February 14th-15th Las Vegas
SPEAKERS
Technical - These are technical issues all security practitioners should be aware of.
More Technical - The nuts and bolts of a technology. 
Deep Knowledge - These talks consume the most time because they contain the most complex technical details, are involved demonstrations, or cover big issues that are quite complex.
03/09/01 Added updated presentations for David Goldman, Clinton Mugge & Erik Birkholz, Todd Sabin, and Eric Schultze & David LeBlanc.
04/02/01 All presentations are available from the Sound of Knowledge on MP3 CD, VHS, and cassette tape.
Key Note Speakers
James Bamford - Author of The Puzzle Palace.

Researching secrets.

BOOKS: The Puzzle Palace: A Report On NSA, America's Most Secret Intelligence Agency. (Houghton Mifflin and Viking Penguin) An investigation of the largest, most hidden and most important U.S. intelligence agency. The book became a national bestseller and won the Investigative Reporters and Editors Book-of-the-Year Award. In February 1998 Washingtonian magazine called it "a monument to investigative journalism."
Body of Secrets: Anatomy of the Ultrasecret NSA, From the Cold War to the Dawn of a New Century.  (Doubleday)  A sequel to The Puzzle Palace, the new book takes a close look at NSA from the Cuban Missile Crisis and Vietnam to the present controversy over Echelon.  (Due out in April 2001).
TELEVISION: Washington Investigative Producer, ABC News, World News Tonight with Peter Jennings.  For nine years, until 1998, I was responsible for long-term, in-depth investigative stories from concept to final airing.  The stories have covered a wide range in both topics and geography, from White House scandals to locating spies in Cold War Europe to finding murderers in the Middle East.  Many involved complicated investigations in difficult areas of the world, such as locating principal figures involved in the Clinton campaign finance scandal hiding from U.S. authorities in China.  I am also the recipient of numerous television reporting awards, including the Overseas Press Club Award for Excellence and the Society of Professional Journalists Deadline Award for the Best Investigative Reporting in Television. 
MAGAZINES:  I have written on investigative topics for many national magazines, including the cover story on the Iran-contra affair for the New York Times Magazine, the cover on the Russian shoot down of Korean Air Lines 007 for The Washington Post Magazine and the cover on the Mafia for the Los Angeles Times Magazine. 
CRITICISM: I have written dozens of op ed pieces and book reviews for the New York Times, The Washington Post, and the Los Angeles Times.
CONGRESS: I have testified on intelligence and secrecy issues before committees of both the U.S. Senate and House of Representatives. 
EDUCATION: Juris Doctor degree. 


Chey Cobb, CISSP

Why Government Systems Fail at Security

The Cold War is over and government agencies and offices are told that everyone is an ally, partner, friend. Everyone and everything is connected. We're told everything is "safe", including COTS. Collaboration is the new buzz word.

The result? The agencies are at odds with one another as they try to adjust to this strange new world. They can no more agree on WHAT needs protecting than they can on HOW to protect it.

Official inter-agency security policies exist for protecting sensitive systems, but compliance is hit-or-miss at best. Factor in the politics, egos, personal agendas, skimpy budgets, and laissez faire attitudes, and you'll see why these systems aren't nearly as safe as we are led to believe. This talk documents these problems with case histories and focuses on the most promising paths to solving them.

Chey is a 15-year veteran of computer security. She is a former Senior Technical Security Advisor for Program Offices and Directorates of the NRO (National Reconnaissance Office). Her recent accomplishments include being a key member in the development of the NRO's Malicious Code Protection Plan, recently being in charge of information security at a large overseas facility, and being instrumental in developing security policies, emergency response plans, and training programs for specific programs.

Their Presentation! (PowerPoint 122k)


Technical Speakers
David Litchfield - Director of Security Architecture, @Stake.

Remote Web Application Disassembly with ODBC Error Messages

The talk will discuss how to use ODBC error messages, caused by specially crafted queries, to remotely disassemble a web application running on IIS and feeding into an SQL database server, without ever having had access to the ASP source code and without any knowledge of the SQL server's structure, returning such information as table names, the name of every column in a table, and the data type expected by each column. Once the application (in this talk, a login page) has been disassembled, the talk will go on to demonstrate how to use this information to create an account and gain access to the restricted areas of the site.

