Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

In this talk we will discuss what is now referred to as "The 'first' Internet War" where Estonia was under massive online attacks for a period of three weeks, following tensions with the local Russian population. Following a riot in the streets of Tallinn, an online assault begun, resulting in a large-scale coordination of the Estonian defenses on both the local and International levels. We will demonstrate what in hind-sight worked for both the attackers and the defenders, as well as what failed. Following the chronological events and technical information, we will explore what impact these attacks had on Estonia's civil infrastructure and daily life, and how they impacted its economy during the attacks. Once we cover that ground, we will evaluate what we have so far discussed and elaborate on lessons learned while Gadi was in Estonia and from the post-mortem he wrote for the Estonian CERT. We will conclude our session by recognizing case studies on the strategic level, which can be deducted from the incident and studied in preparation for future engagements in cyber-space. Gadi Evron works for the Mclean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing as well as is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager which he founded.

Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework. REVIEWER NOTES: This is a monstrous presentation and will absolutely require the 150-minute time slot. For a smaller version of this presentation, please see my other submission (System Cracking with Metasploit 3). The goal of this presentation is to show some of the non-standard ways of breaking into networks, methods that are often ignored by professional pen-testing teams.

2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with a announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON 16. Brad Stone, New York Times technology correspondent Brad Stone joined the New York Times in December 2006. He covers Internet trends from the newspapers San Francisco bureau. In addition to writing for the paper, he contributes to the Times technology blog, Bits. >From 1998 to November 2006, Stone served as the Silicon Valley Correspondent for Newsweek magazine, writing for the technology and business sections of the magazine and authoring a regular column, Plain Text, on our evolving digital lifestyles. He joined the Newsweek writing staff in 1996 as a general assignment reporter and covered a wide range of subjects. He wrote about Mark McGwire's home run chase during the summer of 1998, the jury deliberations in the Timothy McVeigh trial, and profiled authors such as Kurt Vonnegut. He is also a frequent contributor to Wired magazine, and has written for publications such as More magazine and the Sunday Telegraph in London. Brad graduated from Columbia University in 1993 and is originally from Cleveland, Ohio. Patrick Chung, Partner, NEA Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC) to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusettsbars. Maria Cirino, Co-Founder and Managing Director, .406 Ventures Maria is co-founder and managing director of .406 Ventures, a new VC firm focused on early stage investments in security, IT, and services. She serves as an active investor, director and/or chairman in one public company and four venture-backed companies including Verecode and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of Verisign following its 2005 $142 million acquisition of Guardenta Sequoia, Charles River Ventures and NEA-backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category creating network infrastructure company from 1993 to 1997. Mark McGovern, Tech Lead, In-Q-Tel Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute. Dov Yoran is a Partner at Security Growth Partners (SGP). Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc. a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts. Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents. Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, in a $145 Million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue. Prior to that, Mr. Yoran has worked in several technology start-ups as well as Accenture (formerly Anderson Consulting) where he focused on technolog and strategy engagements in the Financial Services Industry. Mr. Yoran has also written and lectured on several Information Security topics. He holds a Masters of Science in Engineering Management and System Engineering with a concentration in Information Security Management from the George Washington University and is a cum laude Bachelor of Science in Chemistry graduate from Tufts University.

This presentation reviews the important prosecutions, precedents and legal opinions of the last year that affect internet and computer security. We will discuss the differences between legal decisions from criminal cases and civil lawsuits and what that means to the security professional. Additionally, we look at topics such as: email retention and discovery; Hewlett-Packard; active response; nondisclosure and non-competition agreements; identity theft and notification issues; legal aspects of emerging technologies; lawsuits involving IT corporations (Google, Yahoo, Apple, Microsoft); and of course, the NSA surveillance litigation. As always, this presentation is strongly audience driven and it quickly becomes an open forum for questions and debate.

To those who seek truth through science, even when the powerful try to suppress it. Richard A. Clarke is a former U.S. government official who specialized in intelligence, cyber security and counter-terrorism. Until his retirement in January 2003, Mr. Clarke was a member of the Senior Executive Service. He served as an advisor to four U.S. presidents from 1973 to 2003: Ronald Reagan, George H.W. Bush, Bill Clinton and George W. Bush. Most notably, Clarke was the chief counter-terrorism adviser on the U.S. National Security Council for both the latter part of the Clinton Administration and early part of the George W. Bush Administration through the time of the 9/11 terrorist attacks. Clarke came to widespread public attention for his role as counter-terrorism czar in the Clinton and Bush Administrations when in March of 2004 he appeared on the 60 Minutes television news magazine, his memoir about his service in government, Against All Enemies was released, and he testified before the 9/11 Commission. In all three instances, Clarke was sharply critical of the Bush Administration's attitude toward counter-terrorism before the 9/11 terrorist attacks and the decision to go to war with Iraq. Richard Clarke is currently Chairman of Good Harbor Consulting, a strategic planning and corporate risk management firm, an on-air consultant for ABC News, and a contributor to GoodHarborReport.com, an online community discussing homeland security, defense, and politics. He also recently published his first novel, The Scorpion's Gate, in 2005; and a second, Breakpoint, in 2007.

