Black Hat Briefings & Training Asia 2003

Black Hat Windows 2004 Overview

Black Hat Windows 2004 Call for Papers Black Hat Windows 2004 Speakers Black Hat Windows 2004 Briefings Schedule Black Hat Windows 2004 Sponsors Black Hat Windows 2004 Training Black Hat Windows 2004 Hotel & Venue Black Hat Windows 2004 Registration
details Current Sponsors for Black Hat Briefings Windows 2004
Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Day 1 Keynote
Dan Geer Jr., Sc.D, Principal, Geer Risk Services, LLC & VP/Chief Scientist, Verdasys, Inc.

Dr. Geer is an entrepreneur, author, scientist, consultant, teacher, and architect. Most recently, he served as CTO with @stake, a leading digital security consulting firm. Previously, Dr. Geer ran the development arm of MIT's Project Athena, where Kerberos, the X Window System, and much of what we take for granted in distributed computing was pioneered by his staff on his watch. For many years he has provided high-level strategy in all manners of digital security and in promising areas of security research to industry leaders, especially in engineering and finance as a consultant and as an officer in a series of relevant startups. He is a widely noted author in scientific journals, the technology press, and has co-authored several books on risk management and information security.

Dr. Geer has testified before Congress on multiple occasions and has served in formal advisory roles for the Federal Trade Commission, the National Science Foundation, the Treasury Department, the National Research Council, the Commonwealth of Massachusetts, the Department of Defense, the National Institute of Justice, and the Institute for Information Infrastructure Protection.

Geer holds several security patents, received an Sc.D. in Biostatistics from Harvard and an S.B. in Electrical Engineering from MIT. He serves both fiduciary and nonfiduciary roles for a number of promising startups. He is also Past President of the USENIX association.

Return to the top of the page

Day 2 Keynote
Broken Windows: What Security Looks Like When Gollum Gets the Ring
Richard Thieme,

We all know the story, the issues, the lay of the land. Depending on how it's defined and who's defining, Windows security is both impossible and essential. So how we describe the problem IS the problem.

Thieme shows how focusing on the security context instead of granular content illuminates the content that's critical and the path to it that's optimal. As well as how to think about the problem.

Richard Thieme ( is a Contributing Editor for Information Security Magazine and, according to The Linux Journal, a "hacker philosopher journalist sage" whose presentations at security and hacking conventions are always well-attended and well-received. He speaks eloquently about the relationships between technology, people, and spirituality and always speaks straight to the heart of important matters right at the front of the audience's collective mind. He is very subtle ... and extremely deep."

Thieme consults, writes, and speaks about "life on the edge," in particular the human dimensions of technology and the work place. His focus these days is on security and identity - how to play chess while the board is disappearing.

Thieme has published widely. Translated into German, Chinese, Japanese, Slovene, Danish and Indonesian, his articles are taught at universities in Europe, Australia, Canada, and the United States. His column, "Islands in the Clickstream," has been published in Singapore, Toronto, and Capetown and is distributed to subscribers in 60 countries. Archives are at

Return to the top of the page

MOSDEF Tool Release
David Aitel, Immunity, Inc.

Dave Aitel is the founder of Immunity, Inc. and the primary developer of CANVAS and the SPIKE Application Assessment Suite. His previous experience, both within the US Government and the private sector has given him a broad background in exploit development, training, and speaking. He has discovered numerous new vulnerabilities in products such as Microsoft IIS, SQL Server 2000, and RealServer.

Immunity, Inc. is a New York City based consulting and security software products firm. CANVAS, Immunity's flagship product, is a sophisticated exploit development and demonstration framework.

Return to the top of the page

Trusted Computing 101
David Blight, Ph.D., Security Architect, Voyager Systems

Trusted Computing is a controversial security initiative led by Microsoft which takes security improvements beyond the Operating System by requiring significant changes in PC hardware. Trusted Computing has evoked much debate, and many misunderstanding exists about its capabilities and intentions. This presentation will detail the components of Trusted Computing including: Next Generation Secure Computing Base (NGSCB) which represents Windows OS changes; Trusted Computing Group (TCG) initiatives which require a TPM chip in hardware; Intel’s LaGrande and AMD SEM plans which bring changes in the CPU; and BIOS changes which are already being included in new systems. This presentation will use a technical analysis of the plans to show the strengths, weaknesses, and potential capabilities of Trusted Computing. The role of Trusted Computing in DRM will be examined, the potential role of Linux will be discussed, and determine whether Trusted Computing is something to fear or embrace?

