Current Sponsors for Black Hat Briefings Windows 2004
Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.


Day 1 Keynote
Dan Geer Jr., Sc.D, Principal, Geer Risk Services, LLC & VP/Chief Scientist, Verdasys, Inc.

Dr. Geer is an entrepreneur, author, scientist, consultant, teacher, and architect. Most recently, he served as CTO with @stake, a leading digital security consulting firm. Previously, Dr. Geer ran the development arm of MIT's Project Athena, where Kerberos, the X Window System, and much of what we take for granted in distributed computing was pioneered by his staff on his watch. For many years he has provided high-level strategy in all manners of digital security and in promising areas of security research to industry leaders, especially in engineering and finance as a consultant and as an officer in a series of relevant startups. He is a widely noted author in scientific journals, the technology press, and has co-authored several books on risk management and information security.

Dr. Geer has testified before Congress on multiple occasions and has served in formal advisory roles for the Federal Trade Commission, the National Science Foundation, the Treasury Department, the National Research Council, the Commonwealth of Massachusetts, the Department of Defense, the National Institute of Justice, and the Institute for Information Infrastructure Protection.

Geer holds several security patents, received an Sc.D. in Biostatistics from Harvard and an S.B. in Electrical Engineering from MIT. He serves both fiduciary and nonfiduciary roles for a number of promising startups. He is also Past President of the USENIX association.


Day 2 Keynote
Broken Windows: What Security Looks Like When Gollum Gets the Ring
Richard Thieme, Thiemeworks.com

We all know the story, the issues, the lay of the land. Depending on how it's defined and who's defining, Windows security is both impossible and essential. So how we describe the problem IS the problem.

Thieme shows how focusing on the security context instead of granular content illuminates the content that's critical and the path to it that's optimal. As well as how to think about the problem.

Richard Thieme (www.thiemeworks.com) is a Contributing Editor for Information Security Magazine and, according to The Linux Journal, a "hacker philosopher journalist sage" whose presentations at security and hacking conventions are always well-attended and well-received. He speaks eloquently about the relationships between technology, people, and spirituality and always speaks straight to the heart of important matters right at the front of the audience's collective mind. He is very subtle ... and extremely deep.

Thieme consults, writes, and speaks about "life on the edge," in particular the human dimensions of technology and the work place. His focus these days is on security and identity - how to play chess while the board is disappearing.

Thieme has published widely. Translated into German, Chinese, Japanese, Slovene, Danish and Indonesian, his articles are taught at universities in Europe, Australia, Canada, and the United States. His column, "Islands in the Clickstream," has been published in Singapore, Toronto, and Capetown and is distributed to subscribers in 60 countries. Archives are at www.thiemeworks.com.


MOSDEF Tool Release
David Aitel, Immunity, Inc.

Dave Aitel is the founder of Immunity, Inc. and the primary developer of CANVAS and the SPIKE Application Assessment Suite. His previous experience, both within the US Government and in the private sector, has given him a broad background in exploit development, training, and speaking. He has discovered numerous new vulnerabilities in products such as Microsoft IIS, SQL Server 2000, and RealServer.

Immunity, Inc. is a New York City based consulting and security software products firm. CANVAS, Immunity's flagship product, is a sophisticated exploit development and demonstration framework.


Trusted Computing 101
David Blight, Ph.D., Security Architect, Voyager Systems

Trusted Computing is a controversial security initiative led by Microsoft which takes security improvements beyond the operating system by requiring significant changes in PC hardware. Trusted Computing has evoked much debate, and many misunderstandings exist about its capabilities and intentions. This presentation will detail the components of Trusted Computing, including: the Next Generation Secure Computing Base (NGSCB), which represents the Windows OS changes; Trusted Computing Group (TCG) initiatives, which require a TPM chip in hardware; Intel's LaGrande and AMD SEM plans, which bring changes in the CPU; and BIOS changes, which are already being included in new systems. This presentation will use a technical analysis of the plans to show the strengths, weaknesses, and potential capabilities of Trusted Computing. The role of Trusted Computing in DRM will be examined, the potential role of Linux will be discussed, and the question of whether Trusted Computing is something to fear or embrace will be addressed.

Dr. Blight is currently security architect for Voyager Systems, an industry leader in wireless communications and services for the public safety industry. Prior to Voyager Systems, Dr. Blight was a security consultant and founder of Marzenka Inc., held research positions at Palm, Fujitsu Labs, and TRLabs, and was an assistant professor at the University of Manitoba. Dr. Blight has lectured and published extensively in areas related to security, mobile computing, network management, software engineering, and system design.


Without a Trace: Forensic Secrets for Windows Servers
Mark Burnett
James Foster,
Deputy Director, Global Security Solutions

Every day administrators around the world discover their server has been hacked, but in their efforts to respond, they destroy crucial evidence. This presentation shows the importance of even the smallest pieces of evidence and demonstrates how you can use this evidence in a forensic investigation.

