In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.
Ian Angell has been Professor of Information Systems at the London School of Economics since 1986. Prior to that he researched and taught Computer Science at Royal Holloway College, and University College London.
Angell has very radical and constructive views on his subject, and is very critical of what he calls the pseudo-science of academic Information Systems. He has gained a certain notoriety worldwide for his aggressive polemics against the inappropriate use of artificial intelligence and so-called knowledge management, and against the hyperbole surrounding e-commerce.
His main research work concentrates on organizational and national I.T. policies, on strategic information systems, and on computers and risk (both opportunities and hazards), particularly the systemic risks inherent in all socio-technical systems and the security threats posed to organisations by the rapidly diffusing international information infrastructure.
Combining UEFI with hypervisors paves the way for a new class of vulnerability. We will present a discussion and demonstration of the threat and the opportunity that UEFI-based hypervisors pose to, and offer for, system security. The emerging support for UEFI in commodity OSes (Microsoft Vista SP1) makes a rich set of pre-OS capabilities possible. The advent of processors that support virtualization in silicon over the past few years has made high-performing commodity hypervisors a reality. We will discuss and demonstrate loading a hypervisor via the pre-OS features of UEFI.
Don Bailey
Don is founder and CEO of Hypervista Technologies (http://hypervista-tech.com), a Northern Virginia company focused on providing hypervisor-based security solutions. Prior to founding Hypervista, Don spent 25 years at CIA developing, managing and deploying cutting-edge technical systems. Don has been a keynote speaker at the annual multi-national conference sponsored by NSA. Don has also presented at CIA's Emerging Technologies Conference. Don has spent the past three years developing a custom lightweight hypervisor and a runtime hypervisor debugger.
Martin Mocko
Born 8 January 1986 in Myjava, Slovakia. Areas of expertise: system-level C/Asm development, machine-code manipulation (x86, ARM), reverse engineering. Experience: 10 years independent C/Asm development and reverse engineering; 3 years copy protection; 1 year virtualization.
Rod Beckström is the Director of the National Cyber Security Center (NCSC) in the U.S. Department of Homeland Security and reports to Secretary Michael Chertoff.
Rod co-authored The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations that presents a new model for analyzing organizations, leadership style and competitive strategy. He has co-authored three other books including one on Value at Risk (VAR), a fundamental theory of financial risk management now used to regulate banking globally.
As an entrepreneur Rod started his first company when he was 24 in a garage apartment and subsequently grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles and Hong Kong. The company, CAT•S Software Inc., went public and was later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of advisors and directors, respectively.
Rod also co-founded Mergent Systems with Dr. Amos Barzilay and Assistant Professor Michael Genesereth of the Stanford Graduate School of Computer Science. Mergent was a pioneer in inferential database engines and was sold to Commerce One for $200 million. He also co-founded TWIKI.NET, a company offering service and support for an open source wiki and collaboration software system.
From 1999 to 2001 Rod served as the Chairman of Privada, Inc. Privada was a pioneer in technology to enable private, anonymous and secure credit card transaction processing over the internet.
Rod has helped to start numerous non-profit groups and initiatives. In 2003 he co-founded a peace network of CEOs which initiated Track II diplomatic efforts between India and Pakistan. This group took symbolic actions which led to opening the borders to citizens and trade and contributed to ending the most recent Indo-Pak war. He serves on the boards of the Environmental Defense Fund and the Jamii Bora Trust (micro-lending) in Africa.
Rod graduated from Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland.
This paper will detail the newest developments in RE:Trace, a reverse engineering framework based on Ruby and DTrace. We will discuss implementations for walking and searching the heap on OS X, tracing for kernel and driver vulnerabilities, pinpointing format string bugs and leveraging custom application probes, such as those built into browser and database software.
Tiller Beauchamp
Tiller Beauchamp works as a senior security consultant for SAIC providing security auditing services to large commercial, state and DoD customers. His areas of expertise include network penetration testing, web application security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer Science from the University of Oregon with a specialization in software engineering. He has worked as the lead developer for Team Defend, SAIC's portable computer and network defense exercise. Beauchamp is also responsible for maintaining the company's penetration toolkit and penlab.
David Weston
David Weston is a Security Engineer in the Windows Experience team at Microsoft. He is an experienced security researcher and has discovered vulnerabilities in software from Microsoft, Immunity, and the Defense Information Systems Agency. He has an undergraduate degree from the University of California at Santa Barbara and is currently pursuing a graduate degree with a research emphasis on vulnerability exploitation.
The legal community is slowly accepting that the changes to the Federal rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.
The changes to the Federal Rules change the way in which individuals and organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.
More frightening for individuals doing security research is the fact that these rules apply to a one-man research operation in exactly the same way as to a multimillion-dollar conglomerate.
This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to) and will empower attendees with the knowledge they need to deal with this new legal environment.
John Benson currently works as an Electronic Discovery Consultant for a large Midwestern law firm. A graduate of the University of Missouri from both Columbia and Kansas City campuses, he is a member of the Missouri Bar Association and serves as the Chairman of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee. He has taught law, ethics and (oddly enough) finance as an adjunct professor at The Colorado Technical University. In 2008 he founded the Cowtown Computer Congress, a hackerspace and umbrella organization for the advancement of user-driven technology activities in Kansas City. He has presented at hacker cons around the country including LayerOne, Pumpcon, Shmoocon and DEFCON. He can be found on the DEFCON boards and assisting with radio communications at DEFCON. His website can be found at http://www.john-benson.com.
In order to identify malicious activity, Host-based Intrusion Detection Systems often monitor the system calls emitted by a process, and then compare them to a pre-constructed model of normal behavior. The model can either be learned during a training session, or manually written by the user. Alas, the former suffers from false positives, and therefore repeatedly requires user intervention, and the latter is tedious and demanding.
In this talk we present an automated, zero false alarm, whitebox approach that effectively targets 0-day code injection exploits:
By statically analyzing an application's source/object code, we build its control flow graph (CFG), which is then used by the kernel to verify the legitimacy of the issued system calls and their order. This method enjoys a powerful property, provably zero false positives, since a deviation from a (non-self-modifying) program's CFG can only be explained as an intrusion.
We present Korset, an Open Source Linux prototype which implements this approach via:
We have successfully used Korset to automatically construct CFGs for the entire GNU C library, and demonstrated its ability to block buffer overflow attacks.
Korset introduces a viable IDS methodology that can stop future, or publicly-unknown exploits. Furthermore, run time performance measurements of Korset show negligible overheads.
In collaboration with Avishai Wool, Tel-Aviv University.
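The kernel-side check described above, as an added example that is not Korset's own code: the program's CFG is reduced to a nondeterministic automaton whose edge labels are syscall names, and the monitor tracks every node the process could be at, rejecting the first syscall no outgoing edge allows. The toy program, its node names and the traces are constructed for the demo. Note what the model does not cover: syscall arguments are not checked, so a mimicry attack that issues only CFG-permitted syscalls with attacker-chosen arguments is outside its zero-false-positive guarantee.

```python
"""Syscall-order monitoring against a statically derived CFG.

The CFG is represented as a nondeterministic automaton: an edge labelled with
a syscall name is taken when the process issues that syscall, an edge
labelled None is a path through basic blocks that issue no syscall. The
monitor keeps the set of nodes the process could currently be at; an empty
set after a syscall means the CFG cannot explain it, i.e. an intrusion.
"""
from collections import defaultdict


class SyscallCFG:
    def __init__(self, entry):
        self.entry = entry
        self.edges = defaultdict(list)  # node -> [(syscall or None, destination)]

    def add_edge(self, src, label, dst):
        self.edges[src].append((label, dst))

    def _eps_closure(self, nodes):
        """All nodes reachable from `nodes` without issuing a syscall."""
        seen, stack = set(nodes), list(nodes)
        while stack:
            for label, dst in self.edges[stack.pop()]:
                if label is None and dst not in seen:
                    seen.add(dst)
                    stack.append(dst)
        return seen

    def step(self, states, syscall):
        """Advance the state set over one observed syscall."""
        nxt = {dst for n in states for label, dst in self.edges[n] if label == syscall}
        return self._eps_closure(nxt)

    def verify(self, trace):
        """Return (True, None) if every syscall in `trace` is explained by the
        CFG, else (False, index of the first syscall that is not)."""
        states = self._eps_closure({self.entry})
        for i, sc in enumerate(trace):
            states = self.step(states, sc)
            if not states:
                return False, i
        return True, None


def demo_cfg():
    """Constructed CFG for a toy program: open a file, loop reading and
    writing it, close it, exit. Node names are hypothetical block labels."""
    g = SyscallCFG("entry")
    g.add_edge("entry", "open", "opened")
    g.add_edge("opened", None, "loop")
    g.add_edge("loop", "read", "loop")
    g.add_edge("loop", "write", "loop")
    g.add_edge("loop", None, "done")
    g.add_edge("done", "close", "closing")
    g.add_edge("closing", "exit_group", "end")
    return g


if __name__ == "__main__":
    g = demo_cfg()
    print(g.verify(["open", "read", "read", "write", "close", "exit_group"]))
    # injected code spawning a shell: execve never appears on a CFG edge
    print(g.verify(["open", "read", "execve", "close"]))
```

Because the state set is a superset of where the process can really be, any trace the binary can legitimately produce is accepted; the only rejections are sequences the CFG cannot generate, which is the zero-false-positive property the abstract claims.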
Ohad Ben-Cohen
Ohad Ben-Cohen is a Linux Kernel Developer and Consultant, bringing years of Information Security expertise. Ohad teaches System Programming at Tel-Aviv University, where he conducts his research.
Quantum key distribution (QKD) systems can generate cryptographic key whose security is derived from sensitivity to an eavesdropper’s measurements on a quantum channel. Such channels are typically realized by transmitting and detecting single photons, and therefore suffer from dramatic reductions in throughput due to both channel loss and noise. We find that these shortcomings can be mitigated by applying telecommunications clock-recovery techniques to maximize the bandwidth of the single-photon channel and minimize the system’s exposure to noise. We demonstrate a QKD system operating continuously at a quantum-channel transmission rate of 1.25 GHz, with dedicated data-handling hardware and error-correction/privacy amplification. We discuss the design and performance of our system and highlight issues which currently limit our maximum operational transmission rate and key production rate. We identify potential security concerns associated with our technical implementation, and we present our solutions to achieve high rates over longer free-space links.
Joshua Bienfang
Wireless devices that speak 802.11a/b/g differ, among other things, in their responses to non-standard and malformed frames. We show that these differences can suffice to distinguish between APs and other devices from different vendors, and will demo a tool that fingerprints APs by their responses to such frames. Our method is active and therefore "noisy", but works (unlike other previously presented fingerprinting methods) without either establishing or observing established associations. We also explore timing characteristics of the responses to refine our fingerprint.
Our tool can be used as a prelude to any other interaction with an AP when one wants to assure that it is what it claims to be. It will be useful when one does not trust the suspicious AP (or one's own driver/OS) enough even to engage in a cryptographic exchange to authenticate it. It will also serve as a cautionary tale for the designers of future wireless L2 protocol implementations.
This is joint work with Daniel Peebles and Cory Cornelius (Institute for Security Technology Studies, Dartmouth College).
Sergey Bratus
Sergey Bratus is a Senior Research Associate at the Institute for Security Technology Studies at Dartmouth College. His current research focus is on applications of data organization and other AI techniques to log and traffic analysis. His other interests include Linux kernel security (kernel exploits, LKM rootkits and hardening patches to various security policy mechanisms) and wireless networking. Before coming to Dartmouth, he worked on statistical learning methods for natural text processing and information extraction at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.
SmartCards are commonly used for authentication, or for securing e-mails or transactions. The concept moves crypto functions into a tamper-proof architecture. Software cannot be protected by software, and this paradigm forces the need for secure devices. But how does it work? How does a Windows computer communicate with the SmartCard device? Can hackers inject malware in between the communication? This presentation addresses these items. The Compass Security APDU debugger allows you to halt, alter and intercept APDU commands and disclose hidden secrets. The APDU debugger is part of the presentation.
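The traffic such a debugger sits on, as an added example that is not part of the Compass Security tool: a decoder for short-length ISO 7816-4 command and response APDUs as they pass between a host application and the reader. The AID, PIN and status words in the demo are constructed; the point a practitioner should take from it is that, without secure messaging, a VERIFY command carries the PIN in clear text on exactly the path an interceptor sees.

```python
"""Decoder for ISO 7816-4 short-length APDUs.

Command:  CLA INS P1 P2 [Lc data] [Le]   (ISO cases 1-4)
Response: [data] SW1 SW2
Extended-length APDUs (3-byte Lc/Le) are rejected rather than misparsed.
"""

STATUS_WORDS = {  # a few common two-byte statuses
    0x9000: "success",
    0x6982: "security status not satisfied (authenticate first)",
    0x6983: "authentication method blocked (PIN locked)",
    0x6A82: "file or application not found",
    0x6D00: "INS not supported",
    0x6E00: "CLA not supported",
}


def parse_command(apdu):
    """Split a command APDU into its fields and classify it as ISO case 1-4."""
    apdu = bytes(apdu)
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    cmd = {
        "cla": cla, "ins": ins, "p1": p1, "p2": p2,
        # First interindustry class (CLA 0x0X): bits b4 b3 signal secure
        # messaging. 0 means the data field (e.g. a PIN) travels in clear text.
        "secure_messaging": (cla & 0x0C) >> 2 if (cla & 0x80) == 0 else None,
        "lc": 0, "data": b"", "le": None,
    }
    if not body:                     # case 1: no data in, no data expected out
        cmd["case"] = 1
    elif len(body) == 1:             # case 2: Le only (0x00 encodes 256)
        cmd["case"] = 2
        cmd["le"] = body[0] or 256
    else:                            # case 3/4: Lc, data, optional Le
        lc = body[0]
        if lc == 0 or len(body) < 1 + lc:
            raise ValueError("Lc does not match APDU length (extended length not supported)")
        cmd["lc"], cmd["data"] = lc, body[1:1 + lc]
        rest = body[1 + lc:]
        if not rest:
            cmd["case"] = 3
        elif len(rest) == 1:
            cmd["case"] = 4
            cmd["le"] = rest[0] or 256
        else:
            raise ValueError("trailing bytes after Le")
    return cmd


def describe_sw(sw):
    """Human-readable meaning of a 16-bit status word."""
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw1 == 0x61:
        return "success, %d more response bytes available via GET RESPONSE" % sw2
    if sw1 == 0x6C:
        return "wrong Le, resend with Le=%d" % sw2
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return "verification failed, %d tries remaining" % (sw2 & 0x0F)
    return STATUS_WORDS.get(sw, "unrecognised status %04X" % sw)


def parse_response(resp):
    """Return (response data, status word, description)."""
    resp = bytes(resp)
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    sw = (resp[-2] << 8) | resp[-1]
    return resp[:-2], sw, describe_sw(sw)


if __name__ == "__main__":
    # Constructed exchange: SELECT by AID, then VERIFY with PIN "1234" padded with FF.
    for hexcmd in ("00A4040007A000000003101000", "0020008008 31323334FFFFFFFF"):
        c = parse_command(bytes.fromhex(hexcmd))
        print("case %d INS %02X SM=%s data=%s" % (c["case"], c["ins"], c["secure_messaging"], c["data"].hex()))
    print(parse_response(bytes.fromhex("63C2")))
```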
Ivan Buetler
Ivan Buetler co-founded Compass Security AG Switzerland in February 1999 where he works as a Security Analyst and Managing Director. Additionally, Ivan works as a teacher with both the University of Applied Sciences Rapperswil and Lucerne University of Applied Sciences and Arts. He is also the author of various publications on IT and internet security. In his spare time he heads up the annual Hack&Learn Wargames Switzerland.
This work introduces an approach to detecting hardware-assisted virtualization malware that differs from currently developed techniques. It uses the hardware capabilities of an embedded microcontroller inside the chipset's north bridge to detect virtualization malware, and goes beyond detection to remove it from the system. We will discuss the advantages and other potential applications of the approach, possible attacks that evade detection, and solutions to them.
This talk will also include a demo of DeepWatch, a proof of concept detector of VT-x based virtualization rootkits implemented in north-bridge firmware.
Yuriy Bulygin so enjoyed watching the Chernobyl Nuclear Power Plant burn at age 7 that he decided to learn how things work and why they fail. Yuriy received his Masters in Applied Math and Physics while attempting to hack the physics of Jupiter's atmosphere, which appeared to be too far from the Earth. He then received his Ph.D. in Crypto from Moscow Institute of Physics and Technology (Phystech) in Russia. Yuriy works for Intel's Security Center of Excellence where he leads security analysis and pen-testing of Intel hardware/software and teaches secure coding to Intel engineers. He is also a core member of Intel PSIRT. Prior to joining Intel Yuriy was a member of the technological research team at Kaspersky Lab in Russia.
Adobe FLEX with BlazeDS offers developers a streamlined application development paradigm, letting them create rich Internet applications with little exertion. As always, though, ease of implementation often results in incomplete engineering. In this presentation Jacob Carlson and Kevin Stadmeyer offer their assessment of the FLEX and BlazeDS application architectures as well as a detailed examination of the Action Message Format version 3. We will provide developers and administrators clear examples of how to do things wrongly, how to do them rightly and explain exactly how each component works internally.
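The wire format the abstract promises to examine, as an added example written for this page and not taken from Adobe's or BlazeDS's code: a minimal AMF3 decoder covering the U29 varint, 29-bit signed integers, doubles, strings with the reference table, dense/associative arrays and ByteArray. Typed objects (marker 0x0A, which BlazeDS remoting messages use), XML, Date and Vector are deliberately left out and raise. The sample encodings are constructed. The security-relevant detail is in the bounds handling: every read is length-checked, reference indices are validated, and the dense array count is never used to preallocate, so a hostile count fails at the first truncated read instead of exhausting memory.

```python
"""Minimal AMF3 decoder (constructed example).

Marker byte, then type-specific body. U29 is a big-endian varint of up to
four bytes: three 7-bit groups with a continuation bit, then one full byte.
Strings and arrays reuse earlier values through reference tables: a U29 whose
low bit is 0 is an index into the table, low bit 1 means inline.
"""
import struct


class AMF3Decoder:
    UNDEFINED, NULL, FALSE, TRUE = 0x00, 0x01, 0x02, 0x03
    INTEGER, DOUBLE, STRING, ARRAY, BYTEARRAY = 0x04, 0x05, 0x06, 0x09, 0x0C

    def __init__(self, data):
        self.buf, self.pos = bytes(data), 0
        self.strings = []  # string reference table (the empty string is never entered)
        self.objects = []  # object reference table (arrays, byte arrays)

    def _take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated AMF3 stream at offset %d" % self.pos)
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _ref(self, table, ref):
        try:
            return table[ref >> 1]
        except IndexError:
            raise ValueError("dangling reference %d" % (ref >> 1)) from None

    def read_u29(self):
        value = 0
        for _ in range(3):
            b = self._take(1)[0]
            if not b & 0x80:
                return (value << 7) | b
            value = (value << 7) | (b & 0x7F)
        return (value << 8) | self._take(1)[0]   # fourth byte carries all 8 bits

    def read_integer(self):
        v = self.read_u29()
        return v - (1 << 29) if v >= (1 << 28) else v   # sign-extend 29 bits

    def read_string(self):
        ref = self.read_u29()
        if not ref & 1:
            return self._ref(self.strings, ref)
        s = self._take(ref >> 1).decode("utf-8")
        if s:
            self.strings.append(s)
        return s

    def read_array(self):
        ref = self.read_u29()
        if not ref & 1:
            return self._ref(self.objects, ref)   # a mixed array resolves to its dense part
        dense = []
        self.objects.append(dense)                # registered before contents are read
        assoc = {}
        while True:                               # associative part ends with key ""
            key = self.read_string()
            if key == "":
                break
            assoc[key] = self.read_value()
        for _ in range(ref >> 1):                 # dense part; count is not preallocated
            dense.append(self.read_value())
        return {"assoc": assoc, "dense": dense} if assoc else dense

    def read_bytearray(self):
        ref = self.read_u29()
        if not ref & 1:
            return self._ref(self.objects, ref)
        data = self._take(ref >> 1)
        self.objects.append(data)
        return data

    def read_value(self):
        marker = self._take(1)[0]
        if marker in (self.UNDEFINED, self.NULL):
            return None
        if marker in (self.FALSE, self.TRUE):
            return marker == self.TRUE
        if marker == self.INTEGER:
            return self.read_integer()
        if marker == self.DOUBLE:
            return struct.unpack(">d", self._take(8))[0]
        if marker == self.STRING:
            return self.read_string()
        if marker == self.ARRAY:
            return self.read_array()
        if marker == self.BYTEARRAY:
            return self.read_bytearray()
        raise NotImplementedError("AMF3 marker 0x%02X not handled" % marker)


def decode_amf3(data):
    """Decode one value and insist the whole buffer was consumed."""
    dec = AMF3Decoder(data)
    value = dec.read_value()
    if dec.pos != len(dec.buf):
        raise ValueError("%d trailing bytes" % (len(dec.buf) - dec.pos))
    return value


if __name__ == "__main__":
    # Constructed: dense array of two strings, the second a reference to the first.
    print(decode_amf3(bytes.fromhex("09 05 01 06 07 616263 06 00")))
```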
Jacob Carlson
Jacob Carlson has been a professional security researcher, consultant and developer for over 10 years. His experience includes application assessment, reverse engineering, hostile binary analysis, exploit development, architecture review and penetration testing. He has presented at conferences and private training engagements across Europe and the United States and was a co-author of "Internet Site Security", published by Addison-Wesley in 2002. He is a Project Lead in the Trustwave development team and spends an unhealthy portion of his free time performing protocol and binary analysis.
Kevin Stadmeyer
Kevin Stadmeyer has been a security researcher and consultant for the last 5 years. He has worked on a variety of applications over those years across all major industries. His expertise is in application assessment, application-layer protocols analysis and penetration testing as well as developer training and a variety of fine English gins. Kevin works for Trustwave in the SpiderLabs Application Penetration Testing team.
It has been more than three years since Michael Lynn first demonstrated fully interactive shellcode at Black Hat 2005 for Cisco's proprietary Internetworking Operating System (IOS). However, due to the legal obligations imposed by Cisco and ISS, the technical information surrounding this research could not be revealed in greater detail, which stifled continued security research in this area. The presentation will cover significant advances in IOS shellcode development and look at their subsequent impact on modern-day routing infrastructure. IOS-specific payloads, including bind shell, reverse shell and 2-byte shellcode, and bypassing the Check Heaps process in IOS 12.4 will all be covered from both a practical and a theoretical standpoint, along with a detailed overview of IRM's techniques used to develop these payloads. Furthermore, building a complete IOS debugging environment and identifying new attack vectors will also be covered in the presentation, allowing researchers to establish a fully working environment to develop IOS-specific code, execution payloads and memory-resident backdoors, and to conduct vulnerability research on Cisco embedded devices.
Gyan Chawdhary
Gyan Chawdhary is a Senior Consultant heading up the Embedded Systems Center of Excellence at IRM’s European Technical Centre in UK. He is a key member of IRM’s Code auditing & AP team and performs a range of consultancy services which include code auditing, software security and vulnerability assessments. With over 9 years of experience in Information Security, Gyan’s experience includes a broad range of market verticals with specialization in the financial services space. Prior to joining IRM, Gyan was a Managing Consultant at Mahindra British Telecom, where he was involved in establishing and managing MBT’s Vulnerability Assessment Centre and conducting research and product assessments for various in-house and commercial applications.
Varun Uppal
Varun Uppal is a Senior Consultant at Information Risk Management Plc where he heads the Application Risk Assessment and Code Review Centers of Excellence. With an experience spanning over 5 years and a gamut of verticals, Varun has worked on a variety of commercial and non-commercial research engagements covering areas such as high speed messaging protocols, embedded devices and application risk modeling. Prior to IRM Plc, Varun designed and implemented the application security practice at Kanbay (Capgemini, Financial Services SBU), where he consulted to clients from the financial vertical.
Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.
Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.
This talk is going to discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to be coming next out of Russia/China/wherever, including a live demo of a proof of concept SQL injection worm, "weaponized".
Justin Clarke
Justin is a Principal Consultant with Gotham Digital Science. He is the co-author of "Network Security Tools" (O'Reilly, 2005), a contributing author to "Network Security Assessment" (O'Reilly, 2007), and has spoken at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years of security testing and consulting experience in network, application, source code and wireless testing work for some of the largest commercial and government organizations in the United States, United Kingdom, and New Zealand. Justin is active in developing security tools for penetrating and defending applications, servers, and wireless networks (e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything alone without at least trying to see how it works.
For decades hex was the common tongue of reverse engineers and forensic analysts, but we can do better. Hex editors are the Swiss Army knives of low level analysis and have evolved significantly, but are now at a local maximum. With the tiny textual window hex provides, it is difficult, if not impossible to understand the big picture context and inner workings of binary objects - files, file systems, process memory, and network traffic. While there are helpful tools to analyze the special case of executable files, little work exists to help address the general case of _all_ types of binary objects. This talk presents visual approaches to improve the art and science of forensic analysis, diffing, and reverse engineering, both in the context independent case where little is known about the raw structure of the binary data and at the semantic level where external knowledge can be used to inform analysis. Two open source visual analysis tools, each with a different perspective on visual reverse engineering and forensics, will be demonstrated and released, as well as a comprehensive survey of security visualization systems. If you read hex, you should attend this talk.
Greg Conti
Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.
Erik Dean
Erik Dean is a research programmer at the United States Military Academy and a graduate of the Rochester Institute of Technology. His research includes forensic analysis, information visualization, and construction of offensive and defensive information warfare training systems and networks.
Over the last few years, OS X has captured much attention in the security industry. Techniques in shellcode development, exploits, etc. have been widely publicized and spoken on, yet the subject of covertly maintaining access once gained has not been adequately covered.
This talk will build on previous rootkit research, applying rootkit and kernel subversion techniques from the Windows, Linux and BSD worlds to Apple's OS X operating system as well as taking advantage of some of the unique features of OS X. It will detail topics such as: Introducing code into the XNU kernel (Basic KEXT development), Hooking, Direct Kernel Object Manipulation, Patching Running Kernel Memory, etc. It will cover some of the pitfalls encountered while developing rootkits for OS X and how to overcome them.
Finally, we will combine these techniques and demonstrate a useful PoC rootkit which can form the foundation for your own real-world rootkit.
Jesse D'Aguanno
Jesse "x30n" D'Aguanno is a Security Researcher and Software Engineer who has been involved in the security industry and "underground" for over 10 years. As a software engineer he has contributed to numerous opensource and commercial projects. As a researcher, he has written and published many papers and proof of concept tools. His current research interests are primarily focused on binary reverse engineering, anti-forensics, exploit development and network attack. He is a frequent presenter at different industry conferences and events. By day he works as the Director of Professional Services and Research for Praetorian Global, a security services company in California. In his "spare" time, he is the team captain for Digital Revelation, a security think tank most known as the two time winners (And almost annual participants) of Defcon CTF.
As more security features and anti-exploitation mechanisms are added to modern operating systems, attackers are changing their targets to higher-level applications. In the last few years, we have seen increasing targeted attacks using malicious Office documents against both government and non-government entities. These attacks are well publicized in the media; unfortunately, there is not much public information on attack details or exploitation mechanisms employed in the attacks themselves. This presentation aims to fill the gap by offering:
(1) A brief overview of the Office file format.
(2) In-depth technical details and practical analytical techniques for triaging and understanding these attacks.
(3) Defensive mechanisms to reduce the effectiveness of the attacks.
(4) Forensic evidence that can help trace the attacks.
(5) [If we have time] Static detection mechanisms for these vulnerabilities (i.e., how to write virus signatures for these vulns).
(6) Techniques to help detect these attacks on the wire.
(7) A surprise. :)
Bruce Dang
I do vulnerability analysis in the Secure Windows Initiative (SWI) Group.
For many years hackers have been reversing code, scanning source, fuzzing applications, and crafting lethal exploits. It's time for security researchers, consultants, testers, and administrators to freshen up their skills by walking back through the computer science fundamentals of these techniques. This is a Deep Knowledge lecture series intended to bring newbs up from the ground, and to hone and challenge pros who have been at it for a while. Bring your Red Bull as former professor DeMott walks through six lectures he designed for his security class.
Jared DeMott
Jared DeMott is a security researcher for Crucial Security, frequent speaker, former teacher, and just this summer a first time author (fuzzing book with Takanen and Miller). He has been deeply involved in the security community since he started coming to BlackHat in 2000. Jared is probably best known for the fuzzing tool, GPF, which he released in 2005.
This talk will expose the tools and tactics used in the phishing underground. What started as a simple examination of phishing sites, turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers.
Follow us as we track real life phishers hiding in the shadiest corners of the Internet, analyze the tools used by phishers, determine if these phishers are really the Einsteinian Ninja Hackers the media portrays them to be, uncover how phishers phish other phishers, and discover the sites where real life identities are being bought and sold.
Nitesh Dhanjani is an actual reincarnation of Dawkins' Spaghetti Monster, and Nitesh Dhanjani is also a rare type of Blowfish that is poisonous to phishermen across the world. Once netted, Dhanjani's poison quickly disables the phishermen and spreads to their prized lines and lures. Currently, only two individuals, namely Chuck Norris and Bruce Schneier, are known to handle this toxic poison without fear of death.
Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.
A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's IDA Sync provided a first step towards automated collaboration among IDA users; however, IDA Sync suffers from several shortcomings, including the fact that it has failed to keep pace with the evolution of IDA's internal architecture. In this presentation, the authors present a new tool titled collabREate, designed to bring nearly effortless collaboration to IDA users. The talk will include discussion of the IDA API and the ways in which it facilitates collaboration, along with the ways in which it hinders collaboration. The design of a robust server component, responsible for managing projects and connected clients, will also be discussed, along with a number of capabilities beyond simple collaboration that are enabled via the collabREate architecture.
Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 23+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Toorcon, CodeCon, and Shmoocon and is the author of the upcoming "The IDA Pro Book". In his spare time he heads up the Sk3wl of r00t CTF team and can be found pulling all-nighters at Defcon.
Tim Vidas is a Research Associate in the Computer Science Department at the Naval Postgraduate School (NPS). His current primary research focuses around high assurance trusted computing, but interest also strays to digital forensics, reverse engineering, and the like. He maintains several academic affiliations and has previously spoken at conferences such as Shmoocon, CanSecWest, DC3 and HTCIA. In his free time he toys around with digital forensics competitions, CTF exercises, and any other interesting looking challenges.
Virtualization rootkits have been a hot topic for the past couple of years. In this talk, we will discuss a new type of malware with potentially even greater stealth: the System Management Mode (SMM) rootkit. System Management Mode, a relatively obscure mode on Intel processors, provides an isolated memory and execution environment. SMM code is invisible to the operating system yet retains full access to host physical memory and complete control over peripheral hardware. We will demo a proof of concept SMM rootkit that functions as a chipset-level keylogger. Our rootkit hides its memory footprint, makes no changes to the host operating system, and is capable of covertly exfiltrating sensitive data across the network while evading essentially all host-based intrusion detection systems and firewalls.
Shawn Embleton is the CTO of the Florida company, Clear Hat Consulting, Inc. Shawn spoke at Black Hat in 2006 on the topic of using evolutionary computation for automated vulnerability analysis and co-authored a prototype intelligent fuzz testing tool, named Sidewinder. During 2007, Shawn co-taught the Black Hat Offensive Aspects of Rootkit Technology class with Sherri Sparks and co-founded Clear Hat Consulting, Inc. Some of his current interests include hardware virtualization and chipset level rootkit technology.
Sherri Sparks is President of the Florida company, Clear Hat Consulting, Inc. Currently, her research interests include offensive / defensive stealth code technologies and digital forensics. She has spoken at Black Hat on these topics and has taught the Black Hat Offensive Aspects of Rootkit Technology class. Her published articles have appeared in USENIX ;login:, ACSAC, SecurityFocus, and Phrack magazine. With an increasing involvement in providing consulting / training services for independent clients, she co-founded the company Clear Hat Consulting, Inc. in early 2007. Clear Hat Consulting specializes in Windows kernel and hypervisor development as it relates to stealth rootkit technology, digital forensics, and other custom software security solutions.
Learn how to breathe new life into your old web application zero-day syntax attacks. Even learn how to alert(document.cookie) with new-found panache.
By properly encoding, double-encoding, and triple-encoding, or by utilizing newer, undocumented transcoding attacks, it is possible to bypass many common web application security controls and successfully exploit the target parser.
Most importantly: these attacks are being used in the wild, right now, today. Starting in February 2008, the first double-encoded, layered mass SQL injection attacks were discovered in the wild. As of May 1st they have compromised over 600,000 websites.
This presentation will discuss how these attacks work:
+ from creation
+ to exploit
+ to dependencies
+ what software they target
Finally we will demonstrate how to resolve these issues through modern software design and coding practices.
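The bypass the abstract describes works because a filter that decodes once never sees what the target parser sees after a second or third decode. The check below is an added example (not material from the talk or from WhiteHat): it decodes until the value stops changing, reports how many encoding layers were peeled off, and shows that a single-decode filter misses a double-encoded input. The `SQLI_PATTERN` regex and the sample values are constructed for illustration only.

```python
"""Canonicalize percent-encoded input before validating it, and flag
inputs that hide behind several layers of encoding (added example)."""
import re
from urllib.parse import quote, unquote

# Upper bound on decode passes; legitimate parameters rarely need more than one.
MAX_LAYERS = 5

# Deliberately small, constructed pattern standing in for a real WAF rule.
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'|--)")


def canonicalize(value: str, max_layers: int = MAX_LAYERS) -> tuple[str, int]:
    """Percent-decode repeatedly until a fixed point is reached.

    Returns (fully_decoded_value, number_of_layers_removed).
    Raises ValueError when more than max_layers decode passes change the input,
    which is itself a strong signal of deliberate evasion.
    """
    current, layers = value, 0
    while True:
        decoded = unquote(current)
        if decoded == current:          # nothing left to decode
            return current, layers
        layers += 1
        if layers > max_layers:
            raise ValueError(f"more than {max_layers} encoding layers")
        current = decoded


def inspect(value: str) -> dict:
    """Compare a naive single-decode filter with the fixed-point canonicalizer."""
    naive_match = bool(SQLI_PATTERN.search(unquote(value)))
    try:
        decoded, layers = canonicalize(value)
    except ValueError:
        # Too many layers: reject outright rather than guess at the parser's view.
        return {"rejected": True, "layers": None, "decoded": None,
                "suspicious": True, "naive_match": naive_match}
    return {"rejected": False, "layers": layers, "decoded": decoded,
            "suspicious": bool(SQLI_PATTERN.search(decoded)),
            "naive_match": naive_match}


def encode_layers(value: str, layers: int) -> str:
    """Helper for constructing test inputs: percent-encode `layers` times."""
    for _ in range(layers):
        value = quote(value, safe="")
    return value


if __name__ == "__main__":
    # Constructed sample: the same tautology encoded once and twice.
    for sample in (encode_layers("' or '1'='1", 1), encode_layers("' or '1'='1", 2)):
        print(sample, "->", inspect(sample))
```

The double-encoded sample is reported as suspicious only by the canonicalizer; the single-decode check passes it through, which is exactly the gap the abstract points at.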
Arian Evans
Arian Evans is the Director of Operations at WhiteHat Security, leading a team of security engineers assessing over 600 production websites. Arian has worked at the forefront of Web application security for more than 10 years. His global projects include work with the Center for Internet Security, NIST, the FBI, the Secret Service, and many commercial organizations on Web application security and hacking incident response. Arian consistently researches and discloses new attack techniques and vulnerabilities in Web application software, including commercial platforms like Cisco and Nokia. He designed the first public Web application firewalls (WAFs) with transparent anti-CSRF and anti-XSS protection (Paraegis & Razorwire PoCs in 2004 and 2005). Previously, Arian built and led the Application Security Practice at FishNet Security. Prior to FishNet Security, Arian had extensive experience building, testing, and performing forensics on ecommerce and financial services software. Arian is a frequent speaker at industry conferences including Black Hat, OWASP, RSA, and WASC events, and was also a contributing author for "Hacking Exposed: Web Applications." Arian also likes combining mountains, mistresses, martinis, and motorcycles. Especially race V-twins that go "braap".
This particular case involves the issues of entrapment, journalist privilege and wiretapping. A journalist runs an online blog where he solicits information about identity theft and exposure of personal information from popular social network sites. Several hundred people respond with mostly useless and irrelevant comments, but one response is particularly interesting. This hacker claims to have a zero-day vulnerability that would expose all the personal (in some cases *very personal*) information about the subscribers. An undercover Federal Agent challenges the hacker and goads him into producing proof of his claims. The Agent directs him to a particular site, MyFace, and a target account. Unbeknownst to the hacker, the target is a plant by the undercover agent. The hacker gets all the planted information, not knowing the target site is wiretapped. The agent wants the journalist who runs the blog site to release information on the hacker, which the journalist refuses to do since he wants to protect his source.
This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining.
Carole Fennelly
Carole Fennelly is an information security professional with over 25 years of hands-on experience in the computing technology field. Starting as a Unix System Administrator in 1981, she was drawn into the developing information security field as the commercial Internet grew. She is the author of numerous articles for IT World, SunWorld and Information Security Magazine. A frequent speaker at security conferences, such as the Black Hat Briefings, her technical background includes in-depth security and administration knowledge of UNIX operating systems. Ms. Fennelly is presently a Manager of Content and Documentation with Tenable Network Security, creators of the Nessus vulnerability scanner.
Paul Ohm
Paul Ohm joined the faculty of the CU School of Law in Spring of 2006. He specializes in the emerging field of computer crime law, as well as criminal procedure, intellectual property, and information privacy.
Prior to joining CU he worked as an Honors Program trial attorney in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. Professor Ohm is a former law clerk to Judge Betty Fletcher of the U.S. Ninth Circuit Court of Appeals and Judge Mariana Pfaelzer of the U.S. District Court for the Central District of California. He attended the UCLA School of Law where he served as Articles Editor of the UCLA Law Review and received the Benjamin Aaron and Judge Jerry Pacht prizes. Prior to law school, he worked for several years as a computer programmer and network systems administrator, and before that he earned undergraduate degrees in computer science and electrical engineering.
Richard Salgado
Richard P. Salgado is a Senior Legal Director with Yahoo! Inc., where he focuses on international privacy, security and law enforcement compliance matters. Prior to joining Yahoo!, Mr. Salgado served as Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice. As a federal prosecutor, Mr. Salgado specialized in investigating and prosecuting computer network cases, such as computer hacking, illegal computer wiretaps, denial of service attacks, malicious code and other technology-driven privacy crimes. Mr. Salgado also regularly speaks on the legal and policy implications of searching and seizing computers and electronic evidence, emerging surveillance technologies, digital evidence and related criminal conduct. Mr. Salgado is a lecturer in law at Stanford Law School, where he teaches a Computer Crime seminar; he previously served as an adjunct law professor at Georgetown University Law Center and George Mason Law School, and as a faculty member of the National Judicial College. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.
Kurt Opsahl
Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal.
Jennifer Granick
Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.
Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.
Richard Thieme
"Those seen dancing were thought insane by those who could not hear the music." - Friedrich Nietzsche
Richard Thieme has been hearing the music for a long time. His track record includes hundreds of articles, dozens of short stories, one book with four more coming, several thousand speeches, and, in a former incarnation, hundreds of original sermons.
His sci-fi short story, “Silent Emergent, Doubly Dark” was chosen for /Subtle Edens/, an anthology coming in November in London. With nearly 30 stories published in the past few years, he is looking to bring out a collection (/More Than a Dream: Stories of Flesh and the Spirit/). His video interviews for the Hexen project on art and technology are showing up on walls in European galleries. He is happily contributing to the MUFON History Project documenting the response of the government to UFO phenomena in the 1940s and 1950s. In short, he manages to stay busy.
Peiter Zatko
Mr. Peiter "Mudge" Zatko was a Senior Security Architect/Engineer at BBN from 1994 to 1998, and he rejoined BBN in 2004 as a Division Scientist focusing on research and development activities in support of DARPA and Intelligence Community projects and is now a Technical Director for BBN's National Intelligence Research and Applications division. He is an experienced and nationally known researcher. After leaving BBN he served as the CEO and Chief Scientist at LHI Technologies, was the Chief Scientist and Executive Vice President for R&D at @Stake Inc., and was the Chief Scientist at Intrusic Inc., all companies involved with network and information security. He has also served on the advisory boards of several organizations, as an R&D Subcommittee Member to the Partnership for Critical Infrastructure Protection, and as a Research Subcommittee Member to the Office of Science and Technology. Mr. Zatko has testified to the United States Senate Committee on Government Affairs as a subject matter expert in regards to Government systems, and to the House and Senate Joint Judiciary Oversight Committee as a subject matter expert on legislation regarding cyber crime. He has also been an invited special guest contributor to projects and papers for the INFOSEC Research Council. He has published papers in ACM and CORE/CQRE refereed journals, and his architecture security analysis paper was published in the Usenix Security refereed journal. He has taught an offensive cyber warfare techniques and tactics course at the Air Force Information Warfare Center, lectured on opposing forces threats and capabilities at the Army War College, lectured on future vulnerability areas of research at the Navy Post-Graduate College and at the National Security Agency, gave a lecture series at Georgetown University, was a Visiting Scientist at Carnegie Mellon University, and conducted training courses for the I4/C4 groups at NSA. Mr. Zatko is the inventor of L0phtCrack, an industry standard Microsoft password auditing tool, of AntiSniff, the world's first remote promiscuous system detector that was used across primary DoD entities, of Tempwatch, now a distributed component of Linux and BSD distributions, and of SLINT, a pioneering tool in automating source code analysis to discover security coding problems. Mr. Zatko was recognized by the National Security Council, Executive Office of the President, as a vital contributor to the success of the President's Scholarship for Service Program. He was also recognized as contributing to the CIA's critical national security mission. He is an honorary plank owner of the USS McCampbell (DDG-85).
Brian Martin
Brian Martin is an outspoken senior security consultant with the Ethical Hacking group at BT. With over ten years of professional security assessment experience, he has had the opportunity to provide cynical review of network and physical security for all types of business, government agency and military facility. Martin's training and articles have given people an accurate and honest picture of the dismal state of Information Security across all industries. In his spare time, he is the content manager for the Open Source Vulnerability Database and a champion of small misunderstood creatures.
Jonathan Klein
Jonathan Klein is a Director of Security Solutions with Calence Inc., a networking company located in Tempe, Arizona. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan and with private attorneys, discovering there is more to being a technical witness than purely technical knowledge. Most recently, he served as defense expert witness in U.S. vs. Oleg Zezev, the Russian citizen accused of hacking into Bloomberg LLP and making extortion demands.
Simple Nomad
Simple Nomad is a security researcher and architect, which means he is a hacker who got a job. He speaks on security and privacy topics at conferences around the globe, as well as entertaining the press via interviews in television, print, and online mediums. In addition to being one of the most attractive hackers on the planet, he did not write his own bio. Really. Seriously. Ok...fine, I did. So sue me.
Caitlin Klein
Caitlin is a student with interests in gaming, computers, horse riding, dance, more gaming and lots of coffee…
Ryan Bulat
Ryan Bulat used to major in Computer Science until he decided that he much preferred writing…or psychology….or law….
This talk addresses the issue of stealing data from computers or systems that are never, or almost never, connected to any network because of their critical status. The security target assumes that the attacker may have very limited direct (physical) access or indirect access (through an innocent user) to the computer, for a very short time and only during the initial part of the attack. The attacker's problem is then to collect data from the computer he has managed to compromise (active attack), or which has been identified as containing some exploitable weakness, without using any network connection (including wireless communication protocols such as WiFi or Bluetooth).
In this talk we will recall the very few existing open techniques and then present some new approaches designed in our lab, based on mathematical signal processing. We will demo our new technique.
Eric Filiol
Eric is the Head Scientist Officer of the Operational Cryptology and Operational Computer Virology Lab at the French Army Signals Academy in Rennes and at the ESIEA Engineer Academy in Laval, France. He holds a PhD in Applied Mathematics and Computer Science, a Habilitation Thesis in computer science, as well as an engineering diploma in cryptology. His main research interests are operational cryptanalysis of symmetric cryptosystems, and malware modelization.
While we first saw the Internet used extensively during the 2004 Presidential election, its use in future presidential elections will clearly overshadow it. This session focuses on the 2008 presidential election in order to demonstrate the risks involved, however our findings may just as well apply to any future election.
It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively communicate their positions, rally supporters, and seek to sway critics. These risks include among others the dissemination of misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving the diversion of online campaign donations have the potential to threaten voters' faith in our electoral system.
We will show that many of the same risks that we have grown accustomed to on the Internet can also manifest themselves when applied to the election process. A number of past studies have discussed a broad spectrum of election fraud such as the casting of fraudulent votes and the security, risks, and challenges of electronic voting. Our discussion will focus exclusively on Internet-borne threats, and how they have the potential to impact the election process leading up to voting day.
We will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become.
Secondly, we will discuss the potential impact of phishing on an election.
Thirdly, we will discuss the impact of security risks and malicious code, and the potential for misinformation that may present itself using any of these vectors. This set of risks crosses technical, social, and psychological boundaries. While traditional forms of malicious code certainly play an important role, social engineering and deception provide equal potential and have a more ominous psychological impact on voters who are exercising their right to elect their next president, or cast their vote in any other type of election.
This session consists of a combination of active research conducted by the presenter as well as discussion on how current threats may be customized. In order to determine the impact of typo squatting and domain name speculation for example, we performed an analysis of 2008 presidential election candidate web sites and discovered numerous examples of abuse.
Oliver Friedrichs is the Director of Emerging Technologies in Symantec Security Response, the organization responsible for the delivery of AntiVirus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs served as co-founder and Director of Engineering at SecurityFocus until the company’s acquisition by Symantec in 2002. At SecurityFocus Mr. Friedrichs managed the development of the industry’s first early warning technology for Internet attacks, the DeepSight Threat Management System. Mr. Friedrichs also created and grew the DeepSight Threat Analyst team providing thorough analysis of emerging Internet threats. Prior to SecurityFocus, he served as co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. At Secure Networks, Friedrichs architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner by Network Associates. At Network Associates Mr. Friedrichs also founded COVERT (Computer Vulnerability Exploitation Research Team) with the exclusive goal of researching and discovering new security vulnerabilities. Mr. Friedrichs also architected and developed a prototype of the industry’s first commercial penetration testing product, codenamed SNIPER. The technology was acquired by Core Security Technologies in 2001 and further developed to become CORE IMPACT, the company's flagship product and market leader for automated penetration testing. Mr. Friedrichs has over 15 years of expertise in security technologies, including network assessment, intrusion detection systems, firewalls, penetration testing, and honeypots. As a frequent speaker, he has shared his expertise with many organizations, including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.
The adoption of virtual machine technology is one of the most dramatic changes to enterprise computing in the last decade, and unsurprisingly these changes have substantial implications for system security. Unfortunately, much of the current debate around virtual machine security focuses on issues that are either intractable, such as the probability of virtual machine escapes; trivial, such as discrepancies between current virtual and real network gear; or red herrings, such as virtual machine based rootkits.
This talk offers an antidote for the current state of affairs. To begin, I help put these previous points of debate into perspective. Next, I move on to explore more fundamental changes brought on by the move to virtualization such as rapid scaling and increased diversity, increased mobility, loss of machine identity and problems of accountability, discrepancies between real and virtual time, and how these changes have created new operational challenges as well as posing difficulties for existing security architectures. Finally, I discuss what virtual infrastructure vendors and security technology developers need to do to cope with these challenges.
Tal Garfinkel
Tal Garfinkel has been working on system security research for the past 10 years. His work has appeared in many of the world's top academic conferences, and has seen commercial adoption by VMware and others. Offensive techniques developed in his work have been used to break practical systems such as Systrace and BitLocker. Tal is a recognized authority on virtual machine security, and in addition to his own work, has served on numerous program committees and panels, as well as being a founder of the Usenix Workshop on Offensive Technology (WOOT). Tal has consulted for VMware on and off since 2003, and is currently employed as a researcher in VMware's Advanced Development group. He is also working on completing a PhD at Stanford University, where his thesis focuses on novel applications of virtual machine based technology to security. He holds a bachelor's degree with honors from the University of California at Berkeley.
The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. It may be programmed by JTAG, Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM.
By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled by setting a value in flash memory. When enabled, the BSL is protected by a 32-byte password. If these access controls are circumvented, a device's firmware may be extracted or replaced.
After a thorough introduction, this talk will discuss in excruciating detail the results of an effort to reverse engineer the BSL code. Once the BSL's function has been covered, a timing attack will be discussed which might be used to guess the password without brute force under certain conditions.
Travis Goodspeed
Travis Goodspeed works at the Extreme Measurement Communications Center of the DOE Oak Ridge National Laboratory. He has spoken at ToorCon 9 and the Texas Instruments Developer Conference regarding stack overflow exploits for MSP430-based Wireless Sensor Networks. Having demonstrated that such attacks are possible, his present research is aimed at porting defense techniques, such as ASLR and code-auditing, to this platform.
Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don't need them. You also don't need noisy scanners, sophisticated proxies, 0-days, or ninja-level reverse engineering skills; all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generate affiliate advertising revenue from the website traffic of others, trade stock using corporate information passively gleaned, inhibit the online purchase of sought-after items to create artificial scarcity, and so much more. These activities are not technically illegal; they only violate terms of service.
You may have heard these referred to as business logic flaws, but that name really doesn't do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same old Web hacker attack techniques everyone is familiar with, but the ones staring you in the face and missed because gaming a system and making money this way couldn't be that simple. Plus, IDS can't detect them and Web application firewalls can't block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) that we aren't even sure how widespread their use actually is. Time to pull back the cover and expose what's possible.
Jeremiah Grossman
Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at major industry events around the globe, a Black Hat veteran, and has been invited to present at a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!
Arian Evans
Remote Forensic Software or "offensive security" is the new trend in law enforcement and the fight against terrorism.
The topic is known in Germany as "Federal Trojan". This talk will give an introduction to the needs and problems with classic lawful interception and new remote methods. The problem of poisoning of evidence after a "Trojan" attack from law enforcement, as well as new attack vectors for bad guys are discussed.
This talk will give a demonstration of an "infection proxy" which shows how malware can be injected on the fly while software is being downloaded, how commercial security solutions like virus scanners and anti-malware tools are bypassed, and how effective Trojan attacks could be if your ISP is helping law enforcement. Methods for anti-remote-forensics are covered as well. Methods for detecting infection proxies and other lawful interception methods are shown.
Lukas Grunwald
Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally active consulting firm working mainly in the field of security solutions for enterprises and federal governments in Europe and Asia. He is also the head of the Hacking Lab where new technology is evaluated. Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in the security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in several conferences all over the world. Mr. Grunwald is co-author of RFDump, an RFID attack and audit tool that is free software and first gained attention when it was used to clone and attack the ePassport live at Black Hat.
Disassemblers are routinely used for reverse engineering but their inherent limitations make them ineffective for modern large applications. In order to cope with the volume and complexity, we have to switch to the next level of binary code analysis: decompilation.
In this presentation we will discuss the process of decompiler construction, the encountered problems and solutions. Our slides will show the decompilation process step by step.
Decompilers open the way to new tools and analysis methods; we will also briefly discuss them.
Ilfak Guilfanov
Mr. Guilfanov, the founder and CEO of Hex-Rays SA, holds a BSc in Mathematics from Moscow State University. He is the senior architect of several highly regarded software packages including the widely used IDA Pro, a multi-platform, multi-processor disassembler and debugger. Mr. Guilfanov is also known for having released, on 31 Dec 2005, a highly publicized unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system.
Citrix is a widely used remote desktop application utilized in many major corporations around the world. In addition to offering the typical benefits of RDP and Microsoft terminal services, it is capable of sandboxing and restricting the applications that can be executed by the user. Unfortunately, the Citrix environment can often introduce a false sense of security within organizations. There are several ways to circumvent security controls within the Citrix framework, and many system administrators are not aware of these attacks. During this presentation, we'll demonstrate ways in which the Citrix environment can be compromised using multiple attack vectors. Then we'll show you the corresponding remediation strategies.
Shanit Gupta
Shanit is a Senior Security Consultant at Foundstone. Shanit is responsible for creating and delivering the threat modeling, code review, and application security service lines. Shanit is also responsible for the design, development, and release of the free tools by Foundstone. Shanit has strong computer science fundamentals and software development experience on UNIX and Windows. Prior to joining Foundstone, Shanit was involved in developing real-time operating systems and a survivable prototype of the Kerberos authentication service at Carnegie Mellon. Shanit also worked at Alcoa, Inc., as a software developer, building critical internal applications. Shanit has diverse experience in a number of areas of software development and security. In the last 4 years at Foundstone, Shanit has reviewed custom operating system kernels, device drivers, virtualization environments, and large complex trading infrastructures.
This presentation explores the cutting edge of heap exploitation theory and practice on Windows Vista. The focus is on finding previously unknown attack vectors resulting from memory corruption on the heap. These include techniques for controlling execution flow by attacking only the heap implementation and not the application itself, and techniques for attacking the application in conjunction with the heap. Additionally, several design changes to further improve the security of the Vista heap will be suggested.
The heap is the userland component in charge of dynamic memory management. It is present and used to some extent in every Windows Vista process. Memory corruption on the heap (heap overflow) is common, seen in nearly every application and making up a large portion of reported vulnerabilities. With Windows Vista, Microsoft introduced several security features to the heap, effectively hardening it from classic heap overflow exploit techniques.
Ben Hawkes
Ben Hawkes is an independent researcher from New Zealand specializing in computer security and cryptanalysis. He is studying mathematics and computer science at Victoria University of Wellington, New Zealand.
Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments.
This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh!
This talk will focus on both securing virtualization as well as virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VM's, we'll explore the real issues that exist today as well as those that are coming that aren't being discussed or planned for.
Christofer Hoff
Chris Hoff is currently Unisys' Chief Security Architect. Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems' chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy. Hoff obviously also enjoys referencing himself in the third person.
JavaScript is fast becoming the vehicle of choice for malware authors. Over the last 3 years we’ve seen how attackers can use vanilla JavaScript to create powerful payloads such as intranet port scanning and hijacking, information theft, and even full web security assessments and SQL injection attacks. Even traditional browser or operating system attacks are being delivered to victims through the browser encased inside a JavaScript packed IFrame. Obfuscated JavaScript payloads are the norm thanks to malware frameworks like MPACK. With so many security threats being launched through JavaScript it is crucial to explore the capabilities of the tools researchers have to analyze malicious JavaScript as well as countermeasures that can be taken against them.
In this presentation we will explore the tit-for-tat battle between malicious JavaScript authors and security researchers. We will look at the current tricks and techniques used to protect malicious JavaScript from analysis, such as dynamic encoding (JS/Wonka), deliberate tool breaks (, etc), unmodifiable functions, and network nonces. We will see how researcher tools such as Caffeine Monkey and Decrypt JS attempt to defeat these current tricks and analyze basic obfuscated JavaScript.
Next we explore multiple new techniques to circumvent the current generation of automated analysis tools by detecting their presence from inside malicious JavaScript. (JSPill? hmmmm) These methods include HTTP/browser fingerprinting, DOM testing and encrypting, domain and network testing, execution environment testing, and cross-plugin communication testing. We will demonstrate malicious JavaScript detecting analysis tools using these methods and refusing to give up its secrets until it's running in the web browser of choice. We'll demonstrate encrypting JavaScript to only run in particular browsers or environments. We'll also demonstrate a couple of other tricks, such as encoding malicious JavaScript as nothing but white space, and function clobbering for fun and profit.
Finally we discuss countermeasures to the countermeasures, and offer feature ideas and advice for researchers developing the 3rd generation of automated JavaScript analysis tools.
Billy Hoffman
Billy Hoffman is the manager for HP Security Labs of HP Software, where he leads research focused on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and web crawling technologies. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Billy is a regular presenter at hacker conferences including Toorcon, Shmoocon, Phreaknic, Summercon, and Outerz0ne and is active in the South East hacking scene. Occasionally the suits make him take off the black t-shirt and he speaks at more mainstream security events such as RSA, Infosec, AJAXWorld, and Black Hat. Billy is also the author of the book Ajax Security, published by Addison Wesley in December 2007.
With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, Cold Fusion, or classic ASP).
This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.
Following this presentation, the module will be available for free download and use.
Brian Holyfield
Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the realm of information security for over 9 years, and has extensive security testing and consulting experience. Brian was also a contributing author for “Network Security Tools” (O'Reilly, 2005), where he outlined how to build an automated vulnerability detection and exploit scanner for web-based applications.
Malware's impact on digital investigations goes far beyond the Trojan horse defense as stealthy polymorphic and metamorphic malware continues to proliferate and evolve. Digital investigators must understand the subtle nuances of sophisticated threats in order to solve sophisticated digital crimes. Traditional forensic investigation methods fall short in providing investigators vital information regarding the signature, behavior, remnants or characteristics of metamorphic/polymorphic malware.
This presentation and accompanying paper quantifies the impact of polymorphic and metamorphic threats on the digital investigator and explores non-traditional approaches to investigation. The paper provides a DNA Taxonomy approach for examining and discovering characteristics (live and postmortem) exhibited by these advanced threats.
Chet Hosmer
Virtualization is a disruptive technology in the data-center which opens the path for new solutions for old problems.
Specifically, virtualization allows the isolation of a particular workload (an application within a VM) from the underlying hardware, and enables the creation of software services which can run independently of the original workload.
The presentation will focus on the capabilities of security applications running as services of the hypervisor: how these new services compare with existing security agents which run inside virtual machines, and what the possible future of workload security in a virtual data-center is.
Oded Horovitz
I am currently part of the VMware engineering organization as an architect for the VMsafe program. Being fascinated with building defense systems for the past 10 years, I have been enjoying the opportunity to unleash the possibilities of hypervisor-based defense capabilities. Prior to VMware, I was working as an architect for Entercept, now known as McAfee HIPS following Entercept's acquisition back in early 2005. Having the opportunity of being part of the pioneering group for host-based intrusion-prevention systems, I was lucky enough to learn anything there is to learn about vulnerabilities and exploitation (yes, I'm referring mostly to the good old old-school overflow attacks and such, with all due respect to the XSS generation) and have shared some of my findings with the security community. My most popular publication was the work done with Matt Conover about the possibilities of reliable exploitation of Windows heap overflows.
This presentation will discuss several vulnerabilities in Win32k.sys, the Windows NT kernel-mode library responsible for the Windows GUI Subsystem, ranging from privileged-path denial-of-service attacks due to bad assumptions regarding the validity of pointers before they are dereferenced, to the more dangerous unprivileged attacks, which leave any Windows NT-based operating system vulnerable to a local denial-of-service attack from a user with logon privileges (including a guest account).
First, a couple of unchecked pointer dereferences will be exposed, caused by a typical programming bug of assuming that a certain initialization stage has occurred, when it may not actually have occurred (either by design, or due to timing). These kinds of bugs are amplified when the code makes assumptions due to the undocumented nature of the interface, and uses those assumptions in lieu of pointer validation.
The second programming error that will be exposed is a combination of incorrect trust of user-mode accessible handles, especially non-privileged access, and incorrect usage of Nt versus Zw APIs when dealing with user-mode data. The kernel mechanism of “protect from close” handles will be explained, as well as how it can be used to attack Win32k.sys.
This second part will be the most focused part of the presentation, since it is a pretty new kind of vulnerability that has been overlooked until now, mostly because it typically only allows DoS or information leaks -- in today's Terminal Services/Multi-User world however, it simply cannot continue to be ignored.
Alex Ionescu
Alex Ionescu's experience in OS design and kernel coding dates back to his early adolescence, when he first played with John Fine's educational OS, kernel and boot loader code. Since then, he has been active in the area of NT kernel development, offering help and advice for driver developers, as well as in the NT reverse engineering and security field, where he has published a number of articles and source code. His contributions include documentation for the Linux NTFS project, extensive papers on the Visual Basic metadata and pseudo-code format, and NTFS structures and data streams. In Summer 2006, he was a speaker at the Recon 2006 conference, where he gave a talk about a new NT kernel exploit that allowed a user to access kernel memory from user-mode. During the last 3 years, he has been working on the ReactOS project as the lead kernel developer, responsible for writing most of its Windows 2003-based kernel. Alex Ionescu is now an intern on Apple's Embedded Kernel Team, where he has worked on ARM hardware and software bringup. He is also an instructor for David Solomon Expert Seminars, a well-known seminar company owned by David Solomon, co-author of the Windows Internals series. He took over Mark Russinovich's teaching duties after Russinovich was acquired by Microsoft. Currently, Alex has been contracted to write the updated materials for the 5th edition of the Windows Internals book, covering Vista and Server 2008, and continues his work at Apple. In his spare time, he publishes tools and articles on his blog.
This presentation will address the differences in ActiveX control vulnerabilities between Vista and XP. Internet Explorer is more secure on Vista due to UAC (User Account Control) and protected mode. However, ActiveX control vulnerabilities on Vista have nearly the same effect as those on XP. The reason for this is that ActiveX controls for Vista have been developed with a focus on compatibility rather than security. Vista needs additional techniques to successfully exploit file/registry writing vulnerabilities, process execution vulnerabilities, and buffer overflow vulnerabilities. In this presentation, these techniques will be addressed in detail.
There is a common mistake that developers are liable to make with Vista. Developers sometimes install program files in low integrity folders, because they wish to update them silently. However, program files with low integrity can be overwritten easily by malicious users. I developed a tool to identify this problem.
There are two ways developers elevate the privileges of an ActiveX control: explicitly or implicitly. Implicit privilege elevation is more dangerous, because it does not require user consent. Implicit privilege elevation does not elevate the privileges of the ActiveX control itself but uses another, higher-privileged surrogate process. If privilege-elevated ActiveX controls have a critical vulnerability, malicious users can obtain higher privileges by exploiting this vulnerability. Therefore, developers should not overuse implicit privilege elevation when writing a secure ActiveX control. Analyzers should take implicit privilege elevation into consideration when they inspect ActiveX controls on Vista.
Su Yong Kim
Su Yong Kim is a senior member of the engineering staff in the attached institute of ETRI. His research focuses on finding vulnerabilities in software, especially ActiveX controls. He developed YMFAC to manually inspect ActiveX controls. He presented his paper about ActiveX control security at the CanSecWest 2007 conference.
Medical devices are becoming more sophisticated and wireless. We recently published an academic paper titled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses." In this paper we describe experiments with a real, common implantable defibrillator and show that the risks are real, albeit small today. Using our own equipment, we are able to extract private information stored on the implantable defibrillator, change its settings, and even make it issue an electric shock. (We stress that patients should not be concerned about our current results, but that the community should demand stronger security mechanisms in future devices.)
Previously, one of us (KF) made international news by exposing vulnerabilities in RFID credit cards, and the other of us (TK) was the first to publicly study the security of the Diebold electronic voting machine (in 2003). We've now turned our attention to implantable medical devices because we think that their security will become increasingly important in the near future. Second, implantable medical device security is exactly the right tool to talk about how the security community will evolve -- it's no longer just about PCs and network security -- small embedded systems are now life critical.
Come to this talk and learn about the directions of implantable medical devices, the security and privacy risks that we have experimentally discovered, and our predictions for the field. And, as a bonus, learn what drives the academic security research community and why, collectively, we've dedicated our time to studying e-voting, credit cards, and implantable medical devices, and what we think the community might turn to next. And learn some principles that will help your future systems -- whether embedded, or medical, or not -- be more secure from the start.
Tadayoshi Kohno
Kohno is an Assistant Professor of Computer Science and Engineering at the University of Washington. He worked as a cryptography and computer security consultant with Bruce Schneier, back when Counterpane Systems had less than a handful of full-time cryptographers and before the days of Counterpane Internet Security, Inc. Since then he's published security analyses of technologies as varied as electronic voting machines, implantable wireless defibrillators, file encryption systems, popular consumer devices, and ISP ad injectors. Kohno has a Ph.D. in Computer Science (cryptography) from the University of California at San Diego.
Kevin Fu
Dr. Kevin Fu, PhD, is an assistant professor in the Department of Computer Science at the University of Massachusetts Amherst. He serves as the principal investigator of the RFID Consortium on Security and Privacy (RFID-CUSP.org) and the co-director of the Medical Device Security Center (secure-medicine.org). Dr. Fu investigates how to ensure security and privacy for devices that must defend against malicious parties. His contributions include the security and threat model analysis of several systems ranging from contactless "no swipe" credit cards and wireless medical devices to access-controlled Web sites and automated software updates. Dr. Fu's research has led to improvements in security and privacy of pervasive devices, promoting the vision of safer and more effective technology for consumers. Dr. Fu received his Ph.D. in Electrical Engineering and Computer Science at the Massachusetts Institute of Technology. He has served on numerous program committees of prestigious conferences in computer security and cryptography, and has given dozens of invited talks world-wide to industry, government, and academia on the topic of security and privacy. His research has appeared in The New York Times and The Wall Street Journal.
Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life: malware that is OS and architecture independent, as covert as a cutting-edge rootkit, but at the same time implemented through a series of APIs and a generous variety of high-level OOP languages that simplify the task.
Itzik Kotler
Itzik Kotler is Radware's Security Operations Center team leader. He manages a team of researchers that follows him into exciting adventures in the dark world of networking, where every standard and rule can be bent and vulnerabilities are lurking on every bit and byte. Radware SOC is a vulnerability research center that develops updated signatures and new techniques to defend against known and undisclosed application vulnerabilities. Prior to joining Radware, Itzik held a number of security research positions and served in an elite intelligence unit in the Israeli Defense Force (IDF).
Jonathan Rom
Jonathan Rom is currently a Security Researcher at Radware, Inc., where he focuses on protocol analysis and anomalies. Jonathan has worked as a UNIX/Security counselor for both government and private sectors and has over 10 years of experience. He has a bachelor's degree in computer science from the Interdisciplinary Center in Herzelia.
With the increased use of SMS, performing forensics on seized mobile phones to retrieve text and multimedia messages is rapidly becoming a critical investigative requirement. As with other areas of forensics, the mobile phone forensics toolkits available today are not perfect. This talk will seek to inform the audience of various attacks we have discovered against mobile phone forensics software that allow attackers to avoid detection. Additionally, during this talk we will release and demonstrate a tool for sending and receiving covert SMS messages. Finally, we will release SMS fuzzing tools to allow vendors and users of mobile phone forensics software to test the reliability of the tools they rely upon.
Zane Lackey is a Senior Security Consultant with iSEC Partners—a strategic digital security organization. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes AJAX web applications, VoIP, and mobile phone security. Zane has spoken at top security conferences including BlackHat, Toorcon, MEITSEC, and the iSEC Open Forum. Additionally, he is a co-author of "Hacking Exposed: Web 2.0" (McGraw-Hill/December 2007) and contributing author of "Hacking VoIP" (No Starch Press/Fall 2008). Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop.
The Deobfuscator is an IDA Pro plug-in that neutralizes anti-disassembly code and transforms obfuscated code to simplified code in the actual binary. This plug-in uses emulation techniques to remove obfuscated code and replace it with a simplified, transformed equivalent. It can be used alone to modify an IDA Pro database for static analysis, or in conjunction with a binary injector to ease dynamic analysis.
We developed this tool while assessing the strength of software protections and analyzing malware for DoD government entities and commercial companies. Since its inception, the Deobfuscator has proven to reduce analysis tasks that previously took days into ones that take mere minutes.
Eric Laspe
Eric Laspe has worked at Riverside Research Institute for two years. Since joining their Red Team in 2006, he has broken software protections for commercial entities, reverse engineered malware, and worked with the Team developing a variety of innovative RE tools. Eric has a B.S. in Computer Engineering from Wright State University, and has co-authored IEEE papers on binary obfuscation removal and specialized debugging tools.
Toll payment systems, such as FasTrak and E-ZPass, promise quick travel and more revenue for the state. While privacy issues with such systems have been discussed in general, little is known about their actual implementation and security. We reverse-engineered the RFID internals and analyzed the protocol to find out just what's going on inside. We'll explain the low-level details we found, the problems, and possible ways to build a safer and more secure system.
Nate Lawson, founder of Root Labs, assists companies with the design of embedded, platform, and cryptographic security. At Cryptography Research, Nate co-developed the Blu-ray content protection layer known as BD+. He is also the original developer of IBM/ISS RealSecure. Powered by home-roasted coffee, Nate spends his spare time contributing to the FreeBSD (ACPI/power management, SCSI) and C64 Preservation open-source projects.
The Bluetooth protocol for close-range wireless communication has been a huge success. It is a widely adopted standard and is used for a wide range of devices, from cellphones to PDAs to laptops and more. Due to its ubiquity and importance, its security has become a critical issue. In the new version 2.1, released in July 2007, a complete overhaul of the pairing procedure was carried out with the express aim of making it more secure. In this paper we show that the Bluetooth pairing protocol in passkey entry mode completely leaks the password. In addition, we show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long. Our attacks demonstrate that passkey entry mode can only be used safely with a different random password each time. Unfortunately this is not possible for devices that use a fixed password (like many hands-free car kits). In addition, due to human behavior, this is unlikely to be the case when the user enters the password into two devices in order to pair them. Thus, devices that leave it to the user to enter a password (instead of randomly generating it on one of the devices) will be vulnerable to attack.
Andrew Lindell
Andrew Lindell is the Chief Cryptographer at Aladdin Knowledge Systems and an Assistant Professor at Bar-Ilan University in Israel. Andrew attained a Ph.D. at the Weizmann Institute of Science in 2002 and spent two years at the IBM T.J.Watson research lab as a Postdoctoral fellow in the cryptography research group. Andrew has carried out extensive research in cryptography, and has published more than 50 conference and journal publications, as well as an undergraduate textbook on cryptography and a book detailing secure protocols. Andrew has presented at numerous international conferences, workshops and university seminars, and has served on program committees for top international conferences in cryptography. In addition to Andrew's notable academic experience, he joined Aladdin Knowledge Systems in 2004. In his position as Chief Cryptographer, he has worked on the cryptographic and security issues that arise in the design and construction of authentication schemes, smartcard applications, software protection schemes and more. Offering a unique combination of academic and industry experience, Andrew brings a fresh and insightful perspective on many of the crucial security issues that arise today.