RSS feed logo header graphic

Black Hat Europe 2008 Speaker List

Black Hat Europe 2008 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.


Aseem "@" Jakhar, Technical Lead, IBM Internet Security Systems

Spamming has been a major PITA for any organization/person. Spammers have evolved with time and so the Anti-Spam engines. I'll discuss about how spammers operate, various algorithms(Statistical, heuristic, reg exp) and protocols(SPF, DKIM, DNSxLs etc) used for Stopping Spam and how to evade those techniques. For Example: Evading Grey listing by resending a 4XX Error mail, Targeting a low priority MX host, testing your spam with freely available tools and free webmail services etc.

Aseem "@" Jakhar is a programmer by day, a hacker by night. He has worked on Heuristic Anti-Spam engines, Advanced attachment filters, Dynamic web filters. @'s Area of Expertise is in Messaging Security and his skill set is in C, C++, Perl, Linux kernel, and network security.

LDAP Injection & Blind LDAP Injection

Chema Alonso, Microsoft

Jose Parada Gimeno, Microsoft

The increase in the number of web applications based on LDAP services has made code injection attacks an important threat.

If one of these web applications accepts inputs from a client and executes these inputs without first validating them, the attackers are free to execute their own queries and therefore, to extract the content of the LDAP tree associated to the Web application.

In this presentation a deep analysis of LDAP injection techniques is presented with new ways to perform them.

All the demos will be executed using Webapp and OpenLDAP/ADAM Ldap services.

The presentation will show several demos about how an attacker could exploit LDAP Injection vulnerabilities and to understand their consequences.

Chema Alonso - Computer Engineer. Microsoft MVP of Windows Security (2004-2008) Security consultant.

Jose Parada Gimeno - Microsoft IT Pro Evangelist, Frequent Speaker at Microsoft Technet Conferences.

Malware on the Net - Behind the Scenes

Iftach Ian Amit, Director of Security Research, Finjan

Modern Crimeware is a term that has been coined for what the recent web related attacks look like. It is a step up from the “old” days of virus and malware where the motive was fame and the means were crude. Modern crimeware is fueled by financial motive and has evolved an intricate economy of supply and demand, distributors, affiliations, pricing models, and everything needed for a thesis paper on the matter…

With over 10 years of experience in the information security industry,  Iftach Ian   brings a mixture of Software development, OS, Network and web security to Finjan as the Directory of Security Research. Prior to Finjan, Iftach was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. Prior to that, he served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development, Information security as well designing and building a financial Datacenter. Prior to Datavantage, he managed the Internet application department at Comsec Consulting as well as the Unix Department, where he has been consulting to major banking and industry companies worldwide. Iftach Ian holds a Bachelors degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzlya.

Keynote: Digital Security: a Risky Business

Ian O. Angell, Professor of Information Systems. London School of Economics

In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.

Ian Angell has been Professor of Information Systems at the London School of Economics since 1986. Prior to that he researched and taught Computer Science at Royal Holloway College, and University College London.

Angell has very radical and constructive views on his subject, and is very critical of what he calls the pseudo-science of academic Information Systems. He has gained a certain notoriety worldwide for his aggressive polemics against the inappropriate use of artificial intelligence and so-called knowledge management, and against the hyperbole surrounding e-commerce.

His main research work concentrates on organizational and national I.T. policies, on strategic information systems, and on computers and risk (both opportunities and hazards), particularly the systemic risks inherent in all socio-technical systems and the security threats posed to organisations by the rapidly diffusing international information infrastructure.


Nick Breese, Security Consultant,

An implementation of MD5 using vector computing, rather than typical scalar computing, has yielded incredible gains in calculation time. I have been working on a project currently dubbed "Crackstation" for the past 6 months to implement common ciphers and hash functions using vector computing. The current focus has been on the SSE extensions for x86-based processors and the Cell Broadband Engine ("CBE" ) within the PlayStation 3. Other vector processing technologies may also be applicable, but are currently untested.