Many security experts find themselves as first or second responders to an incident, faced with the challenge of reconstructing the crime, finding the point of entry, and identifying the attacker. This presentation will show a side of forensics beyond hard drive imaging and keyword searching. It will show how to use the many pieces of evidence to construct a solid understanding of what happened.

Based on experiences from actual investigations, we explain techniques to gather evidence, including recreating a server environment and reproducing the steps of the hacker. Using little-known tricks, we’ll show how you can determine what applications were running or not running at the time of an intrusion. Even when an attacker deletes log files, you can still determine what icons an intruder clicked on or produce a timeline of events. Using tools such as Microsoft’s LogParser and many of the free Foundstone tools, we will teach tricks to determine exactly what the intruder did and just as important, what he didn’t do. Through the process of elimination and by gathering circumstantial evidence, you can often build a clear picture of what transpired and who was responsible.

Mark Burnett is a security consultant and author specializing in securing Windows-based servers. Mark is author of the book Hacking the Code (ISBN: 1-932266-65-8). He is co-author of the best-selling book Stealing the Network (ISBN: 1-931836-87-6) and co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (ISBN: 1-931836-69-8); Maximum Windows Security (ISBN: 0-672-31965-9); and Dr. Tom Shinder's ISA Server and Beyond (ISBN: 1-931836-66-3). Mark is a regular contributor to many industry-related magazines, newsletters, web sites, and other publications.

James C. Foster (CISSP, CCSE), Deputy Director Global Security Solutions for CSC Inc., is responsible for the technical vision and operation for all security solutions within CSC. Prior to joining CSC, Foster was the Director of R&D for Foundstone Inc. and responsible for all aspects of product and corporate R&D initiatives. Foster was also a Senior Advisor and Research Scientist with Guardent Inc. and an adjunct author at Information Security Magazine. Foster has co-authored or contributed to books including Snort 2.0, Hacking Exposed 4th Ed, Special Ops Security, Intrusion Detection and Prevention, Anti-Hacker Toolkit 2nd Ed, Hacking the Code, and Anti-Spam Toolkit. Foster has an AS, BS, MBA and is currently a fellow at the University of Pennsylvania's Wharton School of Business.


DKOM (Direct Kernel Object Manipulation)
Jamie Butler, Director of Engineering, HBGary, LLC

This talk will address insecurities in the current implementation of today's operating systems. Because of the lack of exclusive access to the kernel objects used to track privileges, report processes, and do auditing, rootkits and other subversive programs can modify them without detection in many cases. Obscurity is no longer enough! Corporations and some private consumers have tried to secure themselves by buying third party products. However, these products are not enough to prevent an attacker using the DKOM method. DKOM writes directly to memory without calling the kernel functions used to protect these objects, thus bypassing the protection mechanisms of the kernel and third party tools such as HIPS (Host Intrusion Prevention Systems).

Jamie Butler is the Director of Engineering at HBGary, specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Root-kit Technologies." Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. He holds an MS in Computer Science from the University of Maryland, Baltimore County. Over the past few years his focus has been on Windows servers, concentrating on host based intrusion detection and prevention; buffer overflows; and reverse engineering. Jamie is also a contributor at rootkit.com.


Data Hiding On A Live (NTFS) System
Harlan Carvey

The presentation walks through various data hiding techniques, demonstrating those that have been used (and continue to be used) since the days of MS-DOS. Other techniques for hiding data are newer, developed more recently as Microsoft has increased the functionality and usability of its products. While some of the techniques will simply hide data from casual users, others can be used to hide data from system administrators and even forensics analysts. Each of these techniques will be covered thoroughly using demonstrations and real world examples. This presentation contains the single most comprehensive treatment of NTFS alternate data streams available to date.

Harlan Carvey’s interest in information security began while he was an officer in the military, during which time he earned his master’s degree. After leaving military service, he began working in the field of commercial and government information security consulting, performing vulnerability assessments and penetration tests. While employed at one company, he was the sole developer of a program for collecting security-specific information from Windows NT systems during vulnerability assessments. The purpose of the product was to overcome shortfalls in commercial scanning products and provide more valuable information to the customer. Harlan has also worked in the area of incident response and forensics, performing internal and external investigations as the network security professional for a now-defunct telecommunications firm. He has presented at Usenix, DefCon 9, and Black Hat, and has had articles published in the Information Security Bulletin and on the SecurityFocus web site.


Auditing ActiveX Controls
Cesar Cerrudo

In the last year many vulnerabilities have been found in massively deployed ActiveX controls; right now millions of computers are still running vulnerable ActiveX controls, and most ActiveX vulnerabilities can be easily exploited to compromise systems. This talk discusses how to perform a black box security audit of ActiveX controls. Auditing an ActiveX control is not a very complex task, and the audience will learn how to do it manually in a few minutes, with great success, with the help of freely available tools.

