

Black Hat USA 2008 Speaker List

Black Hat USA 2008 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Keynote: Complexity in Computer Security: a Risky Business

Ian O. Angell, Professor of Information Systems, London School of Economics

In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.

Ian Angell has been Professor of Information Systems at the London School of Economics since 1986. Prior to that he researched and taught Computer Science at Royal Holloway College, and University College London.

Angell has very radical and constructive views on his subject, and is very critical of what he calls the pseudo-science of academic Information Systems. He has gained a certain notoriety worldwide for his aggressive polemics against the inappropriate use of artificial intelligence and so-called knowledge management, and against the hyperbole surrounding e-commerce.

His main research work concentrates on organizational and national I.T. policies, on strategic information systems, and on computers and risk (both opportunities and hazards), particularly the systemic risks inherent in all socio-technical systems and the security threats posed to organisations by the rapidly diffusing international information infrastructure.

Winning the Race to Bare Metal – UEFI Hypervisors

Don Bailey, Martin Mocko

Track: Turbo Talk

Combining UEFI with hypervisors paves the way for a new class of vulnerability. We will present a discussion and demonstration of the threat and opportunity that UEFI-based hypervisors pose to and for system security. The emerging support for UEFI in commodity OSes (Microsoft Vista SP1) makes a rich set of pre-OS capabilities possible. The advent over the past few years of processors that support virtualization in silicon has made high-performing commodity hypervisors a reality. We will discuss and demonstrate loading a hypervisor via the pre-OS features of UEFI.

Don Bailey

Don is founder and CEO of Hypervista Technologies, a Northern Virginia company focused on providing hypervisor-based security solutions. Prior to founding Hypervista, Don spent 25 years at CIA developing, managing and deploying cutting-edge technical systems. Don has been a keynote speaker at the annual multi-national conference sponsored by NSA. Don has also presented at CIA's Emerging Technologies Conference. Don has spent the past three years developing a custom lightweight hypervisor and a runtime hypervisor debugger.

Martin Mocko

Born 8th Jan 1986 in Myjava, Slovakia. Area of expertise: system-level C/Asm development, machine code manipulation (x86, ARM), reverse engineering. Experience: 10 years independent C/Asm development and reverse engineering; 3 years copy protection; 1 year virtualization.

Keynote: TBD

Rod Beckström, Director of the National Cyber Security Center

Rod Beckström is the Director of the National Cyber Security Center (NCSC) in the U.S. Department of Homeland Security and reports to Secretary Michael Chertoff.

Rod co-authored The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations that presents a new model for analyzing organizations, leadership style and competitive strategy. He has co-authored three other books including one on Value at Risk (VAR), a fundamental theory of financial risk management now used to regulate banking globally.

As an entrepreneur Rod started his first company when he was 24 in a garage apartment and subsequently grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles and Hong Kong. The company, CAT•S Software Inc., went public and was later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of advisors and directors, respectively.

Rod also co-founded Mergent Systems with Dr. Amos Barzilay and Assistant Professor Michael Genesereth of the Stanford Graduate School of Computer Science. Mergent was a pioneer in inferential database engines and was sold to Commerce One for $200 million. He also co-founded TWIKI.NET, a company offering service and support for an open source wiki and collaboration software system.

From 1999 to 2001 Rod served as the Chairman of Privada, Inc. Privada was a pioneer in technology to enable private, anonymous and secure credit card transaction processing over the internet.

Rod has helped to start numerous non-profit groups and initiatives. In 2003 he co-founded a peace network of CEOs which initiated Track II diplomatic efforts between India and Pakistan. This group took symbolic actions which led to opening the borders to citizens and trade, and contributed to ending the most recent Indo-Pak war. He serves on the boards of the Environmental Defense Fund and the Jamii Bora Trust (micro-lending) in Africa.

Rod graduated from Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland.

RE:Trace - Applied Reverse Engineering on OS X

Tiller Beauchamp, David Weston

Track: Reverse Engineering

This paper will detail the newest developments in RE:Trace, a reverse engineering framework based on Ruby and DTrace. We will discuss implementations for walking and searching the heap on OS X, tracing for kernel and driver vulnerabilities, pinpointing format string bugs and leveraging custom application probes, such as those built into browser and database software.

Tiller Beauchamp

Tiller Beauchamp works as a senior security consultant for SAIC providing security auditing services to large commercial, state and DoD customers. His areas of expertise include network penetration testing, web application security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer Science from the University of Oregon with a specialization in software engineering. He has worked as the lead developer for Team Defend, SAIC's portable computer and network defense exercise. Beauchamp is also responsible for maintaining the company's penetration toolkit and penlab.

David Weston

David Weston is a Security Engineer in the Windows Experience team at Microsoft. He is an experienced security researcher and has discovered vulnerabilities in software from Microsoft, Immunity, and the Defense Information Systems Agency. He has an undergraduate degree from the University of California at Santa Barbara and is currently pursuing a graduate degree with a research emphasis on vulnerability exploitation.

Predictable RNG in the Vulnerable Debian OpenSSL package, the What and the How

Luciano Bello, Maximiliano Bertacchini

Track: Network

Recently, the Debian project announced a vulnerability in an OpenSSL package which it had been distributing for the last two years. This bug makes the PRNG predictable, affecting the keys generated by openssl and by every other system that uses libssl (e.g. openssh, openvpn). We will talk about this bug, its discovery and publication, its consequences, and exploitation. We will also demonstrate some exploitation tools.

Luciano Bello

Luciano Bello is an Engineer (Information Systems) and works as a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina. He has been a Debian Developer since 2007.

Maximiliano Bertacchini

Maximiliano Bertacchini is a PhD student in Computer Engineering at ITBA (Technological Institute of Buenos Aires). He is a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina.

When Lawyers Attack: Dealing With the New Rules of Electronic Discovery

John Benson, Electronic Discovery Consultant

Track: Deep Knowledge

The legal community is slowly accepting that the changes to the Federal rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.

The changes to the Federal Rules change the way in which individuals and organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.

More frightening for individuals doing security research is the fact that these rules apply to the one-man research operation in the same way as to the multimillion-dollar conglomerate.

This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to) and will empower attendees with the knowledge they need to deal with this new legal environment.

John Benson currently works as an Electronic Discovery Consultant for a large Midwestern law firm. A graduate of the University of Missouri from both Columbia and Kansas City campuses, he is a member of the Missouri Bar Association and serves as the Chairman of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee. He has taught law, ethics and (oddly enough) finance as an adjunct professor at The Colorado Technical University. In 2008 he founded the Cowtown Computer Congress, a hackerspace and umbrella organization for the advancement of user-driven technology activities in Kansas City. He has presented at hacker cons around the country including LayerOne, Pumpcon, Shmoocon and DEFCON. He can be found on the DEFCON boards and assisting with radio communications at DEFCON. His website can be found at

No More 0-Days (or Code-Based Intrusion Detection by Korset)

Ohad Ben-Cohen

Track: 0-Day Defense

In order to identify malicious activity, Host-based Intrusion Detection Systems often monitor the system calls emitted by a process, and then compare them to a pre-constructed model of normal behavior. The model can either be learned during a training session, or manually written by the user. Alas, the former suffers from false positives, and therefore repeatedly requires user intervention, and the latter is tedious and demanding.

In this talk we present an automated, zero false alarm, whitebox approach that effectively targets 0-day code injection exploits:

By statically analyzing an application's source/object code, we build its control flow graph (CFG), which is then used by the Kernel to verify the legitimacy of the issued system calls and their order. This method enjoys a powerful property of provable zero false positives, since a deviation from a (non self-modifying) program's CFG can only be explained as an intrusion.

We present Korset, an Open Source Linux prototype which implements this approach via:

  • An automatic analyzer that builds the CFG as part of the compilation process.
  • A kernel agent that enforces the policy induced by the CFG, and terminates subverted processes.

We have successfully used Korset to automatically construct CFGs for the entire GNU C library, and demonstrated its ability to block buffer overflow attacks.

Korset introduces a viable IDS methodology that can stop future, or publicly-unknown exploits. Furthermore, run time performance measurements of Korset show negligible overheads.

In collaboration with Avishai Wool, Tel-Aviv University.

Ohad Ben-Cohen

Ohad Ben-Cohen is a Linux Kernel developer and consultant, bringing years of Information Security expertise and Free / Open Source Software know how. His recent Open Source work includes writing the Bluelink Linux driver, Bluetooth power management support for the OMAP2430 kernel and the Linux port of TI's FM and Bluetooth stack. He teaches System Programming at Tel-Aviv University, where he conducts his research and develops Korset.

Free-Space Quantum Key Distribution at GHz Transmission Rates

Joshua Bienfang

Track: Turbo Talks

Quantum mechanics makes possible some things that are impossible in the "classical" world of ordinary experience, and which even seem to contradict common sense. Some of these spooky effects are coming into practical use in security applications. The Quantum Spookshow of the National Institute of Standards and Technology (NIST) and the National University of Singapore (NUS) demonstrates quantum cryptography and quantum entanglement on a four-node quantum network, which supports quantum-encrypted streaming video and violations of local realism. Participants are encouraged to interact with the light beams that constitute the physical link of this network, and to meet physicists who have designed and built quantum networks. Quantum mechanics provides methods of encryption that are secure from eavesdropping attacks against the quantum channel, but in any actual system there are points of vulnerability, e.g. correlations of classical noise in the operation of quantum elements. Participants will have a chance to discover vulnerabilities by hands-on interaction with our systems. Dr. Joshua Bienfang will give a Turbo Talk on quantum encryption at Black Hat at 4:45 p.m. on Thursday, August 7. The demo will run from 1330 to 1930 on Wednesday and from 1200 to 1800 on Thursday, in the Turin Room on the Third Floor. For further information, see

Joshua Bienfang

Active 802.11 Fingerprinting: a "Secret Handshake" to Know Your APs

Sergey Bratus

Track: OTA

Wireless devices that speak 802.11a/b/g differ, among other things, in their responses to non-standard and malformed frames. We show that these differences can suffice to distinguish between APs and other devices from different vendors, and will demo a tool that fingerprints APs by their responses to such frames. Our method is active and therefore "noisy", but works (unlike other previously presented fingerprinting methods) without either establishing or observing established associations. We also explore timing characteristics of the responses to refine our fingerprint.

Our tool can be used as a prelude to any other interaction with an AP when one wants to assure that it is what it claims to be. It will be useful when one does not trust the suspicious AP (or one's own driver/OS) enough even to engage in a cryptographic exchange to authenticate it. It will also serve as a cautionary tale for the designers of future wireless L2 protocol implementations.

This is joint work with Daniel Peebles and Cory Cornelius (Institute for Security Technology Studies, Dartmouth College).

Sergey Bratus

Sergey Bratus is a Senior Research Associate at the Institute for Security Technology Studies at Dartmouth College. His current research focus is on applications of data organization and other AI techniques to log and traffic analysis. His other interests include Linux kernel security (kernel exploits, LKM rootkits and hardening patches to various security policy mechanisms) and wireless networking. Before coming to Dartmouth, he worked on statistical learning methods for natural text processing and information extraction at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.

SmartCard APDU Analysis

Ivan Buetler, Presenter

Track: Hardware

SmartCards are commonly used for authentication, or for securing e-mails or transactions. The concept armors crypto functions in a tamper-proof architecture. Software cannot be protected by software, and this paradigm forces the need for secure devices. But how does it work? How does a Windows computer communicate with the SmartCard device? Can hackers inject malware in between the communication? This presentation addresses these items. The Compass Security APDU debugger allows you to halt, alter and intercept APDU commands and disclose hidden secrets. The APDU debugger is part of the presentation.

Ivan Buetler co-founded Compass Security AG Switzerland in February 1999 where he works as a Security Analyst and Managing Director. Additionally, Ivan works as a teacher with both the University of Applied Sciences Rapperswil and Lucerne University of Applied Sciences and Arts. He is also the author of various publications on IT and internet security. In his spare time he heads up the annual Hack&Learn Wargames Switzerland.

Insane Detection of Insane Rootkits: Chipset Based Approach to Detect Virtualization Malware

Yuriy Bulygin, Presenter, Security Center of Excellence

Track: Root Kit Arms Race

This work introduces an approach to detecting hardware-assisted virtualization malware that differs from currently developed techniques. It uses the hardware capabilities of an embedded microcontroller inside the chipset's north-bridge to detect virtualization malware, and goes beyond detection to remove it from the system. We will discuss the advantages and other potential applications of the approach, possible attacks that evade detection, and countermeasures to them.

This talk will also include a demo of DeepWatch, a proof of concept detector of VT-x based virtualization rootkits implemented in north-bridge firmware.

Yuriy Bulygin so enjoyed watching the Chernobyl Nuclear Power Plant burn at age 7 that he decided to learn how things work and why they fail. Yuriy received his Masters in Applied Math and Physics while attempting to hack the physics of Jupiter's atmosphere, which appeared to be too far from the Earth. He then received his Ph.D. in Crypto from Moscow Institute of Physics and Technology (Phystech) in Russia. Yuriy works for Intel's Security Center of Excellence where he leads security analysis and pen-testing of Intel hardware/software and teaches secure coding to Intel engineers. He is also a core member of Intel PSIRT. Prior to joining Intel Yuriy was a member of the technological research team at Kaspersky Lab in Russia.

FLEX, AMF 3 and BlazeDS: An Assessment

Jacob Carlson, Kevin Stadmeyer

Track: App Sec 1.0 / 2.0

Adobe FLEX with BlazeDS offers developers a streamlined application development paradigm, letting them create rich Internet applications with little exertion. As always, though, ease of implementation often results in incomplete engineering. In this presentation Jacob Carlson and Kevin Stadmeyer offer their assessment of the FLEX and BlazeDS application architectures as well as a detailed examination of the Action Message Format version 3. We will provide developers and administrators clear examples of how to do things wrongly, how to do them rightly and explain exactly how each component works internally.

Jacob Carlson

Jacob Carlson has been a professional security researcher, consultant and developer for over 10 years. His experience includes application assessment, reverse engineering, hostile binary analysis, exploit development, architecture review and penetration testing. He has presented at conferences and private training engagements across Europe and the United States and was a co-author of "Internet Site Security", published by Addison-Wesley in 2002. He is a Project Lead in the Trustwave development team and spends an unhealthy portion of his free time performing protocol and binary analysis.

Kevin Stadmeyer

Kevin Stadmeyer has been a security researcher and consultant for the last 5 years. He has worked on a variety of applications over those years across all major industries. His expertise is in application assessment, application-layer protocols analysis and penetration testing as well as developer training and a variety of fine English gins. Kevin works for Trustwave in the SpiderLabs Application Penetration Testing team.

Cisco IOS Shellcodes/Backdoors

Gyan Chawdhary, Varun Uppal
It has been more than three years since Michael Lynn first demonstrated a fully interactive shell code at Blackhat 2005 for Cisco's proprietary Internetworking Operating System (IOS). However, due to the legal obligations imposed by Cisco and ISS, the technical information surrounding this research could not be revealed in greater detail, which stifled continued security research in this area. The presentation will cover significant advances in IOS shell code development and looks at its subsequent impact on modern day routing infrastructure. IOS specific payloads including bind shell, reverse shell, 2 byte shell codes and bypassing the check heaps process in IOS 12.4 shall all be covered from both a practical and theoretical standpoint as well as a detailed overview of IRM's techniques used to develop these payloads. Furthermore, building a complete IOS debugging environment and identifying new attack vectors will also be covered in the presentation, allowing researchers to establish a fully working environment to develop IOS specific code, execution payloads, memory resident backdoors and to conduct vulnerability research on Cisco embedded devices.

Gyan Chawdhary

Gyan Chawdhary is a Senior Consultant heading up the Embedded Systems Center of Excellence at IRM’s European Technical Centre in UK. He is a key member of IRM’s Code auditing & AP team and performs a range of consultancy services which include code auditing, software security and vulnerability assessments. With over 9 years of experience in Information Security, Gyan’s experience includes a broad range of market verticals with specialization in the financial services space. Prior to joining IRM, Gyan was a Managing Consultant at Mahindra British Telecom, where he was involved in establishing and managing MBT’s Vulnerability Assessment Centre and conducting research and product assessments for various in-house and commercial applications.

Varun Uppal

Varun Uppal is a Senior Consultant at Information Risk Management Plc where he heads the Application Risk Assessment and Code Review Centers of Excellence. With an experience spanning over 5 years and a gamut of verticals, Varun has worked on a variety of commercial and non-commercial research engagements covering areas such as high speed messaging protocols, embedded devices and application risk modeling. Prior to IRM Plc, Varun designed and implemented the application security practice at Kanbay (Capgemini, Financial Services SBU), where he consulted to clients from the financial vertical.

SQL Injection Worms for Fun and Profit

Justin Clarke

Track: Turbo Talks

Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to be coming next out of Russia/China/wherever, including a live demo of a proof of concept SQL injection worm, "weaponized".

Justin Clarke

Justin is a Principal Consultant with Gotham Digital Science. He is the co-author of "Network Security Tools" (O'Reilly, 2005), a contributing author to "Network Security Assessment" (O'Reilly, 2007), and has spoken at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years of security testing and consulting experience in network, application, source code and wireless testing work for some of the largest commercial and government organizations in the United States, United Kingdom, and New Zealand. Justin is active in developing security tools for penetrating and defending applications, servers, and wireless networks (e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything alone without at least trying to see how it works.

Commission on Cyber Security for the 44th Presidency

Panel Discussion

The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency - the administration that will take office in January 2009. The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure. Hear what is going on with this Commission, ask questions, and provide input on what you think should be addressed at a Presidential level for the next administration.

Michael Assante

Michael J. Assante, a recognized security and infrastructure protection visionary and new product development leader, brings a powerful combination of leadership/domain experience, technological vision and strategy development to the Idaho National Lab (INL). He was selected by his peers as the winner of Information Security Magazine's 2007 Security 7 leadership award for his efforts as a "strategic thinker".

Prior to assuming his strategic leadership position at INL, Mr. Assante was a vice president and Chief Security Officer at American Electric Power, the largest generator of electric power in the US, serving 5 million customers in eleven states. He provided leadership, developed and implemented strategies to enhance security and business continuity for AEP; he was also responsible for protecting and maintaining corporate facilities, critical operating assets and property; and he ensured the security and continued preservation of all corporate information and proprietary data and the technology that supports it. He was selected for outstanding contribution at the RSA 2005 Conference and awarded the outstanding achievement in the practice of security within an organization. He has been recognized by SC Magazine among all Chief Security Officers as one of two finalists for the global 2005 awards as CSO of the year. He was selected as a finalist for Information Security Executive of the Year of the Midwest in 2005. In 2003, Mr. Assante was awarded the best governance program award ("The Best of the Best – Best Governance Program," Information Security Magazine, December 2003) for the establishment of an enterprise executive security committee.

Prior to assuming a vice president's position as Chief Security Officer at AEP, Mr. Assante, as a reserve naval intelligence officer, filled a critical position at the National Infrastructure Protection Center. In 1997, Mr. Assante was named a Naval Intelligence Officer of the Year. In 2002 Assante was selected as one of Columbus Ohio's Top 40 people under 40.

Jerry Dixon

Jerry Dixon is currently the Director of Analysis for Team Cymru and serving as Infragard's Vice President for Government Relations, and was the former Executive Director of the National Cyber Security Division (NCSD) & US-CERT, of the Department of Homeland Security. He currently serves as a member of the CSIS Cyber-Commission on Cyber-Security for the 44th President and a member of the Advisory Board for Debix, an Identity Theft Protection Company.

During his time at Homeland, Jerry led the national effort to protect America's cyber infrastructure and identify cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led their operational cyber security capability for the IRS and developed their ability to detect and respond to protect American taxpayer's private information from security attacks. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.

Tom Kellermann

Tom Kellermann is responsible for building Core's relationships with key industry and government partners, and helping further the acceptance of auditing security defenses to reduce organizations' operational risk.

Additionally, Kellermann represents Core at US, international and industry security working groups, helping these organizations promote improved security practices and policies. Specifically, Tom is a Commissioner and Chair of the Threats Working Group on The Commission on Cyber Security for the 44th Presidency. Tom also serves as the Chair of the Technology Working Group for the Financial Coalition Against Child Pornography.

Tom Kellermann formerly held the position of Senior Data Risk Management Specialist on the World Bank Treasury Security Team. Tom was responsible for cyber-intelligence and policy management within the World Bank Treasury.

Tom regularly advised central banks around the world on their cyber-risk posture and layered security architectures.

Along with Thomas Glaessner and Valerie McNevin, he co-authored the book E-safety and Soundness: Securing Finance in a New Age and the White Paper, E-security: Risk Mitigation in Financial Transactions. Tom is also the author of numerous World Bank white papers on cyber security: Mobile Risk Management, The Digital Insider, Phishing in Digital Streams, Bots: Cyber Parasites, Zero Day, and Money Laundering in Cyberspace. See:

Tom is an active member of the IP Governance Task Force, The National Consumer League's Anti-Phishing Working Group, The New York Chapter of Infragard, the IPv6 Forum and is an active member of the American Bar Association's working group on Cyber-crime. Tom is a Certified Information Security Manager (CISM).

Marcus Sachs

Marcus Sachs is a member of the CSIS Commission on Cyber Security for the 44th Presidency and since 2003 has volunteered as the director of the SANS Internet Storm Center. He is a retired US Army officer, a former Presidential appointee to the staff of the National Security Council, and was part of the original cadre of DHS' National Cyber Security Division in 2003. He currently works at Verizon as an Executive Director of Government Affairs for National Security Policy. Prior to joining Verizon in 2007 he was the deputy director of SRI International's Computer Science Laboratory.

Amit Yoran

Amit Yoran led the management buyout of NetWitness from ManTech in 2006 and serves as the Chairman and CEO. Prior to NetWitness, he was appointed as Director of the National Cyber Security Division of Homeland Security, and as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. Formerly Mr Yoran served as the Vice President of Worldwide Managed Security Services at the Symantec Corporation. Mr. Yoran was the co-founder of Riptech, a market leading IT security company, and served as its CEO until the company was acquired by Symantec in 2002. He served as an officer in the United States Air Force in the Department of Defense's Computer Emergency Response Team.

Visual Forensic Analysis and Reverse Engineering of Binary Data

Greg Conti, Erik Dean

Track: Forensics & Anti Forensics

For decades hex was the common tongue of reverse engineers and forensic analysts, but we can do better. Hex editors are the Swiss Army knives of low level analysis and have evolved significantly, but are now at a local maximum. With the tiny textual window hex provides, it is difficult, if not impossible, to understand the big picture context and inner workings of binary objects - files, file systems, process memory, and network traffic. While there are helpful tools to analyze the special case of executable files, little work exists to help address the general case of _all_ types of binary objects. This talk presents visual approaches to improve the art and science of forensic analysis, diffing, and reverse engineering, both in the context independent case where little is known about the raw structure of the binary data and at the semantic level where external knowledge can be used to inform analysis. Two open source visual analysis tools, each with a different perspective on visual reverse engineering and forensics, will be demonstrated and released, as well as a comprehensive survey of security visualization systems. If you read hex, you should attend this talk.

Greg Conti

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at and

Erik Dean

Erik Dean is a research programmer at the United States Military Academy and a graduate of the Rochester Institute of Technology. His research includes forensic analysis, information visualization, and construction of offensive and defensive information warfare training systems and networks.

iRK - Crafting OS X Kernel Rootkits

Jesse D'Aguanno

Track: Rootkits Arms Race

Over the last few years, OS X has captured much attention in the security industry. Techniques in shellcode development, exploits, etc. have been widely publicized and spoken on, yet the subject of covertly maintaining access once gained has not been adequately covered.

This talk will build on previous rootkit research, applying rootkit and kernel subversion techniques from the Windows, Linux and BSD worlds to Apple's OS X operating system as well as taking advantage of some of the unique features of OS X. It will detail topics such as: Introducing code into the XNU kernel (Basic KEXT development), Hooking, Direct Kernel Object Manipulation, Patching Running Kernel Memory, etc. It will cover some of the pitfalls encountered while developing rootkits for OS X and how to overcome them.

Finally, we will combine these techniques and demonstrate a useful PoC rootkit which can form the foundation for your own real-world rootkit.

Jesse D'Aguanno

Jesse "x30n" D'Aguanno is a Security Researcher and Software Engineer who has been involved in the security industry and "underground" for over 10 years. As a software engineer he has contributed to numerous open source and commercial projects. As a researcher, he has written and published many papers and proof of concept tools. His current research interests are primarily focused on binary reverse engineering, anti-forensics, exploit development and network attack. He is a frequent presenter at different industry conferences and events. By day he works as the Director of Professional Services and Research for Praetorian Global, a security services company in California. In his "spare" time, he is the team captain for Digital Revelation, a security think tank best known as the two-time winners (and almost annual participants) of Defcon CTF.

Methods for Understanding Targeted Attacks with Office Documents

Bruce Dang

Track: App Sec 1.0 / 2.0

As more security features and anti-exploitation mechanisms are added to modern operating systems, attackers are changing their targets to higher-level applications. In the last few years, we have seen increasing targeted attacks using malicious Office documents against both government and non-government entities. These attacks are well publicized in the media; unfortunately, there is not much public information on attack details or exploitation mechanisms employed in the attacks themselves. This presentation aims to fill the gap by offering:
(1) A brief overview of the Office file format.
(2) In-depth technical details and practical analytical techniques for triaging and understanding these attacks.
(3) Defensive mechanisms to reduce the effectiveness of the attacks.
(4) Forensics evidence that can help trace the attacks.
(5) [If we have time] Static detection mechanism for these vulnerabilities (i.e., how to write virus signatures for these vulns).
(6) Techniques to help detect these attacks on the wire.
(7) A surprise. :)

Bruce Dang

I do vulnerability analysis in the Secure Windows Initiative (SWI) Group.

AppSec A-Z: Reverse Engineering, Source Code Auditing, Fuzzing, and Exploitation

Jared DeMott

Track: App Sec 1.0 / 2.0

For many years hackers have been reversing code, scanning source, fuzzing applications, and crafting lethal exploits. It's time for security researchers, consultants, testers, and administrators to freshen up their skills by walking back through the computer science fundamentals of these techniques. This is a Deep Knowledge lecture series intended to bring newbs up from the ground, and to hone and challenge pros that have been at it for a while. Bring your Red Bull as former professor DeMott walks through 6 lectures that he designed for his security class.

Jared DeMott

Jared DeMott is a security researcher for Crucial Security, frequent speaker, former teacher, and just this summer a first-time author (fuzzing book with Takanen and Miller). He has been deeply involved in the security community since he started coming to BlackHat in 2000. Jared is probably best known for the fuzzing tool, GPF, which he released in 2005.

Bad Sushi: Beating Phishers at Their Own Game

Nitesh Dhanjani, Senior Manager

Billy Rios, Microsoft

Track: Bots and Malware

This talk will expose the tools and tactics used in the phishing underground. What started as a simple examination of phishing sites, turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers.

Follow us as we track real life phishers hiding in the shadiest corners of the Internet, analyze the tools used by phishers, determine if these phishers are really the Einsteinian Ninja Hackers the media portrays them to be, uncover how phishers phish other phishers, and discover the sites where real life identities are being bought and sold.

Nitesh Dhanjani is an actual reincarnation of Dawkins' Spaghetti Monster. Nitesh Dhanjani is also a rare type of Blowfish that is poisonous to phishermen across the world. Once netted, Dhanjani's poison quickly disables the phishermen and spreads to their prized lines and lures. Currently, only two individuals, namely Chuck Norris and Bruce Schneier, are known to handle this toxic poison without fear of death.

Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.

Next Generation Collaborative Reversing with Ida Pro and CollabREate

Chris Eagle, Associate Chairman, Computer Science Department, Naval Postgraduate School
Tim Vidas, Research Associate, Computer Science Department, Naval Postgraduate School

Track: App Sec 1.0/ 2.0

A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's Ida Sync provided a first step towards automated collaboration among Ida users; however, Ida Sync suffers from several shortcomings, including the fact that it has failed to keep pace with the evolution of Ida's internal architecture. In this presentation, the authors present a new tool titled collabREate, designed to bring nearly effortless collaboration to Ida users. The talk will include discussion of the IDA API and the ways in which it facilitates collaboration, along with the ways in which it hinders collaboration. The design of a robust server component, responsible for managing projects and connected clients, will also be discussed, along with a number of capabilities beyond simple collaboration that are enabled via the collabREate architecture.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 23+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Toorcon, CodeCon, and Shmoocon and is the author of the upcoming "The IDA Pro Book". In his spare time he heads up the Sk3wl of r00t CTF team and can be found pulling all-nighters at Defcon.

Tim Vidas is a Research Associate in the Computer Science Department at the Naval Postgraduate School (NPS). His current primary research focuses on high assurance trusted computing, but his interest also strays to digital forensics, reverse engineering, and the like. He maintains several academic affiliations and has previously spoken at conferences such as Shmoocon, CanSecWest, DC3 and HTCIA. In his free time he toys around with digital forensics competitions, CTF exercises, and any other interesting looking challenges.

A New Breed of Rootkit: The System Management Mode (SMM) Rootkit

Shawn Embleton, CTO, Clear Hat Consulting
Sherri Sparks, President, Clear Hat Consulting

Track: Root Kit Arms Race

Virtualization rootkits have been a hot topic for the past couple of years. In this talk, we will discuss a new type of malware with potentially even greater stealth: The System Management Mode (SMM) Rootkit. System Management Mode, a relatively obscure mode on Intel processors, provides an isolated memory and execution environment. SMM code is invisible to the Operating System yet retains full access to host physical memory and complete control over peripheral hardware. We will demo a proof of concept SMM rootkit that functions as a chipset level keylogger. Our rootkit hides its memory footprint, makes no changes to the host Operating System, and is capable of covertly exfiltrating sensitive data across the network while evading essentially all host based intrusion detection systems and firewalls.

Shawn Embleton is the CTO of the Florida company, Clear Hat Consulting, Inc. Shawn spoke at Black Hat in 2006 on the topic of using evolutionary computation for automated vulnerability analysis and co-authored a prototype intelligent fuzz testing tool, named Sidewinder. During 2007, Shawn co-taught the Black Hat Offensive Aspects of Rootkit Technology class with Sherri Sparks and co-founded Clear Hat Consulting, Inc. Some of his current interests include hardware virtualization and chipset level rootkit technology.

Sherri Sparks is President of the Florida company, Clear Hat Consulting, Inc. Currently, her research interests include offensive / defensive stealth code technologies and digital forensics. She has spoken at Black Hat on these topics and has taught the Black Hat Offensive Aspects of Rootkit Technology class. Her published articles have appeared in Usenix Login, ACSAC, Security Focus, and Phrack magazine. With an increasing involvement in providing consulting / training services for independent clients, she co-founded the company Clear Hat Consulting, Inc. in early 2007. Clear Hat Consulting specializes in Windows kernel and hypervisor development as it relates to stealth rootkit technology, digital forensics, and other custom software security solutions.

Encoded, Layered, and Transcoded Syntax Attacks: Threading the Needle past Web Application Security Controls

Arian Evans

Track: App Sec 1.0 / 2.0

Learn how to breathe new life into your old web application zero-day syntax attacks. Even learn how to alert(document.cookie) with new-found panache.

By properly encoding, double-encoding, and triple-encoding, or by utilizing newer, undocumented transcoding attacks, it is possible to bypass many common web application security controls to successfully exploit the target parser.

Most importantly: These attacks are being used in the wild, right now, today. Starting in February 2008 the first double-encoded, layered mass SQL injection attacks were discovered in the wild. As of May 1st they have compromised over 600,000 websites.

This presentation will discuss how these attacks work:
+ from creation
+ to exploit
+ to dependencies
+ what software they target

Finally we will demonstrate how to resolve these issues through modern software design and coding practices.

Arian Evans

Arian Evans is the Director of Operations at WhiteHat Security, leading a team of security engineers assessing over 600 production websites. Arian has worked at the forefront of Web application security for more than 10 years. His global projects include work with the Center for Internet Security, NIST, the FBI, the Secret Service, and many commercial organizations on Web application security and hacking incident-response. Arian consistently researches and discloses new attack techniques and vulnerabilities in Web application software, including commercial platforms like Cisco and Nokia. He designed the first public Web application firewalls (WAFs) with transparent anti-CSRF and anti-XSS protection (Paraegis & Razorwire PoCs in 2004 and 2005). Previously, Arian built and led the Application Security Practice at FishNet Security. Prior to FishNet Security, Arian had extensive experience building, testing, and performing forensics on ecommerce and financial services software. Arian is a frequent speaker at industry conferences including Black Hat, OWASP, RSA, and WASC events, and was also a contributing author for "Hacking Exposed: Web Applications." Arian also likes combining mountains, mistresses, martinis, and motorcycles. Especially race V-twins that go "braap".

Hacker Court 2008: Hack MyFace

Carole Fennelly, Paul Ohm, Richard Salgado, Kurt Opsahl, Jennifer Granick, Richard Thieme, Peiter Zatko, Brian Martin, Simple Nomad, Jonathan Klein, Caitlin Klein, Ryan Bulat

Track: Reception, Day 1

This year's presentation will once again feature Simple Nomad as the defendant, a "l33t" hacker who frequently posts to a blog run by a journalist who investigates cases of identity theft and exposure of personal information. On one particular thread, our defendant claimed to have a zero-day exploit that could break through any social networking site. He is challenged by an undercover Federal Agent, going by the handle of "Mudge" to put up or shut up by demonstrating the exploit on a social networking site owned by Mudge known as "MyFace."

In actuality, the MyFace "site" is a honeynet Virtual Machine (VM) that is on a VM server that hosts about a dozen honeynets for other cases that Mudge is not involved in. Not only does Simple Nomad break the security of the MyFace site, in a moment right out of the Matrix, he breaks out of the VM and sees all the other VMs on the server.

This is not good for Mudge.

The other undercover operations have now been compromised. Simple Nomad has downloaded a document that describes the case that each VM is assigned to. The problem is, Mudge doesn't know who Simple Nomad is in real life or how to reach him. Mudge's agency leans on the journalist to get him to disclose the IP address of the defendant. Of course, our noble journalist refuses (and promptly gets cited for contempt of court). Unfortunately, for the defendant, there are other ways to track down an online identity and the defendant is arrested and charged with two counts: unauthorized transmission of a program and unauthorized access to a computer.

Defense attorney Jennifer Granick defends Nomad on the pure legal grounds that (1) the defendant was entrapped and (2) the access was authorized because Mudge told the defendant to hack his machine. The prosecutor argues (1) this is not entrapment and (2) access was not authorized because the defendant thought it was a hack of a legitimate target and furthermore, when the defendant left the virtual machine and got into the other virtual servers, he accessed machines Agent Mudge didn't have the intent or ability to authorize.

Both sides will argue their case on August 6, 2008 at the Palace 1 ballroom during the Gala Reception of Black Hat. Who will win? That's for the audience to decide! So grab some food and drink from the Gala and join us in the Palace 1 ballroom!

Carole Fennelly

Carole Fennelly is an information security professional with over 25 years of hands-on experience in the computing technology field. Starting as a Unix System Administrator in 1981, she was drawn into the developing information security field as the commercial Internet grew. She is the author of numerous articles for IT World, SunWorld and Information Security Magazine. A frequent speaker at security conferences, such as the Black Hat Briefings, her technical background includes in-depth security and administration knowledge of UNIX operating systems. Ms. Fennelly is presently a Manager of Content and Documentation with Tenable Network Security, creators of the Nessus vulnerability scanner.

Paul Ohm

Paul Ohm joined the faculty of the CU School of Law in Spring of 2006. He specializes in the emerging field of computer crime law, as well as criminal procedure, intellectual property, and information privacy.

Prior to joining CU he worked as an Honors Program trial attorney in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. Professor Ohm is a former law clerk to Judge Betty Fletcher of the U.S. Ninth Circuit Court of Appeals and Judge Mariana Pfaelzer of the U.S. District Court for the Central District of California. He attended the UCLA School of Law where he served as Articles Editor of the UCLA Law Review and received the Benjamin Aaron and Judge Jerry Pacht prizes. Prior to law school, he worked for several years as a computer programmer and network systems administrator, and before that he earned undergraduate degrees in computer science and electrical engineering.

Richard Salgado

Richard P. Salgado is a Senior Legal Director with Yahoo! Inc., where he focuses on international privacy, security and law enforcement compliance matters. Prior to joining Yahoo!, Mr. Salgado served as Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice. As a federal prosecutor, Mr. Salgado specialized in investigating and prosecuting computer network cases, such as computer hacking, illegal computer wiretaps, denial of service attacks, malicious code and other technology-driven privacy crimes. Mr. Salgado also regularly speaks on the legal and policy implications of searching and seizing computers and electronic evidence, emerging surveillance technologies, digital evidence and related criminal conduct. Mr. Salgado is a lecturer in law at Stanford Law School, where he teaches a Computer Crime seminar; he previously served as an adjunct law professor at Georgetown University Law Center and George Mason Law School, and as a faculty member of the National Judicial College. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.

Kurt Opsahl

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal.

Jennifer Granick

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Richard Thieme

"Those seen dancing were thought insane by those who could not hear the music." - Friedrich Nietzsche

Richard Thieme has been hearing the music for a long time. His track record includes hundreds of articles, dozens of short stories, one book with four more coming, several thousand speeches, and, in a former incarnation, hundreds of original sermons.

His sci-fi short story, “Silent Emergent, Doubly Dark” was chosen for /Subtle Edens/, an anthology coming in November in London. With nearly 30 stories published in the past few years, he is looking to bring out a collection (/More Than a Dream: Stories of Flesh and the Spirit/). His video interviews for the Hexen project on art and technology are showing up on walls in European galleries. He is happily contributing to the MUFON History Project documenting the response of the government to UFO phenomena in the 1940s and 1950s. In short, he manages to stay busy.

Peiter Zatko

Mr. Peiter "Mudge" Zatko was a Senior Security Architect/Engineer at BBN from 1994 to 1998, and he rejoined BBN in 2004 as a Division Scientist focusing on research and development activities in support of DARPA and Intelligence Community projects and is now a Technical Director for BBN's National Intelligence Research and Applications division. He is an experienced and nationally known researcher. After leaving BBN he served as the CEO and Chief Scientist at LHI Technologies, was the Chief Scientist and Executive Vice President for R&D at @Stake Inc., and was the Chief Scientist at Intrusic Inc., all companies involved with network and information security. He has also served on the advisory boards of several organizations, as an R&D Subcommittee Member to the Partnership for Critical Infrastructure Protection, and as a Research Subcommittee Member to the Office of Science and Technology. Mr. Zatko has testified to the United States Senate Committee on Government Affairs as a subject matter expert in regards to Government systems, and to the House and Senate Joint Judiciary Oversight Committee as a subject matter expert on legislation regarding cyber crime. He has also been an invited special guest contributor to projects and papers for the INFOSEC Research Council. He has published papers in ACM and CORE/CQRE refereed journals, and his architecture security analysis paper was published in the Usenix Security refereed journal. He has taught an offensive cyber warfare techniques and tactics course at the Air Force Information Warfare Center, lectured on opposing forces threats and capabilities at the Army War College, lectured on future vulnerability areas of research at the Navy Post-Graduate College and at the National Security Agency, gave a lecture series at Georgetown University, was a Visiting Scientist at Carnegie Mellon University, and conducted training courses for the I4/C4 groups at NSA. Mr. Zatko is the inventor of L0phtCrack, an industry standard Microsoft password auditing tool, of AntiSniff, the world's first remote promiscuous system detector that was used across primary DoD entities, of Tempwatch, now a distributed component of Linux and BSD distributions, and of SLINT, a pioneering tool in automating source code analysis to discover security coding problems. Mr. Zatko was recognized by the National Security Council, Executive Office of the President, as a vital contributor to the success of the President's Scholarship for Service Program. He was also recognized as contributing to the CIA's critical national security mission. He is an honorary plank owner of the USS McCampbell (DDG-85).

Brian Martin

Brian Martin is an outspoken Nessus Subject Matter Expert with Tenable Network Security. With over ten years of professional security assessment experience, he has had the opportunity to provide cynical review of network and physical security for all types of businesses, government agencies and military facilities. With that experience, he now helps to develop and guide the Nessus vulnerability scanner and other Tenable products. Martin's training and articles have given people an accurate and honest picture of the dismal state of Information Security across all industries. In his spare time, he is the content manager for the Open Source Vulnerability Database and a champion of small misunderstood creatures.

Jonathan Klein

Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan and with private attorneys, discovering there is more to being a technical witness than purely technical knowledge.

Simple Nomad

Simple Nomad is a security researcher and architect, which means he is a hacker who got a job. He speaks on security and privacy topics at conferences around the globe, as well as entertaining the press via interviews in television, print, and online mediums. In addition to being one of the most attractive hackers on the planet, he did not write his own bio. Really. Seriously. Ok...fine, I did. So sue me.

Caitlin Klein

Caitlin is a student with interests in gaming, computers, horse riding, dance, more gaming and lots of coffee…

Ryan Bulat

Ryan Bulat used to major in Computer Science until he decided that he much preferred writing…or psychology….or law….

Passive and Active Leakage of Secret Data from Non Networked Computer

Eric Filiol


This talk addresses the issue of stealing data from computers or systems that are never or almost never connected to any network, due to their critical status. The security target assumes that the attacker may have a very limited direct (physical) or indirect access (through any innocent user) to the computer, for a very small amount of time and only at the initial part of his attack. His problem is to collect data from the computer he manages to compromise (active attack) or which has been identified as containing some exploitable weakness, but without using any network connection (including wireless -- WiFi, Bluetooth... -- communication protocols).

In this talk we are going to recall the very few open existing techniques and then present some new approaches that we designed in our lab, based on mathematical signal processing. We will demo our new technique.

Eric Filiol

Eric is the Head Scientist Officer of the Operational Cryptology and Operational Computer Virology Lab at the French Army Signals Academy in Rennes and at the ESIEA Engineer Academy in Laval, France. He holds a PhD in Applied Mathematics and Computer Science, a Habilitation Thesis in computer science, as well as an engineering diploma in cryptology. His main research interests are operational cryptanalysis of symmetric cryptosystems, and malware modelization.

Threats to the 2008 Presidential Election (and more)

Oliver Friedrichs, Director, Emerging Technologies in Symantec Security Response

Track: App Sec 1.0 / 2.0

While we first saw the Internet used extensively during the 2004 Presidential election, its use in future presidential elections will clearly overshadow it. This session focuses on the 2008 presidential election in order to demonstrate the risks involved, however our findings may just as well apply to any future election.

It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively communicate their positions, rally supporters, and seek to sway critics. These risks include among others the dissemination of misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving the diversion of online campaign donations have the potential to threaten voters' faith in our electoral system.

We will show that many of the same risks that we have grown accustomed to on the Internet can also manifest themselves when applied to the election process. A number of past studies have discussed a broad spectrum of election fraud such as the casting of fraudulent votes and the security, risks, and challenges of electronic voting. Our discussion will focus exclusively on Internet-borne threats, and how they have the potential to impact the election process leading up to voting day.

We will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become.

Secondly, we will discuss the potential impact of phishing on an election.

Thirdly, we will discuss the impact of security risks and malicious code, and the potential for misinformation that may present itself using any of these vectors. This set of risks crosses technical, social, and psychological boundaries. While traditional forms of malicious code certainly play an important role, social engineering and deception provide equal potential and have a more ominous psychological impact on voters who are exercising their right to elect their next president, or cast their vote in any other type of election.

This session consists of a combination of active research conducted by the presenter as well as discussion on how current threats may be customized. In order to determine the impact of typo squatting and domain name speculation for example, we performed an analysis of 2008 presidential election candidate web sites and discovered numerous examples of abuse.

Oliver Friedrichs is the Director of Emerging Technologies in Symantec Security Response, the organization responsible for the delivery of AntiVirus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs served as co-founder and Director of Engineering at SecurityFocus until the company’s acquisition by Symantec in 2002. At SecurityFocus Mr. Friedrichs managed the development of the industry’s first early warning technology for Internet attacks, the DeepSight Threat Management System. Mr. Friedrichs also created and grew the DeepSight Threat Analyst team providing thorough analysis of emerging Internet threats. Prior to SecurityFocus, he served as co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. At Secure Networks, Friedrichs architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner by Network Associates. At Network Associates Mr. Friedrichs also founded COVERT (Computer Vulnerability Exploitation Research Team) with the exclusive goal of researching and discovering new security vulnerabilities. Mr. Friedrichs also architected and developed a prototype of the industry’s first commercial penetration testing product, codenamed SNIPER. The technology was acquired by Core Security Technologies in 2001 and further developed to become CORE IMPACT, the company's flagship product and market leader for automated penetration testing. Mr. Friedrichs has over 15 years of expertise in security technologies, including network assessment, intrusion detection systems, firewalls, penetration testing, and honeypots. As a frequent speaker, he has shared his expertise with many organizations, including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.

Taking the Hype Out of Hypervisors

Tal Garfinkel

Track: Virtualization

The adoption of virtual machine technology is one of the most dramatic changes to enterprise computing in the last decade, and unsurprisingly these changes have substantial implications for system security. Unfortunately, much of the current debate around virtual machine security focuses on issues that are either intractable, such as the probability of virtual machine escapes, trivial, such as discrepancies between current virtual and real network gear, or red herrings, such as virtual machine based rootkits.

This talk offers an antidote for the current state of affairs. To begin, I help put these previous points of debate into perspective. Next, I move on to explore more fundamental changes brought on by the move to virtualization such as rapid scaling and increased diversity, increased mobility, loss of machine identity and problems of accountability, discrepancies between real and virtual time, and how these changes have created new operational challenges as well as posing difficulties for existing security architectures. Finally, I discuss what virtual infrastructure vendors and security technology developers need to do to cope with these challenges.

Tal Garfinkel

Tal Garfinkel has been working on system security research for the past 10 years. His work has appeared in many of the world's top academic conferences, and has seen commercial adoption by VMware and others. Offensive techniques developed in his work have been used to break practical systems such as Systrace and Bitlocker. Tal is a recognized authority on virtual machine security, and in addition to his own work, has served on numerous program committees and panels, as well as being a founder of the Usenix Workshop on Offensive Technology (WOOT). Tal has consulted for VMware on and off since 2003, and is currently employed as a researcher in VMware's Advanced Development group. He is also working on completing a PhD at Stanford University, where his thesis focuses on novel applications of virtual machine based technology to security. He holds a bachelor's degree with honors from the University of California at Berkeley.

Side-channel Timing Attacks on MSP430 Microcontroller Firmware

Travis Goodspeed

Track: Hardware

The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. It may be programmed by JTAG, Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM.

By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled by setting a value in flash memory. When enabled, the BSL is protected by a 32-byte password. If these access controls are circumvented, a device's firmware may be extracted or replaced.

After a thorough introduction, this talk will discuss in excruciating detail the results of an effort to reverse engineer the BSL code. Once the BSL's function has been covered, a timing attack will be discussed which might be used to guess the password without brute force under certain conditions.

Travis Goodspeed

Travis Goodspeed works at the Extreme Measurement Communications Center of the DOE Oak Ridge National Laboratory. He has spoken at ToorCon 9 and the Texas Instruments Developer Conference regarding stack overflow exploits for MSP430-based Wireless Sensor Networks. Having demonstrated that such attacks are possible, his present research is aimed at porting defense techniques, such as ASLR and code-auditing, to this platform.

Get Rich or Die Trying - "Making Money on The Web, The Black Hat Way"

Jeremiah Grossman, Arian Evans

Track: Web 2.0

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trading stock using corporate information passively gleaned, inhibiting the online purchase of sought after items to create artificial scarcity, and so much more. Activities that are not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the ones staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) that we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.

Jeremiah Grossman

Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at major industry events around the globe, a Black Hat veteran, and has been invited to present at a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

Arian Evans

Hacking and Injecting Federal Trojans

Lukas Grunwald

Track: Forensics & Anti Forensics

Remote Forensic Software or "offensive security" is the new trend in law enforcement and the fight against terrorism.

The topic is known in Germany as "Federal Trojan". This talk will give an introduction to the needs and problems of classic lawful interception and of new remote methods. The problem of poisoning of evidence after a "Trojan" attack by law enforcement, as well as new attack vectors for bad guys, is discussed.

This talk will give a demonstration of an "infection proxy" which shows how malware can be injected on the fly while software is being downloaded, how commercial security solutions like virus scanners and anti-malware tools are bypassed, and how effective Trojan attacks could be if your ISP is helping law enforcement. Methods for anti-remote-forensics are handled as well. Methods of detecting infection proxies and other lawful interception methods are shown.

Lukas Grunwald

Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally acting consulting firm working mainly in the field of security solutions for enterprises and federal governments in Europe and Asia. He is also the head of the Hacking Lab where new technology is evaluated. Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively at several conferences all over the world. Mr. Grunwald is co-author of RFDump, an RFID attack and audit tool that is free software and got some attention for the first live clone of and attack on the ePassport at BlackHat.

Decompilers and Beyond

Ilfak Guilfanov


Disassemblers are routinely used for reverse engineering but their inherent limitations make them ineffective for modern large applications. In order to cope with the volume and complexity, we have to switch to the next level of binary code analysis: decompilation.

In this presentation we will discuss the process of decompiler construction, the encountered problems and solutions. Our slides will show the decompilation process step by step.

Decompilers open the way to new tools and analysis methods; we will also briefly discuss them.

Ilfak Guilfanov

Mr. Guilfanov, the founder and CEO of Hex-Rays SA, holds a BSc in Mathematics from Moscow State University. He is the senior architect of several highly regarded software packages including the widely used IDA Pro, a multi-platform, multi-processor disassembler and debugger. Mr. Guilfanov is also known for having released, on 31 Dec 2005, a highly publicized unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system.

Got Citrix, Hack It!

Shanit Gupta

Track: Turbo Talks

Citrix is a widely used remote desktop application utilized in many major corporations around the world. In addition to offering the typical benefits of RDP and Microsoft terminal services, it is capable of sandboxing and restricting the applications that can be executed by the user. Unfortunately, the Citrix environment can often introduce a false sense of security within organizations. There are several ways to circumvent security controls within the Citrix framework and many system administrators are not aware of these attacks. During this presentation, we’ll demonstrate ways in which to compromise the Citrix environment using multiple attack vectors. Then we’ll show you the corresponding remediation strategies.

Shanit Gupta

Shanit is a Senior Security Consultant at Foundstone. Shanit is responsible for creating and delivering the threat modeling, code review, and application security service lines. Shanit is also responsible for the design, development, and release of the free tools by Foundstone. Shanit has strong computer science fundamentals and software development experience on UNIX and Windows. Prior to joining Foundstone, Shanit was involved in developing real-time operating systems and a survivable prototype of the Kerberos authentication service at Carnegie Mellon. Shanit also worked at Alcoa, Inc., as a software developer, building critical internal applications. Shanit has diverse experience in a number of areas of software development and security. In the last 4 years at Foundstone, Shanit has reviewed custom operating system kernels, device drivers, virtualization environments, and large complex trading infrastructures.

Attacking the Vista Heap

Ben Hawkes

Track: 0-Day

This presentation explores the cutting edge of heap exploitation theory and practice on Windows Vista. The focus is on finding previously unknown attack vectors resulting from memory corruption on the heap. These include techniques for controlling execution flow by attacking only the heap implementation and not the application itself, and techniques for attacking the application in conjunction with the heap. Additionally, several design changes to further improve the security of the Vista heap will be suggested.

The heap is the userland component in charge of dynamic memory management. It is present and used to some extent in every Windows Vista process. Memory corruption on the heap (heap overflow) is common, seen in nearly every application and making up a large portion of reported vulnerabilities. With Windows Vista, Microsoft introduced several security features to the heap, effectively hardening it from classic heap overflow exploit techniques.

Ben Hawkes

Ben Hawkes is an independent researcher from New Zealand specializing in computer security and cryptanalysis. He is studying mathematics and computer science at Victoria University of Wellington, New Zealand.

The Four Horsemen of the Virtualization Security Apocalypse

Christofer Hoff

Track: Virtualization

Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments.

This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh!

This talk will focus on both securing virtualization as well as virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VMs, we'll explore the real issues that exist today as well as those that are coming that aren't being discussed or planned for.

Christofer Hoff

Chris Hoff is currently Unisys' Chief Security Architect. Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems' chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy. Hoff obviously also enjoys referencing himself in the third person.

Circumventing Automated JavaScript Analysis Tools

Billy Hoffman


JavaScript is fast becoming the vehicle of choice for malware authors. Over the last 3 years we’ve seen how attackers can use vanilla JavaScript to create powerful payloads such as intranet port scanning and hijacking, information theft, and even full web security assessments and SQL injection attacks. Even traditional browser or operating system attacks are being delivered to victims through the browser encased inside a JavaScript packed IFrame. Obfuscated JavaScript payloads are the norm thanks to malware frameworks like MPACK. With so many security threats being launched through JavaScript it is crucial to explore the capabilities of the tools researchers have to analyze malicious JavaScript as well as countermeasures that can be taken against them.

In this presentation we will explore the tit-for-tat battle between malicious JavaScript authors and security researchers. We will look at the current tricks and techniques used to protect malicious JavaScript from analysis, such as dynamic encoding (JS/Wonka), deliberate tool breaks (, etc), unmodifiable functions, and network nonces. We will then see how researcher tools such as CaffineMoney and Decrypt JS attempt to defeat these current tricks and analyze basic obfuscated JavaScript.

Next we explore multiple new techniques to circumvent the current generation of automated analysis tools by detecting their presence from inside malicious JavaScript. (JSPill? hmmmm) These methods include HTTP/browser fingerprinting, DOM testing and encrypting, domain and network testing, execution environment testing, and cross plugin communication testing. We will demonstrate malicious JavaScript detecting analysis tools using these methods and refusing to give up its secrets until it's running in the web browser of choice. We’ll demonstrate encrypting JavaScript to only run in particular browsers or environments. We’ll also demonstrate a couple of other tricks, such as encoding malicious JavaScript as nothing but white space, and function clobbering for fun and profit.

Finally we discuss countermeasures to the countermeasures, and offer feature ideas and advice for researchers developing the 3rd generation of automated JavaScript analysis tools.

Billy Hoffman

Billy Hoffman is the manager for HP Security Labs of HP Software where he leads research focused on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and web crawling technologies. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Billy is a regular presenter at hacker conferences including Toorcon, Shmoocon, Phreaknic, Summercon, and Outerz0ne and is active in the South East hacking scene. Occasionally the suits make him take off the black t-shirt and he speaks at more mainstream security events including RSA, Infosec, AJAXWorld, and Black Hat. Billy is also the author of the book Ajax Security published by Addison Wesley in December 2007.

Protecting Vulnerable Applications with IIS7

Brian Holyfield

Track: Turbo Talks

With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.

Following this presentation, the module will be available for free download and use.

Brian Holyfield

Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the realm of information security for over 9 years, and has extensive security testing and consulting experience. Brian was also a contributing author for “Network Security Tools” (O'Reilly, 2005), where he outlined how to build an automated vulnerability detection and exploit scanner for web-based applications.

Metamorphic / Polymorphic Malware DNA

Chet Hosmer

Track: Turbo Talks

Malware impacts on digital investigations go far beyond the Trojan horse defense as the proliferation of stealthy polymorphic and metamorphic malware continues to evolve. Digital investigators must understand the subtle nuances of sophisticated threats in order to solve sophisticated digital crimes. Traditional forensic investigation methods fall short in providing investigators vital information regarding the signature, behavior, remnants or characteristics of metamorphic/polymorphic malware.

This presentation and accompanying paper quantifies the impact of polymorphic and metamorphic threats on the digital investigator and explores non-traditional approaches to investigation. The paper provides a DNA Taxonomy approach for examining and discovering characteristics (live and postmortem) exhibited by these advanced threats.

Chet Hosmer

Virtually Secure

Oded Horovitz

Track: Virtualization

Virtualization is a disruptive technology in the data-center which opens the path for new solutions for old problems.

Specifically, virtualization allows the isolation of a particular workload (an application within a VM) from the underlying hardware, and enables the creation of software services which can run independent of the original workload.

The presentation will focus on the capabilities of security applications running as services of the hypervisor: how these new services compare with existing security agents which run inside virtual machines, and what the possible future of workload security in a virtual data-center is.

Oded Horovitz

I am currently part of the VMware engineering organization as an architect for the VMsafe program. Being fascinated with building defense systems for the past 10 years, I have been enjoying the opportunity to unleash the possibilities of hypervisor based defense capabilities. Prior to VMware, I had been working as an architect for Entercept, now known as McAfee HIPS following Entercept's acquisition back in early 2005. Having the opportunity of being part of the pioneering group for host-based-intrusion-prevention systems, I was lucky enough to learn anything there is to learn about vulnerabilities and exploitation (yes, I'm referring mostly to the good old-school overflow attacks and such, with all due respect to the XSS generation) and have shared some of my findings with the security community. My most popular publication was the work done with Matt Conover about the possibilities of reliable exploitation of Windows heap overflows.

Pointers and Handles, A Story Of Unchecked Assumptions In The Windows Kernel

Alex Ionescu

Track: 0-Day

This presentation will discuss several vulnerabilities in Win32k.sys, the Windows NT kernel-mode library responsible for the Windows GUI Subsystem, ranging from privileged-path denial-of-service attacks due to bad assumptions regarding the validity of pointers before they are dereferenced, to the more dangerous unprivileged attacks, which leave any Windows NT-based operating system vulnerable to a local denial-of-service attack from a user with logon privileges (including a guest account).

First, a couple of unchecked pointer dereferences will be exposed, caused by a typical programming bug of assuming the occurrence of a certain initialization stage, which actually may not have actually occurred (either by design, or due to timing). These kinds of bugs are amplified when the code makes assumptions due to the undocumented nature of the interface, and uses this assumption in lieu of pointer validation.

The second programming error that will be exposed is a combination of incorrect trust of user-mode accessible handles, especially non-privileged access, and incorrect usage of Nt versus Zw APIs when dealing with user-mode data. The kernel mechanism of “protect from close” handles will be explained, as well as how it can be used to attack Win32k.sys.

This second part will be the most focused part of the presentation, since it is a pretty new kind of vulnerability that has been overlooked until now, mostly because it typically only allows DoS or information leaks -- in today's Terminal Services/Multi-User world however, it simply cannot continue to be ignored.

Alex Ionescu

Alex Ionescu's experience in OS design and kernel coding dates back to his early adolescence, when he first played with John Fine's educational OS, Kernel, and Boot Loader code. Since then, he has been active in the area of NT kernel development, offering help and advice for driver developers, as well as in the NT reverse engineering and security field, where he has published a number of articles and source code, such as documentation for the Linux NTFS project, extensive papers on the Visual Basic Metadata and Pseudo-code format, and NTFS Structures and Data Streams. During the last 3 years, he has been working on the ReactOS project as the lead kernel developer, responsible for writing most of its Windows Server 2003-based kernel. In the past year, he has been contracted to be the principal writer of the updated content in the 5th Edition of the Windows Internals book series, and he is also an instructor for David Solomon Expert Seminars, a well-known seminar company owned by David Solomon, co-author of the Windows Internals books. Alex speaks at technical conferences including Recon 2006, where he gave a talk about a new NT Kernel exploit that allowed a user to access kernel memory from user-mode, and BlackHat 2008, where he will be presenting four new Windows kernel exploits. In his spare time, he publishes tools and articles on his blog,

Black Ops 2008 -- Its The End Of The Cache As We Know It

Dan Kaminsky

Track: The Network

DNS is at the heart of every network -- when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct -- but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.

Dan Kaminsky

Dan Kaminsky is a long time speaker at the Black Hat Briefings, delivering now his ninth talk. Dan has spent his entire career with Fortune 500 companies, having spent two years at Cisco, another two at Avaya, and most recently consulting at Microsoft. His research focuses on design characteristics of complex systems -- making old systems do new things, and lately, breaking new things in old ways. The Director of Penetration Testing for IOActive, Dan is based in Seattle.

Vista and ActiveX Controls

Su Yong Kim

Track: Turbo Talks

This presentation will address the differences in ActiveX control vulnerabilities between Vista and XP. Internet Explorer is more secure on Vista due to UAC (User Account Control) and protected mode. However, ActiveX control vulnerabilities on Vista have nearly the same effect as those on XP. The reason for this is that ActiveX controls for Vista have been developed with a focus on compatibility rather than on security. Vista needs additional techniques to successfully exploit file/registry write vulnerabilities, process execution vulnerabilities, and buffer overflow vulnerabilities. In this presentation, these techniques will be addressed in detail.

There is a common mistake that developers are liable to make with Vista. Developers sometimes install program files in low integrity folders, because they wish to update them silently. However, program files with low integrity can be overwritten easily by malicious users. I developed a tool to identify this problem.

There are two ways developers elevate the privilege of an ActiveX control: explicit or implicit. Implicit privilege elevation is more dangerous, because it does not require user agreement. Implicit privilege elevation does not elevate the privilege of the ActiveX control itself but uses another higher-privileged surrogate process. If privilege-elevated ActiveX controls have a critical vulnerability, malicious users can obtain higher privilege by exploiting this vulnerability. Therefore, the developer should not overuse implicit privilege elevation when writing a secure ActiveX control. Analyzers should take implicit privilege elevation of ActiveX controls into consideration when they inspect ActiveX controls on Vista.

Su Yong Kim

Su Yong Kim is a senior member of the engineering staff in the attached institute of ETRI. His research focuses on finding vulnerabilities in software, especially ActiveX control. He developed YMFAC to manually inspect ActiveX control. He presented his paper about ActiveX control security at the CanSecWest 2007 conference.

New Classes of Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices

Tadayoshi Kohno, Kevin Fu


Medical devices are becoming more sophisticated and wireless. We recently published an academic paper titled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses." In this paper we describe experiments with a real, common implantable defibrillator and show that risks are real, albeit small today. Using our own equipment, we are able to extract private information stored on the implantable defibrillator, change its settings, and even make it issue an electric shock. (We stress that patients should not be concerned about our current results, but that the community should demand stronger security mechanisms in future devices.)

Previously one of us (KF) made international news by exposing vulnerabilities in RFID credit cards, and the other of us (TK) was the first to publicly study the security of the Diebold electronic voting machine (in 2003). We've now turned our attention to implantable medical devices because we think that security will become increasingly important in the near future. Second, implantable medical device security is exactly the right tool to talk about how the security community will evolve -- it's no longer just about PCs and network security -- small embedded systems are now life critical.

Come to this talk and learn about the directions of implantable medical devices, the security and privacy risks that we have experimentally discovered, and our predictions for the field. And, as a bonus, learn what drives the academic security research community and why, collectively, we've dedicated our time to studying e-voting, credit cards, and implantable medical devices, and what we think the community might turn to next. And learn some principles that will help your future systems -- whether embedded, or medical, or not -- be more secure from the start.

Tadayoshi Kohno

Kohno is an Assistant Professor of Computer Science and Engineering at the University of Washington. He worked as a cryptography and computer security consultant with Bruce Schneier, back when Counterpane Systems had less than a handful of full-time cryptographers and before the days of Counterpane Internet Securities, Inc. Since then he's published security analyses of technologies as varied as electronic voting machines, implantable wireless defibrillators, file encryption systems, popular consumer devices, and ISP ad injectors. Kohno has a Ph.D. in Computer Science (cryptography) from the University of California at San Diego.

Kevin Fu

Dr. Kevin Fu, PhD, is an assistant professor in the Department of Computer Science at the University of Massachusetts Amherst. He serves as the principal investigator of the RFID Consortium on Security and Privacy and the co-director of the Medical Device Security Center. Dr. Fu investigates how to ensure security and privacy for devices that must defend against malicious parties. His contributions include the security and threat model analysis of several systems ranging from contactless "no swipe" credit cards and wireless medical devices to access-controlled Web sites and automated software updates. Dr. Fu's research has led to improvements in security and privacy of pervasive devices, promoting the vision of safer and more effective technology for consumers. Dr. Fu received his Ph.D. in Electrical Engineering and Computer Science at the Massachusetts Institute of Technology. He has served on numerous program committees of prestigious conferences in computer security and cryptography, and has given dozens of invited talks world-wide to industry, government, and academia on the topic of security and privacy. His research has appeared in The New York Times and The Wall Street Journal.

Jinx - Malware 2.0

Itzik Kotler, Jonathan Rom

Track: Bots & Malware

Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life: malware that is OS and architecture independent, as covert as a cutting edge rootkit, but at the same time implemented through a series of APIs and a generous variety of high-level OOP languages that simplify the task.

Itzik Kotler

Itzik Kotler is Radware's Security Operation Center Team's Leader. He manages a team of researchers that follows him into exciting adventures in the dark world of networking, where every standard and rule can be bent and vulnerabilities are lurking on every bit and byte. Radware SOC is a vulnerability research center that develops updated signatures and new techniques to defend known and undisclosed application vulnerabilities. Prior to joining Radware, Itzik held a number of security research positions and served in an Elite Intelligence unit in the Israeli Defense Force (IDF).

Jonathan Rom

Jonathan Rom is currently a Security Researcher at Radware, Inc. where he focuses on protocol analysis and anomalies. Jonathan has worked as a UNIX/Security counselor for both government and private sectors and has over 10 years of experience. He has a bachelor's degree in computer science from the Interdisciplinary Center in Herzelia.

Mobile Phone Messaging Anti-Forensics

Zane Lackey, Senior Security Consultant, iSEC Partners

Luis Miras, Independent Security Researcher

Track: Forensics

With the increased use of SMS, performing forensics on seized mobile phones to retrieve text and multimedia messages is rapidly becoming a critical investigative requirement. As with other areas of forensics, the mobile phone forensics toolkits available today are not perfect. This talk will seek to inform the audience of various attacks we have discovered against mobile phone forensics software that allow attackers to avoid detection. Additionally, during this talk we will release and demonstrate a tool for sending and receiving covert SMS messages. Finally, we will release SMS fuzzing tools to allow vendors and users of mobile phone forensics software to test the reliability of the tools they rely upon.

Zane Lackey is a Senior Security Consultant with iSEC Partners—a strategic digital security organization. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes AJAX web applications, VoIP, and mobile phone security. Zane has spoken at top security conferences including BlackHat, Toorcon, MEITSEC, and the iSEC Open Forum. Additionally, he is a co-author of "Hacking Exposed: Web 2.0" (McGraw-Hill/December 2007) and contributing author of "Hacking VoIP" (No Starch Press/Fall 2008). Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop.

Luis Miras is an independent security researcher. He has worked for both security product vendors and leading consulting firms. His interests include vulnerability research, binary analysis, and hardware/software reverse engineering. In the past he has worked in digital design, and embedded programming. He has presented at CanSecWest, Black Hat, CCC Congress, XCon, REcon, Defcon, and other conferences world-wide. Recently Luis co-authored "Reverse Engineering Code with IDA Pro" (Syngress/2008). When he isn't head down in IDA or a circuit board, you will likely find him boarding down some sweet powder.

Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation

Eric Laspe

Track: Turbo Talks

The Deobfuscator is an IDA Pro plug-in that neutralizes anti-disassembly code and transforms obfuscated code to simplified code in the actual binary. This plug-in uses emulation techniques to remove obfuscated code and replace it with a simplified, transformed equivalent. It can be used alone to modify an IDA Pro database for static analysis, or in conjunction with a binary injector to ease dynamic analysis.

We developed this tool in assessing strengths of protections and malware analysis for DoD government entities and commercial companies. Since its inception, the Deobfuscator has proven to reduce analysis tasks that previously took days into ones that take mere minutes.

Eric Laspe

Eric Laspe has worked at Riverside Research Institute for two years. Since joining their Red Team in 2006, he has broken software protections for commercial entities, reverse engineered malware, and worked with the Team developing a variety of innovative RE tools. Eric has a B.S. in Computer Engineering from Wright State University, and has co-authored IEEE papers on binary obfuscation removal and specialized debugging tools.

Highway to Hell: Hacking Toll Systems

Nate Lawson, Founder, Root Labs

Track: OTA

Toll payment systems, such as FasTrak and E-ZPass, promise quick travel and more revenue for the state. While privacy issues with such systems have been discussed in general, little is known about their actual implementation and security. We reverse-engineered the RFID internals and analyzed the protocol to find out just what's going on inside. We'll explain the low-level details we found, the problems, and possible ways to build a safer and more secure system.

Nate Lawson, founder of Root Labs, assists companies with the design of embedded, platform, and cryptographic security. At Cryptography Research, Nate co-developed the Blu-ray content protection layer known as BD+. He is also the original developer of IBM/ISS RealSecure. Powered by home-roasted coffee, Nate spends his spare time contributing to the FreeBSD (ACPI/power management, SCSI) and C64 Preservation open-source projects.

Bluetooth v2.1 - a New Security Infrastructure and New Vulnerabilities

Andrew Lindell

Track: OTA

The Bluetooth protocol for close-range wireless communication has been a huge success. It is a widely adopted standard and is used for a wide range of devices, from cellphones to PDAs to laptops and more. Due to its ubiquity and importance, its security has become a critical issue. In the new version 2.1 released in July 2007, a complete overhaul of the pairing procedure was carried out with the express aim of making it more secure. In this paper we show that the Bluetooth pairing protocol in passkey entry mode completely leaks the password. In addition, we show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long. Our attacks demonstrate that passkey entry mode can only be used safely with a different random password each time. Unfortunately this is not possible for devices that use a fixed password (like many hands-free car kits). In addition, due to human behavior, this is unlikely to be the case when the user enters the password into two devices in order to pair them. Thus, devices that leave it to the user to enter a password (instead of randomly generating it on one of the devices) will be vulnerable to attack.

Andrew Lindell

Andrew Lindell is the Chief Cryptographer at Aladdin Knowledge Systems and an Assistant Professor at Bar-Ilan University in Israel. Andrew attained a Ph.D. at the Weizmann Institute of Science in 2002 and spent two years at the IBM T.J.Watson research lab as a Postdoctoral fellow in the cryptography research group. Andrew has carried out extensive research in cryptography, and has published more than 50 conference and journal publications, as well as an undergraduate textbook on cryptography and a book detailing secure protocols. Andrew has presented at numerous international conferences, workshops and university seminars, and has served on program committees for top international conferences in cryptography. In addition to Andrew's notable academic experience, he joined Aladdin Knowledge Systems in 2004. In his position as Chief Cryptographer, he has worked on the cryptographic and security issues that arise in the design and construction of authentication schemes, smartcard applications, software protection schemes and more. Offering a unique combination of academic and industry experience, Andrew brings a fresh and insightful perspective on many of the crucial security issues that arise today.

Developments in Cisco IOS Forensics

Felix Lindner, Head of Recurity Labs

Track: Forensics

Attacks on network infrastructure are not a new field. However, the increasing default protections in common operating systems, platforms and development environments increase interest in the less protected infrastructure sector. Today, performing in-depth crash analysis or digital forensics is almost impossible on the most widely used routing platform.

This talk will show new developments in this sector and how a slightly adjusted network infrastructure configuration, together with new tools, finally allows one to separate crashed, attacked and backdoored routers from each other. We walk through the known types of backdoors and shellcodes for IOS as well as their detection and the challenges in doing so.

Felix "FX" Lindner runs Recurity Labs. FX has over 10 years experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments. FX is well known in the computer security community and has presented his and Phenoelit's security research on Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.

Oracle Forensics by David Litchfield

Track: Forensics & Anti Forensics


The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation

Nathan McFeters, John Heasman, Rob Carter

Track: App Sec 1.0 / 2.0

The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browser flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged directly to compromise the host… by design?

Rewind a few years, and the client-side landscape was somewhat different: research was focused on exploiting the complex interactions between components exposed by the browser. The security of the whole was defined as the sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything accessible via a protocol handler. These types of attack gave way to direct browser flaws... after all, why carry out a multi-stage attack when you could trigger straight code execution? Fast forward to 2008: browser flaws are not going away in the foreseeable future, but they are on the decline, and in a world of stack cookies, non-executable stacks and ASLR they are becoming increasingly hard to exploit. Which takes us back to the complexity issues. They never went away. In fact the situation has gotten worse, spurred by the development of offline solutions such as Google Gears and Adobe AIR, the plethora of protocol handlers and an explosion of browser helper objects.

This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. Combined with a rapidly increasing corporate interest in "outsourcing" applications to the browser, this fast-paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?

This is NOT another talk focused on XSS or CSRF, it's about issues and vulnerability classes that have not been discussed anywhere else. You get all of this from some legit, good looking security researchers, what more could you ask for?

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center (ASC) and is currently serving in a Security Evangelist role for the ASC based out of Chicago, IL. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. Prior to taking the position with Ernst & Young, Nathan paid his way through undergraduate and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities, a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area. Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.

John Heasman

John Heasman is the VP of Research for the US arm of NGSSoftware, a UK-based company with offices in Seattle. NGS carries out sophisticated security assessments for the world's leading software vendors and financial institutions. Heasman is a prolific security researcher having published numerous advisories in enterprise level software including Microsoft Windows, Exchange, Outlook, OpenOffice, PostgreSQL, Apple QuickTime, RealNetworks RealPlayer and Sun Microsystem's Java. He has a strong interest in database security and co-authored The Database Hacker's Handbook (Wiley, 2005) and The Shellcoder's Handbook, 2nd Edition (Wiley, 2007). He is a regular speaker at international security conferences and has presented at Black Hat, Defcon, LayerOne, OWASP AppSec and the Computer Enterprise Incident Conference on a variety of topics ranging from firmware rootkit implementations to browser-based attacks. He maintains a vulnerability research blog at

Rob Carter

Rob Carter is a Security Advisor for Ernst & Young's Advanced Security Center in Houston, TX. He has performed web application, internet, intranet, social engineering and wireless penetration tests for EY's Fortune 500 clients. Rob's primary area of interest is in web application security research and tool development. He has an undergraduate degree from Western Michigan University in Computer Science.

Braving the Cold: New Methods for Preventing Cold Boot Attacks on Encryption Keys

Patrick McGregor

Track: 0-Day Defense

We can prevent Cold Boot attacks. We present a new set of software-driven techniques for protecting cryptographic keys in various encryption systems. These software techniques do not involve the use of any specialized hardware or encryption chips. Instead, the techniques utilize specialized cryptographic transformations, memory system and operating system operations, and certain architectural features of general-purpose processors such as Pentiums. The methods can defend against Cold Boot attacks on machines that have been shut off, on machines in hibernate and sleep modes, and even on machines in screen lock mode.

Patrick McGregor

CEO Patrick McGregor is a founder of BitArmor. Since 2003, he has led the company's financing, operations, and technical initiatives. Dr. McGregor holds a Ph.D. from Princeton University in computer engineering, an M.A. from Princeton University in computer engineering, and both an M.S. and a B.S. from Carnegie Mellon University in electrical and computer engineering. He is an expert in computer security and computer architecture, and he has authored and presented many research papers for refereed conference and journal publications. Dr. McGregor has also filed for several pending patents involving cryptography and security software. His experience includes technical positions at Hewlett Packard Laboratories and several other software companies. A sought-after speaker, Dr. McGregor has presented at numerous industry events, including the RSA Conference in 2008, and has given guest lectures at his alma mater, Carnegie Mellon. His security research has been cited in national publications including The New York Times and was most recently referenced in the Princeton University research report on Cold Boot Attacks.

Pushing the Camel through the Eye of a Needle
Haroon Meer, Marco Slaviero

Track: Web 2.0

In 2007 SensePost demonstrated how DNS and timing attacks could be used for a variety of attacks. This year we take those attacks further and show how small footholds in a target network can be converted into portals we can (and do) drive trucks through! With some updated SensePost tools, and some brand new ones, we will demonstrate how to convert your simple SQL Injection attacks (against well hardened environments) into point and click (well, type and click) ownage, how the framework management pages you never knew you had can double as our network proxies, and why, despite all of the hype around SQL Server 2005, we still enjoy finding it behind vulnerable web applications. The talk is fairly technical and expects that the attendees understand the basics of Web Application and Web Browser based attacks. Attendees will leave with new attack vectors, a couple of new tools and some thoughts on future directions of these attacks.

Haroon Meer is the Technical Director of SensePost. He joined SensePost in 2001 and has not slept since his early childhood. He has co-authored several technical books on Information Security and has spoken and trained at conferences around the world. He has played in most aspects of IT Security from development to deployment and currently gets his kicks from reverse engineering, application assessments and similar forms of pain.

Marco Slaviero is a SensePost Associate and finds long bios amusing.

Meet the Feds 2008

Panel Discussion

Join some of the longest running cybercops in a reality session not made for TV. Hang out on the front lines to learn about the most sophisticated attacks happening so far this year. We don't expect to win an Emmy, but we might get a Pwnie. This year we will have so many feds representing their federal agencies that we will break it up into two separate panels of an hour each:

IA Panel: Information assurance, CERTS, first responder’s organizations from agencies

LE Panel: Law enforcement, counterintelligence agencies

Each agency rep makes an opening statement regarding their agency's role, then opens it up to the audience for questions. Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS US-CERT, DoJ, National White Collar Crime Center (NW3C), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University.

Panel Discussion

  • Jim Christy - DC3
  • Mike Convertino - AFCC
  • Cynthia Cuddihy - RCMP
  • James Finch - FBI
  • Barry Grundy - NASA
  • David Helfen - NCIS
  • Bob Hopper - NW3C
  • Ray Kessenich - DCITA
  • Tim Kosiba - NSA
  • Mischel Kwon - USCERT
  • Rich Marshall - NSA
  • Marc Moreau - RCMP
  • Tom Pownall - RCMP
  • Ken Privette - USPS IG
  • Linn Wells - NDU

SA (Ret) Jim Christy

Supervisory Special Agent Jim Christy, is the Director of the Defense Cyber Crime Futures Exploration Directorate, Defense Cyber Crime Center (DC3). FX is responsible for informing and educating members of the other Department of Defense organizations, federal agencies, state and local law enforcement, international partners, the private sector, and academic institutions on the mission and activities of all DC3 programs. SA Christy is a retired Air Force Office of Special Investigations Computer Crime Investigator. SA Christy was an AFOSI computer crime investigator for over 18 years.

In Oct 03, the Association of Information Technology Professionals awarded SA Christy the 2003 Distinguished Information Science Award for his outstanding contribution through distinguished services in the field of information management. Previous recipients of this prestigious award include Adm. Grace Hopper, Gene Amdahl, H. Ross Perot, LtGen. Emmett Paige, Bill Gates, Lawrence Ellison, David Packard and Mitch Kapor.

From 17 Sep 01 – 1 Nov 03 SA Christy was the Director of Operations, Defense Computer Forensics Lab, DC3. As the Dir of Ops for the DCFL he managed four sections with over 40 computer forensic examiners that supported Major Crimes & Safety, Counterintelligence and Counterterrorism, as well as Intrusions and Information Assurance cases for the Department of Defense.

From May 98 – Sep 01 Mr. Christy was assigned to the Defense-wide Information Assurance Program, Assistant Secretary of Defense for Command, Control Communications and Intelligence (ASDC3I) as the Law Enforcement & Counterintelligence Coordinator and Infrastructure Protection Liaison.

SA Christy served as the DoD Representative to the President’s Infrastructure Protection Task Force (IPTF) from Sep 96 – May 98. The President signed Executive Order, 13010 on 15 Jul 96, creating IPTF to protect the Nation’s critical infrastructure from both physical and cyber attacks.

Prior to the IPTF, SA Christy was detailed to Senator Sam Nunn’s staff on the Senate, Permanent Subcommittee on Investigations as a Congressional Fellow, Jan - Aug 96. Senator Nunn specifically requested SA Christy’s assistance for the Subcommittee to prepare for hearings in May - Jul 1996, on the vulnerability and the threat to National Information Infrastructure from cyberspace. SA Christy authored the Subcommittee’s investigative report and testified twice before the Subcommittee.

From 1986-1998, SA Christy was the Director of Computer Crime Investigations, and Information Warfare for AFOSI and established the first computer forensic lab which evolved to become the DoD Computer Forensic Lab.

In 1986, SA Christy obtained some notoriety as the original case agent in the “Hanover Hacker” case. This case involved a group of German hackers who electronically penetrated DOD computer systems all over the world and sold the information to the Soviet KGB. The case was detailed in the best seller, “The Cuckoo’s Egg”, by Dr. Cliff Stoll. The Public Broadcast system has also produced a docu-drama on this case.

In a murder investigation in 1991, the suspect cut two floppy diskettes into 23 pieces with pinking shears. No agency was able to recover any of the data until Jim and his deputy developed a technique for less than $150. Mr. Christy was able to recover 85%-95% of the data from each piece of diskette. The suspect, when confronted with the evidence, confessed, pled guilty and was sentenced to life in prison. This case was profiled on the “New Detectives” series on the Discovery Channel, 2 Jan 99.

Some of SA Christy’s notable firsts in Computer Crime Investigations:

1st civilian computer crime investigator in the U.S. Government

Colonel S. Michael Convertino II, AFCYBER

Colonel Convertino holds bachelor's and master's degrees in computer engineering, information systems management, and international security studies and has held numerous assignments supporting intelligence collection and communications operations at both the National Security Agency and the Central Intelligence Agency. He has served as a communications and information squadron commander twice, once deployed to Bosnia in support of Predator intelligence drone operations and once in-garrison leading hundreds of airmen in operating over $300 million in signals intelligence and mission-critical communications assets. He was assigned to the Joint Staff where he overhauled joint data interchange requirements and standards to focus on interoperable intelligence capabilities after 9/11. He has also served as a four-star general's Aide, responsible for planning, coordination and execution of policy statements, public speeches and congressional responses.

Special Agent Barry J. Grundy, NASA

Barry J. Grundy has worked as a Special Agent for the NASA Office of Inspector General (OIG), Computer Crimes Division (CCD) for the past seven years. He currently serves as the Resident Agent in Charge of the Eastern Region of the NASA OIG CCD, responsible for the supervision of criminal investigations related to cyber events at eight NASA Centers. Before working for the NASA OIG, SA Grundy was employed as a Special Agent for the Ohio Attorney General’s Office, Health Care Fraud Unit, where he was responsible for the computer seizure and forensic media analysis support for the unit in addition to maintaining a normal health care fraud case load.

SA Grundy has acted as an instructor for a number of federal, state, and local law enforcement training courses, including the Seized Computer Evidence Recovery Specialist (SCERS) course at the Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia, various courses at the Ohio Peace Officers Training Academy in London, Ohio and at the National Specialist Law Enforcement Centre in Wyboston, England. He has also conducted presentations at the Northeast Ohio United States Attorney’s Office Computer Crimes Conference, meetings of the High Technology Crime Investigator’s Association, and the Department of Defense Cyber Crime Conference. SA Grundy has written the Law Enforcement and Forensic Examiner’s Introduction to Linux, a Beginner’s Guide, a document distributed by many computer forensic training organizations in the United States and overseas.

Prior to his law enforcement career, Grundy served for six years in the United States Marine Corps. All of his active duty service was spent in Reconnaissance Battalions, eventually as a Recon Team Leader, Scout/Sniper, and Combat Diver.

Bob Hopper, NW3C

Mr. Hopper is Manager of the NW3C Computer Crime Section and is responsible for all aspects of management within the section, including staff assigned throughout the country. Mr. Hopper retired with nearly thirty years of service with the Arizona Department of Public Safety and thirty-seven years in Law Enforcement. Mr. Hopper’s Law Enforcement career included assignments in Narcotics, Air Smuggling, White Collar Crime, Organized Crime and Advanced Officer Training. Mr. Hopper developed and managed the Arizona Department of Public Safety Regional Computer Forensic Lab. This computer forensic lab grew from a two-man unit in 1998 to one of the most state-of-the-art computer forensic labs in the country. The DPS computer forensic lab is housed at the Arizona Counter Terror Information Center (ACTIC) in Phoenix, Arizona and continues to be a trendsetter, looked to nationally as a model for the future of the discipline. During his police career, Mr. Hopper developed entry level as well as advanced computer forensic training curricula that were taught to police officers from agencies throughout Arizona as well as police departments from around the nation.

Mr. Hopper has developed police training programs ranging from Police Search and Seizure for academy as well as advanced officer training, Advanced Wiretap Procedures and Investigation, Police Master Instructor curriculum, Undercover Operations Survival training, Narcotics Air Smuggling Training and numerous other police training curricula. Mr. Hopper has produced and directed police training videos, and the video unit he supervised received a number of national awards for their productions. Along with more than 30 years of law enforcement experience, Mr. Hopper has more than 20 years of law enforcement academic leadership and has been recognized by the Department of Justice Law Enforcement Coordinating Committee, Arizona Attorney General's Office, Arizona Counter Terror Information Center, and others for his accomplishments in the field.

Mr. Hopper received his teaching credentials through the Arizona Community College board and has developed classroom and web based computer forensic curriculum for Rio Salado Community College in Phoenix, Arizona and taught law enforcement courses within the Arizona Community College system for over ten years.

Mr. Hopper is a member of the Scientific Working Group on Digital Evidence and participated in the development of two NIJ publications in the area of digital evidence, Electronic Crime Scene Investigation: A Guide for First Responders, and Forensic Examination of Digital Evidence: A Guide for Law Enforcement.

Raymond Kessenich, DC3/DCITA

Special Agent Raymond Kessenich is currently detailed to the Defense Cyber Crime Center in Linthicum, MD, as the Director of the Defense Cyber Investigation Training Academy. Special Agent Kessenich is an employee of the Naval Criminal Investigative Service and a 28 year law enforcement professional.

Mischel Kwon, DHS

Mischel Kwon, an IT professional with more than 26 years of experience, was named the Director of Operations for the United States Computer Emergency Readiness Team (US-CERT) in June 2008. As the Director of Operations for the US-CERT, Kwon is responsible for the operational mission of the US-CERT. US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities in Federal networks, disseminating cyber threat warning information, and coordinating incident response activities.

Kwon brings a unique blend of hands on experience, academic research and training, and a seasoned understanding of how to build operational organizations from inception. Among her successes at the United States Department of Justice (DOJ), where she was Deputy Director for IT Security Staff; she built and deployed the Justice Security Operations Center (JSOC) to monitor and defend the DOJ network against cyber threats. In addition, she served as the lead project manager for the Trusted Internet Connections (TIC) project at DOJ. The TIC project is a jointly led project between OMB and DHS. This experience provides a unique perspective in her operational mission at DHS.

In addition to the operational role, Kwon lends her experience and drive for providing superior customer service to DHS. Kwon is leading the effort to enhance the US-CERT’s ability to disseminate reasoned and actionable cyber security information to key stakeholders, including: federal agencies, industry, the research community, and state and local governments. In tandem with this effort, Mischel is in the process of building and enhancing US-CERT’s capability to better protect our nation's Federal Internet infrastructure by coordinating actionable mitigation against and response to cyber attacks.

Ms. Kwon holds a Master of Science in Computer Science and a graduate certificate in Computer Security and Information Assurance. In addition, she serves as an adjunct professor at George Washington University in Washington, DC, where Ms. Kwon also runs the GW Cyber Defense Lab. Her interests branch out into cryptology, wireless networks, and antenna theory.

Richard H.L. Marshall, NSA

Mr. Richard H. L. Marshall is the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA). NSA’s Legislative Affairs Office is the Agency’s point of contact for all NSA matters concerning Congress and is committed to maintaining a relationship with Congress built on trust, candor, completeness, correctness, consistency, and corporateness. As an additional duty, Mr. Marshall also represents NSA in the National Centers of Academic Excellence in Information Assurance Program in Boston, Massachusetts and the Detroit, Michigan areas where he has led the effort to establish an International Consortium on Information Assurance.

Mr. Marshall graduated from The Citadel with a B.A. in Political Science; Creighton University School of Law with a J.D. in Jurisprudence; Georgetown School of Law with an LL.M. in International and Comparative Law; was a Fellow at the National Security Law Institute, University of Virginia School of Law in National Security Law; attended the Harvard School of Law Summer Program for Lawyers; the Georgetown University Government Affairs Institute on Advanced Legislative Strategies and participated in the Information Society Project at Yale Law School and in the Privacy, Security and Technology in the 21st Century program at Georgetown University School of Law. Mr. Marshall is also an Honor Graduate of the USAF Squadron Office School, the USAF Air Command and Staff College, the NDU Industrial College of the Armed Forces, the USAF Judge Advocate General (JAG) School and the Army JAG School (both Basic and Advanced).

Mr. Marshall’s Prior Positions have included:

  • Principal Deputy Director, Critical Infrastructure Assurance Office (CIAO), Bureau of Industry and Security, Department of Commerce, 1999-2003.
  • Associate General Counsel for Information Systems Security/Information Assurance, Office of the General Counsel, National Security Agency, 1990-1999.
  • Military Career: Director of Civil Law, HQ USAFE, Ramstein AB, FRG; Deputy Legal Advisor, HQ USEUCOM, Stuttgart, FRG; Director of International Law and Deputy Staff Judge Advocate, Clark AB, RP; Director of Military Affairs, 8th AF, LA; Chief of Military Justice, 3902nd ABW, Offutt AFB, NE; competitively selected participant first Air Force Funded Legal Education Program at SAC/HQ; and Air Force Intelligence Officer during the Vietnam War, as an Intelligence Officer and F-105G combat crewmember (Iron Hand/Wild Weasel) in Thailand.

An avid reader, runner, biker, swimmer, snowboarder and horseman, Mr. Marshall resides in Columbia, MD. He also enjoys theater and the arts and has appeared in a cameo role on stage at the Kennedy Center. Active in the American Bar Association, he is a member of the ABA Standing Committee on Law and National Security.

Ken Privette, USPS

Ken works as the Special Agent in Charge of the Technical Investigations Division (TID) at the USPS Office of Inspector General. TID consists of three programs including the Polygraph Program and two digital evidence programs – Technical Operations Unit and the Computer Crimes Unit (CCU). The TID conducts computer crime investigations and provides computer forensics support to a force of 600 agents who conduct fraud and internal crime investigations for the U. S. Postal Service. Over the past two years, Ken’s team has doubled in size, now managing a forensic workload of more than 1000 requests per year. Through a creative partnership with the Postal Service’s CIO, his team has pioneered new digital forensics initiatives such as remotely imaging computers across the Postal Service infrastructure. The team has also developed custom digital forensic applications for leveraging vast Postal data resources.

Ken spent much of his professional life as a Special Agent with the Naval Criminal Investigative Service both overseas and state-side where he conducted investigations involving computer crime, terrorism, and counterintelligence matters.

Linton Wells II, Ph.D., NDU

Dr. Linton Wells II is a Distinguished Research Professor and serves as the Transformation Chair at National Defense University (NDU). Prior to coming to NDU he served in the Office of the Secretary of Defense (OSD) from 1991 to 2007, serving last as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). In addition, he served as the Acting Assistant Secretary and DoD Chief Information Officer for nearly two years. His other OSD positions included Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and Deputy Under Secretary of Defense (Policy Support) in the Office of the Under Secretary of Defense (Policy).

In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; and C3I.

Dr. Wells was born in Luanda, Angola, in 1946. He was graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, scuba diving, and flying. He has three times been awarded the Department of Defense Medal for Distinguished Public Service.

Reverse DNS Tunneling Shellcode

Ty Miller

Track: 0-Day

Remote exploitation of client-side vulnerabilities is falling short because the shellcode often fails to connect back to the attacker. "Reverse DNS Tunneling Shellcode" makes client-side exploits far more effective by using DNS as a tunneling protocol, increasing the success rate of client-side exploitation attempts through a more stable tunneling technique.

The number of vulnerabilities found in external systems and services is decreasing, making it less likely that an attacker can directly exploit externally accessible systems to gain access to an internal network. Thankfully for hackers and penetration testers, client-side vulnerabilities are still rampant, in web browsers, plugins, local software and operating systems, which has increased interest in creating and using exploits for client-side vulnerabilities. It is quite common for an exploit to succeed yet still fail to connect back to the attacker, because firewalls prevent direct outbound connections, HTTP tunneling fails to detect, connect or authenticate out via proxies, or hijacking established connections (if any exist) proves too complex.

Reverse DNS Tunneling shellcode is a new shellcode technique that increases the success rate of client-side exploit attempts by using the DNS protocol. DNS provides a number of advantages over other protocols. Most remote exploitation attempts against client-side vulnerabilities target workstations, and workstations are almost always pre-configured to use an internal DNS server, which we can use to tunnel our connection out. DNS also does not require authentication, whereas HTTP tunneling does, so DNS has fewer barriers to bypass in order to escape the internal network. This matters because it means the chance of successful exploitation is much higher when using Reverse DNS Tunneling Shellcode.

So how does Reverse DNS Tunneling Shellcode work? The client-side exploit kicks off the shellcode, which then creates unique DNS probes using subdomains of the attacker's domain. These probes are sent from the workstation to the internal DNS server, then out through the DNS servers of the Internet, eventually reaching the attacker's DNS server. At this point the attacker's custom DNS server (currently written in Perl) receives the probe and prompts the attacker with a command line (attacker smiles). The attacker can now enter commands to be executed on the remote victim system. The custom DNS server encodes the command with Base32, splits and delimits the encoded command to fit within the DNS protocol specifications, and sends it back in the DNS response. The Reverse DNS Tunneling Shellcode on the victim host receives and decodes the DNS response to recover the underlying command, then executes it on the victim system. The output of this command is then Base32 encoded, split, delimited, numbered, and sent back to the attacker across numerous DNS requests. The custom DNS server uses the request IDs to reassemble the encoded request data and reveal the command output to the attacker (who smiles again). Once this process has completed, the shellcode reverts to probing the attacker for the next command.

There are ways to protect against this type of attack, such as implementing Split DNS, which lets organizations prevent DNS requests from leaving their internal network; this would stop the DNS probes from reaching the attacker. From experience, most organizations do not currently use Split DNS (except for larger, more security-aware organizations), and therefore this attack still has an extremely high success rate. Network IDS systems could also potentially be configured to detect trends of multiple large DNS requests to a single domain. One downfall of this technique is the shellcode size limit that specific vulnerabilities may impose. This is not the case when exploiting heap overflows using the "Heap Feng Shui" technique developed by Alexander Sotirov.
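The NIDS heuristic the paragraph above mentions, sketched as an added example that is not part of the talk or its Perl server: it scores each registered domain in a DNS query log by the traits the abstract describes (many unique, long, Base32-shaped subdomain labels sent to one domain). The log format (time, client, qname, qtype), the "last two labels" notion of a registered domain, the thresholds and every log line are constructed assumptions for this example.

```python
"""Heuristic detector for DNS-tunnel-shaped query patterns (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# RFC 4648 Base32 alphabet is A-Z plus 2-7; DNS labels are case-insensitive.
BASE32_LABEL = re.compile(r"^[a-z2-7]+$", re.IGNORECASE)
# Short all-letter labels ("www", "mail") also match the alphabet, so only
# labels this long are counted as payload-like.
MIN_PAYLOAD_LABEL = 20

# Constructed sample log: one ordinary client, plus one host that emits
# numbered, Base32-looking chunks to a single domain (format is assumed).
SAMPLE_LOG = """\
10:00:01 10.0.0.15 www.example.com A
10:00:02 10.0.0.15 mail.example.com MX
10:00:03 10.0.0.15 cdn.example.net A
10:00:04 10.0.0.15 www.example.com A
10:00:10 10.0.0.23 0.nbswy3dpeb3w64tmmqqhk5dsmfwgkzlnn5qw4ylooqqhk5dsmfwgkzlnn5qw4.tunnel.example A
10:00:11 10.0.0.23 1.kvsxe2lomvzxi2lomq4dcmbwgyytemjqmvqwg5lumvzxi2lomq.tunnel.example A
10:00:12 10.0.0.23 2.mjqwy3dpmuqgc3tebmxtgojumf2gk3rrgiqhe2loorxw4zlsgjwge.tunnel.example A
10:00:13 10.0.0.23 3.jbswy3dpeb3w64tmmqqhk5dsmfwgkzlnn5qw4ylooqqhk5dsmfwgkzlnn5qw4.tunnel.example A
10:00:14 10.0.0.23 4.nfxgc5dpnfxgc5dpn5qw4ylooqqhk5dsmfwgkzlnn5qw4ylooqqhk5ds.tunnel.example A
10:00:15 10.0.0.23 5.mzxw6ytpmzxw6ytpmzxw6ytpmzxw6ytpmzxw6ytpmzxw6ytpmzxw6ytp.tunnel.example A
10:00:16 10.0.0.15 www.example.com A
"""


@dataclass
class DomainStats:
    queries: int = 0
    unique_names: set = field(default_factory=set)
    payload_labels: int = 0
    total_qname_len: int = 0

    @property
    def mean_qname_len(self) -> float:
        return self.total_qname_len / self.queries if self.queries else 0.0


def parse_line(line):
    """Split one constructed log line into (client, qname, qtype); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname.rstrip(".").lower(), qtype


def registered_domain(qname):
    """Assumption: the registrable domain is the last two labels.
    A real deployment would consult a public suffix list instead."""
    return ".".join(qname.split(".")[-2:])


def payload_label_count(qname, domain):
    """Count subdomain labels long enough and Base32-shaped enough to carry data."""
    suffix = "." + domain
    sub = qname[: -len(suffix)] if qname.endswith(suffix) else ""
    return sum(1 for lab in sub.split(".")
               if len(lab) >= MIN_PAYLOAD_LABEL and BASE32_LABEL.match(lab))


def collect_stats(log_text):
    """Aggregate per-registered-domain statistics over the whole log."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _client, qname, _qtype = rec
        domain = registered_domain(qname)
        s = stats[domain]
        s.queries += 1
        s.unique_names.add(qname)          # a tunnel never repeats a chunk name
        s.payload_labels += payload_label_count(qname, domain)
        s.total_qname_len += len(qname)
    return dict(stats)


def suspicious_domains(log_text, min_queries=5, min_unique_ratio=0.8,
                       min_payload_ratio=0.5, min_mean_len=40):
    """Return domains whose traffic looks like numbered Base32 chunks.
    Thresholds are illustrative; tune them against your own baseline, and note
    that CDNs with long hashed hostnames can trip the length/alphabet checks."""
    flagged = []
    for domain, s in collect_stats(log_text).items():
        if s.queries < min_queries:          # short bursts stay below the radar
            continue
        unique_ratio = len(s.unique_names) / s.queries
        payload_ratio = s.payload_labels / s.queries
        if (unique_ratio >= min_unique_ratio and payload_ratio >= min_payload_ratio
                and s.mean_qname_len >= min_mean_len):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in sorted(collect_stats(SAMPLE_LOG).items()):
        print(f"{domain:20} queries={s.queries} unique={len(s.unique_names)} "
              f"payload_labels={s.payload_labels} mean_len={s.mean_qname_len:.1f}")
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

Pair this with the Split DNS control the paragraph recommends: once internal resolvers cannot forward arbitrary names outward, the same statistics become an alert on attempted, rather than successful, exfiltration.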

Since Reverse DNS Tunneling shellcode can be stopped by Split DNS configurations, I will be extending this shellcode to become "Reverse Multi-Protocol Tunneling Shellcode". This extended shellcode will try a number of current and new reverse connection and tunneling techniques to find multiple ways out of the internal network and back to the attacker. These techniques include:
- Reverse DNS Tunneling
- Reverse ICMP Tunneling
- Reverse FTP Tunneling
- Reverse TCP and UDP Port Scanner (to find open outbound ports)
- Reverse HTTP Tunneling
- Reverse HTTPS Tunneling
- Direct Reverse Connection (80/TCP, 443/TCP, 53/TCP, and 53/UDP)
- SMTP Port Scanning (find SMTP server and email attacker to notify of successful exploit)
- Reverse SMTP Tunneling (a little trickier to implement)

This allows an attacker to detect and take advantage of a number of different ways out of the organization, enabling multiple sessions to be created on the victim host. This would again dramatically increase the success rate of client-side exploits, and also has the added advantage of creating multiple redundant sessions to the attacker for connection stability.

Ty Miller

Ty Miller is the Chief Technical Officer and Penetration Tester for Pure Hacking in Sydney, Australia. Ty has performed penetration tests against thousands of systems for large banking, government, telecommunications, and insurance organizations worldwide, and has designed and managed large security architectures for a number of Australian and multinational organizations within the education and airline industries. Ty is one of the authors of the next edition of the Hacking Exposed Linux book, where he wrote the web application hacking chapter. He holds a Bachelor of Technology in Information and Communication Systems from Macquarie University, Australia. Ty is a certified ISECOM OPST and OPSA Instructor, and contributes to the Open Source Security Testing Methodology Manual. Ty was also involved in the development of the CHAOS Linux distribution, which aimed to be the fastest, most compact, secure and straightforward openMosix cluster platform available. His other interests include web application hacking, as well as exploit and shellcode development.

Satan is on My Friends List: Attacking Social Networks

Shawn Moyer and Nathan Hamiel

Track: App Sec 1.0 / 2.0

Social networking is shaping up to be the perfect storm: an implicit trust of those in one's network or social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML. Yikes.

But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate... A target-rich and trusting environment for custom-tailored, laser-focused attacks.

Shawn Moyer and Nathan Hamiel

Shawn Moyer is CISO of Agura Digital Security, a web and network security consultancy. He has led security projects for major multinational corporations and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences.

Shawn is currently working on a slash fanfic adaptation of 2001:A Space Odyssey, told from the perspective of Hal9000. He only accepts friend requests on Facebook if they include a DNA sample and a scanned copy of a valid driver's license or passport.

Nathan Hamiel is a Senior Consultant for Idea Information Security and the founder of the Hexagon Security Group. He is also an Associate Professor at the University of Advancing Technology. Nathan has previously presented at numerous other conferences including DefCon, Shmoocon, Toorcon, and HOPE.

Nathan spent much of DefCon 15 without shoes and is planning ahead this year with a defense-in-depth approach that includes failover footwear. He has 1,936 people in his extended network, and finds that disturbing on a number of levels.

Viral Infections in Cisco IOS

Ariel Futoransky

Track: Rootkit Arms Race

Rootkits are very common on the most popular operating systems, such as Windows, Linux, Unix and their variants, but they are rarely seen on embedded OSes.

This is because embedded OSes are usually closed source, so the internals of the OS are unknown and the reverse engineering process is harder than usual. In practice, once an attacker takes control of a system he or she needs to maintain access to it, so a rootkit is installed.

The rootkit seizes control of the entire system running on that hardware: hiding files, processes and network connections, allowing unauthorized users to act as system administrators, and so on.

This paper demonstrates that a rootkit with those characteristics can be easily created and deployed for a closed source OS like IOS, and can run unnoticed by system administrators by surviving most, if not all, of the security measures recommended by experts in the field.

As proof, different ways to infect a target IOS will be shown, such as run-time patching and image binary patching. To discuss the binary patching technique from a practical point of view, we will introduce a set of Python scripts that provide the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit), written in plain C for IOS. Other techniques, such as run-time image infection, will also be discussed in detail.

Ariel Futoransky

Ariel Futoransky, a co-founder of Core, is the head of CoreLabs, the company's research and development center. As such, he is responsible for all day-to-day research and publishing activities. Since 1996, Futoransky has been working to transform promising technologies into competitive advantages for the company and its customers. Prior to co-founding Core, Futoransky served as a member of the Special Projects Group at the Argentine tax agency and served as a consultant for several government agencies and corporations. Futoransky has distinguished himself as a multiple award winner in the International Olympiad in Informatics (IOI), where he won a silver medal in Stockholm in 1994, three gold medals in Buenos Aires in 1991-1993, and a bronze medal in 1992 in Bonn, Germany.

A Hypervisor IPS based on Hardware Assisted Virtualization Technology

Junichi Murakami

Track: Virtualization

Recently malware has become stealthier, and thus harder to detect, than ever before. Current malware uses many stealth techniques, such as dynamic code injection, rootkit technology and much more. Moreover, we have seen full kernel mode malware like Trojan.Srizbi.

Many detection tools were released that specialize in kernel mode malware and especially in the detection of rootkits. However, these tools are a cat and mouse game, because they and the malware are executed on the same privilege level.

This is why we developed an IPS based on a hypervisor, which uses features of hardware virtualization. It is executed on Ring-1 and thus runs with higher privileges than the OS layer.

In this session, we will talk about stealth mechanisms used by recent malware and demonstrate how to protect against such malware using Hypervisor IPS.

Junichi Murakami

Junichi Murakami is a Senior Research Engineer at Fourteenforty Research Institute, Inc., and a member of the Alpha Unit Research & Development team. He is interested in kernel-space security technology on both Windows and Linux. As a student he developed LKM (Loadable Kernel Module) rootkits and rootkit detectors for Linux; his work can be found in the chkrootkit and StMichael projects. He also developed a comprehensive honeypot system for collecting malware. Currently, he focuses on Windows-based malware and its reverse engineering.

Mifare -- Little Security, Despite Obscurity

Karsten Nohl

Track: Hardware

Radio Frequency Identification (RFID) tags are becoming ubiquitous and can already be found in touch-less entry systems, all major credit cards, most car keys, and many ticketing systems. Mifare is the most widely deployed brand of cryptographic RFID tags, and its security relies on proprietary algorithms, in spite of the well known fact that security-through-obscurity does not work.

We recover the secret algorithms from Mifare tags by combining image analysis of circuits with protocol analysis. In this process, we open silicon chips, take pictures under a microscope, employ and adapt computer vision algorithms, design and build radio equipment, simulate circuits, and finally use cryptanalysis to assess the security of the discovered algorithms. Our project is the first non-classified work to provide a methodology for hardware reverse-engineering, and it corrects the belief that this process is necessarily expensive.

Our analysis of the widely used Mifare RFID tags reveals that their actual security is well below the claimed security level due to a number of design flaws. The security of the analyzed tag is clearly insufficient for many of its applications. Consequently, ever since news of our results first surfaced, several current deployments of the tags have been brought under public scrutiny. Most notably, a nationwide ticket system for public transport in the Netherlands must now be re-engineered. During a parliamentary discussion on this subject, politicians have called for proprietary technology to be avoided in favor of open designs.

Karsten Nohl

Karsten hacks hardware with folks at CCC and some of the Shmoos. He is currently finishing his PhD at UVa where his research bridges theoretical cryptography and hardware implementation. Some of his current projects deal with RFID crypto, privacy protection, and the value of information.

Living in the RIA World: Blurring the Line Between Web and Desktop Security

Justine Osborne, Security Consultant, iSEC Partners

Track: App Sec 1.0 / 2.0

Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant Internet connectivity, they provide a graphical experience equivalent to thick desktop applications with the easy install experience of thin Web apps. They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external security professionals.

Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison between the security models of the leading RIA platforms. We will discuss how current attacks against web applications are changed with RIA as well as outline new types of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze the threat posed to them by RIA applications as either providers or consumers of software built on these new platforms.

We will also be discussing the attack surface exposed by the large media codec stacks contained in each of these platforms. Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. At this talk, we will be releasing tools for testing the codec security of these platforms as well as sample malicious code demonstrating the danger of RIA applications.

Justine Osborne is a Security Consultant with iSEC Partners where she specializes in the security analysis of complex web and Win32 applications. Her research interests include web applications and dynamic vulnerability assessment tools. She holds a BS in Computer Science from Mills College.

Mobitex Network Security

olleB
Track: OTA

This talk will give an overview of the Mobitex wireless networking technology and infrastructure. A detailed presentation of the authentication (subscriber identity) and privacy (anti-sniffing) features will be given, and fundamental weaknesses in both will be presented along with suggested improvements and "best practice" advice for implementors of applications built on Mobitex and other wide-area coverage wireless network standards.

olleB has been working in the IT security industry since 1999 and has a background in UNIX systems administration. In his spare time he enjoys tinkering with tech and building security-related tools under the banner of the Toolcrypt group. He has held numerous security training courses of the "hands on/attacker perspective" type on behalf of past employers and has presented at the T2 and CanSecWest security conferences.

Software Radio and the Future of Wireless Security

Michael Ossmann, Information Security Researcher, Institute for Telecommunications Sciences, US Department of Commerce

Track: OTA

Radios are everywhere. We use them daily in car stereos, cordless phones, car key fobs, proximity access cards, laptops, television tuners, garage door openers, mobile phones, and headsets, to name a few. To build one of these radio devices in the traditional manner, you would need some electronic components (including, in many cases, a microprocessor), a soldering iron, and a fairly advanced knowledge of electronic circuit design. All that is changing, however, with the emergence of software radio. The digital technologies that revolutionized the audio world over the last thirty years are now bringing the same revolution to the radio world. General purpose computers are becoming fast enough to function as sophisticated radio devices with minimal hardware peripherals. In the future, all radios will be software radios, and all practical wireless security tools will be implemented with software radio.

This presentation will describe the state of software radio, discuss future trends, and point out current and future applications of software radio technologies to wireless security research. Particular attention will be given to tools and resources that are available today, helping attendees without a background in RF technology to get started in the field. Practical attacks will be demonstrated using GNU Radio and the Universal Software Radio Peripheral.

Michael Ossmann is an information security researcher for the Institute for Telecommunication Sciences at the U.S. Department of Commerce Boulder Laboratories. He has served as the information security officer for a hospital system, as a consultant, and as a system and network administrator. Michael is best known for his 2004 article, WEP: Dead Again, and the 5-in-1 Network Admin's Cable featured in the premiere issue of Make.

Playing by Virtual Security Rules: How Virtualization Changes Everything and What to Do about It

Steve Pate

Track: Turbo Talks

Virtualization completely changes the risk of information theft. Traditional physical security systems become ineffective, disk encryption no longer protects the operating system, and sensitive data becomes more portable than ever before. This talk will cover the security risks of virtualized environments, common hacking techniques, and how virtualization affects traditional security practices, and will present a new model for securing virtualized environments.

Steve Pate

Steve Pate is CTO of Vormetric and has 20 years of operating system technology experience, primarily in the areas of filesystem and storage technologies. He has been involved in projects using numerous versions of UNIX, Linux and microkernel technologies. Most recently he has been involved in several startups building distributed storage technology. Steve spent 8 years in the Veritas filesystem group, where he was responsible for delivering solutions across multiple versions of UNIX and Linux. Prior to that he was responsible for the architecture of SCO's UNIX and microkernel developments. Steve began his career with International Computers Limited (ICL), where he led the development of a microkernel-based implementation of System V Release 4 UNIX. Steve is a published author with two books on UNIX operating system and filesystem internals.

Client-side Security

Petko D. Petkov

Track: App Sec 1.0 / 2.0

Client-side software generally refers to the class of computer programs that are executed on the client, by the user's supporting environment, instead of on the server. Clients and servers are in constant interaction. In a Web environment, the client is represented by the user's web browser, while the server is the remote computer that serves dynamic content. In a much broader context, the client-server relationship can be represented by a network client connected to a WiFi network.

This paper describes numerous techniques for attacking client-side technologies. The content of the paper is based on research conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.

If Apple responds before the event, I will drop the details of a QuickTime 0day for Windows Vista and XP.

Petko D. Petkov

I enjoy breaking things, researching stuff and in general hacking whatever I am interested in. I am running GNUCITIZEN, an ethical hacker outfit.

Malware Detection Through Network Flow Analysis

Bruce Potter, Founder, Shmoo Group

Track: The Network

Over the last several years, we've seen a decrease in effectiveness of "classical" security tools. The nature of the present day attacks is very different from what the security community has been used to in the past. Rather than wide-spread worms and viruses that cause general havoc, attackers are directly targeting their victims in order to achieve monetary or military gain. These attacks are blowing right past firewalls and anti-virus and placing malware deep in the enterprise. Ideally, we could fix this problem at its roots; fixing the software that is making us vulnerable. Unfortunately that's going to take a while, and in the interim security engineers and operators need new, advanced tools that allow deeper visibility into systems and networks while being easy and efficient to use.

This talk will focus on using network flows to detect advanced malware. Network flows, made popular by Cisco's NetFlow implementation available on almost all of their routers, have been used for years for network engineering purposes. And while there has been some capability for security analysis against these flows, there has been little interest until recently. This talk will describe NetFlow and how to implement it in your network. It will also examine advanced statistical analysis techniques that make finding malware and attackers easier. I will release a new version of Psyche, an open source flow analysis tool, and show specific examples of how to detect malware on live networks.

Bruce Potter is the founder of the Shmoo Group which is made up of security, crypto, and privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network analysis, trusted computing, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders.

Temporal Reverse Engineering

Danny Quist, Colin Ames

Track: Reverse Engineering

Reverse engineering a program requires considerable patience and skill. The amount of information that has to be analyzed can be overwhelming, and oftentimes the relevant portions of code represent a very small part of the overall program. One of the most effective methods for reverse engineering a program is to analyze the changes in memory state. This provides a fine-grained view of execution, intent, and functionality. To analyze changes of state correctly you have to use a combination of static and dynamic methods. We will present our work on the use of process checkpointing as a means to track the changes in program state. Visualizing changing process state can be used to reduce the amount of time necessary to analyze a program. As a demonstration we will analyze information protection systems, a known piece of malware, the Storm worm and a benign application.

Danny Quist

Danny Quist is currently CEO and co-founder of Offensive Computing, LLC, a security vulnerability consulting company. He is a Ph.D. candidate at New Mexico Tech working on automated analysis methods for malware using software and hardware assisted techniques. He holds a patent for a network quarantine system. His research interests include reverse engineering and exploitation methods.

Colin Ames

Colin Ames is a security researcher with Offensive Computing LLC where he consults for both the private and public sectors. He's currently focused on Pen testing, Reverse Engineering, Malware Analysis and Steganographic research.

Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World

Mike Reavey, Steve Adegbite, Katie Moussouris

Track: Deep Knowledge

Has Microsoft lost its mind??!! Yes and no! Three top security dudes (one technically being a dudette) at Microsoft have come up with three new programs that will change the face of the vulnerability industry.

Mike Reavey

As group manager of the Microsoft Security Response Center (MSRC) at Microsoft Corp., Mike Reavey works with security teams to proactively identify and communicate critical software vulnerabilities to customers. Building on Microsoft’s commitment to Trustworthy Computing, Mr. Reavey’s responsibilities include responding to vulnerability reports, engaging with the security community, and collaborating with internal product groups to provide updates to customers and help protect them from computing security threats. Part of a collective initiative to better protect software users from such threats, Mr. Reavey’s team is constantly evolving its response capabilities. Reavey was deeply involved in Microsoft’s work combating the Zotob, Sasser and Blaster outbreaks, and has helped MSRC continually prove its ability to respond to attacks and blended threats. His goal for the group is to continue to evolve in the wake of new threats and serve as the first and best source of information for customers and internal teams.

Steve Adegbite

Stephen, aka Capn Steve Adegbite, is a Senior Security Strategist in the MSRC Security Ecosystem Strategy Team, working in the group that is responsible for securing current and future Microsoft products. Steve started off in the computer field as a scared 10 year old who discovered his father's TRS-80 and proceeded to take it apart to see how it worked. He then couldn't put it back together. He later discovered the early NYC hometown BBS and the kind people on it, who took pity on him and helped him to put it back together and learn the early art of hacking (not the bad kind, of course).

Steve went on to hone his chi on vulnerability intelligence, application security and information assurance through many years in the Marine Corps Communication and Signal Intelligence community. While there he founded the first ever Information Assurance red team, charged with adversarial testing of the Marine Corps Enterprise Network (MCEN). He was also, for a time, the officer in charge of the Marine Corps Emergency Response Team (MAR-CERT) component of the Joint Task Force Global Network Operations Center (JTF-GNO). Following that, he worked as an Information Operations specialist for various light and dark places within the US government.

Katie Moussouris

Katie Moussouris is a Security Strategist in the MSRC Security Ecosystem Strategy Team, working in the group that is responsible for securing current and future Microsoft products. Katie began her nerdy life programming her C64 in grade school, writing her own Zork-like text-based adventure – which was of limited use, since she had no friends and she knew all the puzzles in her own game. Good thing she eventually left her room and found some like-minded people at a local 2600 meeting.

Katie’s professional background is application security, having come from Symantec by way of the @stake acquisition. Katie founded and ran the Symantec Vulnerability Research Program, the first program of its kind in Symantec's history to allow the publication through Responsible Disclosure of original vulnerability advisories discovered by Symantec researchers. In addition to performing security research, Ms. Moussouris has been an application penetration tester for fortune 500 companies across numerous industries. She has uncovered serious vulnerabilities during the course of her work before they could be widely exploited by hooligans and criminals for either fun or profit, respectively.

No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling

Ivan Ristic, Ofer Shezaf

Track: 0-Day Defense

Web application security is a big problem, yet there is never enough time to dedicate to solving the issue or, at least, making it smaller. To help with this, we embarked on a project that would enable you to tighten the security of your web applications with little effort. The project, called ModProfiler, aims to provide best-possible protection for web applications by analysing web application traffic passing by. This new open source tool builds on the success of ModSecurity (also open source), which is generally considered to be the most widely deployed web application firewall.

The premise is simple: ModProfiler works by observing what's valid and what's not, resulting in a tight application shield designed around the positive security model concept. The process of shield construction is not as simple, but the complexity is hidden away. This talk, presented by Ivan Ristic and Ofer Shezaf, the authors of the tool, will give you an insight into the technology behind the scenes, and enable you to get the most out of it.

Ivan Ristic

Ivan Ristic is an open source advocate, entrepreneur, writer, programmer and application security researcher. He is the principal author of ModSecurity, the open source intrusion detection and prevention engine for web applications, considered by many to be the most widely deployed web application firewall. Through ModSecurity and by leading the Web Application Firewall Evaluation Criteria project, Ivan works to make web application firewall technology available to everyone, honestly discussing its advantages and disadvantages at the same time. His book, Apache Security, is a concise yet comprehensive web security guide for the Apache web server. Ivan is an active participant in the web application security community, an officer of the Web Application Security Consortium and the leader of the OWASP London Chapter. Ivan's blog is at

Ofer Shezaf

Ofer Shezaf is VP Security Research at Breach Security Inc. and leads IT security research at the company. He is responsible for defining security features for Breach Security’s products and driving the diverse research activities of Breach Security Labs, the research arm of Breach Security. Ofer's research program is focused on the design and operation of web application firewalls, including leading the Core Rule Set project, an open source project for generic detection of application layer attacks. Ofer serves as an officer of the Web Application Security Consortium (WASC), where he leads the Web Hacking Incidents Database project. He also leads the Israeli chapter of the Open Web Application Security Project (OWASP). Prior to joining Breach Security, Shezaf was a group manager and later a special advisor on national infrastructure protection for the Israeli government and intelligence forces.

Alternative Medicine: The Malware Analyst's Blue Pill

Paul Royal

Track: Reverse Engineering

Modern malware contains a myriad of anti-debugging, anti-instrumentation, and anti-VM techniques that pose challenges to security professionals who want to understand an instance’s malicious runtime behavior. Static analysis of malware can be similarly stymied by code obfuscations created using custom or best-of packers, and execution-based unpacking must deal with the same challenges as those focusing on runtime behavior. Robust tracing programs and automated deobfuscation tools help the analysis process, but given that nearly all of these approaches reside in or emulate part of the guest OS, the result is a fast-moving, ever-escalating detection/detection-prevention arms race.

In an effort to evolve the nature of the obfuscation/deobfuscation game played between malware authors and security practitioners, this presentation will discuss the design and implementation of completely external malware analysis approaches that operate through the use of hardware virtualization extensions (e.g., Intel’s VT). To motivate their need, highlights of detection attacks for existing in-guest or emulation-based approaches will also be presented.

In addition to showing how virtualization extensions can be carefully leveraged to create tracing and instrumentation techniques, the construction of, and source code for, a simple (KVM-based) prototype allowing fine-grained tracing and instrumentation will be provided. Test cases showing that the prototype prevents a malware instance from inferring that it is being spied upon, or that the environment is not bare metal, will also be presented.

Paul Royal

Paul Royal is Principal Researcher at Damballa, Inc., an Atlanta-based company whose primary focus is botnet detection and remediation. In his role at Damballa, Paul collaborates with researchers and engineers to design new techniques for and apply ongoing research efforts in the implementation of sandboxes, sensors and analyzers used for the discovery and identification of bot behavior. Paul received his Bachelor and Master of Science in Computer Science from the Georgia Institute of Technology in 2004 and 2006, respectively. As a graduate student he studied binary analysis under Dr. Wenke Lee, focusing on the topics of automated malware processing and transformation.

Detecting & Preventing the Xen Hypervisor Subversions

Joanna Rutkowska, Rafal Wojtczuk

Track: Virtualization

We discuss various anti-subversion techniques (IOMMU/VT-d, Xen’s driver and stub domains, etc.) and whether they really can protect the Xen (or similar) hypervisor from compromise. After demonstrating that those mechanisms can be bypassed, we will switch to discussing hypervisor integrity scanning and will present some prototype solutions to this problem.

This presentation is the second in the series of three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred to as the “Xen 0wning trilogy”. Attendees are encouraged to attend the “Subverting the Xen hypervisor” presentation before coming to this talk. The follow-up presentation is titled “Bluepilling the Xen hypervisor”.

Joanna Rutkowska

Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted multiple times by international press and she is also a frequent speaker at security conferences around the world.

Rafal Wojtczuk

Rafal Wojtczuk has 10 years' experience with computer security. He has found vulnerabilities in popular operating systems and virtualization software. He has published articles on advanced exploitation techniques, among others about exploiting buffer overflows in a partially randomized address space environment. He is also the author of libnids, a low-level packet reassembly library. In July 2008 he joined Invisible Things Lab, the company known for research in hypervisor security.

Bluepilling the Xen Hypervisor

Alexander Tereshkin, Joanna Rutkowska

Track: Virtualization

We discuss how to insert Bluepill on top of a running Xen hypervisor (x64). We will show how to do that both with and without a restart (i.e. on the fly). To make this possible, our Bluepill needs to support full nested virtualization, so that Xen can still function properly. We will also discuss how the “Bluepill detection” methods proposed over the last 2 years, as well as the integrity scanning methods discussed in the previous talk, fit into this new scenario and how far we are from the stealth malware’s Holy Grail ;)

This presentation is the last in the series of three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred to as the “Xen 0wning trilogy”. Attendees are encouraged to attend the “Subverting the Xen hypervisor” and “Detecting and Preventing the Xen hypervisor subversions” presentations before coming to this talk.

Joanna Rutkowska

Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted multiple times by international press and she is also a frequent speaker at security conferences around the world.

Alexander Tereshkin

Alexander Tereshkin, principal researcher at Invisible Things Lab, is a seasoned reverse engineer and Windows kernel expert, specializing in rootkit technology, kernel exploitation and hardware virtualization security. He has presented several sophisticated ideas for rootkit creation and personal firewall bypassing in the past few years. He has done significant work in the field of virtualization-based malware and kernel protection bypassing. He is a co-author of the "Understanding Stealth Malware" course taught with Joanna Rutkowska.

Return-Oriented Programming: Exploits Without Code Injection

Hovav Shacham

Track: 0-Day

We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code.

New computations are constructed by linking together code snippets that end with a "ret" instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.

W^X and DEP, along with many other security systems, make the assumption that preventing the introduction of malicious code is sufficient to prevent the introduction of malicious computation. With the return-oriented computing approach, this assumption is false: subverting control flow on the stack is sufficient to construct arbitrary computation from "known-good" code.

On the x86 one can obtain useful instruction sequences by jumping into the middle of intended instructions, but return-oriented programming is possible even on RISC platforms that are very different from the x86.

Hovav Shacham

Hovav Shacham joined UC San Diego’s Department of Computer Science and Engineering in Fall 2007. Shacham received his Ph.D. in computer science in 2005 from Stanford University, where he had also earned, in 2000, an A.B. in English. His Ph.D. advisor was Dan Boneh. In 2006 and 2007, he was a Koshland Scholars Program postdoctoral fellow at the Weizmann Institute of Science, hosted by Moni Naor. Shacham’s research interests are in applied cryptography, systems security, and tech policy. In 2007, Shacham participated in California Secretary of State Debra Bowen’s “Top-to-Bottom” review of the voting machines certified for use in California. He was a member of the team reviewing Hart InterCivic source code; the report he co-authored was cited by the Secretary in her decision to withdraw approval from Hart voting machines.

Meet The Owner Of a Real Hacked Company - Forensic Investigation

Mark Shelhart
Meet Jimmy,

Jimmy owns a restaurant that was compromised by credit card hackers. Hear his story told by Jimmy, as well as the forensic investigator that worked the case.

We will cover details of what the attacker specifically did, along with EnCase screenshots. We will also let Jimmy talk about what this meant to him, his family, and his business.

Mark Shelhart

Mark Shelhart has over 14 years' experience in Information Security. Mark is the Forensic Practice Manager within Trustwave's SpiderLabs team, focusing his expertise on investigating system and network compromises. Mark's case work involves data security breaches, intellectual property theft and litigation support for businesses, government, and universities worldwide. As a speaker, Mark often presents on current threats and technology seen as part of forensic investigations. Recently, he has presented on behalf of EnCase, Infragard, Tripwire, and VeriFone.


Val Smith, Colin Ames

Track: App Sec 1.0 / 2.0

When penetration testing large environments, testers require the ability to maintain persistent access to systems they have exploited, leverage trusts to access other systems, and increase their foothold into the target. Post-exploitation activities are some of the most labor intensive aspects of pen testing. These include password management, persistent host access, privilege escalation, trust relationships, acquiring GUI access, etc. Penetration testers acquire hashes, crack them, keep track of which passwords go with which usernames / systems and finally reuse this information to penetrate further systems.

This paper will first cover the technical details of these topics as well as some examples of manual methods currently in use during penetration tests. Next we will present some improvements to these techniques and demonstrate some tools we have developed which can be integrated with other popular applications such as Metasploit. We will also demonstrate automated methods for using collected password intelligence to penetrate massive numbers of systems. Finally we will suggest some future directions for this area.

Val Smith

Val Smith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Val Smith founded Offensive Computing, a public, open source malware research project.

Colin Ames

Colin Ames is a security researcher with Offensive Computing LLC, where he consults for both the private and public sectors. He is currently focused on penetration testing, reverse engineering, malware analysis and steganographic research.

How To Impress Girls With Browser Memory Protection Bypasses

Alexander Sotirov, Mark Dowd

Track: App Sec 1.0 / 2.0

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

This talk aims to present exploitation methodologies against this increasingly complex target. We will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

Each of the aforementioned protections will be briefly introduced and its design limitations will be discussed. We will present a variety of techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances. Finally, we will discuss what Microsoft can do to increase the effectiveness of the memory protections at the expense of annoying Vista users even more.

Alexander Sotirov

Alexander Sotirov has been involved in computer security since 1998, when he started contributing to Phreedom Magazine, a Bulgarian underground technical publication. For the past ten years he has been working on advanced exploitation, reverse engineering and vulnerability research. His recent work includes the discovery of the ANI vulnerability in Windows Vista and the development of the Heap Feng Shui browser exploitation technique. Alexander is one of the organizers of the Pwnie Awards. He is currently employed as a security researcher at VMware.

Mark Dowd

Mark Dowd is an expert in application security, specializing primarily in host and server based operating systems. His professional experience includes several years as a senior researcher at ISS, where he uncovered a variety of major vulnerabilities in ubiquitous Internet software. He also worked as a Principal Security Architect for McAfee, where he was responsible for internal code audits, secure programming classes, and undertaking new security initiatives. Mark has also co-authored a book on the subject of application security named "The Art of Software Security Assessment", and has spoken at several industry-recognized conferences.

Deeper Door - Exploiting the NIC Chipset

Sherri Sparks, President, Clear Hat Consulting
Shawn Embleton, CTO, Clear Hat Consulting

Track: Root Kit Arms Race

In this presentation we will discuss a couple of significant problems in existing IDS / firewall technology and present a proof of concept "chipset" level rootkit / network backdoor that is capable of bypassing virtually all host based firewall and intrusion detection software on the market. These, of course, include popular, widely deployed software like Snort and Zone Alarm Security Suite. Our backdoor operates at an even deeper level than previous backdoors (e.g. Joanna's "DeepDoor" rootkit) because it interacts directly with the chipset interface of the NIC hardware. Capabilities include the ability to both covertly send AND receive packets. We use both of these capabilities to implement a simple command and control interface. Implications for security vendors include the exfiltration of sensitive information and delayed detection of malware threats like DDoS attacks, botnets, and worms.

Sherri Sparks is President of the Florida company Clear Hat Consulting, Inc. Currently, her research interests include offensive / defensive stealth code technologies and digital forensics. She has spoken at Black Hat on these topics and has taught the Black Hat Offensive Aspects of Rootkit Technology class. Her published articles have appeared in USENIX ;login:, ACSAC, Security Focus, and Phrack magazine. With an increasing involvement in providing consulting / training services for independent clients, she co-founded the company Clear Hat Consulting, Inc. in early 2007. Clear Hat Consulting specializes in Windows kernel and hypervisor development as it relates to stealth rootkit technology, digital forensics, and other custom software security solutions.

Shawn Embleton is the CTO of the Florida company Clear Hat Consulting, Inc. Shawn spoke at Black Hat in 2006 on the topic of using evolutionary computation for automated vulnerability analysis and co-authored a prototype intelligent fuzz testing tool named Sidewinder. During 2007, Shawn co-taught the Black Hat Offensive Aspects of Rootkit Technology class with Sherri Sparks and co-founded Clear Hat Consulting, Inc. Some of his current interests include hardware virtualization and chipset level rootkit technology.

A Fox in the Hen House (UPnP IGD)

Jonathan Squire

Track: Turbo Talks

Easy is the mantra of consumer devices these days. “Just plug it in and it works. No configuration needed.” All this simplicity hopefully causes one to pause and wonder, how is this possible?

This presentation will demonstrate the dangers of the often overlooked Universal Plug and Play (UPnP) Internet Gateway Device (IGD) profile. UPnP IGD is commonly enabled on modern home cable modem/wireless routers. UPnP IGD allows applications such as games and chat clients to request needed port forwards without the user’s intervention. Many of these routers do not even display these port mappings in their administrative interfaces.

In this presentation we will walk the audience through the simple steps needed to modify the port mappings on a common wireless router and discuss some of the potential attacks that can be performed. Sample code will be demonstrated that dynamically adds and removes port forwarding rules from the router to expose internal services to the internet. This simple attack is performed without any need for authentication and the new forwarding rules generally aren’t visible in the web interface of the router.

Jonathan Squire

Jonathan Squire is a founding member of the Information Security Group of a well known publishing and media company. While working at his day job, Jonathan is credited with accomplishments that include developing an Information Security model for the enterprise, architecting a secure, centralized credit card processing solution, and guiding the design of the security infrastructure deployed throughout many customer facing properties. Mr. Squire is also responsible for providing direction in governance and industry best practices. In his spare time, Jonathan is known to enjoy disassembling any piece of technology that cost more than $20 just to find out what else it can do. This propensity for abusing technology is easily witnessed by viewing the buckets of broken parts strewn throughout his basement as well as the creations that rise from the rubble.

Living in the RIA World: Blurring the Line Between Web and Desktop Security

Alex Stamos, Founding Partner, iSEC Partners

Track: App Sec 1.0 / 2.0

Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant Internet connectivity, they provide a graphical experience equivalent to thick desktop applications with the easy install experience of thin Web apps. They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external security professionals.

Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison between the security models of the leading RIA platforms. We will discuss how current attacks against web applications are changed with RIA as well as outline new types of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze the threat posed to them by RIA applications as either providers or consumers of software built on these new platforms.

We will also be discussing the attack surface exposed by the large media codec stacks contained in each of these platforms. Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. At this talk, we will be releasing tools for testing the codec security of these platforms as well as sample malicious code demonstrating the danger of RIA applications.

Alex Stamos is a Founding Partner of iSEC Partners and is an experienced security engineer and consultant specializing in application security and incident response. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Infragard, Microsoft BlueHat, Toorcon, the Web 2.0 Expo and OWASP AppSec. He holds a BSEE from the University of California, Berkeley, and spends his spare time chasing his baby son and sailing on the SF bay.

Concurrency Attacks in Web Applications

Scott Stender

Track: App Sec 1.0 / 2.0

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.

Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.

Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.

This presentation will provide deep technical background against this class of flaw, enumerate testing techniques that help identify when flaws are present, and demonstrate tools that automate the process.

Scott Stender

Protocols and Encryption of The Storm Botnet

Joe Stewart

Track: Bots & Malware

This talk will provide an in-depth, detailed explanation of how the network and encryption protocols of the Storm botnet work together to create a massive and resilient peer-to-peer network capable of sending billions of spams per day.

Joe Stewart

Joe Stewart is Director of Malware Research with SecureWorks. As a leading expert on malware and Internet threats, he is a frequent commentator on security issues for leading media outlets such as The New York Times, MSNBC, Washington Post, USA Today and others. Joe has presented his security research at many conferences such as RSA, Black Hat, DEFCON, ShmooCon, RECON, Netsec and others.

Xploiting Google Gadgets: Gmalware and Beyond

Tom Stracener

Track: Bots & Malware

Google Gadgets are symptomatic of the Web 2.0 way of things: from lame gadgets that rotate through pictures of puppies to calendars and inline email on your iGoogle homepage. This talk will analyze the security history of Google Gadgets and demonstrate ways to exploit Gadgets for nefarious purposes. We will also show ways to create Gadgets that allow you to port scan internal systems and do various JavaScript hacks via malicious (or useful) gadgets, depending on your point of view. We've already ported various JavaScript attack utilities to Google Gadgets (like PDP's JavaScript port scanner) among other things. We will also disclose a zero day vulnerability in Google Gadgets that makes Gmalware (Gmodules based malware) a significant threat. This talk will be given by Robert Hansen (Rsnake) and Tom Stracener (Strace).

Tom Stracener

Robert "RSnake" Hansen

Robert Hansen is CEO and Founder of SecTheory. Mr. Hansen (CISSP) has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Robert sits on the advisory board for the Intrepidus Group, Just Thrive, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.

Mr. Hansen authors content on O'Reilly, Dark Reading and co-authored "XSS Exploits" by Syngress publishing. He sits on the Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also speaks at SourceBoston, Secure360, GFIRST/US-CERT, Toorcon, APWG, ISSA, TRISC, OWASP/WASC, Microsoft's Bluehat, Blackhat, DefCon and Networld+Interop. Mr. Hansen is a member of Infragard, Austin Chamber of Commerce, West Austin Rotary, WASC, IACSP, APWG, he is the Industry Liaison for the Austin ISSA and contributed to the OWASP 2.0 guide.

Windows Hibernation File for Fun and Profit.

Matthieu Suiche

Track: Deep Knowledge

This presentation aims to describe the Windows hibernation file format and its changes since Windows 2000. Hibernation provides an official way to dump physical memory into a specific file called hiberfil.sys. This file is fully undocumented, and until now there has been no documentation about it.

Matthieu Suiche

Matthieu Suiche is a 19-year-old freelance security researcher. He worked as an intern for EADS, and is currently participating in Google Summer of Code. He has spoken at various events in France for Microsoft and others, and in Japan at PacSec. Matthieu focuses on the following applications of reverse engineering: software security, advanced threat research, malware protection and analysis, and computer forensics. His website can be found at

REST for the Wicked

Bryan Sullivan

Track: Web 2.0

Let's face it: SOAP sucks. Especially when it comes to Web 2.0 applications. Many high-profile web sites have come to this same conclusion: Amazon, MySpace, Yahoo, and others are abandoning SOAP in favor of REST. REST (Representational State Transfer), and particularly REST used in combination with JSON, is faster, more scalable, and easier to implement than SOAP. But, do all these benefits come at the cost of security?
REST can be especially susceptible to attacks like Cross-Site Request Forgery and JavaScript Hijacking; and worse, the usual remediation tactics that developers use to defend their apps against these attacks do not apply to REST services. In this presentation, I will demonstrate threats facing RESTful web services, myth-bust commonly proposed defense techniques, and provide appropriate development practices for defending REST.

Bryan Sullivan

Bryan is a Security Program Manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on web application security topics. His first book, "Ajax Security" was published by Addison-Wesley in 2007.

Inducing Momentary Faults Within Secure Smartcards / Microcontrollers

Christopher Tarnovsky, Flylogic Engineering, LLC.

Track: Hardware

This presentation is intended for individuals with an understanding of the Intel 8051 and Motorola 6805 processor families from an Assembly language perspective. This will be an interactive presentation with the audience.

Log files will be examined that have been taken from the targets (smartcards) at every clock cycle of the CPU during its runtime. We will discuss our possibilities and determine points in time (clock cycle periods) to momentarily induce a fault within the target.

Our goal will be to override the normal behavior of the target for our own use such as

  • Temporary changes: readout of normally private records from the device
  • Permanent changes: change non-volatile memory to create a back-door or completely rewrite the behavior model

Both smartcards contain a Cryptographic co-processor and are known to have been used to secure Data, PCs, laptops and Sun-Ray terminals.

Flylogic Engineering, LLC. specializes in analysis of semiconductors from a security "how strong is it really" standpoint. We offer detailed reports on substrate attacks which define if a problem exists. If a problem is identified, we explain in a detailed report all aspects of how the attack was done, level of complexity and so on. This is something we believe is unique and allows the customer to then go back to the chip vendor armed with the knowledge to make them make it better (or possibly use a different part).

ePassports Reloaded

Jeroen van Beek, Security Consultant

Track: Privacy & Anonymity

In 2006, a cloned ePassport was presented at BlackHat Las Vegas. In 2008, the rumor goes that Elvis is still alive, or at least his passport is. This presentation will examine the different mechanisms used in ePassports to prevent cloning and the creation of electronic travel documents with non-original content, and ways to attack these mechanisms.

Jeroen van Beek is a Security Consultant and Security Researcher with over 6 years of professional experience in network security and penetration testing. In 2007 he presented the world’s first publicly available full-blown cracker for Oracle 11g. vonJeek is a well-known guest speaker at several Dutch universities. Besides security, he likes sleeping, drinking wine, the sun and fast red Italian motorcycles.

Nmap: Scanning the Internet

Fyodor Vaskovich

Track: The Network

The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project.

He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewalls and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided.
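One of the advanced port scanning techniques the talk and the bio refer to is the IPID idle scan, which lets a scanner probe a target without ever sending it a packet from its own address. The following is an added example, not Nmap's code: the hosts, their IP-ID behaviour and the TCP segment model are constructed assumptions. It models the one property the technique depends on, a zombie whose IP-ID counter increments globally on every packet it sends, and shows the scanner reading the port state off that counter: a SYN spoofed from the zombie's address draws a SYN/ACK from an open port, the zombie answers that with a RST and burns one IP-ID (step of 2), while a closed or filtered port leaves the zombie silent (step of 1).

```python
"""IPID idle scan worked through against a constructed network.

Added example, not Nmap's code: the hosts, their IP-ID behaviour and the
segment model are assumptions. The scanner never talks to the target from
its own address; it reads the port state off the zombie's IP-ID counter.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ATTACKER = "203.0.113.7"          # constructed scanner address


@dataclass
class Host:
    ip: str
    open_ports: Set[int] = field(default_factory=set)
    filtered_ports: Set[int] = field(default_factory=set)   # SYNs silently dropped
    ipid: int = 1000
    incremental_ipid: bool = True   # False: stack sends IP-ID 0, useless as a zombie

    def next_ipid(self) -> int:
        if not self.incremental_ipid:
            return 0
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid


class Network:
    """Delivers one segment and lets the addressed host react, including a
    host reacting to a reply that was provoked in its name by a spoofed SYN."""

    def __init__(self, hosts):
        self.hosts: Dict[str, Host] = {h.ip: h for h in hosts}

    def _respond(self, host: Host, src: str, flags: str,
                 port: Optional[int]) -> Optional[dict]:
        if flags == "SYN":
            if port in host.filtered_ports:
                return None                        # dropped by a firewall
            reply = "SYN/ACK" if port in host.open_ports else "RST"
            return {"src": host.ip, "dst": src, "flags": reply,
                    "ipid": host.next_ipid(), "port": port}
        if flags == "SYN/ACK":                     # unsolicited: answer with RST
            return {"src": host.ip, "dst": src, "flags": "RST",
                    "ipid": host.next_ipid(), "port": port}
        return None                                # a RST is absorbed silently

    def send(self, src: str, dst: str, flags: str,
             port: Optional[int] = None) -> Optional[dict]:
        reply = self._respond(self.hosts[dst], src, flags, port)
        if reply is not None and reply["dst"] in self.hosts:
            # The reply goes to the (possibly spoofed) source, which reacts too.
            self._respond(self.hosts[reply["dst"]], reply["src"],
                          reply["flags"], reply["port"])
        return reply


def probe_ipid(net: Network, zombie: str) -> int:
    """Elicit a RST from the zombie and read the IP-ID it stamps on it."""
    return net.send(ATTACKER, zombie, "SYN/ACK")["ipid"]


def zombie_is_usable(net: Network, zombie: str) -> bool:
    """Sanity check before scanning: two probes must show a +1 step."""
    a, b = probe_ipid(net, zombie), probe_ipid(net, zombie)
    return (b - a) & 0xFFFF == 1


def idle_scan(net: Network, zombie: str, target: str, port: int) -> str:
    before = probe_ipid(net, zombie)
    net.send(zombie, target, "SYN", port)   # spoofed source: the scanner never sees the answer
    after = probe_ipid(net, zombie)
    step = (after - before) & 0xFFFF
    if step == 2:
        return "open"
    if step == 1:
        return "closed|filtered"            # indistinguishable from the zombie's side
    return "unknown"                        # zombie was not idle, or IP-ID not incremental


def make_network() -> Network:
    """Constructed lab: one good zombie, one unusable one, one target."""
    return Network([
        Host("192.0.2.10"),                                        # idle, incremental IP-ID
        Host("192.0.2.11", incremental_ipid=False),                # always sends IP-ID 0
        Host("198.51.100.5", open_ports={80}, filtered_ports={443}),
    ])
```

The model deliberately keeps closed and filtered ports indistinguishable, because that is what the real technique sees: from the zombie's point of view a RST and silence look the same. A zombie that is not actually idle, or that uses per-destination or zero IP-IDs as modern stacks do, gives steps other than 1 or 2; real scanners send several probes per port and vote to ride out occasional noise, which this toy omits.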

Fyodor Vaskovich

Fyodor (known to his family as Gordon Lyon) authored the open source Nmap Security Scanner in 1997 and continues to coordinate its development. He also maintains the Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org security resource sites and has authored seminal papers on stealth port scanning, remote operating system detection, version detection, and the IPID Idle Scan. He is a founding member of the Honeynet project and co-author of the books "Know Your Enemy: Honeynets" and "Stealing the Network: How to Own a Continent". His newest book, Nmap Network Scanning, is due for release this year. Fyodor is President of Computer Professionals for Social Responsibility (CPSR), which has been promoting free speech, privacy, and useful technology since 1981.

Iron Chef: Fuzzing Challenge

Jacob West, Fortify Software
Brian Chess, Chief Scientist, Fortify Software
Charlie Miller, Principal Analyst, Independent Security Evaluators
Sean Fay, Lead Engineer, Fortify Software
Geoff Morrison

Track: 0-day

Get ready for the code to fly as two masters compete to discover as many security vulnerabilities in a single application as possible. In the spirit of the Food Network's cult favorite show, Iron Chef, our Chairman will reveal the surprise ingredient (the code), and then let the challenger and the 'Iron Hacker' face off in a frenetic security battle. The guest panel will judge the tools created and used to determine whose hack-fu will be victorious and who will be vanquished.

Remember, our testers have only one hour to complete their challenge and they will be restricted to their respective choice of bug-finding techniques: One team will use static analysis, while the other will employ fuzzing. Watch as the masters wield their weapons of choice. What will they concoct? Who will come out victorious? Which techniques will prove most effective in a high-pressure every-minute-counts environment? Come and see for yourself!

Visit 'Vulnerability Stadium' and watch a fierce battle. Our contestants will have upwards of five minutes to discuss their strategy before the battle begins. The show will be taped live with a studio audience and our co-hosts will provide running commentary, encourage the competitors and judge the results with the audience, based on originality of created tools, presentation of the number of bugs, and creativity of using the tools when searching for vulnerabilities. So Black Hat attendees... with an open application and an empty exploit list, I say unto you in the words of my uncle: Hack This!

Jacob West manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. When he is not in the lab, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

Brian Chess is the Chief Scientist at Fortify Software. His work focuses on practical methods for creating secure systems. Brian draws on his previous research in integrated circuit test and verification to find new ways to uncover security issues before they become security disasters. Brian has his Ph.D. in computer engineering from UC Santa Cruz. Brian has spoken at RSA, USENIX and CSI 2006, among many other industry events.

Sean Fay works at Fortify Software, where he is the lead engineer for Fortify Source Code Analysis. Sean holds a degree in Literature and a degree in Computer Science, both from the Massachusetts Institute of Technology. None of Sean's diverse set of hobbies are suitable for print in a family-oriented publication.

Subverting the Xen Hypervisor

Rafal Wojtczuk

Track: Virtualization

Bluepill and Vitriol are well-known projects that install a malicious hypervisor at run time. Can one achieve the same stealthy backdoor functionality when a legitimate hypervisor is already present, by modifying its code? Such an attempt would face at least the following difficulties:

a) the hypervisor may protect itself against modification in runtime

b) it may be nontrivial to integrate foreign code with the hypervisor

This presentation will demonstrate how to subvert the Xen hypervisor (on the 32-bit x86 platform) to gain backdoor functionality. The following topics will be covered:

a) brief overview of the Xen architecture

b) practical ways to stealthily use DMA to control all physical memory

c) Xen loadable backdoor modules framework: a set of tools that make it easy to load compiled C code into the Xen hypervisor (similar to how Linux kernel modules work)

d) implementation of a backdoor residing in hypervisor space (and therefore invisible from the hosted operating systems), allowing remote command execution

e) implementation of a backdoor residing in a hidden, unprivileged domain, allowing remote command execution in dom0

The code implementing the above will be demonstrated.

Attendees should know the basics of virtualization technologies and Linux kernel internals.

This presentation is the first in a series of three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred to as the “Xen 0wning Trilogy”. The remaining talks are “Detecting and Preventing the Xen Hypervisor Subversions” and “Bluepilling the Xen Hypervisor”.

Rafal Wojtczuk

Rafal Wojtczuk has 10 years of experience in computer security. He has found vulnerabilities in popular operating systems and virtualization software. He has published articles on advanced exploitation techniques, among them exploiting buffer overflows in a partially randomized address space environment. He is also the author of libnids, a low-level packet reassembly library. In July 2008 he joined Invisible Things Lab, the company known for its research in hypervisor security.

Leveraging the Edge: Abusing SSL VPNs

Mike Zusman

Track: The Network

Internet-facing SSL VPNs and open reverse proxies can be abused to perform reconnaissance, data extraction, or general mischief INSIDE the corporate intranet and on SSL VPN clients. Such devices are usually thought to add security to the enterprise network, while the increased client-side attack surface from the mobile code they require (ActiveX/Java) goes ignored.

This presentation will discuss programming and infrastructure flaws permitting abuse of the server, remote code execution on vulnerable clients, as well as appropriate countermeasures.
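The server-side flaw at the heart of the abstract is an edge device that forwards requests to whatever destination the client names, which turns the SSL VPN into a tunnel into the intranet it was supposed to guard. The following is an added example, not code from the talk or from any SSL VPN product. It assumes a request shape in which the edge device reads the upstream destination from a query parameter (`dest`, or `app`/`path` in the fixed variant), a constructed table of published applications, an assumed intranet DNS suffix, and a few constructed access-log lines. It puts the open-proxy version beside the allow-listed one, shows the re-targeting tricks the fixed version has to refuse, and runs a small triage over the log lines to pick out the requests that were probing internal addresses.

```python
"""Open reverse proxy beside an allow-listed one, as an added example.

Not code from the talk or from any SSL VPN product: the request shape (the
edge device takes the upstream destination from a query parameter), the
published-application table, the intranet DNS suffix and the log lines are
all assumptions constructed for illustration.
"""
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

PUBLISHED = {   # assumed: the only applications the portal is meant to front
    "mail": "https://mail.corp.example",
    "hr": "https://hr-portal.corp.example:8443",
}
INTERNAL_SUFFIX = ".corp.example"   # assumed intranet DNS suffix


def upstream_open_proxy(request_url: str) -> str:
    """Vulnerable: forwards to whatever the client puts in ?dest=.

    Any intranet host, port or loopback service becomes reachable from the
    Internet with the edge device's own address as the source."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("dest", [""])[0]


def upstream_allowlisted(request_url: str) -> Optional[str]:
    """Hardened: the client names an application, the proxy owns the host.

    Only a path may be supplied; anything that could re-target the request
    (scheme, authority, backslashes, dot segments) is refused outright."""
    qs = parse_qs(urlsplit(request_url).query)
    app = qs.get("app", [""])[0]
    path = qs.get("path", ["/"])[0]
    base = PUBLISHED.get(app)
    if base is None:
        return None
    parts = urlsplit(path)
    if (parts.scheme or parts.netloc or not path.startswith("/")
            or "\\" in path or ".." in path):
        return None
    return base + path


def classify_destination(url: str) -> str:
    """Where a proxied request would land: 'internal', 'external' or 'invalid'."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    try:
        ip = ip_address(host)
    except ValueError:
        internal = host == "localhost" or host.endswith(INTERNAL_SUFFIX)
        return "internal" if internal else "external"
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"


# Constructed access-log lines: reconnaissance through the open proxy as it
# appears in the edge device's own request log.
SAMPLE_LOG = [
    "GET /proxy?dest=http://10.0.0.5:8080/admin HTTP/1.1",
    "GET /proxy?dest=http://intranet.corp.example/ HTTP/1.1",
    "GET /proxy?dest=http://127.0.0.1/status HTTP/1.1",
    "GET /proxy?dest=https://www.example.org/ HTTP/1.1",
]


def internal_destinations(log_lines: List[str]) -> List[str]:
    """Triage: the proxied destinations that point inside the perimeter."""
    hits = []
    for line in log_lines:
        request_path = line.split(" ")[1]
        dest = upstream_open_proxy("https://vpn.example.com" + request_path)
        if dest and classify_destination(dest) == "internal":
            hits.append(dest)
    return hits
```

The fixed version never lets the client choose a host at all; it maps a short application name to a URL the operator controls and accepts only a bare path, rejecting protocol-relative (`//host/`), absolute-URL, backslash and dot-segment forms that would otherwise steer the request elsewhere. The triage function is the defender's side of the same flaw: if a `dest`-style parameter exists in the logs, counting how many of its values resolve to private, loopback or intranet names is a quick way to tell whether the device has already been used for reconnaissance.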

Mike Zusman

Mike Zusman is a Senior Consultant for the Intrepidus Group. Prior to joining Intrepidus Group, Mike held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect and developer at a number of smaller firms. In addition to his corporate experience, Mike is an independent security researcher and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other clients. Mike has also founded a number of successful entrepreneurial ventures, including Global Uplink Solutions Incorporated (hosting division acquired by Flare Technologies in 2005) and Dish Uplink LLC, a leader in satellite TV subscription activations in the US. Mike holds the CISSP certification.

1997-2009 Black Hat ™