Black Hat Federal 2003 Topics and Speakers

Black Hat Federal 2003 Overview

Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win Admission to a future Briefings of your choice.

Lessons From the Hanssen Spy Case: Not What You Expect
David G. Major, co-founder, the Centre for Counterintelligence & Security Studies
On February 21, 2001 the media announced the arrest of FBI counterintelligence expert and Supervisory Special Agent Robert Hanssen, who had been charged with espionage for Soviet and then Russian intelligence between November 1979 and his arrest on Sunday, February 18, 2001. Since that day he has pleaded guilty and been sentenced to prison for the rest of his life with no possibility of parole. He has been debriefed numerous times, and a top secret damage report has been prepared. Congress and the Executive Branch have conducted extensive reviews of this case in an effort to determine how and why he could have spied for so long. As is so often the case in espionage cases, both government security professionals and individuals are left with lingering questions about what the lessons learned from this case are. Most of the media and many government reviews of this case have come to some simplistic conclusion. When the depth of Hanssen’s treachery, motivations and damage to national security are studied, the lessons learned for managers, security professionals and each individual citizen are far more complex than most anticipate. This discussion will attempt to answer some of the lingering questions that remain. What should we learn from one of the most damaging spies in American history? Not what you expect.

David Major has made a life-long commitment to the practice and study of counterintelligence, making him one of the nation’s top experts on the subject. His views and advice are sought after by the government, private companies and national and international media. Major has a passion for helping people gain a greater understanding of the importance of counterintelligence and has been giving speeches and training people since the 1970s. He is known as a dynamic, enthusiastic and incredibly interesting speaker who holds the audience captivated on any topic. He is able to speak on an unlimited number of different topics, many of which are taken directly from segments in the highly-rated courses his training company provides.

Major served in the FBI from street agent to senior official and worked foreign counterintelligence his entire career. He has been involved in various ways in nearly all of the major espionage cases of the past 30 years and has recruited, run and handled agents, double agents and defectors, as well as caught spies. Major’s skills and abilities led to his being named the first FBI official assigned to the National Security Council. He served as the Director, Intelligence and Counterintelligence Programs in 1985 and 1986, and briefed and advised President Reagan on counterintelligence matters. He was also instrumental in an administration effort to decrease the number of Soviet intelligence officers in the US, who were overwhelming the FBI’s resources. As a result, over 80 Soviet KGB and GRU officers were expelled from the United States.

Upon retiring from the FBI, Major co-founded the Centre for Counterintelligence and Security Studies to provide high-quality counterintelligence and security training for the government and corporate sector. The Centre has trained nearly 10,000 people in counterintelligence, intelligence, counterterrorism and security topics. He hosts CI-TV, an internal government TV series of over 154 episodes that helps educate government personnel on lessons learned from espionage cases. As an outreach program for the public, he helped develop the concepts of SpyDrive™ and SpyCruise® as a way of teaching people about the reality of espionage and the importance of vigilance. Both of these products received world-wide media coverage and attention.

In February 2001, the arrest of senior FBI agent Robert Hanssen stunned the nation, and no one more so than David Major. Major had known Hanssen for 20 years as a coworker and was his supervisor at one point. Expert knowledge of counterintelligence, combined with a drive to understand Hanssen and his actions, has made Major truly one of the country’s top experts on the case. He has developed an extensive and comprehensive presentation to show the man, his methods, his damage and the lessons learned. When CBS-TV had director/producer Lawrence Schiller and author Norman Mailer create a movie about Robert Hanssen, they hired Major and his company as technical advisors. Major briefed Schiller and Mailer on the case and showed them where Hanssen lived, worked and operated as a spy. He also briefed and advised actors William Hurt, Ron Silver and Wayne Knight on the case and the characters they would be playing in the movie. Schiller based the character Ron Silver played, Hanssen’s boss, on David Major.

Major’s expertise in the areas of counterintelligence and intelligence led him to be named to the select group of advisory board members of the International Spy Museum in Washington, DC.

The Ghost in the Machine - Security as the Real Human Computer Interface
Keith Rhodes, Chief Technologist, GAO

Computers and computer security are incorrectly viewed as a "technical issue" best left to the technicians. This talk walks through several of the common errors found in GAO's security testing and shows how these technical issues are actually human errors that must be corrected as a root cause if organizations are to have any chance of becoming more secure.

Keith Rhodes is currently the Chief Technologist in the Center for Technology and Engineering, where he has contributed to a wide variety of technically complex reports and testimony. Before holding this position, Mr. Rhodes was the Technical Director in GAO's Office of the Chief Scientist for Computers and Telecommunications. As Technical Director, he provided assistance throughout GAO for issues relating to computer and telecommunications technology. His earlier work experience includes being a supervisory computer scientist at Lawrence Livermore National Laboratory and working on computer and telecommunications projects at Northrop Corporation and Ohio State. Mr. Rhodes's graduate degrees are in computer engineering, from Ohio State University, and in engineering physics, from the University of California (Los Angeles).

MOSDEF Tool Release
David Aitel, Immunity, Inc.

Dave Aitel has spent 3 years in the private sector researching vulnerabilities, after six years working with the NSA. He is currently running Immunity, Inc., a NYC based consulting and security services firm. Immunity is best known for its donations of SPIKE and SPIKE Proxy to the security community.

Using Xprobe2 in a Corporate Environment
Ofir Arkin, Founder, Sys-Security Group

Xprobe2 is a remote active operating system fingerprinting tool with a different approach to operating system fingerprinting.

The latest version of Xprobe2 was released at Black Hat USA 2003.

The talk will present the way Xprobe2 operates, its usage scenarios, and how Xprobe2 overcomes several issues affecting active operating system fingerprinting.

The talk will present the issues affecting traditional active operating system fingerprinting and how these issues directly affect the results that different active operating system fingerprinting tools relying on these methods produce.

New advancements in the field of active operating system fingerprinting, which greatly enhance the accuracy of Xprobe2, will also be presented.

Examples and usage scenarios will be discussed. The main emphasis will be on how to benefit the most from using Xprobe2, and how to perform corporate wide network auditing using Xprobe2.

The talk will explain why accurate operating system fingerprinting is an extremely important stage in auditing and in nearly any network security related process.

Finally, Xprobe2’s future development plan will be discussed.
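The abstract above says Xprobe2 takes a different approach from exact-match fingerprinting and copes with the issues (filtered probes, modified stacks) that throw off traditional tools. The following is an added example, not Xprobe2's own code or signature database: it shows the scoring idea in the abstract's spirit, where each observed response attribute votes for every candidate OS with a weight, a filtered probe abstains rather than counting against a match, and the result is a ranked list with a confidence value. Every probe name, signature value, weight and observation below is constructed for the demonstration; a real tool sends the ICMP and TCP probes and fills in the observation dict from the replies.

```python
"""Weighted-signature OS fingerprinting, in the spirit of Xprobe2's scoring
approach. Added example, not Xprobe2's own code: every signature value, probe
name and weight below is an assumption constructed for the demonstration, and
the real tool sends actual ICMP/TCP probes where this code takes a dict of
already-parsed observations.
"""
from typing import Dict, List, Optional, Tuple

# observation: "probe.attribute" -> value, or None when the probe drew no reply
Observation = Dict[str, Optional[object]]

# Constructed signature database (hypothetical values, NOT Xprobe2's fingerprints)
SIGNATURES: Dict[str, Dict[str, object]] = {
    "Linux 2.4": {
        "icmp_echo.ttl": 64, "icmp_echo.df": True, "icmp_echo.code_echoed": True,
        "icmp_unreach.tos": 0xC0, "icmp_unreach.echoed_bytes": "all",
        "tcp_syn.window": 5840,
    },
    "Windows 2000": {
        "icmp_echo.ttl": 128, "icmp_echo.df": False, "icmp_echo.code_echoed": False,
        "icmp_unreach.tos": 0x00, "icmp_unreach.echoed_bytes": "8",
        "tcp_syn.window": 16384,
    },
    "OpenBSD 3.x": {
        "icmp_echo.ttl": 255, "icmp_echo.df": False, "icmp_echo.code_echoed": False,
        "icmp_unreach.tos": 0x00, "icmp_unreach.echoed_bytes": "8",
        "tcp_syn.window": 16384,
    },
}

# Assumed weights: behaviour that is hard to change without a different stack
# (how much of the offending datagram is echoed, the TOS on errors) counts more
# than values an administrator can tune with a sysctl.
WEIGHTS: Dict[str, float] = {
    "icmp_echo.ttl": 1.0, "icmp_echo.df": 1.0, "icmp_echo.code_echoed": 1.0,
    "icmp_unreach.tos": 1.5, "icmp_unreach.echoed_bytes": 1.5, "tcp_syn.window": 1.0,
}


def initial_ttl(observed: int) -> int:
    """Map a TTL seen on the wire back to the initial value the sender used.
    The reply was decremented once per hop, so round up to the next common
    starting value (32, 64, 128, 255)."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def score_candidate(signature: Dict[str, object], observation: Observation,
                    weights: Dict[str, float] = WEIGHTS) -> float:
    """Fraction of the signature's weighted attributes the observation matched."""
    earned = 0.0
    possible = 0.0
    for attr, expected in signature.items():
        weight = weights.get(attr, 1.0)
        possible += weight
        seen = observation.get(attr)
        if seen is None:
            continue                      # filtered probe: abstain, do not penalise
        if attr.endswith(".ttl"):
            matched = initial_ttl(int(seen)) == expected
        else:
            matched = seen == expected
        if matched:
            earned += weight
    return earned / possible if possible else 0.0


def fingerprint(observation: Observation,
                signatures: Dict[str, Dict[str, object]] = SIGNATURES,
                weights: Dict[str, float] = WEIGHTS) -> List[Tuple[str, float]]:
    """Rank every candidate OS by score, best first, with a rounded confidence."""
    ranked = sorted(
        ((score_candidate(sig, observation, weights), name) for name, sig in signatures.items()),
        reverse=True,
    )
    return [(name, round(score, 2)) for score, name in ranked]


# Constructed observations. A Linux-like host three hops away whose TCP probe
# was dropped by a firewall, and a host that answers only ICMP echo.
HOST_BEHIND_FIREWALL: Observation = {
    "icmp_echo.ttl": 61, "icmp_echo.df": True, "icmp_echo.code_echoed": True,
    "icmp_unreach.tos": 0xC0, "icmp_unreach.echoed_bytes": "all", "tcp_syn.window": None,
}
HOST_ICMP_ONLY: Observation = {
    "icmp_echo.ttl": 126, "icmp_echo.df": False, "icmp_echo.code_echoed": False,
}

if __name__ == "__main__":
    for label, obs in (("firewalled", HOST_BEHIND_FIREWALL), ("icmp-only", HOST_ICMP_ONLY)):
        print(label, fingerprint(obs))
```

Because a missing reply abstains, the firewalled host still scores 0.86 for the Linux signature instead of dropping to an unknown, and the ICMP-only host is still ranked, but at 0.43, so the operator sees that the guess rests on three attributes rather than six. That confidence value is what a corporate-wide audit needs in order to decide which hosts deserve a second look rather than trusting a single exact-match verdict.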

Ofir Arkin is the founder of the Sys-Security Group, a non-biased computer security research and consultancy body.

Armed with extensive knowledge in the information security field, Ofir Arkin has worked as a consultant for several major European financial institutions, where he played the role of Chief Security Architect and Senior Security Architect. Among the projects he performed, Ofir was responsible for assessing the future external and inter-bank IP communication security architecture for one of the world’s top 10 banks, analyzing the needs and solutions for an internal Single Sign-On (SSO) project for a world-leading pharmaceutical company, and securing the e-banking project for a leading Swiss bank. Ofir also acted as Chief Security Architect for a 4th-generation telecom company, where he designed the overall security architecture for the company. Currently Ofir is the CISO of a leading telecom company in Israel.

Ofir has published several papers as well as articles and advisories. His best-known papers are “Etherleak: Ethernet frame padding information leakage”, “Security Risk Factors with IP Telephony based Networks”, the “ICMP Usage in Scanning” research paper, Xprobe2 (tool and papers), “The Cisco IP Phones Compromise”, and “Trace-Back”. He is currently conducting research on a number of TCP/IP protocols as well as Voice over IP. Ofir’s research has been mentioned in a number of professional computer security magazines.

Ofir is an active member of the Honeynet Project and co-authored the Honeynet team’s book, “Know Your Enemy”, published by Addison-Wesley. He is a co-author of the second edition of the book, to be published at the end of 2003.

Securing Data in Storage: Secure Networking for Complete Data Protection
Dan Avida, CEO & President, Decru

Technologies like Storage Area Networks (SAN) and Network Attached Storage (NAS) are substantially reducing the cost of storage while improving scalability, manageability, and access to critical data. However, as businesses depend more and more on the Internet, IT management faces complicated challenges in ensuring network security and data integrity. The existence of a fabric that connects heterogeneous devices creates a significant security problem: a malicious attacker who penetrates a single server connected to the fabric can access data residing on any of the storage devices on the storage network. Consequently, this increased access raises immediate concerns about the security of network-stored data, from external as well as internal threats.

Dan Avida is the CEO & President of Decru. Prior to founding Decru, Dan helped co-found Electronics for Imaging, Inc. (NASDAQ: EFII) in 1989. From 1989 to 1994, Dan was responsible for the creation and management of the Fiery project, which was the cornerstone of EFI's success. Dan was promoted to President in July 1994, CEO in 1995, and Chairman in 1999. Dan led the company through five years of dramatic and consecutive growth, placing the company on the Business Week, Fortune and Forbes lists of fastest growing companies, and on the NASDAQ 100 index. On the Silicon Valley 150 list for 1999, with revenues of $570M, EFI's overall profits were ranked 24th, and the company's profits per employee were ranked fourth in Silicon Valley. Dan graduated Summa Cum Laude from the Technion, the Israel Institute of Technology, with a B.Sc. in Computer Engineering.

Government IP Tapping - EU
Jaya Baloo

Lawful Interception (LI) is currently in development internationally and the area of IP interception poses significant regulatory, as well as implementation, challenges. The presentation attempts to elucidate major legal and technical issues as well as citing the vendors, operators and governments involved in creating the standards and solutions.

In the European context, all EU countries have been mandated to have LI capabilities in place and be able to provide assistance to other member states when tracking transborder criminals. Public Communications Providers must tread warily between privacy concerns and LI requirements. Especially with the new talks concerning Interpol, Enfopol, & Data Retention, communication over public channels is anything but private. The conditions for interception and the framework for oversight are not widely known.

As LI in Europe presents an example for the rest of the world, attention should be given to the changing face of EU legislation. This is relevant not only to EU expansion but also to EU influence over its eastern and western allies.

Jaya Baloo (CCNP, CISSP) has been working in InfoSec for 5 years, starting at Unisource in The Netherlands. After moving to KPN Telecom, she has worked internationally for the Dutch Telecom Operator in Namibia, Egypt, Germany, and Costa Rica designing secure IP infrastructures for national operators. More recently she has worked in Prague for Czech Telecom on Lawful Interception.

Intrusion Prevention: an Introduction and Comparison
Jay Beale, Lead Developer, the Bastille Project and Senior Research Scientist, George Washington University Cyber Security Policy and Research Institute

Intrusion Prevention is the computer security industry's most recent hot buzzword, but the overgeneralization that has ensued has created a very confused market. This talk will introduce Intrusion Prevention technologies, from network-based solutions like Inline Snort and McAfee IntruShield to host-based solutions like the trusted operating systems SELinux, TrustedBSD and Trusted Solaris. We'll examine what these technologies actually can and cannot deliver, considering what goals each fulfills and the total effort of ownership.

Jay Beale is a security specialist focused on host lockdown and security audits. He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and a core participant in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through Baltimore-based JJBSec, LLC.

Jay writes the Center for Internet Security's Unix host security tool, currently in use worldwide by organizations from the Fortune 500 to the Department of Defense. He maintains the Center's Linux Security benchmark document and, as a core participant in the non-profit Center's Unix team, is working with private enterprises and US agencies to develop Unix security standards for industry and government.

Aside from his CIS work, Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and has previously written articles for other publications. He authored the Host Lockdown chapter in 'Unix Unleashed,' served as the security author for 'Red Hat Internet Server' and co-authored 'Snort 2.0 Intrusion Detection.' Jay is currently finishing the Addison-Wesley book 'Locking Down Linux.'

Formerly, he served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and push security into the third largest retail Linux distribution. He now works to further the goal of improving operating system security. To read Jay's past articles and learn about his past and future conference talks, take a look at his site.

Rogue AP 101 - Threat, Detection, & Defense
Beetle, The Shmoo Group
Bruce Potter, Security Consultant

As if wireless networking needed another strike against it, the threat of rogue access points within or even near your corporation's infrastructure is all too real. Thanks to rogue access points, the bad guys neither pay for hotspot Internet access nor find your corporate VPN much of a barrier. Don't fully grasp the concept of rogue APs and how they can be used for industrial espionage or to harvest your employees' intranet credentials? Not convinced there's a magic 1U box that solves the wireless security problem? Want the basic knowledge necessary for defending against this threat? This introductory talk is for you. Continuing where the Shmoo Group left off at DefCon, Beetle gives a crash course on the threat of rogue access points, real defense strategies and their pitfalls, and demonstrates a new tool and concept for combating the rogue AP threat, one that doesn't cost a dime.
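The abstract promises detection and defense without a magic box. The following is an added example, not the Shmoo Group's tool or Airsnarf: it shows the core of a do-it-yourself rogue AP triage, comparing what a scan sees against an inventory of sanctioned access points and separating the case that matters most, an unknown radio advertising your own SSID (the evil twin the abstract warns will harvest intranet credentials), from a misconfigured corporate AP and from a neighbour's network. The corporate SSID, the inventory, the signal threshold and the scan records are all assumptions constructed for the demonstration; a real deployment feeds in the output of a wireless sniffer instead of the SAMPLE_SCAN list.

```python
"""Rogue access point triage from a wireless scan. Added example, not the
Shmoo Group's tool: the inventory, SSID, RSSI threshold and scan records are
assumptions constructed for the demonstration.

Categories produced:
  authorized                known BSSID on its recorded channel
  authorized-misconfigured  known BSSID on a channel it should not be on
  evil-twin                 unknown BSSID advertising the corporate SSID
  rogue                     unknown BSSID, other or hidden SSID, strong signal
  neighbor                  unknown BSSID, weak signal (probably next door)
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScanRecord:
    bssid: str      # AP MAC address as seen in beacons
    ssid: str       # "" when the network name is hidden
    channel: int
    rssi_dbm: int   # received signal strength; closer to 0 is stronger


CORPORATE_SSID = "corpnet"                      # assumed
AUTHORIZED: Dict[str, int] = {                  # assumed inventory: bssid -> channel
    "00:0a:00:00:00:01": 1,
    "00:0a:00:00:00:06": 6,
    "00:0a:00:00:00:0b": 11,
}
# Assumed: a fixed sensor hearing something stronger than this is hearing a
# radio inside the perimeter, not the coffee shop across the street.
INSIDE_RSSI_DBM = -70


def normalize_bssid(bssid: str) -> str:
    """Scanners disagree on case and separators; compare on one canonical form."""
    return bssid.strip().lower().replace("-", ":")


def classify(record: ScanRecord,
             authorized: Dict[str, int] = AUTHORIZED,
             corporate_ssid: str = CORPORATE_SSID,
             inside_rssi_dbm: int = INSIDE_RSSI_DBM) -> str:
    bssid = normalize_bssid(record.bssid)
    if bssid in authorized:
        return "authorized" if record.channel == authorized[bssid] else "authorized-misconfigured"
    if record.ssid.lower() == corporate_ssid.lower():
        # Impersonating the corporate network is a credential-harvesting
        # setup regardless of how weak the signal is, so test this first.
        return "evil-twin"
    if record.rssi_dbm >= inside_rssi_dbm:
        return "rogue"
    return "neighbor"


def triage(records: List[ScanRecord]) -> Dict[str, List[str]]:
    """Group normalized BSSIDs by category for the report."""
    findings: Dict[str, List[str]] = {}
    for record in records:
        findings.setdefault(classify(record), []).append(normalize_bssid(record.bssid))
    return findings


# Constructed scan output: one sanctioned AP, one sanctioned AP on the wrong
# channel, an evil twin (note the SSID case), a hidden-SSID box inside the
# building, and a weak neighbouring network.
SAMPLE_SCAN = [
    ScanRecord("00:0A:00:00:00:01", "corpnet", 1, -55),
    ScanRecord("00:0a:00:00:00:06", "corpnet", 11, -60),
    ScanRecord("00:1b:ff:ff:ff:01", "CorpNet", 6, -48),
    ScanRecord("00:1b:ff:ff:ff:02", "", 1, -62),
    ScanRecord("00:1b:ff:ff:ff:03", "linksys", 6, -85),
]

if __name__ == "__main__":
    for category, bssids in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{category:24s} {', '.join(bssids)}")
```

Two caveats a practitioner would add. A BSSID is just a field in a beacon and is trivially spoofed, so "authorized" from a single sensor means only that the MAC matched the inventory; the channel check catches the lazy clone that copies the MAC but not the channel, and a second sensor that sees the same BSSID from an impossible location is a stronger signal. And the RSSI threshold is site-specific: calibrate it with a known AP at the perimeter before trusting the rogue/neighbor split.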

Beetle is a member of the Shmoo Group, holds a BS in Computer Science, and is a D.C.-area computer security engineer. He is CEO of a Northern Virginia WISP, Vice President of the Capital Area Wireless Network, and licensed amateur racecar driver. His war-driving setup and adventures have been covered by The Washington Times, The Baltimore Sun, and NPR. He recently presented on the topic of rogue access points at DefCon XI, introducing his rogue AP setup utility Airsnarf.

Bruce Potter has a broad information security background. From application security assessments to low-level smartcard analysis to wireless network deployments, Bruce has worked in both the open- and closed-source communities. Trained in computer science at the University of Alaska Fairbanks, Bruce now serves as a Senior Security Consultant for Cigital, Inc. in Dulles, VA. Bruce is founder and President of Capital Area Wireless Network, a non-profit community wireless initiative based in Washington, DC. In 1999 Bruce founded The Shmoo Group, an ad-hoc group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security, published by O’Reilly and Associates. He is co-authoring Mac OS X Security, to be published by New Riders Publishing in May of 2003.

Enhancing Network Security through Competitive Cyber Exercises
Eric Cole, Head of Research and Chief Scientist, The Sytex Group

Eric Cole is a highly sought after network security consultant and speaker. Eric has consulted for international banks and Fortune 500 companies and has advised venture capital firms on which startups should be funded. He has in-depth knowledge of network security and has come up with creative ways to secure his clients' assets. He is the author of several books, including Hackers Beware and Hiding in Plain Sight. Eric holds several patents and has written numerous magazine and journal articles. Eric worked for the CIA for over 7 years and has created several successful network security practices. Eric is a member of the Honeynet Project and the CVE Editorial Board; both are invited positions. Eric presents at a variety of conferences, including SANS, where he helped create several of the courses. Eric has been interviewed by CBS News, 60 Minutes and CNN. He is currently in charge of research and the chief scientist for The Sytex Group.

Enhancing Network Security through Competitive Cyber Exercises
Major Ronald Dodge, Senior Research Scientist, United States Military Academy
Wayne Schepens,
National Security Agency Visiting Fellow assigned to the Department of Electrical Engineering and Computer Science Department, United States Military Academy
Lt. Colonel Daniel Ragsdale,
Associate Professor and Director of the Information Technology and Operations Center (ITOC), United States Military Academy
Colonel Don Welch,
Associate Dean for Information and Educational Technology, United States Military Academy

The security of our information systems is constantly under attack. We propose that to make them safer, they should be attacked even more. A competition where teams defend a network against skilled adversaries provides an excellent means to develop the skills necessary to defend real networks. In addition, such a competition provides a safe environment to test and evaluate new and emerging defensive techniques and technologies. Two similar events that have been publicized recently are the DEFCON “Capture the Flag” (CTF) competition and the military Cyber Defense Exercise. These two competitions follow different paradigms. The DEFCON event sets all teams to be both attackers and defenders, while the Cyber Defense Exercise focuses the teams on defensive operations only.

The Cyber Defense Exercise (CDX), an annual competition between students at the five U.S. service academies, has developed into an extraordinary exercise where defensive technologies are implemented and tested. In the three years the exercise has been conducted, the skill and knowledge of the participants have improved so dramatically that the CDX has become an excellent testing ground for new and emerging concepts in information assurance.

We believe that taking our ideas for a defensively focused computer network exercise and modifying them to meet agency-specific goals will produce a more robust set of security solutions, policies, and network security personnel than exists today.

Major Ronald Dodge
Major Ronald Dodge has served for over 16 years as an Aviation officer and is a member of the Army Acquisition Corps. His military assignments range from duties in an attack helicopter battalion during Operation Just Cause in the Republic of Panama to the United States Military Academy. Currently he is an Assistant Professor and Senior Research Scientist in the Information Technology and Operations Center (ITOC) at the United States Military Academy. His current research focuses are information warfare, security protocols, internet technologies, and performance planning and capacity management. He is a frequent speaker at national and international IA conferences and he has published many papers and articles on IA topics.

Wayne J. Schepens
Wayne J. Schepens is currently the National Security Agency Visiting Fellow assigned to the Department of Electrical Engineering and Computer Science at the US Military Academy, West Point. He is a 1991 graduate of the New York Maritime Academy, received his M.S. in Civil Engineering from Virginia Polytechnic Institute and State University (1999), and is a licensed Professional Engineer. Prior to this assignment he provided Information Systems Security Engineering (ISSE) and technical management support to the Information Assurance Solutions Department at the National Security Agency. He served as the ISSE Team Lead for the F-22 Raptor, and managed the development of the Voting Over the Internet and CASCOM Secure Guard programs. He now teaches Computer Systems Design and Information Assurance and performs and directs research in support of the Information Technology Operations Center within the US Military Academy. In addition he works to develop, share, and infuse Information Assurance curricula throughout the academic programs at all five US service academies, and has led the efforts to obtain certification as an NSA Center of Academic Excellence for Information Assurance Education and to establish the annual Inter-Academy Cyber Defense Exercise.

Lt. Colonel Daniel Ragsdale
Lt. Colonel Daniel Ragsdale, Ph.D., has served for over twenty-two years as an officer in the US Army. During this time he served in a variety of operational and research and development assignments, including participation in Operation Urgent Fury in Grenada and Operation Enduring Freedom in Afghanistan. Currently he is an Associate Professor and Director of the Information Technology and Operations Center (ITOC) at the US Military Academy. His current research focuses on information security, Information Assurance (IA), and Information Warfare. He is a frequent speaker and panelist at national and international IA conferences and he has published dozens of papers and articles on IA topics.

Colonel Donald Welch
Colonel Donald Welch is the Associate Dean for Information and Educational Technology for the United States Military Academy, West Point and an adjunct professor in the Department of Electrical Engineering and Computer Science. He received his Ph.D. in Computer Science from the University of Maryland College Park, MS in Computer Science from Cal Poly, San Luis Obispo, and BS from West Point. Throughout his Army career he has served as both a line officer and IT leader in infantry, special operations and educational organizations. In his current position he oversees all student and faculty computing at West Point. He develops, implements, and aligns the information technology strategic plan with USMA's vision. He is currently leading USMA through the transformation from a strictly wired computing paradigm to a mobile computing paradigm where all learning is supported by an information-rich environment. His primary research area is information assurance.

Strike/Counter-Strike: Reverse Engineering Shiva
Chris Eagle, Chairman of Computer Science, Naval Postgraduate School

Shiva is a runtime binary encryption tool created by Neel Mehta and Shaun Clowes. Described by Mehta at Black Hat USA 2003, Shiva's goal is to "prevent trivial reverse engineering of algorithms" as well as to advance the state of the art for ELF runtime encryption. This talk attempts to measure Shiva's success by detailing static reverse engineering efforts against the shiva binary itself. The use of IDA Pro will be documented and useful IDA scripts will be provided. Future work in both passive and active analysis of Shiva will also be discussed.

Complete removal of Shiva protection will be demonstrated by extracting the original shiva-0.96 binary from its Shiva protective wrapper.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 18 years, his research interests include computer network operations and reverse/anti-reverse engineering. In addition to being Director of NPS' Computer Network Research Lab, he teaches computer forensics and conducts malware analysis.

More Fun With Graphs
Halvar Flake, Reverse Engineer, Black Hat

Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less tilting at windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.

Cisco Vulnerabilities - Yesterday, Today and Tomorrow
FX, Phenoelit

The talk provides an overview of the vulnerabilities in Cisco IOS published on Cisco's website. Examining the types of problems in detail reveals emerging patterns. Then the details of recent IOS exploitation developments are covered, including heap- and stack-based exploitation and shellcode. The talk concludes with an outlook on the future of vulnerabilities and attacks against Cisco IOS devices.

FX is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.

Intrusion Vulnerabilities of Fiber Optic Infrastructures: An Assessment
Mark Gross, Vice President, Opterna Inc.
Robert J. Bagnall, Director of Intelligence Operations, iDefense

This presentation covers a technical overview of the threats to fiber optic network infrastructures, intrusion detection, and defensive considerations. Through a combination of demonstration and lecture, attendees will be given an introduction to fiber networking, security concerns, and defensive options. A demonstration will be given showing the use of a fiber optic tap as well as intrusion detection tools. Case studies will be discussed. This presentation is open to attendees of all skill levels and is taught toward an intermediate skill level.

Mark Gross - Since becoming a pioneer in the networking industry with start-up Bridge Communications in 1982 (a precursor to 3Com), Mr. Gross has made a career of bringing bleeding-edge and leading-edge technologies to the marketplace. Known for his ability to make complex technologies understandable to any audience, Mr. Gross is sought as a speaker for networking events at the national and world level. He is currently Vice President of Opterna, Inc., a Pennsylvania company known for its expertise in fiber optic networking technology and the FiberSentinel intrusion detection system.

Robert J. Bagnall has a military and 3-letter agency intelligence background as well as over a decade of cyber-security experience. He has built, managed, and worked numerous Computer Emergency Response Team (CERT) environments for customers such as DoD, FBI-NIPC, government contractors, and Counterpane Internet Security. Mr. Bagnall is currently the Director of Intelligence Operations at iDefense, a government and commercial intelligence provider located in the Washington, DC metro area.

The Challenges of Automated Web Application Scanning: "Why automated scanning only solves half the problem."
Jeremiah Grossman, CEO, WhiteHat Security, Inc.

Web application scanning presents many unique challenges. The biggest challenge is that the increasing complexity and diversity of Web applications make it extremely difficult for any scanner to effectively identify security issues. The goal in typical network vulnerability scanning is to identify "known security issues in known code." Unfortunately, the problem is more complex in Web application vulnerability scanning, where the mission is to identify "known security issues in unknown code." With this in mind, we will dive into the specific details that make Web application vulnerability scanning difficult, discussing the lessons learned and recommended solutions.

Scanning a Web application for vulnerabilities is akin to remotely black-box testing an unknown piece of code. The remote scanner does not have access to source code, knowledge of what programming language was used or what actions the software performs, and it won't even know on what platform the application resides. The benefit of known security issues is lost in web application vulnerability scanning, and the scanner must resort to identifying classes of vulnerabilities, such as cross-site scripting and SQL injection. However, there are security issues that go beyond simple classes and target exploitation of flaws in application business logic. These business logic issues are arguably impossible for any automated process to uncover, and yet they are some of the most dangerous. The list of challenges faced by today's web application vulnerability scanner is endless.
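The abstract's distinction, classes of vulnerabilities a scanner can probe for blindly versus business-logic flaws it cannot, is concrete enough to show in code. The following is an added example, not WhiteHat's scanner or any of its tooling: a tiny target application (a coupon checkout handler with a string-built SQL query, an unescaped name parameter and a quantity it never bounds-checks) is constructed for the demonstration and stands in for the remote site, and the scanner treats it as an opaque `params -> (status, body)` function exactly as it would treat an HTTP endpoint. The class probes flag the XSS and the SQL injection without knowing anything about the code; nothing in them can notice that a negative quantity turns a sale into a refund, because the response is a perfectly well-formed 200.

```python
"""Black-box probing for vulnerability classes versus a business-logic flaw.
Added example, not WhiteHat's code: `app`, its coupon table and BASE_PARAMS are
constructed for the demonstration. The probes only ever call `target(params)`.
"""
import secrets
import sqlite3
from typing import Callable, Dict, List, Tuple

Target = Callable[[Dict[str, str]], Tuple[int, str]]

# ---- constructed target: the "unknown code" the scanner never gets to read ----
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE coupons (code TEXT, pct INTEGER)")
_db.execute("INSERT INTO coupons VALUES ('SAVE10', 10), ('STAFF50', 50)")


def app(params: Dict[str, str]) -> Tuple[int, str]:
    """Checkout handler with three deliberate defects (see comments)."""
    name = params.get("name", "guest")
    code = params.get("code", "")
    try:
        qty = int(params.get("qty", "1"))
    except ValueError:
        return 400, "<p>bad quantity</p>"
    try:
        # defect 1: SQL built from user input
        row = _db.execute(f"SELECT pct FROM coupons WHERE code = '{code}'").fetchone()
    except sqlite3.Error as exc:
        return 500, f"<pre>database error: {exc}</pre>"
    pct = row[0] if row else 0
    total = (100 - pct) * qty       # defect 3: no lower bound on qty, negative total = refund
    # defect 2: name reflected without HTML escaping
    return 200, f"<p>Hello {name}, {qty} item(s) at {pct}% off: total {total}</p>"


# ---- class-based probes: need no knowledge of the code behind the URL ----
def probe_reflected_xss(target: Target, params: Dict[str, str], field: str) -> bool:
    """Inject a random tag; verbatim reflection means the value was not escaped."""
    canary = "<xs" + secrets.token_hex(4) + ">"
    _, body = target(dict(params, **{field: canary}))
    return canary in body


def probe_sqli(target: Target, params: Dict[str, str], field: str) -> bool:
    """Error-based check: one quote breaks a quoted SQL literal, a doubled quote
    is valid SQL. A server error on the first but not the second is the signal."""
    status_broken, _ = target(dict(params, **{field: params[field] + "'"}))
    status_fixed, _ = target(dict(params, **{field: params[field] + "''"}))
    return status_broken >= 500 and status_fixed < 500


def scan(target: Target, params: Dict[str, str]) -> Dict[str, List[str]]:
    """Run every class probe against every parameter; report hits per field."""
    findings: Dict[str, List[str]] = {}
    for field in params:
        hits = []
        if probe_reflected_xss(target, params, field):
            hits.append("xss")
        if probe_sqli(target, params, field):
            hits.append("sqli")
        findings[field] = hits
    return findings


# ---- what only someone who understands the business would think to test ----
def check_negative_quantity_refund(target: Target, params: Dict[str, str]) -> bool:
    """Business-logic check: does the application compute a negative total?"""
    status, body = target(dict(params, qty="-3"))
    return status == 200 and "total -" in body


BASE_PARAMS = {"name": "guest", "code": "SAVE10", "qty": "2"}

if __name__ == "__main__":
    print("class findings:", scan(app, BASE_PARAMS))
    print("negative quantity accepted:", check_negative_quantity_refund(app, BASE_PARAMS))
```

Running it gives `{'name': ['xss'], 'code': ['sqli'], 'qty': []}`: the scanner found both class issues with nothing but request/response behaviour, and found nothing at all in `qty`, where the most expensive bug lives. The logic check succeeds only because a human wrote down what "wrong" means for this application (a negative total); that knowledge is exactly what the abstract says the scanner does not have.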

Jeremiah Grossman founded WhiteHat Security in 2001. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, where he designed, audited, and penetration-tested the company's hundreds of web applications. Yahoo!, one of the world's busiest web properties, with over 17,000 web servers for customer access and 600 web applications, required the highest level of security. Before Yahoo!, Mr. Grossman worked for Amgen, Inc.

Mr. Grossman is a world recognized expert in web application security and is a frequent information security speaker at security conventions including the Black Hat Briefings, the Air Force and Technology Conference, Washington Software Alliance, technology forums, Defcon and ToorCon. Mr. Grossman's continuing research focuses on all areas of web application security and he has been featured in the mainstream media such as USA Today, NBC, and ZDNet on several occasions. His endeavors have yielded successes such as the widely used assessment tool "WhiteHat Arsenal", as well as the acclaimed Web Server Fingerprinter tool and technology. Mr. Grossman is also a contributing member to the Center for Internet Security Apache Benchmark Group.

Runtime Decompilation
Greg Hoglund, Rootkit

Pure static analysis of machine code is both time consuming and, in many cases, incapable of determining control flow when branching decisions are based on user-supplied input or other values computed at runtime. Other problems include the lack of type information or the inability to identify all instructions. Although difficult if not impossible to solve using static analysis, many specific problems can be solved by running the program and observing its behavior. Hoglund presents a strategy that combines static analysis with runtime sampling to determine data flow and, more importantly, trace data from the point of user input to potentially vulnerable locations in code. His focus is directly on security auditing and techniques to significantly reduce the amount of time it takes to audit a binary executable. To get the most from this talk, attendees should have experience debugging code.

Greg Hoglund is a recognized speaker and business person working out of California. His work is focused on reverse engineering and exploiting software. Hoglund has developed several automated tools and commercial products. Hoglund most recently developed the fault-injection product called 'Hailstorm' and has now moved on to form a new company, HBGary, LLC. In his spare time, Hoglund hosts the popular internet site and takes his dog, Oreo, for walks on the beach.

Honeynet Technologies: The Latest Technologies
The Honeynet Project

This talk focuses on Sebek and the latest advances in Honeynet Technologies. It includes a general overview of the Honeynet Project and Honeynet Technologies.

Practical Vulnerability Assessments in a Distributed Federal Environment
Chris Hurley, Principal Information Security Engineer, The Titan Corporation

Developing an effective program to assess and track the security posture of Federal entities can often be a frustrating process. Mr. Hurley will present the methodology used by the Titan IT Security Team that has effectively reduced the number of known vulnerabilities on project systems while also taking a proactive approach to reducing risk from unknown or "yet to be discovered" vulnerabilities.

Chris Hurley is the Principal Information Security Engineer on a large NASA Project's IT Security Team. Primarily focusing his efforts on vulnerability assessments, he also performs penetration testing, forensics and incident response operations on both wired and wireless networks. He has spoken at several security conferences, been published in numerous online and print publications, and been the subject of several interviews and stories.

Stack Black Ops: New Concepts for Network Manipulation
Dan Kaminsky, Senior Security Consultant, Avaya, Inc.

What can your network do? You might be surprised. Layer by layer, this talk will examine previously undocumented and unrealized potential within modern data networks. We will discuss aspects of the newest versions of scanrand, a very high speed port scanner, and the rest of the Paketto Keiretsu. Interesting new techniques will also be discussed, including:

  • Bandwidth Brokering - a technique that allows market-based load balancing across administrative boundaries using existing TCP protocols
  • DHCP-less Bootstrapping - a sub-optimal but effective strategy for bootstrapping network access for hosts that cannot directly acquire a DHCP lease
  • State Reconstruction - a design model that allows stateless network scanners (such as scanrand) to acquire deep knowledge about scanned hosts
  • Multihomed Node Detection - a simple set of techniques that expose firewalled hosts with alternate paths to an unfirewalled network link
  • Generic ActiveX Encapsulation - a step-by-step methodology for safely launching arbitrary win32 tools (such as putty or a Cygwin OpenSSH environment) from a web page

We will also be discussing significant advances in data visualization, made necessary by the sometimes daunting amount of raw information these sorts of tools can expose one to.

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems, and he is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

Digital Information, User Tokens, Privacy and Forensics Investigations: The Case of Windows XP Platform
Larry Leibrock, Ph.D, founder, eforensics, LLC

Incident Response and IT Security practitioners are aware that normal user interactions with digital devices create, delete and typically leave a range of data, metadata and residue (termed tokens) on differing system media. We seek to explore Microsoft Windows XP as an illustrative platform to review how these tokens are created, discovered and perhaps cleaned using some generally available privacy tool sets.

This paper explores a field study that intends to review extant knowledge, determine the range of user tokens, and survey current forensics used to discover evidentiary findings. The field study focuses solely on two variants (Windows XP Professional and Windows Tablet PC) of commercially available Windows XP platforms in networked settings.

The paper describes the Windows XP platform from these perspectives: files, registry, system folders, special folders, media and forensics processes. A review of present data-hiding techniques (cryptography and steganography) is presented and demonstrated. Finally, a set of data destruction algorithms and tools are described.

Lastly, in the context of a teaching case, a set of public policy perspectives are presented for discussion. The purpose of the case is to set out a dialogue about individual privacy rights, privacy of information, ownership of data, protection of sensitive information and legal investigative processes in democratic settings.

Discussion topics in the presentation include the following:

  • Investigation and Privacy of Digital Data and Introductory Forensics Investigations: Practices/Procedures
  • An International Forensics Case discussion - law - privacy - ethics - law enforcement
  • Microsoft Windows XP - Media typology and morphology of data
  • Data Caches - files - registry - folders - metadata derivatives
  • Networking artifacts and residue
  • Introduction to information hiding techniques, data wiping tools - special hardware - some special tools
  • Extant political - public policy - legal systems perspectives

Larry Leibrock, Ph.D., is a member of the McCombs Business School – The University of Texas faculty and serves as the Associate Dean and Technology Officer for the McCombs Business School. He has held or currently holds clinical teaching and research appointments at McCombs Business School, Institute for Advanced Technology, The University of Texas Law School, Emory University, Helsinki School of Economics and Monterrey Technologica in Mexico City and Monterrey. He is a member of IEEE, ACM, Internet Society, FIRST and USENIX/SAGE. He is also a member of the Department of Defense Software Engineering Institute and a participant in the Air Force Software Technology Conference. He is the founder and CTO for eForensics LLC, a private technical services firm.

Larry has delivered expert digital evidence testimony at both civil and criminal trials. He has testified for the Presidential Commission for Protection of Critical Information Infrastructure and the Senate Science Committee. He recently presented forensics testimony at an invitational conference for the Executive Office of the President. He presently serves on the Texas Infrastructure Protection Advisory Committee formed by the Attorney General of Texas. He is also appointed to the Board of Directors - Texas Department of Information Resources. Larry is active in IT industry and government systems consulting projects in the areas of systems forensics, enterprise IT operations, security and incident investigations.

Defeating the Stack Based Buffer Overflow Exploitation Prevention Mechanism of Microsoft Windows 2003 Server
David Litchfield, Founder & Managing Director, NGSSoftware

David Litchfield is a world-renowned security expert specializing in Microsoft Windows and Internet security. His discovery and remediation of over 100 major vulnerabilities in products such as Internet Information Server and Oracle's Application Server have helped businesses globally to protect their infrastructure and digital assets. David has contributed to several books and is a co-author of "SQL Server Security", "The Shellcoder's Handbook" and "Special Ops". Currently the Managing Director of NGSSoftware, a UK based security software and consultancy company, David also heads the research team, currently the world leaders in terms of discovery of new vulnerabilities.

Application Intrusion Detection
Drew Miller, Black Hat Consulting

As corporations begin to embrace secure mitigation techniques, we hope to see a visible decline in application specific exploits. Applications operate on a higher level than the operating system and must trust many components in the system to just work. There is not much that an application can do to verify a third-party component. However, it is completely possible for an application to monitor the things that the application mitigates and the things that the application cannot mitigate.

An infrastructure for the application that allows auditing, monitoring and statistical analysis of events and related data can allow an application to know when a user is attempting to buffer overflow the application. The application can know when a hacker is bypassing the client validation routines. The application can know when all these events occur. You write the programs, so learn how to add monitoring to give your application the edge on hackers in a network environment.

Drew Miller has been a software engineer for more than ten years. Drew has worked at many levels of software development, from embedded operating systems, device drivers and file systems at Datalight Inc. to consumer and enterprise networking products such as Laplink’s PCSync and Cenzic’s Hailstorm. Drew’s experience with many software genres combined with his passion for security give him a detailed perspective on security issues in a wide variety of software products.

Drew’s latest projects were the aided design and development of two security courses for Hewlett-Packard at the Hewlett-Packard Security Services Center. One course aimed at educating quality assurance personnel and the other at educating developers about the exposures that exist in present day network applications and how to avoid such exposures. Drew is currently an instructor for Black Hat Training, Inc.

Security Design Patterns
Gunnar Peterson, CTO, Arctec Group

Security guy: "If only those developers had built this 'right', we wouldn't be having these security problems now."

Developer: "If only I had the right requirements at the beginning instead of when it is too late, I could have built this right."

Let's face it, Enterprise development is fraught with issues like this. Discussions like the one above happen every day across the world. Poor code quality and lack of security dramatically reduce the impact of the billions of dollars poured into software. Ultimately we are less safe, and our society, which increasingly relies on technology, is less stable.

Bridging the gap between security and development can be an exercise in tail-chasing. Software development is a complex field and useful security metrics are hard to come by. "Security Design Patterns" seeks to change the focus of security from a reactive find/fix/firedrill mode of operations and towards a set of architecture-centric processes and design activities aimed at producing robust, reliable, and secure software systems.

In this presentation we will follow the software development lifecycle end-to-end and examine in detail where and how security can effectively play a role in improving the quality of the finished product. The lifecycle starts in the Analysis & Design phases by examining how to derive security requirements, threat models, and Mis-Use Cases at the earliest stage of development. Next we will drill down on specific sets of Patterns for defending your application's structural and logical elements, and recognizing/responding to attacks on your systems. We will address foundational security systems elements including secure asynchronous messaging, logging, exception handling, audit process, authentication, and authorization. Lastly, we will focus on the transition to the production environment, specifically looking at ways to secure the build/config/deployment processes.

The examples are geared to be reusable in a cross platform sense. UML models which can be used for Java/J2EE/.Net/CORBA environments are provided in addition to Java and C# source code. Familiarity with enterprise software development technology and concerns (Java/.Net/CORBA/UML) is helpful, but not required.

Gunnar Peterson is a Software Security Architect. He designs secure, stable, and scalable solutions for complex problem spaces. Over his ten year career, he has been dedicated to design and development of distributed middleware Object-Oriented and Component systems for clients ranging from large enterprises to start ups. Currently, Gunnar is CTO of Arctec Group. Arctec Group's primary focus is designing "Strategic Technology Blueprints" for enterprise.

Contextually Intelligent IDS
Marty Roesch, Founder and CTO, Sourcefire

Martin Roesch founded Sourcefire in 2001 and serves as CTO. A respected authority on intrusion detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 14 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort™ Intrusion Detection System, which forms the foundation for the Sourcefire product suite.

Over the past seven years, Martin has developed various network security tools and technologies, including intrusion detection systems, honeypots, network scanners, and policy enforcement systems for organizations such as GTE Internetworking, Stanford Telecommunications, Inc., and the Department of Defense. He has applied his knowledge of network security to penetration testing and network forensics for numerous government and large corporate customers. Martin has been interviewed as an industry expert in multiple technology publications, as well as print and online news services such as MSNBC, Wall Street Journal, CNET, ZDNet, and numerous books. Snort™ has been featured in Scientific American, on A&E's Secret Places: Inside the FBI, and in several books, such as Network Intrusion Detection: An Analyst's Handbook, Intrusion Signatures and Analysis, Maximum Security, Hacking Exposed, and others.

Martin holds a B.S. in Electrical and Computer Engineering from Clarkson University.

Putting The Tea Back Into CyberTerrorism

Many talks these days revolve around cyber terrorism and cyber warfare. Some experts suggest such attacks could be effective; others say that targeted country-wide cyberterrorism is just for the movies...or a Tom Clancy book. In this talk we look at very practical examples of possible approaches to Internet driven Cyber Warfare/Terrorism. The talk will include an online demo of a framework designed to perform closely focussed country-wide cyber attacks.

Roelof Temmingh is the technical director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of PERL code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many International Conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels.

Haroon Meer is one of SensePost's senior technical specialists. He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including Black Hat Briefings. Haroon doesn’t drink tea or smoke camels.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years' experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

HTTP Fingerprinting and Advanced Assessment Techniques
Saumil Udayan Shah, Director, Net-Square Solutions

This talk discusses some advanced techniques in automated HTTP server assessment which overcome efficiency problems and increase the accuracy of the tools. Two of the techniques discussed here include Web and Application server identification, and HTTP page signatures. Web and Application server identification allows for discovery of the underlying web server platform, despite it being obfuscated, and of other application components which may be running as plug-ins. HTTP page signatures allow for advanced HTTP error detection and page groupings. A few other HTTP probing techniques shall be discussed as well. A free tool, HTTPRINT, which performs HTTP fingerprinting, shall be released along with this presentation.

Saumil Shah continues to lead the efforts in e-commerce security research and software development at Net-Square. He is the co-author of "Web Hacking: Attacks and Defense" published by Addison Wesley. He has more than eight years' experience with network security and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences worldwide such as BlackHat, RSA, etc.

Previously, Saumil held the position of Director of Indian operations with Foundstone Inc. in the US, and was a senior consultant with Ernst & Young's Information Security Services. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member for their Management Development Programmes.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He also holds a CISSP certification. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

The Challenge of Multilevel Security
Dr. Rick Smith, CISSP, University of St. Thomas in Minnesota

Despite over thirty years of work, there is no real "solution" to the multilevel security problem. This talk looks at the technical and policy problems posed by working with data at multiple classification levels, and at typical strategies used today for dealing with those problems. Is the answer to be found in guards and "multiple independent levels of security," or in true multilevel products? What about open source or other "certified" real time systems? What might the future hold?

Dr. Rick Smith, CISSP, is a writer, educator, and information security consultant. He was the lead systems engineer on the Standard Mail Guard, an early guard product, and has contributed to many other multilevel security programs. He is the author of two books, "Authentication" and "Internet Cryptography," and is currently a faculty member at the University of St. Thomas in Minnesota.

The Future of Honeypots
Lance Spitzner, Senior Security Architect, Sun Microsystems

Honeypots are an exciting, yet relatively unexplored, security technology. As a security resource that is designed to be attacked, honeypots have many unique advantages (and disadvantages) when compared to other technologies. This presentation will define what a honeypot is, how it works, and its value, and will include demonstrations of different types of honeypots. It is hoped you will gain a better understanding of what honeypots are, the many different types and what they can do, and how they can apply to your organization.

Lance Spitzner is a geek who constantly plays with computers, especially network security. He loves security because it is a constantly changing environment in which your job is to do battle with the bad guys. This love for tactics first began in the Army, where he served for seven years. He served three years as an enlisted Infantryman in the National Guard and then four years as an Armor officer in the Army's Rapid Deployment Force. Following the Army he received his M.B.A. and became involved in the world of information security. Now he fights the bad guys with IPv4 packets as opposed to 120mm SABOT rounds. His passion is researching honeypot technologies and using them to learn more about the enemy. He is founder of the Honeynet Project, moderator of the honeypot maillist, author of Honeypots: Tracking Hackers, co-author of Know Your Enemy and author of several whitepapers. He has also spoken at various conferences and organizations, including Blackhat, SANS, CanSecWest, the Pentagon, NSA, the FBI Academy, JTF-CNO, the President's Advisory Board, the Army War College, and Navy War College.

Security Implications of IPv6
Michael H. Warfield, Senior Researcher and Fellow, Internet Security Systems

IPv6 is a new, widely available version of the Internet Protocol that carries a number of significant performance and security advantages over earlier versions. These same benefits also work to the advantage of IPv6-savvy attackers against networks whose administrators have not deployed IPv6. IPv4 administrators are unaware that IPv6 is available nearly anywhere IPv4 is available and that IPv6 traffic can pass through their networks without their awareness. Because they have ignored IPv6 as something to worry about in the future, they frequently lack the expertise to manage it and they assume it is not present on their networks. But IPv6 and IPv6 transitional mechanisms offer new security issues and open new avenues of attack even on IPv4 based networks.

This presentation will examine the current state of IPv6 and IPv6 transitional mechanisms and their deployment. Some of the security implications against IPv4-only networks in this multiprotocol environment will be explored. Recommendations and best practices for the secure operation of IPv4-only networks in an IPv6 enabled world, as well as of IPv4/IPv6 dual stack networks, will be offered for the network administrators in these environments.

Michael Warfield is the Senior Researcher and Fellow on the X-Force of Internet Security Systems, Inc. (ISS).

With computer security experience dating back to the early 1970s and Unix experience dating back to the early 1980s, Mike is responsible for doing research into security vulnerabilities and intrusion protection techniques for ISS X-Force, the research division of ISS.

Prior to joining ISS, Mike held positions such as Unix systems engineer, Unix consultant, security consultant and network administrator on the Internet. He is one of the resident Unix gurus at the Atlanta UNIX Users Group and is one of the founding members of the Atlanta Linux Enthusiasts. He is also an active member of the Samba development team and is a contributor to the Linux Kernel and numerous Open Source Software projects. Mike has published articles on both Samba and on Security and is a respected cryptographer in the Open Source community.

Hacker Court 2003
Carole Fennelly, Partner, Wizard’s Keys Corp
Don Cavender, Supervisory Special Agent, FBI
Jesse Kornblum, Chief, Computer Investigations and Operations, Air Force Office of Special Investigations
Jack Holleran, Former NSA
Richard Salgado, Senior Counsel, Computer Crime and Intellectual Property Section of the United States Department of Justice
Donald P. Flynn, Jr., Attorney-Advisor for the Department of Defense Cyber Crime Center [DCCC]
Paul Ohm, Attorney, U.S. Department of Justice
Ken Olthoff, emcee
Rebecca Bace, President/CEO of Infidel, Inc
Jonathan Klein, President, Wizard’s Keys Corp
Richard Thieme, CEO, Thiemeworks, Inc
Philip L. Weinstein, Staff Attorney, Federal Defender’s Office
Richard Forno, Founder,
TBD (judge)
TBD (clerk)
Raven Alder

Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand.

This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining. While there isn’t sufficient time to reach a definitive verdict, the audience will be polled to see who made the most convincing argument.

Please note some details of the case may change slightly. We expect to have all evidence, slides, indictments and “news articles” complete at least one month prior to Black Hat Federal.

The defendant in our case for Black Hat Federal is alleged to have illegally accessed a USAF computer, altered the contents of said computer with images against Air Force policy, and attempted extortion.

According to the Complaints filed in this case, FORNI gained unauthorized access to the internal personal computer belonging to one COL. JACK NICHOLS, in the Fall of 2001, when he was employed as a civilian contractor at Andres Air Force Base.

FORNI provided consulting services for the USAF, specializing in the Microsoft Windows platform. FORNI is alleged to have accessed COL. NICHOLS' personal computer without authorization. He is also alleged to have altered the data on the system by causing pornographic images to be installed via a Trojan program, which COL. NICHOLS was tricked into downloading.

In addition, according to the Complaints, FORNI sent a number of e-mails to COL. NICHOLS, demanding that his contract be extended in exchange for his silence regarding a potentially embarrassing situation and his assistance in sanitizing the computer.

Producer/Court Clerk: Carole Fennelly, Wizard's Keys
EmCee/Witness for the Prosecution: Ken Olthoff
Judge: TBD [in a pinch we can use whoever is around]
Federal Marshal: Jack Holleran
Prosecutor: Richard Salgado Senior Counsel, USDoJ
DOJ Attorney: Paul Ohm - attorney, DoJ
Defense Attorney: Donald P. Flynn, Jr
Defendant: Richard Forno,
AFOSI Officer (Prosecution): Jesse Kornblum, AFOSI
Expert witness (Prosecution): Rebecca Bace, Infidel Inc
Expert witness (Defense): Jonathan Klein, Wizard's Keys
Technical Assistant: Raven Alder

Carole Fennelly (producer and contact):
Carole Fennelly is co-founder of the Wizard's Keys security consulting firm which has been providing security expertise to Fortune 500 clients in the New York Metropolitan area for more than ten years. Ms. Fennelly has also published numerous articles for IT World, Sunworld and Information Security Magazine. She has been a speaker at Black Hat and many other security conferences. Her technical background includes over 20 years of in-depth security and administration knowledge of UNIX operating systems.

Rebecca Bace
Rebecca Bace is the President/CEO of Infidel, Inc., a network security consulting practice, headquartered in Scotts Valley, CA. She is also a Venture Partner for Trident Capital, a venture capital firm in Palo Alto. Bace provides strategic and operational consulting services for clients that include security point product developers, legal firms, and Internet solutions providers, and also directs investments in security startups. She is a noted author on topics in intrusion detection, network security, and forensic testimony with credits including the white paper series for ICSA's Intrusion Detection Consortium, a book on Intrusion Detection (published by Macmillan in 2000) and a book on Forensic Testimony (with Fred Smith), published by Addison Wesley in October, 2002.

Donald P. Flynn, Jr.
Mr. Flynn is the Attorney-Advisor for the Department of Defense Cyber Crime Center [DCCC] in Linthicum, MD. His duties consist of developing and teaching computer law-related classes at the DoD Computer Investigations Training Program [DCITP] and providing legal counsel for that organization, DoD Computer Forensic Laboratory [DCFL], and DoD Cyber Crime Institute [DCCI]. He is a retired Air Force Judge Advocate and a graduate of the University of Cincinnati School of Law.

Richard Thieme
Richard Thieme is a business consultant, writer, and professional speaker focused on "life on the edge," in particular the human dimension of technology and work. He is a contributing editor for Information Security Magazine. Speaking/consulting clients include: GE Medical Systems;
Los Alamos National Laboratory; Apache Con; Microsoft; Network Flight Recorder; System Planning Corporation (SPC); InfraGard; Firstar Bank; Financial Services - Information Sharing and Analysis Center (FS-ISAC); Psynapse/Center for the Advancement of Intelligent Systems; Cypress Systems; Assn. for Investment Management and Research (AIMR); Alliant Energy; Wisconsin Electric; UOP; Ajilon; OmniTech; Strong Capital Management; MAPICS; Influent Technology Group; FBI; US Department of the Treasury; the Attorney General of the State of Wisconsin; and the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas.

Jonathan Klein
Jonathan Klein is president and co-founder of Wizard’s keys, a security consultancy located in New Jersey. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose independent consulting as a way to pursue both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan, discovering there is more to being a technical witness than purely technical knowledge. Most recently, he served as defense expert witness in U.S. vs. Oleg Zezev, the Russian citizen accused of hacking into Bloomberg LLP and making extortion demands.

Don Cavender
SSA Cavender is an internationally recognized expert in Internet investigations and digital forensics. Of his thirteen years' experience as an FBI Agent, the past eight years he has been involved in high technology investigations and/or digital forensics. He is presently responsible for instruction in Internet and network investigations for FBI, Federal, State, Local and International law enforcement investigators, as well as providing case support, consultation and research to on-going investigations. Notable accomplishments include Operation Solar Sunrise (1998), where SSA Cavender was a first responder and conducted the network forensics that led to the identification of Ehud Tenenbaum, aka the Analyzer, and Houston Case Agent of Operation Innocent Images (1997-98), the FBI's on-going undercover operation against on-line child sexual exploitation. He is also the second most spotted FBI Agent at Defcon.

Jesse Kornblum
SA Kornblum is the Chief, Computer Investigations and Operations for the Air Force Office of Special Investigations. A graduate of the Massachusetts Institute of Technology, he has experience running intrusion investigations and supporting other agents in more traditional investigations. He is currently responsible for developing tools and techniques to allow agents to conduct investigations.

Jack Holleran
Jack Holleran, CISSP, currently teaches Information Security at several colleges and the Common Body of Knowledge review for ISC2. In a past life, he was the Technical Director of the National Computer Security Center at the National Security Agency and Chair of the National Information Systems Security Conference.

Richard P. Salgado
Richard Salgado serves as Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice. Mr. Salgado specializes in investigating and prosecuting computer network cases, such as computer hacking, denial of service attacks, illegal sniffing, logic bombs, viruses and other technology-driven privacy crimes. Often such crimes cross international jurisdictions; Mr. Salgado helps coordinate and manage the investigation and prosecution of those cases. Mr. Salgado participates in policy development relating to emerging technologies such as the growth of wireless networks, voice over Internet Protocol, surveillance tools and forensic techniques. Mr. Salgado serves as a lead negotiator on behalf of the Department in discussions with communications service providers to ensure that the ability of the Department to enforce the laws and protect national security is not hindered by foreign ownership of the providers or foreign-located facilities. Mr. Salgado also regularly trains investigators and prosecutors on the legal and policy implications of emerging technologies and related criminal conduct. Mr. Salgado is an adjunct law professor at Georgetown University Law Center, where he teaches a Computer Crime seminar, and is a faculty member of the SANS Institute. Mr. Salgado graduated magna cum laude from the University of New Mexico and in 1989 received his J.D. from Yale Law School.

Paul Ohm
Paul Ohm used to write code for a living. Then he went to law school, and he's never really been the same. He now works for the U.S. Department of Justice.

Richard Forno
A student of national security studies, Richard is a frequent lecturer at government, industry, and academic symposia in addition to consulting on various technology security projects. Along with several articles and white papers, he is the co-author of two books on internet security and the author of the forthcoming "Weapons of Mass Delusion: America's Real National Emergency." A popular technology commentator, his comments on technology issues have appeared in Wired, News.Com, Reuters, AP, Federal Computer Week, USA TODAY, MSNBC.COM, The Wall Street Journal, UOL-TV (Brazil), BBC & BBC Radio (UK), among other domestic and international news sources. Richard's home in cyberspace is at

Philip L. Weinstein
Philip Weinstein is a staff attorney with the Federal Defender Division of the Legal Aid Society. He received his BS from Cornell University and J.D. from the University of Michigan.
Since 1994, he has been a Federal Defender in the Southern District of New York, representing clients in both district court and the Court of Appeals for the 2nd Circuit. Prior to that he was Attorney-in-Charge of the Criminal Appeals Bureau of the Legal Aid Society of N.Y., which provided primary representation on NY State appeals. He has served on many bar association committees and taught CLE courses on various subjects.


Adversary Characterization and Scoring Systems
Marcus H. Sachs, P.E., Researcher / Instructor, The SANS Institute.
Tom Parker, Head Of Research, Pentest Ltd (UK).
Eric D. Shaw, Ph.D., Clinical Psychologist, Consulting & Clinical Psychology. Ltd.
Toby Miller, Researcher,

Cyber adversary characterization is a topic which was conceived by the panel members alongside other members of the computer security and intelligence communities in an attempt to provide an accurate way to build profiles of cyber adversaries, much like the way in which criminal psychologists profile more traditional criminals.

The characterization metrics conceived attempt to provide both a characterization of theoretical adversaries, classing them based on statistics harvested from the wild, and an accurate way of characterizing an adversary at an incident response level by studying the methodologies used during the attack.

The panel will begin with an introduction to the topic, followed by in-depth discussion regarding the various characterization metrics and their applications; toward the end, we will be taking questions from the floor.

Marcus H. Sachs, P.E., Researcher / Instructor, The SANS Institute.
Marcus Sachs is a researcher, writer, and instructor for the SANS Institute in Washington D.C. He brings over 22 years of professional experience to SANS including 20 years of active duty service in the United States Army and two years of national cyberspace security policy development. Prior to joining SANS, he was the Director for Communication Infrastructure Protection in the White House Office of Cyberspace Security, was a staff member of the President's Critical Infrastructure Protection Board, and was a senior member of the US Department of Homeland Security's National Cyber Security Division. Mr. Sachs retired from the United States Army in 2001 after serving over 20 years as a Corps of Engineers officer.

He specialized during the latter half of his career in computer network operations, systems automation, and information technology. His final assignment in the Army was with the Defense Department's Joint Task Force for Computer Network Operations, where he was the Senior Operations Analyst and Technical Director.

Tom Parker, Head Of Research, Pentest Ltd (UK).
Tom Parker is one of Britain's most prolific security consultants. He regularly contracts with international firms to provide integral security services. Tom is well known for his vulnerability research on a wide range of platforms and commercial products, developing proof of concept code to demonstrate flaws. Whilst with GIS he played a leading role in developing key relationships between public and private sector security communities. Tom has taken part in closed-door workshops on cyber adversary characterization and has furthered research into this topic under Pentest Limited, provider of security consultancy services throughout Europe. Tom is also known for his research into methodologies for secure transmission of video streams over corporate networks using satellite and multicast technology.

Eric D. Shaw, Ph.D., Clinical Psychologist, Consulting & Clinical Psychology. Ltd.
Eric Shaw is a Clinical Psychologist who has spent the last 20 years specializing in the psychological profiling of political actors and forensic subjects. He has approached profiling from the perspective of an organizational consultant supporting manager development and organizational change, a clinician aiding law enforcement and corporate security, and an intelligence officer supporting national security interests. In addition, Dr. Shaw provides traditional psychological screening, monitoring and debriefing services to government and corporate clients.

As an academic researcher Dr. Shaw has developed new approaches to the remote assessment of individuals and groups. He has particularly specialized in the use of content analysis techniques to produce profiles. As a consultant to the national security community, and as an intelligence officer with the Central Intelligence Agency, Dr. Shaw specialized in the profiling of foreign political leaders and organizations. Dr. Shaw has devoted significant efforts to the assessment of the organizational processes of terrorist groups, developing training manuals and indications and warning systems for intelligence analysts. Since 1998 Dr. Shaw has led a profiling effort of computer hackers sponsored by the Department of Defense. This work identifies individuals at-risk for computer crime, specific motivational subtypes and describes the critical pathway these individuals travel toward escalation to destructive acts. He now provides consultation to corporate and government clients concerned with cyber crimes by employees and outsiders.

Toby Miller, Researcher,
Toby Miller is an independent security consultant. He holds a bachelor's degree in computer information systems and is currently working towards his master's degree. Toby is a contributing author for Intrusion Signatures and Analysis and Maximum Security (revisions 3 and 4). Toby also publishes papers for SecurityFocus and SANS. Toby has spoken at various SANS conferences. Toby is also a certified GIAC Analyst.

(c) 1996-2007 Black Hat