The SPU processors within the PlayStation 3's CBE are effectively vector processors with enhanced features. Per-core local storage memory, a high number of general purpose registers and their self-contained nature make the SPU processors excellent choices for specific vector-based cryptography implementations.

Benchmarks have been conducted to assess the potential for vector calculation within password cracking. While the results are strictly only to be used as a guideline, they are encouraging. The MD5 hash benchmark was performed using 7 byte values on a 2.2GHz Intel mobile Core2 Duo Processor and a PlayStation 3 running Fedora Core 7. The x86 SSE2 implementation can conduct over three times the number of MD5 calculations than the scalar equivalent. The PlayStation 3 manages to conduct over 1.4 billion MD5 calculations a second.

Vector processing is known commonly as Single-Instruction, Multiple Data (SIMD). Unlike scalar operations which conduct a single mathematical calculations to a single piece of data; SIMD allows a single mathematical operation to be applied to a data group. This method is not intended to conduct each operation faster. The concept is to apply the same operation to multiple pieces of data, which yields in a greater number of results.

At it's core, the MD5 hash function operates on 32bit unsigned integers. Both SSE2 and the Cell SPU use a 128bit general purpose register file for vector data groups. This in turn allows for four 32bit concurrent MD5 values to co-exist at the same time. Each mathematical calculation of MD5 is applied against the vector data group, resulting in four separate MD5 calculation streams to be conducted concurrently. Using Linux under the PlayStation 3 hypervisor allows access to six SPUs in total, giving 24 concurrent MD5 calculations.

Pure vector-based cryptographic implementations can aide certain attacks. The most obvious would be password cracking as these operations can be run in parallel quite well.

Calculation time to brute-force a particular cryptographic function is a commonly-used metric. This time is calculated using the current high-end x86 processors. Due to their ever-increasing performance and ubiquity, using x86-based processors has been reasonable. These early results suggest that x86 should possibly not be used as a baseline in the future.

Nick Breese is a gamer who has had an interest in security and open source for many years. He currently works as a security consultant for in Wellington, New Zealand. Past work experience has generally been focused on various IT projects for public sector organizations.

Recently, he accidentally got into cryptography while attempting to justify his company's purchase of a PlayStation 3 for him. He intends on repeating this exercise in order to obtain other new gadgets to play with.

Bad Sushi - Beating Phishers at Their Own Game

Nitesh Dhanjani, Senior Manager and Leader of Application Security Services, Ernst & Young LLP

Billy Rios,Microsoft

This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, demonstrate how easy it is so follow a phsisher's trail to find out how they share information on US Citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.

Phishers usually setup their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be setup to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.

This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.

This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.

Nitesh Dhanjani, In addition being an actual reincarnation of Dawkins' Spaghetti Monster, Nitesh Dhanjani is also a rare type of Blowfish that is poisonous to phishermen across the world. Once netted, Dhanjani's poison quickly disables the phishermen and spreads to the their prized lines and lures. Currently, only two individuals, namely Chuck Norris and Bruce Schneier, are known to handle this toxic poison without fear of death.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Side Channel Analysis on Embedded Systems. Impact and Countermeasures

Job DeHaas, Senior Specialist, Riscure

For 10 years Side Channel Analysis and its related attacks have been the primary focus in the field of smart cards. These cryptographic devices are built with the primary objective to resist tampering and guard secrets. While embedded systems often have a lower security profile, such attacks are also becoming real for these devices. An example is the latest attack on the Xbox 360. This talk explores the use and impact of Side Channel Analysis on embedded systems. At the same time different countermeasures are available to defend against Side Channel Analysis. The options for developers to mitigate the impact of such attacks will be examined.

Job DeHaas, holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, PDAs, VoIP enabled devices and a range of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics that are based on Sparc, MIPS, Intel and ARM processors.

At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has researched the security features and weaknesses of embedded technology for many years.