Software companies inevitably produce insecure code. In 2006 alone, CERT has recognized over 8,000 published vulnerabilities in applications. Attackers were previously occupied by the weaker operating systems and have moved on to easier targets: applications. What makes this situation worse, is the weaponization of these exploits and the business drivers behind them. Some organizations struggle to deal with this trend to try to protect their products and customers. Other organizations have nothing in place, and need to create measures as soon as possible. This talk will raise several issues that global enterprise organizations currently face with application security and how to overcome them in a cost-effective manner. Some of the issues that will be discussed are software development lifecycle integration, global policy and compliance issues, necessary developer awareness and automated tools, and accurate metrics collection and tracking to measure the progress. Attendees will be introduced to best practices which have worked for McAfee and other large scale global enterprises, and be shown which practices to avoid. If you're only going to invest in a single activity to start, this talk will help you figure out what it should be, and how to measure its success. David Coffey is the manager of product security at McAfee. At McAfee, David is responsible for assessing the current state of security of the products, development process, and architecture. David is also responsible for leading a geographically distributed team to provide guidance and education to McAfee employees on security measures, process, integration as well as industry best practices. David has been a professional in the technology field for over a decade, providing for strong computer fundamentals and is proficient in both NIX and Windows environments. Prior to joining McAfee, David spent several years working as either an employee or a consultant in financial institutions around the New York area. David later concentrated on architecting, developing and securing multi-tiered, high traffic, dynamic websites, with the largest one doing 92 million hits per day. David served as the sole Application Security Engineer in the 4th largest cable company in the US, performing duties ranging from code audits to architecting IDS deployments to assisting in the securing of network architectures. Most recently, David had the role of Principle Consultant at a security consulting company, managing the security process integration and adoption for a large financial institution which handles a little over 1 quadrillion dollars a year. John Viega is Vice President and Chief Security Architect at McAfee, Inc. In this role he is responsible for McAfee Avert Labs' engineering efforts, including the anti-virus engine. In addition to Viega is also in charge of product security strategy, leading security audits of code, and helping to shape the technical directions for the product lines at McAfee. Viega is a well known security expert and cryptographer and has co-authored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software.

For 10 years Side Channel Analysis and its related attacks have been the primary focus in the field of smart cards. These cryptographic devices are built with the primary objective to resist tampering and guard secrets. Embedded systems in general have a much lower security profile. This talk explores the use and impact of Side Channel Analysis on embedded systems. These systems have their own specific need for security. This need can vary significantly between systems and in addition a much wider range of attacks is possible. At the same time different countermeasures are available to defend against Side Channel Analysis. The options for developers to mitigate the impact of such attacks will be examined.

Runtime code coverage analysis is feasible and useful when application source code is not available. An evolutionary test tool receiving such statistics can use that information as fitness for pools of sessions to actively learn the interface protocol. We call this activity grey-box fuzzing. We intend to show that, when applicable, grey-box fuzzing is more effective at finding bugs than RFC compliant or capture-replay mutation black-box tools. This research is focused on building a better/new breed of fuzzer. The impact of which is the discovery of difficult to find bugs in real world applications which are accessible (not theoretical). We have successfully combined an evolutionary approach with a debugged target to get real-time grey-box code coverage (CC) fitness data. We build upon existing test tool General Purpose Fuzzer (GPF) [8], and existing reverse engineering and debugging framework PaiMei [10] to accomplish this. We call our new tool the Evolutionary Fuzzing System (EFS). We have shown that it is possible for our system to learn the targets language (protocol) as target communication sessions become more fit over time. We have also shown that this technique works to find bugs in a real world application. Initial results are promising though further testing is still underway. This talk will explain EFS, describing its unique features, and present preliminary results for one test case. We will also discuss future research efforts.

As VoIP products and services increase in popularity and as the "convergence" buzzword is used as the major selling point, it's time that the impact of such convergence and other VoIP security issues underwent a thorough security review. This presentation will discuss the current issues in VoIP security, explain why the current focus is slightly wrong, then detail how to effectively test the security of VoIP products and services. With examples of real life vulnerabilities found, how to find these vulnerabilities and why many of them shouldn't be there in the first place.

A growing number of proprietary protocols are using end-to-end encryption to avoid being detected via network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well known ports that are open through most firewalls to tunnel commands for controlling zombie systems. This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol in a 10-dimensional space. Clustering algorithms are applied to accurately identify a wide variety of protocols. This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.

Tor project, an anonymous communication system for the Internet that has been funded by both the US Navy and the Electronic Frontier Foundation.

This presentation addresses the stated problem by focusing specifically on C++-based security, and outlines types of vulnerabilities that can exist in C++ applications. It will examine not only the base language, but also covers APIs and auxillary functionality provided by common platforms, primarily the contemporary Windows OSs. The topics that will be addressed in this presentation include object initialization/destruction, handling object arrays, implications of operator overloading, and problems arising from implementing exception handling functionality. Various STL classes will also be discussed in terms of how they might be susceptible to misuse, and unexpected quirks that can manifest as security problems. This presentation will include discussion of bug classes that have yet to be discussed or exploited in a public forum (to our knowledge) for the topic areas outlined.

Kernel vulnerabilities are often deemed unexploitable or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to ""creative debugging"" and knowledge about the target in question. This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities without public exploits. From a defenders point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited. The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed to determine if and how they can be reliably exploited and of course the exploits will be demonstrated in practice. The vulnerabilities that will be discussed are: - FreeBSD 802.11 Management Frame Integer Overflow Found and exploited by Karl Janmar. Advisory: http://www.signedness.org/advisories/sps-0x1.txt - NetBSD Local Kernel Heap Overflow Found by Christer ?berg, exploited by Christer ?berg and Joel Eriksson. - Windows (2000 & XP) Local GDI Memory Overwrite Found by Cesar Cerrudo, exploited by Joel Eriksson. Advisory: http://projects.info-pull.com/mokb/MOKB-06-11-2006.html More information about the vulnerabilities can be found at: http://kernelwars.blogspot.com/

The web browser is ever increasing in its importance to many organizations. Far from its origin as an application for fetching and rendering HTML, today?s web browser offers an expansive attack surface to exploit. All the major browsers now include full-featured runtime engines for a variety of interpreted scripting languages, including the popular JavaScript. The web experience now depends more than ever on the ability of the browser to dynamically interpret JavaScript on the client. The authors present a software framework for the automated collection of JavaScript from the wild, the subsequent identification of malicious code, and characteristic analysis of malicious code once identified. Building on the work of several existing client honeypot implementations, our goal is to largely automate the painstaking work of malicious software collection. Our focus is on attacks using JavaScript for obfuscation or exploitation. The authors will present findings based on the deployment of a distributed network of CaffeineMonkeys. The analysis and conclusions will focus on identifying new in-the-wild obfuscation / evasion techniques and JavaScript browser exploits, quantifying the prevalence and distribution of well-known and newly discovered obfuscation and evasion techniques, as well as quantifying the prevalence and distribution of known and newly discovered JavaScript browser exploits. The authors will release a previously unpublished JavaScript evasion technique and demonstrate its use in evading a variety of present-day defensive technologies. Where present-day defenses have been demonstrated to be insufficient, the authors will present new ideas for ways mitigate the new threats.

