Black Hat Digital Self Defense Europe 2005
briefings

Black Hat Europe 2005 Conference Overview

Black Hat Europe 2005 Briefings Speakers Black Hat Europe 2005 Briefings Schedule Black Hat Europe 2005 Sponsors Black Hat Europe 2005 Training Black Hat Europe 2005 Hotel & Venue Black Hat Europe 2005 Registration
training
details Current Sponsors for Black Hat Briefings Europe 2005
Black Hat Europe 2005 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Europe 2005 Sponsor

Europe 2005 Presentations are online.

Black Hat Speakers
Keynote
Simon Davies, Privacy International

Simon Davies is widely acknowledged as the world’s foremost privacy advocate. His work in the fields of civil rights, consumer protection and technology policy has spanned almost twenty years. Simon is perhaps best known as the founder and Director of the watchdog group Privacy International, but is also an academic, journalist, broadcaster and author.

Simon has worked extensively in more than 40 countries on issues ranging from national security, media privacy and human rights reform, through to international law and government data systems. He is the author of five books and more than a thousand articles, and writes regularly for publications such as the Los Angeles Times, the New York Daily News, the San Francisco Chronicle, Wired, The Daily Telegraph (London), The Guardian, The International Herald Tribune and the Sunday Times.

Simon has been a Visiting Law Fellow at both the University of Greenwich and the University of Essex, and since 1997 has been Visiting Fellow in the Department of Information Systems in the London School of Economics.

He has also advised a wide range of corporate, government and professional bodies including UNESCO, the European Parliament, the British Medical Association, UNISYS, the RAND Corporation, IBM and the UK Government.

Return to the top of the page

Yersinia, A Framework For Layer 2 Attacks
David Barroso, Security Consultant, S21SEC Company
Alfredo Andres Omella, Security Consultant, S21SEC Company

Yersinia is a framework for performing layer 2 attacks. The following protocols have been implemented in Yersinia current version: Spanning Tree Protocol(STP), Virtual Trunking Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, Cisco Discovery Protocol and, finally, the Dynamic Host Configuration Protocol (DHCP). Some of the attacks implemented will cause a DoS in a network, other will help to perform any other more advanced attack or both. In addition, some of them will be first released to the public since there aren’t any public implementation. Yersinia will definitely help both pen-testers and network administrators in their daily tasks.

David Barroso has been involved in the security field for many years, playing around in different subjects like incident response or network security. He currently holds CISSP, GSEC and GCIA certifications, and there are two papers available in the internet: A practical approach for defeating Nmap OS-Fingerprinting and The Rise of the spammers

He has also coded some exploits, mainly for the pen-testing task. The last public exploit published is 'sslbomb', a DoS against IIS (MS04-11). He participates in several open source projects in the internet, and submit patches when possible (libnet, bins, linux counter, drac, ...) He also runs a mailing list for discussing forensics issues in spanish.

Alfredo Andres has always been interested in network security, coding different applications, both public and private. One of the public tools available is SING (http://sing.sf.net) used in some papers like Ofir Arkin’s ICMP usage in scanning. Besides, he usually help the community in different projects, submiting patches (tcpdump, libnet). He also holds the CISSP certification and has also coded some exploits, mainly for the pen-testing task. The last public exploit published is 'sslbomb', a DoS against IIS (MS04-11).

Return to the top of the page

Hacking PGP
Jon Callas, CTO, CSO, and Co-Founder, PGP Corporation

PGP is the most secure, most widely used cryptosystem there is. But for every move there is a countermove. For every lock, there's a way to pick it.

Assume that you want to break a system that uses PGP as an underlying component. How would you do it? What would you do, how would you do it? This talk discusses how you would attack PGP cryptographically, in the network, in the computer system, and in the larger use system. More importantly, the techniques that will be discussed don't apply to PGP, they apply to *any* cryptosystem that you might use.

