In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.
Ian Angell has been Professor of Information Systems at the London School of Economics since 1986. Prior to that he researched and taught Computer Science at Royal Holloway College, and University College London.
Angell has very radical and constructive views on his subject, and is very critical of what he calls the pseudo-science of academic Information Systems. He has gained a certain notoriety worldwide for his aggressive polemics against the inappropriate use of artificial intelligence and so-called knowledge management, and against the hyperbole surrounding e-commerce.
His main research work concentrates on organizational and national I.T. policies, on strategic information systems, and on computers and risk (both opportunities and hazards), particularly the systemic risks inherent in all socio-technical systems and the security threats posed to organisations by the rapidly diffusing international information infrastructure.
Combining UEFI with hypervisors paves the way for a new class of vulnerability. We will present a discussion and demonstration of the threat and opportunity that UEFI-based hypervisors pose to and for system security. The emerging support for UEFI in commodity OSes (Microsoft Vista SP1) makes a rich set of pre-OS capabilities possible. The advent of processors that support virtualization in silicon over the past few years has made high-performing commodity hypervisors a reality. We will discuss and demonstrate loading a hypervisor via the pre-OS features of UEFI.
Don Bailey
Don is founder and CEO of Hypervista Technologies (http://hypervista-tech.com), a Northern Virginia company focused on providing hypervisor-based security solutions. Prior to founding Hypervista, Don spent 25 years at CIA developing, managing and deploying cutting-edge technical systems. Don has been a keynote speaker at the annual multi-national conference sponsored by NSA. Don has also presented at CIA's Emerging Technologies Conference. Don has spent the past three years developing a custom lightweight hypervisor and a runtime hypervisor debugger.
Martin Mocko
Born 8th Jan 1986 in Myjava, Slovakia. Areas of expertise: system-level C/Asm development, machine code manipulation (x86, ARM), reverse engineering. Experience: 10 years independent C/Asm development and reverse engineering; 3 years copy protection; 1 year virtualization.
Rod Beckström is the Director of the National Cyber Security Center (NCSC) in the U.S. Department of Homeland Security and reports to Secretary Michael Chertoff.
Rod co-authored The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations that presents a new model for analyzing organizations, leadership style and competitive strategy. He has co-authored three other books including one on Value at Risk (VAR), a fundamental theory of financial risk management now used to regulate banking globally.
As an entrepreneur Rod started his first company when he was 24 in a garage apartment and subsequently grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles and Hong Kong. The company, CAT•S Software Inc., went public and was later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of advisors and directors, respectively.
Rod also co-founded Mergent Systems with Dr. Amos Barzilay and Assistant Professor Michael Genesereth of the Stanford Graduate School of Computer Science. Mergent was a pioneer in inferential database engines and was sold to Commerce One for $200 million. He also co-founded TWIKI.NET, a company offering service and support for an open source wiki and collaboration software system.
From 1999 to 2001 Rod served as the Chairman of Privada, Inc. Privada was a pioneer in technology to enable private, anonymous and secure credit card transaction processing over the internet.
Rod has helped to start numerous non-profit groups and initiatives. In 2003 he co-founded a peace network of CEOs which initiated Track II diplomatic efforts between India and Pakistan. This group took symbolic actions which led to opening the borders to citizens and trade, and contributed to ending the most recent Indo-Pak war. He serves on the boards of the Environmental Defense Fund and the Jamii Bora Trust (micro-lending) in Africa.
Rod graduated from Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland.
This paper will detail the newest developments in RE:Trace, a reverse engineering framework based on Ruby and DTrace. We will discuss implementations for walking and searching the heap on OS X, tracing for kernel and driver vulnerabilities, pinpointing format string bugs and leveraging custom application probes, such as those built into browser and database software.
Tiller Beauchamp
Tiller Beauchamp works as a senior security consultant for SAIC providing security auditing services to large commercial, state and DoD customers. His areas of expertise include network penetration testing, web application security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer Science from the University of Oregon with a specialization in software engineering. He has worked as the lead developer for Team Defend, SAIC's portable computer and network defense exercise. Beauchamp is also responsible for maintaining the company's penetration toolkit and penlab.
David Weston
David Weston is a Security Engineer in the Windows Experience team at Microsoft. He is an experienced security researcher and has discovered vulnerabilities in software from Microsoft, Immunity, and the Defense Information Systems Agency. He has an undergraduate degree from the University of California at Santa Barbara and is currently pursuing a graduate degree with a research emphasis on vulnerability exploitation.
Recently, the Debian project announced a vulnerability in the OpenSSL package it had been distributing for the last two years. This bug makes the PRNG predictable, affecting the keys generated by openssl and every other system that uses libssl (e.g. openssh, openvpn). We will talk about this bug, its discovery and publication, its consequences, and exploitation. We will also demonstrate some exploitation tools.
Luciano Bello
Luciano Bello is an Engineer (Information Systems) and works as a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina. He has been a Debian Developer since 2007.
Maximiliano Bertacchini
Maximiliano Bertacchini is a PhD student in Computer Engineering at ITBA (Technological Institute of Buenos Aires). He is a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina.
The legal community is slowly accepting that the changes to the Federal rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.
The changes to the Federal Rules change the way in which individuals and organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.
More frightening for individuals doing security research is the fact that these rules apply to the one-man research operation in the same way as to the multimillion-dollar conglomerate.
This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to) and will empower attendees with the knowledge they need to deal with this new legal environment.
John Benson currently works as an Electronic Discovery Consultant for a large Midwestern law firm. A graduate of the University of Missouri from both Columbia and Kansas City campuses, he is a member of the Missouri Bar Association and serves as the Chairman of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee. He has taught law, ethics and (oddly enough) finance as an adjunct professor at The Colorado Technical University. In 2008 he founded the Cowtown Computer Congress, a hackerspace and umbrella organization for the advancement of user-driven technology activities in Kansas City. He has presented at hacker cons around the country including LayerOne, Pumpcon, Shmoocon and DEFCON. He can be found on the DEFCON boards and assisting with radio communications at DEFCON. His website can be found at http://www.john-benson.com.
In order to identify malicious activity, Host-based Intrusion Detection Systems often monitor the system calls emitted by a process, and then compare them to a pre-constructed model of normal behavior. The model can either be learned during a training session, or manually written by the user. Alas, the former suffers from false positives, and therefore repeatedly requires user intervention, and the latter is tedious and demanding.
In this talk we present an automated, zero-false-alarm, white-box approach that effectively targets 0-day code injection exploits:
By statically analyzing an application's source/object code, we build its control flow graph (CFG), which is then used by the kernel to verify the legitimacy of the issued system calls and their order. This method enjoys the powerful property of provably zero false positives, since a deviation from a (non-self-modifying) program's CFG can only be explained as an intrusion.
We present Korset, an Open Source Linux prototype which implements this approach via:
We have successfully used Korset to automatically construct CFGs for the entire GNU C library, and demonstrated its ability to block buffer overflow attacks.
Korset introduces a viable IDS methodology that can stop future, or publicly-unknown exploits. Furthermore, run time performance measurements of Korset show negligible overheads.
In collaboration with Avishai Wool, Tel-Aviv University.
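A user-space sketch of the check described above, added here as an example (it is not Korset's code): the automaton and the traces are constructed stand-ins for a statically derived syscall model and for a real process's trace.

```python
"""Verifying a syscall trace against a statically derived model.

Constructed illustration (not Korset's code) of the check Korset performs
in the kernel: a program's control-flow graph is reduced to an automaton
over the system calls it can emit, and any call the automaton cannot
explain is treated as an intrusion. The automaton below is hand-written
to stand in for what static analysis would generate.
"""
from typing import Dict, List, Optional, Set, Tuple

# state -> {syscall name: set of successor states}.
# Nondeterministic by design: at a branch the static CFG cannot know which
# path the program will take, so a syscall may lead to several states and
# the verifier tracks all of them until later calls disambiguate.
Automaton = Dict[str, Dict[str, Set[str]]]

# Constructed model of a toy accept loop:
#   socket, bind, listen, then repeatedly accept/read/[write]/close, then exit_group
MODEL: Automaton = {
    "start": {"socket": {"s1"}},
    "s1": {"bind": {"s2"}},
    "s2": {"listen": {"s3"}},
    "s3": {"accept": {"s4"}, "exit_group": {"end"}},
    "s4": {"read": {"s5", "s6"}},          # branch: error path (s5) or reply path (s6)
    "s5": {"close": {"s3"}},               # read failed: close without replying
    "s6": {"read": {"s5", "s6"}, "write": {"s7"}},
    "s7": {"close": {"s3"}},
    "end": {},
}


def step(model: Automaton, states: Set[str], call: str) -> Set[str]:
    """All states reachable from `states` by emitting `call`."""
    nxt: Set[str] = set()
    for st in states:
        nxt |= model.get(st, {}).get(call, set())
    return nxt


def verify(model: Automaton, trace: List[str],
           start: str = "start") -> Tuple[bool, Optional[int], Optional[str]]:
    """Return (accepted, index_of_first_deviation, offending_syscall).

    With a model that covers every path of a non-self-modifying program,
    a rejection cannot be a false positive: the program has no path that
    emits this call at this point.
    """
    current = {start}
    for i, call in enumerate(trace):
        current = step(model, current, call)
        if not current:
            return False, i, call
    return True, None, None


def allowed_next(model: Automaton, prefix: List[str],
                 start: str = "start") -> Set[str]:
    """Syscalls the model would accept after `prefix` (useful in an alert)."""
    current = {start}
    for call in prefix:
        current = step(model, current, call)
    return {c for st in current for c in model.get(st, {})}


# Constructed traces: a normal run, and one where injected code calls execve
# right after a read, which no path of the modelled program does.
NORMAL_TRACE = ["socket", "bind", "listen", "accept", "read", "read", "write",
                "close", "accept", "read", "close", "exit_group"]
INJECTED_TRACE = ["socket", "bind", "listen", "accept", "read", "execve"]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("injected", INJECTED_TRACE)):
        ok, idx, call = verify(MODEL, trace)
        if ok:
            print(f"{name}: trace accepted")
        else:
            print(f"{name}: deviation at call #{idx} ({call}); "
                  f"model expected one of {sorted(allowed_next(MODEL, trace[:idx]))}")
```

The zero-false-positive guarantee holds only as far as the model is complete; a hand-written automaton like this one would miss legitimate paths that static analysis of the real binary would include.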
Ohad Ben-Cohen
Ohad Ben-Cohen is a Linux Kernel developer and consultant, bringing years of Information Security expertise and Free / Open Source Software know how. His recent Open Source work includes writing the Bluelink Linux driver, Bluetooth power management support for the OMAP2430 kernel and the Linux port of TI's FM and Bluetooth stack. He teaches System Programming at Tel-Aviv University, where he conducts his research and develops Korset.
Quantum mechanics makes possible some things that are impossible in the "classical" world of ordinary experience, and which even seem to contradict common sense. Some of these spooky effects are coming into practical use in security applications. The Quantum Spookshow of the National Institute of Standards and Technology (NIST) and the National University of Singapore (NUS) demonstrates quantum cryptography and quantum entanglement on a four-node quantum network, which supports quantum-encrypted streaming video and violations of local realism. Participants are encouraged to interact with the light beams that constitute the physical link of this network, and to meet physicists who have designed and built quantum networks. Quantum mechanics provides methods of encryption that are secure from eavesdropping attacks against the quantum channel, but in any actual system there are points of vulnerability, e.g. correlations of classical noise in the operation of quantum elements. Participants will have a chance to discover vulnerabilities by hands-on interaction with our systems. Dr. Joshua Bienfang will give a Turbo Talk on quantum encryption at Black Hat at 4:45 p.m. on Thursday, August 7. This demo will run from 1330 to 1930 on Wednesday and from 1200 to 1800 on Thursday in the Turin Room, located on the Third Floor. For further information, see http://havephotonswilltravel.com
Joshua Bienfang
Wireless devices that speak 802.11a/b/g differ, among other things, in their responses to non-standard and malformed frames. We show that these differences can suffice to distinguish between APs and other devices from different vendors, and will demo a tool that fingerprints APs by their responses to such frames. Our method is active and therefore "noisy", but works (unlike other previously presented fingerprinting methods) without either establishing or observing established associations. We also explore timing characteristics of the responses to refine our fingerprint.
Our tool can be used as a prelude to any other interaction with an AP when one wants to assure that it is what it claims to be. It will be useful when one does not trust the suspicious AP (or one's own driver/OS) enough even to engage in a cryptographic exchange to authenticate it. It will also serve as a cautionary tale for the designers of future wireless L2 protocol implementations.
This is joint work with Daniel Peebles and Cory Cornelius (Institute for Security Technology Studies, Dartmouth College).
Sergey Bratus
Sergey Bratus is a Senior Research Associate at the Institute for Security Technology Studies at Dartmouth College. His current research focus is on applications of data organization and other AI techniques to log and traffic analysis. His other interests include Linux kernel security (kernel exploits, LKM rootkits and hardening patches to various security policy mechanisms) and wireless networking. Before coming to Dartmouth, he worked on statistical learning methods for natural text processing and information extraction at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.
SmartCards are commonly used for authentication, or for securing e-mails or transactions. The concept armors crypto functions within a tamper-proof architecture. Software cannot be protected by software, and this paradigm forces the need for secure devices. But how does it work? How does a Windows computer communicate with the SmartCard device? Can hackers inject malware in between the communication? This presentation addresses these items. The Compass Security APDU debugger allows you to halt, alter and intercept APDU commands and disclose hidden secrets. The APDU debugger is part of the presentation.
Ivan Buetler co-founded Compass Security AG Switzerland in February 1999 where he works as a Security Analyst and Managing Director. Additionally, Ivan works as a teacher with both the University of Applied Sciences Rapperswil and Lucerne University of Applied Sciences and Arts. He is also the author of various publications on IT and internet security. In his spare time he heads up the annual Hack&Learn Wargames Switzerland.
This work introduces an approach to detect hardware-assisted virtualization malware different from currently developed techniques. It uses hardware capabilities of an embedded microcontroller inside chipset's north-bridge to detect virtualization malware, and to go beyond detection and remove it from the system. We will discuss advantages and other potential applications of the approach, possible attacks evading detection and solutions.
This talk will also include a demo of DeepWatch, a proof of concept detector of VT-x based virtualization rootkits implemented in north-bridge firmware.
Yuriy Bulygin so enjoyed watching the Chernobyl Nuclear Power Plant burn at age 7 that he decided to learn how things work and why they fail. Yuriy received his Masters in Applied Math and Physics while attempting to hack the physics of Jupiter's atmosphere, which appeared to be too far from the Earth. He then received his Ph.D. in Crypto from Moscow Institute of Physics and Technology (Phystech) in Russia. Yuriy works for Intel's Security Center of Excellence where he leads security analysis and pen-testing of Intel hardware/software and teaches secure coding to Intel engineers. He is also a core member of Intel PSIRT. Prior to joining Intel, Yuriy was a member of the technological research team at Kaspersky Lab in Russia.
Adobe FLEX with BlazeDS offers developers a streamlined application development paradigm, letting them create rich Internet applications with little exertion. As always, though, ease of implementation often results in incomplete engineering. In this presentation Jacob Carlson and Kevin Stadmeyer offer their assessment of the FLEX and BlazeDS application architectures as well as a detailed examination of the Action Message Format version 3. We will provide developers and administrators clear examples of how to do things wrongly, how to do them rightly and explain exactly how each component works internally.
Jacob Carlson
Jacob Carlson has been a professional security researcher, consultant and developer for over 10 years. His experience includes application assessment, reverse engineering, hostile binary analysis, exploit development, architecture review and penetration testing. He has presented at conferences and private training engagements across Europe and the United States and was a co-author of "Internet Site Security", published by Addison-Wesley in 2002. He is a Project Lead in the Trustwave development team and spends an unhealthy portion of his free time performing protocol and binary analysis.
Kevin Stadmeyer
Kevin Stadmeyer has been a security researcher and consultant for the last 5 years. He has worked on a variety of applications over those years across all major industries. His expertise is in application assessment, application-layer protocols analysis and penetration testing as well as developer training and a variety of fine English gins. Kevin works for Trustwave in the SpiderLabs Application Penetration Testing team.
It has been more than three years since Michael Lynn first demonstrated a fully interactive shell code at Blackhat 2005 for Cisco's proprietary Internetworking Operating System (IOS). However, due to the legal obligations imposed by Cisco and ISS, the technical information surrounding this research could not be revealed in greater detail, which stifled continued security research in this area. The presentation will cover significant advances in IOS shell code development and looks at its subsequent impact on modern day routing infrastructure. IOS specific payloads including bind shell, reverse shell, 2 byte shell codes and bypassing the check heaps process in IOS 12.4 shall all be covered from both a practical and theoretical standpoint as well as a detailed overview of IRM's techniques used to develop these payloads. Furthermore, building a complete IOS debugging environment and identifying new attack vectors will also be covered in the presentation, allowing researchers to establish a fully working environment to develop IOS specific code, execution payloads, memory resident backdoors and to conduct vulnerability research on Cisco embedded devices.
Gyan Chawdhary
Gyan Chawdhary is a Senior Consultant heading up the Embedded Systems Center of Excellence at IRM's European Technical Centre in the UK. He is a key member of IRM's Code Auditing & AP team and performs a range of consultancy services which include code auditing, software security and vulnerability assessments. With over 9 years of experience in Information Security, Gyan's experience includes a broad range of market verticals with specialization in the financial services space. Prior to joining IRM, Gyan was a Managing Consultant at Mahindra British Telecom, where he was involved in establishing and managing MBT's Vulnerability Assessment Centre and conducting research and product assessments for various in-house and commercial applications.
Varun Uppal
Varun Uppal is a Senior Consultant at Information Risk Management Plc where he heads the Application Risk Assessment and Code Review Centers of Excellence. With an experience spanning over 5 years and a gamut of verticals, Varun has worked on a variety of commercial and non-commercial research engagements covering areas such as high speed messaging protocols, embedded devices and application risk modeling. Prior to IRM Plc, Varun designed and implemented the application security practice at Kanbay (Capgemini, Financial Services SBU), where he consulted to clients from the financial vertical.
Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.
Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.
This talk will discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to come next out of Russia/China/wherever. It includes a live demo of a "weaponized" proof of concept SQL injection worm.
Justin Clarke
Justin is a Principal Consultant with Gotham Digital Science. He is the co-author of "Network Security Tools" (O'Reilly, 2005), a contributing author to "Network Security Assessment" (O'Reilly, 2007), and has spoken at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years of security testing and consulting experience in network, application, source code and wireless testing work for some of the largest commercial and government organizations in the United States, United Kingdom, and New Zealand. Justin is active in developing security tools for penetrating and defending applications, servers, and wireless networks (e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything alone without at least trying to see how it works.
The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency - the administration that will take office in January 2009. The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure. Hear what is going on with this Commission, ask questions, and provide input on what you think should be addressed at a Presidential level for the next administration.
Michael Assante
Michael J. Assante, a recognized security and infrastructure protection visionary and new product development leader, brings a powerful combination of leadership/domain experience, technological vision and strategy development to the Idaho National Lab (INL). He was selected by his peers as the winner of Information Security Magazine's 2007 Security 7 leadership award for his efforts as a "strategic thinker".
Prior to assuming his strategic leadership position at INL, Mr. Assante was a vice president and Chief Security Officer at American Electric Power, the largest generator of electric power in the US, serving 5 million customers in eleven states. He provided leadership, and developed and implemented strategies to enhance security and business continuity for AEP; he was also responsible for protecting and maintaining corporate facilities, critical operating assets and property; and he ensured the security and continued preservation of all corporate information and proprietary data and the technology that supports it. He was selected for outstanding contribution at the RSA 2005 Conference and awarded the outstanding achievement in the practice of security within an organization. He has been recognized by SC Magazine among all Chief Security Officers as one of two finalists for the global 2005 awards as CSO of the year. He was selected as a finalist for Information Security Executive of the Year of the Midwest in 2005. In 2003, Mr. Assante was awarded the best governance program award ("The Best of the Best – Best Governance Program," Information Security Magazine, December 2003) for the establishment of an enterprise executive security committee.
Prior to assuming a vice president's position as Chief Security Officer at AEP, Mr. Assante, as a reserve naval intelligence officer, filled a critical position at the National Infrastructure Protection Center. In 1997, Mr. Assante was named a Naval Intelligence Officer of the Year. In 2002 Assante was selected as one of Columbus Ohio's Top 40 people under 40.
Jerry Dixon
Jerry Dixon is currently the Director of Analysis for Team Cymru and serves as Infragard's Vice President for Government Relations; he is the former Executive Director of the National Cyber Security Division (NCSD) & US-CERT of the Department of Homeland Security. He currently serves as a member of the CSIS Commission on Cyber Security for the 44th Presidency and a member of the Advisory Board for Debix, an Identity Theft Protection Company.
During his time at Homeland, Jerry led the national effort to protect America's cyber infrastructure and identify cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.
Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the operational cyber security capability for the IRS and developed its ability to detect and respond to security attacks in order to protect American taxpayers' private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.
Tom Kellermann
Tom Kellermann is responsible for building Core's relationships with key industry and government partners, and helping further the acceptance of auditing security defenses to reduce organizations' operational risk.
Additionally, Kellermann represents Core at US, international and industry security working groups, helping these organizations promote improved security practices and policies. Specifically, Tom is a Commissioner and Chair of the Threats Working Group on The Commission on Cyber Security for the 44th Presidency. Tom also serves as the Chair of the Technology Working Group for the Financial Coalition Against Child Pornography.
Tom Kellermann formerly held the position of Senior Data Risk Management Specialist on the World Bank Treasury Security Team. Tom was responsible for cyber-intelligence and policy management within the World Bank Treasury.
Tom regularly advised central banks around the world on their cyber-risk posture and layered security architectures.
Along with Thomas Glaessner and Valerie McNevin, he co-authored the book E-safety and Soundness: Securing Finance in a New Age and the White Paper, E-security: Risk Mitigation in Financial Transactions. Tom is also the author of numerous World Bank white papers on cyber security: Mobile Risk Management, The Digital Insider, Phishing in Digital Streams, Bots: Cyber Parasites, Zero Day, and Money Laundering in Cyberspace. See: http://www.worldbank.org/finance/esecurity
Tom is an active member of the IP Governance Task Force, The National Consumer League's Anti-Phishing Working Group, The New York Chapter of Infragard, the IPv6 Forum and is an active member of the American Bar Association's working group on Cyber-crime. Tom is a Certified Information Security Manager (CISM).
Marcus Sachs
Marcus Sachs is a member of the CSIS Commission on Cyber Security for the 44th Presidency and since 2003 has volunteered as the director of the SANS Internet Storm Center. He is a retired US Army officer, a former Presidential appointee to the staff of the National Security Council, and was part of the original cadre of DHS' National Cyber Security Division in 2003. He currently works at Verizon as an Executive Director of Government Affairs for National Security Policy. Prior to joining Verizon in 2007 he was the deputy director of SRI International's Computer Science Laboratory.
Amit Yoran
Amit Yoran led the management buyout of NetWitness from ManTech in 2006 and serves as the Chairman and CEO. Prior to NetWitness, he was appointed as Director of the National Cyber Security Division of Homeland Security, and as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. Formerly Mr. Yoran served as the Vice President of Worldwide Managed Security Services at the Symantec Corporation. Mr. Yoran was the co-founder of Riptech, a market-leading IT security company, and served as its CEO until the company was acquired by Symantec in 2002. He served as an officer in the United States Air Force in the Department of Defense's Computer Emergency Response Team.
For decades hex was the common tongue of reverse engineers and forensic analysts, but we can do better. Hex editors are the Swiss Army knives of low level analysis and have evolved significantly, but are now at a local maximum. With the tiny textual window hex provides, it is difficult, if not impossible to understand the big picture context and inner workings of binary objects - files, file systems, process memory, and network traffic. While there are helpful tools to analyze the special case of executable files, little work exists to help address the general case of _all_ types of binary objects. This talk presents visual approaches to improve the art and science of forensic analysis, diffing, and reverse engineering, both in the context independent case where little is known about the raw structure of the binary data and at the semantic level where external knowledge can be used to inform analysis. Two open source visual analysis tools, each with a different perspective on visual reverse engineering and forensics, will be demonstrated and released, as well as a comprehensive survey of security visualization systems. If you read hex, you should attend this talk.
Greg Conti
Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.
Erik Dean
Erik Dean is a research programmer at the United States Military Academy and a graduate of the Rochester Institute of Technology. His research includes forensic analysis, information visualization, and construction of offensive and defensive information warfare training systems and networks.
Over the last few years, OS X has captured much attention in the security industry. Techniques in shellcode development, exploits, etc. have been widely publicized and spoken on, yet the subject of covertly maintaining access once gained has not been adequately covered.
This talk will build on previous rootkit research, applying rootkit and kernel subversion techniques from the Windows, Linux and BSD worlds to Apple's OS X operating system as well as taking advantage of some of the unique features of OS X. It will detail topics such as: Introducing code into the XNU kernel (Basic KEXT development), Hooking, Direct Kernel Object Manipulation, Patching Running Kernel Memory, etc. It will cover some of the pitfalls encountered while developing rootkits for OS X and how to overcome them.
Finally, we will combine these techniques and demonstrate a useful PoC rootkit which can form the foundation for your own real-world rootkit.
Jesse D'Aguanno
Jesse "x30n" D'Aguanno is a Security Researcher and Software Engineer who has been involved in the security industry and "underground" for over 10 years. As a software engineer he has contributed to numerous open source and commercial projects. As a researcher, he has written and published many papers and proof of concept tools. His current research interests are primarily focused on binary reverse engineering, anti-forensics, exploit development and network attack. He is a frequent presenter at different industry conferences and events. By day he works as the Director of Professional Services and Research for Praetorian Global, a security services company in California. In his "spare" time, he is the team captain for Digital Revelation, a security think tank best known as the two-time winners (and almost annual participants) of Defcon CTF.
As more security features and anti-exploitation mechanisms are added to modern operating systems, attackers are changing their targets to higher-level applications. In the last few years, we have seen increasing targeted attacks using malicious Office documents against both government and non-government entities. These attacks are well publicized in the media; unfortunately, there is not much public information on attack details or exploitation mechanisms employed in the attacks themselves. This presentation aims to fill the gap by offering:
(1) A brief overview of the Office file format.
(2) In-depth technical details and practical analytical techniques for triaging and understanding these attacks.
(3) Defensive mechanisms to reduce the effectiveness of the attacks.
(4) Forensic evidence that can help trace the attacks.
(5) [If we have time] Static detection mechanisms for these vulnerabilities (i.e., how to write virus signatures for these vulns).
(6) Techniques to help detect these attacks on the wire.
(7) A surprise. :)
Bruce Dang
I do vulnerability analysis in the Secure Windows Initiative (SWI) Group.
For many years hackers have been reversing code, scanning source, fuzzing applications, and crafting lethal exploits. It's time for security researchers, consultants, testers, and administrators to freshen up their skills by walking back through the computer science fundamentals of these techniques. This is a Deep Knowledge lecture series intended to bring newbs up from the ground, and to hone and challenge pros that have been at it for a while. Bring your Red Bull as former professor DeMott walks through the 6 lectures that he designed for his security class.
Jared DeMott
Jared DeMott is a security researcher for Crucial Security, frequent speaker, former teacher, and just this summer a first time author (fuzzing book with Takanen and Miller). He has been deeply involved in the security community since he started coming to BlackHat in 2000. Jared is probably best known for the fuzzing tool, GPF, which he released in 2005.
This talk will expose the tools and tactics used in the phishing underground. What started as a simple examination of phishing sites turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers.
Follow us as we track real life phishers hiding in the shadiest corners of the Internet, analyze the tools used by phishers, determine if these phishers are really the Einsteinian Ninja Hackers the media portrays them to be, uncover how phishers phish other phishers, and discover the sites where real life identities are being bought and sold.
Nitesh Dhanjani is an actual reincarnation of Dawkins' Spaghetti Monster. Nitesh Dhanjani is also a rare type of Blowfish that is poisonous to phishermen across the world. Once netted, Dhanjani's poison quickly disables the phishermen and spreads to their prized lines and lures. Currently, only two individuals, namely Chuck Norris and Bruce Schneier, are known to handle this toxic poison without fear of death.
Billy Rios lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.
A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's Ida Sync provided a first step towards automated collaboration among Ida users; however, Ida Sync suffers from several shortcomings, including the fact that it has failed to keep pace with the evolution of Ida's internal architecture. In this presentation, the authors present a new tool titled collabREate, designed to bring nearly effortless collaboration to Ida users. The talk will include discussion of the IDA API and the ways in which it facilitates collaboration, along with the ways in which it hinders collaboration. The design of a robust server component, responsible for managing projects and connected clients, will also be discussed, along with a number of capabilities beyond simple collaboration that are enabled via the collabREate architecture.
Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 23+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Toorcon, CodeCon, and Shmoocon and is the author of the upcoming "The IDA Pro Book". In his spare time he heads up the Sk3wl of r00t CTF team and can be found pulling all-nighters at Defcon.
Tim Vidas is a Research Associate in the Computer Science Department at the Naval Postgraduate School (NPS). His current primary research focuses around high assurance trusted computing, but interest also strays to digital forensics, reverse engineering, and the like. He maintains several academic affiliations and has previously spoken at conferences such as Shmoocon, CanSecWest, DC3 and HTCIA. In his free time he toys around with digital forensics competitions, CTF exercises, and any other interesting looking challenges.
Virtualization rootkits have been a hot topic for the past couple of years. In this talk, we will discuss a new type of malware with potentially even greater stealth: the System Management Mode (SMM) Rootkit. System Management Mode, a relatively obscure mode on Intel processors, provides an isolated memory and execution environment. SMM code is invisible to the Operating System yet retains full access to host physical memory and complete control over peripheral hardware. We will demo a proof of concept SMM rootkit that functions as a chipset level keylogger. Our rootkit hides its memory footprint, makes no changes to the host Operating System, and is capable of covertly exfiltrating sensitive data across the network while evading essentially all host based intrusion detection systems and firewalls.
Shawn Embleton is the CTO of the Florida company, Clear Hat Consulting, Inc. Shawn spoke at Black Hat in 2006 on the topic of using evolutionary computation for automated vulnerability analysis and co-authored a prototype intelligent fuzz testing tool, named Sidewinder. During 2007, Shawn co-taught the Black Hat Offensive Aspects of Rootkit Technology class with Sherri Sparks and co-founded Clear Hat Consulting, Inc. Some of his current interests include hardware virtualization and chipset level rootkit technology.
Sherri Sparks is President of the Florida company, Clear Hat Consulting, Inc. Currently, her research interests include offensive / defensive stealth code technologies and digital forensics. She has spoken at Black Hat on these topics and has taught the Black Hat Offensive Aspects of Rootkit Technology class. Her published articles have appeared in Usenix ;login:, ACSAC, Security Focus, and Phrack magazine. With an increasing involvement in providing consulting / training services for independent clients, she co-founded the company Clear Hat Consulting, Inc. in early 2007. Clear Hat Consulting specializes in Windows kernel and hypervisor development as it relates to stealth rootkit technology, digital forensics, and other custom software security solutions.
Learn how to breathe new life into your old web application zero-day syntax attacks. Even learn how to alert(document.cookie) with new-found panache.
By properly encoding, double-encoding, and triple-encoding, or by utilizing newer, undocumented transcoding attacks, it is possible to bypass many common web application security controls to successfully exploit the target parser.
Most importantly: These attacks are being used in the wild, right now, today. Starting in February 2008 the first double-encoded, layer mass SQL Injection attacks were discovered in the wild. As of May 1st they have compromised over 600,000 websites.
This presentation will discuss how these attacks work:
+ from creation;
+ to exploit;
+ to dependencies;
+ what software they target.
Finally we will demonstrate how to resolve these issues through modern software design and coding practices.
Arian Evans
Arian Evans is the Director of Operations at WhiteHat Security, leading a team of security engineers assessing over 600 production websites. Arian has worked at the forefront of Web application security for more than 10 years. His global projects include work with the Center for Internet Security, NIST, the FBI, the Secret Service, and many commercial organizations on Web application security and hacking incident-response. Arian consistently researches and discloses new attack techniques and vulnerabilities in Web application software, including commercial platforms like Cisco and Nokia. He designed the first public Web application firewalls (WAFs) with transparent anti-CSRF and anti-XSS protection (Paraegis & Razorwire PoCs in 2004 and 2005). Previously, Arian built and led the Application Security Practice at FishNet Security. Prior to FishNet Security, Arian had extensive experience building, testing, and performing forensics on ecommerce and financial services software. Arian is a frequent speaker at industry conferences including Black Hat, OWASP, RSA, and WASC events, and was also a contributing author for "Hacking Exposed: Web Applications." Arian also likes combining mountains, mistresses, martinis, and motorcycles. Especially race V-twins that go "braap".
This year's presentation will once again feature Simple Nomad as the defendant, a "l33t" hacker who frequently posts to a blog run by a journalist who investigates cases of identity theft and exposure of personal information. On one particular thread, our defendant claimed to have a zero-day exploit that could break through any social networking site. He is challenged by an undercover Federal Agent, going by the handle of "Mudge" to put up or shut up by demonstrating the exploit on a social networking site owned by Mudge known as "MyFace."
In actuality, the MyFace "site" is a honeynet Virtual Machine (VM) that is on a VM server that hosts about a dozen honeynets for other cases that Mudge is not involved in. Not only does Simple Nomad break the security of the MyFace site, in a moment right out of the Matrix, he breaks out of the VM and sees all the other VMs on the server.
This is not good for Mudge.
The other undercover operations have now been compromised. Simple Nomad has downloaded a document that describes the case that each VM is assigned to. The problem is, Mudge doesn't know who Simple Nomad is in real life or how to reach him. Mudge's agency leans on the journalist to get him to disclose the IP address of the defendant. Of course, our noble journalist refuses (and promptly gets cited for contempt of court). Unfortunately, for the defendant, there are other ways to track down an online identity and the defendant is arrested and charged with two counts: unauthorized transmission of a program and unauthorized access to a computer.
Defense attorney Jennifer Granick defends Nomad on the pure legal grounds that (1) the defendant was entrapped and (2) the access was authorized because Mudge told the defendant to hack his machine. The prosecutor argues (1) this is not entrapment and (2) access was not authorized because the defendant thought it was a hack of a legitimate target and, furthermore, when the defendant left the virtual machine and got into the other virtual servers, he accessed machines Agent Mudge didn't have the intent or ability to authorize.
Both sides will argue their case on August 6, 2008 at the Palace 1 ballroom during the Gala Reception of Black Hat. Who will win? That's for the audience to decide! So grab some food and drink from the Gala and join us in the Palace 1 ballroom!
Carole Fennelly
Carole Fennelly is an information security professional with over 25 years of hands-on experience in the computing technology field. Starting as a Unix System Administrator in 1981, she was drawn into the developing information security field as the commercial Internet grew. She is the author of numerous articles for IT World, SunWorld and Information Security Magazine. A frequent speaker at security conferences, such as the Black Hat Briefings, her technical background includes in-depth security and administration knowledge of UNIX operating systems. Ms. Fennelly is presently a Manager of Content and Documentation with Tenable Network Security, creators of the Nessus vulnerability scanner.
Paul Ohm
Paul Ohm joined the faculty of the CU School of Law in Spring of 2006. He specializes in the emerging field of computer crime law, as well as criminal procedure, intellectual property, and information privacy.
Prior to joining CU he worked as an Honors Program trial attorney in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. Professor Ohm is a former law clerk to Judge Betty Fletcher of the U.S. Ninth Circuit Court of Appeals and Judge Mariana Pfaelzer of the U.S. District Court for the Central District of California. He attended the UCLA School of Law where he served as Articles Editor of the UCLA Law Review and received the Benjamin Aaron and Judge Jerry Pacht prizes. Prior to law school, he worked for several years as a computer programmer and network systems administrator, and before that he earned undergraduate degrees in computer science and electrical engineering.
Richard Salgado
Richard P. Salgado is a Senior Legal Director with Yahoo! Inc., where he focuses on international privacy, security and law enforcement compliance matters. Prior to joining Yahoo!, Mr. Salgado served as Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice. As a federal prosecutor, Mr. Salgado specialized in investigating and prosecuting computer network cases, such as computer hacking, illegal computer wiretaps, denial of service attacks, malicious code and other technology-driven privacy crimes. Mr. Salgado also regularly speaks on the legal and policy implications of searching and seizing computers and electronic evidence, emerging surveillance technologies, digital evidence and related criminal conduct. Mr. Salgado is a lecturer in law at Stanford Law School, where he teaches a Computer Crime seminar; he previously served as an adjunct law professor at Georgetown University Law Center and George Mason Law School, and as a faculty member of the National Judicial College. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.
Kurt Opsahl
Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal.
Jennifer Granick
Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.
Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.
Richard Thieme
"Those seen dancing were thought insane by those who could not hear the music." - Friedrich Nietzsche
Richard Thieme has been hearing the music for a long time. His track record includes hundreds of articles, dozens of short stories, one book with four more coming, several thousand speeches, and, in a former incarnation, hundreds of original sermons.
His sci-fi short story, “Silent Emergent, Doubly Dark” was chosen for /Subtle Edens/, an anthology coming in November in London. With nearly 30 stories published in the past few years, he is looking to bring out a collection (/More Than a Dream: Stories of Flesh and the Spirit/). His video interviews for the Hexen project on art and technology are showing up on walls in European galleries. He is happily contributing to the MUFON History Project documenting the response of the government to UFO phenomena in the 1940s and 1950s. In short, he manages to stay busy.
Peiter Zatko
Mr. Peiter "Mudge" Zatko was a Senior Security Architect/Engineer at BBN from 1994 to 1998, and he rejoined BBN in 2004 as a Division Scientist focusing on research and development activities in support of DARPA and Intelligence Community projects and is now a Technical Director for BBN's National Intelligence Research and Applications division. He is an experienced and nationally known researcher. After leaving BBN he served as the CEO and Chief Scientist at LHI Technologies, was the Chief Scientist and Executive Vice President for R&D at @Stake Inc., and was the Chief Scientist at Intrusic Inc., all companies involved with network and information security. He has also served on the advisory boards of several organizations, as an R&D Subcommittee Member to the Partnership for Critical Infrastructure Protection, and as a Research Subcommittee Member to the Office of Science and Technology. Mr. Zatko has testified to the United States Senate Committee on Government Affairs as a subject matter expert in regards to Government systems, and to the House and Senate Joint Judiciary Oversight Committee as a subject matter expert on legislation regarding cyber crime. He has also been an invited special guest contributor to projects and papers for the INFOSEC Research Council. He has published papers in ACM and CORE/CQRE refereed journals, and his architecture security analysis paper was published in the Usenix Security refereed journal. He has taught an offensive cyber warfare techniques and tactics course at the Air Force Information Warfare Center, lectured on opposing forces threats and capabilities at the Army War College, lectured on future vulnerability areas of research at the Navy Post-Graduate College and at the National Security Agency, gave a lecture series at Georgetown University, was a Visiting Scientist at Carnegie Mellon University, and conducted training courses for the I4/C4 groups at NSA.
Mr. Zatko is the inventor of L0phtCrack, an industry standard Microsoft password auditing tool, of AntiSniff, the world's first remote promiscuous system detector that was used across primary DoD entities, of Tempwatch, now a distributed component of Linux and BSD distributions, and of SLINT, a pioneering tool in automating source code analysis to discover security coding problems. Mr. Zatko was recognized by the National Security Council, Executive Office of the President, as a vital contributor to the success of the President's Scholarship for Service Program. He was also recognized as contributing to the CIA's critical national security mission. He is an honorary plank owner of the USS McCampbell (DDG-85).
Brian Martin
Brian Martin is an outspoken Nessus Subject Matter Expert with Tenable Network Security. With over ten years of professional security assessment experience, he has had the opportunity to provide cynical review of network and physical security for all types of business, government agency and military facility. With that experience, he now helps to develop and guide the Nessus vulnerability scanner and other Tenable products. Martin's training and articles have given people an accurate and honest picture of the dismal state of Information Security across all industries. In his spare time, he is the content manager for the Open Source Vulnerability Database and a champion of small misunderstood creatures.
Jonathan Klein
Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose consulting as a method of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan and with private attorneys, discovering there is more to being a technical witness than purely technical knowledge.
Simple Nomad
Simple Nomad is a security researcher and architect, which means he is a hacker who got a job. He speaks on security and privacy topics at conferences around the globe, as well as entertaining the press via interviews in television, print, and online mediums. In addition to being one of the most attractive hackers on the planet, he did not write his own bio. Really. Seriously. Ok...fine, I did. So sue me.
Caitlin Klein
Caitlin is a student with interests in gaming, computers, horse riding, dance, more gaming and lots of coffee…
Ryan Bulat
Ryan Bulat used to major in Computer Science until he decided that he much preferred writing…or psychology….or law….
This talk addresses the issue of stealing data from computers or systems that are never or almost never connected to any network, due to their critical status. The security target assumes that the attacker may have very limited direct access (physical access) or indirect access (through any innocent user) to the computer, for a very small amount of time and only at the initial part of his attack. His problem is to collect data from the computer he manages to compromise (active attack) or which has been identified as containing some exploitable weakness, but without using any network connection (including wireless -- WiFi, Bluetooth... -- communication protocols).
In this talk we are going to recall the very few open existing techniques and then present some new approaches that we designed in our lab, based on mathematical signal processing. A demo of our new technique will be given.
Eric Filiol
Eric is the Head Scientist Officer of the Operational Cryptology and Operational Computer Virology Lab at the French Army Signals Academy in Rennes and at the ESIEA Engineer Academy in Laval, France. He holds a PhD in Applied Mathematics and Computer Science, a Habilitation Thesis in computer science, as well as an engineering diploma in cryptology. His main research interests are operational cryptanalysis of symmetric cryptosystems, and malware modelization.
While we first saw the Internet used extensively during the 2004 Presidential election, its use in future presidential elections will clearly overshadow that. This session focuses on the 2008 presidential election in order to demonstrate the risks involved; however, our findings may just as well apply to any future election.
It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively communicate their positions, rally supporters, and seek to sway critics. These risks include among others the dissemination of misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving the diversion of online campaign donations have the potential to threaten voters' faith in our electoral system.
We will show that many of the same risks that we have grown accustomed to on the Internet can also manifest themselves when applied to the election process. A number of past studies have discussed a broad spectrum of election fraud such as the casting of fraudulent votes and the security, risks, and challenges of electronic voting. Our discussion will focus exclusively on Internet-borne threats, and how they have the potential to impact the election process leading up to voting day.
We will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become.
Secondly, we will discuss the potential impact of phishing on an election.
Thirdly, we will discuss the impact of security risks and malicious code, and the potential for misinformation that may present itself using any of these vectors. This set of risks crosses technical, social, and psychological boundaries. While traditional forms of malicious code certainly play an important role, social engineering and deception provide equal potential and have a more ominous psychological impact on voters who are exercising their right to elect their next president, or cast their vote in any other type of election.
This session consists of a combination of active research conducted by the presenter as well as discussion on how current threats may be customized. In order to determine the impact of typo squatting and domain name speculation for example, we performed an analysis of 2008 presidential election candidate web sites and discovered numerous examples of abuse.
Oliver Friedrichs is the Director of Emerging Technologies in Symantec Security Response, the organization responsible for the delivery of AntiVirus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs served as co-founder and Director of Engineering at SecurityFocus until the company’s acquisition by Symantec in 2002. At SecurityFocus Mr. Friedrichs managed the development of the industry’s first early warning technology for Internet attacks, the DeepSight Threat Management System. Mr. Friedrichs also created and grew the DeepSight Threat Analyst team providing thorough analysis of emerging Internet threats. Prior to SecurityFocus, he served as co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. At Secure Networks, Friedrichs architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner by Network Associates. At Network Associates Mr. Friedrichs also founded COVERT (Computer Vulnerability Exploitation Research Team) with the exclusive goal of researching and discovering new security vulnerabilities. Mr. Friedrichs also architected and developed a prototype of the industry’s first commercial penetration testing product, codenamed SNIPER. The technology was acquired by Core Security Technologies in 2001 and further developed to become CORE IMPACT, the company's flagship product and market leader for automated penetration testing. Mr. Friedrichs has over 15 years of expertise in security technologies, including network assessment, intrusion detection systems, firewalls, penetration testing, and honeypots. As a frequent speaker, he has shared his expertise with many organizations, including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.
The adoption of virtual machine technology is one of the most dramatic changes to enterprise computing in the last decade; unsurprisingly, these changes have substantial implications for system security. Unfortunately, much of the current debate around virtual machine security focuses on issues that are either intractable, such as the probability of virtual machine escapes, trivial, such as discrepancies between current virtual and real network gear, or red herrings, such as virtual machine based rootkits.
This talk offers an antidote for the current state of affairs. To begin, I help put these previous points of debate into perspective. Next, I move on to explore more fundamental changes brought on by the move to virtualization such as rapid scaling and increased diversity, increased mobility, loss of machine identity and problems of accountability, discrepancies between real and virtual time, and how these changes have created new operational challenges as well as posing difficulties for existing security architectures. Finally, I discuss what virtual infrastructure vendors and security technology developers need to do to cope with these challenges.
Tal Garfinkel
Tal Garfinkel has been working on system security research for the past 10 years. His work has appeared in many of the world's top academic conferences, and has seen commercial adoption by VMware and others. Offensive techniques developed in his work have been used to break practical systems such as Systrace and Bitlocker. Tal is a recognized authority on virtual machine security, and in addition to his own work, has served on numerous program committees and panels, as well as being a founder of the Usenix Workshop on Offensive Technology (WOOT). Tal has consulted for VMware on and off since 2003, and is currently employed as a researcher in VMware's Advanced Development group. He is also working on completing a PhD at Stanford University, where his thesis focuses on novel applications of virtual machine based technology to security. He holds a bachelor's degree with honors from the University of California at Berkeley.
The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. It may be programmed by JTAG, Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM.
By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled by setting a value in flash memory. When enabled, the BSL is protected by a 32-byte password. If these access controls are circumvented, a device's firmware may be extracted or replaced.
After a thorough introduction, this talk will discuss in excruciating detail the results of an effort to reverse engineer the BSL code. Once the BSL's function has been covered, a timing attack will be discussed which might be used to guess the password without brute force under certain conditions.
Travis Goodspeed
Travis Goodspeed works at the Extreme Measurement Communications Center of the DOE Oak Ridge National Laboratory. He has spoken at ToorCon 9 and the Texas Instruments Developer Conference regarding stack overflow exploits for MSP430-based Wireless Sensor Networks. Having demonstrated that such attacks are possible, his present research is aimed at porting defense techniques, such as ASLR and code-auditing, to this platform.
Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trading stock using corporate information passively gleaned, inhibiting the online purchase of sought-after items to create artificial scarcity, and so much more. These activities are not technically illegal; they only violate terms of service.
You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the ones staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) that we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.
Jeremiah Grossman
Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at major industry events around the globe, a Black Hat veteran, and has been invited to present at a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!
Trey Ford
Trey Ford is the Director of Solutions Architecture at WhiteHat Security providing vision to customers, partners, and prospects on website security initiatives. Mr. Ford also spearheads WhiteHat’s participation in the PCI Standards Council and assists customers in navigating regulatory bodies. With a consulting background in risk assessment and regulatory compliance, Mr. Ford is a frequent speaker at industry events, and is often quoted in media publications. Prior to WhiteHat, Trey served as compliance practice lead at FishNet Security.
Remote Forensic Software or "offensive security" is the new trend in law enforcement and the fight against terrorism.
The topic is known in Germany as "Federal Trojan". This talk will give an introduction to the needs and problems with classic lawful interception and new remote methods. The problem of poisoning of evidence after a "Trojan" attack from law enforcement, as well as new attack vectors for bad guys are discussed.
This talk will give a demonstration of an "infection proxy" which shows how to inject malware on the fly while downloading some software, how to bypass commercial security solutions like virus scanners and anti-malware tools, and how effective Trojan attacks could be if your ISP is helping law enforcement. Methods for anti-remote-forensics are covered as well. Methods of detecting infection proxies and other lawful interception methods are shown.
Lukas Grunwald
Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally active consulting firm working mainly in the field of security solutions for enterprises and federal governments in Europe and Asia. He is also the head of the Hacking Lab where new technology is evaluated. Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in the security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in several conferences all over the world. Mr. Grunwald is co-author of RFDump, an RFID attack and audit tool that is free software and that first gained attention when it was used to clone and attack the ePassport live at Black Hat.
Disassemblers are routinely used for reverse engineering but their inherent limitations make them ineffective for modern large applications. In order to cope with the volume and complexity, we have to switch to the next level of binary code analysis: decompilation.
In this presentation we will discuss the process of decompiler construction, the encountered problems and solutions. Our slides will show the decompilation process step by step.
Decompilers open the way to new tools and analysis methods; we will also briefly discuss them.
Ilfak Guilfanov
Mr. Guilfanov, the founder and CEO of Hex-Rays SA, holds a BSc in Mathematics from Moscow State University. He is the senior architect of several highly regarded software packages including the widely used IDA Pro, a multi-platform, multi-processor disassembler and debugger. Mr. Guilfanov is also known for having released, on 31 Dec 2005, a highly publicized unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system.
Citrix is a widely used remote desktop application utilized in many major corporations around the world. In addition to offering the typical benefits of RDP and Microsoft Terminal Services, it is capable of sandboxing and restricting the applications that can be executed by the user. Unfortunately, the Citrix environment can often introduce a false sense of security within organizations. There are several ways to circumvent security controls within the Citrix framework, and many system administrators are not aware of these attacks. During this presentation, we’ll demonstrate ways in which to compromise the Citrix environment using multiple attack vectors. Then we’ll show you the corresponding remediation strategies.
Shanit Gupta
Shanit is a Senior Security Consultant at Foundstone. Shanit is responsible for creating and delivering the threat modeling, code review, and application security service lines. Shanit is also responsible for the design, development, and release of the free tools by Foundstone. Shanit has strong computer science fundamentals and software development experience on UNIX and Windows. Prior to joining Foundstone, Shanit was involved in developing real-time operating systems and a survivable prototype of the Kerberos authentication service at Carnegie Mellon. Shanit also worked at Alcoa, Inc., as a software developer, building critical internal applications. Shanit has diverse experience in a number of areas of software development and security. In the last 4 years at Foundstone, Shanit has reviewed custom operating system kernels, device drivers, virtualization environments, and large complex trading infrastructures.
This presentation explores the cutting edge of heap exploitation theory and practice on Windows Vista. The focus is on finding previously unknown attack vectors resulting from memory corruption on the heap. These include techniques for controlling execution flow by attacking only the heap implementation and not the application itself, and techniques for attacking the application in conjunction with the heap. Additionally, several design changes to further improve the security of the Vista heap will be suggested.
The heap is the userland component in charge of dynamic memory management. It is present and used to some extent in every Windows Vista process. Memory corruption on the heap (heap overflow) is common, seen in nearly every application and making up a large portion of reported vulnerabilities. With Windows Vista, Microsoft introduced several security features to the heap, effectively hardening it from classic heap overflow exploit techniques.
Ben Hawkes
Ben Hawkes is an independent researcher from New Zealand specializing in computer security and cryptanalysis. He is studying mathematics and computer science at Victoria University of Wellington, New Zealand.
Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments.
This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh!
This talk will focus on both securing virtualization as well as virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VMs, we'll explore the real issues that exist today as well as those that are coming that aren't being discussed or planned for.
Christofer Hoff
Chris Hoff is currently Unisys' Chief Security Architect. Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems' chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy. Hoff obviously also enjoys referencing himself in the third person.
JavaScript is fast becoming the vehicle of choice for malware authors. Over the last 3 years we’ve seen how attackers can use vanilla JavaScript to create powerful payloads such as intranet port scanning and hijacking, information theft, and even full web security assessments and SQL injection attacks. Even traditional browser or operating system attacks are being delivered to victims through the browser encased inside a JavaScript packed IFrame. Obfuscated JavaScript payloads are the norm thanks to malware frameworks like MPACK. With so many security threats being launched through JavaScript it is crucial to explore the capabilities of the tools researchers have to analyze malicious JavaScript as well as countermeasures that can be taken against them.
In this presentation we will explore the tit-for-tat battle between malicious JavaScript authors and security researchers. We will look at the current tricks and techniques used to protect malicious JavaScript from analysis, such as dynamic encoding (JS/Wonka), deliberate tool breaks (, etc), unmodifiable functions, and network nonces. We will see how researcher tools such as CaffeineMonkey and Decrypt JS attempt to defeat these current tricks and analyze basic obfuscated JavaScript.
Next we explore multiple new techniques to circumvent the current generation of automated analysis tools by detecting their presence from inside malicious JavaScript. (JSPill? hmmmm) These methods include HTTP/browser fingerprinting, DOM testing and encrypting, domain and network testing, execution environment testing, and cross-plugin communication testing. We will demonstrate malicious JavaScript detecting analysis tools using these methods and refusing to give up its secrets until it's running in the web browser of choice. We’ll demonstrate encrypting JavaScript to only run in particular browsers or environments. We’ll also demonstrate a couple of other tricks, such as encoding malicious JavaScript as nothing but white space, and function clobbering for fun and profit.
Finally we discuss countermeasures to the countermeasures, and offer feature ideas and advice for researchers developing the 3rd generation of automated JavaScript analysis tools.
Billy Hoffman
Billy Hoffman is the manager for HP Security Labs of HP Software where he leads research focused on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and web crawling technologies. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Billy is a regular presenter at hacker conferences including Toorcon, Shmoocon, Phreaknic, Summercon, and Outerz0ne and is active in the South East hacking scene. Occasionally the suits make him take off the black t-shirt and he speaks at more mainstream security events such as RSA, Infosec, AJAXWorld, and Black Hat. Billy is also the author of the book Ajax Security published by Addison Wesley in December 2007.
With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, Cold Fusion, or classic ASP).
This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.
Following this presentation, the module will be available for free download and use.
Brian Holyfield
Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the realm of information security for over 9 years, and has extensive security testing and consulting experience. Brian was also a contributing author for “Network Security Tools” (O'Reilly, 2005), where he outlined how to build an automated vulnerability detection and exploit scanner for web-based applications.
Malware impacts on digital investigations go far beyond the Trojan horse defense as the proliferation of stealthy polymorphic and metamorphic malware continues to evolve. Digital investigators must understand the subtle nuances of sophisticated threats in order to solve sophisticated digital crimes. Traditional forensic investigation methods fall short in providing investigators vital information regarding the signature, behavior, remnants or characteristics of metamorphic/polymorphic malware.
This presentation and accompanying paper quantifies the impact of polymorphic and metamorphic threats on the digital investigator and explores non-traditional approaches to investigation. The paper provides a DNA Taxonomy approach for examining and discovering characteristics (live and postmortem) exhibited by these advanced threats.
Chet Hosmer
Virtualization is a disruptive technology in the data-center which opens the path for new solutions for old problems.
Specifically, virtualization allows the isolation of a particular workload (an application within a VM) from the underlying hardware, and enables the creation of software services which can run independent of the original workload.
The presentation will focus on the capabilities of security applications delivered as services of the hypervisor: how these new services compare with existing security agents which run inside virtual machines, and what the possible future of workload security in a virtual data-center is.
Oded Horovitz
I am currently part of the VMware engineering organization as an architect for the VMsafe program. Being fascinated with building defense systems for the past 10 years, I have been enjoying the opportunity to unleash the possibilities of hypervisor based defense capabilities. Prior to VMware, I had been working as an architect for Entercept, now known as McAfee HIPS following Entercept's acquisition back in early 2005. Having the opportunity of being part of the pioneering group for host-based intrusion prevention systems, I was lucky enough to learn anything there is to learn about vulnerabilities and exploitation (yes, I'm referring mostly to the good old old-school overflow attacks and such, with all due respect to the XSS generation) and have shared some of my findings with the security community. My most popular publication was the work done with Matt Conover about the possibilities of reliable exploitation of Windows heap overflows.
This presentation will discuss several vulnerabilities in Win32k.sys, the Windows NT kernel-mode library responsible for the Windows GUI Subsystem, ranging from privileged-path denial-of-service attacks due to bad assumptions regarding the validity of pointers before they are dereferenced, to the more dangerous unprivileged attacks, which leave any Windows NT-based operating system vulnerable to a local denial-of-service attack from a user with logon privileges (including a guest account).
First, a couple of unchecked pointer dereferences will be exposed, caused by a typical programming bug of assuming the occurrence of a certain initialization stage which may not actually have occurred (either by design, or due to timing). These kinds of bugs are amplified when the code makes assumptions due to the undocumented nature of the interface, and uses this assumption in lieu of pointer validation.
The second programming error that will be exposed is a combination of incorrect trust of user-mode accessible handles, especially non-privileged access, and incorrect usage of Nt versus Zw APIs when dealing with user-mode data. The kernel mechanism of “protect from close” handles will be explained, as well as how it can be used to attack Win32k.sys.
This second part will be the most focused part of the presentation, since it is a pretty new kind of vulnerability that has been overlooked until now, mostly because it typically only allows DoS or information leaks -- in today's Terminal Services/Multi-User world however, it simply cannot continue to be ignored.
Alex Ionescu
Alex Ionescu's experience in OS design and kernel coding dates back to his early adolescence, when he first played with John Fine's educational OS, Kernel, and Boot Loader code. Since then, he has been active in the area of NT kernel development, offering help and advice for driver developers, as well as in the NT reverse engineering and security field, where he has published a number of articles and source code, such as documentation for the Linux NTFS project, extensive papers on the Visual Basic Metadata and Pseudo-code format, and NTFS Structures and Data Streams. During the last 3 years, he has been working on the ReactOS project as the lead kernel developer, responsible for writing most of its Windows Server 2003-based kernel. In the past year, he has been contracted to be the principal writer of the updated content in the 5th Edition of the Windows Internals book series, and he is also an instructor for David Solomon Expert Seminars, a well-known seminar company owned by David Solomon, co-author of the Windows Internals books. Alex speaks at technical conferences including Recon 2006, where he gave a talk about a new NT Kernel exploit that allowed a user to access kernel memory from user-mode, and BlackHat 2008, where he will be presenting four new Windows kernel exploits. In his spare time, he publishes tools and articles on his blog, www.alex-ionescu.com.
DNS is at the heart of every network -- when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct -- but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.
Dan Kaminsky
Dan Kaminsky is a long time speaker at the Black Hat Briefings, delivering now his ninth talk. Dan has spent his entire career with Fortune 500 companies, having spent two years at Cisco, another two at Avaya, and most recently consulting at Microsoft. His research focuses on design characteristics of complex systems -- making old systems do new things, and lately, breaking new things in old ways. The Director of Penetration Testing for IOActive, Dan is based in Seattle.
This presentation will address the differences in ActiveX control vulnerabilities between Vista and XP. Internet Explorer is more secure on Vista due to UAC (User Account Control) and protected mode. However, ActiveX control vulnerabilities on Vista have nearly the same effect as those on XP. The reason for this is that ActiveX controls for Vista have been developed with a focus on compatibility rather than security. Vista needs additional techniques to successfully exploit file/registry writing vulnerabilities, process execution vulnerabilities, and buffer overflow vulnerabilities. In this presentation, these techniques will be addressed in detail.
There is a common mistake that developers are liable to make with Vista. Developers sometimes install program files in low integrity folders, because they wish to update them silently. However, program files with low integrity can be overwritten easily by malicious users. I developed a tool to identify this problem.
There are two ways developers elevate the privilege of an ActiveX control: explicit or implicit. Implicit privilege elevation is more dangerous, because it does not require user agreement. Implicit privilege elevation does not elevate the privilege of the ActiveX control itself but uses another higher-privileged surrogate process. If privilege-elevated ActiveX controls have a critical vulnerability, malicious users can obtain higher privilege by exploiting this vulnerability. Therefore, developers should not overuse implicit privilege elevation when writing a secure ActiveX control. Analyzers should take implicit privilege elevation of ActiveX controls into consideration when they inspect ActiveX controls on Vista.
Su Yong Kim
Su Yong Kim is a senior member of the engineering staff in the attached institute of ETRI. His research focuses on finding vulnerabilities in software, especially ActiveX controls. He developed YMFAC to manually inspect ActiveX controls. He presented his paper about ActiveX control security at the CanSecWest 2007 conference.
Medical devices are becoming more sophisticated and wireless. We recently published an academic paper titled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses." In this paper we describe experiments with a real, common implantable defibrillator and show that risks are real, albeit small today. Using our own equipment, we are able to extract private information stored on the implantable defibrillator, change its settings, and even make it issue an electric shock. (We stress the patients should not be concerned about our current results, but that the community should demand stronger security mechanisms in future devices.)
Previously one of us (KF) made international news by exposing vulnerabilities in RFID credit cards, and the other of us (TK) was the first to publicly study the security of the Diebold electronic voting machine (in 2003). We've now turned our attention to implantable medical devices because we think that security will become increasingly important in the near future. Second, implantable medical device security i