Dr. Blight is currently security architect for Voyager Systems, an industry leader in wireless communications and services for the public safety industry. Previous to Voyager Systems, Dr. Blight has been a security consultant and founder of Marzenka Inc, and held research positions at Palm, Fujitsu Labs, TRLabs, and was an assistant professor at the University of Manitoba. Dr. Blight has lectured and published extensively in areas related to security, mobile computing, network management, software engineering, and system design.

Return to the top of the page

Without a Trace: Forensic Secrets for Windows Servers
Mark Burnett
James Foster,
Deputy Director, Global Security Solutions

Every day administrators around the world discover their server has been hacked but in their efforts to respond, they destroy crucial evidence. This presentation shows the importance of even the smallest pieces of evidence and demonstrates how you can use this evidence in a forensic investigation.

Many security experts find themselves as first or second responders to an incident and faced with the challenge of reconstructing the crime, finding the point of entry, and identifying the attacker. This presentation will show a side of forensics beyond hard drive imaging and keyword searching. This presentation will show how to use the many pieces of evidence to construct a solid understanding of what happened

Based on experiences from actual investigations, we explain techniques to gather evidence, including recreating a server environment and reproducing the steps of the hacker. Using little-known tricks, we’ll show how you can determine what applications were running or not running at the time of an intrusion. Even when an attacker deletes log files, you can still determine what icons an intruder clicked on or produce a timeline of events. Using tools such as Microsoft’s LogParser and many of the free Foundstone tools, we will teach tricks to determine exactly what the intruder did and just as important, what he didn’t do. Through the process of elimination and by gathering circumstantial evidence, you can often build a clear picture of what transpired and who was responsible.

Mark Burnett is a security consultant and author specializing in securing Windows-based servers. Mark is author of the book Hacking the Code (ISBN: 1-932266-65-8). He is co-author of the best-selling book Stealing the Network (ISBN: 1-931836-87-6) and co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (ISBN: 1-931836-69-8); Maximum Windows Security (ISBN: 0-672-31965-9); and Dr. Tom Shinder's ISA Server and Beyond (ISBN: 1-931836-66-3). Mark is a regular contributor to many industry-related magazines, newsletters, web sites, and other publications.

James C. Foster (CISSP, CCSE), Deputy Director Global Security Solutions for CSC Inc., is responsible for the technical vision and operation for all security solutions within CSC. Prior to joining CSC, Foster was the Director of R&D for Foundstone Inc. and responsible for all aspects of product and corporate R&D initiatives. Foster was also a Senior Advisor and Research Scientist with Guardent Inc. and an adjunct author at Information Security Magazine. Foster has co-authored or contributed to books including Snort 2.0, Hacking Exposed 4th Ed, Special Ops Security, Intrusion Detection and Prention, Anti-Hacker Toolkit 2nd Ed, Hacking the Code, and Anti-Spam Toolkit. Foster has an AS, BS, MBA and is currently a fellow at the University of Pennsylvania's Wharton School of Business.

Return to the top of the page

DKOM (Direct Kernel Object Manipulation)
Jamie Butler, Director of Engineering, HBGary, LLC

This talk will address insecurities in the current implementation of today's operating systems. Because of the lack of exclusive access to kernel objects used to track privileges, report processes, and do auditing, rootkits and other subversive programs can modify them without detection in many cases. Obscurity is no longer enough! Corporations and some private consumers have tried to secure themselves by buying third party products. However, these products are not enough to prevent an attacker using the DKOM method. DKOM writes directly to memory without calling the kernel functions used to protect these objects thus bypassing the protection mechanisms of the kernel and third party tools such as HIPS (Host Intrusion Prevention Systems).

Jamie Butler is the Director of Engineering at HBGary specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Root-kit Technologies." Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. He holds a MS in Computer Science from the University of Maryland, Baltimore County. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention; buffer overflows; and reverse engineering. Jamie is also a contributor at

Return to the top of the page

Data Hiding On A Live (NTFS) System
Harlan Carvey

The presentation walks through various data hiding techniques, demonstrating those that have been used (and continue to be used) since the days of MS-DOS. Other techniques for hiding data are newer, developed more recently as Microsoft has increased the functionality and usability of its products. While some of the techniques will simply hide data from casual users, others can be used to hide data from system administrators and even forensics analysts. Each of these techniques will be covered thoroughly using demonstrations and real world examples. This presentation contains the single most comprehensive treatment of NTFS alternate data streams available to date.