Jon Callas joined PGP Corporation in July 2002 as Chief Technology Officer and Chief Security Officer. He co-designed the next-generation PGP products and was one of the main presenters to venture capital during the fund-raising for PGP Corporation. He is an innovator and an acknowledged expert in all major aspects of contemporary business security, including cryptography, operating system security, public key infrastructure, and intellectual property rights. He is the principal author of the Internet Engineering Task Force’s (IETF’s) OpenPGP standard and a writer and frequent lecturer on system security and intellectual property issues.

Return to the top of the page

Hacking Windows Internals
Cesar Cerrudo, Application Security Inc.

This presentation will show some internal Windows mechanims that still have flaws and that could be used as new explotation/attack vectors. Basically the presentation will cover some Windows IPC (Inter Process Communication) mechanisms that have been weakly designed or implemented. During this presentation methods and tools for helping in exploiting and detecting these new flaws will be showed.

Cesar Cerrudo is a security researcher specialized in application security. Cesar currently works for Application Security, Inc. Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security and has been invited to present at a variety of companies and conferences including Microsoft and Black Hat.

Return to the top of the page

Symbian Security
Job de Haas, Technical Director, ITSX

The presentation will cover a basic intro into Symbian from a security perspective. It will show that it basically is security from the era of Windows 98. Possible topics include analysis of known viruses and trojans, attack demonstrations, tools to aid reverse engineering of Symbian OS programs or the OS itself. Show some differences between the different Symbian licensees such as Nokia and SonyEricsson. Show the security measures that have been taken or that could or should be taken.

Job de Haas got involved in the area of Internet and security in 1991, during his studies in Electrical Engineering, when he responded to internet providers offers to hack their sites and win a free account. Following post-graduate studies in Control Engineering and three years of work in aerospace robotics at the Netherlands National Aerospace Laboratory, he worked for DigiCash, where he acquired experience in cryptographic techniques used in secure, anonymous payment systems for the Internet. Now, after leading ITSX for five years, Job moved to the position of Technical Director where he leads and supervises the penetration testing teams.

Return to the top of the page

A New Password Capture on Cisco System Devices
Stephen Dugan, 101Labs

This talk will show a new way to get a password from a Cisco administrator. This technique utilizes a couple of the most basic default settings within a Cisco box. Admittedly most admins turn this particular default off, not for security reasons, just because its down right annoying. Anyone willing to bring a laptop, plug into the test lab, an act the part of an administrator will get a first hand look into how this exploit works. This exploit is relatively simple in relation to understanding Cisco devices. Anyone attending, regardless of Cisco knowledge should be able to understand how this works.

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.

Return to the top of the page

Building Zero-Day Self-Defending Web Applications: Enforcing Authoritative Action to stop Session Attacks
Arian J. Evans, Senior Security Engineer, FishNet Security

Web applications today suffer from state issues, weak session handling, and lack of stateful authorization. Many of the issues are well known, but the techniques for building secure applications are still relatively ignored. This is due to lack of documentation and awareness of the threats and attack methods; that landscape is rapidly changing.

Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community. This presentation will summarize and clarify State, Session, and Authorization attacks in a simple, effective Taxonomy, disclosing new Session and Authorization attacks disclosed in recent months.

Then we will detail new methods for defending web applications against Session and Authorization attacks, and along the way we might just limit what XSS and XST workflow-bypasses can accomplish. The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs.

Arian Evans has spent the last seven years pondering information security, and disliking long bios. His focus over the years has been on intrusion detection and application security. In 2001 at the Seabeckcon "conference" he proposed 'reverse-IDS' for applications, was criticized, and later vindicated by the swelling of NBAD and ABAD devices that don't work.

He currently works in the assessment services group for FishNet Security. His focus is on researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security. He has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response.

Arian has contributes to the information security communitay in the form of vulnerability research & advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything.