Job has a long speaking history at international conferences, including talks on kernel-based attacks, security of mobile technologies such as GSM, SMS and WAP, and the reverse engineering of embedded devices.

New Viral Threats of PDF Language

Eric Filiol, Head Scientist Officer, Virology and Cryptology Lab, French Signals Academy

Adobe Portable Document Format has become the most widespread and used document description format throughout the world. It is also a true programming language of its own, strongly dedicated to document creation and manipulation which has accumulated a lot of powerful programming features from version to version. Until now, no real, exploratory security analysis of the PDF and of its programming power with respect to malware attacks has been conducted. Only a very few cases of attacks are known, which exploit vulnerabilities in the management of external programming languages (Javacript, VBS).

This paper presents an in-depth security analysis of the PDF programming features and capabilities, independently from any vulnerability. The aim is to exhaustively explore and evaluate the risk attached to PDF language-based malware which could successfully subvert some of PDF primitives in order to conduct malware based attacks. Along with a dedicated PDF document analysis and manipulation tool we have designed, this paper presents two proof-of-concepts on an algorithmic point of view, which clearly demonstrate the existence of such a risk. We also suggest some security measures at the users'level to reduce this risk.

Eric Filiol, Head Scientist Officer of the Virology and Cryptology Lab, at the French Signals Academy in Rennes, France. He holds a PhD in mathematics and Computer Science, a PhD HDR in computer science as well as an Engineer Diploma in Cryptology.

Mr. Filiol would like to acknowledge Alexandre Blonce and Laurent Freyssignes for their hard work and contribution to this presentation as co-authors. Alexandre Blonce and Laurent Freyssignes are French Navy officers and are working with the Virology and Cryptology Lab.

0-Day Patch -Exposing Vendors (In)Security Performance

Stefan Frei, ETH Zurich, Communications Systems Group

Bernard Tellenbach, ETH Zurich, Communications Systems Group

We introduce the 0-day patch rate as metric to measure the evolution of the security ecosystem and the performance of software vendors to protect their customers. The 0-day patch rate is the number of patches a vendor is able to release at the day of the public disclosure of the vulnerability. We directly compare the performance of Microsoft and Apple over the last 6 years. Further, this metric allows us to measure the effectiveness of the coordinated vulnerability disclosure process. The long-term analysis of patches available at 0, 30, 90 and 180 days after the disclosure gives insight into the vendors processes and the evolution of the security ecosystem. We discover trends and discuss their implications.

Stefan Frei received the master degree in electrical engineering from the Federal Institute of Technology of Zurich (ETH Zurich) in 1995. As a winner of an ERASMUS scholarship, he wrote the master thesis in optical communication at the école nationale supérieure des télécomunications (ENST) in Paris, France. Until 2000, he was mainly involved in networking security and the development and operation of secure web and mail applications. He then joined ISS X-Force EMEA to provide technical expertise and security consulting for international clients. He specialized in vulnerability research, networking and web application security. In 2005, he rejoined ETH Zurich for a Ph.D. research position in information security under supervision of Prof. Bernhard Plattner and as lecturer of the networking security course. His research interests are vulnerability analysis and networking security. He received his master of advanced studies in management, technology and economics from ETH Zurich in 2007.

Bernhard Tellenbach received the master degree in Electrical Engineering and Information Technology from the Swiss Federal Institute of Technology of Zurich (ETH Zurich) in 2005. After his master degree he joined the communication systems group lead by Prof. Bernhard Plattern for a Ph.D. research position with focus on network- and system security. In parallel to his Ph.D. position, he became a lecturer for computer science at the university of applied science Rapperswil in 2006 and started his own security consulting business in 2007.

Intercepting Mobile Phone/GSM Traffic

David Hulton, Security Researcher, Pico Computing, Inc.

Steve, Security Researcher, Pico Computing, Inc.

This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for 900 USD. The second part of the talk unravels a practical solution to crack the GSM encryption A5/1.