Traditional exploitation techniques of overwriting heap metadata has been discussed ad-nauseum, however due to this common perspective the flexibility in abuse of the heap is commonly overlooked. This presentation examines a flaw that was found in several popular open-source applications including mod_auth_kerb (Apache Kerberos Authentication), Samba, Heimdal, OpenBSDs kerberos implementation (not exploitable), and so on, as a method for exploring heap structure exploitation and hopefully providing a gateway to understanding the true beauty of data structure exploitation. This focuses on the dynamic memory management implementation provided by the GNU C library, particularly ptmalloc2 and presents methods for evading certain sanity checks in the library along with previously unpublished methods for obtaining control.

Databases are the single most valuable asset a business owns. Databases store and process critical healthcare, financial and corporate data, yet businesses place very little focus on securing and logging the underlying database transactions. As well, in an effort to trim costs, many organizations are consolidating several databases on to single mission critical systems which are frequently targeted by attackers. With large data security breaches occurring at an alarming rate, several database logging tools have been released in the industry, however adoption of these products is slow leaving these mission critical systems vulnerable and ill-equipped for traditional forensic analysis. Database forensics is a relatively unknown area of digital investigation but critical to investigating data security breaches when logging tools are unavailable or inadequate. There is very limited information available today on this subject and, at the time of this writing, no known information targeting SQL Server 2005 forensics. This presentation provides attendees a "real world" view into SQL Server 2005 forensics and how to gather evidence from the hidden database repositories using forensically sound practices.

Imagine you are king for a day. Enemies are all around you, and they seem to be using the Internet to plot against you. Using real-world cyber war stories from the most tightly controlled nations on Earth, Greetz from Room 101 puts you in the shoes of a king who must defend the royal palace against cyber-equipped revolutionaries. Can a monarch buy cyber security? Are his trusty henchmen smart enough to learn network protocol analysis? Could a cyber attack lead to a real-life government overthrow? Ten case studies reveal the answers. Which countries have the Top Ten most Orwellian computer networks? Come to the talk and find out. Now imagine that your name is Winston Smith, and that you live in a place called 1984. You don't trust the government, and you don't trust the evening news. You can't send your girlfriend an email because you think that the Thought Police will get it first. Greetz from Room 101 details what Web surfing, email, blogging, and connections to the outside world are like for the half of our planet's population who enjoy little to no freedom online, in places where network security battles can mean life or death. Last but not least, the Black Hat audience will hear about the future of cyber control, and the future of cyber resistance.

The simple decision by a researcher to tell what he or she has discovered about a software product or website can be very complicated both legally and ethically. The applicable legal rules are complicated, there isn?t necessarily any precedent, and what rules there are may be in flux. In this presentation, I will use Cisco and ISS's lawsuit against Michael Lynn (from Black Hat 2005) and HID's cease and desist letter to IOActive (from Black Hat 2006) to discuss major intellectual property law doctrines that regulate security research and disclosure. I will give the audience some practical tips for avoiding claims of illegal activity.

Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-actor authentication can protect websites from attack. One quote from a member of the community summed it way: ""The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left - including the ""I'll just browse without JavaScript"" mantra. Could you really call that browsing anyway?"" -Kryan That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques - such as Browser Intranet Hacking, Port Scanning, and History Stealing - can still be perpetrated. From an enterprise security perspective, when users are visiting ""normal"" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network. This years new and lesser-known attacks attack techniques Anti-DNS Pinning, Bypassing Mozilla Port Blocking / Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks. You'll see: - Web Browser Intranet Hacking / Port Scanning - (with and without JavaScript) - Web Browser History Stealing / Login Detection - (with and without JavaScript) - Bypassing Mozilla Port Blocking / Vertical Port Scanning - The risks involved when websites include third-party Web pages widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.) - Fundamentals of DNS Pinning and Anti-DNS Pinning - Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)

Several protection techniques based on run-time taint analysis have been proposed within the last 3 years. Some of them provide full-automated protection for existing web applications, others require human interaction, and yet others require source code modification and/or special tunning. We briefly discuss advantages and disadvantages of these approaches. Next, we introduce a new technique which permits to efficiently identify and block several attack vectors on the fly by augmenting the web application's execution environment to include tracking information. Most web-scripting languages including PHP, ASP, Python, Perl and Java can be protected with this technique. Typical exploitation methods such as database-injection attacks, shell injection attacks, cross-site scripting attacks and directory-transversal attacks are prevented. More generally, this solution to the injection vulnerability problem for web applications is based on a characterization of the injection attacks family -that we implemented. The execution environment includes instrumentation information to allow identification of syntactic alteration of a sentence in cross-language boundaries. This characterization allows us, furthermore, to enforce privacy: it protects from untrusted users that try to obtain private data that stored within the web application's network. Thus, putting off the theft of sensitive data, like credit card information, as well as averting information leakage.

