anti-terrorism statute “US Patriot Act II” undermine the utility of “fair use,” particularly in the context of examining proprietary encryption schemes. The presentation concludes with an endorsement of open standards and source.

Curtis Karnow is a partner at the law firm of Sonnenschein, Nath + Rosenthal and a member of the firm’s e-commerce, security and privacy, and intellectual property groups. He is the author of Future Codes: Essays In Advanced Computer Technology & The Law (Artech House, 1997). Mr. Karnow has counseled on public key infrastructure policies, electronic contracting, and digital signatures. Formerly Assistant U.S. Attorney in the Criminal Division, Mr. Karnow’s responsibilities included prosecution of all federal crimes, including complex white-collar fraud, from investigation and indictment through jury verdict and appeal. Since then, Mr. Karnow has represented defendants indicted for unauthorized access to federal interest computers; defended against a criminal grand jury investigation into high tech export actions; represented clients before federal grand juries investigating alleged antitrust conspiracies and securities violations; brought legal actions against internet-mediated attacks on client networks, and in a state criminal investigation represented a computer professional framed by a colleague in a complex computer sabotage. He has also advised on jurisdictional issues arising out of a federal criminal Internet-related indictment, and advises on liability and policy issues, including interfacing with law enforcement authorities, arising from computer security breaches and Internet privacy matters. He occasionally sits as a temporary judge in the California state court system.

Digital Information, User Tokens, Privacy and Forensics Investigations: The Case of Windows XP Platform
Larry Leibrock, Ph.D, Associate Dean, CTO, McCombs School of Business Administration, The University of Texas

Incident Response and IT Security practitioners are aware that normal user interactions with digital devices create, delete and typically leave a range of data, metadata and residue (termed tokens) on differing systems media. We seek to explore Microsoft Windows XP as an illustrative platform to review how these tokens are created, discovered and perhaps cleaned using some generally available privacy tool sets.

This paper explores a field study that intends to review extant knowledge, determine the range of user tokens, and survey the current forensics used to discover evidentiary findings. The field study focuses solely on two variants (Windows XP Professional and Windows Tablet PC) of the commercially available Windows XP platform in networked settings.

The paper describes the Windows XP platform from these perspectives: files, registry, system folders, special folders, media and forensics processes. A review of present data-hiding techniques (cryptography and steganography) is presented and demonstrated. Finally a set of data destruction algorithms and tools are described.

Lastly in the context of a teaching case, a set of public policy perspectives are presented for discussion. The purpose of the case is to set out a dialogue about individual privacy rights, privacy of information, ownership of data, protection of sensitive information and legal investigative processes in democratic settings.

Discussion topics in the presentation include the following:

  • Investigation and Privacy of Digital Data and Introductory Forensics Investigations: Practices/Procedures
  • An International Forensics Case discussion - law - privacy - ethics - law enforcement
  • Microsoft Windows XP - Media typology and morphology of data
  • Data Caches - files - registry - folders - metadata derivatives
  • Networking artifacts and residue
  • Introduction to information hiding techniques, data wiping tools - special hardware - some special tools
  • Extant political - public policy - legal systems perspectives

Larry Leibrock, Ph.D., is a member of the McCombs Business School – The University of Texas faculty and serves as the Associate Dean and Technology Officer for the McCombs Business School. He has held or currently holds clinical teaching and research appointments at McCombs Business School, Institute for Advanced Technology, The University of Texas Law School, Emory University, Helsinki School of Economics and Monterrey Technologica in Mexico City and Monterrey. He is a member of IEEE, ACM, Internet Society, FIRST and USENIX/SAGE. He is also a member of the Department of Defense Software Engineering Institute and a participant in the Air Force Software Technology Conference. He is the founder and CTO for eForensics LLC, a private technical services firm.

Larry has delivered expert digital evidence testimony at both civil and criminal trials. He has testified for the Presidential Commission for Protection of Critical Information Infrastructure and the Senate Science Committee. He recently presented forensics testimony at an invitational conference for the Executive Office of the President. He presently serves on the Texas Infrastructure Protection Advisory Committee formed by the Attorney General of Texas. He is also appointed to the Board of Directors - Texas Department of Information Resources. Larry is active in IT industry and government systems consulting projects in the areas of systems forensics, enterprise IT operations, security and incident investigations.

Variations in Exploit Methods Between Linux and Windows
David Litchfield, Founder, Next Generation Security Software

This presentation will examine the differences and commonality in the way a vulnerability common to both Windows and Linux is exploited on each system.

David Litchfield is a world-renowned security expert specializing in Windows NT and Internet security. His discovery and remediation of over 100 major vulnerabilities in products such as Microsoft's Internet Information Server and Oracle's Application Server have led to the tightening of sites around the world. David Litchfield is also the author of Cerberus' Internet Scanner (previously NTInfoscan), one of the world's most popular free vulnerability scanners. In addition to CIS, David has written many other utilities to help identify and fix security holes. David is the author of many technical documents on security issues, including his tutorial on Exploiting Windows NT Buffer Overruns referenced in the book "Hacking Exposed".

Notes on Domino
Aldora Louw, Senior Associate, PricewaterhouseCoopers

Notes on Domino is a discussion on some of the rarely used Domino security features. Implementing these features often makes administration and configuration more difficult. The result of not implementing these security features can sometimes be devastating. This discussion will focus on analyzing these security features, describing and demonstrating the possible impact of not utilizing these features, and general Domino architecture and design. The context of the discussion will include the Lotus Domino web interface, as well as the often-overlooked conventional Notes interface.

Demonstrations will include exploiting weaknesses created by security mis-configurations. Methods of reducing the effectiveness of the demonstrated attacks will be presented. In each of the methods Lotus Domino 6 features will be compared and contrasted to Lotus Domino 4 and 5 features.

Real life examples will be utilized to reinforce the impact of ignoring available Domino security features.

Aldora Louw is a Senior Associate in the PricewaterhouseCoopers Security practice with more than 7 years' experience in Security and Information Technology. She has extensive knowledge and experience in systems design and implementation, system integration, policy and procedure development, security penetration testing, and implementing countermeasures to reduce or minimize Internet-based computer or network vulnerabilities. Aldora has provided security and infrastructure consulting to various organizations in the Energy, Financial and Professional Services sectors. Aldora has advanced technical experience with the following technologies/products: Firewalls, UNIX, Windows NT, Windows 2000, Cisco Routers, Lotus Domino, Intrusion Detection systems.

Aldora's article detailing different wireless communications and their security was recently published in "Information Strategy: The Executive's Journal".

Introduction to Corporate Information Security Law
Andrea M. Matwyshyn, Adjunct Professor of Law, Northwestern University School of Law; Affiliate, Manufacturing and Technology Policy, University of Cambridge (UK)

Legal mechanisms can be efficient weapons in the battle to secure proprietary information, particularly if used preemptively. Maximizing the leverage offered by these legal mechanisms generates a two-fold benefit for business entities. First, sound proprietary information security practices preserve strategic business advantage by contractually and otherwise hindering attempts by competitors to garner proprietary information for competitive advantage. The legal sources for protection of proprietary information and intellectual property assets are three-fold: (1) contract; (2) state level trade secret law; and (3) federal intellectual property and other law. Second, when proprietary information includes third party data, in particular consumer data, sound information security practices help limit liability associated with violation of privacy regulation and serve to demonstrate the exercise of due care in data management. In some instances, affirmative legal confidentiality and privacy obligations may pertain to entities engaged in certain types of information intensive businesses. For example, entities engaged in businesses which involve financial, health, children’s or European data trigger regulation both domestically and internationally. Noncompliance with such regulatory requirements can result in both enforcement actions by various governmental agencies and liability arising from civil suits. Through viewing contracts as tools for increasing future certainty and through instituting entity-wide information control policies and practices, entities can greatly diminish the transaction costs associated with information leakage.

Andrea M. Matwyshyn is an Adjunct Professor of Law at Northwestern University School of Law in Chicago, Illinois, where she teaches in the area of information technology transactions, an Affiliate with the Manufacturing and Technology Policy Program at the University of Cambridge in the United Kingdom, and a practicing attorney. She has represented clients of all sizes, including both multinational corporations and entrepreneurs, in general corporate, information technology, and privacy counseling matters. She is currently finishing her dissertation and will soon complete a Ph.D. in Human Development and Social Policy, focusing on technology policy, also from Northwestern University.

Leave the Theory Behind and Embrace the Code, A Practical Approach for Building a Security Data Correlation System
David Maynor, Application Developer, Georgia Tech

Correlation of data from security tools is a subject often discussed, but products that do this are either expensive or lack cross-vendor support. This presentation aims to demystify these tools and impart to the audience the knowledge to build and deploy their own correlation systems.

In addition to the design and development aspect a practical example will be released in the form of a correlation engine and agents. This presentation is most beneficial to security administrators and engineers of enterprise environments where the amount of information produced by security tools is overwhelming.

To take the most advantage, the attendees will need an understanding of current security tools (nessus, snort, iptables, and tripwire). In addition, since the focus of the talk will be on the development of this tool, participants will need to be familiar with C and python as well as socket programming and general networking concepts.

David Maynor has spent the last 2 years at GaTech, with the last year as part of the Information Security group as an application developer, helping to make the sheer size and magnitude of security incidents on campus manageable. Before that, Maynor contracted with a variety of companies in a wide range of industries, from digital TV development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.

Advances in ELF Runtime Binary Encryption - Shiva
Neel Mehta, Application Vulnerability Researcher, ISS X-Force

Traditionally runtime binary encryption has been limited to the Windows world, but attempts have been made to bring the technology to the UNIX world. This presentation will discuss the emerging field of ELF runtime binary encryption on Unix platforms. Although an overview and brief history of runtime binary encryption will be covered, the presentation will specifically focus on the ELF runtime binary encryption tool Shiva, and the new and novel techniques it implements. Shiva was co-authored by Shaun Clowes and Neel Mehta. Its technical aspects will be covered in depth, along with the challenges associated with runtime binary encryption, and its implications for binary forensics or reverse engineering and security in general. Lessons learnt and changes made since an initial beta release will also be covered.

Neel Mehta works as an application vulnerability researcher at ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

.NET from the Hacker's Perspective: Part 2
Drew Miller, Black Hat Consulting

Most people ask about all the great new exploits that exist in .NET applications and infrastructure. As usual, there is really nothing new under the sun. Part I of this talk focused on .NET-specific functionality that had issues, however important they were.

Part II focuses on the technologies that are not being used by .NET developers and designers which would make attacks such as denial-of-service, authentication bypassing and information leakage detectable and leave the applications immune.

Many of the basic problems with local and network application technologies still exist even in .NET. We will focus on understanding where those vulnerabilities lie.

Though many of the points may be subtle, they apply to every line of code written for a .NET application. Default UI settings for text controls and the failure to use the easy-to-use cryptographic namespace in .NET continue to give hackers access to systems and data built with .NET technology. This does not have to be the case. Apply good processes and keep your data safe from everyone, including those disgruntled employees.

Drew Miller has been a software engineer for more than ten years. Drew has worked at many levels of software development, from embedded operating systems, device drivers and file systems at Datalight Inc. to consumer and enterprise networking products such as Laplink’s PCSync and Cenzic’s Hailstorm. Drew’s experience with many software genres combined with his passion for security give him a detailed perspective on security issues in a wide variety of software products.

Drew’s latest projects included assisting in the design and development of two security courses for Hewlett-Packard at the Hewlett-Packard Security Services Center. One course is aimed at educating quality assurance personnel and the other at educating developers about the exposures that exist in present-day network applications and how to avoid such exposures. Drew is currently an instructor for Black Hat Training, Inc.

SPIDeR: A Distributed Multi-Agent Intrusion Detection and Response Framework
Patrick Miller, Computer Science Department, Eastern Washington University

The Synergistic and Perceptual Intrusion Detection Systems with Reinforcement (SPIDeR) framework coordinates the results from multiple intrusion detection agents distributed throughout a network. These agents are capable of utilizing widely different computational models ranging from fuzzy logic to regular expressions. The system centrally combines the agents’ results, where they are used to produce an automated response. As the operational environment changes over time, agents and sensors are dynamically added and trimmed. This also allows an administrator to balance the use of system resources vs. system security. The use of heterogeneous sensor agents provides a level of immunity to attacks against the IDS that is not possible in single model architectures, while simultaneously decreasing the rate of false positives. These agents will, in addition to using diverse computational models, analyze diverse data sources.

During the presentation, Patrick Miller will discuss the ongoing research and development that is taking place on SPIDeR, a project proposed and supervised by Dr. Atsushi Inoue, the director of the Inland Northwest Security Systems Initiative (INSSI) within the Department of Computer Science at Eastern Washington University. Particular attention will be focused on the need for multiple, heterogeneous agents. Time will also be spent examining different detection methodologies and the computational models best suited to those in different environments.

Many automated response systems suffer from a high number of false positives, which prevent an administrator from assigning the most appropriate response. These systems often also suffer from a prohibitive degree of rigidity. This presentation will explore the use of fuzzy logic systems, in coordination with administrator feedback, to develop a more flexible, adaptive response system.

Patrick Miller has spent the last year and a half as a primary researcher and developer for the SPIDeR project, a knowledge-based distributed intrusion detection system, part of Eastern Washington University’s cyber security initiative. His recent publications and work have focused on the use of heterogeneous machine learning systems in real-time intrusion detection.

Prior to this research, Patrick performed a number of security audits focusing on the unique security needs of colleges and universities, and has been asked to present on this topic at both the local and national level.

Brute Forcing Terminal Server Logons with TSGrinder
Timothy Mullen, CIO, Anchor IS
Ryan Russell

The "new and improved" version of "TSGrinder," the original terminal server brute force tool from Hammer of God, has just been completed and will be unveiled at Blackhat Vegas. This much-awaited release will include many new features such as single-session-multiple-password-attempts functionality, 1337 dictionary hashing, logon banner awareness, and more. This free tool will be made available for download immediately following this session.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions. Mullen is also a columnist for Security Focus' Microsoft Focus section, and a regular contributor of InFocus technical articles. A.k.a. Thor, he is the founder of the "Hammer of God" security coop group.

Click Next To Continue
Chris Paget, Security Consultant and Researcher, Next Generation Security Software

August 2002 saw the release of Shatter - the first of a new class of security vulnerabilities. Shatter attacks break Windows security by using pure GDI messages; Click Next to Continue explores the issues in more depth. Building upon the original white paper, this presentation explores in more detail the techniques involved in locating and exploiting a Shatter-style vulnerability, what can be accomplished with them, and how they can be fixed.

Two new exploits will be presented; a privilege escalation vulnerability in Windows 2000 along similar lines to the original WM_TIMER issue, and a second exploit which can circumvent virtually all personal firewalls. Also to be released is Smashing - a highly versatile exploit for the original WM_TIMER issue and a test-bed for further exploration.

Chris Paget is a security consultant and researcher for NGS Software, based in London. Chris has almost 20 years of experience in programming and security auditing, specialising in Win32 and Internet systems. He has performed audits for many of the largest banks and high-tech companies in the world, and has several years of experience teaching system administrators how to break into their own networks.

Java Card 101 – Understanding Java-based Smartcard Security
Bruce Potter, Security Consultant

Smart cards have been popular internationally for years. Now they are gaining popularity in the United States, both in the public and private sector. Historically, smart cards have been expensive and difficult to deploy because each card was customized for the application it contained. With the advent of technologies such as Java Card, applications can be loaded on a card at any point of its lifetime. This allows for specialized, inexpensive, small-scale card deployments. Smart cards can now be used in any size organization to fit a number of security requirements.

This talk will cover the ins and outs of Java Card and its security architecture. It will provide perspective by briefly covering smart card history and basics. The presentation will explore reasons to deploy smart cards (and why to think twice about it). It will present the structure of the Java Card Virtual Machine and Runtime Environment as well as important off-card entities. Finally, the talk will cover best practices in Java Card application development through examples.

Bruce Potter has a broad information security background. From application security assessments to low-level smartcard analysis to wireless network deployments, Bruce has worked in both the open- and closed-source communities. Trained in computer science at the University of Alaska Fairbanks, Bruce now serves as a Senior Security Consultant for Cigital, Inc. in Dulles, VA. Bruce is founder and President of Capital Area Wireless Network, a non-profit community wireless initiative based in Washington DC. In 1999 Bruce founded The Shmoo Group, an ad-hoc group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security, published through O’Reilly and Associates. He is co-authoring Mac OS X Security, to be published by New Riders Publishing in May of 2003.

Technical Security Countermeasures: The Real Story Behind Sweeping for Eavesdropping Devices
Jeffrey Prusan, President, Corporate Defense Strategies Inc.

Drawing on experience as a corporate security advisor, former investigator, and TSCM technician, we will dispel the myths behind bugging and wiretapping. We will separate what tappers can and cannot do (everything you see in the movies is not always true!!), and what companies can realistically do to protect themselves from eavesdroppers and thereby help to protect their network, proprietary information, and intellectual property. We will explain and demonstrate the sophisticated electronic tools used by a professional sweep team, and describe what happens during the sweep process. We will demonstrate how phones are tapped in homes (analog phones), small businesses (KSU telephone systems), and larger companies (PBX systems). We will show how corporate spies attempt to infiltrate company telephone systems and ultimately compromise your network infrastructure. We show how anything purchased to detect eavesdropping from a "spy shop" will only waste your money and give you a false sense of security. We lay out the planning and execution of a successful sweep, and explain how to protect your company from threats in the future.

Jeffrey Prusan is the President of Corporate Defense Strategies Inc., a security consulting and security systems integration firm founded in 1982 and located in Woodcliff Lake, New Jersey. Mr. Prusan has provided his services to businesses ranging from Fortune 500 companies to small "Mom and Pop" businesses looking to protect their privacy and security. He and his company have worked for and continue to provide security services to local and county government agencies, law enforcement agencies, and the Federal Government. Mr. Prusan has a strong background in investigations and corporate security, and has successfully located, and assisted in the apprehension of, a perpetrator who eluded law enforcement authorities after murdering a police officer. Mr. Prusan located and apprehended an international embezzler who had stolen $45 million from his employer. Prusan was deployed by the United States Federal Government to travel to the Philippines to conduct a fact-finding mission regarding the bombing of the World Trade Center and the bombing of a Philippine airliner bound for the United States. Jeffrey Prusan has worked with and advised law enforcement agencies on all levels regarding bugs and wiretaps that were discovered as a result of Technical Security Countermeasures (TSCM) sweeps. Mr. Prusan has performed eavesdropping detection services for offices, homes, cars, yachts, and corporate aircraft. Mr. Prusan is a member of the American Society for Industrial Security, and is listed in Who's Who in Security. Mr. Prusan has appeared on WNBC News on numerous occasions to discuss security, privacy, and protection topics. His company has appeared in print media such as the Bergen Record newspaper, Time Magazine (August 14, 2000), and Security Management. Articles written by Jeff Prusan have appeared on and, to name only a few. Mr. Prusan has also authored articles on electronic vehicle tracking and Technical Security Countermeasures.

Modern Intrusion Practices
Gerardo Richarte, Core Security Technologies, Inc

Current pen-testing practices focus on hosts or networks as targets, and start with a noisy reconnaissance and information gathering phase regardless of the mission. We’ll start by reviewing these practices, and showing how some examples of targets not commonly used open new dimensions for planning attacks and creating new tools.

The main focus of this talk is to start walking the path to a new perspective for viewing cyberwarfare scenarios, by introducing different concepts and tools (a formal model) to evaluate the costs of an attack and to describe the theater of operations, targets, missions, actions, plans and assets involved in cybernetic attacks. We’ll talk about current and immediate uses of these tools for attack and defense, as well as some future-but-not-sci-fi applications of them.

Gerardo Richarte - Core Security Technologies, Inc

Having worked formally for more than 10 years in the field, first in the public sector (university and government) and later in the private sector, gera today leads exploit development for the CORE IMPACT penetration testing framework. He also occasionally performs penetration tests and teaches basic and advanced exploit writing techniques with Core's security consulting services.

In the last year, he has been a speaker at different computer security conferences, where he presented on automated pen-testing and exploit writing techniques and methodologies. He has also published papers on low-level security aspects, like format string exploitation or bypassing stack smashing protections, and was part of the jury for Honeynet's 2002 reverse engineering challenge.

He doesn't drink or smoke, so he'll be easy to spot in Las Vegas for the "Where-Am-I face" that he'll be wearing (at least the first day).

Advanced Windows 2000 Rootkits Detection (Execution Path Analysis)
Jan K. Rutkowski

One of the most important questions in computer security is how to check whether a given machine has been compromised or not.

This is a very difficult task, because the attacker can exploit an unknown bug to get into the system and, most importantly, after breaking in, he can install advanced rootkits and backdoors in order to stay invisible.

This presentation will concentrate on rootkit and backdoor detection in Windows 2000 systems. First, some rootkit prevention programs will be discussed (Integrity Protections Driver, Server Lock) and some vulnerabilities in those products will be presented.

The main part of the presentation will be devoted to a new approach to rootkit and backdoor detection in the Windows kernel and system DLLs. This technique is based on Execution Path Analysis (EPA), which makes use of some Intel processor features in order to analyze what has really been executed during some typical system calls. EPA is not limited to Windows 2000; the author has also developed a similar detection utility for Linux on the Intel platform.

Jan Rutkowski is an independent security researcher. His main interests are in non-trivial exploitation techniques (like heap corruption or smart payloads) and advanced aspects of rootkit and backdoor technology. Currently he focuses on Windows 2000 and Linux systems.

Attacks on Anonymity Systems (Theory) and Attacks on Anonymity Systems (Practice)
Len Sassaman, Anonymizer, Inc.
Roger Dingledine, The Free Haven Project

Attacks on Anonymity Systems (Theory) will draw upon data gathered during real-world attacks on the Mixmaster network, a public Internet anonymity system.

The second presentation, Attacks on Anonymity Systems (Practice), will build upon the information given in the first, and will demonstrate how these theoretical attacks can be exploited in practice. The two parts can be attended independently, though attendees are encouraged to attend part one if they are not already deeply familiar with anonymity systems.

Len Sassaman is a communication security consultant specializing in Internet privacy and anonymity technologies. Len has been a strong defender of personal rights through technology. As a volunteer, he has lent his expertise to human rights organizations, victim support groups, and civil liberties organizations.

Len is an anonymous remailer operator, and is currently project manager for Mixmaster, the most advanced remailer software available. Previously, he was a software engineer for PGP Security, the provider of the world's best known personal cryptography software. A returning Black Hat speaker, Len is also a frequent contributor to online discussions of electronic privacy issues, and has contributed to the development of free software privacy utilities.

Roger Dingledine is a security and privacy researcher. While at MIT under professor Ron Rivest, he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users. After graduating he provided security expertise to a small startup in Boston, where he researched how to integrate reputation into p2p and other pseudonymous dynamic systems. Since then he has been on the program committee of almost a dozen conferences, including being program chair twice for the annual Privacy Enhancing Technologies workshop. Currently he consults for the US Navy to design and develop systems for anonymity and traffic analysis resistance. Recent work includes anonymous publishing and communication systems, traffic analysis resistance, censorship resistance, attack resistance for decentralized networks, and reputation.

Putting The Tea Back Into CyberTerrorism

Many talks these days revolve around cyber terrorism and cyber warfare. Some experts suggest such attacks could be effective; others say that targeted country-wide cyberterrorism is just for the movies...or a Tom Clancy book. In this talk we look at very practical examples of possible approaches to Internet-driven Cyber Warfare/Terrorism. The talk will include an online demo of a framework designed to perform closely focused country-wide cyber attacks.

Roelof Temmingh is the technical director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of PERL code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many International Conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is one of SensePost's senior technical specialists. He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including Black Hat Briefings. Haroon doesn’t drink tea or smoke camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

HTTP Fingerprinting and Advanced Assessment Techniques
Saumil Udayan Shah, Director, Net-Square Solutions

This talk discusses some advanced techniques in automated HTTP server assessment which overcome efficiency problems and increase the accuracy of the tools. Two of the techniques discussed here are Web and Application server identification, and HTTP page signatures. Web and Application server identification allows for discovery of the underlying web server platform, despite it being obfuscated, and of other application components which may be running as plug-ins. HTTP page signatures allow for advanced HTTP error detection and page groupings. A few other HTTP probing techniques shall be discussed as well. A free tool, HTTPRINT, which performs HTTP fingerprinting, shall be released along with this presentation.

Saumil Shah continues to lead the efforts in e-commerce security research and software development at Net-Square. He is the co-author of "Web Hacking: Attacks and Defense" published by Addison Wesley. He has more than eight years of experience with network security and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences worldwide such as BlackHat, RSA, etc.

Previously, Saumil held the position of Director of Indian operations with Foundstone Inc. in the US, and a senior consultant with Ernst & Young's Information Security Services. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member for their Management Development Programmes.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He also holds a CISSP certification. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

Identity: Economics, Security, and Terrorism
Adam Shostack, Founder and CTO, Informed Security

An illegal immigrant from El Salvador was paid only $100 to help one of the September 11th hijackers get a real Virginia ID card. "Identity: Economics, Security, and Terrorism" will explore issues of identity, ID cards, terrorism, and the economics that doom all current efforts to secure identity. Topics covered will include privacy, economics, trust, and identity. The talk will close with advice to businesses and governments on how to build new systems to reduce these problems.

Adam Shostack is founder and CTO of Informed Security. Previously, he spent three years as Most Evil Genius at Zero-Knowledge Systems, building privacy technology that remains ahead of its time. He writes and speaks on a variety of security and privacy topics, with a focus on security, privacy, and economics. He has been an active cypherpunk, involved with issues of privacy, security, and cryptography for over a decade.

Covering Your Tracks: NCrypt and NCovert
Simple Nomad, Founder, NMRC

Encryption and covert channels are nothing new, but using these types of tools to prepare and send messages across the Internet leaves openings for nefarious parties to recover messages and spot the communications. To thwart this, crypto tools need to secure the endpoints and communication tools need to leverage TCP/IP behavior to hide the endpoints. Two tools - ncrypt and ncovert - will demonstrate this capability.

Simple Nomad is the founder of the Nomad Mobile Research Centre, an international group of hackers that explore technology. By day he works as a Senior Security Analyst for BindView Corporation. He has spent years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, is a frequently sought lecturer at security conferences, and has been quoted in print and television media outlets regarding computer security and privacy.

Masquerades: Tricking Modern Authentication Systems
Rick Smith, Ph.D., CISSP, Consultant, Cryptosmith

Authentication is the cornerstone of much of computer security, and a shaky one at that. This talk surveys today's authentication technologies and picks them apart one by one. Passwords fail in large scale applications as well as at the personal level, despite caution and strong motivation for security. Biometrics treat personal traits as secrets; we will survey a series of experiments that have demonstrated the folly of this belief. Even hardware authentication tokens fail to hold up against a determined attacker: this is shown through the tribulations of smartcard-controlled access to satellite television.

Rick Smith, Ph.D., CISSP, operates Cryptosmith, an information security consultancy, and is the author of two books: Authentication: From Passwords to Public Keys, and Internet Cryptography. Over the years, Rick has worked on cyber defense research, cryptographic systems, military guard systems, and commercial security products. He has also served as an information security consultant for a variety of Fortune 100 companies. Rick has recently been appointed to the faculty of the University of St. Thomas in St. Paul, Minnesota.

Java Decompilation and Application Security
Kevin Spett, Senior Research Engineer, SPI Labs

This presentation discusses how decompilation can be used to discover vulnerabilities and weaknesses in Java applications and servers. Java decompilation is a technique that can be used to discover the source of Java programs which are distributed in executable form. Because Java decompilation gives you the ability to view source code, it can be used to quickly find issues that are too unique and subtle to be recognized by other means. There will be a demonstration of the discovery process and exploitation of a recent vulnerability in BEA Weblogic that can allow an attacker to execute arbitrary code on the server.

Kevin Spett is a senior research engineer at SPI Labs, the R&D division of SPI Dynamics. Kevin is a frequently cited expert and innovator in the field of web application security. He is a regular contributor to security discussion forums. Last year he presented his advances in SQL injection techniques against Oracle database servers.

Lance Spitzner, Senior Security Architect, Sun Microsystems

Honeypots are an exciting, yet relatively unexplored, security technology. A security resource that is designed to be attacked, honeypots have many unique advantages (and disadvantages) when compared to other technologies. This presentation will define what a honeypot is, how it works, its values, and some demonstrations of different types of honeypots. It is hoped you will gain a better understanding of what honeypots are, the many different types and what they can do, and how they can apply to your organization.

Lance Spitzner is a geek who constantly plays with computers, especially network security. He loves security because it is a constantly changing environment in which your job is to do battle with the bad guys. This love for tactics first began in the Army, where he served for seven years. He served three years as an enlisted Infantryman in the National Guard and then four years as an Armor officer in the Army's Rapid Deployment Force. Following the Army he received his M.B.A. and became involved in the world of information security. Now he fights the bad guys with IPv4 packets as opposed to 120mm SABOT rounds. His passion is researching honeypot technologies and using them to learn more about the enemy. He is founder of the Honeynet Project, moderator of the honeypot maillist, author of Honeypots: Tracking Hackers, co-author of Know Your Enemy and author of several whitepapers. He has also spoken at various conferences and organizations, including Blackhat, SANS, CanSecWest, the Pentagon, NSA, the FBI Academy, JTF-CNO, the President's Advisory Board, the Army War College, and Navy War College.

Enterprise Security for Converging Technologies
Lee Sutterfield, Co-founder and President, SecureLogix Corporation

The Internet security software market is expected to reach $28 Billion in the next 4 years. The products serving this market include IP Firewalls, VPNs, Access Control Devices, authentication devices, encryption and intrusion detection systems. These technologies provide a fairly effective perimeter control capability, which is improving enterprise level information security. However, the traditional voice network has for years provided the "last big back door" into the data network via unauthorized user connected modems and poorly secured authorized modem connections. Lack of security on the phone network negates all efforts to secure the Internet connection. The solution to this intractable problem lies in the emerging technology base known as Telecom Firewalls.

Telecom Firewalls are the most revolutionary security technology to hit the market in 20 years. With the right architecture, Telecom Firewalls promise to solve numerous security problems on the phone network by supporting new, revolutionary security technologies to include: circuit switched VPNs, Telecom IDS, IP Telephony Firewalls, Secure SCADA systems and others. SecureLogix is the first company to place such an architecture and product set on the commercial market. SecureLogix will discuss the nature of the security issues at the phone and data network interface and present the technology designed to address these issues. SecureLogix will also discuss the implications of this emerging technology base on the ultimate convergence of the voice and data network at the enterprise level.

Lee Sutterfield joined SecureLogix Corporation in August 1998 as one of its four founders, serving as President. Before joining SecureLogix, he was a founder of WheelGroup Corporation where he served as Executive Vice President, Secretary and Board Member. WheelGroup was a privately owned security software company that was founded in September 1995 and acquired by Cisco Systems, Inc. in March 1998.

Previously, Mr. Sutterfield was the senior program manager for the US Air Force's pioneering information protection program while assigned with the Air Force Information Warfare Center in San Antonio, TX. As head of the Air Force Information Warfare Center's Countermeasure Engineering Team, he was responsible for the identification and analysis of computer and network vulnerabilities and the development of countermeasures. He also initiated the development of first-of-kind intrusion detection systems, automated vulnerability assessment products, network mapping tools, and threat analysis processes. He spearheaded the formation of the Air Force Computer Emergency Response Team and led the development of incident response processes that are widely used throughout the computer security community. Prior to his time at the Air Force Information Warfare Center, Mr. Sutterfield initiated groundbreaking work within the Department of Defense's intelligence community regarding the characterization of the threat to national information systems via worldwide interconnectivity. Mr. Sutterfield holds a Bachelor of Science degree in Electrical Engineering from Oklahoma State University.

Man In The Middle Attacks
Marco Valleri, Co-creator "ettercap project"
Alberto Ornaghi, Security Engineer & Co-creator "ettercap project"

Many powerful tools have focused attention on MITM attacks, which are no longer considered merely theoretical. The presentation will show what an attacker can do once "in the middle" and how he can use "the middle" to manipulate traffic, inject malicious code, and break widely used cipher and VPN suites. Each attack will be discussed and many demos will be presented to show their impact in a real scenario. The second part of the presentation will discuss how to intercept traffic in a LAN, some countermeasures to prevent it, and how to avoid some of these countermeasures.

Marco Valleri works in the Ethical Hacking Department of an Italian IT security company. He collaborates with many Italian groups to improve research in many fields of the IT security world. He is one of the creators of the "ettercap project".

Alberto Ornaghi recently received his bachelor's degree from the University of Milan, department of computer science. Now he works in an Italian IT security company as a Security Engineer. He is one of the creators of the "ettercap project".

The Superworm Manifesto
Brandon Wiley

Worms are a popular topic of news coverage in the computer security field. However, with the exception of the now ancient Morris worm, they have altogether failed to impress. The damage done by worms such as Code Red and Slammer was merely a sluggish Internet caused by the bandwidth wasted by the worms' inefficient methods of infection. Loss of income due to crashed servers, clogged connections, and time for disinfection fails to live up to the potential for anarchic apocalypse which we have been promised. This talk presents the Superworm Manifesto, a critique of the flawed designs of modern worms and a guide to designing a new breed of worms with novel capabilities for destruction, surveillance, and manipulation of the world's networking infrastructure. In addition to foretelling the imminent age of superworm warfare, the presentation will also propose a solution of sorts and detail the problems inherent in the solution.

Brandon Wiley is a respected member of the peer-to-peer hacker community. He helped establish the peer-to-peer movement by co-founding the Freenet project, a censorship-resistant publication system. After Freenet collapsed under the weight of its own politics, he moved on to create the Foundation for Decentralization Research, a non-profit organization promoting software projects to empower individuals and small groups through decentralized design. In his spare time he works to help people in China circumvent the Great Firewall, develops the next generation of censorship-resistant publication, and brings low-cost streaming Internet audio and video broadcasting to independent and pirate media stations.

Forensics with Linux 101: How to do Forensics for Free
Chuck Willis

A growing number of organizations want in-house capability to conduct forensic media analysis, but do not use this capability often enough to justify the high cost of commercial forensic suites. The answer for many organizations is to use free tools available under the Linux operating system to conduct media analysis. This presentation will be an unbiased look at using Linux to conduct computer forensics, including specific recommendations on what tools to use and which to avoid. In addition, the current limitations of free Linux tools and pitfalls to avoid will be discussed. Basic Linux knowledge and command line experience are assumed.

Chuck Willis received his M.S. in Computer Science from the University of Illinois at Urbana-Champaign in 1998. Since then, he has spent the past five years conducting computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. He is a Certified Information Systems Security Professional, as well as a Certified Forensic Computer Examiner. Chuck is currently in the process of separating from the military and will be starting a new career soon.

Return to the top of the page

IPsec: Opportunistic Encryption using DNSSEC
Paul Wouters, in close collaboration with NLnet Labs, RIPE NCC and the FreeS/WAN Project
With DNSSEC, it becomes possible to securely store public key information for various applications in the DNS hierarchy. We are going to use this ability to store and retrieve RSA keys to set up IPsec-based VPN tunnels using Opportunistic Encryption ("OE"). Hosts that support OE can communicate securely with each other through an IPsec tunnel, without prior arrangement or setup, and without prior secure out-of-band communication of their identity. This paves the way for massive deployment of IPsec as the de facto way of communicating over the Internet.

Furthermore, an OE-capable host can also be used to secure a whole subnet of machines which themselves do not support OE or even IPsec, such as a standard web farm. By extending DHCP with a special OE option, we can even secure WLANs by extruding a new IP address for use over an OE-negotiated IPsec tunnel, which results in encryption of all the wireless traffic.

These features will be deployed at the conference, and people will be available during the conference to assist you with setting up OE on your Linux laptop.

All the discussed features will of course also work with regular DNS to protect against passive attacks. However, with DNSSEC, you are also protected against active attacks. With more and more people using, and telcos deploying, Voice over IP calls, we can use these technologies to create an end-to-end secure telephony infrastructure.

At the time of writing, OE is only supported on Linux using FreeS/WAN, but porting efforts are underway to support OE on stock Linux 2.5 kernels. FreeS/WAN and OE already run on a variety of devices including the Sharp Zaurus handheld.
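As an added example, not FreeS/WAN's own code, here is the lookup an OE host performs when it first sees traffic for a new destination: form the in-addr.arpa name for the address, read the TXT records there, pick the X-IPsec-Server(priority)=gateway key record (the reverse-zone record form FreeS/WAN documented for OE), and unpack the RSA key from its RFC 3110 (formerly RFC 2537) wire format. The zone contents and the placeholder keys are constructed; the rule that the lowest priority value wins is an assumption; and the dnssec_validated flag stands in for a validating resolver's answer, carrying the abstract's caveat that without DNSSEC a spoofed record only leaves you protected against passive eavesdropping.

```python
import base64
import ipaddress
import re


# RFC 3110 RSA public key wire format: a 1-byte exponent length (or 0 followed
# by a 2-byte length), the exponent, then the modulus. FreeS/WAN stored this
# base64-encoded in DNS.
def encode_rsa_key(e, n):
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return base64.b64encode(hdr + eb + nb).decode("ascii")


def decode_rsa_key(b64):
    raw = base64.b64decode(b64)
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[off:off + elen], "big")
    n = int.from_bytes(raw[off + elen:], "big")
    return e, n


# Constructed placeholder keys: the right format, but not keys anyone uses.
KEY_A = encode_rsa_key(65537, (1 << 1023) | 0x10001)
KEY_B = encode_rsa_key(3, (1 << 1023) | 0x3)

# Constructed reverse-zone data standing in for a resolver's answers.
SAMPLE_ZONE = {
    "4.3.2.1.in-addr.arpa.": [
        "v=spf1 -all",                           # unrelated TXT record, must be ignored
        "X-IPsec-Server(20)=1.2.3.9 " + KEY_B,
        "X-IPsec-Server(10)=1.2.3.1 " + KEY_A,
    ],
    "8.8.8.8.in-addr.arpa.": [],                 # a host that publishes no OE record
}

OE_TXT = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")


def reverse_name(ip):
    """Reverse-map name where OE looks for the destination's key: 4.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_oe_txt(txt):
    """Return (priority, gateway, key_b64) for an OE TXT record, None for anything else."""
    m = OE_TXT.match(txt.strip())
    if not m:
        return None
    prio, gw, key = m.groups()
    try:
        ipaddress.ip_address(gw)                 # gateway must be a literal address
        base64.b64decode(key, validate=True)     # key must be well-formed base64
    except ValueError:
        return None
    return int(prio), gw, key


def lookup_oe(ip, zone, dnssec_validated):
    """Pick the OE gateway and key for ip, or None when OE must fall back to cleartext."""
    records = zone.get(reverse_name(ip), [])
    cands = [p for p in (parse_oe_txt(t) for t in records) if p]
    if not cands:
        return None
    prio, gw, key = min(cands, key=lambda c: c[0])  # lowest value preferred (assumption)
    e, n = decode_rsa_key(key)
    return {
        "gateway": gw,
        "priority": prio,
        "exponent": e,
        "modulus_bits": n.bit_length(),
        # With plain DNS an active attacker can answer the query with its own
        # gateway and key, so the tunnel only defeats passive sniffing.
        "resists_active_attacker": dnssec_validated,
    }


if __name__ == "__main__":
    print(lookup_oe("1.2.3.4", SAMPLE_ZONE, dnssec_validated=True))
    print(lookup_oe("1.2.3.4", SAMPLE_ZONE, dnssec_validated=False))
```

The design point is the last field: the key material is identical whether or not the answer was DNSSEC-validated, so an implementation has to track validation status separately and decide policy on it, rather than trusting a record merely because it parsed.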

Paul Wouters has been involved with Linux networking and security since he co-founded the Dutch ISP "Xtended Internet" back in 1996. His first article about network security was published in Linux Journal in 1997. Since then, he has written mostly for the Dutch spin-off of the German "c't magazine", focusing on Linux, networking and the impact of the digital world on society. He has presented papers at SANS, OSA, CCC and HAL.

He is currently involved with the FreeS/WAN project, a Linux IPsec stack that aims to bring Opportunistic Encryption to everyone. For this feature, a secure DNS is needed, which triggered his interest in assisting the widespread use of DNSSEC. Wouters received his Bachelor's degree in Education in 1993.

Return to the top of the page

[ Panel ] A Proposed Process for Handling Vulnerability Information: Finders and Vendors Collaborate
Scott Blake, VP Information Security, BindView Corp.
Scott Culp, Senior Security Strategist, Microsoft Corp.
Andre Frech, X-Force Research Team Lead, Internet Security Systems (ISS)
Rajiv Sinha, Manager of Security Compliance, Oracle Corp.
Vincent Weafer, Senior Director, Symantec Corp.
Chris Wysopal, Director of Research and Development, @stake

The Organization for Internet Safety has published a process for handling security vulnerability information drawing on the combined experience of several major software vendors and security researchers. Panelists represent some of these organizations and will speak to many issues surrounding the process, including its purposes, intended and unintended consequences, and plans for the future. Attendees are encouraged to ask the panel tough questions about the process and about how to generally improve user safety on the Internet.

Scott S. Blake, CISSP
As BindView's Vice President of Information Security, Mr. Blake is responsible for the functioning of RAZOR, a team of security experts providing security expertise to all of BindView's technologies and performing original research in computer and network security, as well as supervising BindView's operational security, risk management, and emergency response team. Additionally, Mr. Blake is responsible for BindView's Public Policy group. Mr. Blake was Director of Security Strategy at BindView before being promoted. Prior to joining BindView, Mr. Blake was Director of Technical Services for Netect where he was responsible for the Technical Support, Information Technology, and Pre-Sale Engineering groups. He also participated in the design of HackerShield, an award-winning vulnerability assessment scanner. Before Netect, Mr. Blake was Network Security Architect for Internet Security Corporation where he designed perimeter security, network security architectures, and developed security policies for several large companies including leaders in financial services and telecommunications, as well as several large hospitals and universities. Mr. Blake is frequently sought to speak at security and information technology conferences and by the media to comment on security issues. He is the author of several articles on various aspects of information security.

Mr. Blake is a Member Emeritus of the Common Vulnerabilities and Exposures Editorial Board, Member of the Open Vulnerability Assessment Language Editorial Board, and Chairperson of the Simon's Rock College Alumni Association Advisory Board. He holds a BA, cum laude, from Simon's Rock College, an MA in Political Sociology from Brandeis University, and is a Certified Information Systems Security Professional.

Scott Culp, Senior Security Strategist, Trustworthy Computing Team
Microsoft Corp.

Scott Culp is a Senior Security Strategist for Microsoft Corporation. He serves in this capacity as a member of the Trustworthy Computing Team, which has responsibility for catalyzing companywide improvements in Microsoft® products, services and infrastructures. Culp’s specific areas of focus include developing companywide security policies and procedures, evaluating the security of current Microsoft products and services, and conducting outreach to the critical infrastructure protection community.

Prior to his current role, Culp was a founder and then manager of the Microsoft Security Response Center (MSRC), where he helped develop and implement the processes associated with one of the industry’s leading security response capabilities. Before coming to Microsoft, Culp worked for 15 years in security-related fields, including communications security, cryptography and network defense.

Culp earned a master’s degree in computer science from Rensselaer Polytechnic Institute and a bachelor’s degree in computer science and math from Ohio Wesleyan University. He has two sons and has been married since 1990.

Andre Frech is a Team Lead, X-Force Research of Internet Security Systems, Inc. (ISS), a leading global provider of information protection solutions that secure IT infrastructure and defend key online assets from attack and misuse. By offering proactive security solutions for enterprise as well as small and medium business markets, Internet Security Systems is the trusted security provider for its customers, enabling safe, uninterrupted business operations. Established in 1994, Internet Security Systems is traded publicly on the Nasdaq (ISSX), and is one of the most widely recognized and valued information security brands in the world.

With over 10 years experience in documenting vulnerability research and technical analysis at leading technology companies, Frech is responsible for the X-Force Vulnerability and Threat Database, as well as a team of researchers maintaining the industry's most comprehensive online knowledge base on thousands of risks and threats addressed by Internet Security Systems products.

Prior to joining Internet Security Systems, Frech was previously employed as Senior Technical Writer at XcelleNet, Inc.

Frech holds a Bachelor’s degree in Information and Computer Science from the Georgia Institute of Technology.

Rajiv Sinha is Manager of Security Compliance at Oracle, a team he co-founded that is responsible for Oracle's product security response center, internal security training, product security design and review, and the establishment of secure development standards, practices and processes throughout Oracle. He plays an active role in the resolution of security vulnerabilities in Oracle's database, application and application server products, based on the weaknesses and vulnerabilities that his team, Oracle's internal hackers and other researchers identify and expose. Over his 8 years at Oracle, he has been a co-Security Product Manager for security of the Oracle Database, a software engineer for Oracle's Secure Network Services (now replaced by Oracle Advanced Security), and an active participant in 11 of Oracle's security evaluations to date. Rajiv holds undergraduate and graduate degrees in computer engineering and is pursuing an MBA from the University of California, Berkeley.

Vincent Weafer is responsible for the Symantec Security Response global research center teams. His mission is to advance the research into new computer threats & exploits and provide a comprehensive & rapid security response to today's blended security threats. His team has also been responsible for the development of key security technologies such as the Symantec extensible anti-virus engine technology, scanner heuristic detection technologies and threat acquisition and analysis infrastructure used by Symantec. Weafer has been quoted extensively in the global press and also speaks regularly at security conferences and seminars throughout the world.

Chris Wysopal is @stake's Director of Research and Development. As an associate of L0pht Heavy Industries he worked to expose the "snake oil" in the computer security industry and tried to make the general public aware of just how fragile the Internet and software products are. He released security advisories detailing security flaws in operating systems and application servers such as Microsoft Windows NT/2000, Lotus Domino, and Microsoft IIS. He co-authored the famous Windows password cracking program, L0phtCrack. In May of 1998 he testified as a computer security expert before the Senate Governmental Affairs Committee and has appeared as a security expert on several TV documentaries and network news programs. Chris developed commercial software for over 10 years for Lotus, AT&T, and Radnet. He worked as a corporate IT security engineer for BBN trying to securely implement and maintain large networks and applications. Finally, as a research scientist for L0pht and @stake he has worked with vendors to identify and fix security problems.

Return to the top of the page

Adversary Characterization and Scoring Systems
Dave Farrell, Founder, The Cyber Adversary Research Center
Toby Miller, independent security consultant
Tom Parker, Director of Research, Pentest Limited (UK)
Matthew G. Devost, Founding Director, Terrorism Research Center

Cyber adversary characterization is a topic which was conceived by the panel members alongside other members of the computer security and intelligence communities in an attempt to provide an accurate way to build profiles of cyber adversaries, much like the way in which criminal psychologists profile more traditional criminals.

The characterization metrics conceived attempt to provide both a characterization of theoretical adversaries, classing them based on statistics harvested from the wild, and an accurate way of characterizing an adversary at the incident response level by studying the methodologies used during the attack.

The panel will begin with an introduction to the topic, followed by in depth discussion regarding the various characterization metrics and their applications; toward the end, we will be taking questions from the floor.

Dave Farrell, The Cyber Adversary Research Center
Dave founded the Cyber Adversary Research Center (CARC) after organizing and hosting a workshop on cyber adversary characterization and modeling in August 2002. He has been studying the adversary's tools, tactics and motives in order to gain the knowledge to better defend against them. The defensive mindset has proven ineffective against most of the cyber adversary spectrum. Dave has portrayed the high-end cyber adversary for some number of years on Red Teams working with DARPA, DoD as well as other government agencies and corporate entities. He has performed vulnerability analysis in contained labs with early R&D prototypes as well as on live production networks. He has also been involved in the assessment of various cyber-related components within our country's critical infrastructure. He created a methodology called Adversary Perspective Analysis (APA) that has proven to be very effective in the vulnerability discovery process.

Mr. Farrell has been employed with startup security companies as well as National Laboratories performing security assessments of everything from low-level code within individual systems through complete complex integration efforts of multiple systems. Prior to that he made a living as a computer engineer, network/systems designer and administrator as well as being a mad-dog programmer in his software engineering days, thus bringing together over 20 years of related experience to apply to the field of information assurance.

Toby Miller
Toby Miller is an independent Security Consultant. He holds a bachelor's degree in computer information systems and is currently working towards his master's degree. Toby is a contributing author of Intrusion Signatures and Analysis and of Maximum Security, 3rd and 4th editions. Toby also publishes papers for SecurityFocus and SANS. Toby has spoken at various SANS conferences. Toby is also a certified GIAC Analyst.

Tom Parker, Director Of Research, Pentest Limited (UK)
Tom Parker is one of Britain's most prolific security consultants. He regularly contracts with international firms to provide integral security services. Tom is well known for his vulnerability research on a wide range of platforms and commercial products, developing proof-of-concept code to demonstrate flaws. Whilst with GIS he played a leading role in developing key relationships between public and private sector security communities. Tom has taken part in closed-door workshops on cyber adversary characterization and has furthered research into this topic under Pentest Limited, provider of security consultancy services throughout Europe. Tom is also known for his research into methodologies for secure transmission of video streams over corporate networks using satellite and multicast technology.

Matthew G. Devost, Founding Director, Terrorism Research Center
Mr. Devost is a Founding Director of the Terrorism Research Center, and currently serves as President and CEO overseeing all research, analysis, assessment, and training programs. In addition to his duties as President, Mr. Devost also provides strategic consulting services to select international governments and corporations on issues of counter-terrorism, information warfare, critical infrastructure protection, and homeland security. Mr. Devost also co-founded and serves as Executive Director of Technical Defense, Inc., a highly specialized information security consultancy.

Mr. Devost has been researching the impact of information technology on national security since 1993. Mr. Devost has provided support on Information Operations and information terrorism to the Department of Defense community, Presidential Commissions, and numerous other government, law enforcement and intelligence agencies. Mr. Devost has also provided information security consulting and intelligence analysis services to private corporations, including Fortune 500 companies and critical infrastructure owners.

Mr. Devost has appeared on CNN, MSNBC, FoxNews, NPR, CBS Radio, CBS News, BBC television, NWCN, Australian television and over four dozen other radio and television programs as an expert on terrorism and information warfare and has lectured or published for the National Defense University, the United States Intelligence and Law Enforcement Communities, the Swedish government, Georgetown University, American University, George Washington University, and a number of popular press books - magazines, academic journals and international conferences. Mr. Devost holds a B.A. degree from St. Michael's College and a Master of Arts Degree from the University of Vermont.

Return to the top of the page

[ Panel ] Hiring Trends in Information Security

Lee J. Kushner is the founder and CEO of L. J. Kushner and Associates, L.L.C. Mr. Kushner is a recruitment expert in the areas of Information Security, and Secure Electronic Commerce.

He is a leading authority on industry hiring trends and compensation and is regularly quoted in leading trade publications. He is a regular featured speaker on the topics of Security Hiring, Compensation Package Development, Industry Trends and Employee Retention. His conference speaking credits include: RSA, The Information Security Forum, The e-Security Conference, The Black Hat Briefings, Credit Card Fraud and Cybercrime and a number of ISSA chapters' annual conferences.

Mr. Kushner believes a successful recruitment professional must remain abreast of all developments in the Information Security industry. Accordingly, the firm's associates are regular attendees at conferences across the country. L.J. Kushner exhibits annually at leading conferences including Gartner, CSI, MIS Training Institute and several SANS Conferences.

Optimum sponsorship of the industry's leading associations, unparalleled commitment to the career goals of LJK's candidates and the firm's corporate clients in their quest to build winning teams have launched Mr. Kushner's reputation to the ranks of the most highly esteemed in the recruitment industry. Together with his savvy executive leadership and industry pledge he has positioned the firm as the premier and specialized Information Security recruitment services company, in the nation and around the world.

Mr. Kushner received a Bachelor of Science from East Carolina University and a Masters of Science from Ohio University.

Fred Rica, Partner – Global Risk Management Solutions, National Threat and Vulnerability Assessment Leader, PricewaterhouseCoopers

Fred Rica is a Partner in PricewaterhouseCooper’s Global Risk Management Solutions group and leader of the Threat and Vulnerability Assessment practice. Mr. Rica is a skilled technology professional with significant experience in managing the assessment, design and implementation of secure e*business environments and applications. Mr. Rica is a nationally recognized authority on the subject of security penetration studies and has performed or managed hundreds of penetration reviews of large and complex processing environments over the last ten years.

Mr. Rica has also been a frequent speaker and author on the subject of data security. Mr. Rica has spoken on the topic of computer security for many organizations and trade shows in North America, South America and the Far East such as Networks Expo, CSI and NetSec. Mr. Rica also served as Chairman of Web Defense and Co-Chairman of then-President Clinton’s Critical Infrastructure Assurance Office New York Summit. Mr. Rica was recently a panelist for the CIO Magazine Internet Security Forum and gave the opening remarks at the ITAA e-Security and Homeland Defense

Mr. Rica is a much sought-after commentator on the topic of risk management. He has been quoted by numerous major print and on-line publications including The New York Times, The Wall Street Journal, USA Today, Forbes, and Newsweek. Mr. Rica's articles have appeared in Infosecurity News, Secure Computing Magazine, Information Week and the San Francisco Examiner.

Mr. Rica is a regular contributor to the CNNfn shows “Digital Jam”, “New Economy Watch” and “Money and Markets”. Mr. Rica has also been a guest on CNBC’s “Power Lunch” and the CNN shows “Moneyline”, “Tough Call” and “CNNdotCOM”, the CNNfn shows “Business Unusual”, “Money Morning”, “Business Day” and “Market Update”, ABC News, Fox News, Bloomberg Radio, CBS Radio, WTKK and KIRO Radio. Mr. Rica was also featured in a Discovery Channel special on computer hacking.

Mr. Rica has helped some of the world’s foremost users of technology solve complex risk management issues including AT&T, AT&T Wireless, Chase, Depository Trust Company, Euroclear, J.P.Morgan, Mastercard, Prudential, RJR Nabisco, Sony Electronics, S.W.I.F.T., Swiss Re, U.S. House of Representatives, Verizon Wireless and Viacom.

Mr. Rica is a member of the Institute of Management Consultants and a Certified Management Consultant. Mr. Rica is also a Senior Fellow and Board Member of the Applied Management Sciences Institute.

In 2002 Mr. Rica was selected by Crain’s New York Business as one of their “40 Under 40” rising stars of New York business under the age of forty.

Return to the top of the page

[ Panel ] Hacker Court

Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand.

This presentation will enact a courtroom environment, complete with judge, jury, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining. For example, in a real court case, a juror would not be allowed to go to the bar for a drink during testimony.

Producer: Carole Fennelly
EmCee: Simple Nomad
Judge: Chief U. S. District Court Judge Philip M. Pro
Court Clerk: Caitlin Klein
Federal Marshal: Jack Holleran
Prosecutor: Richard Salgado
Defense Attorney: Jennifer Granick
Defendant: Weasel
Victim (Prosecution Witness): Brian Martin
CEO Getta Entertainment (Prosecution): Richard Thieme
Factual Witness (Prosecution): Ryan Bulat
Case Officer (Prosecution): Jesse Kornblum
Expert Witness (Prosecution): Edward Castronova (expert on gaming economy)
Expert witness (Defense): Jonathan Klein
Technical Assistant: Inertia

Carole Fennelly (producer):
Carole Fennelly is co-founder of the Wizard's Keys security consulting firm which has been providing security expertise to Fortune 500 clients in the New York Metropolitan area for more than ten years. Ms. Fennelly has also published numerous articles for IT World, Sunworld and Information Security Magazine. She has been a speaker at Blackhat and many other security conferences. She has over 20 years experience as a Unix Systems administrator specializing in security.

Richard Thieme
Richard Thieme is a business consultant, writer, and professional speaker focused on "life on the edge," in particular the human dimension of technology and work. He is a contributing editor for Information Security Magazine. Speaking/consulting clients include: GE Medical Systems; Los Alamos National Laboratory; Apache Con; Microsoft; Network Flight Recorder; System Planning Corporation (SPC); InfraGard; Firstar Bank; Financial Services - Information Sharing and Analysis Center (FS-ISAC); Psynapse/Center for the Advancement of Intelligent Systems; Cypress Systems; Assn. for Investment Management and Research (AIMR); Alliant Energy; Wisconsin Electric; UOP; Ajilon; OmniTech; Strong Capital Management; MAPICS; Influent Technology Group; FBI; US Department of the Treasury; the Attorney General of the State of Wisconsin; and the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas.

Jennifer Granick
Jennifer Stisa Granick is the Litigation Director of the public interest law and technology clinic at Stanford Law School's Center for Internet and Society. Ms. Granick's work focuses on the interaction of free speech, privacy, computer security, law and technology. She is on the Board of Directors for the Honeynet Project and has spoken at the NSA, to law enforcement and to computer security professionals from the public and private sectors in the United States and abroad. Before coming to Stanford Law School, Ms. Granick practiced criminal defense of unauthorized access and email interception cases nationally. She has published articles on wiretap laws, workplace privacy and trademark law.

Jonathan Klein
Jonathan Klein is president and co-founder of Wizard's Keys, a security consultancy located in New Jersey. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose independent consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan, discovering there is more to being a technical witness than purely technical knowledge. Most recently, he served as defense expert witness in U.S. vs. Oleg Zezev, the Russian citizen accused of hacking into Bloomberg LLP and making extortion demands.

Honorable Philip M. Pro,
Honorable Philip M. Pro, Chief United States District Judge for the District of Nevada. Judge Pro was appointed United States District Judge for the District of Nevada, at Las Vegas, on July 23, 1987.

Judge Pro also served as United States Magistrate Judge for the District of Nevada, from 1980 until his elevation to the District Court, during which he supervised pretrial proceedings in the MGM Grand Hotel Fire Litigation. Judge Pro received his J.D. degree from Golden Gate University School of Law in June 1972.

Brian Martin
Brian Martin is an outspoken security consultant in the Washington DC area. Brian has the relatively unique experience of being on both sides of an FBI investigation. His daily work takes him in and out of commercial and government networks, usually without sparking a law enforcement investigation. His work revolves around making recommendations based on cynical review of network and system security. He will be survived by his three cats and his EverQuest character.

Jesse Kornblum
SA Kornblum is the Chief, Computer Investigations and Operations for the Air Force Office of Special Investigations. A graduate of the Massachusetts Institute of Technology, he has experience running intrusion investigations and supporting other agents in more traditional investigations. He is currently responsible for developing tools and techniques to allow agents to conduct investigations.

Jack Holleran
Jack Holleran, CISSP, currently teaches Information Security at several colleges and the Common Body of Knowledge review for ISC2. In a past life, he was the Technical Director of the National Computer Security Center at the National Security Agency and Chair of the National Information Systems Security Conference.

Richard P. Salgado
Richard Salgado serves as Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice. Mr. Salgado specializes in investigating and prosecuting computer network cases, such as computer hacking, denial of service attacks, illegal sniffing, logic bombs, viruses and other technology-driven privacy crimes. Often such crimes cross international jurisdictions; Mr. Salgado helps coordinate and manage the investigation and prosecution of those cases. Mr. Salgado participates in policy development relating to emerging technologies such as the growth of wireless networks, voice-over Internet Protocol, surveillance tools and forensic techniques. Mr. Salgado serves as a lead negotiator on behalf of the Department in discussions with communications service providers to ensure that the ability of the Department to enforce the laws and protect national security is not hindered by foreign ownership of the providers or foreign located facilities. Mr. Salgado also regularly trains investigators and prosecutors on the legal and policy implications of emerging technologies, and related criminal conduct. Mr. Salgado is an adjunct law professor at Georgetown University Law Center where he teaches a Computer Crime seminar, and is a faculty member of the SANS Institute. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.

Weasel
Weasel is a freelance security consultant specializing in Intrusion Detection, Policy, Incident Response, Digital Forensics, Penetration Testing, and Security Awareness. He is also a charter member of an industry Information Sharing & Analysis Center and is a member of Nomad Mobile Research Centre.

Ryan Bulat
Ryan Bulat is an intern at Wizard’s Keys, where he is responsible for web site support. His interests are in Science and Technology as well as programming ( C ). When school doesn’t intrude, he is also an avid gamer who wonders why game stats aren’t included in college admissions along with SAT scores.

Edward Castronova
Edward Castronova, PhD, has been an Associate Professor of Economics at Cal State Fullerton since the fall of 2000. From 1991 to 2000, he was an Assistant and later Associate Professor of Public Policy at the University of Rochester.

Paul Ohm
Paul Ohm used to write code for a living. Then he went to law school, and he's never really been the same. He now works for the U.S. Department of Justice.

Myles Roberts
Myles Roberts attends the School of Law at the University of Virginia and serves as an intern to the Computer Crime and Intellectual Property Section at the U.S. Department of Justice. Prior to law school, Mr. Roberts worked at the Federal Aviation Administration and ran their Internet perimeter. He hopes to represent the first computer program that claims protection under the 13th Amendment.

Return to the top of the page

[ Panel ] The Law of Vulnerabilities
Panel by Gerhard Eschelbeck, Ph.D., CTO, Qualys Inc.

Moderator: Richard Thieme
The Panel: Mary Ann Davidson, JD Glaser, Jeff Moss, Simple Nomad, Phil Zimmermann

New vulnerabilities are discovered and published on a daily basis. With each such announcement, the same questions arise. How significant is this vulnerability? How prevalent is this vulnerability? How easy is this vulnerability to exploit? Are any of my systems affected by this vulnerability? Due to the lack of global vulnerability data, answers to these questions are often hard to find and risk rating is even more difficult.

As part of an ongoing research project, I have been gathering statistical vulnerability information for more than a year. Those vulnerabilities have been identified in the real world across hundreds of thousands of systems and networks. Users of the QualysGuard Vulnerability Assessment Service and any of its free evaluation services are automatically generating the raw data. This data is by no means identifiable to an individual user or system. However, it provides significant statistical data for research and analysis, which enabled me to define the Law of Vulnerabilities.

The Law of Vulnerabilities is derived from vulnerability data gathered during the past 18 months from over 185,000 individual systems. During this timeframe a collective amount of 1,100,000 vulnerabilities - reflecting five different levels of severity - has been identified. Furthermore, the responses to external events (i.e. availability of an exploit or worm taking advantage of a vulnerability) have been studied for the declaration of this new law.

Exclusive Announcements planned during the panel include:

  • New Research and Law
  • New Free Tool
  • New Blog


I. Research Presentation

A. Research Overview
The largest database in the world correlating aggregate vulnerability data.

1. 185,000 systems on the Internet
2. 1,100,000 vulnerabilities

B. Vulnerability Trends

1. High Profile Vulnerabilities Exploited
2. High Profile Vulnerabilities w/o Exploits
3. Important Vulnerabilities w/o Active Exploits

C. Vulnerability Declarations

1. Declaration on lifetime, turnover and impact of external events on
2. Declaration on the impact of vulnerability severity on the resolution priority.
3. Declaration on the overall severity trend over time

D. The Law of Vulnerabilities
Correlation between severity, lifetime, trends and predictions on vulnerabilities in real-world environments determined by the above declarations.

E. Summary

II. Panel Discussion

A. Research Validity
B. The Law of Vulnerabilities Impact
C. Suggested Actions

III. Committee Action

A. Committee Creation
B. Blog Introduction
C. Tool Introduction
D. Action Items
E. Summary

Gerhard Eschelbeck, CTO, Qualys
Gerhard Eschelbeck currently manages the largest and most up-to-date vulnerability database in the world. He is also responsible for protecting over 1000 corporate networks, including Tower Records, Mercedes Benz, and BlueCross BlueShield, via his innovative web service. Gerhard is a respected teacher, speaker, researcher and writer. His most well-known publications include Active Security, Automating Security Management, and Multi-Tier IDS. He holds several patents on related topics including security integration and security management. Gerhard is also founder of IDS GmbH, a secure remote tool company acquired by McAfee. Gerhard teaches in the field of network security at his alma mater, the University of Linz, Austria. Gerhard speaks regularly at events such as RSA, InfoSec, SANS, and CSI.

Mary Ann Davidson, Chief Security Officer, Oracle Corp.
Mary Ann Davidson is responsible for Oracle's product security, corporate infrastructure security and security policies, as well as security evaluations, assessments and incident handling. She joins Paul Gillin, VP editorial, TechTarget, on stage to discuss Oracle's security initiatives. You will not hear a sales pitch. On the contrary, Gillin poses questions to Ms. Davidson so you can best understand the pros and cons of Oracle's solutions and whether they fit with your own security initiatives. The floor is then opened up for your own specific questions - a great opportunity to acquire key advice from one of the industry's top security gurus.

Mary Ann represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC) and is on the editorial review board of the Secure Business Quarterly. Prior to joining Oracle in 1988, Ms. Davidson served as a commissioned officer in the US Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal. Ms. Davidson has a BSME from the University of Virginia and an MBA from the Wharton School of the University of Pennsylvania.

Richard Thieme, CEO, Thiemeworks, Inc
Richard Thieme is a business consultant, writer, and professional speaker focused on "life on the edge," in particular the human dimension of technology and work. He is a contributing editor for Information Security Magazine. Speaking/consulting clients include: GE Medical Systems; Los Alamos National Laboratory; Apache Con; Microsoft; Network Flight Recorder; System Planning Corporation (SPC); InfraGard; Firstar Bank; Financial Services - Information Sharing and Analysis Center (FS-ISAC); Psynapse/Center for the Advancement of Intelligent Systems; Cypress Systems; Assn. for Investment Management and Research (AIMR); Alliant Energy; Wisconsin Electric; UOP; Ajilon; OmniTech; Strong Capital Management; MAPICS; Influent Technology Group; FBI; US Department of the Treasury; the Attorney General of the State of Wisconsin; and the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas.

JD Glaser, President & CEO, NT OBJECTives, Inc.
Mr. Glaser has over a decade of experience in security assessment, application, and defense development. Mr. Glaser's technical expertise and commitment to the security industry have been demonstrated through the many free network and forensic tools he has provided through his company, NT OBJECTives, Inc. Previously, Mr. Glaser was tapped by Tripwire and Foundstone, Inc, to lead the development of their security products. Currently, NT OBJECTives, Inc has released the Fire and Water toolkit, designed specifically to address large-scale web security issues.

Jeff Moss, President & CEO, Black Hat Inc.
Jeff Moss founded Black Hat in 1997. He also began Def Con in 1992. In a previous life, Jeff worked for numerous firms including Ernst & Young and Secure Computing.

Simple Nomad, Founder, NMRC
Simple Nomad is the founder of the Nomad Mobile Research Centre, an international group of hackers that explore technology. By day he works as a Senior Security Analyst for BindView Corporation. He has spent years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, is a frequently sought lecturer at security conferences, and has been quoted in print and television media outlets regarding computer security and privacy.

Phil Zimmermann, Creator of PGP
A mythic figure in the computer industry, Philip Zimmermann is the creator of Pretty Good Privacy, for which he was the target of a three-year criminal investigation, because the government held that U.S. export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc, which was subsequently acquired by Network Associates (NAI). Prior to PGP, Phil was a software engineer for more than 20 years, specializing in cryptography and data security, data communications, and real-time embedded systems. Phil is currently consulting for a number of companies and industry organizations on matters cryptographic. He has received numerous technical and humanitarian awards for his pioneering work in cryptography and is a member of many industry organizations and boards. Phil has a BS in Computer Science from Florida Atlantic University.

(c) 1996-2007 Black Hat