David Hulton and Steve are enthusiastic security researchers.

Biologger - A Biometric Keylogger

Matthew Lewis, IRM plc

Biometric systems comprise electronic devices, and as such can utilize common electronic transports for the transmission of biometric related data. With biometric access control and identification systems, users will typically present their biometric to a sensing device, which in turn may transmit data pertaining to that biometric to a server or secondary processing unit to perform biometric comparisons and auditing functions. Following this matching process, further electronic signals will be generated, perhaps to open a door, or to issue a message to a terminal to inform whether or not a user has been identified/verified. In this presentation we realize a proof-of-concept implementation of a biometric keylogger, or “Biologger”. While conventional keyloggers are typically used to obtain passwords or encryption keys to circumvent specific security measures, our Biologger will aim to capture biometric-related data between a biometric device and other processing units, to be used and exploited in a number of potential attack vectors against the biometric system.

While the research surrounding this presentation focused on specific fingerprint access control devices, the overall aim of this presentation is to highlight the possible attacks and risks within this domain. We postulate that without adequate protection of biometric data and control signals, similar techniques to those described in this presentation may be successfully applied to other biometric modes, such as face and iris recognition access control systems.

Matthew Lewis is a Security Consultant at Information Risk Management Plc (IRM) where he performs a range of consultancy services including providing advice to clients about the use of biometrics. Prior to working at IRM, Matthew spent three years at CESG (the UK Government's Information Assurance arm) researching the security capabilities of biometric systems and advising Government about their use. Matthew has presented at many international conferences on the subject of biometrics and co-administered the UK Biometrics Working Group.

Developments in Cisco IOS Forensics

Felix "FX" Lindner, Recurity Labs GmbH

Attacks on network infrastructure are not a new field. However, the increasing default protections in common operating systems, platforms and development environments increase interest in the less protected infrastructure sector. Today, performing in-depth crash analysis or digital forensics is almost impossible on the most widely used routing platform. This talk will show new developments in this sector and query the audience for their experience, input and wishes.

Felix "FX" Lindner runs Recurity Labs. FX has over 10 years experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments.

FX is well known in the computer security community and has presented his and Phenoelit's security research on Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.

URI Use and Abuse

Nathan McFeters, Senior Security Advisor, Ernst & Young

Rob Carter, Security Advisor, Ernst & Young

Billy Rios, Microsoft

URIs link us to commands and programs which have been written by developers and are subject to all of the same code flaws that any other system might be, what is most interesting is that the usage of URIs links us to that back end application through a browser, making Cross Site Scripting attacks a possible trigger for any flaws we may discover.

This presentation will discuss the subject of URI attacks, glossing over several 0-days that were originally discussed at DEFCON 15, Black Hat Japan 2007, and Black Hat Federal 2008 and will move into more recent research that exposes applications functionality resulting in some scary attacks. Examples will include stack overflows, command injections, format string flaws, utilizing an application to send all of a user's pictures to an arbitrary server, etc. All of these attacks are leverage able thru XSS exposures, and thus XSS, CSRF, Phishing, and Anti-DNS Pinning attacks will be combined with the URI attacks to devastating effect.

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center based out of Chicago, IL. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box.

Prior to taking the position with Ernst & Young, Nathan paid his way thru undergrad and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area.

Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.

Rob Carter is a Security Advisor for Ernst & Young's Advanced Security Center in Houston, TX. He has performed web application, internet, intranet, and wireless reviews and penetration tests for multiple Fortune 500 clients.

Rob's primary area of interest is in web application security research and tool development. He has an undergraduate degree from Western Michigan University in Computer Science.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Mobile Phone Spying Tools

Jarno Niemelä, Senior Anti-Virus Researcher, F-Secure

Mobile phone spying tools are tools that are used to spy on persons private information and usage of the phone. Spying tools range from simple SMS forwarding tools to tools that can reveal all private information that the phone has, be it phone book, call history or current physical location.

