The Black Hat Briefings '01, April 23rd - 24th Hong Kong
The Black Hat Briefings '01, April 26th - 27th Singapore 

Hotel Information

There will be approximately 13 speakers over two days, including a moderated panel discussion. The speakers in Hong Kong will be the same as those in Singapore.

The goal of the talks is to give the audience a quality, current picture of system vulnerabilities and their fixes, as well as of future areas of concern.  We cover a broad range of security issues from the perspective of the network administrator, the system cracker and the IS manager.  Because of our unique speakers, The Black Hat Briefings offer the audience deep insight into the real security issues facing your network, with no vendor pitches!

NOTE: Anthony Fung and Greg Hoglund cannot speak and have been removed.
NOTE: J.D. Glaser and Saumil have expanded their web hacking talk.


Keynote Addresses
Bruce Schneier - Counterpane Internet Security, Inc.

The Three Truths of Computer Security.

Internationally renowned security technologist and author Bruce Schneier is both a Founder and the Chief Technical Officer of Counterpane Internet Security, Inc. He established the Company with Tom Rowley to address the critical need for increased levels of security services. Schneier is responsible for maintaining the Company's technical lead in world class information security technology and its practical and effective implementation. Schneier's successful tenure leading Counterpane Systems makes him uniquely qualified to shape the direction of the company's research endeavors, as well as to act as a spokesperson to the business community on e-commerce issues and solutions.

While president of Counterpane Systems, Schneier designed and analyzed hardware and software cryptographic systems, advised sophisticated clients on products and markets, and taught technical as well as business courses related to the field of cryptography. Concerns as diverse as Microsoft, the National Security Agency, Citibank, and the White House staff have all relied upon Schneier's unique expertise. In addition, Schneier designed the Blowfish algorithm, which remains unbroken after eight years of cryptanalysis. And Schneier's Twofish is among a small number of algorithms currently being considered by the National Institute of Standards and Technology for the advanced encryption standard (AES) to replace the current data encryption standard (DES). 

Schneier is the author of five books including Applied Cryptography, the seminal work in its field. Now in its second edition, Applied Cryptography has sold over 110,000 copies worldwide and has been translated into three languages. He has presented papers at many international conferences, and he is a frequent writer, contributing editor, and lecturer on the topics of cryptography, computer security, and privacy. Schneier served on the board of directors of the International Association for Cryptologic Research, is an Advisory Board member for the Electronic Privacy Information Center, and was on the board of directors of the Voter's Telecom Watch. 

Martin Khoo - Assistant Director, Incident Handling, SingCERT

Post Mortem of a Rootkit Attack

Computer forensic analysis and investigation is becoming an important skill that security practitioners increasingly find necessary to add to their arsenal. The ability to find out what went wrong is as important as knowing how to prevent something from going wrong. This presentation will cover the process of investigating a system that has been compromised, had a "rootkit" installed and then been used to attack other sites. The use of forensic analysis software, both open source and commercial, will be discussed, as well as the lessons to be learned.

Martin is an Assistant Director with the Infocomm Development Authority (IDA) of Singapore. He is in charge of security incident management, where he oversees a group of IT Security Consultants providing security services to the various government organizations. He is also the Programme Manager of the Singapore Computer Emergency Response Team (SingCERT), the national level security incident response center charged with the prevention, detection and resolution of computer security incidents on the Internet and Singapore ONE. He manages a group of Security Consultants providing incident resolution and security awareness promotion services to the local IT industry and general IT users. Martin is a frequent speaker on security and incident handling. He last spoke at the PKI Conference on "Instilling Trust for Secure eCommerce" organized by CommerceNet Singapore in October 1999.

JD Glaser - Senior Software Engineer, Foundstone, Inc.
Saumil Udayan Shah - Principal Consultant, Foundstone Inc.

Web Hacking

Web hacking is the next generation of hacking "kung fu." The previous generation of hackers concentrated on operating systems and network protocols, but operating systems are getting more robust and resistant to attacks and network protocols are getting more secure. On the other hand, e-commerce technology is increasingly common and complex. Unfortunately, not enough effort has been spent on securing Web-based infrastructure. Join us for an eye-opening demonstration on what can go wrong with poorly secured Web applications, how severe the risks are, and how to protect yourself and your company from these Web ninjas.

We shall cover vulnerabilities ranging from web server misconfiguration and improper URL parsing to application-level flaws, Java application server hacking and some special advanced techniques.

JD provides customized NT network security and audit tools for Foundstone. He specializes in Windows NT system software development and COM/DCOM application development. His most recent achievement was the successful formation of NT OBJECTives, Inc., a software company exclusively centered on building NT security tools.  Since its inception, over 100,000 of those security tools have been downloaded and put into practice. In addition, he has written several critical, unique intrusion audit papers on NT intrusion forensic issues.

Currently, JD has been retained as a featured speaker/trainer for all the BlackHat 2000 Conferences on NT intrusion issues. These conferences tackle advanced technical issues concerning criminal intrusion and computer security on the Windows NT platform. He has also spoken at SANS and ASIS. JD is an MCSE/MCSD with seven years of enterprise database development experience.  Clients have included Intel, Hewlett-Packard, Gilbarco Oil, and Columbia Sportswear.

Saumil provides information security consulting services to Foundstone clients, specializing in ethical hacking and security architecture. He holds the Certified Information Systems Security Professional (CISSP) designation.  Saumil has over 6 years of experience with system administration, network architecture, integrating heterogeneous platforms and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT arena.

Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young where he was responsible for their ethical hacking and security architecture solutions.

Saumil graduated from Purdue University with a Masters in Computer Science and a strong research background in operating systems, computer networking, information security and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in Computer Engineering from Gujarat University, India. Saumil has also authored a book titled "The Anti-Virus Book", published by Tata McGraw-Hill India. Saumil has also worked at the Indian Institute of Management, Ahmedabad as a research assistant.

Emmanuel Gadaix -

Overall security review of GSM infrastructure.

There are an estimated 100 million users of the Internet after more than 20 years of existence. This unprecedented growth is only beaten by GSM, whose user base is estimated at 500 million less than 10 years after its conception. Although GSM was designed with security in mind (as opposed to early cellular systems), there are a number of issues that surround its various components, from the user terminal (handset) to the network infrastructure implemented by operators. Upcoming 3G technologies promise us broadband multimedia, always-on 2 Mbit/s connections, a whole range of interactive services and complete integration with the Internet. This can only mean increased security concerns, for both users and operators. The presentation will focus on issues that operators are facing, or will face soon. The traditional head-in-the-sand approach of most telcos, particularly in GSM where time-to-market constraints are paramount, will certainly not withstand the upcoming integration with the Internet and its legions of hackers.

Emmanuel started his career in GSM telecommunications in 1994, specializing in Network Management Systems and Intelligent Networks, participating in the launch of several cellular networks across Asia and Europe, with a focus on Value-Added Services. In 1997 he co-founded The Relay Group, a consulting firm based in Thailand dealing mostly in penetration testing for clients in governments, financial institutions and telecommunications operators.

Marcus Ranum - CEO, Network Flight Recorder, Inc.

IDS benchmarking.

Marcus Ranum is CEO of Network Flight Recorder, Inc., and has been specializing in Internet security since he built the first commercial firewall product in 1989. He has acted as chief architect and implementor of several other notable security systems including the TIS Firewall Toolkit, the TIS Gauntlet firewall and the Network Flight Recorder. Marcus frequently lectures on Internet security issues, and is co-author of the "Web Site Security Sourcebook" with Avi Rubin and Dan Geer, published by John Wiley and Sons.

Rooster - Product Security Manager, Unknown Company.

IPSec in a Windows 2000 World

Windows 2000 has brought many new tools and techniques to the realm of security, one of which is IPSec.  This session will examine IPSec from the basics down to the packet-by-packet nuts and bolts.  We'll go through a general overview of the protocol suite as well as deployment and interoperability with Free UN*X and Cisco systems.

We'll start off with an exploration of the design and basics behind the IPSec standards.  You'll see why it was created and how it adds another layer of security that can be used in most network environments.   The protocols that will be covered are AH, ESP, IKE and ISAKMP/Oakley.

Our focus is mainly on the Windows 2000 implementation of IPSec and we will go over the configuration and design of Windows IPSec enabled networks.  In doing this, we'll also show how the Windows implementation works in a heterogeneous network including Un*x implementations of IPSec.

A detailed knowledge of TCP/IP at a protocol level will be valuable to get the most out of this presentation.
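As an added illustration of the packet-level view the session promises (this is example code written for this page, not material from the talk or from any Windows 2000, Free UN*X or Cisco implementation), the script below decodes the Authentication Header fixed part as laid out in RFC 2402, exposes the only clear-text fields of ESP (SPI and sequence number, RFC 2406), and implements the receiver's anti-replay sliding window from RFC 2401 Appendix C. The AH bytes and the sequence of received sequence numbers are constructed here so it runs offline; the 12-byte ICV length assumes HMAC-MD5-96 or HMAC-SHA1-96, which is what both Windows 2000 and the UN*X implementations negotiate by default.

```python
"""AH/ESP header decoding and anti-replay checking (constructed example)."""
import struct

IPPROTO_ESP = 50    # protocol numbers a packet filter must pass for IPSec
IPPROTO_AH = 51
IKE_UDP_PORT = 500  # ISAKMP/IKE negotiation runs over UDP 500


def parse_ah(data: bytes) -> dict:
    """Decode an Authentication Header (RFC 2402).

    Fixed part: next header (1 byte), payload length (1), reserved (2),
    SPI (4), sequence number (4), then the ICV. Payload length counts the
    whole AH in 32-bit words minus 2, so ICV length = (payload_len + 2) * 4 - 12.
    """
    if len(data) < 12:
        raise ValueError("AH truncated")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    icv_len = (payload_len + 2) * 4 - 12
    if icv_len < 0 or len(data) < 12 + icv_len:
        raise ValueError("AH ICV truncated")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[12:12 + icv_len], "payload": data[12 + icv_len:]}


def parse_esp_clear(data: bytes) -> dict:
    """Decode the only clear-text fields of ESP (RFC 2406): SPI and sequence
    number. Everything after byte 8 is ciphertext plus trailer and ICV, which
    is why an IDS cannot look inside ESP traffic."""
    if len(data) < 8:
        raise ValueError("ESP truncated")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "encrypted": data[8:]}


class ReplayWindow:
    """Receiver-side anti-replay window (RFC 2401 Appendix C).

    'top' is the highest sequence number accepted so far; bit i of 'bitmap'
    is set when top - i has already been received. Sequence numbers start
    at 1, so 0 is never valid.
    """

    def __init__(self, size: int = 32):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False
        if seq > self.top:                      # advances the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                 # everything older falls out
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                   # too old to be checked: drop
            return False
        if self.bitmap & (1 << diff):           # already seen: replay
            return False
        self.bitmap |= 1 << diff                # late but new: accept
        return True


# Constructed AH in tunnel mode: next header 4 (IP-in-IP), payload length 4
# (a 24-byte AH with a 12-byte ICV), SPI 0x1000, sequence number 1.
SAMPLE_AH = struct.pack("!BBHII", 4, 4, 0, 0x1000, 1) + b"\x11" * 12 + b"inner-ip"


def replay_demo(seqs=(1, 3, 2, 2, 1, 50, 18, 19)) -> list:
    """Feed a constructed arrival order through the window. The second 2,
    the replayed 1 and the too-old 18 (after 50 moved the window) are rejected."""
    w = ReplayWindow()
    return [w.accept(s) for s in seqs]


if __name__ == "__main__":
    print(parse_ah(SAMPLE_AH))
    print(replay_demo())
```

Note that a firewall between two IPSec peers needs to pass protocol 50 and 51 plus UDP 500 for IKE; a filter that only knows TCP and UDP will silently drop AH and ESP, which is the most common interoperability failure when mixing Windows 2000 with other stacks.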

Rooster has been involved with computer security in one form or another since the mid 80's.  Currently working for a software development company, he is responsible for product security.  With specialties in Layer 3 and networking services, Rooster has been involved in many aspects of IT infrastructure and product development.

Simple Nomad - Senior Security Analyst, BindView

Stealth Network Techniques: Offensive and Defensive.

In this talk various stealth network communication techniques for passing information between nodes will be discussed. Their application from both an attacker and defender perspective will be discussed, including evading firewalls and IDSs, as well as evading possible sniffing attackers.
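The talk's own techniques are not listed here; as an added example of the class it describes (information carried in a header field that firewalls, IDSs and casual sniffers do not inspect), the script below implements the IPv4 identification field covert channel that Craig Rowland described for Covert_TCP (1997), together with a defender-side heuristic that flags such a stream. It is example code written for this page, nothing is sent on the wire, and the "packets" are 20-byte IPv4 headers built in memory; the baseline traffic it compares against is a constructed incrementing-ID stream of the kind most stacks of the period generate.

```python
"""Covert channel in the IPv4 ID field, and a detector for it (constructed example)."""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, ip_id: int, proto: int = 6, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no payload) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def ip_id_of(header: bytes) -> int:
    return struct.unpack("!H", header[4:6])[0]


def encode_covert(message: bytes, src: str, dst: str) -> list:
    """Sender side: one message byte per packet, carried in the IP ID field.
    The packets look like ordinary connection attempts to a filter that only
    checks addresses and ports."""
    return [build_ipv4_header(src, dst, byte) for byte in message]


def decode_covert(packets: list) -> bytes:
    """Receiver side: read the IP ID of each packet back out as a byte."""
    return bytes(ip_id_of(p) & 0xFF for p in packets)


def normal_stream(src: str, dst: str, n: int, start: int = 0x4C20) -> list:
    """Constructed baseline: a stack that increments the IP ID per datagram."""
    return [build_ipv4_header(src, dst, (start + i) & 0xFFFF) for i in range(n)]


def ip_id_suspicious(packets: list, min_packets: int = 8) -> bool:
    """Defender-side heuristic. Ordinary senders walk the ID upward in small
    steps (or use the full 16-bit range at random on stacks that randomize).
    A stream whose IDs mostly sit in 0..255 and do not climb looks more like
    a covert channel than a datagram counter. Thresholds are arbitrary."""
    ids = [ip_id_of(p) for p in packets]
    if len(ids) < min_packets:
        return False
    low_only = sum(1 for i in ids if i < 256) / len(ids)
    climbing = sum(1 for a, b in zip(ids, ids[1:]) if 0 < b - a <= 16) / (len(ids) - 1)
    return low_only > 0.5 and climbing < 0.5


if __name__ == "__main__":
    covert = encode_covert(b"meet at 9 pm", "10.0.0.1", "10.0.0.2")
    print(decode_covert(covert), ip_id_suspicious(covert))
    print(ip_id_suspicious(normal_stream("10.0.0.1", "10.0.0.2", 12)))
```

The attacker's counter to this detector is to spread the message more thinly (one bit per packet, or the high byte only, or the TCP ISN), which is why the defensive side of the talk matters as much as the offensive one.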

Simple Nomad, a Senior Security Analyst for BindView Corporation, adds distributed systems and networking expertise to BindView's RAZOR security team. He is also the founder of the Nomad Mobile Research Centre, and has spent years developing and testing various computer systems for security strengths. He has authored numerous papers, developed a number of tools for testing the security and insecurity of computer systems, is a regular lecturer at security conferences, and has been quoted in various media outlets regarding computer security.

David Litchfield - Director of Security Architecture, @Stake.

Remote Web Application Disassembly with ODBC Error Messages

Known as the UK's NT Guru by ZDNet, David is a world-renowned security expert specializing in Windows NT and Internet security. His discovery and remediation of over 100 major vulnerabilities in products such as Microsoft's Internet Information Server and Oracle's Application Server have led to the tightening of sites around the world. David Litchfield is also the author of Cerberus' Internet Scanner (previously NTInfoscan), one of the world's most popular free vulnerability scanners. In addition to CIS, David has written many other utilities to help identify and fix security holes. David is the author of many technical documents on security issues, including his tutorial on Exploiting Windows NT Buffer Overruns referenced in the book "Hacking Exposed".

Rain Forest Puppy - 

Web Assessment Tools.

As the web becomes more and more feature-full (or bloated, depending on your stance), it also becomes rich ground for security concerns and exploitation.  The HTTP protocol was meant for simple file serving (much like gopher); grafting e-commerce applications and secure transactions on top of it has always been a bumpy road, particularly if you want to do it securely.

However, to date, there have only been a few tools to help an administrator or researcher properly assess and check the security of these applications and underlying technology.  In this talk RFP will review a few currently-available tools and their pitfalls, as well as introduce his latest suite of web assessment tools which overcome those pitfalls.

RFP is the director of research and development for a midwest consulting company.  The bulk of RFP's contributed work can be found at

Kevin McPeake - Senior Consultant, Trust Factory.
Wouter Aukema- Co-founder, Trust Factory.

Falling Domino's 

Lotus Notes/Domino is considered one of the more secure mail/groupware platforms in the world. With an installed base of more than 50 million seats, mainly corporate and government, the product is used by almost all financial institutions, big 6 accounting firms, government secret agencies and defense organizations.

At Defcon 8, Trust Factory consultants Patrick Guenther, Kevin McPeake and Wouter Aukema presented several new vulnerabilities, along with Chris 'BloodAxe' Goggans of Security Design International, who validated their research. Topics included known vulnerabilities and new ones, such as bypassing the Execution Control List, modifying Notes design elements and identity theft. Using Notes Sesame, a tool written by Patrick Guenther, Trust Factory demonstrated weaknesses in the hashing algorithms for internet passwords as well as in the validation of Notes ID files obtained from remote networks and users.

At Black Hat Asia, Patrick and Wouter will give in-depth information about the vulnerabilities they discovered, and an update on the latest results of their ongoing research.

1. Execution Control List: the ECL was designed to prevent malicious code from running on a client. Several methods exist to bypass and/or reset the ECL.
2. Design element manipulation: how to re-enable Stored Forms, a feature known to be dangerous, and how to implement mechanisms for information operations.
3. Traditional hashing algorithms.
4. ID file: the validation mechanism, bypassing it, and brute-forcing an ID file.
5. Revealing the 'strong' password hash: the strong password hash was Lotus' answer to the vulnerabilities they discovered. Patrick will talk about the latest findings of his research regarding the "strong password hash".

Originally entering the world of computer security at the age of 11, armed with his TRS-80, Kevin McPeake has worked in many different facets of the computer industry.  In the beginning of the 90's, after he began his formal career, he developed applications for various banks and institutions which were making the move to electronic funds transfers over X.25 networks.  In 1993, his skills in protocols and programming were recognized by a Dutch firm, who relocated him to Germany and later to The Netherlands, where he worked on protocol development for the BBS and telecom industry.  After trying his hand at international sales (which he refers to as "paid social engineering") in 1994, Kevin returned to the IT market in the USA, where he worked as an X.25 network and Internet consultant.  In 1996, Kevin was relocated to The Netherlands for his "2nd Tour of Duty" by another Dutch firm, where he served as an Infrastructure Consultant and later Chief of Network Security.  Realizing that one could actually make money in security, he eventually returned to his roots and co-founded his own security company, Trust Factory BV, where he now serves actively as a senior consultant as well as the CEO.

Wouter Aukema is the co-founder of Trust Factory. He has been in the security underground for about three years, and he concentrates mainly on Lotus Notes/Domino and other (client) application security issues.  His interest in computers dates from 1980, when he bought himself an Acorn Atom. Since '86, Wouter has worked for several corporations, such as the Philips subsidiary Origin, AT&T and the Venezuelan state-owned oil company PDVSA, where he also specialised in telephone switches.

Patrick Guenther, a Swiss native and resident, previously worked at Arlan SA, where he personally oversaw the integration of Lotus Notes into the KLE-LINE electronic payment system, and developed a Java based licensing system for third party Lotus Notes applications.  Guenther also developed the first version of EQS (Electronic Quality System) for Lotus Notes, which went on to win the Lotus Beacon Award in 1996.  Guenther recently joined Trust Factory in May 2000, where he heads up R&D of security vulnerabilities as well as new software products.  Guenther recently was credited with the discovery of multiple password hashing problems within the Lotus Notes environment and presented these findings to the community at DEFCON-8.

Shaun Clowes - I.T Director SecureReality 

Breaking In Through The Front Door
The impact of Application Service Provision and Browser Based Applications on traditional security models

With the rise of ASP and B2B e-commerce, the IT world has moved into a new environment, dramatically different in its security requirements. Unfortunately the paradigms that govern 'world's best practice' haven't moved to match the new environment.  This talk:

- Explores the phenomenon of ASP and web based applications and how they differ from traditional client/server and centralised computing
- Examines the tools and languages that are driving ASP in a security context
- Discusses why typical web applications are vulnerable
- Shows how the vulnerabilities can be used in an attack scenario
- Uses PHP as an example of an ASP/web application driver:
  - Examines how easy it is to exploit PHP scripts, and why
  - Gives real life examples with previously unpublished vulnerabilities in very popular PHP scripts
- Discusses methods to limit the threat to:
  - PHP applications
  - Application Service Provider applications
  - Any web based application
- What works and what doesn't

Shaun Clowes is the I.T. director of SecureReality, Australia's cutting edge security consultancy, which specializes in security research, e-business security and code auditing. Shaun has over 4 years of experience in the IT industry, from C coding under *nix to S/390 mainframe administration to PHP scripting. Shaun leads the vulnerability research arm of SecureReality, which is broadly exploring the security landscape, testing both the obvious targets and the glue that holds everything together.

Fyodor Yarochkin and the ISS / Taiwan R&D Team - 

Non-common architectures buffer overflows.

This talk features three case studies of buffer overflow exploitation techniques for three major non-Intel architectures frequently found on the Internet: PA-RISC (HP-UX), RS/6000 (AIX) and SPARC (SunOS 5.x).
Exploitation of other common security problems (such as format string vulnerabilities and heap buffer overflows), as well as architecture-specific tricks and twists, will also be covered.

Fyodor Yarochkin is a security analyst for eGlobal Technology / TruSecure Asia Pacific. He gained a degree in computer science at Kyrgyz Russian Slavic University and has been involved with security for 5 years. His previous experience includes penetration testing, vulnerability research, programming of intrusion detection and prevention tools, code auditing, attack tools, etc.

Yu-Min Chang is a research team leader for Internet Security Solutions Co. Ltd in Taiwan. He holds a degree in Mathematics and a Masters in Computer Science from the National Chengchi University, where he was also a PhD candidate. His interests in the security field include penetration testing, forensics, distributed attack tool implementation, code audit, crypto and any other interesting area of security. Previous work experience includes system administration of IBM 3090, IBM 4341, IBM RS/6000 and IBM SP2 systems, and penetration testing of AIX, Sun SPARC and some x86 UNIX platforms.

Chieh-Chun Lin is an R&D researcher for Internet Security Solutions Co. Ltd in Taiwan. He majored in Mathematics. After finishing his studies, he served in the ROC (Taiwan) Army Electronic Warfare Company for two years as a squad leader. Previous work experience includes system administration of HP 700/800 series, Sun SPARC and BSD systems at TungHai University (Taiwan), and research at the Taiwan Computer Emergency Response Team (TWCERT).

Huang-Yu Wang is an R&D researcher for ISS/TW. He is a psychology major. Before finishing his psychology studies, he discovered the Internet and decided to study information engineering. After finishing his studies, he became a system engineer and became interested in security. He currently develops security tools and techniques at ISS/TW.

Tim Mullen, CIO AnchorIS.Com

Restrict Anonymous and the Null User

What many people fail to realize is that, with a combination of a few different API calls, the entire user base of a domain controller can be dumped out over a null session even when RestrictAnonymous has been explicitly turned on.  Win2k adds a new value for RA (RA=2), but the operational downside of using it is so great that many people can't and won't use it.  Even with Win2k and RA set to 1, it is still possible to grab the entire user base, and not just that: by properly parsing certain DWORD values returned by the API call, extremely detailed information about each user, basically every aspect of the account, can be recovered.  These issues will be explored in detail.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, and develops secure enterprise-level accounting software products and procedures.

Deep Knowledge Speakers
Ofir Arkin - Founder, The sys-security Group.

ICMP Usage In Scanning (The Advanced Methods)

The ICMP protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later clarified in RFCs 1122, 1256, 1349 and 1812) as a means of sending error messages. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP suite. The risks involved in allowing ICMP on a network are the subject of this lecture.

First we will outline the basics, going over the ICMP protocol's characteristics. We will briefly introduce host detection methods using the various ICMP query message types, with some elementary examples. Next we will go over some advanced host detection methods, mainly centred on eliciting an ICMP error message from the probed machines. Methods that allow us to map entire networks and to understand the ACL filtering devices protecting them will be used during the lecture. Some of these methods also allow us to bypass weak firewalls.

Recent methods of operating system fingerprinting discovered by the ICMP project ( will also be presented. Some of the methods deal with the ICMP query replies produced for a crafted ICMP query, while others deal with the ICMP error messages produced by the targeted machine in response to a crafted, error-eliciting query. Some of the methods allow a malicious attacker to clearly identify the flavor of an operating system, including Microsoft Windows 2000 machines, and to isolate certain groups of operating systems. We will also introduce ways to identify these fingerprinting attempts.

New methods currently being researched by Ofir Arkin, which deal with passive fingerprinting with the ICMP protocol, will be discussed as well.  With passive fingerprinting we will, for example, be able to distinguish clearly between the various Microsoft operating systems.

At the end of the talk a few minutes will be spent on some considerations necessary for firewall policy design.
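To make the mechanics concrete, here is an added example (written for this page; it is not code from the talk or from the sys-security ICMP project) that builds the four ICMP query types from RFC 792 with valid checksums, verifies and decodes a reply, and extracts two of the observable differences the lecture exploits: whether a query reply preserves a non-zero code placed in the request, and how many bytes of the offending datagram an ICMP error message quotes (RFC 792 asks for the IP header plus 8 bytes; some stacks quote more). Which operating systems behave which way is the content of the talk and is not encoded here. The replies are constructed by a simulated host, not captured, so the script needs no network access.

```python
"""ICMP query crafting and reply checks for host detection and fingerprinting."""
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8
ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_INFO_REQUEST, ICMP_INFO_REPLY = 15, 16
ICMP_ADDRESS_MASK, ICMP_ADDRESS_MASK_REPLY = 17, 18

# query type -> reply type a host sends back if it implements that query at all
QUERY_TO_REPLY = {ICMP_ECHO: ICMP_ECHO_REPLY,
                  ICMP_TIMESTAMP: ICMP_TIMESTAMP_REPLY,
                  ICMP_INFO_REQUEST: ICMP_INFO_REPLY,
                  ICMP_ADDRESS_MASK: ICMP_ADDRESS_MASK_REPLY}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a correct message sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_query(icmp_type: int, code: int = 0, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Type, code, checksum, identifier, sequence, then the type-specific body.
    A non-zero code on an echo request is one of the crafted fields whose
    handling differs between stacks."""
    if icmp_type == ICMP_TIMESTAMP:
        body = struct.pack("!III", 0, 0, 0)     # originate/receive/transmit stamps
    elif icmp_type == ICMP_ADDRESS_MASK:
        body = b"\x00\x00\x00\x00"              # mask, filled in by the reply
    elif icmp_type == ICMP_INFO_REQUEST:
        body = b""
    elif icmp_type == ICMP_ECHO:
        body = b"probe"
    else:
        raise ValueError("not an ICMP query type")
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(hdr + body)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + body


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message and verify its checksum. 'rest' holds bytes 4..7
    (identifier/sequence for queries, 'unused' for errors); 'body' follows."""
    if len(packet) < 8:
        raise ValueError("ICMP message truncated")
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    return {"type": icmp_type, "code": code, "checksum_ok": inet_checksum(packet) == 0,
            "rest": packet[4:8], "body": packet[8:]}


def matches_query(query: bytes, reply: bytes) -> bool:
    """Host detection: a valid reply of the paired type echoing our id/seq."""
    q, r = parse_icmp(query), parse_icmp(reply)
    return r["checksum_ok"] and QUERY_TO_REPLY.get(q["type"]) == r["type"] and q["rest"] == r["rest"]


def echo_code_preserved(query: bytes, reply: bytes) -> bool:
    """Fingerprint bit: did the stack copy our (non-zero) code into the reply?"""
    return parse_icmp(query)["code"] == parse_icmp(reply)["code"]


def quoted_payload_octets(error_msg: bytes) -> int:
    """Fingerprint bit: how many bytes of the offending datagram beyond its IP
    header were quoted in an ICMP error (RFC 792 says 8)."""
    p = parse_icmp(error_msg)
    if p["type"] != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    ihl = (p["body"][0] & 0x0F) * 4             # IHL of the quoted IP header
    return len(p["body"]) - ihl


def simulated_reply(query: bytes, keep_code: bool) -> bytes:
    """Constructed stand-in for a probed host: mirrors id/seq and body;
    keep_code models whether the stack echoes a non-zero code."""
    q = parse_icmp(query)
    hdr = struct.pack("!BBH", QUERY_TO_REPLY[q["type"]], q["code"] if keep_code else 0, 0) + q["rest"]
    csum = inet_checksum(hdr + q["body"])
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + q["body"]


def simulated_dest_unreach(quoted: bytes, code: int = 3) -> bytes:
    """Constructed Destination Unreachable (code 3 = port unreachable) quoting
    'quoted' bytes of the datagram that provoked it."""
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = inet_checksum(hdr + quoted)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + quoted


# Constructed offending datagram: 20-byte IPv4 header (UDP) + 8-byte UDP header + 20 data bytes.
SAMPLE_DATAGRAM = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x0BAD, 0, 64, 17, 0,
                               b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
                   + struct.pack("!HHHH", 40000, 33434, 28, 0) + b"A" * 20)

if __name__ == "__main__":
    echo = build_icmp_query(ICMP_ECHO, code=5)
    print(echo_code_preserved(echo, simulated_reply(echo, keep_code=True)))
    print(quoted_payload_octets(simulated_dest_unreach(SAMPLE_DATAGRAM)),       # whole datagram quoted
          quoted_payload_octets(simulated_dest_unreach(SAMPLE_DATAGRAM[:28])))  # RFC 792 minimum
```

Sending these probes needs a raw socket and root; the value of the offline version is that the same parse functions run unchanged over a sniffer capture, which is also how the defender spots the probes: an address mask or information request arriving from outside is a scan, not legitimate traffic.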

Ofir Arkin is a researcher and explorer of the computer security field. His passion for "know how" has led him to many projects at the lowest levels of TCP/IP stack implementations. Ofir has published numerous papers about his work, the most recent being "Identifying ICMP Hackery Tools Used in the Wild Today", "ICMP Usage In Scanning" and "Unverified Fields - A Problem with Firewalls & Firewall Technology Today". All are available from Ofir Arkin's web site.

Currently Ofir is working at OFEK, as the company's Security Technical Manager. OFEK is in the process of becoming a National Operator and a leading provider of advanced telecommunication services in Israel as a carrier of voice, Internet, data and video through a convergence of services.

HalVar Flake - Reverse Engineer.

Finding holes in closed-source software (With IDA)

Application security is crucial in any networked environment. Joey__ demonstrated how reverse engineering can be used to find unknown vulnerabilities in his speech at Black Hat Singapore. This speech will go further into the idea of using reverse engineering to audit closed-source programs.

Specifically, the first focus will be on common programming mistakes such as buffer overflows and format string vulnerabilities, and how they can be spotted when no source is available.

The second focus will be on how to reduce the amount of repetitive and boring work by devising algorithms that do a good part of the stupid work automatically and are capable of pointing out dangerous or suspicious programming constructs.

Finally it will be demonstrated how these algorithms were used in a real-life example to find a yet-unpublished buffer-overflow vulnerability.

A passing understanding of x86 assembly language, as well as of the concepts behind buffer overflows and format string problems, will help greatly in understanding this speech.  While the speech focuses primarily on x86 platforms, I will briefly cover some issues concerning SPARC at the end.
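The simplest form of the automation the abstract describes can be shown in a few dozen lines. The script below is an added example written for this page, not HalVar Flake's tooling: it walks an IDA-style x86 listing and reports every call to a length-free copy routine, and every call to a printf-family routine whose format argument was not pushed as "offset <string>" (the candidate format string bug). It assumes the cdecl convention (arguments pushed right to left, so the first argument is the last push before the call), IDA's ".text:ADDR mnemonic operands ; comment" layout, and a constructed listing in place of a real binary; a real pass would also have to follow arguments passed through registers or written with mov [esp+n].

```python
"""Flag unbounded copies and non-constant format strings in an IDA listing."""
import re

# 0-based position of the format argument for each printf-family routine
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
              "vsprintf": 1, "syslog": 1}
# copy routines that take no length at all
UNBOUNDED_COPY = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}

LINE_RE = re.compile(r"^\s*[.\w]+:([0-9A-Fa-f]+)\s+(.*?)\s*$")


def _split(line: str):
    """Return (address, mnemonic, operand text), or None for non-code lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    addr, rest = m.groups()
    rest = rest.split(";", 1)[0].strip()          # drop IDA's trailing comment
    if not rest:
        return None
    parts = rest.split(None, 1)
    return addr, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def _callee(operand: str) -> str:
    """'_printf', 'ds:__imp__printf', 'printf' -> 'printf'."""
    name = operand.split()[0]
    if name.lower().startswith("ds:"):
        name = name[3:]
    if name.startswith("__imp_"):
        name = name[len("__imp_"):]
    return name.lstrip("_").lower()


def scan_listing(listing: str) -> list:
    """Return (address, callee, reason) for every suspicious call."""
    findings = []
    pushes = []                                   # operands pushed since the last call
    for line in listing.splitlines():
        parsed = _split(line)
        if not parsed:
            continue
        addr, mnem, operand = parsed
        if mnem == "push":
            pushes.append(operand)
        elif mnem == "call":
            callee = _callee(operand)
            if callee in UNBOUNDED_COPY:
                findings.append((addr, callee, "unbounded copy"))
            if callee in FORMAT_ARG:
                idx = FORMAT_ARG[callee]          # argument i is the (i+1)-th push from the end
                fmt = pushes[-1 - idx] if len(pushes) > idx else None
                if fmt is None or not fmt.lower().startswith("offset"):
                    findings.append((addr, callee, "non-constant format string"))
            pushes = []                           # the call consumed its arguments
    return findings


# Constructed listing: strcpy into a stack buffer, then printf(buf), then printf("%s", buf).
SAMPLE_LISTING = """
.text:00401000 sub_401000      proc near
.text:00401000                 push    ebp
.text:00401001                 mov     ebp, esp
.text:00401003                 sub     esp, 100h
.text:00401009                 mov     eax, [ebp+arg_0]
.text:0040100C                 push    eax             ; src (attacker controlled)
.text:0040100D                 lea     ecx, [ebp+buf]
.text:00401013                 push    ecx             ; dst
.text:00401014                 call    _strcpy
.text:00401019                 add     esp, 8
.text:0040101C                 lea     edx, [ebp+buf]
.text:00401022                 push    edx             ; format string is the buffer itself
.text:00401023                 call    _printf
.text:00401028                 add     esp, 4
.text:0040102B                 lea     eax, [ebp+buf]
.text:00401031                 push    eax
.text:00401032                 push    offset aS       ; "%s"
.text:00401037                 call    _printf
.text:0040103C                 add     esp, 8
.text:0040103F                 leave
.text:00401040                 retn
"""

if __name__ == "__main__":
    for addr, callee, reason in scan_listing(SAMPLE_LISTING):
        print(addr, callee, reason)
```

The second printf is correctly left alone because its format argument is a constant; the first is reported because the format pointer came out of a register. Everything flagged still has to be checked by hand, which is the point of the talk: the algorithm removes the boring part, not the thinking.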

HalVar Flake is a reverse engineer specializing in x86 assembly. Originally working in the realm of copy protection on the NT platform, he one fateful day decided that writing an exploit for a buffer overflow was a good way to pass a Sunday afternoon.  He was hooked, and realized that his reverse engineering experience was a very handy asset on a closed-source platform such as NT.

After completely abandoning copy protection work in favour of network security, he spent his time reverse engineering applications and looking for flaws. He is currently serving his mandatory military service in Germany while working for The Relay Group during his days off.

Previous work experience includes analyzing PE viruses, polymorphic engines, CPU emulators and pretty much everything that has been written to be annoying to reverse engineer.