Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.


Past speeches and talks from the Black Hat Briefings computer security conferences. The Black Hat Briefings USA 2007 was held August 1-3 in Las Vegas at Caesars Palace. Two days, sixteen tracks, over 95 presentations. Three keynote speakers: Richard Clarke, Tony Sager and Bruce Schneier. A post con…

Jeff Moss


    • Dec 11, 2007 LATEST EPISODE
    • infrequent NEW EPISODES
    • 56m AVG DURATION
    • 89 EPISODES



    Latest episodes from Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

    Gadi Evron: Estonia: Information Warfare and Strategic Lessons

    Dec 11, 2007 (73:39)


    In this talk we will discuss what is now referred to as "The 'first' Internet War", where Estonia was under massive online attacks for a period of three weeks, following tensions with the local Russian population. Following a riot in the streets of Tallinn, an online assault began, resulting in a large-scale coordination of the Estonian defenses on both the local and international levels. We will demonstrate what in hindsight worked for both the attackers and the defenders, as well as what failed. Following the chronological events and technical information, we will explore what impact these attacks had on Estonia's civil infrastructure and daily life, and how they impacted its economy during the attacks. Once we cover that ground, we will evaluate what we have so far discussed and elaborate on lessons learned while Gadi was in Estonia and from the post-mortem he wrote for the Estonian CERT. We will conclude our session by recognizing case studies on the strategic level, which can be deduced from the incident and studied in preparation for future engagements in cyber-space.

    Gadi Evron works for the McLean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, especially in the realm of botnets and phishing, and is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager, which he founded.

    HD Moore & Valsmith: Tactical Exploitation-Part 2

    Dec 11, 2007 (72:12)


    Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework. REVIEWER NOTES: This is a monstrous presentation and will absolutely require the 150-minute time slot. For a smaller version of this presentation, please see my other submission (System Cracking with Metasploit 3). The goal of this presentation is to show some of the non-standard ways of breaking into networks, methods that are often ignored by professional pen-testing teams.

    Dr. Neal Krawetz: A Picture's Worth...

    Jan 9, 2006 (48:37)


    Digital cameras and video software have made it easier than ever to create high quality pictures and movies. Services such as MySpace, Google Video, and Flickr make it trivial to distribute pictures, and many are picked up by the mass media. However, there is a problem: how can you tell if a video or picture is showing something real? Is it computer generated or modified? In a world where pictures are more influential than words, being able to distinguish fact from fiction in a systematic way becomes essential. This talk covers some common and not-so-common forensic methods for extracting information from digital images. You will not only be able to distinguish real images from computer generated ones, but also identify how they were created.

    Stephan Chenette & Moti Joseph: Defeating Web Browser Heap Spray Attacks

    Jan 9, 2006 (35:27)


    At Black Hat Europe 2007 a talk was given titled "Heap Feng Shui in JavaScript". That presentation introduced a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allowed an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with more reliability and precision. Our talk is a defensive response to this new technique. We will begin with an overview of "in the wild" heap spray exploits and how we can catch them, as well as other zero day exploits, using our exploit-detection module. We will give an overview of the analysis engine we have built that utilizes this module and we will demonstrate scanning and detection of a "live" website hosting a heap corruption vulnerability. The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable to other browsers as well.

    Adam Laurie: RFIDIOts!!!- Practical RFID Hacking (Without Soldering Irons or Patent Attorneys)

    Jan 9, 2006 (73:07)


    RFID is being embedded in everything...From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them...

    Brian Chess, Jacob West, Sean Fay & Toshinari Kureha: Iron Chef Blackhat

    Jan 9, 2006 (57:41)


    Get ready for the code to fly as two masters compete to discover as many security vulnerabilities in a single application as possible. In the spirit of the Food Network's cult favorite show, Iron Chef, our Chairman will reveal the surprise ingredient (the code), and then let the challenger and the "Iron Hacker" face off in a frenetic security battle. The guest panel will judge the tools created and used to determine whose hack-fu will be victorious and who will be vanquished. Remember, our testers have only one hour to complete their challenge and will only be able to use tools they themselves have created. Watch as the masters wield their own weapons. What will they concoct? Who will come out victorious? Which techniques will prove most effective in a high-pressure, every-minute-counts environment? Come and see for yourself! Visit "Vulnerability Stadium" and watch a fierce battle. Our contestants will have upwards of five minutes to discuss their strategy before the battle begins. The show will be taped live with a studio audience and our co-hosts will provide running commentary, encourage the competitors and judge the results with the audience, based on originality of the created tool, presentation of the number of bugs, and creativity of using the tool when searching for vulnerabilities. So Black Hat attendees... with an open application and an empty exploit list, I say unto you in the words of my uncle: Hack This!

