The Black Hat Briefings '99, July 7-8th Las Vegas
The Black Hat Briefings '99, July 7-8th Las Vegas

Schedule
Hotel Information
Registration
Sponsors
Back
SPEAKERS

There were approximately 32 speakers covering three tracks of speaking over two days, including two moderated panel discussions.

Audio tapes and Video tapes of speakers are now available from The Sound of Knowledge on-line.

NEW: 03-10-00 Added: Peter Stephenson, Scott Culp, Teresa Lunt, Peter Shipley &Tom Jackiewicz, and Padgett Peterson.

All speeches are being added on-line for free to better help the security community.  The speeches are in quarter screen size to save on space, and encoded using the 2-Pass and variable bit encoding options.

To view them you must have RealPlayer 7 to support the SureStream technology.  In making these speeches available I have encoded them at bitrates from 56k to DSL for maximum quality.  If you find broken links or have questions please contact Jeff Moss.


 
Take me to..
 
The More Technical Speakers
The Less Technical Speakers
The White Hat Speakers
Black Hat Track A - More Technical Speakers
Simple Nomad, Nomad Mobile Research Centre, author of the Novel Hack FAQ.

Modern NetWare Hacking

Computer security is one of those topics that most Novell NetWare system administrators think is something their Unix (and more recently Microsoft NT) administrator counterparts have to worry about. While those involved in security circles have known otherwise for years, Novell is making leaps and bounds into a more open world of web servers, NetWare/IP, and other connectivity to public networks, and it has become very important to consider all aspects of the security of Novell's products.

Novell has also been less than forthcoming regarding security patches for vulnerabilities in their products, and often release security patches as a part of regular maintenance patches without communicating the nature of the original security problem and the importance behind loading the latest patch. Due to some fairly high profile security exploits that have recently surfaced (including some I have helped author), Novell is slowly beginning to address security in a more proactive way. But they, like most other large commercial software producers, have a long way to go.

Therefore it is important to learn exactly how NetWare servers can be compromised, how easy it is to gain access to the tools to perform intrusions, how the tools work, and how easy it is to patch most holes. It is also important to understand not only the nature of the attacks, but also the nature of potential attackers.

I have been asked why I go by the name "Simple Nomad". The main reason is that my very understanding Fortune 100 employer cares little about what I do outside of work, as long as I leave them out of it. To help keep this agreement, I remain Simple Nomad, a name off of a Ouija board session. 

Many of my projects and papers are written from the perspective of the unwanted intruder. Why? Because it is simply much more interesting. I remember a movie where some girl didn't like the bank robbers and muggers, but was fascinated with the forger. She felt the forger was an "artist". I guess I see the hacker as an artist to a degree. It's the same mentality that gets us to watch spy movies, and movies about those "rebel" cops who break a few rules to get the job done. Next time you're watching one of those movies or TV shows notice how many times either a law is broken or a civil liberty is stepped on "for the greater good". And remember hackers are no different.  They just get the bad press. 


Dr. Mudge, L0pht Heavy Industries, Inc.

Thursday Keynote


Brent Huston, President of MicroSolved, Inc.

Appliance Firewalls: A Detailed Review

Firewalls seem to be everywhere these days, and few are getting more attention that the "new breed" of network firewall appliances. With claims ranging from "plug and play" to "zero maintenance" these new network black boxes seem to be the answer to a network administrator's dreams. However, as usual, all is not as it appears... Tune in for a comprehensive review of these security appliances including a feature by feature examination, an overview of vendor claims, and the results of our real world tests of nearly two dozen of these devices. 

Brent Huston is an information security consultant who specializes in penetration testing and incident response. He has provided services to Fortune 500 clients since 1992 and has an extensive background in electronic commerce. He is currently the president and CEO of MicroSolved, Inc.

MicroSolved, Inc. is an information security consulting company located in Columbus, Ohio. MicroSolved provides penetration testing, security policy, and incident response services to many clients of varying size.


Eric Schultze and George Kurtz, Ernst ? Young, LLP.

Over the Router, Through the Firewall, to Grandma‚s House We Go.

This will be a cross-platform hack demonstration taking everyone over a router, through a firewall and into the corporate jewels.  The demonstration setup will use 6 NT-Unix hosts, one router and one firewall.  Three to four video projectors will help walk everyone through each node in the attack. 

Methods will be presented which an attacker may use to circumvent traditional security models or exploit common security misconfigurations in a DMZ-Firewall environment.  Specific attacks will be demonstrated in a mixed Unix Ų NT environment, including:
 

*Exploiting NT: information enumeration via the NT resource kit.  *Exploiting Unix: hacking root via ttdb.  *Circumventing router filtering.  *Authenticating to an NT host from an NT host using only the password hash.  *Hijacking the GUI Ų „Back Orifice for NTš  *Exploiting common misconfigurations of packet inspection firewalls.  *Performing reverse telnets through the firewall.  *20 uses for netcat.  *Hacking NT from Unix.  *Trojans, sniffers and streamed file execution for NT Ų the „adminkit for NTš
Several intrusion detection systems will be running in default configurations to detect these attacks (yeah, right).  After demonstrating the cross-platform hack through the router and firewall to the internal network, we will spend the balance of the presentation discussing mechanisms that can be used to help deter these types of attacks.