Return to the top of the page

Network Flows and Security
Nicolas Fischbach, Senior Manager, European Network Security Engineering, COLT Telecom & Co-founder Sécurité.Org

Network flows have been ignored for a long time. During the last couple of years they have been used as a key information to detect and characterize DDoS attacks on the Internet. That's not their only interesting use. On an internal network (be it a large management network or a global entreprise IT network for example) they enable early detection of worm breakouts, infected workstations and covert channels to list a few examples. Network flows are also very helpful for forensics since quite often a full traffic dump isn't available (for multiple reasons: size, scalability, bandwidth, etc). Linking these two together gives a macroscopic view (netflow) of the network that can be linked with a microscopic view (full dump) "on demand". Network flows is to use them to build a baseline and detect policy violations, this enables the security administrator to "enforce" the security policy and detect people trying to circumvent it (using tunnels for example). We'll go through deployment scenarii and for each application show and list some examples of what to look for.

This is the experience from a telco/carrier doing a european wide Netflow deployment!

Nicolas Fischbach is a Senior Manager, in charge of the European Network Security Engineering team at COLT Telecom, a leading pan-European provider of end-to-end business communications services.

He holds an Engineer degree in Networking and Distributed Computing and is a recognized authority on Service Provider infrastructure security and denial-of-service attacks mitigation.

Nicolas is co-founder of Sécurité.Org a French speaking portal on computer and network security, of eXperts, an informal security research group and of the French chapter of the Honeynet project.

He has presented at numerous technical and security conferences, teaches networking and security courses at various universities and engineering schools, and is a regular contributor to the french security magazine MISC.

More details and contact information on his homepage.

Return to the top of the page

Compare, Port, Navigate
Halvar Flake, Reverse Engineer, Black Hat
Rolf Rolles

Halvar Flake is Black Hat's resident reverse engineer. Originating in the fields of copy protection, he moved more and more towards network security after realizing the potential for reverse engineering as a tool for vulnerability analysis. He spends most of his screen time in a disassembler (or developing extensions for the disassembler), likes to read source code diff's with his breakfast and enjoys giving talks about his research interests. He drinks tea but does not smoke camels.

Rolf Rolles moved to security through malware analysis instead of vulnerability research. He also spends most of his screen time in a disassembler (or developing extensions for the disassembler), and also spends too much time on math. Some of the results of his work are built into the products of SABRE Security GmbH.

Halvar and Rolf had known each other years ago, and only recently teamed up to share ideas on using math for reverse engineering and obscure quotes from interviews with dead rappers.

Return to the top of the page

Hacking in a Foreign Language: A Network Security Guide to Russia
Kenneth Geers

Has your network ever been hacked, and all you have to show for your investigative efforts is an IP address belonging to an ISP in Irkutsk? Are you tired of receiving e-mails from Citibank that resolve toMuscovite IP addresses? Would you like to hack the Kremlin? Or do you think that the Kremlin has probably owned you first? Maybe you just think that Anna Kournikova is hot. If the answer to any of the above questions is yes, then you need an introduction to the gulag archipelago of the Internet, the Cyberia of interconnected networks, Russia.

Do not let the persistent challenges of crossing international boundaries intimidate you any longer. In this briefing, we will follow several real-world scenarios back to Russia, and you will learn valuable strategies for taking your investigations and operations one
big geographical step further. A brief introduction to Russia will be followed by 1,000 traceroutes over the frozen tundra explained in detail, along with an explanation of the relationship between cyber and terrestrial geography.

Quick: name one significant advantage that Russian hackers have over you. They can read your language, but you cannot read theirs! Since most Westerners cannot read Russian, the secrets of Russian hacking are largely unknown to Westerners. You will receive a ten-minute primer of the Russian language, to include network security terminology, software translation tools, and cross-cultural social engineering faux-pas (btw, this methodology will apply to cracking other exotic languages as well).

Finally, I will tie up, both in practical and in philosophical terms, a new methodology for crossing international frontiers in cyberspace. The briefing paves the way for amateur and professional hackers to move beyond their lonely linguistic and cultural orbit, in order to do battle on far-away Internet terrain. Contact information and resources for Russian hacking groups and law enforcement personnel will be provided, along with the results of personal interviews with Russian law enforcement figures conducted in Russian and translated for this briefing.