    Dr. Andrew Lindell: Anonymous Authentication-Preserving Your Privacy Online

    Jan 9, 2006 (62:26)


    Our right to privacy is under attack today. Actually, no one denies our right to privacy. However, in reality, this right is being eroded more and more as every minute passes. Some of this has to do with the war on terror, but much of it simply has to do with the fact that our online actions can be and are being recorded in minute detail. In this presentation we describe some concrete dangers that arise out of this situation and show that the uncomfortable feeling we have when our privacy is compromised is the least of our problems. We also show that a full understanding of these concrete dangers is crucial for coming up with adequate privacy-preserving solutions. Having argued that the erosion of our privacy is a real danger, we discuss solutions to preserving privacy online. Some of these solutions are merely technical, like anonymous web surfing, but solve only a small part of the problem. For example, anonymous web surfing does not help if a user has to authenticate herself in order to access an online service (consider the case of a newspaper or magazine that requires subscription, and sometimes even paid subscription). Furthermore, as we will show, simple solutions like pseudonyms do not actually solve the real problems. Fortunately, it is possible to use anonymous authentication. Despite the fact that this seems to be a contradiction in terms, it is actually possible to authenticate without revealing your identity. In this type of protocol, the only information learned by the authenticating server is that the user is authorized. In particular, the authenticating server learns nothing whatsoever about the identity of the specific user that now entered the system! Cryptographic solutions to this problem do exist and are often called "anonymous credentials". However, all known solutions are relatively complex and require non-standard asymmetric operations (i.e., operations that are not available on standard smartcards). Thus, the deployment of such solutions is complex. In this presentation, we present new solutions to this problem that are simple and can be implemented using standard smartcard technology (and even passwords, although this achieves a weaker security guarantee). We also suggest concrete applications where the use of this primitive is especially appropriate.

    Jim Christy: Meet the Feds

    Jan 9, 2006 (73:48)


    Discussion of the power of Digital Forensics today and the real-world challenges. Also discussed: the Defense Cyber Crime Center (DC3) and the triad of organizations that comprise DC3: the Defense Computer Forensics Lab, the Defense Cyber Crime Institute, and the Defense Cyber Investigations Training Academy; the evolving discipline of cyber crime investigations and the critical role law enforcement plays in a Network Centric Warfare environment; and the accreditation process for a cyber forensics lab, the forensic processes, and capabilities. This year, there will be two separate panels:

    • IA Panel: Information assurance, CERTs, first responder organizations from agencies including DC3, DHS, SOCOM, NSA, OSD, NDU, and GAO
    • LE Panel: Law enforcement, counterintelligence agencies including DC3, FBI, IRS, NCIS, NASA, DoJ, NWC3, US Postal IG, FLETC, and RCMP

    Jim Christy is a recently (1 Dec 2006) retired special agent that specialized in cyber crime investigations and digital evidence for over 20 years, with 35 years of federal service. Jim is currently the Director of Futures Exploration for the Defense Cyber Crime Center (DC3) and was profiled in Wired Magazine in January 2007.

    • Dir of Futures Exploration
    • Dir the Defense Cyber Crime Institute
    • R&D of digital forensic tools and processes
    • T&Validation of tools both Hardware & software used in an accredited digital forensics lab
    • Dir of Ops for Defense Computer Forensics Lab
    • LE/CI Liaison to OSD IA
    • DoD Rep to President's Infrastructure Protection Task Force
    • US Senate Investigator Perm Sub of Invest
    • 11 years Dir of AF OSI Computer Crime Investigations

    Jonathan Lindsay: Attacking the Windows Kernel

    Jan 9, 2006 (59:23)


    Most modern processors provide a supervisor mode that is intended to run privileged operating system services that provide resource management, transparently or otherwise, to non-privileged code. Although a lot of research has been conducted into exploiting bugs in user mode code for privilege escalation within the operating system defined boundaries, as well as what can be done if one has arbitrary supervisor access (typically related to modern rootkit work), not a great deal of research has been done on the interface between supervisor and non-supervisor, and potential routes from one to the other. The biggest problem arises when trying to protect the kernel from itself - for example, under the IA32 architecture implementation of Windows, the distinction between user mode and kernel mode from the user mode perspective is easily enforced through hardware based protection. However, as the kernel is running as supervisor, how does the kernel make distinctions between what it should be accessing? This would be irrelevant if the supervisor was not exposed to interaction with the supervisee; but that would defeat the purpose of having a kernel. This presentation is focussed on Windows and the Intel Architecture, and will briefly outline the current supervisor boundaries provided. Different attack vectors, along with relevant examples, will be provided to demonstrate how to attack the supervisor from the perspective of the supervised. There will then be an outline of what possible architectures could be used to mitigate such attacks, such as the research operating system Singularity.

    David Litchfield: Database Forensics

    Jan 9, 2006 (63:44)


    Since the state of California passed the Database Security Breach Notification Act (SB 1386) in 2003, another 34 states have passed similar legislation with more set to follow. In January 2007 TJX announced they had suffered a database security breach with 45.6 million credit card details stolen - the largest known breach so far. In 2006 there were 335 publicized breaches in the U.S.; in 2005 there were 116 publicized breaches; between 1st January and March 31st of 2007, a 90 day period, there have been 85 breaches publicized. There are 0 (zero) database-specific forensic analysis and incident response tools, commercial or free, available to computer crime investigators. Indeed, until very recently, there was pretty much no useful information out there that could help. By delving into the guts of an Oracle database's data files and redo logs, this talk will examine where the evidence can be found in the event of a database compromise and show how to extract this information to show who did what, when. The presentation will begin with a demonstration of a complete compromise via a SQL injection attack in an Oracle web application server and then perform an autopsy. The talk will finish by introducing an open source tool called the Forensic Examiner's Database Scalpel (F.E.D.S.).