Eric Schultze is a Senior Manager in the Information Security Services practice of Ernst ? Young.  Based out of Seattle, Washington, he is a national resource and serves as the firm‚s subject matter expert for securing Windows NT and Microsoft BackOffice applications. Eric has over 8 years of experience in information systems and security.

While at Ernst ? Young, Mr. Schultze has developed the service line, tools, and audit methodologies for HackNT, AuditNT, SecureNT and TrainNT.   He has presented the NT Attack and Penetration methodology for numerous clients, internal training seminars, CSI 98, and NetSec 99. Portions of his HackNT methodology were featured in a July 1998 issue of InfoWorld Magazine.  Mr. Schultze is an instructor in Ernst ? Young‚s „Extreme Hacking: Defending Your Siteš training class - featured in the March 22, 1999 issue of TIME magazine.

His former experiences include serving as the Manager of Information Services for Beall's Department Stores where he managed their AS/400 and Windows NT environments and directed the implementation of their retail Internet presence.  Prior to joining Ernst ? Young, Mr. Schultze served as a Manager and a lead NT security specialist at Price Waterhouse, where he co-developed their Windows NT Attack and Penetration methodology.  Mr. Schultze began his career working at Salomon Brothers where he performed financial and technology audits. He holds BA degrees in Psychology and Sociology from Amherst College.

George Kurtz is a Senior Manager in the Information Security Services practice of Ernst ? Young and serves as the Attack and Penetration leader within the Profiling service line.  Mr. Kurtz has performed dozens of firewall, network, and Web server penetration studies  / security reviews throughout his security consulting career.  Mr. Kurtz has experience with designing firewall architectures and in evaluating various platforms and technologies from an audit, control, and data security perspective including: firewalls, routers, web servers, intrusion detection systems, and various Unix and NT operating systems.

Mr. Kurtz has spoken at numerous industry events, and has been quoted by: the Wall Street Journal, USA Today, Associated Press, Communications Week, InfoWorld, PC Week, Bergen Record,  C|net On-line, and Accounting Today.  He has also published several works including The art of Attack and Penetration, Sys Admin (March and April 1999) ? Diary of a Tiger Team, Information Security News (1995), and featured in a chapter of Corporate Espionage by Ira Winkler.


JD Glaser - NT Network Security Specialist, NT Objectives.

Auditing NT - Catching Greg Hoglund

This talk will address the issue of auditing an NT box after a break in. Specifically, we will examine the evidence left behind by an intruder and how to preserve this evidence for criminal prosecution. NT's built in tools are not sufficient and can damage what you are looking for. I will present a tutorial on using a few free tools I have made specifically for this purpose.

The demonstration will make use of  multiple overheads displaying the auditing notes and actual step by step details of a break in.  Details will include:

* Examining the event log in an enlightened way.  * Looking at the file system configuration.  *Examining permissions.  *Examining file attributes.  *Examining surrounding systems.  *Looking for trojan behavior.  *Looking for backdoors.  *Closing down the holes.
Again, the focus will be on looking at this data in a non-destructive manner.  Hope to see you there.

JD Glaser is CEO of NT OBJECTives, Inc., a maker of security audit tools for Windows NT. Most notably, NTLast and Forensic Toolkit, which are free tools for the security community. He is an MCSE/MCSD that specializes in contract DCOM programming and NT network security. Clients have included, Intel, HP, Columbia Sportsware and Tripwire. Latest projects have involved NTFS file system code for Tripwire for NT and file system filters for real-time detection systems for NT that bypass NT's untrusted API.


batz - International backbone provider network analyst.

Security Issues Affecting Internet Transit Points and Backbone Providers.

Many sites believe that the only external threats to their network come from unsophisticated script kids or well funded corporate espionage projects. This problem is compounded by the underestimation of the former, and the belief that their organization is not of interest to the latter. 

The reality is that the stakes are raised substantially if the company in question is publicly traded. By allowing any investor with a computer and an online trading account to have a vested interest in their share price, the status and information contained on their network acquires the speculative value of whatever capital an attacker would invest in the company. 

With this motive established, we can examine some new threats and some existing threats in a new context. With the proliferation of online trading, new financial incentives exist for even the least sophisticated attacker to violate your network. [FUD]

This paper will deal with technical security issues affecting Internet transit points and providers, including the following points:

  • Security issues with the BGP4 protocol.
  • A brief overview of how the protocol operates and its function. Exploitable features of the protocol. 
  • What damage can be done. Historical examples of catastrophic mis-configuration. Scale of interruption.
  • Brief overview of BGP communities and their use in directing traffic. Network providers that charge based upon measured traffic will be affected by this.
  • Using IP spoofing to send false UPDATE messages. How does it work? What implementations are vulnerable? 
  • Misconfigured ingress and egress filters make the task of inserting bogus routing information into an AS's tables is simplified by this mistake. 
  • Vendors that implement authentication in BGP4. 
  • Password authentication of BGP sessions will prevent some attacks. Not all vendors implement this and  will be vulnerable to attack.
  • Brief case study and architecture of an attack against a misconfigured network through the use of route spoofing . 
'batz' works for an international backbone provider as a network analyst. He is also a security consultant who does not talk about who he has worked for. 