It is important for the security professional to understand the techniques used by those they hope to defend against. This presentation focuses on the anti-forensic techniques which malware authors incorporate into their malicious code, as opposed to relying solely on an external rootkit. In addition to describing a number of known but scarcely documented techniques, this presentation will describe techniques which have never been observed through the presenter?s experience with incident response and malware reverse engineering. This presentation will also demonstrate a new technique for executing a malicious program directly from memory under unix. A new technique for avoiding entropy detection of packed or encrypted executables will also be discussed. This presentation will contain a great deal of highly technical content which covers the specifics of the techniques down to the machine instruction level. For the security professional/enthusiast with a limited technical background in this area, this presentation will serve as an eye-opening overview of malware anti-forensic techniques as well as a limited introduction to forensic analysis. The Executable Toolkit (exetk) will be introduced and demonstrated throughout the presentation. Included in the toolkit are various utilities for data hiding, manipulation and infection of executable files. The ability to execute a program directly from memory greatly enhances its stealth. With this ability, one malicious program can use any technique it chooses (such as downloading from the web) to fill a memory buffer with an executable, and then launch it directly without that executable ever being written to disk. If the executable is never written to disk there will be no binary for a forensic examiner to capture. A somewhat similar technique has been described before by ?the grugq?, though its inner workings were never fully described nor promised source code released. The approach taken by ?the grugq? was also significantly more obtuse and importable. The approach to executing a process directly from memory under unix which I describe for the first time in this presentation will take the following three stage approach. The first stage is a part of an executable program which is either stand alone or infected into another legitimate process or program file. The job of the first stage loader is to first act as a debugger, and launch a debugged process with a breakpoint at the entry point. This is accomplished through the ptrace() system call. With the debugged process suspended by a breakpoint at its entry point, the first stage loader will overwrite the memory at the entry point with the second stage loader, then resume continuous execution on the process. When the debugged process resumes continuous execution the code of the second stage loader begins executing. The role of the second stage loader is to first allocate enough memory for the new malicious executable. It then adjusts the memory protection on the new memory area to allow for writing and executing in addition to reading. The purpose for having a third stage loader is that the new executable code will likely have to be written to the same memory area in which the second stage loader currently resides. The third stage loader is a part of the same program which contains the first stage loader and performs its memory operations on the debugged process in the same fashion tradition debuggers use to alter process memory. Control is passed from the second stage loader to the third stage loader simply by setting a breakpoint interrupt at the end of the second stage loader. Control will return to the same program which contains the first stage loader but its role at this point is changed. The job of the third stage loader is to copy the malicious program into the new process memory in the same fashion as the operating system would had the program been executed traditionally. The third stage loader must also manually resolve program imports by loading all dynamic libraries and finding the appropriate exported symbols and populating the pointers in the program?s import table accordingly. Once everything has been loaded and dynamically linked, the instruction pointer of the new malicious process is set to its entry point and execution is resumed. At this point the process containing the first and third stage loader may detach itself from debugging if necessary. Packers will be discussed in detail. Use of a common packer such as UPX or PECompact can mask the malicious functionality of an executable but it is also very easy to ?unpack? these executables. This presentation will discuss how exactly a packer works and how you can write your own. The Executable Toolkit (exetk) will be demonstrated as a clean reference implementation for a simple obfuscating packer. The latest malware detection software is beginning to scan for such custom packers through the use of entropy (randomness) detection. The presentation will discuss a technique to create a packer which obscures program contents which keeping a non-suspicious entropy within the data.

Macs use an ultra-modern industry standard technology called EFI to handle booting. Sadly, Windows XP, and even Vista, are stuck in the 1980s with old-fashioned BIOS. But with Boot Camp, the Mac can operate smoothly in both centuries." - Quote taken from http://www.apple.com/macosx/bootcamp/ The Extensible Firmware Interface (EFI) has long been touted as the replacement for the traditional BIOS and was chosen by Apple as the pre-boot environment for Intel-based Macs. This presentation explores the security implications of EFI on firmware-based rootkits. We start by discussing the limitations of the traditional BIOS and the growing need for an extensible pre-boot environment. We also cover the key components of the EFI Framework and take a look at the fundamental design decisions affecting EFI and their consequences. Next we consider the entry points that an EFI system exposes - just how an attacker may set about getting their code into the EFI environment - taking the Apple Macbook as our reference implementation. After demonstrating several means of achieving the above, we turn our attention to subverting the operating system from below, drawing parallels wherever possible to attacks against systems running a traditional BIOS. The final part of this presentation discusses the evolution of EFI into the Unified Extensible Firmware Interface (UEFI), soon to be supported by Windows Server (Longhorn) and discusses the application of the previously discussed attacks to UEFI.

Web Services are becoming commonplace as the foundation of both internal Service Oriented Architectures and B2B connectivity, and XML is the world's most successful and widely deployed data format. This presentation will take a critical look at the technologies used to secure these systems and the emerging attention to "message-oriented" security. How do WS-Security, XML Digital Signatures and XML Encryption measure up? The first half of the talk will take a strategic view of message-oriented security and compare it to existing alternatives like SSL. The second half will be a technical deep dive into XML Digital Signatures as a case study in security technology design. The state of the art in XML attacks will be summarized and advanced, including a series of critical design flaws that allowed achieving reliable cross-platform code injection on multiple vendor platforms. A tool will be demonstrated to apply a several of the attack techniques discussed against SAML messages.

This talk will present the results of a broad analysis performed on the network-facing components of the release (RTM) version of Microsoft Windows Vista, as well as the results of study of the security implications of the related Teredo protocol. Windows Vista features a rewritten network stack, which introduces a number of core behavior changes. New protocols include IPv6 and related protocols, LLTD, LLMNR, SMB2, PNRP, PNM, and WSD. One of the IPv4-IPv6 transition mechanisms provided by Vista is Teredo, which tunnels IPv6 through a NAT by using IPv4 UDP. This provides globally usable IPv6 addresses without the knowledge or cooperation of any part of local network. The main security concerns raised by Teredo involves security controls being bypassed, defense in depth reduced, and unsolicited traffic being allowed by the protocol. Other security concerns with Teredo include the capability of remote nodes to open the NAT for themselves, worms, ways to deny Teredo service, the difficulty in finding all Teredo traffic to inspect, and a new phishing mechanism.

