The Black Hat Briefings '00, April 3rd - 4th Singapore

Greg Hoglund - Rootkit.com
Advanced Buffer Overflow Techniques
This is a technical talk aimed at people who have already been exposed to buffer overflows and want to learn more. The talk assumes the audience has at least some knowledge of CPUs and processes. For those of you who already understand buffer overflows, this talk will be a refreshing discourse on technique. We will show how the injection method can be decoupled from the payload. We then explore the details and challenges of injecting code into a remote process. We will also explore the payload, the encoding methods, and how to dynamically load new functions. Lastly, we discuss the possible effects of a payload, including network worms, viruses, and rootkits.
Greg Hoglund is a software engineer and researcher. His most notable achievement was the creation of the Asmodeus Security Scanner, a Windows NT-based port scanner and Ethernet sniffer, which he later sold to Webtrends, Corp. Additionally, Hoglund has written several white papers on content-based attacks, kernel patching, and forensics. He currently works as a researcher for Tripwire Security Systems, exploring forensics issues.

Batz - Independent Security Researcher.
Casing the Joint. What we already know about your network.
An overview of what an attacker already knows about your network. The information is described using an ASN.1 template for possible integration into autonomous agents, conspicuously similar to the ones described in Caezar's presentation.
Batz is an independent security researcher and Evil Super Villain who caused a stir last year by bringing to light some serious concerns with BGP4 configuration and implementation at Blackhat Briefings 99 in Las Vegas, Nevada.

Caezar -
Malicious Information Gathering
As in physical surveillance, information can be gathered about a target network without penetrating its security perimeter. Using computer virus and worm techniques to surround the target, an opponent can monitor and collect web and e-mail traffic. Critical business communications could be altered in transit or halted altogether. This discussion will cover independent autonomous agents, information filtering and malicious code propagation.

Jeremy Rauch - UN*X Security Specialist, Security-Focus.com.
Dave Ahmad - UN*X Security Specialist, Security-Focus.com.
Routers, Switches & more: The glue that binds them all together.
By now, anyone with an inkling about security knows that they need to protect their assets. We've all heard we need a firewall, and we all know that we need to lock down machines. What about the glue that binds them all together? The routers, switches, network administration protocols, authentication protocols...what about that stuff? This talk will go into the security flaws you don't even think about, don't realize are there, or have dismissed as being inconsequential.
Jeremy Rauch has been involved in discovering and researching security vulnerabilities from a number of different perspectives. Working with vendors, he has identified and helped fix over two dozen major security vulnerabilities. Jeremy is currently a developer at one of the largest security vendors, where part of his duties includes the identification and reporting of security risks. Jeremy is also one of the founders of Security Focus, Inc., a centralized online security resource offering security news, products, events, books, tools, and one of the most comprehensive vulnerability listings on the net.
Dave has been working with network and Unix security for a number of years and is a founding member of Security-Focus.com. He has dealt with both general Unix auditing and intrusion detection as well as secure software development. Dave is the co-host of Info.Sec.Radio, a radio show airing twice a month on both a Canadian radio station and the Internet via a RealAudio stream.

Marcus Ranum - CEO, Network Flight Recorder.
Intrusion Detection and Network Forensics.
Marcus Ranum is CEO of Network Flight Recorder, Inc., and has been specializing in Internet security since he built the first commercial firewall product in 1989. He has acted as chief architect and implementor of several other notable security systems including the TIS firewall tool kit, TIS Gauntlet firewall, whitehouse.gov, and the Network Flight Recorder. Marcus frequently lectures on Internet security issues, and is co-author of the "Web Site Security Source book" with Avi Rubin and Dan Geer, published by John Wiley and Sons.

JD Glaser - CEO of NT Objectives.
Auditing NT
This talk will be the third in a series to address the issue of auditing an NT box after a break-in. Specifically, we will extend our look under the hood to find places where altered files can hide as well as examine the evidence left behind by an intruder. This talk will also cover a set of tools that can uncover various hidden aspects of NT's internal state. NT's built-in tools are not sufficient in most cases for examining system state, so this talk includes a small tutorial on a suite of free tools I have made.
* Examine NTFS file time stamping
JD Glaser is CEO of NT OBJECTives, Inc., a maker of security audit tools for Windows NT, most notably NTLast and Forensic Toolkit, which are free tools for the security community. He is an MCSE/MCSD who specializes in contract DCOM programming and NT network security. Clients have included Intel, HP, Columbia Sportswear and Tripwire. Latest projects have involved NTFS file system code for Tripwire for NT and file system filters for real-time detection systems for NT that bypass NT's untrusted API.