Peter Shipley, KPGM and Tom Jackiewicz

Security issues with implementing and deploying the LDAP directory system.

The popularity of LDAP is increasing and is thus resulting in it's rapidly replacing NIS, Radius and tacacs and other  authentication services.  Unfortunately, as will most new technologies, many site are failing to instigate proper security measures when deploying this new technology.

Common errors and assumptions will me discussed as well as techniques used by network intruders to compromise LDAP servers and related systems and harvest data.

Peter Shipley Is an consultant in the San Francisco's Bay Area with over thirteen years experience n the Computer Security field.
Currently working for KPMG LLP. out of the San Jose/Silicon Valley office with the title of "Chief Security Officer".  Mr. Shipley is one of the few individuals who is well known and respected in the professional world as well as the underground/hacker community. He has extensive experience in system and network security as well as programming and project design.  Mr. Shipley past accomplishments include first in depth research into the security aspects of wardialing, designing and implanting the first automated network security scanner, among other accomplishments.

Mr. Shipley's specialties are third party penetration testing and firewall review, computer risk assessment, and security training.  Mr. Shipley also performs post-intrusion analysis as well as expert witness testimony.

Tom wants to be sitting in the bathtub of my suite at Mandarin Oriental after watching my super model girlfriend give new insight into number theory in front of everyone at Berkeley. He wants to be driving a 900 series BMW, wearing an Armani suit and GUCCI loafers while talking to his broker on his cellular phone.  And while he's doing that, he wants to think of all the great projects that he has been involved with during my career.


Dominique Brezinski - Building a Forensic Toolkit That Will Protect You From Evil Influences

When responding to computer security incidents, you will invariably have to work on compromised hosts.  Check to see if the interface is in promiscuous mode, what processes are running, and if anything interesting has been left in /tmp.  You will be making bit-for-bit copies of hard drives and shutting down the system.  And you want to do all these operations safely and without compromising the integrity of evidence.  So, you are going to use "known good" copies of all the utilities that you have so carefully placed on a floppy or CD-ROM.  But does this really protect you or the evidence from little nasties that the bad guy may have left behind?  No. 

This presentation will focus on the subtle and technical aspects of operating in a hostile computing environment.  We will go over how to create a reasonably secure environment for doing forensic analysis of a running compromised system and what utilities you will most likely need.  Solaris and Windows NT will be used as the demonstration environments.

Dominique Brezinski works for an un-named company.


Ed Gerck, The Meta-Certificate Group.

Overview of Certification Systems: x.509, CA, PGP and SKIP.

Cryptography and certification are considered necessary Internet features and must be used together, for example in e-commerce. This work deals with certification issues and reviews the three most common methods in use today, which are based on X.509 Certificates and Certification Authorities (CAs), PGP and, SKIP. These methods are respectively classified as directory, referral and collaborative based.  For two parties in a dialogue the three methods are further classified as extrinsic, because they depend on references which are outside the scope of the dialogue. A series of conceptual, legal and implementation flaws are catalogued for each case, emphasizing X.509 and CAs, which helps to provide users with safety guidelines to be used when resolving certification issues. Governmental initiatives introducing Internet regulations on certification, such as by TTP, are also discussed with their pros and cons regarding security and privacy.  Throughout, the paper stresses the basic paradox of security versus privacy when dealing with extrinsic certification systems, whether with X.509 or in combination with PGP. This paper has benefited from the feedback of the Internet community and its expanded on-line version has received more than 50,000 Internet visitors from more than 20,000 unique Internet sites, in 1997/98.

Ed Gerck received his Doctorate in Physics from the Ludwig-Maximilians-Universitaet and the Max-Planck-Institut fuer Quantenoptik, in Munich, Germany, 1983, with the maximum grade ("sehr gut"). Since 1986 he has been active as a consultant and developer in the field of security and cryptography, for government agencies and international companies based in Brazil, the US and other countries. He is the founder and President of Novaware ISEC, developer of Holocomm encoding and other innovative communication and security software, such as the one-floppy WWW browser and e-mail agent WebBoy UMC in collaboration with IBM Japan. He is also the founder and current Coordinator of the Meta-Certificate  Group - MCG, an open international non-profit group active in the field of Internet security and certification standards development, with participants from 28 countries. Ed Gerck has been appointed in 1999 to the NSI's RAB -- Registry Advisory Board of Network Solutions, Inc., Herndon, VA, US. Dr. Gerck's  most recent papers can be found at the MCG site.