Harlan Carvey’s interest in information security began while he was an officer in the military, during which time he earned his master’s degree. After leaving military service, he began working in the field of commercial and government information security consulting, performing vulnerability assessments and penetration tests. While employed at one company, he was the sole developer of a program for collecting security-specific information from Windows NT systems during vulnerability assessments. The purpose of the product was to overcome shortfalls in commercial scanning products and provide more valuable information to the customer. Harlan has also worked in the area of incident response and forensics, performing internal and external investigations as the network security professional for a now-defunct telecommunications firm. He has presented at Usenix, DefCon 9, and Black Hat, and has had articles published in the Information Security Bulletin and on the SecurityFocus web site.

Return to the top of the page

Auditing ActiveX Controls
Cesar Cerrudo

In the last year many vulnerabilities have been found on ActiveX controls massively deployed, right now millons of computers are still running vulnerable ActiveX controls, most of Activex vulnerabilities can be easily exploited to compromise systems. This talk discusses how to perform a black box security audit on ActiveX controls. The process of auditing an ActiveX is not a very complex task and the audience will learn how to manually do it in a few minutes with great success with the help of free available tools.

Cesar Cerrudo is a independent security researcher/consultant specialized on application security. In the latest years he has found many vulnerabilities on top software such as MS SQL Server, MS Biztalk Server, MS Commerce Server, MS Windows 2000, Oracle database server, Yahoo! Messenger, etc. He has presented about SQL Server security at Black Hat and Microsoft in the last year.

Return to the top of the page

Information Security in Mergers & Acquisitions
Chris Conacher, Black Hat Consulting

This talk will look at the unique problems that the Mergers & Acquisition (M&A) process poses and possible solutions to those problems.

The talk will provide an understanding of:

  • The risk to both your organization and the target organization
  • The role of Information Security
  • Business drivers and approaches to dealing with them
  • The different phases of the M&A process
  • How risk changes in relation to the different phases
  • Key actions that need to be taken at each phase within the process

Chris Conacher has over 6 years experience in formal Information Security roles. This time has been spent with the Fortune 500 companies BAE Systems (formerly British Aerospace and Marconi Space Systems), BAE Systems Airbus and Intel Corporation. He has also worked for the Information Risk Management consultancy practice of 'Big 5' firm KPMG LLP where he specialized in 'High-Tech' companies. Chris' time in Information Security has seen him working in England, France, Germany, Greece, Russia and the USA. His specialties include the development, deployment and review of corporate information security programs; the secure integration of Mergers & Acquisitions; data protection in disaster recovery planning; and information security business impact analysis. Chris has a strong understanding of the strategic business impact of information security and works to align information security to complement corporate operating models. He is also an experienced trainer, project manager and has held numerous speaking engagements to internal and external clients and professional groups.

Return to the top of the page

"They'll never see it coming!"
Stephen Dugan, CCSI

This talk will focus on the dangers of unprotected routing protocols. By injecting a route into a companies or ISPs routing table we can assume the identity of ANY internet site. Worse the affected site has no countermeasure or method of detection that the attack is occurring. There will be a step-by-step demo with a Cisco Network showing this attack.

We will be asking for audience participation, so bring your laptop and wireless card. During the demo you will be able to watch as the site is hijacked with route injection.

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.

Return to the top of the page

Automated Binary Reverse Engineering
Halvar Flake, Reverse Engineer, Black Hat

The presentation will focus on some advanced topics of automated reverse engineering. Algorithms (and plug-ins for IDA that implement them) for detecting programmatic changes between two versions of the same executable and for detecting memory-copying or -decoding loops in executables will be explained and demonstrated.

There are several applications for these techniques, for example porting debug info that a vendor might have accidentally left in an older version of a product to a newer version of the same program or reverse engineering the details of a bug if the vendor has only provided sketchy details. Detection of memory-copying loops has some interesting applications in vulnerability research and code analysis.

Halvar Flake is Black Hat's resident reverse engineer. Originating in the fields of copy protection, he moved more and more towards network security after realizing the potential for reverse engineering as a tool for vulnerability analysis. He spends most of his screen time in a disassembler (or developing extensions for the disassembler), likes to read source code diff's with his breakfast and enjoys giving talks about his research interests. He drinks tea but does not smoke camels.

Return to the top of the page

Lessons Learned When the Cisco Guys Went to Windows land
FX, Phenoelit

The speech covers stack based buffer overflows in Win32 applications and services where the buffer content consists of wide characters. Techniques for finding return addresses as well as practical wide character shellcodes (so-called venetian shell code) will be discussed. There will also be some side notes on ASCII based overflows and format string vulnerabilities. This talk is to provide the intermediate security pro with a few more usefull tricks for her/his sleeve using one of SAP's Internet architectures as example targets.

FX is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.

