The legal community is slowly accepting that the changes to the Federal rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.
The changes to the Federal Rules change the way in which individuals and organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.
More frightening for individuals doing security research is the fact that these rules apply to the one-man research operation in exactly the same way they apply to the multimillion-dollar conglomerate.
This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to) and will empower attendees with the knowledge they need to deal with this new legal environment.
John Benson currently works as an Electronic Discovery Consultant for a large Midwestern law firm. A graduate of the University of Missouri from both Columbia and Kansas City campuses, he is a member of the Missouri Bar Association and serves as the Chairman of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee. He has taught law, ethics and (oddly enough) finance as an adjunct professor at The Colorado Technical University. In 2008 he founded the Cowtown Computer Congress, a hackerspace and umbrella organization for the advancement of user-driven technology activities in Kansas City. He has presented at hacker cons around the country including LayerOne, Pumpcon, Shmoocon and DEFCON. He can be found on the DEFCON boards and assisting with radio communications at DEFCON. His website can be found at http://www.john-benson.com.
SmartCards are commonly used for authentication, or for securing e-mails or transactions. The concept armors crypto functions inside a tamper-proof architecture. Software cannot be protected by software, and this paradigm forces the need for secure devices. But how does it work? How does a Windows computer communicate with the SmartCard device? Can hackers inject malware in between the communication? This presentation addresses these items. The Compass Security APDU debugger allows you to halt, alter and intercept APDU commands and disclose hidden secrets. The APDU debugger is part of the presentation.
Ivan Buetler TBD
This work introduces an approach to detecting hardware-assisted virtualization malware that differs from currently developed techniques. It uses the hardware capabilities of an embedded microcontroller inside the chipset's north-bridge to detect virtualization malware, and goes beyond detection to remove it from the system. We will discuss advantages and other potential applications of the approach, possible attacks that evade detection, and solutions to them.
This talk will also include a demo of DeepWatch, a proof of concept detector of VT-x based virtualization rootkits implemented in north-bridge firmware.
Yuriy Bulygin so enjoyed watching the Chernobyl Nuclear Power Plant burn at age 7 that he decided to learn how things work and why they fail. Yuriy received his Masters in Applied Math and Physics while attempting to hack the physics of Jupiter's atmosphere, which appeared to be too far from the Earth. He then received his Ph.D. in Crypto from Moscow Institute of Physics and Technology (Phystech) in Russia. Yuriy works for Intel's Security Center of Excellence where he leads security analysis and pen-testing of Intel hardware/software and teaches secure coding to Intel engineers. He is also a core member of Intel PSIRT. Prior to joining Intel Yuriy was a member of the technological research team at Kaspersky Lab in Russia.
This talk will expose the tools and tactics used in the phishing underground. What started as a simple examination of phishing sites, turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers.
Follow us as we track real-life phishers hiding in the shadiest corners of the Internet, analyze the tools used by phishers, determine if these phishers are really the Einsteinian Ninja Hackers the media portrays them to be, uncover how phishers phish other phishers, and discover the sites where real-life identities are being bought and sold.
Nitesh Dhanjani: being an actual reincarnation of Dawkins' Spaghetti Monster, Nitesh Dhanjani is also a rare type of Blowfish that is poisonous to phishermen across the world. Once netted, Dhanjani's poison quickly disables the phishermen and spreads to their prized lines and lures. Currently, only two individuals, namely Chuck Norris and Bruce Schneier, are known to handle this toxic poison without fear of death.
A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's Ida Sync provided a first step towards automated collaboration among Ida users; however, Ida Sync suffers from several shortcomings, including the fact that it has failed to keep pace with the evolution of Ida's internal architecture. In this presentation, the authors present a new tool titled collabREate, designed to bring nearly effortless collaboration to Ida users. The talk will include discussion of the IDA API and the ways in which it facilitates collaboration, along with the ways in which it hinders collaboration. The design of a robust server component, responsible for managing projects and connected clients, will also be discussed, along with a number of capabilities beyond simple collaboration that are enabled via the collabREate architecture.
Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 23+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Toorcon, CodeCon, and Shmoocon and is the author of the upcoming "The IDA Pro Book". In his spare time he heads up the Sk3wl of r00t CTF team and can be found pulling all-nighters at Defcon.