The authors of mobile spying tools claim that such tools should be used only for legal purposes, such as monitoring your children or track stolen phones.

However with the capabilities provided by such tools they can just as easily used for stalking or corporate espionage.

This talk will give more information about currently available mobile spying tools and threats they represent. The talk will cover currently available tools, what they are capable of and how to detect that phone is being spied on.

Jarno Niemelä joined F-Secure Corporation in year 2000 as Mobile Anti-Virus researcher and currently serves as Senior Anti-Virus researcher in same company. He has followed the mobile malware and security field for over six years and has seen the development of the threats from the first Palm OS trojan to current Symbian malware.

The Fundamentals of Physical Security

Deviant Ollam, The Open Organization of Lockpickers

As a veteran trainer in the field of locks and physical security, Deviant has given innumerable presentations geared towards security professionals who are in charge of overseeing facilities. Those who attend this session will leave with a full awareness of how to best protect buildings and grounds from unauthorized access. Discussion as well as direct example will be used to demonstrate the grave failings of low-grade hardware... much of which will be opened by audience members with no prior training. What features to look for in locks and safes will be covered, and how to invest in systems that are easiest to manage in large environments will be discussed.

While paying the bills as a network engineer and security consultant, Deviant Ollam's first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology's "Science, Technology, & Society" program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A fanatical supporter of First Amendment rights who believes that the best way to increase security is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations at ShmooCon, DefCon, HOPE, HackCon, HackInTheBox, and the United States Military Academy at West Point.

Client-side Security

Petko D. Petkov, Founder, GNUCITIZEN

Client-side software generally refers to a class of computer programs that are executed on the client, by the user's supporting environment, instead of the server. Both clients and servers are in constant interaction. In a Web environment, the client is represented by the user's web browser, while the server is the remote computer which serves dynamic content. In a much broader context, the client-server relationships can be represented by a network client connected to a WiFi network.

This paper describes numerous techniques for attacking Clients-side technologies. The content of the paper is based the research that has been conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.

Petko D. Petkov, a.k.a pdp (architect), is the founder and leading member of the GNUCITIZEN Cutting Edge Think tank. He is a widely recognized information security researcher, penetration tester and published author who has contributed to numerous best-selling books, popular blogs and online magazines. PDP is also popular as the editor in chief of Hakiri - Hackers' Lifestyle web magazine.

Antiphishing Security Strategy

Angelo P.E. Rosiello Business Analyst, The European House - Ambrosetti

In this presentation we are going to introduce phishing phenomenon and anti-phishing countermeasures.

The aim of the presentation is to discuss some solutions proposed in the literature, trying to understand their advantages and limitations.

We will also analyze black-list and page-analysis based methods and their real effectiveness, comparing Microsoft Internet Explorer 7 and Mozilla Firefox 2. To conclude, a new innovative approach, based on the layout similarity of WebPages will be illustrated.

Angelo P.E. Rosiello, Angelo P.E. Rosiello, has a Masters degree cum laude in computer science engineering and a ITIL Service Management Foundation certification. He initially worked at Accenture (consulting workforce) for the Security Strategy Service Line and is now employed by the strategy management consulting firm The European House–Ambrosetti.

Roseillo has written many articles about security topics such as: "A hash-based approach for functional regularity extraction during logic synthesis", IEEE Computer Press; "A Layout-Similarity-Based Approach for Detecting Phishing Pages", IEEE International Conference on Security and Privacy in Communication Networks (SecureComm; Attacking Adjacent Memory Regions in the Stack(Best paper Award, NSS Pisa 2006); "The Basics of Shellcoding";"Shadow Software Attacks"; "Stack Overflow Analysis and Exploiting Ways"; "Udp Remote Controls"; "ARC: A Synchronous Stream Cipher from Hash Functions" and many more in HackerJournal and Hakin9 magazines.

