Past speeches and talks from the Black Hat Briefings computer security conferences. The Black Hat Briefings USA 2006 was held August 2-3 in Las Vegas at Caesars Palace. Two days, fourteen tracks, over 85 presentations. Dan Larkin of the FBI was the keynote speaker. Celebrating our tenth year…
Jeff Moss
If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal.
In this day and age, forensics evidence lurks everywhere. This talk takes attendees on a brisk walk through the modern technological landscape in search of hidden digital data. Some hiding places are more obvious than others, but far too many devices are overlooked in a modern forensics investigation. As we touch on each device, we'll talk about the possibilities for the forensic investigator, and take a surprising and fun look at the nooks and crannies of many devices considered commonplace in today's society. For each device, we'll look at what can be hidden and talk about various detection and extraction techniques, avoiding at all costs the obvious "oh I knew that" path of forensics investigation. All this will of course be tempered with Johnny's usual flair, some fun (and admittedly rowdy) "where's the evidence" games, and some really cool giveaways.

Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com
All applications and operating systems have coding errors, and we have seen technical advances in both attack and mitigation sophistication as more security vulnerabilities exploit defects related to application and OS memory and heap usage. Starting with W2k3 and XP/SP2, Windows incorporated technologies to reduce the reliability of such attacks. The heap manager in Windows Vista pushes the innovation much further in this area. This talk will describe the challenges the heap team faced and the technical details of the changes coming in Windows Vista.

Adrian Marinescu, development lead in the Windows Kernel group, has been with Microsoft Corporation since 1998. He joined then to work on a few core components such as user-mode memory management, kernel object management and the kernel inter-process communication mechanism. In the heap management area, Adrian designed and implemented the Low Fragmentation Heap, a highly scalable addition to the Windows Heap Manager, and he currently focuses on techniques for reducing the reliability of certain well-known heap exploits.
Injecting shellcode into a vulnerable program so you can find it reliably can be tricky. With image format vulnerabilities, sometimes the only place you can put your code is in the image itself. If a file attempting to exploit one of these vulnerabilities was rendered using a non-vulnerable application, the 'strange' files might raise some suspicion; a file containing a NOP-sled and shellcode does not tend to look like any normal photo. What if shellcode could be injected in this way without significantly altering the appearance of the file? What if the entire file could be transformed into executable code but the original image or sound could still be rendered? In this presentation we will present Punk Ode, which combines concepts from steganography, psychophysics and restricted character-set shellcode encoding to hide shellcode in plain sight. We will discuss how to convert a media file into a stream of valid instructions while leaving the initial images/sounds intact so as not to raise suspicion. We will also release a series of tools designed to automate the generation of such files.

Michael Sutton is a Director for iDefense/VeriSign where he heads iDefense Labs and the Vulnerability Aggregation Team (VAT). iDefense Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDefense Vulnerability Contributor Program (VCP). Prior to joining iDefense, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. He obtained his Master of Science in Information Systems Technology degree at George Washington University and has a Bachelor of Commerce degree from the University of Alberta. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Greg MacManus is a security engineer for iDefense/VeriSign working in the iDefense Labs where he does a bunch of computer security research and vulnerability analysis. He obtained his Bachelor of Science in Computer Science at Otago University in Dunedin, New Zealand and during this time got quite good at doing the computer stuff and going off on random tangents. Aside from finding and exploiting security vulnerabilities and related computer security topics, he is also interested in image processing, data visualization, artificial intelligence, wordplay and music.
In the first half of this session, Paul Simmonds will present on behalf of the Jericho Forum, taking participants through the initial problem statement and what people need to go away and start implementing. Topics will include:
1. De-perimeterization - the business imperative
2. From protocols to accessing the web - the technical issues
3. What should be implemented today - current and near-term solutions
4. Planning for tomorrow - future solutions and roadmap
The second half of this session will focus on the Jericho Challenge: the format, the rules, the judging format and the prizes, followed by a Q&A. The aim of the Jericho Forum Challenge is to develop a "technology demonstrator" within a full year from start to finish. The competition is based on a typical business environment with at least one business application, one legacy application, typical business usage (Web, E-mail and Word Processing) using at least one "office" PC and one laptop. The finals and judging will occur in 2007.
Looking for instant gratification from the latest client-side attack? Your search may be over when you see the data that can be harvested from popular web browser caches. This discussion will focus on what web application programmers are NOT doing to prevent data like credit card and social security numbers from being cached. It will explore which popular websites are not disabling these features and what tools an attacker can use to gather this information from a compromised machine. A general overview of web browser caching will be included, along with countermeasures from both the client and server side.

Corey Benninger, CISSP, is a Security Consultant with Foundstone, a division of McAfee, where he commonly performs web application assessments for leading financial institutions and Fortune 500 companies. He also is involved with teaching Ultimate Hacking Exposed courses to clients throughout the United States. Prior to joining Foundstone, Corey worked on developing web applications for a nationwide medical tracking system as well as infrastructure applications for internet service providers.
Automated identification of malicious code and subsequent classification into known malware families can help cut down laborious manual malware analysis time. Call sequence, assembly instruction statistics and graph topology all say something about the code. This talk will present three identification and classification approaches that use methods and results from complex network theory. Some familiarity with assembly, Win32 architecture, statistics and basic graph theory is helpful.

Daniel Bilar is an academic researcher who enjoys poking his nose in code and networks and trying novel ways to solve problems. He has degrees from Brown University (BA, Computer Science), Cornell University (MEng, Operations Research and Industrial Engineering) and Dartmouth College (PhD, Engineering Sciences). Dartmouth College filed a provisional patent for his PhD thesis work ("Quantitative Risk Analysis of Computer Networks", Prof. G. Cybenko advisor), which addresses the problem of risk opacity of software on wired and wireless computer networks. Daniel is a founding member of the Institute for Security and Technology Studies at Dartmouth College. ISTS conducts counter-terrorism technology research, development, and assessment for the Department of Homeland Security. He was part of the group that researches new methods of protecting the nation's communication infrastructure. He also was a SANS GIAC Systems and Network Auditor Advisory Board member 2002-2005. Daniel is currently the Hess Fellow in Computer Science at Wellesley College (MA). He has previously developed and taught computer science undergraduate courses on network/computer security, and complex network theory at Oberlin College (OH) and Colby College (ME).
Linux® is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator. This presentation offers a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition, we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices.

Zvi Gutterman is CTO and co-founder of Safend. As CTO, Zvi designs key Safend technologies such as the algorithms and theory behind Safend Auditor and Safend Protector implementation. He is responsible for maintaining Safend's competitive advantage through cutting-edge innovation. Prior to co-founding Safend, Zvi was with ECTEL (NASDAQ:ECTX), performing as a chief architect in the IP infrastructure group. He also previously served as an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. He holds Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology and is a Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering.
Web apps continue to be the soft, white underbelly of most corporate IT environments. While the optimal path is to fix your code, it's not always an option, especially for closed-source, black-box web apps or apps hosted on servers that you can't harden directly. If you have an app in your data center that your CIO thinks is the greatest thing since Microsoft Golf, but is really the HTTP equivalent of a big flashing "own me" sign, this talk is for you. We'll walk through the process of configuring a caching, content filtering / scanning (POST/GET/header/HTML/XHTML/XML) and traffic sanitizing / rewriting front end HTTP gateway that also tries to frustrate web scans and HTTP fingerprinting. I'm releasing some build scripts to do most of the heavy lifting as well.
Worms traditionally propagate by exploiting a vulnerability in an OS or an underlying service. 2005 saw the release in the wild of the first worms that propagate by exploiting vulnerabilities in web applications served by simple http daemons. With the near ubiquity of W3C compliant web browsers and advances in dynamic content generation and client-side technologies like AJAX, major players like Google, Yahoo, and Microsoft are creating powerful applications accessible only through web browsers. The security risks of web applications are already largely neglected. The discovery of programs that automatically exploit web applications and self-replicate will only make the situation worse. This presentation will analyze the scope of these new threats. First we will examine how Web Worms and Viruses operate, specifically focusing on propagation methods, execution paths, payload threats and limitations, and design features. Next we will autopsy the source code of the Perl.Sanity worm and the MySpace.com virus to better understand how these programs function in the wild. We will discuss the shortcomings of these two attacks, what that tells us about the authors' sophistication, and how their impact could have been worse. Then we will hypothesize two future programs, the Swogmoh worm and the 1929 virus, and discuss their capabilities to learn how these threats might evolve. Finally, we will present guidelines for implementing new web applications securely to resist these new threats. Participants should have a good understanding of the different HTTP methods, Javascript, DOM manipulation and security, Perl, and be familiar with web application design.

Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.
Over the last three years, the Metasploit Framework has evolved from a clunky exploit toolkit to a sleek EIP-popping machine. The latest version of the Framework is the result of nearly two years of development effort and has become a solid platform for security tool development and automation. In this talk, we will demonstrate how to use the new Framework to automate vulnerability assessments, perform penetration testing, and build new security tools that interact with complex network protocols.

HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and led the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.
As one of the pioneers of partnerships for the FBI, Dan Larkin of the FBI's Cyber Division will outline how the FBI has taken this concept from rhetoric to reality over the past 5 years. This presentation will explore how the mantra "make it personal" has aided the FBI in forging exceptional alliances with key stakeholders from industry, academia and law enforcement both domestically and abroad. This presentation will also outline how such collaborations have helped to proactively advance the fight against an increasingly international and organized cyber crime threat.

Dan Larkin became unit chief of the Internet Crime Complaint Center (IC3), which is a joint initiative between the FBI and the National White Collar Crime Center (NW3C), in January 2003. Before that he was a supervisory special agent (SSA) in the White Collar Crime area for ten years. In that capacity he supervised and coordinated numerous joint agency initiatives on both regional and national levels involving corruption and fraud associated with a variety of federal, state, and local agencies. SSA Larkin acted as the congressional investigative team leader in the "Operation Illwind" Pentagon scandal corruption investigation. The combined effort of this team led to record settlements and convictions involving numerous top defense contractors, as well as public officials. Prior to his current assignment UC Larkin developed and supervised the High Tech Crimes Task Force in Western Pennsylvania, one of the first such initiatives in the United States. UC Larkin also developed a national initiative known as the National Cyber Forensics and Training Alliance (NCFTA). This progressive initiative maximizes overlapping public/private sector resources in identifying and proactively targeting escalating cyber-crime perpetrators both domestically and abroad. This project also serves to attract a perpetual stream of key Subject Matter Experts (SMEs) from industry, government and academia, creating a dynamic cyber-nerve-center for tactical and proactive response, forensics and vulnerability analysis, and the development of advanced training. UC Larkin also co-authored the FBI's re-organization plan in 2002 which established Cyber Crime as a top priority, and underscored the need for additional Public/Private Alliances in combating priority cyber crimes worldwide.
Expertise in computer forensic technology means nothing if that expertise can't be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand. This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining.
This talk will go in-depth into methods for breaking crypto faster using FPGAs. FPGAs are chips that have millions of gates that can be programmed and connected arbitrarily to perform any sort of task. Their inherent structure provides a perfect environment for running a variety of crypto algorithms and doing so at speeds much faster than a conventional PC. A handful of new FPGA crypto projects will be presented and will demonstrate how many algorithms can be broken much faster than people really think, and in most cases, extremely inexpensively.

Breaking WPA-PSK is possible with coWPAtty, but trying to do so onsite can be time consuming and boring. All that waiting around for things to be computed each and every time we want to check for dumb and default passwords. Well, we're impatient and like to know the password NOW! Josh Wright has recently added support for pre-computed tables to coWPAtty, but how do you create a good set of tables and not have it take 70 billion years? David Hulton has implemented the time consuming PBKDF2 step of WPA-PSK on FPGA hardware and optimized it to run at blazing speeds specifically for cracking WPA-PSK and generating tables with coWPAtty.

What about those lusers that still use WEP? Have you only collected a few hundred interesting packets and don't want to wait till the universe implodes to crack your neighbor's key? Johnycsh and David Hulton have come up with a method to offload cracking keyspaces to an FPGA, increasing the speed considerably.

CheapCrack is a work in progress which follows in the footsteps of The Electronic Frontier Foundation's 1998 DES cracking machine, DeepCrack. In the intervening eight years since DeepCrack was designed, built, deployed, and won the RSA DES challenge, FPGAs have gotten smaller, faster, and cheaper. We wondered how feasible it would be to shrink the cost of building a DES cracking machine from $210,000 1998 dollars to around $10,000 2006 dollars, or less, using COTS FPGA hardware, tools, and HDL cores instead of custom fabricated ASICs. We'll show CheapCrack progress to date, and give estimates on how far from completion we are, as well as a live demo.

Lanman hashes have been broken for a long time and everyone knows it's faster to do a Rainbow table lookup than go through the whole keyspace. On many PCs it takes years to go through the entire typeable range, but on a small cluster of FPGAs, you can brute force that range faster than doing a Rainbow table lookup. The code for this will be briefly presented and Chipper v2.0 will be released with many new features. David Hulton and Dan Moniz will also discuss some of the aspects of algorithms that make them suitable for acceleration on FPGAs and the reasons why they run faster in hardware.
Part two: continuation of the mock courtroom presentation above (same abstract).
The presentation will first present how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot. Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth. The ultimate goal is to demonstrate that it is possible (or soon will be) to create an undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'.

Joanna Rutkowska has been involved in computer security research for several years. She has been fascinated by the internals of operating systems since she was in primary school and started learning x86 assembler on MS-DOS. Soon after she switched to the Linux world, got involved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems. A couple of years ago she became very interested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She now focuses on both detecting this kind of activity and on developing and testing new offensive techniques. She currently works as a security researcher for COSEINC, a Singapore-based IT security company.
This presentation will discuss the use of RSS and Atom feeds as a method of delivering exploits to client systems. In our research we have found a number of RSS clients, both local and web-based, that are far too trusting of the content that is delivered via feeds. Although this content arrives as well-formed XML, fundamentally it originated as user input elsewhere. Like any such data, it can contain malicious and malformed content, yet many clients fail to guard against this. And though such content by definition originates remotely, many clients use methods of display that cause it to be trusted as if it were locally originated. As RSS becomes more ubiquitous, the scope of this problem becomes worse. Many RSS feeds are machine generated from content originating in other feeds, search engine results, and so on. This means that feed subscribers can even be targeted without them actually subscribing to your feed at all. This has potential uses for worm propagation, botnet creation, and other forms of attack.
The premise of the demonstration is that there are no secure systems. Traffic that may have malicious intent, but has not yet caused problems in any published occurrences, may reach protected services and clients after passing through edge equipment and inline IPS devices. This traffic should be sent to closely-monitored virtual machines hosting mirrors of the real services that are segregated from the primary services on the network. These virtual hosts will be the service utilized by certain types of network traffic that may have malicious intent. The purpose of sending potentially malicious traffic to the virtual services is to gain insight into the nature of the potential attack and spare the real services, thus creating an improved risk management model for the deployment of network services that are exposed to the possibility of attack scenarios. However, it is probable that in most cases the traffic will cause no harm to the virtual system and will allow the remote user access to a most likely minimal version of the service. The discussion will not be technical to the point where coding techniques are discussed. The premise will entail fitting the demonstrated project into an existing network security topology and a demonstration of an attack that foils current security, reaches the virtual services, and compromises the virtual services while the main services are not taken down. Knowledge of common network security practices and basic security auditing techniques is a prerequisite.

Philip Trainor is currently an employee of Imperfect Networks where he creates remote exploits and audits security devices and practices being used by network equipment manufacturers, antivirus companies, telcos, and several departments within the US federal Government.
Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. Happily, once people started seriously thinking about RFID security issues, the ensuing discussion raised a heap of new research questions. This presentation will serve as a forum to address some of these recent comments and questions first-hand; I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out "the facts vs. the myth" regarding the real-world implications.

Melanie Rieback is a Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID privacy management (RFID Guardian) and RFID security (RFID Malware) projects. Melanie's recent work on RFID Malware has attracted worldwide attention, appearing in the New York Times, Washington Post, Reuters, UPI, de Volkskrant, Computable, Computerworld, Computer Weekly, CNN, BBC, Fox News, MSNBC, and many other print, broadcast, and online news outlets. Melanie has also served as an invited expert for RFID discussions involving both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the MIT Center for Genome Research/Whitehead Institute. She was part of the public genome sequencing consortium, and is listed as a coauthor on the seminal paper 'Initial sequencing and analysis of the human genome', which appeared in the journal Nature.
Tony Chor will discuss Microsoft's security engineering methodology and how it is being applied to the development of Internet Explorer 7. He will detail key vulnerabilities and attacks this methodology revealed as well as how the new version of IE will mitigate those threats with unique features such as the Phishing Filter and Protected Mode.

Rob Franco lives to make browsing safer for internet users. Rob led Security improvements in Internet Explorer for Windows Server 2003, Windows XP SP2, and IE 7. Prior to that, Rob worked on Corporate deployment features such as Group Policy and the Internet Explorer Administration Kit. When he's not working, he can usually be found cycling around the Seattle area or boating on a nearby lake.
The times of designing security software as a matter of functional design are over. Positive security functional requirements do not make secure software. Think risk-driven design, think like an attacker, think about negative scenarios during the early stages of application development: from misuse and abuse cases during inception, to threats, vulnerabilities and countermeasures during elaboration, secure coding during construction, and secure testing and penetration testing during transition to the production phase. The short turbo talk objective is not to cover the academics of secure software, but to talk about a business case where software security practices and methodologies are successfully built into software produced by a very large financial institution. Both strategic and tactical approaches to software security are presented, along with artifacts that support a secure software development methodology. The critical link between technical and business risk management is proven, along with the business factors that drive the case for building secure software into a financial organization.
Runtime packers are a widely-used technique in malware today. Virtually every Win32 malware added to the WildList, as well as ad- and spyware, is packed with one or another runtime packer. Not only can they turn older malware into new threats again, but they might also prevent AV vendors from using more generic approaches and therefore require more work, which possibly generates more errors or broken updates, unless the product is able to handle all the different runtime packers out there. Yet, there aren't any comprehensive tests of runtime packer capabilities in AV products so far. We use a testset of more than 3000 runtime-packed files (with different packers, versions, compression options) to determine how well-equipped today's AV software is in dealing with these types of threats. In this presentation, we'll not only discuss the aspects of handling and detecting runtime packed malware, but also have a look into other problems that come along. These include false positives, crashes and the very slow scanning speeds seen in way too many products. Lastly, we will give an overview of the current situation, try to specify reasons for the results we got and show what should and could be done in the future.
Rootkit technology has exploded recently, especially in the realm of remote command and control vectors. This talk will cover the evolution of rootkit techniques over the years. It will explore the interaction between corporations, the open source community, and the underground. A detailed analysis of how different rootkits are implemented will be covered. Based on this analysis, the presentation concludes with a discussion of detection methods. James Butler has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller "Rootkits: Subverting the Windows Kernel". Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop, USENIX ;login:, SecurityFocus, and Phrack. He has also appeared on Tech TV and CNN. William Arbaugh spent sixteen years with the U.S. Defense Department, first as a commissioned officer in the Army and then as a civilian at the National Security Agency. During those sixteen years, Dr. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Dr. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Dr. Arbaugh received a B.S. from the United States Military Academy at West Point, an M.S. in computer science from Columbia University in New York City and a PhD in computer science from the University of Pennsylvania in Philadelphia. Prof. Arbaugh is a member of DARPA's Information Science And Technology (ISAT) study group, and he also currently serves on the editorial boards of IEEE Computer and IEEE Security and Privacy magazines. He has also co-authored a book with Jon Edney on Wi-Fi security, published by Addison-Wesley.
David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.
The Achilles' heel of network IDSs lies in the large number of false positives (i.e., false attacks) they raise: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem, affecting both signature-based and anomaly-based IDSs. Moreover, attackers can overload IT personnel by forging ad-hoc packets that produce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output produced in response to the alert-raising input traffic, one can reduce the number of false positives effectively. To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input side of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture. Benchmarks performed on POSEIDON and APHRODITE with the DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms by between 50% and 100% (improving accuracy) without reducing the NIDS's ability to detect attacks (completeness). Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division of KPMG Italy. He is author and researcher of the POSEIDON paper. Damiano Bolzoni pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division of KPMG Italy. He is author of the POSEIDON and APHRODITE papers and has given talks at the IWIA workshop, WebIT and many security conferences in the Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management.
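The input/output correlation idea can be shown with far less machinery than POSEIDON. The following is an added example (Node.js, not the APHRODITE or POSEIDON code): a 1-gram byte-frequency model of normal server responses stands in for the Output Anomaly Detector, and an input-side NIDS alert is confirmed only when the response it produced deviates from that model. The training pages, the alerts and their responses are all constructed for the example; the L1 threshold of 0.7 is an assumption chosen for this data, not a figure from the paper.

```javascript
'use strict';
// Added example: confirm NIDS input alerts by scoring the server's output (toy OAD).

// Relative frequency of each byte value in a response body.
function byteDistribution(text) {
  const bytes = Buffer.from(text, 'utf8');
  const dist = new Float64Array(256);
  for (const b of bytes) dist[b] += 1 / bytes.length;
  return dist;
}

// Model = mean byte distribution of normal output for this server.
function trainOutputModel(normalResponses) {
  const mean = new Float64Array(256);
  for (const r of normalResponses) {
    const d = byteDistribution(r);
    for (let i = 0; i < 256; i++) mean[i] += d[i] / normalResponses.length;
  }
  return { mean };
}

// L1 distance from the model: 0 = identical distribution, 2 = no byte values in common.
function outputScore(model, response) {
  if (response.length === 0) return 0; // nothing came back, so there is nothing to correlate with
  const d = byteDistribution(response);
  let s = 0;
  for (let i = 0; i < 256; i++) s += Math.abs(d[i] - model.mean[i]);
  return s;
}

// Keep an input alert only when the output it triggered is anomalous too.
function correlateAlerts(alerts, model, threshold = 0.7) {
  return alerts.map(a => {
    const score = outputScore(model, a.response);
    return { ...a, outputScore: Number(score.toFixed(3)), confirmed: score > threshold };
  });
}

// ---- constructed data: one site template, a few normal pages, three alerts ----
const htmlPage = (title, body) =>
  `<html><head><title>${title}</title></head><body><div id="nav"><a href="/">Home</a> ` +
  `<a href="/about">About</a></div><h1>${title}</h1><p>${body}</p>` +
  `<div id="footer">&copy; Example Corp, all rights reserved</div></body></html>`;

const NORMAL = [
  htmlPage('Home', 'Welcome to our site.'),
  htmlPage('About', 'We sell widgets and gadgets.'),
  htmlPage('Contact', 'Mail us at info@example.test.'),
  htmlPage('Products', 'Browse the catalogue by category.'),
];

const ALERTS = [
  // signature fired on the request, but the server only served its usual 404 page: false positive
  { sig: 'WEB-MISC /etc/passwd access', request: 'GET /../../../etc/passwd HTTP/1.0',
    response: htmlPage('Not Found', 'The page you asked for does not exist.') },
  // same kind of request where the injection worked and the server echoed command output
  { sig: 'WEB-CGI command injection', request: 'GET /cgi-bin/view?f=;id HTTP/1.0',
    response: 'uid=0(root) gid=0(root) groups=0(root)\n' },
  // a forged packet sent only to make the NIDS fire: no connection, hence no output at all
  { sig: 'WEB-ATTACKS cmd.exe access', request: 'GET /scripts/..%c0%af../winnt/system32/cmd.exe',
    response: '' },
];
```

The third alert is the case the abstract calls out: forged packets that never complete a connection produce no output, so a correlation engine must treat "no output" as "not confirmed" rather than as maximally anomalous, which is why `outputScore` short-circuits on an empty response.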
Lately there seems to be an explosion of press hype around the possibility of hackers exploiting Voice-over-IP networks and services (Skype, Vonage, etc.). VoIP spam, caller ID spoofing, toll fraud, VoIP phishing, eavesdropping, and call hijacking are just some of the terms being thrown around that seem to cause a fair share of fear and uncertainty in the market. We set out to write "Hacking Exposed VoIP" in part to combat this FUD, and also to help admins prioritize and defend against the most prevalent threats to VoIP today through real exploitation examples. This presentation is the byproduct of our research for the book. In it, we describe and demonstrate many real-world VoIP exploitation scenarios against SIP-based systems (Cisco, Avaya, Asterisk, etc.), while providing a sense of realism about which attacks are likely to emerge into the public domain. We will also unveil several VoIP security tools we wrote to facilitate the exploitation and scanning of VoIP devices, along with a few 0-days we discovered along the way. As VoIP is rolled out rapidly to enterprise networks this year, the accessibility and sexiness of attacking VoIP technology will increase. The amount of security research and bug hunting around VoIP products has only reached the tip of the iceberg and we predict many more vulnerabilities will begin to emerge. David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's internal product security testing, VoIP security center, and TippingPoint's vulnerability research teams. Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA). VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. Prior to TippingPoint, Endler led the security research teams at iDEFENSE. In previous lives, he has performed security research working for Xerox Corporation, the National Security Agency, and the Massachusetts Institute of Technology. Endler is the author of numerous articles and papers on computer security and holds a master's degree in Computer Science from Tulane University. Mark Collier, CTO for SecureLogix Corporation, is responsible for research and related intellectual property. Previously, Mr. Collier was with the Southwest Research Institute for 14 years, where he contributed to and managed software research and development projects in a wide variety of fields, including information warfare. Mr. Collier has been working in the industry for 20 years, and has spent the past decade working in security, telecommunications, and networking. He is a frequent author and presenter on the topic of voice and VoIP security and holds a Bachelor of Science degree in Computer Science from St. Mary's University.
You've heard about Trustworthy Computing and you've seen some security improvements from Microsoft. You may have wondered, "is this change real or is it just lip service?" You may also have asked yourself, "self, why did they do that?" This presentation will give you a historical and current view of the changes Microsoft has made and of the policies and procedures that deliver more secure products and improved security response. This promises to be a lively and entertaining talk illustrated with actual examples of these policies and procedures from Windows Vista and recent security updates. Andrew Cushman, Director, Security Engineering, Response and Outreach, is responsible for Microsoft's outreach to the security community and has overall responsibility for the BlueHat conference. Andrew is a member of Microsoft's Security Engineering leadership team, whose current top priority is the security of Windows Vista. Cushman was the Group Manager for the IIS team and was instrumental in shipping IIS versions 4, 5, and 6.0. Way back in the day he started his 16-year career at Microsoft testing international versions of Publisher, Money, Works and Flight Simulator.
The OODA Loop theory was conceived by Col. John Boyd, a U.S. Air Force fighter pilot. He believed that a pilot in a lethal engagement who could Observe, Orient, Decide, and Act (OODA) before his adversary had a better chance to survive. He considered air combat an art rather than a science, yet he proved it could be codified: for every maneuver there is a series of counter-maneuvers, and there is a counter to every counter. Today, successful fighter pilots study every option open to their adversary and how to respond. This panel's focus is on government efforts to get inside the cyber adversary's OODA Loop and survive another type of potentially lethal engagement. The bad guys are coming at us at the speed of light, so how do we as law enforcement or security experts get inside our adversaries' OODA Loop?
A fundamental design element of many SAN solutions is the use of metadata to provide shared access to the SAN. This is true for iSCSI as well as Fibre Channel, and across a wide variety of products. Metadata can offer a way around the built-in security features, provided the attacker has Fibre Channel connectivity. SAN architecture is an example of choosing speed over security: metadata, the vehicle that provides the speed, is a backdoor into the system built around it. In this session we will cover using metadata to DoS or gain unauthorized access to an Xsan over the Fibre Channel network.
In an online world, anonymity seems easy. Network addresses can be cloaked and files can be manipulated. People rapidly change virtual names, genders, and skills. But even with these precautions, anti-anonymity techniques can track people. Habitual patterns and learned skills are subtle, appearing in everything we type. This presentation discusses profiling methods for identifying online people and breaching anonymity. The topics covered include methods to identify skillsets, nationality, gender, and even physical attributes. Dr. Neal Krawetz has a Ph.D. in Computer Science and over 15 years of computer security experience. His research focuses on methods to track "anonymous" people online, with an emphasis on anti-spam and anti-anonymity technologies. Dr. Krawetz runs Hacker Factor Solutions, a company dedicated to security-oriented auditing, research, and solutions. He is the author of "Introduction to Network Security" (Charles River Media, 2006).
This talk will present a new web application/database penetration testing tool. The tool supports both a proxy (passive) mode and direct URL targeting. It is a combined systematic web application SQL injection pen-test tool and web application/database scanner and auditing tool, and supports the most popular databases used by web applications, such as Oracle, SQL Server, Access and DB2. It has many unique features, from automatic detection of the web application's backend database, to the ability to browse database objects (without needing to ask for passwords, of course), to the ability to locate and search for sensitive content inside the database, to finding further vulnerability points in the source as well as privilege escalation.
Imagine you're visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc., even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit, and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it.
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see: * Port scanning and attacking intranet devices using JavaScript * Blind web server fingerprinting using unique URLs * Discovering NAT'ed IP addresses with Java applets * Stealing web browser history with Cascading Style Sheets * Best-practice defense measures for securing websites * Essential habits for safe web surfing. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. A well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology.
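The first two bullets rely on one observation: a browser on the intranet will happily issue requests to intranet addresses on behalf of any page, and the page can watch how long each request takes and whether it succeeds. The following is an added example (JavaScript, not the presenters' code) of the image-timing port scan and of fingerprinting a device by loading a URL that only its web interface serves. The `createImage` parameter is injected so the logic can be exercised outside a browser; in a page you would pass `() => new Image()`. The hosts, ports, timings and signature paths in `INTRANET` and `SIGNATURES` are constructed stand-ins, not real devices.

```javascript
'use strict';
// Added example: JavaScript intranet port scan and unique-URL device fingerprinting.

// Fetch `url` as an image and report which event fired and how long it took.
function probeUrl(url, timeoutMs, createImage) {
  return new Promise(resolve => {
    const img = createImage();
    const started = Date.now();
    let timer, settled = false;
    const finish = event => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve({ event, elapsedMs: Date.now() - started });
    };
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    img.onload = () => finish('load');
    img.onerror = () => finish('error');
    img.src = url;
  });
}

// A closed port is refused at once (fast onerror). Anything that accepted the TCP connection
// answers later, either with a non-image (late onerror) or an image (onload). No event before
// the deadline means the port is filtered or the service is holding the socket open.
function classify({ event, elapsedMs }, fastErrorMs) {
  if (event === 'load') return 'open';
  if (event === 'error') return elapsedMs < fastErrorMs ? 'closed' : 'open';
  return 'filtered-or-silent';
}

async function scanHost(host, ports, { timeoutMs = 2000, fastErrorMs = 50, createImage = () => new Image() } = {}) {
  const results = await Promise.all(
    ports.map(p => probeUrl(`http://${host}:${p}/?cb=${Date.now()}`, timeoutMs, createImage))
  );
  const summary = {};
  ports.forEach((p, i) => { summary[p] = classify(results[i], fastErrorMs); });
  return summary;
}

// Each signature names an image path that only one product's web UI serves (paths are
// hypothetical). onload proves the path exists on that host, without reading any response.
async function fingerprintDevice(host, signatures, { timeoutMs = 2000, createImage = () => new Image() } = {}) {
  const hits = [];
  for (const sig of signatures) {
    const r = await probeUrl(`http://${host}${sig.path}`, timeoutMs, createImage);
    if (r.event === 'load') hits.push(sig.name);
  }
  return hits;
}

// ---- stand-in for the browser and the intranet, used for the offline run (constructed) ----
// Maps "host:port/path" to how the network would answer: refused, answered, or silent.
function fakeBrowser(table) {
  return () => {
    const img = {};
    Object.defineProperty(img, 'src', {
      set(url) {
        const u = new URL(url);
        const r = table[`${u.hostname}:${u.port || '80'}${u.pathname}`];
        if (!r) return; // silent: no event ever fires
        setTimeout(() => (r.event === 'load' ? img.onload() : img.onerror()), r.delayMs);
      },
    });
    return img;
  };
}

const INTRANET = fakeBrowser({
  '192.168.1.1:80/': { event: 'error', delayMs: 120 },               // router admin UI: HTML, not an image
  '192.168.1.1:22/': { event: 'error', delayMs: 1 },                 // connection refused
  '192.168.1.1:80/images/logo.gif': { event: 'load', delayMs: 20 },  // image that only that UI serves
  '192.168.1.20:80/': { event: 'error', delayMs: 1 },
  '192.168.1.20:8080/': { event: 'error', delayMs: 150 },
});

const SIGNATURES = [
  { name: 'hypothetical-router-model-X', path: '/images/logo.gif' },
  { name: 'hypothetical-printer-model-Y', path: '/printer/ui/banner.gif' },
];
```

Two caveats a tester should keep in mind: the timing thresholds have to be calibrated per network (a slow LAN can make a refused connection look "late"), and current browsers refuse to connect to a list of well-known non-HTTP ports and block mixed content, so this 2006-era technique degrades on modern clients even though the underlying problem, a browser that sits inside the perimeter and obeys any page, has not gone away.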
The threat of viruses, worms, information theft and lack of control over the IT infrastructure leads companies to implement security solutions that control access to their internal IT networks. A new breed of software (Sygate, Microsoft, etc.) and hardware (Cisco, Vernier Networks, etc.) solutions from a variety of vendors has emerged recently. All are tasked with one goal: controlling access to a network, using different methods and solutions. This presentation will examine the different strategies used to provide network access control. Flaws associated with each and every NAC solution presented will be presented. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market. Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks. Ofir has 10 years of experience in data security research and management. Prior to co-founding Insightix, he served as CISO of a leading Israeli international telephone carrier. In addition, Ofir has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir conducts cutting-edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security, and network discovery, and has lectured at a number of computer security conferences about the research. The best-known papers he has published are "ICMP Usage in Scanning", "Security Risk Factors with IP Telephony based Networks", "Trace-Back", and "Etherleak: Ethernet frame padding information leakage", among others. He is a co-author of the remote active operating system fingerprinting tool Xprobe2. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA) and also serves as a board member. Ofir is the founder of the Sys-Security Group, a computer security research group.
This talk provides an overview of new RFID technologies used for dual-interface cards (credit cards, ticketing and passports) and of RFID tags with encryption and security features. Problems with these security features are discussed and attacks against them are presented. After dealing with the tags, an overview of the rest of an RFID implementation, the middleware and the backend database, is given along with the results of attacks specific to this infrastructure. Is it possible that your cat is carrying an RFID virus? How might one attack the backend systems, and what does an RFID malware design look like? At the end of this talk there is a practical demonstration of the attacks discussed. Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally active consulting office working mainly in the fields of security and Internet/eCommerce and Supply Chain solutions for enterprises.
Trusted computing is considered a dirty word by many due to its use for Digital Rights Management (DRM). There is a different side of trusted computing, however, that can solve problems information security professionals have been attempting to solve for more than three decades. Large-scale deployment of trusted computing will fundamentally change the threat model we have been using for years when building operating systems, applications, and networks. This talk will examine the history of trusted computing and the current mindset of information security. From there, we will attempt to demystify the trusted computing architecture and give examples of where trusted computing is being used today. Then we'll discuss how security constructs that we know and love today (such as firewalls and SSL transactions) fundamentally change when a trusted hardware component is added. Finally, new tools will be released to allow users to examine the trusted components in their systems. Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security", published by O'Reilly, and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton.
Hardware-supported CPU virtualization extensions such as Intel's VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel® Core Solo and Duo processors found in laptops released in early 2006, with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a rootkit "hypervisor" that transparently runs the original operating system in a VM. The rootkit would be loaded in physical memory pages that are inaccessible to the running OS and can mediate device access to hide blocks on disk. This presentation will describe how VT-x can be used by rootkit authors, demonstrate a rootkit based on these techniques, and begin to explore how such rootkits may be detected. Dino Dai Zovi is a principal member of Matasano Security where he performs consulting engagements as well as research and development. Dino is a computer security professional and researcher with over 7 years of experience in software, web application, and network penetration testing, application and operating system source code review, cryptosystem design and review, malware analysis, security tool development, and Red Team security analysis for Fortune 100 firms and federal government departments and agencies. Dino's other research projects include KARMA, a wireless client-side security assessment toolkit, and Viha, the first monitor-mode wireless driver for Ap
ple's AirPort 802.11b network cards.
Hotpatching is a common technique for modifying the behavior of closed-source applications and operating systems. It is not new, and has been used by old-school DOS viruses, spyware, and many security products. This presentation will focus on one particular application of hotpatching: the development of third-party security patches in the absence of source code or vendor support, as illustrated by Ilfak Guilfanov's unofficial fix for the WMF vulnerability in December 2005. The presentation will begin with an overview of common hotpatching implementations, including Microsoft's hotpatching support in Windows Server 2003, the standard 5-byte jump overwrite, and dynamic binary translation systems. I will talk briefly about the deployment and compatibility issues surrounding third-party security patches before getting technical and delving deep into the process of hotpatch development. I will present techniques for exploit-guided debugging and reverse engineering of vulnerable functions, as well as code for hotpatch injection and binary patching. The most fun part will be at the end of the presentation, when I will do a live demo of analyzing a vulnerability and building a hotpatch for it in 15 minutes.
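The "standard 5-byte jump overwrite" is simple arithmetic once the prologue has been captured. The following is an added example (Node.js, not the presenter's code) of that arithmetic applied to a Buffer that stands in for a process's code pages: encoding and decoding `JMP rel32`, overwriting a function's first five bytes with a jump to a detour, and building the trampoline that lets the detour call the original. It only accepts the `mov edi,edi / push ebp / mov ebp,esp` prologue that Microsoft's hotpatch-enabled builds emit, because those three instructions are position-independent and fit in exactly five bytes; anything else needs a length disassembler, which this example does not contain. The addresses used are arbitrary test values, and the memory-protection and process-injection steps of a real hotpatcher are out of scope.

```javascript
'use strict';
// Added example: 5-byte JMP rel32 hotpatch arithmetic over an in-memory code image.

const JMP_LEN = 5; // E9 xx xx xx xx

// JMP rel32: the displacement is relative to the end of the jump itself (from + 5), mod 2^32.
function encodeJmpRel32(from, to) {
  const rel = (to - (from + JMP_LEN)) >>> 0; // >>> 0 reduces negative (backward) displacements mod 2^32
  const b = Buffer.alloc(JMP_LEN);
  b[0] = 0xE9;
  b.writeUInt32LE(rel, 1);
  return b;
}

function decodeJmpRel32(b, at) {
  if (b[0] !== 0xE9) throw new Error('not a JMP rel32');
  return (at + JMP_LEN + b.readInt32LE(1)) >>> 0;
}

// The only prologue this example knows how to displace: mov edi,edi; push ebp; mov ebp,esp.
const HOTPATCH_PROLOGUE = Buffer.from([0x8B, 0xFF, 0x55, 0x8B, 0xEC]);

// image: code bytes; base: virtual address of image[0]. Overwrites the prologue of the function
// at `func` with a jump to `detour` and returns the saved bytes plus a trampoline (to be placed
// at `trampolineAddr`) that runs the displaced prologue and continues in the original function.
function installDetour(image, base, func, detour, trampolineAddr) {
  const off = func - base;
  const saved = Buffer.from(image.subarray(off, off + JMP_LEN));
  if (!saved.equals(HOTPATCH_PROLOGUE)) {
    throw new Error('prologue is not the 5-byte hotpatch pattern; a length disassembler is needed to relocate it');
  }
  const trampoline = Buffer.concat([
    saved,                                                          // displaced prologue
    encodeJmpRel32(trampolineAddr + saved.length, func + JMP_LEN),  // then back into the original body
  ]);
  image.set(encodeJmpRel32(func, detour), off);
  return { saved, trampoline };
}

// Unpatching is the reverse copy; a real implementation must also make sure no thread is
// executing inside the five bytes while they are rewritten.
function removeDetour(image, base, func, saved) {
  image.set(saved, func - base);
}
```

The refusal in `installDetour` is the important part for third-party patches of the kind the talk describes: on a function that does not start with the hotpatch pattern, the five bytes may cut an instruction in half or contain a relative call, and blindly copying them into a trampoline produces a crash that only shows up on the second call.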
The known topics for this year include: 1. The Worldwide SSL Analysis: there's a major flaw in the way many, many SSL devices operate. I'll discuss how widespread this flaw is, and announce results from this worldwide SSL scan. 2. Syntax highlighting... on hexdumps. Reverse engineering efforts often require looking at hex dumps without much context for what's being looked at. I will discuss a "bridge" position between AI and manual operation, in which compression code is used to automatically visualize patterns in analyzed data. 3. Everything else.
This presentation will offer a technical overview of the security engineering process behind Windows Vista. Windows Vista is the first end-to-end major OS release in the Trustworthy Computing era from Microsoft. Come see how we've listened to feedback from the security community and how we've changed how we engineer our products as a result. The talk covers how the Vista engineering process is different from Windows XP, details from the largest commercial pentest in the world, and a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities. It includes behind-the-scenes details you won't hear anywhere else.
How often have you encountered random-looking cookies or other data in a web application that didn't easily decode to human-readable text? What did you do next: ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it? This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter's penetration testing experience. This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers.
There is an often-overlooked security design flaw in many web applications today. Web applications often take user input through HTML forms. When privileged operations are performed, the server verifies that the request comes from an authorized user. Cross-Site Request Forgery attacks allow an attacker to coerce an authorized user into requesting privileged operations of the attacker's choice. Learn about this attack, how you can quickly identify these bugs in web applications, common techniques programmers use to prevent these attacks, common bugs in some of these preventions, how the attack applies to SOAP, and how to automate tests to verify that the attack is successfully prevented. Tom Gallagher has bee
Reverse engineering has come a long way: what used to be practiced behind closed doors is now a mainstream occupation practiced throughout the security industry. Compilers and languages are changing, and the reverse engineer has to adapt: nowadays, understanding C and the target platform's assembly language is no longer sufficient. Too many reverse engineers shy away from analyzing C++ code and run into trouble dealing with heavily optimized executables. This talk will list common challenges that the reverse engineer faces in disassembly today and suggest some solutions. Furthermore, a list of unsolved problems will be discussed. Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.
Monkeyspaw is a unified, single-interface set of security-related website evaluation tools. Implemented in Greasemonkey, its purpose is to automate several common tasks employed during the early steps of an incident investigation involving client-side exploits. More generally, Monkeyspaw is also intended to demonstrate some of the more interesting data correlation capabilities of Greasemonkey. Hopefully, its release will encourage more security application development in this easy to use, cross-platform, web-ready scripting environment. About Greasemonkey: Greasemonkey is described as "bookmarklets on crack" by its primary developer, Aaron Boodman. For more details, see his presentation.
Ajax can mean different things to different people. To a user, Ajax means smooth web applications like Google Maps or Outlook Web Access. To a developer, Ajax provides methods to enrich a user's experience with a web application by reducing latency and offloading complex tasks to the client. To an information architect, Ajax means fundamentally changing the design of web applications so they span both client and server. To the security professional, Ajax makes life difficult by increasing the attack surface of web applications and exposing internal logic layers to the entire network. With 70% of attacks coming through the application layer, Ajax makes the job of securing web applications that much harder. This presentation will comprehensively discuss the fundamental security issues of Ajax. These include browser/server interaction issues, application design issues, vulnerabilities in work-arounds like Ajax bridges, and how the hype surrounding Web 2.0 applications is making things worse. Specifically, we will examine the different attack methodologies used against Ajax applications, how Ajax increases the danger of XSS attacks, the dangers of exposing your application logic layer to the network, how bridges can be used to exploit third-party sites, and more. Finally, we discuss how to properly design an Ajax application to avoid these security issues and demonstrate methods to secure existing applications. Participants should have a good understanding of HTTP and JavaScript, and be familiar with web application design. Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and websites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus.
PL/SQL has been the flagship language inside the Oracle database for many years and through many versions, allowing customers to implement their business rules and logic. Oracle has recognized that customers need to protect the intellectual property coded in PL/SQL and has provided the wrap program. The wrapping mechanism was cracked some years ago and there are unwrapping tools in the black hat community. Oracle has beefed up the wrapping mechanism in Oracle 10g, in part to counter this. What is not common knowledge amongst the user community is that PL/SQL code installed in the database is not secure and can be read by anyone in possession of an unwrapper. What is not common knowledge even in the security community is that Oracle always knew PL/SQL could be unwrapped, because of the methods chosen to wrap it in the first place. More surprising still, there are features and programs actually shipped with the database software that show how it is possible to unwrap PL/SQL without using reverse engineering techniques, if you know where to look! Pete Finnigan is well known in the Oracle community for hosting his Oracle security website, www.petefinnigan.com, which includes a whole raft of Oracle security information: blogs, forums, tools, papers and links. He is also the author of the "SANS Oracle Security Step-By-Step" guide book and of the SANS GIAC Oracle security course. Pete currently works for Siemens Insight Consulting as head of their database security team, performing security audits, training, design and architecture reviews. He has also written many useful Oracle security scripts and password lists, available from his website, and many papers on the subject published by many different sites including Security Focus and iDefense. Pete is also a member of the OakTable, a group of the world's leading Oracle researchers.
This session will examine the threat of spyware to corporations. What does the threat currently look like and how is it evolving? What market forces are at play? How big of a threat is spyware for corporations now and in five years? What countermeasures work now and in the future? How are regulators working to combat this threat?
How could an attacker steal the phone numbers stored on your mobile, eavesdrop on your conversations, see what you're typing on the keyboard, take pictures of the room you're in, and monitor everything you're doing, without ever getting in range of your Bluetooth mobile phone? In this talk we present a set of projects that can be combined to exploit the weaknesses of Bluetooth devices (and users...), building a distributed network of agents spreading via Bluetooth which can seek given targets and exploit the devices to log keystrokes, steal data, record audio, take pictures and then send the collected data back to the attacker, either through the agent network or directly. We show the different elements that compose the whole project, giving an estimate, through real data and mathematical models, of the effectiveness of that kind of attack. We also show what our hidden, effective and cool worm-spreading trolley looks like: say hello to the BlueBag! ;-) Claudio Merloni, M.S. in Computer Engineering, graduated from the Politecnico di Milano School of Engineering. Since 2004, he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. His daily work is focused mainly on security policies and management, security assessment and computer forensics. Luca Carettoni is a Computer Engineering student at the Politecnico di Milano. His current research and master's degree thesis deal with automatic detection of web application security flaws. Since 2005 he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. He is the author of several research papers, advisories and articles on computer security for Italian journals. His interests revolve around three attractors: web application security, mobile computing and digital freedom.
VoIP applications have gone mainstream, although the underlying protocols are still undergoing constant development. The SIP protocol, the main driver behind this, has been analyzed, fuzzed and put to the test before, but interoperability weaknesses still leave a large field for attacks. This presentation gives a short introduction to the SIP protocol and the threats it exposes; enough to understand the issues described. A SIP stack fingerprinting tool will be released during the talk which allows different stacks to be identified and classified for further attacks. The main part focuses on practical attacks targeting features from caller ID spoofing to Lawful Interception. Various attack vectors are pointed out to allow further exploit development. Hendrik Scholz is a lead VoIP developer and Systems Engineer at Freenet Cityline GmbH in Kiel, Germany. His daily job consists of developing server-side systems and features as well as tracking down bugs in SIP stacks. He earned his Bachelor in Computer Science from the German University of Applied Sciences Kiel in 2003. While studying abroad in Melbourne, Australia and working as a Unix developer in Atlanta, GA and Orlando, FL, he contributed to FreeBSD and specialized in networking security issues. He has released Operating System level as well as Application Layer fingerprinting tools. Having access to present and upcoming VoIP devices, hacking on these has become a spare-time passion.
In the past couple of years there have been major advances in the field of rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker to FU. Rootkit technology is growing at an exponential rate and is becoming an everyday problem. Spyware and BotNets, for example, are using rootkits to hide their presence. During the same time, there have been few public advances in the rootkit detection field since the conception of VICE. The detection that is out there only meets half the need, because each tool is designed to detect a very specific threat. After three years, it's time for another run at rootkit detection. This presentation will review the state of the industry in rootkit detection, which includes previously known ways to detect rootkits and hooks. It will be shown how the current detection is inadequate for today's threat, as many detection algorithms are being bypassed. The talk will outline what those threats are and how they work. The presentation will then introduce the RAIDE (Rootkit Analysis Identification Elimination) tool and detail RAIDE's unique features, such as unhiding hidden processes, showing new ways to detect hidden processes, and restoring non-exported ntoskrnl functions. The talk will conclude with a demonstration, which at Black Hat Europe included five rootkits, one virtual machine, two kernel-level debuggers, and RAIDE running happily on top of them all. Peter Silberman has been working in the computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was employed at HBGary during the summer of 2005; during the rest of the year, Peter is an independent security researcher who tries to contribute to openRCE.org in his spare time. Peter is currently a sophomore at a liberal arts school where he tries to not let education interfere with his learning. Peter, if not behind a computer or power tools, can be found behind a pong table mastering his skills.
Jamie Butler is the Chief Technology Officer at Komoku, Inc. He has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was also the Director of Engineering at HBGary, Inc., focusing on rootkits and other subversive technologies. Mr. Butler has a Master's degree in Computer Science from the University of Maryland and a B.B.A. and B.S. from James Madison University. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller "Rootkits: Subverting the Windows Kernel." Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop proceedings, USENIX ;login:, SecurityFocus, and Phrack. He is a frequent speaker at computer security conferences such as the Black Hat Security Briefings and has appeared on Tech TV and CNN. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc., specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel," due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds an MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX ;login:, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers, concentrating on host-based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com.
This presentation shows the next (second) generation of Oracle Rootkits. In the first generation, presented at Black Hat 2005 in Amsterdam, Oracle Rootkits were implemented by modifying database views to hide users, jobs and sessions. The next generation, presented at Black Hat USA, uses more advanced techniques to hide users and implement backdoors. Modifications to the data dictionary objects are no longer necessary, so it is not possible to find the new generation of rootkits by checksumming the data dictionary objects. Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialized in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and has given various presentations at security conferences such as Black Hat, Bluehat and IT Underground. Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products.
Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be.