Known as the UK's NT Guru by ZDNet, David is a world-renowned security expert specializing in Windows NT and Internet security. His discovery and remediation of over 100 major vulnerabilities in products such as Microsoft's Internet Information Server and Oracle's Application Server have led to the tightening of sites around the world. David Litchfield is also the author of Cerberus' Internet Scanner (previously NTInfoscan), one of the world's most popular free vulnerability scanners. In addition to CIS, David has written many other utilities to help identify and fix security holes. David is the author of many technical documents on security issues, including his tutorial on Exploiting Windows NT Buffer Overruns referenced in the book "Hacking Exposed".

Their Presentation! (PowerPoint 37k)


Rooster - Product Security Manager, Unknown Company.
Dan Kurc - Tools Developer for Network Attack & Audit Team, Unknown Company.
William Dixon - Program manager for the Windows Networking Division at Microsoft.
 

IPSec in a Windows 2000 World

Windows 2000 has brought many new tools and techniques to the realm of security, one of which is IPSec. This session will examine IPSec from the basics down to the packet-by-packet nuts and bolts. We will be breaking the talk into several distinct sessions.

 * Protocol basics, including IPSec, Kerberos, Certificates and PKI, and L2TP
 * Detailed discussion of the IPSec architecture, protocol, and IKE
 * W2k Implementation
 * Deployment issues in a W2k infrastructure
 * Demonstration of a working IPSec cross-platform environment
 * Advanced IPSec for Win2k

We will thoroughly discuss the IPSec protocol itself, and then exactly how Win2k implements the specifications. A demo will also be provided showing a Win2k IPSec host communicating with a Linux machine running FreeS/WAN.

Some of the important issues discussed for Win2k include performance, protocol overhead, and interaction with Active Directory.

A detailed knowledge of TCP/IP at a protocol level will be valuable to get the most out of this presentation.

Rooster has been involved with computer security in one form or another since the mid 80's.  Currently working for a software development company, he is responsible for product security.  With specialties in Layer 3 and networking services, Rooster has been involved in many aspects of IT infrastructure and product development.

Dan is currently a tools developer for an audit and penetration team for a fortune 500 company.  His job responsibilities include network and platform security design, review and auditing for a large, multiple property environment.

William Dixon is the program manager for Network Security, which includes Internet Protocol Security (IPSec), for the Windows Networking Division at Microsoft. He holds bachelor's and master's degrees in computer science from the University of Virginia School of Engineering, and had 10 years' experience as a software developer and project lead for both commercial business and US DoD applications prior to Microsoft.

Their Presentation! (PowerPoint Zipped 2,892k)


Macy Bergoon - Chief Technology Officer, Secure Labs

Host Based Intrusion Detection Using W2K Auditing Features.

Effective auditing is a key component of any security strategy. This session will take auditing to a new level: Intrusion Detection. All aspects of the Windows 2000 auditing subsystem will be discussed, along with general strategies anyone can use to begin to monitor for unauthorized activity with no additional cost beyond that of the Operating System.

High-level topics will include Effective Auditing, Auditing Strategies, W2K Functionality, Group Policies, the Event Log Subsystem, Auditing DHCP, Auditing Message Queues and the IPSEC Audit Log. Event log collection and preservation issues will be discussed, along with new methods for log analysis and trending. A solid understanding of the W2K auditing subsystem will provide an excellent foundation to build on for all host-based security implementations.

Their Presentation! (PowerPoint 710k)


Mushin - Lead Incident Response Consultant, Jawz Technology Inc's CyberCrime division.

Incident Response in a Microsoft world.

Since so many articles and texts seem to focus on Incident Response based around Unix platforms, this speech will give the audience the opportunity to walk through a scenario of a penetration of a Microsoft web server, and what is commonly done by mistake when the company responds to the incident. Examples and discussion will then be given on better procedures to follow, with some discussion of the various tools and actions that are best utilized when investigating an incident on a Microsoft platform. Depending on the level of knowledge and participation at this speech, further discussions in later Black Hat settings may delve into technical forensics and aspects of Security Policy.

John Kutzschebauch, AKA Mushin, is currently the lead Incident Response consultant for Jawz Technology Inc's CyberCrime division. Previous positions most recently include the Task Force Falcon Information Assurance Manager 1999-2000 (basically the InfoSec manager for the US Armed Forces in the countries of Macedonia and Kosovo in support of the Kosovo Peacekeeping Forces), various vulnerability assessment contracts, and NT and MVS security consultant with DISA at what was previously known as Defense MegaCenter Denver. He can be reached at http://www.securityhorizon.com.

