|
KEYNOTE: A Story About Digital Security in 2017
Richard Clarke, Chairman, Good Harbor Consulting
|
|
To those who seek truth through science, even when the powerful try to suppress it.
|
| Richard A. Clarke is a former U.S. government official who specialized in intelligence, cyber security and counter-terrorism. Until his retirement in January 2003, Mr. Clarke was a member of the Senior Executive Service. He served as an advisor to four U.S. presidents from 1973 to 2003: Ronald Reagan, George H.W. Bush, Bill Clinton and George W. Bush. Most notably, Clarke was the chief counter-terrorism adviser on the U.S. National Security Council for both the latter part of the Clinton Administration and early part of the George W. Bush Administration through the time of the 9/11 terrorist attacks.
Clarke came to widespread public attention for his role as counter-terrorism czar in the Clinton and Bush Administrations when, in March 2004, he appeared on the 60 Minutes television news magazine, his memoir about his service in government, Against All Enemies, was released, and he testified before the 9/11 Commission. In all three instances, Clarke was sharply critical of the Bush Administration's attitude toward counter-terrorism before the 9/11 terrorist attacks and of the decision to go to war with Iraq.
Richard Clarke is currently Chairman of Good Harbor Consulting, a strategic planning and corporate risk management firm, an on-air consultant for ABC News, and a contributor to GoodHarborReport.com, an online community discussing homeland security, defense, and politics. He also recently published his first novel, The Scorpion's Gate, in 2005; and a second, Breakpoint, in 2007.
|

|
KEYNOTE: The NSA Information Assurance Directorate and the National Security Community
Tony Sager, Chief, Vulnerability Analysis and Operations Group, Information Assurance Directorate, National Security Agency
|
|
The Information Assurance Directorate (IAD) within the National Security Agency (NSA) is charged in part with providing security guidance to the national security community. Within the IAD, the Vulnerability Analysis and Operations (VAO) Group identifies and analyzes vulnerabilities found in the technology, information, and operations of the Department of Defense (DoD) and our other federal customers. This presentation will highlight some of the ways that the VAO Group is translating vulnerability knowledge in cooperation with many partners, into countermeasures and solutions that scale across the entire community. This includes the development and release of security guidance through the NSA public website (www.nsa.gov) and sponsorship of a number of community events like the Cyber Defense Initiative and the Red Blue Symposium. It also includes support for, or development of, open standards for vulnerability information (like CVE, the standard naming scheme for vulnerabilities); the creation of the extensible Configuration Checklist Description Format (XCCDF) to automate the implementation and measurement of security guidance; and joint sponsorship, with the National Institute of Standards and Technology (NIST) and the Defense Information Systems Agency (DISA), of the Information Security Automation Program (ISAP), to help security professionals automate security compliance and manage vulnerabilities.
The presentation will also discuss the cultural shift we have been making to treat network security as a community problem, one that requires large-scale openness and cooperation with security stakeholders at all points in the security supply chain: operators, suppliers, buyers, authorities and practitioners.
|
|
Tony Sager is the Chief of the Vulnerability Analysis and Operations (VAO) Group, part of the Information Assurance Directorate at the National Security Agency. The mission of the VAO organization is to identify, characterize, and put into operational context vulnerabilities found in the technology, information, and operations of the DoD and the national security community, and to help the community identify countermeasures and solutions. This group is known for its work developing and releasing security configuration guides to provide customers with the best options for securing widely used products. The VAO Group also helps to shape the development of security standards for vulnerability naming and identification, such as the Open Vulnerability and Assessment Language (OVAL), partnering with the National Institute of Standards and Technology (NIST) on the Information Security Automation Program (ISAP), developing the eXtensible Configuration Checklist Description Format (XCCDF), and hosting the annual Cyber Defense Exercise and the Red Blue Symposium. Mr. Sager is active in the public network security community, as a member of the CVE (Common Vulnerabilities and Exposures) Senior Advisory Council and the Strategic Advisory Council for The Center for Internet Security. He is in his 29th year with the National Security Agency, all of which he has spent in the computer and network security field.
|

|
KEYNOTE: The Psychology of Security
Bruce Schneier, Founder and CTO, BT Counterpane
|
|
Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. In the industry, we tend to discount the feeling in favor of the reality, but the difference between the two is important. It explains why we have so much security theater that doesn't work, and why so many smart security solutions go unimplemented. Two different fields, behavioral economics and the psychology of decision making, shed light on how we perceive security, risk, and cost. Learn how perception of risk matters and, perhaps more importantly, learn how to design security systems that will actually get used.
|
|
Bruce Schneier is an internationally renowned security technologist and CTO of BT Counterpane, referred to by The Economist as a "security guru." He is the author of eight books, including the best sellers "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," "Secrets and Lies," and "Applied Cryptography," and hundreds of articles and academic papers. His influential newsletter, Crypto-Gram, and blog, "Schneier on Security," are read by over 250,000 people. He is a prolific writer and lecturer, a frequent guest on television and radio, has testified before Congress, and is regularly quoted in the press on issues surrounding security and privacy.
|

|
Dangling Pointer
Jonathan Afek, Senior Security Researcher, Watchfire
|
|
A Dangling Pointer is a well-known security flaw in many applications.
When a developer writes an application, he/she usually uses pointers to many data objects. In some scenarios, the developer may accidentally use a pointer to an invalid object. In such a case, the application will enter an unintended execution flow, which could lead to an application crash or other types of dangerous behavior.
|
|
Jonathan Afek is a senior security researcher for Watchfire, a market-leading provider of software and services to help ensure the security and compliance of websites.
In his role as senior security researcher Jonathan is responsible for researching new web application vulnerabilities, performing application security audits and developing security-related features for Watchfire’s market-leading AppScan solution. Jonathan specializes in network and web application security, reverse engineering and exploit development.
|

|
Fuzzing Sucks! (or Fuzz it Like you Mean it!)
Pedram Amini, Lead, Security Research and Product Security Assessment Team at TippingPoint, a division of 3Com
Aaron Portnoy, Researcher, TippingPoint Security Research Team (TSRT)
|
|
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. Nonetheless, if you are serious about fuzz testing as a scientific process, as far as that is possible, then you have no doubt been disappointed with the current state of affairs. Until now.
This talk is about Sulley, an open-source, freely available, full-featured and extensible fuzzing framework being released at Black Hat USA 2007. Modern-day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, and is capable of reverting it to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine which unique sequence of test cases triggers a fault. Sulley does all this, and more, automatically and without attendance.
|
|
Pedram Amini currently leads the security research and product security assessment team at TippingPoint, a division of 3Com. Previous to TippingPoint, he was the assistant director and one of the founding members of iDEFENSE Labs. Despite the fancy titles he spends much of his time in the shoes of a reverse engineer, developing automation tools, plug-ins and scripts. His most recent projects (aka "babies") include the PaiMei reverse engineering framework and the Sulley fuzzing framework.
In conjunction with his passion for the field, he launched OpenRCE.org, a community website dedicated to the art and science of reverse engineering. He has previously presented at DefCon, RECon, ToorCon and taught numerous sold-out reverse engineering courses. Pedram holds a computer science degree from Tulane University, finds his current commander in chief rather humorous and recently co-authored a book on fuzzing titled "Fuzzing: Brute Force Vulnerability Discovery".
Aaron Portnoy, aka deft, is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering, vulnerability discovery, and tool development. Aaron has discovered critical vulnerabilities affecting a wide range of enterprise vendors including: RSA, Citrix, Symantec, Hewlett-Packard, IBM and others.
Additionally, Aaron has contributed mind share and code to OpenRCE, PaiMei, and various white papers and books. On a more personal note, Aaron is the proud owner of a Rottweiler/German Shepherd puppy and he also drives really (really) fast.
|

|
Kick Ass Hypervisoring: Windows Server Virtualization
Brandon Baker, Security Developer, Windows Kernel Team, Microsoft
|
|
Virtualization is changing how operating systems function and how enterprises manage data centers. Windows Server Virtualization, a component of Windows Server 2008, will introduce new virtualization capabilities to the Windows operating system. This talk will focus on the security model of the system, with emphasis on design choices and deployment considerations. Aspects of virtualization security related to hardware functions will also be explored.
|
|
Brandon Baker is a security developer in the Windows kernel team working on the Windows hypervisor and leading security development and testing for the Windows Server Virtualization project. For the past five years he has worked at Microsoft on security and separation kernels of one form or another. Prior to joining Microsoft, Mr. Baker was a security architect at a managed data center company. He has been working in the computer security field since 1997, when at NSA he co-authored the first guide for the secure configuration of Windows NT for the DoD. Mr. Baker has a B.S. in Computer Science from Texas A&M University.
|

|
Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation
Andrea Barisani, co-Founder and Chief Security Engineer, Inverse Path Ltd.
Daniele Bianco
|
|
RDS-TMC is a standard based on RDS (Radio Data System) for communicating Traffic Information for Satellite Navigation Systems over FM radio.
All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up to date information about traffic conditions such as queues and accidents and provide detours in case they affect the plotted course. The system is increasingly being used around Europe and North America.
The audience will be introduced to RDS/RDS-TMC concepts and protocols, and we'll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information into the broadcast RDS-TMC stream and manipulating the information displayed by the satellite navigator.
We'll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection/jamming can play in social engineering attempts (hitmen in the audience will love this!).
In order to maximize the presentation we'll also demo the injection...hopefully at low power so that we won't piss off local radio broadcasts.
|
|
Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago, but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He's currently involved with the Gentoo project, managing infrastructure server security as a member of the Gentoo Security and Infrastructure Teams, along with distribution development. Being an active member of the international Open Source and security community, he's maintainer/author of the tenshi, ftester and openssh-lpk projects and has been involved in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and is now the co-founder and Chief Security Engineer of Inverse Path Ltd.
|

|
Smoke 'em Out!
Rohyt Belani, Managing Partner, Intrepidus Group
Keith J. Jones, Owner and Senior Partner, Jones Rose Dykstra & Associates
|
|
Tracing a malicious insider is hard; proving their guilt even harder. In this talk, we will discuss the challenges faced by digital investigators in solving electronic crime committed by knowledgeable insiders. These challenges will be presented in light of three real-world investigations conducted by the presenters. The focus of this talk will be on the technicalities of the attacks, the motivation of the attackers, and the response techniques used by the investigators to solve the respective crimes.
The first case is the high-profile U.S. v Duronio trial, in which Keith Jones testified as the DoJ's computer forensics expert. Mr. Jones testified for over five days about how Mr. Duronio, a disgruntled employee, planted a logic bomb within UBS's network to render critical trading servers unusable. His testimony was key in the prosecution of the accused on charges of securities fraud and electronic crime. Mr. Jones will present the information as he did to the jury during this trial.
The second incident involved a recently fired employee at a large retail organization. The irked employee made his way from a store wireless network into the company's core credit card processing systems. The purpose of the attack was to malign the company's image by releasing the stolen data on the Internet. We will discuss the anatomy of the "hack", the vulnerabilities exploited along the way, and our sleepless nights in Miami homing in on the attacker.
The final case presented will focus on the technicalities of web browser forensics and how it facilitated the uncovering of critical electronic evidence that incriminated a wrong-doer and, more importantly, freed an innocent systems administrator at a law firm from being terminated and facing legal music.
The common thread in all these cases: a malicious insider!
|
|
Rohyt Belani is a regular speaker at various industry conferences including Black Hat, OWASP, InfoSec World, Hack In The Box, and several forums catering to the FBI and US Secret Service agents. He currently co-teaches a class at Carnegie Mellon University and has been invited to guest lecture at the University of Wisconsin.
As an industry expert he has opined on security issues via columns for online publications like Securityfocus and SC magazine, and interviews with BBC UK Radio.
He is also a contributing author for Osborne's Hack Notes: Network Security, as well as Addison Wesley's Extrusion Detection: Security Monitoring for Internal Intrusions.
Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project, a world-wide consortium of Java security experts.
Keith J. Jones is an owner and Senior Partner with Jones Rose Dykstra & Associates, a specialized services company which provides Computer Forensics, Electronic Evidence Discovery, Litigation Support and training to commercial and government clients. Mr. Jones is the Senior Partner responsible for the electronic evidence discovery and litigation support practices.
Mr. Jones is an industry-recognized expert in computer security with over ten years' experience in computer forensics and incident response. His expertise also includes information security consulting, application security, software analysis and design. Mr. Jones has been an expert witness on several high-profile cases.
Before partnering with Mr. Curtis W. Rose and Brian Dykstra, Mr. Jones was the Director of Computer Forensics, Incident Response and Litigation Support and a founding member of MANDIANT where he managed and directed technical teams which conducted computer intrusion investigations, forensic examinations, litigation support and e-discovery efforts.
Prior to becoming a co-founder of MANDIANT (formerly known as Red Cliff Consulting, LLC), Mr. Jones was the Director of Incident Response and Computer Forensics at Foundstone, where he led the service line's engagements and was a developer and lead instructor of several technical education courses. Earlier in his distinguished career, Mr. Jones served as a Senior Security Administrator at a biotechnology company, responsible for the corporation's entire information security model, where he developed a security and network infrastructure from conception to completion; and managed a team of developers at SYTEX, Inc, a Department of Defense contractor, on several software development projects, where he was in charge of building specialized tools for log analysis, attack and penetration, defensive measures and vulnerability assessments.
Mr. Jones is an accomplished author, and his works include "Real Digital Forensics: Computer Security and Incident Response", Addison-Wesley, published in March 2005 and "The Anti-Hacker Toolkit", McGraw-Hill, copyright 2002, recognized in the security industry as a definitive reference on critical applications for security practitioners.
Mr. Jones holds two Bachelor of Science degrees, in Electrical Engineering and Computer Engineering. He also earned a Master of Science degree in Electrical Engineering from Michigan State University. Mr. Jones earned and maintains the Certified Information Systems Security Professional (CISSP) certification and is an associate member of the American Bar Association (ABA). He also holds several lifetime memberships in the engineering, electrical engineering, and mathematical honor societies.
|

|
Sphinx: An Anomaly-based Web Intrusion Detection System
Damiano Bolzoni, PhD student at Twente University
Emmanuele Zambon
|
|
We present Sphinx, a new, fully anomaly-based Web Intrusion Detection System (WIDS). Sphinx has been implemented as an Apache module (like ModSecurity, the most widely deployed Web Application Firewall) and can therefore deal with SSL and POST data. Our system uses several techniques at the same time to improve detection and false positive rates. Being anomaly-based, Sphinx needs a training phase before real detection can start: during training, Sphinx automatically “learns” the type of each parameter inside user requests and applies the most suitable model to detect attacks. We define 3 basic types: numerical, short text and long text. The idea behind this is that if, e.g., we observe only integer values and later some text, that is likely to be an attack (e.g. SQL Injection or XSS).
For numerical parameters, a type checker is applied. For short texts (text with a fixed length or slight variations), Sphinx uses a grammar checker: grammars are built by observing the parameter content during the training phase and are then used to check the similarity of new content during detection. Long texts are typically e-mail/forum messages, whose length changes often and which would produce infeasible grammars. For this kind of content we use a modified version of our NIDS POSEIDON, using n-gram analysis.
Furthermore, Sphinx can actively support the deployment of WAFs like ModSecurity: e.g. when deploying an ad hoc web application (or third parties’ software), one most probably needs to spend a lot of time writing signatures. Once Sphinx completes the training phase, it can automatically generate ModSecurity-style signatures for numerical and (some) short-text parameters, making deployment much easier.
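The per-parameter typing scheme described above, as an added Python illustration (not the Sphinx module itself): it learns numerical, short-text and long-text parameters from constructed benign requests, flags values that no longer fit the learned type, and emits a ModSecurity-style rule for numerical parameters. The thresholds, the simplified "grammar" (allowed character classes plus a length range), the training data and the rule id are assumptions of this example.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode

# Thresholds are assumptions for this example, not values from the Sphinx paper.
SHORT_MAX_LEN = 32       # longest training value still treated as "short text"
LENGTH_SLACK = 2         # tolerated deviation from the observed length range
NOVEL_NGRAM_RATIO = 0.5  # share of unseen trigrams that makes a long text anomalous


def char_class(c):
    """Coarse classes; punctuation stays literal so ' < ; differ from letters."""
    if c.isdigit():
        return "d"
    if c.isalpha():
        return "a"
    return "s" if c.isspace() else c


def trigrams(text):
    return {text[i:i + 3] for i in range(max(len(text) - 2, 0))}


class ParameterModel:
    def __init__(self):
        self.samples = []
        self.kind = None

    def train(self, value):
        self.samples.append(value)

    def finalize(self):
        """Decide the parameter type once all benign samples have been seen."""
        lengths = [len(v) for v in self.samples]
        if all(v.lstrip("-").isdigit() for v in self.samples):
            self.kind = "numerical"
        elif max(lengths) <= SHORT_MAX_LEN:
            # Sphinx's grammar checker is simplified here to an allowed set of
            # character classes plus a length range.
            self.kind = "short"
            self.classes = {char_class(c) for v in self.samples for c in v}
            self.min_len, self.max_len = min(lengths), max(lengths)
        else:
            # Free-form text: character n-gram model, in the spirit of POSEIDON.
            self.kind = "long"
            self.ngrams = set().union(*(trigrams(v) for v in self.samples))

    def is_normal(self, value):
        if self.kind == "numerical":
            return value.lstrip("-").isdigit()
        if self.kind == "short":
            if not self.min_len - LENGTH_SLACK <= len(value) <= self.max_len + LENGTH_SLACK:
                return False
            return all(char_class(c) in self.classes for c in value)
        seen = trigrams(value)
        return not seen or len(seen - self.ngrams) / len(seen) <= NOVEL_NGRAM_RATIO

    def modsecurity_rule(self, name, rule_id):
        """ModSecurity-style rule for a numerical parameter; rule_id is a placeholder."""
        if self.kind != "numerical":
            return None
        return (f'SecRule ARGS:{name} "!@rx ^-?[0-9]+$" '
                f'"id:{rule_id},phase:2,deny,status:403,msg:\'{name} must be numeric\'"')


class AnomalyWIDS:
    def __init__(self):
        self.params = defaultdict(ParameterModel)

    def train(self, query_string):
        for name, value in parse_qsl(query_string, keep_blank_values=True):
            self.params[name].train(value)

    def finalize(self):
        for model in self.params.values():
            model.finalize()

    def detect(self, query_string):
        """Names of anomalous parameters; parameters never seen in training count too."""
        return [name for name, value in parse_qsl(query_string, keep_blank_values=True)
                if name not in self.params or not self.params[name].is_normal(value)]


# Constructed benign training requests for a forum "post reply" endpoint.
TRAINING = [
    {"id": "17", "user": "alice",
     "msg": "Thanks for the quick reply, the patch fixed the login issue for me."},
    {"id": "42", "user": "bob_smith",
     "msg": "Has anyone else seen the scheduler hang after the upgrade?"},
    {"id": "108", "user": "carol99",
     "msg": "Works fine here, maybe check the file permissions first."},
]


def build_wids():
    wids = AnomalyWIDS()
    for request in TRAINING:
        wids.train(urlencode(request))
    wids.finalize()
    return wids
```

With only three training requests the n-gram model is deliberately loose; a real deployment would train on far more traffic and tune the ratio down.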
|
|
Damiano Bolzoni is currently a PhD student at the University of Twente, Netherlands. He received a MSc in Computer Science from the University of Venice, Italy, with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. His research topics are IDS and risk management.
Emmanuele Zambon pursued an MSc degree in Computer Science at the University of Venice, Italy, with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is an author of, and researcher behind, the POSEIDON paper.
|

|
Remote and Local Exploitation of Network Drivers
Yuriy Bulygin, Security Expertise Center of Excellence (SECoE) and PSIRT team at Intel Corporation
|
|
During 2006, vulnerabilities in wireless LAN drivers gained increasing attention in the security community. One can explain this by the fact that an attacker can take control of any vulnerable laptop, without any "visible" connection to it, and execute malicious code in the kernel.
This work describes the process behind hunting remote and local vulnerabilities in wireless LAN drivers as well as in other types of network drivers. The first part of the work describes simple and much more advanced examples of remote execution vulnerabilities in wireless device drivers that should be considered during a vulnerability search. We demonstrate an example design of a kernel-mode payload and construct a simple wireless frame fuzzer. The second part of the work explains local privilege escalation vulnerabilities in the I/O Control device driver interface on Microsoft® Windows® and introduces a technique to uncover them. The third part of the work describes specific examples of local vulnerabilities in network drivers that can be exploited remotely, and an exploitation technique. In the last part of the work we present case studies of remote and local vulnerabilities mitigated in Intel® Centrino® wireless LAN device drivers.
|
|
Yuriy Bulygin is a member of Security Center of Excellence (SeCoE) and Product Security Incident Response Team (PSIRT) at Intel Corporation. He focuses on (in)security analysis and penetration testing of various technologies, research in cryptography, exploitation techniques, malware and worm epidemics.
Prior to joining Intel Corporation in 2006, Yuriy Bulygin was a member of the Technological Research team at Kaspersky Lab. He has previously been a member of the 3G mobile networks security working group in Russia. Yuriy Bulygin holds a Ph.D. in cryptography and a Master's in applied math from the Moscow Institute of Physics and Technology (MIPT), Moscow, Russia, and the sole ISC2 SSCP record issued in Russia. Yuriy has taught Information Security classes at MIPT.
|

|
Blackout: What Really Happened...
Jamie Butler, Principal Software Engineer, MANDIANT
Kris Kendall, MANDIANT
|
|
Malicious software authors use code injection techniques to avoid detection, bypass host-level security controls, thwart the efforts of human analysts, and make traditional memory forensics ineffective. Often a forensic examiner or incident response analyst may not know the weaknesses of the tools they are using or the advantage the attacker has over those tools by hiding in certain locations.
This session provides a detailed exploration of code injection attacks and novel countermeasures, including:
- The technical details of code injection starting with basic user land techniques and continuing through to the most advanced kernel injection techniques faced today.
- A case study of captured malware that reveals how these techniques are used in real-world situations.
- Discussion of current memory forensic strengths and weaknesses.
- New memory forensic analysis techniques for determining if a potential victim machine has been infected via code injection.
- Post acquisition analysis.
|
|
James (“Jamie”) Butler II is a Principal Software Engineer at MANDIANT. He has a decade of experience researching offensive security technologies and developing detection algorithms. Jamie has a Master of Science degree in Computer Science and holds a Top Secret security clearance.
He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and "Advanced Second Generation Digital Weaponry". Jamie is also co-author of the bestseller "Rootkits: Subverting the Windows Kernel" (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers and is a frequent speaker at computer security conferences.
Kris Kendall, a key leader of MANDIANT's technical team, has over eight years of experience in computer forensics and incident response. He provides expertise in computer intrusion investigations, computer forensics, and research & development of advanced network security tools and techniques. He is a former Special Agent in the United States Air Force Office of Special Investigations, and has developed several innovative tools that advanced the state-of-the-art in the rapidly evolving field of reverse engineering and binary analysis.
Mr. Kendall earned both a Bachelor of Science and a Master of Engineering degree from the Massachusetts Institute of Technology.
|

|
Intranet Invasion With Anti-DNS Pinning
David Byrne, Security Architect, EchoStar Satellite, owner of Dish Network
|
|
Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not. DNS-pinning is a technique web browsers use to prevent a malicious server from hijacking HTTP sessions. Anti-DNS pinning is a newly recognized threat that, while not well understood by most security professionals, is far from theoretical.
This presentation will focus on a live demonstration using anti-DNS pinning techniques to interact with internal servers through a victim web browser, completely bypassing perimeter firewalls. In essence, the victim browser becomes a proxy server for the external attacker. No browser bugs or plug-ins are required to accomplish this, only JavaScript, and untrusted Java applets for more advanced features.
If anyone still thought that perimeter firewalls could protect their intranet servers, this presentation will convince them otherwise.
|
|
David Byrne is a seven year veteran of the Information Security industry specializing in web application security. He is currently the Security Architect for EchoStar Satellite, owner of Dish Network. David is also the founder and current leader of the Denver chapter of the Open Web Application Security Project (OWASP).
|

|
Traffic Analysis: The Most Powerful and Least Understood Attack Methods
Jon Callas, Chief Technology Officer & Chief Security Officer, PGP Corporation
Raven Alder
Riccardo Bettati, Associate Professor in the Department of Computer Science, Texas A&M University
Nick Matthewson, Developer, Tor privacy network
|
|
Traffic analysis is gathering information about parties not by analyzing the content of their communications, but through the metadata of those communications. It is not a single technique, but a family of techniques that are powerful and hard to defend against.
Traffic analysis is also one of the least studied and least well understood techniques in the hacking repertoire. Listen to experts in information security discuss what we know and what we don't.
|
|
Jon Callas (moderator): Jon Callas is Chief Technical Officer and Chief Security Officer of PGP Corporation. He has worried about traffic analysis for years.
Raven Alder is a security researcher with wide-ranging expertise, including systems and network architecture design and analysis.
Riccardo Bettati is Associate Professor in the Department of Computer Science at Texas A&M University. His group has been studying timing analysis and traffic analysis in general in the context of private communication, bot classification, and other - sometimes surprising - distributed systems settings.
Nick Matthewson is one of the developers of the Tor privacy network. Traffic analysis is an important part of designing privacy-enhanced systems.
|

|
Reverse Engineering Automation with Python
Ero Carrera, Reverse Engineering Automation Researcher, SABRE Security
|
|
Instead of discussing a complex topic in detail, this talk will cover four different, very small topics related to reverse engineering, at a length of five minutes each, including some work on intermediate languages for reverse engineering and on malware classification.
|
|
Ero Carrera is currently a reverse engineering automation researcher at SABRE Security, home of BinDiff and BinNavi. Ero has previously spent several years as a Virus Researcher at F-Secure where his main duties ranged from reverse engineering of malware to research in analysis automation methods. Prior to F-Secure, he was involved in miscellaneous research and development projects and always had a passion for mathematics, reverse engineering and computer security.
While at F-Secure he advanced the field of malware classification with a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he's worked on include seminal research on generic unpacking.
Additionally, Ero is a habitual lurker on OpenRCE and has contributed to miscellaneous reverse engineering tools such as pydot, pype, pyreml and idb2reml.
|

|
Defeating Web Browser Heap Spray Attacks
Stephan Chenette, Senior Security Researcher for Websense Security Labs
Moti Joseph, Senior Security Researcher, Websense Security Labs
|
|
At Black Hat Europe 2007 a talk was given titled "Heap Feng Shui in JavaScript".
That presentation introduced a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allowed an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with more reliability and precision.
Our talk is a defensive response to this new technique. We will begin with an overview of "in the wild" heap spray exploits and how we can catch them, as well as other zero-day exploits, using our exploit-detection module. We will give an overview of the analysis engine we have built that utilizes this module, and we will demonstrate scanning and detection of a "live" website hosting a heap corruption vulnerability.
The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable to other browsers as well.
|
|
Stephan Chenette is a Senior Security Researcher for Websense Security Labs working on malcode detection techniques. He specializes in research tools ranging from kernel-land sandboxes to static analysis scanners. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4+ years working in research and product development at eEye Digital Security.
Moti Joseph has been involved in computer security since 2000. For the past 5 years he has been working on reverse engineering, exploit code and development of security products. His current job is as a Senior Security Researcher at Websense Security Labs.
|

|
Iron Chef Blackhat
Brian Chess, Chief Scientist, Fortify Software
Jacob West, Manager Security Research Group, Fortify Software
Sean Fay, Lead Engineer, Fortify Source Code Analysis, Fortify Software
Toshinari Kureha, Technical Lead and Principal Member of Technical Staff, Fortify Software
|
|
Get ready for the code to fly as two masters compete to discover as many security vulnerabilities in a single application as possible. In the spirit of the Food Network’s cult favorite show, Iron Chef, our Chairman will reveal the surprise ingredient (the code), and then let the challenger and the ‘Iron Hacker’ face off in a frenetic security battle. The guest panel will judge the tools created and used to determine whose hack-fu will be victorious and who will be vanquished.
Remember, our testers have only one hour to complete their challenge and will only be able to use tools they themselves have created. Watch as the masters wield their own weapons. What will they concoct? Who will come out victorious? Which techniques will prove most effective in a high-pressure every-minute-counts environment? Come and see for yourself!
Visit ‘Vulnerability Stadium’ and watch a fierce battle. Our contestants will have upwards of five minutes to discuss their strategy before the battle begins. The show will be taped live with a studio audience and our co-hosts will provide running commentary, encourage the competitors and judge the results with the audience, based on originality of created tool, presentation of the number of bugs, and creativity of using the tool when searching for vulnerabilities. So Black Hat attendees with an open application and an empty exploit list, I say unto you in the words of my uncle: Hack This!
|
|
Brian Chess is the Chief Scientist at Fortify Software. His work focuses on practical methods for creating secure systems. Brian draws on his previous research in integrated circuit test and verification to find new ways to uncover security issues before they become security disasters. Brian has his Ph.D. in computer engineering from UC Santa Cruz. Brian has spoken at RSA, USENIX and CSI 2006, among many other industry events.
Jacob West manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. When he is not in the lab, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.
Sean Fay works at Fortify Software, where he is the lead engineer for Fortify Source Code Analysis. Sean holds a degree in Literature and a degree in Computer Science, both from the Massachusetts Institute of Technology. None of Sean's diverse set of hobbies are suitable for print in a family-oriented publication.
Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of Fortify's runtime product line, including Fortify Defender and Fortify Tracer. Prior to joining Fortify, Kureha was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects, including Oracle Grid Control, Oracle Exchange and BPEL Orchestration Designer. Prior to working with Oracle, Kureha worked as a lead developer at Formal Systems, a web-based computer testing and assessment system for use in the Internet/Intranet. Kureha holds a bachelor's degree in computer science from Princeton University and has spoken at Software Security Summit, MSDN Webcast and the Bay Area's .NET user group, among many other industry events.
|

|
Unforgivable Vulnerabilities
Steve Christey, Principal Information Security Engineer, The MITRE Corporation
|
|
For some products, it's just too easy to find a vulnerability. First, find the most heavily used functionality, including the first points of entry into the product. Then, perform the most obvious attacks against the most common vulnerabilities. Using this crude method, even unskilled attackers can break into an insecure application within minutes. The developer likely faces a long road ahead before the product can become tolerably secure; the customer is sitting on a ticking time bomb. This turbo talk will identify some of the Unforgivable Vulnerabilities that illustrate a systematic disregard for secure development practices. I will conclude with a call-to-arms for establishing Vulnerability Assessment Assurance Levels (VAAL), and nominate these Unforgivable Vulnerabilities as exemplars of VAAL-0.
|
|
Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. Since 1999, he has been the Editor of the Common Vulnerabilities and Exposures (CVE) list and the Chair of the CVE Editorial Board. He is a technical consultant to the Common Weakness Enumeration (CWE) project. He is a contributor to standards-based efforts such as the SANS Secure Programming exams, the Common Vulnerability Scoring System (CVSS), and others. His current interests include secure software development, vulnerability information management, post-disclosure analysis, and vulnerability research. Past work, which dates back to 1993, includes co-authoring the "Responsible Vulnerability Disclosure Process" draft in 2002, reverse engineering of malicious code, automated vulnerability analysis of source code, and vulnerability scanning and incident response. He holds a B.S. in Computer Science from Hobart College.
|

|
Computer and Internet Security Law: A Year in Review 2006-2007
Robert Clark
|
|
This presentation reviews the important prosecutions, precedents and legal opinions of the last year that affect internet and computer security. We will discuss the differences between legal decisions from criminal cases and civil lawsuits and what that means to the security professional. Additionally, we look at topics such as: email retention and discovery; Hewlett-Packard; active response; nondisclosure and non-competition agreements; identity theft and notification issues; legal aspects of emerging technologies; lawsuits involving IT corporations (Google, Yahoo, Apple, Microsoft); and of course, the NSA surveillance litigation. As always, this presentation is strongly audience driven and it quickly becomes an open forum for questions and debate.
|
|
Robert Clark is the principal point of contact in the Department of the Navy Secretariat and the Office of the General Counsel for legal issues regarding information management/information technology. As such he is responsible for advising on critical infrastructure protection; information assurance; FISMA; privacy; electronic government; identity management; spectrum management; records management; information collection; Open Source Software; and infrastructure protection programs covering both physical and cyber assets. Prior to this position Mr. Clark was the legal advisor on computer network operations to the Army Computer Emergency Response Team. Both these positions require coordination and consulting with the DoD Office of General Counsel, NSA, and DoJ Computer Crime and Intellectual Property Section. He is a previous Black Hat lecturer and lectures at Def Con, the Army’s Intelligence Law Conference and the DoD’s Cybercrimes Conference.
|

|
Building an Effective Application Security Practice on a Shoestring Budget
David Coffey, Manager of Product Security, McAfee
John Viega, Vice President and Chief Security Architect, McAfee, Inc
|
|
Software companies inevitably produce insecure code. In 2006 alone, CERT has recognized over 8,000 published vulnerabilities in applications. Attackers were previously occupied by the weaker operating systems and have moved on to easier targets: applications. What makes this situation worse is the weaponization of these exploits and the business drivers behind them. Some organizations struggle to deal with this trend to try to protect their products and customers. Other organizations have nothing in place, and need to create measures as soon as possible.
This talk will raise several issues that global enterprise organizations currently face with application security and how to overcome them in a cost-effective manner. Some of the issues that will be discussed are software development lifecycle integration, global policy and compliance issues, necessary developer awareness and automated tools, and accurate metrics collection and tracking to measure the progress. Attendees will be introduced to best practices which have worked for McAfee and other large scale global enterprises, and be shown which practices to avoid. If you're only going to invest in a single activity to start, this talk will help you figure out what it should be, and how to measure its success.
|
|
David Coffey is the manager of product security at McAfee. At McAfee, David is responsible for assessing the current state of security of the products, development process, and architecture. David is also responsible for leading a geographically distributed team to provide guidance and education to McAfee employees on security measures, process, integration as well as industry best practices.
David has been a professional in the technology field for over a decade, providing for strong computer fundamentals, and is proficient in both *NIX and Windows environments. Prior to joining McAfee, David spent several years working as either an employee or a consultant in financial institutions around the New York area. David later concentrated on architecting, developing and securing multi-tiered, high traffic, dynamic websites, with the largest one doing 92 million hits per day. David served as the sole Application Security Engineer in the 4th largest cable company in the US, performing duties ranging from code audits to architecting IDS deployments to assisting in the securing of network architectures. Most recently, David had the role of Principal Consultant at a security consulting company, managing the security process integration and adoption for a large financial institution which handles a little over 1 quadrillion dollars a year.
John Viega is Vice President and Chief Security Architect at McAfee, Inc. In this role he is responsible for McAfee Avert Labs' engineering efforts, including the anti-virus engine. In addition, Viega is also in charge of product security strategy, leading security audits of code, and helping to shape the technical directions for the product lines at McAfee. Viega is a well known security expert and cryptographer and has co-authored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software.
|

|
Side Channel Attacks (DPA) and Countermeasures for Embedded Systems
Job de Haas, Director Embedded Technology, Riscure
|
|
For 10 years Side Channel Analysis and its related attacks have been the primary focus in the field of smart cards. These cryptographic devices are built with the primary objective to resist tampering and guard secrets. Embedded systems in general have a much lower security profile. This talk explores the use and impact of Side Channel Analysis on embedded systems. These systems have their own specific need for security. This need can vary significantly between systems and in addition a much wider range of attacks is possible. At the same time different countermeasures are available to defend against Side Channel Analysis. The options for developers to mitigate the impact of such attacks will be examined.
|
|
Job de Haas holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, PDAs, VoIP enabled devices and a range of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics that are based on Sparc, MIPS, Intel and ARM processors.
At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has researched the security features and weaknesses of embedded technology for many years.
Job has a long speaking history at international conferences, including talks on kernel-based attacks, security of mobile technologies such as GSM, SMS and WAP, and the reverse engineering of embedded devices.
|

|
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
Jared DeMott, President, VDA Labs
Dr. Richard Enbody, Associate Professor, Michigan State University
Dr. Bill Punch, Associate Professor, Michigan State University
|
|
Runtime code coverage analysis is feasible and useful when application source code is not available. An evolutionary test tool receiving such statistics can use that information as fitness for pools of sessions to actively learn the interface protocol. We call this activity grey-box fuzzing. We intend to show that, when applicable, grey-box fuzzing is more effective at finding bugs than RFC-compliant or capture-replay mutation black-box tools. This research is focused on building a better/new breed of fuzzer, the impact of which is the discovery of difficult-to-find bugs in real-world applications that are accessible (not theoretical).
We have successfully combined an evolutionary approach with a debugged target to get real-time grey-box code coverage (CC) fitness data. We build upon existing test tool General Purpose Fuzzer (GPF) [8], and existing reverse engineering and debugging framework PaiMei [10] to accomplish this. We call our new tool the Evolutionary Fuzzing System (EFS).
We have shown that it is possible for our system to learn the target's language (protocol) as target communication sessions become more fit over time. We have also shown that this technique works to find bugs in a real-world application. Initial results are promising, though further testing is still underway.
This talk will explain EFS, describing its unique features, and present preliminary results for one test case. We will also discuss future research efforts.
|
|
Jared DeMott is a vulnerability researcher, with a passion for hunting down and exploiting bugs in software. Mr. DeMott is the president of VDA Labs and is pursuing a PhD from Michigan State University, with dissertation work to be done on fuzzing. Mr. DeMott is a past DEFCON speaker.
Dr. Richard Enbody has been a professor at MSU since 1987. His research interests include computer security, computer architecture, web-based distance education and parallel processing.
Dr. Bill Punch is an associate professor in the computer science department of Michigan State University. He is co-director of the Genetic Algorithms Research and Applications Group or GARAGe. His main interests are genetic algorithms and genetic programming, including theoretical issues (parallel GA/GP) and application issues (design, layout, scheduling, etc.). He is also conducting active research in data mining, mostly focused on intelligent search approaches based on pattern-recognition techniques and GA/GP search.
|

|
VoIP Security: Methodology and Results
Barrie Dempster, Senior Security Consultant, NGSSoftware
|
|
As VoIP products and services increase in popularity and as the "convergence" buzzword is used as the major selling point, it's time that the impact of such convergence and other VoIP security issues underwent a thorough security review. This presentation will discuss the current issues in VoIP security, explain why the current focus is slightly wrong, then detail how to effectively test the security of VoIP products and services, with examples of real-life vulnerabilities found, how to find these vulnerabilities, and why many of them shouldn't be there in the first place.
|
|
Barrie Dempster has worked in voice and data network security in the financial and telecommunications sectors providing consultancy and research.
While focusing on voice and data networks he has spent much of his time researching vulnerabilities and performing code reviews and assessments of applications and services with stringent security requirements. Barrie has also published a number of books in his field. Barrie is currently employed as a senior security consultant for NGSSoftware where he is involved with vulnerability research as well as security reviews of products and services.
|

|
PISA: Protocol Identification via Statistical Analysis
Rohit Dhamankar, Senior Manager of Security Research, TippingPoint
Rob King, Senior Security Researcher, TippingPoint
|
|
A growing number of proprietary protocols are using end-to-end encryption to avoid being detected via network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well known ports that are open through most firewalls to tunnel commands for controlling zombie systems.
This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol in a 10-dimensional space. Clustering algorithms are applied to accurately identify a wide variety of protocols.
This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.
|
|
Rohit Dhamankar is the Senior Manager of Security Research at TippingPoint, where he manages vulnerability research and Digital Vaccine development for the company's Intrusion Prevention Systems. In addition, he co-authors the SANS Institute's @RISK newsletter, read by over 200,000 subscribers weekly. He is the Director for the SANS Top20 updates. He holds an MS in Electrical Engineering from the University of Texas and an MSc in Physics from the Indian Institute of Technology in Kanpur, India.
Rob King is a Senior Security Researcher at TippingPoint, where he researches security vulnerabilities and other topics with security implications. In addition, he co-authors the SANS Institute's @RISK newsletter, read by over 200,000 subscribers weekly. He also contributes to the SANS Top20 updates.
|

|
Tor and Blocking-resistance
Roger Dingledine, Security and Privacy Researcher
|
|
Websites like Wikipedia and Blogspot are increasingly being blocked by government-level firewalls around the world. Although many people use the Tor anonymity network to get around this censorship, the current Tor network is not designed to withstand a large censor.
In this talk I'll describe our plan for extending the Tor design so these users can access the Tor network in a way that is harder to block.
|
|
Roger Dingledine is a security and privacy researcher. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users.
He is best known for leading the Tor project, an anonymous communication system for the Internet that has been supported by such diverse groups as the US Navy, the Electronic Frontier Foundation, and Voice of America. He organizes academic conferences on anonymity, speaks at many industry and hacker events, and also does tutorials on anonymity for national and foreign law enforcement. Last year Roger was identified by Technology Review magazine as one of the top 35 innovators under the age of 35.
|

|
Breaking C++ Applications
Mark Dowd
John McDonald, IBM Internet Security Systems
Neel Mehta, IBM Internet Security Systems
|
|
This presentation addresses the stated problem by focusing specifically on C++-based security, and outlines types of vulnerabilities that can exist in C++ applications. It will examine not only the base language, but also covers APIs and auxiliary functionality provided by common platforms, primarily the contemporary Windows OSs. The topics that will be addressed in this presentation include object initialization/destruction, handling object arrays, implications of operator overloading, and problems arising from implementing exception handling functionality. Various STL classes will also be discussed in terms of how they might be susceptible to misuse, and unexpected quirks that can manifest as security problems. This presentation will include discussion of bug classes that have yet to be discussed or exploited in a public forum (to our knowledge) for the topic areas outlined.
|
|
Mark Dowd is an expert in application security, specializing primarily in host and server based Operating Systems. His professional experience includes several years as a senior researcher at ISS, where he uncovered a variety of major vulnerabilities in ubiquitous Internet software. He also worked as a Principal Security Architect for McAfee, where he was responsible for internal code audits, secure programming classes, and undertaking new security initiatives. Mark has also co-authored a book on the subject of application security named "The Art of Software Security Assessment", and has spoken at several industry-recognized conferences.
Neel Mehta works as an application vulnerability researcher at IBM ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.
|

|
Something Old (H.323), Something New (IAX), Something Hollow (Security), and Something Blue (VoIP Administrators)
Himanshu Dwivedi, Founding Partner, iSEC Partners
|
|
The presentation will discuss the security issues, attacks, and exploits against two VoIP protocols, including IAX (a newer protocol) and H.323 (an existing VoIP protocol). H.323 is a well known technology; however, its security issues are not well publicized. While previous VoIP presentations and/or whitepapers discuss SIP security extensively, much is to be desired about H.323 security content and attack tools. Despite the fact that H.323 is the most dominant VoIP session-setup protocol used in enterprise environments, it has not been given adequate attention in terms of security. The presentation will cover specific security attacks targeting H.323 authentication weaknesses, replay attacks, endpoint spoofing (E.164 alias), hopping attacks, and a slew of DoS attacks that can be executed with a few UDP packets. The presentation will also include a demonstration of a new tool for H.323 security testing (H.323-me-ASAP.exe), which will be released at the conference.
In addition to the H.323 material, IAX security issues, attacks, and exploits will also be presented. While SIP/H.323 with RTP has been the “face” of VoIP for many years, newer protocols such as IAX are gaining momentum (as shown with the popular open source Asterisk PBX system). IAX can be used for session setup as well as media transfer, providing a nice self-contained VoIP protocol that can be used to replace the combination of either SIP/H.323 with RTP. Similar to H.323, IAX has room for improvement in terms of security. The presentation will discuss security attacks on IAX, specifically authentication weaknesses that lead to offline dictionary attacks, pre-computed dictionary attacks, middle person attacks, and downgrade attacks on IAX clients. In addition to the authentication attacks, the presentation will show how DoS attacks can disrupt an IAX network and its devices quite easily. Each IAX attack shown will be demonstrated with three new attack tools for IAX security testing (IAX.Brute, IAXAuthJack, and IAXHangup), which will also be released at the conference.
The presentation will conclude with existing solutions to mitigate both the H.323 and IAX security issues discussed during the presentation.
|
|
Himanshu Dwivedi is a founding partner of iSEC Partners, an independent information security organization, with 12 years experience in security and information technology. Himanshu has focused his security research on storage security and VoIP. Himanshu's storage security research specializes in SAN and NAS security (see Blackhat USA talks from 2003 to 2006). His VoIP research focuses on H.323/RTP, IAX, as well as traditional protocols such as SIP/RTP.
Himanshu has three published books and two in process. The published books include "Securing Storage: A Practical Guide to SAN and NAS Security" (Addison Wesley Publishing), "Hackers Challenge 3" (McGraw-Hill/Osborne), and "Implementing SSH" (Wiley Publishing). Himanshu also has a patent pending on a storage design architecture.
Zane Lackey is a Security Consultant with iSEC Partners, Inc, a strategic digital security organization. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes AJAX web applications and VoIP security. Zane has spoken at top security conferences including Black Hat and Toorcon. Additionally, he is a co-author of Hacking Exposed Web 2.0 and contributing author of VoIP Security. Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop.
|

|
Kernel Wars
Joel Eriksson, CTO of Bitsec
Christer Öberg, Security Researcher, Bitsec
Claes Nyberg, Security Researcher, Bitsec
Karl Janmar, Security Researcher, Bitsec
|
|
Kernel vulnerabilities are often deemed unexploitable, or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question.
This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of several real-life kernel vulnerabilities. From a defender's point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited.
The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed to determine if and how they can be reliably exploited, and of course the exploits will be demonstrated in practice.
None of the vulnerabilities that will be used as examples had public exploits by the time they were exploited by us; they include the (in)famous Windows 2000/XP GDI bug, the FreeBSD 802.11 bug and a local NetBSD vulnerability.
We will also demonstrate a full exploit for the remote OpenBSD ICMPv6 vulnerability found by CORE SDI, and discuss the payload techniques we used for it.
We've also thrown in a new 0-day to make things a bit more interesting, and for those of you that will be coming to see our talk at DefCon too, there will be more 0-days still. ;)
More info will be made available at: http://kernelwars.blogspot.com/
|
|
Joel Eriksson is the CTO of Bitsec, a newly founded security company based in Sweden. Joel has been working in the computer security field since 1997 when he started out as an independent consultant. His primary focus is within vulnerability research, exploit development and reverse engineering.
Christer Öberg is a security researcher at Bitsec. Previous employers include Verizon and Swedish firewall manufacturer Clavister. He is interested in vulnerability research, exploit development and breaking any interesting systems he can get his hands on. Christer currently resides in the UK.
Claes Nyberg is a security researcher at Bitsec. Claes is interested in vulnerability research and a skilled developer of everything from tools to exploits. He is responsible for the development of Bitsec's in-house fuzzer Itchy, which has been used to find vulnerabilities in software ranging from Microsoft Office to various operating system kernels.
Karl Janmar is a security researcher at Bitsec. Karl is interested in vulnerability research, especially in the area of kernels. He finds exploit development to be a fun and good way to learn a system. He has worked for various companies developing software ranging from real-time applications to extending kernel network-stacks.
|

|
Estonia: Information Warfare and Strategic Lessons
Gadi Evron, Security Evangelist, Beyond Security
|
|
In this talk we will discuss what is now referred to as "The 'first' Internet War" where Estonia was under massive online attacks for a period of three weeks, following tensions with the local Russian population.
Following a riot in the streets of Tallinn, an online assault began, resulting in a large-scale coordination of the Estonian defenses on both the local and international levels. We will demonstrate what in hindsight worked for both the attackers and the defenders, as well as what failed. Following the chronological events and technical information, we will explore what impact these attacks had on Estonia's civil infrastructure and daily life, and how they impacted its economy during the attacks.
Once we cover that ground, we will evaluate what we have so far discussed and elaborate on lessons learned while Gadi was in Estonia and from the post-mortem he wrote for the Estonian CERT. We will conclude our session by recognizing case studies on the strategic level, which can be deduced from the incident and studied in preparation for future engagements in cyber-space.
|
|
Gadi Evron works for the McLean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, especially in the realm of botnets and phishing, and is also the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager, which he founded.
|

|
CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript
Ben Feinstein, Security Researcher, SecureWorks
Daniel Peck, Security Researcher, Secureworks
|
|
The web browser is ever increasing in its importance to many organizations. Far from its origin as an application for fetching and rendering HTML, today’s web browser offers an expansive attack surface to exploit. All the major browsers now include full-featured runtime engines for a variety of interpreted scripting languages, including the popular JavaScript. The web experience now depends more than ever on the ability of the browser to dynamically interpret JavaScript on the client.
The authors present a software framework for the automated collection of JavaScript from the wild, the subsequent identification of malicious code, and characteristic analysis of malicious code once identified. Building on the work of several existing client honeypot implementations, our goal is to largely automate the painstaking work of malicious software collection. Our focus is on attacks using JavaScript for obfuscation or exploitation.
The authors will present findings based on the deployment of a distributed network of CaffeineMonkeys. The analysis and conclusions will focus on identifying new in-the-wild obfuscation / evasion techniques and JavaScript browser exploits, quantifying the prevalence and distribution of well-known and newly discovered obfuscation and evasion techniques, as well as quantifying the prevalence and distribution of known and newly discovered JavaScript browser exploits.
The authors will release a previously unpublished JavaScript evasion technique and demonstrate its use in evading a variety of present-day defensive technologies. Where present-day defenses have been demonstrated to be insufficient, the authors will present new ideas for ways to mitigate the new threats.
|
|
Ben Feinstein is a Security Researcher at SecureWorks. He was introduced to IDS when working on a DARPA/Air Force contract in 2000-2001 while getting his B.Sci in Computer Science at Harvey Mudd College. He is the author of RFC4765 and RFC4767. He has worked professionally designing and implementing security-related software since 2001. Feinstein has worked in the areas of next-gen firewall systems, IDS/IPS, log analysis and visualization, vuln scanning, secure messaging, and security appliances, among other things.
Feinstein was a panelist at RAID and presented at ACSAC and several IETF meetings and achieved his CISSP certification in 2005.
Daniel Peck is a Security Researcher at SecureWorks. His team is responsible for day-to-day discovery and documentation of vulnerabilities, as well as crafting countermeasures for several product lines and training security analysts to detect attack patterns and trends. He has also been a critical team member in creating numerous internal tools and contributing to the design of future products and services. He has a BS in Computer Science from the Georgia Institute of Technology.
|

Understanding the Heap by Breaking It: A Case Study of the Heap as a Persistent Data Structure Through Non-traditional Exploitation Techniques
Justin Ferguson, Computer Security Consultant and Researcher, IOActive. |
|
Traditional exploitation techniques that overwrite heap metadata have been discussed ad nauseam; however, because of this common perspective, the flexibility available in abusing the heap is commonly overlooked. This presentation examines a flaw that was found in multiple open-source Simple and Protected Generic Security Services API Negotiation (SPNEGO) modules, with the talk focusing on the implementation provided by mod_auth_kerb, an Apache Kerberos authentication module, as a method for exploring heap structure exploitation and hopefully providing a gateway to understanding the true beauty of data structure exploitation.
The talk focuses on the dynamic memory management implementation provided by the GNU C library, particularly ptmalloc2, and presents methods for evading certain sanity checks in the library along with previously unpublished methods for obtaining control.
|
|
Justin Ferguson is a Computer Security Consultant and Researcher at IOActive. Justin is involved with helping Fortune 500 companies understand and mitigate risk introduced in complex software computing environments via the Application Security Practice at IOActive. Justin has over 6 years of experience working as a reverse engineer, source code auditor, malware analyst, and enterprise security analyst for industries ranging from financial institutions to the Department of Energy. Justin works alongside a stable of experts fluent in helping clients understand the SDL, Threat Modeling, Effective Fuzzing techniques, and Secure Code Review and Design.
|

Don't Tell Joanna, The Virtualized Rootkit Is Dead
Peter Ferrie, Symantec
Nate Lawson, Root Labs
Thomas Ptacek, Principal, Founder, and Core Team Member, Matasano Security |
|
Since last year's Black Hat, the debate has continued to grow about how undetectable virtualized rootkits can be made. We are going to show that virtualized rootkits will always be detectable. We would actually go as far as to say they can be easier to detect than kernel rootkits.
|
|
Peter Ferrie began working with computers in 1981. In 1986, while still in school, Peter began developing anti-virus software for Apple II PCs. From 1992-98, he worked for a distributor of anti-virus software for IBM PCs, first Viruscan then F-Prot. In 1998, he joined Frisk Software International and worked on the F-Prot engine. In 2000, he joined Symantec Corporation.
Peter specialises in the detection and repair of Win32 malware, reverse engineering file formats, and developing engine enhancements for Symantec Anti-virus.
Peter is a regular contributor to Virus Bulletin. He joined CARO (Computer Anti-virus Research Organisation) in 2001.
Thomas Ptacek is a renowned security researcher and veteran software developer with over 10 years of industry experience. He is the author of one of the most widely-cited research results in TCP/IP implementation security challenges and former lead developer of a security product now deployed on the backbones of every major Internet Service Provider in the world, inspecting a substantial fraction of all the connections made across the Internet today.
Thomas is a principal, founder, and core team member at Matasano Security where his responsibilities include security consulting engagements as well as research and development.
Nate Lawson, founder of Root Labs, assists companies with the design of embedded, platform, and cryptographic security. At Cryptography Research, Nate co-developed the Blu-ray content protection layer known as BD+. He is also the original developer of IBM/ISS RealSecure. Powered by home-roasted coffee, Nate spends his spare time contributing to the FreeBSD (ACPI/power management, SCSI) and C64 Preservation open-source projects.
|

SQL Server Database Forensics
Kevvie Fowler, Manager, Managed Security Services, Emergis Inc. |
|
Databases are the single most valuable asset a business owns. Databases store and process critical healthcare, financial and corporate data, yet businesses place very little focus on securing and logging the underlying database transactions. As well, in an effort to trim costs, many organizations are consolidating several databases onto single mission-critical systems, which are frequently targeted by attackers. With large data security breaches occurring at an alarming rate, several database logging tools have been released in the industry; however, adoption of these products is slow, leaving these mission-critical systems vulnerable and ill-equipped for traditional forensic analysis.
Database forensics is a relatively unknown area of digital investigation but critical to investigating data security breaches when logging tools are unavailable or inadequate. There is very limited information available today on this subject and, at the time of this writing, no known information targeting SQL Server 2005 forensics. This presentation provides attendees with a "real world" view into SQL Server 2005 forensics and how to gather evidence from the hidden database repositories using forensically sound practices.
|
|
Kevvie Fowler is the Manager of Managed Security Services for Emergis Inc., where he is responsible for the delivery of specialized security and incident response services. Kevvie has more than 10 years of professional Information Security and IT experience within development, database and host/network platforms. Kevvie is a GIAC Gold Certified Forensic Analyst and holds several other industry certifications including CISSP, MCTS, MCSD, MCDBA and MCSE. He is a contributing author of "How to Cheat at Securing SQL Server 2005" and a member of the High Technology Crime Investigation Association.
|

Hacking Capitalism
Dave G., Matasano Security LLC
Jeremy Rauch, Matasano Security LLC |
|
The financial industry isn't built on HTTP/HTTPS and web services like everything else. It has its own set of protocols, built from some simple building blocks that it employs in order to make sure that positions are tracked in real time, that any information that might affect a trader's action is reliably received, and that trades happen in a fixed timeframe.
Unlike the protocols that comprise the internet as a whole, these haven't been scrutinized to death for security flaws. They're written with performance in mind and security is often just an afterthought, if present at all. And there are dozens of them, with names you may have never heard of before...
This talk will discuss the security implications of the protocols and technologies used by the financial industry to maintain the beating heart of capitalism. We'll take a look at some of the most popular protocols used by financials to execute billions (trillions!) of dollars worth of trades, discuss the flaws inherent in them, some of the implementation flaws in them, and discuss how hiding your money under your mattress might not be the worst idea.
|
|
Jeremy Rauch
For over 10 years Jeremy Rauch has been at the forefront of information security. An original member of the ISS X-Force and a co-founder of SecurityFocus, Jeremy is the discoverer of numerous security vulnerabilities in widely-deployed commercial products. Jeremy is also a former principal engineer for optical switching at Tellium.
|

Greetz from Room 101
Kenneth Geers |
|
Imagine you are king for a day. Enemies are all around you, and they seem to be using the Internet to plot against you. Using real-world cyber war stories from the most tightly controlled nations on Earth, Greetz from Room 101 puts you in the shoes of a king who must defend the royal palace against cyber-equipped revolutionaries. Can a monarch buy cyber security? Are his trusty henchmen smart enough to learn network protocol analysis? Could a cyber attack lead to a real-life government overthrow? Ten case studies reveal the answers. Which countries have the Top Ten most Orwellian computer networks? Come to the talk and find out.
Now imagine that your name is Winston Smith, and that you live in a place called 1984. You don't trust the government, and you don't trust the evening news. You can't send your girlfriend an email because you think that the Thought Police will get it first. Greetz from Room 101 details what Web surfing, email, blogging, and connections to the outside world are like for the half of our planet's population who enjoy little to no freedom online, in places where network security battles can mean life or death. Last but not least, the Black Hat audience will hear about the future of cyber control, and the future of cyber resistance.
|
|
Kenneth Geers has worked for many years in a wide variety of technical and not-so-technical disciplines. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Kenneth is the author of "Cyber Jihad and the Globalization of Warfare"; "Hacking in a Foreign Language: A Network Security Guide to Russia"; "Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall"; and "IPv6 World Update". His website, chiefofstation.com, is devoted to the intersection of art, the fate of nations, and the Internet. Greetz to Bunny, Izzy, Yofi, and Boo!
|

Disclosure and Intellectual Property Law: Case Studies
Jennifer Granick |
|
The simple decision by a researcher to tell what he or she has discovered about a software product or website can be very complicated both legally and ethically. The applicable legal rules are complicated, there isn't necessarily any precedent, and what rules there are may be in flux.
In this presentation, I will use Cisco and ISS's lawsuit against Michael Lynn (from Black Hat 2005) and HID's cease and desist letter to IOActive (from Black Hat 2006) to discuss major intellectual property law doctrines that regulate security research and disclosure. I will give the audience some practical tips for avoiding claims of illegal activity.
|
|
Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.
Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.
Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.
|

Hacking Intranet Websites from the Outside (Take 2): "Fun with and without JavaScript malware"
Jeremiah Grossman, Founder and CTO, WhiteHat Security
Robert Hansen, CEO of SecTheory |
|
Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack.
One quote from a member of the community summed it up this way:
"The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left, including the "I'll just browse without JavaScript" mantra. Could you really call that browsing anyway?" - Kryan
That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques, such as Browser Intranet Hacking, Port Scanning, and History Stealing, can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network.
This year's new and lesser-known attack techniques, including Anti-DNS Pinning, Bypassing Mozilla Port Blocking/Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms, are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.
You'll see:
- Web Browser Intranet Hacking/Port Scanning (with and without JavaScript)
- Web Browser History Stealing/Login Detection (with and without JavaScript)
- Bypassing Mozilla Port Blocking/Vertical Port Scanning
- The risks involved when websites include third-party Web pages widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
- Fundamentals of DNS Pinning and Anti-DNS Pinning
- Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
|
|
Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, etc. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!
Robert Hansen (CEO of SecTheory) has been working with web application security since the mid-90s, beginning his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Digital Island, Exodus, and Cable & Wireless, beginning as a Sr. Security Architect and eventually leading the managed security services product management for intrusion detection, content integrity management systems, managed vulnerability management and security event correlation services. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies.
Mr. Hansen is probably best known for founding the web application security lab at ha.ckers.org, Dark Reading articles, and co-authoring “XSS Exploits”. He also speaks at Toorcon, Microsoft’s Bluehat, Blackhat and Networld+Interop. Mr. Hansen is a member of WASC, IACSP, ISSA, and contributed to the OWASP 2.0 guide.
|

|
A Dynamic Technique for Enhancing the Security and Privacy of Web Applications
Ezequiel D. Gutesman, Researcher at Corelabs, a division of Core Security Technologies
Ariel Waissbein, Researcher, Core Security Technologies
|
|
Web applications are often preferred targets in today’s threat landscape. Many widely deployed applications were developed in haste and are often ridden with SQL injection, file inclusion and cross-site scripting bugs, creating weak links in any Internet-exposed environment.
In this presentation, CoreLabs researchers Ezequiel Gutesman and Ariel Waissbein will address this issue by introducing a new application protection technology that efficiently identifies and blocks several attack vectors “on the fly.” The protection technique is based on very granular run-time taint analysis of an application’s data and does not require access or changes to the application’s source code.
Applications written in the most common web scripting languages, including PHP, ASP, Python, Perl and Java, can be protected using this technology to prevent database injection, shell injection, cross-site scripting and directory-traversal attacks. A fully functional implementation of the protection technique for PHP will be described in detail.
|
|
Ezequiel Gutesman is a researcher at Corelabs, the research unit at Core Security Technologies, and a Computer Science student at the University of Buenos Aires. The research I do is actually focused on web application security; this includes dynamic protection and static analysis.
Ariel Waissbein has been a researcher at Core Security Technologies for the last 8 years, producing results relevant to industry and academia. Ariel has uncovered vulnerabilities for MySQL and SSH, researched and developed a new software protection tool, researched botnet security and their future, automated source-code analysis of web applications, detection and protection methods for injection vulnerabilities and various aspects of penetration testing, and in particular, pentesting of web applications. Ariel will be completing a Ph.D. in mathematics, has held different teaching positions in universities, and currently co-leads and teaches at the computer security department in the Ph.D. programme of ITBA University.
|

Stealth Secrets of the Malware Ninjas
Nick Harbour, Senior Consultant, Mandiant |
|
It is important for the security professional to understand the techniques used by those they hope to defend against. This presentation focuses on the anti-forensic techniques which malware authors incorporate into their malicious code, as opposed to relying solely on an external rootkit. In addition to describing a number of known but scarcely documented techniques, this presentation will describe techniques which have never been observed through the presenter's experience with incident response and malware reverse engineering. This presentation will contain a great deal of highly technical content which covers the specifics of the techniques down to the machine instruction level. For the security professional/enthusiast with a limited technical background in this area, this presentation will serve as an eye-opening overview of malware anti-forensic techniques as well as a limited introduction to forensic analysis.
Introduced in this presentation will be a new tool for identifying malicious executables, a toolkit to achieve data hiding, manipulation and infection of executable files, and a new technique for manual process execution under Unix.
|
|
Nick Harbour is a Senior Consultant with Mandiant. He specializes in both offensive and defensive research and development as well as reverse engineering, incident response and computer forensics. He also occasionally teaches malware analysis and reverse engineering. Nick's 8-year history in the security industry began as a researcher and forensic examiner at the DoD Computer Forensics Lab (DCFL), where he helped pioneer the field of computer forensics.
Nick is a developer of open source software including most notably dcfldd, the popular forensic disk imaging tool, and tcpxtract, a tool for "carving" files out of network traffic.
Nick is also a trained chef!
|

Hacking the Extensible Firmware Interface
John Heasman, Director of Research, NGS Software |
|
"Macs use an ultra-modern industry standard technology called EFI to handle booting. Sadly, Windows XP, and even Vista, are stuck in the 1980s with old-fashioned BIOS. But with Boot Camp, the Mac can operate smoothly in both centuries."
Quote taken from http://www.apple.com/macosx/bootcamp/
The Extensible Firmware Interface (EFI) has long been touted as the replacement for the traditional BIOS and was chosen by Apple as the pre-boot environment for Intel-based Macs. This presentation explores the security implications of EFI on firmware-based rootkits.
| |