Black Hat Digital Self Defense USA 2006

Black Hat USA 2006 Main Conference Overview


Black Hat USA 2006 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Speakers

Fighting Organized Cyber Crime – War Stories and Trends
Dan Larkin, Unit Chief, Internet Crime Complaint Center, Federal Bureau of Investigation

As one of the pioneers of partnerships for the FBI, Dan Larkin of the FBI’s Cyber Division will outline how the FBI has taken this concept from rhetoric to reality over the past 5 years. This presentation will explore how the mantra “make it personal” has aided the FBI in forging exceptional alliances with key stake holders from industry, academia and law enforcement both domestically and abroad. This presentation will also outline how such collaborations have helped to proactively advance the fight against an increasingly international and organized, cyber crime threat.

Dan Larkin became unit chief of the Internet Crime Complaint Center (IC3), a joint initiative between the FBI and the National White Collar Crime Center (NW3C), in January 2003. Before that he was a supervisory special agent (SSA) in the White Collar Crime area for ten years. In that capacity he supervised and coordinated numerous joint agency initiatives on both regional and national levels involving corruption and fraud associated with a variety of federal, state, and local agencies. SSA Larkin acted as the congressional investigative team leader in the “Operation Illwind” Pentagon scandal corruption investigation. The combined effort of this team led to record settlements and convictions involving numerous top defense contractors, as well as public officials.

Prior to his current assignment UC Larkin developed and supervised the High Tech Crimes Task Force in Western Pennsylvania, one of the first such initiatives in the United States. UC Larkin also developed a national initiative known as the National Cyber Forensics and Training Alliance (NCFTA). This progressive initiative maximizes overlapping public/private sector resources in identifying and proactively targeting escalating cyber-crime perpetrators both domestically and abroad. This project also serves to attract a perpetual stream of key Subject Matter Experts (SMEs) from industry, government and academia, creating a dynamic cyber nerve center for tactical and proactive response, forensics and vulnerability analysis, and the development of advanced training. UC Larkin also co-authored the FBI’s reorganization plan in 2002, which established Cyber Crime as a top priority and underscored the need for additional public/private alliances in combating priority cyber crimes world-wide.

SSA Larkin holds a BA in criminology with concentrations in industrial safety and security from Indiana University of Pennsylvania.


WiFi in Windows Vista: A Peek Inside the Kimono
Noel Anderson, Group Manager, Wireless Networking Group, Microsoft Corporation
Taroon Mandhana, Software Development Lead, Wireless Networking team at Microsoft

Windows Vista comes with redesigned support for WiFi (802.11 wireless). For those of us who live with a laptop in easy reach, it’s going to have an effect on our workday. For users there’s a new UI experience, helpful diagnostics and updated default behaviors. For IT pros who manage Windows clients, there’s improved management via Group Policy and Scripting. For sysadmins & geeks there’s a new command line interface.

But behind these more obvious changes there’s a new software stack, designed to be more secure but also more open and extensible. This talk will take a deep dive into that stack, describe the various components and their interaction, and show where developers can create code to modify and extend the client. Want to build a site survey tool, a wireless IDS, or hack your own driver? We’ll show where to plug in. We’ll describe in detail how the behavior of the wireless stack has changed from XP, explain the rationale behind this, and show how this is reflected in the user experience. Finally we’ll look at how Microsoft tests WiFi in Windows Vista.

Noel Anderson is a Group Manager in the Wireless & Mobility team at Microsoft. Noel has worked in Windows Networking since 1997 and his current focus is software architecture for wireless & mobility. Previous Microsoft projects include the RTC, HTTP & Peer-to-Peer networking stacks. He also led development of the SIP server which is now at the heart of the Office Live Communication Server. Prior to joining Microsoft Noel designed and developed embedded systems for Telecoms, Automotive Electronics, Avionics and Aircraft Weapon Systems.

Taroon Mandhana is a Software Development Lead in the Wireless Networking team at Microsoft. Taroon has worked in Windows Networking since 2001 and his current focus is Wireless Security and Manageability. Prior to Microsoft, Taroon worked at Information Sciences Research Center at Bell Labs. Taroon holds a masters degree from University of Texas at Austin and bachelors from I.I.T Delhi.


Bypassing Network Access Control (NAC) Systems
Ofir Arkin

The threat of viruses, worms, information theft and lack of control of the IT infrastructure leads companies to implement security solutions to control access to their internal IT networks.

A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. All are tasked with one goal – controlling the access to a network using different methods and solutions.

This presentation will examine the different strategies used to provide network access control.

Flaws associated with each and every NAC solution covered will be presented. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market.

Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks.

Ofir has 10 years of experience in data security research and management. Prior to co-founding Insightix, he served as CISO of a leading Israeli international telephone carrier. In addition, Ofir has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors.

Ofir conducts cutting-edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security and network discovery, and has lectured at a number of computer security conferences about this research. His best-known papers include “ICMP Usage in Scanning”, “Security Risk Factors with IP Telephony based Networks”, “Trace-Back” and “Etherleak: Ethernet frame padding information leakage”. He is a co-author of the remote active operating system fingerprinting tool Xprobe2.

Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA) and also serves as a board member.

Ofir is the founder of the Sys-Security Group, a computer security research group.


Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems
Robert Auger, Security Engineer, SPI Dynamics Inc., Co-Founder, Web Application Security Consortium
Caleb Sima, CTO and Co-Founder, SPI Dynamics

This presentation will discuss the use of RSS and Atom feeds as a method of delivering exploits to client systems. In our research we have found a number of RSS clients, both local and web-based, that are far too trusting of the content that is delivered via feeds. Although this content arrives as well-formed XML, fundamentally it originated as user input elsewhere. Like any such data, it can contain malicious and malformed content, yet many clients fail to guard against this. And though such content by definition originates remotely, many clients use methods of display that cause it to be trusted as if it were locally originated.

As RSS becomes more ubiquitous, the scope of this problem becomes worse. Many RSS feeds are machine generated from content originating in other feeds, search engine results, and so on. This means that feed subscribers can even be targeted without them actually subscribing to your feed at all. This has potential uses for worm propagation, botnet creation, and other forms of attack.

Robert Auger is a Security Engineer for SPI Dynamics where he is responsible for Web application security R&D. He is a known expert on Web application security vulnerabilities and exploits and currently runs a popular Web application security resource Web site. Robert co-founded the Web Application Security Consortium (WASC), a group dedicated to developing and promoting "security standards of best practice" for the World Wide Web, in 2004, where he currently leads the WASC-Articles project. He has also contributed attack signatures to SNORT, an open source network intrusion detection system (IDS), as well as served as an expert technical advisor to the media on stories related to Internet security.

Caleb Sima is the co-founder and CTO of SPI Dynamics, a Web application security company. Caleb is responsible for directing the lifecycle of the company’s Web application security solutions and is the director of SPI Labs R&D team within SPI Dynamics. Caleb has been engaged in the Internet security arena since 1996, and has become widely recognized as an expert in Web security, penetration testing and for identifying emerging security threats. His pioneering efforts and expertise in Web security have helped define the direction the Web application security industry has taken. Prior to co-founding SPI Dynamics in early 2000, Caleb worked for Internet Security Systems’ elite X-Force R&D team and as a security engineer for S1 Corporation. Caleb is a frequent speaker and expert resource for the press on Internet attacks and has been featured in the Associated Press. He is also a contributing author to various magazines and online columns, and is a co-author of the book titled, Hacking Exposed Web Applications Second Edition. Caleb is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC).


Investigating Evil Websites with Monkeyspaw: The Greasemonkey Security Professional's Automated Webthinger
Tod Beardsley, Lead Counter-Fraud Engineer, TippingPoint, a division of 3com

Monkeyspaw is a unified, single-interface set of security-related website evaluation tools. Implemented in Greasemonkey, its purpose is to automate several common tasks employed during the early steps of an incident investigation involving client-side exploits.

More generally, Monkeyspaw is also intended to demonstrate some of the more interesting data correlation capabilities of Greasemonkey. Hopefully, its release will encourage more security application development in this easy to use, cross-platform, web-ready scripting environment.

About Greasemonkey: Greasemonkey is described as "bookmarklets on crack" by its primary developer, Aaron Boodman. For more details, see his presentation.

Tod Beardsley is the Lead Counter-Fraud Engineer at TippingPoint (a division of 3Com). He researches, prevents and occasionally invents network-based exploits and vulnerabilities in support of TippingPoint's award-winning line of Intrusion Prevention System products. Tod has 16 years of experience with data and telephony network security, and has held IT security positions at Dell and Westinghouse. His greatest professional achievement was second place in a nerd beauty pageant.


Finding Gold in the Browser Cache
Corey Benninger, Security Consultant, Foundstone, a Division of McAfee

Looking for instant gratification from the latest client side attack? Your search may be over when you see the data that can be harvested from popular web browser caches. This discussion will focus on what web application programmers are NOT doing to prevent data like credit card and social security numbers from being cached. It will explore which popular websites are not disabling caching of such data and what tools an attacker can use to gather this information from a compromised machine. A general overview of web browser caching will be included, along with countermeasures from both the client and server side.

Corey Benninger, CISSP, is a Security Consultant with Foundstone, a division of McAfee, where he commonly performs web application assessments for leading financial institutions and Fortune 500 companies. He also is involved with teaching Ultimate Hacking Exposed courses to clients throughout the United States. Prior to joining Foundstone, Corey worked on developing web applications for a nationwide medical tracking system as well as infrastructure applications for internet service providers.


IPS Shortcomings
Renaud Bidou, Radware

Technologies emerge on a regular basis with new promises of better security. This is more or less true. However we know there are still weaknesses and that 100% security is not realistic. Therefore the real need when deploying a new security device is to know its limits. IPS are part of those new technologies. They are oversold by marketing speeches and promises of an absolute security. Guess what? This is not exactly the truth....

The purpose of this speech is not to discredit IPS but to help in understanding the limits of technologies that are involved. We will particularly focus on the following subjects:

  • conceptual weaknesses and ways to detect "transparent" inline equipment
  • signature issues
  • hardware architecture limitations and common jokes
  • the necessary performance vs. security trade-off and its consequences
  • behavioral, heuristic, neural-network approaches etc.: reality and limitations

Through examples, proofs of concept and test-bed results we will provide a broad view of IPS reality, what you can expect from them now and what they will never do for you.

Renaud Bidou has been working in the field of IT security for about 10 years. He first performed consulting missions for telcos, pen-tests and post-mortem audits, and designed several security architectures. In 2000 he built the first operational Security Operation Center in France which quickly became the 4th French CERT and member of the FIRST. He then joined Radware as the security expert for Europe, handling high severity security cases.

In the meantime Renaud is an active member of the rstack team and the French Honeynet Project, which studies honeynet containment, honeypot farms and network traffic analysis. He regularly publishes research articles in the French security magazine MISC and teaches in several universities in France.


Automated Malware Classification/Analysis Through Network Theory and Statistics
Daniel Bilar, Hess Fellow, Wellesley College, Visiting Assistant Professor, Colby College

Automated identification of malicious code and subsequent classification into known malware families can help cut down laborious manual malware analysis time. Call sequence, assembly instruction statistics and graph topology all say something about the code. This talk will present three identification and classification approaches that use methods and results from complex network theory. Some familiarity with assembly, Win32 architecture, statistics and basic graph theory is helpful.

Daniel Bilar is an academic researcher who enjoys poking his nose in code and networks and trying novel ways to solve problems. He has degrees from Brown University (BA, Computer Science), Cornell University (MEng, Operations Research and Industrial Engineering) and Dartmouth College (PhD, Engineering Sciences). Dartmouth College filed a provisional patent for his PhD thesis work ("Quantitative Risk Analysis of Computer Networks", Prof. G. Cybenko advisor), which addresses the problem of risk opacity of software on wired and wireless computer networks.

Daniel is a founding member of the Institute for Security and Technology Studies at Dartmouth College. ISTS conducts counter-terrorism technology research, development, and assessment for the Department of Homeland Security. He was part of the group that researches new methods of protecting the nation's communication infrastructure. He was also a SANS GIAC Systems and Network Auditor Advisory Board member from 2002 to 2005. Daniel is currently the Hess Fellow in Computer Science at Wellesley College (MA). He has previously developed and taught computer science undergraduate courses on network/computer security and complex network theory at Oberlin College (OH) and Colby College (ME).


Taming Bugs: The Art and Science of Writing Secure Code
Paul Böhm, Lord Protector and Defender of the Crown at SEC-Consult

If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal.

Paul Böhm was a founding member of TESO Security in 1998, and has spent a lot of time breaking code. In 2003 he worked on quantum cryptography at the University of Vienna, where he developed and implemented an improved-efficiency quantum cryptography protocol. His current interest is in Vulnerability Defense and Secure Software. He works as a Security Consultant for SEC Consult.


Physical Memory Forensics
Mariusz Burdach, Senior Consultant, CompFort Meridian, Polska Sp. z o.o.

Historically, only file systems were considered as locations where evidence could be found. But what about the volatile memory which contains a huge amount of useful information such as the content of clipboards or the SAM database? How long can volatile data stay in the main memory? What about anti-forensic methods of defeating disk forensic and incident response tools? Why is the content of the memory not dumped during the process of data collection from a suspicious computer? What is the best way to analyze the physical memory from Windows® and Linux® machines? Is it possible? I will answer these questions during my Black Hat presentation which is focused on methods of finding digital evidence in the physical memory of Windows and Linux machines.

During the presentation, methods of investigating the physical memory of a compromised machine will be discussed. Through these methods, it is possible to extract useful information from memory such as the full content of .dll and .exe files, various caches like clipboards, detailed information about each process (e.g. owner, MAC times, content) and information about processes that were executed and terminated in the past. Also, methods of correlating page frames, even from swap areas, will be discussed. The techniques covered during the presentation will lead you through the process of analyzing important structures and recovering the content of files from physical memory. As an integral part of the presentation, new ways of detecting hidden objects and methods of detecting kernel modification will be presented. These methods can be used to identify compromised machines and to detect malicious code such as memory-resident rootkits or worms.

Finally, toolkits will be presented to help an investigator to extract information from an image of the physical memory or from the memory object on a live system.

Mariusz Burdach is a security researcher specializing in forensics, reverse engineering, intrusion detection, advanced intrusion protection and security management. He has published several articles on these topics in online and in hardcover magazines. Mariusz is currently working on methods of forensic analysis of physical memory and methods of detecting kernel mode rootkits. In addition, he is also an expert witness and a SANS Local Mentor. As an independent instructor, he has been teaching incident response and forensic analysis and hardening of Unix/Linux systems for over 4 years. Mariusz has served as a consultant, auditor and incident handler to many government and financial institutions in Poland. He lives in Warsaw, Poland.


Fuzzing Selected Win32 Interprocess Communication Mechanisms
Jesse Burns, Principal Partner, iSECPartners

This presentation prepares attackers and defenders to perform automated testing of some popular Windows® interprocess communication mechanisms. The testing will focus on binary win32 applications, and will not require source code or symbols for the applications being tested. Attendees will be briefly introduced to several types of named securable Windows communication objects, including Named Pipes and Shared Sections (named Mutexes, Semaphores and Events will also be covered, to a lesser degree). Audience members will learn techniques for identifying when and where these communication objects are being used by applications as well as how to programmatically intercept their creation to assist in fuzzing. iSEC will share tools used for interception and fuzzing, including tools for hooking an arbitrary executable's creation of IPC primitives. Working examples of fuzzers with source code written in Python and C++ will demonstrate altering of data flowing through these IPC channels to turn simple application functionality tests into powerful security-focused penetration tests.

Attendees should be familiar with programming in C++ or Python, and have a security research interest in win32. Developers, QA testers, penetration testers, architects and researchers are the primary target audience for this somewhat technical talk.

Jesse Burns is a Principal Partner at iSEC Partners, where he works as a penetration tester. Previous to founding iSEC Partners, Jesse was a Managing Security Architect with @Stake and a software developer who focused on security-related projects on Windows® and various flavors of Unix®. Jesse presented in December of 2004 at the SyScan conference in Singapore on exploiting weaknesses in the NTLM authentication protocol. He has also presented at OWASP, Directory Management World and for his many security consulting clients on issues ranging from cryptographic attacks to emerging web application threats. He is currently working on a book with Scott Stender and Alex Stamos on attacking modern web applications for publication with Addison Wesley.


R^2: The Exponential Growth in Rootkit Techniques
Jamie Butler, CTO Komoku, Inc.
Nick Petroni
William A. Arbaugh, President, Komoku, Inc.

Rootkit technology has exploded recently, especially in the realm of remote command and control vectors. This talk will cover the evolution of rootkit techniques over the years. It will explore the interaction between corporations, the open source community, and the underground. A detailed analysis of how different rootkits are implemented will be covered. Based on this analysis, the presentation concludes with a discussion of detection methods.

James Butler has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel". Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop, USENIX login, SecurityFocus, and Phrack. He has also appeared on Tech TV and CNN.

William Arbaugh spent sixteen years with the U.S. Defense Department, first as a commissioned officer in the Army and then as a civilian at the National Security Agency. During those sixteen years, Dr. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Dr. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Dr. Arbaugh received a B.S. from the United States Military Academy at West Point, an M.S. in computer science from Columbia University in New York City and a PhD in computer science from the University of Pennsylvania in Philadelphia.

Prof. Arbaugh is a member of DARPA's Information Science And Technology (ISAT) study group, and he also currently serves on the editorial boards of the IEEE Computer, and the IEEE Security and Privacy magazines. He has also co-authored a book with Jon Edney on Wi-Fi security that is published by Addison-Wesley.


Device Drivers
johnny cache
David Maynor, Senior Researcher, SecureWorks

Application level security is getting better. Basic stack based string overflows have become rare, and even simple heap overflows are getting hard to find. Despite this fact there is still a huge avenue of exploitation that has not been tapped yet: device drivers. Although they don’t sound very interesting, they are full of simple security programming errors as they are often developed for performance and in tight time frames. The traditional thinking is that although the code is bad an attacker can’t really get to it. Development of reliable off the shelf packet injection techniques combined with the excessive complexity of the 802.11 protocol creates a perfect combination for security researchers. Ever seen a laptop owned remotely because of a device driver? Want to?

David Maynor is a Senior Researcher at SecureWorks. He was formerly a research engineer with the ISS Xforce R&D team, where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer, helping to make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of companies in a wide range of industries, from digital TV development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.

Johnny Cache is currently attending school and will receive a Masters in computer security in September, at which point he will be looking for a job. He is also currently working on "Hacking Exposed: Wireless". His latest creation is Airbase, a suite of 802.11 utilities all tied together with a single core C++ library for packet creation and manipulation. Currently Cache is working on a tool to allow for remote chipset/driver detection of various 802.11 devices.


Thermoptic Camouflage: Total IDS Evasion
Brian Caswell, Research Engineer, Sourcefire
HD Moore, Director of Security Research, BreakingPoint Systems

Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be.

Brian Caswell is a member of the Snort core team, where he is the primary author for the world's most widely used intrusion detection rulesets. He was most recently the technical editor and "go to guy" for the book "Snort 2.0 Intrusion Detection." He is a member of the Shmoo group, an international not-for-profit, non-milindustrial independent private think tank. Currently, Brian is a Research Engineer within the Vulnerability Research Team for Sourcefire, a provider of one of the world's most advanced and flexible Intrusion Management solutions. Before Sourcefire, Brian was the IDS team leader and all around supergeek for MITRE, a government sponsored think tank. Not only can Brian do IDS, he was a Pokémon Master Trainer for both Nintendo and Wizards of the Coast, working throughout the infamous Pokémon Training League tours. In his free time, Brian likes to teach his young son Patrick to write perl, reverse engineer network protocols, and autocross at the local SCCA events.

HD Moore is Director of Security Research at BreakingPoint Systems, where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and led the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.


Microsoft Security Fundamentals: Engineering, Response and Outreach
Andrew Cushman, Director, Microsoft Security Response, Engineering and Outreach Team

You’ve heard about Trustworthy Computing and you’ve seen some security improvements from Microsoft. You may have wondered—“is this change real or is it just lip service?” You may also have asked yourself “self, why did they do that?” This presentation will give you an historical and current view of the changes Microsoft has made and our policies and procedures that deliver more secure products and improved security response. This promises to be a lively and entertaining talk illustrated with actual examples of these policies and procedures from Windows Vista and recent security updates.

Andrew Cushman, Director, Security Engineering, Response and Outreach, is responsible for Microsoft's outreach to the security community and has overall responsibility for the BlueHat conference. Andrew is a member of Microsoft's Security Engineering leadership team, whose current top priority is the security of Windows Vista. Cushman was the Group Manager for the IIS team and was instrumental in shipping IIS versions 4, 5, and 6.0. Way back in the day he started his 16 year career at Microsoft testing international versions of Publisher, Money, Works and Flight Simulator.


I’m Going To Shoot The Next Person Who Says VLANs
Himanshu Dwivedi, Principal Partner, iSEC Partners

Booksigning: Hacker’s Challenge 3 with Jeremiah Grossman and Himanshu Dwivedi at 12:30 on Thursday, August 3 at the BreakPoint Books booth.

Assessing and analyzing storage networks is key to protecting sensitive data at rest; however, the tools and procedures to protect such resources are absent. The presentation will attempt to bridge the gap between security professionals worried about storage security and the lack of tools/process to mitigate any exposures. The presentation will introduce the Storage Network Audit Program (SNAP), which is an assessment program for security professionals who wish to ensure their storage network is secure. The audit program requires no storage background. The program will clearly outline topics for storage security, list specific questions regarding each topic, and clearly state what outcomes would be satisfactory or unsatisfactory. Over 40 different topics are discussed in SNAP.

The presentation will also introduce a new tool to analyze the security configuration of a NetApp filer. SecureNetApp is a tool that will analyze over 90 settings on a NetApp filer and create an HTML report that shows all satisfactory and unsatisfactory settings. Based on the results, the tool will display the exact syntax that can be used to mitigate all unsatisfactory settings, which can be given directly to a storage administrator for remediation.

The presentation will conclude with a brief overview of the security gaps in new storage devices marketed to home users and small offices. While devices like NetGear Z-SANs meet the increasing demands of storage, they miss the mark in terms of data protection. A demo of a basic attack will be shown to highlight the lack of security in such home storage products.

Himanshu Dwivedi is a founding partner of iSEC Partners, an independent information security organization, with 12 years experience in security and information technology. Before forming iSEC Partners, Himanshu was the Technical Director for @stake’s Bay Area practice, the leading provider for digital security services. Himanshu has focused his security experience towards storage security, specializing in SAN and NAS security. His research includes iSCSI and Fibre Channel (FC) Storage Area Networks as well as IP Network Attached Storage.

Himanshu has three published books (two of them within the last year), including "Securing Storage: A Practical Guide to SAN and NAS Security" (Addison Wesley Publishing), "Hackers Challenge 3" (McGraw-Hill/Osborne), and "Implementing SSH" (Wiley Publishing). Himanshu also has a patent pending on a storage design architecture.


Attacking Apple’s Xsan
Charles Edge, Partner and Lead Engineer, Three18

A fundamental feature of many SAN solutions is the use of metadata to provide shared access to a SAN. This is true in iSCSI or FibreChannel and across a wide variety of products. Metadata can offer a way around the built-in security features, provided that attackers have FibreChannel connectivity.

SAN architecture represents a symbol of choosing speed over security. Metadata, the vehicle that provides speed, is a backdoor into the system built around it. In this session we will cover using Metadata to DoS or gain unauthorized access to an Xsan over the FibreChannel network.

Charles Edge began his consulting career working with Support Technologies, Andersen Consulting and Honda to name a few. In January of 2000 Charles arrived at Three18, a boutique consulting firm in Santa Monica, California. At Three18, Charles has worked with Network Architecture and Design for film, commercial production, post-production, advertising and design clients. As a partner at Three18 Charles manages a team of engineers and programmers.

Charles maintains an MCSE with Microsoft, a Network+ with CompTIA and an ACSA with Apple. The Apple certifications are those he is most proud of, having obtained the top certification of Apple Certified System Administrator. His first book, Mac Tiger Server Little Black Book, is available through Paraglyph Press. His second book, Web Admin Scripting Little Black Book, is also available through Paraglyph Press.


“Sidewinder”: An Evolutionary Guidance System for Malicious Input Crafting
Shawn Embleton, University of Central Florida
Sherri Sparks, University of Central Florida
Ryan Cunningham, University of Central Florida

Black box testing techniques like fuzzing and fault injection are responsible for discovering a large percentage of reported software vulnerabilities. These techniques typically operate by injecting random or semi random input into a program and then monitoring its output for unexpected behavior. While their high potential for automation makes them desirable, they frequently suffer from a lack of “intelligence”. That is, the random nature of input space exploration makes the probability of discovering vulnerabilities highly non-deterministic. Black box inputs are similar to unguided missiles. In this talk, we will discuss how we might turn these inputs into guided missiles by intelligently driving their selection using ideas borrowed from probability theory and evolutionary biology.

Shawn Embleton is a PhD student at the University of Central Florida currently researching optical network routing for the NSF. He has recently become interested in genetic algorithms and automated reverse code engineering. Shawn enjoys software engineering in general and prefers to work on new problems when the opportunity presents itself. New problems come with a fresh mix of challenges and provide the chance to learn new ideas. He is a “student for life” and still going strong after over 23-21 years.

Sherri Sparks is a PhD student at the University of Central Florida. She received her undergraduate degree in Engineering and subsequently switched to Computer Science after developing an interest in application security. Currently, her research interests include offensive / defensive malicious code technologies and automated reverse code engineering. She has published articles in Usenix Login, Security Focus, and Phrack magazine.

Ryan Cunningham is a theory guy. CFG stands for context-free grammar in his world. He pursues his work and interests in the fields of information theory, formal languages, evolutionary biology, genomics, machine learning, and computer security as a graduate student at the University of Central Florida. He is also handsome, smart, and funny. No one should suggest that this biography might be biased simply because he wrote it himself.


Hacking VoIP Exposed
David Endler, Director of Security Research, TippingPoint, a division of 3Com
Mark Collier, CTO SecureLogix

Lately there seems to be an explosion of press hype around the possibility of hackers exploiting Voice-over-IP networks and services (Skype, Vonage, etc.). VoIP Spam, Caller ID Spoofing, Toll Fraud, VoIP Phishing, Eavesdropping, and Call Hijacking are just some of the terms being thrown around that seem to cause a fair share of fear and uncertainty in the market.

We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also in order to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism on which attacks are likely to emerge into the public domain. Also, we will unveil several VoIP security tools we wrote to facilitate the exploiting and scanning of VoIP devices, along with a few 0-days we discovered along the way.

As VoIP is rolled out rapidly to enterprise networks this year, the accessibility and sexiness of attacking VoIP technology will increase. The amount of security research and bug hunting around VoIP products has only reached the tip of the iceberg and we predict many more vulnerabilities will begin to emerge.

David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's internal product security testing, VoIP security center, and TippingPoint’s vulnerability research teams. Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA). VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. Prior to TippingPoint, Endler led the security research teams at iDEFENSE. In previous lives, he has performed security research working for Xerox Corporation, the National Security Agency, and Massachusetts Institute of Technology. Endler is the author of numerous articles and papers on computer security and holds a Masters degree in Computer Science from Tulane University.

Mark Collier, CTO for SecureLogix Corporation, is responsible for research and related intellectual property. Previously, Mr. Collier was with the Southwest Research Institute for 14 years, where he contributed to and managed software research and development projects in a wide variety of fields, including information warfare. Mr. Collier has been working in the industry for 20 years, and has spent the past decade working in security, telecommunications, and networking. He is a frequent author and presenter on the topic of voice and VoIP security and holds a Bachelor of Science degree in Computer Science from St. Mary’s University.


Breaking Crypto Without Keys: Analyzing Data in Web Applications
Chris Eng, Director of Security Services, Veracode

How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human readable text? What did you do next—ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it?

This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience.

This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers.

Chris Eng is the Director of Security Services with Veracode.

His primary areas of expertise include application and network security assessments, with a focus on penetration testing and vulnerability analysis. Additional areas of interest include binary analysis, exploit development, and cryptography.

Previously, he served as a Consulting Manager with Symantec (formerly @stake), where he helped numerous Fortune 500 companies assess the security of their networks, web applications, and commercial software. Prior to joining @stake, he was a computer scientist at the NSA, where he spent a portion of his time performing penetration tests against US government-owned networks. He holds a BS degree in Electrical Engineering and Computer Science from the University of California.


Analysing Complex Systems: The BlackBerry Case
FX, Phenoelit & SABRE Labs

When trying to analyze a complex system for its security properties, very little information is available in the beginning. If the complex system in question contains parts that the analyst cannot see or touch, proprietary hardware and software as well as large scale server software, the task doesn't get any easier. The talk will tell the story of how Phenoelit went about looking at RIM's BlackBerry messaging solution, focusing on the approaches tried and their expected and real effectiveness.

FX is the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. FX looks back at as little as eight years of (legal) hacking with only a few Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road. Professionally, FX runs SABRE Security's consulting arm SABRE Labs, specializing in reverse engineering, source code audits and on-demand R&D of industry grade security architectures & solutions.


MatriXay—When Web App & Database Security Pen-Test/Audit Is a Joy
Yuan Fan, Founder, DBAppSecurity Inc.
Xiao Rong

This topic will present a new web-app/DB pen-test tool. This tool supports both proxy (passive) mode as well as direct URL targeting. It is a mixed Web App SQL Injection systematic pen-test and WebApp/Database scanner/auditing-style tool and supports most popular databases used by web applications such as Oracle, SQL Server, Access and DB2. It has many unique features, from web app backend database automatic detection to the ability to browse database objects (without the need to ask for a password, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation.

Yuan Fan, GCIH, GCIA, CISSP, is the founder of DBAppSecurity Inc, a consulting service on enterprise security management, especially database and application security. His expertise spans from network layer to application/database layer security. Before that he worked 5+ years for ArcSight on a variety of security device connectors, and many years in the network management area. He holds a Master of Computer Engineering degree from San Jose State University. Last year, he presented on abnormality detection between the webApp layer and the DB layer. This time he is going to show the brand new sword for the first time. The tool "MatriXay", which was designed and developed by him and his partner Xiao Rong in their spare (night) time, is deemed to be promising from several aspects, including the deep pen-test ability framework and cross-database support (currently Oracle, SQL Server, DB2 and Access).


How to Unwrap Oracle PL/SQL
Pete Finnigan, Principal Consultant, Siemens Insight Consulting

PL/SQL has been the flagship language used inside the Oracle database for many years and through many versions to allow customers to implement their business rules and logic. Oracle has recognized that it is necessary for customers to protect their intellectual property coded in PL/SQL and has provided the wrap program. The wrapping mechanism was cracked some years ago and there are unwrapping tools in the black hat community. Oracle has beefed up the wrapping mechanism in Oracle 10g, in part to counter this.

What is not common knowledge amongst the user community is that PL/SQL code installed in the database is not secure and can be read if you are in possession of an unwrapper. What is not common knowledge even in the security community is that Oracle always knew that PL/SQL can be unwrapped, due to the methods chosen to wrap it in the first place. What is more surprising is that there are features and programs actually shipped with the database software that show how it is possible to unwrap PL/SQL without using reverse engineering techniques—if you know where to look!

Pete Finnigan is well known in the Oracle community for hosting his Oracle security website, which includes a whole raft of Oracle security information from blogs, forums, tools, papers and links. He is the author of the "SANS Oracle Security Step-By-Step" guide book and of the SANS GIAC Oracle security course. Pete currently works for Siemens Insight Consulting as head of their database security team, performing security audits, training, design and architecture reviews. He has also written many useful Oracle security scripts and password lists available from his website and has written many papers on the subject published by many different sites, including Security Focus and iDefence. Pete is also a member of the OakTable, a group of the world’s leading Oracle researchers.


Carrier VoIP Security
Nicolas Fischbach, Senior Manager, European Network Security Engineering, COLT Telecom & Co-founder Sécurité.Org

VoIP, IMS, FMC, NGN, PacketCore, MPLS. Put those together and you are looking at the next security nightmare when it comes to Service Provider infrastructure security. Carriers are already moving away from basic data and VoIP services towards the Next Generation Network, where you have one packet-based core network which is going to carry "junk" Internet traffic, "secure" Multi-Protocol Label Switching VPNs, "QoS guaranteed" voice, etc. And soon, thanks to new handhelds, you'll see more and more Fixed and Mobile Convergence, which enables you to roam anywhere inside and outside of the enterprise and access new interactive content thanks to the IP Multimedia Subsystem.

During this talk we will present such an architecture (based on a real large scale deployment with 4 major vendors), the security and architecture challenges we ran (and still run) into, and how we mitigate the risks (denial of service, interception, web apps security, fraud, etc).

Nicolas Fischbach is a Senior Manager, in charge of the European Network Security Engineering team at COLT Telecom, a leading pan-European provider of end-to-end business communications services.

He holds an Engineer degree in Networking and Distributed Computing and is a recognized authority on Service Provider infrastructure security and denial-of-service attacks mitigation.

Nicolas is co-founder of Sécurité.Org, a French-speaking portal on computer and network security, of eXperts, an informal security research group, and of the French chapter of the Honeynet project.

He has presented at numerous technical and security conferences, teaches networking and security courses at various universities and engineering schools, and is a regular contributor to the French security magazine MISC.

More details and contact information on his homepage.


RE 2006: New Challenges Need Changing Tools
Halvar Flake, CEO of Sabre Security

Reverse Engineering has come a long way—what used to be practiced behind closed doors is now a mainstream occupation practiced throughout the security industry. Compilers and languages are changing, and the reverse engineer has to adapt: Nowadays, understanding C and the target platform assembly language is not sufficient any more. Too many reverse engineers shy away from analyzing C++ code and run into trouble dealing with heavily optimized executables. This talk will list common challenges that the reverse engineer faces in the process of disassembling nowadays, and suggest some solutions. Furthermore, a list of unsolved problems will be discussed.

Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.


Black Hat Stand-up Take Two: So What If I Don’t Sell My Vulnerabilities…
James C. Foster, Deputy Director, CSC

Encoring last year’s early morning stand-up act, Foster will return armed and ready to fire again at the world’s worst security blunders. In an eye-opening fashion, Foster will crack the audience with a twenty minute overlay of the current problems in the security industry relating to publications, free tools, company incentives, the Google demographic and more. Come take part in some straight-up fun.

Sit back, relax, and enjoy Black Hat Standup Take Two: So what if I don’t sell my vulnerabilities.

James C. Foster, Fellow, is the Deputy Director of CSC Global Security. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc. (acquired by McAfee) and was responsible for all aspects of product, consulting, and corporate R&D initiatives. Prior to joining Foundstone, Foster was a Senior Advisor and Research Scientist with Guardent Inc. (acquired by Verisign) and an editor at Information Security Magazine (acquired by TechTarget Media), subsequent to working as an Information Security and Research Specialist for the Department of Defense. Foster's core competencies include high-tech management, international software development and expansion, web-based application security, cryptography, protocol analysis, and search algorithm technology. Foster has conducted numerous code reviews for commercial OS components, Win32 application assessments, and reviews on commercial and government cryptography implementations.

Foster is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. Foster holds degrees in Business Administration, Software Engineering, and Management of Information Systems and has attended the Yale School of Business, Harvard University, the University of Maryland, and is a Fellow at University of Pennsylvania's Wharton School of Business.

Foster is also a well published author and has authored, contributed, or edited for major publications to include "Snort 2.0", "Snort 2.1" 2nd Edition, "Hacking Exposed" 4th Ed and 5th Edition, "Special Ops Security", "Anti-Hacker Toolkit" 2nd Ed, "Advanced Intrusion Detection", "Hacking the Code", "Anti-Spam Toolkit", "Programmer's Ultimate Security DeskRef", "Google for Penetration Testers", "Buffer Overflow Attacks", "Writing Security Tools and Exploits", "Hacking Exposed: Wireless", "Pen Tester’s Open Source Toolkit", and "Sockets/Porting/and Shellcode".


Case Study: The Secure Development Lifecycle and Internet Explorer 7
Rob Franco, Security Program Manager, Internet Explorer, Microsoft Corporation

Tony Chor will discuss Microsoft’s security engineering methodology and how it is being applied to the development of Internet Explorer 7. He will detail key vulnerabilities and attacks this methodology revealed as well as how the new version of IE will mitigate those threats with unique features such as the Phishing Filter and Protected Mode.

Rob Franco lives to make browsing safer for internet users. Rob led Security improvements in Internet Explorer for Windows Server 2003, Windows XP SP2, and IE 7. Prior to that, Rob worked on Corporate deployment features such as Group Policy and the Internet Explorer Administration Kit. When he’s not working, he can usually be found cycling around the Seattle area or boating on a nearby lake.


The Speed of (In)security: Analysis of the Speed of Security vs. Insecurity
Stefan Frei, Security Researcher, ETH Zurich
Dr. Martin May, Senior Scientist, ETH

To be able to defend against IT security attacks, one has to understand the attack patterns and hence the vulnerabilities of the attached devices. But for an in-depth risk analysis, pure technical knowledge of the properties of a vulnerability is not sufficient: one has to understand how vulnerabilities, exploitation, remediation, and the distribution of information thereof are handled by the industry and the networking community.

In this research, we examined how vulnerabilities are handled at large scale by analyzing 80,000+ security advisories published since 1995. This huge amount of information enables us to identify and quantify the performance of the security and software industry. We discover trends and discuss their implications. Based on the findings, we finally propose a measure for the global risk exposure.

Content may be reviewed after the start of the conference.

Stefan Frei received his ETH diploma (Dipl.El.Ing.ETH) in 1995, having completed his studies at the Swiss Federal Institute of Technology (ETH) in Zurich and the école nationale supérieure des télécommunications (Telecom) in Paris. As a student he worked for the IBM Research Laboratory Zurich and later specialised in network and Internet application design, deployment and analysis. Stefan Frei worked as a Senior Security Consultant in the ISS X-Force Security Assessment Services Team in Zurich and London from 2000 to 2004. At the end of 2004 he joined ETH Zurich for a PhD research position in information security under the supervision of Prof. Bernhard Plattner.


Finding and Preventing Cross-Site Request Forgery
Tom Gallagher, Security Test Lead, Microsoft

There is an often overlooked security design flaw in many web applications today. Web applications often take user input through HTML forms. When privileged operations are performed, the server verifies that the request is from an authorized user. Cross-Site Request Forgery attacks allow an attacker to coerce an authorized user into requesting privileged operations of the attacker’s choice. Learn about this attack, how you can quickly identify these bugs in web applications, common techniques programmers use to prevent these attacks, common bugs in some of these preventions, how the attack applies to SOAP, and how to automate tests to verify the attack is successfully prevented.

Tom Gallagher has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title "Hunting Security Bugs".


The NetIO Stack: Reinventing TCP/IP in Windows Vista
Abolade Gbadegesin, Architect, Windows Core Networking, Microsoft Corporation

TCP/IP is on the front lines in defending against network attacks, from intrusion attempts to denial-of-service. Achieving resilience depends on factors from NIC driver quality up through network application behavior. Windows Vista delivers resilience, security and extensibility with the NetIO stack—a re-architected and re-written TCP/IP stack. Windows Vista Network Architect Abolade Gbadegesin will provide an in-depth technical description of the new architecture and new features, and will provide an insider’s view of how Microsoft listened and responded to feedback from the security community.

Abolade Gbadegesin is an Architect in the Windows Networking and Device Technologies Division, and is responsible for leading the redesign and implementation of the Windows networking stack for Windows Vista, incorporating native support for IPv6, IPSec and hardware offload capabilities. Abolade is a member of the Windows architecture group and the networking architecture team. When time permits, he works as a comic book artist, practices piano and breakdance and Argentine tango, and contributes performances at various spoken word events as a founding member of the Learned Hearts Brigade.


Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"
Jeremiah Grossman, Founder and CTO of WhiteHat Security, Inc.
T.C. Niedzialkowski, Sr. Security Engineer, WhiteHat Security, Inc.

Booksigning: Hacker’s Challenge 3 with Jeremiah Grossman and Himanshu Dwivedi at 12:30 on Thursday, August 3 at the BreakPoint Books booth.

Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.

Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite.

Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit, and especially those we trust. The age of web application security malware has begun and it’s critical that we understand what it is and how to defend against it.

During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats.

You’ll see:

  • Port scanning and attacking intranet devices using JavaScript
  • Blind web server fingerprinting using unique URLs
  • Discovering NAT'ed IP addresses with Java Applets
  • Stealing web browser history with Cascading Style Sheets
  • Best-practice defense measures for securing websites
  • Essential habits for safe web surfing

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology.

New Attack to RFID-Systems and their Middleware and Backends
Lukas Grunwald, CTO DN-Systems Enterprise Internet Solution GmbH Germany

This talk provides an overview of new RFID technologies used for dual-interface cards (credit cards, ticketing and passports), and of RFID tags with encryption and security features. Problems with these security features are discussed and attacks on them are presented. After dealing with the tags, an overview of the rest of an RFID implementation, the middleware and the backend database, is given, together with the results of special attacks on this infrastructure. Is it possible that your cat is carrying an RFID virus? How might one attack the backend systems, and what does an RFID malware design look like? The talk ends with a practical demonstration of the attacks discussed.

Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally active consulting firm working mainly in the field of security and Internet/eCommerce and Supply Council solutions for enterprises.

Open to Attack: Vulnerabilities of the Linux Random Number Generator
Zvi Gutterman, CTO of Safend, Ltd.

Linux® is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from the entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers, and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented and has been patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator.

This presentation offers a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition, we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices.

Zvi Gutterman is CTO and co-founder of Safend. As CTO, Zvi designs key Safend technologies such as the algorithms and theory behind Safend Auditor and Safend Protector implementation. He is responsible for maintaining Safend's competitive advantage through cutting-edge innovation. Prior to co-founding Safend, Zvi was with ECTEL (NASDAQ:ECTX), performing as a chief architect in the IP infrastructure group. He also previously served as an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. He holds Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology and is a Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering.

Ajax (in)security
Billy Hoffman, Security Researcher, SPI Dynamics, Inc.

Ajax can mean different things to different people. To a user, Ajax means smooth web applications like Google Maps or Outlook Web Access. To a developer, Ajax provides methods to enrich a user's experience with a web application by reducing latency and offloading complex tasks on the client. To an information architect, Ajax means fundamentally changing the design of web applications so they span both client and server. To the security professional, Ajax makes life difficult by increasing the attack surface of web applications and exposing internal logic layers to the entire network. With 70% of attacks coming through the application layer, Ajax makes the job of securing web applications that much harder.

This presentation will comprehensively discuss the fundamental security issues of Ajax. These include browser/server interaction issues, application design issues, vulnerabilities in work-arounds like Ajax bridges, and how the hype surrounding Web 2.0 applications is making things worse. Specifically, we will examine the different attack methodologies used against Ajax applications, how Ajax increases the danger of XSS attacks, the dangers of exposing your application logic layer to the network, how bridges can be used to exploit 3rd party sites, and more. Finally, we discuss how to properly design an Ajax application to avoid these security issues and demonstrate methods to secure existing applications.

Participants should have a good understanding of HTTP and JavaScript, and be familiar with web application design.

Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.

Analysis of Web Application Worms and Viruses
Billy Hoffman, Security Researcher, SPI Dynamics, Inc.

Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple HTTP daemons. With the near ubiquity of W3C compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful applications accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse.

This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the authors’ sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Swogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats.

Participants should have a good understanding of the different HTTP methods, JavaScript, DOM manipulation and security, and Perl, and be familiar with web application design.

Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.

Hacking World of Warcraft®: An Exercise in Advanced Rootkit Design
Greg Hoglund

Online games are very popular and represent some of the most complex multi-user applications in the world. World of Warcraft® takes center stage with over 5 million players worldwide. In these persistent worlds, your property (think gold and magic swords) is virtual: it exists only as a record in a database. Yet over $600 million real dollars were spent in 2005 buying and selling these virtual items. Entire warehouses in China are full of sweatshop workers who make a few dollars a month to "farm" virtual gold. In other words, these "virtual" worlds are real economies with outputs greater than some small countries. Being run by software, these worlds are huge targets for cheating. The game play is easily automated through "botting", and many games have bugs that enable items and gold to be duplicated, among other things. The game publishing companies are responding to the cheating threat with bot-detection technologies and large teams of lawyers. Cheaters are striking back by adding rootkits to their botting programs. The war is on. Hoglund discusses how the gaming environment has pushed the envelope for rootkit development and invasive program manipulation. He discusses World of Warcraft in particular, and an anti-cheating technology known as the "Warden".

In 2005, Hoglund blew the whistle publicly on the Warden client and began developing anti-Warden technology. He discusses a botting program known as WoWSharp, including some unreleased rootkit development that was used to make it invisible to the Warden. Hoglund discusses some advanced techniques that involve memory cloaking, hyperspacing threads, shadow branching, and kernel-to-user code injection. Both offensive and defensive techniques are discussed. Software developers working on games would be well advised to attend this talk, and people working with malware in general will find the material valuable.

Greg Hoglund is the founder of, has been involved in many software security companies, and currently works for HBGary, Inc. Hoglund has authored several books on software security. He has frequently spoken at conferences and offered training on reverse engineering and rootkit development. His new training class, co-trained w/ Jamie Butler, "Advanced Second Generation Digital Weaponry" is now offered through Blackhat.

Faster PwninG Assured: Hardware Hacks and Cracks with FPGAs
David Hulton, Researcher, OpenCiphers
Dan Moniz, The Shmoo Group

This talk will go in-depth into methods for breaking crypto faster using FPGAs. FPGAs are chips that have millions of gates that can be programmed and connected arbitrarily to perform any sort of task. Their inherent structure provides a perfect environment for running a variety of crypto algorithms, and doing so at speeds much faster than a conventional PC. A handful of new FPGA crypto projects will be presented, demonstrating that many algorithms can be broken much faster than people really think, and in most cases extremely inexpensively.

Breaking WPA-PSK is possible with coWPAtty, but trying to do so onsite can be time consuming and boring. All that waiting around for things to be computed each and every time we want to check for dumb and default passwords. Well, we're impatient and like to know the password NOW! Josh Wright has recently added support for pre-computed tables to coWPAtty—but how do you create a good set of tables and not have it take 70 billion years? David Hulton has implemented the time consuming PBKDF2 step of WPA-PSK on FPGA hardware and optimized it to run at blazing speeds specifically for cracking WPA-PSK and generating tables with coWPAtty.

What about those lusers that still use WEP? Have you only collected a few hundred interesting packets and don't want to wait till the universe implodes to crack your neighbor’s key? Johnycsh and David Hulton have come up with a method to offload cracking keyspaces to an FPGA, increasing the speed considerably.

CheapCrack is a work in progress which follows in the footsteps of The Electronic Frontier Foundation's 1998 DES cracking machine, DeepCrack. In the intervening eight years since DeepCrack was designed, built, deployed, and won the RSA DES challenge, FPGAs have gotten smaller, faster, and cheaper. We wondered how feasible it would be to shrink the cost of building a DES cracking machine from $210,000 1998 dollars to around $10,000 2006 dollars, or less, using COTS FPGA hardware, tools, and HDL cores instead of custom fabricated ASICs. We'll show CheapCrack progress to date, and give estimates on how far from completion we are, as well as a live demo.

Lanman hashes have been broken for a long time and everyone knows it's faster to do a Rainbow table lookup than go through the whole keyspace. On many PCs it takes years to go through the entire typeable range, but on a small cluster of FPGAs you can brute force that range faster than doing a Rainbow table lookup. The code for this will be briefly presented and Chipper v2.0 will be released with many new features.

David Hulton and Dan Moniz will also discuss some of the aspects of algorithms that make them suitable for acceleration on FPGAs and the reasons why they run faster in hardware.

David Hulton has been in the security field for the past 7 years and currently specializes in FPGA Logic Design, 802.11b Wireless Security, Smart Card, and GSM development specifically to exploit its various inherent strengths and weaknesses. David has spoken at numerous international conferences on Wireless Security, has published multiple whitepapers, and is regularly interviewed by the media on computer security subjects. He is one of the founding members of Pico Computing, Inc., a manufacturer of compact embedded FPGA computers and dedicated to developing revolutionary open source applications for FPGA systems. He is also one of the founding members of Dachb0den Research Labs, a non-profit security research think-tank, is currently the Chairman of the ToorCon Information Security Conference and has helped start many of the security and Unix-oriented meetings in San Diego, CA.

Dan Moniz is an independent security consultant, and is also a member of The Shmoo Group, a world-recognized affiliation of information security professionals. Mr. Moniz has spoken at a number of conferences, including Defcon, ShmooCon, and The Intelligence Summit, in addition to private audiences at Fortune 50 companies and universities. In 2003, he testified in front of the California State Senate in a hearing on the issues of RFID technology, privacy, and state legislation. In the past, he has held positions with a variety of high tech companies and organizations, including Alexa Internet (an company), Electronic Frontier Foundation, Cloudmark, OpenCola, and Viasec.

Black Ops 2006
Dan Kaminsky

The known topics for this year include:

  1. The Worldwide SSL Analysis—There's a major flaw in the way many, many SSL devices operate. I'll discuss how widespread this flaw is, as well as announce results from this worldwide SSL scan.
  2. Syntax Highlighting...on Hexdumps. Reverse engineering efforts often require looking at hex dumps, without much context for what's being looked at. I will discuss a "bridge" position between AI and manual operation in which compression code is used to automatically visualize patterns in analyzed data.
  3. Everything else

Dan Kaminsky, Dox Para Research. Formerly of Cisco and Avaya.

Code Integration-Based Vulnerability Auditing
William B Kimball, Undergraduate Student, University of Dayton

There is a growing need to develop improved methods for discovering vulnerabilities in closed-source software. The tools and techniques used to automate searching for these vulnerabilities are either incomplete or non-existent. Fuzz-testing is a common technique used in the discovery process but does not provide a complete analysis of all the vulnerabilities which may exist. Other techniques, such as API hooking, are used to monitor insecure imported functions while leaving inlined functions still waiting to be found. LEVI is a new vulnerability auditing tool (Windows NT Family) which addresses both of these issues by using a code integration-based technique to monitor both imported and inlined functions. Using this approach provides a more complete analysis of the vulnerabilities hidden within closed-source software.

William Kimball is extremely passionate about computer security and is an undergraduate student at the University of Dayton studying Computer Science. He recently received the Learn, Lead and Serve Award for his research in Binary Vulnerability Auditing and participated in this year’s Ohio Academy of Science. Kimball has also worked in security and networking for a Fortune 500 company.

Oracle Rootkits 2.0: The Next Generation
Alexander Kornbrust, CEO, Red-Database-Security GmbH

This presentation shows the next (second) generation of Oracle Rootkits. In the first generation, presented at Black Hat 2005 in Amsterdam, Oracle Rootkits were implemented by modifying database views to hide users, jobs and sessions.

The next generation, presented at BH USA, uses more advanced techniques to hide users and implement backdoors. Modifications to the data dictionary objects are no longer necessary, so it’s not possible to find the new generation of rootkits by checksumming the data dictionary objects.

Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specializing in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker training and has given various presentations at security conferences like Black Hat, Bluehat, and IT Underground.

Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products.

You Are What You Type: Non-Classical Computer Forensics
Dr. Neal Krawetz, Hacker Factor Solutions

In an online world, anonymity seems easy. Network addresses can be cloaked and files can be manipulated. People rapidly change virtual names, genders, and skills. But even with these precautions, anti-anonymity techniques can track people. Habitual patterns and learned skills are subtle, appearing in everything we type. This presentation discusses profiling methods for identifying online people and breaching anonymity. The topics covered include methods to identify skillsets, nationality, gender, and even physical attributes.

Dr. Neal Krawetz has a Ph.D. in Computer Science and over 15 years of computer security experience.  His research focuses on methods to track "anonymous" people online, with an emphasis on anti-spam and anti-anonymity technologies. Dr. Krawetz runs Hacker Factor Solutions, a company dedicated to security-oriented auditing, research, and solutions.  He is the author of "Introduction to Network Security" (Charles River Media, 2006).

Security Engineering in Windows Vista
John Lambert, Security Group Manager, Security Engineering and Communications Group

This presentation will offer a technical overview of the security engineering process behind Windows Vista. Windows Vista is the first end-to-end major OS release in the Trustworthy Computing era from Microsoft. Come see how we’ve listened to feedback from the security community and how we’ve changed how we engineer our products as a result. The talk covers how the Vista engineering process is different from Windows XP, details from the largest-commercial-pentest-in-the-world, and a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities. It includes behind-the-scenes details you won’t hear anywhere else.

John Lambert, Security Group Manager, Microsoft Corporation, has been at Microsoft six years. He is a group manager in the Secure Windows Initiative team responsible for driving adoption of the Security Development Lifecycle (SDL) across Microsoft products. Previously at Microsoft, John worked in the Windows Security group.

All New Zero Day
David Litchfield, Founder, Next Generation Security Software

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

Death of a Thousand Cuts: Finding Evidence Everywhere!
Johnny Long, Penetration Specialist, Computer Sciences Corporation

In this day and age, forensics evidence lurks everywhere. This talk takes attendees on a brisk walk through the modern technological landscape in search of hidden digital data. Some hiding places are more obvious than others, but far too many devices are overlooked in a modern forensics investigation. As we touch on each device, we'll talk about the possibilities for the forensic investigator, and take a surprising and fun look at the nooks and crannies of many devices considered commonplace in today's society. For each device, we'll look at what can be hidden and talk about various detection and extraction techniques, avoiding at all costs the obvious "oh I knew that" path of forensics investigation. All this will of course be tempered with Johnny's usual flair, some fun (and admittedly rowdy) "where's the evidence" games, and some really cool giveaways.

Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at

Hacking, Hollywood Style
Johnny Long, Penetration Specialist, Computer Sciences Corporation

If you know good tech, you can smell bad tech from a mile away. Bad tech is the stuff that makes you laugh out loud in a theater when all the "normal" people around you thought something k-rad just happened. The stuff that makes real hackers cringe, furious that they missed their true calling: the cushy life of a Hollywood "technical consultant". Then again, maybe Hollywood got it right, and the hackers have it all confused. Judge for yourself as Johnny slings the code that quite possibly explains what, exactly those boneheads must have been thinking. If you can piece together the meaning behind the code, and guess the pop culture reference first, you'll win the respect of your peers and possibly one of many dandy prizes. Either way you'll relish in the utter stupidity (or brilliance) of Hollywood's finest hacking moments.

Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at

The State of Incident Response
Kevin Mandia, President, Mandiant

During the course of 2005 and 2006, we have responded to dozens of computer security incidents at some of America’s largest organizations. Mr. Mandia was on the front lines assisting these organizations in responding to international computer intrusions, theft of intellectual property, electronic discovery issues, and widespread compromise of sensitive data. Our methods of performing incident response have altered little in the past few years, yet the attacks have greatly increased in sophistication. Mr. Mandia addresses the widening gap between the sophistication of the attacks and the sophistication of the incident response techniques deployed by “best practices.”    

During this presentation, Mr. Mandia re-enacts some of the incidents; provides examples of how these incidents impacted organizations; and discusses the challenges that each organization faced. He demonstrates the “state-of-the-art” methods being used to perform Incident Response, and how these methods are not evolving at a pace equal to the threats. He outlines the need for new technologies to address these challenges, and what these technologies would offer. He concludes the presentation by discussing emerging trends and technologies that offer strategic approaches to minimize the risks that an organization faces from the liabilities the information age has brought.     

Kevin Mandia is an internationally recognized expert in the field of information security. He has been involved with information security for over fifteen years, beginning in the military as a computer security officer at the Pentagon. He has assisted attorneys, corporations, and government organizations with matters involving information security compliance, complex litigation support, computer forensics, expert testimony, network attack and penetration testing, fraud investigations, computer security incident response, and counterintelligence matters. Mr. Mandia established MANDIANT specifically to bring together a core group of industry leaders in this field and solve clients’ most difficult information security challenges.

Prior to forming MANDIANT, Kevin built the computer forensics and investigations group at Foundstone from its infancy to a multi-million dollar global practice that performed civil litigation support and incident response services. As technical and investigative lead, Mr. Mandia responded on-site to dozens of computer security incidents per year. He assisted numerous financial services and large organizations in handling and discreetly resolving computer security incidents. He also led Foundstone’s computer forensic examiners in supporting numerous criminal and civil cases. He has provided expert testimony on matters involving theft of intellectual property and international computer intrusion cases.

Windows Vista Heap Management Enhancements: Security, Reliability and Performance
Adrian Marinescu, Lead Developer, Windows Kernel Team, Microsoft Corporation

All applications and operating systems have coding errors, and we have seen technical advances in both attack and mitigation sophistication as more security vulnerabilities exploit defects related to application and OS memory and heap usage. Starting with W2k3 and XP/SP2, Windows incorporated technologies to reduce the reliability of such attacks. The heap manager in Windows Vista pushes the innovation much further in this area. This talk will describe the challenges the heap team faced and the technical details of the changes coming in Windows Vista.

Adrian Marinescu, development lead in the Windows Kernel group, has been with Microsoft Corporation since 1998. He joined then to work on a few core components such as user-mode memory management, kernel object management and the kernel inter-process communication mechanism. In the heap management area, Adrian designed and implemented the Low Fragmentation Heap, a highly scalable addition to the Windows Heap Manager, and he currently focuses on techniques for reducing the reliability of certain well known heap exploits.

Next Week’s Arms Race
David Maynor

Mr. Maynor is a research engineer with the ISS Xforce R&D team where his primary responsibilities include reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable. Before that, Maynor contracted with a variety of different companies in a diversity of industries, ranging from digital TV development, to protection of top 25 websites, to security consulting and penetration testing, to online banking and ISPs.

The BlueBag: A Mobile, Covert Bluetooth Attack and Infection Device
Claudio Merloni, Senior Consultant, Secure Network S.r.l.
Luca Carettoni, Senior Consultant, Secure Network S.r.l.

How could an attacker steal the phone numbers stored on your mobile, eavesdrop on your conversations, see what you're typing on the keyboard, take pictures of the room you're in, and monitor everything you're doing, without ever getting in range of your Bluetooth mobile phone?

In this talk we present a set of projects that can be combined to exploit weaknesses in Bluetooth devices (and users...), building a distributed network of agents spreading via Bluetooth which can seek given targets and exploit the devices to log keystrokes, steal data, record audio, take pictures and then send the collected data back to the attacker, either through the agent network or directly. We show the different elements that compose the whole project, giving an estimate, through real data and mathematical models, of the effectiveness of that kind of attack. We also show what our hidden, effective and cool worm-spreading trolley looks like: say hello to the BlueBag!

Claudio Merloni, M.S. in Computer Engineering, has graduated from the Politecnico of Milano School of Engineering. Since 2004, he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. His daily work is focused mainly on security policies and management, security assessment and computer forensics.

Luca Carettoni is a Computer Engineering student at the Politecnico of Milano University. His current research and master’s degree thesis deals with automatic detection of web application security flaws. Since 2005 he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. He is the author of several research papers, advisories and articles on computer security for Italian journals. His interests revolve around three attractors: web applications security, mobile computing and digital freedom.

Defending Against Social Engineering with Voice Analytics
Doug Mohney, News & Online Editor, VON Magazine

Voice analytics—once the stuff of science fiction and Echelon speculation—is now commercially available and is being used by call centers processing hundreds of thousands of calls per day to authenticate identity, spot key words and phrases, and even detect when a caller is angry or frustrated. It is also being used by large financial institutions for fraud prevention. These same tools can be applied to detect and deter social engineering attacks. This presentation will discuss the current off-the-shelf applications of voice analytics and how these methods can be applied to detecting and preventing social engineering attacks.

Doug Mohney is the News and Online Editor for VON Magazine, writing about VoIP and IP Communications, including security issues relating to VoIP, wireless and corporate IT management. He also contributes to The Inquirer website and Mobile Radio Technology magazine on a regular basis. In his pre-media life, he was involved with two Internet start-ups (DIGEX, SkyCache/Cidera), watching one grow big and one go bust.

Six Degrees of XSSploitation
Dan Moniz, Member, The Shmoo Group
HD Moore, Director of Security Research for BreakingPoint Systems, Founder, The Metasploit Project

Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, an insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors.

We investigate the possibilities using MySpace and other popular sites as case studies, along with the potential posed by both WMF and The Metasploit Project's recently-released browser fuzzing tool, Hamachi, to own a site with self-replicating XSS containing a malicious browser-exploiting payload which itself will modify the browser to auto-exploit other sites, all transparent to the user. On top of this one could layer any additional functionality, some loud, some quiet, such as DDoS bots, keyloggers, other viral payloads, and more.

Dan Moniz is an independent security consultant, and is also a member of The Shmoo Group, a world-recognized affiliation of information security professionals. Mr. Moniz has spoken at a number of conferences, including Defcon, ShmooCon, and The Intelligence Summit, in addition to private audiences at Fortune 50 companies and universities. In 2003 he testified in front of the California State Senate in a hearing on the issues of RFID technology, privacy, and state legislation. In the past, he has held positions with a variety of high tech companies and organizations, including Alexa Internet (an company), Electronic Frontier Foundation, Cloudmark, OpenCola, and Viasec.

HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and led the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.

Metasploit Reloaded
HD Moore, Director of Security Research, BreakingPoint Systems

Over the last three years, the Metasploit Framework has evolved from a clunky exploit toolkit to a sleek EIP-popping machine. The latest version of the Framework is the result of nearly two years of development effort and has become a solid platform for security tool development and automation. In this talk, we will demonstrate how to use the new Framework to automate vulnerability assessments, perform penetration testing, and build new security tools that interact with complex network protocols.

HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and led the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.

Building Security into the Software Life Cycle, a Business Case
Marco M. Morana, Senior Consultant, Foundstone Professional Services, a Division of McAfee

The times of designing security software as a matter of functional design are over. Positive security functional requirements do not make secure software. Think risk-driven design, think like an attacker, think about negative scenarios during the early stages of application development: from misuse and abuse cases during inception, to threats, vulnerabilities and countermeasures during elaboration, secure coding during construction, and secure testing and penetration testing during transition to the production phase. The objective of this short turbo talk is not to cover the academics of secure software, but to talk about a business case where software security practices and methodologies are successfully built into software produced by a very large financial institution. Both strategic and tactical approaches to software security are presented, along with artifacts that support a secure software development methodology. The critical link between technical and business risk management is demonstrated, along with the business factors that drive the case for building secure software in a financial organization.

Marco Morana serves as a Senior Consultant at Foundstone. His consulting activity consists of providing Software Application Security Services (SASS) for several Foundstone clients. SASS activities in which Marco has been involved are security code reviews, threat modeling/risk analysis and secure software development processes (S-SDLC). Marco is also responsible for teaching Foundstone's Building Secure Software class.

Runtime Packers: The Hidden Problem?
Maik Morgenstern, AV-Test GmbH
Tom Brosch, AV-Test GmbH

Runtime packers are a widely-used technique in malware today. Virtually every Win32 malware added to the WildList as well as ad- and spyware is packed with one or another runtime packer. Not only can they turn older malware into new threats again, but they might also prevent AV vendors from using more generic approaches and therefore requiring more work, which possibly generates more errors or broken updates, unless the product is able to handle all the different runtime packers out there.

Yet, there aren't any comprehensive tests of runtime packer capabilities in AV products so far. We use a testset of more than 3000 runtime-packed files (with different packers, versions, compression options) to determine how well-equipped today's AV software is in dealing with these types of threats. In this presentation, we'll not only discuss the aspects of handling and detecting runtime packed malware, but also have a look into other problems that come along. These include false positives, crashes and the very slow scanning speeds seen in way too many products. Lastly, we will give an overview of the current situation, try to specify reasons for the results we got and show what should and could be done in the future.

Maik Morgenstern had been interested in computer security and reverse engineering for several years before he joined in September 2004. He is mainly involved in the analysis of malware as well as in testing of antivirus and other security software. In 2001 Maik started his studies in Computational Visualistics at the Otto-von-Guericke University Magdeburg and is now working towards his diploma.

Tom Brosch was born in Magdeburg, Germany, in 1983. He had been interested in programming and computer security for several years before he joined in 2005. He focuses on automating malware analysis and antivirus tests. In 2003 Tom started his studies in Computational Visualistics at the Otto-von-Guericke University, Magdeburg.

Defending Black Box Web Applications: Building an Open Source Web Security Gateway
Shawn Moyer, CISO, Agura Digital Security

Web apps continue to be the soft, white underbelly of most corporate IT environments. While the optimal path is to fix your code, it's not always an option, especially for closed-source, black-box web apps or apps hosted on servers that you can't harden directly.

If you have an app in your data center that your CIO thinks is the greatest thing since Microsoft Golf, but is really the HTTP equivalent of a big flashing “own me” sign, this talk is for you.

We'll walk through the process of configuring a caching, content filtering / scanning (POST/GET/header/HTML/XHTML/XML) and traffic sanitizing / rewriting front end HTTP gateway that also tries to frustrate web scans and HTTP fingerprinting. I'm releasing some build scripts to do most of the heavy lifting as well.

Shawn Moyer is CISO of Agura Digital Security, a web and network security consultancy. He has led security projects for major financial companies, credit card vendors, and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences. His 2-year-old daughter knows what a daemon is, though she still can't quite make it through an OpenBSD install unassisted.

SQL Injections by Truncation
Bala Neerumalla, Security Software Developer, Microsoft

In this talk, I will discuss some ways to circumvent common mitigations of SQL Injection vulnerabilities in dynamic SQL. I will then suggest ways to protect against them.

Bala Neerumalla specializes in finding application security vulnerabilities. He worked as a security engineer for SQL Server 2000 and SQL Server 2005. He is currently working as a security engineer for Exchange Hosted Services.

Vulnerabilities in Not-So Embedded Systems
Brendan O'Connor

Printers, scanners, and copiers still have a reputation of being embedded systems or appliances; dumb machines that perform a specific, repetitive function. Today's devices are far different than their predecessors, but still do not receive the same level of security scrutiny as servers, workstations, routers, or even switches. The goal of this talk is to change the way we look at these devices, and leave the audience with a better awareness of the security implications of having these devices in their environments. Although the concepts in this talk can apply to many different devices, the primary focus will be on vulnerabilities, exploitation, and defense of the new Xerox WorkCentre product line. Previously undisclosed vulnerabilities will be released, along with exploit code that turns a dumb printer, copier, or scanner into a network attack drone. Steps administrators can take to harden these devices will also be covered.

Brendan O'Connor is a security engineer from the Midwest. He worked in security for a communications company for four years before switching to the financial sector in 2004. Brendan currently works in Information Security for a major financial services company, where his duties include vulnerability research, security architecture, and application security. He has several multi-letter acronyms after his name, drinks too much coffee, and plays an unhealthy amount of Warcraft.

Bluetooth Defense Kit
Bruce Potter, The Shmoo Group

In the last 3 years, Bluetooth has gone from geeky protocol to an integral part of our daily life.  From cars to phones to laptops to printers, Bluetooth is everywhere. And while the state of the art with respect to Bluetooth attack has been progressing, Bluetooth defense has been lagging. For many vendors, the solution to securing Bluetooth is to simply "turn it off." There are very few tools and techniques that can be used today to secure a Bluetooth interface without resorting to such extreme measures.

This talk will examine contemporary Bluetooth threats including attack tools and risk to the user. The meat of this talk will focus on practical techniques that can be employed to lock down Bluetooth on Windows and Linux. Some of these techniques will be configuration changes, some will be proper use of helper applications, and some will be modifications to the BlueZ Bluetooth stack designed to make the stack more secure. Finally, we will release the Bluetooth Defense Kit (BTDK), a tool geared towards the end user designed to make Bluetooth security easy to install and maintain on Bluetooth enabled workstations. Ultimately, security tools need to be usable to be useful, and BTDK has been designed with usability in mind.

Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton.

The Trusted Computing Revolution
Bruce Potter, The Shmoo Group

Trusted computing is considered a dirty word by many due to its use for Digital Rights Management (DRM). There is a different side of trusted computing, however, that can solve problems information security professionals have been attempting to solve for more than three decades. Large scale deployment of trusted computing will fundamentally change the threat model we have been using for years when building operating systems, applications, and networks. This talk will examine the history of trusted computing and the current mindset of information security. From there, we will attempt to demystify the trusted computing architecture and give examples of where trusted computing is being used today. Then, we'll discuss how security constructs that we know and love today (such as firewalls and SSL transactions) fundamentally change when a trusted hardware component is added. Finally, new tools will be released to allow users to examine trusted components in their system.

Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton.

Do Enterprise Management Applications Dream of Electric Sheep?
Tom Ptacek, Matasano Security, LLC
Dave Goldsmith, Matasano Security, LLC

Thomas Ptacek and Dave Goldsmith present the results of Matasano Security's research into the resilience of Enterprise Agents: the most dangerous programs you've never heard of, responsible for over $2B a year in product revenue, running on the most critical enterprise servers from app servers to mainframes.

  1. Enterprise Agents are their own worms, preinstalled for the convenience of attackers. We found critical, show-stopping vulnerabilities in every system we looked at.
  2. It's a whirlwind tour of the landscape of internal security. We reversed proprietary binaries, deciphered custom protocols, and cracked encryption algorithms.
  3. It's a call to arms. Applications running behind the firewall aren't getting audited. While vulnerability research talent fights over the scraps of Windows OS security, hundreds of thousands of machines remain vulnerable to attacks most people thought were eliminated in the early '90s.

For the past 12 months, Matasano Security has conducted a research project into the security of internal applications. Our theory? That any code which doesn't run in front of a firewall, exposed to Internet hackers, is unaudited, wide open—fertile ground for ever-adapting attackers. Our findings? Tens of applications reversed, proprietary protocols deciphered, "state-of-the-art" XOR encryption algorithms cracked, and it's worse than we thought. Perhaps more than any other software, save the operating system itself, insecure systems management applications pose a grave threat to enterprise security. They're the Agobot that your administrators installed for you.

Internal security is a nightmare, and things are going to get worse before they get horrible.

Thomas Ptacek
Thomas Ptacek brings over 10 years of product development and security research experience to Matasano. Thomas has owned technical operations at Chicago’s most popular ISP, authored Insertion, Evasion, and Denial of Service, a landmark paper which broke every shipping intrusion detection product on the market, and at Arbor Networks led the development of a security product deployed on the backbone of virtually every tier-1 ISP worldwide.

Dave Goldsmith
Co-author of the first published i386 stack overflow, David Goldsmith is a respected consultant, trainer, and researcher with over eleven years of experience. David co-founded @stake, managed its critical NYC office, and led Symantec Security Academy. David co-invented firewalking, which reverse-engineers firewall rules from remote firewalls and authored security tools for ISS and Network Associates.

PDB: The Protocol DeBugger
Jeremy Rauch, Matasano Security, LLC

It's late. You've been assigned the unenviable task of evaluating the security of this obtuse application suite. 2006! Why doesn't everything just use SSL as its transport? No time for excuses. Deadlines loom, and you need to figure this out. And when you do figure it out, write your own fuzzer client.

This sucks.

(pdb) module add MyAction cifs-ruby.rb
(pdb) rule add MyRule dst port 445
(pdb) rule action MyRule MyAction
(pdb) rule list
MyRule: dst port 445
Action 0: debugger
Action 1: MyAction
(pdb) go
(pdb) print
00000000: 45 10 00 3c 70 86 40 00 E...p...
00000008: 40 06 00 00 c0 a8 02 06 ........
00000010: c0 a8 02 56 d8 a0 01 bd ...V....
00000018: 1e 76 1b 71 00 00 00 00 .v.q....
00000020: a0 02 ff ff 14 1b 00 00 ........
00000028: 02 04 05 b4 01 03 03 00 ........
00000030: 01 01 08 0a 20 4a 7c b1 .....J..
00000038: 00 00 00 00 ....
(pdb) x/b 0x8
(pdb) e/b 0x8 0x20
(pdb) print
00000000: 45 10 00 3c 70 86 40 00 E...p...
00000008: 20 06 00 00 c0 a8 02 06 ........
00000010: c0 a8 02 56 d8 a0 01 bd ...V....
00000018: 1e 76 1b 71 00 00 00 00 .v.q....
00000020: a0 02 ff ff 14 1b 00 00 ........
00000028: 02 04 05 b4 01 03 03 00 ........
00000030: 01 01 08 0a 20 4a 7c b1 .....J..
00000038: 00 00 00 00 ....
(pdb) continue
cifs-ruby.rb performing packet alteration...

But wait, what's this? A tool chain geared around dissecting protocols like a code debugger slices through code? A protocol generation and manipulation framework with a clean, consistent interface, that's scripted instead of compiled? And a fuzzing framework to go along with it? You're saved! Or at least, maybe you'll get to sleep before the sun comes up.

PDB is a Protocol DeBugger. GDB meets a transparent proxy. Conditionally break based on BPF filters. Modify protocol contents on the fly. Build custom actions that let you manipulate how you speak on the network. Or manually edit protocol fields and send the packets along.

Racket is a protocol generation and manipulation library, in Ruby. Why Ruby? Why not. Use it as a way of writing PDB actions, or on its own. We're flexible that way.

Ramble is a Ruby based fuzzing framework. Set it going, and it just goes on and on and on. We know people like that—but unlike them, Ramble is helpful. Automates the protocol testing you're going to have to do to get full coverage. Do the hard stuff by hand. Use Ramble to do the repetitive stuff.

Jeremy Rauch
For over 10 years Jeremy Rauch has been at the forefront of information security. An original member of the ISS X-Force and a co-founder of SecurityFocus, Jeremy is the discoverer of numerous security vulnerabilities in widely-deployed commercial products. Jeremy is also a former principal engineer for optical switching at Tellium.

RFID Malware Demystified
Melanie Rieback, RFID Security/Privacy Researcher, Vrije Universiteit, Amsterdam

Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. Happily, once people started seriously thinking about RFID security issues, the ensuing discussion raised a heap of new research questions. This presentation will serve as a forum to address some of these recent comments and questions first-hand; I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out "the facts vs. the myth" regarding the real-world implications.

Melanie Rieback is a Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID privacy management (RFID Guardian) and RFID security (RFID Malware) projects. Melanie's recent work on RFID Malware has attracted worldwide attention, appearing in the New York Times, Washington Post, Reuters, UPI, de Volkskrant, Computable, Computerworld, Computer Weekly, CNN, BBC, Fox News, MSNBC, and many other print, broadcast, and online news outlets. Melanie has also served as an invited expert for RFID discussions involving both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the MIT Center for Genome Research/Whitehead Institute. She was part of the public genome sequencing consortium, and is listed as a coauthor on the seminal paper 'Initial sequencing and analysis of the human genome', which appeared in the journal Nature.

Subverting Vista Kernel For Fun And Profit
Joanna Rutkowska, Senior Security Researcher, COSEINC

The presentation will first show how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot.

Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth.

The ultimate goal is to demonstrate that it is possible (or soon will be) to create undetectable malware whose stealth is not based on concealment of a concept but, similarly to modern cryptography, on the strength of the 'algorithm'.

Joanna Rutkowska has been involved in computer security research for several years. She has been fascinated by the internals of operating systems since she was in primary school and started learning x86 assembler on MS-DOS. Soon after she switched to the Linux world, got involved with some system and kernel programming, and focused on exploit development for both Linux and Windows x86 systems.

A couple of years ago she became very interested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She now focuses both on detecting this kind of activity and on developing and testing new offensive techniques.

She currently works as a security researcher for COSEINC, a Singapore based IT security company.

SIP Stack Fingerprinting and Stack Difference Attacks
Hendrik Scholz, Freenet Cityline GmbH

VoIP applications went mainstream, although the underlying protocols are still undergoing constant development. The SIP protocol being the main driver behind this has been analyzed, fuzzed and put to the test before, but interoperability weaknesses still yield a large field for attacks. This presentation gives a short introduction to the SIP protocol and the threats it exposes; enough to understand the issues described. A SIP stack fingerprinting tool will be released during the talk which allows different stacks to be identified and classified for further attacks. The main part focuses on practical attacks targeting features from caller ID spoofing to Lawful Interception. Various attack vectors are pointed out to allow further exploit development.

Hendrik Scholz is a lead VoIP developer and Systems Engineer at Freenet Cityline GmbH in Kiel, Germany. His daily jobs consist of developing server side systems and features as well as tracking down bugs in SIP stacks. He earned his Bachelor in Computer Science from the German University of Applied Sciences Kiel in 2003. While studying abroad in Melbourne, Australia and working as Unix developer in Atlanta, GA and Orlando, FL, he contributed to FreeBSD and specialized in networking security issues. He released Operating System level as well as Application Layer fingerprinting tools.

Having access to present and upcoming VoIP devices, hacking on these has become a spare time passion.

Phishing with Asterisk PBX
Jay Schulman

As many people are becoming more accustomed to phishing attacks, standard website and e-mail phishing schemes are becoming harder to accomplish. This presentation breaks all of the phishing norms to present an effective, alternative phishing method from start to finish in 75 minutes using Linux and Asterisk, the open-source PBX platform. With an Asterisk installation, we'll set up an account and build a telephone phishing platform most banks would fear. We'll also show targeting techniques specific to large corporate environments and demonstrate basic Asterisk deception techniques. We'll also discuss ways we can prepare for and potentially prevent these types of attacks.

Jay Schulman is a Senior Manager at a Big 4 Advisory Firm focusing on Information Security and Privacy. Mr. Schulman has ten years of information security experience including positions in senior information security management and leadership. He is a former Business Information Security Officer for a top-five global financial services company. Mr. Schulman managed logical and physical security for a nationwide financial institution’s government payment processing platforms. This environment has been designated National Critical Infrastructure (NCI) by the United States Department of Homeland Security and handled approximately one trillion dollars per fiscal year on behalf of the US government. Mr. Schulman is currently a Certified Information Systems Security Professional (CISSP) and a member of the International Information Systems Security Controls Consortium (ISC2), Information Systems Audit & Control Association (ISACA) and the Information Systems Security Association (ISSA). He has spoken publicly on the issues of information security, risk management, and technology. Mr. Schulman holds a Bachelor of Sciences degree from the University of Illinois-Urbana Champaign.

A Tale of Two Proxies

During this presentation SensePost will discuss and demonstrate two pieces of new technology - the Suru WebProxy and the SP_LR Generic network proxy.

The Suru web proxy is an inline web proxy (like Paros, the @stake webproxy and WebScarab) and offers the analyst unparalleled functionality. Are the days of the web proxy numbered? Is there really room for another web proxy? Come to their presentation and see what happened when the guys at SensePost decided to develop a proxy with punch.

SP_LR is a generic proxy framework that can be used for malware analysis, fuzzing or just the terminally curious. It's a tiny, generic proxy built on open-source tools with extensibility in mind at a low low price (GPL - free as in beer).

Both proxies serve distinct masters and will be valuable tools in any analyst's arsenal.

Roelof Temmingh is the Technical Director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of PERL code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many International Conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is currently SensePost's Director of Development (and coffee drinking). He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many security forums including the Black Hat Briefings. Haroon doesn't drink tea or smoke Camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

Writing Metasploit Plugins - from Vulnerability to Exploit
Saumil Udayan Shah, CEO & Founder, Net-Square Solutions

This talk shall focus on exploit development from vulnerabilities. We have seen many postings on security forums which vaguely describe a vulnerability, or sometimes provide a "proof-of-concept" exploit.

The Metasploit Framework is a powerful tool to assist in the process of vulnerability testing and exploit development. The framework can also be used as an engine to run exploits, with different payloads and post-exploitation mechanisms.

In this talk, we shall look at how we can construct exploits from published vulnerabilities, using facilities provided by the Metasploit framework. A Unix and a Windows vulnerability example shall be covered. Next we shall demonstrate how to write this exploit as a Metasploit plug-in, so that it can be integrated into the Metasploit Framework.

Participants shall get insights into discovery and verification of vulnerabilities, finding the entry points, gaining control of program flow, choices of shellcode and finally writing a working exploit for the vulnerability. Participants shall also get an overview of Metasploit's internal modules and how to integrate custom exploits with the Metasploit framework.

Saumil Shah continues to lead the efforts in e-commerce security research at Net-Square. His focus is on researching vulnerabilities in various e-commerce and web-based application systems. Saumil also provides information security consulting services to Net-Square clients, specializing in ethical hacking and security architecture. He holds the Certified Information Systems Security Professional designation. Saumil has more than nine years' experience with system administration, network architecture, integrating heterogeneous platforms, and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences such as BlackHat, RSA, etc.

Previously, Saumil was the Director of Indian operations for Foundstone Inc, where he was instrumental in developing their web application security assessment methodology, the web assessment component of FoundScan - Foundstone's Managed Security Services software and was instrumental in pioneering Foundstone's Ultimate Web Hacking training class.

Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for the company's ethical hacking and security architecture solutions. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member there.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).


RAIDE: Rootkit Analysis Identification Elimination v1.0
Peter Silberman
Jamie Butler, CTO, Komoku, Inc.

In the past couple of years there have been major advances in the field of rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker to FU. Rootkit technology is growing at an exponential rate and is becoming an everyday problem: spyware and botnets, for example, are using rootkits to hide their presence. During the same time, there have been few public advances in the rootkit detection field since the conception of VICE. The detection that is out there only meets half the need, because each tool is designed to detect a very specific threat. After three years, it’s time for another run at rootkit detection.

This presentation will review the state-of-the-industry in rootkit detection, which includes previously known ways to detect rootkits and hooks. It will be shown how the current detection is inadequate for today’s threat, as many detection algorithms are being bypassed. The talk will outline what those threats are and how they work. The presentation will then introduce the RAIDE (Rootkit Analysis Identification Elimination) tool and detail RAIDE’s unique features such as unhiding hidden processes, showing new ways to detect hidden processes, and restoring non-exported ntoskrnl functions.

The talk will conclude with a demonstration, which at Black Hat Europe included five rootkits, one virtual machine, two kernel level debuggers, and RAIDE running happily on top of them all.

Peter Silberman has been working in the computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was employed at HBGary during the summer of 2005; during the rest of the year, Peter is an independent security researcher who tries to contribute to in his spare time. Peter is currently a sophomore at a liberal arts school where he tries not to let education interfere with his learning. When not behind a computer or power tools, Peter can be found behind a pong table mastering his skills.

Jamie Butler is the Chief Technology Officer at Komoku, Inc. He has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was also the Director of Engineering at HBGary, Inc., focusing on rootkits and other subversive technologies. Mr. Butler has a Master's degree in Computer Science from the University of Maryland and a B.B.A. and B.S. from James Madison University. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller "Rootkits: Subverting the Windows Kernel." Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop proceedings, USENIX ;login:, SecurityFocus, and Phrack. He is a frequent speaker at computer security conferences such as the Black Hat Security Briefings and has appeared on Tech TV and CNN.

Before that, Mr. Butler was the Director of Engineering at HBGary, Inc., specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel", due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds an MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX ;login:, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers, concentrating on host-based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at


Hotpatching and the Rise of Third-Party Patches
Alexander Sotirov, Reverse Engineer, Determina Inc.

Hotpatching is a common technique for modifying the behavior of closed-source applications and operating systems. It is not new, and has been used by old-school DOS viruses, spyware, and many security products. This presentation will focus on one particular application of hotpatching: the development of third-party security patches in the absence of source code or vendor support, as illustrated by Ilfak Guilfanov’s unofficial fix for the WMF vulnerability in December of 2005.

The presentation will begin with an overview of common hotpatching implementations, including Microsoft’s hotpatching support in Windows 2003, the standard 5-byte jump overwrite, and dynamic binary translation systems. I will talk briefly about the deployment and compatibility issues surrounding third-party security patches, before getting technical and delving deep into the process of hotpatch development. I will present techniques for exploit-guided debugging and reverse engineering of vulnerable functions, as well as code for hotpatch injection and binary patching.

The most fun part will be at the end of the presentation, when I will do a live demo of analyzing a vulnerability and building a hotpatch for it in 15 minutes.

Alexander Sotirov has been involved in computer security since 1998, when he became one of the editors of Phreedom Magazine, a Bulgarian underground technical publication. For the past nine years he has been working on reverse engineering, exploit code development and research in automated source code auditing. His most well-known work is the development of highly reliable exploits for Apache/mod_ssl, ProFTPd and Windows ASN.1. He graduated with a Master's degree in computer science in 2005. His current job is as a reverse engineer on the security research team at Determina Inc.


$30, 30 Minutes, 30 Networks
Jonathan Squire, CISSP, Senior Information Security Technical Architect, Dow Jones and Company

Have you ever walked into your local Global Mega Super Tech Store and wondered how cheaply you could build a device that could play your digital music, display pictures, and listen to your neighbor's wireless network? 

Project Cowbird is part of an ongoing research project to chart the various predators and prey within the information security landscape into a pseudo-ecology. Project Cowbird demonstrates the reuse of a $30 wireless media adapter as a Kismet server.

The small form factor of the device, in addition to its abundant hardware features (TV out, PCMCIA slot, Prism2 card, 10/100 Ethernet), makes its use as a development platform for security tools very intriguing. A brief glimpse into the current and future research of the paper "The Ecology of Information Security" will also be covered.

Jonathan Squire is a founding member of the Dow Jones Information Security Group, and is credited with accomplishments that include developing an Information Security model for the enterprise, architecting the security infrastructure for, a Dow Jones and Reuters Company, and architecting a secure, centralized credit card processing solution. Mr. Squire is an active member of the Enterprise Architecture Group within Dow Jones, the group that provides direction for technology initiatives within the enterprise. He is also responsible for providing direction in governance and industry best practices. In his spare time, Jonathan is known to enjoy disassembling any piece of technology that costs more than $20 just to find out what else it can do. This propensity for abusing technology is easily witnessed by viewing the buckets of broken parts strewn throughout his basement as well as the creations that rise from the rubble.


Auditing Data Access Without Bringing Your Database To Its Knees
Kimber Spradin, Sr. Manager Security & Compliance Products, Embarcadero Technologies
Dale Brocklehurst, Principal Software Consultant, Embarcadero Technologies

Today’s privacy requirements place significant additional auditing burdens on databases. First you have to know which databases in your environment contain regulated Personally Identifiable Information (PII) or Protected Health Information (PHI), then you have to monitor ALL activity surrounding that data—not just changes to it. In the world of databases, this means auditing all SELECT statements—something many native database auditing tools are not very good at. This presentation will demonstrate how you can log this activity across multiple database platforms (without bringing your database to its knees), and then what to look for in those reams of log entries your auditors made you record.
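As an added illustration of the second half of that paragraph (what to look for in SELECT audit records once you have them), the following Python is not part of the talk or of any Embarcadero product. It assumes a constructed, vendor-neutral line-oriented audit-log format, a hypothetical list of tables that a prior classification pass marked as holding PII/PHI, and a hypothetical list of service accounts expected to read them; the sample records are constructed, not real audit data.

```python
import re
from datetime import datetime

# Constructed, vendor-neutral audit record format (an assumption for this example):
# "<ISO-8601 timestamp> user=<account> db=<database> rows=<rows returned> stmt=<SQL text>"
AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)
# Tables a prior data-classification pass marked as holding PII/PHI (hypothetical names).
PII_TABLES = {"patients", "customers", "ssn_lookup"}
# Service accounts expected to read those tables (hypothetical names).
EXPECTED_READERS = {"app_web", "app_billing"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59
BULK_ROWS = 1000                # a read returning this many rows or more counts as bulk

# Constructed sample records, not real audit data.
SAMPLE_LOG = """\
2006-07-12T09:15:02 user=app_web db=crm rows=1 stmt=SELECT name, email FROM customers WHERE id = 4417
2006-07-12T09:16:44 user=app_web db=crm rows=12 stmt=SELECT id FROM orders WHERE customer_id = 4417
2006-07-12T23:41:10 user=dba_joe db=crm rows=58213 stmt=SELECT * FROM customers
2006-07-13T10:02:31 user=report_svc db=ehr rows=2 stmt=SELECT mrn, dob FROM patients WHERE mrn = 'A1002'
2006-07-13T10:05:09 user=app_billing db=crm rows=3400 stmt=UPDATE customers SET tier = 'gold' WHERE spend > 1000
2006-07-13T14:30:00 user=dba_joe db=crm rows=58213 stmt=SELECT ssn, name FROM ssn_lookup s JOIN customers c ON c.id = s.cid
"""

TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_audit_line(line):
    """Return a dict for one audit record, or None if the line does not match the format."""
    m = AUDIT_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["rows"] = int(rec["rows"])
    return rec


def referenced_tables(stmt):
    """Table names following FROM or JOIN (a deliberately simple scan, not a full SQL parser)."""
    return {t.lower() for t in TABLE_REF.findall(stmt)}


def review_audit_log(text):
    """Flag SELECTs against regulated tables that break the expected access pattern."""
    findings = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or not rec["stmt"].lstrip().upper().startswith("SELECT"):
            continue  # reads are the hard-to-audit case; writes are left to native change auditing
        touched = referenced_tables(rec["stmt"]) & PII_TABLES
        if not touched:
            continue
        reasons = []
        if rec["user"] not in EXPECTED_READERS:
            reasons.append("unexpected account")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if rec["rows"] >= BULK_ROWS:
            reasons.append("bulk read")
        if re.search(r"\bWHERE\b", rec["stmt"], re.IGNORECASE) is None:
            reasons.append("no row filter")
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                             "tables": sorted(touched), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f["ts"], f["user"], ",".join(f["tables"]), "->", "; ".join(f["reasons"]))
```

On the constructed sample this keeps three of the six records: the two unfiltered bulk reads by a DBA account (one of them at night) and the single-row read of a patient record by an account that is not on the expected-readers list. Real audit formats differ per platform, so the parsing is the part to adapt; the rules (who, when, how much, and whether the statement was filtered at all) are the part to keep.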

Kimber Spradin recently joined Embarcadero Technologies, bringing more than 10 years' experience in the information security industry. She started her career at Ernst & Young specializing in IT compliance, helping Fortune 500 organizations meet both regulatory and internal information security requirements. This included developing risk assessment, compliance, policy management, and product evaluation programs. She then spent 5 years at NetIQ, responsible for driving the strategy and marketing around the company’s policy-based security products and sharing her regulatory compliance expertise with customers in all types of industries. She also regularly works with industry analysts from such firms as Gartner, META (now Gartner), and Forrester on these topics. Kimber has a bachelor’s degree in Accounting from Baylor University, an MBA from Michigan State, and has received the Certified Public Accountant, the Certified Information Systems Auditor, and the Certified Information Systems Security Professional designations.

Dale Brocklehurst has been applying his business development and teaching skills to the design, development, and management of enterprise databases in a wide range of environments for more than 25 years. Dale is a faculty member at the University of Phoenix, where he teaches Database Management courses. As Principal Software Consultant for Embarcadero Technologies, Dale is responsible for providing consulting, assuring customer satisfaction, performing technical sales presentations, managing software installations, and providing customer training. Prior to joining Embarcadero Technologies, he held positions in project management, data modeling, customer support management, and training management at MCI, Compassion International, and Cibar, Inc. Dale has earned Bachelor's degrees in both Secondary Education and Mathematics from LeTourneau College and a Master's degree in Computer Information Systems Management from the University of Phoenix.


Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0
Alex Stamos, Principal Partner, iSEC Partners
Zane Lackey, Security Consultant, iSEC Partners

The Internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of “Web 2.0” technologies giving us faster, more exciting, and more useful web applications. One of the fundamentals of “Web 2.0” is known as Asynchronous JavaScript and XML (AJAX), which is an amalgam of techniques developers can use to give their applications the level of interactivity of client-side software with the platform-independence of JavaScript.

Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser has created new attacks as well as made classic web application attacks more difficult to prevent.

We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering and object serialization attacks in AJAX applications, and will publicly release an AJAX-based XSRF attack framework. We will also be releasing a security analysis of several popular AJAX frameworks, including Microsoft Atlas, JSON-RPC and SAJAX. The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript.

Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec. He holds a BSEE from the University of California, Berkeley.

Zane Lackey is a Security Consultant with iSEC Partners, LLC, a strategic digital security organization. Zane regularly performs application penetration testing and code review engagements for iSEC, and his research interests include web applications and emerging Win32 vulnerability classes. Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop.


Attacking Internationalized Software
Scott Stender, Principal Partner, iSEC Partners

Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation.

Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software; at worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer relies on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood attack surface.

If we go back to the "three stages model" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years of studying core technologies and real software systems will be presented.
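An added example, not from the talk, of the interpretation-stage problem in that paragraph: a validation check that runs before the data is canonicalized inspects a different value than the component that finally consumes it, so the defence at the "entry" stage is satisfied while the interpreted value is not what was checked. Python's unicodedata NFKC normalization stands in for the consumer's interpretation step; the single-path-component policy, the filenames and the overlong byte sequence are constructed for illustration. The fix the code shows is the usual one: canonicalize first, validate the canonical form, and use strict decoders that refuse non-shortest encodings.

```python
import unicodedata


def looks_safe(component):
    """Allowlist-style check for one path component: non-empty, no separators, no parent references.
    (Constructed policy for illustration, not a complete filename validator.)"""
    return bool(component) and "/" not in component and "\\" not in component and ".." not in component


def canonicalize(text):
    """The consumer's interpretation step: NFKC folds compatibility characters such as
    fullwidth punctuation and ligatures onto their base code points."""
    return unicodedata.normalize("NFKC", text)


def validate_then_normalize(component):
    """Wrong order: the check inspects one representation, the consumer receives another.
    Returns the value the consumer would act on, or None if the check rejected the input."""
    if not looks_safe(component):
        return None
    return canonicalize(component)


def normalize_then_validate(component):
    """Right order: canonicalize first, so the value validated is the value interpreted.
    Returns the canonical component, or None if it was rejected."""
    canonical = canonicalize(component)
    if not looks_safe(canonical):
        return None
    return canonical


def decode_utf8_strict(raw):
    """Strict UTF-8 decoding rejects overlong (non-shortest) encodings, so a byte-level
    check and the decoded text cannot disagree about what a byte sequence means.
    Returns the decoded string, or None if the bytes are not well-formed UTF-8."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    # Constructed input built from FULLWIDTH FULL STOP (U+FF0E) and FULLWIDTH SOLIDUS (U+FF0F).
    sample = "\uff0e\uff0e\uff0fpasswd"
    print("raw check passes:", looks_safe(sample))
    print("consumer would see:", repr(validate_then_normalize(sample)))
    print("normalize-then-validate result:", normalize_then_validate(sample))
    print("overlong bytes decode strictly as:", decode_utf8_strict(b"\xc0\xae\xc0\xae"))
```

The same ordering rule applies to any interpretation a downstream component performs (case folding, percent-decoding, charset conversion, locale-aware number parsing): the check has to see the bytes in the form the consumer will use, which is why rejecting non-canonical input outright is often simpler than trying to validate every representation.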

Scott Stender is a founding partner of iSEC Partners and brings with him several years of experience in large-scale software development and security consulting. Prior to iSEC Partners, Scott worked as an application security analyst with @stake where he led and delivered on many of @stake's highest priority clients. Before @stake, Scott worked for Microsoft where he was responsible for security and reliability analysis for one of Microsoft's distributed enterprise applications. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Scott has previously presented at conferences such as Black Hat USA, OWASP, and the Software Security Summit. He holds a BS in Computer Engineering from the University of Notre Dame.


Punk Ode—Hiding Shellcode in Plain Sight
Michael Sutton, Director, iDefense Labs iDefense/VeriSign
Greg MacManus, Senior Security Engineer, iDefense Labs, iDefense/VeriSign

Injecting shellcode into a vulnerable program so you can find it reliably can be tricky. With image format vulnerabilities, sometimes the only place you can put your code is in the image itself. If a file attempting to exploit one of these vulnerabilities was rendered using a non-vulnerable application, the ‘strange’ files might raise some suspicion; a file containing a NOP-sled and shellcode does not tend to look like any normal photo. What if shellcode could be injected in this way without significantly altering the appearance of the file? What if the entire file could be transformed into executable code but the original image or sound could still be rendered? In this presentation we will present Punk Ode, which combines concepts from steganography, psychophysics and restricted character-set shellcode encoding to hide shellcode in plain sight. We will discuss how to convert a media file into a stream of valid instructions while leaving the initial images/sounds intact so as not to raise suspicion. We will also release a series of tools designed to automate the generation of such files.

Michael Sutton is a Director for iDefense/VeriSign where he heads iDefense Labs and the Vulnerability Aggregation Team (VAT). iDefense Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDefense Vulnerability Contributor Program (VCP). Prior to joining iDefense, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. He obtained his Master of Science in Information Systems Technology degree at George Washington University and has a Bachelor of Commerce degree from the University of Alberta. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Greg MacManus is a security engineer for iDefense/VeriSign working in the iDefense Labs where he does a bunch of computer security research and vulnerability analysis. He obtained his Bachelor of Science in Computer Science at Otago University in Dunedin, New Zealand and during this time got quite good at doing the computer stuff and going off on random tangents. Aside from finding and exploiting security vulnerabilities and related computer security topics, he is also interested in image processing, data visualization, artificial intelligence, wordplay and music.


Rootkits: Attacking Personal Firewalls
Alexander Tereshkin, Senior Research Engineer, Codedgers, Inc

Usually, a personal firewall and an antivirus monitor are the only tools a user runs to protect the system from malware of any level of sophistication. That level increases significantly when malware authors add kernel-mode rootkit components to their code in order to avoid easy detection. As rootkit technologies become more and more popular, we can clearly see that many AV vendors are beginning to integrate anti-rootkit code into their products. However, the evolution of firewalls is not so obvious. Firewall vendors widely advertise their enhancements to protection against user-mode code injection and similar tricks, which almost any malware out there uses to bypass simpler firewalls, while paying much less attention to kernel-mode threats. In fact, only a few vendors evolve their kernel-mode traffic filter techniques to pose an obstacle to a possible kernel rootkit.

This presentation will focus on the attacks an NT kernel rootkit may perform to bypass a personal firewall at its core component: the traffic hooking engine. Starting from a brief overview of the entire NT network subsystem, the talk will demonstrate both simple and advanced methods firewalls use to hook inbound and outbound traffic. Every firewall trick will be examined in detail, and an antidote will be offered for each. It will also be shown that it is possible for a rootkit to operate at a lower level than current firewalls by using only DKOM techniques. The presentation will be accompanied by a live demo of a proof-of-concept rootkit able to bypass even the most advanced personal firewalls available on the market. Finally, a possible solution for hardening firewalls against the discussed attacks will be presented.

Alexander Tereshkin specializes in NT kernel-mode coding, focusing on network interaction. He is interested in rootkit technology in both its offensive and defensive aspects. He has worked on various projects that required comprehensive knowledge of the Ke, Mm and Ps NT kernel subsystems as well as NDIS internals. His x86 code analysis engines are used in a few commercial products. In addition to his day job, Alex likes to reverse engineer malware samples. He is also a contributor to


The Statue of Liberty: Utilizing Active Honeypots for Hosting Potentially Malicious Events
Philip Trainor, Network Security Engineer, Imperfect Networks Inc

The premise of the demonstration is there are no secure systems. Traffic that may have malicious intent, but has not yet caused problems in any published occurrences, may reach protected services and clients after passing through edge equipment and inline IPS devices. This traffic should be sent to closely-monitored virtual machines hosting mirrors of the real services that are segregated from the primary services on the network. These virtual hosts will be the service utilized by certain types of network traffic that may have malicious intent. The purpose of sending potentially malicious traffic to the virtual services is to gain insight into the nature of the potential attack and spare the real services, thus creating an improved risk management model for the deployment of network services that are exposed to the possibility of attack scenarios. However, it is probable that in most cases, the traffic will cause no harm to the virtual system and allow the remote user access to a most likely minimal version of the service.

The discussion will not be technical to the point where coding techniques are discussed. The premise will entail fitting the demonstrated project into an existing network security topology and a demonstration of an attack that foils current security, reaches the virtual services, and compromises the virtual services while the main services are not taken down. Knowledge of common network security practices and basic security auditing techniques are a prerequisite.

Philip Trainor is currently an employee of Imperfect Networks, where he creates remote exploits and audits security devices and practices used by network equipment manufacturers, antivirus companies, telcos, and several departments within the US federal government.


Wi-Fi Advanced Stealth
Franck Veysset, France Télécom R&D
Laurent Butti, France Télécom R&D

Wireless stealth was somewhat expensive some years ago as we were required to use proprietary radios and so on… Thanks to increasingly flexible low-cost 802.11 chipsets we are now able to encode any MAC layer proprietary protocol over 2.4 GHz/5 GHz bands! This could mean stealth to everybody at low-cost!

This presentation will focus on two techniques to achieve a good level of stealth:

  • a userland technique exploiting a covert channel over valid 802.11 frames;
  • a driverland technique exploiting some 802.11 protocol tweaks.

These techniques are somewhat weird! That’s one reason they resist the action of scanners and wireless IDS!

The tools that will be released are proof-of-concepts and may be improved both in terms of features and code cleanups!

Franck Veysset is a network security expert working for France Telecom R&D security labs. His activities are focused on Wi-Fi security, honeypot, and more generally IP security.

He has presented at numerous technical and security conferences (ToorCon, Shmoocon, Eurosec, First, LSM). He is also a program chair member of different conferences (FIRST, SSTIC, JSSI). Aside from these activities, he is member on the board of the French Information Systems and Network Security Observatory, and a member of the French chapter of the Honeynet project.

Laurent Butti is a network security senior expert working at France Telecom R&D labs. His areas of research are focused on wireless security (IEEE 802.11, IEEE 802.16…), honeypots and worms. He spoke at numerous security focused conferences (ToorCon, ShmooCon, FIRST, EuroSec). He is also the author of several Open Source tools.


VOIP Security Essentials
Jeff Waldron

The VoIP Security Essentials presentation will introduce the audience to voice over IP (VoIP) technology. The practical uses of VoIP will be discussed along with the advantages and disadvantages of VoIP technology as it is today. Key implementation issues will be addressed to ensure product selection for VoIP technology will integrate into the organization’s current infrastructure. The presentation will look at some of the latest VoIP security issues that have surfaced and the vendor/industry responses to those issues.

Jeff Waldron, CISSP, ISSAP, SCSA has over 15 years of IT experience—over 10 of those years are IT security specific. He has supported commercial, state, federal and DoD IT security environments, and has extensive knowledge of host- and network-based intrusion detection/prevention tools and technologies along with UNIX-based security configurations. He presented at Black Hat USA 04 and is a faculty member with The Institute for Applied Network Security.


Web Application Incident Response & Forensics: A Whole New Ball Game!
Chuck Willis, Senior Consultant at Mandiant
Rohyt Belani, Director, Mandiant

Web applications are normally the most exposed and the most easily compromised part of an organization's network presence. This combination requires that organizations be prepared for web application compromises and have an efficient plan for dealing with them. Unfortunately, traditional techniques for forensics and incident response do not take into account the unique requirements of web applications. The multi-level architecture, business criticality, reliance on major database and middleware software components, and custom nature of web applications all create unique challenges for the security professional. Responding to a web application attack brings many unique issues, often with no clear right and wrong answers, but this talk will provide useful information to guide attendees down this bumpy path.

Chuck Willis is a Senior Consultant with Mandiant, a full spectrum information security company in Alexandria, Virginia, where he concentrates in incident response, computer forensics, tool development and application security. Prior to joining MANDIANT, Chuck performed security software engineering, penetration testing, and vulnerability assessments at a large government contractor and also conducted computer forensics and network intrusion investigations as a U.S. Army Counterintelligence Special Agent. Chuck holds a Master of Science in Computer Science from the University of Illinois at Urbana-Champaign and has previously spoken at the Black Hat Briefings USA, the IT Underground security conference in Europe, and DefCon. Chuck has contributed to several open source security software projects and is a member of the Open Web Application Security Project, a Certified Information Systems Security Professional, and a Certified Forensic Computer Examiner. Chuck's past presentations are available on his Web site.

Rohyt Belani is a Director at Mandiant and specializes in assisting organizations with securing their network infrastructure and applications. His expertise encompasses the areas of wireless security, application security and incident response. Rohyt is also an experienced and talented instructor of technical security education courses. Prior to joining MANDIANT, Rohyt was a Principal Consultant at Foundstone. Earlier in his career, he was a Research Group Member for the Networked Systems Survivability Group at the Computer Emergency Response Team (CERT). Rohyt is a frequent author of articles on SecurityFocus and is also a contributing author for "Hack Notes—Network Security" and "Extrusion Detection: Security Monitoring for Internal Intrusions". Rohyt is a regular speaker at various industry conferences and forums like OWASP, HTCIA, FBI-Cyber Security Summit, ASIS, HP World, New York State Cyber Security Conference, HackInTheBox-Malaysia, and CPM. Rohyt holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University and is a Certified Information Systems Security Professional (CISSP).


NIDS: False Positive Reduction Through Anomaly Detection
Emmanuele Zambon
Damiano Bolzoni, PhD student at Twente University

The Achilles' heel of network IDSs is the large number of false positives (alerts that correspond to no real attack) they raise: practitioners and researchers alike observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem, affecting signature-based and anomaly-based IDSs alike. Worse, attackers can exploit them deliberately, forging ad-hoc packets that produce false alerts in order to overload IT personnel and thereby lower the defences of the IT infrastructure.

Our thesis is that one of the main reasons NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output produced in response to the alert-raising input traffic, one can reduce the number of false positives effectively. To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input side of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture.
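The following is an added example, not the authors' APHRODITE or POSEIDON code, that sketches the correlation idea in Python. A simplified PAYL-style byte-frequency model (per length bucket, mean and standard deviation of the 256 byte frequencies, scored with the smoothed L1 distance) is trained on normal HTTP responses to stand in for the OAD; the correlation engine then keeps an input-side NIDS alert only when the response on the same flow also scores as anomalous. The responses, the alert records, the flow with no captured output and the "three times the worst calibration score" threshold rule are all constructed for the illustration. POSEIDON itself layers PAYL over a self-organising map, which this sketch omits.

```python
"""Added illustration (not the authors' code) of APHRODITE-style correlation:
input-side NIDS alerts are confirmed or suppressed by an output anomaly detector
built from a PAYL-like byte-frequency model.  All traffic here is constructed."""
import math


class ByteFrequencyModel:
    """Simplified PAYL: per payload-length bucket, the running mean and variance
    of the 256 byte frequencies (Welford's update), scored with the smoothed
    L1 Mahalanobis distance  sum(|f - mean| / (std + alpha))."""

    def __init__(self, bucket=64, alpha=0.01):
        self.bucket, self.alpha = bucket, alpha
        self.stats = {}  # length bucket -> [n, mean[256], m2[256]]

    @staticmethod
    def _freq(payload):
        f = [0.0] * 256
        for b in payload:
            f[b] += 1.0
        return [x / len(payload) for x in f] if payload else f

    def train(self, payload):
        k = len(payload) // self.bucket
        entry = self.stats.setdefault(k, [0, [0.0] * 256, [0.0] * 256])
        f = self._freq(payload)
        entry[0] += 1
        n, mean, m2 = entry
        for i in range(256):
            d = f[i] - mean[i]
            mean[i] += d / n
            m2[i] += d * (f[i] - mean[i])

    def score(self, payload):
        """Anomaly score; higher means further from the normal profile."""
        if not self.stats:
            raise ValueError("model has not been trained")
        k = len(payload) // self.bucket
        if k not in self.stats:  # no bucket for this length: borrow the nearest one
            k = min(self.stats, key=lambda b: abs(b - k))
        n, mean, m2 = self.stats[k]
        f = self._freq(payload)
        return sum(abs(f[i] - mean[i]) / (math.sqrt(m2[i] / n) + self.alpha)
                   for i in range(256))


def _page(n):  # constructed normal HTTP response, differing only in one number
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body><h1>Welcome</h1>"
            b"<p>Item %d of the catalogue.</p></body></html>" % n)


TRAINING = [_page(i) for i in range(40)]         # normal responses used to build the OAD
CALIBRATION = [_page(i) for i in range(40, 50)]  # held-out normals used to set the threshold

ALERTS = [  # constructed input-side NIDS alerts, one per flow
    {"id": "A1", "flow": "f1", "sig": "single quote in query string"},
    {"id": "A2", "flow": "f2", "sig": "directory traversal in URI"},
    {"id": "A3", "flow": "f3", "sig": "directory traversal in URI"},
]
OUTPUT = {  # what the server sent back on each flow (constructed)
    "f1": _page(57),  # an ordinary page: the quote was part of a legitimate search term
    "f2": (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
           b"root:x:0:0:root:/root:/bin/bash\n"
           b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    # f3: no response captured (connection reset before any output)
}


def build_oad(training=TRAINING, calibration=CALIBRATION, margin=3.0):
    """Train the output anomaly detector and derive a threshold from held-out normals."""
    oad = ByteFrequencyModel()
    for p in training:
        oad.train(p)
    threshold = margin * max(oad.score(p) for p in calibration)
    return oad, threshold


def correlate(alerts, output, oad, threshold):
    """Correlation engine: keep an input alert only when the output it triggered
    is anomalous too.  A flow with no captured output cannot be cleared, so its
    alert is kept rather than silently dropped."""
    confirmed, suppressed = [], []
    for a in alerts:
        payload = output.get(a["flow"])
        if payload is None or oad.score(payload) > threshold:
            confirmed.append(a["id"])
        else:
            suppressed.append(a["id"])
    return confirmed, suppressed


if __name__ == "__main__":
    oad, thr = build_oad()
    print("threshold %.2f" % thr, correlate(ALERTS, OUTPUT, oad, thr))
```

Run stand-alone, the script suppresses A1 (the response is a normal page) and confirms A2 (a /etc/passwd dump looks nothing like the trained responses) and A3 (no output to judge). The threshold is set from held-out normal traffic rather than hard-coded, which is the part that has to be re-done per site; the choice to keep alerts on flows without output is a deliberate bias toward completeness over accuracy.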

Benchmarks performed on POSEIDON and APHRODITE with the DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms by between 50% and 100% (improving accuracy) without reducing the NIDS's ability to detect attacks (completeness).

Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is an author of the POSEIDON paper.

Damiano Bolzoni pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is an author of the POSEIDON and APHRODITE papers and has given talks at the IWIA workshop, WebIT and many security conferences in the Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management.

Return to the top of the page

Host-Based Anomaly Detection on System Call Arguments
Stefano Zanero, Post-doc researcher, Politecnico di Milano T.U. and CTO & Co-founder, Secure Network S.r.l.   

Traditionally, host-based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype capable of detecting anomalous system calls in an execution flow, which helps in tracing intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall at different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies.
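An added example in Python, not the speaker's prototype, of the two ideas in the abstract: each system call is abstracted to an argument profile (directory and flags for open(), target path for execve(), a size class for read()/write()), the profiles observed per program and syscall form that syscall's known "uses", and a first-order Markov chain over (syscall, profile) states flags orderings never seen in training. The audit-style traces, the web server they stand for and the 5% transition-probability cut-off are all constructed for the illustration; how many arguments to keep and how to abstract them is the real design question, and this sketch answers it only for four syscalls.

```python
"""Added illustration (not the speaker's code) of host-based anomaly detection on
system-call arguments plus a Markov model of the call sequence.  Traces are
constructed in the shape an audit log would provide: (syscall, args) tuples."""
import math
from collections import defaultdict


def profile(syscall, args):
    """Abstract raw arguments into the features the model keeps per syscall."""
    if syscall == "open":
        path, flags = args
        return (("dir", path.rsplit("/", 1)[0] or "/"), ("flags", flags))
    if syscall == "execve":
        return (("path", args[0]),)
    if syscall in ("read", "write"):
        (n,) = args
        return (("len_bucket", int(math.log2(max(n, 1)))),)  # size class, not exact size
    return ()  # close(): nothing worth modelling


class SyscallArgModel:
    def __init__(self):
        self.uses = defaultdict(set)  # (program, syscall) -> argument profiles seen in training
        # program -> previous state -> next state -> count (first-order Markov chain)
        self.trans = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))

    def train(self, program, trace):
        prev = "START"
        for syscall, args in trace:
            state = (syscall, profile(syscall, args))
            self.uses[(program, syscall)].add(state[1])
            self.trans[program][prev][state] += 1
            prev = state

    def check(self, program, trace, min_prob=0.05):
        """Return (index, syscall, kind, detail) for every call judged anomalous.
        An unseen argument profile is reported on its own; the sequence test is
        applied only to calls whose arguments are known, so each call yields at
        most one alert.  The call after an unseen profile still fails the sequence
        test (no transition was ever recorded from that state)."""
        alerts = []
        prev = "START"
        for i, (syscall, args) in enumerate(trace):
            state = (syscall, profile(syscall, args))
            if state[1] not in self.uses.get((program, syscall), set()):
                alerts.append((i, syscall, "argument", state[1]))
            else:
                successors = self.trans.get(program, {}).get(prev, {})
                total = sum(successors.values())
                p = successors.get(state, 0) / total if total else 0.0
                if p < min_prob:
                    alerts.append((i, syscall, "sequence", p))
            prev = state
        return alerts


# Constructed traces for a hypothetical web server "httpd": serve a page, then log the hit.
def serve(page, size):
    return [("open", ("/var/www/html/" + page, "O_RDONLY")), ("read", (size,)),
            ("write", (size,)), ("close", ())]


def log_hit(nbytes):
    return [("open", ("/var/log/httpd/access.log", "O_WRONLY|O_APPEND")),
            ("write", (nbytes,)), ("close", ())]


TRAINING = [serve("index.html", 1200) + log_hit(80),
            serve("about.html", 800) + log_hit(78),
            serve("contact.html", 1024) + log_hit(84),
            serve("index.html", 1200) + log_hit(81)]
NORMAL = serve("about.html", 900) + log_hit(95)
ATTACK = [("open", ("/etc/passwd", "O_RDONLY")), ("read", (1500,)), ("write", (1500,)),
          ("close", ()), ("execve", ("/bin/sh",))]


def build_model():
    model = SyscallArgModel()
    for trace in TRAINING:
        model.train("httpd", trace)
    return model


if __name__ == "__main__":
    m = build_model()
    print("normal:", m.check("httpd", NORMAL))
    print("attack:", m.check("httpd", ATTACK))
```

The attack trace is caught twice on arguments alone: open() is a known syscall in this program but /etc is not a directory it has ever opened (a second "use" of open that the sequence-only model would accept, since open/read/write/close is exactly the normal order), and execve() has no known profile at all. The sequence model adds the read() that follows the unexpected open(), because no transition was ever recorded out of that state.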

Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is currently spending his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and has been awarded a journalism award in 2003. Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Return to the top of the page

Hardware Virtualization-Based Rootkits
Dino Dai Zovi, Principal, Matasano Security, LLC

Hardware-supported CPU virtualization extensions such as Intel's VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel® Core Solo and Duo processors found in laptops released in early 2006 with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a rootkit "hypervisor" that transparently runs the original operating system in a VM. The rootkit would be loaded in physical memory pages that are inaccessible to the running OS and can mediate device access to hide blocks on disk.  This presentation will describe how VT-x can be used by rootkit authors, demonstrate a rootkit based on these techniques, and begin to explore how such rootkits may be detected.

Dino Dai Zovi is a principal member of Matasano Security where he performs consulting engagements as well as research and development. Dino is a computer security professional and researcher with over 7 years of experience in software, web application, and network penetration testing, application and operating system source code review, cryptosystem design and review, malware analysis, security tool development, and Red Team security analysis for Fortune 100 firms and federal government departments and agencies. Dino's other research projects include KARMA, a wireless client-side security assessment toolkit, and Viha, the first monitor-mode wireless driver for Apple's AirPort 802.11b network cards.

Return to the top of the page

PANEL: Center for Democracy and Technology Anti-Spyware Coalition Public Forum on Corporate Spyware Threats
Moderator: Ari Schwartz, Deputy Director, Center for Democracy and Technology
Researchers: Ron Davidson, CTO, Mi5 Networks
Gerhard Eschelbeck, CTO, Webroot
John Heasman, Principal Security Consultant, NGS
Dan Kaminsky, Dox Para Research
Corporate:  Andre Gold, CISO, Continental
Phil Harris, CISO, Providian
Drew Maness, Senior Security Strategist, The Walt Disney Company
Regulators: Eileen Harrington, FTC
Jerry Dixon, Deputy Director, Operations, National Cyber Security Division United States Computer Emergency Readiness Team Preparedness Directorate, U.S. Department of Homeland Security
Michele Iversen

This session will examine the threat of spyware to corporations. What does the threat currently look like and how is it evolving? What market forces are at play? How big of a threat is spyware for corporations now and in five years? What countermeasures work now and in the future?  How are regulators working to combat this threat?

Ari Schwartz is the Deputy Director of the Center for Democracy and Technology (CDT). Ari's work focuses on increasing individual control over personal and public information. He promotes privacy protections in the digital age and expanding access to government information via the Internet. Ari regularly testifies before Congress and Executive Branch Agencies on these issues. Prior to working at CDT, Ari worked at OMB Watch researching and analyzing the nonprofit sector's engagement in technology, government performance, access to government information, and government information technology policy.

Andre Gold is head of Information Security at Continental Airlines, one of the world's largest and most successful commercial and freight transportation providers. Before assuming his current role, Mr. Gold served as Technical Director of Internet Services, responsible for Continental's property, which contributes over a billion dollars a year in revenue for Continental. Prior to Continental Airlines, Inc. Mr. Gold worked as a consultant in the IT industry. Mr. Gold has a BBA in Computer Information Systems from the University of Houston-Downtown and received his commission in the Army from Wentworth Military Academy. In addition to his position at Continental, Mr. Gold serves on the Microsoft Chief Security Officer Council, the Skyteam Data Privacy and Security Subcommittee, as well as eEye Digital Security's Executive Advisory Council.

Phil Harris advises executives at large corporations on strategic security initiatives.  Harris previously served as Chief Information Security Officer (CISO) for Providian Financial Services, Safeway, Inc., and the Institutional Trust business of J.P. Morgan Chase. He was also Managing Director and Practice Manager for Schwab’s Information Security Risk Management program.  Harris has over twenty years of experience in banking, finance, insurance, manufacturing, and consumer retail including extensive engineering experience in application and platform controls, cryptography, and network and physical protection.   

As a Senior Security Strategist for Disney's Enterprise Security Strategy and Policy Group, Drew Maness provides guidance and support to the enterprise by evaluating and offering direction on emerging trends in information security. Working with Enterprise IT and the various business segments, he is responsible for creating plans to develop secure services and infrastructures through policies and controls, and for interpreting and guiding the implementation of industry best practices. Currently, Drew is a team lead for Payment Card Industry (PCI) Data Systems Security within the enterprise, responsible for providing leadership for the company's compliance initiative.

Before joining Disney, Drew was a Principal Consultant for an INC-500 security services firm, specializing in security posture assessments and penetration testing. Prior to that, he served as the Director of West Coast Consulting for Trident Data Systems/Veritect, where he spent several years developing their consulting, assessment, and penetration-testing practices. He joined TDS as a network specialist, to lead their information security consulting initiatives throughout the western region of the U.S.

Drew holds a number of technical certifications from Cisco, Microsoft, and Check Point, including Check Point's Instructor certification (CCSI), and is a Certified Information Systems Security Professional (CISSP). He is currently pursuing his Master of Science degree in Information Assurance from Norwich University.

Dr. Ron Davidson recently moved to the United States to join Mi5 Networks as VP of Threat Research. Ron previously spent his entire professional career with the elite technological unit of the Israeli Intelligence. Ron held executive positions in the unit, responsible for guiding business and R&D activities, and providing technological solutions for an array of acute operational needs. He received several awards during his service, including the Israeli National Defense Award, granted by the President of Israel for a significant technological contribution to the nation's security. Ron retired from the Israeli Defense Forces in late 2004. Ron acquired extensive formal education (with honors) from top Israeli universities and from Stanford University School of Engineering (Ph.D. in Engineering-Economic Systems).

Dan Kaminsky, also known as Effugas, was formerly a Senior Security Consultant for Avaya's Enterprise Security Practice, where he worked on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", was a co-author of "Stealing The Network: How To Own The Box", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings.

Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Seattle.

John Heasman is a Principal Security Consultant for NGS Software. He has worked as a security consultant for three years and has been certified as a CHECK Team Leader. He has invaluable experience in vulnerability research and has released numerous advisories in enterprise-level software, including Microsoft Windows, PostgreSQL, Apple Quicktime and RealNetworks Realplayer. Furthermore he has a strong interest in database security and was a co-author of the Database Hackers Handbook (Wiley, 2005).

Gerhard Eschelbeck is the chief technology officer and senior vice president of engineering at Webroot Software, Inc., and is responsible for developing and driving the company’s overall product strategy. He also manages Webroot’s development and threat research teams, and further expands the capabilities of Webroot’s Phileas, the industry’s first and only automated spyware research system.

Widely regarded as one of the foremost experts on vulnerabilities and network security, Gerhard has presented his research to the U.S. Congress and at numerous major security conferences including RSA, Black Hat and CSI. He was named one of InfoWorld's 25 Most Influential CTOs in 2003 and 2004 and is a frequent contributor to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. Gerhard is also a highly regarded author and is perhaps best known for publishing the "Laws of Vulnerabilities." He is one of the inventors of the Common Vulnerability Scoring System (CVSS) and holds numerous patents in the field of managed network security.

Eileen Harrington, an attorney, is Deputy Director of the Federal Trade Commission’s Bureau of Consumer Protection. The Bureau of Consumer Protection’s mandate is to protect consumers from deceptive, unfair, or fraudulent practices. The Bureau enforces a variety of consumer protection laws enacted by Congress, as well as trade regulation rules issued by the Commission. Its actions include individual company and industry-wide investigations, administrative and federal court litigation, rulemaking proceedings, and consumer and business education. In addition, the Bureau contributes to the Commission’s on-going efforts to inform Congress and other government entities of the impact that proposed actions could have on consumers. Current Bureau priorities include data security, the Do Not Call rule, spam, spyware, childhood obesity, the deceptive marketing of health products and services, and consumer fraud. 

Prior to becoming Deputy Director of the Bureau of Consumer Protection, Ms. Harrington was Associate Director for Marketing Practices. In that role, she led the Commission’s consumer fraud law enforcement effort, and oversaw some of its most visible regulatory work, including the National Do Not Call initiative and implementation of the CAN-SPAM Act. She also led development of the Commission’s Internet Fraud enforcement program and coordinated domestic and international  law enforcement programs to detect and halt fraud against consumers on the Internet. 

Ms. Harrington joined the FTC as Assistant Director for Marketing Practices in 1987, and served as Associate Director for Marketing Practices from 1991 to 2005. In 1997, President Clinton conferred on Ms. Harrington the rank of Distinguished Executive in the Senior Executive Service for "sustained extraordinary accomplishments" in organizing and leading interagency enforcement, education and regulatory efforts to halt consumer fraud.  In 2004, she was awarded a Service to America Medal for her work on the National Do Not Call Registry.

Mr. Jerry Dixon currently serves as the Deputy Director for the National Cyber Security Division's United States Computer Emergency Readiness Team. He is responsible for coordinating incident response activities across federal, state, local government agencies, and private sector organizations. Mr. Dixon routinely briefs on cyber security topics and emerging cyber threats to the White House Homeland Security Council, National Security Council, and Office of Management & Budget. His team focuses on emerging threats, vulnerability handling, incident response & coordination, and malware analysis in support of the US-CERT mission & National Strategy to Secure Cyberspace.

In prior roles, he was the founding Director of the Internal Revenue Service's Incident Response team, and Director of Information Security at Marriott International.

Return to the top of the page

PANEL: Disclosure Discussion
Intro and Summary: Jeff Moss, Black Hat
Moderators: Paul Proctor, Gartner
David Mortman, former CISO of Siebel
Vendors: John Stewart, Cisco
Derrick Scholl, Sun
David Litchfield, NGS
Researchers: Michael Sutton, Raven, Tom Ptacek
Customers: Pamela Fusco; Scott Blake, CISO, Liberty Mutual
Jerry Dixon, Deputy Director, Operations, National Cyber Security Division United States Computer Emergency Readiness Team Preparedness Directorate, U.S. Department of Homeland Security

Technology vendors, security researchers, and customers - all sides of the vulnerability disclosure debate agree that working together rather than apart is the best way to secure our information. But how? This working group will bring all parties together in one room to address the issues and develop a beneficial working relationship extending beyond the conference.

Jeff Moss, founder of Black Hat and DEFCON, is a renowned computer security scientist who works regularly with federal agencies, large corporations, and hackers to solve the most complex security problems. Prior to Black Hat, Jeff was a director at Secure Computing Corporation where he helped form and grow their Professional Services Department in the United States and Pacific Rim. Before Secure Computing Corporation, Jeff worked for Ernst & Young, LLP in their Information System Security division. Jeff graduated with a BA in Criminal Justice from Gonzaga University. Halfway through law school, he went back to his first love, computers, and started his first IT consulting business in 1995. Jeff has been CISSP certified, and is a member of the American Society of Law Enforcement Trainers

David Mortman is former Chief Information Security Officer for Siebel Systems, Inc. where he and his team were responsible for Siebel Systems' worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and was leading up Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, he was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist at InfoSecurity 2003, Blackhat 2004 and 2005 as well as Defcon 2005. He sits on a variety of advisory boards including Qualys, Teros, and Sygate amongst others. Mr. Mortman holds a BS in Chemistry from the University of Chicago.

Paul Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies.

Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.

Derrick Scholl is the Sr. Manager of Security Engineering and Coordination at Sun. Since 2000 he has been responsible for the team that handles Sun's response to potential vulnerabilities in any of their products. During this time he has been responsible for a number of security service enhancements at Sun including Security Sun Alerts and quickly available Interim Security Relief. He holds a BS in Computer and Electrical Engineering from Purdue University and an MBA from Santa Clara University.

Scott Blake is Chief Information Security Officer for Liberty Mutual Insurance Group and is responsible for information security strategy and policy. Prior to joining Liberty, Scott was Vice President of Information Security for BindView Corporation where he founded the RAZOR security research team and directed security technology, market, and public affairs strategy. Scott has delivered many lectures on all aspects of information security and is frequently sought by the press for expert commentary. Since 1993, Scott has also worked as a security consultant, IT director, and network engineer. He holds an MA in Sociology from Brandeis University, a BA in Social Sciences from Simon's Rock College, and holds the CISM and CISSP security certifications.

Pamela Fusco is currently Presidential Advisor to the ISSA and an EVP in the public sector. She was previously Executive Global Information Security Professional for Merck & Co., Inc. Pamela has accumulated over 19 years of substantial experience within the Security Industry. Her extensive background and expertise extend globally, encompassing all facets of security inclusive of logical, physical, personal, facilities, systems, networks, wireless, and forensic investigations.

Michael Sutton is a Director for iDEFENSE/VeriSign where he heads iDEFENSE Labs and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP).

Prior to joining iDEFENSE, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences.

He obtained his Master of Science in Information Systems Technology degree at George Washington University and has a Bachelor of Commerce degree from the University of Alberta. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Raven Alder. After being bitten by a radioactive router, mild-mannered network engineer Raven Alder found herself staying up until all hours of the night drinking tea, fixing network and security infrastructure, and fighting crime. With a dual background in ISP engineering and network security, she specializes in assessing the security of backbone networks and the associated infrastructure. Raven has contributed to several books on network security software, as well as the technical fiction "Stealing the Network" series.

Thomas Ptacek brings over 10 years of product development and security research experience to Matasano. Thomas has owned technical operations at Chicago's most popular ISP, authored "Insertion, Evasion, and Denial of Service", a landmark paper which broke every shipping intrusion detection product on the market, and at Arbor Networks led the development of a security product deployed on the backbone of virtually every tier-1 ISP worldwide.

John N. Stewart, Vice President and Chief Security Officer, Corporate Security Programs Organization, Cisco Systems, Inc. In his current role, Mr. Stewart provides leadership and direction to multiple corporate security teams throughout Cisco Systems, Inc. strategically aligning with Business Units and the IT organization to generate leading corporate security practices, policies, and processes. He is responsible for overseeing the security for the electronic commerce infrastructure supporting Cisco’s more than $25 billion business.

Mr. Stewart’s longstanding career in information security has included numerous roles. He was the Chief Security Officer responsible for operational and strategic direction for corporate and customer security at Digital Island. Mr. Stewart has served as a Research Scientist responsible for investigating emerging technologies in the Office of the CTO at Cable & Wireless America. His professional experience also includes software development, systems and network administration, software specialist, author, and instructor. He has given numerous tutorials and presentations at various security forums including SANS, USENIX, and the Java Security Alliance.

Throughout his career, he has been an active member of the security industry community. Currently, Mr. Stewart sits on technical advisory boards for Grand Central Communications, Ingrian Networks, and Tripwire, Inc.

Mr. Stewart holds a Master of Science Degree in Computer and Information Science from Syracuse University, Syracuse, New York.

Return to the top of the page

PANEL: Executive Women’s Forum and Reception:  No More Geek Speak
Moderator:  Joyce Brocaglia, Founder, EWF
Panelists: Dena Haritos Tsamitis, Director of the Information Networking Institute (INI) at Carnegie Mellon University
Merike Kaeo, Chief Network, Security Architect at Double Shot Security
Becky Bace, Trident Capital
Rhonda MacLean, CEO, MacLean Risk Partners, LLC

Delivering the right message to the right people in whole numbers and primary colors makes all the difference. Industry leaders share insights on how they convey solutions to complex issues and problems in a way that is meaningful and adds value to their organization.

Joyce Brocaglia is president and chief executive officer of Alta Associates, the premier executive recruitment firm for the information security industry. In 2003, Brocaglia founded the Executive Women's Forum. In September of 2003, Information Security Magazine honored her with a "Women of Vision" award naming her one of the 25 most influential women in the information security industry. She is the career advisor of CSO Magazine and author of the monthly "Career Corner" column for the Information Systems Security Association (ISSA) Journal Magazine. Ms. Brocaglia also serves on the board of advisors for the Information Systems Security Association and ISC2.

Dena Haritos Tsamitis is the Director of the Information Networking Institute (INI) at Carnegie Mellon University, and is responsible for the academic, administrative, and fiscal operations of the INI, which offers graduate programs in information networking (MSIN), information security technology and management (MSISTM), and information technology - information security (MSIT-IS) at Carnegie Mellon's campus in Pittsburgh, as well as in Athens, Greece and Kobe, Japan through hybrid distributed education formats. As Director of Education, Training, and Outreach for Carnegie Mellon CyLab, she is responsible for the strategic planning, implementation, and assessment of information security/assurance executive education, capacity building, and outreach programs.

In her position as Director of Education, Training, and Outreach for CyLab, Tsamitis is designing and developing awareness initiatives aimed at making 10 million citizens “cyberaware” worldwide, starting with 20,000 households in the Pittsburgh area. In order to accomplish this vision of cyberawareness, she has been working to build and leverage relationships with local Pittsburgh school districts, universities, and other educational organizations. Tsamitis is also leading the education initiatives of the Situational Awareness for Everyone (SAFE) NSF center at CyLab, which explores ways to improve computer defenses by incorporating models of human/computer/attack interactions into the defenses themselves.

Additionally, Tsamitis represents Carnegie Mellon on two prominent national task forces: the Department of Homeland Security (DHS) Task Force for Information Security Education and Awareness and the EDUCAUSE Security Education and Awareness Working Group. As a member of the DHS task force, she is involved in implementing the President’s National Strategy to Secure Cyberspace through a national awareness program to empower all Americans to secure their own parts of cyberspace. Through the EDUCAUSE working group, she is involved in raising awareness of information technology security issues amongst university and college computer and network users, administrators, and executives.

Becky Bace is an information security veteran with a wide array of interests and accomplishments in the field. Ms. Bace has worked in security since the 1980s, leading the first major intrusion detection research program at the National Security Agency, where she received a Distinguished Leadership Award. She transitioned from the research to the operational world in the mid 1990s, serving as the Deputy Security Officer for the Computing Division of the Los Alamos National Laboratory. She is currently President and CEO of Infidel, Inc., a security consulting firm, a venture consultant for Trident Capital, where she works with Trident's security-related investment portfolio, and Chief Strategy Officer for KSR, a security services startup. Ms. Bace has been a technical advisor to many successful startups, including TriCipher, Security Focus, Tripwire, Arxan, Qualys, SecureWorks, @Stake, Sygate Technologies, Thor Technologies, and Intruvert Networks. Her publication credits include the books "Intrusion Detection" (Macmillan, 2000) and (with Fred Chris Smith) "A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as An Expert Technical Witness" (Addison-Wesley, October 2002), "NIST Special Publication SP 800-31 Intrusion Detection", and the chapter on intrusion detection for the "Computer Security Handbook", 4th ed. (Wiley, 2003), considered the definitive practice handbook for information security professionals. A 2003 recipient of Information Security Magazine's Women of Vision Award, she is recognized as one of the most influential women in Information Security today.

Merike Kaeo is Chief Network Security Architect at Double Shot Security. She is the author of "Designing Network Security", published by Cisco Press, which has been published in eight languages and is being used as a curriculum textbook in a variety of network security courses. The second edition was published in November 2003.

Merike was a lead member of the first Cisco security initiative, has acted as a technical advisor for numerous security start-up companies, and has been an instructor and speaker at a variety of global security-related conferences. Merike is a regular presenter at world-wide ISP conferences including NANOG, RIPE, APRICOT and SANOG.

Rhonda MacLean serves as an Adjunct Distinguished Senior Fellow with Carnegie Mellon University’s CyLab, helping CyLab to continue to pursue an aggressive research and development agenda that integrates technology, policy and management by bringing together security professionals, researchers and policymakers. With more than 25 years of information technology industry expertise, Ms. MacLean is founder of MacLean Risk Partners LLC, a consulting firm that provides strategic consulting services for Fortune-ranked business enterprises, governments, industry associations and product companies specializing in risk management solutions. Prior to founding MacLean Risk Partners, LLC, Rhonda MacLean was leader of Bank of America’s Corporate Global Information Security Group where she was responsible for the company’s security policies and procedures; information risk management; security technology implementations, including perimeter and internal system defense; cyber investigations; computer forensics; and general information security awareness for the company’s leadership, associate base, and outside suppliers. Immediately before joining Bank of America in 1996, she was responsible for information security at The Boeing Company, managing Boeing proprietary and government programs.

Return to the top of the page

PANEL: Hacker Court 2006: Sex, Lies and Sniffers
Carole Fennelly
Chief Judge Philip M. Pro – Chief United States District Court Judge for the District of Nevada
Paul Ohm
Kevin Bankston
Simple Nomad 
Jesse Kornblum
Jack Holleran
Brian Martin
Jonathan Klein
Caitlin Klein
Ryan Bulat
Kay Petersen

Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand.

This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining.

Carole Fennelly is a free-lance security consultant with over 25 years experience in IT, starting as a Unix Systems Administrator in 1982. She has specialized in IT Security since 1992 and has a wide range of experience in all aspects of IT security, with particular emphasis on vulnerability assessments, computer forensics, security policy development and architecture review. Ms. Fennelly has been widely published and has been a frequent speaker at the Black Hat security conference in Las Vegas, Nevada. Her work experience includes firewall migration and support for a large Wall St. brokerage, security consulting for a large NY pension fund, development of a Computer Forensics course for Sun Microsystems, and security assessments and policy development for a number of small and mid-size companies.

Kevin Bankston, a staff attorney specializing in free speech and privacy law, was the Electronic Frontier Foundation's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.

Paul Ohm joined the faculty of the CU School of Law in Spring of 2006. He specializes in the emerging field of computer crime law, as well as criminal procedure, intellectual property, and information privacy. Prior to joining CU he worked as an Honors Program trial attorney in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. Professor Ohm is a former law clerk to Judge Betty Fletcher of the U.S. Ninth Circuit Court of Appeals and Judge Mariana Pfaelzer of the U.S. District Court for the Central District of California. He attended the UCLA School of Law where he served as Articles Editor of the UCLA Law Review and received the Benjamin Aaron and Judge Jerry Pacht prizes. Prior to law school, he worked for several years as a computer programmer and network systems administrator, and before that he earned undergraduate degrees in computer science and electrical engineering.

Honorable Philip M. Pro, Chief United States District Court Judge for the District of Nevada
Judge Pro was appointed United States District Court Judge for the District of Nevada, at Las Vegas, on July 23, 1987. Judge Pro also served as United States Magistrate Judge for the District of Nevada from 1980 until his elevation to the District Court, during which he supervised pretrial proceedings in the MGM Grand Hotel Fire Litigation. Judge Pro received his J.D. degree from Golden Gate University School of Law in June 1972.

Jonathan Klein is a Director of Security Solutions with Calence Inc, a networking company located in Tempe Arizona. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan and with private attorneys, discovering there is more to being a technical witness than purely technical knowledge. Most recently, he served as defense expert witness in U.S. vs. Oleg Zezev, the Russian citizen accused of hacking into Bloomberg LLP and making extortion demands.

Jack Holleran, CISSP, currently teaches Information Security at several colleges and the Common Body of Knowledge review for ISC2. In a past life, he was the Technical Director of the National Computer Security Center at the National Security Agency and Chair of the National Information Systems Security Conference.

Jesse Kornblum is a Principal Computer Forensics Engineer for ManTech’s Computer Forensics and Intrusion Analysis Group. Based in the Washington DC area, his research focuses on computer forensics and computer security. He has authored a number of computer forensics tools including the widely used md5deep suite of cryptographic hashing programs and the First Responder’s Evidence Disk. A graduate of the Massachusetts Institute of Technology, Mr. Kornblum has also served as a Computer Crime Investigator for the Air Force Office of Special Investigations, an instructor in the US Naval Academy’s Computer Science Department, and as the Lead Information Technology Specialist for the Department of Justice Computer Crime and Intellectual Property Section. According to Mr. Kornblum, the most useful animals are members of the Capra family.

Brian Martin is an outspoken independent security consultant in the Denver, CO area. His daily work takes him in and out of commercial and government networks, usually without sparking law enforcement investigation. His work typically revolves around making recommendations based on cynical review of network and system security. Brian has been a speaker at security conferences worldwide and is the content manager for the Open Source Vulnerability Database and a founding member of (

Ryan Bulat used to major in Computer Science until he decided that he much preferred to be a writer.

Return to the top of the page

PANEL: The Jericho Forum and Challenge
Presenter: Paul Simmonds, CISO, ICI
Judges: Bob West, CEO, Echelon One
Henry Teng, CISO, Philips
Justin Somaini, VeriSign

In the first half of this session, Paul Simmonds will present on behalf of the Jericho Forum, taking participants through the initial problem statement and what people need to go away and start implementing. Topics will include:

  1. De-perimeterization - the business imperative
  2. From protocols to accessing the web - the technical issues
  3. What should be implemented today - current and near term solutions
  4. Planning for tomorrow - future solutions and roadmap

The second half of this session will focus on the Jericho Challenge: its format, rules, judging and prizes, followed by a Q&A. The aim of the Jericho Forum Challenge is to develop a “technology demonstrator” within a full year from start to finish. The competition is based on a typical business environment with at least one business application, one legacy application, and typical business usage (Web, E-mail and Word Processing) using at least one “office” PC and one laptop. The finals and judging will occur in 2007.

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI, working for the CIO Office in London. Prior to joining ICI he spent a short time with a high security European web hosting company as Head of Information Security, and prior to that seven years with Motorola, again in a global information security role. In his career he has worked with many external agencies, and has also been directly involved in two successful criminal prosecutions, giving evidence in one case. Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites. Paul was voted 36th in the 2004 list of the top 50 most powerful people in networking, by the US publication Network World Fusion, for his work with the Jericho Forum.

Henry Teng is the Enterprise Security compliance officer, Senior Director for Philips International B.V. He is currently based in The Netherlands. Henry is responsible for the global Enterprise Security Compliance Management Program including information security and IT security for Philips in the Americas, Europe, and Asia Pacific. Philips International has annual revenue of about $36 billion and a worldwide employee population of 126,000.

Henry has over nineteen years of IT security, information security, risk and compliance management experience for Fortune 500 companies ranging from financial services and e-commerce to electronics manufacturing. He is the author of three patents on security related areas granted by the U.S. Patent Office.

Prior to Philips Henry worked for a number of large enterprises such as eBay as their chief of Information Security, for Charles Schwab as their Managing Director of Security Engineering & Design, and for KPMG LLP in the Risk & Advisory Services.

Henry is a Certified Information Systems Security Professional (CISSP), and a Certified Information Security Manager (CISM). He served as a Board member for the Information Systems Security Association (ISSA) Silicon Valley Chapter for two years, which won the ISSA National Best Chapter Award for 2003. He was also one of the founding members of an industry consortium against distributed denial of service (DDoS) attacks and served as its chairperson from 2000 to 2002.

Bob West, Founder and Chief Executive Officer for Echelon One, is responsible for creating and executing Echelon One’s corporate strategy. He has over 20 years of experience in information security, strategic planning, governance, organizational change, relationship management, computer network design, implementation and management.

Bob is a frequent speaker on the subject of information security and a member of the TriCipher Advisory Board, the Executive Security Action Forum, the National Society for Hispanic MBAs, the United Way’s Tocqueville Society, and the Information Systems Audit and Control Association. He has also been a member of RSA Security’s Customer Advisory Council, and the ISS Customer Advisory Council.

Previously, Bob was Chief Information Security Officer (CISO) at Fifth Third Bank in Cincinnati where he was responsible for the enterprise information security strategy. Prior to joining Fifth Third, Bob worked for Bank One in Columbus where he held several key leadership roles, including Information Security Officer for Bank One's Retail Group. Prior to joining Bank One, Bob was a manager with Ernst & Young’s Information Security Services practice in Chicago, and a Senior Systems Officer with Citicorp International in New York and Chicago.

Bob received the 2004 Digital ID World Conference award for Balancing Innovation and Reality, and a 2004 InfoWorld 100 Award for implementing cross-company authentication using SAML. Bob graduated from Michigan State University with a Bachelor of Arts in German and then received his Master of Science in Management Information Systems from North Central College.

Justin Somaini is Director of Information Security at VeriSign Inc. where he is responsible for managing all aspects of network and information security for VeriSign. With over 10 years of Information Security and Corporate Audit experience, Justin has leveraged his knowledge of audit and large organizations to remediate global infrastructure problems and create a full risk identification and remediation Information Security group. Previously, Justin was the Director of Information Security Services for Charles Schwab Inc., where he was responsible for all aspects of Information Security Operations. Before that he was a Manager with PricewaterhouseCoopers LLP where he spent several years developing their attack and penetration leadership and audit practice.

Return to the top of the page

PANEL: Meet the Feds: OODA Loop and the Science of Security
Panelists:  Jason Beckett, New South Wales Police in Sydney Australia
SA Ovie Carroll, US Postal Inspector General (IG)
James Christy, DC3
SA Andy Fried, Internal Revenue Service (IRS)
Mike Jacobs, SRA
Ken Privette, USPS OIG
Keith Rhodes, CTO, Government Accountability Office (GAO)
Dave Thomas, FBI
Robert Lentz, DOD
Michele Iversen, Information Assurance staff for the DOD CIO
Bob Hopper, Manager Computer Crimes Section, NW3C Computer Crimes
Hilary Stanhope, CIA
Tim Fowler, Marine Special Agent, Naval Criminal Investigative Service (NCIS)
Tim Kosiba, FBI

The OODA Loop theory was conceived by Col. John Boyd, a U.S. Air Force fighter pilot. He believed that a pilot in a lethal engagement who could Observe, Orient, Decide, and Act (OODA) before his adversary had a better chance to survive. Air combat had been considered an art rather than a science, but John Boyd proved it could be codified: for every maneuver there is a series of counter maneuvers, and there is a counter to every counter. Today, successful fighter pilots study every option open to their adversary and how to respond. This panel's focus is on government efforts to get inside the cyber adversary's OODA Loop and survive another type of potentially lethal cyber engagement.

The bad guys are coming at us at the speed of light, so how do we, as law enforcement or security experts, get inside our adversaries’ OODA Loop?

SA Jim Christy, Director, Defense Cyber Crime Institute (DCCI)
Supervisory Special Agent Jim Christy is the Director of the Defense Cyber Crime Institute (DCCI), Defense Cyber Crime Center (DC3). The DCCI is responsible for the research & development and test & evaluation of forensic and investigative tools for the DoD Law Enforcement and Counterintelligence organizations. The Institute is also charged with intelligence analysis, outreach, and policy for DC3. Jim is an Air Force Office of Special Investigations computer crime investigator. SA Christy has been a computer crime investigator for over 20 years.

Jason Beckett, New South Wales Police in Sydney Australia;
Jason Beckett is the Director of the State Electronic Evidence Branch of the Special Services Group for the New South Wales Police in Sydney Australia. He was formerly an Inspector with the Special Services Group before moving to the corporate world as the Director of forensics for a multinational consultancy firm. In 2003 he was invited back to the New South Wales Police Force to establish Australia's largest forensic computing laboratory. Jason has more than a decade of experience in Electronic Evidence and forensic computing. He has trained nationally and internationally in forensic computing and electronic evidence, including training with many international law enforcement agencies. He holds numerous tertiary qualifications in Computer Science, Engineering and Forensic computing and is currently completing a PhD in forensic computing.

Michael J. Jacobs, Vice President and Director, Cyber and National Security Program SRA International, Inc.
Michael Jacobs joined SRA in October 2002 as a Senior Advisor following his retirement from the Federal Government after 38 years of service. In March 2003 he was appointed Director of SRA’s Cyber and National Security Program. Prior to SRA, Mr. Jacobs was the Information Assurance (IA) Director at the National Security Agency (NSA). Under his leadership, NSA began implementing an Information Assurance strategy to protect the Defense Information Infrastructure and as appropriate, the National Information Infrastructure. He was responsible for overseeing the evolution of security products, services, and operations to ensure that the Federal Government’s national security information was free-flowing, unobstructed and uncorrupted.

Mr. Jacobs had a long and distinguished career at the National Security Agency where he served in key management positions in both the Intelligence and IA mission areas. He served as the Deputy Associate Director for Operations, Military Support where he was responsible for developing a single, coherent military support strategy for NSA. During his 38 years of NSA service, Jacobs was a leader in Information Systems Security production and control, policy and doctrine and customer relations. He has testified before Congress on defense issues and has spoken widely on topics ranging from IA to cultural diversity. For his vision, dedication, and accomplishments, he has been recognized by the Department of Defense with the Distinguished Civilian Service Medal; by the Director Central Intelligence with the Intelligence Community’s Distinguished Service Award; and by NSA with the Exceptional Civilian Service Award. In addition, he has been awarded the National Intelligence Medal of Achievement and was twice awarded the Presidential Rank Award for Meritorious Achievement.

He earned his B.S. degree in Business Administration from King’s College and completed the Senior Managers in Government Program at Harvard University’s Kennedy School.

Mr. Jacobs resides in College Park, Maryland with his wife Ethel and their five children. From 1997 through 2001 he served as the City’s elected Mayor following fourteen years as an elected member of the City Council.

Ken Privette, USPS OIG
Ken presently works as the Special Agent in Charge of the Computer Crimes Unit (CCU) at the USPS Office of Inspector General. His unit conducts computer intrusion investigations and provides computer forensics support to a force of over 450 agents who conduct fraud investigations for the U. S. Postal Service. Ken spent most of his professional life as a Special Agent with the Naval Criminal Investigative Service both overseas and state-side, where he conducted investigations involving computer crime, terrorism, and counterintelligence matters, in addition to an assignment with the Defense Information Systems Agency Computer Emergency Response Team.

Keith Rhodes, CTO, Government Accountability Office (GAO)
Mr. Rhodes is currently the Chief Technologist of the U. S. Government Accountability Office and Director of the Center for Technology & Engineering. Mr. Rhodes has been the senior advisor on a range of assignments covering continuity of government & operations, export control, computer security & privacy, e-commerce & e-government, voting systems, and various unconventional weapons systems. Before joining GAO, he was a supervisory scientist leading weapons and intelligence programs at the Lawrence Livermore National Laboratory.

David Thomas, FBI
David A. Thomas was designated a Special Agent of the FBI in 1989. After completing more than a dozen years of supervisory and leadership roles in areas such as violent crime, domestic terrorism, and national infrastructure protection, Mr. Thomas was appointed Chief of the Cyber Division’s Criminal Computer Intrusion Unit in 2001. As Chief of CCIU, Mr. Thomas directed the FBI’s efforts on many large-scale cyber investigations. He was promoted to Assistant Special Agent in Charge of the St. Louis Field Office in April 2003. In July 2004, Mr. Thomas was promoted to the position of Chief of Counterterrorism/Counterintelligence and Criminal computer intrusion investigations. Additionally, he is responsible for development of the FBI’s Cyber Intelligence Unit and Cyber Action Teams, which deploy domestically and internationally in response to major cyber events.

Michele Iversen 
Ms. Iversen currently serves on the Information Assurance staff for the DOD CIO. As the DoD Computer Network Defense (CND) Architect, Ms. Iversen works with members of the operational and engineering communities to design, develop, and implement a CND Architecture to defend DoD networks. She oversees and provides guidance on DoD Computer Network Defense policy and has led efforts in CND Data Strategy, CND Managed Service Provider Programs, as well as CND Education Training, and Awareness. Additionally, Ms. Iversen serves as a co-chair to the National Cyber Response Coordination Group to improve interagency information sharing and response. 

Ms. Iversen has served as an Information Systems Security Engineer and as a Global Network Vulnerability Analyst in both the Intelligence and DoD Communities. She has held numerous technical and management positions focused on computer security, vulnerability analysis, and applying computing technology to analytic problems. Ms. Iversen served twelve years on active duty as a Signal Officer in the United States Army where, in addition to a diverse background in strategic and tactical communications systems, she participated in the establishment of the Joint Task Force for Computer Network Defense. Ms. Iversen is currently a Reserve Officer serving with the 1st Information Operations Command at Ft. Belvoir VA.

Ms. Iversen holds a B.A. in Speech Communications from Iowa State University and is completing a Master of Science degree in Computer Science. Throughout her career she has attended numerous military courses in communications and information operations. Ms. Iversen has been a guest lecturer on information security at the Army Command and General Staff College, the Joint Information Operations Course, Stetson University and George Washington University.

Tim Fowler, NCIS
Tim is an active duty Marine Special Agent who has worked as a Cyber Agent for the NCIS Cyber Department in Washington, DC, for the last six years. Tim has 19 years of active duty service in the U.S. Marine Corps working in the fields of military police, polygraph, criminal investigations and computer crime investigations and operations. While working as a Cyber Agent for NCIS, Tim specializes in conducting criminal, counterintelligence and counter-terrorism computer crime investigations and operations. Tim also has extensive knowledge and experience conducting media exploitation operations in hostile environments. In 2004, Tim was awarded the Bronze Star with combat Valor device by the Secretary of the Navy for his media exploitation efforts in Iraq.

Ovie L. Carroll
Ovie Carroll is the Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS). The Cybercrime lab is responsible for providing computer forensic and other technical support to CCIPS and other DOJ attorneys as it applies to implementing the Department's national strategies in combating computer and intellectual property crimes worldwide.

Mr. Carroll has 20-years law enforcement experience. Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Computer Crimes Unit at the United States Postal Service, Office of Inspector General, responsible for all computer intrusion investigations within the USPS network infrastructure and for providing all computer forensic analysis in support of USPS-OIG investigations and audits.

Mr. Carroll has also served as the Chief, Computer Investigations and Operations Branch, Air Force Office of Special Investigations, Washington Field Office where he was responsible for coordinating all national level computer intrusions occurring within the United States Air Force. He has extensive field experience applying his training to a broad variety of investigations and operations.

Bob Hopper, Manager Computer Crimes Section, NW3C Computer Crimes
Mr. Hopper manages the NW3C Computer Crimes instructor cadre, who provide computer forensics training to state and local Law Enforcement throughout the United States. The Computer Crimes Section offers basic, intermediate and advanced training in computer forensics and computer crimes, and provides technical assistance and research and development for computer forensic examiners.

Mr. Hopper retired with nearly thirty years service with the Arizona Department of Public Safety and thirty seven years in Law Enforcement. Mr. Hopper’s Law Enforcement career included assignments in Narcotics, Air Smuggling, White Collar Crime and Organized Crime. Mr. Hopper also developed and managed the Arizona DPS Regional Computer Forensic Lab. This computer forensic lab grew from a two man unit in 1998 to a state of the art computer forensic lab that, in 2005 when he retired, had grown to seven state, local and federal agencies and nearly twenty five computer forensic examiners.

Return to the top of the page

Noel Anderson

William Arbaugh

Ofir Arkin

Robert Auger

Becky Bace

Kevin Bankston

Jason Beckett

Tod Beardsley

Rohyt Belani

Corey Benninger

Renaud Bidou

Daniel Bilar

Scott Blake

Paul Böhm

Damiano Bolzoni

Joyce Brocaglia

Dale Brocklehurst

Tom Brosch

Ryan Bulat

Mariusz Burdach

Jesse Burns

Jamie Butler

Laurent Butti

johnny cache

Luca Carettoni

Ovie Carroll

Brian Caswell

James Christy

Mark Collier

Ryan Cunningham

Andrew Cushman

Ron Davidson

Jerry Dixon

Himanshu Dwivedi

Charles Edge

Shawn Embleton

David Endler

Chris Eng

Gerhard Eschelbeck

Yuan Fan

Carole Fennelly

Pete Finnigan

Nicolas Fischbach

Halvar Flake

James C. Foster

Tim Fowler

Rob Franco

Stefan Frei

Andy Fried

Pamela Fusco

Tom Gallagher

Abolade Gbadegesin

Andre Gold

Dave Goldsmith

Jeremiah Grossman

Lukas Grunwald

Zvi Gutterman

Eileen Harrington

Phil Harris

John Heasman

Billy Hoffman

Greg Hoglund

Jack Holleran

Bob Hopper

David Hulton

Mike Jacobs

Merike Kaeo

Dan Kaminsky

William Kimball

Caitlin Klein

Jonathan Klein

Jesse Kornblum

Alexander Kornbrust

Dr. Neal Krawetz

Zane Lackey

John Lambert

Dan Larkin

David Litchfield

Johnny Long

Taroon Mandhana

Kevin Mandia

Adrian Marinescu

Rich Marshall

Brian Martin

Martin May

David Maynor

Greg MacManus

Claudio Merloni

Doug Mohney

Dan Moniz

HD Moore

Marco Morana

Maik Morgenstern

David Mortman

Jeff Moss

Shawn Moyer

Bala Neerumalla

TC Niedzialkowski

Brendan O'Connor

Paul Ohm

Nick Petroni

Ken Pfeil

Bruce Potter

Ken Privette

Hon. Philip M. Pro

Paul Proctor

Tom Ptacek

Jeremy Rauch

Keith Rhodes

Melanie Rieback

Joanna Rutkowska

Derrick Scholl

Hendrik Scholz

Jay Schulman

Ari Schwartz

Saumil Shah

Peter Silberman

Caleb Sima

Simple Nomad

Paul Simmonds

Justin Somaini

Alexander Sotirov

Kimber Spradin

Jonathan Squire

Sherri Sparks

Alex Stamos

Hilary Stanhope

Scott Stender

John Stewart

Michael Sutton

Henry Teng

Alexander Tereshkin

Dave Thomas

Philip Trainor

Dena Haritos Tsamitis

Franck Veysset

Jeff Waldron

Bob West

Chuck Willis

Emmanuelle Zambon

Stefano Zanero

Dino Dai Zovi

(c) 1996-2007 Black Hat