Their Presentation! (PowerPoint 1,699k)


Todd Sabin - Bindview.

Null Sessions, MSRPC, and Windows 2000.

Null sessions have been a favorite tool for information gathering on Windows NT.  How does the arrival of Windows 2000 change things?  This talk will begin with a review of Null sessions on NT4: what they are, how they're done, and the information that you can obtain with them, including some things that are currently not well known.  Next it'll discuss what's different (and what's not) in Win2k.  Then it will take a closer look at Null Sessions and their foundations in MSRPC over named pipes, and find that this can have some rather surprising implications on Win2k.  Finally, it will cover what administrators can do to protect themselves.

Their Presentation! (PowerPoint 182k)


Kate Borten, CISSP - President, The Marblehead Group.

Healthcare and New Federal Security Protections

Kate Borten, president and founder of The Marblehead Group, Inc., a health information security consultancy, brings to clients her unique combination of extensive experience in both healthcare information systems and security management. The Marblehead Group provides education, risk assessment, and security management consulting to the healthcare sector. She is a nationally recognized expert in health information security and related legislation such as the Health Insurance Portability and Accountability Act (HIPAA), as well as a frequent speaker and the chair (1998, 1999, 2000) of MIS Training Institute's annual health information security conference.

Ms. Borten is former Chief Information Security Officer at CareGroup, a major integrated delivery system in Boston encompassing several Harvard University teaching hospitals, health centers and other facilities, and one of the region's largest physician networks. During her tenure she established the first corporate-wide information security program, including integrated security and confidentiality policies, procedures, and technical controls, as well as a comprehensive education and awareness program.

Prior to her CareGroup experience she was information security chief at Massachusetts General Hospital where she managed information systems development and integration before assuming responsibility for security of the MGH healthcare delivery system.

Their Presentation! (PowerPoint 93k)


Todd Feinman - Manager, PricewaterhouseCoopers
David Goldman - Manager, PricewaterhouseCoopers

Safeguarding your Business Assets through Understanding of the Win32API

As Windows 2000 becomes integrated with indispensable corporate operations, the operating system acts as a portal through which hackers can breach and compromise sensitive business resources. Through case study analysis we will discuss numerous vulnerabilities inherent to the Win32API. You must protect your business against threats that exploit these features. This session will arm you with critical knowledge and an arsenal of assessment techniques that will help you not only battle today's vulnerabilities, but also prepare you for unknown future threats.

Todd is currently pursuing an MBA at Harvard Business School. Combining this with his experience as a manager for PricewaterhouseCoopers' technology-security consulting practice, he is assisting corporations with the integration of secure systems into their daily operations and e-business systems. At PwC, he was responsible for delivering Windows NT/2000 services including security assessment, penetration, as well as strategy development and implementation. He is a principal author of several books, white papers, and articles including Microsoft's technical reference book on Windows NT Security and Audit, as well as an Electronic Commerce book published by Irwin/McGraw Hill.

David is currently in PricewaterhouseCoopers' technology-security consulting practice and is focusing on assisting businesses to secure their online environments. Leveraging his background in e-business systems and Internet-enabled application design, he facilitates the incorporation of sound security practices into corporate operations. Currently, he is managing the assessment, design, and implementation of security and controls on systems and applications across disparate environments. His specialty is Windows NT/2000, and he has written several white papers and articles on the subject.

Todd and David are the developers of eXcalibur Security 2000, a Windows NT/2000 security collection tool that utilizes many security-related Win32 API calls.


JD Glaser - Senior Software Engineer, Foundstone, Inc.
Saumil Shah - Principal Consultant, Foundstone, Inc.

Web Hacking

Web hacking is the next generation of hacking "kung fu." The previous generation of hackers concentrated on operating systems and network protocols, but operating systems are getting more robust and resistant to attacks and network protocols are getting more secure. On the other hand, e-commerce technology is increasingly common and complex. Unfortunately, not enough effort has been spent on securing Web-based infrastructure. Join us for an eye-opening demonstration on what can go wrong with poorly secured Web applications, how severe the risks are, and how to protect yourself and your company from these Web ninjas.

We shall be covering vulnerabilities ranging from web server misconfigurations, improper URL parsing, application level vulnerabilities, Java application server hacking and some special advanced techniques.

