The Black Hat Briefings '01, July 11-12th Las Vegas


The Black Hat Briefings is Wednesday July 11th to Thursday July 12th

07/06/2001: All available material is on-line. Updated materials and missing presentations will be posted as soon as they become available.

Key Note Speakers
William Tafoya
Kevin Manson

Career Routing for the Ethical Code

This presentation will address the following issues:
o Trusted Software Used to Enhance Public Safety.
o Protecting & Serving on the Matrix with Apologies to John Quarterman.
o Who are the Elite, the Attackers or the Defenders?
o Plato's Republic in Cyberspace: Why It's Important to be a Responsible Netizen.
o Where are the Greenhouses That Nurture Ethical Hackers?
o Enlisting a Cyber Civil Defense Corps.
o CyberCorp Scholarships: Where Do I Apply?

Dr. William Tafoya: For the past three years, Dr. Tafoya has been Professor of Criminal Justice at Governors State University. Previously he was Director of Research, Office of International Criminal Justice, University of Illinois at Chicago. He is a retired Special Agent of the Federal Bureau of Investigation.

For 12 months (July 1989 - July 1990), he served as Congressional Research Fellow for the 101st Congress in Washington, DC. There he conducted research on police use of high technology as well as future crime. He remains the only law enforcement officer ever selected to serve in this capacity on behalf of the U. S. Congress. He has guest lectured at numerous universities and various venues internationally. In 1991 he founded the Society of Police Futurists International. Prior to his retirement from the FBI in June 1995, he was assigned in Washington, DC, Quantico, Virginia, and San Francisco, California. Dr. Tafoya served for 11 years at the FBI Academy as a senior faculty member of the Computer Crimes Training and Behavioral Science Units.

He was the first law enforcement officer to make investigative use of the Internet. He created the UNABOMber web site in December 1993. It was generated on a NASA computer because at that time the FBI did not have the capability to implement Bill's ideas on its own computer system. Bill subsequently developed the FBI's Oklahoma City Bombing web page in April 1995. At Governors State University Dr. Tafoya teaches courses in Computer Crime Investigation, Research Methods and Statistics, as well as Strategic Planning. His current research interests are in CyberTerrorism and the application of Virtual Reality for training of law enforcement officers.

His 1986 Ph.D. in Criminology is from the University of Maryland; it was a forecast of the future of law enforcement. He was recently appointed an advisor to the National Cybercrime Training Partnership of the U. S. Department of Justice. Both the print and electronic media have interviewed him extensively nationally and internationally. Twice he has been featured in U. S. News & World Report. More recently he was featured in the April 2001 issue of Information Security.

Kevin Manson: Kevin Manson serves as a Senior Instructor with the Financial Fraud Institute at the Federal Law Enforcement Training Center (FLETC). In 1993, while an instructor with the FLETC Legal Division, he pioneered Internet training for the federal law enforcement community and created FLETC's first major computer security training component in 1997 ("Digital Officer Safety") as well as deploying the first working use of wireless networking in a FLETC training program.

He is the founder of a Virtual Private Network, "Cybercop Secure Communities", which is networking the corporate and law enforcement worlds to strengthen our nation's "Cyber Civil Defense" as contemplated by Presidential Decision Directive 63. His personal interests include the impact of technology on society, promoting industry and law enforcement cooperation in information age security and policing and use of Internet technology to deliver secure distance learning materials over the Internet to the laptops, palmtops and (future) wearable computers of those who serve behind the "thin digital blue line".

Mr. Tafoya and Mr. Manson will be giving a press conference to Black Hat credentialed journalists from 9:15am - 9:45am in the press room.

James Bamford, author of The Puzzle Palace & Body of Secrets

Researching Secrets, Part II

BOOKS: The Puzzle Palace: A Report On NSA, America's Most Secret Intelligence Agency. (Houghton Mifflin and Viking Penguin) An investigation of the largest, most hidden and most important U.S. intelligence agency. The book became a national bestseller and won the Investigative Reporters and Editors Book-of-the-Year Award. In February 1998 Washingtonian magazine called it "a monument to investigative journalism."

Body of Secrets: Anatomy of the Ultrasecret NSA, From the Cold War to the Dawn of a New Century. (Doubleday) A sequel to The Puzzle Palace, the new book takes a close look at NSA from the Cuban Missile Crisis and Vietnam to the present controversy over Echelon. (Due out in April 2001).

TELEVISION: Washington Investigative Producer, ABC News, World News Tonight with Peter Jennings. For nine years, until 1998, I was responsible for long-term, in-depth investigative stories from concept to final airing. The stories have covered a wide range in both topics and geography, from White House scandals to locating spies in Cold War Europe to finding murderers in the Middle East. Many involved complicated investigations in difficult areas of the world, such as locating principal figures involved in the Clinton campaign finance scandal hiding from U.S. authorities in China. I am also the recipient of numerous television reporting awards, including the Overseas Press Club Award for Excellence and the Society of Professional Journalists Deadline Award for the Best Investigative Reporting in Television.

MAGAZINES: I have written on investigative topics for many national magazines, including the cover story on the Iran-contra affair for the New York Times Magazine, the cover on the Russian shoot down of Korean Air Lines 007 for The Washington Post Magazine and the cover on the Mafia for the Los Angeles Times Magazine.

CRITICISM: I have written dozens of op ed pieces and book reviews for the New York Times, The Washington Post, and the Los Angeles Times.

CONGRESS: I have testified on intelligence and secrecy issues before committees of both the U.S. Senate and House of Representatives.

Technical Speakers
Steven M. Christey, The MITRE Corporation

CVE Behind the Scenes: The Complexity of Being Simple

CVE, the Common Vulnerabilities and Exposures list, is just a collection of unique numbers, ridiculously terse descriptions, and a hodgepodge of references.  Isn't it?  To most people, CVE looks quite simple.  And it is, by design.  But simple doesn't always mean easy. I'll delve into some of the roadblocks faced during the short life of "the little list that could."

When David Mann and I proposed the CVE concept to the Vulnerability Database Workshop at Purdue CERIAS in January 1999, we outlined the following major criteria for a good CVE:

  - enumerate and discriminate between all known vulnerabilities
  - assign a standard, unique name to each vulnerability
  - exist independently of the multiple perspectives of what a vulnerability is
  - be publicly "open" and shareable without distribution restrictions

I'll discuss the challenges that MITRE and the CVE Editorial Board face in trying to satisfy these criteria, including: what we got wrong in those early days; the terminological warfare that forced CVE to change its name; how CVE has taxonomical features even though we claim that it's not a taxonomy; how CVE, which supposedly isn't a database, encounters various problems that full-fledged vulnerability databases do; why some candidates have been around for two years - and why some might stay that way forever; the bureaucratic process for creating official CVE entries that nonetheless has its advantages; what's being done about IDS; how CVE can simultaneously suffer from too much information and too little information; how CVE entries themselves have evolved over time, and how they publicly reflect the education of a vulnerability analyst; why it's impossible to please everyone at the same time; how having CVE could have helped in the construction of CVE; the buzzword-compliant techniques that support the population and search of CVE; what's being done about the delays between the initial public announcement of a security problem and the assignment of a candidate number; how there really isn't a CVE "behind the scenes;" and whatever else I (or you) feel like talking about.

Steve Christey is a Lead INFOSEC Engineer in the Security and Information Operations Division at The MITRE Corporation.  After joining MITRE in 1989, he initially conducted research in artificial intelligence (AI), moving into the information security arena in 1993. He was the primary security auditor for MITRE's networks from 1994 to 1999, conducting network-based risk assessment, management, and incident response.  Since 1997, he has conducted research which blends his experience in AI and security, in topics such as automated vulnerability analysis of source code, reverse engineering of executable code, and distributed security assessment.  From 1999 to  the present, he has been the editor of the Common Vulnerabilities and Exposures (CVE) list, and the Chair of the CVE Editorial Board. Mr. Christey holds a B.S. in Computer Science from Hobart College.

Chip Andrews, independent computer security consultant

SQL Security revisited.

As organizations get better at configuring firewalls and intrusion detection systems, what may be left out of the security equation is database server security.  As Microsoft's flagship relational database product and with chart-topping TPC benchmarks, SQL Server is poised to serve as the backbone of many corporate and eCommerce infrastructures.  With all of these SQL Server installations around, who is going to secure them?  How SQL Server security conscious are the people developing the products?  How can SQL Server be transformed from a vessel of your corporate jewels into an injection vector for exploits, rootkits, and other shenanigans?

The SQL Server security presentation will begin with an overview and evolution of the SQL Server security model.  Discussion will include the differences between users and logins, database and server roles, SQL Server service security contexts, and the security of the various net-libs.  There will also be some discussion of the scope of SQL Server's enterprise presence as it has found its way into numerous commercial products that may exist in multiple locations of many shops.

The following section will describe typical SQL Server fingerprinting, information gathering, account acquisition, and privilege escalation techniques used by attackers.  There will be some discussion of the various tools available to the general community to both attack and defend SQL Server installations.  Finally, there will be a clear suggestion for how SQL Server administrators and developers can defend against these attacks including doing some intrusion detection on SQL Server itself.

The final section will discuss the growing problem of SQL-injection attacks and how they affect SQL Server specifically. There will be a demonstration of exactly how attackers inject SQL code into applications and the tricks they use to bypass even the most vigilant input validation. Best practice development techniques will be demonstrated, including how even ad-hoc queries might be better constructed so as not to let attackers inject trojan SQL code into your applications.

Chip Andrews (MCDBA, MCSE+I) has been a programmer (currently VB/SQL/Java/C++) and an independent computer security consultant for more than 16 years and specializes in applying the skills obtained through security consulting to every aspect of product development.  Chip maintains the sqlsecurity web site that focuses on SQL Server security issues.  He currently works as a Software Security Architect for Clarus Corporation, a leader in B2B e-Commerce software applications.

Timothy Mullen, AnchorIS.Com

Grabbing User Credentials via W2k ODBC Libraries

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, and develops secure enterprise-level accounting software products and procedures.

Tim Newsham

Cracking WEP Keys

In this talk, Tim Newsham will apply the techniques of password cracking to the Wired Equivalent Privacy (WEP) protocol used to secure 802.11 traffic. The presentation will cover the basics of the WEP protocol and how keying material is configured and then illustrate techniques to perform traditional password grinding on the keys.  A weakness in one of the key generators that permits very fast recovery of keys will also be discussed.

Timothy Newsham is a computer security researcher with @Stake with interests in networking protocols and UNIX system security.  He received his Bachelors of Science in Electrical Engineering at the University of Hawaii and his Masters in Computer Science at the University of Arizona.  Tim has developed computer security products for Internet Security Systems, Secure Networks and Network Associates and held a research position at Guardent in the past.  He is perhaps best known for his papers "The Problem with Random Increments" which he wrote while at Guardent, and "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection" which he co-authored with Thomas Ptacek while at Secure Networks.

Job de Haas, ITSX

GSM / WAP / SMS Security.

Job de Haas, like many others in the IT and Internet industry, started his career in another technical field. Shortly before finishing his Electrical Engineering studies, in 1991, he came into contact with the Internet. From that moment on, he's been interested in computer security. 

In the beginning this interest was a hobby, albeit a very time consuming one. This was noticed by the first Internet providers that started to appear in The Netherlands. Their systems were almost never secure, and Job cleverly used their offers to give him free Internet access in trade for pointing out security flaws in their systems. This exercise in breaking security has proved to be an invaluable asset when protecting systems, since one can only protect what one can crack. 

Apart from this, Job has been a cryptographic programmer at DigiCash, which has developed a cryptographically secure anonymous payment system for the Internet. 

Chad R. Skipper, Sr. Software Engineer - Symantec Corporation

Polymorphism and Intrusion Detection Systems

As the Internet and corporate networks continue to evolve and grow, much of the conventional wisdom associated with computer security will continue to be challenged, changed, and in some cases will become obsolete. This presentation discusses the effects of polymorphic attacks on networks.  It is important to note that the polymorphic algorithms used to craft malicious attacks are specifically designed to evade common techniques used by Network Intrusion Detection Systems (NIDS). While the use of malicious polymorphic code is not new, we are beginning to see a paradigm shift from polymorphic viruses to polymorphic attacks. 

This presentation will include a description of polymorphic attacks, to include the paradigm shift, encoding process, evasion techniques, TCPDump of polymorphic sessions, and the possible remedies of Intrusion Detection Systems.

Chad has eight years' experience in systems engineering, network security, network design, and Internet design using various operating systems. Chad holds a Bachelor's degree in Computer Information Systems, and has the MCSE, MCP+I, CCNA, and Solaris certifications. During his 4 years enlisted with the Air Force, Chad built and secured several LAN and WAN networks, and was involved with information systems counter intelligence, OSI investigations, information warfare, and exploit intelligence. After the Air Force Chad joined Trident Data Systems, where he integrated UNIX and NT into a secure environment. Chad then joined L-3 Network Security as the Exploitation Engineer, where he researched, developed, verified and documented new vulnerabilities and exploitation techniques for a variety of communications platforms. L-3 Network Security was acquired by Symantec, where today Chad runs a signature development team for host/network based intrusion detection signatures.

Robert Hansen

Hardening .htaccess scripts in Apache environments.

Htaccess is an out-of-the-box method to secure portions of websites using a username/password combination. Several solutions, both theoretical and practical, will be presented on hardening htaccess authentication. In its natural form it has serious flaws that will be explained in detail. In addition, a variation on Morris' attack will be used to show one method of breaking the IP-based authentication methods used by many of the third-party on-line credit card clearing companies.

Robert, known formerly as RSnake and currently as RSenic, has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer.  He devised a method by which to make credit card clearing faster, more secure, and save large amounts of transaction costs.  He successfully negotiated a bridge financing round.  He has founded several security sites and organizations, and has been interviewed by many international magazines, newspapers, and television networks.

Andrew van der Stock, Senior Architect - e-Secure

Alternatives to honeypots or the dtk

Honeypots have a long history and an undeserved high profile in the security industry. Andrew discusses flaws with honeypots, and with popular sites like honeynet who host honeypots, from a technical and risk perspective. However, as their use is moderately common in many sites, a safer replacement should be found.

Andrew will be introducing a new passive intrusion detection tool to assist with providing advanced sites with additional information they require to track down careless attackers. In addition, common sense security advice is given to help reduce the risk profile for the majority of sites.

Andrew van der Stock is a Senior Architect at e-Secure, one of Australia's largest IT specialist security consultancy firms. e-Secure only delivers their core competency: consultancy services, and do not align themselves with any vendor. Andrew has been in security for over six years, and in IT for over eleven. He is a NT/2k/XP sorta guy (dual MCSE, fwiw (not much)), with a strong open source background. He helped develop the matrox drivers in XFree86 and is the current maintainer of pnm2ppa, which allows Unix people to print to HP's worst-ever printers.

Andrew sits on a government panel on the future of DNS competition in Australia, giving technical and security advice (he is one of three tech dudes on a panel of 30, and the only unbiased one ;-). He is the current immediate past President of SAGE-AU.

Cory Scott, Lead Security Consultant - Securify, Inc.

Systems Management in an Untrusted Network: Dealing with backups, monitoring, administration, and logging in the DMZ

Throughout the progression of networked systems from mainframe computing to the Internet world of today, the solutions available to system and network administrators for handling core tasks have also progressed. Applications and protocols for backups, logging, remote access, and monitoring have gotten easier to use, quicker to deploy, and commercially supported. However, these solutions don't necessarily take security into account. While the risk presented by deploying a systems management application with poor security may be mitigated when it is deployed in an internal network, the risk may not be acceptable in an untrusted network or DMZ environment. One only needs to look as far as the ongoing exploit of SNMP vulnerabilities on Internet-accessible hosts to see where the risk management failed. Nonetheless, administrators must keep a careful balance between security and convenience, as the management solutions save time and reduce downtime.

The goal of this presentation is to discuss how to implement systems management components in untrusted or semi-trusted networks with an eye towards security. Solutions for backups, monitoring, administration, and logging will be discussed. Network architectures that support a secure deployment of these solutions will be presented and evaluated. General tips and techniques for deploying applications for systems management will be presented.

Cory Scott has over six years of experience in network and systems security architecture. As a lead security consultant at Securify, he performs in-depth technically oriented tasks for his clients, including secure architecture design, configuration review, incident response, and protocol analysis. Some of his previous engagements have included network and system architecture reviews, in-depth application review and design work, operational and procedure reviews, and emergency response for internal and external incidents for financial institutions, healthcare organizations, security software companies, and e-commerce companies. He is also the Acting Chief Security Officer for Securify, responsible for building an internal security office for Securify's Managed Security Service offering, as well as general corporate security.

He has written on security issues for Windows NT Systems magazine, and he is also a technical editor, editing books on networking, systems, and security for Macmillan, Osborne, and O'Reilly.


DOG of WAR: Attack Box Design

This presentation is geared for those who build scanner and attack boxes for companies and personal use. I will also cover some of the different methods I use in performing Security Audits as an Independent and elaborate on some previous Penetration Testing projects, including "Rooting the Attacker". With time provided and forum interest, I would like to show you some Hacking demos, including ones in which I have been hacked.

Blake is an Independent Internet Consultant based out of the San Jose / San Francisco area. He has conducted hundreds of on-site surveys involving network/system integration and design for a variety of projects and companies, domestically as well as internationally. Technologies include Internet Security, Online Banking, Back-Bone Infrastructures, Data Centers, ISPs, ASPs, Dot-coms, State and Local government communications, ATM, SONET, Microwave, RF, Satellite transmissions, etc.

More Technical Speakers
Ian Goldberg, Zero-Knowledge Systems

The Insecurity of 802.11: An analysis of the Wired Equivalent Privacy protocol

The 802.11 standard for wireless networks includes a Wired Equivalent Privacy (WEP) protocol, used to protect link-layer communications from eavesdropping and other attacks.  We have discovered several serious security flaws in the protocol, stemming from misapplication of cryptographic primitives.  The flaws lead to a number of practical attacks that demonstrate that WEP fails to achieve its security goals.  In this talk, we will discuss in detail each of the flaws, the underlying security principle violations, and the ensuing attacks.

Dr. Ian Goldberg is internationally recognized as one of the world's leading cryptographers and cypherpunks. Dr. Goldberg is a founder of Berkeley's Internet Security, Applications, Authentication and Cryptography group. In addition to developing many of the leading network software titles for the Palm Pilot, he is known for his part in cracking the first RSA Secret Key Challenge in three and a half hours; breaking Netscape's implementation of the encryption system SSL; and breaking the cryptography in the GSM cellular phone standard. In November 1998, Wired magazine selected Dr. Goldberg as one of the "Wired 25" - the twenty-five people who in 1998 are "about to change the rules all over again." In December 2000 he obtained his Ph.D. from UC Berkeley for his thesis "A Pseudonymous Communications Infrastructure for the Internet," which examined the technical and social issues involved in designing the Freedom Network.

Mike Beekey, Senior Manager - Deloitte & Touche

ARP Vulnerabilities: Indefensible Local Network Attacks?

ARP may be one of the most used, but least respected, protocols allowing two devices to establish communications with each other across a network. Unfortunately, even with its critical role of mapping the logical address to the physical address, ARP is inherently susceptible to a variety of spoofing attacks within local subnets. While there have been discussions surrounding this issue and tools written to take advantage of these features, its potential to cause nearly indefensible denial of service attacks with minimal effort appears to still be understood by only a few.

This presentation assumes some familiarity with ARP and will only briefly review the basics. We will discuss the vulnerabilities and a variety of common attack tactics, such as turning your expensive network switch into a dumb hub, sniffing, and performing session hijacking. We will then discuss some more unfriendly techniques, including preventing individuals from accessing network resources, stopping kiddies from performing network scans, and, best or worst of all, bringing all local network connectivity to a complete halt. In addition, we will clear up some prevalent misconceptions about potential defenses and countermeasures, vulnerable systems and devices, and methods for detecting and reacting to these attacks. Lastly, we will discuss and demonstrate testing methods, exploit techniques, and countermeasures using several custom tools.

Mike is a senior manager at Deloitte & Touche and has been working in the computer security area for over eight years. Mike has extensive experience in performing manual penetration and vulnerability testing in a variety of environments. His particular focus and interest is in network protocols, and ways to manipulate them for various attacks and abuse of network devices and IDS systems. Mike has worked as a consultant for a variety of commercial clients, as well as federal and civilian government agencies.

Daiji Sanai, Manager - Security Friday.

Promiscuous node detection using ARP packets

Packet sniffing is a serious security issue for a local network. Malicious users on a local network can capture nearby users' data by using sniffers on a PC. Since just about anyone can easily install and operate a sniffer, it is especially dangerous. I will discuss a technique to detect promiscuous nodes running on local networks. It is a very practical method, because it does not greatly influence the load of the network and it can list doubtful nodes in a short amount of time. This technique is effective for use with the common operating systems Windows and Linux.

I will explain the technique used for promiscuous detection using ARP packets. In addition, I will explain the three layers used for detection. These are hardware filters, software filters, and the ARP mechanisms.

Daiji Sanai is an expert in the field of network security and is also the manager of SecurityFriday, which researches the security of local networks. They are very knowledgeable in the areas of security of the Ethernet layer and of Windows authentication. In his free time, he is a specialist in private information security and web user security.

Marshall Beddoe, Research and Development Engineer with Foundstone, Inc.
Chris Abad, R&D Engineer with Foundstone, Inc.

The Siphon Project: An Implementation of Stealth Target Acquisition and Information Gathering Methodologies 

This new approach to information gathering is the latest in stealth target acquisition technology. This lecture will discuss dynamic routing protocol internals, network mapping methodology, vulnerability analysis techniques, and OS identification procedures. Come prepared for an in-depth compare / contrast session between active and passive network information gathering heuristics. We make informed target acquisition notoriously fun and difficult to detect.

Christopher Abad, an R&D Engineer with Foundstone, Inc., is currently studying mathematics at UCLA and has also done considerable research in the security industry including pioneering work in the concepts of passive network mapping. He has given various presentations on this subject at security conferences including Defcon. You can reach Chris at

Marshall Beddoe is a Research and Development Engineer with Foundstone, Inc. He has performed research in the areas of passive network mapping, remote promiscuous detection, FreeBSD internals and new exploitation techniques with multiple non-profit security groups. Marshall also developed and presented lectures on advanced penetration techniques for the U.S. Military and various Fortune 500 Companies. You can reach Marshall at

Jay Beale, Security Team Director - MandrakeSoft

Attacking and Defending BIND / DJBDNS DNS Servers

This talk basically runs in the Attack and Defense format, where we explain what the traditional attacks have been against name servers and how to harden your setup to defend against them. The methods range from refusing queries from the "wrong" hosts, to chrooting servers, to setting up split-horizon DNS / firewalling setups.

Jay Beale is the Security Team Director at MandrakeSoft, makers of Mandrake Linux. He is also the Lead Developer of the Bastille Linux Project, which creates a hardening program for Linux.  Jay is the author of a number of articles on Unix/Linux security, along with the upcoming book Securing Linux the Bastille Way, to be published by Addison-Wesley. You can learn more about his articles, talks and favorite security links via

Iván Arce, Founder and CTO of CORE-SDI
Max Caceres, Head Engineer, Corelabs, CORE-SDI

Automated Penetration Testing

Penetration tests have become a common practice in the information security industry during the past decade. However, it is still a very immature practice in terms of professionalism, methodology and quality. Automating the penetration test practice will bring it to a new level of quality and trustworthiness. But attempts to do so will face interesting technical challenges. This is perhaps a new challenge to the IS industry for the next years. In our talk we attempt to clarify and define the penetration test practice as it is now. We then proceed to identify current flaws and conclude that automating the practice might solve many of them. Finally we describe the technical difficulties we face in doing so and a possible way to address them.

Ivan Arce, Founder and CTO of CORE-SDI. Ivan is currently responsible for the R&D, IS Consulting, IT and Implementation departments at CORE-SDI. He has managed CORE's IS consulting services team, responsible for coordinating the team execution of hundreds of penetration tests. Ivan has been involved in the research, discovery and reporting of computer security vulnerabilities for the last 10 years. He is also involved in the R&D teams of several top commercial security software projects (network vulnerability scanners, intrusion detection systems, honeypots).

Maximiliano Caceres, Head Engineer, Corelabs, CORE-SDI. Maximiliano is the head engineer for a software development project involving a new information security technology at CORELABS. He is a Senior Consultant of the IS consulting services team at CORE-SDI, responsible for coordinating and executing penetration test, security architecture design and product security evaluation engagements. Maximiliano has also been involved in the research, discovery and reporting of computer security vulnerabilities for the last 8 years.

Jeff Nathan - @Stake
Kevin Depeugh - @Stake

Layer 2 Attacks

We will be using advanced layer 2 mangling techniques to set up a mostly invisible layer 2 tunnel allowing bi-directional packet sniffing.  This allows for perfect sniffing of traffic to and from any host on the layer 2 segment.  We will also be explaining previously undisclosed methods of Denial-of-Service against a gateway.  This talk has far-reaching implications with the explosion of co-location and XSP environments.  As enterprises rely on IP to provide increasingly critical infrastructure services (e.g. VoIP), this becomes particularly relevant: a DoS against network connectivity results in a DoS against the business.

A technical overview examining the implementation details of ARP and other layer 2 communication and management protocols will illustrate the root of the known but often misunderstood vulnerabilities described within the talk.
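As an added example (not code from the talk or from @Stake), here is a small userland monitor in C that does the defender's side of what the abstract describes: it parses Ethernet/ARP frames and flags the three things an ARP-cache poisoning leaves behind on the wire, a known IP that changes MAC, replies that nobody asked for, and a frame whose Ethernet source MAC disagrees with the ARP sender MAC. The frames are constructed inline (an invented 10.0.0.0/24 with a gateway, a victim and an attacker) rather than captured, and the parser assumes untagged Ethernet II frames.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ARP_LEN 28
#define ARP_REQUEST 1
#define ARP_REPLY 2
#define MAX_HOSTS 64

/* Alert bits returned by arp_monitor_feed(). */
#define ALERT_CHANGED 1       /* a known IP now claims a different MAC */
#define ALERT_UNSOLICITED 2   /* reply with no outstanding request for that IP */
#define ALERT_MAC_MISMATCH 4  /* Ethernet source MAC differs from ARP sender MAC */

struct arp_pkt { uint16_t op; uint8_t sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa; };
struct binding { int used; uint32_t ip; uint8_t mac[6]; };
struct arp_monitor {
    struct binding table[MAX_HOSTS]; /* IP -> MAC bindings learned so far */
    uint32_t pending[MAX_HOSTS];     /* target IPs with an unanswered request */
    int npending;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP; -1 if it is anything else. */
int parse_arp(const uint8_t *f, size_t len, struct arp_pkt *out) {
    const uint8_t *a;
    if (len < ETH_HLEN + ARP_LEN || f[12] != 0x08 || f[13] != 0x06) return -1;
    a = f + ETH_HLEN;
    if (a[0] != 0 || a[1] != 1 || a[2] != 8 || a[3] != 0 || a[4] != 6 || a[5] != 4) return -1;
    out->op = (uint16_t)((a[6] << 8) | a[7]);
    memcpy(out->sha, a + 8, 6);  out->spa = be32(a + 14);
    memcpy(out->tha, a + 18, 6); out->tpa = be32(a + 24);
    return 0;
}

/* Feed one frame; returns alert bits (0 = clean) or -1 if the frame is not ARP. */
int arp_monitor_feed(struct arp_monitor *m, const uint8_t *f, size_t len) {
    struct arp_pkt p;
    struct binding *hit = NULL, *slot = NULL;
    int i, found = -1, verdict = 0;
    if (parse_arp(f, len, &p) != 0) return -1;
    if (memcmp(f + 6, p.sha, 6) != 0) verdict |= ALERT_MAC_MISMATCH;   /* crafted frame */
    if (p.op == ARP_REQUEST && p.spa != p.tpa) {   /* gratuitous ARP (spa == tpa) is not a query */
        if (m->npending < MAX_HOSTS) m->pending[m->npending++] = p.tpa;
    } else if (p.op == ARP_REPLY) {
        for (i = 0; i < m->npending; i++) if (m->pending[i] == p.spa) { found = i; break; }
        if (found < 0) verdict |= ALERT_UNSOLICITED;
        else m->pending[found] = m->pending[--m->npending];
    }
    /* Requests carry a sender binding too, and hosts cache it, so learn from both. */
    for (i = 0; i < MAX_HOSTS; i++) {
        if (m->table[i].used && m->table[i].ip == p.spa) { hit = &m->table[i]; break; }
        if (!m->table[i].used && !slot) slot = &m->table[i];
    }
    if (hit) {
        if (memcmp(hit->mac, p.sha, 6) != 0) { verdict |= ALERT_CHANGED; memcpy(hit->mac, p.sha, 6); }
    } else if (slot) {
        slot->used = 1; slot->ip = p.spa; memcpy(slot->mac, p.sha, 6);
    }
    return verdict;
}

/* Build a constructed ARP frame for the demo (not captured traffic). */
size_t build_arp(uint8_t *buf, uint16_t op, const uint8_t *eth_src, const uint8_t *eth_dst,
                 const uint8_t *sha, uint32_t spa, const uint8_t *tha, uint32_t tpa) {
    uint8_t *a = buf + ETH_HLEN;
    memcpy(buf, eth_dst, 6); memcpy(buf + 6, eth_src, 6); buf[12] = 0x08; buf[13] = 0x06;
    a[0] = 0; a[1] = 1; a[2] = 8; a[3] = 0; a[4] = 6; a[5] = 4;
    a[6] = (uint8_t)(op >> 8); a[7] = (uint8_t)op;
    memcpy(a + 8, sha, 6);  put32(a + 14, spa);
    memcpy(a + 18, tha, 6); put32(a + 24, tpa);
    return ETH_HLEN + ARP_LEN;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static const uint8_t MAC_GW[6]       = {0x00, 0x11, 0x22, 0x33, 0x44, 0x01};  /* invented addresses */
static const uint8_t MAC_VICTIM[6]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x05};
static const uint8_t MAC_ATTACKER[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66};
static const uint8_t MAC_BCAST[6]    = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
static const uint8_t MAC_ZERO[6]     = {0};

/* Replay a constructed poisoning sequence from a fresh monitor; returns the verdict for step n (1..5). */
int scenario_step(int n) {
    struct arp_monitor m;
    uint8_t f[ETH_HLEN + ARP_LEN];
    uint32_t gw = IP4(10, 0, 0, 1), victim = IP4(10, 0, 0, 5);
    int step, v = -1;
    if (n < 1 || n > 5) return -1;
    memset(&m, 0, sizeof m);
    for (step = 1; step <= n; step++) {
        size_t len = 0;
        switch (step) {
        case 1: /* victim asks who has the gateway */
            len = build_arp(f, ARP_REQUEST, MAC_VICTIM, MAC_BCAST, MAC_VICTIM, victim, MAC_ZERO, gw); break;
        case 2: /* the real gateway answers */
            len = build_arp(f, ARP_REPLY, MAC_GW, MAC_VICTIM, MAC_GW, gw, MAC_VICTIM, victim); break;
        case 3: /* attacker tells the victim the gateway lives at the attacker's MAC */
            len = build_arp(f, ARP_REPLY, MAC_ATTACKER, MAC_VICTIM, MAC_ATTACKER, gw, MAC_VICTIM, victim); break;
        case 4: /* ... and tells the gateway the victim lives there too: the two-way tunnel */
            len = build_arp(f, ARP_REPLY, MAC_ATTACKER, MAC_GW, MAC_ATTACKER, victim, MAC_GW, gw); break;
        case 5: /* same lie, Ethernet source forged as the gateway's MAC */
            len = build_arp(f, ARP_REPLY, MAC_GW, MAC_VICTIM, MAC_ATTACKER, gw, MAC_VICTIM, victim); break;
        }
        v = arp_monitor_feed(&m, f, len);
    }
    return v;
}

int main(void) {
    for (int n = 1; n <= 5; n++) printf("step %d: alert bits %d\n", n, scenario_step(n));
    return 0;
}
```

The detector keeps a table of bindings rather than a single "gateway MAC" because the two-way tunnel the abstract describes poisons both ends: step 3 lies to the victim about the gateway and step 4 lies to the gateway about the victim, and each shows up as a changed binding plus an unsolicited reply. A real sensor would read frames from a promiscuous interface and age out the pending-request list; both are left out here.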

Eric Brandwine, Incident Response - UUNet
Todd MacDermid, Incident Response - UUNet

Fnord: A Loadable kernel module for defense and honeypots

Loadable Kernel Module (LKM) rootkits are the most effective way for an attacker to maintain access to a machine after the initial compromise. Impervious to most traditional methods of assuring host integrity, they can be a nightmare for someone attempting to detect intrusions or perform forensics.

In this presentation, "Fnord: A Loadable kernel module for defense and honeypots," we will discuss ways to use kernel modules to assure host integrity. This will include monitoring files for unauthorized changes, wrapping system calls to detect unauthorized kernel modules, and assuring secure, covert logging to a secure loghost.

We will also discuss methods of assuring that our honeypot modules remain undetected by intruders, through process hiding, file hiding, environment and kmem alteration, and covert administration utilizing hidden devices and hashed authentication strings.

All methods will be demonstrated live on the Linux 2.2 kernel, although the general methods will be applicable to most modern Unices. 

I - What is a kernel module? 
  A - What is kernel mode? (How processes use system calls)
  B - The system call table:  i - Intercepting system calls  ii - Difficult system calls
  C - What do kmod rootkits currently in use look like?
II - Objectives of Fnord
  A - System integrity, ensure integrity where tripwire can't
  B - Kmod rootkit detection
  C - Honeypot system logging capability:  i - Undetectability  ii - Honeypot process hiding
III - Methods of kmod detection
  A - System call wrap detecting wrappers:  i - The Stone attack
  B - Automated kmod generation
  C - Userland detection with kstat:  i - Kmod defenses against kstat
IV - System integrity
  A - Concepts of "special" dev/inode pairs
  B - Wrapping open() to check for specials
V - Improved Kmod stealthing for honeypots
  A - Extending dev/inode pairs to special filesystems:  i - /proc  ii - /dev/kmem
  B - Administration:  i - Administration device and device hiding  ii - The "L33T" string
  C - Private logging with sklog
  D - Hiding processes/filesystems
  E - Hiding network traffic
VI - Limitations of kernel modules
  A - Non-kmod supporting kernels
  B - BSD kernel security levels
  C - Cryptographically signed module loading
  D - Virtual Machines
  E - What are special restrictions on a honeypot?

Eric Brandwine: I got my first computer when I was 7.  I promptly took it apart. As soon as I got to college, I discovered the Internet, and shortly thereafter, Linux.  My first kernel was in the 0.97 series.  In the course of 4 years, I wasted my Linux box many times, and earned a B.S. in Computer Science with a concentration in Operating Systems, with Honors.

I took a job at the MITRE Corporation in McLean, VA, where I was the primary engineer working to build a lab for air traffic control simulations.  There, I learned a whole lot about systems administration, and wrote several Linux device drivers for analog and digital I/O boards.

In March of 1999, I accepted a position with UUNET Technologies as a member of the Network Security team.  I spent the first year there as a programmer, qualifying systems and writing security tools.  I spent most of the second year in Europe, as a member of the Incident Response team.  There, I investigated several kernel module based intrusions.  I've since returned to the US, where I still perform Incident Response domestically, as well as work on projects like Fnord.

Todd MacDermid: Todd MacDermid used to be an aerospace controls engineer, programming flying robots to be dynamically stable. In this work, he wrote device drivers for A/D boards under QNX, as well as the software to control the bots at the other end of the boards.

In December 1999 he was whisked away by the UUNet Network Security group to be a developer/analyst/incident response guy. Since then he has programmed packet flooders, AAA systems, and several system integrity assurance programs. 

Jose Nazario, crimelabs

The future of internet worms

Historically, some of the most devastating attacks and widespread intrusions have come through autonomous intrusion agents, commonly referred to as  'worms'. Our paper dissects worms into their six components and discusses these. Several worms are then mapped onto this analysis, including the Morris Worm, the Linux Ramen Worm, and the FunLove Worm. 

All of these worms are monolithic in nature, while the above components can be put together to form a modular worm. Furthermore, each of these components need not be present in any incident of the worm. We then go on to discuss a hypothetical worm system, which has a rather devastating potential. Using evolving instances, covert mechanisms and smarter techniques, this worm system can evade detection, and be used for a variety of purposes.

Most importantly, this is where we see worms headed in the near future. Current worms, like Ramen, are only the tip of the iceberg. Our goal is to get people thinking about how to detect a worm based upon this model.

A Brief Outline

Introduction:  worms vs virii &  why worms are devastating
Worm Theory
  six components: 1) communications 2) command 3) on board capabilities 4) off board capabilities 5) recon 6) intelligence
  how they fit together
Worm Analysis: 1) Ramen Worm 2) KakWorm 3) Morris Worm
Hypothetical Worm
  Considerations: 1) stealth 2) distribution 3) pace 4) introduction

Currently, I am completing a Ph.D. degree in Biochemistry in Cleveland, OH. I also have been studying high-end computing for approximately ten years, and have been focused on applying my skills in UNIX and networking administration to security administration and research. I feel that by applying the morphing approaches of biological systems to computing, both new threats and adaptive defense strategies emerge. This research into the future of worms is an outgrowth of this philosophy. I perform network security consulting for supplemental income.


Palante

Top 25 overlooked security configurations on your switches and routers

Routers and switches ARE your network. They control your network and everything in it. So what are you doing to protect yourself against someone shutting down or flooding your network, rerouting packets, or even sniffing or hijacking traffic THROUGH YOUR SWITCH? Telecoms have it even worse: they don't have the luxury of hiding everything behind an egress-only firewall.

Coverage spans LLC, Layer 2, ARP, and Layer 3. Both Cisco and Foundry Networks equipment will be covered, with the general syntax of corrective commands. Basic familiarity with device configuration is strongly advised; you may want to bring a copy of your config to take notes on during the presentation.

"Palante" is a three time prize winner in Defcon Capture the Flag, speaker at the 1999 and 2000 ToorCon Security Expo, and kernel programmer. Employed with the pen-test team of an unnamed Fortune 500 consulting firm, his telecom-specific experience includes security work in a large (OC 192) telecom data center, a national ISP, a county government's MAN, and most recently a NAP.

Tools of the Trade
Simple Nomad, Senior Security Analyst - BindView

The RAZOR Warez

BindView's RAZOR team performs research into security issues and, to illustrate a point, will often write a tool to help illustrate a strategy, explain a technical paper, or even demonstrate a vulnerability. In this presentation, RAZOR will discuss some of these tools and give a live demonstration of some of their features. All of the tools are open source freeware, with many already in use by security professionals.

Simple Nomad, Senior Security Analyst for BindView's RAZOR team, has spent years testing the security of computer systems. He has authored numerous papers and tools, lectures at security conferences, written magazine articles, and has been quoted in print and on television regarding computer security issues.

Rain Forest Puppy

rfp.labs: new toys in the works

So what's going on with rfp.labs?  There are rumors of whisker 2.0 being out, a weird proxy tool with embedded flash animations, and all these preview releases of some library/API thingy...  RFP intends to set the record straight on what's what, where it's going, and how you can get your hands on it.

RFP is the Chief Executive Puppy of rfp.labs, an independent research lab nestled somewhere in the midwest.  The mission of rfp.labs is to provide managed sarcasm services via P2P, B2B, P2B, and L2TP channels, in conjunction with the implementation of innovative products that border on current technological advances in the security industry.  In his spare time, RFP is an advocate for

Martin Roesch,


Snort is probably the largest and most popular Open Source network intrusion detection system available today.  It allows users to monitor their networks for signs of hostile activity, as well as to perform a host of other tasks, ranging from ones as mundane as generic packet sniffing to ones as complex as forensic analysis of network attack traffic.

This talk will discuss the background of Snort, as well as the capabilities and uses of the program.  The current architecture of the underlying subsystems that constitute its core functionality will also be examined, in addition to the proposed changes to the system that will be the basis of Snort 2.0.  Additionally, the talk will get into the details of what it takes to build a network intrusion detection system and how Snort came to be built.

Martin Roesch is the founder of Sourcefire Inc and has served as President and CEO since its inception. Martin is also the author and lead developer of the open source (GPL) Snort Network Intrusion Detection System that forms the foundation of the Sourcefire product line. Over the past five years, he has developed a variety of network security tools and technologies including intrusion detection systems, honeypots, network scanners, and policy enforcement systems for organizations such as GTE Internetworking, Stanford Telecommunications, Inc, and the Department of Defense. He has applied his knowledge of network security to penetration testing and network forensics for a variety of government and large corporate customers over this period as well. Martin holds a B.S. in Electrical and Computer Engineering from Clarkson University.

Renaud Deraison, The Nessus Project

Reducing the costs of vulnerability assessment using Nessus 1.2

Thomas Olofsson, C.T.O. - Defcom AB

Building a blind ip spoofed port scanning tool

Thomas Olofsson has a background in hardware and software development for digital and analogue communication systems for military applications.  He has been involved in the development of secure communications for the last eight years, with a skill set ranging from major telco switchboards to modern networked environments. Thomas has extensive experience in penetration testing of high-security facilities and has specialized in the security of internet banking applications.  Thomas is now working as C.T.O. at Defcom with a main focus on developing Defcom's services and technologies in penetration testing and intrusion detection as well as forensics. During his years as a security consultant he has done jobs for more than ten major banks worldwide.

White Hat - Management Issues
Walter Gary Sharp, SR, Principal Information Security Engineer - The MITRE Corporation

Key Legal Implications of Computer Network Defense

Computers and information technology have become a ubiquitous facet of our professional and personal lives.  One of America's greatest challenges is to balance its citizens' privacy and civil liberties with an effective ability to:

  • Protect America's information infrastructure;
  • Detect potential attacks by joy-hackers, economic competitors, criminals, terrorists, and hostile states; and,
  • Respond effectively in a way that is compatible with American democratic principles and international law.

In today's society, an attack on America's information infrastructure is a threat to our very way of life, and every system owner must understand the legal regime that governs how his or her computer network can be effectively defended.

This presentation will provide a detailed survey of the legal issues and problems involved in computer network defense: what is lawful, what is unlawful, why international and foreign law are important, and how the private and government sectors should craft an effective computer network defense within the legal restrictions found in U.S. domestic, international, and foreign law.  It will conclude with a series of recommendations on how the private and government sectors can improve America's defense against computer network attacks.

WALTER GARY SHARP, SR. is an experienced and well-published author, international lawyer, trial attorney, and engineer who has had a distinguished career in law, education, government service, and private industry.  He currently serves as a Principal Information Security Engineer at THE MITRE CORPORATION.  As such, he is responsible for providing national and agency-level strategy and policy implementation guidance to U.S. government clients on all issues related to information security, critical infrastructure protection, intrusion detection, computer security incident response, penetration testing, vulnerability analysis, computer network defense, and information operations.  Gary has provided support to the Department of Defense critical infrastructure protection work programs as well as on-site information security support to the Department of Energy Chief Information Officer.  He now serves as a section leader and task leader at MITRE responsible for assisting the IRS in establishing a Treasury-wide computer security incident response capability and performing penetration testing and vulnerability assessments throughout the IRS and its private sector partners.  He is also responsible for developing information security work programs with the Customs Service during its modernization program.

In 1978, Gary graduated from the U.S. Naval Academy with a Bachelor of Science in Aerospace Engineering and received his commission in the U.S. Marine Corps.  He retired from the Marines in December 1997 as a Lieutenant Colonel with prior enlisted service and 25 years of active duty as a field artillery officer and judge advocate.  Gary's military assignments included serving as Deputy Legal Counsel to the Chairman of the Joint Chiefs of Staff from August 1994 to August 1997.  While serving in the Chairman's office, Gary was responsible for the preparation of legal and policy advice on issues relating to military operations, rules of engagement, information operations, information warfare, information assurance, arms control, peacekeeping, international law, national security law, and constitutional law.  During his career as a military attorney, he was frequently involved in the National Security Council interagency coordination process and participated in multiple international negotiations.  After leaving active duty, Gary served for two years as Senior Counsel and Principal National Security Policy Analyst at AEGIS RESEARCH CORPORATION before accepting his current position at MITRE.  Gary also currently serves as an Adjunct Professor of Law at Georgetown University Law Center, where he teaches two graduate-level seminars on United Nations Peace Operations and International Peace and Security.  Starting in the Fall semester of 2001, Gary will also teach a course on computer network defense and the use of force in cyberspace.

Gary received his law degree in 1984 from Texas Tech University School of Law.  He holds an LL.M. in international and comparative law from Georgetown University Law Center, and an LL.M. in military law from The Judge Advocate General's School.  He has also been admitted to candidacy at the University of Virginia for his S.J.D.  Gary has won four major academic awards and honors for writing excellence, and frequently lectures in universities and other public fora across the nation.  He is the author of 3 books entitled UNITED NATIONS PEACE OPERATIONS, CYBERSPACE AND THE USE OF FORCE, and JUS PACIARII; 10 law journal articles; 12 articles that appeared in magazines or other periodicals; and 27 newspaper articles.

Gregory S. Miles, Ph.D., Director, CyberCrime Response - JAWZ Inc.

Computer Forensics: A Critical Process in Your Incident Response Plan

HOW?  How did my computer die? How did my website get hacked?  Sometimes the answer is clear and sometimes it's hidden.  This presentation will focus on the critical elements of Computer Forensics as it relates to Incident Response.  Computer Forensics is as much a legal and procedural capability as it is a technical capability.  Ensuring you follow the appropriate procedures is as important as the technical capability of your analyst.  A brief overview of the Incident Response process will provide you with the basis for the computer forensics process.  We will cover the different kinds of computer forensics, the computer forensics process, technical and legal aspects, tools of the trade, and possible future aspects.  This presentation provides the basics to target your incident response and computer forensics capabilities.

Greg has over fourteen years in Computer and Information Systems.  The last ten years have been focused on the design, development, and implementation of Information System Security Solutions.  He currently serves as the Director of CyberCrime Response for JAWZ Inc and the COO/CFO for Security Horizon Inc.  Greg is responsible for JAWZ' Computer Incident Response Team (CIRT), Computer Forensic analysis and investigation, and all JAWZ computer security and forensics training courses.

Greg possesses a Ph.D. in Engineering Management, an M.S. in Administration, and a B.S. in Electrical Engineering.  He has extensive training in technology and management and has authored articles for security periodicals and websites, including The International Journal on CyberCrime, DuckTank, and Security Horizon.

Daniel VanBelleghem, CISSP - SRA International

Solving Network Mysteries

Have you ever wondered what data is traveling around your network?  Internal network activity is seldom what you expect and often remains a mystery to most system administrators.  Understanding what users are doing, how they comply with corporate security policies and how they communicate both inside and outside a network is an integral part of understanding your internal security posture.  However, this understanding is often overlooked.

This session will present a collection of "real life" observations demonstrating that what really happens on your internal network is not what you think.  These observations will explore common traits collected from solving real network mysteries.

Examples of observations to be examined during this session include:

- Uncovering installed Distributed Denial of Service (DDOS) agents
- Finding Trojan Horses and other backdoors
- Exposing harassing e-mails in the workplace
- Discovering corporate resources misused and abused

The various audit and monitoring methodologies used to detect, analyze and recover from these observations will be presented.  Current trends in analysis tools will be discussed and tips will be offered on how to analyze your audit and monitoring activities with high-quality and consistent results.  Potential benefits you should expect from performing audit and monitoring inside your network will be discussed, including positive user behavior, an increased incident response capability and improved overall accountability.  Recommendations on dealing with sensitive issues such as inappropriate web surfing, threatening or harassing behavior and others will be provided along with possible alternative solutions.

This perspective on network activity offers invaluable information to all professionals involved in the technical or policy aspects of managing security and privacy in electronic communications.

Daniel VanBelleghem is currently a member of the Information Assurance group at SRA International. In this role, he conducts security-related research and consulting activities including providing strategic guidance to customers, analyzing network traffic for security-related incidents, and designing security solutions to maintain integrity and prevent loss of intellectual capital.  Before joining SRA, Dan was in the security consulting business with the firms Network Forensics, Deloitte & Touche and Booz Allen & Hamilton.

Dan holds a Master of Science degree in Systems Engineering from Virginia Tech, a Bachelor of Science degree in Electrical Engineering from Northeastern University and is a Certified Information Systems Security Professional (CISSP).  Dan's professional affiliations include the International Information Systems Security Certification Consortium (ISC2) and the High Technology Crime Investigations Association (HTCIA).

Mandy Andress, CEO - ArcSec Technologies, Inc.

Wireless LAN Security

The ease of use and increased mobility provided by Wireless LANs are making them one of the must-have technologies for every IT department. As usual, security considerations are the last thing on anyone's mind. Among other things, how do you protect your network from rogue systems trying to access the network with a wireless NIC? This presentation will discuss weaknesses with current wireless LAN technology, what security issues should be considered when installing a wireless LAN, and what technologies can help mitigate these issues.

Mandy Andress, CISSP, SSCP, CPA, CISA, is Founder and President of ArcSec Technologies. Before starting ArcSec Technologies, Mandy worked for Exxon USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young.  At Exxon, Mandy worked in the internal audit department, performing information system controls reviews for Exxon USA departments and subsidiaries.  At Deloitte & Touche, she focused on security controls analysis, performing many security audits in the healthcare, financial services, oil and gas, and energy industries.  At Ernst & Young, Mandy increased her technical skills by performing vulnerability assessments, firewall reviews, PKI analysis and deployment, security architecture design, and developing and deploying VPN solutions. While at Ernst & Young, Mandy gained extensive hands-on experience with numerous security products and technologies.

After leaving the Big 5, Mandy became Director of Security for Privada, Inc., a privacy startup in San Jose.  At Privada, Mandy helped develop security policies, design a secure network, develop Firewall/VPN solutions, increase physical security, secure product design, and perform periodic network vulnerability testing.

Mandy has written numerous security product and technology reviews for InfoWorld magazine and other publications including Information Security Magazine, Federal Computer Week, Internet Security Advisor, and IBM DeveloperWorks. She is also a frequent presenter at conferences, including Networld+Interop and TISC. She is also the author of Surviving Security.
Mandy holds a Bachelor of Business Administration - Accounting and a Master of Science - MIS from Texas A&M University.

Meet the Press Hosted By BindView Corporation's RAZOR Team

Ever wonder what makes reporters tick?  What drives them to cover the security news that they do?  How do they decide what hacks, viruses and vulnerabilities get printed and which don't?  At the "Meet the Press" panel, hosted by members of BindView's RAZOR Team, find out what interests the media and what their views on the security market are.  Panelists include reporters from leading business and trade industry press.  In addition, attendees will have the opportunity to turn the tables and put the reporters in the interview "hot seat" in a question and answer session.

Brian Martin
B.K. DeLong


The Attrition Web Defacement Mirror began as a small collection of mostly high profile Web defacement mirrors and quickly grew into the largest archive of its kind on the Net.  In less than two years it moved from a few dozen mirrors to over fifteen thousand.  The process of identifying, confirming and recording a mirror of a defaced site began as a simple set of commands and quickly morphed into a thousand-line custom application handling more tasks than we ever had imagined.

From start to finish, the mirror brought on more challenges and unique obstacles than we were prepared for. In retrospect, the lessons learned and insight gained from the world of Web defacing is staggering. This presentation will cover many of those aspects and begin to explain the ins and outs of running such a mirror, hopefully giving insight to future developers who decide to create their own and to computer security experts who will use such mirrors.

  • Defacement Notifications
    * who, how, where and more
  • Administrative Response to our notifications
    * hostility, threats, mistrust and a bit of thanks
  • What else is being hacked/defaced, not displayed on the mirror
  • Journalism (mostly at its worst)
  • 'hacker site' to 'security site' in two years
  • Cashing in on the mirror
    * we didn't
    * ambulance chasers sure tried
  • Tracking Hackers
    * we didn't
    * good thing for them
  • Automation (limits to everything)

Brian Martin (aka Jericho) is a founder and staff member of the Attrition site. His day job includes a wide variety of security consulting provided to commercial and government outfits. When not working, he devotes a lot of time to the maintenance and updating of the security resource. He has three cats.

B.K. DeLong (aka McIntyre) is a staff member of the Attrition site and a researcher, writer and editor by day, as well as a common face in the Web standards and development community.

Deep Knowledge
Lance Spitzner

The Honey Net Project

The Honeynet Project will make a group presentation of their research.  Specifically, members will discuss the goals of the project, how they accomplish their research, what they have found, and where they plan to go in the future.  The presentation will be interactive, giving you an opportunity to ask a variety of team members questions.

Ofir Arkin, Founder, The Sys-Security Group

Introducing X: Playing Tricks with ICMP

During my research with the "ICMP Usage In Scanning" project, I have discovered some new active and passive operating system fingerprinting methods using the ICMP protocol; methods that are simple and efficient.

The active operating system fingerprinting methods were not correlated into a certain logic, a logic that would allow us to use any available method in order to, wisely, actively fingerprint an operating system.

In this talk I will be releasing a new active operating system fingerprinting tool using the active OS fingerprinting methods with the ICMP protocol I have discovered. I will be explaining the tool's inner workings and the various active OS fingerprinting methods with ICMP implemented and used in the tool. The tool's limitations, ways to detect its usage, and how to defend ourselves from its abilities will also be discussed. Future plans and enhancements, which include a different approach to OS detection, will be presented as well.

Ofir Arkin is the Founder of the Sys-Security Group, a free computer security research body. Ofir is most widely known for his research about ICMP protocol usage in scanning. He has extensive knowledge and experience with many aspects of the Information Security field including: Cryptography, Firewalls, Intrusion Detection, OS Security, TCP/IP, Network Security, Internet Security, Networking Devices Security, Security Assessment, Penetration Testing, E-Commerce, and Information Warfare. Ofir has worked as a consultant for several European finance institutes where he played the role of Senior Security Analyst and Chief Security Architect in major projects. Ofir has published several papers, the newest dealing with "Passive Fingerprinting techniques" and with "ICMP protocol usage In Scanning".

HalVar Flake - Reverse Engineer, Black Hat.

Hit them where it hurts: Finding holes in COTS software

Application security is crucial in any modern networked environment. While many security architectures can survive a single critical service "developing" a major security vulnerability, few will survive the separate "development" of several vulnerabilities for several critical systems at once.

While everybody knows that commercial-off-the-shelf (COTS) software is usually full of bugs, few researchers outside of government organizations actually analyze the disassembly of COTS software for common programming mistakes such as buffer overruns and format string vulnerabilities. This speech will introduce you to the topic of analyzing COTS software for (in)security.

An overview of various problematic C/C++ coding mistakes will be given, with specific detail on how these mistakes translate to the underlying assembly language (specifically IA32/x86 assembly). After the audience is familiar with spotting these mistakes, the focus of the speech will shift towards automating the boring and repetitive tasks of auditing COTS software: programs which automatically find suspicious constructs in binaries will be explained and demonstrated.

The last focus of the presentation will be a demonstration of how the techniques discussed would be applied to a major networking infrastructure product such as a commercial and widely used firewall.
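As an added example for the C/C++ mistakes named above (my code, not the speaker's tooling), the functions below place an unbounded strcpy/sprintf pair next to a bounded version of the same routine, and add the small check an auditor applies to format strings. The comments say what the unsafe construct looks like in IA32 disassembly, since that is what the automated scanners in the talk key on; the buffer sizes and sample strings are arbitrary choices for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16
#define LINE_LEN 64

/* VULNERABLE: the construct an auditor greps the disassembly for.  A fixed-size stack buffer
 * (lea eax,[ebp-0x10] ; push eax) handed to strcpy/sprintf with no length anywhere nearby.
 * Never call this with untrusted input; it is here to be compared with greet_safe(). */
int greet_unsafe(const char *user, char *out) {
    char name[NAME_LEN];
    strcpy(name, user);                       /* user longer than 15 bytes overruns name */
    return sprintf(out, "hello %s", name);    /* and an unbounded write into the caller's buffer */
}

/* HARDENED: the length is checked before the copy, every write is bounded, and an oversize
 * input is reported (-1) instead of being silently truncated or written past the end. */
int greet_safe(const char *user, char *out, size_t outlen) {
    char name[NAME_LEN];
    size_t n = strlen(user);
    int w;
    if (n >= sizeof name) return -1;
    memcpy(name, user, n + 1);
    w = snprintf(out, outlen, "hello %s", name);
    if (w < 0 || (size_t)w >= outlen) return -1;   /* snprintf tells you what it wanted to write */
    return w;
}

/* Format strings.  The audit rule is "printf-family call whose format is not a literal and
 * which passes no further arguments" (in the disassembly: one push, then call printf).  When a
 * format genuinely must come from outside, this is the minimum runtime check: count the
 * conversions and refuse %n outright, since %n is what turns a read primitive into a write. */
int scan_format(const char *fmt) {
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }                       /* "%%" is a literal percent */
        count++;
        while (p[1] && strchr("-+ #0123456789.lhqjzt", p[1])) p++; /* flags, width, precision, length */
        if (p[1] == 'n') return -1;
    }
    return count;
}

/* Attacker text is data, never the format: the only format here is the literal "%s". */
int log_safe(char *out, size_t outlen, const char *user_msg) {
    int w = snprintf(out, outlen, "%s", user_msg);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}

/* Wrappers with a local buffer so the behaviour can be checked by return value alone. */
int demo_greet_safe(const char *user) { char line[LINE_LEN]; return greet_safe(user, line, sizeof line); }
int demo_log_safe(const char *msg)    { char line[LINE_LEN]; return log_safe(line, sizeof line, msg); }

int main(void) {
    char line[LINE_LEN];
    greet_unsafe("bob", line);                 /* benign input: the bug does not fire here */
    printf("%s\n", line);
    printf("greet_safe(\"alice\") -> %d\n", demo_greet_safe("alice"));
    printf("greet_safe(20-byte name) -> %d\n", demo_greet_safe("a 20 char long name!"));
    printf("scan_format(\"%%08x%%08x%%n\") -> %d\n", scan_format("%08x%08x%n"));
    return 0;
}
```

The unsafe function is kept deliberately: the point of the talk is that the two versions look alike in source and in the binary except for one thing, the presence or absence of a length operand on the copy, which is exactly what a scanner can pattern-match on. The %n refusal is a last line of defence, not a fix; the fix is the literal "%s" in log_safe().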

HalVar Flake is BlackHat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined BlackHat as their main reverse engineer.

Dan Kaminsky, CISSP

Gateway Cryptography:  Hacking Impossible Tunnels through Improbable Networks with OpenSSH and the GNU Privacy Guard.

1) Theory of Gateway Cryptography
2) Methods of securely connecting mutually firewalled hosts
3) Turning any SSHD into a VPN termination point (without using PPP over SSH)
4) Dynamically Rekeyed OpenPGP
5) PPTP over SSH
6) Securely SUing to root
7) Robustifying live-configuration of OpenSSH
8) SFTP Compatibility Mode (implementing everything with cat, tar, and tail)

    Last Stage of Delirium Research Group

    UNIX assembly codes development for vulnerabilities illustration purposes

    The main goal of this presentation is to provide a brief introduction to the development of low-level assembly routines used in proof of concept codes for a specific class of vulnerabilities such as buffer overflows and format strings. These assembly routines (with shellcode execution as the simplest example) play a critical role in such attacks, and their preparation often requires using appropriate techniques specific to a given operating system. In our presentation we will focus mainly on RISC-based commercial operating systems such as Irix/MIPS, Solaris/SPARC, HP-UX/PA-RISC and Aix/PowerPC/POWER.

    In the following sections of our presentation we will discuss different aspects of creating the aforementioned assembly routines. At the beginning we will present the functionality of various routines, in the context of active/passive and local/remote attacks. Next, we will provide a comparative look at each of the discussed operating system platforms in the context of a given processor architecture and its machine language specifics. Then, we will try to present the main problems involved in the development of such assembly routines for selected operating systems, along with appropriate solutions that may be used in such cases. As the presentation will be done from the code developers' point of view, it will be enriched with some illustrative examples.

    At the end, we will provide a summary and discuss the motivations for developing such codes. Along with the presentation, an accompanying technical document will be provided, containing a more detailed discussion of the presented techniques with regard to a larger set of operating systems/platforms. This paper should be considered complementary material to our presentation. In its appendix, ready-to-use sample codes for every discussed system will also be included.

    Last Stage of Delirium Research Group is a non-profit organization established in 1996 in Poland. Its main fields of activity cover various aspects of modern network and information security, with special emphasis on the analysis of technologies for gaining unauthorized access to systems (including the actual search for vulnerabilities, developing reverse engineering tools, proof of concept codes as well as general technologies for exploitation of vulnerabilities). The group has significant experience in performing penetration tests (based upon its own codes, tools and techniques) as well as in the design and deployment of security solutions for complex network infrastructures, including experiments with Intrusion Detection and Prevention Systems.

    The group consists of four members, all graduates (M.Sc.) in Computer Science from the Poznan University of Technology. For the last six years they have been working as the Security Team at Poznan Supercomputing and Networking Center. As the LSD Research Team, they have also discovered several vulnerabilities in commercial systems and provided proof of concept codes for many others. More information, including samples of their work, can be found at the LSD website.

    Kevin McPeake, Consultant

    Falling Dominos

    Lotus Notes / Domino is considered one of the more secure mail/groupware platforms in the world. With an installed base of more than 50 million (mainly corporate and government) seats, the product is used by almost all financial institutions, big 6 accounting firms, government secret agencies and defense organizations.

    At Defcon 8, Trust Factory consultants Patrick Guenther, Kevin McPeake and Wouter Aukema presented several new vulnerabilities along with Chris 'BloodAxe' Goggans, of Security Design International, who validated their research. Topics included known vulnerabilities and new ones, such as bypassing the Execution Control List, modifying Notes design elements and identity theft. Using Notes Sesame, a tool written by Patrick Guenther, Trust Factory demonstrated weaknesses in the hashing algorithms for internet passwords as well as in the validation of Notes ID-files obtained from remote networks and users.

    At Black Hat Windows 2001, Kevin McPeake will give in-depth information about the vulnerabilities they discovered. They will also give an update on the latest results of their ongoing research.

    1. Execution Control List: The ECL was designed to prevent malicious code from running on a client. Several methods exist to bypass and/or reset the ECL.
    2. Design Element manipulations: How to re-enable Stored Forms, which is known to be a dangerous feature, and implementing mechanisms for information operations.
    3. Traditional hashing algorithms.
    4. ID-file: The validation mechanism, bypassing it, and brute forcing an ID-file.
    5. Revealing the 'strong' password hash: The strong password hash was Lotus' answer to the vulnerabilities they discovered. Patrick will talk about the latest findings of his research regarding the "strong password hash".

    Originally entering the world of computer security at the age of 11, armed with his TRS-80, Kevin McPeake has worked in many different facets of the computer industry. In the early '90s, after he began his formal career, he developed applications for various banks and institutions which were making the move to electronic funds transfers over X.25 networks. In 1993, his skills in protocols & programming were recognized by a Dutch firm, who relocated him to Germany and later to The Netherlands, where he worked on various protocol development for the BBS & Telecom industry. After trying his hand at International Sales (which he refers to as "paid social engineering") in 1994, Kevin returned to the IT market in the USA, where he worked as an X.25 network & Internet consultant. In 1996, Kevin was relocated to The Netherlands for his "2nd Tour of Duty" by another Dutch firm, where he served as an Infrastructure Consultant and later Chief of Network Security.

    George Jelatis, CISSP, Secure Computing Corporation.
    David Pappas, Secure Computing Corporation.

    Countering the Insider Threat with the Autonomic Distributed Firewall (ADF)

    George and Dave will explain and demonstrate a revolutionary approach to internal network security that protects against insider threats as well as classic external threats.  This is NOT a product pitch but a demonstration of the results of cutting edge security R&D.  The closest we will get to product discussion is to point out that the demo runs on COTS hardware -- this is not a prototype or an R&D toy but real, functional technology.

    This approach is called the Autonomic Distributed Firewall (ADF). The ADF distributes network layer security onto smart hardware directly in front of critical hosts. It uses distributed firewalls embedded in every NIC to control protocols, ports, and encryption (IPSec) at every host's connection with the network. Only a centralized policy controller can set or modify the embedded firewall policies, and each embedded firewall can have its own policy. ADF complements existing perimeter firewalls by adding another layer of defense to counter attacks by insiders or Trojan Horse code. ADF is far stronger than existing host or application security because, unlike software-based "personal firewalls", it cannot be subverted by malicious users or code.

    The demonstration will show how various attacks and casual sniffing and spoofing can all be blocked, using special firmware loaded onto a standard 3Com NIC. Because it uses a COTS NIC, the ADF is cost-effective and easy to deploy.

    George Jelatis directs Secure Computing's e-business and other Internet programs. He speaks widely on information security topics and advises major clients on security architecture, safeguards and procedures.

    George has concentrated on information security R&D and practice for over 15 years and has been messing about with computers for much longer.  George holds a Bachelor of Physics and a Master of Science in Computer Science, both from the University of Minnesota.  He is a Certified Information Systems Security Professional (CISSP) and a recognized security curmudgeon.

    David Pappas is the Director of Advanced Technology Research Operations at Secure Computing. David coordinates, presents and facilitates many talks and briefs on government and industry computer security, leading edge technology capabilities, and research / development programs. David holds Bachelor of Science degrees in both software programming and hardware development. David has been working in the computer security field for over 7 years and most recently left the Department of the Army, where he ran the Army's Computer Emergency Response Team (CERT).

    Lunch Speakers
    Richard Thieme, CEO

    Defending the Information Web:  New Ways of Thinking About Security

    Computer security often focuses on trees. Yet data becomes meaningful only when seen as a forest.

    Security means operating on the macro level of the Big Picture. Security means defending an organizational structure, not its data. Security begins, therefore, with a mental model of the organization, not the data inside it. Attacker and defender share this mental model prior to attack or defense. Attackers must know what they're looking for before they look for it.

    It's a paradox, all right. Security begins and ends with a shared paradigm. To the degree that it doesn't, data is leaked through other structures where it is linked differently and mined by different algorithms. 

    War in space is an example. In the space-air-ground model, the entire web of information spun across all dimensions of the system must be defended. The entire system radiates information not just through explicit communication but through energy, structure and behavior. If something moves, it is talking.

    Cyberdefense means defending the entire web in which information in all its forms is embedded. The entire web spun through space, air and ground defines the topography of the battlespace. The use of holographic image projection, cloaking devices, multispectral camouflage, and the creation of synthetic environments which the attacker believes to be real in space war also serve as metaphors for what is necessary in computer security as well ... because computer security is a subset of the entire information web.

    Because the manipulation of human perception is the primary act of cyberwar, including deception, illusion, and camouflage of every dimension of a system, concepts and percepts alike are ammunition in global cyberwar. Cyberwarfare is in fact cyborg-war. 

    This presentation uses war in space as a metaphor for the macro models that must inform computer security if it is to be truly secure. 

    Thieme was born in Chicago, Illinois, in 1944 and graduated from Northwestern University in 1965 with a B.A. in English literature (highest honors, Phi Beta Kappa). His non-academic education included working with the Daley political organization. After living in Madrid, Spain for a year, he attended the University of Chicago (Title IV NDEA Fellow) and received an M.A. in English literature. He taught literature and writing at the University of Illinois-Chicago and wrote fiction in his twenties. Then, after two years in England and a three-year professional Master's degree from Seabury-Western Theological Seminary, he became an Episcopal priest and led parishes for sixteen years in three very different cultures: Salt Lake City, Utah; the Hawaiian island of Maui; and Milwaukee, Wisconsin. 

    He bought an Apple II computer in the early eighties and life was never the same. He realized that the way he was affected by his interaction with the computer was exactly how society would be affected by the computer revolution. He began writing about topics like "Computer Applications for Spirituality: the Transformation of Religious Experience," but, as one editor wrote, "only three of you care about this."

    The internet changed all that, making the transformation visible. His diverse experiences working with symbols in speech and literature and communities bound together by symbols translated effortlessly into the digital world. His passion for exploring the impact of technology on institutions and organizations (business, education, government, religion) and his extensive experience with leadership, management, organizational dynamics, and cultural diversity led him to establish ThiemeWorks in 1993 to pursue a career of professional speaking, consulting, and writing.

    Bruce Schneier - Counterpane Internet Security, Inc.

    Paradigms Lost: Engineering vs. Risk Management

    Computer and network security has been viewed as an engineering problem, and companies have tried to solve it through the application of technologies.  This approach is failing; even though technologies continue to improve, the security of the Internet continues to decline.  The real problem is not one of technology, but of process.  Network security is no different from real-world security.  The correct paradigm is "risk management."  Strong countermeasures combine protection, detection, and response.  The way to build resilient security is with vigilant, adaptive, relentless defense by experts (people, not products).  There are no magic preventive countermeasures against crime in the real world, yet we are all reasonably safe, nevertheless.  We need to bring that same thinking to the Internet.

    Internationally renowned security technologist and author Bruce Schneier is both a Founder and the Chief Technical Officer of Counterpane Internet Security, Inc. He established the Company with Tom Rowley to address the critical need for increased levels of security services. Schneier is responsible for maintaining the Company's technical lead in world class information security technology and its practical and effective implementation. Schneier's successful tenure leading Counterpane Systems makes him uniquely qualified to shape the direction of the company's research endeavors, as well as to act as a spokesperson to the business community on e-commerce issues and solutions.

    While president of Counterpane Systems, Schneier designed and analyzed hardware and software cryptographic systems, advised sophisticated clients on products and markets, and taught technical as well as business courses related to the field of cryptography. Concerns as diverse as Microsoft, the National Security Agency, Citibank, and the White House staff have all relied upon Schneier's unique expertise. In addition, Schneier designed the Blowfish algorithm, which remains unbroken after eight years of cryptanalysis. And Schneier's Twofish is among a small number of algorithms currently being considered by the National Institute of Standards and Technology for the advanced encryption standard (AES) to replace the current data encryption standard (DES). 

    Schneier is the author of five books including Applied Cryptography, the seminal work in its field. Now in its second edition, Applied Cryptography has sold over 110,000 copies worldwide and has been translated into three languages. He has presented papers at many international conferences, and he is a frequent writer, contributing editor, and lecturer on the topics of cryptography, computer security, and privacy. Schneier served on the board of directors of the International Association for Cryptologic Research, is an Advisory Board member for the Electronic Privacy Information Center, and was on the board of directors of the Voter's Telecom Watch.