Return to the top of the page

WinCE PDA Insecurity
Bryan Glancey, Vice President of Research & Development, Mobile Armor

Palmtops are going in power and popularity. How is the security on these devices and what can be easily bypassed. We will look at the HP 5455 , the pinnacle of Palmtop security and see how easily it's biometric security can be overcome. We will also cover basic security holes present in all palmtops - regardless of model.

Bryan Glancey is the Vice President of Research and Development of Mobile Armor. Mobile Armor is a provider of Enterprise Mobile Data Security Solutions for large enterprises.

Mr. Glancey was formerly Vice President of Sales Engineering for Pointsec Mobile Technologies, a leader in Mobile Device Security software. He has led implementations of Enterprise security solutions at companies including Cisco Systems, CitiGroup, and Bank of America.

Mr. Glancey’s innovative security ideas have led to five patent pending software security solutions . He has spoken extensively on information security, PDA Security, and Enterprise Security at conferences including The Internet Security Conference (TISC), SANS (System Audit Network Security), Defcon, Black Hat and PlanetPDA. He has been quoted on PDA security on Reuters.

Mr. Glancey holds a Bachelors Degree in Physics from Clarkson University where he participated in research studies for the National Science Foundation, and the US Air Force.

Return to the top of the page

Legal Risks of Vulnerability Disclosure
Jennifer Stisa Granick, Lecturer in Law and Executive Director of the Center for Internet and Society (CIS) at Stanford University
A patchwork of laws arguably applies to vulnerability disclosure. Vendors and system administrators have struggled to find legal means to prevent or slow computer misuse, while security researchers are frightened by the possibility that they may be punished for the dissemination of security research. This talk reviews the major legal issues in vulnerability disclosure, including negligence, conspiracy to commit computer fraud, aiding and abetting computer fraud, the anti-circumvention provisions of the DMCA and the prospective implementation of the Council of Europe Convention on Cybercrime, as well as defenses, like the First Amendment.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime, national security and constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Return to the top of the page

The Challenges of Automated Web Application Scanning: "Why automated scanning only solves half the problem."
Jeremiah Grossman, CEO, WhiteHat Security, Inc.

Web application scanning presents many unique challenges. The biggest challenge is that the increasing complexity and diversity of Web applications make it extremely difficult for any scanner to effectively identify security issues. The goal in typical network vulnerability scanning is to identify "known security issues in known code." Unfortunately, the problem is more complex in Web application vulnerability scanning, where the mission is to identify "known security issues in unknown code." With this in mind, we will dive into the specific details that make Web application vulnerability scanning difficult, discussing the lessons learned and recommended solutions. Scanning a Web application for vulnerabilities is akin to remotely black-box testing an unknown piece of code. The remote scanner does not have access to source code, knowledge of what programming language was used, what actions the software performs, and it won't even know on what platform the application resides. The benefit of known security issues is lost within web application vulnerability scanning and the scanner must resort to identifying classes of vulnerabilities, such as cross-site scripting and SQL injection. However, there are security issues that go beyond simple classes and target exploitation of the flow in application business logic. These business logic issues are arguably impossible for any automated process to uncover and yet are some of the most dangerous. The list of challenges faced by today's web application vulnerability scanner is endless.

Jeremiah Grossman is the founder and CEO of , Inc. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of web applications.

A 6-year security industry veteran, his research has been featured in USA Today, NBC, and ZDNet and touched all areas of web security. Mr. Grossman is a world-renowned leader in web security and frequent speaker at the Blackhat Briefings, NASA, Air Force and Technology Conference, Washington Software Alliance, ISSA, and Defcon.

Mr. Grossman is a founder of the Web Security Consortium and Open Web

Application Security Project (OWASP), as well as a contributing member of the Center for Internet Security Apache Benchmark Group.

Return to the top of the page

Integrating Security Into Agile Development/Testing
Matt Hargett, co-Founder, BugScan, Inc

Integrating security into a development and testing process is hard, and there is not a lot of documentation that covers the entire process. This talk is a walkthrough of how to integrate security into a development process starting at requirements and ending at deployment. Applying regular QA best practices to black box fault injection for improved and consistent exploitation results is also covered.

Matt Hargett has done security quality assurance for more than 6 years, applying his skills to security scanner, firewall, encryption, intrustion detection, operating system, fault injection, and static analysis products. He recently co-founded BugScan, Inc and is principal developer on the BugScan 2003 product line, which involves staring at disassembly until he can no longer comprehend or speak english. In his spare time, he reads too much Discworld and Harry Potter; writes and arranges songs; and does work on his house where he lives with his partner and their dog.

Return to the top of the page

ISA Server: Best Practices from the Field
Jim Harrison, Microsoft,
Jim Edwards,

The main focus of this presentation is ISA Server 2000 planning, deployment and configuration with special focus on three core areas:

  • Security
  • Reliability
  • Performance

each of which deals with specific settings and configuration options that can be applied to Windows and ISA to create a more stable, secure and efficient environment.