    Maria Cirino: Meet the VC's

    Jan 9, 2006 (67:57)


    2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with an announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON 16.

    Brad Stone, New York Times technology correspondent. Brad Stone joined the New York Times in December 2006. He covers Internet trends from the newspaper's San Francisco bureau. In addition to writing for the paper, he contributes to the Times technology blog, Bits. From 1998 to November 2006, Stone served as the Silicon Valley Correspondent for Newsweek magazine, writing for the technology and business sections of the magazine and authoring a regular column, Plain Text, on our evolving digital lifestyles. He joined the Newsweek writing staff in 1996 as a general assignment reporter and covered a wide range of subjects. He wrote about Mark McGwire's home run chase during the summer of 1998, the jury deliberations in the Timothy McVeigh trial, and profiled authors such as Kurt Vonnegut. He is also a frequent contributor to Wired magazine, and has written for publications such as More magazine and the Sunday Telegraph in London. Brad graduated from Columbia University in 1993 and is originally from Cleveland, Ohio.

    Patrick Chung, Partner, NEA. Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC), to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusetts bars.

    Maria Cirino, Co-Founder and Managing Director, .406 Ventures. Maria is co-founder and managing director of .406 Ventures, a new VC firm focused on early stage investments in security, IT, and services. She serves as an active investor, director and/or chairman in one public company and four venture-backed companies including Veracode and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of Verisign following its 2005 $142 million acquisition of Guardent, a Sequoia, Charles River Ventures and NEA-backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category-creating network infrastructure company, from 1993 to 1997.

    Mark McGovern, Tech Lead, In-Q-Tel. Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

    Dov Yoran is a Partner at Security Growth Partners (SGP). Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc., a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts. Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents. Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, in a $145 Million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue. Prior to that, Mr. Yoran worked in several technology start-ups as well as Accenture (formerly Andersen Consulting), where he focused on technology and strategy engagements in the Financial Services Industry. Mr. Yoran has also written and lectured on several Information Security topics. He holds a Masters of Science in Engineering Management and System Engineering with a concentration in Information Security Management from the George Washington University and is a cum laude Bachelor of Science in Chemistry graduate from Tufts University.

    David Maynor & Robert Graham: Simple Solutions to Complex Problems from the Lazy Hacker's Handbook: What Your Security Vendor Doesn't Want You to Know.

    Jan 9, 2006 (50:31)


    Security is very hard these days: lots of new attack vectors, lots of new acronyms, compliance issues, and the old problems aren't fading away like predicted. What's a security person to do? Take a lesson from your adversary... Hackers are famous for being lazy -- that's why they're hackers instead of productive members of society. They want to find new and interesting shortcuts to a quick payoff with minimal effort. Or, they look at a protocol designed by committee and find all the issues that never got a vote. Why not use the same enterprising approach to a quick and easy victory in the security arms race against them? Stop dialing the phone to your security vendor and pay attention. This talk will shine light on simple methods to fix complex problems that your security vendor doesn't want you to know about. Problems that will be addressed are:

    - How to take care of client side exploits with ease.
    - Find tons of 0day by letting someone else do all the work.
    - Employ simple measures to keep a wireless network key secure.

    All this without buying ANOTHER product! If you are drowning in problems, this talk could be just the lifeline you need...

    Haroon Meer & Marco Slaviero: It's all about the timing

    Jan 9, 2006 (73:22)


    It's all about the timing... Timing attacks have been exploited in the wild for ages, with the famous TENEX memory paging timing attack dating back to January of 1972. In recent times timing attacks have largely been relegated to use only by cryptographers and cryptanalysts. In this presentation SensePost analysts will show that timing attacks are still very much alive and kicking on the Internet and fairly prevalent in web applications (if only we were looking for them). The talk will cover SensePost-aTime (our new SQL Injection tool that operates purely on timing differences to extract data from injectable sites behind draconian firewall rulesets), our new generic (timing aware) web brute-forcer and lots of new twists on old favorites. If you are doing testing today, and are not thinking a lot about timing, chances are you are missing attack vectors right beneath your stop-watch!

    Luis Miras: Other Wireless: New ways of being Pwned

    Jan 9, 2006 (62:59)


    There are many other wireless devices besides Wifi and Bluetooth. This talk examines the security of some of these devices, including wireless keyboards, mice, and presenters. Many of these devices are designed to be as cost effective as possible. These cost reductions directly impact their security. Examples of chip level sniffing will be shown as well as chip level injection attacks allowing an attacker to control the target system. The hardware used in these devices will be examined along with an attacker toolkit consisting of low cost hardware and software.