Saumil provides information security consulting services to Foundstone clients, specializing in ethical hacking and security architecture. He is also featured as an instructor in Foundstone's Ultimate Hacking and Ultimate Web Hacking training programs. He holds a designation as a Certified Information Systems Security Professional (CISSP).

Saumil has had over 6 years of experience with system administration, network architecture, integrating heterogeneous platforms and information security.

Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young LLP where he was responsible for their ethical hacking and security architecture solutions. For over a year, Saumil has performed numerous ethical hacking exercises for many significant companies in the IT arena. Saumil regularly contributes to the "Security Issues" column on CNet's Builder.com site. He has served as a technical editor for Hacking Exposed 2nd Edition, published by Osborne McGraw-Hill. Saumil has also authored a book titled "The Anti-Virus Book" published by Tata McGraw-Hill India.

Their Presentation! Talk #1 Hacking Exposed: E-commerce (PowerPoint 429k) Talk #2 Web Hacking (PowerPoint 305k)


Loki - Founder of Fate Research Labs

Virtual Private Problems: A Broken Dream

With continued advancements in current cryptography technology such as Diffie-Hellman key exchange, Triple DES (3DES) Encryption, MD5, HMAC, IKE, and IPSec, we have been introduced to a technology that has created a false sense of complete security for end users of VPNs. In an industry where each vendor defines a VPN differently, we are faced with no real standards, no real complete interoperability, and growing security problems as the products become more and more complex. IPSec creates an open standard for VPNs. However, interoperability remains an issue. Compliance with standards is not enough.

As a technology in its extreme infancy, this topic will drill deep into the insecurities of Virtual Private Network appliances and demonstrate several exploits that circumvent VPNs. It's not cryptography that has ever been the issue; it's the misconfiguration and improper deployment of the security product that is the weakest link.

According to Forrester Research, Corporate America will go from spending $205,000,000 in 1997 to more than $11.9 billion in 2001. This dramatic increase of investment into what is a relatively new product has brought, and will continue to bring, serious security problems. Should such neoteric and untested technology be relied on so heavily? Through the demonstration of our recently released VPNet exploit and other situations that have arisen from this technology, we hope to prove that such a technology should not be so heavily relied on in its current nonviable stage of development.

As founder of Fate Research Labs, Loki has released several Virtual Private Network advisories, from RapidStream to VPNet. Loki later became the CEO of Netstream, where he is now manager of the Penetration Testing division for the largest phone conglomerate in the world.

Their Presentation! (PowerPoint 1,769k)


Eric Schultze - Security Program Manager for the Microsoft Security Response Center.
David LeBlanc - Senior Technologist for Microsoft Corporate Security.

Defense in Depth: Winning in Spite of Yourself (aka  "Foiling JD")

David LeBlanc is a Senior Technologist for Microsoft Corporate Security.  He works on Microsoft's internal red team doing penetration testing and writing internal-use security tools. Prior to joining Microsoft, he worked at Internet Security Systems and led the team which produced the Windows NT version of the Internet Scanner. Dr. LeBlanc has a B.S. and M.S. in Aerospace Engineering, and a Doctorate in Environmental Engineering from the Georgia Institute of Technology. Despite not having a way-cool title like "Guru", "Visionary", "Senior Wizard", or "Grand Wazoo", he thinks he has the most fun job at Microsoft.

Eric Schultze is a Security Program Manager for the Microsoft Security Response Center, where he receives first-hand reports of potential security vulnerabilities via secure@microsoft.com. Prior to joining Microsoft, Eric managed the security training programs at Foundstone, worked at SecurityFocus as Director of Microsoft content, and worked for several BigX firms doing security penetration assessments. Having a liberal arts degree from Amherst College, Eric doesn't consider himself a true geek, but still likes to think of David LeBlanc as his long-lost brother.

More Technical
Erik Birkholz, CISSP - Principal Consultant / Trainer, Foundstone, Inc.
Clinton Mugge, CISSP -  Principal Consultant, Foundstone, Inc.