The past year has seen several web worms attacks against various online applications. While these worms have gotten more sophisticated and made use of additional technologies like Flash and media formats, they all have some basic limitations such as infecting new domains and injection methods. These worms are fairly easily detected using signatures and these limitations have made web worms annoying, but ultimately controllable. Often the source website simply fixes a single flaw and the worm dies. In this presentation we will examine ways web worms might evolve to overcome these limitations. We describe a hybrid web worm combining both server-side and client side languages to exploit both the web server and the web browser to aid in its propagation across multiple hosts. We will discuss how such a hybrid worm is able to find new vulnerable systems and infect new hosts on different domains from both the client and the server. In addition will we look at how a hybrid worm could upgrade its infection methods while in the wild by fetching and parsing new web vulnerability information from public security sites, preventing a single silver bullet fix from stopping it. We will examine how web worms could implement polymorphism and source code mutation to evade signature detection systems. While these are not new concepts applying them to interpreted languages like Perl or JavaScript inside a browser allowed for some interesting twists and caused some challenges. While we have not built a fully functioning hybrid worm, we will demo different parts of the worm in isolation to show how these features would function. Specifically we will look at how the worm could upgrade itself with publicly available vulnerability data as well as source code mutation. Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website?s database. Finally we will discuss steps to prevent hybrid web worms from exploiting a website or its users.

Most people think of reverse engineering as a tedious process of reading disassembled CPU instructions and attempting to predict or deduce what the original 'c' code was supposed to look like. This process is difficult, time consuming, and expensive, but it doesn't need to be. Software programs can be made to reverse engineer themselves. Software, as a machine, can be understood by active observation, as opposed to static decompilation and prediction. In other words, you can reverse engineer software by using it, as opposed to reading code. Code is nothing more than an abstraction of runtime states. When software operates it reverse engineers itself by design, exposing its conceptual abstraction to the CPU and memory. The problem is that computers only need to know about what the current state is, and because of that, they discard this veritable treasure trove of information. Observation of software behavior provides no less data than static reverse engineering, and in fact provides a great deal more information that is easier to understand and costs less to obtain. Human reverse engineers need tools and methods to capture and analyze this data. Traditional debugging tools don't tie run-time information to abstract functionality because all this state information is too complex. But what the debugger doesn't see is precisely what the reverse engineer does see while running the program. The human mind grasps abstract functionality, the intent behind the seething mass of code and data. This is why automated program analysis can never replace the human mind. Humans use software at a high layer of abstraction while the computer sees only the fine grains of detail. The challenge for the reverse engineer is to join the two extremes. Historically, this chasm between total abstraction and microscopic granularity has been bridged by static disassembly and this is the reason most people haven't tackled reverse engineering. In truth, most people who are daunted by this barrier could, in fact, be excellent reverse engineers. This is a terrible shame because there are many tools and techniques available for reverse engineering that do not, or at least, should not require reading disassembled instructions. And even though the tools can't go from fine grains to mountains automatically, proper usage can reveal the links between user action and execution under the hood. This talk introduces a new method of reverse engineering coined 'Active' Reversing. Active Reversing includes debugging tools driven with techniques of use such as substring scanning, access breakpoints, dataflow tracing, behavioral set operations, run tracing, data sampling, proximity browsing, comparative memory scans, hit counters, and more. Some of the tools and techniques have been in use for quite some time, others are new concepts. In either case, never have all the techniques been formally presented as a new methodology. Active Reversing is a fresh new look on an old subject.

First real viruses infecting mobile phones were found during late 2004. Since then, hundreds of different viruses have been found, most of them targeting smartphones running the Symbian operating system. Mobile phone viruses use new spreading vectors such as Multimedia messages and Bluetooth. Why is this mostly a Symbian problem? Why hasn't Windows Mobile or Blackberry devices been targeted more? What makes the latest Symbian phones more secure? Why most of the infections are happening in Europe and in South-East Asia? And what will happen next?

Dual-mode phones are used to automatically switch between WiFi and cellular networks thus providing lower costs, improved connectivity and a rich set of converged services utilizing protocols like SIP. Among several other VoIP products and services, Sipera VIPER Lab conducted vulnerability assessment on a sample group of dual-mode/Wi-Fi phones and discovered that several vulnerabilities exist in such phones allowing remote attacker to carry out spoofing and denial-of-service attacks on such phones. As a result, it is apparent that enterprises and service providers need to become more aware of security threats to their fixed and mobile VoIP infrastructure. Additionally, protection mechanisms including increasing robustness of phone protocol implementations, employing VoIP security best practices, and securing critical network nodes must be used. This presentation gives a brief overview of this emerging technology, threats associated with it, and ways to mitigate such threats.

Traffic analysis is gathering information about parties not by analyzing the content of their communications, but through the metadata of those communications. It is not a single technique, but a family of techniques that are powerful and hard to defend against. Traffic analysis is also one of the least studied and least well understood techniques in the hacking repertoire. Listen to experts in information security discuss what we know and what we don't.

Design bugs are really difficult to fix -- nobody ever takes a dependency on a buffer overflow, after all. Few things have had their design stretched as far as the web; as such, I've been starting to take a look at some interesting aspects of the "Web 2.0" craze. Here's a few things I've been looking at: Slirpie: VPN'ing into Protected Networks With Nothing But A Lured Web Browser. Part of the design of the web is that browsers are able to collect and render resources across security boundaries. This has a number of issues, but they've historically been mitigated with what's known as the Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name. But scripts are not acquired from names; they come from addresses. As RSnake of ha.ckers.org and Dan Boneh of Stanford University have pointed out, so-called "DNS Rebinding" attacks can break the link between the names that are trusted, and the addresses that are connected to, allowing an attacker to proxy connectivity from a client. I will demonstrate an extension of RSnake and Boneh's work, that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page. I will also discuss how the existence of attacks such as Slirpie creates special requirements for anyone intending to design or deploy Web Single Sign On technologies. Slirpie falls to some of them, but slices through the rest handily. p0wf: Passing Fingerprinting of Web Content Frameworks. Traditional OS fingerprinting has looked to identify the OS Kernel that one is communicating with, based on the idea that if one can identify the kernel, one can target daemons that tend to be associated with it. But the web has become almost an entirely separate OS layer of its own, and especially with AJAX and Web 2.0, new forms of RPC and marshalling are showing up faster than anyone can identify. p0wf intends to analyze these streams and determine just which frameworks are being exposed on what sites. LudiVu: A number of web sites have resorted to mechanisms known as CAPTCHAs, which are intended to separate humans from automated submission scripts. For accessibility reasons, these CAPTCHAs need to be both visual and auditory. They are usually combined with a significant amount of noise, so as to make OCR and speech recognition impossible. I was in the process of porting last year's dotplot similarity analysis code to audio streams for non-security related purposes, when Zane Lackey of iSec Partners proposed using this to analyze CAPTCHAs. It turns out that, indeed, Audio CAPTCHAs exhibit significant self-similarity that visualizes well in dotplot form. This will probably be the first Black Hat talk to use WinAMP as an attack tool. A number of other projects are also being worked on -- I've been sending billions of packets for a reason, after all, and they haven't been coming from WinAMP :) There will be some updates on the analysis tools discussed during Black Ops 2006 as well.