    Eric Monti & Dan Moniz: Defeating Extrusion Detection

    Jan 9, 2006 (83:38)


    Today's headlines are rife with high profile information leakage cases affecting major corporations and government institutions. Most of the highest-profile leakage news has been about stolen laptops (VA, CPS), or large-scale external compromises of customer databases (TJX). On a less covered, but much more commonplace basis, sensitive financial data, company secrets, and customer information move in and out of networks and on and off of company systems all the time. Where it goes can be hard to pin down. How can a company prevent (let alone detect) Alice taking a snapshot of the customer database or financial projections and posting them on internet forums or even dumping them to a floppy disk? This, understandably, has a lot of people worried. In response, many organizations have begun looking for technologies to detect and prevent sensitive information from leaving their networks, servers, workstations, and even buildings. For some time a product space for "Extrusion Detection" products has existed. But now the space is exploding and, as tends to happen, security problems abound. Some "Extrusion Detection" products rely on network gateway IPS/IDS approaches, whereas others work in a way more closely resembling host-based IDS/IPS. The main difference is that instead of detecting/preventing malicious information from entering a company's perimeter, they focus on keeping assets *inside*. We've been evaluating a number of products in this space and have run across a large number of vulnerabilities. They range from improper evidence handling, to inherent design issues, all the way to complete compromise of an enterprise, using the Extrusion Detection framework itself as the vehicle.

    HD Moore & Valsmith: Tactical Exploitation-Part 1

    Jan 9, 2006 (58:12)


    Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework. REVIEWER NOTES: This is a monstrous presentation and will absolutely require the 150-minute time slot. For a smaller version of this presentation, please see my other submission (System Cracking with Metasploit 3). The goal of this presentation is to show some of the non-standard ways of breaking into networks, methods that are often ignored by professional pen-testing teams.

    Shawn Moyer: (un)Smashing the Stack: Overflows, Countermeasures, and the Real World

    Jan 9, 2006 (59:47)


    As of today, Vista, XP, 2K03, OS X, every major Linux distro, and each of the BSD's either contain some facet of (stack|buffer|heap) protection, or have one available that's relatively trivial to implement/enable. So, this should mean the end of memory corruption-based attacks as we know it, right? Sorry, thanks for playing. The fact remains that many (though not all) implementations are incomplete at best, and at worst are simply bullet points in marketing documents that provide a false sense of safety. This talk will cover the current state of software and hardware based memory corruption mitigation techniques today, and demystify the myriad of approaches available, with a history of how they've been proven, or disproved. Our focus will be on building defense-in-depth, with some real-world examples of what works, what doesn't, and why. As an attendee, you should come away with a better understanding of how to protect yourself and your boxes, with some tools to (hopefully) widen the gap between what's vulnerable and what's exploitable.

    Alfredo Ortega: OpenBSD Remote Exploit

    Jan 9, 2006 (56:18)


    OpenBSD is regarded as a very secure Operating System. This article details one of the few remote exploits against this system. A kernel shellcode is described that disables the protections of the OS and installs a user-mode process. Several other possible techniques of exploitation are described.

    Chris Paget: RFID for Beginners++

    Jan 9, 2006 (26:44)


    Black Hat DC 2007 was supposed to be the venue for "RFID For Beginners", a talk on the basic mechanisms of operation used by RFID tags. Legal pressure forced the talk to be curtailed, with only 25% of the material being presented. The remainder was replaced with a Panel debate involving IOActive, US-CERT, ACLU, Blackhat, and Grand Idea Studio. After spending far too much time and money dealing with lawyers and consulting with some strategic allies, IOActive has made some relatively minor tweaks to the original presentation, which will be presented as the first part of this talk. The second part of the talk introduces Cloner 2.0. The first Cloner was designed to be as simplistic as possible, and succeeded at the cost of read range, flexibility, and overall sophistication. Cloner 2.0 aims to address these concerns with a significantly enhanced read range, a "passive" mode to sniff the exchange between tags and legitimate readers, multi-tag storage capability, multiple RF frontends and an enhanced software backend to support many different types of Proximity tags, and overall improvements in reliability and flexibility. While we won't be able to give you full schematics or the names of any vendors whose tags can be cloned, we will be including significant information (including useful snippets of source and circuit diagram fragments) that will allow you to more deeply understand the significant flaws in older RFID technologies. This talk will give you the information you need to make informed decisions about the use and misuse of the most common RFID implementations available today.

    Abstract for the original "RFID for Beginners" talk: RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner based around a single chip - the PIC16F628A. Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK modulated, backscattering system known as RFID.

    Chris Palmer: Breaking Forensics Software: Weaknesses in Critical Evidence Collection

    Jan 9, 2006 (71:17)


    Across the world, law enforcement, enterprises and national security apparatus utilize a small but important set of software tools to perform data recovery and investigations. These tools are expected to perform a large range of dangerous functions, such as parsing dozens of different file systems, email databases and dense binary file formats. Although the software we tested is considered a critical part of the investigatory cycle in the criminal and civil legal worlds, our testing demonstrated important security flaws within only minutes of fault injection. In this talk, we will present our findings from applying several software exploitation techniques to leading commercial and open-source forensics packages. We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files. This talk will make the following arguments:

    1. Forensic software vendors are not paranoid enough. Vendors must operate under the assumption that their software is under concerted attack.
    2. Vendors do not take advantage of the protections for native code that platforms provide, such as stack overflow protection, memory page protection, safe exception handling, etc.
    3. Forensic software customers use insufficient acceptance criteria when evaluating software packages. Criteria typically address only functional correctness during evidence acquisition when no attacker is present, yet forensic investigations are adversarial.
    4. Methods for testing the quality of forensic software are not meaningful, public, or generally adopted.

    Our intention is to expose the security community to the techniques and importance of testing forensics software, and to push for a greater cooperation between the customers of forensics software to raise the security standard to which such software is held.

