Black Hat Digital Self Defense USA 2004

Black Hat Main Conference Overview

Black Hat USA 2004 topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Thinking Outside the Box–Embracing Globalization
Paul Simmonds, Global Information Security Director (CISO), Jericho Forum/ICI Plc.

The days of the corporate network, completely isolated behind a well-secured outer shell, are long gone; yet we continue to cling to this model. Global networks with no borders offer the potential of substantial savings in communications costs, maximum network agility and instant connectivity for clients and partners.

Can you secure this incredibly compelling business model, and provide a long-term business case for security where security contributes to the corporate bottom line and the CISO is seen to be a true partner in corporate strategic thinking? What does business need from its suppliers to make this a feasible reality? What do you need to be doing now to achieve this goal?

The problem has been defined. Now, the solution is being acted upon. This presentation will discuss significant new developments in the past three months towards embracing globalization.  

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI, working for the CIO Office in London.

Prior to joining ICI he spent a short time with a high-security European web hosting company as Head of Information Security, and before that seven years with Motorola, again in a global information security role. Paul is also a founding member of the Jericho Forum, a pan-global grouping of corporate companies working to define the issues and benefits of operating in a de-perimeterised environment.

In his career he has worked with many external agencies, including the FBI, Scotland Yard, Wiltshire Computer Crime and Wiltshire Child Protection. He has also been directly involved in two successful criminal prosecutions, giving evidence in one case.

Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication and is also a qualified kayak coach. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites.

He is married with three children and a very understanding wife and in the little spare time that he has teaches canoeing and runs charity radio stations.

Privacy, Economics and Immediate Gratification: Why Protecting Privacy Is Easy But Selling It Is Not
Dr. Alessandro Acquisti, Assistant Professor of Information Technology and Public Policy at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University; Research Fellow, Institute for the Study of Labor (IZA), and co-founder & former CEO, PGuardian Technologies, Inc.

Surveys have repeatedly identified privacy as one of the most pressing concerns of those using new information technology. In Internet sales alone, billions of dollars are said to be lost every year because of privacy fears. At the same time, academic research and security industry efforts have developed protocols and technologies to protect individuals' privacy in almost any conceivable scenario, from browsing the Internet to purchasing on- and off-line. There is demand, and there is supply. So why does the market not clear?

This talk will combine analysis of technology, economic tools, and behavioral psychology to explain why privacy enhancing technologies have failed to gain widespread adoption, while privacy and security of personal information have remained a concern for many.

Acquisti will apply lessons from the research on behavioral economics to understand the individual decision making process with respect to privacy. He will show that it is unrealistic to expect individual rationality in this context. Models of so-called "self-control problems" and "immediate gratification" offer more realistic descriptions of the decision process and are more consistent with currently available data. In particular, Acquisti will show why individuals who may genuinely want to protect their privacy might not do so because of psychological distortions well documented in the behavioral literature; he will show that these distortions may affect not only 'naive' individuals but also 'sophisticated' ones; and he will prove that this may occur even when individuals perceive the risks from not protecting their privacy as significant.

Lastly, Acquisti will present preliminary evidence from an ongoing series of surveys and experiments aimed at testing the rationality assumption in privacy-related decision making, and will recommend strategies that developers and security experts may consider when building usable privacy enhancing technologies.

Alessandro Acquisti is Assistant Professor of Information Technology and Public Policy at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University; a Research Fellow at the Institute for the Study of Labor (IZA); and the co-founder and former CEO of PGuardian Technologies, Inc, a provider of Internet security and privacy services.

Alessandro's work investigates the economics of privacy and information security, the economics of computers and AI, ecommerce, and cryptography. His research in these areas has been disseminated through journals, books, and leading international conferences, including Financial Cryptography, ACM Electronic Commerce, WEIS, WISE, AAMAS and AAAI Symposia. He has been a committee member for the PET workshop in 2003 and 2004 and for the Workshop on Economics and Information Security in 2004. In his current research, Alessandro combines economic methodologies and cryptographic tools. Alessandro also maintains a resource page on the economics of privacy.

Prior to joining the CMU faculty, Alessandro Acquisti researched at the Xerox PARC labs in Palo Alto, CA, with Bernardo Huberman and the Internet Ecologies Group; at JP Morgan London, Emerging Markets Research, with Arnab Das; and for two years at RIACS, NASA Ames Research Center, in Mountain View, CA, with Maarten Sierhuis and Bill Clancey. At RIACS, he worked on agent-based simulations of human-robot interaction onboard the International Space Station.

In 2000 he co-founded PGuardian Technologies, Inc. in Palo Alto, CA. PGuardian Technologies is a provider of Internet security and privacy services, for which Alessandro designed two currently pending patents. In a previous life, Alessandro worked as a classical music producer and label manager, arranger and lyricist (BMG Ariola/Universal), and soundtrack composer for theatre, television (RAI National Television) and indie cinema productions.

Alessandro Acquisti has lived and studied in Rome (Laurea, Economics, University of Rome), Dublin (M.Litt., Economics, Trinity College), London (M.Sc., Econometrics and Mathematical Economics, LSE), and in the San Francisco bay area, where he worked with John Chuang, Doug Tygar, and Hal Varian and received a Master's and a Ph.D. in Information Management and Systems from the University of California at Berkeley.

Publications and further information can be found at:

Phishing–Committing Fraud in Public
Phillip Hallam-Baker, Principal Scientist, VeriSign Inc.

In late 2003 the rate of phishing fraud suddenly began to escalate, leading to widespread media reports. Phishing fraud is impersonating a trusted party such as a bank in order to steal personal information such as credit card numbers or account details. This talk will describe real-life phishing incidents experienced by one of the largest on-call response teams in the field and the actions being taken by the industry to prevent or discourage future attacks.

Dr Phillip Hallam-Baker has been active in the development of security protocols for the World Wide Web since 1992. He has since made substantial contributions to many Internet protocols including HTTP, X.509/PKIX, OCSP, XKMS, SAML and WS-Security. He is currently the editor of the XKMS specification, a co-editor of the WS-Security specification and a co-author of various related specifications. He is also the editor-emeritus of the SAML specification. His research interest in countering phishing fraud began as part of his work on stopping spam. In addition to his extensive work in the security area Dr Hallam-Baker has a long-standing research interest in online collaboration systems.

Dr Phillip Hallam-Baker holds a degree in Electronic Engineering from Southampton University and a doctorate from the Nuclear Physics Department at Oxford University. He has held research positions at DESY, CERN and MIT and is currently Principal Scientist at VeriSign Inc.

Information Security Law Update: The Emerging Trend Toward Programmatic Information Security Management
Brad Bolin, Senior Security Consultant, Shavlik Technologies

There is an emerging trend from ad hoc information security practices toward a more strategic, programmatic approach to information security. Generally speaking, this means a trend toward more structured, comprehensive and documented information security management plans. This change to programmatic approaches is primarily driven by new laws, regulations and standards. We'll begin with a description of the evolution of these laws, regulations and standards, and their impact on information security, highlighting their increasingly regimented, programmatic nature. The presentation will then culminate in a prediction of what we can expect in the next few years in terms of new requirements placed on information security, and what security professionals can do to prepare for (as opposed to react to) these requirements.

Brad Bolin is a senior security consultant who brings an uncommon blend of experience and training to Shavlik’s information security consulting practice. As a licensed attorney, he is uniquely positioned to advise corporations on strategic risk management issues, such as the implications of contemporary data security laws and regulations. As a Certified Information Systems Security Professional (CISSP) with over 6 years of experience in network and security administration, including risk assessment and mitigation at a number of Minnesota’s largest companies, Brad possesses a wide variety of technical skills upon which to draw when confronting the issues faced by Shavlik’s clients.

Acting in Milliseconds—Why the Defense Process Needs to Change
Dominique Brezinski, Pyrogen

Why are attackers and worms so successful? Because the process we use to defend systems is too slow to protect against an opponent that uses a superior, faster process. Come watch me argue the case for this hypothesis and how the defense process might be changed in response.

A scenario is presented where a new vulnerability is disclosed at the same time a patch is made available and attackers and defenders are waiting to make use of the patch for their opposing purposes. The process both sides go through will be deconstructed using Boyd’s OODA loop model, and from the analysis we will see the attacker can win too often. Great.

Re-thinking the defense process, we will step back to see what we can generalize about vulnerabilities and the systemic conditions that make exploitation easier. We will also enumerate some general conditions that imply an exploit succeeded. From there I will take the stance that the defense process must be something that can be automated and discuss potential attributes of an automated response process. To put some meat on them bones there will be a demonstration of an implementation of an automated response system consistent with the one described. The demonstrated system will be made available, so you can tinker with it. We all love to tinker.

The presentation will try to stay out of the weeds and clouds, but still present some low-level technology and philosophical ideas. Attendees should gain some insight into the current state of attacker tools and methodologies and the possible future of computer defense. If nothing else attendees will be left with some Linux kernel modules and Python code that does some cool, geeky security juju. Come on, what more could you ask for?

Dominique Brezinski dabbles in things, from intrusion detection and response system developer to former AVP of Technology at In-Q-Tel. He has been employed by Decru, In-Q-Tel, Secure Computing, Internet Security Systems, Cybersafe, and Microsoft in various security engineering, consulting, testing, research, and management roles over the past decade. Dominique currently serves on the technical advisory board of Sana Security. When not in front of the keyboard writing kernel modules or hacking with Python, he spends time climbing rock, since it is the only thing that makes the code go away.

VICE - Catch the Hookers!
Jamie Butler, Director of Engineering, HBGary, LLC
Greg Hoglund, Founder, HBGary, LLC

Rootkits are the backbone of software penetrations. They provide stealth and persistent access to a computer system. Rootkits employ technology for covert exfiltration of data, IDS evasion, and anti-forensics. Rootkit technology is now incorporated into the most deadly of threats, network worms. Serious security professionals must understand rootkit technology in detail. Commercial anti-virus technology is woefully inadequate at dealing with the threat. There is no magic security tool that will protect your system. Rootkits now employ specific methods to evade many security utilities, including host-based intrusion prevention systems (HIPS).

This talk focuses on specific rootkit threats and more importantly, how intrusion-prevention software can be designed to detect these threats. Illustrated threats include direct kernel object manipulation (DKOM), hooking, and runtime code patching. We will release a new version of our freeware tool, called 'VICE', that can detect many of these rootkit threats.
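As an added example (not VICE's code, and not taken from the talk), the Python below performs the two checks a hook detector of this kind relies on, over constructed data: a function-table check that every SSDT or IAT entry points into the module that owns it, and an inline-prologue check for a JMP rel32, JMP [abs32] or PUSH/RET transfer at the start of a function that lands outside the owning module. The module ranges, the `evil.sys` driver, the table contents and the prologue bytes are all made up for the example; DKOM, which unlinks kernel objects rather than redirecting pointers, needs a different check and is not covered here.

```python
"""Hook-detection checks of the kind VICE performs, run over constructed data.

Two checks are shown:
  * function-table check: every entry of a pointer table (an IAT, or the
    kernel's SSDT) must point inside the image of the module that owns it;
  * inline-prologue check: the first bytes of a function must not be an
    unconditional transfer (JMP rel32, JMP [abs32], PUSH imm32 / RET) whose
    destination lies outside the owning module.
Module ranges, table contents and prologue bytes are all constructed.
"""
import struct

# Constructed module map: image name -> (base, end) of its mapped range.
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x806CD000),
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "evil.sys":     (0xF8A3C000, 0xF8A44000),   # the (constructed) rootkit driver
}

def owner_of(addr):
    """Name of the module whose mapped range contains addr, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None

def check_table(table, expected_owner):
    """Entries of table (name -> pointer) that do not point into expected_owner.

    Works for an IAT (expected_owner is the imported DLL) and for the SSDT
    (expected_owner is ntoskrnl.exe). Returns [(entry, pointer, owner), ...].
    """
    return [(entry, ptr, owner_of(ptr))
            for entry, ptr in table.items()
            if owner_of(ptr) != expected_owner]

def jmp_rel32(src, dst):
    """Construct the bytes of `jmp dst` placed at src (used to build test data)."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)

def transfer_target(func_addr, code):
    """Destination of a hook-style transfer at the start of a function, or None.

    Recognises JMP rel32 (E9), JMP dword ptr [abs32] (FF 25; the pointer slot
    address is returned, since its contents are not modelled here) and
    PUSH imm32 / RET (68 .. C3).
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack("<i", code[1:5])[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return struct.unpack("<I", code[2:6])[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack("<I", code[1:5])[0]
    return None

def check_prologues(functions, expected_owner):
    """functions: name -> (address, first bytes). Returns [(name, dest, owner)]
    for functions whose prologue transfers control out of expected_owner."""
    hits = []
    for name, (addr, code) in functions.items():
        dest = transfer_target(addr, code)
        if dest is not None and owner_of(dest) != expected_owner:
            hits.append((name, dest, owner_of(dest)))
    return hits

# Constructed SSDT fragment with one slot redirected into evil.sys.
SSDT = {
    "NtQuerySystemInformation": 0x8057D8E3,
    "NtQueryDirectoryFile":     0xF8A3D1A0,
    "NtOpenProcess":            0x80572D2E,
}

# Constructed prologues: an ordinary SEH frame setup (push imm32 followed by
# another push, so not a push/ret pair), a JMP rel32 hook and a PUSH/RET
# hook, both landing in evil.sys.
FUNCS = {
    "NtCreateFile":   (0x8056D4A0, bytes.fromhex("6864000000" "68A0B05680")),
    "NtEnumerateKey": (0x80574DDC, jmp_rel32(0x80574DDC, 0xF8A3D100)),
    "NtSetValueKey":  (0x8057A1C0, bytes.fromhex("68F0D2A3F8" "C3")),
}

def run_checks():
    """Run both checks against the constructed data and return the findings."""
    return {
        "ssdt": check_table(SSDT, "ntoskrnl.exe"),
        "prologues": check_prologues(FUNCS, "ntoskrnl.exe"),
    }

if __name__ == "__main__":
    for kind, hits in run_checks().items():
        for name, dest, owner in hits:
            print(f"{kind}: {name} -> {dest:#010x} ({owner or 'unmapped'})")
```

On a live system the module map comes from the loaded-module list and the tables from kernel or process memory; the point of the two checks is that they need no signature for the rootkit, only knowledge of where legitimate code is allowed to live.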

Jamie Butler is the Director of Engineering at HBGary specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Root-kit Technologies." Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. He holds a MS in Computer Science from the University of Maryland, Baltimore County. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention; buffer overflows; and reverse engineering. Jamie is also a contributor at

Greg Hoglund has spent the last few years working on automated reverse engineering problems. He has released several open source tools and presented on the subject matter at many security conferences. He founded HBGary, Inc. last year, his second commercial startup in the software security testing space. Hoglund recently authored the very successful book "Exploiting Software" (Addison Wesley). He offers the training program "Aspects of Offensive Rootkit Technology" several times a year. His side-projects include running the website.

Google Attacks
Patrick Chambet, IT Security Senior Consultant, EdelWeb - ON-X Group

Who knows that Google is a powerful attack tool, not only for pen-testers but also for other kinds of black hats? Few people are aware of how much critical information Google can reveal through carefully crafted searches: IP addresses, network architectures, machine roles, sometimes passwords.

In this talk we will take the point of view of pen-testers. We won't talk about classical spying and information warfare. The speaker's own pen-testing experience will be presented and some real-life cases described.

Patrick Chambet is a Senior Consultant with Edelweb SA (ON-X Group), a leading French company in the IT security domain. With 8 years of experience in this field, he is an expert in the security of Windows NT/2000/XP/2003 architectures and in security audits and pen tests.

He has managed many engagements in highly secured environments, including classified ones, and has led numerous audits and pen tests for large companies in several sectors.

He regularly speaks at international conferences (INFOSEC, EUROSEC, SPIRAL, SSTIC, BlackHat Europe, JIP, ...). He teaches IT security at several universities and frequently writes articles for the professional press. He contributed to the creation of MISC, a French IT security magazine read in Europe and Canada.

He is also an active member of the rstack team.

More information on his personal website.

Managing MSIE Security in Corporate Networks by Creating Custom Internet Zones
Patrick Chambet, IT Security Senior Consultant, EdelWeb - ON-X Group

Everyone is aware of MSIE vulnerabilities (real or potential), but a great many administrators have to live with MSIE on their corporate network. Few of them know and use its advanced security configuration options, such as Internet Zones and policies.

This talk will explain how to create your own Internet Zones, how to configure them to enforce your security policy, and how to allow only selected ActiveX controls rather than all of them.

Demonstrations will show that you can reasonably secure your users' browsing even if they use MSIE on your corporate network.

Program Semantics-Aware Intrusion Detection
Tzi-cker Chiueh, Professor, Stony Brook University/Rether Networks Inc.

One of the most dangerous cybersecurity threats is "control hijacking" attacks, which hijack the control flow of a victim application and execute arbitrary system calls under the identity of the victim program's effective user.

These attacks are dangerous because they do not require any special set-up and because production-mode programs with such vulnerabilities appear to be widespread. System call monitoring has been touted as an effective defense against control hijacking attacks because it can prevent remote attackers from inflicting damage upon a victim system even if they successfully compromise certain applications running on it. However, the Achilles' heel of the system call monitoring approach is the construction of an accurate system call behavior model that minimizes false positives and negatives. This presentation describes the design, implementation, and evaluation of a Program semantics-Aware Intrusion Detection system called PAID, which automatically derives an application-specific system call behavior model from the application's source code, and checks the application's run-time system call pattern against this model to thwart control hijacking attacks.

The per-application behavior model consists of the sites and ordering of the system calls made in the application, together with its partial control flow. Experiments on a fully working PAID prototype show that PAID can indeed stop attacks that exploit non-standard security holes, such as format string attacks that modify function pointers, and that the run-time latency and throughput penalties of PAID are under 11.66% and 10.44%, respectively, for a set of production-mode network server applications including Apache, Sendmail and the FTP daemon.
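To make the model concrete, here is an added toy monitor in Python; it is not PAID's implementation. Where PAID derives the model from the application's source at compile time, this example starts from a hand-constructed control-flow graph of a small network server in which every node is a system call site identified by the return address of the call, and then checks runtime traces for two of the conditions the abstract describes: a call made from an address that is not a known site (injected code), and a legitimate site reached by an ordering the graph does not allow (a redirected function pointer). The CFG, the addresses and the traces are all constructed.

```python
"""A toy program-semantics-aware system call monitor in the spirit of PAID.

PAID derives its model from the application's source at compile time. This
added example instead starts from a hand-constructed control-flow graph of
a tiny network server in which each node is a system call site (keyed by the
return address of the call) with its possible successor sites. The monitor
checks a trace of (site, syscall) events for:
  1. a call issued from an address that is not a known site (e.g. injected
     code on the stack), or a known site issuing a different syscall;
  2. a valid site reached by a transition the graph does not allow.
The CFG, addresses and traces below are constructed, not taken from PAID.
"""

# Constructed CFG: site address -> (syscall made at that site, successor sites)
SERVER_CFG = {
    0x08048A10: ("socket", {0x08048A2C}),
    0x08048A2C: ("bind",   {0x08048A44}),
    0x08048A44: ("listen", {0x08048A60}),
    0x08048A60: ("accept", {0x08048B12, 0x08048A60}),   # accept loop
    0x08048B12: ("read",   {0x08048B40, 0x08048B58}),
    0x08048B40: ("write",  {0x08048B58}),
    0x08048B58: ("close",  {0x08048A60}),
}
ENTRY_SITE = 0x08048A10

def build_model(cfg, entry):
    """Split the CFG into the two tables the monitor consults at run time."""
    return {
        "site_call":  {site: name for site, (name, _) in cfg.items()},
        "successors": {site: set(succ) for site, (_, succ) in cfg.items()},
        "entry":      entry,
    }

def check_trace(model, trace):
    """Validate trace (a list of (site, syscall) events).

    Returns (True, "ok", len(trace)) or (False, reason, index_of_offender).
    """
    prev = None
    for i, (site, name) in enumerate(trace):
        expected = model["site_call"].get(site)
        if expected is None:
            return False, f"{name} issued from unknown site {site:#010x}", i
        if expected != name:
            return False, f"site {site:#010x} makes {expected}, not {name}", i
        if prev is None:
            if site != model["entry"]:
                return False, "trace does not start at entry site", i
        elif site not in model["successors"][prev]:
            return False, f"no path {prev:#010x} -> {site:#010x} in CFG", i
        prev = site
    return True, "ok", len(trace)

MODEL = build_model(SERVER_CFG, ENTRY_SITE)

# Constructed traces.
NORMAL_TRACE = [
    (0x08048A10, "socket"), (0x08048A2C, "bind"), (0x08048A44, "listen"),
    (0x08048A60, "accept"), (0x08048B12, "read"), (0x08048B40, "write"),
    (0x08048B58, "close"), (0x08048A60, "accept"),
]
# Stack-resident shellcode calls execve after the overflowed read().
SHELLCODE_TRACE = NORMAL_TRACE[:5] + [(0xBFFFF7A0, "execve")]
# A function-pointer overwrite redirects control to a legitimate site
# (socket) that the CFG never reaches from read(): wrong ordering.
REDIRECT_TRACE = NORMAL_TRACE[:5] + [(0x08048A10, "socket")]

if __name__ == "__main__":
    for label, trace in [("normal", NORMAL_TRACE),
                         ("shellcode", SHELLCODE_TRACE),
                         ("redirect", REDIRECT_TRACE)]:
        print(label, check_trace(MODEL, trace))
```

The second attack trace is the interesting one: every event in it is a system call the program legitimately makes, from a site that legitimately makes it, so a model that only whitelists system call names or only whitelists call sites would accept it. Only the ordering derived from the control flow rejects it, which is why the abstract stresses partial control flow rather than a flat set of allowed calls.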

Dr. Tzi-cker Chiueh is currently an Associate Professor in the Computer Science Department of Stony Brook University, and the Chief Scientist of Rether Networks Inc. He received his B.S. in Electrical Engineering from National Taiwan University, M.S. in Computer Science from Stanford University, and Ph.D. in Computer Science from the University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER award in 1995. Dr. Chiueh's research interests are computer security, network/storage QoS, and wireless networking. Dr. Chiueh's group developed the world's fastest array bound checking compiler, which incurs less than 10% run-time overhead relative to unchecked programs under gcc, and built the world's fastest disk-based logging system, which completes a single-sector disk write operation within 450 microseconds.

Hacking Without Re-Inventing the Wheel
Nitesh Dhanjani, Sr. Consultant, Ernst & Young's Advanced Security Center
Justin Clarke, Manager, Ernst & Young's Rudolph W. Giuliani Advanced Security Center in New York

Home-grown applications and services are increasingly being implemented to suit corporate and individual needs. These custom applications and services are also susceptible to vulnerabilities, which must be scanned for quickly and effectively. In addition, closed-source scanning tool vendors often do not release checks for vulnerabilities until it's too late, and these costly scanning tools offer no vulnerability checks for the custom-made applications and services that may be widely deployed within a corporation. To cope with this, individuals and companies are forced to develop their own scanning tools in order to quickly scan for and identify vulnerabilities. This talk offers an alternative to developing scanning tools from scratch. There is no need to re-invent the wheel when open source tools such as Nessus, Hydra, and Nmap are flexible enough to have their functionality extended through their APIs and plugin mechanisms. This talk will teach the audience how to develop custom plugins for these popular tools in order to meet custom vulnerability scanning and enumeration needs.

Nitesh Dhanjani is a senior consultant for Ernst & Young's Advanced Security Center. He has performed network, application, web-application, wireless, source-code and host security reviews and security architecture design services for clients in the Fortune 500.

Nitesh is the author of "HackNotes: Unix and Linux Security" (Osborne McGraw-Hill). He is also a contributing author for the best-selling security books "Hacking Exposed 4" and "HackNotes: Network Security".

Prior to joining Ernst & Young, Nitesh worked as a consultant for Foundstone Inc., where he performed attack and penetration reviews for many significant companies in the IT arena. While at Foundstone, Nitesh both contributed to and taught parts of Foundstone's "Ultimate Hacking: Expert" and "Ultimate Hacking" security courses.

Nitesh has been involved in various educational and open-source projects and continues to be active in the area of system and Linux kernel development. He has published technical articles for various publications such as the O'Reilly Network.

Nitesh graduated from Purdue University with both a Bachelor's and a Master's degree in Computer Science. While at Purdue, he was involved in numerous research projects with the CERIAS (Center for Education and Research in Information Assurance and Security) team. During his research at Purdue, Nitesh was responsible for creating content for and teaching C and C++ programming courses to be delivered remotely as part of a project sponsored by IBM, AT&T, and Intel.

Justin Clarke is a Manager in Ernst & Young's Rudolph W. Giuliani Advanced Security Center in New York. He has over 6 years of security experience in network, web application, source code and wireless testing work for some of the largest organizations in the United States. Prior to joining E&Y in the US, Justin did corporate and government security work in New Zealand.

Justin is active in developing security tools for penetrating web applications, servers, and wireless networks, and as a compulsive tinkerer he can't leave anything alone without at least trying to see how it works. Justin got his Bachelor's degree in Computer Science from Canterbury University in New Zealand.

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis
Roger Dingledine, The Free Haven Project

Tor (second-generation Onion Routing) is a distributed overlay network that anonymizes TCP-based applications like web browsing, secure shell, and instant messaging. We have a deployed network of 30 nodes in the US and Europe, and the code is released unencumbered as free software. Tor's rendezvous point design enables location-hidden services—users can run a standard webserver or other service without revealing its IP.

I'll give an overview of the Tor architecture, and talk about why you'd want to use it, what security it provides, and how user applications interface to it. I'll show a working Tor network, and invite the audience to connect to it and use it.

Roger Dingledine is a security and privacy researcher. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users. Currently he consults for the US Navy to design and develop systems for anonymity and traffic analysis resistance. Recent work includes anonymous publishing and communication systems, traffic analysis resistance, censorship resistance, attack resistance for decentralized networks, and reputation.

Insecure IP Storage Networks: Problems with Network Attached Storage (NAS)
Himanshu Dwivedi, Director of Security Architecture, @stake, Inc.

The presentation will discuss the security problems with enterprise storage architectures using Network Attached Storage (NAS) devices, such as filers, NAS heads, and NAS gateways. The key objective of the presentation is to show the exposure of sensitive data and confidential information sitting on NAS devices. The presentation will demonstrate how storage devices, such as EMC and NetApp filers, are no more secure than the weak protocols they support, such as NFS, CIFS, FTP, and even HTTP.

The session will show common weaknesses of NAS devices supporting NFS and CIFS. Additionally, attacks that can be executed against NAS filers supporting NFS or CIFS will be demonstrated. Furthermore, the presentation will discuss how data stored in a default NAS installation is just as insecure as any default operating system, making NAS security just as important as that of any other entity on the local area network.
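As an added example of the kind of check such a review performs (not @stake's tooling), the Python below audits a Linux-style NFS exports table for the default-permissive settings an NFS-backed filer review typically flags: exports open to any host, read-write exports to a whole wildcard domain, no_root_squash (the client's root is root on the share) and insecure (requests accepted from unprivileged client ports, so any local user on a trusted client can forge them). The sample exports file is constructed; NetApp and EMC filers have their own option syntax, so this is the vendor-neutral form of the problem rather than a filer configuration. CIFS share ACLs are a separate check and are not covered here.

```python
"""Audit an NFS exports table for the weaknesses an NAS review typically flags.

The default NFS export on many filers behaves like any default OS install:
permissive until someone tightens it. This added example parses a Linux-style
/etc/exports (NetApp filers use their own option syntax, so the sample below
is constructed and vendor-neutral) and reports the classic findings: exports
open to any host, read-write exports to wildcard domains, no_root_squash
(remote root is root on the share) and 'insecure' (requests accepted from
unprivileged client ports, so any local user on the client can forge them).
"""

# Constructed sample, not a real filer configuration.
EXPORTS_SAMPLE = """\
# home directories, "temporarily" opened to everyone
/export/home    *(rw,no_root_squash)
/export/share   192.168.10.0/24(rw,sync,root_squash) *.corp.example(ro)
/export/backup  10.0.0.5(rw,insecure,no_root_squash)
/export/public  (ro)
/export/safe    10.0.0.0/8(ro,sync,root_squash,secure)
"""

def parse_exports(text):
    """Return [(path, [(client, {options}), ...]), ...].

    A client of '*' or an empty host before '(opts)' means 'any host'; a path
    with no client list at all is exported with default options to any host.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:                         # spec is 'host(opt,opt)' or '(opt)'
            host, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            clients.append((host or "*", options))
        exports.append((path, clients or [("*", set())]))
    return exports

def audit_exports(text):
    """Return [(path, client, finding), ...] for every weakness found."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            rw = "rw" in opts
            if host == "*":
                mode = "read-write" if rw else "read-only"
                findings.append((path, host, "exported %s to any host" % mode))
            elif host.startswith("*") and rw:
                findings.append((path, host, "read-write to an entire wildcard domain"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: client root is root on the export"))
            if "insecure" in opts:
                findings.append((path, host, "insecure: requests from unprivileged client ports accepted"))
    return findings

def hardened_line(path, host, opts):
    """Rewrite one export spec with the safe defaults re-applied.
    Policy choice made here: anything exported to '*' is forced read-only."""
    fixed = (set(opts) - {"no_root_squash", "insecure"}) | {"root_squash", "secure"}
    if host == "*":
        fixed.discard("rw")
        fixed.add("ro")
    return "%s %s(%s)" % (path, host, ",".join(sorted(fixed)))

if __name__ == "__main__":
    for path, host, finding in audit_exports(EXPORTS_SAMPLE):
        print("%-16s %-20s %s" % (path, host, finding))
```

Run against a real exports table, the findings list is the first pass of the "default NAS installation is just as insecure as any default operating system" argument above: the weak lines are the shipped behaviour, the `hardened_line` rewrite is what the review asks the storage team to apply.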

Himanshu Dwivedi is a Director of Security Architecture at @stake, Inc. At @stake, Himanshu leads the Storage Center of Excellence (CoE), which focuses research and training around storage technology, including Network Attached Storage (NAS) and Storage Area Networks (SAN). Himanshu is considered an industry expert in the area of SAN security, specifically Fibre Channel security. Himanshu has given numerous presentations and workshops on SAN security, including at the SNIA Security Summit, the BlackHat Security Conference, Storage Networking World, TechTarget, the Fibre Channel Conference, SAN-West and SAN-East.

Himanshu currently has a patent pending on a storage design architecture that he co-developed with other @stake professionals (U.S. Patent Serial No. 10/198,728). Additionally, Himanshu has written two books and a storage security chapter for a third. The titles are The Complete Storage Reference (Chapter 25, McGraw-Hill/Osborne), Storage Security Handbook (Neoscale Publishing), and Implementing SSH: Strategies for Optimizing the Secure Shell (Wiley Publishing). Himanshu has also published two white papers, "Storage Security" and "Securing Intellectual Property".

Attacking Obfuscated Code with IDA Pro
Chris Eagle, Associate Chairman, Computer Science Department, Naval Postgraduate School

Virtually every virus and worm circulating on the Internet today is "protected" by some form of obfuscation that hides the code's true intent. In the Windows world, where worms prevail, the use of tools such as UPX, ASPack, and teLock has become standard. Protecting malicious code is not the only goal of binary obfuscators, however; they can also be used to protect intellectual property. In the Linux world, tools such as Burneye and Shiva exist and can be used in ways similar to any Windows obfuscation tool.

To fight such methods, analysts have created specific tools or techniques for unraveling these code obfuscators in order to reveal the software within. To date, in the fight against malware, anti-virus vendors have had the luxury of focusing on signature development, since obfuscation of malware has presented little challenge. In response, malware authors are rapidly morphing their code in order to evade quickly developed and deployed signature-matching routines. What will happen when malware authors begin to morph their obfuscation techniques as rapidly as they morph their worms?

One program, Shiva, aims to do exactly that, although it was not designed specifically as a malware protection tool. Shiva forces analysis of malicious code to be delayed while analysts fight through each novel mutation of its obfuscation mechanism. This, in effect, gives the malware a longer period of time to wreak havoc before countermeasures can be developed.

This talk will focus on the use of emulated execution within IDA Pro to provide a generic means for rapidly deobfuscating protected code. Capabilities of the emulation engine will be discussed and the removal of several types of obfuscation will be demonstrated. Finally, the development of standalone deobfuscation tools based on the emulation engine will be discussed.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 18 years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering.

Information Hiding in Executable Binaries
Rakan El-Khalil

Information hiding (IH) techniques are widely researched in the context of watermarking or fingerprinting images and sound files, mainly as a means of copyright protection and piracy prevention/detection. Those media offer a significant amount of redundancy, lending themselves to the implementation of robust IH systems. Executables, however, do not offer such redundancy, and have so far proven a difficult and rarely used medium for steganographic and other IH purposes. The aim of this talk is to be an introduction to IH, with thorough coverage of state-of-the-art techniques for embedding into binaries. Hydan, a tool for performing such embeddings in machine code, will be presented. In addition to typical IH uses (steganography, watermarking), the tool and techniques shown can be used for anti-reverse-engineering, trusted application execution, frustrating some buffer overflow attacks, and as an engine for metamorphic viruses. An interesting property of the tool is that the executable remains the same size before and after embedding, while of course remaining functionally equivalent.
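As an added illustration of where the redundancy in machine code comes from (this is not Hydan's source), the Python below implements one of the substitution pairs Hydan exploits: `add r32, imm8` versus `sub r32, -imm8`, which leave the register in the same state and occupy the same three bytes, so the compiler's arbitrary choice between them can carry one bit. It works over a pre-disassembled list of instructions rather than raw bytes, since finding instruction boundaries needs a disassembler; the carrier function and the message are constructed, and the equal-size and equal-effect properties the abstract mentions are checked explicitly.

```python
"""Instruction-substitution steganography in x86 code, the idea behind Hydan.

`add r32, imm8` (opcode 83 /0 ib) and `sub r32, -imm8` (83 /5 ib) leave the
register in the same state and occupy the same three bytes, so which of the
two a compiler emitted can carry one bit without changing code size or
register behaviour (the carry flag can differ, which a real tool must check
the surrounding code does not depend on). Hydan uses this and several other
equivalent instruction pairs; this added example implements just the add/sub
pair over a pre-disassembled instruction list. The carrier is constructed.
"""

GRP1_IMM8 = 0x83      # opcode: group-1 ALU operation, r/m32, imm8
ADD, SUB = 0, 5       # ModRM reg field selecting add or sub

def decode_alu(instr):
    """(op, reg, imm) if instr is the register form of add/sub r32, imm8."""
    if len(instr) == 3 and instr[0] == GRP1_IMM8 and instr[1] >> 6 == 3:
        op, reg = (instr[1] >> 3) & 7, instr[1] & 7
        if op in (ADD, SUB):
            imm = instr[2] - 256 if instr[2] & 0x80 else instr[2]   # sign-extend
            return op, reg, imm
    return None

def encode_alu(op, reg, imm):
    return bytes([GRP1_IMM8, 0xC0 | (op << 3) | reg, imm & 0xFF])

def net_effect(instr):
    """(reg, value effectively added) for a usable carrier instruction, else None.
    An immediate of -128 has no negation in imm8, so it cannot carry a bit."""
    d = decode_alu(instr)
    if d is None or d[2] == -128:
        return None
    op, reg, imm = d
    return reg, (imm if op == ADD else -imm)

def capacity(instrs):
    return sum(1 for i in instrs if net_effect(i) is not None)

def embed(instrs, bits):
    """Return a copy of instrs carrying bits (0 -> add form, 1 -> sub form)."""
    if len(bits) > capacity(instrs):
        raise ValueError("message longer than carrier capacity")
    out, todo = [], list(bits)
    for ins in instrs:
        eff = net_effect(ins)
        if eff is not None and todo:
            reg, delta = eff
            bit = todo.pop(0)
            ins = encode_alu(ADD, reg, delta) if bit == 0 else encode_alu(SUB, reg, -delta)
        out.append(ins)
    return out

def extract(instrs, nbits):
    bits = []
    for ins in instrs:
        if len(bits) == nbits:
            break
        if net_effect(ins) is not None:
            bits.append(0 if decode_alu(ins)[0] == ADD else 1)
    return bits

def bits_of(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bytes_of(bits):
    """Inverse of bits_of; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

# Constructed carrier: a small function, already split into instructions.
CARRIER = [
    bytes.fromhex("55"),      # push ebp
    bytes.fromhex("89E5"),    # mov ebp, esp
    bytes.fromhex("83EC10"),  # sub esp, 0x10      (carrier slot)
    bytes.fromhex("8B4508"),  # mov eax, [ebp+8]
    bytes.fromhex("83C001"),  # add eax, 1         (carrier slot)
    bytes.fromhex("83E880"),  # sub eax, -128      (imm8 -128: not usable)
    bytes.fromhex("83C304"),  # add ebx, 4         (carrier slot)
    bytes.fromhex("83C410"),  # add esp, 0x10      (carrier slot)
    bytes.fromhex("C9"),      # leave
    bytes.fromhex("C3"),      # ret
]

if __name__ == "__main__":
    stego = embed(CARRIER, [1, 0, 1, 1])
    print(capacity(CARRIER), extract(stego, 4), [i.hex() for i in stego])
```

Four eligible instructions give four bits; Hydan's published rate of roughly one bit per 110 bytes of code comes from the same kind of counting over all the equivalence classes it knows, and the `net_effect` comparison between carrier and stego output is the functional-equivalence check that keeps the embedding invisible to the program itself.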

Rakan El-Khalil is currently on sabbatical in France. He is a recent MS CS graduate from Columbia University. While he was there he worked on a variety of projects at the CS Research Lab, such as an IDS that uses machine-learned models to detect network threats, and a syscall-based permission system on OpenBSD [predating systrace]. He was also responsible for the short-lived official KaZaA Linux client `kza'. Currently he is involved with The Bastard, a powerful Linux disassembler, and has been researching steganography and information hiding in machine code.


The Laws of Vulnerabilities for Internal Networks
Gerhard Eschelbeck, Chief Technology Officer & Vice President of Engineering, Qualys, Inc.

New vulnerabilities to internal networks are discovered and published on a daily basis. With each such announcement, the same questions arise. How significant is this vulnerability? How prevalent is this vulnerability? How easy is this vulnerability to exploit? Are any of my systems affected by this vulnerability? Due to the lack of global vulnerability data, answers to these questions are often hard to find and risk rating is even more difficult.

As part of ongoing research, Gerhard Eschelbeck of Qualys, Inc. has been gathering statistical vulnerability information for more than two years. Those vulnerabilities have been identified in the real world across hundreds of thousands of systems and networks. Users of the QualysGuard network security audit and vulnerability management web service and any of its related free evaluation services are automatically generating the raw data. This data is not identifiable to individual users or systems. However, it provides significant statistical data for research and analysis, which enabled Gerhard to define the Laws of Vulnerabilities for Internal Networks.

The Laws of Vulnerabilities for Internal Networks are derived from vulnerability data gathered during the past 30 months from over five million scans of individual systems. During this timeframe a collective amount of more than three million vulnerabilities, reflecting five different levels of severity, has been identified. Furthermore, the responses to external events (i.e. availability of an exploit or worm taking advantage of a vulnerability) have been studied for the declaration of this new law.

The presentation will also update the Laws of Vulnerabilities for Network Perimeters, originally presented at Black Hat in 2003.

Gerhard Eschelbeck is chief technology officer and vice president of engineering for Qualys, Inc. The QualysGuard network security audit and vulnerability management web service he created secures more than 150 Fortune 1000 companies. Among the company’s 1,400 customers are Hershey Foods, Hewlett Packard, and The Thomson Corporation. Gerhard is a respected teacher, speaker, researcher and writer. His published topics include Active Security, Automating Security Management, and Multi-Tier IDS. He holds several patents on inventions for security integration and security management. Gerhard is also founder of IDS GmbH, a secure remote tool company acquired by McAfee. Gerhard teaches in the field of network security at his alma mater, the University of Linz, Austria, where he earned Masters and Ph.D. degrees in computer science. Gerhard speaks regularly at events such as RSA, InfoSec, SANS, and CSI. He can be reached at This is Gerhard’s second speech at Black Hat.


Vulnerability Finding in Win32—A Comparison
FX, Phenoelit

There are several well-known techniques for finding a vulnerability in a closed-source product running on the Windows family of operating systems. Researchers tend to prefer one over the others for many different reasons. But a person entering the field and facing the problem of choosing the techniques appropriate for one particular task is often not aware of the pros and cons of each technique.

This talk will compare the most widely used techniques, where their strong and weak points are and how to combine them to perform vulnerability analysis on closed source applications. The techniques covered are:

  • Strictly manual testing
    This method requires little to no extra tools and proves to still be one of the most effective when it comes to security vulnerabilities in custom applications, especially those with proprietary protocols and interfaces.
  • Fuzzing
    In recent years, fuzzing has become a very popular vulnerability-finding method. It can be done with home-grown scripting as well as with more or less professional tools. Both approaches and the tools available will be discussed.
  • Static Binary Analysis
    Static binary analysis is perhaps the most well-established method for analyzing binaries of all types, not only for security vulnerabilities. The results are often hard-to-find but high-impact vulnerabilities in critical services. Required tools and prerequisite knowledge, as well as ways to estimate the time required, will be discussed.
  • Binary Diff
    This fairly recent method will be covered briefly, showing the effectiveness of static binary analysis combined with advanced techniques, with a focus on the real-world application of vulnerability analysis.
  • Runtime Analysis
    This method, with its roots in the early days of computing, is lately less often used for vulnerability analysis but can prove very effective. Especially in situations where the other methods show unexpected weaknesses, runtime analysis can reduce the time required drastically.

FX is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.


Cyber Jihad and the Globalization of Warfare: Computer Networks as a Battle Ground in the Middle East and Beyond
Peter Feaver, Alexander F. Hehmeyer Professor of Political Science & Public Policy, Duke University
Kenneth Geers, Analyst, Computer Investigations and Operations, Navy NCIS

This briefing addresses the world's first global Internet war: the cyber skirmishes associated with the Palestinian intifadah. What started out as a localized conflict spread to battles around the globe as forces sympathetic to either the Israelis or the Palestinians joined the fray. With the Middle East cyber war as a backdrop, this presentation will cover the ways in which people can try to affect the course of world history through coordinated action in cyberspace.

The authors first describe the globalized and asymmetric nature of modern warfare, the asymmetry of computer hacking, and the psychology of subcultures. They outline the legal issues surrounding cyber warfare, from the perspective of a lone hacker to a massive government intelligence service, and discuss the problems inherent in cyber retaliation and in the prosecution of hackers.

On the technical side, this briefing discusses the targeting of Internet sites for attack, and the strategies used by hackers to bring them down or merely leverage them in more subtle ways to support their cause. The primary focus is the means used by cyber commanders to accomplish political and/or social goals, in particular the creation of Web portals through which their foot soldiers are able to unite and rain network packets down upon their enemies.

Finally, this briefing examines the difference between the perception and the reality of cyber attacks. We address the strategies that national governments are employing to combat the threat, the potential impact of cyber attacks on military operations, and the vexing problem of Denial of Service attacks, Web defacements, and free speech. The authors assess the threat and the limits of the more powerful weapons in the cyber arsenal, and consider who might be the biggest target of cyber attacks in the coming years.

Peter D. Feaver (Ph.D., Harvard, 1990) is the Alexander F. Hehmeyer Professor of Political Science and Public Policy at Duke University and Director of the Triangle Institute for Security Studies (TISS). Feaver is co-directing (with Bruce Jentleson) a major research project funded by the Carnegie Corporation, "Wielding American Power: Managing Interventions after September 11." Feaver is author most recently of "Armed Servants: Agency, Oversight, and Civil-Military Relations" (Harvard Press, 2003), and co-author, with Christopher Gelpi, of "Choosing Your Battles: American Civil-Military Relations and the Use of Force" (Princeton University Press, 2004). He is co-editor, with Richard H. Kohn, of "Soldiers and Civilians: The Civil-Military Gap and American National Security" (MIT Press, 2001); and author of "Guarding the Guardians: Civilian Control of Nuclear Weapons in the United States" (Cornell University Press, 1992). He has published several other monographs and over thirty articles and book chapters on American foreign policy, nuclear proliferation, civil-military relations, information warfare, and U.S. national security. He won the Duke Alumni Distinguished Undergraduate Teaching Award in 2001 and the Trinity College Distinguished Teaching Award in 1994-95. In 1993-94, Feaver served as Director for Defense Policy and Arms Control on the National Security Council at the White House, where his responsibilities included counterproliferation policy, regional nuclear arms control, the national security strategy review, and other defense policy issues. He is a Lieutenant Commander in the U.S. Naval Reserve (IRR). He is married to Karen Feaver, and they have three children, two sons and a daughter.

Kenneth Geers (M.A., University of Washington, 1997) is a Computer Investigations & Operations analyst with the Naval Criminal Investigative Service (NCIS). His career at the Department of Defense also includes work at the National Security Agency, the Defense Intelligence Agency, an SAIC nuclear arms control support team, the John F. Kennedy Assassination Review Board, and the U.S. embassy in Brussels, Belgium. He is an expert in French and Russian, who finished first in a class of seventy at the Defense Language Institute at the Presidio of Monterey. Mr. Geers is the author of training and testing software to prepare U.S. Army Major Commands for Russian strategic arms inspections, and he has designed multiple U.S. Army Space and Missile Defense Command websites devoted to arms control. These days, he spends his time analyzing computer and network logs of all types. In his free time, he plays chess and serves as a SANS mentor in the Washington D.C. area. Over the years, he has taken the opportunity to see the world, stopping long enough to wait tables in Luxembourg, harvest grapes in the Middle East, climb Mount Kilimanjaro, and set his alarm clock for 3 AM in a strict Trappist monastery. He loves his wife Jeanne, and daughters Isabelle and Sophie.


Diff, Navigate, Audit: Three Applications of Graphs and Graphing for Security
Halvar Flake, Reverse Engineer, Black Hat

Halvar Flake is Black Hat's resident reverse engineer. Originating in the field of copy protection, he moved more and more towards network security after realizing the potential of reverse engineering as a tool for vulnerability analysis. He spends most of his screen time in a disassembler (or developing extensions for the disassembler), likes to read source code diffs with his breakfast and enjoys giving talks about his research interests. He drinks tea but does not smoke camels.


Pocket PC Abuse: To Protect and Destroy
Seth Fogie, VP, Airscanner

When most people look at a PDA, they see a harmless device that is handy for keeping a few notes, or maybe playing solitaire. What they don't realize is that this seemingly innocuous device is vulnerable to many of the same standard security threats that its big brother, the PC, faces on a routine basis. As a result, these little computers are often passed over as a security risk, which is good news for those with malicious intent.

This talk will start with a short overview of reverse-engineering Pocket PC (Windows Mobile) binaries, followed by several examples that segue into demonstrations of a live Pocket PC backdoor/Trojan and a nasty little buffer overflow attack. From here we examine airborne viruses and finish with several examples/demonstrations of how a PDA can be useful as a malicious hacker's tool.

Seth Fogie is the VP of Dallas-based Airscanner Corporation, where he oversees the development of security software for the Windows Mobile (Pocket PC) platform. Seth recently earned his Masters Degree in Information Technology, and has worked in several IT-related fields, from IT Manager to ISP support specialist. He has co-authored four technical books on information security, including the top-selling "Maximum Wireless Security" from SAMS, and the recently released "Security Warrior" from O'Reilly. Mr. Fogie frequently speaks at IT and security conferences, including Defcon (10 & 11), CSI, and Dallascon. In addition, Seth has co-authored the HIPAA medical education course for the Texas Medical Association and is acting Site Host for Security at Pearson Education's "" website, where he writes articles and reviews/manages weekly information security related books and articles.


Managing Hackers: The Top 8 Rules for Creating Productive Security Teams
James C. Foster (CISSP, CCSE), Deputy Director, Global Security Development for CSC

While commonly entrenched within bleeding-edge technology, most forget the importance and art of management and getting the very best out of your personnel investment – a.k.a. your largest and most valuable corporate asset. This talk aims to address the eight critical focal points that all information security managers must recognize and take action upon to ensure the ongoing success for their team. Building from the lessons learned and implemented while at Harvard, Wharton, Guardent, Foundstone, and now CSC, Foster will overview the “Top 8” principles for building and managing world-class information security teams.

James C. Foster (CISSP, CCSE), Deputy Director, Global Security Development for CSC, is responsible for the technical vision and development of security solutions within CSC. Prior to joining CSC, Foster was the Director of R&D for Foundstone Inc. and responsible for all aspects of product and corporate R&D initiatives. Foster was also a Senior Advisor and Research Scientist with Guardent Inc. (acquired by Verisign) and an adjunct author at Information Security Magazine (acquired by TechTarget). Foster has co-authored or contributed to books including Snort 2.0, Snort 2.1, Hacking Exposed 4th Ed, Special Ops Security, Intrusion Detection and Prevention, Anti-Hacker Toolkit 2nd Ed, Hacking the Code, and Anti-Spam Toolkit. Foster has an AS, BS, MBA and is currently a fellow at the University of Pennsylvania's Wharton School of Business.


Antivirus Software Tests: What you Need to Know!
Sarah Gordon, Senior Research Fellow, Symantec Corporation

There is a plethora of antivirus software tests available; magazines, universities, and commercial organizations abound with reports of antivirus software performance. However, you need to know what these tests actually measure in order to evaluate and interpret the test, and that may be more complicated than it sounds! For example, tests that show “100% detection” may not tell you that it took the product 4 tries to get there, or that the things it's detecting aren’t even viruses; some testers may create or modify viruses for testing, creating a test that looks and sounds sexy and inviting, but that does not measure what users are likely to encounter. This fast-paced presentation examines the current state of affairs in antivirus software testing and takes a look at the strengths and weaknesses of available tests so that you can more critically evaluate the tests that help you make decisions about protecting your corporation’s data.

Sarah Gordon is a Senior Research Fellow at Symantec Security Response. Her current research areas include testing and standards for antivirus and security software, privacy issues, cyberterrorism and psychological aspects of human/computer interaction. She has been featured in diverse publications such as IEEE Monitor, The Wall Street Journal and Time Digital, and profiled by PBS, ITN, and CNN International. A highly sought-after speaker, Sarah has presented at conferences ranging from DEFCON to Govsec. She serves on the Editorial Board for Elsevier Science Computers and Security Journal, and is Senior Editor of Network Security Magazine. She also serves on the Advisory Board of Virus Bulletin, and is both a co-founder and board member of The WildList Organization International. She is just completing a four-year term as Technical Director of The European Institute for Computer Antivirus Research, where she also serves on the organization's conference committee.

Responsible for security testing and recommendation for The United Nations, Sarah participates in various initiatives for Homeland Security and Infrastructure Protection. She was chosen to represent the security industry in "Facts on File: Careers for Kids who Like Adventure"; her work in ethics, technology and profiling computer criminals is required coursework in various academic information security programs. She is committed to excellence in information security education, guest lecturing at Universities world-wide on topics ranging from virus writers and hackers to the truth about cyberterrorism.

Sarah's undergraduate work focused on special projects in both UNIX system security and ethical issues in technology. She holds a Master's Degree in Professional Counseling/Human Behavior. Prior to joining Symantec, she worked with the Massively Distributed Systems Group at IBM's Thomas J. Watson Research Laboratory in New York in the AntiVirus Research and Development Team. She lives with her husband Richard in Florida, where she enjoys singing, songwriting, swimming, shelties and sunsets.


Privacy: Do As I Say….Not as I Do!
Sarah Gordon, Senior Research Fellow, Symantec Corporation

We’ve heard the saying “Do As I Say, Not as I Do”, and it applies now to information security! People say they value privacy, defined herein as the control of disclosure of information about themselves and/or their transactions. This is true almost universally, even when they differ on their definition of control or what is ‘private’ data. However, despite this valuation, you may be shocked to learn that many people, specifically information security professionals, do not conform to functional behaviours that reinforce this control, putting valuable information of all types at risk. The study upon which this presentation is based showed that information security professionals in the US, UK and EU often fail to take advantage of technical and policy solutions that could help mitigate risks to their corporation. It is a wake-up call for corporations worldwide, and challenges the attendee to examine his or her own behaviour in light of his or her corporate security culture.

Sarah Gordon is a Senior Research Fellow at Symantec Security Response. Her current research areas include testing and standards for antivirus and security software, privacy issues, cyberterrorism and psychological aspects of human/computer interaction. She has been featured in diverse publications such as IEEE Monitor, The Wall Street Journal and Time Digital, and profiled by PBS, ITN, and CNN International. A highly sought-after speaker, Sarah has presented at conferences ranging from DEFCON to Govsec. She serves on the Editorial Board for Elsevier Science Computers and Security Journal, and is Senior Editor of Network Security Magazine. She also serves on the Advisory Board of Virus Bulletin, and is both a co-founder and board member of The WildList Organization International. She is just completing a four-year term as Technical Director of The European Institute for Computer Antivirus Research, where she also serves on the organization's conference committee.

Responsible for security testing and recommendation for The United Nations, Sarah participates in various initiatives for Homeland Security and Infrastructure Protection. She was chosen to represent the security industry in "Facts on File: Careers for Kids who Like Adventure"; her work in ethics, technology and profiling computer criminals is required coursework in various academic information security programs. She is committed to excellence in information security education, guest lecturing at Universities world-wide on topics ranging from virus writers and hackers to the truth about cyberterrorism.

Sarah's undergraduate work focused on special projects in both UNIX system security and ethical issues in technology. She holds a Master's Degree in Professional Counseling/Human Behavior, and a PhD in Computer Science. Prior to joining Symantec, she worked with the Massively Distributed Systems Group at IBM's Thomas J. Watson Research Laboratory in New York in the AntiVirus Research and Development Team. She lives with her husband Richard in Florida, where she enjoys singing, songwriting, swimming, shelties and sunsets.


A Historical Look at Hardware Token Compromises
Joe Grand, President & CEO, Grand Idea Studio, Inc.

This talk examines the details behind successful hardware attacks on early authentication tokens: two USB devices and one iButton device. We'll be looking at the methods used to compromise the devices and gain access to private data stored on them without having legitimate credentials. Our attacks were based on an approach of using only common, off-the-shelf tools, yet we still succeeded in defeating the security features. While learning from history is important to avoid repeating the same design mistakes, we'll also look at some of the newer authentication tokens and hypothesize about potential attacks.

Joe Grand is the President and CEO of Grand Idea Studio, a product development and intellectual property licensing firm.

A nationally recognized name in computer security, Joe's pioneering research on mobile devices, digital forensics, and embedded security analysis is published in various industry journals. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty", a co-author of "Stealing The Network: How to Own A Continent", and is a frequent contributor to other texts. As an electrical engineer, Joe specializes in the invention and design of breakthrough concepts and technologies. Many of his creations, including consumer electronics, medical products, video games, and toys, are licensed worldwide.

Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He has presented his work at numerous academic, industry, and private forums, including the United States Air Force Office of Special Investigations and the IBM Thomas J. Watson Research Center. Joe holds a BSCE from Boston University.


Introduction to Embedded Security
Joe Grand, President & CEO, Grand Idea Studio, Inc.

The design of secure hardware is often overlooked in the product development lifecycle, leaving many devices vulnerable to hacker attacks resulting in theft of service, loss of revenue, or a damaged reputation. Many times, products must be redesigned after a harmful incident, which raises overall development costs and increases time-to-market. This paper focuses on general concepts for secure hardware design coupled with practical examples. Topics in this talk include recommendations on incorporating security into the product development cycle, attack and threat models, and design solutions for enclosure, circuit board, and firmware layers.

Joe Grand is the President and CEO of Grand Idea Studio, a product development and intellectual property licensing firm.

A nationally recognized name in computer security, Joe's pioneering research on mobile devices, digital forensics, and embedded security analysis is published in various industry journals. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty", a co-author of "Stealing The Network: How to Own A Continent", and is a frequent contributor to other texts. As an electrical engineer, Joe specializes in the invention and design of breakthrough concepts and technologies. Many of his creations, including consumer electronics, medical products, video games, and toys, are licensed worldwide.

Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He has presented his work at numerous academic, industry, and private forums, including the United States Air Force Office of Special Investigations and the IBM Thomas J. Watson Research Center. Joe holds a BSCE from Boston University.


Legal Liability and Security Incident Investigation
Jennifer Stisa Granick, Lecturer in Law and Executive Director of the Center for Internet and Society (CIS) at Stanford University

Companies and governments use various techniques to investigate when computer break-ins happen, and to learn more about potential intruders. But these techniques can invade the privacy of entities other than the suspect, and violate privacy laws. Additionally, regulations may define different investigative techniques themselves as attacks or intrusions. There is little legal guidance in this area, and a lot of uncertainty. This talk will discuss the legality of network scans, war driving, borrowing wireless connectivity, sniffers, "hack-back", social engineering and other techniques under U.S. law.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.


RF-ID and Smart-Labels: Myth, Technology and Attacks
Lukas Grunwald, CTO, DN-Systems Enterprise Internet Solutions GmbH

This talk provides an overview of RF-ID Smart-Labels, small labels on products with an embedded microchip and an antenna. Smart-Labels store product and serial number, expiration date etc. and can be read from a distance.

The industry is planning to put these labels with an international product code on every product within the next decade, effectively replacing the old bar-code system. Some stores already use Smart-Labels, for example certain pharmacies in the US, and in Europe the Metro Group in their Future Store.

At the end of this talk there is a practical demonstration of RF-DUMP, my tool to read and write Smart-Labels, check their meta-data and manipulate it.

Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally acting consulting office working mainly in the field of security and internet/eCommerce solutions for enterprises.

Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in security of wireless and wired data and communication networks, Forensic Analysis, Audits and Active Networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in conferences such as Hackers at Large, Hacking in Progress, Network World, Internet World, Linux World (USA/Europe), Linux Day Luxembourg, Linux Tag, and the CeBIT Conference.


NoSEBrEaK - Defeating Honeynets
Thorsten Holz, RWTH-Aachen University
Maximillian Dornseif, RWTH-Aachen University

Honeynets are one of the more recent toys in the white-hat arsenal. They are usually assumed to be hard to detect, and attempts to detect or disable them can be unconditionally monitored. Sometimes it is even suggested that deploying honeynets is a way to increase security.

We scrutinize this assumption and demonstrate a method by which a host in a honeynet can be completely controlled by an attacker without any substantial logging taking place. We show how to detect honeynets, circumvent logging on a honeynet and finally 0wn a honeynet hard, disabling all of a honeypot's security features, and present the tools to do so.

While the talk is fairly technical, a basic knowledge of how shellcode and the like works should be enough to follow it.

Maximillian Dornseif has studied law and computer science at the University of Bonn, Germany, where he wrote his PhD Thesis about the "Phenomenology of Cybercrime". He has been doing security consulting since the mid nineties. His clients have included industry as well as government. At the moment he works on a third-party funded research project about measurement of security and security breaches taking place at the Laboratory for Dependable Distributed Systems, RWTH Aachen University. He also oversees several other projects in the area of detection and documentation of security incidents. Dornseif has published in the legal and computer science fields on a wide range of topics.

Thorsten Holz is a research student at the Laboratory for Dependable Distributed Systems at RWTH Aachen University where he is trying to bring a solid scientific foundation to Honeynet research. He is going to graduate next spring and will probably continue his studies as a Ph.D. student.


Blind SQL Injection Automation Techniques
Cameron Hotchkies

Because of improper software design and implementation practices, the number of web-based applications vulnerable to SQL injection is still alarmingly high. Yet the actual steps used to exploit these applications remain very tedious and repetitive. This presentation will focus on methods available to automate the task of exploiting blind SQL injection holes and will discuss the use of pattern recognition in the domain of web applications. This talk will also feature a new tool, "SQueaL", and explain some of the research, decisions and algorithms used in the creation of this tool.

Cameron Hotchkies, aka nummish, is a member of the digital think-tank. He currently works outside the security industry developing business-based web applications on the .NET platform. Outside of work, he generally spends most of his time writing code. Some people have suggested he get out more. He is currently struggling to write code to teach him how to properly pronounce the word "about".

WorldWide WarDrive 4: An Analysis of Wireless Security Trends
Chris Hurley aka Roamer

The WorldWide WarDrive is an effort by security professionals and hobbyists to generate awareness of the need by individual users and companies to secure their access points. The goal of the WorldWide WarDrive (or WWWD) is to provide a statistical analysis of the many access points that are currently deployed. Chris Hurley (aka Roamer), the founder of the WorldWide WarDrive will present a statistical analysis of the results from the fourth WorldWide WarDrive and an analysis of those results compared to past years.

Chris Hurley (aka Roamer) is an Information Assurance Engineer working in the Washington D.C. area and is the author of "WarDriving: Drive, Detect, Defend: A Guide to Wireless Security" from Syngress Publishing. His experience ranges from Security Engineering and Architecture to vulnerability assessments and penetration testing on both wired and wireless networks. In addition to running the WorldWide WarDrive he organizes the annual DefCon WarDriving contest.

The Black Ops of DNS
Dan Kaminsky, aka Effugas, Senior Security Consultant, Avaya's Enterprise Security Practice

The Domain Name System is a powerful, flexible, and integral part of the Internet. Somewhat analogous to the 411 information service offered throughout the American telephone system, DNS's most common use is to translate names—such as—to addresses— But behind this deceptively simple operation lies a complex and interesting system, distributed widely but with a deeply centralized core. Though most commonly used to execute simple translations of the sort mentioned earlier, three aspects of the machinery lend themselves to more creative exploits. By creatively abusing the hierarchical, recursive, and cache-oriented nature of the multi-million-node DNS architecture, we can effect a range of unexpected functionality, including firewall penetration, bidirectional anonymous communication, large scale data transmission, and even "Voice over DNS".

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", was a co-author of "Stealing The Network: How To Own The Box", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

You can contact dan at: kaminsky at avaya døt com and

Nobody’s Anonymous—Tracking Spam and Covert Channels
Curtis Kret, Researcher, Secure Science Corporation

Viagra! Work from home! Who sends this stuff? And what if not all Spam is what it appears to be? This talk discusses forensic methods for identifying forged emails and tracking individual senders who would otherwise be anonymous.

This presentation demonstrates how to apply data forensics to spam in order to identify the sender of specific spam messages. Some senders can be identified by name, while others can be distinguished by attributes such as preferences, nationality, religion, and even left-handedness. Five spam categories are provided that classify spam by function, including List Makers, Scams, and Covert Communication channels. The examples provided include full-disclosure case studies: a phishing gang that targets bank customers with malware and impersonations, and an IRC group that uses spam as a covert communication channel.

Curtis Kret has a Ph.D. in Computer Science and over 15 years of computer security experience. His current research focuses on methods to track “anonymous” people and applying the research to spam. Dr. Kret is a researcher for Secure Science Corporation’s External Threat Assessment Team.

Secure Science Corporation is a professional services and software company that develops advanced technology dedicated to protecting online assets. Secure Science Corporation is pioneering innovative ways to transform the Internet into a secure environment for both online communications and transactions.

Bluesnarfing - The Risk From Digital Pickpockets
Adam Laurie, Chief Security Officer, A.L. Digital Ltd & The Bunker
Martin Herfurt, Salzburg Research Forschungsgesellschaft mbH

In November 2003, Adam Laurie of A.L. Digital Ltd. discovered serious flaws in the authentication and data transfer mechanisms on some bluetooth enabled devices, and, in particular, mobile phones including commonly used Nokia and Sony Ericsson models. Shortly thereafter, Martin Herfurt of Salzburg Research Forschungsgesellschaft mbH expanded on these problems, and teamed up with Adam to investigate further.

This talk will cover the issues arising out of these flaws, including loss of personal data, identity theft, phone tapping, tracking, fraud and theft of service. The threat to individuals and corporates will be examined, and statistics and examples from the real world presented, as well as live demonstrations of each of the problems.

This will be a fun talk and a real eye-opener for those with bluetooth enabled devices.

For further background information on the issue, see:

Adam Laurie is Chief Security Officer and Director of AL Digital Ltd. and The Bunker. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

Martin Herfurt is a researcher at the Salzburg Research Forschungsgesellschaft m.b.H and a lecturer in the Telecommunications Engineering Degree Program at the Salzburg University of Applied Sciences and Technologies.

He completed his Telecommunications Engineering Degree at the Salzburg University of Applied Sciences and Technologies in 2001. Alongside his study Martin was involved in numerous industry projects, providing him with commercial programming practise.

In 2000 Martin followed up his formal study with a four-month internship at the TELCOT telecommunications institute in San Ramon, California, USA.

Since the second half of 2000 Martin has been working as a full time researcher at Salzburg Research Forschungsgesellschaft m.b.H. His project responsibilities range from the co-ordination of a European IST project with a total budget of over 5 million Euro to software agents development.

Together with a Salzburg Research colleague, Martin began in the summer of 2003 a class on mobile data services at the Salzburg University of Applied Sciences and Technologies.

Martin is also currently working on a PhD in computer science at the University of Salzburg.

As part of his fascination with the rapid development in computer programming Martin has become a regular participant in the Chaos Communication Congress which is a yearly meeting of the German hacker association CCC.

All New Ø-Day
David Litchfield, Founder, Next Generation Security Software

This presentation will be entirely new and never seen before. Code included.

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine, who voted him 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft and Oracle products).

David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world leading vulnerability research and the continued development of cutting edge security assessment software, David has also written or co-authored a number of security related titles including "SQL Server Security", "Shellcoder's Handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle".

You got that with GOOGLE?
Johnny Long, CSC

This presentation explores the explosive growth of a technique known as "Google Hacking". When the modern security landscape includes such heady topics as "blind SQL injection" and "integer overflows", it's refreshing to see such a deceptively simple tool bent to achieve such amazing results; this is hacking in the purest sense of the word. Attendees will learn how to torque Google to detect SQL injection points and login portals, execute port scans and CGI scans, fingerprint web servers, locate incredible information caches such as firewall and IDS logs, password databases, SQL dumps and much more - all without sending a single packet to the target! Borrowing the techniques pioneered by malicious "Google hackers", this talk aims to show security practitioners how to properly protect clients from this often overlooked and dangerous form of information leakage.

The speaker, Johnny Long, maintains the Internet's most comprehensive database of Google exposures on his website.

Johnny Long did not develop his skills within the hallowed halls of higher learning but rather by spending way too many late nights huddled in front of his computer, developing his anti-social tendencies.

Mr Long (Johnny's professional alter-ego) has previously presented at SANS and other computer security conferences nationwide. In addition, he has presented before several government alphabet-soup entities including three starting with the letter 'A', four starting with the letter 'D', a handful starting with the letters 'F' and 'S' and two starting with the today's letter, the letter 'N'. During his career as an attack and penetration specialist, Mr Long has performed active network and physical security assessments (one in the cube is worth twenty on the net) for hundreds of government and commercial clients.

Johnny Long is the author of 'Penetration Testing with Google', available December 2004 from Syngress Publishing.

The Evolution of Incident Response
Kevin Mandia, President, Red Cliff Consulting

During the course of 2003, Mr. Kevin Mandia responded to over 20 computer security incidents at some of America's largest organizations. Mr. Mandia was on the front lines assisting these organizations in responding to international computer intrusions, theft of Intellectual Property, electronic discovery issues, and widespread compromise of sensitive data. During his efforts to resolve these incidents, many similar challenges and issues confronted each organization. During this presentation, Mr. Mandia re-enacts some of the incidents, provides examples of how these incidents impacted organizations, and discusses the challenges that each organization faced. He demonstrates the "State-of-the-Art" methods being used to perform Incident Response, and how these methods have not really evolved since 1988. He outlines the need for new technologies to address these challenges, and what these technologies would offer. He concludes the presentation by discussing emerging trends and technologies that offer strategic approaches to minimize the risks an organization faces from the liabilities the information age has brought.

Kevin Mandia has amassed a wealth of experience and expertise as a Special Agent, consultant, and instructor. The FBI's National Infrastructure Protection Center, the Air Force Office of Special Investigations (AFOSI), state law enforcement, and corporate entities have all used his blend of law enforcement and technical skills on complex computer crimes. His experience runs the gamut from international computer intrusion cases to corporate insider hacking cases. Mr. Mandia was a Special Agent with the AFOSI specializing in computer intrusion cases. Upon leaving the AFOSI, Kevin developed a computer intrusion response course specifically designed for the FBI. Mr. Mandia trained over 400 FBI agents as well as personnel from the State Department, the CIA, NASA, the U.S. Postal Service, the Air Force, and other Government Agencies. In the last 3 years, Mr. Mandia has led incident response teams that have been involved in over 40 computer security incidents at eCommerce and Financial Service organizations. Mr. Mandia is co-author of "Incident Response: Performing Computer Forensics" (McGraw-Hill, 2003) and "Incident Response: Investigating Computer Crime" (McGraw-Hill, 2001). He holds a B.S. in Computer Science from Lafayette College and an M.S. in Forensic Science from the George Washington University. He is a reserve Special Agent with AFOSI, a Certified Information Systems Security Professional (CISSP), and he continually assists the FBI, the US Attorneys Office, and other law enforcement on active cases.

Trust No-one, Not Even Yourself OR The Weak Link Might Be Your Build Tools
David Maynor, Research Engineer, ISS X-force

Many advances have happened in the security arena over the last few years. With new technologies being deployed, attackers are having to attack in new and stealthier ways. The most impact would come from attacking an application before it's built, or while it's in the process of being built. Through a series of examples it will be clear that you should worry not only about what is in your code, but about how it is built. Trojaning a compiler to automatically backdoor every binary being built is not only possible, it's easy. This talk will show how the attack can occur and the results of it. This attack is not just limited to open source compilers; Microsoft Visual Studio will be attacked as well.

David Maynor is a research engineer with the ISS X-Force R&D team. Before ISS, Maynor spent 3 years at GaTech, with the last two years as part of the Information Security group as an application developer, helping to make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of different companies in a wide range of industries, from digital TV development to protection of top 25 websites, security consulting and penetration testing, online banking and ISPs.

Managing Election Data: The California Recall
Rebecca Mercuri, Notable Software, Inc.
Bev Harris, author of Black Box Voting

The California recall election, held October 7, 2003, was controversial on a number of levels. It was the first such Gubernatorial challenge in the state's history, it sported a slate of 134 candidates (from computer gurus to actors), and it was nearly delayed by a legal challenge from the ACLU on the grounds of potential disenfranchisement of certain population groups. The complex set of resulting vote data, from 58 counties using a diverse range of equipment, was subsequently misinterpreted to promote various agendas. This talk will lend insight on what may await the US in November 2004 by providing an analysis that dispels erroneous assertions about the benefits of electronic voting, while raising strong questions about both the accuracy of election systems and the reports generated from them.

Dr. Rebecca Mercuri became an overnight celebrity during the media frenzy that ensued when the U.S. Presidential election ended in a dead heat in November 2000. A few weeks earlier, she had successfully defended her Doctoral Dissertation "Electronic Vote Tabulation: Checks and Balances" at the University of Pennsylvania, and then found herself writing testimony in the now-legendary Bush v. Gore case that was working its way through the legal system. Her testimony was presented to the U.S. 11th Circuit Court of Appeals and referenced in the briefs to the U.S. Supreme Court. Since then, she has provided formal testimony on voting systems to the House Science Committee, Federal Election Commission, U.S. Commission of Civil Rights, and the U.K. Cabinet, has been quoted in the U.S. Congressional Record, and has played a direct role in municipal, state, federal, and international legislative initiatives. Rebecca's comments on election technology are frequently cited by the media, and she authors the quarterly "Security Watch" column in the Communications of the Association for Computing Machinery (archived at Having recently completed a research fellowship at the John F. Kennedy School of Government in their Belfer Center for Science and International Affairs, Dr. Mercuri will be moving to Harvard University's Radcliffe Institute in the Fall.

Bev Harris, author of "Black Box Voting: Ballot-Tampering in the 21st Century," began writing on the subject of electronic voting machines in October 2002. Her investigative journalism has since been cited in The New York Times (three times), and on CBS, Fox News, and CNN. In writing Black Box Voting, Harris spent over two thousand hours researching voting machines, and interviewed hundreds of witnesses including many election officials and even voting machine programmers who work directly for the firms that build these machines. During the course of writing Black Box Voting, Harris discovered that one of the largest voting machine companies, Diebold Election Systems, had committed a massive security breach, leaving thousands of sensitive voting system program files on an unprotected Web site. These files have now triggered a national investigation and activism movement to restore clean, trustworthy voting systems.

Introduction to the Global Security Syndicate
Gregory S. Miles, President, Security Horizon, Inc. on behalf of the Global Security Syndicate
Travis Schack, President, Vitalisec, Inc. on behalf of the Global Security Syndicate

The Global Security Syndicate (GSS) is a not-for-profit group of security professionals focused on identifying and implementing best security practices. The GSS will provide important feedback to the security community through focused projects around specific security related topics. The GSS will also serve as a source of information related to international security organizations that have a proven track record in meeting the security needs of customers in specific security topic areas. Come attend this TurboTalk and participate in the kickoff of the GSS.

Gregory S. Miles, Ph.D., CISSP, CISM
Greg is a 16+ year technology and information security veteran and serves as the President and CFO of Security Horizon, a Colorado Springs based information security professional services firm. He is a United States Air Force veteran and has served in military and contract support for the National Security Agency, Defense Information Systems Agency, Air Force Space Command, and NASA, supporting world-wide security efforts. Greg has planned and managed Computer Incident Response Teams (CIRT), Computer Forensics and INFOSEC training capabilities. He has experience with international and U.S. based security legislative requirements and standards, including ISO 17799, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the NIST 800 series. He has served in various information security positions throughout his career, including Director, Cyber Crime Response; INFOSEC Program Manager; Chief Engineer; and Senior INFOSEC Engineer. Greg has been published in multiple periodicals including "The Security Journal" and "The International Journal on Cyber Crime". He is also co-author of "Security Assessment: Case Studies for Implementing the NSA IAM". Greg holds a BS in Electrical Engineering from the University of Cincinnati, an MS in Management from Central Michigan University, and a Ph.D. in Engineering Management from Kennedy-Western University. Greg is an instructor for the University of Advancing Technology (UAT) in their security degree program.

Travis Schack, CISSP, CCNA
Travis is a 10+ year technology and information security veteran and is the President of Vitalisec, a Denver based information security professional services firm. Travis is versed in Information Security Management; Security Policy Development and Implementation; Disaster Recovery Planning; Intrusion Detection Development, Implementation and Administration; Firewall Administration; Incident Handling and Reporting Procedures; Physical Security Management; LAN-WAN Engineering and Architecture; Windows and Unix System Administration; Risk and Vulnerability Assessment; and Penetration Testing. Travis has worked as a Security Professional in the network communications and financial industries, where he performed numerous security application reviews as well as network attack and penetration tests against UNIX, Linux, and Windows systems. He has extensive knowledge in the area of attack methodologies, attack tools, wireless networking, computer security policy and standards, and intrusion detection. Travis is an instructor for Denver University's Master's program in Information Security.

Evasion and Detection of Web Application Attacks
K. K. Mookhey, Founder & CTO, Network Intelligence India Pvt. Ltd.

Intrusion detection systems that work at the application layer appear to be the next new wave of security products to hit the market. As with network IDSs, some of the products in the application security space work with signatures, while others are anomaly based. This presentation looks at typical patterns produced by some of the more common web application attacks—SQL injection, cross-site scripting, directory traversal, buffer overflows, etc. It discusses how these attacks can be matched using regular expression based signatures on the Snort IDS. However, the difficult part comes in trying to write signatures that cannot be easily evaded, while still keeping false positives at an acceptable level.

Advanced attacks to try and evade these signatures and modifications to the original set of signatures are discussed. The original concept is expanded to use these signatures with mod_security for Apache, and SecureIIS for IIS. We then discuss the security attacks that cannot be detected by signature-based methods. Anomaly-based methods of detecting web application attacks are also briefly covered.

The attendees are expected to be familiar with regular expressions and the basics of typical web application attacks.

K. K. Mookhey is the Founder and Chief Technology Officer of Network Intelligence, an information security consulting firm. He has provided security consulting services to Fortune 500 companies and industry segment leaders in India, the Middle East, and North America. He has pioneered the development of the AuditPro suite of security auditing software, as well as initiating the research efforts within the company. His vulnerability research team has found security vulnerabilities in products from vendors such as Oracle, Symantec, and Macromedia. He is a regular contributor to the Infocus series of articles on SecurityFocus, as well as various industry journals such as IS Control and IT Audit. He is the author of a monograph on "Linux Security Audit and Controls" commissioned by the Information Systems Audit and Control Association (ISACA). He is also the author of the chapter on "Web Application Attacks" in the upcoming version of the OWASP Guide.

Shoot the Messenger— Using Window Messages to Exploit Local win32 Applications
Brett Moore, CTO,

The Windows GDI interface uses messages to pass input and events to windows. As there is currently no way of determining who the sender of a message is, it is possible for a low privileged application to send messages to, and interact with, a process of higher privilege.

This presentation will cover in detail some of the flaws exposed through these messages, and demonstrate how they can be exploited to conduct privilege escalation and other attacks. Attendees should be familiar with the shatter attack concept and may want to review the following documents before attending:

  • Shatter Attacks - How to break Windows, Chris Paget
  • Win32 Message Vulnerabilities Redux, Oliver Lavery
  • Shattering by Example, Brett Moore

Brett Moore leads the security research and network intrusion teams at He has been credited with the discovery of multiple security vulnerabilities in both private and public software vendors’ products including Microsoft web products.

The History of the Future
Robert Morris, former chief scientist for the NSA

Robert Morris received a B.A. in Mathematics from Harvard University in 1957 and an M.A. in Mathematics from Harvard in 1958. He was a member of the technical staff in the research department of Bell Laboratories from 1960 until 1986. On his retirement from Bell Laboratories in 1986 he began work at the National Security Agency. From 1986 to his (second) retirement in 1994, he was a senior adviser in the portion of NSA responsible for the protection of sensitive U.S. information.

Digital Active Self Defense
Laurent Oudot, Computer Security Engineer, Rstack team

In a cyberworld of never ending struggles, defenders might have a new weapon in the future in order to defeat attackers. This talk will focus on those possibilities called: digital active self defense.

For example, after a compromise, a victim might want to react and even hack back the aggressor. This potentially natural idea might not be legal most of the time, and many drawbacks exist. Think about the case where an aggressor uses a connectionless attack: the apparent source of the intrusion might not be the real one (spoofing), so that a retaliation would not be a good idea!

This presentation aims at sharing ideas about digital active self defense to focus on the essential current questions: why and when should we try to react like that? How could we play with incoming aggressors in order to limit the risks? What would be the limitations of such solutions (legal and technical issues)?

As a conclusion, we will evaluate the potential hidden in those technologies when used for Information Assurance, and imagine future kinds of solutions: digital active self defense systems.

Laurent Oudot is a French security expert who works for the CEA. He is also a member of a team called "rstack", composed of security addicts and geeks. Oudot's research focuses on defensive technologies closely tied to blackhat activities, such as honeypots, intrusion prevention, intrusion detection, firewalls, sandboxes, MAC, etc.

Laurent is the (co-)author of several research papers recently published and released at, MISC magazine and Linux Magazine France. He has presented at national and international conferences and meetings such as annual Honeynet Project meeting (Chicago), Libre Software Meeting (Metz), FOSDEM (Bruxelles), etc.

In his spare time, Laurent co-organizes security events such as the Libre Software Meeting (co-chairman of the Security Topic with Bradley Spengler from Grsecurity), the Symposium Sécurité des Technologies de l'Information et de la Communication (SISTIC), etc.

Laurent teaches network and systems security, and has managed numerous security projects.

Recently with Nicolas Fischbach, he co-created the French Honeynet Project which is part of the international Alliance of Honeynets.

The Black Hat Surveys
Dr. Larry Ponemon, Chairman of Ponemon Institute

Ponemon Institute recently conducted two independent surveys concerning individual privacy rights. The first study examines the public's perception concerning the safety and security of e-voting systems. The second study explores the public's reaction to the U.S. government's CAPPS II proposal that requires airlines to share personal data about passengers with the Department of Homeland Security. Dr. Larry will present an analysis that compares and contrasts the "Black Hat" community to members of the general public in terms of perceptions and beliefs about privacy issues.

Dr. Larry Ponemon is Chairman of Ponemon Institute, a "think tank" dedicated to privacy, data protection and information security policy research. He also serves as an adjunct professor of privacy and ethics at Carnegie Mellon University's CIO Institute and CyLab.

Tracking Prey in the Cyberforest
Bruce Potter, The Shmoo Group
Brian Wotring, The Shmoo Group

No matter where we go online or in the real world, we are being tracked. Security cameras, web logs, and cell towers know where we were, what we bought, and who we were with. As technology has advanced the ability to track users has become more widespread. And with huge companies like Microsoft, T-mobile, and Google, tracking information from multiple sources can be correlated and used to obtain a deep understanding of each one of us.

The privacy ramifications of this technology are far reaching. However, in order to fully understand the privacy ramifications, we must understand the technology used for tracking and how this technology is currently being used. This talk will attempt to lend clarity to the privacy issues created because of user tracking by describing the landscape of tracking technologies employed today. Wireless, biometric, and logical techniques will be described. Real world examples will be discussed so you have a clear idea of what you are exposed to on a daily basis. For each example, the privacy ramifications will be discussed as well as mechanisms for defeating the tracking itself.

During this talk, there will be a demonstration and release of a proximity-based Bluetooth tracking tool. Audience members who wish to participate will be asked to leave their phone in discoverable mode throughout the conference so they can be tracked via a conference-accessible web browser.

Bruce Potter is a Senior Associate with Booz Allen Hamilton. Mr. Potter is the founder of the Shmoo Group of security professionals. His areas of expertise include wireless security, large-scale network architectures, smartcards and promotion of secure software engineering practices. Mr. Potter coauthored the books "802.11 Security", published in 2003 by O’Reilly and Associates, and "Mac OS X Security" published by New Riders in May 2003. Mr. Potter is coauthoring "Master FreeBSD and OpenBSD Security" with O’Reilly and Associates with a publication date in summer 2004. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks.

Steganography, Steganalysis, & Cryptanalysis
Michael T. Raggo, Principal Security Consultant, VeriSign

This presentation will cover steganography and techniques for steganalysis (identifying files with hidden messages). A review of steganography will provide the basis for identifying and dissecting carrier files, followed by a demonstration of carrier file analysis and dissection and a demo of my new steganography detection program, StegSpy. Cracking and reverse-engineering steganography programs will also be covered. A cryptanalysis case study will review the steps necessary to reverse engineer and reveal a hidden message. Additionally, other steganalysis and password cracking tools will be highlighted.

Michael T. Raggo (CISSP, IAM, CCSA, CCSE, CCSI, MCP, SCSA) is a Principal Security Consultant for VeriSign, Inc. As a consultant, Mr. Raggo architects and deploys firewalls, intrusion detection systems, and PKI solutions; he also performs security assessments, penetration tests, and forensics investigations. He is also an instructor for VeriSign’s suite of security classes, including Applied Hacking and Countermeasures, and the author of StegSpy, a steganography detection program.

Mr. Raggo is a guest speaker at nationwide conferences including SANS, WebSec and InfoSec. Prior to joining VeriSign, Mr. Raggo was Supervisor of System Administration at the NASDAQ Stock Market. Mr. Raggo has 15 years of experience in the information systems field, including experience as a UNIX System Administrator, Network Administrator, and Firewall Administrator.

Mr. Raggo conducted graduate work in Information Systems at Johns Hopkins University. Prior to that, he earned his BSET in Electrical Engineering from Rochester Institute of Technology.

The Keys to the Kingdom: Understanding Covert Channels of Communication
Russ Rogers, CEO, Security Horizon

Security professionals see the compromise of networked systems on a day-to-day basis. It's something they've come to expect. The blatant exploitation of operating systems, applications, and configurations is a common event and is taken into account by most security engineers. But a different type of security compromise threatens to crumble the underlying security of the modern organization.

There are forms of communication that transfer sensitive data out of organizations every day. Covert channels are used to move proprietary information in and out of commercial, private, and government entities on a daily basis. These covert channels include steganography, covert network channels, data file header and footer appending, and alternate data streams. Media to be covered include images, audio files, TCP covert channels, word substitution mechanisms, the Windows file system, and others.

This presentation will show attendees common means of covert communication through a range of information-hiding techniques. We'll also discuss the future of covert channels and how hidden information is becoming more and more difficult to detect. Because detection of these forms of communication trails well behind the technology creating them, this presentation will discuss some of the newest concepts in utilizing covert channels and steganography.
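
One of the channels listed above, data appended after a file's footer, is also one of the easiest to check for on the defensive side. The following is an added example written for this page, not code from the talk or from any tool it mentions: it walks the marker segments of a JPEG and the chunk list of a PNG to find where the image really ends, and reports any bytes that follow. The sample images and the payload are constructed inline; the PNG CRC fields are zero placeholders that the parser does not validate.

```python
import struct
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end_offset(blob: bytes) -> Optional[int]:
    """Walk the JPEG marker segments and return the offset just past the
    End-Of-Image marker (FF D9), or None if the structure is malformed."""
    if not blob.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 1 < len(blob):
        if blob[i] != 0xFF:
            return None
        marker = blob[i + 1]
        if marker == 0xD9:                              # EOI: the image ends here
            return i + 2
        if marker == 0xFF:                              # fill byte, skip it
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone TEM / RSTn markers
            i += 2
            continue
        if i + 4 > len(blob):
            return None
        i += 2 + struct.unpack(">H", blob[i + 2:i + 4])[0]   # skip this segment
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # Scan to the next real marker. FF 00 is byte stuffing and
            # FF D0..D7 are restart markers that live inside the scan data.
            while i + 1 < len(blob):
                nxt = blob[i + 1]
                if blob[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    return None


def png_end_offset(blob: bytes) -> Optional[int]:
    """Walk PNG chunks (length, type, data, CRC) and return the offset just
    past the IEND chunk, or None if the structure is malformed."""
    if not blob.startswith(PNG_SIG):
        return None
    i = len(PNG_SIG)
    while i + 8 <= len(blob):
        length = struct.unpack(">I", blob[i:i + 4])[0]
        ctype = blob[i + 4:i + 8]
        i += 12 + length                                # 4 len + 4 type + data + 4 crc
        if ctype == b"IEND":
            return i if i <= len(blob) else None
    return None


def trailing_data(blob: bytes) -> Optional[bytes]:
    """Return whatever follows the image's end marker (empty when clean), or
    None when the blob is not a JPEG or PNG this parser understands."""
    end = jpeg_end_offset(blob) if blob[:2] == b"\xff\xd8" else png_end_offset(blob)
    return None if end is None else blob[end:]


# Constructed minimal JPEG: SOI, APP0/JFIF header, SOS header, a few bytes of
# scan data containing a stuffed FF 00 and an RST0 marker, then EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    b"\xff\xd9"
)
# Constructed minimal PNG: signature, IHDR (1x1, 8-bit RGB), IEND. CRCs are zeros.
CLEAN_PNG = (
    PNG_SIG
    + b"\x00\x00\x00\x0dIHDR"
    + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
    + b"\x00\x00\x00\x00"
    + b"\x00\x00\x00\x00IEND" + b"\x00\x00\x00\x00"
)
PAYLOAD = b"constructed hidden payload"   # constructed, stands in for appended data

if __name__ == "__main__":
    for name, blob in [("jpeg", CLEAN_JPEG + PAYLOAD), ("png", CLEAN_PNG + PAYLOAD)]:
        print(name, "trailing bytes:", trailing_data(blob))
```

Because the JPEG walker stops at the first genuine EOI reached through the segment structure, appended data that happens to contain its own FF D9 bytes does not fool it; a naive "search for the last FF D9" would. Many graphics viewers silently ignore trailing bytes, which is exactly why this channel survives casual inspection.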

Russ Rogers is the CEO of Security Horizon, a Colorado Springs-based information security professional services firm, and is a technology veteran with over 13 years of technology and information security experience. He has served in multiple technical and management information security positions, including Manager of Professional Services, Manager of Security Support, Senior Security Consultant and Unix Systems Administrator. Mr. Rogers is a United States Air Force veteran and has supported the National Security Agency and the Defense Information Systems Agency in both military and contractor roles. Russ is also an Arabic linguist. He is a certified instructor for the National Security Agency's INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) courses. He holds an M.S. degree from the University of Maryland and is also a co-founder of the Security Tribe, a security think tank and research organization.

The Anonymity Toolkit
Len Sassaman

Today's Internet is fraught with privacy dangers. Users in both the consumer and enterprise environments are becoming increasingly aware of the need for privacy protection services to accompany their Internet access, but the available solutions are less than intuitive.

We present a model of privacy measurement as the ability to remain anonymous to attackers with varying degrees of sophistication, and identify the key components to a total anonymity solution. We review and evaluate the many competing privacy and anonymity software solutions which fulfill the requirements for each component in the total solution, and describe the situations under which each excels or fails.

Explanations of the theoretical basis for the more advanced anonymity and privacy software featured in the talk will be given. The less advanced privacy software will be debunked. Some of the software solutions to be discussed include the Java Anonymous Proxy, The Onion Router, Privoxy, Middleman, Freenet, and GNUnet.

Len Sassaman is a communication security consultant specializing in Internet privacy and anonymity technologies. Formerly the security architect for Anonymizer and a software engineer for PGP Security, Len is now focusing on research in the area of practical attack-resistant anonymity systems which can be widely deployed and used by large groups. Additionally, Len is an anonymous remailer operator, and maintainer of the oldest actively-used anonymity software, Mixmaster.

When the Tables Turn

Until now, network security defences have largely been about building walls and fences around the network. This talk revolves around spiking those walls and electrifying those fences! During this talk we will highlight techniques (and tools) that can be used to turn the tables on prospective attackers with passive strike-back. We will explore the possibilities across the assessment spectrum, responding to the standard assessment phases of intelligence gathering, reconnaissance and attack with disinformation, misdirection, camouflage, obfuscation and proportional response.

Roelof Temmingh is the Technical Director of SensePost, where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of Perl code as proof of concept for known vulnerabilities, and coded the world's first anti-IDS web proxy, "Pudding". He has spoken at many international conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at the Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is currently SensePost's Director of Development (and coffee drinking). He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white papers to the security community. He has been a guest speaker at many security forums including the Black Hat Briefings. Haroon doesn't drink tea or smoke Camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

Defeating Automated Web Assessment Tools
Saumil Udayan Shah, Director, Net-Square Solutions

Saumil Shah continues to lead the efforts in e-commerce security research and software development at Net-Square. He is the co-author of "Web Hacking: Attacks and Defense" published by Addison Wesley. He has more than eight years of experience with network security and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences worldwide such as BlackHat, RSA, etc.

Previously, Saumil held the position of Director of Indian operations with Foundstone Inc. in the US, and a senior consultant with Ernst & Young's Information Security Services. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member for their Management Development Programmes.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He also holds a CISSP certification. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

Web Application Session Strength
Michael Shema, Director of Research, NT Objectives

Web applications handle user session management in a variety of ways and at varying levels of security. The most common technique uses a session token such as a cookie, HTTP header, HTML form input element, or URL parameter. If this token is created and manipulated in an insecure manner, then the application is vulnerable to identity theft, user impersonation, privilege escalation, and authentication bypass. Unlike SQL injection or cross-site scripting, which rely on syntax attacks, a session attack is not affected by validation filters or application-level firewalls. Consequently, it is necessary to understand how secure tokens are created, encoded, and encrypted in order to prevent unauthorized manipulation and minimize the impact of a stolen value. Real-life examples are included, along with secure coding countermeasures to protect session tokens from prediction and manipulation attacks.
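
The two properties the abstract names, resistance to prediction and resistance to manipulation, can be shown side by side in a few lines. This is an added example written for this page, not code from the talk or from NT OBJECTives: a constructed weak token (user id plus a counter, merely base64-encoded) next to an opaque token drawn from the OS CSPRNG, an HMAC tag for the case where state has to travel inside the token, and a small heuristic an assessor can run over a sample of issued tokens to flag a predictable counter. The server key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed server-side key for this example only; a real application loads it
# from a secret store and rotates it rather than hard-coding it.
SERVER_KEY = b"constructed-example-key-do-not-use"


def weak_token(user_id: int, counter: int) -> str:
    """Constructed example of a WEAK token: user id plus an incrementing
    counter, base64-encoded. Encoding hides nothing: the next value follows
    from the previous one, and the user id can be edited in place."""
    return base64.urlsafe_b64encode(f"{user_id}:{counter}".encode()).decode()


def strong_token() -> str:
    """Opaque token: 256 bits from the OS CSPRNG. It carries no state; the
    server maps it to the session in its own store."""
    return secrets.token_urlsafe(32)


def sign_token(payload: str) -> str:
    """If state must travel in the token, bind it with HMAC-SHA256 so that
    any edit (e.g. role=user -> role=admin) invalidates the tag."""
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str) -> Optional[str]:
    """Return the payload when the tag checks out, else None.
    compare_digest keeps the comparison constant-time."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, tag) else None


def looks_sequential(tokens: List[str]) -> bool:
    """Assessment heuristic: decode a sample of issued tokens and report
    whether a trailing numeric field advances by a constant step, i.e. the
    token could be predicted from a few observed values."""
    values = []
    for tok in tokens:
        try:
            raw = base64.urlsafe_b64decode(tok + "=" * (-len(tok) % 4))
            values.append(int(raw.decode("ascii").rsplit(":", 1)[-1]))
        except ValueError:          # not decodable as text/number: not this pattern
            return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps != {0}


if __name__ == "__main__":
    sample = [weak_token(1001, c) for c in range(5000, 5006)]
    print("weak tokens predictable:", looks_sequential(sample))
    print("strong tokens predictable:", looks_sequential([strong_token() for _ in range(6)]))
    signed = sign_token("uid=1001;role=user")
    print("valid:", verify_token(signed))
    print("tampered:", verify_token(signed.replace("role=user", "role=admin")))
```

The heuristic only recognises the counter pattern it was written for; a proper assessment also compares a large sample for entropy and for fields that leak time or user identity. The opaque token is preferable to the signed one wherever the server can keep session state itself, because there is then nothing in the token to manipulate.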

Mike Shema is Director of Research & Development at NT Objectives where he focuses on assessment and mitigation strategies for all aspects of web application security.

Prior to joining NT OBJECTives, Mr. Shema worked as a Principal Consultant at Foundstone where he performed network penetration tests, web application security assessments, and wireless network security audits. In this time Mr. Shema led security audits for Fortune 100 companies, financial institutions, and large software development companies. Diverse clients and application platforms have enabled Mike to field-test and expand security methodologies, techniques, and tools across the entire enterprise security industry.

Mr. Shema previously worked at a product development company where he configured and deployed high-capacity Apache web and Oracle database servers for numerous Internet clients; and also worked at Booz Allen Hamilton where he conducted security assessments for government and military networks across the country.

His experience with Web application security has led to several Bugtraq advisories, co-authorship of "Hacking Exposed: Web Applications", and authoring "Hack Notes: Web Application Security". He has also co-authored "The Anti-Hacker Toolkit", now in its second edition. He has taught at the Black Hat conferences in Las Vegas, Singapore, and Amsterdam, and continues to speak regularly at premier industry conferences and events around the world.

Mr. Shema's other writing credits include technical columns about Web server security for Security Focus and DevX and technical editor for Incident Response: Investigating Computer Crime. He holds B.S. degrees in Electrical Engineering and French from Penn State University.

A Comparison of Buffer Overflow Prevention Implementations and Weaknesses
Peter Silberman, Security Engineer, iDEFENSE
Richard Johnson, Senior Security Engineer, iDEFENSE

Buffer overflows are historically the most commonly exploited software vulnerability in the security world. The last year has seen effective automated attacks such as the MS Blaster and SQL Slammer worms. Due to the rapid growth of worm technology and readily available automated worm generation tools, the need for buffer overflow protection software has dramatically increased.

This presentation will give the attendee an overview of the methods used by current stack protection technology.

We will discuss the varying types of stack overflow protection available for the Linux and Windows operating environments and the weaknesses that lie within each implementation. This will also be the first public discussion of available third-party buffer overflow prevention software for the Windows operating system. The test suite used to analyze the exploitability of common software vulnerabilities has been modified with specialized shellcode to be used against buffer overflow protection methods. A demonstration will be provided and the tool is available to attendees for future testing of protection software.

The attendee should have basic knowledge of buffer overflow exploitation, but the presentation will build on itself, and in the end offer a tool that anyone can use to test their buffer overflow protection software.

Peter Silberman is a Security Engineer at iDEFENSE. Peter works in the iDEFENSE labs where he conducts vulnerability research. He is especially interested in advanced exploitation of the Win32 platform, buffer overflow protection methods, and Windows forensic analysis. Peter has been a professional vulnerability researcher for a year, and has spent two or three years as an independent researcher.

Richard Johnson is a Senior Security Engineer at iDEFENSE. He works in the iDEFENSE Labs where he is responsible for conducting vulnerability research, malicious code analysis, and developing reverse code engineering tools and methodologies. Areas of interest include run-time process modification, live kernel patching, embedded systems reverse engineering, and seeing how much beer a man can drink in an evening. With three years' professional vulnerability research experience, and many more as a hobbyist, he is considered a valuable resource with a wide breadth of knowledge at iDEFENSE Labs.

Advanced Return Address Discovery using Context-Aware Machine Code Emulation
Derek Soeder, Software Engineer, eEye Digital Security
Ryan Permeh, Senior Software Engineer, eEye Digital Security
Yuji Ukai, Researcher and Software Engineer, eEye Digital Security

Payloads intended to execute attacker-provided code typically require a static address of code already existing in the vulnerable process's address space, in order to redirect execution back into code accompanying the payload. Historically, exploit authors have resorted to finding the addresses of byte sequences that perform a call or jump to the address loaded in a register at the moment when execution can be hijacked. These "return addresses" are typically infrequent in an address space and may vary with the version of the program being attacked, making the discovery of version-independent or character-restricted addresses extremely rare. With the "EEREAP" (eEye Emulating Return Address Purveyor) project, we aim to revolutionize the practice of return address discovery by employing machine code emulation and far more finely-grained context awareness in order to exhaustively locate the addresses in an address space that are suitable to redirect execution into payload data. In this presentation, we will discuss how EEREAP works, how to use it as a tool for exploit coding, and what can be accomplished with this new generation of return address enumeration technology.

Derek Soeder is a Software Engineer and after-hours researcher at eEye Digital Security. In addition to participating in the ongoing development of eEye's Retina Network Security Scanner product, Derek has also produced a number of internal technologies and is responsible for the discovery of multiple serious security vulnerabilities. His main areas of interest include operating system internals and machine code-level manipulation.

Ryan Permeh is a Senior Software Engineer at eEye Digital Security. He focuses mainly on the Retina and SecureIIS product lines. He has worked on the porting of nmap and libnet to Windows, as well as helping with disassembly, reverse engineering, and exploitation efforts within the eEye research team.

Yuji Ukai is a researcher and software engineer with eEye Digital Security. After completing his Ph.D. in computer science at the National University of Tokushima, he began his employment at an appliance vendor in Japan where he developed embedded operating systems. Over the last several years he has discovered several important security holes affecting various software products as well as pioneered new trends in wireless security technologies.

IKE-Test - Testing IKE Implementations
Ralf Spenneberg

The IKE protocol is the key protocol in modern VPN solutions based on IPsec. It is a well known and standardized protocol. The protocol has undergone several audits and weaknesses have been found and are commonly known. Yet many more weaknesses and vulnerabilities are hidden within the IKE implementations by the different vendors.

This talk will present a new toolset written in Perl to test the different IKE implementations in a scientific and reproducible way. This toolset offers the generation and modification of each IKE message using simple Perl commands. The examiner can inject arbitrary values, keys and algorithms in each message. Using this toolset, very simple as well as complex vulnerabilities may be found. The talk will demonstrate at least the detection of the recent KAME-racoon authentication vulnerability on Linux and *BSD systems (CVE: CAN-2004-0155).

Ralf Spenneberg has used Linux since 1992 and has worked as a system administrator since 1994. During this time he was responsible for numerous Windows, Linux and UNIX systems. For the last 6 years he has been working as a freelancer in the Linux/UNIX field.

Most of the time he provides Linux/UNIX training. His specialty is network administration and security (firewalling, VPNs, intrusion detection and penetration testing).

He has developed several training classes used by Red Hat and other IT training companies in Germany.

He has spoken at several SANS conferences and at even more UNIX/Linux-specific conferences. He was chosen to be a member of the program committee of the Linux Kongress and the GUUG Frühjahrsfachgespräch.

Metasploit: Hacking Like in the Movies
spoonm, Independent Security Researcher
HD Moore, Co-Founder Digital Defense, Inc., Independent Security Researcher

The Metasploit Framework has progressed from a simple network game to a powerful tool for administrators and security analysts alike. Over the past several months, the Framework has been enhanced with improved exploit techniques and a truly advanced suite of payloads. This presentation provides a background on what exploit frameworks are, what they can provide you, and why you should be using one. A live demonstration will highlight many of the advanced features of the Framework, describe how they can be used to accomplish a variety of tasks, and show that the technology for "hacking like in the movies" is already available today. Attendees will be provided with an early-access copy of version 2.2 of the Metasploit Framework, which includes a number of techniques and exploit modules that are not publicly available anywhere else. Additionally, this release is the first version of the Framework to include a development kit for creating your own custom modules.

Spoonm is currently pursuing a Bachelor's degree in Software Engineering. Much to the detriment of his early morning classes, he is an active researcher in many different security areas, most notably in the exploitation and post-exploitation process. He has developed several post-exploitation tools, and between working as a security consultant and asm wielding, he currently spends most of his time working on the Metasploit Framework.

HD Moore is one of the founding members of Digital Defense, a security firm that was created in 1999 to provide network risk assessment services. In the last four years, Digital Defense has become one of the leading security service providers for the financial industry, with over 200 clients across 43 states. Service offerings range from automated vulnerability assessments to customized security consulting and penetration testing. HD developed and maintains the assessment engine, performs application code reviews, develops exploits, and conducts vulnerability research.

Next Generation Application Proxies: What Check Point & NetScreen Understand But Are Afraid To Admit
Andrew Stevens, Product Manager, Secure Computing

Great confusion has set in over the last 18 to 24 months around the role of the firewall in the application security and intrusion prevention arena. A common reaction to the increased volume and effectiveness of high-profile attacks we hear about in the news today is, “I have a firewall, but these attacks are still getting inside my network. I thought my firewall was supposed to protect my network and applications!?”

This presentation will discuss the nature of known (already identified and understood) threats and unknown (first-time, day-zero) threats, and how various perimeter gateway (firewall) technologies deliver protection, ranging from strong to weak, against application-level attacks. In particular, next generation application proxy technology will be compared and contrasted with Check Point's Application Intelligence and NetScreen's Deep Inspection technologies (using specific examples of how they handle a variety of attacks).

Andrew Stevens has been involved with network security at Secure Computing for over 8 years and has a background in computer networking of close to 15 years. He is frequently called upon to make presentations for enterprise customers recommending application proxy firewall technologies, and he speaks at many industry and security conferences. Prior to joining Secure Computing, Mr. Stevens held several computer and networking positions with education, federal and local government organizations. Mr. Stevens has a degree in Business Information Systems from Algonquin College in Ottawa, Ontario, Canada.

Attacking Host Intrusion Prevention Systems
Eugene Tsyrklevich, CTO, Security Architects

Host Intrusion Prevention Systems (HIPS) is the latest buzzword in the security arena. But is it just that? A buzzword?

This presentation will give a brief introduction to Host Intrusion Prevention Systems, explain how they work and show examples of how some HIPS implementations can be successfully attacked and bypassed.

Eugene Tsyrklevich is Chief Technical Officer for Security Architects, a security company based in London specializing in advanced security solutions. Eugene has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military environments. Eugene holds both a Bachelor's and a Master's degree in Computer Science from the University of California, San Diego.

Introduction to the Certification and Accreditation Process (C&A) Within the U.S. Government
Jeff Waldron, CISSP, SCSA, Artel Inc.

The United States Federal Government has recently become very active in the arena of Information Assurance (IA) procedures. One such area is the Certification and Accreditation (C&A) of Information Technology (IT). The first document used by the U.S. Government for C&A was published in 1993. It was called the Department of Defense Trusted Computer System Evaluation Criteria, also known as the Orange Book. Other directives to deal with the modern threat to IT have recently superseded the Orange Book. These new processes are the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and the National Information Assurance Certification and Accreditation Process (NIACAP). Both attempt to bring the U.S. Government into the modern times of IT security because much has changed since the creation of the Orange Book.

The goal of this paper is to provide an understanding of the C & A process from what documents need to be reviewed to what steps need to be taken to obtain accreditation. This information is critical not only to workers but to every U.S. citizen as portions of the U.S. Government’s IT is of a classified nature that is critical to National Security. During the C & A process, all parties involved must agree on what needs to be done, who will accomplish the tasks and what the estimated timeline is for completion. While this may sound like an unnecessary process, a closer look reveals that each step is extremely critical to ensuring successful deployment of security into an existing IT environment. Understanding the process for Certification and Accreditation is not only a matter of national security, it is the very basis for security in any IT environment in any country.

Jeff Waldron, CISSP, has over 13 years of IT experience, more than 9 of them specific to IT security. He has supported commercial, state, federal and DoD IT security environments and has extensive knowledge of host- and network-based intrusion detection/prevention tools and technologies.

Cryptographic Port-Knocking
David Worth

Port-knocking has recently become a popular concept, and a common source of discussion. Many groups and communities have argued about the importance and viability of port-knocking as a security concept, or as an additional security measure. One of the main complaints about port-knocking is that one can implement trivial replay attacks against any static port-knocking system. This problem can be remedied by implementing a cryptographic system in tandem with traditional port-knocking ideas. One of the simplest means of implementing a cryptographic port knock is by using a one-time-password system (OTP or S/Key). Such a system has been implemented in COK, which is trivially extensible, and flexible enough to be useful in a production environment, which will allow for port-knocking from public locations with a minimum amount of pain.
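
To make the replay argument concrete, here is an added example written for this page; it is not COK's code and does not reproduce S/Key. It contrasts a static knock server, which accepts the same captured sequence every time, with a counter-based one-time knock: the client derives its port sequence from HMAC-SHA256 over a shared secret and a monotonically increasing counter (an HOTP-style construction chosen here for brevity), and the server accepts a counter only once and only if it lies ahead of the last one it consumed. The secret, port base, knock length and look-ahead window are all constructed parameters for the example.

```python
import hashlib
import hmac
import struct
from typing import List

# Constructed shared secret; a real deployment provisions one per client out of band.
SHARED_SECRET = b"constructed-knock-secret"
KNOCK_LEN = 4        # ports per knock
PORT_BASE = 1024     # derived byte b maps to port PORT_BASE + b
LOOKAHEAD = 20       # counters the server will search beyond the last one used


def otp_knock(secret: bytes, counter: int) -> List[int]:
    """Client side: derive the one-time knock for this counter from
    HMAC-SHA256(secret, counter); each leading digest byte selects a port."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return [PORT_BASE + b for b in mac[:KNOCK_LEN]]


class StaticKnockServer:
    """The scheme the abstract criticises: one fixed sequence, so a knock
    captured on the wire is accepted again verbatim."""

    def __init__(self, sequence: List[int]):
        self.sequence = list(sequence)

    def accepts(self, observed: List[int]) -> bool:
        return list(observed) == self.sequence


class OtpKnockServer:
    """Counter-based one-time knocks: each counter value is usable once and
    the server only moves forward, so a replayed knock is refused."""

    def __init__(self, secret: bytes, lookahead: int = LOOKAHEAD):
        self.secret = secret
        self.lookahead = lookahead
        self.last_counter = 0            # highest counter consumed so far

    def accepts(self, observed: List[int]) -> bool:
        observed = list(observed)
        start = self.last_counter + 1
        for counter in range(start, start + self.lookahead):
            if observed == otp_knock(self.secret, counter):
                self.last_counter = counter    # burns this and every earlier counter
                return True
        return False


if __name__ == "__main__":
    static = StaticKnockServer([7000, 8000, 9000])
    captured = [7000, 8000, 9000]
    print("static, replayed knock accepted:", static.accepts(captured) and static.accepts(captured))

    server = OtpKnockServer(SHARED_SECRET)
    first = otp_knock(SHARED_SECRET, 1)
    print("otp, first use accepted:", server.accepts(first))
    print("otp, replay accepted:", server.accepts(first))
```

The look-ahead window lets a client that lost a few knocks (or whose counter ran ahead) resynchronise without manual intervention, at the cost of a bounded number of HMAC computations per observed knock. Persisting `last_counter` across restarts matters: a server that comes back up at zero would accept every knock it had already consumed.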

David Worth is a graduate student in pure mathematics who has been tinkering with security in general for many years. He acted as security officer for a high-performance computing center but focuses mainly on academics now. And he can drink you under the table.

Windows WaveSEC Deployment
Paul Wouters, Xelerance

Paul Wouters has been involved with Linux networking and security since he co-founded the Dutch ISP "Xtended Internet" back in 1996. His first article about network security was published in LinuxJournal in 1997. Since then, he has written mostly for the Dutch spin-off of the German "c't magazine", focusing on Linux, networking and the impact of the digital world on society. He has presented papers at SANS, OSA, CCC and HAL.

He is currently involved with the FreeS/WAN project, a Linux IPsec stack that aims to bring Opportunistic Encryption to everyone. For this feature, a secure DNS is needed, which triggered his interest in assisting the widespread use of DNSSEC. Wouters received his Bachelor's degree in Education in 1993.

Detecting Ø-days Attacks With Learning Intrusion Detection Systems
Stefano Zanero, Politecnico di Milano University, Milano, Italy

Traditional anomaly-based Intrusion Detection Systems, relying on pattern matching and static signatures, are not really able to keep up with the creation of new forms of attacks, and particularly with zero-day attacks. In this talk we will analyze the problem, and present new types of misuse detection systems, based on unsupervised learning techniques, that can complement traditional IDS systems well and help detect zero-day attack techniques and various other misbehaviours. A proof of concept based on our current research prototypes will also be presented.

Stefano Zanero, M.S. in Computer Engineering, graduated “cum laude” from the Politecnico di Milano school of engineering, with a “Laurea” (M.S.) thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Department of Electronics and Information of the same university. Among his current research interests, besides learning IDSs, there are performance metrics for security systems and clustering techniques. He has been a speaker at international scientific, technical and legal conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery). Besides co-authoring books on information security and scientific articles, he is the author of the weekly “Security Manager’s Journal” on Computer World Italy, and was recently given a journalism award. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Stefano recommends visiting the Secure Network website for up-to-date security information.

The Black Hat Testimonies
Joseph Ansanelli, CEO, Vontu
Mary Ann Davidson, CSO, Oracle
Panel of Experts:
Michele Drgon, Senior Director of Data Protection/Privacy, Motorola
Mark McGovern, Senior Analyst, In-Q-Tel
Adam Shostack, Consultant

In the past twelve months, the House has held two Congressional testimonies on the issue of protecting customer data. Witnesses from these hearings will present updated testimonies to a committee of security experts at the Black Hat Briefings. These updates will also include an analysis of action since the Hearings. The session will be structured like the Congressional Hearings with the addition of audience preparation and participation. The audience will have an opportunity to question and comment during the live forum. Original testimonies are available at and

Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania.

Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, corporate infrastructure security and security policies, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC) and is on the editorial review board of the Secure Business Quarterly. Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.

Committee Members:
Michele Drgon, Senior Director of Data Protection/Privacy for Motorola, has created the Motorola Privacy Council Office which oversees all internal Privacy policy and compliance management. Additionally she is involved with driving Privacy technology and product strategies across the Motorola product sectors. Michele has recently been the Advisory Council Representative to the W3C and on the Board of Directors of the Open Group and the International Security, Trust and Privacy Alliance. She has also been a member of the Information Technology Industry (ITI) Council’s Chief Privacy Officers Working Group and was co-chair of the DRM Technical Working Group.

Mark McGovern is a senior analyst with In-Q-Tel and leads their mobility and privacy technology investment programs. Mark has more than 16 years of experience developing and deploying secure systems. He's worked with a variety of Fortune 500 clients including Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Mark began his career as an engineer with the Central Intelligence Agency. As an agency engineer he developed a wide variety of systems to support intelligence activities. In addition to these experiences, Mark has assisted the American Red Cross in designing computer and communications systems to support disaster service efforts. He's adapted submarine technologies for use in "Star Wars" missile defense systems, designed and built equipment for use on NASA's space shuttle, and developed software models to predict intercontinental ballistic missile trajectories. Mark holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on security and privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant.


Hacker Court ’04: Pirates of the Potomac
Carole Fennelly, President, Wizard’s Keys Corp

Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand.

This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining.

Trial Presentation:
Chief Judge Philip M. Pro – Chief United States District Court Judge for the District of Nevada
Richard Salgado, Senior Counsel, Computer Crime and Intellectual Property Section of the United States Department of Justice
Erin Kenneally, M.F.S., J.D., Forensic Analyst, San Diego Supercomputer Center
Simple Nomad, BindView: Occam Theorist, NMRC: Hacker
Jesse Kornblum, Captain, USAF, United States Naval Academy
Jack Holleran, Former NSA
Brian Martin, Security Consultant
Richard Thieme, CEO, Thiemeworks, Inc
Jonathan Klein, Senior Manager, Security, Calence, Inc
Ken Olthoff, Emcee
Caitlin Klein, Court Clerk

Carole Fennelly (producer and contact) (fennelly at
Carole Fennelly is an author, speaker and information security consultant. She was co-founder of the Wizard's Keys security consulting firm which has been providing security expertise to Fortune 500 clients in the New York Metropolitan area for more than ten years. Ms. Fennelly has also published numerous articles for IT World, Sunworld and Information Security Magazine. She has been a speaker at Blackhat and many other security conferences. Her technical background includes an in-depth security and administration knowledge of UNIX operating systems.

Honorable Philip M. Pro, Chief United States District Court Judge for the District of Nevada
Judge Pro was appointed United States District Court Judge for the District of Nevada, at Las Vegas, on July 23, 1987.

Judge Pro also served as United States Magistrate Judge for the District of Nevada from 1980 until his elevation to the District Court, during which he supervised pretrial proceedings in the MGM Grand Hotel Fire Litigation. Judge Pro received his J.D. degree from Golden Gate University School of Law in June 1972.

Erin Kenneally, M.F.S., J.D.
Ms. Kenneally is a licensed Attorney who holds Juris Doctorate and Master of Forensic Sciences degrees. She consults, researches, publishes, and speaks on prevailing and forthcoming issues at the crossroads of information technology and the law. This includes evidentiary, procedural, and policy implications related to digital forensics and information security. She has lectured and helped coordinate training conferences for officers of the court, law enforcement, and industry professionals concerned with digital evidence and information forensics. She is a Forensic Analyst at the San Diego Supercomputer Center, liaises and holds leadership positions with the Computer and Technology Computer High Tech Task Force (CATCH) and High Technology Computer Investigation Association (HTCIA) and provides thought leadership to numerous private and government advisory committees engaged in information technology law issues.

Paul Ohm (Paul dot ohm at
Paul Ohm used to write code for a living. Then he went to law school, and he's never really been the same. He now works for the U.S. Department of Justice.

Raven Alder
Raven Alder is a Senior Security Engineer with True North Solutions. She has spoken about security, cryptography, and network engineering at a variety of conferences, including Linux World Expo, AusCERT, and DefCon. In addition to doing consulting for enterprise networks, she has contributed to a book on Snort, and currently spends too much of her time peering at Packets That Should Not Be, and writing about them.

Richard Thieme (rthieme at
Richard Thieme is a business consultant, writer, and professional speaker focused on "life on the edge," in particular the human dimension of technology and work. He is a contributing editor for Information Security Magazine. Speaking/consulting clients include: GE Medical Systems; Los Alamos National Laboratory; Apache Con; Microsoft; Network Flight Recorder; System Planning Corporation (SPC); InfraGard; Firstar Bank; Financial Services - Information Sharing and Analysis Center (FS-ISAC); Psynapse/Center for the Advancement of Intelligent Systems; Cypress Systems; Assn. for Investment Management and Research (AIMR); Alliant Energy; Wisconsin Electric; UOP; Ajilon; OmniTech; Strong Capital Management; MAPICS; Influent Technology Group; FBI; US Department of the Treasury; the Attorney General of the State of Wisconsin; and the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas.

Jonathan Klein (Jklein at
Jonathan Klein is a senior security manager with Calence Inc, a networking company located in Tempe, Arizona. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan and with private attorneys, discovering there is more to being a technical witness than purely technical knowledge. Most recently, he served as defense expert witness in U.S. vs. Oleg Zezev, the Russian citizen accused of hacking into Bloomberg LLP and making extortion demands.

Brian Martin (Jericho at
Brian Martin is an outspoken security consultant in the Denver, Colorado area. Brian has the relatively unique experience of being on both sides of an FBI investigation. His daily work takes him in and out of commercial and government networks, usually without sparking law enforcement investigation. His work revolves around making recommendations based on cynical review of network and system security. He will be survived by his three cats.

Jesse Kornblum
Captain Jesse Kornblum is an instructor in the Computer Science Department at the United States Naval Academy. Before this assignment, he was an agent with the Air Force Office of Special Investigations, and served as Chief of Research and Development for that agency. A graduate of the Massachusetts Institute of Technology, his research is focused on computer forensics and computer security. Contact: research [at] jessekornblum [dot] com.

Jack Holleran (Jholleran at
Jack Holleran, CISSP, currently teaches Information Security at several colleges and the Common Body of Knowledge review for ISC2. In a past life, he was the Technical Director of the National Computer Security Center at the National Security Agency and Chair of the National Information Systems Security Conference.

Richard P. Salgado (Richard dot salgado at
Richard Salgado serves as Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice. Mr. Salgado specializes in investigating and prosecuting computer network cases, such as computer hacking, denial of service attacks, illegal sniffing, logic bombs, viruses and other technology-driven privacy crimes. Often such crimes cross international jurisdictions; Mr. Salgado helps coordinate and manage the investigation and prosecution of those cases. Mr. Salgado participates in policy development relating to emerging technologies such as the growth of wireless networks, voice-over Internet Protocol, surveillance tools and forensic techniques. Mr. Salgado serves as a lead negotiator on behalf of the Department in discussions with communications service providers to ensure that the ability of the Department to enforce the laws and protect national security is not hindered by foreign ownership of the providers or foreign located facilities. Mr. Salgado also regularly trains investigators and prosecutors on the legal and policy implications of emerging technologies, and related criminal conduct. Mr. Salgado is an adjunct law professor at Georgetown University Law Center where he teaches a Computer Crime seminar, and is a faculty member of the SANS Institute. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.

Weasel (Weasel at
Weasel is a freelance security consultant specializing in Intrusion Detection, Policy, Incident Response, Digital Forensics, Penetration Testing, and Security Awareness. He is also a charter member of an industry Information & Sharing Analysis Center and is a member of Nomad Mobile Research Centre.

Ryan Bulat (Shadow at
Ryan Bulat is an intern at Wizard’s Keys, where he is responsible for web site support. His interests are in Science and Technology as well as programming. When school doesn’t intrude, he is also an avid gamer who wonders why game stats aren’t included in college admissions along with SAT scores.

Jennifer Granick (Jennifer at
Jennifer Stisa Granick is the Litigation Director of the public interest law and technology clinic at Stanford Law School's Center for Internet and Society. Ms. Granick's work focuses on the interaction of free speech, privacy, computer security, law and technology. She is on the Board of Directors for the Honeynet Project and has spoken at the NSA, to law enforcement and to computer security professionals from the public and private sectors in the United States and abroad. Before coming to Stanford Law School, Ms. Granick practiced criminal defense of unauthorized access and email interception cases nationally. She has published articles on wiretap laws, workplace privacy and trademark law.

Rebecca Bace (Infomom at
Rebecca Bace is the President/CEO of Infidel, Inc., a network security consulting practice, headquartered in Scotts Valley, CA. She is also a Venture Partner for Trident Capital, a venture capital firm in Palo Alto. Bace provides strategic and operational consulting services for clients that include security point product developers, legal firms, and Internet solutions providers, and also directs investments in security startups. She is a noted author on topics in intrusion detection, network security, and forensic testimony with credits including the white paper series for ICSA's Intrusion Detection Consortium, a book on "Intrusion Detection" (published by Macmillan in 2000) and a book on "Forensic Testimony" (with Fred Smith), published by Addison Wesley in October, 2002.


Hacking with Executives
JD Glaser, CEO, NT Objectives
Steve Brower, Partner, SORT Law
David Mortman, Director of Global Security, Siebel Systems
Paul Simmonds, CISO, ICI
Justin Somaini, VeriSign

The issue of security testing between banks and corporate networks is one of the most important and delicate concerns facing consumers and businesses today. It is where fraud takes place and financial information is leaked, and it is often the lowest common denominator targeted by attackers. Solving the problem takes cooperation. Until the reality of this situation is communicated and the problem engaged, both the consumer and business sectors remain at risk of personal information theft and loss of revenue.

The solution to this concern lies in a cooperative understanding of the threat by all partners, and a top-down, coordinated effort to secure interdependencies. JD Glaser, renowned security freeware author, will present a new free tool and research concerning virtual fraud and the crucial interconnection issues companies have with their partners and financial institutions. After JD's presentation, he will lead a panel discussion with executives confronting this issue.

To be released at Black Hat, ntoinsight is a free command-line web crawler capable of scanning even the largest websites, analyzing site content, architecture and external interdependencies. ntoinsight crawls all site links and resources and catalogues them with their resource attributes (i.e. filetype, forms, mail ids, applets/objects, hidden fields, cookies, authentication, SQL connections and more). ntoinsight generates XML and HTML reports that graphically communicate all findings, including web server platforms, response codes, resource details and site interdependencies (links leaving the domain, passing information, etc.). Furthermore, ntoinsight identifies “Attack Points” targeted by hackers, thus communicating the extent of site threat exposure.
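The inventory the abstract describes (links and scripts that leave the domain, forms and their hidden fields, mail ids) is easy to picture with a small crawler. The following is an added example written for this page, not ntoinsight or any NT Objectives code. It assumes a constructed two-page site on the hypothetical host www.example-bank.test and replaces network fetching with an in-memory page table so it runs offline; the classification it produces (third-party hosts the site depends on, forms that post off-site) is the kind of dependency map a defender would review with partners before agreeing on testing scope.

```python
"""Catalogue a site's links, forms and external dependencies from HTML.

Added example (not ntoinsight's code). Pages are embedded inline and
fetched from a dict, so the crawl runs offline; swap PAGES.get for a real
fetch function to use it against a site you are authorised to assess.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import json

# Constructed sample site; every host name here is a placeholder.
SITE = "https://www.example-bank.test"
PAGES = {
    SITE + "/": """<html><body>
        <a href="/login">Sign in</a>
        <a href="https://partner.example-cdn.test/widget.js">widget</a>
        <a href="mailto:support@example-bank.test">Contact</a>
        <script src="https://analytics.example-ad.test/t.js"></script>
        </body></html>""",
    SITE + "/login": """<html><body>
        <form method="POST" action="https://auth.example-partner.test/sso">
          <input type="text" name="user">
          <input type="password" name="pass">
          <input type="hidden" name="return_to" value="/account">
        </form>
        <a href="/">Home</a>
        </body></html>""",
}


class PageParser(HTMLParser):
    """Collect hrefs, script sources, mailto ids and forms (with hidden fields)."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.links, self.scripts, self.forms, self.mailtos = [], [], [], []
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "a" and a.get("href"):
            if a["href"].startswith("mailto:"):
                self.mailtos.append(a["href"][len("mailto:"):])
            else:
                self.links.append(urljoin(self.base, a["href"]))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base, a["src"]))
        elif tag == "form":
            self._form = {"method": a.get("method", "GET").upper(),
                          "action": urljoin(self.base, a.get("action", "")),
                          "fields": [], "hidden": {}}
        elif tag == "input" and self._form is not None:
            name = a.get("name", "")
            if a.get("type", "text").lower() == "hidden":
                self._form["hidden"][name] = a.get("value", "")
            else:
                self._form["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(start, fetch, max_pages=50):
    """Breadth-first crawl following same-host links only.

    fetch(url) returns the page HTML or None. External hosts referenced by
    links, scripts or form actions are recorded rather than visited.
    """
    home = urlparse(start).netloc
    seen, queue = set(), [start]
    report = {"pages": [], "external_hosts": set(), "forms": [], "mail_ids": set()}
    while queue and len(report["pages"]) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        p = PageParser(url)
        p.feed(html)
        report["pages"].append(url)
        report["mail_ids"].update(p.mailtos)
        for ref in p.links:
            if urlparse(ref).netloc == home:
                queue.append(ref)          # same host: follow it
            else:
                report["external_hosts"].add(urlparse(ref).netloc)
        for src in p.scripts:              # third-party script = dependency
            if urlparse(src).netloc != home:
                report["external_hosts"].add(urlparse(src).netloc)
        for f in p.forms:
            f["page"] = url
            f["posts_offsite"] = urlparse(f["action"]).netloc != home
            if f["posts_offsite"]:
                report["external_hosts"].add(urlparse(f["action"]).netloc)
            report["forms"].append(f)
    return report


def to_json(report):
    """Serialise the report (sets become sorted lists) for an HTML/XML front end."""
    out = dict(report, external_hosts=sorted(report["external_hosts"]),
               mail_ids=sorted(report["mail_ids"]))
    return json.dumps(out, indent=2)


if __name__ == "__main__":
    print(to_json(crawl(SITE + "/", PAGES.get)))
```

The form on the login page is the finding worth reading first: it collects a password and posts it to a host the site does not control, which is exactly the kind of partner interdependency the panel is about. Cookies, response codes and server platforms would come from the HTTP layer, which the offline fetch stub does not model.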

Jassen "JD" Glaser is President and CEO of NT OBJECTives, a company he founded originally in 1997 to deliver the first Windows NT based security tools to the information security community. Widely heralded as one of the top industry luminaries, JD continues to develop a legacy of excellence in building the industry's top security technologies and services to this day. JD brings over a decade of experience in security assessment and application development.

Previously, JD worked as the Director of Engineering at Foundstone, a leader in information security services and technology. In his position, JD was the primary architect for FoundScan. Prior to Foundstone, JD founded NT OBJECTives and developed some of the most widely used security tools in the industry, with over 100,000 subscribers at its peak. JD also wrote the first Windows NT compatible version of Tripwire, a benchmark technology for data integrity. JD has previously worked with companies such as Intel, Hewlett Packard and Columbia Sportswear in architecting and building enterprise network database systems.

JD has been a regular instructor at the Black Hat conferences, and is a speaker at top industry conferences and trade shows. He has provided instructional courses on security tactics and techniques to numerous Global 100 companies and the government.

David Mortman, Director of Global Security for Siebel Systems, Inc., and his team are responsible for Siebel Systems' worldwide IT security infrastructure, both internal and external. He also works closely with Siebel's product groups and the company's physical security team. Previously, Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE, and speaker at RSA's 2002 security conference, Mortman earned a BS in Chemistry from the University of Chicago.

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI, working for the CIO Office in London. Prior to joining ICI he spent a short time with a high security European web hosting company as Head of Information Security, and before that seven years with Motorola, again in a global information security role. Paul is also a founding member of the Jericho Forum, a pan-global grouping of corporate companies working to define the issues and benefits of operating in a de-perimeterised environment.

In his career he has worked with many external agencies, including the FBI, Scotland Yard, Wiltshire Computer Crime and Wiltshire Child protection. He has also been directly involved in two successful criminal prosecutions, giving evidence in one case.

Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication and is also a qualified kayak coach. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites.

He is married with three children and a very understanding wife and in the little spare time that he has teaches canoeing and runs charity radio stations.

Justin Somaini is Director of Information Security at VeriSign Inc. where he is responsible for managing all aspects of network and information security for VeriSign. With over 10 years of Information Security and Corporate Audit experience, Justin has leveraged his knowledge of audit and large organizations to remediate global infrastructure problems and create a full risk identification and remediation Information Security group. Previously, Justin was the Director of Information Security Services for Charles Schwab Inc., where he was responsible for all aspects of Information Security Operations. Before that he was a Manager with PricewaterhouseCoopers LLP where he spent several years developing their attack and penetration leadership and audit practice.


Web Application Security Crossfire: "Different Views On Web Application Security"
David Rhoades, Principal Consultant, Maven Security Consulting Inc.
Jeremiah Grossman, Founder and CEO, WhiteHat Security
Paul E. Proctor, CISSP, CISM, Vice President, Security & Risk Strategies, META Group, Inc
Frank Lam, CISSP, Senior Manager, Deloitte & Touche LLP
Caleb Sima, CTO and Co-Founder, SPI Dynamics

As a result of insecure custom application code and unpatched web servers, web application security vulnerabilities are one of the most prolific attack vectors for hacking into organizations. The threat is very real and the risk lies not only in known vulnerabilities, but those vulnerabilities yet to be discovered. For web application attacks, you not only need to concern yourself with the well-known issues, but the unknown as well. For eBusiness web sites, these previously unknown vulnerabilities are found in over 90% of the web sites tested. Web application security is fairly new and the best practices for combating these threats are just starting to emerge.

With different viewpoints from the participating panelists, the discussion will focus on the many approaches to web application security. Each panelist possesses a different background (corporate security, security consulting, security product, and security research) and an interesting perspective on how to effectively protect a web site and web-based applications. The panelists will share their day-to-day, in-the-trenches experiences and will answer questions from the audience.

Panel Topics:

  • The "Real" Top Security Vulnerabilities
  • What are companies doing, and what aren't they doing, to protect their critical assets from web application attack? Are the solutions working?
  • Do application scanners, firewalls and codewalkers really work?
  • Is offshore application development affecting the security landscape?

David Rhoades is a principal consultant with Maven Security Consulting Inc. Maven Security Consulting Inc. is headquartered outside Washington DC and provides information security assessments and training.

David's expertise includes web application security, network security architectures, and vulnerability assessments for networks and telecommunication systems. Past customers have included domestic and international companies in various industries, as well as various US government agencies. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore).

David was the concept creator for Achilles, the first publicly released general purpose web application security assessment tool.

David teaches domestically and internationally at various security conferences, and has taught for the SANS Institute, the MIS Training Institute, ISACA, and USENIX.

David has a bachelor's degree in computer engineering from the Pennsylvania State University.

Jeremiah Grossman, Founder and Chief Executive Officer, WhiteHat Security
Jeremiah Grossman is the founder and CEO of WhiteHat Security, Inc. Prior to WhiteHat, Mr. Grossman was an information security officer for Yahoo!, where he was responsible for performing security reviews on the company's hundreds of web applications.

A 6-year security industry veteran, Mr. Grossman’s research has been featured in USA Today, NBC, and ZDNet while exploring all areas of web security. He is a world-renowned leader in web security and frequent speaker at the Blackhat Briefings, NASA, Air Force and Technology Conference, Washington Software Alliance, ISSA, and Defcon.

Jeremiah Grossman is a founder of the Web Application Security Consortium (WASC), co-founder of the Open Web Application Security Project (OWASP), and a contributing member of the Center for Internet Security Apache Benchmark Group.

Paul E. Proctor, CISSP, CISM, Vice President, Security & Risk Strategies, META Group, Inc
Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation host-based intrusion detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to 9/11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder, and Practical Security. Mr. Proctor holds a BS in Mathematics/Computer Science from the University of Illinois.

Frank Lam, CISSP, Senior Manager, Deloitte & Touche LLP
Frank Lam is a senior manager in Deloitte & Touche's Enterprise Risk Services practice, delivering enterprise-wide risk and security consulting services. He has over eight years' experience in the field of information systems and security management and systems design and integration. Frank is responsible for the overall delivery and quality assurance of network, system, and application security engagements. He has performed consulting services in the areas of system and network penetration testing as well as implementations dealing with databases, firewalls, IDS, encryption, and remote access solutions. For the past 4 years, Frank has focused on and led numerous application-based assessments and penetration tests. He has contributed to articles and research in media such as Security Management Magazine and MSNBC, and holds the CISSP and CISM certifications.

Caleb Sima, CTO & Co-Founder SPI Dynamics
In early 2000, Caleb Sima co-founded SPI Dynamics, the expert in application security assessment, where he currently holds dual roles of CTO and director of SPI Labs, the highly regarded application R&D security team within SPI Dynamics. Prior to co-founding SPI Dynamics, Caleb worked for Internet Security Systems (ISS), an industry pioneer and global leader in Internet security. Caleb was a member of ISS’ elite X-Force team, led the creation of the first penetration testing team and drove enterprise security assessments for the company. Caleb began his career in 1996 as a security engineer for S1 Corporation, where he was responsible for testing the security of software products for the banking and finance industries. Caleb's engineering exploits have gained media attention in publications such as the New York Times and the Washington Post. He has also contributed to Baseline Magazine and SC Magazine and was featured, along with the ISS X-Force, in US News and World Report and Security World Magazine. He is a frequent speaker at industry events and tradeshows, including the 2002 Cyber Security in the Financial Services Sector Executive Summit, the 2003 SouthEast CyberCrime Summit, Comdex 2003, Information Systems Security Association (ISSA) and RSA 2004. Caleb is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS.


Dr. Alessandro Acquisti

Joseph Ansanelli

Phillip Hallam-Baker

Brad Bolin

Dominique Brezinski

Steve Brower

Jamie Butler

Patrick Chambet

Justin Clarke

Mary Ann Davidson

Nitesh Dhanjani

Roger Dingledine

Maximillian Dornseif

Michele Drgon

Stephen Dugan

Himanshu Dwivedi

Chris Eagle

Rakan El-Khalil

Gerhard Eschelbeck


Peter Feaver

Halvar Flake

Hacker Court

Seth Fogie

James C. Foster

Kenneth Geers

JD Glaser

Sarah Gordon

Joe Grand

Jennifer Granick

Jeremiah Grossman

Lukas Grunwald

Bev Harris

Martin Herfurt

Greg Hoglund

Thorsten Holz

Cameron Hotchkies

Chris Hurley

Richard Johnson

Dan Kaminsky

Curtis Kret

Frank Lam

Adam Laurie

David Litchfield

Johnny Long

Kevin Mandia

David Maynor

Mark McGovern

Haroon Meer

Dr. Rebecca Mercuri

Gregory S. Miles

KK Mookhey

Brett Moore

HD Moore

Robert Morris

David Mortman

Laurent Oudot

Ryan Permeh

Larry Ponemon

Bruce Potter

Paul E. Proctor

Michael Raggo

David Rhoades

Russ Rogers

Len Sassaman

Travis Schack

Saumil Udayan Shah

Michael Shema

Adam Shostack

Peter Silberman

Caleb Sima

Paul Simmonds

Derek Soeder

Justin Somaini

Ralf Spenneberg


Andrew Stevens

Roelof Temmingh

Eugene Tsyrklevich

Yuji Ukai

Charl van der Walt

Jeff Waldron

David Worth

Brian Wotring

Paul Wouters

Stefano Zanero

(c) 1996-2007 Black Hat