Supported registry settings for Windows and ISA Server will be included as well as overall system configuration, logging settings, Widows and ISA hotfixes and ISA policies recommendations.

We will include links to existing documents as appropriate (KB, TechNet, MSDN,,, etc.) to illustrate any points and to lend credence to the recommendations.

Return to the top of the page

Preventing Intrusions and Tolerating False Positives
Steve Hofmeyr, Ph.D, Chief Scientist, Sana Security

Intrusion prevention systems are becoming increasingly essential to combat today's automated threats. However, people are wary of using these systems because blocking false positives will result in a loss of legitimate functionality. In this presentation, wediscuss the false positive issue in relation to intrusion prevention, and what the implications are for system design. In particular, we borrow some ideas from immunology to better understand how to design systems that are false positive tolerant and robust in today's complex environments.

Dr. Steve Hofmeyr received a Ph.D. in Computer Science in 1999 from the University of New Mexico (UNM), focusing on immunological approaches to computer security. During his studies, he spent a year at the Artificial Intelligence Lab at MIT. After finishing his Ph.D. he was a post-doctoral researcher at UNM, and closely associated with the Santa Fe Institute for Complexity Studies. Dr. Hofmeyr has authored and co-authored many papers published in conference proceedings and peer-reviewed journals on computer security, immunology and adaptive computation. In 2003, MIT's Technology Review named Dr. Hofmeyr as one of the top 100 young innovators under 35.

Return to the top of the page

Digital Security: Policies & The Law
Curtis E.A. Karnow, Partner, Sonnenschein Nath & Rosenthal LLP

Curt Karnow moves through a fast-paced assessment of legal problems stemming from security breaches, followed by a review of polices which can help mitigate that liability. Following a quick look at types of breaches and trends, the presentation maps out the wide variety of liabilities that follow these breaches—such as trade secret disclosure, privacy, HIPAA, Sarbanes-Oxley, breach of contract, California's new laws such as SB 1368—and many others. It then focuses on indirect liability for security breaches—when site manages and owners are found liable for third party attacks, such as with distributed denial of service. The balance of the talk spotlights the key role policies have in working with law enforcement and reducing legal exposure. Curt Karnow concludes with a look at inadequate, conflicting, and badly-followed policies- and why those lead directly to new rounds of legal problems.

Curtis E.A. Karnow specializes in intellectual property litigation and technology law including computer, Internet, and multimedia issues. He is the author of Future Codes: Essays in Advanced Computer Technology and The Law (Artech House: London/Boston, 1997) and currently represents Sun in the landmark technology antitrust case, Sun Microsystems v Microsoft.

Mr. Karnow has handled numerous software licensing, electronic commerce, website and other computer-related transactions involving parties including, Capcom Entertainment, Excite@Home, ASCII Corporation, Charles Schwab & Co., Inc., Cisco, Sony Computer Entertainment of America, and PGP (Pretty Good Privacy). He has advised a global home entertainment corporation on trademark and gray market import matters; counseled a computer peripheral manufacturer on the evaluation, licensing, and enforcement of patents; advised a web navigation company on Internet legal issues, and prepared a variety of Internet-related commercial agreements. He has defended a national engineering firm against allegations of software copyright violations; defended a variety of clients against allegations by the Business Software Alliance (BSA) and the Software Publishers’ Association (SPA) of software copyright infringement; counseled an international game company on Internet copyright and trademark issues; represented a software encryption company on licensing issues; and represented a developer of encryption products on export control and related grand jury and intellectual property issues.

From 1978-1980, Mr. Karnow was an Assistant United States Attorney for the Eastern District of Pennsylvania. There, his responsibilities included prosecution of all federal crimes, including complex white collar fraud, from investigation and indictment through jury verdict and appeal. Since then, he has represented defendants indicted for unauthorized access to federal interest computers; defended against a criminal grand jury investigation into high tech export actions; represented clients before federal grand juries investigating alleged antitrust conspiracies; and in a state criminal investigation represented a computer professional framed by a colleague in a complex computer sabotage. He has also counseled on jurisdictional issues arising out of a federal criminal Internet-related indictment, and advises on legal issues (including working with law enforcement and in particular the FBI) arising from third party computer security breaches.

Return to the top of the page

Nobody's Anonymous— Tracking Spam
Curtis Kret, Researcher, Secure Science Corporation

Viagra! Work from home! Who sends this stuff? And what if not all Spam is what it appears to be? This talk discusses forensic methods for identifying forged emails and tracking individual senders who would otherwise be anonymous.