    Chris Palmer is a security consultant with iSEC Partners, performing application penetration tests, code reviews, and security research. Tim Newsham is a security consultant with iSEC Partners. He has over a decade of experience in computer security research, development and testing. Alex Stamos is the co-founder and VP of Professional Services at iSEC Partners, a leading provider of application security services. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a well-known researcher in the field of software security and has been a featured speaker at top industry conferences such as BlackHat, CanSecWest, DefCon, Toorcon, SyScan, Microsoft BlueHat, the Web 2.0 Expo, InfraGard, ISACA and OWASP. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley. Chris K. Ridder is a Residential Fellow at Stanford Law School's Center for Internet and Society (CIS). His research interests include the full range of issues that arise at the intersection of technology and the law, including the application of intellectual property law to software and the Internet, and the impact of technological change on privacy and civil liberties. Prior to joining CIS, Chris was an associate at Fish & Richardson P.C. and subsequently Simpson Thacher & Bartlett LLP, where he litigated a broad range of patent, intellectual property and complex commercial cases. From 2001-2002, he was a law clerk for the Honorable Mariana R. Pfaelzer of the U.S. District Court for the Central District of California. Chris received his J.D. from the University of California at Berkeley (Boalt Hall) in 2001. Before he went to law school, Chris was a newspaper editor and publisher where he served, among other positions, as Editor-in-Chief of the Anchorage Press, the largest weekly newspaper in Anchorage, Alaska.

    Robert W Clark: Computer and Internet Security Law - A Year in Review 2006 - 2007

    Jan 9, 2006 61:09


    This presentation reviews the important prosecutions, precedents and legal opinions of the last year that affect internet and computer security. We will discuss the differences between legal decisions from criminal cases and civil lawsuits and what that means to the security professional. Additionally, we look at topics such as: email retention and discovery; Hewlett-Packard; active response; nondisclosure and non-competition agreements; identity theft and notification issues; legal aspects of emerging technologies; lawsuits involving IT corporations (Google, Yahoo, Apple, Microsoft); and of course, the NSA surveillance litigation. As always, this presentation is strongly audience driven and it quickly becomes an open forum for questions and debate.

    David Coffey & John Viega: Building an Effective Application Security Practice on a Shoestring Budget

    Jan 9, 2006 67:57


    Software companies inevitably produce insecure code. In 2006 alone, CERT recognized over 8,000 published vulnerabilities in applications. Attackers were previously occupied by the weaker operating systems and have moved on to easier targets: applications. What makes this situation worse is the weaponization of these exploits and the business drivers behind them. Some organizations struggle to deal with this trend to try to protect their products and customers. Other organizations have nothing in place, and need to create measures as soon as possible. This talk will raise several issues that global enterprise organizations currently face with application security and how to overcome them in a cost-effective manner. Some of the issues that will be discussed are software development lifecycle integration, global policy and compliance issues, necessary developer awareness and automated tools, and accurate metrics collection and tracking to measure progress. Attendees will be introduced to best practices which have worked for McAfee and other large-scale global enterprises, and be shown which practices to avoid. If you're only going to invest in a single activity to start, this talk will help you figure out what it should be, and how to measure its success. David Coffey is the manager of product security at McAfee. At McAfee, David is responsible for assessing the current state of security of the products, development process, and architecture. David is also responsible for leading a geographically distributed team to provide guidance and education to McAfee employees on security measures, process, integration as well as industry best practices. David has been a professional in the technology field for over a decade, giving him strong computer fundamentals, and is proficient in both *NIX and Windows environments.
Prior to joining McAfee, David spent several years working as either an employee or a consultant in financial institutions around the New York area. David later concentrated on architecting, developing and securing multi-tiered, high-traffic, dynamic websites, with the largest one doing 92 million hits per day. David served as the sole Application Security Engineer in the 4th largest cable company in the US, performing duties ranging from code audits to architecting IDS deployments to assisting in the securing of network architectures. Most recently, David had the role of Principal Consultant at a security consulting company, managing the security process integration and adoption for a large financial institution which handles a little over 1 quadrillion dollars a year. John Viega is Vice President and Chief Security Architect at McAfee, Inc. In this role he is responsible for McAfee Avert Labs' engineering efforts, including the anti-virus engine. Viega is also in charge of product security strategy, leading security audits of code, and helping to shape the technical directions for the product lines at McAfee. Viega is a well-known security expert and cryptographer and has co-authored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software.

    Mike Perry: Securing the Tor Network

    Jan 9, 2006 67:32


    Imagine your only connection to the Internet was through a potentially hostile environment such as the Defcon wireless network. Worse, imagine all someone had to do to own you was to inject some HTML that runs a plugin or some clever JavaScript to bypass your proxy settings. Unfortunately, this is the risk faced by many users of the Tor anonymity network who use the default configurations of many popular browsers and other network software. Tor is designed to make it difficult even for adversaries that control several points in the network to determine where you're coming from or where you're going, yet these "data anonymity" attacks and attacks to bypass Tor can be performed effectively by a malicious website, or just one guy with a Ruby interpreter! To add insult to injury, software vendors seldom consider such exploits and other privacy leaks as real vulnerabilities. Fortunately, there are some things that can be done to improve the security of the web browser and Tor users in general. This talk will discuss various approaches to securing the Tor network and Tor usage against a whole gauntlet of attacks, from browser-specific, to general intersection risks, to theoretical attacks on routing itself. Methods of protection discussed will include node scanning, transparent Tor gateways, Firefox extensions (including the dark arts of JavaScript hooking), and general user education. Each approach has its own strengths and weaknesses, which will be discussed in detail.