Digital cameras and video software have made it easier than ever to create high quality pictures and movies. Services such as MySpace, Google Video, and Flickr make it trivial to distribute pictures, and many are picked up by the mass media. However, there is a problem: how can you tell if a video or picture is showing something real? Is it computer generated or modified? In a world where pictures are more influencial than words, being able to distinguish fact from fiction in a systematic way becomes essential. This talk covers some common and not-so-common forensic methods for extracting information from digital images. You will not only be able to distinguish real images from computer generated ones, but also identify how they were created.

RFID is being embedded in everything...From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them...

Our right to privacy is under attack today. Actually, no one denies our right to privacy. However, in reality, this right is being eroded more and more as every minute passes. Some of this has to do with the war on terror, but much of it simply has to do with the fact that our online actions can and are being recorded in minute detail. In this presentation we describe some concrete dangers that arise out of this situation and show that the uncomfortable feeling we have when our privacy is compromised is the least of our problems. We also show that a full understanding of these concrete dangers is crucial for coming up with adequate privacy-preserving solutions. Having argued that the erosion of our privacy is a real danger, we discuss solutions to preserving privacy online. Some of these solutions are merely technical, like anonymous web surfing, but solve only a small part of the problem. For example, anonymous web surfing does not help if a user has to authenticate herself in order to access an online service (consider the case of a newspaper or magazine that requires subscription, and sometimes even paid subscription). Furthermore, as we will show, simple solutions like pseudonyms do not actually solve the real problems. Fortunately, it is possible to use anonymous authentication. Despite the fact that this seems to be a contradiction in terms, it is actually possible to authenticate without revealing your identity. In this type of protocol, the only information learned by the authenticating server is that the user is authorized. In particular, the authenticating server learns nothing whatsoever about the identity of the specific user that now entered the system! Cryptographic solutions to this problem and exist and are often called "anonymous credentials". However, all known solutions are relatively complex and require non-standard asymmetric operations (i.e., operations that are not available on standard smartcards). Thus, the deployment of such solutions is complex. In this presentation, we present new solutions to this problem that are simple and can be implemented using standard smartcard technology (and even passwords, although this achieves a weaker security guarantee). We also suggest concrete applications where the use of this primitive is especially appropriate.

Most modern processors provide a supervisor mode that is intended to run privileged operating system services that provide resource management transparently or otherwise to non-privileged code. Although a lot of research has been conducted into exploiting bugs in user mode code for privilege escalation within the operating system defined boundaries as well as what can be done if one has arbitrary supervisor access (typically related to modern rootkit work), not a great deal of research has been done on the interface between supervisor and non-supervisor, and potential routes from one to the other. The biggest problem arises when trying to protect the kernel from itself - for example, under the IA32 architecture implementation of Windows, the distinction between user mode and kernel mode from the user mode perspective is easily enforced through hardware based protection. However, as the kernel is running as supervisor, how does the kernel make distinctions between what it should be accessing? This would be irrelevant if the supervisor was not exposed to interaction with supervisee; but that would defeat the purpose of having a kernel. This presentation is focussed on Windows and the Intel Architecture, and will briefly outline the current supervisor boundaries provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised. There will then be an outline of what possible architectures could be used to mitigate such attacks, such as the research operating system Singularity.

Since the state of California passed the Database Security Breach Notification Act (SB 1386) in 2003 another 34 states have passed similar legislation with more set to follow. In January 2007 TJX announced they had suffered a database security breach with 45.6 million credits card details stolen - the largest known breach so far. In 2006 there were 335 publicized breaches in the U.S.; in 2005 there were 116 publicized breaches; between 1st January and March 31st of 2007, a 90 day period, there have been 85 breaches publicized. There are 0 (zero) database-specific forensic analysis and incident response tools, commercial or free, available to computer crime investigators. Indeed, until very recently, there was pretty much no useful information out that could help. By delving into the guts of an Oracle database's data files and redo logs, this talk will examine where the evidence can be found in the event of a database compromise and show how to extract this information to show who did what, when. The presentation will begin with a demonstration of a complete compromise via a SQL injection attack in an Oracle web application server and then performing an autopsy. The talk will finish by introducing an open source tool called the Forensic Examiner's Database Scalpel (F.E.D.S.).

Security is very hard these days: lots of new attack vectors, lots of new acronyms, compliance issues, and the old problems aren?t fading away like predicted. What?s a security person to do? Take a lesson from your adversary... Hackers are famous for being lazy -- that?s why they?re hackers instead of productive members of society. They want to find new and interesting shortcuts to a quick payoff with minimal effort. Or, they look at a protocol designed by committee and find all the issues that never got a vote. Why not use the same enterprising approach to a quick and easy victory in the security arms race against them? Stop dialing the phone to your security vendor and pay attention. This talk will shine light on simple methods to fix complex problems that your security vendor doesn?t want you to know about. Problems that will be addressed are: - How to take care of client side exploits with ease. - Find tons of 0day by letting someone else do the all the work. - Employ simple measures to keep a wireless network key secure. All this without buying ANOTHER product! If you are drowning in problems, this talk could be just the lifeline you need...

