Black Hat USA 2009 //Briefings

Caesars Palace Las Vegas, NV • July 25-30


Joshua "Jabra" Abraham, Robert "RSnake" Hansen

Unmasking You

Many people and organizations depend upon proxies and numerous other privacy techniques to mask their true identity. The problem is there are often flaws within these technologies.

This talk will demonstrate several of these flaws as well as weaknesses in well-known implementations. Several new anti-privacy 0days will be released.


Alessandro Acquisti

I Just Found 10 Million SSN's

We will show that information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN).

The SSN assignment scheme has been public knowledge for many years. It has been used before to estimate when and where a known SSN may have been issued. However, armed only with publicly available information, we observed a correlation between individuals' SSN digits and their birth data and discovered that: 1) the interpretation of the assignment scheme currently held outside the SSA is, in part, wrong; 2) although the SSA, which issues them, states that SSNs are "assigned randomly [...] within the confines of the area numbers allocated to a particular state," the assignment is -- for practical purposes -- not random; 3) the interpolation of demographic patterns with data about the SSNs assigned to deceased individuals can, therefore, allow the statistical inference of living individuals' SSNs.

The inferences are made possible by the public availability of the Social Security Administration's Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. We will discuss the initiatives which (unintentionally) inserted regularities in the assignment process that can now be exploited for such predictions; we will highlight the privacy consequences of complex interactions among multiple data sources; and we will analyze current policy initiatives in the area of identity theft.

The message of this talk is simple: SSNs were not designed to be used as authenticators, but as simple identifiers. Businesses and other third parties should stop using SSNs as if they were confidential passwords.

//BIO: Alessandro Acquisti

Alessandro Acquisti

Carnegie Mellon University

Alessandro Acquisti is an Associate Professor of Information Technology and Public Policy at the H. John Heinz III College, Carnegie Mellon University, and a member of Carnegie Mellon CyLab. His work investigates the economic and social impact of IT, and in particular the economics of privacy and the behavioral economics of privacy and information security. His research in these areas has been disseminated through journals (including Marketing Science, Journal of Comparative Economics, IEEE Security & Privacy, and Rivista di Politica Economica); edited books ("Digital Privacy: Theory, Technologies, and Practices." Auerbach, 2007); book chapters; and presentations and keynotes at international conferences. His findings have been featured in media outlets such as NPR Fresh Air, NBC, MSNBC.com, the Washington Post, the New York Times, and the New Scientist. Alessandro has received national and international awards, including the 2005 PET Award for Outstanding Research in Privacy Enhancing Technologies and the 2005 IBM Best Academic Privacy Faculty Award. He is and has been a member of the program committees of various international conferences and workshops, including ACM EC, PET, WEIS, ETRICS, WPES, LOCA, QoP, and the Ubicomp Privacy Workshop at Ubicomp.

In 2007 he chaired the DIMACS Workshop on Information Security Economics and the WEIS Workshop on the Economics of Information Security. In 2008, he co-chaired the first Workshop on Security and Human Behavior with Ross Anderson, Bruce Schneier, and George Loewenstein. In the past, he has been a Research Fellow at the Institute for the Study of Labor (IZA) in Bonn, Germany. His research has been funded by the National Science Foundation, the Humboldt Foundation, the National Aeronautics & Space Administration, Microsoft Corporation, as well as CMU CyLab and CMU Berkman Fund. Prior to joining the CMU faculty, Alessandro researched at the Xerox PARC labs in Palo Alto, CA, with Bernardo Huberman and the Internet Ecologies Group (as intern), and for two years at RIACS, NASA Ames Research Center, in Mountain View, CA, with Maarten Sierhuis and Bill Clancey (as visiting student). At RIACS, he worked on agent-based simulations of human-robot interaction onboard the International Space Station. In 2000 he co-founded PGuardian Technologies, Inc., a provider of Internet security and privacy services, for which he designed two currently pending patents. In a previous life, Alessandro worked as classical music producer and label manager (PPMusic.com), arranger, lyrics writer (BMG Ariola/Universal), and soundtrack composer for theatre, television (RAI National Television), and indie cinema productions; and raced a Yamaha 125TZ in the USGPRU national championship, which convinced him to keep his day job. Alessandro has lived and studied in Rome (Laurea, Economics, University of Rome), Dublin (M.Litt., Economics, Trinity College), London (M.Sc., Econometrics and Mathematical Economics, LSE), and Berkeley, where he worked with John Chuang, Doug Tygar, and Hal Varian and received a Master's and a Ph.D. in Information Management and Systems from the University of California.

Dmitri Alperovitch, Keith Mularski

Fighting Russian Cybercrime Mobsters: Report from the Trenches

A Supervisory Special Agent from the FBI and a native Russian security researcher join forces to present an in-depth insider view of the most prominent cases against Russian and other Eastern European-based online crime syndicates of the past decade. Learn from their experiences gained in the middle of major international cybercrime investigations by US law enforcement. The talk will include an in-depth discussion of the investigation into the DarkMarket carding forum, the biggest cybercrime operation by the FBI of 2008, by the agent who spent 2 years undercover working to identify and shut down the leading criminals in the organization.

//BIO: Keith Mularski

Keith Mularski

Federal Bureau of Investigation, Cyber Division

Keith Mularski is a Supervisory Special Agent assigned to the Cyber Division of the Federal Bureau of Investigation (FBI). Mr. Mularski received his appointment to the position of Special Agent with the FBI in 1998. After attending the FBI Academy in Quantico, Virginia, Mr. Mularski was assigned to the FBI's Washington Field Office where he investigated National Security Matters for seven years. During this time Mr. Mularski worked on a number of high profile investigations such as the Robert Hanssen espionage investigation, and the 9/11 Terrorist attack on the Pentagon.

In 2005, Mr. Mularski transferred to the FBI's Cyber Division and is now detailed to the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, Pennsylvania. The NCFTA is a joint partnership between law enforcement, academia, and industry which seeks to maximize overlapping public/private resource synergies creating a dynamic cyber-nerve-center for tactical and proactive responses to Cyber-Crime.

While detailed to the NCFTA, Mr. Mularski continues to work successfully with Private Industry Subject Matter Experts on a number of joint Cyber-Crime initiatives such as the Digital Phishnet and Slam Spam projects. Mr. Mularski's emphasis has been on the development of proactive initiatives targeting organized international Cyber-Crime groups. Most recently, Mr. Mularski worked undercover penetrating cyber underground groups, which resulted in the dismantlement of the Darkmarket criminal carding forum.

Prior to joining the FBI, Mr. Mularski worked in private industry and is a 1992 graduate of Duquesne University in Pittsburgh, where he majored in History.

Andrea Barisani, Daniele Bianco

Sniff Keystrokes With Lasers/Voltmeters
Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage

TEMPEST attacks, exploiting electromagnetic emissions in order to gather data, are often mentioned by the security community, movies and wanna-be spies (or NSA employees, we guess).

While some expensive attacks, especially the ones against CRT/LCD monitors, have been fully researched and described, some others remain relatively unknown and haven't been fully (publicly) researched.

Following the overwhelming success of the SatNav Traffic Channel hijacking talk we continue with the tradition of presenting cool and cheap hardware hacking projects.

We will explore two unconventional approaches for remotely sniffing keystrokes on laptops and desktop computers using mechanical energy emissions and power line leakage. The only thing you need for a successful attack is either access to the electrical grid or a distant line of sight; no expensive piece of equipment is required.

We will show the two attacks in detail, along with all the necessary instructions for setting up the equipment. As usual, cool gear and videos are going to be featured in order to maximize the presentation.


Rod Beckstrom

Beckstrom's Law: A Model for Valuing Networks and Security

Beckstrom's Law is a new model or theorem of economics formulated by Rod Beckstrom. It purports to answer "the decades old question of 'how valuable is a network.'" It is granular and transaction-based and can be used to value any network: social networks, electronic networks, support groups and even the Internet as a whole. To read a white paper explaining the law and mathematics in detail, please see Economics of Networks. This new model values the network by looking from the edge of the network at all of the transactions conducted and the value added to each. It states that one way to contemplate the value the network adds to each transaction is to imagine the network being shut off and what the additional transaction costs or loss would be.

Beckstrom's Law differs from Metcalfe's Law, Reed's Law and other concepts that propose that the value of a network is based purely on the size of the network (and, in Metcalfe's Law, on one other variable).

//BIO: Rod Beckstrom

Rod Beckstrom

Rod Beckstrom is the former Director of the National Cyber Security Center (NCSC) in the U.S. Department of Homeland Security where he reported to Secretary Michael Chertoff and Secretary Janet Napolitano, respectively.

Rod co-authored The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations that presents a new model for analyzing organizations, leadership style and competitive strategy. He has co-authored three other books including one on Value at Risk (VAR), a fundamental theory of financial risk management now used to regulate banking globally. He has recently developed a new economic model for valuing technical and social networks, referred to as Beckstrom’s Law.

As an entrepreneur Rod started his first company when he was 24 in a garage apartment and subsequently grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles and Hong Kong. The company, CAT•S Software Inc., went public under Rod’s leadership and was later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of advisors and directors, respectively.

Rod also co-founded Mergent Systems with Dr. Amos Barzilay and Assistant Professor Michael Genesereth of the Stanford Graduate School of Computer Science. Mergent was a pioneer in inferential database engines and was sold to Commerce One for $200 million. He also co-founded TWIKI.NET, a company offering service and support for an open source wiki and collaboration software system.

From 1999 to 2001 Rod served as the Chairman of Privada, Inc. Privada was a pioneer in technology to enable private, anonymous and secure credit card transaction processing over the internet.

In 2003, Rod co-founded a global peace network of CEO's which initiated Track II diplomatic efforts between India and Pakistan. The group’s symbolic actions opened the borders to people and trade, and contributed to ending the most recent Indo-Pak conflict. It's one of several non-profit groups and initiatives Rod has started. He now serves on the boards of the Environmental Defense Fund, which Fortune Magazine ranked as one of the seven most powerful boards in the world and Jamii Bora Trust an innovative micro-lending group in Africa with more than 200,000 members.

Rod graduated from Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland.

Marc Bevand

MD5 Chosen-Prefix Collisions on GPUs

In December 2008, an MD5 chosen-prefix collision attack was performed on a PlayStation 3 cluster to create a rogue CA certificate. A new implementation of this attack has been researched and developed to run an order of magnitude faster and more efficiently on video card GPUs, which now makes the attack practical for anybody. The software techniques used to achieve this breakthrough performance gain will be demonstrated.


Bill Blunden

Anti-Forensics: The Rootkit Connection

Conventional rootkits have focused primarily on defeating forensic live incident response and network monitoring using a variety of concealment strategies (e.g. detour patching, covert channels, etc.). However, the tools required to survive a post-mortem analysis of secondary storage, which are just as vital in the grand scheme of things, don't seem to have garnered the same degree of coverage recently. In this presentation, the speaker will examine different approaches to persisting a rootkit and the associated anti-forensic tactics that can be employed to thwart an investigator who's performing an autopsy of a disk image.


Hristo Bojinov, Dan Boneh, Elie Bursztein

Embedded Management Interfaces: Emerging Massive Insecurity

Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.

In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.


Michael Brooks, David Aslanian

BitTorrent Hacks

This is the journey of two pirates hacking BitTorrent. This talk will cover ways of abusing the BitTorrent protocol, finding vulnerabilities in BitTorrent clients and exploiting them. We will also cover counter measures to these attacks.


Jesse Burns

Exploratory Android Surgery

It's hard to resist open, Linux-based phones with sophisticated programming environments and a novel security model. Android has application-level isolation, new kernel primitives for communication, and fancy UI features wrapped around its open source heart. This talk will explore Android's fancy new kernel and user mode security mechanisms, how to test them, and how to mess around inside your droid.

Jesse will release and demonstrate new tools for exploring Android devices, including an Intent sniffer, Intent fuzzer, a security policy exploration tool, and a tool for exploring any undocumented or proprietary corners of your device.

In the process, the talk will show hidden features on currently shipping devices, illustrate how Android systems fit together and help the attendee understand what this new security model's capabilities and limitations are. The speaker has worked on the security of dozens of Android applications, and on the operating system itself. He will use this experience to explain some of the most common, new types of security weaknesses facing mobile developers and testers.


K. Chen

Reversing and Exploiting an Apple® Firmware Update

I describe how an attacker can install malicious code into the firmware of an Apple aluminum keyboard.


Matt Conover

SADE: Injecting Agents into VM Guest OS

As more and more virtual machines (VMs) are packed into a physical machine, refactoring common kernel components shared by virtual machines running on the same physical machine could significantly reduce the overall resource consumption. The refactored kernel component typically runs on a special VM called a virtual appliance. Because of the semantic gap in Hardware Abstraction Layer (HAL)-based virtualization, a physical machine's virtual appliance requires the support of per-VM in-guest agents to perform VM-specific operations such as kernel data structure access and modification.

To simplify deployment, these agents must be injected into guest virtual machines without requiring any manual installation. Moreover, it is essential to protect the integrity of in-guest agents at run time, especially when the underlying refactored kernel service is security-related. This paper describes the design, implementation and evaluation of a stealthy agent deployment and execution mechanism called SADE that requires zero installation effort and effectively hides the execution of agent code. To demonstrate the efficacy of SADE, we describe a signature-based memory scanning virtual appliance that uses SADE to inject its in-guest kernel agents, and show that both the start-up overhead and the run-time performance penalty of SADE are quite acceptable.


Dino Dai Zovi

Advanced Mac OS X Rootkits

The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.


Macsploitation with Metasploit

While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.


Datagram

Lockpicking Forensics

Lockpicking is portrayed as the ultimate entry method. Undetectable and instantaneous as far as films are concerned. Nothing is further from the truth, but freely available information on the topic is nearly impossible to find. This talk will focus on the small but powerful fragments of evidence left by various forms of bypass, lockpicking, and impressioning. Attendees will learn how to distinguish tool marks from normal wear and tear, identify the specific techniques and tools used, and understand the process of forensic locksmithing in detail.


Mike Davis

Recoverable Advanced Metering Infrastructure

Smart Grid. Smart Meters. AMI. Certainly no one has escaped the buzz surrounding this potentially ground-breaking technology. However, equally generating buzz is the heightened threat of attack these technologies provide. Mike Davis and a team of IOActive researchers were able to identify multiple programming errors on a series of Smart Meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues. The team was able to “weaponize” these attack vectors, and create an in-flash rootkit, which allowed them to assume full system control of all exposed Smart Meter capabilities, including remote power on, power off, usage reporting, and communication configurations.

In this presentation, Davis will discuss the broad, yet almost ubiquitous exploits and basic design flaws in today's Smart Meter and Advanced Metering Infrastructure (AMI) technology. Typical attacker techniques such as buffer overflows, persistent and non-persistent rootkits, and even self-propagating malicious software will be illustrated. Davis will even demonstrate a proof-of-concept worm attack and the general reverse engineering techniques used to achieve code execution. To show all is not hopeless, he will also cover the incident response impacts of a possible worm attack scenario. Finally, building upon the analysis of the worm-able attack surface as well as his hardware and software penetration testing research, Davis will suggest inherent design fixes that AMI vendors can implement to greatly mitigate these broad exploits.

//BIO: Mike Davis

Mike Davis

IOActive

Mike Davis is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. He and fellow IOActive researchers recently discovered significant security vulnerabilities in meters being deployed in the Smart Grid, and he helped disclose this information to White House officials. Davis is also responsible for driving IOActive's efforts to perform cutting-edge security assessments on retailer point of sale terminals, advanced computing chipsets, and gas station management infrastructure.

Davis is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA) with more than five years' experience in secure systems and binary-level reverse engineering. The designer of the world's first completely secure consumer plain-text instant messenger, he was also a guest speaker on secure instant messaging during 2004 at the HOPE and 21C2 conferences. Davis has been the source for and/or subject of numerous articles on instant messaging security issues for publications including Newsweek, PC World, Info World, and The Detroit News. He also was part of a team awarded a patent for groundbreaking work on Corestream, a distributed, decentralized network for streaming audio and video.

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness of how the new paradigms of social communication bring with them real risks as well as marketing and economic advantages.

//BIO: Nitesh Dhanjani

Nitesh Dhanjani

Ernst & Young LLP

Nitesh Dhanjani is the author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly) and "HackNotes: Linux and Unix Security" (Osborne McGraw-Hill). He is also a contributing author to "Hacking Exposed 4" (Osborne McGraw-Hill) and "HackNotes: Network Security" (Osborne McGraw-Hill). Dhanjani is a frequent speaker at some of the most well-known information security events around the world, including Hack in the Box, RSA, the Black Hat Briefings, and the Microsoft BlueHat Briefings. Currently, Dhanjani is Senior Manager at Ernst & Young LLP, where he is responsible for advising some of the largest corporations on how to establish enterprise-wide information security programs and solutions. Dhanjani is also responsible for evangelizing brand new technology service lines around emerging technologies and trends such as cloud computing and virtualization.

Prior to E&Y, Dhanjani was Senior Director of Application Security and Assessments at Equifax where he spearheaded brand new security efforts into enhancing the enterprise SDLC, created a process for performing source code security reviews & threat modeling, and managed the attack & penetration team. Before Equifax, Dhanjani was Senior Advisor at Foundstone's Professional Services group where, in addition to performing security assessments, he contributed and taught Foundstone's Ultimate Hacking security courses. Dhanjani graduated from Purdue University with both a Bachelor's and a Master's degree in Computer Science.

In summary, Dhanjani is probably the greatest human being who has ever lived.

Mark Dowd, Ryan Smith, David Dewey

The Language of Trust: Exploiting Trust Relationships in Active Content

Interactive content has become increasingly powerful and more flexible over the last few years, with major functionality additions appearing in several web-based technologies such as JavaScript, .NET, and browser plugins. These functionality changes, coupled with increasingly complex cross-communication layers, have created a nuanced and precarious trust layer between many different, previously unrelated components.

This presentation attempts to address the issue of trust in the context of active content, and how it is more complicated than it might first appear. We will demonstrate the exploitation of these trust relationships at different levels of applications, from subverting architectural security controls to memory corruption vulnerabilities that lead to arbitrary code execution.


Muhaimin Dzulfakar

Advanced MySQL Exploitation

This talk focuses on how MySQL SQL injection vulnerabilities can be used to gain remote code execution in LAMP and WAMP environments. Attackers performing SQL injection on a MySQL platform must deal with several limitations and constraints. For example, the lack of support for multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This talk will show that arbitrary code execution is possible on the MySQL platform and explain the techniques. In this presentation, the author will demonstrate the tool he wrote, titled MySqloit. This tool can be integrated with Metasploit and is able to upload and execute shellcode using a SQL injection vulnerability in LAMP or WAMP environments.


Michael Eddington

Demystifying Fuzzers

Fuzzing is an important part of the secure development lifecycle (SDL) and a popular tool for both defensive and offensive security researchers, consultants, and even software developers. With this popularity comes a plethora of fuzzers, both open source and commercial. This briefing takes a look at these different fuzzers and provides insights into "if" and "what" they should be used for. As the developer of Peach, I am often asked to compare various fuzzers and clarify terms tossed around such as Smart and Dumb fuzzing. Additionally, the hidden costs and pitfalls will be addressed.


Egypt

Using Guided Missiles in Drive-Bys: Automatic browser fingerprinting and exploitation with Metasploit

The blackhat community has been using client-side exploits for several years now. Multiple commercial suites exist for turning webservers into malware distribution centers. Unfortunately for the pentester, acquiring these tools requires sending money to countries with no extradition treaties, taking deployed packs from compromised webservers, or other acts of questionable legality. To ease this burden, the Metasploit Project will present an extensible browser exploitation platform integrated into the metasploit framework.


Rachel Engel

Gizmo: A Lightweight Open Source Web Proxy

Gizmo is a free new open source web proxy designed to be lightweight, speedy, and responsive. When someone is performing a web pentest, they want a tool that lets them edit and search through requests quickly. The tool should let them search through and edit requests without slowing down web traffic or taking up the user's attention with heavyweight user interfaces. Gizmo was created with this in mind. The user interface is focused on the keyboard so that once the initial (very small) learning curve is over, the user can operate Gizmo without their hands leaving the keyboard. A great deal of effort was also spent ensuring that Gizmo proxies traffic snappily enough that a user's web browsing experience isn't hampered. The presentation will focus on the feature set of Gizmo and a demonstration of how snappy and responsive web proxies can be.


Stefan Esser

State of the Art Post Exploitation in Hardened PHP Environments

When an attacker manages to execute arbitrary PHP code in a web application, he nowadays often ends up in hardened PHP environments that not only make use of PHP's internal protections like safemode, openbasedir or disable_functions but also make use of Suhosin and operating system, filesystem or libc level security mechanisms like ASLR, NX, hardened memory managers or Unix file permissions. In such a situation, taking over the server becomes a challenge and requires PHP shellcode that is able to use local PHP exploits to get around these protections.

This talk will show the problems arising from the different protection mechanisms for PHP shellcode, will give an insight into the internal memory structures of PHP that are required to write stable local exploits and will demonstrate how a special class of vulnerabilities in PHP that also exists in standard functions enables PHP shellcode to get around most of these protections.


Tony Flick

Hacking the Smart Grid

The city of Miami and several commercial partners plan to roll out a "smart grid" citywide electrical infrastructure by the year 2011. This rollout proceeds on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute of Standards and Technology (NIST) has recently released a roadmap for producing Smart Grid standards. In this Turbo Talk, I will discuss the flaws in the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (PCI DSS), that rely heavily on organizations policing themselves.


Andrew Fried, Paul Vixie, Dr. Chris Lee

Internet Special Ops: Stalking Badness Through Data Mining

Today's Internet threats are global in nature. Identifying, enumerating and mitigating these incidents requires the collection and analysis of unprecedented amounts of data, which is only possible through data mining techniques. We will provide an overview of what data mining is, and provide several examples of how it is used to identify fast flux botnets and how the same techniques were used to enumerate Conficker.

//BIO: Paul Vixie

Paul Vixie

Internet Software Consortium

Paul Vixie is the author of several RFCs and standard UNIX system programs, among them SENDS, proxynet, rtty and Vixie cron. In 1988, while employed by DEC, he started working on the popular internet domain name server BIND, of which he was the primary author and architect until release 8. After he left DEC in 1994, he founded Internet Software Consortium (ISC) together with Rick Adams and Carl Malamud to support BIND and other software for the Internet. The activities of ISC were assumed by a new company, Internet Systems Consortium, in 2004.

In 1995 he cofounded the Palo Alto Internet Exchange (PAIX), and after Metromedia Fiber Network (MFN) bought it in 1999 served as the chief technology officer to MFN / AboveNet and later as the president of PAIX. In 1998 he cofounded MAPS (Mail Abuse Prevention System), a California nonprofit company with the goal of stopping email abuse. He also ran his own consulting business, Vixie Enterprises.

Along with Frederick Avolio, he co-wrote the book "Sendmail: Theory and Practice" (ISBN 1-55558-127-7 first edition, ISBN 155558229X second edition). He has also stated that he "now hold[s] the record for 'most CERT advisories due to a single author.'" Although working for ISC, the operator of the F root server, he at one point joined the Open Root Server Network project and operates their L root server.

Vixie was elected to the ARIN Board of Trustees in 2005, and was selected as Chairman in 2009.

Chris Gates

Breaking the "Unbreakable" Oracle with Metasploit

Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks.


Travis Goodspeed

A 16 bit Rootkit and Second Generation Zigbee Chips

This lecture in two parts presents first a self-replicating rootkit for wireless sensors, then continues with recent research into the security of second generation Zigbee radio chips such as the CC2430/2431 and the EM250. A live demo and a vulnerability will be released as a part of this presentation.


Joe Grand, Jacob Appelbaum, Chris Tarnovsky

"Smart" Parking Meter Implementations, Globalism, and You

Throughout the United States, cities are deploying "smart" electronic fare collection infrastructures that have been commonplace in European countries for many years. In 2003, San Francisco launched a $35 million pilot program to replace approximately 23,000 mechanical parking meters with electronic units that boasted tamper resistance, payment via smart card, auditing capabilities, and an estimated $30 million annually in fare collection revenue. Other major cities, including Atlanta, Boston, Chicago, Los Angeles, New York, Philadelphia, Portland, and San Diego, have made similar moves.

In this session, we will present our evaluation of electronic parking meters, including smart card protocol analysis and emulation, silicon die analysis, and firmware reverse engineering, all of which aided in successful breaches.


Jennifer Granick

Computer Crime Year In Review: MySpace, MBTA, Boston College and More

It's been a booming year for computer crime cases as cops and civil litigants have pushed the envelope to go after people using fake names on social networking sites (the MySpace suicide case), researchers giving talks at DEFCON (MBTA v. Anderson), and students sending email to other students (the Calixte/Boston College case). The Electronic Frontier Foundation has been front and center in these cases, either filing amicus briefs or directly representing the coders and speakers under attack. At this presentation, Jennifer Granick and other EFF lawyers fresh from the courtroom will share war stories about these cases, thereby informing attendees about the latest developments in computer security law and giving pointers about how to protect yourselves from overbroad legal challenges.


Jeremiah Grossman, Trey Ford

Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way

Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.

Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.

A business logic flaw, an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have led to between four- and nine-figure paydays with nothing more than basic analytical skills required. Furthermore, these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or they become headline news.


Peter Guerra

How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession

This turbo talk will explore the links between US law, international cybercrime, malware proliferation, and the economics of botnets. During this time, I will present research into the impact the current worldwide economic crisis has had on cybercrime and the impact on security professionals. I will also use economics to link cybercrime activity to emerging markets countries (Brazil, Russia, India, and China) and show research into how the CAN-SPAM act created economic incentives for an increase in botnets, spam, malware, and phishing attacks.


Nathan Hamiel, Shawn Moyer

Weaponizing the Web: More Attacks on User-Generated Content

Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it.

We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and, as last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your (and our) favorite sites.


Nick Harbour

Win at Reversing: Tracing and Sandboxing through Inline Hooking

This presentation will discuss a new free tool for Reverse Engineering called API Thief, the "I Win" button for malware analysis. The unique way the tool operates will be explored, as well as how it is able to provide better quality data than other tracing tools currently available. Advanced usage of the tool for malware analysis will be demonstrated, such as sandboxing functionality and a new technique for automated unpacking.


Riley Hassell

Exploiting Rich Content

As RIA (Rich Internet Application) technologies flourish in the marketplace, many wonder what impact they will have on the security landscape. iSEC Partners routinely performs assessments of emerging technologies to better understand their risks and how to remediate these risks in live deployments. As RIA technologies advance, vendors move to complex file formats as a solution to deliver rich content. With this in mind, iSEC Partners performed an assessment of various file formats used by the popular RIA implementations. During the assessment several issues were discovered in these popular technologies. At first glance these issues may appear harmless. This presentation will demonstrate how these issues, often considered low risk, can be carefully exploited to have a much deeper impact. Developers should be aware of these common programming mistakes when developing complex file formats, which are especially critical in Rich Internet Applications.

//BIO: Riley Hassell

Riley Hassell

iSEC Partners

Riley Bruington Hassell is an internationally recognized security professional. He is an industry expert in the fields of application security assessment, software reverse engineering and malware analysis. Mr. Hassell discovered and disclosed some of the most critical software vulnerabilities to date. Throughout 2000 and 2001 he was responsible for several critical vulnerabilities, each having major repercussions on the security industry at large. Most notably, Mr. Hassell was responsible for the discovery of the first critical remote vulnerabilities in Windows 2000 and Windows XP. He also discovered the vulnerability that triggered the Code Red Internet worm. His initial dissection of the worm was used to develop and put in place protective measures to safeguard the network targeted by Code Red, the White House public network. Taking his research a step further, he forecast future worm technologies and presented them at the Black Hat security conference. During 2002 Mr. Hassell performed an assessment of popular security products. During his assessment he discovered critical vulnerabilities in several leading security products, pushing security vendors to take a second look at their software. Mr. Hassell spent the following several years working with start-up ventures to pioneer product technologies in the patch management, intrusion prevention, vulnerability analysis and malware analysis fields. Mr. Hassell is currently working with the internationally renowned security assessment firm iSEC Partners.

Extended Works: Mr. Hassell's research has been cited on several occasions by the Associated Press, the New York Times, Wall Street Journal, LA Times, Boston Globe, and various other major newspapers. Many of the citations were front page stories due to the critical nature of Mr. Hassell's findings. His research was also cited in Time, Wired Magazine, and other popular publications. Mr. Hassell co-authored "The Shellcoder's Handbook: Discovering and Exploiting Security Holes." Riley Hassell has been an active presenter at Black Hat, ITU, and other conferences.

Cormac Herley, Dinei Florencio

Economics and the Underground Economy

The popular and trade presses are full of stories about the underground economy and the easy money to be made there. We are told that phishers and spammers harvest money at will from the online population. Even those without skills can buy what they need and sell what they produce on IRC markets. Estimates of the size of this underground economy vary, but common to most accounts is that it is large and growing rapidly.

In a careful examination of the evidence, we find that these claims are speculation, unsupported by evidence. Estimates of the cybercrime economy are enormous extrapolations from very noisy and poorly-sourced data. Reports that exploits like phishing and spam are worth billions appear to be off by orders of magnitude. Our analysis suggests that the laws of economics have not been suspended. Phishing and spam are subject to the tragedy of the commons, so that returns are kept low. IRC channels are infested with rippers, so that buying and selling is hard. Cybercrime is a ruthlessly competitive business, and low-skill jobs still pay like low-skill jobs. Much as in the regular economy, to do well you need a rare skill or a barrier to entry.

However cybercrime is still a very big deal. The externalities (indirect costs) are far larger than the direct losses. For example, an unskilled phisher still causes significant economic damage, even if he doesn't gain much. The direct costs and externalities are often borne by different parties, leading to misaligned incentives. Ironically, defenders (i.e. the whitehat security community) energetically recruit their own opponents: by promoting the easy money mantra they ensure a steady supply of new entrants.


Billy Hoffman, Matt Wood

Veiled: A Browser-based Darknet

The concept of a darknet has been around for several years now: a hidden underground where people anonymously and securely communicate and share files with each other. Various projects like Tor, FreeNet, WASTE, decentralized peer to peer networks, and other services attempt to provide people with some of these properties. Regardless of how people use darknets, the concept of a private secure network where people can freely communicate ideas as well as distribute content is compelling from both a technological and a philosophical perspective. Unfortunately, the reality is not as clean as the idea. Darknets traditionally require various software programs or components to be installed and configured. This is not for the technically faint of heart. This and other barriers of entry limit those who can participate in a darknet.

In this talk we will discuss and demonstrate Veiled, a proof-of-concept browser-based darknet. A browser-based darknet allows anyone to join from any platform which has a web browser, whether it be a PC or an iPhone. Veiled embodies many of the traditional properties of a darknet. Users can communicate with each other through encrypted channels. Shared files are encrypted, fragmented, and redundantly stored locally across members of Veiled. Another feature, inspired by Ross Anderson's Eternity Service, provides a web-in-a-web where articles or webpages can be anonymously published into Veiled and can contain hyperlinks to other documents stored within Veiled.

In addition to discussing the technical implementation and challenges of such features, we also explore some interesting properties of browser-based darknets. For example, the zero footprint installation allows for darknets to quickly form and disperse. Groups can rapidly join and share in a darknet and leave just as easily. Simply closing your browser removes you from the darknet. If all users close their browsers the darknet ceases to exist and the only trace of its existence are a few encrypted fragments in the bowels of the web browser's history. Finally, we discuss future improvements and applications of temporal communication networks that exist solely in the browser.


Mikko Hypponen

The Conficker Mystery

Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. Apparently written in Ukraine, this worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser.

Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create remote jobs to infect machines over corporate networks. Possibly the most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalculating one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected.

But the real mystery is why nothing happened. The infected machines have never been used for anything. No botnet, no spamming, no data theft. Why? In my talk I will present the work we did to analyse Conficker. We reverse engineered the domain-generation algorithm and infiltrated the network. I will also disclose, for the first time ever, what was the motive of the gang behind Conficker - and why they never acted upon it.


Vincenzo Iozzo, Charlie Miller

Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone

iPhones are now widely used by people; as a consequence the number of factory phones is ever increasing. Until very recently, researchers focused on exploitation techniques for jailbroken phones. Most of these approaches are not usable on factory phones due to a number of protections including code signing and additional memory protections. For that reason, even with the ability to execute arbitrary code in an exploit, it is very hard to know what to do. This presentation will show how it is possible to effectively run high level payloads on a factory phone by defeating code signing protections after exploitation. Specifically, by injecting an arbitrary non-signed library into the victim's process address space, an attacker is able to run his own code, thus granting a much higher attack efficacy. This is especially important because on factory iPhones there are no useful utilities, not even a shell. With this technique, an attacker can bring along their own tools, including the ability to get directory listings, upload and download files, even pivot attacks, in the form of Meterpreter!


Dan Kaminsky, Len Sassaman

Something about Network Security


Mike Kershaw

Kismet and MSF

Airpwn-style TCP stream hijacking on wifi networks inside the MSF Framework. "You want urchin.js? Sure, we can do that. Here it is. Trust me." Demo client attacks against popular websites by poisoning the TCP stream, feeding MSF payloads to clients, and tail-modification of already transmitted TCP streams.


Peter Kleissner

Stoned Bootkit

Stoned bootkit is a brand new Windows bootkit. It is loaded before Windows starts and is memory resident up to the Windows Kernel. Thus Stoned is executed beside the Windows Kernel and has full access to the entire system. You can use it to create your own boot software (diagnostic tools, boot manager, etc). It gives the user back control of the system and has exciting features like integrated FAT and NTFS drivers, automated Windows pwning, plugins and boot applications, and much much more. It finally goes back to the roots - so in this way, your PC is now Stoned! ...again


Kostya Kortchinsky

Cloudburst: Hacking 3D (and Breaking Out of VMware)

Virtualization is everywhere, and VMware is a major actor in the domain. A MacOS user running a Windows only application in a Fusion guest. A malware researcher analysing the latest Conficker in a Workstation guest. A big company running a cloud virtualized on some ESX servers. All of them rely on the security offered by the virtualization software, as a breakout would have disastrous consequences.

Yet VMware products implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of three of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.


Zane Lackey, Luis Miras

Attacking SMS

With the increased usage of text messaging around the globe, SMS provides an ever widening attack surface on today's mobile phones. From over the air updates to rich content multimedia messages, SMS is no longer a simple service to deliver small text-only messages. In addition to its wide range of supported functionality, SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked.

This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.

In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.


Aaron LeMasters, Michael Murphy

Rapid Enterprise Triaging (RETRI): How to Run a Compromised Network and Keep Your Data Safe

Imagine this scenario – routine log analysis uncovers suspicious activity dating back several months, and active beaconing reveals a backdoor channel in an outdated piece of production software on your network. Anti-Virus did not catch it - updated IDS signatures reveal dozens of compromised machines, all buried beneath a hierarchy of domain controllers and NATed subnets across different autonomous organizations throughout a globally distributed network. What do you do without the necessary infrastructure and tools to respond?

Large-scale response efforts are expensive, inefficient and dangerous. What is worse, most companies are not typically resourced or prepared to respond. As a result, they are forced to either purchase a service contract or acquire the tools to respond internally. Neither response is a complete solution and often ends in disaster. More importantly, these approaches ignore the persistent threat at hand, and proprietary company data and resources remain exposed throughout the effort. To add insult to injury, you just spent your entire IT security budget for a one-time fix.

Our methodology of rapid enterprise triaging (RETRI) embraces a macro-approach to the Incident Response process. Rather than focusing on individual network segments or hosts, our approach prioritizes broad network isolation to contain the threat and ensures core business functions remain operable. The result is less strain on your IT staff and no downtime for your users.

Additionally, to help alleviate enormous costs of enterprise Incident Response tools, we have developed a free tool named Codeword that complements our approach. Codeword is similar in functionality to commercial agent-based forensic tools, but focuses on the needs of management and analysts during rapid triaging. These needs typically include an estimate of the spread of infection; an ability to search hosts for malware with constantly evolving indicators; a thorough evidence-collecting capability; and advanced, seamless reporting. These capabilities are implemented in a server-agent framework. Codeword is composed of several modules: the Handler that administrators use to generate custom MSI installers; the scanner binary contained in the MSI installer which includes a user-mode agent and a kernel-mode driver; and a report viewing component for analysts to easily aggregate and correlate evidence as it is reported from deployed agents. Codeword also boasts advanced rootkit detection and kernel integrity checking capabilities.

NOTE: The Codeword tool is not available for public release at this time.


Felix "FX" Lindner

Router Exploitation

Exploitation of active networking equipment has its own history and challenges. This session will take you through the full spectrum of possible attacks, what they yield and how the art of exploitation in that particular field evolved over the recent past to its present state. We will cover attacks on Cisco equipment and compare them to other specimens in the field, talk about the challenges you face to get a simple shell on such devices and what to actually do with them once you have made it.


Johnny Long

Me to We

From scrubby C64 pirate to professional hacker to reluctant "Internet rockstar", the past five years of Johnny's journey have been interesting. The last few months, however, have been straight-up bizarre. While many strain to maintain and others scrape and scratch at the ladder, Johnny's jumped off the top rung. This is a story of what it takes to make it in this industry, and what the view's like from the top. This is a story about how utterly teh suck the view from the top really is and why you might want to just jump off now before it's too late. This is the story of a rise and fall and the crossover cable those terms require. This is a story that’s relevant if you’re in for the long haul. This is Johnny’s story, as only Johnny can tell it. Which means it might be funny.


Kevin Mahaffey, Anthony Lineberry, John Hering

Is Your Phone Pwned? Auditing, Attacking and Defending Mobile Devices

The world has never been more connected. Over a billion mobile devices ship every year, five times the number of PCs in the same period. The iPhone and Android have accelerated the mass adoption of smart devices, mobile applications, and high speed mobile networks. Meanwhile, mobile devices are now a material target: they contain sensitive personal and corporate data, access privileged networks, and routinely perform financial transactions. The question remains, how do we keep these devices safe?

Learn about how to detect vulnerabilities on mobile devices, exploitation techniques, how the security architecture of major mobile platforms work, and how to protect your mobile device(s) in the threat landscape of a constantly evolving mobile world. We'll be demonstrating a new mobile device vulnerability (we're also providing a hotfix tool) and analyzing other vulnerabilities that affect major mobile platforms, one of which is already being actively exploited in the wild. To top it off, we will be releasing our 'Sniper' mobile fuzzing framework, a tool specifically designed to fuzz mobile platforms that includes support for major file formats and protocols typically present on mobile devices.


Moxie Marlinspike

More Tricks For Defeating SSL

This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping.

This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.


John McDonald, Chris Valasek

Practical Windows XP/2003 Heap Exploitation

As we all know, the era of the straightforward 4-byte overwrite is over. Heap exploitation has steadily increased in difficulty since its genesis in Solar Designer's ground-breaking Bugtraq post in July of 2000. This trend towards increasingly complicated exploitation is primarily a result of the widespread implementation of technical heap counter-measures in modern systems software. The effort required to write reliable heap exploits has steadily increased due to other factors as well: applications have become more and more multi-threaded to take advantage of trends in hardware, and (in certain code) memory corruption vulnerabilities have become more nuanced and unique as a result of common, straightforward vulnerability patterns slowly but surely being audited out of existence.

The end result of all these defensive machinations is that now, more than ever, you need a fluid, application-aware approach to heap exploitation. The building blocks of such an approach are an extensive working knowledge of heap internals, an understanding of the contributing factors in heap determinism, various tactics for creating predictable patterns in heap memory, and, naturally, a collection of techniques for exploiting myriad different specific types of memory corruption in heap memory.

Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "the new hotness," but it is still of tremendous relevance in the modern computing landscape. Our first goal in this presentation is to bring the audience up to speed on Windows Heap Manager internals and the current best of breed exploitation techniques. Once this foundation is established, we will introduce new techniques and original research, which, at the end of the day, can turn seemingly bleak memory corruption situations into exploitable conditions.

Specifically, we will cover techniques for attacking application data and heap meta-data, as well as tactics for creating predictable patterns in heap memory for use in supplying rogue data structures as part of exploitation. We'll also provide guidelines on which techniques one should employ in different corruption situations, and give brief pointers for advanced attendees as to potential areas of inquiry for developing new attack techniques.

After discussing all of this material in detail, we'll reinforce the knowledge by presenting two real-world case studies, with live demonstrations of the vulnerabilities and a discussion of the exploitation process. We'll then present tools and code that we've developed to model heap behavior, which will aid in both exploitation and defense. We'll round out our presentation by showing how to use these tools to analyze a case study vulnerability to demonstrate how we turned a theoretical memory corruption vulnerability into a concrete exploit.


Haroon Meer, Nick Arvanitis, Marco Slaviero

Clobbering the Cloud!

Cloud Computing dominates the headlines these days but like most paradigm changes this introduces new risks and new opportunities for us to consider. Some deep technical research has gone into the underlying technologies (like Virtualization) but to some extent this serves only to muddy the waters when considering the overall threat landscape. During this talk, SensePost will attempt to separate fact from fiction while walking through several real-world attacks on "the cloud." The talk will focus both on attacks against the cloud and on using these platforms as attack tools for general Internet mayhem. For purposes of demonstration we will focus most of our demos and attacks against the big players...


Erez Metula

Managed Code Rootkits: Hooking into the Runtime Environments

This presentation introduces a new concept of application-level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation and to hide malicious code inside its core. It takes the earlier ".NET Rootkits" concept a step further, covering generic methods of malware development (rootkits, backdoors, logic manipulation, etc.) for the .NET Framework and Java's JVM by changing the runtime's behavior. It includes demos of information logging, reverse shells, backdoors, encryption key fixation, and other nasty things.

This presentation will introduce the new version of ".Net-Sploit" - a generic language modification tool, used to implement the rootkit concepts. Information about .NET modification - The Whitepaper, .NET-Sploit, and source code can be found here.


Charlie Miller, Collin Mulliner

Fuzzing the Phone in your Phone

In this talk we show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). We show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, we present the results of this fuzzing and discuss their impact on smart phones and cellular security.
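The messages this talk fuzzes reach the phone stack as SMS-DELIVER PDUs. The block below is an added example and not the speakers' code: it builds a well-formed GSM 7-bit PDU, decodes it with the strict checks a phone stack needs, and generates the length-field, flag-bit and truncation mutations a fuzzer such as Sulley would send. The sender number, the message text and the zeroed timestamp are constructed; the carrier-free injection path into the handset is not reproduced here.

```python
"""Build, strictly parse and mutate GSM SMS-DELIVER PDUs (3GPP TS 23.040/23.038).
Added example: sender, text and the zeroed timestamp are constructed."""


def gsm7_pack(text: str) -> bytes:
    """Pack 7-bit septets into octets; basic Latin characters only."""
    septets = [ord(c) & 0x7F for c in text]
    out = bytearray()
    for k in range(len(septets)):
        i = k + k // 7                      # septet whose high bits start octet k
        if i >= len(septets):
            break
        shift = k % 7
        octet = septets[i] >> shift
        if i + 1 < len(septets):
            octet |= (septets[i + 1] << (7 - shift)) & 0xFF
        out.append(octet)
    return bytes(out)


def gsm7_unpack(data: bytes, count: int) -> str:
    """Inverse of gsm7_pack: recover `count` septets from packed octets."""
    chars = []
    for i in range(count):
        g, r = divmod(i, 8)
        k = 7 * g + r
        if r == 7:                          # 8th septet: top 7 bits of octet 7g+6
            val = data[k - 1] >> 1
        else:
            val = data[k] << r | (data[k - 1] >> (8 - r) if r else 0)
        chars.append(chr(val & 0x7F))
    return "".join(chars)


def semi_octets(digits: str) -> bytes:
    """BCD digits with swapped nibbles, F-padded to an even count."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def build_sms_deliver(sender: str, text: str) -> bytes:
    pdu = bytearray([0x00, 0x04])           # no SMSC address; TP-MTI=DELIVER, TP-MMS=1
    pdu += bytes([len(sender), 0x91])       # TP-OA digit count, international/ISDN
    pdu += semi_octets(sender)
    pdu += b"\x00\x00"                      # TP-PID, TP-DCS = GSM 7-bit default alphabet
    pdu += bytes(7)                         # TP-SCTS: constructed zero timestamp
    pdu.append(len(text))                   # TP-UDL: septet count
    pdu += gsm7_pack(text)
    return bytes(pdu)


def parse_sms_deliver(pdu: bytes) -> dict:
    """Strict decoder; raises ValueError where a lenient stack would overread."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(pdu):
            raise ValueError("truncated at offset %d" % pos)
        chunk = pdu[pos:pos + n]
        pos += n
        return chunk

    take(take(1)[0])                        # skip SMSC address
    first = take(1)[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER")
    oa_digits = take(1)[0]
    if oa_digits > 20:
        raise ValueError("TP-OA length %d exceeds 20 digits" % oa_digits)
    take(1)                                 # type of address
    raw = take((oa_digits + 1) // 2)
    sender = "".join("%X%X" % (b & 0x0F, b >> 4) for b in raw)[:oa_digits]
    pid, dcs = take(2)
    take(7)                                 # TP-SCTS
    udl = take(1)[0]
    if dcs != 0x00:
        raise ValueError("only the 7-bit default alphabet is handled here")
    if udl > 160:
        raise ValueError("TP-UDL %d exceeds 160 septets" % udl)
    ud = take((udl * 7 + 7) // 8)           # exact octet count for udl septets
    return {"sender": sender, "pid": pid, "text": gsm7_unpack(ud, udl)}


def mutate(pdu: bytes):
    """Yield (label, pdu): length-field, flag-bit and truncation mutations."""
    udl_off = 4 + (pdu[2] + 1) // 2 + 2 + 7
    for off, name in ((2, "oa_len"), (udl_off, "udl")):
        for v in (0x00, 0x01, 0x7F, 0x80, 0xFF):
            m = bytearray(pdu)
            m[off] = v
            yield "%s=%02x" % (name, v), bytes(m)
    for bit in range(8):                    # flip one flag bit of the first octet
        m = bytearray(pdu)
        m[1] ^= 1 << bit
        yield "first^=%02x" % (1 << bit), bytes(m)
    yield "truncated", pdu[:udl_off + 3]


def triage(pdu: bytes) -> dict:
    """Run every mutant through the strict parser and record the verdict."""
    verdicts = {}
    for label, m in mutate(pdu):
        try:
            parse_sms_deliver(m)
            verdicts[label] = "accepted"
        except (ValueError, IndexError) as e:
            verdicts[label] = "rejected: %s" % e
    return verdicts
```

`triage()` runs the mutants through the strict parser; a lenient stack would instead trust TP-OA length and TP-UDL and read past the end of the buffer, which is the class of bug SMS fuzzing is meant to surface. The same mutants, delivered to a real handset, are what the monitoring side of the talk watches for.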


Graeme Neilson

Netscreen of the Dead: Developing a Trojaned ScreenOS for Juniper Netscreen Appliances

Core network security appliances are often considered to be more secure than traditional systems because the operating systems they run are supplied as obfuscated, undocumented binary firmware. Juniper Inc supplies a complete range of security appliances that all run a closed source operating system called ScreenOS which they supply as firmware.

This presentation will detail how the Juniper Netscreen platform can be completely subverted by installation of attacker modified firmware. This firmware is effectively an embedded rootkit.


Steve Ocepek

Long-Term Sessions: This Is Why We Can't Have Nice Things

Whether it's a credit card sniffer, a chatty web application, or unauthorized remote control software, long-lived network sessions are frequently being used to establish bi-directional conduits into and out of our networks. Unlike traditional "pull" oriented sessions, long-life sessions create channels that last anywhere from several minutes to several days. This behavior is not inherently bad, but since each connection represents a direct path into a network resource, being able to scrutinize these pathways would certainly even the odds a bit.

This discussion will present ways of classifying long-life sessions, decisions that need to be made around their use, and methods for detection and disconnection. While some current tools can get us part of the way there, a new approach will be presented in the form of a proof-of-concept utility called "ackack." This program, initially being released at Black Hat 2009, can be used with a switch monitor session to apply ARIN-based white/blacklists to long-life incoming and outgoing sessions. Detecting LogMeIn, botnets, and phone-home malware suddenly becomes feasible, as well as incoming server exploits that, for instance, drop the intruder into a shell. The goal of this software is to demonstrate the plausibility of controlling long-life sessions and encourage hardware vendors to implement this functionality. It might also make the world a better place, which would be kinda cool too.
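As an added example of the classification the talk proposes (not the ackack tool itself), the block below picks long-lived sessions out of connection records and applies an organization allowlist to the external peer. The log lines are constructed, and the static netblock table stands in for the ARIN lookups ackack performs; the 10-minute threshold and the 1 KiB per-direction minimum used to call a session bi-directional are assumptions.

```python
"""Flag long-lived, bi-directional sessions to peers outside an allowlist.
Added example; log lines and the allowlist are constructed."""
import ipaddress
import re
from datetime import datetime

# Constructed connection records: start end src:port -> dst:port bytes sent by
# the initiator (out) and bytes sent back to it (in).
LOG = """\
2009-07-25T09:00:00 2009-07-25T09:00:03 10.0.0.5:51022 -> 192.0.2.10:80 out=812 in=40113
2009-07-25T09:01:10 2009-07-25T13:42:55 10.0.0.7:51330 -> 198.51.100.23:443 out=96021 in=90014
2009-07-25T09:05:00 2009-07-25T11:05:00 10.0.0.9:52001 -> 192.0.2.44:22 out=44120 in=51200
2009-07-25T09:10:00 2009-07-25T09:40:00 203.0.113.77:4433 -> 10.0.0.12:80 out=3100 in=58000
2009-07-25T09:12:00 2009-07-25T09:12:30 10.0.0.5:51040 -> 203.0.113.9:25 out=2400 in=300
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWLIST = {  # constructed: org -> netblock, the shape an ARIN lookup would give
    "corp-hosting": ipaddress.ip_network("192.0.2.0/24"),
}
LINE = re.compile(r"(\S+) (\S+) (\S+):(\d+) -> (\S+):(\d+) out=(\d+) in=(\d+)")


def owner(addr):
    """Name of the allowlisted organization owning `addr`, else None."""
    for name, net in ALLOWLIST.items():
        if addr in net:
            return name
    return None


def classify(log: str, min_seconds: int = 600, min_bytes: int = 1024) -> list:
    """Return one finding per session that outlived `min_seconds`."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        start, end = (datetime.fromisoformat(t) for t in m.group(1, 2))
        src, dst = ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(5))
        sent, recv = int(m.group(7)), int(m.group(8))
        duration = (end - start).total_seconds()
        if duration < min_seconds:
            continue                          # ordinary pull-style request/response
        direction = "outbound" if src in INTERNAL else "inbound"
        peer = dst if direction == "outbound" else src
        bidirectional = sent >= min_bytes and recv >= min_bytes
        org = owner(peer)
        if org:
            verdict = "allowed"               # known organization: keep, but log
        elif bidirectional:
            verdict = "suspect"               # conduit to an unknown peer: candidate for disconnect
        else:
            verdict = "review"                # long but one-sided, e.g. a large download
        findings.append({"direction": direction, "peer": str(peer), "port": int(m.group(6)),
                         "seconds": int(duration), "bidirectional": bidirectional,
                         "org": org, "verdict": verdict})
    return findings
```

In the constructed data the 4h41m outbound HTTPS session to an unlisted peer and the 30-minute inbound session to the web server that carries traffic both ways are the two "suspect" findings; the SSH session to the hosting provider's block is long but allowed. Disconnection is the part left to the switch or firewall.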


Jeongwook Oh

Fight Against 1-day Exploits: Diffing Binaries vs Anti-diffing Binaries

This talk is about binary diffing versus anti-binary-diffing techniques. A security patch is meant to fix security vulnerabilities and protect users and computers from risk. But what if releasing a patch introduces a new threat? We call that threat the 1-day exploit. Just a few minutes after a patch is released, binary diffing can be used to identify the vulnerabilities the patch remedies. Since Halvar introduced it a few years ago, binary diffing has become a common and easily affordable technique. Aside from expensive commercial tools like "bindiff," there are already two or three free or open-source tools that can be used to identify the exact patched points in the patched files.

Binary diffing is especially effective against Microsoft binaries. Unlike other vendors, Microsoft releases patches on a regular schedule, and the patched vulnerabilities are relatively concentrated in small areas of the code, which makes the patched parts more visible and apparent to patch analyzers. We developed the "eEye Binary Diffing Suites" back in 2006, and it is widely used by security researchers to identify vulnerabilities. Even though it is free and open source, it is powerful enough for that vulnerability-hunting purpose. So, in practice, attackers have access to all the tools and theory they need to identify just-patched vulnerabilities, and they can launch attacks during the window in which users and corporations are applying patches (typically a few hours to a few days).

From our observations over the past few years, all the important security patches were binary diffed, manually or automatically using tools. Sometimes researchers claimed to have finished analyzing a patch in just 20-30 minutes; within a day at most, it is possible to identify the vulnerability itself and build a working exploit. It has therefore become crucial to make these practices more difficult and time-consuming, buying consumers more time to apply patches. Even though heavy code obfuscation is not an option for Microsoft's products, there are still strategies and techniques that defeat binary diffing without sacrificing stability or usability. We are going to show methods and tactics that make a binary differ's life harder, and we will show an in-house tool that obfuscates binaries in a way that specifically confuses binary differs.
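The fingerprint-and-match approach behind the binary differs mentioned above, together with a padding-based anti-diffing counter, as an added example that is not the eEye suite or DarunGrim: two constructed builds of a module are compared by hashing each function's mnemonic sequence, the unmatched function is diffed at the instruction level, and then state-neutral instructions are sprinkled into the patched build so that every function looks changed. The pseudo-disassembly, the neutral-instruction set and the bounds-check patch are all constructed.

```python
"""Function fingerprints for patch diffing and a padding-based anti-diffing
counter.  Added example with constructed pseudo-disassembly; not the eEye
Binary Diffing Suite or DarunGrim."""
import hashlib
import random
from difflib import unified_diff

# Two builds of the same module; v2 adds a bounds check to parse_len.
V1 = {
    "parse_len": ["push ebp", "mov ebp,esp", "mov eax,[ebp+8]", "movzx ecx,byte [eax]",
                  "mov [ebp-4],ecx", "mov eax,ecx", "pop ebp", "ret"],
    "copy_body": ["push esi", "mov esi,[esp+8]", "mov ecx,[esp+12]", "rep movsb",
                  "pop esi", "ret"],
    "checksum":  ["xor eax,eax", "add eax,[ecx]", "add ecx,4", "dec edx",
                  "jnz checksum+2", "ret"],
}
V2 = dict(V1)
V2["parse_len"] = ["push ebp", "mov ebp,esp", "mov eax,[ebp+8]", "movzx ecx,byte [eax]",
                   "cmp ecx,0x40", "jae fail", "mov [ebp-4],ecx", "mov eax,ecx",
                   "pop ebp", "ret"]
NEUTRAL = ("nop", "xchg eax,eax", "lea esi,[esi]")      # leave machine state unchanged


def fingerprint(instrs, normalize=False):
    """Hash of the mnemonic sequence; operands are dropped so relocated
    addresses between builds do not break matching."""
    seq = [ins.split()[0] for ins in instrs if not (normalize and ins in NEUTRAL)]
    return hashlib.sha1(" ".join(seq).encode()).hexdigest()


def unmatched(old, new, normalize=False):
    """Functions in `new` with no fingerprint-identical twin in `old`: the
    candidates for the patched point."""
    known = {fingerprint(body, normalize) for body in old.values()}
    return sorted(name for name, body in new.items()
                  if fingerprint(body, normalize) not in known)


def instruction_diff(old_body, new_body):
    """Instruction-level diff of one candidate (what the analyst reads)."""
    return [line for line in unified_diff(old_body, new_body, lineterm="", n=1)
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def obfuscate(binary, seed=2009, density=0.3):
    """Anti-diffing: pad every function with state-neutral instructions so
    each mnemonic sequence, and therefore each fingerprint, changes."""
    rng = random.Random(seed)
    out = {}
    for name, body in binary.items():
        padded = []
        for ins in body:
            if rng.random() < density:
                padded.append(rng.choice(NEUTRAL))
            padded.append(ins)
        padded.insert(rng.randrange(len(padded)), rng.choice(NEUTRAL))  # at least one
        out[name] = padded
    return out
```

Against the plain v2, `unmatched()` narrows the analyst to `parse_len` and the diff shows the inserted `cmp`/`jae`; against the padded v2 every function is a candidate. Stripping neutral instructions before hashing (`normalize=True`) restores the match, which is why padding alone does not hold against a differ that normalizes and why the talk's tool has to do more than this example; that tool is not reproduced here.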

//BIO: Jeongwook Oh

Jeongwook Oh

Back in the mid-90s, I made the first commercial firewall in South Korea. I also worked as a security consultant for years at major security firms in Korea. In 2004, I decided to move to California and started working as a Software Engineer at "eEye Digital Security." I'm working on eEye's flagship HIPS product, called "Blink." Blink can proactively protect un-patched Windows machines against known and unknown attacks by combining traffic analysis and host-level protections. I make the traffic-analyzing modules that monitor and catch attack signature traffic. But the traffic analysis engine is smarter than a simple binary-matching one: it understands and parses the traffic to identify attack patterns. To provide that kind of protection, it was crucial to understand the internals of the patches Microsoft provides.

For the purpose of understanding Microsoft security patches, I researched binary diffing techniques in my spare time to relieve the pain of eEye researchers' eyeballs every Patch Tuesday. Finally I made a tool called "eEye Binary Diffing Suite." It was used internally for a long time and finally released to the public as an open-source project. It has been used by many researchers to analyze Microsoft patches and to make real exploits. There is also research by some university labs that used my tool to prove that automatic exploit writing is possible. Several books (including "The IDA Pro Book" and "Hacking Exposed Windows: Windows Security Secrets and Solutions") introduce the "eEye Binary Diffing Suite." For more information visit www.darungrim.org

Alfredo Ortega, Anibal Sacco

Deactivate the Rootkit

There are three things that you should know about the Rootkit:

  1. If you have a notebook, you probably have The Rootkit.
  2. You can't erase the Rootkit, but you should know how to deactivate it.
  3. Finally, you should know how you (or somebody else) could activate the Rootkit.


Danny Quist, Lorie Liebrock

Reverse Engineering By Crayon: Game Changing Hypervisor Based Malware Analysis and Visualization

Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armored code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps you to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.


Tiffany Strauchs Rad, James Arlen

Your Mind: Legal Status, Rights and Securing Yourself

As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and international laws relating to protection of intellectual property and criminal search and seizure procedures put into question the protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server platforms, or on social networking sites.

Although once considered futuristic, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what point does data in transit, or stored in implantable medical devices continuously connected to the Internet, become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.


Daniel Raygoza

Automated Malware Similarity Analysis

While it is fairly straightforward for a malware analyst to compare two pieces of malware for code reuse, it is not a simple task to scale to thousands of pieces of code. Many existing automated approaches focus on run-time analysis and critical trait extraction through signatures, but they don't focus on code reuse. Automated code reuse detection can help malware analysts quickly identify previously analyzed code, develop links between malware and its authors, and triage large volumes of incoming data. The tool and approach presented is best suited for groups that often perform in depth analysis of malware samples (including unpacking) and are looking for methods to develop links and reduce duplicated effort.


Bruce Schneier

Re-conceptualizing Security

Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. We tend to discount the feeling in favor of the reality, but they're both important. The divergence between the two explains why we have so much security theater, and why so many smart security solutions go unimplemented. Several different fields–behavioral economics, the psychology of decision making, evolutionary biology–shed light on how we perceive security, risk, and cost. It's only when the feeling and reality of security converge that we have real security.

//BIO: Bruce Schneier

Bruce Schneier

Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." Beyond Fear tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security. His current book, Schneier on Security, offers insight into everything from the risk of identity theft (vastly overrated) to the long-range security threat of unchecked presidential power and the surprisingly simple way to tamper-proof elections.



Regularly quoted in the media, he has testified on security before the United States Congress on several occasions and has written articles and op eds for many major publications, including The New York Times, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Sydney Morning Herald, The Boston Globe, The San Francisco Chronicle, and The Washington Post.

Schneier also publishes a free monthly newsletter, Crypto-Gram, with over 150,000 readers. In its ten years of regular publication, Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news.

Peter Silberman, Steve Davis

Metasploit Autopsy: Reconstructing the Crime Scene

Meterpreter is becoming the new frontier of malicious payloads, allowing an attacker to upload files that never touch disk and circumventing traditional forensic techniques. The stealth of meterpreter creates problems for incident responders: for example, how does a responder determine what occurred on a box exploited with meterpreter?

During this talk we discuss accessing physical memory for the purpose of acquiring a specific process's address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps, and covers memory-resident modules. We describe in detail how meterpreter operates in memory, specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited process's memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session, completely from memory, and determine what the attacker was doing on the exploited machine.

The talk will conclude with the demonstration of a new tool: the audience will see how an attacker using meterpreter is no longer hidden from the forensic investigator, as we recreate the meterpreter session from memory.


Val Smith, Colin Ames, David Kerb

MetaPhish

Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.

In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for SpearPhishing on pen tests, second stage backdoors, and extensive communication over TOR.


Alexander Sotirov, Mike Zusman

Breaking the security myths of Extended Validation SSL Certificates

Extended Validation (EV) SSL certificates have been touted by Certificate Authorities and browser vendors as a solution to the poor validation standards for issuing traditional SSL certificates. It was previously thought that EV certificates are not affected by attacks that allow malicious hackers to obtain a non-EV SSL certificate, such as the MD5 collision attack or the widely publicized failures of some CAs to validate domain ownership before issuing certificates.

Unfortunately, it turns out that the security offered by EV certificates is no better than the security of even the cheapest $12 SSL certificate. In this talk we will show how any attacker who can obtain a non-EV SSL certificate for a website can perform completely transparent man-in-the-middle attacks on any SSL connection to that site, even if the website is protected by an EV certificate and the users are diligently inspecting all information contained in the SSL certificates.


Kevin Stadmeyer, Garrett Held

Worst of the Best of the Best

This talk provides an overview of popular, and lesser known but similar sounding awards, and the correlation between them and security vulnerabilities found. The analysis will use publicly available information for statistics and sanitized examples of award-winning products that are clearly vulnerable to common attacks.


Alex Stamos, Andrew Becherer, Nathan Wilcox

Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade

Cloud computing is an unstoppable meme at the CIO level, and will dominate corporate IT planning for the next several years. Although it offers the promise of cost savings for many organizations, the basic idea of abstracting away the corporate datacenter greatly complicates the tasks of securing and auditing these systems. While there has been excellent research into low-level hypervisor and virtualization bugs, there has been little public discussion of the “big picture” problems for cloud computing. These include virtualized network devices, browser same-origin issues, credential management and many interesting legal challenges.

Our goal with this talk will be to explore the different attack scenarios that exist in the cloud computing world and to provide a comparison between the security models of the leading cloud computing platforms. We will discuss how current attacks against applications and infrastructure are changed with cloud computing, as well as introduce the audience to new types of vulnerabilities that are unique to cloud computing. Attendees will learn how to analyze the threat posed to them by cloud computing platforms as either providers or consumers of software built on these new platforms. Our platforms for discussion include Salesforce.com, Google Apps, Microsoft Office Live, Google AppEngine, Microsoft Azure, Amazon EC2, and Sun.

//BIO: Andrew Becherer
//BIO: Nathan Wilcox

Bryan Sullivan

Defensive Rewriting: A New Take on XSS/XSRF/Redirect-Phishing Defense

Attacks like cross-site scripting (XSS), cross-site request forgery (XSRF), and open-redirect phishing are routinely propagated through malicious hyperlinks sent in e-mail messages. We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs, not once every 200 years like Tim Berners-Lee suggests, but once every 10 minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims.

This presentation will explore the possibilities of using various forms of URL rewriting techniques as defensive measures against XSS, XSRF and any other known or 0-day attack methods that use email as a propagation vector. I will release source and binaries for an ASP.NET rewriting module and will demonstrate source/pseudocode to accomplish the same functionality for other platforms.
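One way to implement the 10-minute rotation proposed above, as an added example (not the ASP.NET module the speaker released): an outbound filter stamps each link with an HMAC tag bound to the current time window, and an inbound filter rejects links whose window has expired or whose path and query no longer match the tag. The key, the parameter name `_t` and the one-window grace period are assumptions.

```python
"""Time-rotated URL tags: a link carries an HMAC over its path and query
bound to a 10-minute window, so a link mass-mailed earlier stops validating.
Added example; the key and parameter name are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-per-site-key-rotate-me"   # assumption: one secret per application
WINDOW = 600                                      # seconds: the 10 minutes proposed above
PARAM = "_t"


def _canonical(parts) -> str:
    """Path plus sorted query without the tag itself: what the tag commits to."""
    pairs = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k != PARAM)
    return parts.path + "?" + urlencode(pairs)


def _tag(canon: str, window: int) -> str:
    mac = hmac.new(SECRET, f"{window}:{canon}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:12]).decode()      # 16 chars, no padding


def rewrite(url: str, now: float) -> str:
    """Outbound filter: stamp an internal link with the current window's tag."""
    parts = urlsplit(url)
    window = int(now // WINDOW)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != PARAM]
    pairs.append((PARAM, f"{window}-{_tag(_canonical(parts), window)}"))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def validate(url: str, now: float, grace: int = 1) -> bool:
    """Inbound filter: accept links tagged in this window or up to `grace` windows back."""
    parts = urlsplit(url)
    token = dict(parse_qsl(parts.query, keep_blank_values=True)).get(PARAM, "")
    window_s, _, tag = token.partition("-")
    if not window_s.isdigit() or not tag.isascii():
        return False
    window, current = int(window_s), int(now // WINDOW)
    if not current - grace <= window <= current:
        return False                                  # expired, or from the future
    return hmac.compare_digest(tag, _tag(_canonical(parts), window))
```

Rotation only protects URLs the application itself emits. A link to a parameterized, state-changing endpoint that arrives without a valid tag should be bounced to a neutral landing page rather than executed, and bookmarkable entry points have to stay exempt, which is the usability trade-off the approach carries.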


Chris Tarnovsky

What the hell is inside there?

An in-depth look inside the latest high-security smartcard devices commonly found in GSM SIM cards. Parts from several different manufacturers have been torn down; most are certified at the highest Common Criteria levels available. High-resolution images will be the focal point of the discussion, along with the question of how secure these devices really are. Is the latest Comp128 algorithm secure, or is there a risk of exposure from one of these SIM cards?


Alexander Tereshkin, Rafal Wojtczuk

Introducing Ring -3 Rootkits

Rootkit Evolution over the past decade:
Ring 3 == usermode rootkits

Ring 0 == kernelmode rootkits

Ring -1 == hypervisor rootkits (BluePill)

Ring -2 == SMM rootkits

Now, we're going to introduce Ring -3 Rootkits.


Steve Topletz, Jonathan Logan and Kyle Williams

Global Spying: Realistic Probabilities in Modern Signals Intelligence

When talking about the threat of Internet surveillance the argument most often presented is that “there is so much traffic that any one conversation or email won't be picked up unless there is reason to suspect those concerned; it is impossible that ‘they’ listen to us all”. Unfortunately this widely held belief is both flawed, and false. This presentation provides insight into the realistic feasibility and implementation of Internet mass surveillance.


Michael Tracy, Chris Rohlf, Eric Monti

Ruby for Pentesters

Getting up to speed quickly on projects where you're down deep reversing protocols or applications can be challenging at best and catastrophic at worst. In this talk we highlight our use of Ruby to solve the problems we're faced with every day. We use Ruby because it's easy to leverage its flexibility and power for everything from reverse engineering network protocols to fuzzing to static and dynamic analysis, all the way to attacking exotic proprietary enterprise network applications. Having a great set of tools available to meet your needs might be the difference between a successful result for your customer and updating your resume with the details of your former employer.

If you're not familiar with Ruby, we'll lead off by illustrating why Ruby is so powerful, making a case for rapidly prototyping everything from reversing tools to hacked up network clients using our not-so-patented "bag-o-tricks" approach. Then we dive into our real-world experiences using Ruby to quickly get up and running on a wide range of tasks. Real discussion of real problem solving on topics like:

  • Ripping apart static binaries and bending them to your will
  • Getting up close and personal with proprietary file formats
  • Becoming the puppet-master of both native and Java applications at runtime
  • Exposing the most intimate parts of exotic network services like JRMI and Web services
  • Trimming the time you spend decoding proprietary protocols and cutting directly to fuzzing them

As if all that wasn't enough, we'll show you how to make Ruby mash-ups of the stuff you already love. Make the tools you already rely on new again by getting them to work together, harder and smarter. When you're asked to get twice as much done in half the time, smile confidently knowing you have a secret weapon and the job will get done.


Dustin "I)ruid" Trammell

Metasploit Telephony

An important attack vector missing in many penetration testing and attack tools available today is the tried-and-true telephony dial-up. With the recent surge in popularity of VoIP connectivity, accessing such attack vectors has become both cheap and easy. Using the new Metasploit telephony components, users are now able to both scan for and dial up directly to telephony-accessible exploitation targets.

//BIO: I)ruid

Dustin "I)ruid" Trammell

BreakingPoint Systems

I)ruid is the founder of the Computer Academic Underground, co-founder of the Austin Hackers Association (AHA!), and is currently employed by BreakingPoint Systems. Dustin has over a decade of experience in various areas of information security, including vulnerability assessment, penetration testing, secure network architecture, vulnerability research and development, and security research in specific areas related to network protocols, network applications, steganography, and VoIP.

Over the years Dustin has been involved with many security community projects such as design and development of Sender Policy Framework (SPF) for e-mail (RFC 4408) and contributing as a core developer for the Metasploit Project. Dustin has also released numerous security tools such as the infamous PageIt! mass-paging application, the hcraft HTTP exploit-crafting framework, and the SteganRTP VoIP steganography tool. He regularly releases vulnerability and exploit advisories, speaks at security related events and conferences, and is on the Technical Advisory Board of the Voice over IP Security Alliance (VoIPSA).

Prior to joining BreakingPoint, Dustin performed VoIP security research for TippingPoint as well as founded the VIPER Lab vulnerability research group at Sipera Systems. Before Sipera, I)ruid was a Security Researcher for Citadel Security Software (acquired by McAfee) responsible for vulnerability analysis, research, and remediation within the scope of the Linux, Solaris, AIX, and HP/UX platforms.

You can find a list of his previous speaking engagements here:
www.caughq.org/presentations

Eduardo Vela Nava, David Lindsay

Our Favorite XSS Filters and How to Attack Them

This talk presents several techniques that have been used, are being used, and could be used in the future to bypass, exploit and attack some of the most advanced XSS filters, including the new IE8 XSS Filter, browser add-ons (NoScript), server-side IDSs (mod_security, PHP-IDS), and human log review. We will present innovative techniques that expand the scope of what we think we know about XSS filters, and give you some ideas on how to find your own, based on real-world examples, discoveries, techniques and attacks.


Mario Vuksan, Tomislav Pericin

Fast & Furious Reverse Engineering with TitanEngine

A great challenge of modern reverse engineering is taking apart and analyzing binary protections. During the last decade a vast number of shell modifiers have appeared. At the same time, protection tools have evolved from encryption that protects the executable and data parts to sophisticated protections "packed" with tricks specifically tasked with slowing down the reversing process. As the number of such techniques increases, we need to ask ourselves: can we keep up with the tools that we have?

Come to this talk to learn the most effective strategies for dealing with complex binary code and to see in action the new open-source framework, TitanEngine, which addresses advanced file analysis. Today reverse engineers are limited to writing their own code for every new scenario they encounter or to using outdated solutions that do not cover all the needed aspects. Yet when speed is of the essence, as in dealing with new outbreaks or botnet infections, new tools are necessary to deal with the large volume of incoming samples. Accurate detection, relevant data extraction and fast decomposition in a safe and controlled manner are critical requirements.

TitanEngine has been designed so that writing unpackers would mimic the manual unpacking process. Guided execution with the set of callbacks simulates the presence of a reverse engineer. This is done by creating an execution timeline equal to the one used by reverse engineers to unpack the file. Information is gathered as the execution is led to the point from where the protection passes the control to the original code. At that point we have all the data we need to create a sample valid for execution and further analysis. During the talk, a new open source project, the TitanEngine, will be introduced and discussed in detail. Special attention will be given to addressing automation problems when writing unpackers. We will cover the following topics:

  • In-depth description of integrated x86/x64 debugger
  • Debugger: software, hardware, memory, library and flex breakpoints
  • Dumping memory and loaded modules
  • Comprehensive description of integrated import resolving module
  • Repairing import table with a simple data gathering
  • Automatic scan for all known import redirections and eliminations
  • In-depth description of integrated PE file manipulation module
  • Working with PE header, imports, exports, relocations, resources
  • Complete description on how to use the engine to write an unpacker
  • Making an executable unpacker
  • Making a library unpacker

The talk will conclude with demos of two new tools that are based on the TitanEngine:

  • RL!dePacker - generic PE x86/x64 unpacker supporting over 100 formats
  • ImportStudio - OllyDBG plugin which provides an interface for easily fixing imports

This talk will be a Black Hat exclusive: a launch and demonstration of the major version upgrades of RL!dePacker and ImportStudio, which are based on the new open source project titled "The TitanEngine." All components will be available for distribution with the conference materials.


Chris Weber

Unraveling Unicode: A Bag of Tricks for Bug Hunting

Web applications are being exploited every day as attackers find new vectors for performing cross-site scripting attacks. This talk will cover ways in which latent character and string handling can transform clever inputs into malicious outputs, bypassing XSS filters, WAFs, and other logic. Many application frameworks such as .NET and ICU enable these behaviors without the developer's knowledge. String transformations through best-fit mappings, casing operations, normalization, over-consumption and other means will be discussed, with inputs useful for testing. A testing tool is also planned for release.

The current state of visual spoofing attacks will also be discussed. Phishing attacks are pervasive on the Web, and well-designed URLs can increase an attack's chance of success. It's eye-opening to see these demonstrations of just how vulnerable modern Web browsers still are to many forms of visual spoofing attacks.
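The filter-then-transform failure that both this talk and the XSS filter talk by Vela Nava and Lindsay describe, as an added example that is neither talk's tooling: a keyword blacklist runs on the raw input, and the application afterwards applies NFKC normalization and an upper-casing step before rendering. The blacklist, the rendering pipeline and the probe strings are constructed.

```python
"""Filter-then-transform versus transform-then-encode.  Added example; the
blacklist, pipeline and probes are constructed stand-ins."""
import html
import unicodedata

BLACKLIST = ("<script", "javascript:", "onerror")


def naive_filter(s: str) -> bool:
    """True if the raw input matches the blacklist (the check as commonly written)."""
    low = s.lower()
    return any(bad in low for bad in BLACKLIST)


def vulnerable_render(user: str) -> str:
    if naive_filter(user):
        return "blocked"
    # Transformations applied after the check: NFKC folds compatibility
    # characters to ASCII, and upper() maps some non-ASCII letters to ASCII.
    return unicodedata.normalize("NFKC", user).upper()


def hardened_render(user: str) -> str:
    # Every transformation first, then encode for the HTML output context;
    # the blacklist is no longer what keeps '<' out of the page.
    shown = unicodedata.normalize("NFKC", user).upper()
    return html.escape(shown, quote=True)


PROBES = {
    "fullwidth": "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e",  # NFKC: U+FF1C -> '<'
    "long-s":    "<\u017fcript>alert(1)</\u017fcript>",           # NFKC: U+017F -> 's'
    "dotless-i": "<scr\u0131pt>alert(1)</scr\u0131pt>",           # upper(): U+0131 -> 'I'
}


def bypasses(render) -> list:
    """Probe labels whose rendered output still contains a live <SCRIPT> tag."""
    return [label for label, inp in PROBES.items() if "<SCRIPT>" in render(inp)]
```

Python's codecs do not apply best-fit mappings, so that variant (a non-ASCII character collapsing to `<` at encode time, as the talk describes for some frameworks) is not shown here; it fails the same way and has the same fix: every transformation and encoding happens before the security decision, and output is encoded for its context regardless of what the filter said.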


Jeff Williams

Enterprise Java Rootkits

How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.

This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll start by exploring the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.

What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.


Rafal Wojtczuk, Alexander Tereshkin

Attacking Intel® BIOS

We demonstrate how to permanently reflash Intel BIOSes on the latest Intel Q45-based systems. In contrast to previous work done by other researchers a few months earlier, who targeted totally unprotected low-end BIOSes, we focus on how to permanently reflash one of the most secure BIOSes out there, which normally allows only a vendor's digitally signed firmware to be flashed. As an extra bonus we describe yet another, on-the-fly, previously undisclosed attack against SMM on Intel platforms affecting most of the recent chipsets.


Panel Discussion

The Laws of Vulnerabilities Research Version 2.0: Comparing Critical Infrastructure Industries

The Law of Vulnerabilities, version 2.0, is the updated version of the Laws research that was premiered at Black Hat in 2003. This research exposes findings on patch trends, prevalence, persistence and exploitability of vulnerabilities within global enterprise networks for internal and external systems.

What’s new in Laws 2.0? The research now focuses on 6 vertical industries that represent the critical infrastructure: Finance, Retail, Manufacturing, Healthcare, Energy and Services. The Laws examine the time-to-patch trends and derive a half-life period for each of these sectors (the half-life is the period it takes the industry to patch 50% of the vulnerabilities discovered after the first advisory). This gives organizations within each of these industry sectors a benchmark to compare themselves against when it comes to patching critical vulnerabilities on their networks, so a CSO can use this data to ask these questions: are we doing a better job than the rest of our peers, or do we need to ask for more budget to expedite our patching processes?

The sample data used to derive the 2.0 Laws is significant, an order of magnitude larger than what was used in 1.0, as it is based on 80 million IPs scanned in 2008 that discovered 270 million vulnerabilities, of which more than 80 million are critical (severity level 4 or 5). The data is completely anonymous and can’t be tied back to any specific IP or customer. This presentation will also closely examine the Conficker worm and the Windows RPC vulnerability behind it, and explain how fast the industry reacted to fix this critical issue and prevent infection within enterprise networks.
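How a per-sector half-life in the sense defined above can be computed from scan records, as an added example that is not the research's own code or data set. The record format and the findings below are constructed; unpatched findings stay in the denominator so that a sector which never reaches 50% remediation gets no half-life rather than a misleadingly short one, and the "critical" filter follows the talk's severity 4 or 5 definition.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance seen on one host (constructed record format)."""
    sector: str
    severity: int                 # 1-5; the talk calls 4 and 5 "critical"
    days_to_patch: Optional[int]  # days from first advisory to the scan that saw it fixed;
                                  # None = still open at the end of the observation window


def half_life(days: Iterable[Optional[int]]) -> Optional[int]:
    """Days until at least 50% of the findings were patched, or None if never reached."""
    days = list(days)
    total = len(days)
    if total == 0:
        return None
    patched = sorted(d for d in days if d is not None)
    for count, day in enumerate(patched, start=1):
        if 2 * count >= total:      # count / total >= 0.5
            return day
    return None                     # fewer than half ever got patched


def remaining_fraction(days: Iterable[Optional[int]], at_day: int) -> float:
    """Fraction of findings still unpatched at at_day (the persistence curve)."""
    days = list(days)
    if not days:
        return 0.0
    still_open = sum(1 for d in days if d is None or d > at_day)
    return still_open / len(days)


def benchmark(findings: Iterable[Finding], critical_only: bool = True) -> Dict[str, Optional[int]]:
    """Half-life per sector, optionally restricted to severity 4 and 5."""
    by_sector: Dict[str, List[Optional[int]]] = defaultdict(list)
    for f in findings:
        if critical_only and f.severity < 4:
            continue
        by_sector[f.sector].append(f.days_to_patch)
    return {sector: half_life(days) for sector, days in sorted(by_sector.items())}


# Constructed sample: a handful of anonymised findings, not the talk's 270 million.
SAMPLE = [
    Finding("Finance", 5, 3), Finding("Finance", 5, 5), Finding("Finance", 4, 7),
    Finding("Finance", 4, 12), Finding("Finance", 5, 20), Finding("Finance", 4, 40),
    Finding("Finance", 5, None), Finding("Finance", 4, None),
    Finding("Finance", 2, 1),   # low severity: excluded from the critical benchmark
    Finding("Retail", 5, 2), Finding("Retail", 4, 4), Finding("Retail", 5, 6),
    Finding("Retail", 4, 8), Finding("Retail", 5, 15),
    Finding("Energy", 5, 10), Finding("Energy", 4, 25), Finding("Energy", 5, 60),
    Finding("Energy", 4, 90), *[Finding("Energy", 5, None) for _ in range(6)],
]

if __name__ == "__main__":
    for sector, hl in benchmark(SAMPLE).items():
        print(f"{sector:10s} half-life: {hl if hl is not None else 'not reached'} days")
```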

//BIO: Mark Weatherford

Mark Weatherford

CISO of the State of California

Mark Weatherford was appointed by Governor Arnold Schwarzenegger to his present position as Executive Officer of the California Office of Information Security and Privacy. In this role, he has broad authority over California’s cyber security activities and is responsible for state government information security program policy, standards, and procedures. He also oversees the first-in-the-nation Office of Privacy Protection, which provides information, education and privacy practice recommendations for consumers, business and other organizations on identity theft and other privacy issues.

Mr. Weatherford previously served as the Chief Information Security Officer for the State of Colorado where he was appointed by two successive governors to develop and lead the state information security program. A former U.S. Naval Cryptologic Officer, Weatherford led the U.S. Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team and as a member of the Raytheon company, he successfully built and established the San Diego Navy/Marine Corps Intranet Security Operations Center (SOC).

Mr. Weatherford holds a BS from the University of Arizona and an MS from the Naval Postgraduate School. He is a member of the Multi-State Information Sharing and Analysis Center, the National Association of State Chief Information Officers, the Information Systems Security Association, and the Information Systems Audit and Control Association. He also holds Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications. Mr. Weatherford was recently awarded Information Security magazine’s prestigious “Security 7 Award” for 2008.

Panel Discussion

CSO Panel: Black Hat Strategy Meeting

A comprehensive inside look at the impact of the research being released at Black Hat this year. The panel will also discuss overall strategy with new vulnerabilities.

//BIO: Max Kelly
//BIO: Robert Lentz

Robert Lentz

OSD/NII

Robert Lentz is the Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance (CI&IA) in the Office of the Assistant Secretary of Defense, Networks and Information Integration/Chief Information Officer. Since November 2000, he has been the Chief Information Assurance Officer (CIAO) for the Department of Defense (DoD) and, in this capacity, oversees the Defense-wide IA Cyber Program, which plans, monitors, coordinates, and integrates IA Cyber activities across DoD.

Mr. Lentz is the Chairman of the National Space INFOSEC Steering Council (NSISC), DoD member of the Presidential Sub-Committee on National Security Systems (CNSS), the leader of the DoD IA Steering Council, and the IA Domain Owner of the Global Information Grid Enterprise Information Management Mission Area. In his capacity as the CIAO, Mr. Lentz is a member of the DoD CIO Executive Council. He is also the DoD liaison to several private sector boards, including the Center for Internet Security (CIS) Strategic Advisory Council, the Common Vulnerabilities & Exposures (CVE) Senior Advisory Council, the International Cyber Center Advisory Board and SAFEcode.

Mr. Lentz has over 26 years of experience with the National Security Agency (NSA) in the areas of financial management and technical program management. He has served as Chief of the Space and Networks IA Office, Chief Financial Officer of the NSA IA Directorate, Executive Assistant to the NSA SIGINT Collections and Operations Group and Field Chief of the Finksburg National Public Key Infrastructure/Key Management Infrastructure Operations Center.

Mr. Lentz has received the NSA Resource Manager of the Year Award, the Defense Meritorious Service Award, 2006 “Top 20” Excellence.gov Award, the 2003 Presidential Rank Award and the 2004 “Federal 100” award. In 2004, Mr. Lentz also received the highest-level honorary award the Department can bestow on a civilian employee, the prestigious Secretary of Defense Distinguished Civilian Service Award. In 2008, he was named Information Security government Executive of the year for the Middle Atlantic region, culminating in his award as the North American Executive of the year. In 2009, he was the recipient of the RSA award for Excellence in the Field of Security Practices.

Mr. Lentz is a graduate of the National Senior Cryptologic Course at the National Cryptologic School, Federal Executive Institute (FEI) and the Resource Management Course at the Naval Postgraduate School. He earned a Bachelor’s Degree with a double major in History and Social Science from Saint Mary's College of Maryland and a Masters Degree in National Security Strategy from the National War College.
//BIO: John Stewart

John Stewart

Echelon One

John Stewart provides leadership and direction to multiple corporate security and government teams throughout Cisco, strategically aligning with business units and the IT organization to generate leading corporate security practices, policies, and processes. His organization focuses on global information security consulting and services, security evaluation, critical infrastructure assurance, eDiscovery, source code security, identification management, as well as special programs that promote Cisco, Internet, and national security. Additionally, he is responsible for overseeing the security for Cisco.com—the infrastructure supporting Cisco’s more than $35 billion business.

Mr. Stewart’s longstanding career in information security encompasses numerous roles. He was the Chief Security Officer responsible for operational and strategic direction for corporate and customer security at Digital Island. Mr. Stewart has served as a research scientist responsible for investigating emerging technologies in the Office of the CTO at Cable & Wireless America. He has professional experience in software development, systems and network administration, and is a software specialist, author, and instructor.

Throughout his career, Mr. Stewart has been an active member of the security industry community. He served on advisory boards for Akonix, Cloudshield, Finjan, Ingrian Networks, Riverhead, and TripWire, Inc. Currently, Mr. Stewart sits on technical advisory boards for Panorama Capital (formerly JPMorganPartners Venture), RedSeal Networks, and Signacert, Inc. He is on the board of directors for KoolSpan, Inc., and a member of the CSIS commission on cyber security for the 44th Presidency.

Mr. Stewart holds a Master of Science Degree in Computer and Information Science from Syracuse University, Syracuse, New York.
//BIO: Bob West

Bob West

Echelon One

Bob West is Founder and CEO of Echelon One. He is responsible for creating and executing Echelon One’s corporate strategy using his 25 years of experience in corporate and startup environments.

Bob is a frequent speaker on the subject of information security and risk. He sits on the board of managers for the Jericho Forum and on the advisory boards of Agilance, the Hispanic Information Technology Executive Council, Security Growth Partners, Trusteer, the University of Detroit Mercy’s College of Liberal Arts and Education, and the University of Cincinnati’s College of Information Technology; he has also served on Securent’s advisory board (acquired by Cisco) and TriCipher’s advisory board, and as a member of RSA Security’s Customer Advisory Council and the ISS Customer Advisory Council. He is on the board of directors for the Cincinnati Information Systems Security Association (ISSA) and is quoted frequently in the press, including the Wall Street Journal and BusinessWeek.

Previously, Bob was Chief Information Security Officer (CISO) at Fifth Third Bank in Cincinnati where he was responsible for the enterprise information security strategy. Prior to joining Fifth Third, Bob worked for Bank One in Columbus where he held several key leadership roles, including Information Security Officer for Bank One's Retail Group. Prior to joining Bank One, Bob was a manager with Ernst & Young’s Information Security Services practice in Chicago, and a Senior Systems Officer with Citicorp International in New York and Chicago.

Bob received the 2004 Digital ID World Conference award for Balancing Innovation and Reality, and a 2004 InfoWorld 100 Award for implementing cross-company authentication using SAML. Bob graduated from Michigan State University with a Bachelor of Arts in German and then received his Master of Science in Management Information Systems from North Central College.

Panel Discussion

Analyzing Security Research in the Media

This session will comprise a panel discussion on the ways in which the media affects the security research community, why some seemingly insignificant security stories are hyped while other quite legitimate stories are ignored, and how the advent of news and research blogs has changed the way that security news is covered. The media have made stars out of researchers such as Dan Kaminsky, David Litchfield, Dino Dai Zovi and others, eagerly reporting their every movement, no matter how insignificant, and regularly play up low-frequency, high-impact stories like electrical grid vulnerabilities and Chinese government hacking. This has led to a high level of frustration in both the security community and the press that the only stories that get covered are the sensational ones designed to drive traffic and get on Slashdot. The discussion will focus on what factors drive the coverage of security stories, whether coverage of vulnerabilities and new attacks is a net good and how the media influence which flaws are patched and how quickly they’re fixed.


Panel Discussion

DC Panel: Update from Washington

Washington is giving cyber security more attention. What does this mean for current cyber security bills? This panel will look at security and website liability, consumer privacy legislation, government access to cloud computing data, location privacy and international human rights issues.

//BIO: Leslie Harris

Leslie Harris

Center for Democracy & Technology

Leslie Harris is the President and CEO of the Center for Democracy & Technology. Ms. Harris is responsible for the overall vision, direction and management of the organization and serves as the organization’s chief spokesperson. Since joining CDT, she has been involved with a wide range of issues related to civil liberties and the Internet, including government data-mining for counterintelligence, government secrecy, privacy, global Internet freedom, intellectual property, data security and Internet censorship.

Ms. Harris has over two decades of experience as a civil liberties, technology and Internet lawyer, public policy advocate and strategist in Washington. She testifies before Congress on issues related to technology, the Internet and civil liberties, writes and speaks on Internet issues, and is a regular contributor to several online publications and blogs.

Prior to joining CDT, Ms. Harris was the founder and president of Leslie Harris & Associates (“LHA”), a public policy firm committed to harnessing the power of new information technologies for the public good. In that capacity, Ms. Harris played a lead role in shaping Internet legislation, including the E-rate program, which brought the power of the Internet to rural and inner city classrooms and public libraries; the Children’s Online Privacy Protection Act (“COPPA”), which mandated a privacy regime for children’s personal information on the Internet; and the Technology Education and Copyright Harmonization Act (TEACH), which amended copyright law to support the development of online learning. She was also a key strategist and spokesperson in the effort to defeat the Communications Decency Act.

Prior to establishing Leslie Harris & Associates, Ms. Harris served in senior leadership positions in two prominent civil liberties organizations. She was the Director of Public Policy for People for the American Way (“PFAW”), where she directed the organization’s public policy program and served as a national spokesperson for the organization. Earlier, she served as the Chief Legislative Counsel for the Washington National Office of the American Civil Liberties Union.

She was also in private law practice in Washington.

Ms. Harris has served in leadership positions in the American Bar Association, including as a member and Chairperson of the Council of the Section on Individual Rights and Responsibilities. She has served on the Board of the Health Privacy Project and the Steering Committee for OpentheGovernment.org. She is also active in local community affairs and is a member of the Washington Women’s Forum.

Ms. Harris received her law degree cum laude from the Georgetown University Law Center and her BA at the University of North Carolina at Chapel Hill, where she graduated Phi Beta Kappa.
//BIO: Richard H. L. Marshall

Richard H. L. Marshall

National Security Agency

Richard H. L. Marshall is the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA). NSA's Legislative Affairs Office is the Agency's point of contact for all NSA matters concerning Congress and is committed to maintaining a relationship with Congress built on trust, candor, completeness, correctness, consistency, and corporateness. Mr. Marshall has been instrumental in framing critical appreciation by key Senators and Representatives on Information Assurance and its impact on helping to protect the nation's critical infrastructures. As an additional duty, Mr. Marshall also represents NSA in the National Centers of Academic Excellence in Information Assurance Program in Boston, Massachusetts and the Detroit, Michigan areas where he led the effort to establish an International Consortium on Information Assurance.

Mr. Marshall is a sophisticated senior executive level leader. He is respected by White House (National Security Council and Homeland Security Council) and Congressional staffers, Department of Defense, Department of Homeland Security, Department of the Treasury and private sector leaders - particularly the financial services sector - for his subject matter expertise and skills in policy formulation and ardent advocacy. Mr. Marshall commands a deep understanding and appreciation for the full range of Information Assurance-related legal, legislative and policy issues. He interacts confidently at the most senior levels of government, business and academia.

He is a frequent keynote speaker, panelist and moderator at information technology, legal and policy symposia and conferences both here and abroad - to include Black Hat and DEFCON. He is a nationally recognized, respected and articulate advocate of the need for the private and public sectors to work together to improve information assurance and business continuity practices, policies and technology. He has addressed various international, Department of Defense, Army, Navy and Air Force legal conferences on information operations, information assurance and critical infrastructure assurance, twice sharing the podium with the Secretary of the Air Force and once with the former Vice-President of the United States.

He has testified before numerous Congressional subcommittees and has distinguished himself as a guest lecturer at the National Defense University (NDU), the Industrial College of the Armed Forces, Stanford University, George Mason University, George Washington School of Law, Boston University, Duke University, the University of Virginia, University of Detroit-Mercy, The Harvard Club, and numerous graduate and law schools on a myriad of legal issues related to national security and information assurance.

Mr. Marshall was selected by Dick Clarke, the Cyber Advisor to the President, to serve as the Principal Deputy Director, Critical Infrastructure Assurance Office (CIAO), Bureau of Industry and Security, Department of Commerce, where he led a team of 40 dedicated professionals in coordinating and implementing the Administration's National Security for Critical Infrastructure Protection initiative to address potential threats to the nation's critical infrastructures. He persuasively articulated the business case for enhancing information assurance in government and private sectors, and championed national outreach and awareness of information assurance issues to key stakeholders such as owners and operators of critical infrastructures, opinion influencers, business leaders, and government officials.

Before being nominated by the DIRNSA and approved by the SECDEF to serve in an Executive Development assignment to help lead the CIAO, Mr. Marshall served with distinction as the Associate General Counsel for Information Systems Security/Information Assurance, Office of the General Counsel, National Security Agency for over eight years. In that capacity, Mr. Marshall provided advice and counsel on national security telecommunications and technology transfer policies and programs, the National Information Assurance Partnership, the Common Criteria Mutual Recognition Arrangement, legislative initiatives and international law. Mr. Marshall was the legal architect for the Joint Chiefs of Staff directed exercise "Eligible Receiver 97" that spotlighted many of the cyber-vulnerabilities of our nation's critical infrastructures and helped bring focus on this issue at the national leadership level.

Mr. Marshall graduated from The Citadel with a B.A. in Political Science; Creighton University School of Law with a J.D. in Jurisprudence; Georgetown School of Law with an LL.M. in International and Comparative Law; was a Fellow at the National Security Law Institute, University of Virginia School of Law in National Security Law; attended the Harvard School of Law Summer Program for Lawyers; the Georgetown University Government Affairs Institute on Advanced Legislative Strategies and participated in the Information Society Project at Yale Law School and in the Privacy, Security and Technology in the 21st Century program at Georgetown University School of Law.

Panel Discussion

VC Panel: Security Business Strategies During a Recession

All too often we forget that economics, not any collection of vulnerabilities, exploits, or technologies, affects the practice of security more than any other single factor. Economics determines what data the attackers target, what resources we have for defense, and what technologies are at our disposal. Over the past year we've seen all aspects of the global economy affected by the current recession, and security is no exception.

Our panel of investors and analysts will present their latest findings on the current state of the business side of the security industry, and how to best thrive in a down economy. Is cyber security immune, as some like to claim, or will enterprise budgets be slashed as new technologies wither without funding? Are startups better off now, or will security innovation have to migrate back to the large vendors? Can you take advantage of the downturn to pressure your vendors for better prices and services? Does the recession create opportunities to improve security strategies? How does the economy affect the offensive side of security? As we answer these questions, our panel will also review the major security business trends for the next three years, with specific predictions on which technologies and vendors will survive, which will die, and how it all affects the day-to-day practice of security.

//BIO: Becky Bace

Becky Bace

Trident Capital

Becky Bace is an internationally recognized expert in network security and intrusion detection. In 2007, Information Security Magazine named her one of the ten most influential people in the information security industry today; in 2005 she was named one of the five most influential women in information security and privacy. Becky has worked in security since the 1980s, leading the first major intrusion detection research program at the National Security Agency, where she received the Distinguished Leadership Award, serving as the Deputy Security Officer for the Computing Division of the Los Alamos National Laboratory, and, since 1997, working as a strategic consultant. She is currently President of Infidel, Inc., a security consulting firm, and a venture consultant for Trident Capital, where she is responsible for overseeing Trident’s security-related investment portfolio. Ms. Bace has served as a technical advisor to many successful startups, including Tricipher, Hytrust, Vantos, Airtight, Security Focus, Sygate, Tripwire, Arxan, Qualys, SecureWorks, @Stake, and Intruvert Networks. Her publication credits include the books Intrusion Detection (Macmillan, 2000), A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as An Expert Technical Witness, (Addison-Wesley, October, 2002) and the chapters on intrusion detection and vulnerability analysis for the Computer Security Handbook, 4th Edition (Wiley, April, 2002) and Computer Security Handbook, 5th Edition (Wiley, February, 2009).
//BIO: Rich Mogul

Rich Mogul

Securosis

Rich Mogul has twenty years' experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team, where he also served as research co-chair for the Gartner Security Summit. Prior to his seven years at Gartner, Rich worked as an independent consultant and web application developer, software development manager at the University of Colorado, and a systems and network administrator. Rich is the Security Editor of TidBITS, a monthly columnist for Dark Reading, and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference and DefCon, and has spoken on every continent except Antarctica (where he’s happy to speak for free, assuming travel is covered).

Prior to his technology career, Rich also worked as a security director for major events such as football games and concerts. He was once a bouncer at the age of 19, weighing about 135 lbs (wet). He’s worked or volunteered as a paramedic, firefighter, ski patroller at a major resort (on a snowboard), and spent over a decade with Rocky Mountain Rescue. He currently serves as a responder on a federal disaster medicine and terrorism response team, where he mostly drives a truck and lifts heavy objects. He has a black belt, but does not play golf.

Panel Discussion

Meet the Feds: Feds vs. Ex-Feds

Did you ever wonder if the Feds were telling you the truth when you asked a question? This year we’re inviting you to "Meet the Feds and Ex-Feds" to answer your questions. The objective is to get you the answers to your questions without getting a public official fired! Come ask your question and compare the answers you get.

Each of the agency reps and ex-agency reps will make an opening statement regarding their agency's role, then open it up to the audience for questions.

Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS USCERT, DoJ, National White Collar Crime Center (NWC3), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University.

+ FEDS

//BIO: Jim Christy

SA (Ret) Jim Christy

Department of Defense Cyber Crime Center (DC3)

Jim Christy is the Director, Futures Exploration (FX). FX is responsible for informing and educating members of the other Department of Defense organizations, federal agencies, state and local law enforcement, international partners, the private sector, and academic institutions on the mission and activities of all DC3 programs. SA Christy is a retired Air Force Office of Special Investigations Computer Crime Investigator. SA Christy was an AFOSI computer crime investigator for over 18 years.

In Oct 03, the Association of Information Technology Professionals awarded SA Christy the 2003 Distinguished Information Science Award for his outstanding contribution through distinguished services in the field of information management. Previous recipients of this prestigious award include Adm. Grace Hopper, Gene Amdahl, H. Ross Perot, LtGen. Emmett Paige, Bill Gates, Lawrence Ellison, David Packard and Mitch Kapor.

From 17 Sep 01 – 1 Nov 03 SA Christy was the Director of Operations, Defense Computer Forensics Lab, DC3. As the Dir of Ops for the DCFL he managed four sections with over 40 computer forensic examiners that supported Major Crimes & Safety, Counterintelligence and Counterterrorism, as well as Intrusions and Information Assurance cases for the Department of Defense.

From May 98 – Sep 01 Mr. Christy was assigned to the Defense-wide Information Assurance Program, Assistant Secretary of Defense for Command, Control Communications and Intelligence (ASDC3I) as the Law Enforcement & Counterintelligence Coordinator and Infrastructure Protection Liaison.

SA Christy served as the DoD Representative to the President’s Infrastructure Protection Task Force (IPTF) from Sep 96 – May 98. The President signed Executive Order, 13010 on 15 Jul 96, creating IPTF to protect the Nation’s critical infrastructure from both physical and cyber attacks.

Prior to the IPTF, SA Christy was detailed to Senator Sam Nunn’s staff on the Senate, Permanent Subcommittee on Investigations as a Congressional Fellow, Jan - Aug 96. Senator Nunn specifically requested SA Christy’s assistance for the Subcommittee to prepare for hearings in May - Jul 1996, on the vulnerability and the threat to National Information Infrastructure from cyberspace. SA Christy authored the Subcommittee’s investigative report and testified twice before the Subcommittee.
//BIO: John D. Garris

John D. Garris

NASA

John Garris is the Special Agent-in-Charge of the Computer Crimes Division, Office of Investigations, NASA Office of Inspector General.

During 2004, then-Lieutenant Colonel Garris was the Chief of the Law Enforcement and Counterintelligence Center for the Department of Defense’s (DoD) Joint Task Force for Global Network Operations, Arlington, VA. He was the senior DoD law enforcement agent responsible for coordinating the computer intrusion investigations of all five DoD criminal and counterintelligence investigative agencies.

From 2001 to 2004, he was the director, Special Operations Division, Headquarters, Air Force Office of Special Investigations (AFOSI), Andrews AFB, MD. He was the U.S. Air Force’s single manager for computer crimes investigations, technical services countermeasures, polygraph, and counterintelligence support to Information Operations. While deployed in support of Operation Iraqi Freedom during this time period, he served both as the Squadron Commander for AFOSI personnel stationed in Turkey, and as the Counterintelligence Coordination Authority for Task Force – North, U.S. Central Command.

From 1999 to 2001, he was the commander of AFOSI Detachment 253, Lackland AFB, TX. In this position, he oversaw the establishment of the first office dedicated to law enforcement and counterintelligence support to Air Force computer network defense and information operations worldwide. His unit was responsible for the initial investigative response to 82 computer intrusions into Air Force and DoD information systems.

From 1997 to 1999, while assigned to the Pentagon, he was the Air Force Inspector General’s program manager for computer crime and information operations. He was instrumental in developing DoD’s first Computer Forensic Laboratory and Training Program. He also spearheaded the development of AFOSI’s participation in DoD’s first Joint Task Force for Computer Network Operations.

From 1995 to 1997, as AFOSI’s International Liaison Officer, he managed programs for international cooperation with counterpart law enforcement and security agencies. He created and directed AFOSI’s first program to locate and apprehend fugitives wanted for committing felony crimes. His efforts resulted in the capture of 24 fugitives.

From 1990 to 1993, Lt Col Garris was the commander of Det 522, Incirlik AB, Turkey. He directed counterintelligence and antiterrorism support to U.S. and multinational forces in Southeastern Turkey and Northern Iraq. He supervised several investigations of terrorist attacks against U.S. citizens, as well as directed a number of proactive anti-terrorism and criminal investigations in partnership with Turkish law enforcement authorities. He was selected as AFOSI’s Officer Special Agent of the Year for 1992.

From 1988 to 1990, he served as AFOSI District 69’s Counterintelligence Collections Manager, while assigned to Ankara, Turkey. From 1986 to 1987, he served as both Deputy Commander and Commander of the AFOSI Office, Tinker AFB, OK.

Lieutenant Colonel Garris entered the Air Force in 1984 as a graduate of the Virginia Polytechnic University ROTC program. He commanded AFOSI units in combat zones during operations Desert Shield, Desert Storm, Provide Comfort, Northern Watch, and Operation Iraqi Freedom.

Lieutenant Colonel Garris is married to the former Andrea Harnad of Burke, Virginia. They have two children: Samuel and Maxwell.
//BIO: Shawn Henry

Shawn Henry

FBI

Shawn Henry began his career as a Special Agent with the FBI in 1989. His first office of assignment was the Washington Metropolitan Field Office, where he investigated a variety of matters, focusing primarily on public corruption, and was a member of the FBI SWAT team. In 1996, Mr. Henry was promoted to Supervisory Special Agent at FBIHQ.

In 1999, Mr. Henry was designated Chief of the Computer Investigations Unit within the National Infrastructure Protection Center at FBIHQ, with management responsibility for all FBI criminal computer intrusion matters. During this tenure, he was appointed as a representative for the United States’ delegation to the G8 as a member of the High-Tech Crimes Subgroup.

In 2001, Mr. Henry was promoted to field supervisor of the Computer Crimes Squad for the FBI's Baltimore Field Office. In 2003, he was named Assistant Inspector and Team Leader in the Inspection Division at FBIHQ where he led teams conducting evaluations and audits of FBI operations nationwide.

In 2004, Mr. Henry was selected as Assistant Special Agent in Charge of the Philadelphia Field Office, with oversight for Special Operations, Technical Services, and the Field Intelligence Group. Mr. Henry was subsequently detailed to FBIHQ to assist in the implementation of the National Security Branch (NSB). In 2006, he was selected as a member of the Senior Executive Service to serve as Chief of the Executive Staff to the Executive Assistant Director of the NSB.

In 2007, Mr. Henry was named Deputy Assistant Director of the FBI’s Cyber Division, with program management responsibility for all FBI computer investigations worldwide. In September 2008, he was selected to his current position as FBI Assistant Director of the Cyber Division. Mr. Henry has earned a Bachelor of Business Administration from Hofstra University in New York, and a Master of Science in Criminal Justice Administration from Virginia Commonwealth University. He is a graduate of the Naval Postgraduate School Center for Homeland Defense and Security, Homeland Security Executive Leaders Program.
//BIO: Mischel Kwon

Mischel Kwon

USCERT

Mischel Kwon, an IT professional with more than 27 years of experience, was named the Director for the United States Computer Emergency Readiness Team (US-CERT) in June 2008. As the Director for the US-CERT, Kwon is responsible for the operational mission of the US-CERT. US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities in Federal networks, disseminating cyber threat warning information, and coordinating incident response activities.

Kwon brings a unique blend of hands-on experience, academic research and training, and a seasoned understanding of how to build operational organizations from inception. Among her successes at the United States Department of Justice (DOJ), where she was Deputy Director for IT Security Staff, she built and deployed the Justice Security Operations Center (JSOC) to monitor and defend the DOJ network against cyber threats. In addition, she served as the lead project manager for the Trusted Internet Connections (TIC) project at DOJ. The TIC project is jointly led by OMB and DHS. This experience provides a unique perspective in her operational mission at DHS.

In addition to the operational role, Kwon lends her experience and drive for providing superior customer service to DHS. Kwon is leading the effort to enhance the US-CERT’s ability to disseminate reasoned and actionable cyber security information to key stakeholders, including: federal agencies, industry, the research community, and state and local governments. In tandem with this effort, Mischel is in the process of building and enhancing US-CERT’s capability to better protect our nation's Federal Internet infrastructure by coordinating actionable mitigation against and response to cyber attacks.

Ms. Kwon holds a Master of Science in Computer Science and a graduate certificate in Computer Security and Information Assurance. In addition, she serves as an adjunct professor at George Washington University in Washington, DC, where Ms. Kwon also runs the GW Cyber Defense Lab. Her interests branch out into cryptology, wireless networks, and antenna theory.
//BIO: Robert Lentz

Robert Lentz

OSD/NII

Robert Lentz is the Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance (CI&IA) in the Office of the Assistant Secretary of Defense, Networks and Information Integration/Chief Information Officer. Since November 2000, he has been the Chief Information Assurance Officer (CIAO) for the Department of Defense (DoD) and, in this capacity, oversees the Defense-wide IA Cyber Program, which plans, monitors, coordinates, and integrates IA Cyber activities across DoD.

Mr. Lentz is the Chairman of the National Space INFOSEC Steering Council (NSISC), DoD member of the Presidential Sub-Committee on National Security Systems (CNSS), the leader of the DoD IA Steering Council, and the IA Domain Owner of the Global Information Grid Enterprise Information Management Mission Area. In his capacity as the CIAO, Mr. Lentz is a member of the DoD CIO Executive Council. He is also the DoD liaison to several private sector boards, including the Center for Internet Security (CIS) Strategic Advisory Council, the Common Vulnerabilities & Exposures (CVE) Senior Advisory Council, the International Cyber Center Advisory Board and SAFEcode.

Mr. Lentz has over 26 years of experience with the National Security Agency (NSA) in the areas of financial management and technical program management. He has served as Chief of the Space and Networks IA Office, Chief Financial Officer of the NSA IA Directorate, Executive Assistant to the NSA SIGINT Collections and Operations Group and Field Chief of the Finksburg National Public Key Infrastructure/Key Management Infrastructure Operations Center.

Mr. Lentz has received the NSA Resource Manager of the Year Award, the Defense Meritorious Service Award, the 2006 “Top 20” Excellence.gov Award, the 2003 Presidential Rank Award and the 2004 “Federal 100” award. In 2004, Mr. Lentz also received the highest-level honorary award the Department can bestow on a civilian employee, the prestigious Secretary of Defense Distinguished Civilian Service Award. In 2008, he was named Information Security Government Executive of the Year for the Middle Atlantic region, culminating in his award as the North American Executive of the Year. In 2009, he was the recipient of the RSA award for Excellence in the Field of Security Practices.

Mr. Lentz is a graduate of the National Senior Cryptologic Course at the National Cryptologic School, the Federal Executive Institute (FEI) and the Resource Management Course at the Naval Postgraduate School. He earned a Bachelor’s Degree with a double major in History and Social Science from Saint Mary's College of Maryland and a Master’s Degree in National Security Strategy from the National War College.
//BIO: Richard H. L. Marshall

Richard H. L. Marshall

National Security Agency

Richard H. L. Marshall is the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA). NSA's Legislative Affairs Office is the Agency's point of contact for all NSA matters concerning Congress and is committed to maintaining a relationship with Congress built on trust, candor, completeness, correctness, consistency, and corporateness. Mr. Marshall has been instrumental in framing critical appreciation by key Senators and Representatives of Information Assurance and its impact on helping to protect the nation's critical infrastructures. As an additional duty, Mr. Marshall also represents NSA in the National Centers of Academic Excellence in Information Assurance Program in the Boston, Massachusetts and Detroit, Michigan areas, where he led the effort to establish an International Consortium on Information Assurance.

Mr. Marshall is a sophisticated senior executive level leader. He is respected by White House (National Security Council and Homeland Security Council) and Congressional staffers, Department of Defense, Department of Homeland Security, Department of the Treasury and private sector leaders - particularly the financial services sector - for his subject matter expertise and skills in policy formulation and ardent advocacy. Mr. Marshall commands a deep understanding and appreciation for the full range of Information Assurance-related legal, legislative and policy issues. He interacts confidently in the most senior levels of government, business and academia.

He is a frequent keynote speaker, panelist and moderator at information technology, legal and policy symposia and conferences both here and abroad - to include Black Hat and DEFCON. He is a nationally recognized, respected and articulate advocate of the need for the private and public sectors to work together to improve information assurance and business continuity practices, policies and technology. He has addressed various international, Department of Defense, Army, Navy and Air Force legal conferences on information operations, information assurance and critical infrastructure assurance, twice sharing the podium with the Secretary of the Air Force and once with the former Vice-President of the United States.

He has testified before numerous Congressional subcommittees and has distinguished himself as a guest lecturer at the National Defense University (NDU), the Industrial College of the Armed Forces, Stanford University, George Mason University, George Washington School of Law, Boston University, Duke University, the University of Virginia, University of Detroit-Mercy, The Harvard Club, and numerous graduate and law schools on a myriad of legal issues related to national security and information assurance.

Mr. Marshall was selected by Dick Clarke, the Cyber Advisor to the President, to serve as the Principal Deputy Director, Critical Infrastructure Assurance Office (CIAO), Bureau of Industry and Security, Department of Commerce, where he led a team of 40 dedicated professionals in coordinating and implementing the Administration's National Security for Critical Infrastructure Protection initiative to address potential threats to the nation's critical infrastructures. He persuasively articulated the business case for enhancing information assurance in government and private sectors, and championed national outreach and awareness of information assurance issues to key stakeholders such as owners and operators of critical infrastructures, opinion influencers, business leaders, and government officials.

Before being nominated by the DIRNSA and approved by the SECDEF to serve in an Executive Development assignment to help lead the CIAO, Mr. Marshall served with distinction as the Associate General Counsel for Information Systems Security/Information Assurance, Office of the General Counsel, National Security Agency for over eight years. In that capacity, Mr. Marshall provided advice and counsel on national security telecommunications and technology transfer policies and programs, the National Information Assurance Partnership, the Common Criteria Mutual Recognition Arrangement, legislative initiatives and international law. Mr. Marshall was the legal architect for the Joint Chiefs of Staff directed exercise "Eligible Receiver 97" that spotlighted many of the cyber-vulnerabilities of our nation's critical infrastructures and helped bring focus on this issue at the national leadership level.

Mr. Marshall graduated from The Citadel with a B.A. in Political Science; Creighton University School of Law with a J.D. in Jurisprudence; Georgetown School of Law with an LL.M. in International and Comparative Law; was a Fellow at the National Security Law Institute, University of Virginia School of Law in National Security Law; attended the Harvard School of Law Summer Program for Lawyers; the Georgetown University Government Affairs Institute on Advanced Legislative Strategies and participated in the Information Society Project at Yale Law School and in the Privacy, Security and Technology in the 21st Century program at Georgetown University School of Law.
//BIO: Dr. Lin Wells

Dr. Lin Wells

National Defense University

Dr. Lin Wells II is a Distinguished Research Professor and serves as the Transformation Chair at National Defense University (NDU). Prior to coming to NDU he served in the Office of the Secretary of Defense (OSD) from 1991 to 2007, serving last as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). In addition, he served as the Acting Assistant Secretary and DoD Chief Information Officer for nearly two years. His other OSD positions included Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence-C3I) and Deputy Under Secretary of Defense (Policy Support) in the Office of the Under Secretary of Defense (Policy). In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; and C3I. Recently he has been focusing on STAR-TIDES, a research project focusing on affordable, sustainable support to stressed populations and public-private interoperability (www.star-tides.net).

Dr. Wells was born in Luanda, Angola, in 1946. He was graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, and scuba diving. He has thrice been awarded the Department of Defense Medal for Distinguished Public Service.

+ EX-FEDS

//BIO: Rod Beckstrom

Rod Beckstrom

Ex-DHS

Rod Beckstrom is the former Director of the National Cyber Security Center (NCSC) in the U.S. Department of Homeland Security where he reported to Secretary Michael Chertoff and Secretary Janet Napolitano, respectively.

Rod co-authored The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations that presents a new model for analyzing organizations, leadership style and competitive strategy. He has co-authored three other books including one on Value at Risk (VAR), a fundamental theory of financial risk management now used to regulate banking globally. He has recently developed a new economic model for valuing technical and social networks, referred to as Beckstrom’s Law.

As an entrepreneur Rod started his first company when he was 24 in a garage apartment and subsequently grew it into a global enterprise with offices in New York, London, Tokyo, Geneva, Sydney, Palo Alto, Los Angeles and Hong Kong. The company, CAT•S Software Inc., went public under Rod’s leadership and was later sold. Nobel Laureates Myron Scholes and William F. Sharpe served on the company's boards of advisors and directors, respectively.

Rod also co-founded Mergent Systems with Dr. Amos Barzilay and Assistant Professor Michael Genesereth of the Stanford Graduate School of Computer Science. Mergent was a pioneer in inferential database engines and was sold to Commerce One for $200 million. He also co-founded TWIKI.NET, a company offering service and support for an open source wiki and collaboration software system.

From 1999 to 2001 Rod served as the Chairman of Privada, Inc. Privada was a pioneer in technology to enable private, anonymous and secure credit card transaction processing over the internet.

In 2003, Rod co-founded a global peace network of CEO's which initiated Track II diplomatic efforts between India and Pakistan. The group’s symbolic actions opened the borders to people and trade, and contributed to ending the most recent Indo-Pak conflict. It's one of several non-profit groups and initiatives Rod has started. He now serves on the boards of the Environmental Defense Fund, which Fortune Magazine ranked as one of the seven most powerful boards in the world and Jamii Bora Trust an innovative micro-lending group in Africa with more than 200,000 members.

Rod graduated from Stanford University with an MBA and a BA with Honors and Distinction. He served as Chairman of the Council of Presidents of the combined Stanford student body (ASSU) and was a Fulbright Scholar at the University of St. Gallen in Switzerland.
//BIO: Jerry Dixon

Jerry Dixon

Ex-DHS

Jerry Dixon is currently the Director of Analysis for Team Cymru, serves as Infragard's Vice President for Government Relations, and is the former Executive Director of the National Cyber Security Division (NCSD) & US-CERT of the Department of Homeland Security. He currently serves as a member of the CSIS Cyber-Commission on Cyber-Security for the 44th President and a member of the Advisory Board for Debix, an Identity Theft Protection Company.

During his time at Homeland, Jerry led the national effort to protect America's cyber infrastructure and identify cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the operational cyber security capability for the IRS and developed its ability to detect and respond to security attacks in order to protect American taxpayers' private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.
//BIO: Greg Garcia

Greg Garcia

Ex-DHS

Now President of Garcia Strategies, LLC, a strategic business and government affairs advisory services firm, Gregory (Greg) T. Garcia served as the nation’s first Presidentially-appointed Assistant Secretary for Cyber Security and Communications (CS&C) for the U.S. Department of Homeland Security, from 2006 to 2008. Garcia led the strategic direction of CS&C, overseeing a $500 million budget for the National Cyber Security Division, the Office of Emergency Communications and the National Communications System.

During Garcia’s tenure, DHS affirmed the urgency of cyber security across the nation and embarked on a comprehensive cyber initiative that will measurably strengthen the security of our nation’s networks against domestic and international threats.

He established the Office of Emergency Communications, which collaborated with stakeholders across the country to develop a first-ever National Emergency Communications Plan and 56 state and territory plans to drive interoperable emergency communications for our federal, state and local first responders. His organization enhanced the availability, resiliency and priority service of communications for national security and emergency preparedness needs, and in disaster-stricken areas such as the Gulf States in the aftermath of Hurricanes Ike and Gustav in 2008.

Finally, he worked to integrate the Nation’s overall cyber and communications security strategy to align with the evolving architecture and risk profile of our national information infrastructure. Prior to joining the Department, Garcia served as Vice President for Information Security Programs and Policy with the Information Technology Association of America (ITAA), where, among other accomplishments, he worked with the Department of Homeland Security to co-found the National Cyber Security Partnership.

Before joining ITAA in April 2003, Garcia served on the staff of the House Science Committee where he was responsible for industry outreach and information technology and cyber security policy. Garcia had a lead role under Chairman Sherwood Boehlert (R-NY) in drafting and shepherding the enactment of the Cyber Security Research and Development Act of 2002.

Prior to his service on Capitol Hill, Garcia contributed to national policy development through several private sector organizations. He was the Director of 3Com Corporation’s Global Government Relations Office in Washington, DC, where he established and managed all aspects of the company’s strategic public policy formulation and advocacy.

He served as Coalition Manager for Americans for Computer Privacy, a high profile grassroots policy advocacy campaign dedicated to overturning U.S. export and domestic use regulation of encryption technology. This effort was successful after just one year of intense lobbying and high-end media strategies.

Garcia lobbied international trade policy for the American Electronics Association, including export controls, customs, European and multilateral trade negotiations.

His first career position was as a consultant with Newmyer Associates, Inc., a public policy consulting firm where he advised on international trade policy for Fortune 500 clients.

Garcia graduated with distinction from California State University at San Jose with a degree in Business Administration.
//BIO: Kevin Manson

Kevin Manson

Ex-FLETC

1970's - State Prosecutor and Magistrate.

1980's - Coined the term "Cybercop", Staff counsel on US Senate Judiciary Committee.

1990's - Co-founded Cybercop Portal, a Department of Homeland Security endorsed, secure online information sharing community with a DARPA pedigree serving over 12,000 law enforcement and industry users. Cybercop was founded to strengthen our nation's "CyberCivil Defense" as contemplated by Presidential Decision Directive 63 (URL: http://www.cybercopportal.com)

At the Federal Law Enforcement Training Center (FLETC), pioneered Internet investigations training and in the early 90's developed the Cybercop BBS (Wildcat), the first online community for federal law enforcement agents.

Designed, developed and deployed new training initiatives for "Digital Officer Safety", Data Mining and Internet Investigations for federal agents at the FLETC. (URL: www.fletc.gov)

2000's - Co-Keynoted at Black Hat 2001 with FBI UNABOM'er profiler William Tafoya ("The elite are not those who destroy or cause havoc in cyberspace, but rather [those who work] to protect the Net.") "Meet the Fed" panelist. Member of the US Secret Service New York Electronic Crimes Task Force. Collaborating with field experimentation teams at the Naval Postgraduate School regarding Secure Trusted Proxy networks, UAV and Robotics technologies (Cooperative Operations and Applied Science and Technology Studies). Building hastily formed technology acceleration teams for national security and public safety in support of those who serve behind the "thin digital blue line" with my group of "Usual Suspects."

Panel Discussion

A Black Hat Vulnerability Risk Assessment

Security professionals regularly fall into the trap of thinking that security is only about vulnerabilities and who has more of them. In reality, vulnerabilities need to be viewed in the context of how the system or application is deployed, what compensating controls may be in place, the value of the data being protected, how likely an attack is to happen, and how often it would succeed. In other words, you can't just count vulnerabilities; you have to perform a risk assessment on all the current vulnerabilities you know about (or can predict) and prioritize patches and workarounds accordingly. We will present a new methodology for doing this and, as a demonstration, perform risk assessments on the 0-days presented over the course of Black Hat USA 2009.
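As an added illustration of the point above (example code written for this page, not the panel's methodology and not from any of the speakers), the following scores each finding in its deployment context rather than counting findings. The weighting model, the control names and their reduction factors, the exposure factors, and the two sample systems with their findings are all constructed assumptions for the demonstration; the finding ids are labels, not real vulnerability identifiers.

```python
"""Ranking systems and findings by contextual risk instead of by vulnerability count.

All weights, control names and sample data below are constructed for this
example and are assumptions, not an established scoring standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Finding:
    vuln_id: str                     # constructed label, not a real CVE id
    severity: float                  # 0-10: how bad the bug is in isolation
    exposure: str                    # where the vulnerable component is reachable from
    likelihood: float                # 0-1: assumed chance of an attack attempt per year
    success_rate: float              # 0-1: assumed chance an attempt works with no controls
    controls: tuple[str, ...] = ()   # compensating controls already in front of it


@dataclass(frozen=True)
class System:
    name: str
    data_value: float                # 1-10: value of the data the system protects
    findings: tuple[Finding, ...]


# Illustrative weights (assumptions). Exposure scales how reachable the bug is.
EXPOSURE_FACTOR = {"internet": 1.0, "intranet": 0.5, "isolated": 0.1}
# Fraction of attack success that survives each compensating control (assumed).
CONTROL_RESIDUAL = {"waf": 0.5, "mfa": 0.5, "segmentation": 0.6, "monitoring": 0.8}


def residual_success(f: Finding) -> float:
    """Success rate after every listed compensating control is taken into account."""
    return f.success_rate * prod(CONTROL_RESIDUAL[c] for c in f.controls)


def risk_score(f: Finding, data_value: float) -> float:
    """Expected-loss style score: severity x exposure x likelihood x residual success x data value."""
    return (f.severity * EXPOSURE_FACTOR[f.exposure] * f.likelihood
            * residual_success(f) * data_value)


def system_risk(s: System) -> float:
    """Total risk carried by one system across all of its findings."""
    return sum(risk_score(f, s.data_value) for f in s.findings)


def rank_systems(systems: tuple[System, ...]) -> list[tuple[str, int, float]]:
    """(name, finding_count, total_risk) rows, highest risk first."""
    rows = [(s.name, len(s.findings), system_risk(s)) for s in systems]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def patch_order(systems: tuple[System, ...]) -> list[str]:
    """Finding ids in the order they should be fixed (highest contextual score first)."""
    scored = [(risk_score(f, s.data_value), f.vuln_id) for s in systems for f in s.findings]
    return [vid for _, vid in sorted(scored, reverse=True)]


def apply_workaround(f: Finding, control: str) -> Finding:
    """Model a workaround (a new compensating control) applied while a patch is pending."""
    return Finding(f.vuln_id, f.severity, f.exposure, f.likelihood,
                   f.success_rate, f.controls + (control,))


# Constructed sample inventory: a low-value wiki with five findings versus an
# internet-facing payments host with a single high-severity finding.
SAMPLE_SYSTEMS: tuple[System, ...] = (
    System("intranet-wiki", data_value=2.0, findings=(
        Finding("WIKI-1", 4.0, "intranet", 0.3, 0.5, ("monitoring",)),
        Finding("WIKI-2", 5.0, "intranet", 0.3, 0.4),
        Finding("WIKI-3", 3.0, "isolated", 0.1, 0.9),
        Finding("WIKI-4", 6.0, "intranet", 0.2, 0.5, ("segmentation",)),
        Finding("WIKI-5", 4.0, "intranet", 0.3, 0.2),
    )),
    System("payments-edge", data_value=9.0, findings=(
        Finding("PAY-1", 9.0, "internet", 0.9, 0.7, ("waf", "monitoring")),
    )),
)


if __name__ == "__main__":
    for name, count, risk in rank_systems(SAMPLE_SYSTEMS):
        print(f"{name:15s} findings={count} risk={risk:.3f}")
    print("patch order:", patch_order(SAMPLE_SYSTEMS))
    pay = SAMPLE_SYSTEMS[1].findings[0]
    mitigated = apply_workaround(pay, "segmentation")
    print(f"{pay.vuln_id} after segmentation workaround: {risk_score(mitigated, 9.0):.3f}")
```

With the sample data, the wiki carries five findings but scores about 1.7, while the payments host carries one finding and scores about 20.4, so it tops both the system ranking and the patch order; modelling a segmentation workaround on that one finding cuts its score by the assumed residual factor, which is the kind of trade-off between patching and compensating controls the paragraph describes.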

//BIO: Jerry Dixon

Jerry Dixon

Team Cymru

Jerry Dixon is currently the Director of Analysis for Team Cymru, serves as Infragard's Vice President for Government Relations, and is the former Executive Director of the National Cyber Security Division (NCSD) & US-CERT of the Department of Homeland Security. He currently serves as a member of the CSIS Cyber-Commission on Cyber-Security for the 44th President and a member of the Advisory Board for Debix, an Identity Theft Protection Company.

During his time at Homeland, Jerry led the national effort to protect America's cyber infrastructure and identify cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the operational cyber security capability for the IRS and developed its ability to detect and respond to security attacks in order to protect American taxpayers' private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.

Panel Discussion

The Pwnie Awards

The Pwnie Awards will return for the third consecutive year to the BlackHat USA conference in Las Vegas. The award ceremony will take place during the BlackHat reception on July 29, 2009 and the organizers promise an extravagant show.

The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the wider security community in the past year. Nominations are currently accepted in nine award categories:

  • Best Server-Side Bug
  • Best Client-Side Bug
  • Mass 0wnage
  • Most Innovative Research
  • Lamest Vendor Response
  • Most Overhyped Bug
  • Best Song
  • Most Epic FAIL
  • Lifetime Achievement award for hackers over 30

The deadline for nominations is Wed, July 15.

Submit nominations by Wed, July 15: http://pwnie-awards.org

Pwnie Awards updates on Twitter: http://twitter.com/PwnieAwards

Panel Discussion

Hacker Court 2009: Pwning the Economy in 138 Chars or Less

This presentation is a mock trial that demonstrates legal issues in cyberspace. All events are fictitious, but legally accurate. A summary of the case follows:

A federal grand jury indicted two men, known as "Weasel" and "Silent Nomad", for their alleged role in perpetrating a hoax on the online social messaging utility “Wanker,” posing as the well-respected financial analyst "Jorge Greenspam" and causing the financial markets to collapse.

Jorge Greenspam is an aggressive financial analyst known for getting the scoop of what will move the market BEFORE it happens. His insights are so valuable and cryptic that he has been known to impact the financial market with the slightest comment. He has a very exclusive following to his Wanker account from which he sends out “wanx” (messages up to 138 characters in length) and “spanx” (messages up to 69 characters in length) from the account “Jorge007.” Only very select people know about this account since the “wanx” and “spanx” are so critical to the financial market.

Speaker Bios:

//BIO: Richard Thieme

Richard Thieme

Richard Thieme has been hearing the music for a long time.

His track record includes hundreds of published articles, dozens of published short stories, one published book with more coming, several thousand speeches, and, in a former incarnation, hundreds of sermons - all original, all unique.

In the 1980's, Thieme began writing about the impact of new technologies on religious systems and images, on spirituality, on identity. He was an Episcopal priest, and it made sense to begin where he was. What he wrote sounds obvious now. But it didn’t, then. He realized that his insights applied to other aspects of society and culture too. What was happening to religions was happening to everything else, a sea change of global transformation driven by new technologies of information and communication. He left the professional ministry to write and speak full time in 1993.

Of course other drivers are behind these radical changes, too. Biotechnology, nanotechnology, materials science, space travel ... and above all, the choices we make about how to use these discoveries to reinvent ourselves. Our choices must be informed. For the word “ethical” to mean anything, the changes in the systems that give rise to ethical thinking must also be understood. Everything is connected to everything else, and nothing is simply what it seems. Changes to context must be made as visible as changes to content.

That’s what Richard does. He makes the invisible visible, he amplifies the unheard music playing at the edges of our lives, he turns the context into content. Security and intelligence professionals value his insights because he sees into the heart of complex issues. He takes nothing at face value and links insights to the mixed motives of the human heart.
//BIO: Peiter “Mudge” Zatko

Peiter “Mudge” Zatko

BBN, National Intelligence Research and Applications

Peiter “Mudge” Zatko was a Senior Security Architect/Engineer at BBN from 1994 to 1998, and he rejoined BBN in 2004 as a Division Scientist focusing on research and development activities in support of DARPA and Intelligence Community projects; he is now a Technical Director for BBN's National Intelligence Research and Applications division. He is an experienced and nationally known researcher.

After leaving BBN he served as the CEO and Chief Scientist at LHI Technologies, was the Chief Scientist and Executive Vice President for R&D at @Stake Inc., and was the Chief Scientist at Intrusic Inc., all companies involved with network and information security. He has also served on the advisory boards of several organizations, as an R&D Subcommittee Member to the Partnership for Critical Infrastructure Protection, and as a Research Subcommittee Member to the Office of Science and Technology.

Mr. Zatko is the inventor of L0phtCrack, an industry standard Microsoft password auditing tool, of AntiSniff, the world’s first remote promiscuous system detector that was used across primary DoD entities, of Tempwatch, now a distributed component of Linux and BSD distributions, and of SLINT, a pioneering tool in automating source code analysis to discover security coding problems.

Mr. Zatko was recognized by the National Security Council, Executive Office of the President, as a vital contributor to the success of the President’s Scholarship for Service Program. He was also recognized as contributing to the CIA’s critical national security mission. He is an honorary plank owner of the USS McCampbell (DDG-85).