Kenneth Geers (M.A., University of Washington, 1997) is an accomplished computer security expert and Russian linguist. Hiscareer includes many years working for the United States government as a translator, programmer, website developer and analyst. The oddest job he has had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested grapes in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and set his alarm clock for 3 AM in a Trappist monastery. He loves to read computer and network logs of all types. In his free time, he plays chess and serves as a SANS mentor in the Washington D.C. area. He loves Russia, his wife Jeanne, and daughters Isabelle and Sophie.

Return to the top of the page

Can You Really Trust Hardware? Exploring Security Problems in Hardware Devices
Joe Grand, President & CEO, Grand Idea Studio, Inc.

Most users treat a hardware solution as an inherently trusted black box. "If it's hardware, it must be secure," they say. This presentation explores a number of classic security problems with hardware products, including access to stored data, privilege escalation, spoofing, and man-in-the-middle attacks. We explore technologies commonly used in the network and computer security industries including access control, authentication tokens, and network appliances. You'll leave this presentation knowing the consequence of blindly trusting hardware.

Joe Grand is the President of Grand Idea Studio, a San Diego-based product development and intellectual property licensing firm, where he specializes in embedded system design, computer security research, and inventing new concepts and technologies. Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty" and a co-author of "Stealing The Network: How to Own A Continent". Joe holds a Bachelor of Science degree in Computer Engineering from Boston University.

Return to the top of the page

The Art of Defiling: Defeating Forensic Analysis
the Grugq

The Grugq has been at the forefront of forensic research for the last six years, during which he has been pioneering in the realm of anti-forensic research and development. During this time, he has also worked with a leading IT security consultancy and been employed at a major financial institution. Most recently he has been involved with an innovative security software development start-up company. Currently the Grugq is a freelance forensic and IT security consultant. While not on engagements, the Grugq continues his research on security, forensics and beer.

Return to the top of the page

Attacking Distributed Systems: The DNS Case Study
Dan Kaminsky, Senior Security Consultant, Avaya

In "Black Ops of DNS", I examined how aspects of the domain name infrastructure could be repurposed into allowing illicit network access, attacker detection of incident response / forensic analysis, and even large scale data streaming. Here, I'll demonstrate further, more mature attacks against the DNS infrastructure, and document the analysis process by which one can "see a distributed protocol as a hacker might" using DNS as a case study. I will also discuss how the use of MD5 in distributed protocols opens up new and unexpected avenues for attack.

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems.

He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", was a co-author of "Stealing The Network: How To Own The Box", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings.

Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

Return to the top of the page

Mac OS X Kernel Insecurity
Christian Klein
Ilja van Sprundel

Kernel vulnerabilities are the new hot thing in the exploiting world. Removing all but the minimum of suid binaries and removing all non essential daemons is what every good administrator does nowadays.

But it is very hard to do the same with a kernel. And unlike many others userland applications kernels are HUGE programs, usually compromised of hundreds of thousands of lines of code or even more. These have vulnerabilities aswell.

This talk will focus on kernel level vulnerabilities in the macos X kernel also known as Darwin. A mix of mach 3.0 and (Free)BSD code. The specific types of bugs looked at will mainly be information leaks and stack/heap based bufferoverflows.

Attentands are expected to have a firm knowledge of stack and heap overflows (in userland) and some understanding of operating system concepts (specifically unix internals).

Christian Klein is a computer science student at the University of Bonn, Germany. After working in a consulting company for the industry and government, he dropped out to return to research and development.

Ilja van Sprundel is a university dropout with a passion for somewhat offensive computer security. Among other things he has previously implemented a secure credit card transaction solution. Ilja also attended the RWTH-Aachen summerschool of applied I.T security where he learned a great deal about offensive and defensive security mechanisms. He is also the winner of the 21c3 stacksmashing contest and a member of the Netric security research group.

Return to the top of the page

Database Rootkits
Alexander Kornbrust, Red-Database-Security

The talk describes how to transfer the concept of (OS) rootkits to the database world. Alexander Kornbrust demonstrates how to hide users/processes/jobs in a database to avoid detection from (dba) tools and security audits. He also explains how to identify rootkits/backdoors in a database with a special tool called repscan. Then he generalizes this problem to repository based system and explains how to modify applications in future to avoid these kinds of problems. A basic knowledge of databases is recommended.

Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialised in Oracle security. He is responsible for Oracle security audits and Oracle Antihacker trainings. Before that he worked several years for Oracle Germany, Oracle Switzerland and IBM Global Services as consultant. Alexander Kornbrust is working with Oracle products as DBA and developer since 1992. During the last 5 years found over 100 security bugs in different Oracle products. Publications and further information can be found at: http://www.red-database-security.com

Return to the top of the page

Bluetooth Hacking - Full Disclosure
Adam Laurie, The Bunker Secure Hosting Ltd.
Martin Herfurt,
trifinite.org
Marcel Holtmann, BlueZ.org

In November 2003, Adam discovered serious flaws in the authentication and data transfer mechanisms on some bluetooth enabled devices, and, in particular, mobile phones including commonly used Nokia, Sony Ericsson and Motorola models. Shortly thereafter, Martin Herfurt of Salzburg Research Forschungsgesellschaft mbH expanded on these problems, and teamed up with Adam to investigate further. At EuroFoo in August 2004, Adam and Marcel Holtmann met, and agreed to colaborate on looking into the underlying causes of the problems, as well as sharing information and resources to try and gain a better foothold for the opensource community within the official bluetooth organistaions.

This talk will cover the issues arising out of the flaws, as well as the actual atack methodolgies and tools used, and an update on the industry's response and progress since the original discoveries.

This will be a fun talk and a real eye-opener for those with bluetooth enabled devices, and will start with an introduction into the Bluetooth architecture and the security mechanisms offered by it so that it is possible to understand how and why the different attacks are working. Further there will be an introduction into the Linux Bluetooth stack BlueZ that will be used for doing the attacks and showing exactly how these attacks are working.

For further background information on the issue, see:
http://www.thebunker.net/release-bluestumbler.htm

Adam Laurie is Chief Security Officer and a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers - http://www.thebunker.net) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

Martin Herfurt is a researcher at the Salzburg Research Forschungsgesellschaft m.b.H and lecturer in Telecommunications Engineering Degree Program at the Salzburg University of Applied Sciences and Technologies.

He completed his Telecommunications Engineering Degree at the Salzburg University of Applied Sciences and Technologies in 2001. Alongside his study Martin was involved in numerous industry projects, providing him with commercial programming practise.

In 2000 Martin followed up his formal study with a four-month internship at the telecommunications institute of TELCOT institute in San Ramon, California, USA.

Since the second half of 2000 Martin has been working as a full time researcher at Salzburg Research Forschungsgesellschaft m.b.H. His project responsibilities range from the co-ordination of a European IST project with a total budget of over 5 million Euro to software agents development.

Together with a Salzburg Research colleague, Martin began in the summer of 2003 a class on mobile data services at the Salzburg University of Applied Sciences and Technologies.

Martin is also currently working on a PhD in computer science at the University of Salzburg.

As part of his fascination with the rapid development in computer programming Martin has become a regular participant in the Chaos Communication Congress which is a yearly meeting of the German hacker association CCC.

Marcel Holtmann is the maintainer and the core developer of the official Linux Bluetooth stack which is called BlueZ. He started working with the Bluetooth technology back in 2001. His work includes new hardware drivers, upper layer protocol implementations and the integration of Bluetooth into other subsystems of the Linux kernel. In January 2004 he overtook the maintainer role from the original developer Max Krasnyansky.

Together with Jean Tourrilhes he maintains the OpenOBEX project. He is also responsible for the IrDA and Bluetooth integrations of the Gnokii project.

Return to the top of the page

SQL Injection & Data Mining Through Inference
David Litchfield, Founder, Next Generation Security Software

David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognised by Information Security Magazine who voted him as 'The World's Best Bug Hunter' for 2003. To date, David has found over 150 vulnerabilities in many of today's popular products from the major software companies (the majority in Microsoft, Oracle).