Angelo was a speaker at:

  • SyScan '06 - Singapore
  • NoCoNName '06 - Palma de Maiorca
  • ITUnderground '06 - Warsaw
  • AtSystem '06 - CNR Pisa (Best Paper Award)
  • ITUnderground '07 - Prague
  • Confidence '07 - Krakow

Attacking Anti-Virus

Feng Xue (a.k.a Sowhat), Technical Lead, Nevis Labs

This is perhaps the first comprehensive presentation that combines two important topics: How to exploit anti-virus software and how to audit it.

People have talked about AV security before. Alex Wheeler spoke about it from the reverse engineering point of view and Sergio Alvarez's presentation did not mention too much about the exploitation and technical detail.

This talk will concentrate on:

  • Why AV security is critical
  • Why AV is full of holes
  • What are the ways in which attackers can exploit AV vulnerabilities
  • How to audit AV
  • What should the vendors, researchers, and end-users do
This talk will also be seriously questioning the security of "security products".

Feng Xue is a Technical Lead at Nevis Labs. His emphasis is on uncovering vulnerabilities and analyzing them. He has discovered over 30 vulnerabilities in popular applications from companies like Microsoft, Symantec, Apple, Trend Micro, HP and Real Networks, among others. He is a frequent speaker at conferences and has presented at XCON 2005. Feng Xue was scheduled to present at 22C3 and PACSEC, but unfortunately, had to cancel it due to personal reasons.

Security Failures in Secure Devices

Christopher Tarnovsky, Flylogic Engineering, LLC.

Semiconductor manufacturers world-wide produce devices they claim are "secure". The security is typically implied from the documentation for a device but is rarely tested. The end-user simply believes what they read. They trust their intellectual-property (IP) will be safe and secure inside the device.

This is commonly found to be far from reality. In fact, most of these devices are extremely simply for an equipped attacker to "break".

Practical attacks on commonly found devices will be discussed and what could have been done to help prevent it or at least make it harder. The discussion will include real-world examples of failures in secure devices.

Flylogic Engineering, LLC. specializes in analysis of semiconductors from a security "how strong is it really" standpoint. We offer detailed reports on substrate attacks which define if a problem exists. If a problem is identified, we explain in a detailed report all aspects of how the attack was done, level of complexity and so on. This is something we believe is unique and allows the customer to then go back to the chip vendor armed with the knowledge to make them make it better (or possibly use a different part).

Investigating Individuals and Organizations Using Open Source Intelligence

Roelof Temmingh, Founder, Paterva

Chris Böhme, co-founder, Pinkmatter Solutions

In this presentation we will show how the abundance of information on the Internet (using the 'surface web' as well as the deep web) can be used to create a comprehensive profile of a person or a group / organization. The presentation will include a real world, live demo of the Maltego framework for data collection and correlation. The demo will cover collection and visualization of both open source and internal data sources and will show how n-th order relationships can be found and analyzed using the tool.

Furthermore we will discuss (with live examples) how the lack of true identity on the net (think websites, social networks, email, IM) can result in the creation of virtual communities which can be used for anything from stock market manipulation to political gain. Finally we will discuss possible solutions to the problem and ways to detect and protect yourself.

Born in South Africa, Roelof Temmingh studied at the University of Pretoria and completed his Electronic Engineering degree in 1995. He worked as developer, and later system architect at an information security engineering firm from 1995 to 2000. Early in 2000 he started the security assessment and consulting firm SensePost along with some of the leading thinkers in the field. During his time at SensePost he was the Technical Director in charge of the assessment team and later headed the Innovation Centre for the company. Roelof spoke at various international conferences such as Blackhat, Defcon, CanSecWest, RSA, Ruxcon, HiTB and FIRST. He also contributed to books such as "Stealing the network: How to own a continent", "Google Hacking for Penetration Testers (E2)" and was a lead trainer in the "Hacking by Numbers" training course. Roelof authored the initial releases of several well known security testing applications like Wikto, Crowbar, BiDiBLAH and Suru. At the start of 2007 Roelof founded Paterva in order to pursue R&D in his own capacity. Here he created the information collection, correlation and visualization tool known as Maltego.

