Black Hat DC 2010 //briefings

Grand Hyatt Crystal City • Feb 2 - 3

Speakers & Topics

Chema Alonso

Connection String Parameter Pollution Attacks

This session is about the Connection String Parameter Pollution attack. Today, a lot of tools and web applications allow users to dynamically configure a connection against a database server. This session will demonstrate the high risk of doing this insecurely. It will show how to steal the user account credential in Microsoft Internet Information Services, how to get access to these web applications by impersonating the connection and taking advantage of the web server's credentials, and how to connect to internal database servers in the DMZ without credentials. The impact of these techniques is especially dangerous in hosting companies which allow customers to connect to control panels to configure databases.
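An added illustration of the pollution mechanism the abstract describes (example code written for this page, not the speaker's material). It models the "last occurrence of a key wins" rule that ADO.NET's SqlConnection applies to repeated keys with a small parser (real providers have more quoting rules than modelled here), shows a control-panel style builder that pastes user input in unquoted beside one that quotes values the way a connection-string builder does, and adds a duplicate-key check. The template, server name and attacker payload are constructed.

```python
def _pairs(conn_str):
    """Yield (key, value) pairs in order. Keys are case-insensitive. A value
    wrapped in double quotes may contain ';' and '=' and uses "" for a literal
    double quote; an unquoted value ends at the next ';'. Simplified model of
    the ADO.NET syntax, not a full reimplementation."""
    i, n = 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip().lower()
        i = eq + 1
        while i < n and conn_str[i] == " ":
            i += 1
        if i < n and conn_str[i] == '"':
            i += 1
            buf = []
            while i < n:
                if conn_str[i] == '"':
                    if i + 1 < n and conn_str[i + 1] == '"':   # doubled quote = literal quote
                        buf.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(conn_str[i])
                i += 1
            value = "".join(buf)
            semi = conn_str.find(";", i)
        else:
            semi = conn_str.find(";", i)
            value = (conn_str[i:] if semi == -1 else conn_str[i:semi]).strip()
        i = n if semi == -1 else semi + 1
        if key:
            yield key, value


def parse_connection_string(conn_str):
    """Resolve a connection string the way the provider will: last key wins."""
    params = {}
    for key, value in _pairs(conn_str):
        params[key] = value
    return params


def duplicated_keys(conn_str):
    """Keys that occur more than once: a cheap pollution check to run on an
    assembled string before handing it to the provider."""
    counts = {}
    for key, _ in _pairs(conn_str):
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, c in counts.items() if c > 1)


# Constructed template: server and catalog are fixed by the hosting panel,
# user and password come from the customer's form.
TEMPLATE = ("Data Source=dbsrv01; Initial Catalog=app; Integrated Security=no; "
            "User ID=%s; Password=%s")


def build_insecure(user, password):
    """Vulnerable pattern: form values are pasted straight into the string."""
    return TEMPLATE % (user, password)


def quote_value(value):
    """Quote as a connection-string builder would: wrap in double quotes and
    double any embedded double quote, so ';' and '=' inside the value can no
    longer start a new key."""
    return '"' + value.replace('"', '""') + '"'


def build_safe(user, password):
    """Hardened pattern: every user-controlled value is quoted."""
    return TEMPLATE % (quote_value(user), quote_value(password))


# Constructed attacker input for the password field: appends keys that the
# provider will let override the earlier ones, switching to the web server's
# Windows account and pointing the connection at another host.
PAYLOAD = "x; Integrated Security=true; Data Source=10.0.0.5"

if __name__ == "__main__":
    print(parse_connection_string(build_insecure("dbuser", PAYLOAD)))
    print(parse_connection_string(build_safe("dbuser", PAYLOAD)))
```

With the insecure builder the parsed string carries `integrated security=true` and the attacker's `data source`, which is exactly the impersonation and redirection the abstract describes; with the quoted builder the whole payload stays inside the `password` value and `duplicated_keys` returns nothing.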

Mike Bailey

Neat, New, and Ridiculous Flash Hacks

Flash is scary stuff. It's installed on just about everybody's web browser, used everywhere, and has a poor security track record. Even within the web application security community, its quirks are poorly understood. Known and intentional behavior can have serious consequences which merit exploration.

This talk is a discussion of new Flash-based attacks, repurposing of old attacks, and demonstrations of working (and sometimes ridiculously complex) attacks on Gmail, Twitter, and other major websites.

Bill Blunden

An Uninvited Guest (Who Won’t Go Home)

While there are a multitude of battle-tested forensic tools that focus on disk storage, the domain of memory analysis is still emerging. In fact, even the engineers who work at companies that sell memory-related tools have been known to admit that the percentage of investigators who perform an in-depth examination of memory is relatively small. In light of this, staying memory resident is a viable strategy for rootkit deployment. The problem then becomes a matter of remaining inconspicuous and finding novel ways to survive a system restart. In this presentation I’ll look at rootkit technology that tackles both of these issues on the Windows platform.

Elie Bursztein and Jean-Michel Picod

Reversing DPAPI and Stealing Windows Secrets Offline

The Data Protection API (DPAPI) plays a key role in Windows security: this API is meant to be the standard way on Windows to store encrypted data on disk. DPAPI is used by many popular applications including Internet Explorer, Google Talk, Google Chrome, Skype and MSN (6.5-7) to encrypt their passwords. It is also used by Windows itself to store sensitive information such as EFS certificates and Wi-Fi (WEP and WPA) keys.

DPAPI uses very opaque structures to store this encrypted data on disk, and the available documentation is very sparse. Therefore, prior to our work it was impossible to extract and analyze these secrets offline for forensic purposes. This is a particularly huge issue for files encrypted using EFS, because unless the EFS certificate protected by DPAPI is recovered these files can't be decrypted and analyzed.

To address these issues, we reverse-engineered DPAPI, and in this presentation we will provide a complete walkthrough of DPAPI and its structures. Armed with this knowledge, anyone interested in Windows forensics will be able to deal with data stored with DPAPI. We will cover the changes made by Microsoft from Windows XP up to Windows Seven. Finally, we will demonstrate and release DPAPick, which we believe is the first tool that allows decrypting DPAPI-encrypted data offline.
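An added example of what "dealing with data stored with DPAPI" looks like at the blob level (written for this page; it is not DPAPick or the speakers' code). The field layout is the CryptProtectData blob structure as published by later open-source DPAPI tools; treat it as an assumption if you target a Windows version those tools do not cover. The parser pulls out the one thing an offline analyst needs first, the master key GUID that names which master key file under the user's Protect directory has to be recovered before the ciphertext can be decrypted. The sample blob is constructed by `build_sample_blob` with fake salt, HMAC and signature bytes.

```python
import struct
import uuid

# Provider GUID found at the start of every CryptProtectData blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values seen in DPAPI blobs (3DES/SHA1 on XP-era systems,
# AES-256/SHA-512 on later ones).
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def _lv(buf, off):
    """Read a little-endian DWORD length followed by that many bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length field runs past end of blob")
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob):
    """Walk the blob header and return its fields; raises on a non-DPAPI blob."""
    off = 0
    (version,) = struct.unpack_from("<I", blob, off); off += 4
    provider = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: provider GUID %s" % provider)
    (mk_version,) = struct.unpack_from("<I", blob, off); off += 4
    mk_guid = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    (flags,) = struct.unpack_from("<I", blob, off); off += 4
    desc, off = _lv(blob, off)                          # UTF-16LE, NUL terminated
    alg_crypt, key_bits = struct.unpack_from("<II", blob, off); off += 8
    salt, off = _lv(blob, off)
    strong, off = _lv(blob, off)                        # "strong key" field, normally empty
    alg_hash, hash_bits = struct.unpack_from("<II", blob, off); off += 8
    hmac, off = _lv(blob, off)
    ciphertext, off = _lv(blob, off)
    sign, off = _lv(blob, off)
    return {
        "version": version, "masterkey_version": mk_version,
        "masterkey_guid": str(mk_guid), "flags": flags,
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "key_bits": key_bits,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": hash_bits,
        "salt": salt, "strong": strong, "hmac": hmac,
        "ciphertext": ciphertext, "sign": sign,
        "trailing_bytes": len(blob) - off,              # non-zero means the layout guess is off
    }


def masterkey_path(sid, masterkey_guid):
    """Where the user master key file named in the blob lives on the disk image."""
    return r"%%APPDATA%%\Microsoft\Protect\%s\%s" % (sid, masterkey_guid)


def build_sample_blob(masterkey_guid, description, ciphertext):
    """Constructed sample for offline testing; salt, HMAC and signature are fake."""
    def lv(b):
        return struct.pack("<I", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
            + struct.pack("<I", 0) + lv(desc)
            + struct.pack("<II", 0x6610, 256) + lv(b"\x11" * 32) + lv(b"")
            + struct.pack("<II", 0x800E, 512) + lv(b"\x22" * 32)
            + lv(ciphertext) + lv(b"\x33" * 64))


if __name__ == "__main__":
    sample = build_sample_blob("0d8cbf1a-1111-4a7e-9c1f-0123456789ab", "Wi-Fi profile", b"\x00" * 32)
    info = parse_dpapi_blob(sample)
    print(info["masterkey_guid"], info["cipher"], info["hash"], info["description"])
    print(masterkey_path("S-1-5-21-1-2-3-1001", info["masterkey_guid"]))
```

On a real image the `masterkey_guid` is the pivot: the blob cannot be decrypted without that master key file, which in turn is protected by the user's password (or the domain backup key), so an offline workflow recovers those first and only then returns to the `ciphertext` field.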

Andrew Fried

Malware-injecting emails and websites have reached epidemic proportions on the Internet. Virtually all spam originates from bot-infected systems, which have the capacity to send out millions of emails per hour. The sites hosting malware are often part of large fast flux botnets that are geographically dispersed and change with great frequency. The threats have gotten larger; they hit victims faster and have been causing unprecedented losses.

Historically, the primary defense against these attacks has been the anti-virus program. Today, however, antivirus products no longer provide adequate protection – detection rates of less than 20% are commonly seen on newly discovered malware.

The detection, suppression and mitigation of these threats require timely and coordinated efforts between security researchers, anti-virus/content filter vendors, realtime blackhole list maintainers and domain registrars/registries.

This presentation will provide a rare glimpse "behind the curtain" of the efforts undertaken by security researchers (represented by Internet Systems Consortium), domain registrars (represented by GoDaddy) and realtime blackhole providers (represented by The Spamhaus Project and SURBL).

Joe Grand

Hardware is the New Software

Society thrives on an ever increasing use of technology. Electronics are embedded into nearly everything we touch. Hardware products are being relied on for security-related applications and are inherently trusted, though many are completely susceptible to compromise with simple classes of attacks that have been known for decades.

Bolstered by the flourishing hobbyist electronics/do-it-yourself movement, easy access to equipment, and realtime information sharing courtesy of the internet, hardware is an area of computer security that can no longer be overlooked. In this session, Joe will explore the hardware hacking process and share some of his favorite attacks against electronic devices.

Christian Kendi

Enhancing ZFS

ZFS is a revolutionary Open Source file system with many capabilities. Snapshots and storage pools open new ways of storing data, and of attacking the most valuable asset of a company: its data.

This talk will focus on how to enhance ZFS and the Solaris kernel by hijacking ZFS kernel symbols. Furthermore, a demo will be given and a new 0day technique will be revealed on how to hide file systems and entire storage pools from forensics.

Vincenzo Iozzo

0-Knowledge Fuzzing

Nowadays fuzzing is a pretty common technique used both by attackers and software developers. Currently known techniques usually involve knowing the protocol/format that needs to be fuzzed and having a basic understanding of how the user input is processed inside the binary.

In the past, since fuzzing was little used, obtaining good results with a small amount of effort was possible. Today finding bugs requires digging a lot inside the code and the user input, as common vulnerabilities are already identified and fixed by developers.

This talk will present an idea on how to effectively fuzz with no knowledge of the user input and the binary. Specifically, the talk will demonstrate how techniques like code coverage, data tainting and in-memory fuzzing allow building a smart fuzzer with no need to instrument it.
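An added example of the code-coverage half of that idea (written for this page; it is not the speaker's fuzzer). Python's `sys.settrace` hook stands in for the coverage source one would attach to a binary, so the target is not modified; the mutation strategy knows nothing about the input format and is a deterministic sweep of every byte value at every position, keeping only inputs that execute a line no earlier input reached. The target `toy_parser` is a constructed stand-in that only fails on one four-byte sequence.

```python
import sys


def toy_parser(data):
    """Constructed target: stands in for the binary under test. The nested
    checks give the fuzzer one new line of coverage per correct byte."""
    if len(data) < 4:
        return "short"
    if data[0] == ord("B"):
        if data[1] == ord("A"):
            if data[2] == ord("D"):
                if data[3] == ord("!"):
                    raise RuntimeError("unhandled state reached")   # models a crash
    return "ok"


def run_with_coverage(func, data):
    """Execute func(data) under a trace hook; return (crashed, lines of func executed)."""
    lines = set()
    code = func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is code and event == "line":
            lines.add(frame.f_lineno)
        return tracer

    crashed = False
    sys.settrace(tracer)
    try:
        func(data)
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return crashed, frozenset(lines)


def fuzz(func, seed, max_runs=20000):
    """Coverage-guided loop: an input joins the queue only if it executed a
    line no earlier input did. Returns (crashing input or None, runs used)."""
    crashed, cov = run_with_coverage(func, seed)
    if crashed:
        return seed, 1
    seen, queue, runs, qi = set(cov), [seed], 1, 0
    while qi < len(queue):
        base = queue[qi]
        qi += 1
        for pos in range(len(base)):
            for b in range(256):
                if b == base[pos]:
                    continue
                cand = base[:pos] + bytes([b]) + base[pos + 1:]
                crashed, cov = run_with_coverage(func, cand)
                runs += 1
                if crashed:
                    return cand, runs
                if not cov <= seen:          # new line reached: keep as a base for later mutation
                    seen |= cov
                    queue.append(cand)
                if runs >= max_runs:
                    return None, runs
    return None, runs


if __name__ == "__main__":
    crash_input, runs = fuzz(toy_parser, b"\x00\x00\x00\x00")
    print("crash input: %r after %d runs" % (crash_input, runs))
```

Blind mutation would need on the order of 2^32 attempts to hit the four-byte sequence; with coverage feedback each correct byte is locked in as soon as it reveals a new line, so the loop finishes in a few thousand runs. Taint tracking, the other technique the abstract names, would shrink the search further by telling the fuzzer which input bytes each comparison actually reads.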

David Litchfield

Hacking Oracle 11g

Joseph Menn

Hacking Russia: Inside an unprecedented prosecution of organized cybercrime

Almost all of the talk from Western law enforcement agencies of signs of cooperation by Russian authorities in the pursuit of master cybercriminals is an expression of hope, not experience. There is one major documented exception: the 2006 prosecution, conviction and imprisonment of three members of a criminal ring that organized and carried out dozens of denial-of-service attacks on business websites worldwide as part of an extensive extortion racket. Why that case succeeded where all others failed, and why its success has never been replicated, has never been explained.

Based on years of research including the only interviews with Russian authorities and the British police detective sent to work with the MVD, author and Financial Times correspondent Joseph Menn gives the highlights of the account in his just-published book, FATAL SYSTEM ERROR: The Hunt for the New Crime Lords Who Are Bringing Down the Internet.

Leonardo Nve

Playing in a Satellite Environment 1.2

This presentation is a warning call to those responsible for the companies that use or provide data connections (especially the Internet) via satellite, demonstrating some of the attacks that are possible in this environment.

Nicholas J. Percoco

Global Security Report 2010

From January 1, 2009 to December 31, 2009, we performed approximately 2000* penetration tests (network, application, wireless, and physical) for organizations ranging from the largest companies on the planet to nimble start-ups. In addition, we also performed around 200* security incident and compromise investigations for organizations located in nearly 20 different countries around the world.

The data we have gathered from these engagements is substantial and comprehensive. This presentation will be the first viewing of the results of the analysis of the data gathered during 2009. The results will be presented as both technical and business impact analysis, with an emphasis on the technical for the Black Hat audience.

This presentation will coincide with the release of the paper with the same title. The paper will be released after the conclusion of the talk.

* Trending numbers as of November 5, 2009.

Shane Powell

Cyber Effects Prediction

Once the sole domain of military planners, public sector organizations must begin to understand the extent to which cyber attacks may affect their ability to conduct mission essential operations. Various information security regulations and standards aid organizations with configuring information systems securely. Common processes are used to assess system vulnerabilities and assign risk. However, vulnerability and risk assessments can easily mislead system owners into a false sense of security. While vulnerabilities can be patched and risks may be mitigated, the end result is inevitably that someone must accept responsibility should their organization fall prey to cyber attack through exposures that remain.

The approach to Cyber Effects Prediction proposed in this paper harnesses traditional and emerging analytic methods to provide a deep understanding of the actual security state of an organization’s information system. Cyber Effects Prediction harnesses detailed knowledge of how an organization’s information systems are configured, business operations, continuity of operations planning, and external relationships. Determination can be made from this information of how information systems will likely be attacked, allowing for prediction of the cascading effects that result from successful cyber attack.

Knowledge derived from Cyber Effects Prediction allows for:

  • Understanding System Security Baseline Configurations
  • Assigning System Criticality According to Organizational Mission
  • Understanding Internal, External, or Hybrid Organizational Exposures to Cyber Attack
  • Understanding the Reach of Cyber Attack Vectors crossing Organizational Exposures
  • Identifying Primary (Direct) Cyber Effects Affecting Systems
  • Predicting Secondary (Internally Cascading) Cyber Effects Affecting Distributed Services
  • Postulating Tertiary (Externally Cascading) Cyber Effects Affecting Operations and Mission
  • Demonstrating System Vulnerabilities through Targeted Penetration Testing
  • Identifying and Prioritizing Remediation Actions
  • Allocating Resources Efficiently in Support of Remediation Actions
  • Calculating Residual Risk either Qualitatively, or More Importantly, Quantitatively

The methodology described focuses on applying Cyber Effects Prediction to the defense of information systems.
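An added illustration of the cascade idea behind the primary, secondary and tertiary buckets above (example code written for this page; it is not the speaker's methodology or tooling). Systems, services, missions and an external partner are nodes in a constructed dependency graph, a compromise is propagated along the dependency edges, and the reach is scored against assumed mission criticality values so single-system compromises can be ranked for remediation or targeted penetration testing.

```python
from collections import deque

# Constructed dependency graph (an assumption for illustration): each key is a
# node and its list holds the nodes that depend on it, so an outage flows along
# the arrows. Names are made up.
DEPENDENTS = {
    "srv-ad01":    ["svc-auth"],
    "srv-db01":    ["svc-orders", "svc-reports"],
    "srv-web01":   ["svc-portal"],
    "svc-auth":    ["svc-portal", "svc-orders"],
    "svc-orders":  ["mission-fulfilment", "partner-erp"],
    "svc-reports": ["mission-planning"],
    "svc-portal":  ["mission-customer-service"],
}

# Which bucket each node falls into: systems are primary effects, internal
# services secondary, missions and external parties tertiary.
TIER = {
    "srv-ad01": "system", "srv-db01": "system", "srv-web01": "system",
    "svc-auth": "service", "svc-orders": "service",
    "svc-reports": "service", "svc-portal": "service",
    "mission-fulfilment": "mission", "mission-planning": "mission",
    "mission-customer-service": "mission", "partner-erp": "external",
}

# Assumed criticality of each tertiary node to the organisation's mission (1..5).
CRITICALITY = {"mission-fulfilment": 5, "mission-planning": 2,
               "mission-customer-service": 4, "partner-erp": 3}


def predict_effects(compromised):
    """Propagate a successful attack on the given systems through the graph and
    return what it reaches, bucketed by tier."""
    reached = set(compromised)
    queue = deque(compromised)
    while queue:
        node = queue.popleft()
        for dep in DEPENDENTS.get(node, []):
            if dep not in reached:
                reached.add(dep)
                queue.append(dep)
    return {
        "primary": sorted(n for n in reached if TIER[n] == "system"),
        "secondary": sorted(n for n in reached if TIER[n] == "service"),
        "tertiary": sorted(n for n in reached if TIER[n] in ("mission", "external")),
    }


def mission_impact(effects):
    """Share of total mission criticality taken down by the predicted cascade."""
    hit = sum(CRITICALITY[n] for n in effects["tertiary"])
    return hit / sum(CRITICALITY.values())


def rank_systems():
    """Single-system compromises ordered by predicted mission impact."""
    systems = [n for n, t in TIER.items() if t == "system"]
    scored = ((round(mission_impact(predict_effects([s])), 2), s) for s in systems)
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, system in rank_systems():
        print("%-10s %.2f %s" % (system, score, predict_effects([system])["tertiary"]))
```

The ranking is the point: a vulnerability scan would rate the three servers only by their findings, while the cascade shows that the directory server, which no mission depends on directly, reaches the most mission-critical nodes through the authentication service it backs.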

Jason Ross

Malware Analysis for the Enterprise

Your organization has Anti-Virus deployed and is logging virus activity to a central location. Your IDS is watching the perimeter, and you have your systems on a regular patch cycle. Malware doesn't affect you, right?

This presentation shows where these technologies are falling short and why malware analysis is quickly becoming a need for companies other than Anti Virus vendors. We'll discuss the pros and cons of virtual machines and bare metal as they apply to the purpose of analyzing malicious software.

After talking about the "why", we'll move on to the "how" and walk through setting up a sandnet, or "virtual internet", comprised of a victim host and a server running multiple services so that you can:

  • Observe Operating System changes made by malware
  • Capture network traffic being sent by the compromised host
  • Intercept DNS calls and redirect them to services you control
  • Set up netcat to interact with unknown protocols

Using these methods, an organization can determine exactly what has been compromised on a host, and more importantly, determine where their data is going.

Armed with accurate information as a result of analyzing the malware an effective response to the incident can be formed.
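An added example of the DNS interception step of the sandnet described above (example code written for this page, not the speaker's lab setup). It is a minimal fake resolver: every A query from the victim host is answered with the address of the box running your decoy services, so the malware's callback traffic lands where netcat or a real service is listening, and the queried names are logged as indicators. `SANDNET_IP` is an assumption; `build_query` only exists to construct sample traffic offline.

```python
import socket
import struct

SANDNET_IP = "10.0.0.1"   # assumption: address of the host running your decoy services


def encode_name(name):
    """'evil.example' -> b'\\x04evil\\x07example\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Plain recursive query; used here only to construct sample traffic offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack_from("!HH", packet, off)
    off += 4
    return txid, ".".join(labels), qtype, packet[12:off]


def build_response(packet, ip=SANDNET_IP, ttl=60):
    """Answer any A query with the sandnet address. Other record types get an
    empty NOERROR reply so the sample moves on instead of retrying forever."""
    txid, _, qtype, question = parse_query(packet)
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set; one answer
    # 0xC00C is a compression pointer back to the name at offset 12 (the question).
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def serve(bind_addr="0.0.0.0", port=53):
    """Blocking UDP loop; needs root for port 53, or use a high port plus a NAT redirect."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_query(data)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue
        # The log line is the indicator you keep: which host asked for which name.
        print("%s asked for %s (type %d) -> %s" % (peer[0], qname, qtype, SANDNET_IP))
        sock.sendto(build_response(data), peer)


if __name__ == "__main__":
    serve()
```

Point the victim host's resolver at the sandnet box (DHCP option or a static setting in the isolated network), run this on that box, and pair it with `nc -l` on the ports the sample then connects to in order to capture the first bytes of whatever protocol it speaks.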

Kevin Stevens

The Underground Economy of the Pay-Per-Install (PPI) Business

This presentation shows how hackers are recruiting hundreds of affiliates to join their Pay Per Install Affiliate Programs. While purporting to be programs that merely install adware, they are actually scams to install some of the most malicious malware and spyware out on the market today.

I will present different PPI programs as well as the forums where there are guides posted and tips on how to be successful in this business. I will also uncover some of the details of the people running these sites and some stats on how much money is being made.

Matthieu Suiche

Advanced Mac OS X Physical Memory Analysis

In 2008 and 2009, interest from companies and governments in Microsoft Windows physical memory analysis grew significantly. Now it is time to talk about Mac OS X. This talk will describe the basics of Mac OS X kernel internals (and not an XNU kernel creation timeline) and how to retrieve various information such as machine information, mounted file systems, process listing and extraction, threads, kernel extension listing and extraction, and rootkit detection.

Christopher Tarnovsky

Hacking the Smartcard Chip

Giovanni Vigna

Analysis of a Botnet Takeover

This briefing presents research into the Torpig/Mebroot botnet, carried out by hijacking it.

Qing Wang

MS Office Document War: Parse Deeply, Fuzz Widely, Shoot Precisely and Measured Scientifically

The concepts of "sample based," "logic oriented" and "data type oriented" will bring us a lot of benefits if we use them in our security testing (fuzzing). Besides reducing thousands of useless cases with smart, accurate and efficient case generation strategies, they also offer us a scientific measurement to evaluate our testing work. To demonstrate these concepts, a fuzzer with advanced fuzzing concepts, called Megatron (yes, the name is from the movie Transformers, a.k.a. NBE-1), will be shown. Microsoft Office documents will also be used as a file format example to illustrate the file fuzzing concept.

With the tool we will release at the conference, you can generate malformed Office documents smartly and easily. Programming is not necessary at all. Smart fuzzing won't be a special skill owned only by security experts. Ease of use and intelligence are the key points of Megatron's design. Any QA engineer, even a middle school student, could generate complex fuzzing cases and crash the application with this tool.