David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II.

In addition to his world leading vulnerability research and the continued development of cutting edge security assessment software, David has also written or co-authored on a number of security related titles including, "SQL Server Security", "Shellcoder's handbook" and "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle"

Return to the top of the page

Google Hacking For Penetration Testers
Johnny Long, CSC

Since Blackhat Vegas 2004, there's been little doubt that "Google Hacking" is for real, and it's here to stay. Attackers are using search engines like Google in amazing and sometimes unexpected ways. Leaping to the next level of the BH Vegas 2004 talk, this talk aims to raise the awareness of the community about the unbelievable things the bad guys are doing with Google. Attendees will witness first-hand how attackers can perform port scans and CGI scans, detect SQL injection points, perform full blown network recon, dig up email addresses, hostnames, usernames, passwords, social security numbers, and even financial information like credit card numbers and bank account info, all without sending a single packet to the target! This talk is great fun and has secured rave reviews from the community, but is handled with the seriousness the topic deserves. The world needs less targets. Learn how you can prevent this type of insidious attack and prevent serious information leakage from your networks! Still not convinced? OK, then come to the talk simply to witness the insanity of Johnny blazing through 170+ slides in under an hour... that's got to be some sort of record!

The speaker, Johnny Long, maintains the Internet's most comprehensive database of Google exposures on his website.

Johnny Long did not develop his skills within the hallowed halls of higher learning but rather by spending way too many late nights huddled in front of his computer, developing his anti-social tendencies.

Mr Long (Johnny's professional alter-ego) has previously presented at SANS and other computer security conferences nationwide. In addition, he has presented before several government alphabet-soup entities including three starting with the letter 'A', four starting with the letter 'D', a handful starting with the letters 'F' and 'S' and two starting with the today's letter, the letter 'N'. During his career as an attack and penetration specialist, Mr Long has performed active network and physical security assessments (one in the cube is worth twenty on the net) for hundreds of government and commercial clients.

Johnny Long is the Author of 'Penetration Testing with Google', available December 2004 from Syngress Publishing.

Johnny drinks tea and taunts camels.

Return to the top of the page

Injecting Trojans via Patch Management Software & Other Evil Deeds
Chris Farrow, CISSP, GSEC, Director, Center for Policy & Compliance, Configuresoft, Inc.

Patch management is an essential part of the systems security management lifecycle, which has led to a proliferation of patch management product, vendors and methodologies, It is important to acknowledge is that there will always be a window of vulnerability between the time a new vulnerability is discovered and the time the patch is available. This talk will take a vendor and technology neutral look at the process used to retrieve, validate and deploy patches in a Microsoft Windows environment. It will point out ways that a less- than-honorable person could abuse these processes and use the very tools used to protect systems as a window to compromise them. In addition to various attack scenarios from both an external (Internet) and internal (Local LAN) point of view, the presenter will offer supporting research and deconstruct a proof-of-concept patch, designed to fool certain patch management systems.

Chris Farrow, Director, Center for Policy & Compliance, Configuresoft
With over 15 years of experience in systems engineering and security, Mr. Farrow has assisted many Fortune 1000 companies in securing their infrastructures. His background crosses several industries including the US Military, healthcare, manufacturing, investment banking and software development. Prior to his current position at Configuresoft, he has held positions as product manager and systems engineer for several well known vendors such NetIQ, Intrusion.com and BindView Corporation. Chris has been an industry resource on the topics of regulatory compliance, intrusion detection, and vulnerability management technologies and has publicly spoken at numerous conferences including SANS, Gartner IT-Expo, NetConnect, InfoSec, and ISACA. Mr. Farrow participates as a SANS local mentor in Colorado Springs, CO and holds the CISSP, GSEC, MCSE and CNE certifications.