David Bovee, MCSE, Network Security Engineer,  International Network Services.

VPN Architectures: Looking at the complete picture.

VPN continues to be a complex subject due to the multitude of products and protocols. However, taking enterprise security concerns a step further, how many VPN systems integrate with a native authorization and access control system? 

After concluding with a short-list of requirements including protocols and applications, I will introduce the enterprise security domains. I will demonstrate the differences between planning for Branch Office VPN (BOVPN) and planning for Remote User VPN (RUVPN).

Overall, VPN solutions may include more components than simply the VPN products. First, in order to guarantee certain performance, customers may negotiate agreements with service providers. The architecture of the resulting VPN will then determine whether the contracted QoS can be realized. Secondly are concerns over enterprise security systems. How should the VPN be deployed with respect to a firewall? Should certain internal systems or LANs be inaccessible from a remote connection? How can the security administrator monitor the traffic? What are the best architectures for use in different environments?

These questions each imply a discussion in the given area. I will treat the area of firewall/VPN integration very carefully and then extrapolate those principles to the use of IDS systems. The second major area of security that will be covered is auditing. The ability to audit and manage VPN usage will be discussed in the context of the various architectures.

David Bovee is a Network Security Engineer for INS. David focuses on work involving large network security design and implementation projects. An experienced and senior systems and network administrator, David is also an active writer and public speaker. He has co-authored articles on Windows NT, NT Security and Virtual Private Networks in conjunction with SANS. In 1999, David will publish a book with Macmillan Technical Publishing on VPNs focused on the requirements, architecture, and protocols. He also gives frequent technology seminars on various topics related to network and Internet security.


Peter Stephenson, Principle consultant of the Intrusion Management and Forensics Group (IMF). 

Introduction to Cyber Forensic Analysis

This session will address the techniques used to investigate network-based intrusions, especially those originating from the public Internet.  Emphasis will be on techniques that provide an acceptable chain of evidence for use by law enforcement or in anticipation of civil litigation.  We will cover back-tracing, forensic tools, end-to-end tracing and evidence collection and preservation as well as the forensic use of RMON2-based tools for documenting the path of an attack.

Peter Stephenson is a well-known writer, consultant and lecturer with an international reputation in large scale computer networks and information protection. He has lectured extensively on network planning, implementation, technology and security.  He has written or co-authored 14 books (including foreign language translations) and several hundred articles in major national and international trade publications. He is the principle consultant for InfoSEC Technologies division of Sanda International Corp.

Mr. Stephenson has participated in investigations of computer system intrusions, Internet misuse and abuse and has performed forensic analysis of computer disk drives as well as backtracing analysis of intrusions coming from the Internet. He has used forensic techniques to recover lost data from computer disk drives. 

Stephenson is a member of the Information Systems Audit and Control Association (ISACA), the Information Systems Security Association (ISSA) and the High Technology Crime Investigation Association (HTCIA). He provides volunteer assistance on request to the Michigan State Police and other law enforcement agencies.


Rooster

Secure DNS solutions

This talk will discuss the many security issues with DNS and what is being done to protect this vital infrastructure.  Many standards have come out of the IETF recently that address the security problems that has always plagued DNS, and we will look at the standards themselves and then how they are being implemented.

DNS could probably be considered one of the most important infrastructure services on the Internet.  Amazingly, in its current form, DNS is one of the most vulnerable for attack.  A well thought out DNS attack could completely take a domain off the net, or just redirect them to someplace unintended. 

Rooster is a Network Engineer on one of the largest Non ISP networks around.  His primary focus is on DNS and routing.


Mike Schiffman - Senior Security Consultant, Internet Security Systems.

Firewalk

Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device.  This technique can be used to map 'open' or 'pass through' ports on a gateway.  More over, it can determine whether packets with various control information can pass through a given gateway.  Also, using this technique, an attacker can map routers behind a packet-filtering device.

Mike Schiffman has lectured across the country and overseas to technical and management audiences on network vulnerabilities, auditing and Internet penetration techniques.  While at Cambridge Technology Partners, as senior security architect, he along with David Goldsmith developed "firewalk", a new technique for scanning packet forwarding devices and mapping networks.  Some of his
audit and penetration test clients include multinational financial and industrial institutions, television studios and fine German automobile corporations.

He has also been a principal instructor for New Dimensions International on various network security topics.  The clients and class participants have included the NSA, FBI, CIA, members of the defense and space industry, NASA as well as various members of the commercial industry.

Mike is currently a senior security consultant with Internet Security Systems and is an associate faculty member for NDI.  In his spare time he publishes and writes articles for a hobbyist computer security journal.


Black Hat  Track B - Less Technical
Marcus Ranum, President and CEO of Network Flight Recorder, Inc.

Burglar alarms and Booby Traps

Many network managers ignore the single biggest weapon they have against hackers: the home court advantage. Intimate knowledge of one's own system and network is a huge advantage in building intrusion detection systems for networks, web sites, and fire walls.  In this talk, I'll outline a couple of fun tricks that can be useful in defending your systems.

