Black Hat Digital Self Defense USA 2006

Black Hat USA 2007 Main Conference Overview

Black Hat USA 2007 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Speakers

KEYNOTE: A Story About Digital Security in 2017
Richard Clarke, Chairman, Good Harbor Consulting

To those who seek truth through science, even when the powerful try to suppress it.

Richard A. Clarke is a former U.S. government official who specialized in intelligence, cyber security and counter-terrorism. Until his retirement in January 2003, Mr. Clarke was a member of the Senior Executive Service. He served as an advisor to four U.S. presidents from 1973 to 2003: Ronald Reagan, George H.W. Bush, Bill Clinton and George W. Bush. Most notably, Clarke was the chief counter-terrorism adviser on the U.S. National Security Council for both the latter part of the Clinton Administration and early part of the George W. Bush Administration through the time of the 9/11 terrorist attacks.

Clarke came to widespread public attention for his role as counter-terrorism czar in the Clinton and Bush Administrations when in March of 2004 he appeared on the 60 Minutes television news magazine, his memoir about his service in government, Against All Enemies was released, and he testified before the 9/11 Commission. In all three instances, Clarke was sharply critical of the Bush Administration's attitude toward counter-terrorism before the 9/11 terrorist attacks and the decision to go to war with Iraq.

Richard Clarke is currently Chairman of Good Harbor Consulting, a strategic planning and corporate risk management firm, an on-air consultant for ABC News, and a contributor to, an online community discussing homeland security, defense, and politics. He also recently published his first novel, The Scorpion's Gate, in 2005; and a second, Breakpoint, in 2007.

KEYNOTE: The NSA Information Assurance Directorate and the National Security Community
Tony Sager, Chief, Vulnerability Analysis and Operations Group, Information Assurance Directorate, National Security Agency

The Information Assurance Directorate (IAD) within the National Security Agency (NSA) is charged in part with providing security guidance to the national security community. Within the IAD, the Vulnerability Analysis and Operations (VAO) Group identifies and analyzes vulnerabilities found in the technology, information, and operations of the Department of Defense (DoD) and our other federal customers. This presentation will highlight some of the ways that the VAO Group is translating vulnerability knowledge in cooperation with many partners, into countermeasures and solutions that scale across the entire community. This includes the development and release of security guidance through the NSA public website ( and sponsorship of a number of community events like the Cyber Defense Initiative and the Red Blue Symposium. It also includes support for, or development of, open standards for vulnerability information (like CVE, the standard naming scheme for vulnerabilities); the creation of the extensible Configuration Checklist Description Format (XCCDF) to automate the implementation and measurement of security guidance; and joint sponsorship, with the National Institute of Standards and Technology (NIST) and the Defense Information Systems Agency (DISA), of the Information Security Automation Program (ISAP), to help security professionals automate security compliance and manage vulnerabilities.

The presentation will also discuss the cultural shift we have been making to treat network security as a community problem, one that requires large-scale openness and cooperation with security stakeholders at all points in the security supply chain—operators, suppliers, buyers, authorities and practitioners.

Tony Sager is the Chief of the Vulnerability Analysis and Operations (VAO) Group, part of the Information Assurance Directorate at the National Security Agency. The mission of the VAO organization is to identify, characterize, and put into operational context vulnerabilities found in the technology, information, and operations of the DoD and the national security community, and to help the community identify countermeasures and solutions. This group is known for its work developing and releasing security configuration guides that give customers the best options for securing widely used products. The VAO Group also helps to shape the development of security standards for vulnerability naming and identification, such as the Open Vulnerability and Assessment Language (OVAL); partners with the National Institute of Standards and Technology (NIST) on the Information Security Automation Program (ISAP); develops the Extensible Configuration Checklist Description Format (XCCDF); and hosts the annual Cyber Defense Exercise and the Red Blue Symposium. Mr. Sager is active in the public network security community as a member of the CVE (Common Vulnerabilities and Exposures) Senior Advisory Council and the Strategic Advisory Council for The Center for Internet Security. He is in his 29th year with the National Security Agency, all of which he has spent in the computer and network security field.

KEYNOTE: The Psychology of Security
Bruce Schneier, Founder and CTO, BT Counterpane

Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. In the industry, we tend to discount the feeling in favor of the reality, but the difference between the two is important. It explains why we have so much security theater that doesn't work, and why so many smart security solutions go unimplemented. Two different fields—behavioral economics and the psychology of decision making—shed light on how we perceive security, risk, and cost. Learn how perception of risk matters and, perhaps more importantly, learn how to design security systems that will actually get used.

Bruce Schneier is an internationally renowned security technologist and CTO of BT Counterpane, referred to by The Economist as a "security guru." He is the author of eight books—including the best sellers "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," "Secrets and Lies," and "Applied Cryptography"—and hundreds of articles and academic papers. His influential newsletter, Crypto-Gram, and blog "Schneier on Security," are read by over 250,000 people. He is a prolific writer and lecturer, a frequent guest on television and radio, has testified before Congress, and is regularly quoted in the press on issues surrounding security and privacy.

Dangling Pointer
Jonathan Afek, Senior Security Researcher, Watchfire

A Dangling Pointer is a well known security flaw in many applications.

When a developer writes an application, he/she usually uses pointers to many data objects. In some scenarios, the developer may accidentally use a pointer to an invalid object. In such a case, the application will enter an unintended execution flow which could lead to an application crash or other types of dangerous behaviors.

Jonathan Afek is a senior security researcher for Watchfire, a market-leading provider of software and service to help ensure the security and compliance of websites.

In his role as senior security researcher Jonathan is responsible for researching new web application vulnerabilities, performing application security audits and developing security related features for Watchfire’s market leading AppScan solution. Jonathan specializes in network and web application security, reverse engineering and exploit development.

Fuzzing Sucks! (or Fuzz it Like you Mean it!)
Pedram Amini, Lead, Security Research and Product Security Assessment Team at TippingPoint, a division of 3Com
Aaron Portnoy, Researcher, TippingPoint Security Research Team (TSRT)

Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. Nonetheless, if you are serious about fuzz testing as a scientific process, then you have no doubt been disappointed with the current state of affairs. Until now.

This talk is about Sulley, an open source, freely available, full-featured and extensible fuzzing framework being released at Black Hat USA 2007. Modern-day fuzzers are, for the most part, focused solely on data generation. Sulley does this better, and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, and can revert it to a good state using multiple methods. Sulley detects, tracks and categorizes faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine which unique sequence of test cases triggers a fault. Sulley does all this, and more, automatically and without attendance.

Pedram Amini currently leads the security research and product security assessment team at TippingPoint, a division of 3Com. Previous to TippingPoint, he was the assistant director and one of the founding members of iDEFENSE Labs. Despite the fancy titles he spends much of his time in the shoes of a reverse engineer—developing automation tools, plug-ins and scripts. His most recent projects (aka "babies") include the PaiMei reverse engineering framework and the Sulley fuzzing framework.

In conjunction with his passion for the field, he launched, a community website dedicated to the art and science of reverse engineering. He has previously presented at DefCon, RECon and ToorCon, and taught numerous sold-out reverse engineering courses. Pedram holds a computer science degree from Tulane University, finds his current commander in chief rather humorous, and recently co-authored a book on fuzzing titled "Fuzzing: Brute Force Vulnerability Discovery".

Aaron Portnoy, aka deft, is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering, vulnerability discovery, and tool development. Aaron has discovered critical vulnerabilities affecting a wide range of enterprise vendors including: RSA, Citrix, Symantec, Hewlett-Packard, IBM and others.

Additionally, Aaron has contributed mind share and code to OpenRCE, PaiMei, and various white papers and books. On a more personal note, Aaron is the proud owner of a Rottweiler/German Shepherd puppy and he also drives really (really) fast.

Kick Ass Hypervisoring: Windows Server Virtualization
Brandon Baker, Security Developer, Windows Kernel Team, Microsoft

Virtualization is changing how operating systems function and how enterprises manage data centers. Windows Server Virtualization, a component of Windows Server 2008, will introduce new virtualization capabilities to the Windows operating system. This talk will focus on the security model of the system, with emphasis on design choices and deployment considerations. Aspects of virtualization security related to hardware functions will also be explored.

Brandon Baker is a security developer in the Windows kernel team working on the Windows hypervisor and leading security development and testing for the Windows Server Virtualization project. For the past five years he has worked on security and separation kernels at Microsoft of one form or another. Prior to joining Microsoft, Mr. Baker was a security architect at a managed data center company. He has been working in the computer security field since 1997, when at NSA he co-authored the first guide for the secure configuration of Windows NT for the DoD. Mr. Baker has a B.S. in Computer Science from Texas A&M University.

Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation
Andrea Barisani, co-Founder and Chief Security Engineer, Inverse Path Ltd.
Daniele Bianco

RDS-TMC is a standard based on RDS (Radio Data System) for broadcasting traffic information to satellite navigation systems over FM radio.

All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up to date information about traffic conditions such as queues and accidents and provide detours in case they affect the plotted course. The system is increasingly being used around Europe and North America.

The audience will be introduced to RDS/RDS-TMC concepts and protocols, and we'll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information into the broadcast RDS-TMC stream and thereby manipulating the information displayed by the satellite navigator.

We'll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection/jamming can play in social engineering attempts (hitmen in the audience will love this!).

In order to maximize the presentation we'll also demo the injection...hopefully at low power so that we won't piss off local radio broadcasts.

Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago, but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He's currently involved with the Gentoo project, managing infrastructure server security as a member of the Gentoo Security and Infrastructure Teams, along with distribution development. Being an active member of the international Open Source and security community, he's maintainer/author of the tenshi, ftester and openssh-lpk projects and has been involved in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms, and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd.

Smoke 'em Out!
Rohyt Belani, Managing Partner, Intrepidus Group.
Keith J. Jones, Owner and Senior Partner, Jones Rose Dykstra & Associates

Tracing a malicious insider is hard; proving their guilt is even harder. In this talk, we will discuss the challenges faced by digital investigators in solving electronic crime committed by knowledgeable insiders. These challenges will be presented in light of three real-world investigations conducted by the presenters. The focus of this talk will be on the technicalities of the attacks, the motivation of the attackers, and the response techniques used by the investigators to solve the respective crimes.

The first case is the high-profile U.S. v Duronio trial, in which Keith Jones testified as the DoJ's computer forensics expert. Mr. Jones testified for over five days about how Mr. Duronio, a disgruntled employee, planted a logic bomb within UBS's network to render critical trading servers unusable. His testimony was key in the prosecution of the accused on charges of securities fraud and electronic crime. Mr. Jones will present the information as he did to the jury during this trial.

The second incident involved a recently fired employee at a large retail organization. The irked employee made his way from a store wireless network into the company's core credit card processing systems. The purpose of the attack was to malign the company's image by releasing the stolen data on the Internet. We will discuss the anatomy of the "hack", the vulnerabilities exploited along the way, and our sleepless nights in Miami homing in on the attacker.

The final case presented will focus on the technicalities of web browser forensics and how it facilitated the uncovering of critical electronic evidence that incriminated a wrong-doer, and more importantly freed an innocent systems administrator at a law firm from being terminated and facing legal music.

The common thread in all these cases—a malicious insider!

Rohyt Belani is a regular speaker at various industry conferences including Black Hat, OWASP, InfoSec World, Hack In The Box, and several forums catering to the FBI and US Secret Service agents. He currently co-teaches a class at Carnegie Mellon University and has been invited to guest lecture at the University of Wisconsin.

As an industry expert he has opined on security issues via columns for online publications like Securityfocus and SC magazine, and interviews with BBC UK Radio.

He is also a contributing author for Osborne's Hack Notes—Network Security, as well as Addison Wesley's Extrusion Detection: Security Monitoring for Internal Intrusions.

Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project, a world-wide consortium of Java security experts.

Keith J. Jones is an owner and Senior Partner with Jones Rose Dykstra & Associates, a specialized services company which provides Computer Forensics, Electronic Evidence Discovery, Litigation Support and training to commercial and government clients. Mr. Jones is the Senior Partner responsible for the electronic evidence discovery and litigation support practices.

Mr. Jones is an industry-recognized expert in computer security with over ten years of experience in computer forensics and incident response. His expertise also includes information security consulting, application security, software analysis and design. Mr. Jones has been an expert witness on several high-profile cases.

Before partnering with Mr. Curtis W. Rose and Brian Dykstra, Mr. Jones was the Director of Computer Forensics, Incident Response and Litigation Support and a founding member of MANDIANT where he managed and directed technical teams which conducted computer intrusion investigations, forensic examinations, litigation support and e-discovery efforts.

Prior to becoming a co-founder of MANDIANT (formerly known as Red Cliff Consulting, LLC), Mr. Jones was the Director of Incident Response and Computer Forensics at Foundstone, where he led the service line's engagements and was a developer and lead instructor of several technical education courses. Earlier in his distinguished career, Mr. Jones served as a Senior Security Administrator at a biotechnology company, responsible for the corporation's entire information security model, where he developed a security and network infrastructure from conception to completion; and managed a team of developers at SYTEX, Inc, a Department of Defense contractor, on several software development projects, where he was in charge of building specialized tools for log analysis, attack and penetration, defensive measures and vulnerability assessments.

Mr. Jones is an accomplished author, and his works include "Real Digital Forensics: Computer Security and Incident Response", Addison-Wesley, published in March 2005 and "The Anti-Hacker Toolkit", McGraw-Hill, copyright 2002, recognized in the security industry as a definitive reference on critical applications for security practitioners.

Mr. Jones holds two Bachelor of Science degrees in Electrical Engineering and Computer Engineering. He also earned a Master of Science degree in Electrical Engineering from Michigan State University. Mr. Jones earned and maintains the Certified Information Systems Security Professional (CISSP) certification and is an associate member of the American Bar Association (ABA). He also holds several lifetime memberships in the engineering, electrical engineering, and mathematical honor societies.

Sphinx: An Anomaly-based Web Intrusion Detection System
Damiano Bolzoni, PhD student at Twente University
Emmanuele Zambon

We present Sphinx, a new fully anomaly-based Web Intrusion Detection System (WIDS). Sphinx has been implemented as an Apache module (like ModSecurity, the most widely deployed Web Application Firewall), and can therefore handle SSL and POST data. Our system uses several techniques at the same time to improve detection and false positive rates. Being anomaly-based, Sphinx needs a training phase before real detection can start: during training, Sphinx automatically “learns” the type of each parameter inside user requests and applies the most suitable model to detect attacks. We define 3 basic types: numerical, short text and long text. The idea behind this is that if, e.g., we observe only integer values during training and later some text, that is likely to be an attack (e.g. SQL Injection or XSS).

For numerical parameters, a type checker is applied. For short texts (text with fixed length or slight variations), Sphinx uses a grammar checker: grammars are built by observing the parameter content during the training phase and then used to check the similarity of new content during detection. Long texts are typically e-mail/forum messages, whose length varies widely and which would produce infeasible grammars. For this kind of content we use a modified version of our NIDS POSEIDON, based on n-gram analysis.

Furthermore, Sphinx can actively support the deployment of WAFs like ModSecurity: e.g. if we are deploying an ad hoc web application (or when 3rd parties’ software is used), we most probably need to spend a lot of time writing signatures. Once Sphinx completes the training phase, it can automatically generate ModSecurity-style signatures for numerical and (some) short-text parameters, making the deployment much easier.

Damiano Bolzoni is currently a PhD student at the University of Twente, Netherlands. He received a MSc in Computer Science from the University of Venice, Italy, with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. His research topics are IDS and risk management.

Emmanuele Zambon earned an MSc degree in Computer Science from the University of Venice, Italy, with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is an author and researcher of the POSEIDON paper.

Remote and Local Exploitation of Network Drivers
Yuriy Bulygin, Security Expertise Center of Excellence (SECoE) and PSIRT team at Intel Corporation

During 2006, vulnerabilities in wireless LAN drivers gained increasing attention in the security community. One can explain this by the fact that any hacker can take control of every vulnerable laptop without having any "visible" connection to those laptops, and execute malicious code in the kernel.

This work describes the process behind hunting remote and local vulnerabilities in wireless LAN drivers as well as in other types of network drivers. The first part of the work describes simple and much more advanced examples of remote execution vulnerabilities in wireless device drivers that should be considered during a vulnerability search. We demonstrate an example design of a kernel-mode payload and construct a simple wireless frame fuzzer. The second part of the work explains local privilege escalation vulnerabilities in the I/O Control device driver interface on Microsoft® Windows®, and introduces a technique to uncover them. The third part of the work describes specific examples of local vulnerabilities in network drivers that can be exploited remotely, and an exploitation technique. In the last part of the work we present case studies of remote and local vulnerabilities mitigated in Intel® Centrino® wireless LAN device drivers.

Yuriy Bulygin is a member of Security Center of Excellence (SeCoE) and Product Security Incident Response Team (PSIRT) at Intel Corporation. He focuses on (in)security analysis and penetration testing of various technologies, research in cryptography, exploitation techniques, malware and worm epidemics.

Prior to joining Intel Corporation in 2006, Yuriy Bulygin was a member of the Technological Research team at Kaspersky Lab. He has previously been a member of the 3G mobile networks security working group in Russia. Yuriy Bulygin holds a Ph.D. in cryptography and a Master's in applied math from the Moscow Institute of Physics and Technology (MIPT), Moscow, Russia, and the sole ISC2 SSCP record issued in Russia. Yuriy has taught Information Security classes at MIPT.

Blackout: What Really Happened...
Jamie Butler, Principal Software Engineer, MANDIANT
Kris Kendall, MANDIANT

Malicious software authors use code injection techniques to avoid detection, bypass host-level security controls, thwart the efforts of human analysts, and make traditional memory forensics ineffective. Often a forensic examiner or incident response analyst may not know the weaknesses of the tools they are using or the advantage the attacker has over those tools by hiding in certain locations.

This session provides a detailed exploration of code injection attacks and novel countermeasures, including:

  1. The technical details of code injection starting with basic user land techniques and continuing through to the most advanced kernel injection techniques faced today.
  2. Case study of captured malware that reveals how these techniques are used in real world situations.
  3. Discussion of current memory forensic strengths and weaknesses.
  4. New memory forensic analysis techniques for determining if a potential victim machine has been infected via code injection.
  5. Post acquisition analysis.

James (“Jamie”) Butler II is a Principal Software Engineer at MANDIANT. He has a decade of experience researching offensive security technologies and developing detection algorithms. Jamie has a Master of Science degree in Computer Science and holds a Top Secret security clearance.

He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and "Advanced Second Generation Digital Weaponry". Jamie is also co-author of the bestseller "Rootkits: Subverting the Windows Kernel" (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers and is a frequent speaker at computer security conferences.

Kris Kendall, a key leader of MANDIANT's technical team, has over eight years of experience in computer forensics and incident response. He provides expertise in computer intrusion investigations, computer forensics, and research & development of advanced network security tools and techniques. He is a former Special Agent in the United States Air Force Office of Special Investigations, and has developed several innovative tools that advanced the state-of-the-art in the rapidly evolving field of reverse engineering and binary analysis.

Mr. Kendall earned both a Bachelor of Science and a Master of Engineering degree from the Massachusetts Institute of Technology.

Intranet Invasion With Anti-DNS Pinning
David Byrne, Security Architect, EchoStar Satellite, owner of Dish Network

Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not. DNS-pinning is a technique web browsers use to prevent a malicious server from hijacking HTTP sessions. Anti-DNS pinning is a newly recognized threat that, while not well understood by most security professionals, is far from theoretical.

This presentation will focus on a live demonstration using anti-DNS pinning techniques to interact with internal servers through a victim web browser, completely bypassing perimeter firewalls. In essence, the victim browser becomes a proxy server for the external attacker. No browser bugs or plug-ins are required to accomplish this, only JavaScript, and untrusted Java applets for more advanced features.

If anyone still thought that perimeter firewalls could protect their intranet servers, this presentation will convince them otherwise.

David Byrne is a seven year veteran of the Information Security industry specializing in web application security. He is currently the Security Architect for EchoStar Satellite, owner of Dish Network. David is also the founder and current leader of the Denver chapter of the Open Web Application Security Project (OWASP).

Traffic Analysis—The Most Powerful and Least Understood Attack Methods
Jon Callas, Chief Technology Officer & Chief Security Officer, PGP Corporation
Raven Alder
Riccardo Bettati, Associate Professor in the Department of Computer Science, Texas A&M University
Nick Matthewson, Developer, Tor privacy network

Traffic analysis is gathering information about parties not by analyzing the content of their communications, but through the metadata of those communications. It is not a single technique, but a family of techniques that are powerful and hard to defend against.

Traffic analysis is also one of the least studied and least well understood techniques in the hacking repertoire. Listen to experts in information security discuss what we know and what we don't.

Jon Callas (moderator): Jon Callas is Chief Technical Officer and Chief Security Officer of PGP Corporation. He has worried about traffic analysis for years.

Raven Alder is a security researcher with wide-ranging expertise, including systems and network architecture design and analysis.

Riccardo Bettati is Associate Professor in the Department of Computer Science at Texas A&M University. His group has been studying timing analysis and traffic analysis in general in the context of private communication, bot classification, and other - sometimes surprising - distributed systems settings.

Nick Matthewson is one of the developers of the Tor privacy network. Traffic analysis is an important part of designing privacy-enhanced systems.

Reverse Engineering Automation with Python
Ero Carrera, Reverse Engineering Automation Researcher, SABRE Security

Instead of discussing a complex topic in detail, this talk will discuss 4 different very small topics related to reverse engineering, at a length of 5 minutes each, including some work on intermediate languages for reverse engineering and malware classification.

Ero Carrera is currently a reverse engineering automation researcher at SABRE Security, home of BinDiff and BinNavi. Ero has previously spent several years as a Virus Researcher at F-Secure where his main duties ranged from reverse engineering of malware to research in analysis automation methods. Prior to F-Secure, he was involved in miscellaneous research and development projects and always had a passion for mathematics, reverse engineering and computer security.

While at F-Secure he advanced the field of malware classification with a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he's worked on include seminal research on generic unpacking.

Additionally, Ero is a habitual lurker on OpenRCE and has contributed to miscellaneous reverse engineering tools such as pydot, pype, pyreml and idb2reml.

Defeating Web Browser Heap Spray Attacks
Stephan Chenette, Senior Security Researcher for Websense Security Labs
Moti Joseph, Senior Security Researcher, Websense Security Labs

At Black Hat Europe 2007 a talk was given titled "Heap Feng Shui in JavaScript".

That presentation introduced a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allowed an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with more reliability and precision.

Our talk is a defensive response to this new technique. We will begin with an overview of "in the wild" heap spray exploits and how we can catch them, as well as other zero-day exploits, using our exploit-detection module. We will give an overview of the analysis engine we have built that utilizes this module, and we will demonstrate scanning and detection of a "live" website hosting a heap corruption vulnerability.

The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable to other browsers as well.

Stephan Chenette is a Senior Security Researcher for Websense Security Labs working on malcode detection techniques, and specializes in research tools ranging from kernel-land sandboxes to static analysis scanners. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4+ years working in research and product development at eEye Digital Security.

Moti Joseph has been involved in computer security since 2000. For the past 5 years he has been working on reverse engineering, exploit code and development of security products. His current job is as a Senior Security Researcher at Websense Security Labs.

Iron Chef Blackhat
Brian Chess, Chief Scientist, Fortify Software
Jacob West, Manager Security Research Group, Fortify Software
Sean Fay, Lead Engineer, Fortify Source Code Analysis, Fortify Software
Toshinari Kureha, Technical Lead and Principal Member of Technical Staff, Fortify Software

Get ready for the code to fly as two masters compete to discover as many security vulnerabilities in a single application as possible. In the spirit of the Food Network’s cult favorite show, Iron Chef, our Chairman will reveal the surprise ingredient (the code), and then let the challenger and the ‘Iron Hacker’ face off in a frenetic security battle. The guest panel will judge the tools created and used to determine whose hack-fu will be victorious and who will be vanquished.

Remember, our testers have only one hour to complete their challenge and will only be able to use tools they themselves have created. Watch as the masters wield their own weapons. What will they concoct? Who will come out victorious? Which techniques will prove most effective in a high-pressure every-minute-counts environment? Come and see for yourself!

Visit ‘Vulnerability Stadium’ and watch a fierce battle. Our contestants will have upwards of five minutes to discuss their strategy before the battle begins. The show will be taped live with a studio audience and our co-hosts will provide running commentary, encourage the competitors and judge the results with the audience, based on originality of created tool, presentation of the number of bugs, and creativity of using the tool when searching for vulnerabilities. So Black Hat attendees with an open application and an empty exploit list, I say unto you in the words of my uncle: Hack This!

Brian Chess is the Chief Scientist at Fortify Software. His work focuses on practical methods for creating secure systems. Brian draws on his previous research in integrated circuit test and verification to find new ways to uncover security issues before they become security disasters. Brian has his Ph.D. in computer engineering from UC Santa Cruz. Brian has spoken at RSA, USENIX and CSI 2006, among many other industry events.

Jacob West manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. When he is not in the lab, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

Sean Fay works at Fortify Software, where he is the lead engineer for Fortify Source Code Analysis. Sean holds a degree in Literature and a degree in Computer Science, both from the Massachusetts Institute of Technology. None of Sean's diverse set of hobbies are suitable for print in a family-oriented publication.

Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of Fortify's runtime product line, including Fortify Defender and Fortify Tracer. Prior to joining Fortify, Kureha was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects, including Oracle Grid Control, Oracle Exchange and BPEL Orchestration Designer. Prior to working with Oracle, Kureha worked as a lead developer at Formal Systems, a web-based computer testing and assessment system for use in the Internet/Intranet. Kureha holds a bachelor's degree in computer science from Princeton University and has spoken at Software Security Summit, MSDN Webcast and the Bay Area's .NET user group, among many other industry events.

Unforgivable Vulnerabilities
Steve Christey, Principal Information Security Engineer, The MITRE Corporation

For some products, it's just too easy to find a vulnerability. First, find the most heavily used functionality, including the first points of entry into the product. Then, perform the most obvious attacks against the most common vulnerabilities. Using this crude method, even unskilled attackers can break into an insecure application within minutes. The developer likely faces a long road ahead before the product can become tolerably secure; the customer is sitting on a ticking time bomb. This turbo talk will identify some of the Unforgivable Vulnerabilities that illustrate a systematic disregard for secure development practices. I will conclude with a call-to-arms for establishing Vulnerability Assessment Assurance Levels (VAAL), and nominate these Unforgivable Vulnerabilities as exemplars of VAAL-0.

Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. Since 1999, he has been the Editor of the Common Vulnerabilities and Exposures (CVE) list and the Chair of the CVE Editorial Board. He is a technical consultant to the Common Weakness Enumeration (CWE) project. He is a contributor to standards-based efforts such as the SANS Secure Programming exams, the Common Vulnerability Scoring System (CVSS), and others. His current interests include secure software development, vulnerability information management, post-disclosure analysis, and vulnerability research. Past work, which dates back to 1993, includes co-authoring the "Responsible Vulnerability Disclosure Process" draft in 2002, reverse engineering of malicious code, automated vulnerability analysis of source code, and vulnerability scanning and incident response. He holds a B.S. in Computer Science from Hobart College.

Computer and Internet Security Law—A Year in Review 2006–2007
Robert Clark

This presentation reviews the important prosecutions, precedents and legal opinions of the last year that affect internet and computer security. We will discuss the differences between legal decisions from criminal cases and civil lawsuits and what that means to the security professional. Additionally, we look at topics such as: email retention and discovery; Hewlett-Packard; active response; nondisclosure and non-competition agreements; identity theft and notification issues; legal aspects of emerging technologies; lawsuits involving IT corporations (Google, Yahoo, Apple, Microsoft); and of course, the NSA surveillance litigation. As always, this presentation is strongly audience driven and it quickly becomes an open forum for questions and debate.

Robert Clark is the principal point of contact in the Department of the Navy Secretariat and the Office of the General Counsel for legal issues regarding information management/information technology. As such he is responsible for advising on critical infrastructure protection; information assurance; FISMA; privacy; electronic government; identity management; spectrum management; records management; information collection; Open Source Software; and the infrastructure protection program covering both physical and cyber assets. Prior to this position Mr. Clark was the legal advisor on computer network operations to the Army Computer Emergency Response Team. Both these positions require coordination and consulting with the DoD Office of General Counsel, NSA, and the DoJ Computer Crime and Intellectual Property Section. He is a previous Black Hat lecturer and lectures at Def Con, the Army’s Intelligence Law Conference and the DoD’s Cybercrimes Conference.

Building an Effective Application Security Practice on a Shoestring Budget
David Coffey, Manager of Product Security, McAfee
John Viega, Vice President and Chief Security Architect, McAfee, Inc

Software companies inevitably produce insecure code. In 2006 alone, CERT recognized over 8,000 published vulnerabilities in applications. Attackers were previously occupied by the weaker operating systems and have moved on to easier targets: applications. What makes this situation worse is the weaponization of these exploits and the business drivers behind them. Some organizations struggle to deal with this trend in order to protect their products and customers. Other organizations have nothing in place, and need to create measures as soon as possible.

This talk will raise several issues that global enterprise organizations currently face with application security and how to overcome them in a cost-effective manner. Some of the issues that will be discussed are software development lifecycle integration, global policy and compliance issues, necessary developer awareness and automated tools, and accurate metrics collection and tracking to measure the progress. Attendees will be introduced to best practices which have worked for McAfee and other large scale global enterprises, and be shown which practices to avoid. If you're only going to invest in a single activity to start, this talk will help you figure out what it should be, and how to measure its success.

David Coffey is the manager of product security at McAfee. At McAfee, David is responsible for assessing the current state of security of the products, development process, and architecture. David is also responsible for leading a geographically distributed team to provide guidance and education to McAfee employees on security measures, process, integration as well as industry best practices.

David has been a professional in the technology field for over a decade, giving him strong computer fundamentals, and is proficient in both *NIX and Windows environments. Prior to joining McAfee, David spent several years working as either an employee or a consultant in financial institutions around the New York area. David later concentrated on architecting, developing and securing multi-tiered, high-traffic, dynamic websites, with the largest one doing 92 million hits per day. David served as the sole Application Security Engineer in the 4th largest cable company in the US, performing duties ranging from code audits to architecting IDS deployments to assisting in the securing of network architectures. Most recently, David held the role of Principal Consultant at a security consulting company, managing the security process integration and adoption for a large financial institution which handles a little over 1 quadrillion dollars a year.

John Viega is Vice President and Chief Security Architect at McAfee, Inc. In this role he is responsible for McAfee Avert Labs' engineering efforts, including the anti-virus engine. In addition, Viega is also in charge of product security strategy, leading security audits of code, and helping to shape the technical directions for the product lines at McAfee. Viega is a well known security expert and cryptographer and has co-authored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software.

Side Channel Attacks (DPA) and Countermeasures for Embedded Systems
Job de Haas, Director Embedded Technology, Riscure

For 10 years Side Channel Analysis and its related attacks have been the primary focus in the field of smart cards. These cryptographic devices are built with the primary objective of resisting tampering and guarding secrets. Embedded systems in general have a much lower security profile. This talk explores the use and impact of Side Channel Analysis on embedded systems. These systems have their own specific need for security. This need can vary significantly between systems, and in addition a much wider range of attacks is possible. At the same time, different countermeasures are available to defend against Side Channel Analysis. The options for developers to mitigate the impact of such attacks will be examined.

Job de Haas holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, PDAs, VoIP enabled devices and a range of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics that are based on Sparc, MIPS, Intel and ARM processors.

At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has researched the security features and weaknesses of embedded technology for many years.

Job has a long speaking history at international conferences, including talks on kernel-based attacks, security of mobile technologies such as GSM, SMS and WAP, and the reverse engineering of embedded devices.

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
Jared DeMott, President, VDA Labs
Dr. Richard Enbody, Associate Professor, Michigan State University
Dr. Bill Punch, Associate Professor, Michigan State University

Runtime code coverage analysis is feasible and useful when application source code is not available. An evolutionary test tool receiving such statistics can use that information as fitness for pools of sessions to actively learn the interface protocol. We call this activity grey-box fuzzing. We intend to show that, when applicable, grey-box fuzzing is more effective at finding bugs than RFC-compliant or capture-replay mutation black-box tools. This research is focused on building a better/new breed of fuzzer, the impact of which is the discovery of difficult-to-find bugs in real-world applications which are accessible (not theoretical).

We have successfully combined an evolutionary approach with a debugged target to get real-time grey-box code coverage (CC) fitness data. We build upon existing test tool General Purpose Fuzzer (GPF) [8], and existing reverse engineering and debugging framework PaiMei [10] to accomplish this. We call our new tool the Evolutionary Fuzzing System (EFS).

We have shown that it is possible for our system to learn the target's language (protocol) as target communication sessions become more fit over time. We have also shown that this technique works to find bugs in a real-world application. Initial results are promising, though further testing is still underway.

This talk will explain EFS, describing its unique features, and present preliminary results for one test case. We will also discuss future research efforts.

Jared DeMott is a vulnerability researcher, with a passion for hunting down and exploiting bugs in software. Mr. DeMott is the president of VDA Labs and is pursuing a PhD from Michigan State University, with dissertation work to be done on fuzzing. Mr. DeMott is a past DEFCON speaker.

Dr. Richard Enbody has been a professor at MSU since 1987. His research interests include computer security, computer architecture, web-based distance education and parallel processing.

Dr. Bill Punch is an associate professor in the computer science department of Michigan State University. He is co-director of the Genetic Algorithms Research and Applications Group or GARAGe. His main interests are genetic algorithms and genetic programming, including theoretical issues (parallel GA/GP) and application issues (design, layout, scheduling, etc.). He is also conducting active research in data mining, mostly focused on intelligent search approaches based on pattern-recognition techniques and GA/GP search.

VoIP Security: Methodology and Results
Barrie Dempster, Senior Security Consultant, NGSSoftware

As VoIP products and services increase in popularity and as the "convergence" buzzword is used as the major selling point, it's time that the impact of such convergence and other VoIP security issues underwent a thorough security review. This presentation will discuss the current issues in VoIP security, explain why the current focus is slightly wrong, then detail how to effectively test the security of VoIP products and services. It will include examples of real-life vulnerabilities found, how to find these vulnerabilities, and why many of them shouldn't be there in the first place.

Barrie Dempster has worked in voice and data network security in the financial and telecommunications sectors providing consultancy and research. While focusing on voice and data networks he has spent much of his time researching vulnerabilities and performing code reviews and assessments of applications and services with stringent security requirements. Barrie has also published a number of books in his field. Barrie is currently employed as a senior security consultant for NGSSoftware where he is involved with vulnerability research as well as security reviews of products and services.

PISA: Protocol Identification via Statistical Analysis
Rohit Dhamankar, Senior Manager of Security Research, TippingPoint
Rob King, Senior Security Researcher, TippingPoint

A growing number of proprietary protocols are using end-to-end encryption to avoid being detected by network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well-known ports that are open through most firewalls to tunnel commands for controlling zombie systems.

This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well-known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol into a 10-dimensional space. Clustering algorithms are then applied to accurately identify a wide variety of protocols.

This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.

Rohit Dhamankar is the Senior Manager of Security Research at TippingPoint, where he manages vulnerability research and Digital Vaccine development for the company's Intrusion Prevention Systems. In addition, he co-authors the SANS Institute's @RISK newsletter, read by over 200,000 subscribers weekly. He is the Director for the SANS Top20 updates. He holds an MS in Electrical Engineering from the University of Texas and an MSc in Physics from the Indian Institute of Technology in Kanpur, India.

Rob King is a Senior Security Researcher at TippingPoint, where he researches security vulnerabilities and other topics with security implications. In addition, he co-authors the SANS Institute's @RISK newsletter, read by over 200,000 subscribers weekly. He also contributes to the SANS Top20 updates.

Tor and Blocking-resistance
Roger Dingledine, Security and Privacy Researcher

Websites like Wikipedia and Blogspot are increasingly being blocked by government-level firewalls around the world. Although many people use the Tor anonymity network to get around this censorship, the current Tor network is not designed to withstand a large censor.

In this talk I'll describe our plan for extending the Tor design so these users can access the Tor network in a way that is harder to block.

Roger Dingledine is a security and privacy researcher. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users.

He is best known for leading the Tor project, an anonymous communication system for the Internet that has been supported by such diverse groups as the US Navy, the Electronic Frontier Foundation, and Voice of America. He organizes academic conferences on anonymity, speaks at many industry and hacker events, and also does tutorials on anonymity for national and foreign law enforcement. Last year Roger was identified by Technology Review magazine as one of the top 35 innovators under the age of 35.

Breaking C++ Applications
Mark Dowd
John McDonald, IBM Internet Security Systems
Neel Mehta, IBM Internet Security Systems

This presentation addresses the stated problem by focusing specifically on C++-based security, and outlines the types of vulnerabilities that can exist in C++ applications. It will examine not only the base language, but also the APIs and auxiliary functionality provided by common platforms, primarily the contemporary Windows OSs. The topics that will be addressed in this presentation include object initialization/destruction, handling object arrays, implications of operator overloading, and problems arising from implementing exception handling functionality. Various STL classes will also be discussed in terms of how they might be susceptible to misuse, and unexpected quirks that can manifest as security problems. This presentation will include discussion of bug classes that have yet to be discussed or exploited in a public forum (to our knowledge) for the topic areas outlined.

Mark Dowd is an expert in application security, specializing primarily in host and server based Operating Systems. His professional experience includes several years as a senior researcher at ISS, where he uncovered a variety of major vulnerabilities in ubiquitous Internet software. He also worked as a Principal Security Architect for McAfee, where he was responsible for internal code audits, secure programming classes, and undertaking new security initiatives. Mark has also co-authored a book on the subject of application security named "The Art of Software Security Assessment", and has spoken at several industry-recognized conferences.

Neel Mehta works as an application vulnerability researcher at IBM ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

Something Old (H.323), Something New (IAX), Something Hollow (Security), and Something Blue (VoIP Administrators)
Himanshu Dwivedi, Founding Partner, iSEC Partners

The presentation will discuss the security issues, attacks, and exploits against two VoIP protocols: IAX (a newer protocol) and H.323 (an existing VoIP protocol). H.323 is a well known technology; however, its security issues are not well publicized. While previous VoIP presentations and/or whitepapers discuss SIP security extensively, much is to be desired in terms of H.323 security content and attack tools. Despite the fact that H.323 is the most dominant VoIP session-setup protocol used in enterprise environments, it has not been given adequate attention in terms of security. The presentation will cover specific security attacks targeting H.323 authentication weaknesses, replay attacks, endpoint spoofing (E.164 alias), hopping attacks, and a slew of DoS attacks that can be executed with a few UDP packets. The presentation will also include a demonstration of a new tool for H.323 security testing (H.323-me-ASAP.exe), which will be released at the conference.

In addition to the H.323 material, IAX security issues, attacks, and exploits will also be presented. While SIP/H.323 with RTP has been the “face” of VoIP for many years, newer protocols such as IAX are gaining momentum (as shown with the popular open source Asterisk PBX system). IAX can be used for session setup as well as media transfer, providing a nice self-contained VoIP protocol that can replace the combination of either SIP or H.323 with RTP. Similar to H.323, IAX has room for improvement in terms of security. The presentation will discuss security attacks on IAX, specifically authentication weaknesses that lead to offline dictionary attacks, pre-computed dictionary attacks, middle person attacks, and downgrade attacks on IAX clients. In addition to the authentication attacks, the presentation will show how DoS attacks can disrupt an IAX network and its devices quite easily. Each IAX attack shown will be demonstrated with three new attack tools for IAX security testing (IAX.Brute, IAXAuthJack, and IAXHangup), which will also be released at the conference.

The presentation will conclude with existing solutions to mitigate both the H.323 and IAX security issues discussed during the presentation.

Himanshu Dwivedi is a founding partner of iSEC Partners, an independent information security organization, with 12 years experience in security and information technology. Himanshu has focused his security research on storage security and VoIP. Himanshu's storage security research specializes in SAN and NAS security (see Blackhat USA talks from 2003 to 2006). His VoIP research focuses on H.323/RTP, IAX, as well as traditional protocols such as SIP/RTP.

Himanshu has three published books and two in process. The published books include "Securing Storage: A Practical Guide to SAN and NAS Security" (Addison Wesley Publishing), "Hackers Challenge 3" (McGraw-Hill/Osborne), and "Implementing SSH" (Wiley Publishing). Himanshu also has a patent pending on a storage design architecture.

Zane Lackey is a Security Consultant with iSEC Partners, Inc, a strategic digital security organization. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes AJAX web applications and VoIP security. Zane has spoken at top security conferences including Black Hat and Toorcon. Additionally, he is a co-author of Hacking Exposed Web 2.0 and contributing author of VoIP Security. Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop.

Kernel Wars
Joel Eriksson, CTO of Bitsec
Christer Öberg, Security Researcher, Bitsec
Claes Nyberg, Security Researcher, Bitsec
Karl Janmar, Security Researcher, Bitsec

Kernel vulnerabilities are often deemed unexploitable, or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge of the target in question.

This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of several real-life kernel vulnerabilities. From a defender's point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited.

The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed to determine if and how they can be reliably exploited, and of course the exploits will be demonstrated in practice.

None of the vulnerabilities that will be used as examples had public exploits by the time they were exploited by us; they include the (in)famous Windows 2000/XP GDI bug, the FreeBSD 802.11 bug and a local NetBSD vulnerability.

We will also demonstrate a full exploit for the remote OpenBSD ICMPv6 vulnerability found by CORE SDI, and discuss the payload techniques we used for it.

We've also thrown in a new 0-day to make things a bit more interesting, and for those of you that will be coming to see our talk at DefCon too, there will be more 0-days still. ;)

More info will be made available at:

Joel Eriksson is the CTO of Bitsec, a newly founded security company based in Sweden. Joel has been working in the computer security field since 1997 when he started out as an independent consultant. His primary focus is within vulnerability research, exploit development and reverse engineering.

Christer Öberg is a security researcher at Bitsec. Previous employers include Verizon and Swedish firewall manufacturer Clavister. He is interested in vulnerability research, exploit development and breaking any interesting systems he can get his hands on. Christer currently resides in the UK.

Claes Nyberg is a security researcher at Bitsec. Claes is interested in vulnerability research and a skilled developer of everything from tools to exploits. He is responsible for the development of Bitsec's in-house fuzzer Itchy, which has been used to find vulnerabilities in software ranging from Microsoft Office to various operating system kernels.

Karl Janmar is a security researcher at Bitsec. Karl is interested in vulnerability research, especially in the area of kernels. He finds exploit development to be a fun and good way to learn a system. He has worked for various companies developing software ranging from real-time applications to extending kernel network-stacks.

Estonia: Information Warfare and Strategic Lessons
Gadi Evron, Security Evangelist, Beyond Security

In this talk we will discuss what is now referred to as "The 'first' Internet War" where Estonia was under massive online attacks for a period of three weeks, following tensions with the local Russian population.

Following a riot in the streets of Tallinn, an online assault began, resulting in a large-scale coordination of the Estonian defenses on both the local and international levels. We will demonstrate what in hindsight worked for both the attackers and the defenders, as well as what failed. Following the chronological events and technical information, we will explore what impact these attacks had on Estonia's civil infrastructure and daily life, and how they impacted its economy during the attacks.

Once we cover that ground, we will evaluate what we have so far discussed and elaborate on lessons learned while Gadi was in Estonia and from the post-mortem he wrote for the Estonian CERT. We will conclude our session by recognizing case studies on the strategic level, which can be deduced from the incident and studied in preparation for future engagements in cyber-space.

Gadi Evron works for the McLean, VA-based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, especially in the realm of botnets and phishing, and is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager, a CERT which he founded.


CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript
Ben Feinstein, Security Researcher, SecureWorks
Daniel Peck, Security Researcher, Secureworks

The web browser is ever increasing in its importance to many organizations. Far from its origin as an application for fetching and rendering HTML, today’s web browser offers an expansive attack surface to exploit. All the major browsers now include full-featured runtime engines for a variety of interpreted scripting languages, including the popular JavaScript. The web experience now depends more than ever on the ability of the browser to dynamically interpret JavaScript on the client.

The authors present a software framework for the automated collection of JavaScript from the wild, the subsequent identification of malicious code, and characteristic analysis of malicious code once identified. Building on the work of several existing client honeypot implementations, our goal is to largely automate the painstaking work of malicious software collection. Our focus is on attacks using JavaScript for obfuscation or exploitation.

The authors will present findings based on the deployment of a distributed network of CaffeineMonkeys. The analysis and conclusions will focus on identifying new in-the-wild obfuscation / evasion techniques and JavaScript browser exploits, quantifying the prevalence and distribution of well-known and newly discovered obfuscation and evasion techniques, as well as quantifying the prevalence and distribution of known and newly discovered JavaScript browser exploits.

The authors will release a previously unpublished JavaScript evasion technique and demonstrate its use in evading a variety of present-day defensive technologies. Where present-day defenses have been demonstrated to be insufficient, the authors will present new ideas for ways to mitigate the new threats.

Ben Feinstein is a Security Researcher at SecureWorks. He was introduced to IDS while working on a DARPA/Air Force contract in 2000-2001, during his B.Sci in Computer Science at Harvey Mudd College. He is the author of RFC4765 and RFC4767. He has worked professionally designing and implementing security-related software since 2001. Feinstein has worked in the areas of next-gen firewall systems, IDS/IPS, log analysis and visualization, vulnerability scanning, secure messaging, and security appliances, among other things.

Feinstein was a panelist at RAID and presented at ACSAC and several IETF meetings and achieved his CISSP certification in 2005.

Daniel Peck is a Security Researcher at Secureworks. His team is responsible for day-to-day discovery and documentation of vulnerabilities, as well as crafting countermeasures for several product lines and training security analysts to detect attack patterns and trends. He has also been a critical team member in creating numerous internal tools and contributing to the design of future products and services. He has a BS in Computer Science from the Georgia Institute of Technology.


Understanding the Heap by Breaking It: A Case Study of the Heap as a Persistent Data Structure Through Non-traditional Exploitation Techniques
Justin Ferguson, Computer Security Consultant and Researcher, IOActive

Traditional exploitation techniques that overwrite heap metadata have been discussed ad nauseam; because of this common perspective, however, the flexibility available in abusing the heap is commonly overlooked. This presentation examines a flaw that was found in multiple open-source Simple and Protected Generic Security Services API Negotiation (SPNEGO) modules, with the talk focusing on the implementation provided by mod_auth_kerb, an Apache Kerberos authentication module, as a vehicle for exploring heap structure exploitation and, hopefully, as a gateway to understanding the true beauty of data structure exploitation.

The talk focuses on the dynamic memory management implementation provided by the GNU C library, particularly ptmalloc2, and presents methods for evading certain sanity checks in the library along with previously unpublished methods for obtaining control.

Justin Ferguson is a Computer Security Consultant and Researcher at IOActive.

Justin is involved with helping Fortune 500 companies understand and mitigate risk introduced in complex software computing environments via the Application Security Practice at IOActive. Justin has over 6 years of experience working as a reverse engineer, source code auditor, malware analyst, and enterprise security analyst for industries ranging from financial institutions to the Department of Energy. Justin works alongside a stable of experts fluent in helping clients understand the SDL, Threat Modeling, Effective Fuzzing techniques, and Secure Code Review and Design.


Don't Tell Joanna, The Virtualized Rootkit Is Dead
Peter Ferrie, Symantec
Nate Lawson, Founder, Root Labs
Thomas Ptacek, Principal, Founder, and Core Team Member, Matasano Security

Since last year's Black Hat, the debate has continued to grow about how undetectable virtualized rootkits can be made. We are going to show that virtualized rootkits will always be detectable. We would actually go as far as to say they can be easier to detect than kernel rootkits.

Peter Ferrie began working with computers in 1981. In 1986, while still in school, Peter began developing anti-virus software for Apple II PCs. From 1992-98, he worked for a distributor of anti-virus software for IBM PCs, first Viruscan then F-Prot. In 1998, he joined Frisk Software International and worked on the F-Prot engine. In 2000, he joined Symantec Corporation.

Peter specialises in the detection and repair of Win32 malware, reverse engineering file formats, and developing engine enhancements for Symantec Anti-virus.

Peter is a regular contributor to Virus Bulletin. He joined CARO (Computer Anti-virus Research Organisation) in 2001.

Thomas Ptacek is a renowned security researcher and veteran software developer with over 10 years of industry experience. He is the author of one of the most widely-cited research results in TCP/IP implementation security challenges and former lead developer of a security product now deployed on the backbones of every major Internet Service Provider in the world, inspecting a substantial fraction of all the connections made across the Internet today.

Thomas is a principal, founder, and core team member at Matasano Security where his responsibilities include security consulting engagements as well as research and development.

Nate Lawson, founder of Root Labs, assists companies with the design of embedded, platform, and cryptographic security. At Cryptography Research, Nate co-developed the Blu-ray content protection layer known as BD+. He is also the original developer of IBM/ISS RealSecure. Powered by home-roasted coffee, Nate spends his spare time contributing to the FreeBSD (ACPI/power management, SCSI) and C64 Preservation open-source projects.


SQL Server Database Forensics
Kevvie Fowler, Manager, Managed Security Services, Emergis Inc.

Databases are the single most valuable asset a business owns. Databases store and process critical healthcare, financial and corporate data, yet businesses place very little focus on securing and logging the underlying database transactions. As well, in an effort to trim costs, many organizations are consolidating several databases onto single mission-critical systems which are frequently targeted by attackers. With large data security breaches occurring at an alarming rate, several database logging tools have been released in the industry; however, adoption of these products is slow, leaving these mission-critical systems vulnerable and ill-equipped for traditional forensic analysis.

Database forensics is a relatively unknown area of digital investigation but critical to investigating data security breaches when logging tools are unavailable or inadequate. There is very limited information available today on this subject and, at the time of this writing, no known information targeting SQL Server 2005 forensics. This presentation provides attendees a "real world" view into SQL Server 2005 forensics and how to gather evidence from the hidden database repositories using forensically sound practices.

Kevvie Fowler is the Manager of Managed Security Services for Emergis Inc., where he is responsible for the delivery of specialized security and incident response services. Kevvie has more than 10 years of professional Information Security and IT experience within development, database and host/network platforms. Kevvie is a GIAC Gold Certified Forensic Analyst and holds several other industry certifications including CISSP, MCTS, MCSD, MCDBA and MCSE. He is a contributing author of "How to Cheat at Securing SQL Server 2005" and a member of the High Technology Crime Investigation Association.


Hacking Capitalism
Dave G., Matasano Security LLC
Jeremy Rauch, Matasano Security LLC

The financial industry isn't built on HTTP/HTTPS and web services like everything else. It has its own set of protocols, built off of some simple building blocks that it employs in order to make sure that positions are tracked in real time, that any information that might affect a trader's action is reliably received, and that trades happen in a fixed timeframe.

Unlike the protocols that comprise the internet as a whole, these haven't been scrutinized to death for security flaws. They're written with performance in mind and security is often just an afterthought, if present at all. And there are dozens of them, with names you may have never heard of before...

This talk will discuss the security implications of the protocols and technologies used by the financial industry to maintain the beating heart of capitalism. We'll take a look at some of the most popular protocols used by financials to execute billions (trillions!) of dollars worth of trades, discuss the flaws inherent in them, some of the implementation flaws in them, and discuss how hiding your money under your mattress might not be the worst idea.

Jeremy Rauch
For over 10 years Jeremy Rauch has been at the forefront of information security. An original member of the ISS X-Force and a co-founder of SecurityFocus, Jeremy is the discoverer of numerous security vulnerabilities in widely-deployed commercial products. Jeremy is also a former principal engineer for optical switching at Tellium.


Greetz from Room 101
Kenneth Geers

Imagine you are king for a day. Enemies are all around you, and they seem to be using the Internet to plot against you. Using real-world cyber war stories from the most tightly controlled nations on Earth, Greetz from Room 101 puts you in the shoes of a king who must defend the royal palace against cyber-equipped revolutionaries. Can a monarch buy cyber security? Are his trusty henchmen smart enough to learn network protocol analysis? Could a cyber attack lead to a real-life government overthrow? Ten case studies reveal the answers. Which countries have the Top Ten most Orwellian computer networks? Come to the talk and find out.

Now imagine that your name is Winston Smith, and that you live in a place called 1984. You don't trust the government, and you don't trust the evening news. You can't send your girlfriend an email because you think that the Thought Police will get it first. Greetz from Room 101 details what Web surfing, email, blogging, and connections to the outside world are like for the half of our planet's population who enjoy little to no freedom online, in places where network security battles can mean life or death. Last but not least, the Black Hat audience will hear about the future of cyber control, and the future of cyber resistance.

Kenneth Geers has worked for many years in a wide variety of technical and not-so-technical disciplines. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Kenneth is the author of "Cyber Jihad and the Globalization of Warfare"; "Hacking in a Foreign Language: A Network Security Guide to Russia"; "Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall"; and "IPv6 World Update". His website,, is devoted to the intersection of art, the fate of nations, and the Internet. Greetz to Bunny, Izzy, Yofi, and Boo!


Disclosure and Intellectual Property Law: Case Studies
Jennifer Granick

The simple decision by a researcher to tell what he or she has discovered about a software product or website can be very complicated both legally and ethically. The applicable legal rules are complicated, there isn't necessarily any precedent, and what rules there are may be in flux.

In this presentation, I will use Cisco and ISS's lawsuit against Michael Lynn (from Black Hat 2005) and HID's cease and desist letter to IOActive (from Black Hat 2006) to discuss major intellectual property law doctrines that regulate security research and disclosure. I will give the audience some practical tips for avoiding claims of illegal activity.

Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally.

Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics.

Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.


Hacking Intranet Websites from the Outside (Take 2)–"Fun with and without JavaScript malware"
Jeremiah Grossman, Founder and CTO, WhiteHat Security
Robert Hansen, CEO of SecTheory

Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack.

One quote from a member of the community summed it up this way:

"The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left—including the "I'll just browse without JavaScript" mantra. Could you really call that browsing anyway?"

That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques—such as Browser Intranet Hacking, Port Scanning, and History Stealing—can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network.

This year's new and lesser-known attack techniques, such as Anti-DNS Pinning, Bypassing Mozilla Port Blocking/Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms, are also finding their way into attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.

You'll see:

  • Web Browser Intranet Hacking/Port Scanning—(with and without JavaScript)
  • Web Browser History Stealing/Login Detection—(with and without JavaScript)
  • Bypassing Mozilla Port Blocking/Vertical Port Scanning
  • The risks involved when websites include third-party Web pages widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
  • Fundamentals of DNS Pinning and Anti-DNS Pinning
  • Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)

Jeremiah Grossman is the founder and CTO of WhiteHat Security, is considered a world-renowned expert in Web security, is co-founder of the Web Application Security Consortium, and was recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, etc. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

Robert Hansen (CEO of SecTheory) has been working with web application security since the mid 90’s, beginning his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Digital Island, Exodus, and Cable & Wireless beginning as a Sr. Security Architect and eventually leading the managed security services product management for intrusion detection, content integrity management systems, managed vulnerability management and security event correlation services. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies.

Mr. Hansen is probably best known for founding the web application security lab at, Dark Reading articles, and co-authoring “XSS Exploits”. He also speaks at Toorcon, Microsoft’s Bluehat, Blackhat and Networld+Interop. Mr. Hansen is a member of WASC, IACSP, ISSA, and contributed to the OWASP 2.0 guide.


A Dynamic Technique for Enhancing the Security and Privacy of Web Applications
Ezequiel D. Gutesman, Researcher at Corelabs, a division of Core Security Technologies
Ariel Waissbein, Researcher, Core Security Technologies

Web applications are often preferred targets in today’s threat landscape. Many widely deployed applications were developed in haste and are often riddled with SQL injection, file inclusion and cross-site scripting bugs, creating weak links in any Internet-exposed environment.

In this presentation, CoreLabs researchers Ezequiel Gutesman and Ariel Waissbein will address this issue by introducing a new application protection technology that efficiently identifies and blocks several attack vectors “on the fly.” The protection technique is based on very granular run-time taint analysis of an application’s data and does not require access or changes to the application’s source code.

Applications written in the most common web scripting languages, including PHP, ASP, Python, Perl and Java, can be protected using this technology to prevent database injection, shell injection, cross-site scripting and directory-traversal attacks. A fully functional implementation of the protection technique for PHP will be described in detail.

Ezequiel Gutesman is a researcher at Corelabs, the research unit at Core Security Technologies, and a Computer Science student at the University of Buenos Aires. The research I do is actually focused on web application security; this includes dynamic protection and static analysis.

Ariel Waissbein has been a researcher at Core Security Technologies for the last 8 years, producing results relevant to industry and academia. Ariel has uncovered vulnerabilities in MySQL and SSH, researched and developed a new software protection tool, researched botnet security and their future, automated source-code analysis of web applications, detection and protection methods for injection vulnerabilities and various aspects of penetration testing, and in particular, pentesting of web applications. Ariel will be completing a Ph.D. in mathematics, has held different teaching positions in universities, and currently co-leads and teaches at the computer security department in the Ph.D. programme of ITBA University.


Stealth Secrets of the Malware Ninjas
Nick Harbour, Senior Consultant, Mandiant

It is important for the security professional to understand the techniques used by those they hope to defend against. This presentation focuses on the anti-forensic techniques which malware authors incorporate into their malicious code, as opposed to relying solely on an external rootkit. In addition to describing a number of known but scarcely documented techniques, this presentation will describe techniques which have never been observed through the presenter's experience with incident response and malware reverse engineering. This presentation will contain a great deal of highly technical content which covers the specifics of the techniques down to the machine instruction level. For the security professional/enthusiast with a limited technical background in this area, this presentation will serve as an eye-opening overview of malware anti-forensic techniques as well as a limited introduction to forensic analysis.

Introduced in this presentation will be a new tool for identifying malicious executables, a toolkit to achieve data hiding, manipulation and infection of executable files, and a new technique for manual process execution under Unix.

Nick Harbour is a Senior Consultant with Mandiant. He specializes in both offensive and defensive research and development as well as reverse engineering, incident response and computer forensics. He also occasionally teaches malware analysis and reverse engineering. Nick's 8-year history in the security industry began as a researcher and forensic examiner at the DoD Computer Forensics Lab (DCFL), where he helped pioneer the field of computer forensics.

Nick is a developer of open source software including most notably dcfldd, the popular forensic disk imaging tool, and tcpxtract, a tool for "carving" files out of network traffic.

Nick is also a trained chef!


Hacking the Extensible Firmware Interface
John Heasman, Director of Research, NGS Software

"Macs use an ultra-modern industry standard technology called EFI to handle booting. Sadly, Windows XP, and even Vista, are stuck in the 1980s with old-fashioned BIOS. But with Boot Camp, the Mac can operate smoothly in both centuries."
—Quote taken from

The Extensible Firmware Interface (EFI) has long been touted as the replacement for the traditional BIOS and was chosen by Apple as the pre-boot environment for Intel-based Macs. This presentation explores the security implications of EFI on firmware-based rootkits.

We start by discussing the limitations of the traditional BIOS and the growing need for an extensible pre-boot environment. We also cover the key components of the EFI Framework and take a look at the fundamental design decisions affecting EFI and their consequences. Next we consider the entry points that an EFI system exposes—just how an attacker may set about getting their code into the EFI environment—taking the Apple MacBook as our reference implementation.

After demonstrating several means of achieving the above, we turn our attention to subverting the operating system from below, drawing parallels wherever possible to attacks against systems running a traditional BIOS.

The final part of this presentation discusses the evolution of EFI into the Unified Extensible Firmware Interface (UEFI), soon to be supported by Windows Server (Longhorn) and discusses the application of the previously discussed attacks to UEFI.

John Heasman is the Director of Research at NGS Software. He has significant experience in vulnerability research and has released numerous advisories in enterprise-level software, including Microsoft Windows, Norton Antivirus, Exchange Server and PostgreSQL.

His primary research interest is in rootkit and anti-rootkit technologies, though he also has a strong interest in database security and was a co-author of "The Database Hacker's Handbook" (Wiley, 2005).

He holds a Master's degree in Engineering and Computing from Oxford University and is certified as a CHECK Team Leader, allowing him to lead penetration tests of UK government systems.


Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Brad Hill, Senior Security Consultant, iSEC Partners

Web Services are becoming commonplace as the foundation of both internal Service Oriented Architectures and B2B connectivity, and XML is the world's most successful and widely deployed data format. This presentation will take a critical look at the technologies used to secure these systems and the emerging attention to "message-oriented" security. How do WS-Security, XML Digital Signatures and XML Encryption measure up?

The first half of the talk will take a strategic view of message-oriented security and compare it to existing alternatives like SSL. The second half will be a technical deep dive into XML Digital Signatures as a case study in security technology design. The state of the art in XML attacks will be summarized and advanced, including a series of critical design flaws that allow reliable cross-platform code injection on multiple vendor platforms.

A tool will be demonstrated that applies several of the attack techniques discussed against SAML messages.

Brad Hill is a Senior Security Consultant for Information Security Partners, where he performs security assessments for a variety of products. Prior to joining iSEC, Brad worked for several years in the high-tech and financial services sectors as a developer and security expert. He received the CISSP certification in 2004, has spoken at several OWASP events and been an invited speaker at Microsoft Corporation.


Vista Network Attack Surface Analysis and Teredo Security Implications
Jim Hoagland, Principal Security Researcher, Advanced Threats Research team, Symantec Security Response

This talk will present the results of a broad analysis performed on the network-facing components of the release (RTM) version of Microsoft Windows Vista, as well as the results of a study of the security implications of the related Teredo protocol. Windows Vista features a rewritten network stack, which introduces a number of core behavior changes. New protocols include IPv6 and related protocols, LLTD, LLMNR, SMB2, PNRP, PNM, and WSD. One of the IPv4-IPv6 transition mechanisms provided by Vista is Teredo, which tunnels IPv6 through a NAT by using IPv4 UDP. This provides globally usable IPv6 addresses without the knowledge or cooperation of any part of the local network. The main security concerns raised by Teredo involve security controls being bypassed, defense in depth being reduced, and unsolicited traffic being allowed by the protocol. Other security concerns with Teredo include the capability of remote nodes to open the NAT for themselves, worms, ways to deny Teredo service, the difficulty of finding all Teredo traffic to inspect, and a new phishing mechanism.

Dr. James Hoagland, CISSP, is a Principal Security Researcher on the Advanced Threats Research team in Symantec Security Response. At Symantec his research areas have included Windows Vista, IPv6, Teredo, network evasion, anomaly detection, botnets, intrusion detection improvement, and he was a researcher for the NIPS engine team. In total he has 13 years experience in the theoretical and more practical aspects of computer security. Before joining Symantec, he was a researcher at Silicon Defense, where his work included Spade (an anomalous packet detector), Spice (a stealthy portscan detector), and SnortSnarf (a Snort alert browser). Jim earned his doctorate from the Computer Security Lab at UC Davis in 2000, where his advisors were Profs. Karl Levitt and Raju Pandey.


The Little Hybrid Web Worm that Could
Billy Hoffman, Lead Security Researcher, SPI Dynamics
John Terrill, Executive Vice President and co-founder of Enterprise Management Technology

The past year has seen several web worm attacks against various online applications. While these worms have gotten more sophisticated and made use of additional technologies like Flash and media formats, they all have some basic limitations, such as in infecting new domains and in their injection methods. These worms are fairly easily detected using signatures, and these limitations have made web worms annoying, but ultimately controllable. Often the source website simply fixes a single flaw and the worm dies.

In this presentation we will examine ways web worms might evolve to overcome these limitations. We describe a hybrid web worm combining both server-side and client-side languages to exploit both the web server and the web browser to aid in its propagation across multiple hosts. We will discuss how such a hybrid worm is able to find new vulnerable systems and infect new hosts on different domains from both the client and the server. In addition we will look at how a hybrid worm could upgrade its infection methods while in the wild by fetching and parsing new web vulnerability information from public security sites, preventing a single silver-bullet fix from stopping it. We will examine how web worms could implement polymorphism and source code mutation to evade signature detection systems. While these are not new concepts, applying them to interpreted languages like Perl or JavaScript inside a browser allowed for some interesting twists and caused some challenges.

While we have not built a fully functioning hybrid worm, we will demo different parts of the worm in isolation to show how these features would function. Specifically we will look at how the worm could upgrade itself with publicly available vulnerability data as well as source code mutation. Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website's database. Finally we will discuss steps to prevent hybrid web worms from exploiting a website or its users.

Billy Hoffman is a lead security researcher for SPI Dynamics. At SPI Dynamics, Billy focuses on automated discovery of Web application vulnerabilities and crawling technologies. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. In addition, Billy is a reviewer of white papers for the Web Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. Billy is currently coauthoring "Ajax Security", to be published by Addison-Wesley in Summer 2007.

John Terrill is the Executive Vice President and co-founder of Enterprise Management Technology LLC. EMT's flagship product is SecureView, an innovative web based two-factor authentication solution. John has a strong background in security having held positions in research, consulting, and services at some of the most respected names within the security industry including Internet Security Systems, Demiurge Consulting, and SPI Dynamics.

Active Reversing: The Next Generation of Reverse Engineering
Greg Hoglund, Founder, & HBGary

Most people think of reverse engineering as a tedious process of reading disassembled CPU instructions and attempting to predict or deduce what the original C code was supposed to look like. This process is difficult, time consuming, and expensive, but it doesn't need to be. Software programs can be made to reverse engineer themselves. Software, as a machine, can be understood by active observation, as opposed to static decompilation and prediction. In other words, you can reverse engineer software by using it, as opposed to reading code.

Code is nothing more than an abstraction of runtime states. When software operates it reverse engineers itself by design, exposing its conceptual abstraction to the CPU and memory. The problem is that computers only need to know about what the current state is, and because of that, they discard this veritable treasure trove of information. Observation of software behavior provides no less data than static reverse engineering, and in fact provides a great deal more information that is easier to understand and costs less to obtain. Human reverse engineers need tools and methods to capture and analyze this data.

Traditional debugging tools don't tie run-time information to abstract functionality because all this state information is too complex. But what the debugger doesn't see is precisely what the reverse engineer does see while running the program. The human mind grasps abstract functionality, the intent behind the seething mass of code and data. This is why automated program analysis can never replace the human mind.

Humans use software at a high layer of abstraction while the computer sees only the fine grains of detail. The challenge for the reverse engineer is to join the two extremes. Historically, this chasm between total abstraction and microscopic granularity has been bridged by static disassembly and this is the reason most people haven't tackled reverse engineering. In truth, most people who are daunted by this barrier could, in fact, be excellent reverse engineers. This is a terrible shame because there are many tools and techniques available for reverse engineering that do not, or at least, should not require reading disassembled instructions. And even though the tools can't go from fine grains to mountains automatically, proper usage can reveal the links between user action and execution under the hood.

This talk introduces a new method of reverse engineering coined 'Active' Reversing. Active Reversing includes debugging tools driven with techniques of use such as substring scanning, access breakpoints, dataflow tracing, behavioral set operations, run tracing, data sampling, proximity browsing, comparative memory scans, hit counters, and more. Some of the tools and techniques have been in use for quite some time, others are new concepts. In either case, never have all the techniques been formally presented as a new methodology. Active Reversing is a fresh new look on an old subject.

Greg Hoglund has been a pioneer in the area of software security for ten years. He created and documented the first Windows NT-based rootkit, founding in the process.

Status of Cell Phone Malware in 2007
Mikko Hypponen, Chief Research Officer, F-Secure

The first real viruses infecting mobile phones were found in late 2004. Since then, hundreds of different viruses have been found, most of them targeting smartphones running the Symbian operating system.

Mobile phone viruses use new spreading vectors such as Multimedia messages and Bluetooth.

Why is this mostly a Symbian problem? Why haven't Windows Mobile or BlackBerry devices been targeted more? What makes the latest Symbian phones more secure? Why are most of the infections happening in Europe and South-East Asia? And what will happen next?

Mikko Hypponen is the Chief Research Officer for F-Secure. He was selected among the 50 most important people on the web in March 2007 by PC World magazine.

Vulnerabilities in Wi-Fi/Dual-Mode VoIP Phones
Krishna Kurapati, Founder and Chief Technology Officer, Sipera Systems

Dual-mode phones automatically switch between Wi-Fi and cellular networks, providing lower costs, improved connectivity and a rich set of converged services using protocols like SIP. Among several other VoIP products and services, Sipera VIPER Lab conducted a vulnerability assessment on a sample group of dual-mode/Wi-Fi phones and discovered several vulnerabilities that allow a remote attacker to carry out spoofing and denial-of-service attacks against such phones. As a result, it is apparent that enterprises and service providers need to become more aware of security threats to their fixed and mobile VoIP infrastructure. Additionally, protection mechanisms, including increasing the robustness of phone protocol implementations, employing VoIP security best practices, and securing critical network nodes, must be used. This presentation gives a brief overview of this emerging technology, the threats associated with it, and ways to mitigate those threats.

Krishna Kurapati founded Sipera Systems in 2003 and serves as the CTO. He holds 5 patents and has over 15 years of technology and product development experience.

In 1998, Krishna co-founded IPCell Technologies (acquired by Cisco for $213 million in 2000) and served as the VP of Engineering where he led the development of the world's first Class 5/4 softswitch. From 2000 to 2002, Krishna was the Director of Engineering with Cisco, spearheading the BTS10200 Softswitch product.

Krishna holds an MS from the Indian Institute of Science, Bangalore, and a BE from Osmania University, Hyderabad.

Black Ops 2007: Design Reviewing The Web
Dan Kaminsky

Design bugs are really difficult to fix—nobody ever takes a dependency on a buffer overflow, after all. Few things have had their design stretched as far as the web; as such, I've been starting to take a look at some interesting aspects of the "Web 2.0" craze. Here are a few things I've been looking at:

Slirpie: VPN'ing into Protected Networks With Nothing But A Lured Web Browser. Part of the design of the web is that browsers are able to collect and render resources across security boundaries. This has a number of issues, but they've historically been mitigated with what's known as the Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name. But scripts are not acquired from names; they come from addresses. As RSnake of and Dan Boneh of Stanford University have pointed out, so-called "DNS Rebinding" attacks can break the link between the names that are trusted and the addresses that are connected to, allowing an attacker to proxy connectivity from a client. I will demonstrate an extension of RSnake and Boneh's work that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page.

I will also discuss how the existence of attacks such as Slirpie creates special requirements for anyone intending to design or deploy Web Single Sign On technologies. Slirpie falls to some of them, but slices through the rest handily.
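The Same Origin Policy described above is enforced by the browser on names, so once a name has been rebound to a server's address the server cannot rely on it. One server-side check that does not depend on DNS at all is to answer only requests whose Host header names the service itself: a browser that has been led to connect under an attacker-controlled name still sends that name in Host. The Python below is an added example for this page, not code from the talk; the host names are constructed placeholders, and refusing with 400 is a choice for the example rather than a requirement.

```python
"""Host-header allow-listing for a service that may be reached through a
rebound DNS name. Added example for this page; ALLOWED_HOSTS is constructed."""
import ipaddress

ALLOWED_HOSTS = frozenset({"intranet.example.internal", "wiki.example.internal"})
_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def normalize_host(host_header: str):
    """Return the lower-cased host name without port, or None if the header is
    missing, malformed, or an IP literal. IP literals are rejected because a
    rebound name never matches an address the service chose to answer for."""
    if not host_header:
        return None
    h = host_header.strip().lower()
    if h.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8080
        return None
    name, _, port = h.partition(":")
    if port and not port.isdigit():
        return None
    try:
        ipaddress.ip_address(name)        # bare IPv4 literal
        return None
    except ValueError:
        pass
    if not name or any(c not in _NAME_CHARS for c in name):
        return None
    return name.rstrip(".")               # tolerate a trailing dot (FQDN form)


def host_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only when the request names one of the service's own host names."""
    name = normalize_host(host_header)
    return name is not None and name in allowed


def wsgi_app(environ, start_response):
    """Minimal WSGI application that refuses anything not addressed to us.
    WSGI exposes the Host header as environ['HTTP_HOST']."""
    if not host_allowed(environ.get("HTTP_HOST", "")):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"unrecognized Host header\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the intranet\n"]
```

The check is cheap and sits in front of every handler, so a request that arrived via a rebound name is refused before any application logic sees it; the same allow-list should also drive the names a reverse proxy is willing to route.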

p0wf: Passive Fingerprinting of Web Content Frameworks. Traditional OS fingerprinting has looked to identify the OS kernel that one is communicating with, based on the idea that if one can identify the kernel, one can target daemons that tend to be associated with it. But the web has become almost an entirely separate OS layer of its own, and especially with AJAX and Web 2.0, new forms of RPC and marshalling are showing up faster than anyone can identify. p0wf intends to analyze these streams and determine just which frameworks are being exposed on what sites.

LudiVu: A number of web sites have resorted to mechanisms known as CAPTCHAs, which are intended to separate humans from automated submission scripts. For accessibility reasons, these CAPTCHAs need to be both visual and auditory. They are usually combined with a significant amount of noise, so as to make OCR and speech recognition impossible. I was in the process of porting last year's dotplot similarity analysis code to audio streams for non-security related purposes, when Zane Lackey of iSec Partners proposed using this to analyze CAPTCHAs. It turns out that, indeed, Audio CAPTCHAs exhibit significant self-similarity that visualizes well in dotplot form. This will probably be the first Black Hat talk to use WinAMP as an attack tool.

A number of other projects are also being worked on—I've been sending billions of packets for a reason, after all, and they haven't been coming from WinAMP :) There will be some updates on the analysis tools discussed during Black Ops 2006 as well.

Dan Kaminsky is the Director of Penetration Testing for Seattle-based IOActive, where he is greatly enjoying having minions. Formerly of Cisco and Avaya, Dan was most recently one of the "Blue Hat Hackers" tasked with auditing Microsoft's Vista client and Windows Server 2008 operating systems. He specializes in absurdly large scale network sweeps, strange packet tricks, and design bugs.

A Picture's Worth...
Dr. Neal Krawetz, Hacker Factor Solutions

Digital cameras and video software have made it easier than ever to create high quality pictures and movies. Services such as MySpace, Google Video, and Flickr make it trivial to distribute pictures, and many are picked up by the mass media. However, there is a problem: how can you tell if a video or picture is showing something real? Is it computer generated or modified? In a world where pictures are more influential than words, being able to distinguish fact from fiction in a systematic way becomes essential. This talk covers some common and not-so-common forensic methods for extracting information from digital images. You will not only be able to distinguish real images from computer generated ones, but also identify how they were created.

Dr. Neal Krawetz has a Ph.D. in Computer Science and over 15 years of computer security experience. His research focuses on methods to track "anonymous" people online, with an emphasis on anti-spam and anti-anonymity technologies. Dr. Krawetz runs Hacker Factor Solutions, a company dedicated to security-oriented auditing, research, and solutions. He is the author of "Introduction to Network Security" (Charles River Media, 2006) and "Hacking Ubuntu" (Wiley, 2007).

"Point, Click, RTPInject"
Zane Lackey, Security Consultant, iSEC Partners
Alex Garbutt, Security Consultant, iSEC Partners

The Realtime Transport Protocol (RTP) is a common media layer shared between H.323, SIP, and Skinny (SCCP) VoIP deployments. RTP is responsible for the actual voice/audio stream in VoIP networks; hence attacks against RTP are valid against the bulk of VoIP installations in enterprise environments. Since signaling (H.323/SIP/SCCP) and media transfer (RTP) are handled by two separate protocols, injecting audio into a stream is often the most damaging attack against RTP. RTP is vulnerable to audio injection due to its lack of integrity protection and its wide tolerance of sequence information.

The presentation will demonstrate an easy to use GUI VoIP injection attack tool for RTP appropriately named RTPInject. The tool, with zero setup prerequisites, allows an attacker to inject arbitrary audio into an existing conversation involving at least one VoIP endpoint. RTPInject automatically detects RTP streams on the wire, enumerates the codecs in use, and displays this information to the user. The user can then select an audio file they wish to inject into the targeted RTP stream. The presentation will provide a walkthrough of the easy three step process: view, click, and inject.
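The two weaknesses named above, no integrity protection and a wide tolerance for sequence numbers, are also what a monitoring point can key on: an injected packet carries the victim stream's SSRC but a sequence number far from where the legitimate stream is. The Python below, an added example for this page and not code from the talk or from RTPInject, parses the 12-byte fixed RTP header from RFC 3550 and flags packets in a constructed sample that do not fit the stream the first packet established.

```python
"""Parse RTP fixed headers (RFC 3550) and flag packets that do not fit an
established stream. Added example for this page, not code from the talk or
from RTPInject; SAMPLE below is constructed, not captured traffic."""
import struct
from dataclasses import dataclass


@dataclass
class RtpHeader:
    payload_type: int
    marker: bool
    seq: int
    timestamp: int
    ssrc: int


def parse_rtp(packet: bytes) -> RtpHeader:
    """Decode the 12-byte fixed header; raise ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:                      # V field: only RTP version 2 exists
        raise ValueError("not RTP version 2")
    return RtpHeader(b1 & 0x7F, bool(b1 & 0x80), seq, ts, ssrc)


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 0, payload: bytes = b"\xff" * 8) -> bytes:
    """Build a version-2 packet with no padding, extension or CSRC list."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def seq_gap(expected: int, actual: int) -> int:
    """Forward distance in 16-bit sequence space; backward jumps wrap to large values."""
    return (actual - expected) & 0xFFFF


def find_suspicious(packets, max_jump: int = 50):
    """Return (index, reason) for packets that do not fit the stream the first packet
    established: a different SSRC or payload type, or a sequence number more than
    max_jump ahead of the expected next value. Flagged packets do not advance the
    expected sequence number, so the legitimate stream keeps being tracked."""
    findings = []
    ref = parse_rtp(packets[0])
    expected = ref.seq
    for i, raw in enumerate(packets):
        h = parse_rtp(raw)
        if h.ssrc != ref.ssrc:
            findings.append((i, "ssrc mismatch"))
        elif h.payload_type != ref.payload_type:
            findings.append((i, "payload type mismatch"))
        elif seq_gap(expected, h.seq) > max_jump:
            findings.append((i, f"sequence jump of {seq_gap(expected, h.seq)}"))
        else:
            expected = (h.seq + 1) & 0xFFFF
    return findings


# Constructed sample: a G.711 (payload type 0) stream of 20 ms frames (160 samples
# each), one packet inserted with the same SSRC but a far-ahead sequence number,
# and one packet from an unrelated SSRC.
STREAM_SSRC = 0x11223344
LEGIT = [build_rtp(1000 + i, 16000 + 160 * i, STREAM_SSRC) for i in range(5)]
INJECTED = build_rtp(5000, 900000, STREAM_SSRC)
FOREIGN = build_rtp(77, 5, 0xDEADBEEF)
SAMPLE = LEGIT[:3] + [INJECTED] + LEGIT[3:] + [FOREIGN]


def demo():
    """Findings for the constructed sample."""
    return find_suspicious(SAMPLE)


if __name__ == "__main__":
    for idx, why in demo():
        print(f"packet {idx}: {why}")
```

The threshold is a heuristic: an injector that keeps its sequence numbers only slightly ahead of the real stream slips under it, which is why the durable fix is authentication of the media itself (SRTP, RFC 3711) rather than sequence-number plausibility checks.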

Zane Lackey is a Security Consultant with iSEC Partners, Inc, a strategic digital security organization. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes AJAX web applications and VoIP security. Zane has spoken at top security conferences including Black Hat and Toorcon. Additionally, he is a co-author of Hacking Exposed Web 2.0 and contributing author of VoIP Security. Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop.

Alex Garbutt is a Security Consultant with iSEC Partners, Inc, a strategic digital security organization. In the course of his work, Alex regularly performs application penetration testing, code review, and network assessments for iSEC. His current specializations include VoIP and 802.1x. He holds a BS with Honors in Computer Science and Engineering from the University of California, Davis.

RFIDIOts!!! – Practical RFID Hacking (Without Soldering Irons or Patent Attorneys)
Adam Laurie

RFID is being embedded in everything...From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them...

Adam Laurie is a UK based freelance security consultant. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he and his brother, Ben, became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

More recently he has become interested in mobile device security, and was responsible for discovering many major Bluetooth security issues, and has also spoken on other wireless topics such as InfraRed and Magnetic Stripes. His current interest, RFID, has spawned another Open Source project, RFIDIOt, which is also bringing several security issues to the fore. More detail can be found here:

Practical Sandboxing: Techniques for Isolating Processes
David LeBlanc, Microsoft

The sandbox created for the Microsoft Office Isolated Converter Environment will be demonstrated in detail. The combination of restricted tokens, job objects, and desktop changes needed to seriously isolate a process will be demonstrated, along with a demonstration of why each layer is needed.

Anonymous Authentication – Preserving Your Privacy Online
Dr. Andrew Lindell, Chief Cryptographer at Aladdin Knowledge Systems and an Assistant Professor at Bar-Ilan University in Israel

Our right to privacy is under attack today. Actually, no one denies our right to privacy. However, in reality, this right is being eroded more and more as every minute passes. Some of this has to do with the war on terror, but much of it simply has to do with the fact that our online actions can be and are being recorded in minute detail. In this presentation we describe some concrete dangers that arise out of this situation and show that the uncomfortable feeling we have when our privacy is compromised is the least of our problems. We also show that a full understanding of these concrete dangers is crucial for coming up with adequate privacy-preserving solutions.

Having argued that the erosion of our privacy is a real danger, we discuss solutions to preserving privacy online. Some of these solutions are merely technical, like anonymous web surfing, but solve only a small part of the problem. For example, anonymous web surfing does not help if a user has to authenticate herself in order to access an online service (consider the case of a newspaper or magazine that requires subscription, and sometimes even paid subscription). Furthermore, as we will show, simple solutions like pseudonyms do not actually solve the real problems. Fortunately, it is possible to use anonymous authentication. Despite the fact that this seems to be a contradiction in terms, it is actually possible to authenticate without revealing your identity. In this type of protocol, the only information learned by the authenticating server is that the user is authorized. In particular, the authenticating server learns nothing whatsoever about the identity of the specific user that now entered the system! Cryptographic solutions to this problem exist and are often called "anonymous credentials". However, all known solutions are relatively complex and require non-standard asymmetric operations (i.e., operations that are not available on standard smartcards). Thus, the deployment of such solutions is complex. In this presentation, we present new solutions to this problem that are simple and can be implemented using standard smartcard technology (and even passwords, although this achieves a weaker security guarantee). We also suggest concrete applications where the use of this primitive is especially appropriate.

Andrew Lindell is the Chief Cryptographer at Aladdin Knowledge Systems and an Assistant Professor at Bar-Ilan University in Israel. Andrew attained a Ph.D. at the Weizmann Institute of Science in 2002 and spent two years at the IBM T.J. Watson research lab as a PostDoctoral fellow in the cryptography research group. Andrew has carried out extensive research in cryptography, and has published more than 40 conference and journal publications. He has authored two books: the first on secure cryptographic protocols, and the second an undergraduate textbook titled "Introduction to Modern Cryptography" that will appear in August 2007. Andrew has presented at numerous international conferences, workshops and university seminars, and has served on program committees for top international conferences in cryptography. In addition to Andrew's notable academic experience, he joined Aladdin Knowledge Systems in 2004. In his position as Chief Cryptographer, he has worked on the cryptographic and security issues that arise in the design and construction of authentication schemes, smartcard applications, software protection schemes and more.

Attacking the Windows Kernel
Jonathan Lindsay, Security Consultant, NGS Software

Most modern processors provide a supervisor mode that is intended to run privileged operating system services that provide resource management transparently or otherwise to non-privileged code. Although a lot of research has been conducted into exploiting bugs in user mode code for privilege escalation within the operating system defined boundaries as well as what can be done if one has arbitrary supervisor access (typically related to modern rootkit work), not a great deal of research has been done on the interface between supervisor and non-supervisor, and potential routes from one to the other.

The biggest problem arises when trying to protect the kernel from itself—for example, under the IA32 architecture implementation of Windows, the distinction between user mode and kernel mode from the user mode perspective is easily enforced through hardware based protection. However, as the kernel is running as supervisor, how does the kernel make distinctions between what it should be accessing? This would be irrelevant if the supervisor was not exposed to interaction with the supervisee; but that would defeat the purpose of having a kernel.

This presentation is focused on Windows and the Intel Architecture, and will briefly outline the current supervisor boundaries provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised. There will then be an outline of what possible architectures could be used to mitigate such attacks, such as the research operating system Singularity.

Jonathan Lindsay is a security consultant for NGS Software. Though he has a wide range of experience in IT security, he specialises in reverse engineering and started his career as a virus researcher. The necessity of dealing with both user mode and kernel mode rootkits in the AV industry encouraged him to delve into the underlying operating system technologies concerned.

Some of Jonathan's primary interests are the application of reverse engineering to everything, automated static binary analysis, and prodding kernel code until it falls over.

Database Forensics
David Litchfield, Founder, Next Generation Security Software

Since the state of California passed the Database Security Breach Notification Act (SB 1386) in 2003 another 34 states have passed similar legislation with more set to follow.

In January 2007 TJX announced they had suffered a database security breach with 45.6 million credit card details stolen—the largest known breach so far.

In 2006 there were 335 publicized breaches in the U.S.; in 2005 there were 116 publicized breaches; between the 1st of January and March 31st of 2007, a 90 day period, there have been 85 breaches publicized.

There are 0 (zero) database-specific forensic analysis and incident response tools, commercial or free, available to computer crime investigators. Indeed, until very recently, there was pretty much no useful information out there that could help.

By delving into the guts of an Oracle database's data files and redo logs, this talk will examine where the evidence can be found in the event of a database compromise and show how to extract this information to show who did what, when. The presentation will begin with a demonstration of a complete compromise via a SQL injection attack in an Oracle web application server and then perform an autopsy. The talk will finish by introducing an open source tool called the Forensic Examiner's Database Scalpel (F.E.D.S.).

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

No-Tech Hacking
Johnny Long, Penetration Tester (*snicker*)

I'm Johnny. I hack stuff. I've been at it for quite a while now, and I've picked up a few tricks along the way. I get asked about my tricks all the time, mostly by kids who saw that movie. You know the one. But I've always said no. I've held onto my secrets as part of the pact I made with the hacker underground. I mean I'm allowed to give talks and presentations about hacking stuff, but the secrets...the real super-cool secrets I've had to keep to myself. The head of the underground said so. But I got this email the other day that says I'm THIS close to getting kicked out of the underground. Seems the glare of the public eye has been on me for far too long and I've become a liability. So, I'm going to be proactive. I'm going to quit before they can fire me. I'm coming out of the closet (not that one) and I'm airing all the underground's dirty laundry in the process. That's right. I'm going public with the überest of the über. The real ninja skillz are yours for the knowing. Want to know how to suck data off a laptop with nothing but your MIND? Poke your way into a corporate email server without touching a keyboard? You think I'm kidding. I'm not. Want to slip inside a building and blend with the shadows? Even the best slip up with this trick, but don't worry. If your camouflage breaks down, I'll teach you the Jedi wave. Not the one in Star Wars (they stole theirs from the hacker underground), but the REAL Jedi wave that confuses people and makes them ignore you as you bumble around in the high security areas. Or the smoke trick. The one that lets you pass through walls untouched, surrounded by a cool-looking (but smelly) cloud of smoke. How about sucking sensitive data from a corporate network from the parking lot? Without a wireless device. How about blending in with the feds? You can chat with them about...fed stuff, and they'll accept you as one of their own. All this and more. The underground is gonna be sooo ticked off.

Johnny Long is a Christian, pirate, hacker, (almost) ninja and author. He has been spotted around. Johnny works for Computer Sciences Corporation (CSC).

Simple Solutions to Complex Problems from the Lazy Hacker’s Handbook: What Your Security Vendor Doesn’t Want You to Know
David Maynor, Founder & CTO, Errata Security

Security is very hard these days: lots of new attack vectors, lots of new acronyms, compliance issues, and the old problems aren’t fading away like predicted. What’s a security person to do? Take a lesson from your adversary.

Hackers are famous for being lazy—that's why they're hackers instead of productive members of society. They want to find new and interesting shortcuts to a quick payoff with minimal effort. Or, they look at a protocol designed by committee and find all the issues that never got a vote. Why not use the same enterprising approach to a quick and easy victory in the security arms race against them?

Stop dialing the phone to your security vendor and pay attention. This talk will shine light on simple methods to fix complex problems that your security vendor doesn’t want you to know about.

Problems that will be addressed are:

  • How to take care of client side exploits with ease.
  • Find tons of 0day by letting someone else do all the work.
  • Employ simple measures to keep a wireless network key secure.

All this without buying ANOTHER product! If you are drowning in problems, this talk could be just the lifeline you need.

David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.

Robert Graham is the co-founder and CEO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago and was designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. Previously he was the chief scientist of Internet Security Systems. Before that he was the co-founder, CTO, and chief architect of Network ICE, which was acquired by Internet Security Systems.

Longhorn Server Foundation & Server Roles
Iain McDonald, Director, Program Management, Windows Server, Microsoft

Iain will discuss Server Foundation and Server Roles—how Longhorn Server applied the principles of attack surface minimization. This talk will detail the mechanics of LH Server componentization and then discuss the primary roles. You will learn how to install and manage a server that doesn't have a video driver and will hear about File Server, Web Server, Read Only Domain Controller, etc.

It's All About the Timing
Haroon Meer, Technical Director, SensePost
Marco Slaviero, Senior Security Analyst, SensePost

Timing attacks have been exploited in the wild for ages. In recent times timing attacks have largely been relegated to use only by cryptographers and cryptanalysts. In this presentation SensePost analysts will show that timing attacks are still very much alive and kicking on the Internet and fairly prevalent in web applications (if only we were looking for them). The talk will cover SensePost-aTime (our new SQL Injection tool that operates purely on timing differences to extract data from injectable sites behind draconian firewall rulesets), our new generic (timing aware) web brute-forcer and lots of new twists on old favorites. We will discuss the implications of timing on current JavaScript malware, discuss XSRT (Cross Site Request Timing) (because we can never have too many acronyms!) and demonstrate how reasonably effective this is against the "Same Origin Policy".

If you are doing testing today, and are not thinking a lot about timing, chances are you are missing attack vectors right beneath your stop-watch!
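The premise of the abstract is that any response whose duration depends on secret data leaks that data, whatever the protocol. The Python below, an added example for this page and not code from SensePost's tools, instruments two string comparisons and counts loop iterations instead of wall-clock time so the difference is deterministic: the early-exit comparison does work proportional to the matched prefix, while the constant-time version does the same work for every guess. The secret and guesses are constructed.

```python
"""Compare a string check that leaks through its running time with a
constant-time version. Work is counted as loop iterations so the effect is
reproducible without a stopwatch; on a server the same difference shows up as
response time. Added example for this page; SECRET and GUESSES are constructed."""
import hmac


def leaky_equals(secret: str, guess: str):
    """Early-exit comparison. Returns (equal, iterations); iterations grow with
    the length of the matching prefix, which is what a remote timing
    measurement observes."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equals(secret: str, guess: str):
    """Touches every character regardless of where the first mismatch is, so
    iterations depend only on the lengths involved. Returns (equal, iterations)."""
    width = max(len(secret), len(guess))
    diff = len(secret) ^ len(guess)       # a length mismatch alone makes diff non-zero
    steps = 0
    for a, b in zip(secret.ljust(width), guess.ljust(width)):
        steps += 1
        diff |= ord(a) ^ ord(b)           # accumulate, never branch on the data
    return diff == 0, steps


def safe_equals(secret: str, guess: str) -> bool:
    """What production code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(secret.encode(), guess.encode())


def work_profile(compare, secret, guesses):
    """Map each guess to the iterations the comparison spent on it."""
    return {g: compare(secret, g)[1] for g in guesses}


SECRET = "s3cr3t-token"                   # constructed
GUESSES = ["xxxxxxxxxxxx", "s3xxxxxxxxxx", "s3cr3t-xxxxx", "s3cr3t-token"]


def demo():
    """Returns (leaky profile, constant-time profile) for the constructed guesses."""
    return (work_profile(leaky_equals, SECRET, GUESSES),
            work_profile(constant_time_equals, SECRET, GUESSES))
```

The leaky profile rises with each correctly guessed character while the constant-time profile is flat; the iteration count stands in for response time, which is the only signal a remote observer has. The same data-dependent shape, a code path whose duration varies with the content it touches, is what makes the blind SQL injection technique in the abstract work, and removing it is the defence.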

Haroon Meer is the Technical Director of SensePost. He joined SensePost in 2001 and has not slept since his early childhood. He has co-authored several technical books on Information Security and has spoken and trained at conferences around the world. He has played in most aspects of IT Security from development to deployment and currently gets his kicks from reverse engineering, application assessments and similar forms of pain.

Marco Slaviero is a senior security analyst, avid reader and recovering student. He doesn't smoke and is rumored to harbor personal animosity towards figs.

Hacking Leopard: Tools and Techniques for Attacking the Newest Mac OS X
Charlie Miller, Senior Security Analyst, Independent Security Evaluators

According to the Apple website, “Mac OS X delivers the highest level of security through the adoption of industry standards, open software development and wise architectural decisions.” Of course, the Month of Apple Bugs showed that Macs are just as susceptible to vulnerabilities as other operating systems. Arguably, the two factors keeping the number of announced vulnerabilities on Mac OS X low are that not many researchers are interested in exploring this operating system due to its low market share, and that not many researchers are familiar with the platform, which can introduce a steep learning curve. The first of these reasons is going away as Apple’s market share continues to rise. This talk hopes to address the second reason. Namely, to provide researchers already familiar with Windows and Linux the knowledge and tools necessary to search for new security bugs in this operating system, specifically the forthcoming release of “Leopard”, the newest version of Mac OS X. Happily, there are plenty of bugs and some Mac-only tools which help to find them. This talk will announce the port of some popular tools, including the release of PaiMei for Mac OS X, and will demonstrate one or two 0-days (if they’re still around).

Charlie Miller spent five years as a Global Network Exploitation Analyst for the National Security Agency. During this time, he identified weaknesses and vulnerabilities in computer networks and executed numerous successful computer network exploitations against foreign targets. He sought and discovered vulnerabilities in security-critical network code, including web servers and web applications. Since then, he has worked as a Senior Security Architect for a financial firm and currently works as a Senior Security Analyst for Independent Security Evaluators, a security consulting firm. He was a technical editor for the upcoming fuzzing book authored by Sutton, Greene, and Amini. He has spoken at the Workshop on the Economics of Information Security.

His areas of expertise include identifying vulnerabilities in software, writing exploits, and computer attack methodology. He is a Red Hat Certified Engineer (RHCE), GIAC Certified Forensics Analyst (GCFA), and is a Certified Information Systems Security Professional (CISSP). He has a B.S. from Truman State University and a Ph.D. from the University of Notre Dame.

Other Wireless: New ways of being Pwned
Luis Miras, Lead Vulnerability Researcher, Intrusion Inc

There are many other wireless devices besides Wifi and Bluetooth. This talk examines the security of some of these devices, including wireless keyboards, mice, and presenters. Many of these devices are designed to be as cost effective as possible. These cost reductions directly impact their security. Examples of chip level sniffing will be shown as well as chip level injection attacks allowing an attacker to control the target system. The hardware used in these devices will be examined along with an attacker toolkit consisting of low cost hardware and software.

Luis Miras is the lead vulnerability researcher at Intrusion Inc. He has done work for leading consulting firms and recently has done work for Chumby. His interests include vulnerability research, binary analysis, and hardware/software reversing. In the past he has worked in digital design, and embedded programming. When he isn't head down in IDA or a circuit board, you will likely find him boarding down some sweet powder.

Tactical Exploitation
HD Moore, Director of Security, BreakingPoint Systems
Valsmith, Founder, Offensive Computing

Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework.

HD Moore is the director of security research at BreakingPoint Systems, where he focuses on the security testing features of the BreakingPoint product line. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.

Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project.

Defeating Information Leak Prevention
Eric Monti, Researcher, Matasano Security
Dan Moniz, Matasano Security

Today's headlines are rife with high-profile information leakage cases affecting major corporations and government institutions. Most of the highest-profile leakage news has been about stolen laptops (VA, CPS), or large-scale external compromises of customer databases (TJX).

On a less covered, but much more commonplace basis, sensitive financial data, company secrets, and customer information move in and out of networks and on and off of company systems all the time. Where it goes can be hard to pin down.

How can a company prevent (let alone detect) Alice taking a snapshot of the customer database or financial projections and posting them on internet forums or even dumping them to a floppy disk? This, understandably, has a lot of people worried.

In response, many organizations have begun looking for technologies to detect and prevent sensitive information from leaving their networks, servers, workstations, and even buildings. For some time a product space for "Extrusion Detection" products has existed. But now the space is exploding and as tends to happen, security problems abound.

Some "Extrusion Detection" products rely on network gateway IPS/IDS approaches, whereas others work in a way more closely resembling host-based IDS/IPS. The main difference is that instead of detecting/preventing malicious information from entering a company's perimeter, they focus on keeping assets *inside*.

We've been evaluating a number of products in this space and have run across a large number of vulnerabilities. They range from improper evidence handling, to inherent design issues, all the way to complete compromise of an enterprise, using the Extrusion Detection framework itself as the vehicle.

Eric Monti is a computer security professional, developer, and researcher of over ten years industry experience. His professional experience includes secure network architecture, application and network assessment and penetration testing, security application development, lead roles on strategic risk management, and security policy development.

Eric is a Researcher at Matasano Security, where his responsibilities include vulnerability research and product development. Prior to Matasano, Eric held security positions at Discover Financial Services, Neohapsis, and the Chicago Board of Trade.

Type Conversion Errors: How a Little Data Type Can Do a Whole Lot of Damage
Jeff Morin, AmbironTrustWave

In the realm of application testing, one of the major, but most often overlooked, vulnerabilities is that of type conversion errors. These errors result from input variable values being used throughout the many areas and codebases that make up the application, and in doing so, being potentially treated as different data types throughout the processing. The application functions correctly and without issue because the values of the input variable are anticipated, even though they are treated in different areas as different data types. The issue arises when a value is input into one of these variables that is crafted in such a way as to be successfully manipulated by some data types while failing others, resulting in the application behaving in unanticipated and potentially dangerous ways. These vulnerabilities are much more difficult to identify than simple error-based SQL injection or XSS, as they don't readily display success or failure, but rather can manifest themselves in other areas or at a later time. This also makes them very dangerous, in that the application behaves in completely unanticipated ways, potentially resulting in circumvented authentication and authorization, Denial of Service, elevated privileges, etc.

This talk explores the security pitfalls that result from type conversion errors, how to identify them, and proposes some solutions for identification going forward.

(un)Smashing the Stack: Overflows, Countermeasures, and the Real World
Shawn Moyer, Chief Researcher, SpearTip Technologies

As of today, Vista, XP, 2K03, OS X, every major Linux distro, and each of the BSD's either contain some facet of (stack|buffer|heap) protection, or have one available that's relatively trivial to implement/enable.

So, this should mean the end of memory corruption-based attacks as we know it, right? Sorry, thanks for playing.

The fact remains that many (though not all) implementations are incomplete at best, and at worst are simply bullet points in marketing documents that provide a false sense of safety.

This talk will cover the current state of software and hardware based memory corruption mitigation techniques today, and demystify the myriad of approaches available, with a history of how they've been proven, or disproved. Our focus will be on building defense-in-depth, with some real-world examples of what works, what doesn't, and why.

As an attendee, you should come away with a better understanding of how to protect yourself and your boxes, with some tools to (hopefully) widen the gap between what's vulnerable and what's exploitable.

Shawn Moyer is the Chief Researcher of SpearTip Technologies, a forensics, assessment and incident response consultancy. He has led security projects for major financial companies, credit card vendors, and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences. He's currently spending most of his waking moments building a soon-to-be-released security appliance. In his spare time, he's been working on translating Snow Crash into Esperanto.

OpenBSD Remote Exploit
Alfredo Ortega, Exploit Writer, Core Security

For more than a decade, OpenBSD has had only two officially disclosed bugs that could be considered remotely exploitable. In this presentation, Alfredo Ortega will provide a detailed look at one of those two rare bugs: the IPv6 mbuf overflow he discovered earlier in 2007. Ortega will provide an in-depth view of the process of developing a remote exploit for the bug, analyzing various exploitation techniques, and implementing kernel shellcode that disables the defenses of the operating system and installs a privileged user-mode process.

Alfredo Ortega was born in Esquel, Chubut, Argentina in 1978. He has worked on lowly security-related work (mostly cracking) since 2000. Ortega majored in Computer Science at Universidad de la Patagonia San Juan Bosco and is currently a PhD student at ITBA (Instituto Tecnologico de Buenos Aires).

Ortega is working as Junior Developer for Core Security.

RFID for Beginners++
Chris Paget, Director of Research and Development, IOActive

Black Hat DC 2007 was supposed to be the venue for "RFID For Beginners", a talk on the basic mechanisms of operation used by RFID tags. Legal pressure forced the talk to be curtailed, with only 25% of the material being presented. The remainder was replaced with a Panel debate involving IOActive, US-CERT, ACLU, Blackhat, and Grand Idea Studio. After spending far too much time and money dealing with lawyers and consulting with some strategic allies, IOActive has made some relatively minor tweaks to the original presentation, which will be presented as the first part of this talk.

The second part of the talk introduces Cloner 2.0. The first Cloner was designed to be as simplistic as possible, and succeeded at the cost of read range, flexibility, and overall sophistication. Cloner 2.0 aims to address these concerns with a significantly enhanced read range, a "passive" mode to sniff the exchange between tags and legitimate readers, multi-tag storage capability, multiple RF frontends and an enhanced software backend to support many different types of Proximity tags, and overall improvements in reliability and flexibility.

While we won't be able to give you full schematics or the names of any vendors whose tags can be cloned, we will be including significant information (including useful snippets of source and circuit diagram fragments) that will allow you to more deeply understand the significant flaws in older RFID technologies. This talk will give you the information you need to make informed decisions about the use and mis-use of the most common RFID implementations available today.

Abstract for the original "RFID for Beginners" talk: RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner based around a single chip—the PIC16F628A. Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK modulated, backscattering system known as RFID.

Chris Paget is the Director of Research and Development for IOActive (based in Seattle) and is currently creating IOActive's East-Coast research and auditing facility. After 9 months reviewing the Vista source code and many years performing security audits for the largest and most well-known companies in the world, Chris is getting back to his roots in electronics, radio-frequency hacking, and security theory. Chris' past research projects include the US-VISIT tracking system, RFID-triggered smart bombs, Shatter attacks, and a wide variety of protocol-level weaknesses in well known and widely deployed systems, most of which have yet to be patched or publicly discussed.

Breaking Forensics Software: Weaknesses in Critical Evidence Collection
Chris Palmer, Security Consultant, iSEC Partners
Tim Newsham, Security Consultant, iSEC Partners
Alex Stamos, co-founder and VP of Professional Services, iSEC Partners
Chris Ridder, Fellow, Stanford Law School Center for Internet and Society

Across the world law enforcement, enterprises and national security apparatus utilize a small but important set of software tools to perform data recovery and investigations. These tools are expected to perform a large range of dangerous functions, such as parsing dozens of different file systems, email databases and dense binary file formats. Although the software we tested is considered a critical part of the investigatory cycle in the criminal and civil legal worlds, our testing demonstrated important security flaws within only minutes of fault injection.

In this talk, we will present our findings from applying several software exploitation techniques to leading commercial and open-source forensics packages. We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files.

This talk will make the following arguments:

  1. Forensic software vendors are not paranoid enough. Vendors must operate under the assumption that their software is under concerted attack.
  2. Vendors do not take advantage of the protections for native code that platforms provide, such as stack overflow protection, memory page protection, safe exception handling, etc.
  3. Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial.
  4. Methods for testing the quality of forensic software are not meaningful, public, or generally adopted. Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held.

Chris Palmer is a security consultant with iSEC Partners, performing application penetration tests, code reviews, and security research.

Tim Newsham is a security consultant with iSEC Partners. He has over a decade of experience in computer security research, development and testing.

Alex Stamos is the co-founder and VP of Professional Services at iSEC Partners, a leading provider of application security services. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security.

He is a well-known researcher in the field of software security and has been a featured speaker at top industry conferences such as BlackHat, CanSecWest, DefCon, Toorcon, SyScan, Microsoft BlueHat, the Web 2.0 Expo, InfraGuard, ISACA and OWASP.

He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley.

Chris K. Ridder is a Residential Fellow at Stanford Law School's Center for Internet and Society (CIS). His research interests include the full range of issues that arise at the intersection of technology and the law, including the application of intellectual property law to software and the Internet, and the impact of technological change on privacy and civil liberties. Prior to joining CIS, Chris was an associate at Fish & Richardson P.C. and subsequently Simpson Thacher and Bartlett LLP, where he litigated a broad range of patent, intellectual property and complex commercial cases. From 2001-2002, he was a law clerk for the Honorable Mariana R. Pfaelzer of the U.S. District Court for the Central District of California. Chris received his J.D. from the University of California at Berkeley (Boalt Hall) in 2001. Before he went to law school, Chris was a newspaper editor and publisher where he served, among other positions, as Editor-in-Chief of the Anchorage Press, the largest weekly newspaper in Anchorage, Alaska.

Social Network Site Data Mining
Stephen Patton, CISSP Enterprise Security Architect

Social Network Sites contain a wealth of public information. This information is of great interest to researchers, investigators, and forensic experts. This presentation presents research regarding an approach to automated site access, and the implications of site structure. Associated tools and scripts will be explained. Additionally, investigative techniques with the recovered information will be covered.

Stephen Patton, CISSP is an Enterprise Security Architect in the financial services industry. He has been interested in social networking site data mining since 2006 when a Columbine-style school attack plan was found on MySpace and foiled in Riverton, Kansas.

Securing the Tor Network
Mike Perry, Mad Computer Scientist, evil labs

Imagine your only connection to the Internet was through a potentially hostile environment such as the Defcon wireless network. Worse, imagine all someone had to do to own you was to inject some html that runs a plugin or some clever javascript to bypass your proxy settings. Unfortunately, this is the risk faced by many users of the Tor anonymity network who use the default configurations of many popular browsers and other network software. Tor is designed to make it difficult even for adversaries that control several points in the network to determine where you're coming from or where you're going, yet these "data anonymity" attacks and attacks to bypass Tor can be performed effectively by a malicious website, or just one guy with a Ruby interpreter! To add insult to injury, software vendors seldom consider such exploits and other privacy leaks as real vulnerabilities.

Fortunately, there are some things that can be done to improve the security of the web browser and Tor users in general. This talk will discuss various approaches to securing the Tor network and Tor usage against a whole gauntlet of attacks, from browser specific, to general intersection risks, to theoretical attacks on routing itself. Methods of protection discussed will include node scanning, transparent Tor gateways, Firefox extensions (including the dark arts of Javascript hooking), and general user education. Each approach has its own strengths and weaknesses, which will be discussed in detail.

Mike Perry
By day, Mike Perry is a mild mannered reverse engineer owned and operated by Riverbed Technology, slaving away at accelerating broken monopolistic protocols from the Evil Empire and generally helping to make the Internet faster by several orders of magnitude. By night, he transforms into an ardent supporter of digital rights, privacy, and anonymity on and offline. Mike believes that not only is it every person's right to opt-out of the Database Nation, it is also in their self-interest to do so, and to have company. We are only just beginning to understand the consequences of having our entire lives archived and sold to the highest bidder, to say nothing of rampant government surveillance. Those who are not careful with protecting their personal information and online activities are in for some unpleasant surprises in the future: be it from a bitter divorce case, character attacks in a frivolous lawsuit, political opposition, or just plain old marketing spam that arrives at exactly the wrong time. In a world where our minute-to-minute thoughts are archived by IP address in search engines, Mike believes Tor is desperately needed not just by political dissidents, but by everyone.

PyEmu: A multi-purpose scriptable x86 emulator
Cody Pierce, Founding Member, TippingPoint Security Research Team (TSRT)

Processor emulation has been around for as long as the processors it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their workflow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDAPython. With obvious uses in reverse engineering, vulnerability research, and malware analysis, PyEmu is a very valuable addition to any security researcher's repertoire.

Cody Pierce, aka intropy, is currently one of the founding members of the TippingPoint Security Research Team (TSRT) where he spends most of his time in a dark corner reverse engineering and developing auditing and reverse engineering automation tools. Cody has discovered critical vulnerabilities affecting a wide range of enterprise vendors, including: Microsoft, Hewlett-Packard, America Online, Computer Associates and others. Though he spends much of his personal and free time in the world of a reverse engineer, Cody's true passion is music.

Covert Debugging: Circumventing Software Armoring Techniques
Danny Quist, CEO and co-Founder, Offensive Computing, LLC
Valsmith, co-Founder, Offensive Computing, LLC

Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.

Danny Quist is currently the CEO and co-founder of Offensive Computing, LLC, a public malware research site as well as a consulting company. He is a PhD student at New Mexico Tech working on automated analysis methods for malware with software and hardware assisted techniques. He has written several defensive systems to mitigate virus attacks on networks and developed a generic network quarantine technology. He consults with both private and public sectors on system and network security. His interests include malware defense, reverse engineering, exploitation methods, virtual machines, and automatic classification systems.

Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project.

Dror-John Roecher, Senior Security Consultant, ERNW GmbH
Michael Thumann, Chief Security Officer, ERNW GmbH

Part I: Introduction—Marketing Buzz:
The last two years have seen a big new marketing buzz named "Admission Control" or "Endpoint Compliance Enforcement", and most major network and security players have developed a product suite to secure their share of the cake. While the market is still evolving, one framework has already been quite successful on the market: "Cisco Network Admission Control". NAC is a pivotal part of Cisco’s "Self Defending Network" strategy and is supported on the complete range of Cisco network and security products. From a security point of view, “NAC” is a very interesting emerging technology which deserves some scrutiny. We are able to hack the Cisco NAC solution by exploiting a fundamental design flaw.

Part II: NAC Technology—How it works:
The basic idea behind Cisco NAC is quite simple: Before allowing a client admittance to the network, the client is tested against a predefined set of “policies”. These tests are performed by a backend system (a Cisco ACS) which processes credentials supplied by the client against one or more administrator-defined policies. Based on the result of these tests a client is categorized and a well-defined access level to the network is granted. While the client is connected to the network it is repeatedly rechecked and the state of the client is reassessed. On a somewhat more technical layer, the communication takes place using EAP over UDP with undisclosed Cisco-proprietary EAP messages, and the UDP connection itself is secured using SSL. The connection point to the network (e.g. the switch, wireless AP, firewall, router, etc.) acts as a sort of "translating proxy" between the client talking EAPoU and the Cisco Secure ACS server talking RADIUS (Client <-EAPoU-> Switch <-RADIUS-> ACS). Besides this "proxy" functionality, the connection point also acts as an enforcing element of the security policy. Three somewhat different deployment flavours of Cisco NAC exist, but the underlying concept, “admittance level based on the result of a test”, is always the same.

For every NAC-enabled application on the client, a client-side agent provides so-called “credentials” to the ACS server, where they are compared against the defined tests to derive a “posture token” per application. From all application posture tokens an overall “system posture token” is inferred, which determines the access level granted to the client. The client-side agent of the framework responsible for the communication is the “Cisco Trust Agent” (CTA), which also includes the capability to report a few basic credentials (e.g. OS version, hostname, etc.) without an additional NAC-enabled application. The CTA contains an API enabling third-party vendors to hook their applications into the NAC framework. Anti-virus vendors have been among the first to join the NAC Alliance formed by Cisco.

Part III: The Problem—NAC is not “secure by design”:
The Cisco NAC solution contains at least one major design flaw which enables us to hack (at least) two of the three different variants: The server authenticates itself to the client using a server certificate, and client and server establish a secure tunnel (something like “SSL over UDP”), but the client does not authenticate itself to the server, so we have a situation in which a component (the client) is authorized without prior authentication. After realizing this fundamental design error, the idea of a “posture spoofing attack” was born and research started with evaluating different attack vectors for their feasibility. In the end we decided to analyse the protocols used within the framework and code our own “NAC client” which provides the ACS with attacker-supplied credentials in order to get illegitimate access to NAC-secured networks.

Part IV: The Hack—how we did it
NAC is a complex system involving different protocols which are used in an odd combination. Especially the usage of SSL over UDP/EAP-FAST over UDP made the usage of SSL proxies for man-in-the-middle attacks or clear-text traffic analysis with standard methods impossible. So instead of focusing on the network traffic (which was our first approach—“stare at the packets until you understand them”), we decided to focus on the client first. Analysing the CTA client in different versions and on different operating systems revealed some of the inner workings of the protocols. Besides “client analysis” we built a NAC test lab and developed a “NAC test suite” to implement different “admission scenarios”. While running these tests we hooked into the interesting functions of the client in order to understand the functions used and their (inter)dependencies. As a next step we started coding our own NAC client to get a better insight into the communication process. The first goal was to get a clear-text dump of the communication by establishing the secure tunnel. The next goal was to provide our own credentials to the ACS in order to get access to the NAC-protected network. We will release our "NAC-Credential-Spoofing" tool at the conference along with our insight into the operation of NAC.

Part V: Our proposed talk
We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist, if NAC is implemented (there actually exist mitigations and secure setup-approaches). We will present our approach, disclose technical details yet unpublished and release our tool. As an “add-on”-benefit we will explain how to tackle a complex system like NAC when doing security research.

Dror-John Roecher has enjoyed working with Cisco stuff for more than eight years and is usually busy assessing the security of enterprise networks and data centers. He works as a senior security consultant for Germany-based ERNW GmbH all over Europe and has published multiple whitepapers on security-related topics. He is a seasoned speaker and enjoys sharing his experience with his audience.

The last two years have seen him develop additional points of interest, such as “Mobile Security” [he simply loves to play around with all the newest funky gadgets] and “Endpoint Security”, but at heart he is still a networker.

Michael Thumann is Chief Security Officer and head of the ERNW "Research" and "Pen-Test" teams. He has published security advisories regarding topics like 'Cracking IKE Pre-shared Keys' and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. 'tomas—a Cisco Password Cracker', 'ikeprobe—IKE PSK Vulnerability Scanner' or 'dnsdigger—a dns information gathering tool') and his experience with the community. Besides numerous articles and papers he wrote the first (and only) German pen-test book, which has become recommended reading at German universities. In addition to his daily pentesting tasks he is a regular conference speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security, Michael's main interest is to uncover vulnerabilities and security design flaws from the network to the application level.

IsGameOver(), anyone?
Joanna Rutkowska, Invisible Things Lab
Alexander Tereshkin, Invisible Things Lab

We will present new, practical methods for compromising the Vista x64 kernel on the fly and discuss the irrelevance of TPM/Bitlocker technology in protecting against such non-persistent attacks. Then we will briefly discuss type II kernel infections (pure data patching), especially NDIS subversions that allow for generic bypassing of personal firewalls on Vista systems.

A significant amount of time will be devoted to presenting new details about virtualization-based malware. This will include presenting various detection methods that could be used to either detect the presence of a hypervisor or find the malware itself. We will also discuss why each of these approaches cannot be used to build a practical detector, either because they could be fully defeated by virtualization-based malware or because they are very impractical. This will include a demonstration of how virtualization-based malware can avoid timing-based detection, even if a detector uses a trusted time source. We will also discuss detection approaches based on exploiting CPU bugs. The conclusion of this part is that we still do not have any good way to detect virtualization-based malware...

We’re also going to talk about malware that fully supports nested virtualization (like e.g. our New Blue Pill does) and how this might be a challenge for OSes that would like to provide their own hypervisors in order to prevent Blue Pill-like attacks.

People say that once an attacker gets into the kernel, the game is over and we should reinstall the whole system from scratch. In this presentation we show that sometimes we cannot know that the game is actually over, so we do not even know when to stop trusting our systems. In order to change this we need something more than just a bunch of patches!

Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted by the international press and she is a frequent speaker at security conferences around the world. In April 2007 she founded Invisible Things Lab, a consulting company dedicated to cutting-edge research into operating systems security.

Alexander Tereshkin, aka 90210, is a seasoned reverse engineer and an expert in the Windows kernel, specializing in rootkit technology and kernel exploitation. He has presented several sophisticated ideas for rootkit creation and personal firewall bypassing in the past few years. During the last year, while working for COSEINC Advanced Malware Labs, he has done significant work in the field of virtualization-based malware and kernel protection bypassing.

Reversing C++
Paul Vincent Sabanal, Researcher, IBM Internet Security Systems, X-Force research team

As recently as a couple of years ago, reverse engineers could get by with just knowledge of C and assembly to reverse most applications. Now, due to the increasing use of C++ in malware as well as most modern applications being written in C++, understanding the disassembly of C++ object-oriented code is a must. This talk will attempt to fill that gap by discussing methods of manually identifying C++ concepts in the disassembly, how to automate the analysis, and tools we developed to enhance the disassembly based on the analysis done.
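Two of the C++ artefacts a reverser hunts for in a stripped binary are vtables (arrays of code pointers sitting in read-only data) and the constructors that store a vtable address into a freshly allocated object. The script below is an added illustration of that automation, not code from the talk or from the speaker's tools. It builds a constructed, flat little-endian 32-bit "image" (a `.text` region with one constructor encoded as `mov dword ptr [eax], imm32` and three `ret` stubs, and an `.rdata` region holding one vtable next to ordinary data), then finds vtable candidates by scanning `.rdata` for runs of consecutive words that all point into `.text`, and finds constructor candidates by searching `.text` for immediate stores of each vtable address. The section bases, the minimum run length and the restriction to the no-displacement `C7 /0` ModRM forms are assumptions of this toy, chosen to keep it short; a real script would walk the PE sections and use the disassembler's cross-references instead.

```python
import struct

# Assumed section layout of the toy image (not taken from any real binary).
TEXT_BASE, TEXT_SIZE = 0x401000, 0x1000
RDATA_BASE, RDATA_SIZE = 0x403000, 0x400


def in_text(va):
    return TEXT_BASE <= va < TEXT_BASE + TEXT_SIZE


def build_sample_image():
    """Constructed sample: .text holds a constructor that stores the vtable pointer
    into the object ([eax] == this) plus three virtual-method stubs; .rdata holds
    a string, a zero slot where RTTI/offset-to-top would live, the vtable, and a
    non-pointer word right after it."""
    vtable_va = RDATA_BASE + 0x10
    text = bytearray(TEXT_SIZE)
    text[0x20:0x26] = b"\xC7\x00" + struct.pack("<I", vtable_va)  # mov dword ptr [eax], vtable_va
    text[0x26] = 0xC3                                             # ret
    for off in (0x100, 0x140, 0x180):                             # virtual method stubs
        text[off] = 0xC3
    rdata = bytearray(RDATA_SIZE)
    rdata[0:8] = b"Hello\x00\x00\x00"
    struct.pack_into("<I", rdata, 0x0C, 0)
    struct.pack_into("<III", rdata, 0x10, TEXT_BASE + 0x100, TEXT_BASE + 0x140, TEXT_BASE + 0x180)
    struct.pack_into("<I", rdata, 0x1C, 0x12345678)
    return bytes(text), bytes(rdata)


def find_vtables(rdata, min_entries=2):
    """Return [(vtable_va, [entry_va, ...])] for every run of at least min_entries
    consecutive 4-byte words in .rdata that all point into .text."""
    words = [struct.unpack_from("<I", rdata, o)[0] for o in range(0, len(rdata) - 3, 4)]
    tables, run_start = [], None
    for i, w in enumerate(words + [0]):          # sentinel closes a trailing run
        if in_text(w):
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_entries:
                tables.append((RDATA_BASE + run_start * 4, words[run_start:i]))
            run_start = None
    return tables


def find_constructors(text, vtable_va):
    """Return the VAs of instructions that store vtable_va with
    mov dword ptr [reg], imm32 (opcode C7, /0). Only the ModRM forms without a
    displacement are matched here; [esp] (SIB) and [disp32] are left out on purpose."""
    imm = struct.pack("<I", vtable_va)
    hits = []
    for modrm in (0x00, 0x01, 0x02, 0x03, 0x06, 0x07):
        pattern = bytes([0xC7, modrm]) + imm
        off = text.find(pattern)
        while off != -1:
            hits.append(TEXT_BASE + off)
            off = text.find(pattern, off + 1)
    return sorted(hits)


if __name__ == "__main__":
    text, rdata = build_sample_image()
    for va, entries in find_vtables(rdata):
        print(f"vtable at {va:#x}: {[hex(e) for e in entries]}")
        print(f"  written by constructor(s) at {[hex(c) for c in find_constructors(text, va)]}")
```

The run-of-code-pointers heuristic produces false positives on jump tables and on arrays of callbacks, which is why the second pass matters: a table that is written into the first dword of an object by some function is almost certainly a vtable, and that function is a constructor (or a destructor resetting the vptr for a base class).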

Paul Vincent Sabanal is a researcher with the IBM Internet Security Systems X-Force research team. Prior to joining IBM, Paul worked as an antivirus researcher at Trend Micro. Paul has spent most of his career doing malware reverse engineering, and has recently been delving into vulnerability research as well.

Anonymity and its Discontents
Len Sassaman

In recent years, an increasing amount of academic research has been focused on secure anonymous communication systems. In this talk, we briefly review the state of the art in theoretical anonymity systems as well as the several deployed and actively used systems, and explain their strengths and limitations.

We will then describe the pseudonym system we are developing based on an information-theoretic secure private information retrieval protocol, designed to be secure against an adversary with unbounded computing power, as long as (as little as) a single honest server exists in the network of servers operating this system. We will explain the design decisions behind the architecture of the system, intended to be operated by volunteers with a limited resource pool. We will discuss the usability considerations in designing a system intended to be accessible to a more naive user-base than simply "hackers and cypherpunks", and explain why user accessibility is critical to the security of anonymity systems in general.

Finally, we'll present an attack on the original design of the system whereby an attacker could cause a denial of service attack untraceable to the attacker, and explain the solution we have implemented to prevent this attack.
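The "secure against an unbounded adversary as long as one server is honest" property described above is exactly what information-theoretic private information retrieval gives. The block below is an added example, not the speakers' system or protocol: it implements the classic two-server XOR scheme (Chor, Goldreich, Kushilevitz and Sudan) over a constructed database of eight fixed-size records. The client sends server A a uniformly random subset of record indices and server B the same subset with the target index toggled; each server returns the XOR of the records it was asked for, and XORing the two answers cancels everything except the target. Each server alone sees a uniformly random subset, so neither learns the index. The last function shows the flip side of the assumption: if the two servers collude they recover the index trivially.

```python
import secrets

# Constructed sample database: 8 records of RECORD_LEN bytes each (contents are arbitrary).
RECORD_LEN = 8
DATABASE = [
    b"alice@ex", b"bob@exam", b"carol@ex", b"dave@exa",
    b"erin@exa", b"frank@ex", b"grace@ex", b"heidi@ex",
]
assert all(len(r) == RECORD_LEN for r in DATABASE)


def _xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def server_answer(db, query_mask):
    """Server side: XOR every record whose bit is set in query_mask.
    The mask is uniformly random from the server's point of view, so the
    answer computation reveals nothing about which record the client wants."""
    acc = bytes(RECORD_LEN)
    for idx, rec in enumerate(db):
        if query_mask[idx]:
            acc = _xor_bytes(acc, rec)
    return acc


def client_query(n, target, rng=secrets.randbits):
    """Client side: mask_a is a uniformly random subset of the n indices;
    mask_b is mask_a with the target bit flipped. Each mask on its own is
    uniform over all subsets, which is the whole privacy argument."""
    mask_a = [bool(rng(1)) for _ in range(n)]
    mask_b = list(mask_a)
    mask_b[target] = not mask_b[target]
    return mask_a, mask_b


def client_reconstruct(answer_a, answer_b):
    """Records other than the target are in both answers or in neither and
    cancel under XOR; the target is in exactly one answer and survives."""
    return _xor_bytes(answer_a, answer_b)


def retrieve(db, target):
    """Full round trip against two (simulated) non-colluding servers."""
    mask_a, mask_b = client_query(len(db), target)
    return client_reconstruct(server_answer(db, mask_a), server_answer(db, mask_b))


def colluding_servers_learn(mask_a, mask_b):
    """What two colluding servers can compute: the masks differ in exactly one
    position, and that position is the client's target. This is why the scheme
    needs at least one honest server."""
    diff = [i for i, (a, b) in enumerate(zip(mask_a, mask_b)) if a != b]
    return diff[0] if len(diff) == 1 else None


if __name__ == "__main__":
    print(retrieve(DATABASE, 3))
```

Bandwidth is the cost of this simplest variant: each query is n bits and each answer is one record, so the client downloads two records' worth of data per lookup regardless of n. Schemes with more servers reduce the per-query size; the all-or-nothing trust model (privacy holds unless every server colludes) stays the same.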

Len Sassaman has over a decade of experience designing and deploying privacy enhancing technologies. Formerly a member of the PGP Security engineering team and later the security architect for Anonymizer, Inc., he has also been the maintainer of the anonymous remailer software Mixmaster (since 2001), and a Mixmaster remailer operator (since 2000).

Currently, he is working toward a PhD as a researcher for the COSIC group at K.U. Leuven in Belgium, under the supervision of Bart Preneel and David Chaum.

Strengths and Weaknesses of Access Control Systems
Eric Schmiedl
Mike Spindel

Access control systems are widely used in security, from restricting entry to a single room to locking down an entire enterprise. The many different systems available—card readers, biometrics, or even posting a guard to check IDs—each have their own strengths and weaknesses that are often not apparent from the materials each vendor supplies. We provide a comprehensive overview of 20 different access control technologies that focuses on weaknesses (particularly little known or not-yet public attacks) and other points that a buyer would not likely get from a vendor. We also present a model for thinking about access control systems in general that will provide a useful framework for evaluating new or obscure technologies.

Reflection DNS Poisoning
Jerry Schneider, Founder, ATG Labs

Targeting an enterprise attack at just a few employees seems to be yielding the best results, since it lowers the risk of the exploit being discovered. Yet the typical DNS cache poisoning approach, aimed at various levels in the DNS server hierarchy or the enterprise server itself, is not as effective as it could be, primarily because so many people are affected that detection is rapid...

There is one approach to DNS cache poisoning that can control the attack surface and is particularly effective when executed from within the enterprise. Rather than attempting to poison the enterprise DNS server or other external caches, the internal DNS cache within a Windows PC is targeted. Additionally, forensic analysis of the infected PC is hindered by the TimeToLive and volatility of these cache entries.

I will demonstrate this type of attack using two machines on a local LAN, and include some analysis of the firewall and configuration issues needed to defend against this type of exploit.

Jerry Schneider has enjoyed groveling inside all types of system software, reversing code to illuminate its undocumented features and hacking behaviors to his liking. While developing drivers and kernel code commercially for OSes from Windows 3.x to Vista, he developed a love for discovering secrets. His retributive desire to battle spyware led to joining Webroot Software in 2004, where he architected the move of their anti-malware detection, blocking and removal into the Windows kernel and boot processes, producing competitive advances and key patent submissions.

Today, Jerry can be found at ATG Labs, a Boulder Colorado security software company he recently founded to develop better tools for security researchers. His ongoing research into technologies used by 0-day and stealthy exploits continues to expose gaps difficult to monitor or close. To help in discovering these exploits, the tools under development at ATG Labs employ stealth virtualization and hypervisor mechanisms that will allow researchers to follow Alice down the malware hole.

Building and Breaking the Browser
Window Snyder, Director of Ecosystem Development, Mozilla Corporation
Mike Shaver, co-founder, Mozilla Project

Traditional software vendors have little interest in sharing the gory details of what is required to secure a large software project. Talking about security only draws a spotlight to what is generally considered a weakness. Mozilla is using openness and transparency to better secure its products and help other software projects do the same.

Mozilla has built and collaborated on tools to secure the Firefox Web browser and Thunderbird e-mail client, the first of which will be released at Blackhat Las Vegas 2007. These tools include protocol fuzzers for HTTP and FTP and a fuzzer for Javascript, which together have led to the discovery and resolution of dozens of critical security bugs. These tools may be useful to anyone developing or testing applications that implement or depend on these technologies.

Window Snyder and Mike Shaver will introduce these tools at BlackHat Las Vegas 2007 and discuss methods used to identify vulnerabilities in Firefox; plans for expanding the scope of Mozilla's work on Web security, and how Mozilla's security community uses openness and transparency to protect 100 million users around the world. Learn how to apply Mozilla's tools and techniques to secure your own software, and get an early look at new security features for Firefox 3.

Window Snyder is the Director of Ecosystem Development at Mozilla Corporation.

Prior to joining Mozilla, Ms. Snyder was a principal, founder, and core team member at Matasano, a security services and product company based in New York City and a senior security strategist at Microsoft in the Security Engineering and Communications organization. At Microsoft she managed the relationships between security consulting companies and the Microsoft product teams and the outreach strategy for security vendors and security researchers. Previously she was responsible for security sign-off for Windows XP SP2 and Windows Server 2003.

Ms. Snyder was Director of Security Architecture at @stake. She developed application security analysis methodologies and led the Application Security Center of Excellence. She was a software engineer for 5 years focused primarily on security applications, most recently at Axent Technologies, now Symantec.

Ms. Snyder is co-author of "Threat Modeling", a manual for security architecture analysis in software.

Mike Shaver is a co-founder of the Mozilla project, and leads the Mozilla Corporation's work to support the developer ecosystem that has grown up around Firefox and Mozilla technologies. A veteran of open source development, Mike has worked on code at virtually every level of the open source application stack, ranging from the Linux kernel and Lustre clustered filesystem to Mozilla's Gecko layout engine and even, when he was younger and didn't know better, some CORBA infrastructure. Less well-known than Bono but with slightly more geek-cred than K-Fed, Mike is a frequent speaker and advisor for technology/open source conferences and organizations. He lives in Toronto with his wife and cat, and an increasingly-dusty collection of cookbooks.

Heap Feng Shui in JavaScript
Alexander Sotirov

Heap exploitation is getting harder. The heap protection features in the latest versions of Windows have been effective at stopping the basic exploitation techniques. In most cases bypassing the protection requires a great degree of control over the allocation patterns of the vulnerable application.

This presentation introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allows an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with great reliability and precision.

This talk will begin with an overview of the current state of browser heap exploitation and the unreliability of many heap exploits. It will continue with a discussion of Internet Explorer heap internals and the techniques for JavaScript heap manipulation. I will present a JavaScript heap exploitation library that exposes an abstract heap manipulation API. Its use will be demonstrated by exploit code for two complex heap corruption vulnerabilities.

The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable to other browsers as well.
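The idea behind the technique, as the abstract describes it, is that a sequence of allocations and frees of attacker-chosen sizes puts the heap into a known state before the vulnerable allocation happens. The block below is an added illustration of that grooming sequence, not the speaker's library and not a model of the real Windows heap: it is a toy first-fit allocator with a free list and coalescing of adjacent free blocks, on which the three classic steps are run. First, every free block large enough for the target size is plugged so that later allocations of that size come from fresh, contiguous memory; then 2n objects of the target size are allocated back to back and every second one is freed, leaving n holes of exactly that size, each bracketed by attacker-controlled objects; finally the "vulnerable" allocation of the same size is served from the first hole, so its neighbours are known. The object names, the 4096-byte heap and the pre-existing fragmentation are constructed for the example.

```python
class ToyHeap:
    """Toy first-fit allocator. Blocks are [start, length, owner]; owner None means free.
    Adjacent free blocks are merged on free(), as most real allocators do."""

    def __init__(self, size):
        self.blocks = [[0, size, None]]

    def alloc(self, length, owner):
        for i, (start, blen, own) in enumerate(self.blocks):
            if own is None and blen >= length:
                self.blocks[i] = [start, length, owner]
                if blen > length:                       # split off the remainder
                    self.blocks.insert(i + 1, [start + length, blen - length, None])
                return start
        raise MemoryError("toy heap exhausted")

    def free(self, owner):
        for blk in self.blocks:
            if blk[2] == owner:
                blk[2] = None
        self._coalesce()

    def _coalesce(self):
        merged = []
        for blk in self.blocks:
            if merged and merged[-1][2] is None and blk[2] is None:
                merged[-1][1] += blk[1]
            else:
                merged.append(blk)
        self.blocks = merged

    def owner_at(self, addr):
        for start, blen, own in self.blocks:
            if start <= addr < start + blen:
                return own
        return None

    def neighbours(self, owner):
        """Owners of the blocks immediately before and after the block of `owner`."""
        for i, blk in enumerate(self.blocks):
            if blk[2] == owner:
                left = self.blocks[i - 1][2] if i > 0 else None
                right = self.blocks[i + 1][2] if i + 1 < len(self.blocks) else None
                return left, right
        return None, None


def groom_and_trigger(heap, obj_size, n_pairs=8):
    """Run the grooming sequence and then the 'vulnerable' allocation of obj_size.
    Returns (vuln_address, left_neighbour_owner, right_neighbour_owner)."""
    # Step 1: plug every free block (except the trailing wilderness) that could
    # satisfy obj_size, so step 2 is carved from contiguous fresh memory.
    k = 0
    while any(b[2] is None and b[1] >= obj_size for b in heap.blocks[:-1]):
        heap.alloc(obj_size, f"plug{k}")
        k += 1
    # Step 2: 2*n_pairs back-to-back objects, then free every second one.
    # Each hole is exactly obj_size and sits between two attacker-controlled objects.
    for i in range(2 * n_pairs):
        heap.alloc(obj_size, f"spray{i}")
    for i in range(1, 2 * n_pairs, 2):
        heap.free(f"spray{i}")
    # Step 3: first-fit hands the vulnerable object the first hole.
    vuln = heap.alloc(obj_size, "vuln")
    left, right = heap.neighbours("vuln")
    return vuln, left, right


def constructed_fragmented_heap():
    """Sample starting state: a heap with one stale 40-byte hole in the middle."""
    heap = ToyHeap(4096)
    heap.alloc(100, "a")
    heap.alloc(40, "stale")
    heap.alloc(100, "b")
    heap.free("stale")
    return heap


if __name__ == "__main__":
    heap = constructed_fragmented_heap()
    vuln, left, right = groom_and_trigger(heap, 40, n_pairs=4)
    print(f"vulnerable object at {vuln}, between {left} and {right}")
```

With the layout known, an overflow out of the vulnerable object lands in the attacker's own right-hand neighbour (here `spray2`), which is what turns an unreliable heap corruption into a deterministic one. Without step 1 the vulnerable object would have been served from the stale hole at offset 100 instead, next to unrelated data.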

Alexander Sotirov has been involved in computer security since 1998, when he started contributing to Phreedom Magazine, a Bulgarian underground technical publication. For the past nine years he has been working on reverse engineering, exploit code development and research of automated source code auditing. His most well-known work is the development of highly reliable exploits for Apache modssl, ProFTPd and Windows ASN.1. He graduated with a Masters degree in computer science in 2005. His current job is as a vulnerability researcher at Determina Inc.

Blind Security Testing—An Evolutionary Approach
Scott Stender, Principal Partner, iSEC Partners

Security testing is difficult enough when auditors have complete access to the system under review. This task is all the more difficult when the auditor must perform this assessment blind. In a blind scenario, the attacker has an infinite number of test cases to choose from, far more than can be executed and evaluated in a reasonable amount of time. This talk will cover the use of evolutionary algorithms in test case generation and result evaluation with the goal of focusing security test cases on those most likely to result in flaws.

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is also a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.

Just Another Windows Kernel Perl Hacker
Joe Stewart, GCIH, Senior Security Researcher, SecureWorks

This talk will detail the Windows remote kernel debugging protocol and present a Perl framework for communicating with the kernel debug API over a serial/USB/1394 port from non-Windows systems. This leads to some interesting possibilities for hacking the kernel, such as code injection, hooking, forensics, sandboxing and more, all controlled from a separate non-Windows machine.

Joe Stewart, GCIH—Senior Security Researcher with SecureWorks, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. He is a SANS Global Information Assurance Certified Incident Handler (GCIH) and has been in the information security field for seven years. Joe has published numerous security research papers on Sobig, Migmaf, Sinit, Phatbot, SpamThru and other cyber-threats and attack techniques, and has presented at several previous security conferences, including DEFCON, ShmooCon, REcon, CodeCon, CSI and others.

Premature Ajax-ulation
Bryan Sullivan, Development Manager, SPI Dynamics
Billy Hoffman, Lead Security Researcher, SPI Dynamics

Interest in Ajax is sky-high and only continues to grow. Unfortunately, far too many people rush into Ajax development without giving proper consideration to security issues. These unfortunate individuals suffer from the most embarrassing of security issues: Premature Ajax-ulation.

This presentation will demonstrate specific Ajax application design flaws that stem from a disregard for security, including: Improper use of client-side XSLT; Use of overly- or underly-granular server-side APIs; and Storing secrets (either data or functionality) in client-side code.

We will also perform live demonstrations of exploits of these vulnerabilities, including: Vastly more efficient Blind SQL and Blind XPath injection techniques; Detecting and exploiting race conditions; and Applying static analysis to deobfuscate client-side JavaScript.

Given the popularity of Ajax and the ease of use of framework helper libraries, it can be very tempting for developers to use Ajax when it's not really necessary. This is a significant security risk in itself, since Ajax applications can be more difficult to secure than traditional Web applications. Furthermore, the use of third-party frameworks can actually make the problem worse, since they hide potential security issues without truly resolving them. We will address these issues, make recommendations on which Ajax frameworks to avoid, and make recommendations on when to avoid Ajax altogether.

Following the design and implementation guidelines set out in this presentation will help you to delay your Ajax gratification to provide the highest level of security satisfaction for you and your partners.

Bryan Sullivan is a development manager for SPI Dynamics, the leading provider of Web application security testing software and services. At SPI Dynamics, Bryan is in charge of development for the company's DevInspect and QAInspect products, which can automatically detect security vulnerabilities during the development and QA phases of the software development lifecycle. He is a frequent speaker at industry events—most recently Atlanta Code Camp and RSA 2007—and a published author. Bryan is currently co-authoring a book on AJAX security for the publisher Addison-Wesley, which will be published in the summer of 2007.

Billy Hoffman is a lead security researcher for SPI Dynamics. At SPI Dynamics, Billy focuses on automated discovery of Web application vulnerabilities and crawling technologies. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. In addition, Billy is a reviewer of white papers for the Web Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. Billy is currently coauthoring "Ajax Security", to be published by Addison-Wesley in Summer 2007.

The Security Analytics Project: Alternatives in Analysis
Mark Ryan del Moral Talabis, Secure-DNA

With the advent of advanced data collection techniques in the form of honeypots, distributed honeynets, honey clients and malware collectors, data collected from these mechanisms becomes an abundant resource. One must remember, though, that the value of data is often only as good as the analysis technique used.

In this presentation, we will describe a number of alternative analysis techniques that leverage methods adopted from statistics, AI, data mining, graphic design, pattern recognition and economics. We will also show how security researchers can utilize tools from other disciplines to extract valuable findings to support security research work.

This presentation hopes to be an eye opener for security practitioners that there are many more techniques, tools and options beyond the security research field that they can use in their work. Hopefully, this will be the groundwork for a cross-discipline collaborative project that will help identify more techniques for security research and analysis.

Among the techniques we will discuss are the use of various clustering algorithms to classify attacks, predicting attacks using learning algorithms, detecting attacks through artificial intelligence, determining attack trends using pattern recognition, and advanced visualization for attack analysis.

Among the tools that we will demonstrate are readily available open source tools like WEKA, Tanagra, and the R Project, which have not traditionally been used in security research but have great potential there.

This presentation will be useful for those in security research, honeypot development and forensics.

Transparent Weaknesses in VoIP
Peter Thermos, Palindrome Technologies

The presentation will disclose new attacks and weaknesses associated with protocols that are used to establish and protect VoIP communications. In addition, a newer "unpublished" version of the SIVuS tool will be demoed.

Peter Thermos has over a decade of experience in consulting and research in several areas of Information Security and Assurance and has held senior technical and management positions with telecommunications companies in research and consulting. In his current position with Palindrome Technologies he spearheads the technological direction and vision of the company. Furthermore he acts as a trusted advisor for commercial and government organizations and provides consultation in areas such as security policy, architecture and risk management.

Peter has been the lead technical expert on various tasks (for commercial and government organizations) associated with information security and assurance including security risk assessments, standards and requirements development, ISO 17799 assessments, network security architecture and organizational security strategy.

In addition, Peter has been the principal investigator on research tasks, in the area of Internet Multimedia and Next Generation Networks (VoIP) and security, that were funded by government organizations such as NIST (National Institute of Standards and Technology) and LTS (Lab for Telecommunication Sciences).

Peter’s professional experience is also demonstrated at conferences and workshops that he delivers across the U.S. and Europe. He focuses on helping managers and system administrators understand the threats and risks that are associated with computer security and arms his audience with the tools and knowledge that they need to accomplish their task and protect their computer networks.

He is the author of SIVuS (The 1st VoIP vulnerability Scanner) and has published articles and refereed research papers on VoIP Security.

Peter holds a Masters degree in Computer Science from Columbia University, NY and he is an active member of IETF/IEEE/ACM.

Exposing Vulnerabilities in Media Software
David Thiel, Security Consultant, iSEC Partners

The attack surface of audio and multimedia software is quite broad. Generally, desktop users tend to have a fairly small number of programs that are used on an almost constant basis—web browsers, Instant Messengers, e-mail readers and media players. Of those, media players have been underexplored as an attack vector. There have been simple overflow exploits of long playlists, filenames or HTTP responses, but very little has been done that is specific to media streams themselves.

Audio in particular is an attractive attack vector because:

  • Players are very frequently used software; users tend to use them for an extended period of time, leaving them open during other tasks, and frequently switch media streams.
  • There are a wide variety of different audio players, and many different codecs and audio file plugins—all written by generally non-security-conscious people.
  • The file formats involved are binary streams, and tend to be reasonably complex.
  • Players take untrusted input from many different unreliable sources (often over the network), and run with fairly high privilege and priority. For instance, in Windows Vista, a low-privileged IE instance can launch content in a higher-privileged WMP.
  • They're perceived as relatively harmless—users are likely to play files given to them.
  • They're frequently invoked without the user's explicit acknowledgement (i.e. embedded in a webpage).
  • Media content is rich in metadata and external references. Media players behave more like web browsers every day.

The examples in this presentation will illustrate some of the techniques used to build a basic media codec fuzzer in Python, using a new (free, open-source) tool, Fuzzbox, as an example. Also included will be a review of some of the more interesting new bugs this tool has disclosed in audio players and libraries.

While the focus is on audio codecs in this presentation, some of the container formats involved also can contain other content like video, and the techniques involved are readily applicable to codecs of all kinds.
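The abstract describes building a basic media codec fuzzer in Python. The block below is an added example in that spirit and is not Fuzzbox or any code from the talk: it builds a minimal valid 8-bit mono PCM WAV entirely in memory (constructed sample input), walks its RIFF chunk structure, and produces mutants using three strategies that matter for container parsers: chunk and file length fields set to boundary values (0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF) while the payload stays the same length, random bit flips inside a chunk body, and truncation of the file without fixing the size fields. The mutation is driven by a seeded `random.Random`, so a crashing case can be regenerated from its seed and index. `run_target` feeds a mutant to an external decoder on stdin and classifies signal deaths and hangs; the command to run is the user's choice and is not exercised here.

```python
import random
import struct
import subprocess

BOUNDARY_SIZES = (0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF)


def u32_at(buf, offset):
    return struct.unpack_from("<I", buf, offset)[0]


def set_u32(buf, offset, value):
    out = bytearray(buf)
    struct.pack_into("<I", out, offset, value)
    return bytes(out)


def build_wav(n_samples=64, rate=8000):
    """Constructed sample input: a minimal, valid 8-bit mono PCM WAV in memory."""
    pcm = bytes((i * 37) & 0xFF for i in range(n_samples))
    # fmt chunk: PCM(1), channels, sample rate, byte rate, block align, bits per sample
    fmt = struct.pack("<HHIIHH", 1, 1, rate, rate, 1, 8)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(buf):
    """Yield (tag, size_field_offset, data_offset, size) for each RIFF sub-chunk."""
    pos = 12                                   # skip "RIFF", riff size, "WAVE"
    while pos + 8 <= len(buf):
        tag, size = buf[pos:pos + 4], u32_at(buf, pos + 4)
        yield tag, pos + 4, pos + 8, size
        pos += 8 + size + (size & 1)           # chunks are padded to even length


def mutate(buf, rng):
    """Return (description, mutant) for one mutation chosen by rng."""
    chunks = list(iter_chunks(buf))
    strategy = rng.randrange(3)
    if strategy == 0:
        # Length-field attack: the outer RIFF size is offered as a pseudo-chunk too.
        tag, size_off, _, _ = rng.choice(chunks + [(b"RIFF", 4, 8, 0)])
        value = rng.choice(BOUNDARY_SIZES)
        return f"{tag!r} size -> {value:#x}", set_u32(buf, size_off, value)
    if strategy == 1:
        tag, _, data_off, size = rng.choice(chunks)
        out = bytearray(buf)
        for _ in range(rng.randint(1, 8)):
            i = data_off + rng.randrange(max(size, 1))
            if i < len(out):
                out[i] ^= 1 << rng.randrange(8)
        return f"{tag!r} body bit flips", bytes(out)
    tag, _, data_off, size = chunks[-1]
    cut = data_off + rng.randrange(max(size, 1))
    return f"{tag!r} truncated at byte {cut}", buf[:cut]


def generate(buf, seed, count):
    """Deterministic batch: the same seed always yields the same mutants."""
    rng = random.Random(seed)
    return [mutate(buf, rng) for _ in range(count)]


def run_target(cmd, mutant, timeout=5.0):
    """Feed a mutant to an external decoder on stdin (e.g. cmd=["sox", "-t", "wav",
    "-", "-n"], an assumption about the target, not a requirement).
    Returns "crash" for death by signal, "hang" on timeout, else "ok"."""
    try:
        proc = subprocess.run(cmd, input=mutant, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return "crash" if proc.returncode < 0 else "ok"


if __name__ == "__main__":
    for desc, _ in generate(build_wav(), seed=1, count=5):
        print(desc)
```

The length-field strategy is the one that pays off most often against codecs: a size that claims more payload than the file carries drives read loops past the buffer, and a size of 0xFFFFFFFF makes `size + header` wrap to a small allocation. Keeping the payload length unchanged while lying in the header isolates that bug class from plain corrupted-data handling.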

David Thiel is a Security Consultant with iSEC Partners, Inc, a strategic digital security organization. His areas of expertise are web application penetration testing, network protocols, and fuzzing. Research interests include media software vulnerabilities, mobile and embedded device exploitation, and attack vectors in emerging web application technologies.

Before joining iSEC Partners, David was Security Architect at In his free time, he pursues various audio interests, and is a committer to the FreeBSD project.

OpenID: Single Sign-On for the Internet
Eugene Tsyrklevich
Vlad Tsyrklevich

Tired of tracking your username and password across 169 Web 2.0 websites that you have registered with? Thinking of adding SSO to your webapp? Pen-testing a Web 2.0 app? Then come and learn about OpenID—a new decentralized Single Sign-On system for the web.

OpenID is increasingly gaining adoption amongst large sites, with organizations like AOL acting as a provider. In addition, integrated OpenID support has been made a mandatory priority in Firefox 3 and Microsoft is working on implementing OpenID 2.0 in Windows Vista. As OpenID adoption increases pace, the security of the protocol becomes of increasing importance.

This talk introduces OpenID, takes you through its demo and discusses the security of the underlying protocol. The talk will also introduce known attacks against OpenID such as phishing and some of the possible work arounds.

Eugene Tsyrklevich has an extensive security background and has presented his research at a number of security conferences including Usenix Security, BlackHat Europe and BlackHat USA. Eugene holds both a Bachelor and a Masters degree in Computer Science from the University of California, San Diego.

Timing Attacks for Recovering Private Entries From Database Engines
Ariel Waissbein, Researcher, Core Security Technologies
Pablo Damian Saura, Developer and Researcher at Corelabs, a division of Core Security Technologies

In today’s threat landscape, data security breaches are mostly due to the exploitation of bugs in front-end web applications (e.g. via SQL injection) or to the abuse of misconfigured authorization and access control permissions. CoreLabs devised an attack that works without requiring the existence of implementation bugs or security misconfigurations in the database. The new attack relies solely on the inherent characteristics of the indexing algorithms used by most commercial database management systems.

During this talk, Damian Saura and Ariel Waissbein will present ongoing research work on this new type of attack against database-driven applications. Their work uses timing attacks, a common technique for breaking cipher system implementations, and applies them to database engines. The researchers will explain how this technique makes it possible to extract private data from a database by performing record insertion operations, which are typically available to all database users – including anonymous users of front-end web applications.

The presentation will also review the B-tree, the most popular database indexing algorithm and data structure. Saura and Waissbein will describe how they discovered the B-tree’s security weaknesses and demonstrate the attack against the MySQL database engine.

Ariel Waissbein has been a researcher at Core Security Technologies for the last 8 years, producing results relevant to industry and academia. Ariel has uncovered vulnerabilities in MySQL and SSH, researched and developed a new software protection tool, and researched botnet security and their future, automated source-code analysis of web applications, detection and protection methods for injection vulnerabilities and various aspects of penetration testing, in particular pentesting of web applications. Ariel will be completing a Ph.D. in mathematics, has held different teaching positions in universities, and currently co-leads and teaches at the computer security department in the Ph.D. programme of ITBA university.

Pablo Damian Saura works as a developer and researcher at Corelabs (the research labs of Core Security). He has vast experience as a software developer and software designer and in engineering processes, has worked as a software security consultant, and has been involved in Windows security and vulnerabilities for more than 7 years. He holds a university degree in Computer Systems from CAECE University of Buenos Aires.

Reversing MSRC Updates: Case Studies of MSRC Bulletins 2004–2007
Greg Wroblewski, MSRC Security Software Engineer, Microsoft

Greg Wroblewski has a Ph.D. in Computer Science and over 15 years of software industry experience. At Microsoft he is a member of a team of security researchers that investigate vulnerabilities and security threats as part of the Microsoft Security Response Center (MSRC). The team works on every MSRC case to help improve the guidance and protection provided to customers through security updates and bulletins by discovering additional attack vectors and new exploitation techniques and adapting quickly to stay ahead of the ever-evolving security ecosystem. This team also provides forward-looking security guidance to product teams within Microsoft, impacting products that have and have not shipped and ultimately helping to protect Microsoft customers from getting their systems compromised by building more resilient software. During the past few years he has worked on some of the high-profile security flaws, overseeing the investigation, production and release of up to 20 Microsoft security bulletins per year. Prior to joining Microsoft he was doing academic research in reverse engineering and code obfuscation techniques.

Return to the top of the page

Static Detection of Application Backdoors
Chris Wysopal, co-founder and CTO, Veracode
Chris Eng, Director of Security Services, Veracode

Backdoors have been part of software since the first security feature was implemented, so unless there is a process to detect backdoors, they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors, since source isn't typically available for off-the-shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson, in "Reflections on Trusting Trust", showed that your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the executable binary itself.

We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.
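As an added illustration (this is not code from the talk or from Veracode's tooling), the following Python script applies one of the simplest static checks of the kind the abstract alludes to: extract the printable strings from a binary image, as strings(1) does, then flag credential-like literals and names that often mark an undocumented authentication path. The sample bytes, the keyword list and the password-shape pattern are constructed for this example and are assumptions, not findings from any real binary.

```python
import re

# Constructed sample standing in for a small executable image. It is not a
# real binary; every embedded string is invented for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24
    + b"Usage: %s [options]\x00"      # ordinary user-facing text
    + b"\x90\x90\xcc\x12"              # a few code-like bytes
    + b"admin\x00"                     # identifier immediately followed by ...
    + b"s3cr3t_m4ster\x00"             # ... a password-shaped literal
    + b"\x00\x00\x41\x42\x00"
    + b"DEBUG_BACKDOOR\x00"            # a name that deserves a look
    + b"connect %s:%d\x00"
    + b"libc.so.6\x00strcmp\x00"       # import names, benign on their own
)

MIN_LEN = 4
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Heuristics (assumed for this example): words that frequently label
# undocumented credentials or maintenance paths, a password-like shape
# (mixed digits and letters, no spaces, 8+ chars), and a username-like shape.
SUSPECT_NAMES = re.compile(rb"backdoor|maint|master|override|debug", re.I)
PASSWORD_SHAPE = re.compile(rb"^(?=.*[0-9])(?=.*[a-z])[A-Za-z0-9_$!@#]{8,}$")
IDENT = re.compile(rb"^[A-Za-z][A-Za-z0-9_]{2,15}$")
PAIR_GAP = 32   # max bytes between a username and its password literal


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, bytes) pairs for printable-ASCII runs, like strings(1)."""
    pattern = PRINTABLE_RUN if min_len == MIN_LEN else re.compile(
        rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def find_suspects(data):
    """Flag strings worth a reverser's attention: (offset, string, reason)."""
    findings = []
    strings = extract_strings(data)
    for i, (off, s) in enumerate(strings):
        if SUSPECT_NAMES.search(s):
            findings.append((off, s.decode(), "suspect name"))
        if PASSWORD_SHAPE.match(s):
            reason = "password-like literal"
            if i > 0:
                prev_off, prev = strings[i - 1]
                # A short identifier stored right before a password-shaped
                # literal is the classic layout of a hardcoded credential pair.
                if IDENT.match(prev) and off - (prev_off + len(prev)) <= PAIR_GAP:
                    reason = "hardcoded credential pair, user=%s" % prev.decode()
            findings.append((off, s.decode(), reason))
    return findings


if __name__ == "__main__":
    for off, s, reason in find_suspects(SAMPLE_BINARY):
        print("0x%06x  %-24s  %s" % (off, s, reason))
```

This catches only the crudest backdoors. A special credential that is compared by hash, or logic triggered by a magic value in a network message, leaves no telling string and can only be found by locating the comparison sites in the disassembly. It does, however, show why the binary is the right place to look: a backdoor inserted by a compromised compiler or linker, in Thompson's sense, is absent from the source and present only in the shipped executable.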

Chris Wysopal is co-founder and CTO of Veracode, which provides an on-demand software security analysis service. He has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. Chris co-authored the password auditing tool L0phtCrack, wrote the Windows version of netcat, and was a researcher at the security think tank L0pht Heavy Industries, which was acquired by @stake. He was VP of R&D at @stake and later director of development at Symantec, where he led a team developing binary static analysis technology. He was influential in the creation of responsible vulnerability disclosure guidelines and a founder of the Organization for Internet Safety. Mr. Wysopal wrote "The Art of Software Security Testing: Identifying Security Flaws", published by Addison Wesley and Symantec Press in December 2006. He earned his Bachelor of Science degree in Computer and Systems Engineering from Rensselaer Polytechnic Institute.

Chris Eng is Director of Security Services at Veracode, which provides an on-demand software security analysis service. He manages Veracode's application security research lab, drawing on nearly a decade of professional experience in the information security industry.

Before joining Veracode, Mr. Eng was Technical Director at @stake (later acquired by Symantec), where he led security assessments of critical web applications, commercial software, and networks. He also led the Attack and Penetration Center of Excellence, authored pen testing methodologies, and developed @stake's popular WebProxy tool. Prior to @stake, he was an Electrical Engineer for the US Department of Defense.

Mr. Eng has presented on application security topics at Black Hat US 2006 and other industry events. He holds a Bachelor of Science in Electrical Engineering and Computer Science from the University of California in Berkeley, CA.

Return to the top of the page

The Art of Unpacking
Mark Vincent Yason, Malcode Analyst, IBM Internet Security Systems

Unpacking is an art: it is a mental challenge and one of the most exciting mind games in the reverse engineering field. In some cases the reverser needs to know the internals of the operating system in order to identify or defeat very difficult anti-reversing tricks employed by packers/protectors; patience and cleverness are also major factors in a successful unpack. The challenge pits the researchers who create the packers against the researchers determined to bypass their protections.

The main purpose of this paper is to present the anti-reversing techniques employed by executable packers/protectors, and to discuss techniques and publicly available tools that can be used to bypass or disable these protections. This information will allow researchers, especially malcode analysts, to identify these techniques when they are used by packed malicious code, and then decide on the next move when these anti-reversing techniques impede successful analysis. As a secondary purpose, the information presented can also be used by researchers who plan to add some level of protection to their own software by slowing down reversers analyzing the protected code; of course, nothing will stop a skilled, informed and determined reverser.

Mark Vincent Yason is a malcode analyst. He currently works at IBM Internet Security Systems as a member of the X-Force research team supporting IBM ISS' Virus Prevention System (VPS) technology. Previously, he worked at TrendMicro Incorporated as a research engineer supporting TrendMicro's VSAPI scan engine. His job involves reverse engineering malcode/packers and writing code.

Return to the top of the page

Observing the Tidal Waves of Malware
Stefano Zanero, Partner and CTO, Secure Network

In this talk we will address the main challenges to be solved in order to build an automatic, global network which can perform early warning, automatic classification and analysis of malware and exploits as they propagate, or are used, worldwide. We all know of honeypots, early warning systems, and the Internet Storm Center: what are the missing pieces before we can really observe the tidal waves of malware and exploit the knowledge gained?

Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico di Milano technical university, where he is currently a post-doctoral researcher. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications, and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international peer-reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for "ACM Computing Reviews" and "IEEE Security & Privacy", as well as various major international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and was awarded a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Return to the top of the page

Phil Zimmermann

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world.

Return to the top of the page

Panel: Ethics Challenge!
Moderator: David Mortman, CSO-in-Residence, Echelon One
Paul Proctor, VP, Gartner
Window Snyder, Director of Ecosystem Development, Mozilla Corporation
Steven B. Lipner, Senior Director of Security Engineering Strategy, Trustworthy Computing, Microsoft Corporation
John N. Stewart, VP and CSO, Cisco Systems, Inc.
Ian Robertson, CSO, RIM
David Maynor, Founder & CTO, Errata Security
Dave Goldsmith
David Litchfield, Founder, Next Generation Security Software

Concerns about ethics for security professionals have been on the rise of late. It's time for researchers and vendors to meet up, discuss the issues of ethical behavior in our industry, and start setting some guidelines for future research and discussion. Join active analysts, vendors and researchers for a lively discussion.

David Mortman, CSO-in-Residence, Echelon One
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team, and led Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at the RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist and speaker at RSA 2007, InfoSecurity 2003, Black Hat 2004, 2005 and 2006, and Defcon 2005 and 2006, and will be speaking at Defcon 2007 as well. Mr. Mortman sits on a variety of advisory boards, including Qualys and Flexilis amongst others. He holds a BS in Chemistry from the University of Chicago.

Paul Proctor, Vice President, Security and Risk Practice, Gartner Research
Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.

Window Snyder is the Director of Ecosystem Development at Mozilla Corporation

Prior to joining Mozilla, Ms. Snyder was a principal, founder, and core team member at Matasano, a security services and product company based in New York City and a senior security strategist at Microsoft in the Security Engineering and Communications organization. At Microsoft she managed the relationships between security consulting companies and the Microsoft product teams and the outreach strategy for security vendors and security researchers. Previously she was responsible for security sign-off for Windows XP SP2 and Windows Server 2003.

Ms. Snyder was Director of Security Architecture at @stake. She developed application security analysis methodologies and led the Application Security Center of Excellence. She was a software engineer for 5 years focused primarily on security applications, most recently at Axent Technologies, now Symantec.

Ms. Snyder is co-author of "Threat Modeling", a manual for security architecture analysis in software.

Steven B. Lipner is Senior Director of Security Engineering Strategy in Trustworthy Computing at Microsoft. He is responsible for the definition and updating of the Security Development Lifecycle that Microsoft applies to improve the security and privacy of its products. Mr. Lipner is also responsible for Microsoft’s policies and strategies for the security evaluation of its products, and for the development of other programs to provide improved product security to Microsoft customers. Mr. Lipner has over thirty years’ experience as a researcher, development manager, and general manager in IT security. He is named as co-inventor on eleven patents in the field of computer and network security. Mr. Lipner holds S.B. and S.M. degrees from the Massachusetts Institute of Technology and attended the Harvard Business School’s Program for Management Development. He is a Certified Information Systems Security Professional and a member of the ISC2 Americas Advisory Board and the coauthor of The Security Development Lifecycle.

John N. Stewart
In his current role, Mr. Stewart provides leadership and direction to multiple corporate security teams throughout Cisco Systems, Inc. focused on information security, product direction, product resiliency, and government. He is responsible for overseeing security for the infrastructure supporting Cisco's $28 billion business.

Mr. Stewart’s longstanding career in information security has included numerous roles. He was the Chief Security Officer responsible for operational and strategic direction for corporate and customer security at Digital Island. Mr. Stewart has served as a Research Scientist responsible for investigating emerging technologies in the Office of the CTO at Cable & Wireless America. His professional experience also includes software development, systems and network administration, software specialist, author, and instructor. He has given numerous tutorials and presentations at various security forums including SANS, USENIX, and the Java Security Alliance.

Throughout his career, he has been an active member of the security industry community. He served on advisory boards for Akonix, Finjan, Cloudshield, Riverhead, and TripWire, Inc. Currently, Mr. Stewart sits on technical advisory boards for Ingrian Networks, Redseal Networks, and Signacert, Inc. and sits on the Corporate Board of Directors for KoolSpan, Inc.

Mr. Stewart’s publications and recent speaking engagements include: Author, "Securing Cisco Routers Step by Step"; Co-Author, "Internet WWW Security FAQ", found online at the W3C; Cisco and Microsoft Security Summit, 2006, Sydney, Australia; Deloitte TMT Summit, 2006, Dallas, TX; US-Japan Critical Infrastructure Protection Forum, 2006 Washington D.C.; CSO Perspectives, 2007, Colorado

Mr. Stewart holds a Master of Science Degree in Computer and Information Science from Syracuse University, Syracuse, New York.

Dave Goldsmith was co-author of the first published i386 stack overflow, and is a respected consultant, trainer, and researcher with over eleven years of experience. David co-founded @stake, managed its critical NYC office, and led Symantec Security Academy. David co-invented firewalking, which reverse-engineers firewall rules from remote firewalls and authored security tools for ISS and Network Associates.

David Maynor is a founder of Errata Security and serves as its Chief Technical Officer. Mr. Maynor is responsible for the day-to-day technical decisions of Errata Security and also draws on a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor was previously the Senior Researcher for SecureWorks and a research engineer with the ISS X-Force R&D team, where his primary responsibilities included reverse engineering high-risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at the Georgia Institute of Technology (GaTech), the last two as part of the information security group as an application developer, helping to make the sheer size and magnitude of security incidents on campus manageable.

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

Return to the top of the page

Panel: Executive Women's Forum
Moderator: Joyce Brocaglia, Founder, EWF and CEO, Alta Associates
Becky Bace, President/CEO, Infidel
Pamela Fusco, VP, Fishnet
Merike Kaeo, Author, Designing Network Security
Window Snyder, Director of Ecosystem Development, Mozilla Corporation

We know security is a work in progress, but have you noticed a significant shift in security's place in the IT world? Are you affected by decreasing future security spending, the outsourcing of IT services, and the consolidation of security solution providers? Join our panel of industry leaders, drawn from the full spectrum of security influencers, for a lively discussion of the future of security and where you fit in.

Becky Bace, President/CEO of Infidel, Inc.
Becky Bace is an information security veteran with a wide array of interests and accomplishments in the field. Ms. Bace has worked in security since the 1980s, leading the first major intrusion detection research program at the National Security Agency, where she received a Distinguished Leadership Award. She transitioned from the research to the operational world in the mid 1990s, serving as the Deputy Security Officer for the Computing Division of the Los Alamos National Laboratory. She is currently President and CEO of Infidel, Inc., a security consulting firm; a venture consultant for Trident Capital, where she works with Trident's security-related investment portfolio; and Chief Strategy Officer for KSR, a security services startup. Ms. Bace has been a technical advisor to many successful startups, including TriCipher, Security Focus, Tripwire, Arxan, Qualys, SecureWorks, @stake, Sygate Technologies, Thor Technologies, and Intruvert Networks. Her publication credits include the books "Intrusion Detection" (Macmillan, 2000) and, with Fred Chris Smith, "A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as An Expert Technical Witness" (Addison-Wesley, October 2002), as well as "NIST Special Publication SP 800-31 Intrusion Detection" and the chapter on intrusion detection for the "Computer Security Handbook", 4th ed. (Wiley, 2003), considered the definitive practice handbook for information security professionals. A 2003 recipient of Information Security Magazine's Women of Vision Award, she is recognized as one of the most influential women in information security today.

Merike Kaeo, Chief Network Security Architect at Double Shot Security and author of Designing Network Security
Merike was a lead member of the first Cisco security initiative, has acted as a technical advisor for numerous security start-up companies, and has been a frequent speaker and instructor on security issues and solutions at security-related conferences and ISP forums around the world, including RSA, NANOG, RIPE, APRICOT and SANOG.

Prior to working at Double Shot Security, Merike was employed by Cisco Systems, Inc. as a technology leader in the 'emerging technologies' team looking at innovative technology developments available for partnering or acquisition. She was responsible for developing strategies with senior executives for entering new markets and was responsible for identifying opportunities and working with business development managers to execute investment, partnering and acquisition transactions.

She received her BSEE from Rutgers University in 1987 and completed her MSEE degree from George Washington University in 1998.

Window Snyder, Director of Ecosystem Development, Mozilla Corporation
Ms. Snyder's biography appears above under Panel: Ethics Challenge!

Return to the top of the page

Panel: Hacker Court 2007: The Case of a Thousand Truths
Carole Fennelly
Richard Salgado
Kevin Bankston
Jennifer Granick
Ryan Bulat
Brian Martin
Jesse Kornblum
Richard Thieme
Jon Klein
Simple Nomad
Caitlin Klein
Paul Ohm
Merlin Arduini

Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand.

This particular case involves a person who is unlucky enough to have his name on the TSA's terrorism watch list and gets his laptop seized and searched at the border when coming home from abroad. As it turns out, he's not a terrorist and there are no contraband images on his computer, but the forensics expert does discover MMORPG cheat tools, tools which the suspect has used to build a large and growing kingdom in a popular MMORPG as the notorious "Crimson Knight". He is charged with a violation of the CFAA (Computer Fraud and Abuse Act).

This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining.

Carole Fennelly
Carole Fennelly is an information security professional with over 25 years of hands-on experience in the computing technology field. Starting as a Unix System Administrator in 1981, she was drawn into the developing information security field as the commercial Internet grew. She is the author of numerous articles for IT World, SunWorld and Information Security Magazine. A frequent speaker at security conferences, such as the Black Hat Briefings, her technical background includes in-depth security and administration knowledge of UNIX operating systems.

Richard Salgado
Richard P. Salgado is a Senior Legal Director with Yahoo! Inc., where he focuses on worldwide data security and international law enforcement compliance matters. Prior to joining Yahoo!, Mr. Salgado served as Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice. As a federal prosecutor, Mr. Salgado specialized in investigating and prosecuting computer network cases, such as computer hacking, illegal computer wiretaps, denial of service attacks, malicious code and other technology-driven privacy crimes. Mr. Salgado also regularly speaks on the legal and policy implications of searching and seizing computers and electronic evidence, emerging surveillance technologies, digital evidence and related criminal conduct. Mr. Salgado is a lecturer in law at Stanford Law School, where he teaches a Computer Crime seminar; he previously served as an adjunct law professor at Georgetown University Law Center and George Mason Law School, and as a faculty member of the National Judicial College. Mr. Salgado is also a Certified Instructor with the SANS Institute. He received his J.D. from Yale Law School.

Kevin Bankston
Kevin Bankston, a staff attorney specializing in free speech and privacy law, was the Electronic Frontier Foundation's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.

Jennifer Granick
Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Jonathan Klein
Jonathan Klein is a Director of Security Solutions with Calence Inc, a networking company located in Tempe, Arizona. Jon has been a software developer in the Unix/C environment for over 20 years. During that time, he has developed custom security software for several large financial institutions and held key roles in numerous application deployments. Facing the choice of a management career that would remove him from hands-on technical work, Jon chose consulting as a way of achieving both. Jon has participated in forensic investigations on behalf of the Federal Defender's Office in Manhattan and with private attorneys, discovering that there is more to being a technical witness than purely technical knowledge. Most recently, he served as defense expert witness in U.S. vs. Oleg Zezev, the Russian citizen accused of hacking into Bloomberg LLP and making extortion demands.

Brian Martin
Brian Martin is an outspoken senior security consultant with the Ethical Hacking group at BT IN. With over ten years of professional security assessment experience, he has had the opportunity to provide cynical review of network and physical security for all types of business, government agency and military facility. Martin's training and articles have given people an accurate and honest picture of the dismal state of Information Security across all industries. In his spare time, he is the content manager for the Open Source Vulnerability Database and a champion of small misunderstood woodland creatures.

Jesse Kornblum
Jesse Kornblum is a Principal Computer Forensics Engineer for ManTech SMA's Computer Forensics and Intrusion Analysis Division. Based in the Washington DC area, his research focuses on computer forensics and computer security. In 2007 he published the "Buffalo" paper on Windows memory analysis, striking fear into the hearts of both rootkit authors and Bovinae lovers everywhere. He has authored a number of computer forensics tools including both md5deep and ssdeep, two widely used hashing suites. Previously he has served as a Computer Crime Investigator for the United States Air Force, an instructor at the Naval Academy, and the Lead Information Technology Specialist for the Department of Justice Computer Crime and Intellectual Property Section. His favorite part of coming to Las Vegas is eating at IN-N-OUT Burger.

Richard Thieme
"And those who were seen dancing were thought to be insane by those who could not hear the music." (attributed to Friedrich Nietzsche)

Richard Thieme has been hearing the music for a long time. His track record includes hundreds of published articles, dozens of published short stories, one published book with more coming, several thousand speeches, and, in a former incarnation, hundreds of sermons, all original, all unique.

In the nineteen eighties, Thieme began writing about the impact of new technologies on religious systems and images, on spirituality, on identity. He was an Episcopal priest, and it made sense to begin where he was. What he wrote sounds obvious now. But it didn't, then.

He realized that his insights applied to other aspects of society and culture too. What was happening to religions was happening to everything else, a sea change of global transformation driven by new technologies of information and communication. He left the professional ministry to write and speak full time in 1993.

Security and intelligence professionals often value his insights because he sees into the heart of complex issues. He takes nothing at face value and links insights to the mixed motives of the human heart, trying to amplify the unheard music playing at the edges of our lives.

Mostly he delivers keynotes and closing speeches that unite the diverse themes of a conference. He has spoken in many venues, including Sydney and Brisbane, Dublin and London, Amsterdam and The Hague, Israel, and around the States, including many hacker cons. Def Con is his favorite.

Simple Nomad
Simple Nomad is one of the world's most intriguing hackers. Intriguing means old, right? Working for Vernier Networks by day and hacking for NMRC by night, he lives in his own world of wonder and intrigue, conspiracy and paranoia, death and taxes. He has done hackerish things for years, enjoys a good Vodka, and regularly speaks at security conferences and speaks to the press about security issues.

Ryan Bulat
Ryan Bulat used to major in Computer Science until he decided that he much preferred to be a writer. However, five years of Hacker Court have turned him to The Dark Side. He is presently a pre-law student at Monmouth University in New Jersey.

Caitlin Klein
Caitlin Klein is an honor-roll student at a private school in New Jersey and still finds time to devote to dance, guitar, horseback-riding and her level-70 Hunter on World of Warcraft. She is frequently mistaken for an undercover FBI agent. She despises blond jokes and the fact that most girls don't play video games. Caitlin drinks a lot of coffee.

The following contributed significantly to the presentation but were unable to appear:

Paul Ohm
Paul Ohm joined the faculty of the CU School of Law in Spring of 2006. He specializes in the emerging field of computer crime law, as well as criminal procedure, intellectual property, and information privacy. Prior to joining CU he worked as an Honors Program trial attorney in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. Professor Ohm is a former law clerk to Judge Betty Fletcher of the U.S. Ninth Circuit Court of Appeals and Judge Mariana Pfaelzer of the U.S. District Court for the Central District of California. He attended the UCLA School of Law where he served as Articles Editor of the UCLA Law Review and received the Benjamin Aaron and Judge Jerry Pacht prizes. Prior to law school, he worked for several years as a computer programmer and network systems administrator, and before that he earned undergraduate degrees in computer science and electrical engineering.

Merlin Arduini
Merlin Arduini is a student at the University of Colorado School of Law. He has a BA in Mathematics, and is formerly a firmware engineer. He would rather be a fish.

Return to the top of the page

Panel: Meet the Fed
Special Agent (Ret) Jim Christy, Director, Futures Exploration, Department of Defense Cyber Crime Center

A discussion of the power of digital forensics today and its real-world challenges. The panel will also discuss the Defense Cyber Crime Center (DC3) and the triad of organizations that comprise DC3: the Defense Computer Forensics Lab, the Defense Cyber Crime Institute, and the Defense Cyber Investigations Training Academy. Further topics are the evolving discipline of cyber crime investigations and the critical role law enforcement plays in a Network Centric Warfare environment, and the accreditation process for a cyber forensics lab, its forensic processes, and its capabilities.

This year, there will be two separate panels:

IA Panel: Information assurance, CERTs, and first responder organizations from agencies including DC3, DHS, SOCOM, NSA, OSD, NDU, and GAO

LE Panel: Law enforcement and counterintelligence agencies including DC3, FBI,

Jim Christy is a recently retired (1 Dec 2006) special agent who specialized in cyber crime investigations and digital evidence for over 20 of his 35 years of federal service. Jim is currently the Director of Futures Exploration for the Defense Cyber Crime Center (DC3) and was profiled in Wired Magazine in January 2007.

  • Director of Futures Exploration
  • Director of the Defense Cyber Crime Institute
  • R&D of digital forensic tools and processes
  • Test and validation of hardware and software tools used in an accredited
    digital forensics lab
  • Director of Operations for the Defense Computer Forensics Lab
  • LE/CI Liaison to OSD IA
  • DoD Representative to the President’s Infrastructure Protection Task Force
  • U.S. Senate Investigator, Permanent Subcommittee on Investigations
  • 11 years as Director of AF OSI Computer Crime Investigations

Ovie L. Carroll, DoJ
Ovie Carroll is the Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS). The Cybercrime lab is responsible for providing computer forensic and other technical support to CCIPS and other DOJ attorneys as it applies to implementing the Department's national strategies in combating computer and intellectual property crimes worldwide.

Mr. Carroll has 20 years of law enforcement experience. Prior to joining the Department of Justice, Mr. Carroll was the Special Agent in Charge of the Computer Crimes Unit at the United States Postal Service, Office of Inspector General, responsible for all computer intrusion investigations within the USPS network infrastructure and for providing all computer forensic analysis in support of USPS-OIG investigations and audits.

Mr. Carroll has also served as the Chief, Computer Investigations and Operations Branch, Air Force Office of Special Investigations, Washington Field Office where he was responsible for coordinating all national level computer intrusions occurring within the United States Air Force. He has extensive field experience applying his training to a broad

Jerry Dixon, DHS
As Director of National Cyber Security Division (NCSD) of the Department of Homeland Security, Jerry Dixon leads the national effort to protect America’s cyber infrastructure and identify cyber threats. He works collaboratively and facilitates strategic partnerships with stakeholders in the public sector, private industry, and the international arena. Mr. Dixon was appointed Director of the NCSD on January 7, 2006.

Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT), where he was responsible for coordinating incident response activities across federal, state, local government agencies, and private sector organizations. Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT’s capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security’s primary element of cyber preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the IRS's operational cyber security capability and developed its ability to detect and respond to attacks in order to protect taxpayers’ private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.

Tim Fowler, NCIS
Tim is an active duty Marine Special Agent who has worked as a Cyber Agent for the NCIS Cyber Department in Washington, DC, for the last six years. Tim has 19 years of active duty service in the U.S. Marine Corps working in the fields of military police, polygraph, criminal investigations and computer crime investigations and operations. While working as a Cyber Agent for NCIS, Tim specializes in conducting criminal, counterintelligence and counter-terrorism computer crime investigations and operations. Tim also has extensive knowledge and experience conducting media exploitation operations in hostile environments. In 2004, Tim was awarded the Bronze Star with combat Valor device by the Secretary of the Navy for his media exploitation efforts in Iraq.

Barry J. Grundy, NASA
Barry J. Grundy has worked as a Special Agent for the NASA Office of Inspector General (OIG), Computer Crimes Division (CCD) for the past six years. In that time he has been responsible for conducting computer intrusion investigations related to NASA systems. In 2005, SA Grundy received the annual Inspector General’s award for his investigative efforts. He currently serves as the Resident Agent in Charge of the Eastern Region of the NASA OIG CCD, responsible for the supervision of criminal investigations related to cyber events at eight NASA Centers. Before working for the NASA OIG, SA Grundy was employed as a Special Agent for the Ohio Attorney General’s Office, Health Care Fraud Unit, where he was responsible for the computer seizure and forensic media analysis support for the unit in addition to maintaining a normal health care fraud case load.

Prior to his law enforcement career, Grundy served for six years in the United States Marine Corps. All of his active duty service was spent in Reconnaissance Battalions, eventually as a Recon Team Leader, Scout/Sniper, and Combat Diver.

SA Grundy currently lives in Maryland with his wife, Jo Ann and son, Patrick. Hobbies include motorcycles, computers, and outdoor activities.

Andrew Fried, IRS
Andrew Fried is a Senior Special Agent with the Treasury Inspector General for Tax Administration’s System Intrusion and Network Attack Response Team (SINART). His organization is responsible for investigating computer security incidents involving the Internal Revenue Service.

During his 17-year career with Treasury, he is credited with developing his agency’s Computer Investigative Specialist (CIS) program, whose members are responsible for analyzing seized computers, as well as the SINART program, whose mission is to investigate computer intrusions and conduct proactive network penetration testing.

In 1986, while working at the Kennedy Space Center, he developed one of the first suites of software programs specifically designed for analyzing seized computers. His software was distributed, free of charge, to law enforcement agencies throughout the world.

Bob Hopper, NW3C
Mr. Hopper manages the NW3C Computer Crimes instructor cadre, who provide computer forensics training to state and local law enforcement throughout the United States. The Computer Crimes Section offers basic, intermediate and advanced training in computer forensics and computer crimes, and provides technical assistance and research and development for computer forensic examiners.

Mr. Hopper retired with nearly thirty years of service with the Arizona Department of Public Safety and thirty-seven years in law enforcement. Mr. Hopper’s law enforcement career included assignments in Narcotics, Air Smuggling, White Collar Crime and Organized Crime. Mr. Hopper also developed and managed the Arizona DPS Regional Computer Forensic Lab. This computer forensic lab grew from a two-man unit in 1998 to a state-of-the-art computer forensic lab that, in 2005 when he retired, had grown to seven state, local and federal agencies and nearly twenty-five computer forensic examiners.

Michael J. Jacobs, SRA International, Inc.
Michael Jacobs joined SRA in October 2002 as a Senior Advisor following his retirement from the Federal Government after 38 years of service. In March 2003 he was appointed Director of SRA’s Cyber and National Security Program. Prior to SRA, Mr. Jacobs was the Information Assurance (IA) Director at the National Security Agency (NSA). Under his leadership, NSA began implementing an Information Assurance strategy to protect the Defense Information Infrastructure and as appropriate, the National Information Infrastructure. He was responsible for overseeing the evolution of security products, services, and operations to ensure that the Federal Government’s national security information was free-flowing, unobstructed and uncorrupted.

Mr. Jacobs had a long and distinguished career at the National Security Agency where he served in key management positions in both the Intelligence and IA mission areas. He served as the Deputy Associate Director for Operations, Military Support where he was responsible for developing a single, coherent military support strategy for NSA. During his 38 years of NSA service, Jacobs was a leader in Information Systems Security production and control, policy and doctrine and customer relations. He has testified before Congress on defense issues and has spoken widely on topics ranging from IA to cultural diversity. For his vision, dedication, and accomplishments, he has been recognized by the Department of Defense with the Distinguished Civilian Service Medal; by the Director of Central Intelligence with the Intelligence Community’s Distinguished Service Award; and by NSA with the Exceptional Civilian Service Award. In addition, he has been awarded the National Intelligence Medal of Achievement and was twice awarded the Presidential Rank Award for Meritorious Achievement.

He earned his B.S. degree in Business Administration from King’s College and completed the Senior Managers in Government Program at Harvard University’s Kennedy School.

Mr. Jacobs resides in College Park, Maryland with his wife Ethel and their five children. From 1997 through 2001 he served as the City’s elected Mayor following fourteen years as an elected member of the City Council.

Timothy Kosiba, FBI
Timothy Kosiba has been a Forensic Examiner with the FBI CART Program for 12 years, and has managed the CART-BWI Laboratory in Linthicum, Maryland for the last 6 years. Mr. Kosiba has a B.S. in Management Information Systems from the University of Baltimore and an M.S. in Forensic Science from George Washington University. Currently, he is also the Program Manager for the Forensic Networks Program within CART, and is responsible for managing the deployment of 25 Storage Area Networks around the country for use in examining and reviewing digital evidence. Mr. Kosiba is also a Certified ASCLD/LAB Inspector in the discipline of Digital Forensics.

Robert F. Lentz, OSD
Mr. Lentz is the Director for Information Assurance (IA) in the Office of the Assistant Secretary of Defense, Networks and Information Integration/Chief Information Officer. He is the Chief Information Assurance Officer (CIAO) for the Department of Defense (DoD) and oversees the Defense-wide IA Program, which plans, monitors, coordinates, and integrates IA activities across DoD. Mr. Lentz is also the Chairman of the National Space INFOSEC Steering Council (NSISC), a member of the Presidential Sub-Committee on National Security Systems (CNSS), the Manager of the DoD IA Steering Council, and the IA Domain Owner of the Global Information Grid Enterprise Information Management Mission Area. In his capacity of IA Domain Owner, Mr. Lentz is a member of the DoD CIO Executive Council. He also reports to the Deputy Undersecretary for Security and Counter-Intelligence and is a member of the Information Operations (IO) Steering Council. Mr. Lentz represents DoD on several private sector boards, including the Center for Internet Security (CIS) Strategic Advisory Council, the Common Vulnerabilities & Exposures (CVE) Senior Advisory Council, and the Federal Electronic Commerce Coalition (FECC).

Mr. Lentz has over 26 years of experience with the National Security Agency (NSA) in the areas of financial management and technical program management. He has served as Chief of the Space and Networks IA Office, Chief Financial Officer of the NSA IA Directorate, Executive Assistant to the NSA SIGINT Collections and Operations Group and Field Chief of the Finksburg National Public Key Infrastructure / Key Management Infrastructure Operations Center. He has also served on several strategic planning and acquisition reform panels. Mr. Lentz has received the NSA Resource Manager of the Year Award, the Defense Meritorious Service Award, the 2003 Presidential Rank Award and the 2004 “Federal 100” award. In 2004, Mr. Lentz also received the highest-level honorary award the Department can bestow on a civilian employee, the prestigious Secretary of Defense Distinguished Civilian Service Award. Mr. Lentz is a graduate of the National Senior Cryptologic Course at the National Cryptologic School, the Federal Executive Institute (FEI) and the Resource Management Course at the Naval Postgraduate School. He earned a Bachelor of Science degree with a double major in History and Political Science from Saint Mary's College of Maryland and a Master’s degree in National Security Strategy from the National War College. While attending the National War College in 1999, Mr. Lentz’s primary focus was on Homeland Security.

Richard Marshall, NSA
Mr. Richard H. L. Marshall is the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA). NSA’s Legislative Affairs Office is the Agency’s point of contact for all NSA matters concerning Congress and is committed to maintaining a relationship with Congress built on trust, candor, completeness, correctness, consistency, and corporateness. Mr. Marshall has been instrumental in building an appreciation among key Senators and Representatives of Information Assurance and its role in helping to protect the nation’s critical infrastructures. As an additional duty, Mr. Marshall also represents NSA in the National Centers of Academic Excellence in Information Assurance Program in the Boston, Massachusetts and Detroit, Michigan areas, where he led the effort to establish an International Consortium on Information Assurance.

Mr. Marshall was selected by Dick Clarke, the Cyber Advisor to the President to serve as the Principal Deputy Director, Critical Infrastructure Assurance Office (CIAO), Bureau of Industry and Security, Department of Commerce where he led a team of 40 dedicated professionals in coordinating and implementing the Administration’s National Security for Critical Infrastructure Protection initiative to address potential threats to the nation’s critical infrastructures. He persuasively articulated the business case for enhancing information assurance in government and private sectors, and championed national outreach and awareness of information assurance issues to key stakeholders such as owners and operators of critical infrastructures, opinion influencers, business leaders, and government officials.

Before being nominated by the DIRNSA and approved by the SECDEF to serve in an Executive Development assignment to help lead the CIAO, Mr. Marshall served with distinction as the Associate General Counsel for Information Systems Security/Information Assurance, Office of the General Counsel, National Security Agency for over eight years. In that capacity, Mr. Marshall provided advice and counsel on national security telecommunications and technology transfer policies and programs, the National Information Assurance Partnership, the Common Criteria Mutual Recognition Arrangement, legislative initiatives and international law. Mr. Marshall was the legal architect for the Joint Chiefs of Staff directed exercise “Eligible Receiver 97” that spotlighted many of the cyber-vulnerabilities of our nation’s critical infrastructures and helped bring focus on this issue at the national leadership level.

Mr. Marshall graduated from The Citadel with a B.A. in Political Science; Creighton University School of Law with a J.D. in Jurisprudence; Georgetown School of Law with an LL.M. in International and Comparative Law; was a Fellow at the National Security Law Institute, University of Virginia School of Law in National Security Law; attended the Harvard School of Law Summer Program for Lawyers; the Georgetown University Government Affairs Institute on Advanced Legislative Strategies and participated in the Information Society Project at Yale Law School and in the Privacy, Security and Technology in the 21st Century program at Georgetown University School of Law.

Ken Privette, USPS
Ken works as the Special Agent in Charge of the Computer Crimes Unit (CCU) at the United States Postal Service Office of Inspector General. His unit conducts computer crime investigations and provides computer forensics support to a force of over 650 agents who conduct fraud and internal crime investigations for the U.S. Postal Service. Over the past two years Ken’s team has doubled in size, now managing a computer forensics workload of more than 900 requests per year.

Ken spent much of his professional life as a Special Agent with the Naval Criminal Investigative Service, both overseas and stateside, where he conducted investigations involving computer crime, terrorism, and counterintelligence matters.

Keith Rhodes, GAO
Keith Rhodes is currently the Chief Technologist of the U. S. Government Accountability Office and Director of the Center for Technology & Engineering. He provides assistance throughout the Legislative Branch on computer and telecommunications issues and leads reviews requiring significant technical expertise. He has been the senior advisor on a range of assignments covering continuity of government & operations, export control, computer security & privacy, e-commerce & e-government, voting systems, and various unconventional weapons systems. He has served as a Commissioner on the Independent Review of the National Imagery and Mapping Agency. Before joining GAO, he was a supervisory scientist at the Lawrence Livermore National Laboratory. His other work experience includes computer and telecommunications projects at Northrop Corporation and Ohio State.

Linton Wells II, Principal Deputy Assistant Secretary of Defense, Networks and Information Integration
Dr. Linton Wells II serves as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). He resumed these duties on November 14, 2005 after serving as the Acting Assistant Secretary and DoD Chief Information Officer from March 8, 2004. He became the Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence) on August 20, 1998, which became Networks and Information Integration in 2003. Prior to this assignment, he had served in the Office of the Under Secretary of Defense (Policy) from 1991 to 1998, most recently as the Deputy Under Secretary of Defense (Policy Support).

In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; C3I; and special access program oversight.

Dr. Wells was born in Luanda, Angola, in 1946. He graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, scuba diving, and flying.


Panel: Meet the VCs
Moderator: Brad Stone, New York Times Technology Correspondent
Patrick Chung, Partner, NEA
Maria Cirino, Co-Founder and Managing Director, .406 Ventures
Mark McGovern, Tech Lead, In-Q-Tel
Dov Yoran, Partner, Security Growth Partners

2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to work with them to further your innovations. This session will conclude with an announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON 16.

Brad Stone, New York Times technology correspondent
Brad Stone joined the New York Times in December 2006. He covers Internet trends from the newspaper’s San Francisco bureau. In addition to writing for the paper, he contributes to the Times’ technology blog, Bits.

From 1998 to November 2006, Stone served as the Silicon Valley Correspondent for Newsweek magazine, writing for the technology and business sections of the magazine and authoring a regular column, Plain Text, on our evolving digital lifestyles.

He joined the Newsweek writing staff in 1996 as a general assignment reporter and covered a wide range of subjects. He wrote about Mark McGwire's home run chase during the summer of 1998, the jury deliberations in the Timothy McVeigh trial, and profiled authors such as Kurt Vonnegut. He is also a frequent contributor to Wired magazine, and has written for publications such as More magazine and the Sunday Telegraph in London.

Brad graduated from Columbia University in 1993 and is originally from Cleveland, Ohio.

Patrick Chung, Partner, NEA
Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC), to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusetts bars.

Maria Cirino, Co-Founder and Managing Director, .406 Ventures
Maria is co-founder and managing director of .406 Ventures, a new VC firm focused on early stage investments in security, IT, and services. She serves as an active investor, director and/or chairman in one public company and four venture-backed companies including Veracode and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of Verisign following its 2005 $142 million acquisition of Guardent, a Sequoia, Charles River Ventures and NEA-backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category-creating network infrastructure company, from 1993 to 1997.

Mark McGovern, Tech Lead, In-Q-Tel
Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

Dov Yoran, Partner, Security Growth Partners
Dov Yoran is a Partner at Security Growth Partners (SGP). Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc., a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts.

Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents.

Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, in a $145 Million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue.

Prior to that, Mr. Yoran worked in several technology start-ups as well as Accenture (formerly Andersen Consulting), where he focused on technology and strategy engagements in the Financial Services Industry.

Mr. Yoran has also written and lectured on several Information Security topics. He holds a Master of Science in Engineering Management and Systems Engineering with a concentration in Information Security Management from the George Washington University and graduated cum laude with a Bachelor of Science in Chemistry from Tufts University.


Panel: Spyware 2010: Center for Democracy & Technology Anti-Spyware Coalition
Moderator: Ari Schwartz, Deputy Director, the Center for Democracy and Technology
Eileen Harrington, Deputy Director, the Federal Trade Commission
Ben Edelman, Assistant Professor, Harvard Business School
Mario Vuksan, Director of Knowledgebase Services, Bit9

The profit and motive for spyware will increase drastically over the next three years. How are federal agencies and corporations planning for this surge? What are the next big technological breakthroughs? How can we prepare?

Mario Vuksan, Director of Knowledgebase Services, Bit9
Mario Vuksan is the Director of Knowledgebase Services at Bit9, a leading provider of application and device control solutions, where he has helped create the world's largest collection of actionable intelligence about software. Before Bit9, Vuksan was Program Manager and Consulting Engineer at Groove Networks (acquired by Microsoft), working on Web-based solutions, P2P management, and integration servers. Before Groove Networks, Vuksan developed one of the first Web 2.0 applications at 1414c, a spin-off from PictureTel. He received a bachelor's degree in Mathematics, Art History, and Computer Science from Swarthmore College and a master's degree in Art History from Boston University.

Ben Edelman is an assistant professor at the Harvard Business School in the Negotiation, Organizations & Markets unit.

Ben's current research includes analyzing methods and effects of spyware, with a focus on installation methods and revenue sources. Ben has documented advertisers supporting spyware, advertising intermediaries funding spyware, affiliate commission fraud, and click fraud.

More generally, Ben is interested in the evolving mix of public and private forces shaping the Internet—how private parties and central authorities seek to change users' Internet experience. In this vein, Ben tabulated registrations in new TLDs and tracked Internet filtering efforts by governments worldwide.

Ben's academic research focuses on Internet advertising. Looking at pay-per-click auctions for online advertising, Ben has analyzed search engines' market designs, bidders' strategies, and possible improvements to these large and growing marketplaces. Ben's recent academic work also includes designing compensation structures to deter advertising fraud, and critiquing online "safety" certifications that fail to adequately protect users.

Ben was previously a Student Fellow at the Berkman Center for Internet & Society, where his projects included analyzing the formative documents and activities of ICANN, running Berkman Center webcasts, and developing software tools for real-time use in meetings, classes, and special events. He oversaw ICANN Public Meeting webcasts and operated the technology used at ICANN's first twelve quarterly meetings. Ben wrote about domain name politics, particularly in the context of expired domain names subsequently used for pornography and registered with false WHOIS data. He developed methods for testing Internet filtering worldwide, without leaving his office, publishing reports on filtering in China and in Saudi Arabia.

Ben has served as a consultant and testifying expert for a variety of clients, including the ACLU, the City of Los Angeles, the National Association of Broadcasters, the National Football League, the New York Times, the Washington Post, and Wells Fargo.

Ben holds a Ph.D. from the Department of Economics at Harvard University, a J.D. from the Harvard Law School, an A.M. in Statistics from the Harvard Graduate School of Arts and Sciences, and an A.B. in Economics from Harvard College (summa cum laude). He is a member of the Massachusetts Bar.

Eileen Harrington, an attorney, is Deputy Director of the Federal Trade Commission’s Bureau of Consumer Protection. The Bureau of Consumer Protection’s mandate is to protect consumers from deceptive, unfair, or fraudulent practices. The Bureau enforces a variety of consumer protection laws enacted by Congress, as well as trade regulation rules issued by the Commission. Its actions include individual company and industry-wide investigations, administrative and federal court litigation, rulemaking proceedings, and consumer and business education. In addition, the Bureau contributes to the Commission’s on-going efforts to inform Congress and other government entities of the impact that proposed actions could have on consumers.

Prior to becoming Deputy Director of the Bureau of Consumer Protection, Ms. Harrington was Associate Director for Marketing Practices. In that role, she led the Commission’s consumer fraud law enforcement effort, and oversaw some of its most visible regulatory work, including the National Do Not Call initiative and implementation of the CAN-SPAM Act. She also led development of the Commission’s Internet Fraud enforcement program and coordinated domestic and international law enforcement programs to detect and halt fraud against consumers on the Internet.

Ms. Harrington joined the FTC as Assistant Director for Marketing Practices in 1987, and served as Associate Director for Marketing Practices from 1991 to 2005. In 1997, President Clinton conferred on Ms. Harrington the rank of Distinguished Executive in the Senior Executive Service for "sustained extraordinary accomplishments" in organizing and leading interagency enforcement, education and regulatory efforts to halt consumer fraud. In 2004, she was awarded a Service to America Medal for her work on the National Do Not Call Registry.

Ari Schwartz is the Deputy Director of the Center for Democracy and Technology (CDT). Schwartz's work focuses on increasing individual control over personal and public information. He promotes privacy protections in the digital age and expanding access to government information via the Internet. He regularly testifies before Congress and Executive Branch Agencies on these issues.

Schwartz also leads the Anti-Spyware Coalition (ASC), a coalition of anti-spyware software companies, academics, and public interest groups dedicated to defeating spyware. In 2006, Schwartz won the RSA award for Excellence in Public Policy for his work building the ASC and other efforts against spyware.

Jonathan Afek

Raven Alder

Pedram Amini

Becky Bace

Brandon Baker

Kevin Bankston

Andrea Barisani

Rohyt Belani

Riccardo Bettati

Daniele Bianco

Damiano Bolzoni

Joyce Brocaglia

Ryan Bulat

Yuriy Bulygin

Jamie Butler

David Byrne

Jon Callas

Ero Carrera

Stephan Chenette

Brian Chess

Steve Christey

Jim Christy

Patrick Chung

Maria Cirino

Robert Clark

Richard Clarke

David Coffey

Job de Haas

Jared DeMott

Barrie Dempster

Rohit Dhamankar

Roger Dingledine

Mark Dowd

Himanshu Dwivedi

Dr. Richard Enbody

Chris Eng

Joel Eriksson

Gadi Evron

Sean Fay

Ben Feinstein

Carole Fennelly

Justin Ferguson

Peter Ferrie

Kevvie Fowler

Pamela Fusco

Dave G.

Alex Garbutt

Kenneth Geers

Robert Graham

Jennifer Granick

Jeremiah Grossman

Ezequiel D. Gutesman

Robert Hansen

Nick Harbour

Eileen Harrington

Greg Wroblewski

John Heasman

Brad Hill

Billy Hoffman

Greg Hoglund

Jack Holleran

Mikko Hypponen

Keith Jones

Moti Joseph

Merike Kaeo

Dan Kaminsky

Kris Kendall

Rob King

Caitlin Klein

Jonathan Klein

Dr. Neal Krawetz

Krishna Kurapati

Toshinari Kureha

Zane Lackey

Nate Lawson

Adam Laurie

Dr. Andrew Lindell

Jonathan Lindsay

Steven Lipner

David Litchfield

Johnny Long

Brian Martin

Nick Mathewson

David Maynor

Iain McDonald

John McDonald

Mark McGovern

Haroon Meer

Neel Mehta

Charlie Miller

Luis Miras

HD Moore

Dan Moniz

Eric Monti

Jeff Morin

David Mortman

Shawn Moyer

Tim Newsham

Claes Nyberg

Paul Ohm

Christer Öberg

Alfredo Ortega

Chris Paget

Chris Palmer

Stephen Patton

Daniel Peck

Mike Perry

Cody Pierce

Aaron Portnoy

Paul Proctor

Thomas Ptacek

Dr. Bill Punch

Danny Quist

Jeremy Rauch

Chris Ridder

Ian Robertson

Dror-John Roecher

Joanna Rutkowska

Bruce Schneier

Paul Vincent Sabanal

Tony Sager

Richard Salgado

Len Sassaman

Pablo Damian Saura

Eric Schmiedl

Jerry Schneider

Ari Schwartz

John Seely

Mike Shaver

Simple Nomad

Marco Slaviero

Window Snyder

Alexander Sotirov

Mike Spindel

Alex Stamos

Scott Stender

John Stewart

Brad Stone

Alexander Tereshkin

John Terrill

Peter Thermos

Richard Thieme

Michael Thumann

Eugene Tsyrklevich

Vlad Tsyrklevich

John Viega

Mario Vuksan

Ariel Waissbein

Jacob West

Chris Wysopal

Mark Vincent Yason

Dov Yoran

Emmanuele Zambon

Stefano Zanero

Phil Zimmermann

(c) 1996-2007 Black Hat