    Cody Pierce: PyEmu: A multi-purpose scriptable x86 emulator

    Jan 9, 2006 61:25


    Processor emulation has been around for as long as the processors it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their workflow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDAPython. With obvious uses in reverse engineering, vulnerability research, and malware analysis, PyEmu is a very valuable addition to any security researcher's repertoire.

    Job De Haas: Side Channel Attacks (DPA) and Countermeasures for Embedded Systems

    Jan 9, 2006 79:23


    For 10 years Side Channel Analysis and its related attacks have been the primary focus in the field of smart cards. These cryptographic devices are built with the primary objective of resisting tampering and guarding secrets. Embedded systems in general have a much lower security profile. This talk explores the use and impact of Side Channel Analysis on embedded systems. These systems have their own specific need for security. This need can vary significantly between systems, and in addition a much wider range of attacks is possible. At the same time, different countermeasures are available to defend against Side Channel Analysis. The options for developers to mitigate the impact of such attacks will be examined.

    Jared DeMott, Dr. Richard Enbody & Dr. Bill Punch: Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing

    Jan 9, 2006 40:05


    Runtime code coverage analysis is feasible and useful when application source code is not available. An evolutionary test tool receiving such statistics can use that information as fitness for pools of sessions to actively learn the interface protocol. We call this activity grey-box fuzzing. We intend to show that, when applicable, grey-box fuzzing is more effective at finding bugs than RFC-compliant or capture-replay mutation black-box tools. This research is focused on building a better, new breed of fuzzer, the impact of which is the discovery of difficult-to-find bugs in real-world applications that are actually reachable (not theoretical). We have successfully combined an evolutionary approach with a debugged target to get real-time grey-box code coverage (CC) fitness data. We build upon the existing test tool General Purpose Fuzzer (GPF) [8] and the existing reverse engineering and debugging framework PaiMei [10] to accomplish this. We call our new tool the Evolutionary Fuzzing System (EFS). We have shown that it is possible for our system to learn the target's language (protocol) as target communication sessions become more fit over time. We have also shown that this technique works to find bugs in a real-world application. Initial results are promising, though further testing is still underway. This talk will explain EFS, describing its unique features, and present preliminary results for one test case. We will also discuss future research efforts.

    Thomas H. Ptacek, Peter Ferrie & Nate Lawson: Don't Tell Joanna, The Virtualized Rootkit Is Dead

    Jan 9, 2006 63:11


    Since last year's Black Hat, the debate has continued to grow about how undetectable virtualized rootkits can be made. We are going to show that virtualized rootkits will always be detectable. We would actually go as far as to say they can be easier to detect than kernel rootkits.

    Danny Quist & Valsmith: Covert Debugging: Circumventing Software Armoring Techniques

    Jan 9, 2006 48:09


    Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machines and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page-fault-assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.

    Barrie Dempster: VoIP Security

    Jan 9, 2006 44:32


    As VoIP products and services increase in popularity and as the "convergence" buzzword is used as the major selling point, it's time that the impact of such convergence and other VoIP security issues underwent a thorough security review. This presentation will discuss the current issues in VoIP security, explain why the current focus is slightly wrong, then detail how to effectively test the security of VoIP products and services. It includes examples of real-life vulnerabilities found, how to find these vulnerabilities, and why many of them shouldn't be there in the first place.

    Dror-John Roecher: NACATTACK

    Jan 9, 2006 70:08


    The last two years have seen a big new marketing buzz named "Admission Control" or "Endpoint Compliance Enforcement", and most major network and security players have developed a product suite to secure their share of the cake. While the market is still evolving, one framework has been getting a lot of market attention: "Cisco Network Admission Control". NAC is a pivotal part of Cisco's "Self Defending Network" strategy and is supported on the complete range of Cisco network and security products. From a security point of view, "NAC" is a very interesting emerging technology which deserves some scrutiny. The Cisco NAC solution contains two major design flaws which enable us to hack (at least) two of the three different variants using some kind of "posture spoofing attack". We will release updated code and tools for posture spoofing in Cisco NAC "secured" networks.

    Rohit Dhamankar & Rob King: PISA: Protocol Identification via Statistical Analysis

    Jan 9, 2006 39:52


    A growing number of proprietary protocols are using end-to-end encryption to avoid being detected by network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well-known ports that are open through most firewalls to tunnel commands for controlling zombie systems. This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well-known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol into a 10-dimensional space. Clustering algorithms are applied to accurately identify a wide variety of protocols. This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.

    Joanna Rutkowska & Alexander Tereshkin: IsGameOver(), anyone?