It's all about the timing... Timing attacks have been exploited in the wild for ages, with the famous TENEX memory paging timing attack dating back to January of 1972. In recent times timing attacks have largely been relegated to use only by cryptographers and cryptanalysts. In this presentation SensePost analysts will show that timing attacks are still very much alive and kicking on the Internet and fairly prevalent in web applications (if only we were looking for them). The talk will cover SensePost-aTime (our new SQL Injection tool that operates purely on timing differences to extract data from injectable sites behind draconian firewall rulesets), our new generic (timing aware) web brute-forcer and lots of new twists on old favorites. If you are doing testing today, and are not thinking a lot about timing, chances are you are missing attack vectors right beneath your stop-watch!

There are many other wireless devices besides Wifi and Bluetooth. This talk examines the security of some of these devices, including wireless keyboards, mice, and presenters. Many of these devices are designed to be as cost effective as possible. These cost reductions directly impact their security. Examples of chip level sniffing will be shown as well as chip level injection attacks allowing an attacker to control the target system. The hardware used in these devices will be examined along with an attacker toolkit consisting of low cost hardware and software.

Todays headlines are rife with high profile information leakage cases affecting major corporations and government institutions. Most of the highest-profile leakage news has about been stolen laptops (VA, CPS), or large-scale external compromises of customer databases (TJX). On a less covered, but much more commonplace basis, sensitive financial data, company secrets, and customer information move in and out of networks and on and off of company systems all the time. Where it goes can be hard to pin down. How can a company prevent (let alone detect) Alice taking a snapshot of the customer database or financial projections and posting them on internet forums or even dumping them to a floppy disk? This, understandably, has a lot of people worried. In response, many organizations have begun looking for technologies to detect and prevent sensitive information from leaving their networks, servers, workstations, and even buildings. For some time a product space for ""Extrusion Detection"" products has existed. But now the space is exploding and as tends to happen, security problems abound. Some ""Extrusion Detections"" products rely on network gateway IPS/IDS approaches, whereas others work in a way more closely resembling host-based IDS/IPS. The main difference is that instead of detecting/preventing malicious information from entering a company's perimeter, they focus on keeping assets *inside*. We've been evaluating a number of products in this space and have run across a large number of vulnerabilities. They range from improper evidence handling, to inherent design issues, all the way to complete compromise of an enterprise, using the Extrusion Detection framework itself as the vehicle.

Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework. REVIEWER NOTES: This is a monstrous presentation and will absolutely require the 150-minute time slot. For a smaller version of this presentation, please see my other submission (System Cracking with Metasploit 3). The goal of this presentation is to show some of the non-standard ways of breaking into networks, methods that are often ignored by professional pen-testing teams.

As of today, Vista, XP, 2K03, OS X, every major Linux distro, and each of the BSD's either contain some facet of (stack|buffer|heap) protection, or have one available that's relatively trivial to implement/enable. So, this should mean the end of memory corruption-based attacks as we know it, right? Sorry, thanks for playing. The fact remains that many (though not all) implementations are incomplete at best, and at worst are simply bullet points in marketing documents that provide a false sense of safety. This talk will cover the current state of software and hardware based memory corruption mitigation techniques today, and demystify the myriad of approaches available, with a history of how they've been proven, or disproved. Our focus will be on building defense-in-depth, with some real-world examples of what works, what doesn't, and why. As an attendee, you should come away with a better understanding of how to protect yourself and your boxes, with some tools to (hopefully) widen the gap between what's vulnerable and what's exploitable.

OpenBSD is regarded as a very secure Operating System. This article details one of the few remote exploit against this system. A kernel shellcode is described, that disables the protections of the OS and installs a user-mode process. Several other possible techniques of exploitation are described.

Black Hat DC 2007 was supposed to be the venue for "RFID For Beginners", a talk on the basic mechanisms of operation used by RFID tags. Legal pressure forced the talk to be curtailed, with only 25% of the material being presented. The remainder was replaced with a Panel debate involving IOActive, US-CERT, ACLU, Blackhat, and Grand Idea Studio. After spending far too much time and money dealing with lawyers and consulting with some strategic allies, IOActive has made some relatively minor tweaks to the original presentation, which will be presented as the first part of this talk. The second part of the talk introduces Cloner 2.0. The first Cloner was designed to be as simplistic as possible, and succeeded at the cost of read range, flexibility, and overall sophistication. Cloner 2.0 aims to address these concerns with a significantly enhanced read range, a "passive" mode to sniff the exchange between tags and legitimate readers, multi-tag storage capability, multiple RF frontends and an enhanced software backend to support many different type of Proximity tags, and overall improvements in reliability and flexibility. While we won't be able to give you full schematics or the names of any vendors whose tags can be cloned, we will be including significant information (including useful snippets of source and circuit diagram fragments) that will allow you to more deeply understand the significant flaws in older RFID technologies. This talk will give you th information you need to make informed decisions about the use and mis-use of the most common RFID implementations available today. Abstract for the original "RFID for Beginners" talk: RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner based around a single chip - the PIC16F628A. Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK modulated, backscattering system known as RFID.