Marcus Ranum is CEO of Network Flight Recorder, Inc., and has been specializing in Internet security since he built the first commercial firewall product in 1989. He has acted as chief architect and implementor of several other notable security systems including the TIS firewall tool kit, TIS Gauntlet firewall, whitehouse.gov, and the Network Flight Recorder. Marcus frequently lectures on Internet security issues, and is co-author of the "Web Site Security Source book" with Avi Rubin and Dan Geer, published by John Wiley and sons.


Bruce Schneier, President of Counterpane Systems and author of Applied Cryptography.

Mistakes and blunders: A hacker looks at cryptography

From encryption to digital signatures to electronic commerce to secure voting--cryptography has become the enabling technology that allows us to take existing business and social constructs and move them to computer networks.  But a lot of cryptography is bad, and the problem with bad cryptography is that it looks just like good cryptography; most people cannot tell the difference.  Security is a chain: only as strong as the weakest link.  In this talk I'll examine some of the common mistakes companies make implementing cryptography, and give tips on how to avoid them. 

BRUCE SCHNEIER is president of Counterpane Systems, the author of Applied Cryptography, and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He serves on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a contributing editor to Dr. Dobb's Journal, and a frequent writer and lecturer on cryptography.

Counterpane Systems is a five-person consulting firm specializing in cryptography and computer security.  Counterpane provides expert consulting in, design and analysis, implementation and testing, threat modeling, product research and forecasting, classes and training, intellectual property, and export consulting.  Contracts range from short-term design evaluations and expert opinions to multi-year development efforts.


Greg Hoglund, Author of the Asmodeus Security Scanner (Now the Webtrends Security Analyzer).

1000 Hackers in a Box: Failings of "Security Scanners"

Last year saw the boom of commercial "security scanners", the very same technology that Dan Farmer was fired for writing over 5 years ago.  If you believe the propaganda, these scanners will seem to take you to "security nirvana".  However, scanners not only fail to enforce security policy, they encourage bad policy.  The applications themselves are full of shortcomings, from false positives to blatant oversights.  The market is driven by coverage, resulting in inaccurate tests based on flawed assumptions.  If you scan and repair your network with such a scanner, you are no more secure than when you started.

Greg Hoglund is a software engineer and researcher.  His most notable achievement was the creation of the Asmodeus Security Scanner, a Windows NT based port scanner and ethernet sniffer, which he later sold to Webtrends, Corp.  Additionally, Hoglund has written several white papers on content based attacks, kernel patching, and forensics.  He currently works as a researcher for Tripwire Security Systems, exploring forensics issues.


Sarah Gordon, IBM Research Center.

Viruses in the Information Age

Understanding how the virus writers operate, how they perceive their world and the world around them, and how they think is an integral part of addressing the problem of computer viruses. Avoiding the often dangerous over generalization into some homogenous group, an examination of various motivations and technical abilities is presented. Trends in the virus writing communities will be explored.  Future threats will be considered and possible solutions presented.

The presentation will include actual case studies selected from the following populations:
(1) adolescents
(2) college students
(3) adult/professionally employed
(4) ex-virus writers

Sarah Gordon graduated from Indiana University with special projects in both UNIX system security and ethical issues in technology. She currently works with the anti-virus science and technology R?D team at IBM Thomas J. Watson Research Center. Her current research projects include development of certification standards, test criteria, and testing models. She has been featured in publications such as Forbes, IEEE Monitor and The Wall Street Journal, and is published regularly in publications such as Computer and Security and Network Security Advisor. She has won several awards for her work in various aspects of computing technology, and volunteers in an advisory capacity to Virus Bulletin, The WildList Organization, and The European Institute for Computer Antivirus Research. 


Larry Korba, National Research Council of Canada.

Hope, Hype, Horrors... E-Commerce Explored

There is currently a great deal of hype surrounding the tremendous growth and potential of e-commerce. Many companies get on the bandwagon with the hope that providing an e-commerce front end will boost sales and, more importantly, increase the value of the company. Researchers, ever sensitive to the need to be on the leading edge to garner resources, are building e-commerce applications of technologies ranging from secure billing systems for on-line transactions to intelligent agents for business-to-business transactions. In this talk I will discuss the current state of e-commerce and focus on the threats and challenges associated with these emerging e-commerce technologies.

Larry Korba is a Senior Research Officer in the Network Computing Group of the Institute for Information Technology, National Research Council of Canada. His current areas of research include: development of e-commerce technologies, Distributed Security applications in the area of Network Management (including wireless LANs), and Intelligent Agent development. Larry has published over 70 scientific and technical papers.


Jeremy Rauch

How responsive are vendors to security problems when they aren't being pressured by someone threatening to go public?

Hundreds, if not thousands, of machines are unnecesarily compromised each day.  But most of these breakins could have been avoided if administrators had been aware of just a single vulnerability - the one that affected them!  How do these administrators keep up with the plethora of security issues exposed every week? Today, there are primarily three ways to discover these vulnerabilities: vendor fixes and patches, security advisories published by one of the myriad of groups (CERT, CIAC, etc), and full disclosure mailing lists such as Bugtraq. 