    Jan 9, 2006 75:41


    We will present new, practical methods for compromising the Vista x64 kernel on the fly and discuss the irrelevance of TPM/BitLocker technology in protecting against such non-persistent attacks. Then we will briefly discuss kernel infections of type II (pure data patching), especially NDIS subversions that allow for generic bypassing of personal firewalls on Vista systems. A significant amount of time will be devoted to presenting new details about virtualization-based malware. This will include presenting various detection methods that could be used to either detect the presence of a hypervisor or find the malware itself. We will also discuss why each of these approaches cannot be used to build a practical detector, either because they could be fully defeated by virtualization-based malware or because they are very impractical. This will include a demonstration of how virtualization-based malware can avoid timing-based detection, even if a detector uses a trusted time source. We will also discuss detection approaches based on exploiting CPU bugs. The conclusion of this part is that we still do not have any good way to detect virtualization-based malware... We're also going to talk about malware that fully supports nested virtualization (like e.g. our New Blue Pill does) and how this might be a challenge for OSes that would like to provide their own hypervisors in order to prevent Blue Pill-like attacks. People say that once an attacker gets into the kernel, the game is over and we should reinstall the whole system from scratch. In this presentation we show that sometimes we cannot know that the game is actually over, so we do not even know when to stop trusting our systems. In order to change this we need something more than just a bunch of patches! Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises.
Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted by the international press and she is a frequent speaker at security conferences around the world. In April 2007 she founded Invisible Things Lab, a consulting company dedicated to cutting-edge research into operating systems security. Alexander Tereshkin, aka 90210, is a seasoned reverse engineer and expert in the Windows kernel, specializing in rootkit technology and kernel exploitation. He presented several sophisticated ideas for rootkit creation and personal firewall bypassing in the past few years. During the last year, while working for COSEINC Advanced Malware Labs, he has done significant work in the field of virtualization-based malware and kernel protection bypassing.

    Richard A. Clarke: KEYNOTE: A Story About Digital Security in 2017

    Jan 9, 2006 44:50


    To those who seek truth through science, even when the powerful try to suppress it. Richard A. Clarke is a former U.S. government official who specialized in intelligence, cyber security and counter-terrorism. Until his retirement in January 2003, Mr. Clarke was a member of the Senior Executive Service. He served as an advisor to four U.S. presidents from 1973 to 2003: Ronald Reagan, George H.W. Bush, Bill Clinton and George W. Bush. Most notably, Clarke was the chief counter-terrorism adviser on the U.S. National Security Council for both the latter part of the Clinton Administration and early part of the George W. Bush Administration through the time of the 9/11 terrorist attacks. Clarke came to widespread public attention for his role as counter-terrorism czar in the Clinton and Bush Administrations when in March of 2004 he appeared on the 60 Minutes television news magazine, his memoir about his service in government, Against All Enemies was released, and he testified before the 9/11 Commission. In all three instances, Clarke was sharply critical of the Bush Administration's attitude toward counter-terrorism before the 9/11 terrorist attacks and the decision to go to war with Iraq. Richard Clarke is currently Chairman of Good Harbor Consulting, a strategic planning and corporate risk management firm, an on-air consultant for ABC News, and a contributor to GoodHarborReport.com, an online community discussing homeland security, defense, and politics. He also recently published his first novel, The Scorpion's Gate, in 2005; and a second, Breakpoint, in 2007.

    Roger Dingledine: TOR

    Jan 9, 2006 70:32


    The Tor project, an anonymous communication system for the Internet that has been funded by both the US Navy and the Electronic Frontier Foundation.

    Paul Vincent Sabanal: Reversing C++

    Jan 9, 2006 52:59


    As recently as a couple of years ago, reverse engineers could get by with just knowledge of C and assembly to reverse most applications. Now, due to the increasing use of C++ in malware as well as most modern applications being written in C++, understanding the disassembly of C++ object-oriented code is a must. This talk will attempt to fill that gap by discussing methods of manually identifying C++ concepts in the disassembly, how to automate the analysis, and tools we developed to enhance the disassembly based on the analysis done. Paul Vincent Sabanal is a researcher with the IBM Internet Security Systems X-Force research team. Prior to joining IBM, Paul worked as an antivirus researcher at Trend Micro. Paul has spent most of his career doing malware reverse engineering, and has recently been delving into vulnerability research as well.

    Mark Dowd, John Mcdonald & Neel Mehta: Breaking C++ Applications

    Jan 9, 2006 75:15


    This presentation addresses the stated problem by focusing specifically on C++-based security, and outlines the types of vulnerabilities that can exist in C++ applications. It examines not only the base language, but also covers APIs and auxiliary functionality provided by common platforms, primarily the contemporary Windows OSs. The topics that will be addressed in this presentation include object initialization/destruction, handling object arrays, implications of operator overloading, and problems arising from implementing exception handling functionality. Various STL classes will also be discussed in terms of how they might be susceptible to misuse, and unexpected quirks that can manifest as security problems. This presentation will include discussion of bug classes that have yet to be discussed or exploited in a public forum (to our knowledge) for the topic areas outlined.

    Len Sassaman: Anonymity and its Discontents

    Jan 9, 2006 77:12


    In recent years, an increasing amount of academic research has been focused on secure anonymous communication systems. In this talk, we briefly review the state of the art in theoretical anonymity systems as well as the several deployed and actively used systems, and explain their strengths and limitations. We will then describe the pseudonym system we are developing based on an information-theoretic secure private information retrieval protocol, designed to be secure against an adversary with unbounded computing power, as long as (as little as) a single honest server exists in the network of servers operating this system. We will explain the design decisions behind the architecture of the system, intended to be operated by volunteers with a limited resource pool. We will discuss the usability considerations in designing a system intended to be accessible to a more naive user-base than simply "hackers and cypherpunks", and explain why user accessibility is critical to the security of anonymity systems in general. Finally, we'll present an attack on the original design of the system whereby an attacker could cause a denial of service attack untraceable to the attacker, and explain the solution we have implemented to prevent this attack.