Jennifer Granick - Attorney at Law.
International Legal issues surrounding computer hacking.
A global computer network poses special questions in computer crime prevention and punishment. There is no international consensus on what a computer crime is or what should be prohibited conduct. Nor are there agreements on procedural matters such as transborder searches, data preservation, standard of proof or jurisdiction. This presentation will review the points of contention, discuss current efforts towards obtaining consensus and highlight the benefits and detriments of international consensus to investigators and civil libertarians alike.
Jennifer Stisa Granick is a defense lawyer practicing in the areas of high tech and computer crime from her office in San Francisco. She defends unauthorized access, trade secret theft, and email interception cases nationally. Granick has written articles on wiretapping, workplace privacy and trademark law for Wired. Additionally, she has spoken at previous Black Hat Briefings and to NASA computer security professionals about computer crime laws, digital forensics and evidence collection.

Martin Khoo - Assistant Director, Incident Handling, SingCERT
Responding to Cyber Threats.
IT and the Internet are fast becoming important parts of our national competitiveness. With the emerging globalization and worldwide connectivity, Internet security threats in other parts of the world can quickly translate into security issues that are potentially damaging to the local IT community. It is crucial for Singapore to be able to respond efficiently and effectively to Internet computer incidents and security breaches. It is important to have a localized CERT effort that offers security incident resolution services in a timely and effective manner. This talk will introduce the Singapore Computer Emergency Response Team (SingCERT) and cover the various programmes and initiatives that SingCERT offers to its constituency. It will also touch on the experience and lessons learnt through the handling and resolution of security incidents and highlight some of the trends in incidents reported to SingCERT.
Martin is an Assistant Director with the Infocomm Development Authority (IDA) of Singapore. He takes charge of security incident management where he oversees a group of IT Security Consultants in providing security services to the various government organizations. He is also the Programme Manager of the Singapore Computer Emergency Response Team (SingCERT), which is the national-level security incident response center charged with the prevention, detection and resolution of computer security incidents on the Internet and Singapore ONE. He manages a group of Security Consultants providing incident resolution and security awareness promotion services to the local IT industry and the general IT users. Martin is a frequent speaker on subjects regarding security and incident handling. He last spoke at the PKI Conference on "Instilling Trust for Secure eCommerce" organized by CommerceNet Singapore in October 1999.

Pierre Noel - CEO of ICSA.net Asia Pacific
Internet Age: Why Security Architectures Fail (The Story of the Maginot Line Under Attack)
Why are so many companies, organizations and agencies regularly hacked? Some of these regularly hacked organizations have, however, invested huge amounts in crafting their IT architectures. Security products, both hardware and software, are available off-the-shelf. Some of them underwent strong security certifications, and they are widely used in the Internet, even by the companies mentioned above. So, what's wrong with the strategy? In a 1998 survey on the 'barriers and inhibitors to eCommerce,' four out of the five most important inhibitors were security-related; the same survey in '99 showed these security-related inhibitors pushed back to rank 20 to 50! Does this mean that security is no longer an inhibitor to eCommerce? Or does this imply something else? Prior to the second World War, the French Army erected the Maginot Line to protect themselves against invasion. Pride of the nation, the Maginot Line proved to be totally useless, and the invasion of France took place at a very rapid pace. Can we possibly transpose this story to the IT world? With a series of 'field' observations, Pierre will discuss the reasons for security weaknesses, and derive simple paths to reducing these exposures.
Pierre Noel is currently the CEO of ICSA.net Asia Pacific and the president and founder of Burton & Brooks International, a consulting firm specializing in IT security for large enterprises and governments. As president of Burton & Brooks, Pierre is charged with the role of chief technical officer for the Hong Kong Post Public Key Infrastructure and Root Certification Authority project. Previously, Pierre was first the director of security best practice, Asia for PLATINUM technology, before he was promoted to vice president for Security Consulting Worldwide after Computer Associates' acquisition of PLATINUM.
Pierre has more than 10 years of experience in providing independent consultancy worldwide. He specialized in the fields of Enterprise Security and large scale mission critical OLTP systems. Pierre was chief consultant and architect at the Open Software Foundation, then known as The Open Group.

Wilfred Adrian Nathan - Head, Computer Forensics Branch, CID Singapore.
Computer Crime: The law enforcement perspective with case studies.

Joey__ (a.k.a Nishad Herath) - CTO of SecureSolv.com.
Advanced Windows NT Security.
In his talk, he will walk you through the exploitation of an unpublished real-world Windows NT-based buffer overflow exploit as an example, discussing the following:
* A reverse engineering approach to Windows NT software security exploration. How advanced tools like IDA and SoftICE can be utilised to analyze software and OS for vulnerabilities. (Who cares about source!)
Joey__ is the CTO of SecureSolv.com, Sri Lanka's pioneering IT security consultancy firm specializing in IT security for e-Businesses, advanced security research, auditing, reverse-engineering services as well as technical consultancy for security products and services. With more than 6 years of experience in the industry, Joey__ specializes in Windows NT / Windows 2000 kernel architecture, security, system internals exploration, exploitation and intrusion protection techniques. His early work includes publishing the internal workings of Windows NT Native Call Interface, which was undocumented at the time.