cross the world law enforcement, enterprises and national security apparatus utilize a small but important set of software tools to perform data recovery and investigations. These tools are expected to perform a large range of dangerous functions, such as parsing dozens of different file systems, email databases and dense binary file formats. Although the software we tested is considered a critical part of the investigatory cycle in the criminal and civil legal worlds, our testing demonstrated important security flaws within only minutes of fault injection. In this talk, we will present our findings from applying several software exploitation techniques to leading commercial and open-source forensics packages. We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files. This talk will make the following arguments: 1. Forensic software vendors are not paranoid enough. Vendors must operate under the assumption that their software is under concerted attack. 2. Vendors do not take advantage of the protections for native code that platforms provide, such as stack overflow protection, memory page protection), safe exception handling, etc. 3. Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial. 4. Methods for testing the quality of forensic software are not meaningful, public, or generally adopted. Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held. Chris Palmer is a security consultant with iSEC Partners, performing application penetration tests, code reviews, and security research. Tim Newsham is a security consultant with iSEC Partners. He has over a decade of experience in computer security research, development and testing. Alex Stamos is the co-founder and VP of Professional Services at iSEC Partners, a leading provider of application security services. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a well-known researcher in the field of software security and has been a featured speaker at top industry conferences such as BlackHat, CanSecWest, DefCon, Toorcon, SyScan, Microsoft BlueHat, the Web 2.0 Expo, InfraGuard, ISACA and OWASP. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley. Chris K. Ridder is a Residential Fellow at Stanford Law School's Center for Internet and Society (CIS). His research interests include the full range of issues that arise at the intersection of technology and the law, including the application of intellectual property law to software and the Internet, and the impact of technological change on privacy and civil liberties. Prior to joining CIS, Chris was an associate at Fish & Richardson P.C. and subsequently Simpson Thacher and Barltett LLP, where he litigated a broad range of patent, intellectual property and complex commercial cases. From 2001-2002, he was a law clerk for the Honorable Mariana R. Pfaelzer of the U.S. District Court for the Central District of California. Chris received his J.D. from the University of California at Berkeley (Boalt Hall) in 2001. Before he went to law school, Chris was a newspaper editor and publisher where he served, among other positions, as Editor-in-Chief of the Anchorage Press, the largest weekly newspaper in Anchorage, Alaska.

Imagine your only connection to the Internet was through a potentially hostile environment such as the Defcon wireless network. Worse, imagine all someone had to do to own you was to inject some html that runs a plugin or some clever javascript to bypass your proxy settings. Unfortunately, this is the risk faced by many users of the Tor anonymity network who use the default configurations of many popular browsers and other network software. Tor is designed to make it difficult even for adversaries that control several points in the network to determine where you're coming from or where you're going, yet these "data anonymity" attacks and attacks to bypass Tor can be performed effectively by a malicious website, or just one guy with a Ruby interpreter! To add insult to injury, software vendors seldom consider such exploits and other privacy leaks as real vulnerabilities. Fortunately, there are some things that can be done to improve the security of the web browser and Tor users in general. This talk will discuss various approaches to securing the Tor network and Tor usage against a whole gauntlet of attacks, from browser specific, to general intersection risks, to theoretical attacks on routing itself. Methods of protection discussed will include node scanning, transparent Tor gateways, Firefox extensions (including the dark arts of Javascript hooking), and general user education. Each approach has its own strengths and weaknesses, which will be discussed in detail.

Processor emulation has been around for as long as the processor it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their work flow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDApython. With obvious uses in reverse engineering, vulnerability research, and malware analysis PyEmu is a very valuable addition to any security researchers repertoire.

Since last year's Black Hat, the debate has continued to grow about how undetectable virtualized rootkits can be made. We are going to show that virtualized rootkits will always be detectable. We would actually go as far as to say they can be easier to detect than kernel rootkits.

Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.

The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attentiont: "Cisco Network Admission Control". NAC is a pivotal part of Cisco?s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. >From a security point of view ?NAC? is a very interesting emerging technology which deservers some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of ?posture spoofing attack?. We will release updated code & tool for posture spoofing in Cisco NAC ?secured? networks.

We will present new, practical methods for compromising Vista x64 kernel on the fly and discuss the irrelevance of TPM/Bitlocker technology in protecting against such non-persistent attacks. Then we will briefly discuss kernel infections of the type II (pure data patching), especially NDIS subversions that allow for generic bypassing of personal firewalls on Vista systems. A significant amount of time will be devoted to presenting new details about virtualization-based malware. This will include presenting various detection methods that could be used to either detect the presence of a hypervisor or find the malware itself. We will also discuss why each of these approaches cannot be used to build a practical detector, either because they could be fully defeated by virtualization based malware or because they are very impractical. This will include demonstration of how virtualization based malware can avoid timing-based detection, even if a detector uses trusted time source. We will also discuss detection approaches based on exploiting CPU bugs. The conclusion of this part is that we still do not have any good way to detect virtualization based malware... Were also going to talk about malware that fully supports nested virtualization (like e.g. our New Blue Pill does) and how this might be a challenge for OSes that would like to provide their own hypervisors in order to prevent Blue Pill-like attacks. People say that once an attacker gets into the kernel, the game is over and we should reinstall the whole system from scratch. In this presentation we show that sometimes we cannot know that the game is actually over, so we do not even know when to stop trusting our systems. In order to change this we need something more then just a bunch of patches! Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted by the international press and she is a frequent speaker at security conferences around the world. In April 2007 she founded Invisible Things Lab, a consulting company dedicated for cutting-edge research into operating systems security. Alexander Tereshkin, aka 90210, is a seasoned reverse engineer and expert into Windows kernel, specializing in rootkit technology and kernel exploitation. He presented several sophisticated ideas for rootkit creation and personal firewall bypassing in the past few years. During the last year, when working for COSEINC Advanced Malware Labs, he has done significant work in the field of virtualization based malware and kernel protection bypassing.

As recent as a couple of years ago, reverse engineers can get by with just knowledge of C and assembly to reverse most applications. Now, due to the increasing use of C++ in malware as well as most moderns applications being written in C++, understanding the disassembly of C++ object oriented code is a must. This talk will attempt to fill that gap by discussing methods of manually identifying C++ concepts in the disassembly, how to automate the analysis, and tools we developed to enhance the disassembly based on the analysis done. Paul Vincent Sabanal is a researcher with the IBM Internet Security Systems X-Force research team. Prior to joining IBM, Paul worked as an antivirus researcher at Trend Micro. Paul has spent most of his career doing malware reverse engineering, and has recently been delving into vulnerability research as well.