Terminal Server: The Day of Reckoning

Windows administrators have long struggled with the problem of native graphical remote access to their servers. Today, Microsoft's Windows 2000 Server offers a solution that is tightly integrated with the operating system: Terminal Server. Terminal Server provides a valuable and robust tool for Windows 2000. As usual, due diligence must be performed when implementing any new technology. To quote from Microsoft's site, "Windows 2000 Terminal Services is a technology that lets you remotely execute applications on a Windows 2000-based server from a wide range of devices over virtually any type of network connection." Windows 2000 Terminal Server provides a fully interactive, user-friendly, graphical interface to users and administrators alike. This free administration tool may be an affordable means of implementing a distributed application solution - but at what cost?

Demonstrations will highlight the impacts of typical Windows attacks coupled with Terminal Server, as well as Terminal Server specific attacks. Solutions will be presented to reduce the impact of these attacks. Countermeasures will include implementing critical security features found native to W2K Terminal Server and available from the W2K Option Pack.

Erik is a Principal Consultant/Trainer for Foundstone. Erik's prime area of concentration is Internet and Intranet technologies and the security of their encompassing protocols, network devices, and operating systems. He specializes in Attack & Penetration testing and security architecture design. Erik also instructs Foundstone's "Ultimate Hacking: Hands On" and "Ultimate NT/2000 Security: Hands On" courses. Prior to joining Foundstone, Inc., he served as an Assessment Lead for Internet Security Systems' (ISS) West Coast Consulting Group. Before ISS, Erik worked for Ernst & Young's eSecurity Solutions group. He was a member of their National Attack and Penetration team, and an instructor for their "Extreme Hacking" course.

Clinton is a Principal Consultant at Foundstone, specializing in Attack & Penetration and E-commerce security architecture reviews.  Prior to joining Foundstone, Inc. he was a senior consultant for Ernst & Young's eSecurity Solutions group performing and managing Internet/Intranet security assessments, Cyber Process Certifications and Incident Response programs for new and existing clients. Before E&Y, Clinton served as a Counter-Intelligence (CI) Agent in the Information Warfare Branch of the U.S. Army, during which he assisted in planning and implementing CI Special Operation Concepts.  He also served as the lead computer investigator in Top Secret information technology related investigations, and performed vulnerability surveys on Department of Army Units.

Their Presentation! (PowerPoint 2,720k)


Ofir Arkin - Founder, The sys-security Group.

Active & Passive Fingerprinting of Microsoft Based Operating Systems using the ICMP protocol

The ICMP Protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later cleared in RFCs 1122,1256, 1349, 1812), as a way to provide a means to send error messages. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite. The risks involved in implementing the ICMP protocol in a network, and the ways of using the ICMP protocol to fingerprint Microsoft based operating systems are the subject of this lecture.

First we will outline the basics, going over the ICMP protocol's characteristics. We will briefly introduce Host Detection and Advanced Host Detection methods using the ICMP Protocol. We will outline several methods that might help us to determine the network mapping of a targeted network and to understand the ACL a filtering device protecting the targeted network might use. 

After we have explained the basic know-how we will introduce OS fingerprinting using the ICMP protocol. Methods, which use crafted ICMP query messages and the replies they produce will be introduced. Other methods that use crafted packets, which will elicit an ICMP Error messages from the probed machines, will be introduced as well. An in-depth explanation will be given to the specific methods, which allow us to identify Microsoft based operating systems. We will also introduce ways to identify those fingerprinting attempts.

The last topic of the talk will be the usage of passive fingerprinting methods with the ICMP protocol.  With passive fingerprinting we will be able to have a clear distinction between the various Microsoft Operating Systems. 

At the end of the talk we will summarize the specific characteristics that lead to the identification of Microsoft based operating systems, and specifically Microsoft Windows 2000, which was supposed to be "a non-identified OS" hidden in the haze.

Ofir Arkin is a researcher and explorer of the computer security field. His passion for knowledge in the "Know How" category has led him to many projects in the lowest levels of the TCP/IP stack implementation. Ofir has published numerous papers about his work; the most recent are "Identifying ICMP Hackery Tools Used in the Wild Today", "ICMP Usage In Scanning", and "Unverified Fields - A Problem with Firewalls & Firewall Technology Today". All are available from Ofir Arkin's web site.

Currently Ofir is working at OFEK, as the company's Security Technical Manager. OFEK is in the process of becoming a National Operator and a Leading Provider of advanced Telecommunication Services in Israel as a carrier of Voice, Internet, Data and Video through a Convergence of Services.

Their Presentation! (PowerPoint 433k)


Greg Hoglund - ClickToSecure, Inc.