But how effective are each of these methods?  How responsive are vendors to security problems when they aren't being pressured by someone threatening to go public?  Are the proponents of full disclosure helping to fix the problem, as they believe, or are they creating more of a problem by divulging vulnerability exploits before a fix is available?

We will analyze this issue from all three perspectives, discussing both successes and failures of each method, and discussing what steps we need to take to remedy the problem.  People have very strong feelings on this topic, and its sure to provoke interesting discussion.

Jeremy Rauch has been involved in discovering and researching security vulnerabilities from a number of different perspectives.  Working with vendors, he has identified and helped fix over two dozen major security vulnerabilities.  Jeremy is currently a developer at one of the largest security vendors, where part of his duties include the identification and reporting of security risks.  Jeremy is also one of the founders of Security Focus, Inc. a centralized online security resource offering security news, products, events, books, tools, and one of the most comprehensive vulnerability listing on the net.


Adam Shostack, Director of Technology, Netect, Inc.

Towards a taxonomy of network security testing techniques.

Security scanners such as SATAN are poorly understood by almost everyone who has never written one.  Despite this lack of understanding, scanners are being widely sold, and sometimes even deployed.  This talk will focus on the details of how scanners actually work in the field, and why the results they give range from somewhat to very misleading.

Adam Shostack is Director of Security Technologies for Bindview Development.  Mr Shostack is a leader in the design and development of BindView's HackerShield security scanner. He also serves on the board of the International Financial Cryptography Association, and has published papers on a variety of security topics.


William R. Cheswick, Author, Firewalls and Internet Security : Repelling the Wily Hacker.

Two different talks:

Security Ideas from all over 
Internet Mapping Project
As a security guy who has travelled a bit, I've come to agree with a former counter espionage agent that "this security stuff is all the same."   From a security viewpoint, there is little new about the Internet.  The same security rules apply to the Internet, castles, walls, and even the immune system.  We will explore a number of security lessons from many sources.

Bill Cheswick logged into his first computer in 1969.  Six years later, he was graduated from Lehigh University with a degree that looked like Computer Science.

Cheswick has worked on (and against) operating system security for nearly 30 years.  He contracted for several years at Lehigh and the Naval Air Development Center working on systems programming and communications.  In 1978 he worked at the American Newspaper Publishers Association/Research Institute, where he shared a patent for a hardware-based spelling checker, a device clearly after its time.

For the next nine years he worked for Systems and Computer Technology Corporation at a variety of universities including Temple University, LaSalle College,  Harvard Business School, Manhattan College, NJIT, and several others.  Duties included system management, consulting,software development, communications design and installation, PC evaluations, etc.

In 1987 (Morris minus 1) he joined Bell Laboratories as a Member of the Technical Staff.  Since then he has worked on firewalls, network security, PC viruses, mailers, interactive science exhibits, and trash-picking in the physics building.  He co-authored the first full book on Internet security in 1994, and has since toured the world giving talks and supplying the media with sound bites.  Infoweek called him "the sweet but feral hacker-in-residence at Bell Labs."

Ches continues as a science guy at Bell Labs.  He latest work includes a new edition of his book and long-term mapping of the Internet, which is producing some really smashing posters.  In his spare time he launches rockets with his wife, tries to fly RC aircraft, and automates his home (his doorbell announces visitors, his mailbox announces real mail, and his phone announces callers.)

Ches's favorite part of Las Vegas is the Hoover Dam.


Eugene Schultz, Contributing author, Internet Security for Business

Security Issues with configuring and maintaining an IIS 4 server

Dr. Eugene Schultz, CISSP, is the Research Director and Trusted Security Advisor with Global Integrity Corporation, a wholly-owned subsidiary of Science Applications International Corporation (SAIC).  In this role he conducts research and consulting activities and provides strategic guidance to corporate clients.  He is also an Adjunct Professor in the Computer Science Department at Purdue University in connection with his research activities. 

An expert in Windows NT, UNIX, and network security, Dr. Schultz is a member of the faculty of the Computer Security Institute and SANS (System Administration and Network Security).  He has co-authored two books (UNIX:  Its Use, Control and Audit and Internet Security for Business) and over 80 published articles, and is a contributing editor to Network Security in addition to being a member of IFIP Working Group 11.4 (Network Security) and the SANS Board of Directors.  His new book, Practical Windows NT Security, will be released soon. 

He has received numerous professional awards, including the NASA Technical Innovation Award, Best Paper Award for the National Information Systems Security Conference, and Information Systems Security Association (ISSA) Professional Contribution Award.  He has served as Chair of the U.S. Presidential Commission on Critical Infrastructure Protection Group on Intrusion Detection and has also provided expert testimony for the U.S. Senate. 