Virtualization rootkits have been a hot topic for the past couple of years. In this talk, we will discuss a new type of malware with potentially even greater stealth: the System Management Mode (SMM) Rootkit. System Management Mode, a relatively obscure mode on Intel processors, provides an isolated memory and execution environment. SMM code is invisible to the Operating System yet retains full access to host physical memory and complete control over peripheral hardware. We will demo a proof of concept SMM rootkit that functions as a chipset-level keylogger. Our rootkit hides its memory footprint, makes no changes to the host Operating System, and is capable of covertly exfiltrating sensitive data across the network while evading essentially all host-based intrusion detection systems and firewalls.
Shawn Embleton is the CTO of the Florida company, Clear Hat Consulting, Inc. Shawn spoke at Black Hat in 2006 on the topic of using evolutionary computation for automated vulnerability analysis and co-authored a prototype intelligent fuzz testing tool, named Sidewinder. During 2007, Shawn co-taught the Black Hat Offensive Aspects of Rootkit Technology class with Sherri Sparks and co-founded Clear Hat Consulting, Inc. Some of his current interests include hardware virtualization and chipset level rootkit technology.
While we first saw the Internet used extensively during the 2004 Presidential election, its use in future presidential elections will clearly overshadow it. This session focuses on the 2008 presidential election in order to demonstrate the risks involved, however our findings may just as well apply to any future election.
It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively communicate their positions, rally supporters, and seek to sway critics. These risks include among others the dissemination of misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving the diversion of online campaign donations have the potential to threaten voters' faith in our electoral system.
We will show that many of the same risks that we have grown accustomed to on the Internet can also manifest themselves when applied to the election process. A number of past studies have discussed a broad spectrum of election fraud such as the casting of fraudulent votes and the security, risks, and challenges of electronic voting. Our discussion will focus exclusively on Internet-borne threats, and how they have the potential to impact the election process leading up to voting day.
We will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become.
Secondly, we will discuss the potential impact of phishing on an election.
Thirdly, we will discuss the impact of security risks and malicious code, and the potential for misinformation that may present itself using any of these vectors. This set of risks crosses technical, social, and psychological boundaries. While traditional forms of malicious code certainly play an important role, social engineering and deception provide equal potential and have a more ominous psychological impact on voters who are exercising their right to elect their next president, or cast their vote in any other type of election.
This session consists of a combination of active research conducted by the presenter as well as discussion on how current threats may be customized. In order to determine the impact of typo squatting and domain name speculation for example, we performed an analysis of 2008 presidential election candidate web sites and discovered numerous examples of abuse.
Oliver Friedrichs is the Director, Emerging Technologies in Symantec Security Response, the organization responsible for the delivery of AntiVirus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs served as co-founder and Director of Engineering at SecurityFocus until the company’s acquisition by Symantec in 2002. At SecurityFocus Mr. Friedrichs managed the development of the industry’s first early warning technology for Internet attacks, the DeepSight Threat Management System. Mr. Friedrichs also created and grew the DeepSight Threat Analyst team providing thorough analysis of emerging Internet threats. Prior to SecurityFocus, he served as co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. At Secure Networks, Friedrichs architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner by Network Associates. At Network Associates Mr. Friedrichs also founded COVERT (Computer Vulnerability Exploitation Research Team) with the exclusive goal of researching and discovering new security vulnerabilities. Mr. Friedrichs also architected and developed a prototype of the industry’s first commercial penetration testing product, codenamed SNIPER. The technology was acquired by Core Security Technologies in 2001 and further developed to become CORE IMPACT, the company's flagship product and market leader for automated penetration testing. Mr. Friedrichs has over 15 years of expertise in security technologies, including network assessment, intrusion detection systems, firewalls, penetration testing, and honeypots. As a frequent speaker, he has shared his expertise with many organizations, including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.
This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for 900 USD. The second part of the talk unravels a practical solution to crack the GSM encryption A5/1.
David Hulton has been hacking with wireless and embedded devices for the past 6 years and actively involved in the security industry for 10. After helping start and run various security meetings and ToorCon back in the late 90’s, he switched focus and became credited with designing open source tools such as bsd-airtools, doing extensive security research with Wireless, Smart Cards, GSM, and most recently with revolutionary high-speed crypto cracking applications for FPGAs.