Kernel Mode Rootkits: Stealth and Subversion of Trust

This talk will draw upon the work of www.rootkit.com, a group of individuals that have maintained and distributed a kernel-mode rootkit for Windows NT/2000.  The talk will cover the following details:

0. What is a rootkit?
1. How kernel-mode affects host-security
2. How to subvert file-access and fool file-integrity analysis
   a. trojan file handles
3. How to talk directly to the network without a TCP/IP stack
   a. NIDS layer communications
4. How to modify trusted system-calls
   a. hook software interrupts
   b. hook NTDLL
5. How to inject code into the kernel
   a. ZwLoadDriver
   b. The Registry
   c. infection of device drivers
   d. SystemLoadAndCallImage
6. How to deploy rootkit-code like a virus
   a. software interrupts as a covert channel
   b. viral infection of system drivers
7. How to subvert the Windows NT/2000 EventLog
   a. stealing file handles
   b. patching eventlog functions
8. Subverting Access-Control
   a. SeAccessCheck
   b. Backdoors
9. Spawning win32 processes
10. Stealth
   a. Hiding threads from a debugger
   b. Hiding processes under NT/2000
   c. Hiding drivers under NT/2000
11. How to detect a rootkit
12. Sample rootkit code available

Greg Hoglund is an accomplished software engineer and researcher. He has written and been involved in many commercial security products. Hoglund currently works for Click To Secure, Inc. where his work is focused on automated software-security analysis and the product known as 'Hailstorm'. Hoglund recently contributed to 'Hack Proofing Your Network/Internet Tradecraft' published by Syngress. His other work includes research and speaking about software vulnerabilities, buffer overflows, and issues related to NT security.

Their Presentation! Complete mirror of Rootkit.com with source code (Zip 1,554k)


Panel Discussion

The Black Hat Time Machine: What happens next year?

The panel of experts will discuss what new tools and projects they are working on, what other tools may be released from the "underground" and how this will all impact our jobs.  Plenty of time for Q&A.


Chip Andrews - sqlsecurity.com

MS SQL Server Security Overview

As organizations get better at configuring firewalls and intrusion detection systems, what may be left out of the security equation is database server security.  As Microsoft's flagship relational database product and with chart-topping TPC benchmarks, SQL Server is poised to serve as the backbone of many corporate and eCommerce infrastructures.  With all of these SQL Server installations around, who is going to secure them?  How SQL Server security conscious are the people developing the products?  How can SQL Server be transformed from a vessel of your corporate jewels into an injection vector for exploits, rootkits, and other shenanigans?

The SQL Server security presentation will begin with an overview and evolution of the SQL Server security model.  Discussion will include the differences between users and logins, database and server roles, SQL Server service security contexts, and the security of the various net-libs.  There will also be some discussion of the scope of SQL Server's enterprise presence as it has found its way into numerous commercial products that may exist in multiple locations of many shops.

The following section will describe typical SQL Server fingerprinting, information gathering, account acquisition, and privilege escalation techniques used by attackers.  There will be some discussion of the various tools available to the general community to both attack and defend SQL Server installations.  Finally, there will be a clear suggestion for how SQL Server administrators and developers can defend against these attacks including doing some intrusion detection on SQL Server itself.

The final section will discuss the growing problem of SQL-injection attacks and how they affect SQL Server specifically.  There will be a demonstration of exactly how attackers inject SQL code into applications and the tricks they use to bypass even the most vigilant input validation.  Best practice development techniques will be demonstrated and how even ad-hoc queries might be better constructed as to not let attackers inject trojan SQL code into your applications.

Chip Andrews (MCDBA, MCSE+I) has been a programmer (currently VB/SQL/Java/C++) and an independent computer security consultant for more than 16 years and specializes in applying the skills obtained through security consulting to every aspect of product development.  Chip maintains the www.sqlsecurity.com web site that focuses on SQL Server security issues.  He currently works as a Software Security Architect for Clarus Corporation (www.claruscorp.com), a leader in B2B e-Commerce software applications.

Their Presentation! (PowerPoint 239k) SQLPing tool (Zip 19k)


Paul T. Mobley Sr. - Senior U.S. Forensics Expert, CyberCrime Division of Jawz, Inc.

Computer Forensics with an emphasis on the NT operating system.