Before coming to Global Integrity, he was the Principal and Information Security Practice Leader for SRI Consulting, where he also served as Program Manager and Research Director for the I-4 (International Information Integrity Institute) Program.  Dr. Schultz was also previously a Principal Security Engineer with ARCA Systems, the Project Manager and founder of the Department of Energy's Computer Incident Advisory Capability (CIAC) at Lawrence Livermore National Laboratory, and Group Leader at the Jet Propulsion Laboratory.    He holds a Ph.D. in Cognitive Science from Purdue University, where he was a David Ross Fellow and member of the Honor Society of Phi Kappa Phi.


The White Hat speakers
Jim Litchko - General Manager for Integrated Management Services, Inc.

Total BS Security:  Business-based Systems Security.

The good news:  We have a lot of security solutions today. 
The bad news:  We have a lot of security solutions today.

Selecting your systems security solutions can be two of the most frustrating problem for security professionals and management.  Jim will provide the audience with a different way to approach the problem of selecting the appropriate security solution.  He will show how to base your security solutions on your business requirements first and security requirements second.  Using real-world case studies and life-lesson concepts (i.e., „PROFIT?lossš, „Secure Brick Theoryš, „Sailor-Proofš, and „SNABš), he will demonstrate ways to determine what the most practical security solution is and sell them to management and customers.  Jim's examples include solutions for financial, presidential, military, gaming and electronic commerce operations.  This presentation is for those frustrated systems security professionals and managers.

Mr. Litchko is a senior information systems security specialist with over twenty-five years experience assessing and developing information system security (INFOSEC) solutions for computer and network systems.  Currently, he is General Manager for Integrated Management Services, Inc. (IMSI).  He has been a senior executive for special projects and business development at the two largest commercial INFOSEC companies, Secure Computing Corporation and Trusted Information Systems, and the enterprise integrator, Telos, all internationally known for advance INFOSEC R?D, consulting, and network security products.  During his twenty-year career as a Navy cryptologist, he spent his first six years supporting operations on naval combatants and air reconnaissance platforms in the Atlantic, Pacific, and European theaters. Mr. Litchko‚s last five years in the Navy were in staff and technical positions in the National Security Agencies (NSA) INFOSEC Directorate and the National Computer Security center (NCSC).  He retired in 1990 as the Staff Chief for the Director of the NCSC.  In 1997, he conducted the first security review of an Internet gaming site.  Since 1988, he has been an instructor for systems and network security for Johns Hopkins University, MIS Training Institute and the National Cryptologic School.  He also provided INFOSEC presentations for Congressional staffs, Gartner Group, Conference Board, Price Waterhouse, Exxon, Freddie Mac, National Industrial Security Association, Computer Security Institute (CSI), National Computer Security Association (NCSA), Defense Intelligence University, and Armed Forces Communications and Electronic Association (AFCEA).  Mr. Litchko has chaired panels and provided INFOSEC presentations at national and international conferences and executive conferences.  He holds a Masters degree in Information Systems from John Hopkins University and a Bachelors degree in Industrial Technology from Ohio University.


Dr. Jeffrey A. Hunker, Director of the Critical Infrastructure Assurance Office.

Protecting America‚s Cyberspace: Version 1.0 of the National Plan

As Director, Mr. Hunker is responsible for bringing together an integrated national plan for addressing physical and cyber threats to the nation's communications and electronic systems, transportation, energy, banking and financial, health and medical services, water supply, and key government services. As Director, he also coordinates a national education and awareness program, as well as develop legislative and public affairs initiatives.

Prior to joining the office, he served as Deputy Assistant to the Secretary of Commerce, where his responsibilities included issues relating to overall economic policy development and initiatives, the integration of economic, energy, and environmental issues, China and other developing countries, and representing the Administration with key constituencies.

Dr. Hunker brings both the government and private sector perspective to his role as Director of the Critical Infrastructure Assurance Office. He was Vice-President of Corporate Finance at Kidder, Peabody ? Co., Incorporated in New York, where he specialized in capital raising and acquisition advisory work for U.S. and European industrial firms. Previously, he was a consultant and case leader at the Boston Consulting Group. He has an AB in Engineering and Applied Physics (cum laude, Phi Beta Kappa) from Harvard College, and a Doctorate in Business Administration from Harvard Business School, and has written several articles and one book on topics of public policy and corporate strategy.


Rob Karas, Para-Protect Services, Inc.

Open Source Monitoring:

Open Source Monitoring (OSM) is becoming more of a necessity in today's electronic market.  Today one person can broadcast messages to millions of people using the Internet and adversely represent the company he or she works for.  These messages may contain information, which could be used to exploit the security of a corporate network or give away valuable information about a company.  Open Source Monitoring can help companies solve and rectify problems before they become a more serious threat.

During this briefing you will obtain information on what OSM is and is not, methodologies, different types of examples for OSM and the pros and cons of outsourcing OSM.