This presentation demonstrates how to apply data forensics to spam in order to identify the sender of specific spam messages. Some senders can be identified by name, while others can be distinguished by attributes such as preferences, nationality, religion, and even left-handedness. Four spam categories are provided that classify spam by function, including List Makers, Scams, and Covert Communication channels. The examples provided include full-disclosure case studies: a phishing gang that targets bank customers with malware and impersonations, and an IRC group that uses spam as a covert communication channel.

Curtis Kret (pseudonym) has a Ph.D. in Computer Science and over 15 years of computer security experience. His current research focuses on methods to track “anonymous” people and applying the research to Spam. Dr. Kret is currently working with Secure Science Corporation, a professional services and software company that develops advanced technology dedicated to protecting online assets. Secure Science Corp. is pioneering innovative ways to transform the Internet into a secure environment for both online communications and transactions.

Return to the top of the page

Windows Heap Overflows
David Litchfield, Founder, Next Generation Security Software

This presentation will be entirely new and never seen before. Code included.

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine who voted him as 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft, Oracle).

David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world leading vulnerability research and the continued development of cutting edge security assessment software, David has also written or co-authored on a number of security related titles including, "SQL Server Security", "Shellcoder's handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle"

Return to the top of the page

Application Intrusion Detection
Drew Miller, Black Hat Consulting

As corporations begin to embrace secure mitigation techniques, we hope to see a visible decline in application specific exploits. Applications operate on a higher level than the operating system and must trust many components in the system to just work. There is not much that an application can do to verify a third-party component. However, it is completely possible for an application to monitor the things that the application mitigates and the things that he application cannot mitigate.

An infrastructure for the application that allows auditing, monitoring and statistical analysis of events and related data can allow an application to know when a user is attempting to buffer overflow the application. The application can know when a hacker is bypassing the client validation outines. The application can know when all these events occur. You write the programs, so learn how to add monitoring to give you application the edge on hackers in a network environment

Drew Miller has been a software engineer for more than ten years. Drew has worked at many levels of software development, from embedded operating systems, device drivers and file systems at Datalight Inc. to consumer and enterprise networking products such as Laplink’s PCSync and Cenzic’s Hailstorm. Drew’s experience with many software genres combined with his passion for security give him a detailed perspective on security issues in a wide variety of software products.

Drew’s latest projects were the aided design and development of two security courses for Hewlett-Packard at the Hewlett-Packard Security Services Center. One course aimed at educating quality assurance personal and the other educating developers to the exposures that exist in present day network applications and how to avoid such exposures. Drew is currently an instructor for Black Hat Training, Inc.

Return to the top of the page

Hardening Windows Servers
Derek Milroy, the Corp-Sec Project

The approach presented focuses on both efficiency and effectiveness, while minimizing the breaking of application functionality. This presentation will focus on implementing hardening in environments of all sizes. The checklists and methodologies presented can be modified to fit attendees’ environments. This presentation will also point out potential pitfalls and ways to avoid them. The checklists and scripts presented during the session will be made freely available to attendees.

Derek has been implementing security in corporate environments, as both an internal employee and a consultant, for five years. Although he has implemented firewalls, IDSs, and VPNs for various employers and clients he focuses heavily on securing Microsoft hosts and Domain structures. He has hardened hundreds of hosts in environments ranging from less than a dozen servers to enterprise environments with over 1000 servers and thousands of users. In conjunction with hardening he has also crafted and implemented Standards, Policies, and Procedures to maintain the security of his employer's/client's environments.

Return to the top of the page

Security in the Development Lifecycle
Gunnar Peterson, CTO, Arctec Group

Let's face it: life in Layer Seven is hard. Your application is forced to trust layers one through six which are suspect at best. Even if the lower levels are set to run securely, your application still must stand up to intentional and unintentional misuse and abuse from users and other systems. On top of that application security problems can be among the most difficult to root out in the design phase and, worse, detect when they occur at runtime. There are no silver bullets to remedy this situation.

In order to improve this state of affairs, a mutli-faceted approach is required. This session targets a set of design, process, and organizational aspects geared towards helping your enterprise build and deliver more robust and secure software. Through understanding the phases, activities, and artifacts of the development process, we will find ways that the security team can positively influence the end result: the application. We will focus on tools and techniques which help achieve this goal like Threat Modeling, Misuse Cases, and Unit Hacking.

Gunnar Peterson is a Software Security Architect. He designs secure, stable, and scalable solutions for complex problem spaces. Over his ten year career, he has been dedicated to design and development of distributed middleware Object-Oriented and Component systems for clients ranging from large enterprises to start ups. Currently, Gunnar is CTO of Arctec Group. Arctec Group's primary focus is designing "Strategic Technology Blueprints" for enterprise.