With the increased use of SMS, performing forensics on seized mobile phones to retrieve text and multimedia messages is rapidly becoming a critical investigative requirement. As with other areas of forensics, the mobile phone forensics toolkits available today are not perfect. This talk will seek to inform the audience of various attacks we have discovered against mobile phone forensics software that allow attackers to avoid detection. Additionally, during this talk we will release and demonstrate a tool for sending and receiving covert SMS messages. Finally, we will release SMS fuzzing tools to allow vendors and users of mobile phone forensics software to test the reliability of the tools they rely upon.
Zane Lackey is a Senior Security Consultant with iSEC Partners, Inc., a strategic digital security organization. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes AJAX web applications, VoIP, and mobile phone security. Zane has spoken at top security conferences including BlackHat, Toorcon, MEITSEC, and the iSEC Open Forum. Additionally, he is a co-author of Hacking Exposed: Web 2.0 (McGraw-Hill/December 2007) and contributing author of Hacking VoIP (No Starch Press/Fall 2008). Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop.
Toll payment systems, such as FasTrak and E-ZPass, promise quick travel and more revenue for the state. While privacy issues with such systems have been discussed in general, little is known about their actual implementation and security. We reverse-engineered the RFID internals and analyzed the protocol to find out just what's going on inside. We'll explain the low-level details we found, the problems, and possible ways to build a safer and more secure system.
Nate Lawson, founder of Root Labs, assists companies with the design of embedded, platform, and cryptographic security. At Cryptography Research, Nate co-developed the Blu-ray content protection layer known as BD+. He is also the original developer of IBM/ISS RealSecure. Powered by home-roasted coffee, Nate spends his spare time contributing to the FreeBSD (ACPI/power management, SCSI) and C64 Preservation open-source projects.
Attacks on network infrastructure are not a new field. However, the increasing default protections in common operating systems, platforms and development environments increase interest in the less protected infrastructure sector. Today, performing in-depth crash analysis or digital forensics is almost impossible on the most widely used routing platform.
This talk will show new developments in this sector and how a slightly adjusted network infrastructure configuration, together with new tools, finally makes it possible to tell crashed, attacked and backdoored routers apart. We walk through the known types of backdoors and shellcodes for IOS, as well as their detection and the challenges in doing so.
Felix "FX" Lindner runs Recurity Labs. FX has over 10 years experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments. FX is well known in the computer security community and has presented his and Phenoelit's security research on Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.
Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant Internet connectivity, they provide a graphical experience equivalent to thick desktop applications with the easy install experience of thin Web apps. They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external security professionals.
Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison between the security models of the leading RIA platforms. We will discuss how current attacks against web applications are changed with RIA as well as outline new types of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze the threat posed to them by RIA applications as either providers or consumers of software built on these new platforms.
We will also be discussing the attack surface exposed by the large media codec stacks contained in each of these platforms. Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. At this talk, we will be releasing tools for testing the codec security of these platforms as well as sample malicious code demonstrating the danger of RIA applications.
Justine Osborne is a Security Consultant with iSEC Partners, Inc., where she specializes in the security analysis of complex web and Win32 applications. Her research interests include web applications and dynamic vulnerability assessment tools. She holds a BS in Computer Science from Mills College.
This talk will give an overview of the Mobitex wireless networking technology and infrastructure (www.mobitex.org). The authentication (subscriber identity) and privacy (anti-sniffing) features will be presented in detail, along with fundamental weaknesses in both, suggested improvements, and "best practice" advice for implementors of applications built on Mobitex and other wide-area coverage wireless network standards.
olleB has been working in the IT-security industry since 1999 and has a background in UNIX systems administration. In his spare time he enjoys tinkering with tech and building security related tools under the banner of the Toolcrypt group (www.toolcrypt.org). He has held numerous security training courses of the "hands on/attacker perspective" type on behalf of past employers and has presented at T2 and CanSecWest security conferences.
Michael Ossman is an information security researcher for the Institute for Telecommunication Sciences at the U.S. Department of Commerce Boulder Laboratories. He has served as the information security officer for a hospital system, as a consultant, and as a system and network administrator. Michael is best known for his 2004 article, WEP: Dead Again, and the 5-in-1 Network Admin's Cable featured in the premiere issue of Make.
Over the last several years, we've seen a decrease in effectiveness of "classical" security tools. The nature of present-day attacks is very different from what the security community has been used to in the past. Rather than wide-spread worms and viruses that cause general havoc, attackers are directly targeting their victims in order to achieve monetary or military gain. These attacks are blowing right past firewalls and anti-virus and placing malware deep in the enterprise. Ideally, we could fix this problem at its roots by fixing the software that is making us vulnerable. Unfortunately that's going to take a while, and in the interim security engineers and operators need new, advanced tools that allow deeper visibility into systems and networks while being easy and efficient to use.