Rob Karas currently works for Para-Protect Services Inc. where he is a Senior Computer Security Engineer.  Specializing in penetration testing and incident response, Rob has participated in investigations of computer system intrusions and been called as an expert witness in judicial cases.  Recently he appeared on a NPR radio segment which show cased the security, or lack of security found throughout the Internet and on corporate networks.  Rob has been involved with Open Source Monitoring, penetration testing, certification and incident response work for the past 6 years. 

Para-Protect Services Inc. is one of the fastest growing security consulting companies.  We provide penetration testing, 24X7 incident response, Open Source Monitoring and other security services.  As our slogan says „Information Protection around the clock, around the globeš Para-Protect, in its first six months has provided security support throughout the US and Europe.


Jon David, Senior editor Computers ? Security.

Putting Intrusion Detection into Intrusion Detection Systems

Most, if not all, activities of present intrusion detection systems are involved with the detection and reporting of attacks;  worse, these are deflected attacks.  IDS devices are typically placed outside of perimeter defenses, and treat only incoming traffic.


Jennifer Granick, Attorney at Law.

Forensic Issues in Hacker Prosecutions

Jennifer Stisa Granick is a criminal defense attorney in San Francisco, California.  She defends people charged with computer related crimes, as well as other offenses.  Jennifer has been published in Wired and the Magazine for the National Association of Criminal Defense Lawyers.


Teresa Lunt, Xerox Parc 

Taxonomy of Intrusion Detection Systems

Teresa F. Lunt is Principal Scientist at Xerox PARC, where she is Manager of the Secure Document Systems group. Prior to joining Xerox, she was Associate Director of the Computer Science Laboratory at SRI international.   Until August 1998 she was Assistant Director for Distributed Systems in Defense Advanced Research Projects Agency's (DARPA) Information Technology Office, where she had oversight of programs on distributed computing, secure networking, information survivability, adaptive systems, and software-enabled control. She also developed and managed DARPA's Information Survivability program, was instrumental in the development of DARPA's Information Assurance program, and developed a new research program called Inherent Survivability. Prior to her four years at DARPA, she was Program Director for Secure Systems at SRI International, where she led the development of the SeaView multilevel secure database system, the NIDES intrusion-detection system, the DISSECT tool to detect inferences of highly sensitive information from less sensitive information, and a system for semantic interoperability of secure databases.


Scott Culp, Security Product Manager, Microsoft

Building a Security Response Process

Customers' increasing need for secure software products is causing many software vendors to change their development processes.  Where vendors previously delivered static products at discrete intervals, many now constantly monitor their already-shipped products for reported security vulnerabilities, and provide security patches in real time.  Microsoft has had such a process in place for over a year.  This talk will discuss the process - what has worked and what hasn't worked - and will be of interest both to vendors and customers. 

Scott Culp is a Security Product Manager at Microsoft for Windows NT Server.  He is the "voice" behind [email protected], Microsoft's email alias for reporting security vulnerabilities in Microsoft products.


John Davis, Director, NCSC, Will Ozier, Nebel, and Migues

Panel Discussion - Introduction to the White Hat Track, overview of security challenges from the inside.


Padgett Peterson, Corporate Information Security. 

Overlooked Local Attack Techniques

Those few companies that take information security seriously are often bewildered by the incredible array of tools and pseudo-tools available for analysis. Penetration testing and internet scanners are very popular yet are based on attack tools. These do not make use of the "home team advantage" of very fast response and the ability to examine the machines directly. This talk will describe some of those local techniques which are often overlooked.

A registered professional engineer and graduate of the General Motors Institiute, I have been involved with digital computers, communications, and cryptography for over thirty years. Became involved with viruses in 1988 and information security has been my day job since 1990. Have written a number of anti-virus programs (DiskSecure and MacroList) which are given away as FreeWare. Am currently the Chief Information Protection Architect for Lockheed-Martin Corporation.


G. Alec Tatum, III, IntelAgents, LLC 

Introduction to the White Hat Tack - Panel

Managing the External Environment


Lori L. Woehler, CISSP, Director of Professional Services, Secure Computing Corporation.

Lori is the Director of Professional Services in the Vienna, VA office of Secure Computing Corporation.  Her background in Information Systems Security includes program management and support addressing network and telecommunications security, training, policy development and implementation, risk management planning and execution, and associated sub-disciplines including telecommunications, physical, operations and personnel security.  She is the former Chief of Technical Security for an Army installation and has provided consulting and assessment services for numerous federal, DoD and commercial organizations.  She was a participant in the National Defense Industrial Association Special Study for the Secretary of Defense on Outsourcing of DoD Red Teaming Activities.  She has been a featured speaker before the NSA Security Proof of Concept Keystone, the Department of Defense Security Institute, and a variety of commercial and defense groups.  She brings a realistic „in the trenchesš approach and perspective to facilitating integration of technical, managerial and operational elements of information systems security programs.


Panel Discussion: Competative Intelligence
Moderated by Sangfroid.
Pannelists include: Dr. Mudge, Mike Schiffman, Batz, Jeremy Rauch, Dean Turner, Space Rogue, Sir Distic.

Ira Winkler, 

The issues surrounding the hiring of "hackers"