Return to the top of the page

Capturing Windows Passwords Using The Network Provider API
Sergey Polak

There are a variety of methods for capturing user passwords, from keystroke loggers to hardware devices. I will discuss a software method that uses Windows APIs to capture users’ passwords on a Windows (95/NT/2000/XP) system. I will provide step-by-step instructions and examples on how to write your own simple DLL that will, once installed on the target machine, capture the password of any interactive log-on session on that computer without giving the slightest visible indication that this is happening. This technique can be useful for administrators of corporate networks that need to build a database of user passwords or to enforce password complexity policies.

Sergey Polak has a BS in Computer Science from Pace University. For the past 6 years he has worked at the law offices of Fish & Neave in New York, where he currently holds the position of Senior Programmer. As an in-house developer Polak has worked extensively with various vendor APIs to write custom applications for the firm. In addition to writing code Polak performs the duties of the DBA and am responsible for a variety of network administration tasks for Windows and NetWare systems.

Return to the top of the page

Windows XP: Improving Resiliency
Steve Riley, Microsoft Senior Consultant, MCS Trustworthy Computing Services

In Microsoft Windows XP Service Pack 2, Microsoft is introducing a set of security technologies that will help to improve the ability of Windows XP-based computers to withstand malicious attacks from viruses and worms. The technologies include network protection, memory protection, safer e-mail handling, more secure browsing, and improved computer maintenance. Together, these security technologies will help to make it more difficult to attack Windows XP, even if the latest updates are not applied. These security technologies together are particularly useful in mitigation against worms and viruses. Included in this presentation are examples and details of the technology changes in Service Pack 2 and implications for developers.

Steve Riley is a product manager in Microsoft's Security Business Unit in Redmond, Washington, USA. Steve specializes in network and host security, communication protocols, network design, and information security policies and process. His customers include various ISPs and ASPs around the United States, as well as traditional enterprise IT customers, for whom he has conducted security assessments and risk analyses, deployed technologies for prevention and detection, and designed highly-available network architectures. A router-rooter almost from birth, Steve grew up in networking and telecommunications; the simple telephone still provides endless hours of exploratory joy. Steve is a frequent and popular speaker at Microsoft conferences. Besides lurking in the Internet's dark alleys and secret passages, he enjoys mountain biking, clubbing and the occasional rave, freely sharing his opinions about the intersection of technology and culture, and hanging with his family and friends in the center of the universe otherwise known as Seattle, Washington.

Return to the top of the page

Win2K3 Terminal Server
Laura Robinson

Can a Windows Server 2003 Terminal Server be Bulletproofed? Microsoft has significantly extended Terminal Services functionality, manageability and security in Windows Server 2003, but if you aren't utilizing new features, you're leaving your server open to attack. Is it possible to truly "bulletproof" a TS box? In this session, we'll examine both the strengths and weaknesses of Windows Server 2003 Terminal Services, including:

  • Terminal Services network security
  • Appropriate permissioning of Terminal Services users and connections
  • User data and profile configuration
  • New Group Policy Terminal Services configuration and management options
  • Software Restriction policies in conjunction with Terminal Services-what works, what doesn't, and where are the tradeoffs?
  • Authorization Manager in Windows Server 2003- can it help you to secure your TS implementation?
  • Terminal Services auditing and logging- does it exist?
  • Utilizing information provided in other Black Hat sessions to assist in the Terminal Services hardening process

Laura Robinson is a network architecture and Microsoft security specialist
who is currently working for a large financial services company in New York City. She has extensive experience in Active Directory design and Microsoft product security, having acted as a consultant on implementations ranging from 300 to 100,000 users, in a variety of industries. Laura was a contributor to the Microsoft Press TCP/IP Protocols and Services Technical Reference for Windows 2000, a technical editor for the Microsoft Press Windows Security Resource Kit, author of the Microsoft Windows Server 2003 Customer Readiness content and has been a regular presenter at various Microsoft- and security-related conferences.

Return to the top of the page

Addressing Complete Security to Save Money
Russ Rogers, Chief Technical Officer, Security Horizon, Inc

One of the biggest issues in information security is the dependence on technical solutions, by themselves, to solve the problem of security posture within the organization or company. Companies are inundated with security organizations that tout the latest and greatest security product. From the redundant firewall product with high availability to the latest string of honey pot products, companies are told what they need in order to secure their organizations. Unfortunately, technical solutions, when implemented by themselves, fail to address the inherent problem in the system.