Many Forensic classes and papers discuss utilizing specialty Unix tools and operating system commands to perform in-depth Forensics. Paul will cover the basics of general Forensics, including how NOT to totally destroy the crime scene and how to use some of the available NT tools to assist in an investigation. This speech and the one held by Mushin will assist the standard security administrator/manager in setting up policies and procedures on how to react to an intrusion. While it is not designed to create Forensic experts out of all of the attendees, it will share enough information for a person to lay the framework for a forensic investigation.

Mr. Mobley served the United States Navy from 1989-2000 as a Special Agent for the U.S. Naval Criminal Investigative Service.  Paul's last assignment was with the NCIS Gulf Coast Field Office, Computer Crimes Investigation and Operations Unit (CIO), located at Naval Air Station Pensacola, FL.  Paul was assigned to the CIO in September 1996.  While assigned to the CIO, he had the opportunity to investigate and assist in the investigation of major computer attacks against Department of the Navy and U.S. Marine Corps computer networks.  A majority of Paul's network intrusion experience was in the Foreign Counter Intelligence arena.  Forensic Examinations and Evidence presentation became a specialty for Paul while he was assigned to the CIO, where the experience afforded him the opportunity to work jointly with other Military Intelligence organizations, Federal Law Enforcement, and various U.S. Attorneys throughout the United States.

Their Presentation! (PowerPoint 1,556k)


Andrey Malyshev - Chief of software development, ElcomSoft Co. Ltd.

Analysis of Microsoft Office password protection system, and survey of encryption holes in other MS Windows applications.

While successfully creating password recovery software for most of the major applications on the market, including Microsoft Word, Microsoft Excel, Lotus, Paradox, NT, Quicken, and many more, ElcomSoft has become a leader in its field.  This speech covers the password protection of Microsoft Office documents (created in Word, Excel, Outlook) and of VBA macros embedded in all MS Office and some other vendors' applications.  Examples of weak cryptographic protection, and some software tools that exploit it, will be demonstrated (see also a paper on these issues here).

Andrey Malyshev has been Chief of software development since 1998.  Before that he worked as a System Administrator at the Russian Military Academy of General Staff.

Their Presentation! (PowerPoint 112k)


Deep Knowledge
Kevin McPeake - Senior Consultant, Trust Factory.
Wouter Aukema- Co-founder, Trust Factory.

Falling Domino's 

Lotus Notes / Domino is considered one of the more secure mail/groupware platforms in the world.  With an installed base of more than 50 million (mainly corporate and government) seats, the product is used by almost all financial institutions, Big 6 accounting firms, government intelligence agencies and defense organizations.

At Defcon 8, Trust Factory consultants Patrick Guenther, Kevin McPeake and Wouter Aukema presented several new vulnerabilities along with Chris 'BloodAxe' Goggans, of Security Design International, who validated their research.  Topics included known vulnerabilities and new ones, such as bypassing the Execution Control List, modifying Notes design elements and identity theft.  Using Notes Sesame, a tool written by Patrick Guenther, Trust Factory demonstrated weaknesses in the hashing algorithms for internet passwords as well as in the validation of Notes ID-files obtained from remote networks and users.

At Black Hat Windows 2000, Patrick and Wouter will give in-depth information about the vulnerabilities they discovered.  They will also give an update on the latest results of their ongoing research.

1. Execution Control List: The ECL was designed to prevent malicious code from running on a client.  Several methods exist to bypass and/or reset the ECL.
2. Design Element manipulations: How to re-enable Stored Forms, which is known to be a dangerous feature, and how to implement mechanisms for information operations.
3. Traditional Hashing algorithms.
4. ID-file: The validation mechanism, bypassing it, and brute forcing an ID-file.
5. Revealing the 'strong' password hash: The strong password hash was Lotus' answer to the vulnerabilities they discovered.  Patrick will talk about the latest findings of his research regarding the "strong password hash".

Originally entering the world of computer security at the age of 11, armed with his TRS-80, Kevin McPeake has worked in many different facets of the computer industry.  In the early 1990s, after he began his formal career, he developed applications for various banks and institutions which were making the move to electronic funds transfers over X.25 networks.  In 1993, his skills in protocols and programming were recognized by a Dutch firm, who relocated him to Germany and later to The Netherlands, where he worked on various protocol development for the BBS and Telecom industry.  After trying his hand at International Sales (which he refers to as "paid social engineering") in 1994, Kevin returned to the IT market in the USA, where he worked as an X.25 network and Internet consultant.  In 1996, Kevin was relocated to The Netherlands for his "2nd Tour of Duty" by another Dutch firm, where he served as an Infrastructure Consultant and later Chief of Network Security.  Realizing that one could actually make money in security, he eventually returned to his roots and co-founded his own security company, Trust Factory BV, where he now serves actively as a senior consultant, as well as the CEO.