Return to the top of the page

WLAN and Stealth Issues
Laurent Oudot, Security Expert, RSTACK Team

When we think about wireless security, the very first step of an aggressor is to find a signal. Then, it might be possible to launch different classes of attacks such as man in the middle, recording, cyphering attacks, denial of service, etc. To improve the security of such an architecture, it might be a good idea to limit access-point coverage to radiate out towards windows, but not beyond : but sometimes it might not stop attackers inside the company, and wireless devices become smaller and smaller (!). Most of the time, whitehats also try to harden wireless clients and AP, but recent attacks destroyed things like WEP, etc.

The purpose of this talk is to look at the weapons that might be used by whitehats in order to hide wireless devices and to prevent opportunistic attackers (wardrivers, etc). We will first look at usual solutions and their limitations (closed networks, etc). Then a new concept will be proposed, with interactive demos [bring your laptop and WLAN device, scanning will be allowed :-)]. This idea might help people at hiding their own AP, and proof of concept source code will be provided (for routers and laptops).

Though the goal is to propose new innovative whitehats concepts to hide such an architecture in some conditions, we must admit that parts of this talk might also give ideas to blackhats that would like to setup stealth or evil rogue access points...

Laurent Oudot (http://rstack.org/oudot) is a security expert currently employed by the CEA (french equivalent of the US DOE). On his spare time, he is a member of a team "RstAck" composed of security addicts and geeks.

Laurent's research focus on defensive technologies highly closed to blackhats activities like honeypots, intrusion prevention, intrusion detection, firewalls, sandboxes, mandatory access control, etc.

Laurent is the (co-)author of several research papers published and released at Security Focus, Institute of Internal Auditors, MISC magazine, etc. He has presented at national and international conferences and meetings such as annual Defcon, Black Hat USA&Asia, Cansecwest, Pacsec, Hope, Honeynet Project, etc.

Laurent teaches network and systems security, and has managed numerous security projects for about ten years. He is a member of the steering committee of the Honeynet Research Alliance.

Return to the top of the page

Revolutions in Web Server/Application Assessments
SensePost

Over the last few years the thinking on web server and web applications assessment tools haven't seen major changes. During this presentation SensePost would like to showcase some of the technologies that have been in development in the SensePost labs for the last 9 months as well as demonstrating our thinking and problem solving approaches on the topic. All of the tools and papers that will be used during the talk will be available for download to the public (at some stage - some are still in beta). These include:

  • Wikto version 1.6 (web server assessment tool)
  • Crowbar (generic web application brute force tool)
  • E-Or (web application assessment automation tool)

Roelof Temmingh is the Technical Director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of PERL code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many International Conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is currently SensePost's Director of Development (and coffee drinking). He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including the Black Hat Briefings. Haroon doesnt drink tea or smoke camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

Return to the top of the page

Defeating Automated Web Assessment Tools
Saumil Udayan Shah, Director, Net-Square Solutions

Saumil Udayan Shah, Founder and CEO, Net-Square Solutions Pvt. Ltd.

Saumil continues to lead the efforts in e-commerce security research and product development at Net-Square. His focus is on researching vulnerabilities with various e-commerce and web based application systems, system architecture for Net-Square's tools and products, and developing short term training programmes. Saumil also provides information security consulting services to Net-Square clients, specializing in ethical hacking and security architecture. He holds a designation of Certified Information Systems Security Professional. Saumil has had more than ten years experience with system administration, network architecture, integrating heterogenous platforms, and information security and has perfomed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker and trainer at security conferences such as BlackHat, RSA, etc.

Previously, Saumil was the Director of Indian operations for Foundstone Inc, where he was instrumental in developing their web application security assessment methodology, the web assessment component of FoundScan - Foundstone's Managed Security Services software and was instrumental in pioneering Foundstone's Ultimate Web Hacking training class.

Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for the company's ethical hacking and security architecture solutions. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member there.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, infomation security, and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996)

Return to the top of the page

Architectural Challenges in a Jericho World
Paul Simmonds, Global Information Security Director, ICI Plc.

This presentation shares some of the thinking that is going on within the Jericho Forum and other associated bodies on the architectural solutions that you may employ today or the near future to allow you to operate in a deperimiterised environment. The session looks at the flaws in the way systems are currently designed, and the change in mindset that is required when designing for tomorrow and covers the changes needed in protocols, systems, OS, and applications.

