Black Hat Briefings & Training Europe 2005
Black Hat Europe 2005 Conference Overview

Black Hat Europe 2006 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Presentations are now on-line.

Black Hat Speakers

Keynote: Stuck in the Middle
Eric Litt, Chief Information Security Officer, General Motors

Prudence requires that we act “reasonably” in making the decision whether or not to disclose or report computer vulnerabilities. Yet, researchers, corporations, software vendors, hackers, users and governments all have different definitions of “reasonable.” As the CISO of one of the world’s largest corporations Eric Litt will offer a unique perspective on balancing the myriad definitions to meet the imperative of moving faster and being prepared for our zero-day world including:

  • When do you disclose vulnerabilities and what are the appropriate mechanisms to allow those who find them to receive appropriate recognition?
  • What are the necessary improvements in policies, procedures and relationships, required to reach consensus on what constitutes reasonable disclosure?
  • How do you reasonably balance the needs of all those impacted by a vulnerability?

Eric Litt is responsible for development and execution of General Motors’s enterprise-wide IT security strategy and driving implementation of security related programs into each region/business unit. Eric is also responsible for development and implementation of corporate IT security and control policies and standards, as well as ensuring that appropriate tools and metrics are in place to allow for effective monitoring, measurement and control of risk as it relates to IT security.

Prior to accepting this role, Eric was the Global Systems Architect for GM’s Product Development Organization. He has been an independent consultant, as well as working for such prestigious organizations as Battelle Memorial Institute, and Lincoln Electric Company.

Silver Needle in the Skype
Philippe Biondi, EADS/CRC
Fabrice Desclaux, EADS/CRC

Skype is a free (as in beer) voice over IP application. Many other VoIP applications exist, but some specific points make Skype very different: its peer-to-peer architecture, the ease with which it bypasses firewalls and, last but not least, the impressive level of obfuscation invested to prevent anybody from looking inside the software and its communications. This last point, added to its increasing success, gave birth to many myths about its security.

This presentation will uncover some Skype secrets hidden behind many levels of obfuscation, showing how bad security by obscurity can be. It will also describe many techniques and tools used to go through the obfuscation layers and speak Skype.

Can we snoop on your Skype communications? Can we decipher them from a dead capture? Can we impersonate you? Can we get information from your local network if you use Skype? Can we take control of your machine if you use Skype? To what extent can the use of Skype put your data and organisation at risk? These are some of the questions that will be answered.

Philippe Biondi works as a research engineer at the EADS Corporate Research Center in the system information security lab. He has given many talks at security and open source conferences. He is the author of open source projects such as Scapy and Shellforge, and was a co-author of LIDS.

Fabrice Desclaux also works at the EADS/CRC in the SSI lab as a research engineer. He is the author of rr0d, the Rasta Ring 0 Debugger, the first OS-independent ring 0 debugger.

IBM iSeries For Penetration Testers: Bypass Restrictions and Take Over Server
Shalom Carmel

iSeries, aka AS/400, servers are used by manufacturers, banks, insurance companies, casinos and governments. Odds are that wherever there is an iSeries-based application, that is where the money is. With over 300,000 customers worldwide and millions of users, some people are bound to be rogue hackers looking for a way to exploit it for their own ends. We will see how an attacker reconstructs the list of users on the server, how a limited-access user can bypass the restrictions, how to take over an iSeries server via ODBC, and how to hijack workstations connected to the iSeries through their terminal emulation clients. Prerequisite knowledge for the lecture: basics of TCP/IP application protocols, basics of database management, and some programming understanding.

Shalom Carmel has been tinkering with computers since 1982. His previous jobs include managing all kinds of ERP projects, teaching at high school, video editing, web marketing, founding a start-up, and a lot of information and technology consulting. He has published several security alerts on a variety of subjects, and a book titled "Hacking iSeries" available at www.venera.com.

WLSI - Windows Local Shellcode Injection
Cesar Cerrudo, CEO, Argeniss

This talk is about a new technique for creating 100% reliable local exploits for Windows operating systems. The technique relies on a Windows design weakness that allows low-privileged processes to insert data into almost any Windows process, regardless of whether that process runs with higher privileges. We all know that local exploitation is much easier than remote exploitation, but it has its own difficulties. After a brief introduction and a description of the technique, a couple of samples will be provided so that the audience will be able to write their own exploits.

Cesar Cerrudo is a security researcher and consultant specialized in application security. Cesar runs his own company, Argeniss (www.argeniss.com). Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows and Yahoo! Messenger. Cesar has authored several white papers on database and application security and has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua and CanSecWest.

How to Automatically Sandbox IIS With Zero False Positive and Negative
Tzi-cker Chiueh, Professor, Stony Brook University

Comparing the system call sequence of a network application against a sandboxing policy is a popular approach to detecting control-hijacking attacks, in which the attacker exploits software vulnerabilities such as buffer overflows to grab control of a victim application and possibly the underlying machine. The main barrier to the acceptance of this system call monitoring approach is the availability of accurate sandboxing policies, especially for Windows applications whose source code is unavailable. In fact, many commercial computer security companies take advantage of this fact and fashion a business model in which their users have to pay a subscription fee to receive periodic updates to the application sandboxing policies, much like anti-virus signatures. This paper describes the design, implementation and evaluation of a sandboxing system called BPAID that can automatically extract a highly accurate application-specific sandboxing policy from a Win32/x86 binary, and enforce the extracted policy at run time with low overhead. BPAID is built on a binary interpretation and analysis infrastructure called BIRD, supports application binaries with dynamically linked libraries, exception handlers and multi-threading, and has been shown to work correctly for a large number of native Windows-based network applications, including IIS and Apache. The measured throughput and latency penalty for all the applications tested under BPAID, except one, is under 8%.

Dr. Tzi-cker Chiueh is a Professor in the Computer Science Department of Stony Brook University, and the Chief Scientist of Rether Networks Inc. He received his B.S. in EE from National Taiwan University, M.S. in CS from Stanford University, and Ph.D. in CS from University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER award in 1995, two Long Island Software Awards in 1997 and 2005, and has published over 130 technical papers in refereed conferences and journals in the areas of operating systems, networking, and computer security. He has developed several innovative security systems/products in the past several years, including SEES (Secure Mobile Code Execution Service), PAID (Program Semantics-Aware Intrusion Detection), DOFS (Display-Only File Server), and CASH.

Malware Cinema: A Picture is Worth a Thousand Packets
Gregory Conti, United States Military Academy

Security analysts and network administrators are faced with tremendous amounts of security related data. Unfortunately current tools quickly overwhelm us with too much or the wrong type of information. This talk explores solutions to this problem using carefully crafted security visualization systems that produce insightful images, animations and movies of security data. If properly constructed, the results can be dramatic and will help you quickly perform analysis and better communicate your results to clients, management and other analysts. This talk provides you with a security PVR (RUMINT) to record network traffic, play it back at a variety of speeds and identify events of interest via 20+ semantic visualizations.

We will examine such things as movies of buffer overflow attacks, TTL walking, network reconnaissance and Diffie-Hellman key exchanges as well as accompanying analysis. The source code for the PVR is included on the conference CD. Talk attendees should have a solid understanding of the OSI model and network protocols to get the most benefit from this talk.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. He holds a Masters Degree in Computer Science from Johns Hopkins University and a Bachelor of Science in Computer Science from the United States Military Academy. His areas of expertise include network security, information visualization and information warfare. Currently he is on a Department of Defense Fellowship and is working on his PhD in Computer Science at Georgia Tech. His work can be found at www.cc.gatech.edu/~conti and www.rumint.org.

Separated By A Common Goal—Emerging EU and US Information Security and Privacy Law: Allies or Adversaries?
Bryan Cunningham, Principal, Morgan & Cunningham LLC
Amanda Hubbard, Fulbright Scholar, Norwegian Research Center for Computers and Law, Morgan & Cunningham LLC

This presentation is by two co-authors of the legal and ethics chapter of the recent authoritative textbook “Network Security Evaluation: Using the NSA IEM,” who have broad and deep experience in information security and privacy law, both in government and the private sector. They will provide unique insight into the coming clash between information security and privacy laws on either side of the Atlantic. The presentation will provide a comprehensive look at the evolving legal environment in which multi-national businesses and information security professionals must operate, and how conflicting laws can be successfully navigated to minimize liability and maximize protection of corporate assets. The presentation also will give an inside look at breaking developments in US national security and commercial law affecting multi-national businesses, as well as the privacy interests of Europeans and Americans. Finally, it will involve the audience in interactive discussions of several hypothetical—but all too potentially real—scenarios, to further illustrate the key points of the presentation. 

Bryan Cunningham (JD, Certified in NSA/IAM) has extensive experience in information security, intelligence, and homeland security matters, both in senior U.S. Government posts and the private sector. Cunningham, now a corporate information and homeland security consultant and Principal at the Denver law firm of Morgan & Cunningham LLC, most recently served as Deputy Legal Adviser to National Security Advisor Condoleezza Rice. At the White House, Cunningham drafted key portions of the Homeland Security Act, and was deeply involved in the formation of the National Strategy to Secure Cyberspace, as well as numerous Presidential Directives and regulations relating to cybersecurity. He is a former federal prosecutor and founding co-chair of the ABA CyberSecurity Privacy Task Force, and, in January 2005, was awarded the National Intelligence Medal of Achievement for his work on information issues. Cunningham has been named to the National Academy of Science Committee on Biodefense Analysis and Countermeasures, and is a member of the Markle Foundation Task Force on National Security in the Information Age, as well as Senior Counselor at APCO Worldwide Consulting. He is a principal author of the legal and ethics chapter of the recent authoritative textbook “Network Security Evaluation: Using the NSA IEM.” Cunningham counsels corporations, higher education, and other institutions on information security programs and other homeland security-related issues and, working with expert technical information security consultants, guides and supervises information security assessments and evaluations.

Amanda Hubbard (JD, LL.M. expected Summer 2006) currently is a Fulbright Scholar at the Norwegian Research Center for Computers and Law working on research in cybercrime, data privacy, active response measures, and penetration testing methodologies. She also works as a consultant for Phalanx Technologies’ E-Profiling Division. Prior to selection into the Fulbright program, she worked as a trial attorney assigned to the Computer Crime and Intellectual Property Section of the United States Department of Justice, prosecuting a large computer intrusion case, and as an international negotiator for cross-border cybercrime issues. Earlier positions include assignments as an attorney for the U.S. Intelligence Community and the military, advising several federal agencies on issues of computer forensics, electronic evidence, encryption, network and cyber security, vulnerability assessments, critical infrastructure protection, criminal law, and information-sharing policies. Her international work includes contributions to policy and legal discussions on computer and information-security topics and cybercrime for the International Telecommunications Union, the United Nations, and the Council of Europe. She also serves as an Adjunct Professor at the Columbus School of Law, Catholic University, where she co-teaches a course titled "National Security Law in Cyberspace." Publications include portions of the 2002 ABA Committee on Cyberspace Law publication, “Patriot ‘Games’ No Longer: The Business Community’s Role in Cybersecurity,” and contributing authorship for the legal and ethics chapter of the recent textbook “Network Security Evaluation: Using the NSA IEM.”

Project Paraegis Round 2: Using Razorwire HTTP proxy to strengthen webapp session handling and reduce attack surface
Arian J. Evans, Senior Software Security Engineer
Daniel Thompson, Senior Interface Programmer
Mark Belles, Senior Programmer

Web applications are constantly under attack, and many today are still unable to defend themselves.

This includes well-known, mission-critical COTS (commercial off-the-shelf software) that many of you know and use today, even from vendors that sell "security" widgets.

There are several key elements to building self-defending web applications, but most of the focus goes to input validation, output encoding, and error handling. Strong session handling and effective authorization enforcement mechanisms are usually ignored or poorly implemented in web applications.

Many of the attacks are well known, but the techniques for building applications that can defend themselves against these attacks are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods.

In 2005 alone, zero-day scripted session-riding/CSRF attacks were discovered in the wild against eBay at the exact time the Paraegis authors were presenting on the subject at BH Amsterdam 2005. Since the eBay CSRF attacks, 2005 brought a rapid increase in the complexity and replication speed of script injection and session-stealing attacks.

From the Santy PHP worm, to the MySpace embedded XSS attack, to the PHP XML-RPC worm: web-based script injection attacks are not only a reality, but increasingly sophisticated and automated.

So far we have been lucky that web-based worms have lacked a malicious payload.

Malicious Example: If the author of the MySpace worm had utilized last year's JPEG rendering overflow, or even worse, the recent WMF or Quicktime overflows, by including an embedded image file (of any content type that IE auto-content-interprets), the MySpace 'Sammy' worm could have owned local system on hundreds of thousands of Windows PCs in <24 hours.

We are clearly in the age of "Blaster in embedded web content", with no increase in the order of complexity: merely embed malicious content containing self-replicating malware on a high-traffic web site. That means Hacker Defender installed through a malicious JPEG that is really an executable WMF or MOV.

This presentation will:

  • Summarize and categorize Session and Script Injection attacks.
  • Provide you with a simple taxonomy for Script Injection (XSS) attacks.
  • Provide you with a deeper understanding of Cross-Site Scripting (XSS) attacks: who, what, when, where, how.
  • Show how attackers can target your internal network using your web browser and/or hacked web applications.
  • Release the Paraegis Project Razorwire proxy, based on the HTTP/1.1 Razor Framework, which includes:
    • A .NET 1.1/HTTP/1.1 extensible programming framework, called Razor (HTTP/1.1)
    • Razorwire: the Paraegis Project RFC-compliant .NET 1.1 based HTTP/1.1 proxy
    • Announcement of an extensible, .NET 2.0-based HTTP/1.1 framework and proxy (Carbon)
    • An HTTP gateway/proxy that can run locally or distributed in front of any web server on any OS
    • Based on .NET, so it can run on any .NET system and should run on Mono
    • Paraegis logic design, which provides strong session handling via DATs (dynamic authorization tokens)
    • Paraegis logic design, which provides URL resource protection and HTTP verb restrictions to stop XSS attacks from converting POSTs to GETs, or any verb to dangerous verbs like TRACE or PUT
  • Show how to reduce the attack surface of XSS and embedded scripts from "all people all the time" to "one person one time" by use of Paraegis Logic URL encryption and a one-time token implementation.

We gave up writing about techniques. We gave up trying to share code snippets with you.

Now we are just going to give you an http proxy that does it for you.

For free. :)

There are some distinct differences between what we've done and what current commercial WAFs have done, namely in our disregard, for the moment, for the traditional regex string-matching type of content-blocking rules. See the BH Blog or Paraegis Project pages for more details...

We had been demonstrating these attacks for some time, including our research into how to do these against Nokia's IPSO web interface since late 2002 and early 2003. A common response was "well, you have to be inside the network for these to work".

Which wasn't true at all. We started to show how these could be executed remotely, which even by 2004 most did not take seriously. The explosion of phishing, luring, and XSS attacks raised the visibility enough that people started listening and expressing concern, but not really taking any action.

And we also started seeing the purchase of hundreds of thousands of dollars of highly complex, often weakly implemented, web app firewalls (WAFs).

To help counter a complex problem with what should be a simple solution, we first preached for people to change their code, and make their apps self-defending. This didn't work. Next we tried to release snippets of code and documented concepts that would be easy to implement. Lacking business requirements to implement and regression test new "security feature" code, this didn't work either.

Then we decided to bundle everything together in a set of ISAPI filters, which was platform-limited and had several implementation limitations in session handling.

Which led us to the Razor Framework: starting over from scratch and creating a fast, flexible proxy for our security needs that can be extended to even user-specific session awareness. Yes, yes, we've given in and created a WAF. Or rather, we are slowly growing one, but ours has some neat new features and will eventually embrace all the old WAF stuff too (regex string matching, whitelists, etc.).

It should be noted that this is a slightly different approach to a webapp security proxy than most of the current generation commercial offerings. Instead of focusing on content security like regex string matching to catch XSS and SQL injection, or putting hashes on cookies, we have focused on session handling and what will become, in essence, a more global viewstate for any app/language.

This was approached first because of the benefits of transparency in many situations. The expansion of rule-based content matching will definitely come next, but a quick win against XSS and some anti-automation benefits were the initial target of the project.
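To make the session-handling design described above concrete, here is an added illustration (not Paraegis or Razorwire code) of the two controls the abstract names: per-session one-time dynamic authorization tokens (DATs) bound to the target URL, and per-resource HTTP verb restrictions enforced in front of the application. The class and function names, the resource policy and the sample requests are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Verbs a browser legitimately needs; everything else (TRACE, PUT, DELETE, ...)
# is dropped at the proxy before it can reach the application.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}

# Constructed per-resource verb policy: state-changing handlers are POST only, so a
# script that rewrites a POST into a GET carrying the same parameters is refused.
RESOURCE_VERBS = {
    "/account/view": {"GET", "HEAD"},
    "/account/transfer": {"POST"},
}


@dataclass
class Session:
    session_id: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    live_tokens: Set[str] = field(default_factory=set)  # issued, not yet consumed


class Gateway:
    """Hypothetical policy layer sitting in front of the web application."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        session = Session(secrets.token_hex(16))
        self.sessions[session.session_id] = session
        return session

    def issue_dat(self, session: Session, path: str) -> str:
        """Mint a one-time token bound to this session and this URL.

        Every link or form the proxy emits carries one, so a request riding on a
        valid session cookie but lacking a fresh token for the exact path is refused.
        """
        nonce = secrets.token_hex(8)
        tag = hmac.new(session.key, f"{nonce}|{path}".encode(), hashlib.sha256).hexdigest()
        token = f"{nonce}.{tag}"
        session.live_tokens.add(token)
        return token

    def check(self, session_id: str, verb: str, path: str,
              dat: Optional[str]) -> Tuple[bool, str]:
        """Decide whether a request may be forwarded; returns (allowed, reason)."""
        if verb not in ALLOWED_VERBS:                     # 1. global verb allow-list
            return False, "verb not permitted"
        allowed = RESOURCE_VERBS.get(path)                # 2. per-resource verb policy
        if allowed is None:
            return False, "unknown resource"
        if verb not in allowed:
            return False, "verb not allowed for resource"
        session = self.sessions.get(session_id)           # 3. session must exist
        if session is None:
            return False, "no session"
        if not dat or "." not in dat:                     # 4. DAT: present, bound, unused
            return False, "missing token"
        nonce, tag = dat.split(".", 1)
        expected = hmac.new(session.key, f"{nonce}|{path}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "token not bound to this URL"
        if dat not in session.live_tokens:
            return False, "token already consumed"
        session.live_tokens.discard(dat)                  # "one person, one time"
        return True, "forwarded"


def run_scenarios() -> Dict[str, str]:
    """Walk constructed requests through the gateway; returns the decision per case."""
    gw = Gateway()
    victim = gw.new_session()
    sid = victim.session_id
    results: Dict[str, str] = {}

    # Legitimate flow: the page the user viewed carried a DAT for the transfer form.
    form_token = gw.issue_dat(victim, "/account/transfer")
    results["legit_post"] = gw.check(sid, "POST", "/account/transfer", form_token)[1]
    # Replaying the same token (e.g. captured by injected script) is refused.
    results["replay"] = gw.check(sid, "POST", "/account/transfer", form_token)[1]
    # Session-riding request on the valid cookie but without any token.
    results["csrf_no_token"] = gw.check(sid, "POST", "/account/transfer", None)[1]
    # A token minted for a harmless URL cannot be pointed at the transfer handler.
    view_token = gw.issue_dat(victim, "/account/view")
    results["wrong_url_token"] = gw.check(sid, "POST", "/account/transfer", view_token)[1]
    # Verb downgrade: the POST-only handler driven through a GET.
    results["post_to_get"] = gw.check(sid, "GET", "/account/transfer", form_token)[1]
    # Dangerous verbs are dropped before any other logic runs.
    results["trace"] = gw.check(sid, "TRACE", "/account/view", None)[1]
    return results


if __name__ == "__main__":
    for case, decision in run_scenarios().items():
        print(f"{case:16s} -> {decision}")
```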

Arian Evans
Arian Evans has spent the last eight years pondering how he fell into information security. His focus has been on application security and IDS. 

He currently works researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping clients design, deploy, and defend their applications. Arian works with clients worldwide on appsec issues, has worked with the Center for Internet Security, FBI, and numerous commercial organizations on web application security and related hacking incident-response.

Arian occasionally is allowed to disclose and publish vulnerability research & advisories, relishes working with unresponsive vendors, and questions everything. He frequently breaks things, and rarely figures out how to put them back together again.

Daniel Thompson
Daniel Thompson is an interface developer for Secure Passage, a software company specializing in network device change-management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to forge currency & documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targets .JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game.

Dan became interested in information security when Arian Evans started reading his email, and maintains a policy of open email access through trustfully compiling any random source that Arian or Mark chose to send him.

Mark Belles
Mark is a coder. He likes to code. See Mark code. See Mark code. Code, Mark, code.

Mark likes to code in C# and C++. He likes to code for .NET. Mark likes to make web frameworks he can extend and control.

Mark wrote the Razor framework, and now the .NET 2.0 Carbon framework, and has since become the key coder behind the Paraegis Project proxy engine. Mark isn't very smart and while he has written a lot of excellent code to bring this dream to a reality, he didn't write this BIO. We wrote it for him.

Analysing Complex Systems: The BlackBerry Case
FX, Phenoelit & SABRE Labs

When trying to analyze a complex system for its security properties, very little information is available in the beginning. If the complex system in question contains parts that the analyst cannot see or touch, proprietary hardware and software as well as large-scale server software, the task doesn't get any easier. The talk will tell the story of how Phenoelit went about looking at RIM's BlackBerry messaging solution, focusing on the approaches tried and their expected versus real effectiveness.

FX is the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. FX looks back at as little as eight years of (legal) hacking with only a few Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road. Professionally, FX runs SABRE Security's consulting arm SABRE Labs, specializing in reverse engineering, source code audits and on-demand R&D of industry grade security architectures & solutions.

Attacks on Uninitialized Local Variables
Halvar Flake, Founder, SABRE Labs

Buffer overflows have been abused in order to compromise software systems for the better part of the last 25 years. In recent years, many restricted solutions to curb their negative effect (stack canaries, frontlink/backlink verification for heap implementations, reordering of local variables) have been proposed and implemented in most popular compilers and operating systems. What is commonly overlooked is that the 'general' problem is the ability of attackers to trigger behaviour that is 'undefined' by the ANSI C99 standard, not the (relatively small) subclass of 'buffer overflow'.

A common programming mistake is a situation where under some exceptional conditions a local variable is not initialized prior to its first use. As the local variables are usually allocated on the stack, the memory thus used is not zeroed and may contain values 'left over' from other parts of the program. Most discussions of this topic imply that these values cannot be controlled by an attacker in a meaningful manner, and thus use of uninitialized variables means no security risk beyond a denial-of-service (e.g. application crash). This talk proposes methods with which an attacker can determine the set of functions in a program that are accessing the same memory range that will later on be re-used by the faulty function. By constructing several specialized graphs from the disassembly of a program, it is possible to determine the set of functions that might be used to control the 'uninitialized' values.

Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.

Implementing and Detecting An ACPI BIOS Rootkit
John Heasman, Principal Security Consultant, NGSSoftware

As rootkit detection tools become more sophisticated, the rootkit writer must strive to leave less of a footprint and inhabit areas that detection tools do not currently interrogate. One such area, the BIOS, has many associated difficulties in development and deployment but offers numerous benefits over ‘traditional’ rootkits—namely it leaves no trace on disk and can survive reinstallations in order to infect new operating systems. 

This talk discusses how a generic rootkit may be developed for an ACPI-compliant BIOS. With the aid of several demonstrations, it covers implementing BIOS rootkits for both Windows and Linux. The latter part of the talk considers the defense perspective, investigating the steps required to detect and remove such a rootkit. As software-based rootkit detection and protection tools continue to evolve, this talk broaches the important topic of hardware protection and how current protection and detection models designed to combat a BIOS virus may be insufficient to defend against a BIOS rootkit. Finally we discuss the impact of initiatives such as the Trusted Computing Platform Alliance (TCPA) on rootkit deployment.

John Heasman is a Principal Security Consultant for NGS Software. He has worked as a security consultant for three years and has been certified as a CHECK Team Leader. He has invaluable experience in vulnerability research and has released numerous advisories in enterprise-level software, including Microsoft Windows, PostgreSQL, Apple Quicktime and RealNetworks Realplayer. Furthermore he has a strong interest in database security and was a co-author of the Database Hackers Handbook (Wiley, 2005).

Exploiting Embedded Systems
Barnaby Jack, Senior Research Engineer, eEye Digital Security

From automobiles and cell phones to routers and your kitchen microwave, embedded systems are everywhere. And wherever there is code, there are flaws.

In this presentation I will be discussing ARM-based on-chip architectures, purely due to the popularity of the chipset. The same techniques I will be demonstrating are also applicable to other architectures. I will cover the JTAG and UART interfaces, and how these interfaces can be used in conjunction with an In-Circuit Emulator for real-time on-chip debugging.

You will learn about the components that make up an embedded system, how to disable certain implemented features that thwart hacking attempts, and how to interface with the system to debug the ROM code.

I will walk through the remote exploitation of a popular hardware router, demonstrate some nifty shellcode, and hopefully open some eyes to the threat insecure embedded devices pose.

As a bonus, I will be giving away a “wiggler” ICE unit and the relevant software.

No toasters are safe.

Barnaby Jack is a Senior Research Engineer at eEye Digital Security. His role at eEye involves developing internal technologies, malicious code analysis, vulnerability research—and applying this research to the eEye product line. His main areas of interest include reverse engineering and operating system internals. He has been credited with the discovery of numerous security vulnerabilities, and has published multiple papers on new exploitation methods and techniques.

Hacking fingerprint Scanners - Why Microsoft's Fingerprint Reader Is Not a Security Feature
Mikko Kiviharju

In this paper we describe the findings from tests performed with the Microsoft Fingerprint Reader. In the driver installation files Microsoft warns against using this product as a security device, but does not explain why. The tests indicate two reasons: the lack of on-line encryption between the MSFR device and the corresponding drivers, and the optical nature of the scanner, which seems to allow fingers to be duplicated with little effort. Because of the lack of encryption and the use of third-party hardware, the MSFR testing also revealed a fingerprint image forgery prevention mechanism present in the third-party hardware, and opens up another replay attack alongside fake fingers. We also present a key management omission in the Griaule SDK's biometric information encryption.

Mikko Kiviharju has worked several years as a research scientist in the fields of data security and cryptology within the Finnish government.

Bluetooth Hacking - The State of The Art
Adam Laurie, Technical Director, The Bunker Secure Hosting Ltd.
Martin Herfurt, Researcher, trifinite.org
Marcel Holtmann, Chief Developer, BlueZ.org

This talk will provide an overview of all currently known Bluetooth exploits, as well as live demonstrations, including Bluebugging, Snarfing, Dumping, PIN cracking and Car Whispering.

Adam Laurie is Chief Security Officer and a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, DOS and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers - http://www.thebunker.net) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

Marcel Holtmann is the maintainer and the core developer of the official Linux Bluetooth stack, which is called BlueZ. He started working with Bluetooth technology back in 2001. His work includes new hardware drivers, upper layer protocol implementations and the integration of Bluetooth into other subsystems of the Linux kernel. In January 2004 he took over the maintainer role from the original developer Max Krasnyansky.

Together with Jean Tourrilhes he maintains the OpenOBEX project. He is also responsible for the IrDA and Bluetooth integrations of the Gnokii project.

Martin Herfurt is the founder of the trifinite.group. He completed his Telecommunications Engineering Degree at the Salzburg University of Applied Sciences and Technologies in 2001.

Alongside his study Martin was involved in numerous industry projects, providing him with commercial programming practice. In 2000 Martin followed up his formal study with a four-month internship at the telecommunications institute of TELCOT institute in San Ramon, California, USA.

Since the second half of 2000 Martin has been working as a full time researcher at an Austrian research facility. His project responsibilities range from the co-ordination of a European IST project with a total budget of over 5 million Euro to software agent development. Together with a colleague, Martin began a class on mobile data services at the Salzburg University of Applied Sciences and Technologies in the summer of 2003.

In February 2004, Martin discovered a major security loophole in several popular cellphones which is referred to as BlueBug in the media. Martin is also currently working on a PhD in computer science at the University of Salzburg. As part of his fascination with the rapid development in computer programming Martin has become a regular participant in the Chaos Communication Congress which is a yearly meeting of the German hacker association CCC.

Death of a Thousand Cuts - Finding Evidence Everywhere!
Johnny Long, Penetration Tester (*snicker*)

In this day and age, forensics evidence lurks everywhere. This talk takes attendees on a brisk walk through the modern technological landscape in search of hidden digital data. Some hiding places are more obvious than others, but far too many devices are overlooked in a modern forensics investigation. As we touch on each device, we’ll talk about the possibilities for the forensic investigator, and take a surprising and fun look at the nooks and crannies of many devices considered commonplace in today’s society. We’ll look at iPods (and other MP3 players), Sony PSP devices (and other personal video products), digital cameras, printers, fax machines, all-in-one devices, dumb phones, “smart” phones, cell phones, various network devices and even wristwatches, sunglasses, pens and all sorts of other devices that contain potential evidence. For each device, we’ll look at what can be hidden and talk about various detection and extraction techniques, avoiding at all costs the obvious “oh I knew that” path of forensics investigation. All this will of course be tempered with Johnny’s usual flair, some fun “where’s the evidence” games, and some really cool giveaways.

Johnny Long was a relative forensics newbie who was faced with the challenge of hunting down the amazingly agile and paranoid “Knuth” from the best-selling Syngress “Stealing the Network” book series. In the story, Knuth melted down his hard drive platters and USB sticks before leaving the country, leaving any investigator next to no digital evidence. Fortunately for the good guys, Knuth left behind some oft-neglected hardware that left him open to a “death by a thousand cuts”. As a result of the writing experience, Johnny learned to look in oft-neglected places for digital evidence, and has been given a whole new perspective on digital forensics. Johnny has authored and co-authored several books, including “Stealing the Network: How to own the Identity” by Syngress publishing.

Hacking, Hollywood Style
Johnny Long, Penetration Tester (*snicker*)

If you know good tech, you can smell bad tech from a mile away. Bad tech is the stuff that makes you laugh out loud in a theater when all the "normal" people around you thought something k-rad just happened. The stuff that makes real hackers cringe, furious that they missed their true calling: the cushy life of a Hollywood "technical consultant". Then again, maybe Hollywood got it right, and the hackers have it all confused. Judge for yourself as Johnny slings the code that quite possibly explains what, exactly those boneheads must have been thinking. If you can piece together the meaning behind the code, and guess the pop culture reference first, you'll win the respect of your peers and possibly one of many dandy prizes. Either way you'll relish in the utter stupidity (or brilliance) of Hollywood's finest hacking moments.

Johnny Long was a relative forensics newbie who was faced with the challenge of hunting down the amazingly agile and paranoid “Knuth” from the best-selling Syngress “Stealing the Network” book series. In the story, Knuth melted down his hard drive platters and USB sticks before leaving the country, leaving any investigator next to no digital evidence. Fortunately for the good guys, Knuth left behind some oft-neglected hardware that left him open to a “death by a thousand cuts”. As a result of the writing experience, Johnny learned to look in oft-neglected places for digital evidence, and has been given a whole new perspective on digital forensics. Johnny has authored and co-authored several books, including “Stealing the Network: How to own the Identity” by Syngress publishing.

Skeletons in Microsoft's Closet - Silently Fixed Vulnerabilities
Steve Manzuik
Andre Protas

For years vendors have been criticized over the practice of silently fixing security flaws and not releasing bulletins to notify their customers. While it is easy to find many researchers and experts criticizing alike, it is typically hard to find actual proof that this practice remains ongoing. Regardless of personal opinions over the rationale vendors use to justify silently fixing bugs, the reality is that many defensive technologies rely on specific signatures to detect potential attacks and identify specific vulnerabilities as they were reported in vendor advisories.

The basic argument against silently fixing vulnerabilities lies in the above fact. If a security device is signature based, it cannot reliably detect something it does not know exists, and most security vendors do not have the resources or time to manually verify that the software vendor has been upfront about all of the threats that were fixed in the patch.

This talk will outline the steps taken to identify potential vulnerabilities silently fixed in a major update release, namely Update Rollup 1 for Microsoft Windows 2000 SP4. In addition, specific vulnerabilities will be identified and a demonstration showing how various signature based technologies will not defend against these issues will be given.

Steve Manzuik has more than 13 years of experience in the information technology and security industry, with a particular emphasis on operating systems and network devices. In 2001, Mr. Manzuik founded and was the technical lead for Entrench Technologies. Prior to Entrench, Mr. Manzuik was a manager in Ernst & Young's Security & Technology Solutions practice, where he was the solution line leader for the Canadian Penetration Testing Practice. Before joining Ernst & Young, Mr. Manzuik was a security analyst for a worldwide group of white hat hackers and security researchers on the BindView RAZOR Team. Mr. Manzuik has co-authored “Hack Proofing Your Network” Second Edition (ISBN 1928994709). In addition, he has spoken at Defcon, Pacsec, and CERT conferences and has been quoted in industry publications including CNET, CNN, InfoSecurity Magazine, Linux Security Magazine, Windows IT Pro and Windows Magazine. As the Founder and Moderator of VulnWatch (www.vulnwatch.org) and a member of the OSVDB Project (www.osvdb.org), Mr. Manzuik has contributed to multiple research projects in both the public and private sector that have helped increase the security of many products.

Andre Derek Protas is a researcher with an academic background. He holds dual BS degrees in Computer Science and Criminal Justice, as well as being enrolled for a Masters Certificate in Information Assurance from the National Defense University. Mr. Protas is heavily involved in both the academic and industry-specific communities for information security including IEEE, ACM, USENIX, and LISTA. Mr. Protas also possesses a limited law enforcement history by working with the DOD DCIS as well as the Texas Alcoholic Beverage Commission. Mr. Protas also participates in the Los Angeles and Dallas chapters of the FBI’s InfraGard organization, a federally-funded organization dedicated to being the liaison between law enforcement and civilian communities regarding the protection of the national infrastructure. Mr. Protas has performed security assessments for financial institutions across the Dallas-Fort Worth Metroplex as well as for a Fortune 100 company located in Dallas. Mr. Protas brings with him the technical history from his education and personal research, as well as the high-level insight that he has gained by working with multiple enterprise level production environments.

Combating Symbian Malware
Jarno Niemelä, Senior Anti-Virus Researcher, F-Secure

Viruses, worms and trojans that operate on Symbian devices are turning from a technical curiosity into a threat. The localized outbreaks caused by Cabir and Commwarrior worm variants indicate that in any large organization, the possibility of employee phones being infected by mobile malware is increasing with time.

While the current Symbian malware is still technically rather primitive, it can be rather difficult to handle and disinfect without proper knowledge of how to operate Symbian based smartphones.

The purpose of this talk is to give information on how to handle, analyze and disinfect Symbian based malware threats. The presentation will give an overview of Symbian OS from the malware point of view, the most common Symbian malware, a brief overview of how the malware works, and how to counter malware infection at both the network and the individual phone level.

Jarno Niemelä was born in Helsinki in 1975. He graduated from EVTEK Institute of Technology in 1999 with a Bachelor of Engineering degree. During and after his studies he worked as a smartcard and driver programmer at Setec Ltd, which at that time specialized in smartcards, printed money and passports. In 2000 he joined F-Secure Corporation as a Mobile Anti-Virus researcher and currently serves as Senior Anti-Virus researcher in the same position. He has followed the mobile malware and security field for almost five years and has seen the development of the threats from the first Palm OS trojan to current Symbian malware. In addition to his day work he teaches information security to engineers at EVTEK and Stadia polytechnics in the Helsinki region. He is married and lives in Espoo. During his free time he enjoys food and beer gastronomy, running and teaching.

Stopping Automated Application Attack Tools
Gunter Ollmann, Director of X-Force, Internet Security Systems, Inc.

Relying on client-side scripting as a positive security mechanism has been generally regarded as not a particularly smart idea—after all, it can be bypassed by the attacker. Unfortunately, this is an outdated view. With a little understanding, client-side code can be turned into an effective weapon capable of combating the latest generation of application assessment tools and most automated attack vectors.

This talk covers the methods application developers and security departments have at their disposal to halt (and sometimes break) an attack being conducted by an automated tool or script—whether the attack be initiated from a single host or a distributed network.

Gunter Ollmann serves as director of X-Force for Internet Security Systems, Inc. (ISS). With more than 18 years of service within the information technology field, Ollmann is responsible for ISS’ overall security research and development efforts, including all security content for ISS' products and services, zero-day vulnerability analysis, observation and analysis of global security trends, and vulnerability discovery. Ollmann was previously head of X-Force security assessment services for EMEA. In that role Gunter managed a distributed team of highly skilled consultants in multiple locations throughout Europe, pioneered specialist methodologies and techniques for the successful assessment of custom software solutions, and increased the growth and application of the ISS global center of excellence in security assessment and penetration testing.

Prior to joining Internet Security Systems, Ollmann was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. He was responsible for the development of business relationships, including building NGS’ international clientele, and defining the direction of research activities and development of the company’s vulnerability-based knowledge services. Ollmann grew NGS consulting service while dispensing cutting-edge security advice to product vendors to aid them in the development of commercial technology.

Since 2002, Ollmann has been a contributor to multiple leading international IT and security focused magazines and journals, including a dedicated monthly “Consultants Corner” column in SC Magazine. He has authored, developed and delivered a number of highly technical courses on Web Application Security. He has provided technical advice to various UK government agencies and is often invited to speak at many international security conferences.

MPLS and VPLS Security
Enno Rey

In recent years Multi Protocol Label Switching (MPLS) has become the most important backbone technology for most (if not all) carriers/providers. There's a whole new range of MPLS based applications ('services') sold to customers, accompanied by the usual marketing hype. After a short introduction to the basic terms and concepts of MPLS, this presentation will discuss whether attacks against MPLS are feasible and how common attack vectors are addressed. The talk will then focus on 'Virtual Private LAN Service' (VPLS, basically the emulation of an Ethernet-based LAN across an MPLS based backbone), which is currently the hottest new kid in carrier town. This combination of Layer 2 techniques and Layer 3 technologies will create new, as yet unforeseen security problems. Their (possibly broad) implications will be analyzed and requirements for operating them securely (on the customer side) will be developed.

Enno Rey has loved playing around with network protocols and devices since he first heard about the internet protocol family. Prior to founding a specialized team of security researchers (aka building up his own company) in 2001 he worked as a sysadmin and network operator. He has vast experience in designing, operating, troubleshooting and securing laaarge networks. Furthermore he is one of the authors of the first and only German book on penetration testing, has written several articles and white papers on security subjects and is a frequent speaker at conferences throughout Europe.

Enno's twelve years of information security experience include a wide variety of information security topics, amongst them cryptography, pentesting/auditing, secure network design and technology risk evaluation.

Throughout the years he has acquired the usual security certifications (CISSP, CISA, BS 7799 Lead Auditor) and has provided security consultancy services to many Fortune 500 enterprises and governmental agencies.

He will be happy to share his deep knowledge about network protocols and their inner workings with the audience.

Rootkits vs. Stealth by Design Malware
Joanna Rutkowska

Recently we have observed increased interest in rootkit technology all over the world. Eventually many AV companies started working on commercial rootkit hunting tools for the Smith family... But is rootkit detection the same as compromise detection? What about backdoors, keystroke loggers and other malware which is “stealth by design” and does not require rootkit technology as protection? How does the current anti-rootkit technology work here?

The presentation will first focus on different types of system compromises and will explain how it is possible for the attacker to achieve full stealth without classic rootkit technology. Then it will discuss possible solutions for detecting these different types of compromises and compare them against “classic” rootkit detection approaches, introducing the need for explicit system verification. Those subjects will be discussed from the perspective of desktop computers as well as server machines.

The talk will be supported by live demos showing the limitations of current anti-rootkit tools against malware which is “stealth by design”. The author is also going to release a new version of her Virginity Verifier – a tool for explicit compromise detection on Windows systems.

Joanna Rutkowska is an independent security researcher. Her main interest is in stealth technology, that is, in the methods used by attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She is interested in both detecting this kind of activity and in developing and testing new offensive techniques. She develops assessment and detection tools for various companies around the world. She lives in Warsaw, Poland.

RAIDE: Rootkit Analysis Identification Elimination
Peter Silberman
Jamie Butler, CTO, Komoku, Inc.

In the past couple of years there have been major advances in the field of rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker, to FU. Rootkit technology is growing at an exponential rate, and is becoming a more everyday problem; spyware, for example, is using rootkits to hide its presence. There have been few public advances in the rootkit detection field since the conception of VICE, with the exception of Joanna Rutkowska's VSS. After three years, it's time for another run at rootkit detection.

This presentation will review rootkit detection, from the previously known ways of detecting rootkits to detailing new ways to detect hidden processes. A global problem with rootkit detection schemes will be introduced as well as a demo showing this problem. The session will conclude with the introduction and demo of RAIDE (Rootkit Analysis Identification Elimination), the new way to detect rootkits.

Peter Silberman has been working in the computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was employed at HBGary during the summer of 2005; however, during the year Peter is an independent security researcher who tries to contribute to openRCE.org in his spare time. Peter is currently a sophomore at a liberal arts school where he tries to not let education interfere with his learning. Peter, if not behind a computer or power tools, can be found behind a pong table mastering his skills.

James Butler is the CTO of Komoku, Inc., which specializes in high assurance, host integrity monitoring and rootkit detection. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc., focusing on rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller Rootkits: Subverting the Windows Kernel.

Beyond EIP
spoonm
skape

When we built Metasploit, our focus was on the exploit development process. We tried to design a system that helped create reliable and robust exploits. While this is obviously very important, it's only the first step in the process. What do you do once you own EIP? Our presentation will concentrate on the recent advancements in shellcode, IDS/firewall evasion, and post-exploitation systems. We will discuss the design and implementation of the technologies that enable complex payloads, such as VNC injection, and the suite of tools we've built upon them. We will then present a glimpse of the next generation of Metasploit, and how these new advances will serve as its backbone.

Spoonm:
Since late 2003, spoonm has been one of the core developers behind the Metasploit Project. He is responsible for much of the architecture in version 2.0, as well as other components including encoders, nop generators, and a polymorphic shellcode engine. A full-time student at a northern university, spoonm spends too much of his free time on security research projects.

Skape:
Skape is a lead software developer by day and an independent security researcher by night. He joined forces with the Metasploit project in 2004 where his many contributions have included the Meterpreter, VNC injection, and many other payload advances. Skape has worked on a number of open-source projects and has authored several papers on security related technologies. His current security related interests include post-exploitation technologies, payload development and optimization, and exploitation prevention technology.

The Science of Code Auditing
Alex Wheeler, Research Engineer
Mark Dowd, X-Force Research Engineer, ISS
Neel Mehta, X-Force Research Engineer, ISS

There has been great discussion about what vulnerabilities are, and how to exploit them. What is still somewhat a mystery is how these vulnerabilities are found. While each person has their own techniques, this speech will reveal some solid methodologies and secrets of the trade from a very successful group of professional security researchers.

While the presentation will discuss 0day, its scope is bigger than any individual vulnerability, as interesting as they may be. If you've ever wondered how security researchers find 0day, or wanted to learn a logical and concrete methodology for finding your own, this is the speech to attend.

Mark Dowd has been part of the ISS X-Force research and development team for the past 5 years. At X-Force he has uncovered a number of vulnerabilities in major widely-used software applications. A few examples include buffer overflows in Sendmail, Microsoft Exchange, OpenSSH, Internet Explorer, Mozilla, Checkpoint VPN, and Windows Encryption software (a PCT protocol in the MS SSL implementation). Prior to working at ISS, Mark uncovered a number of software vulnerabilities in several UNIX-based operating systems, including remote vulnerabilities in Linux, Solaris, *BSD, Tru64 and IRIX. Currently, he is co-authoring a book related to software analysis and finding security vulnerabilities.

Neel Mehta works as an application vulnerability researcher at ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

Alex Wheeler is a security researcher specializing in auditing software for critical security vulnerabilities. His research experience was cultivated during his time with ISS X-Force, where he was tasked with performing code audits of critical network applications and technologies for remote security vulnerabilities. Alex's recent audit focus has led to the discovery of remote systemic and point vulnerabilities in a substantial number of security products.

Anomaly Detection Through System Call Argument Analysis
Stefano Zanero, Ph.D. Candidate, Politecnico di Milano T.U.; CTO & Founder, Secure Network S.r.l.

Traditionally, host based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype which is capable of detecting anomalous system calls in an execution flow, thus helping in tracing intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall at different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies.

Stefano Zanero, M.S. in Computer Engineering, graduated “cum laude” from the Politecnico di Milano school of engineering, with a “Laurea” (M.S.) thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Department of Electronics and Information of the same university. His current research interests include, besides learning IDSs, the security of web applications and computer virology. He has been a speaker at international scientific and technical conferences (including CanSecWest, Black Hat and IT Underground), and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for "ACM Computing Reviews", "IEEE Security & Privacy", and various international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and ISSA (Information Systems Security Association). He is also a regular columnist of the “Security Manager’s Journal” on Computer World Italy, and has been awarded a journalism award. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

(c) 1996-2007 Black Hat