This talk will focus on using network flows to detect advanced malware. Network flows, made popular by Cisco's NetFlow implementation available on almost all their routers, have been used for years for network engineering purposes. And while there has been some capability for security analysis against these flows, there has been little interest until recently. This talk will describe NetFlow and how to implement it in your network. It will also examine advanced statistical analysis techniques that make finding malware and attackers easier. I will release a new version of Psyche, an open source flow analysis tool, and show specific examples of how to detect malware on live networks.
Bruce Potter is the founder of the Shmoo Group of security, crypto, and privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network analysis, trusted computing, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders.
In this presentation we will discuss a couple of significant problems in existing IDS / Firewall technology and present a proof of concept "chipset"-level rootkit / network backdoor that is capable of bypassing virtually all host-based firewall and intrusion detection software on the market. These, of course, include popular, widely deployed software like Snort and Zone Alarm Security Suite. Our backdoor operates at an even deeper level than previous backdoors (e.g. Joanna's "DeepDoor" rootkit) because it interacts directly with the chipset interface of the NIC hardware. Capabilities include the ability to both covertly send AND receive packets. We use both of these capabilities to implement a simple command and control interface. Implications for security vendors include the exfiltration of sensitive information and delayed detection of malware threats like DDOS attacks, Botnets, and Worms.
Sherri Sparks is President of the Florida company, Clear Hat Consulting, Inc. Currently, her research interests include offensive / defensive stealth code technologies and digital forensics. She has spoken at Black Hat on these topics and has taught the Black Hat Offensive Aspects of Rootkit Technology class. Her published articles have appeared in Usenix Login, ACSAC, Security Focus, and Phrack magazine. With an increasing involvement in providing consulting / training services for independent clients, she co-founded the company Clear Hat Consulting, Inc. in early 2007. Clear Hat Consulting specializes in Windows kernel and hypervisor development as it relates to stealth rootkit technology, digital forensics, and other custom software security solutions.
Alex Stamos is a Founding Partner of iSEC Partners and is an experienced security engineer and consultant specializing in application security and incident response. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Infragard, Microsoft BlueHat, Toorcon, the Web 2.0 Expo and OWASP AppSec. He holds a BSEE from the University of California, Berkeley, and spends his spare time chasing his baby son and sailing on the SF bay.
David Thiel TBD
In 2006, BlackHat Las Vegas presented a cloned ePassport. In 2008, the rumor goes that Elvis is still alive or at least his passport is. This presentation will examine the different mechanisms used in ePassport to prevent cloning and creation of electronic travel documents with non-original content and ways to attack these mechanisms.
Jeroen van Beek is a Security Consultant and Security Researcher with over 6 years of professional experience in network security and penetration testing. In 2007 he presented the world’s first publicly available full blown cracker for Oracle 11g. vonJeek is a well-known guest speaker at several Dutch universities. Besides security, he likes sleeping, drinking wine, the sun and fast red Italian motorcycles.
Get ready for the code to fly as two masters compete to discover as many security vulnerabilities in a single application as possible. In the spirit of the Food Network's cult favorite show, Iron Chef, our Chairman will reveal the surprise ingredient (the code), and then let the challenger and the 'Iron Hacker' face off in a frenetic security battle. The guest panel will judge the tools created and used to determine whose hack-fu will be victorious and who will be vanquished.
Remember, our testers have only one hour to complete their challenge and they will be restricted to their respective choice of bug-finding techniques: One team will use static analysis, while the other will employ fuzzing. Watch as the masters wield their weapons of choice. What will they concoct? Who will come out victorious? Which techniques will prove most effective in a high-pressure every-minute-counts environment? Come and see for yourself!
Visit 'Vulnerability Stadium' and watch a fierce battle. Our contestants will have upwards of five minutes to discuss their strategy before the battle begins. The show will be taped live with a studio audience and our co-hosts will provide running commentary, encourage the competitors and judge the results with the audience, based on originality of created tools, presentation of the number of bugs, and creativity of using the tools when searching for vulnerabilities. So Black Hat attendees... with an open application and an empty exploit list, I say unto you in the words of my uncle: Hack This!
Jacob West TBD