As a qualified electronic engineer Chris Böhme started out in the network security field in 1994. Since then he has worked for a number of companies as developer and software architect building, network appliances, communication security systems and statistical simulations. As a co-founder of Pinkmatter Solutions he now spends his time engaging in interesting software projects. Chris don't eat things with eyes that move.

Exposing Vulnerabilities in Media Software

David Thiel, Security Consultant, iSEC Partners

Deep codec fuzzing presents a rich opportunity for turning up hard to find bugs, and can be a useful tool for developers to ensure the robustness of code. It also requires techniques different than those used in traditional, bit-flipping file fuzzers. This presentation explores techniques and results of media codec fuzzing, using several modern audio codecs as examples. Also discussed will be a number of unique characteristics of media container formats that make the writing of exploits fairly easy compared to other binary stream formats.

Following up on the tools and vulnerabilities reported at Black Hat USA in Las Vegas, this presentation will include new attacks on transcoders, and a new Fuzzbox version will be released with support for fuzzing new and popular media formats.

David Thiel is a Security Consultant with iSEC Partners, Inc, a strategic digital security organization. His areas of expertise are web application penetration testing, network protocols, and fuzzing. Research interests include media software vulnerabilities, mobile and embedded device exploitation, and attack vectors in emerging web application technologies.

Before joining iSEC Partners, David was Security Architect at In his free time, he pursues various audio interests, and is a committer to the FreeBSD project.

Hacking Second Life

Michael Thumann, CSO, ERNW GmbH

Beyond being an online game SecondLife is a growing marketplace for big companies where lot of money is made. Living and acting in a virtual world gives the people the opportunity to do things they would never do in real life. Therefore it is not surprising that SecondLife has increasingly attracted real world hackers.

The talk will cover the basic architecture of SecondLife and point out the possible attack vectors against SecondLife itself, but will also demonstrate hacks from the inside of SecondLife against real-life systems in the internet. So watch out what virtualization can do for the "Bad Guys".

Michael Thumann is Chief Security Officer and head of the ERNW "Research" and "Pen-Test" teams. He has published security advisories regarding topics like 'Cracking IKE Prshared Keys' and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. 'tomas - a Cisco Password Cracker', 'ikeprobe - IKE PSK Vulnerability Scanner' or 'dnsdigger - a dns information gathering tool') and his experience with the community. Besides numerous articles and papers he wrote the first (and only) German Pen-Test Book that has become a recommended reading at german universities.

In addition to his daily pentesting tasks he is a regular conference-speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michaels' main interest is to uncover vulnerabilities and security design flaws from the network to the application level.

Iron Chef Black Hat: John Henry Challenge

Jacob West, Fortify Software

Pravir Chandra, Principal Consultant, Cigital

Brian Chess, Chief Scientist, Fortify Software

Sean Fay, Lead Engineer, Fortify Software

Get ready for the code to fly as two masters compete to discover as many security vulnerabilities in a single application as possible. In the spirit of the Food Network's cult favorite show, Iron Chef, our Chairman will reveal the surprise ingredient (the code), and then let the challenger and the 'Iron Hacker' face off in a frenetic security battle. The guest panel will judge the tools created and techniques used to determine which who's hack-fu will be victorious and who will be vanquished.

Remember, our testers have only one hour to complete their challenge and they will be restricted to their respective choice of bug-finding techniques: One team will use automated tools they themselves have built, while the other will flex their security muscles through manual code review. Watch as the masters wield their weapons of choice. What will they concoct? Who will come out victorious? Will the steam-powered static analysis team conquer a team wielding only their own brawn?