    Joel Eriksson & Panel: Kernel Wars

    Jan 9, 2006 73:34


    Kernel vulnerabilities are often deemed unexploitable or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question. This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities without public exploits. From a defender's point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited. The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed to determine if and how they can be reliably exploited, and of course the exploits will be demonstrated in practice. The vulnerabilities that will be discussed are: FreeBSD 802.11 Management Frame Integer Overflow, found and exploited by Karl Janmar (advisory: http://www.signedness.org/advisories/sps-0x1.txt); NetBSD Local Kernel Heap Overflow, found by Christer Öberg, exploited by Christer Öberg and Joel Eriksson; Windows (2000 & XP) Local GDI Memory Overwrite, found by Cesar Cerrudo, exploited by Joel Eriksson (advisory: http://projects.info-pull.com/mokb/MOKB-06-11-2006.html). More information about the vulnerabilities can be found at: http://kernelwars.blogspot.com/

    Eric Schmeidl & Mike Spindel: Strengths and Weaknesses of Access Control Systems

    Jan 9, 2006 55:37


    Access control systems are widely used in security, from restricting entry to a single room to locking down an entire enterprise. The many different systems available (card readers, biometrics, or even posting a guard to check IDs) each have their own strengths and weaknesses that are often not apparent from the materials each vendor supplies. We provide a comprehensive overview of 20 different access control technologies that focuses on weaknesses (particularly little-known or not-yet-public attacks) and other points that a buyer would not likely get from a vendor. We also present a model for thinking about access control systems in general that will provide a useful framework for evaluating new or obscure technologies.

    Window Snyder & Mike Shaver: Building and Breaking the Browser

    Jan 9, 2006 58:28


    Traditional software vendors have little interest in sharing the gory details of what is required to secure a large software project. Talking about security only draws a spotlight to what is generally considered a weakness. Mozilla is using openness and transparency to better secure its products and help other software projects do the same. Mozilla has built and collaborated on tools to secure the Firefox Web browser and Thunderbird e-mail client, the first of which will be released at Blackhat Las Vegas 2007. These tools include protocol fuzzers for HTTP and FTP and a fuzzer for JavaScript, which together have led to the discovery and resolution of dozens of critical security bugs. These tools may be useful to anyone developing or testing applications that implement or depend on these technologies. Window Snyder and Mike Shaver will introduce these tools at BlackHat Las Vegas 2007 and discuss methods used to identify vulnerabilities in Firefox, plans for expanding the scope of Mozilla's work on Web security, and how Mozilla's security community uses openness and transparency to protect 100 million users around the world. Learn how to apply Mozilla's tools and techniques to secure your own software, and get an early look at new security features for Firefox 3.

    Ben Feinstein & Daniel Peck: CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript

    Jan 9, 2006 60:18


    The web browser is ever increasing in its importance to many organizations. Far from its origin as an application for fetching and rendering HTML, today's web browser offers an expansive attack surface to exploit. All the major browsers now include full-featured runtime engines for a variety of interpreted scripting languages, including the popular JavaScript. The web experience now depends more than ever on the ability of the browser to dynamically interpret JavaScript on the client. The authors present a software framework for the automated collection of JavaScript from the wild, the subsequent identification of malicious code, and characteristic analysis of malicious code once identified. Building on the work of several existing client honeypot implementations, our goal is to largely automate the painstaking work of malicious software collection. Our focus is on attacks using JavaScript for obfuscation or exploitation. The authors will present findings based on the deployment of a distributed network of CaffeineMonkeys. The analysis and conclusions will focus on identifying new in-the-wild obfuscation/evasion techniques and JavaScript browser exploits, quantifying the prevalence and distribution of well-known and newly discovered obfuscation and evasion techniques, as well as quantifying the prevalence and distribution of known and newly discovered JavaScript browser exploits. The authors will release a previously unpublished JavaScript evasion technique and demonstrate its use in evading a variety of present-day defensive technologies. Where present-day defenses have been demonstrated to be insufficient, the authors will present new ideas for ways to mitigate the new threats.

    Alexander Sotirov: Heap Feng Shui in JavaScript

    Jan 9, 2006 74:55


    Heap exploitation is getting harder. The heap protection features in the latest versions of Windows have been effective at stopping the basic exploitation techniques. In most cases bypassing the protection requires a great degree of control over the allocation patterns of the vulnerable application. This presentation introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allows an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with great reliability and precision. This talk will begin with an overview of the current state of browser heap exploitation and the unreliability of many heap exploits. It will continue with a discussion of Internet Explorer heap internals and the techniques for JavaScript heap manipulation. I will present a JavaScript heap exploitation library that exposes an abstract heap manipulation API. Its use will be demonstrated by exploit code for two complex heap corruption vulnerabilities. The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable to other browsers as well.