Cesar Cerrudo is an independent security researcher/consultant specializing in application security. In recent years he has found many vulnerabilities in top software such as MS SQL Server, MS BizTalk Server, MS Commerce Server, MS Windows 2000, Oracle database server, Yahoo! Messenger, etc. He has presented on SQL Server security at Black Hat and Microsoft in the last year.


Information Security in Mergers & Acquisitions
Chris Conacher, Black Hat Consulting

This talk will look at the unique problems that the Mergers & Acquisition (M&A) process poses and possible solutions to those problems.

The talk will provide an understanding of:

  • The risk to both your organization and the target organization
  • The role of Information Security
  • Business drivers and approaches to dealing with them
  • The different phases of the M&A process
  • How risk changes in relation to the different phases
  • Key actions that need to be taken at each phase within the process

Chris Conacher has over 6 years' experience in formal Information Security roles. This time has been spent with the Fortune 500 companies BAE Systems (formerly British Aerospace and Marconi Space Systems), BAE Systems Airbus and Intel Corporation. He has also worked for the Information Risk Management consultancy practice of 'Big 5' firm KPMG LLP, where he specialized in 'High-Tech' companies. Chris' time in Information Security has seen him working in England, France, Germany, Greece, Russia and the USA. His specialties include the development, deployment and review of corporate information security programs; the secure integration of Mergers & Acquisitions; data protection in disaster recovery planning; and information security business impact analysis. Chris has a strong understanding of the strategic business impact of information security and works to align information security to complement corporate operating models. He is also an experienced trainer and project manager and has held numerous speaking engagements for internal and external clients and professional groups.


"They'll never see it coming!"
Stephen Dugan, CCSI

This talk will focus on the dangers of unprotected routing protocols. By injecting a route into a company's or ISP's routing table, we can assume the identity of ANY Internet site. Worse, the affected site has no countermeasure or method of detecting that the attack is occurring. There will be a step-by-step demo on a Cisco network showing this attack.

We will be asking for audience participation, so bring your laptop and wireless card. During the demo you will be able to watch as the site is hijacked with route injection.

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.


Automated Binary Reverse Engineering
Halvar Flake, Reverse Engineer, Black Hat

The presentation will focus on some advanced topics of automated reverse engineering. Algorithms (and plug-ins for IDA that implement them) for detecting programmatic changes between two versions of the same executable and for detecting memory-copying or -decoding loops in executables will be explained and demonstrated.

There are several applications for these techniques, for example porting debug info that a vendor might have accidentally left in an older version of a product to a newer version of the same program or reverse engineering the details of a bug if the vendor has only provided sketchy details. Detection of memory-copying loops has some interesting applications in vulnerability research and code analysis.

Halvar Flake is Black Hat's resident reverse engineer. Originating in the field of copy protection, he moved more and more towards network security after realizing the potential of reverse engineering as a tool for vulnerability analysis. He spends most of his screen time in a disassembler (or developing extensions for the disassembler), likes to read source code diffs with his breakfast and enjoys giving talks about his research interests. He drinks tea but does not smoke camels.


Lessons Learned When the Cisco Guys Went to Windows land
FX, Phenoelit

The speech covers stack based buffer overflows in Win32 applications and services where the buffer content consists of wide characters. Techniques for finding return addresses as well as practical wide character shellcodes (so-called venetian shellcode) will be discussed. There will also be some side notes on ASCII based overflows and format string vulnerabilities. This talk is intended to give the intermediate security pro a few more useful tricks up her/his sleeve, using one of SAP's Internet architectures as an example target.

FX is the leader of the German Phenoelit group. His and the group's primary interests are in security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH.


WinCE PDA Insecurity
Bryan Glancey, Vice President of Research & Development, Mobile Armor

Palmtops are growing in power and popularity. How good is the security on these devices, and what can be easily bypassed? We will look at the HP 5455, the pinnacle of Palmtop security, and see how easily its biometric security can be overcome. We will also cover basic security holes present in all palmtops, regardless of model.

Bryan Glancey is the Vice President of Research and Development of Mobile Armor. Mobile Armor is a provider of Enterprise Mobile Data Security Solutions for large enterprises.

Mr. Glancey was formerly Vice President of Sales Engineering for Pointsec Mobile Technologies, a leader in Mobile Device Security software. He has led implementations of Enterprise security solutions at companies including Cisco Systems, CitiGroup, and Bank of America.

Mr. Glancey's innovative security ideas have led to five patent-pending software security solutions. He has spoken extensively on information security, PDA security, and enterprise security at conferences including The Internet Security Conference (TISC), SANS (System Audit Network Security), Defcon, Black Hat and PlanetPDA. He has been quoted on PDA security on Reuters.

Mr. Glancey holds a Bachelors Degree in Physics from Clarkson University where he participated in research studies for the National Science Foundation, and the US Air Force.


Legal Risks of Vul