Visit 'Vulnerability Stadium' and watch a fierce battle. Our contestants will have upwards of five minutes to discuss their strategy before the battle begins. The show will be taped live with a studio audience and our co-hosts will provide running commentary, encourage the competitors and judge the results with the audience, based on originality of created tool, presentation of the number of bugs, and creativity of using the tool when searching for vulnerabilities. So Black Hat attendees... with an open application and an empty exploit list, I say unto you in the words of my uncle: Hack This!

Jacob West manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. When he is not in the lab, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

Pravir Chandra is a Principal Consultant at Cigital. Pravir is widely recognized in the industry for his expertise in security-based code analysis, and also for his ability to apply this knowledge strategically from a business perspective. He was most recently affiliated with Secure Software, Inc., where he was Co-Founder and Chief Security Architect. Previously, he managed an Operations Security group at AOL Time Warner where he supervised the build-out and maintenance of critical security infrastructure for the company and spent time as a research associate at Cigital. Pravir's book, Network Security with Open SSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes serving as Project Lead for the Comprehensive Lightweight Application Security Process (CLASP) project with the Open Web Application Security Project (OWASP) Foundation.

Brian Chess is the Chief Scientist at Fortify Software. His work focuses on practical methods for creating secure systems. Brian draws on his previous research in integrated circuit test and verification to find new ways to uncover security issues before they become security disasters. Brian has his Ph.D. in computer engineering from UC Santa Cruz. Brian has spoken at RSA, USENIX and CSI 2006, among many other industry events.

Sean Fay works at Fortify Software, where he is the lead engineer for Fortify Source Code Analysis. Sean holds a degree in Literature and a degree in Computer Science, both from the Massachusetts Institute of Technology. None of Sean's diverse set of hobbies are suitable for print in a family-oriented publication.

DTRACE: The Reverse Engineer's Unexpected Swiss Army Knife

David Weston, Science Applications International Corporation (SAIC)

Tiller Beauchamp, Science Applications International Corporation (SAIC)

Security researchers face many challenges when searching for vulnerabilities and reverse engineering applications. Simple fuzzing can be time consuming and fruitless and require many different tools to fully instrument the target. Applications and malware can detect and evade traditional debuggers and generate phantom exceptions. Kernel and driver bugs can be difficult to discover and debug. This paper will examine how DTrace, a kernel based dynamic scriptable tracer, can help security researchers overcome these challenges.

DTrace, created by SUN and originally intended for performance monitoring, is one of the most exciting additions to OS X Leopard and is being ported to Linux and BSD. DTrace offers an unprecedented view of both user and kernel space, which has many interesting implications for security researchers. In this paper we explore and build upon the use of DTrace as a security research tool.

Many of the features of DTrace can be leveraged to discover new exploits, unobtrusively monitor malware and even protect against buffer overflow attacks. We will walk the reader through the interesting applications of DTrace, showing how to trace fuzz data through vulnerable system calls, generate code coverage graphs of vulnerable and network accessible functions and trace code paths in target applications over the network visually with IDA Pro, all without the overhead of stopping and starting the application that traditional debuggers impose. In order to overcome the limitations of DTrace, we will introduce a DTrace-based programmatic framework written in Ruby. This framework supports vulnerability discovery through binary instrumentation by offering function level code coverage, stack visualization and integration with the IDA debugger. Finally we illustrate how the framework is used to efficiently discover vulnerability and engineer an exploit.

David Weston is security researcher and penetration tester at Science Applications International Corporation. Pursuing a graduate degree his research interests include: Fuzzing and Reverse Engineering. He has an undergraduate degree from the University of California at Santa Barbara

Tiller Beauchamp works as a senior security consultant for SAIC providing security auditing services to large commercial, state and DoD customers. His areas of expertise include network penetration testing, web application security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer Science from the University of Oregon with a specialization in software engineering. He has worked as the lead developer for Team Defend, SAIC's portable computer and network defense exercise. Beauchamp is also responsible for maintaining the company's penetration toolkit and penlab.

1997-2008 Black Hat ™