This presentation marks the launch of the Jericho Challenge, a global competition open to all, to design and operate a system that operates to de-perimiterised architectural principles that is capable of both operating and surviving directly on the Internet.

Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI, working for the CIO Office in London. Prior to joining ICI he spent a short time with a high security European web hosting company as Head of Information Security, and prior to that seven years with Motorola, again in a global information security role. In his career he has worked with many external agencies, and has also been directly involved in two successful criminal prosecutions, giving evidence in one case.

Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication. He came to the Information Security field from a background in IT Systems Implementation and consultancy during which he wrote and implemented one of the UK's first web sites. Paul was voted 36th in the 2004 list of the top 50 most powerful people in networking, by the US publication Network World Fusion, for his work with the Jericho Forum.

Return to the top of the page

Owning Anti-Virus: Weaknesses in a Critical Security Component
Alex Wheeler, Research Engineer, Internet Security Systems
Neel Mehta, Research Engineer, Internet Security Systems

The hype to stop hackers is making AV software more popular now than ever because of the percieved protection AV software gives you against hackers. Even the average person is aware they want AV on their computer (see AOL, Netscape, and other ISP television ads). In addition, most large organizations deploy multiple AV solutions within different teirs of their network because of the percived protection AV software provides. What if: Instead of protecting ppl from hackers AV software was actually making it easier for hackers? Our talk will focus on auditing AV for security issues that may be abused, and present examples of those issues in popular AV products.

Alex Wheeler is an up-and-coming talented researcher at ISS X-Force. His role with X-Force centers around auditing critical network applications and technologies for security vulnerabilities. His recent audit focus on AV products has lead to the discovery of serious systemic and point vulnerabilities in many major AV products.

Neel Mehta works as an application vulnerability researcher at ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

Return to the top of the page

Automatically Detecting Web Application Vulnerabilities by Variable Flow Reconstruction
Stefano Zanero, Ph.D. Student, Politecnico di Milano University

Web application vulnerabilities have become a prominent security threat. Code auditing has proven to be ineffective in properly detecting all the paths leading to attacks. We are developing an automated and innovative code scanner for web applications which operates in a mostly language-independent fashion to track security vulnerabilities directly from the source code, by applying various language-theoretic procedures. Our work exploits the common underlying characteristics of most webapp vulnerabilities to give an unified framework for identifying them during the auditing phase. We will demonstrate a preliminary version of the auditing tool during the talk.

Stefano Zanero, M.S. in Computer Engineering, has graduated cum laude from the Politecnico of Milano school of engineering, with a Laurea (M.S.) thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Department of Electronics and Information of the same university. Among his current research interests, besides learning IDSs, are the performances of security systems, the security of web applications and clustering techniques. He has been a speaker at international scientific and technical conferences, and serves as a reviewer for "ACM Computing Reviews" and is a member of the board of the "European Research Journal on Computer Virology". He is a member of the IEEE and the ACM. Besides co-authoring books on information security and scientific articles, he is the author of the weekly "Security Manager's Journal" on Computer World Italy, and has been recently awarded a journalism award. Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Stefano recommends visiting the Secure Network website (www.securenetwork.it) for up to date security information.

Return to the top of the page

Alfredo Andres

David Barroso

Jon Callas

Cesar Cerrudo

Job de Haas

Simon Davies

Stephen Dugan

Arian J. Evans

Chris Farrow

Nicolas Fischbach

Halvar Flake

Kennth Geers

Joe Grand

the Grugq

Martin Herfurt

Marcel Holtmann

Dan Kaminsky

Christian Klein

Alexander Kornbrust

Adam Laurie

David Litchfield

Johnny Long

Haroon Meer

Neel Mehta

Laurent Oudot

Ralf Rolles

Saumil Shah

Paul Simmonds

Roelof Temmingh

Charl van der Walt

Ilja van Sprundel

Alex Wheeler

Stefano Zanero

Black Hat Logo
(c) 1996-2007 Black Hat