Poor security posture can only really be improved when the organization understands what information is critical to their operations. What information do we use, day in and day out, that is required to serve our customer and meet our mission goals? By defining specific information types that are critical to the organization, we can better define the actual impact that the loss of those information types will have on the organization. If we further define the process by measuring the loss of Confidentiality, Integrity, Availability, Accountability, etc of each of these information types, we can better realize more effective security measures to mitigate risk. This increases the cost effectiveness of security solutions that are implemented within the organization.

The key here is that once we’ve defined our information types and the impact to the organization of their loss, we are now better able to define on what actual systems these information types reside. More in-depth evaluations on these key systems can now take place, allowing the organization to focus on higher risk servers and network components. Solutions are implemented within the organization based on these factors, providing more effective and financially responsible security solutions that will dramatically improve the security posture within the organization.

Russ Rogers is the CEO and CTO of Security Horizon, a Colorado Springs based information security professional services firm and is a technology veteran with over 12 years of technology and information security experience. He has served in multiple technical and management information security positions that include Manager of Professional Services, Manager Security Support, Senior Security Consultant and Unix Systems Administrator. Mr. Rogers is a United States Air Force Veteran and has supported the National Security Agency and the Defense Information Systems Agency in both a military and contractor role. Russ is also an Arabic Linguist. He is a certified instructor for the National Security Agency’s INFOSEC Assessment Methodology (IAM).

Return to the top of the page

Fingerprinting through Windows RPC
Hidenobu Seki, aka

Many Windows 2000/XP/2003 functions depend on RPC service. By enumerating Windows RPC endpoint-map elements, you will differentiate between the followings: Windows NT 4.0 SP3 or before and Windows NT 4.0 SP4 or later, Windows 2000 SP2 or before and Windows 2000 SP3 or later, default Windows XP and Windows XP SP1, Windows XP Home Edition and Windows XP Professional. This presentation will show what differences are there between Windows 2000/XP/2003.

Hidenobu Seki, aka Urity works as a network security specialist at SecurityFriday Co., Ltd in Japan. He has published many tools, ScoopLM/BeatLM/GetAcct/RpcScan etc. He has been a speaker at the Black Hat Windows Security 2002 and 2003.

Return to the top of the page

HTTP Fingerprinting and Advanced Assessment Techniques
Saumil Udayan Shah, Director, Net-Square Solutions

This talk discusses some advanced techniques in automated HTTP server assessment which overcome efficiency problems and increase the accuracy of the tools. Two of the techniques discussed here include Web and Application server identification, and HTTP page signatures. Web and Application server identification allows for discovery of the underlying web server platform, despite it being obfuscated, and other application components which may be running as plug-ins. HTTP page signatures allow for advanced HTTP error detection and page groupings. A few other HTTP probing techniques shall be discussed as well. A free tool - HTTPRINT which performs HTTP fingerprinting, shall be released along with this presentation.

Saumil Shah continues to lead the efforts in e-commerce security research and software development at Net-Square. He is the co-author of "Web Hacking: Attacks and Defense" published by Addison Wesley. He has had more than eight years experience with network security and has perfomed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a reg ular speaker at security conferences worldwide such as BlackHat, RSA, etc.

Previously, Saumil held the position of Director of Indian operations with Foundstone Inc. in the US, and a senior consultant with Ernst & Young's Information Security Services. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member for their Management Development Programmes.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, infomation security, and cryptography. He also holds a CISSP certification. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996)

Return to the top of the page

Terrorism and Immigration: The Economics of
Secure Identity
Adam Shostack, Privacy Curmudgeon

Adam Shostack is a Privacy Curmudgeon. Previously, he spent three years as Most Evil Genius at Zero-Knowledge Systems, building privacy technology that remains ahead of its time. He writes and speaks on a variety of security and privacy topics, with a focus on security, privacy, and economics. He has been an active cypherpunk, involved with issues of privacy, security, and cryptography for over a decade.

Return to the top of the page

David Aitel

David Blight

Mark Burnett

Jamie Butler

Harlan Carvey

Cesar Cerrudo

Chris Conacher

Stephen Dugan

Jim Edwards

Halvar Flake

James Foster


Bryan Glancey

Dan Geer

Jennifer Stisa Granick

Jeremiah Grossman

Jim Harrison

Steve Hofmeyr

Curtis EA Karnow

Curtis Kret

David Litchfield

Drew Miller

Derek P. Milroy

Gunnar Peterson

Sergey Polak

Steve Riley

Laura Robinson

Russ Rogers

Hidenobu Seki

Saumil Udayan Shah

Richard Thieme

Black Hat Logo
(c) 1996-2007 Black Hat