Wouter Aukema is the co-founder of Trust Factory.  He has been in the security underground for about three years, and he concentrates mainly on Lotus Notes/Domino and other (client) application security issues.  His interest in computers dates from 1980, when he bought himself an Acorn Atom computer.  Since '86, Wouter has worked for several corporations, such as the Philips subsidiary Origin, AT&T and the Venezuelan state-owned oil company PDVSA, where he also specialized in telephone switches.

Patrick Guenther, a Swiss native and resident, previously worked at Arlan SA, where he personally oversaw the integration of Lotus Notes into the KLE-LINE electronic payment system, and developed a Java based licensing system for third party Lotus Notes applications.  Guenther also developed the first version of EQS (Electronic Quality System) for Lotus Notes, which went on to win the Lotus Beacon Award in 1996.  Guenther joined Trust Factory in May 2000, where he heads up R&D of security vulnerabilities as well as new software products.  Guenther was recently credited with the discovery of multiple password hashing problems within the Lotus Notes environment and presented these findings to the community at DEFCON-8.

Their Presentation! (PowerPoint 168k)


Halvar Flake - Independent Reverse Engineer

Auditing binaries for security vulnerabilities

Even with the advent of the open-source movement, many critical systems such as most firewalls and many high-performance web servers still run closed-source software.  Few security architectures are not prone to failure if the security of critical software fails.  As Joey__ demonstrated in his speech at Black Hat Singapore, reverse engineering can be used to find unknown vulnerabilities in closed-source software.  The first half of the speech will give in-depth coverage of reverse engineering compiled C/C++ code on the x86 platform, with specific focus on its immediate application to network security.  The speech will begin with a short note on the legality of reverse engineering for security purposes in both the US and EU.  The following topics will include a thorough review of common C/C++ programming mistakes that can lead to illicit code execution, how these mistakes look once they have been compiled into assembly code, and how one can go about finding these problems.  The techniques explained will then be used to find a yet-undiscovered format string bug in a major web server.

The second half of the speech will focus on more "esoteric" topics in relation to reverse engineering, including reconstruction of C++ classes via the "this"-pointer (both manually and automatically) and ways to facilitate and automate the auditing process.

A solid knowledge of C and a decent understanding of x86 assembly language will help in getting the most out of this speech.

Halvar Flake is an independent reverse engineer specializing in application security evaluation and source reconstruction.  With a background in copy protection, he realized one day that reverse engineering was a very handy asset on closed-source platforms such as NT/2k.  Fluent in various assembly languages and C/C++, he is furthering his research on his days off from his mandatory military service.

Previous work experiences include: detection and exploitation of buffer overflows and format string vulnerabilities under NT, and analysis of PE (Win32) viruses, polymorphic engines, trojans, CPU emulators and many other things that have been written to be annoying to reverse engineer.

Their Presentation! (PowerPoint 464k)

Lunch Speakers
Howell McConnell - Retired NSA & Regional Counternarcotics Support

International Organized Crime and Terrorism


Jeff Jonas - 

Cops and robbers - Cheating Las Vegas

Over the last 10 years, Mr. Jonas has been working with the gaming industry to create new technologies to combat the growing challenges related to fraud and "insider threats".  To catch them you must know their ways.  See how this high stakes game of cops and robbers is being played.

President and founder of Systems Research & Development (SRD), Jeff Jonas collaborates with senior management to design and develop strategic information systems.  Today companies rely on Mr. Jonas and his organization to design and implement leading edge technology solutions.  This work has been recognized on the Discovery Channel, MSNBC, and The Learning Channel, as well as in Fortune magazine and ComputerWorld.

Mr. Jonas has been significantly involved in over 50 major system development projects.  With no area of specialty other than "inventing that which does not already exist", Mr. Jonas has acquired a most diverse knowledge ranging from engineering traits of sewer systems to transactional pattern fraud detection.  With this extensive practical experience, Mr. Jonas finds more commonality than not, between what otherwise appears as unrelated business problems.