Chip Andrews

Ofir Arkin

Jay Beale

Erik Pace Birkholz

Harlan Carvey

Stephen Dugan

Todd Feineman

Halvar Flake

FX

JD Glaser

David Goldman

Jennifer S. Granick

Jeremiah Grossman

Sherief Hammad

Tony Harris

Jim Harrison

Andrew Hintz

Jesper M. Johansson

David Litchfield

Haroon Meer

Timothy Mullen

Joe Nocera

Laura A. Robinson

Tony Sager

Eric Schultze

Thomas Shinder

Murugiah Souppaya

Roelof Temmingh

Jonathan Wilkins

Urity

Current Organization and Media Sponsors for Black Hat Windows Security 2002

Topic descriptions are listed alphabetically by speaker.
Presentations are now online and can be found beneath the speaker name on this page.
If you missed any of the talks or were not able to attend, audio and video are available from The Sound of Knowledge.

MS SQL Server Security Mysteries Explained
Chip Andrews, sqlsecurity.com
[ Database Track ]

This presentation will focus on answering the most common questions asked by those seeking to secure applications based on Microsoft SQL Server. Whether you are a programmer, administrator, or a security professional, it is vital to understand the complete picture when deploying a SQL Server application.

Questions will include:

  • Is there any way to strengthen the native SQL Server security model?
  • What does a secure SQL Server deployment look like?
  • Which security model should I use and why?
  • How do I encrypt data in SQL Server?
  • Are privilege escalation attacks possible in SQL Server?
  • How do I implement SSL with SQL Server over TCP/IP?
  • How do I design secure SQL Server-based applications?
  • How do I secure managed .NET applications that inter-operate with SQL Server?
  • What is "Yukon" and what might it mean for the future of SQL Server?

These topics and others will be explored as we focus on SQL Server as a secure repository for your data.

Chip Andrews has been a software developer and an independent computer security consultant for more than 16 years and specializes in applying the skills obtained through security consulting to every aspect of product development. Chip maintains the www.sqlsecurity.com web site that focuses on SQL Server security issues. Chip has also contributed the SQL Server chapter to the recently released book "Hacking Exposed: Windows 2000" (Scambray, McClure) by Osborne Press. He currently works as a Software Security Architect for Clarus Corporation, www.claruscorp.com.



VoIP: The Next Generation of Phreaking
Ofir Arkin, Managing Security Architect, @stake
[ Network Track ]

"...It is no longer necessary to have a separate network for voice..."

Welcome to the next generation of security hazards and problems inherited from the use of one network for both data and voice. Welcome to the world of IP-based telephony (and Internet telephony), which not only provides exciting new technologies but also presents the security community with a new challenge in securing these networks.

Along with new technologies come their security problems. Some security problems are inherited from the use of IP-based networks, some (new ones) result from design flaws and the complexity of protocols and implementations, and some result from the combination of both worlds, telephony and IP.

This talk will also examine several scenarios for the deployment of VoIP from several architectural angles: the Internet, a corporation, an ITSP, and a telecom company. For each scenario the security problems will be highlighted and security design tips will be given.

Ofir Arkin, Managing Security Architect, @stake
With extensive knowledge in the information security field, Ofir Arkin has worked as a consultant for several European finance institutes, where he played the role of Senior Security Analyst and Chief Security Architect in major projects. His experience includes working for a leading Swiss bank, architecting the security of the bank's e-banking project.

Prior to joining @stake, Ofir acted as chief security architect for a 4th generation telecom company, where he designed the overall security scheme for the company.

Ofir has published several papers as well as articles and advisories. The best known is the "ICMP Usage in Scanning" research paper. Some of his research has been mentioned in professional computer security magazines. He is an active member of the Honeynet Project and participated in writing the Honeynet team's book, "Know Your Enemy", published by Addison-Wesley.



Attacking and Defending DNS
Jay Beale, Founder & Principal Security Consultant, JJB Security Consulting and Training
Andrew Hintz, IBM

[ MS Apps Track ]

This talk follows the Attack and Defense format, illustrating the traditional attacks against DNS servers first and then showing how to harden your server or defense. The methods range from refusing queries from the "wrong" hosts to setting up split horizon DNS and firewalling. We'll consider platform-specific defenses on both Windows and Solaris.

Jay Beale is the founder and principal security consultant for JJB Security Consulting and Training. He is the Lead Developer of the Bastille Linux Project, which creates a hardening program for Linux and HP-UX. Jay is the author of a number of articles on computer security, along with the upcoming book "Locking Down Linux the Bastille Way" to be published in the second quarter of this year by Addison Wesley. You can learn more about his articles, talks, courses and consulting via www.bastille-linux.org/jay.



How to Fix A Broken Window
Erik Pace Birkholz, CISSP, Principal Consultant, Foundstone
[ Tools of the Trade Track ]

Part one: Intranet Penetration Testing: Discovering Network Negligence
Part two: Strengthening Microsoft: When #1 Is Not an Option

Background
The year 2001 was the year that got away. Our comfort zone crumbled. Seemingly well-laid plans turned to dust. Systems crashed and networks halted as faceless network attacks tore through cyberspace. As a nation and an industry, we fell victim to devastating attacks that could have been avoided. Security and comfort slipped through our fingers and were gone.

Ladies and gentlemen, security has reached the board room. Management wants answers. They want solutions. Above all else they want peace of mind that this won't happen again. Purse strings are opening; now is the time for IT to make things right. Management finally understands a simple fact that can no longer be avoided: responsibility without authority is a recipe for failure.

C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”

Security vs. usability may finally become a balanced equation. All the usability in the world isn't worth a damn if your internal network is a wasteland of default configurations and blank passwords. Security teams are now a required internal resource. Contrary to popular belief, there are NOT 24 working hours in a day. Security cannot be treated as a side order. The excuses need to stop - now.

Intranet Penetration Testing: Discovering Network Negligence
I will present a methodology with specific steps and public tools that will aid you in performing internal penetration tests. I will offer opinions on what should, and should not be tested by internal security teams. I will walk through examples and provide demonstrations showing time effective techniques to get the highest return on investment.

Then we will shift gears and begin the first ever interactive "choose your own adventure". There will be a full network, and the flow will be controlled by "you", the class. As a team, we "choose our own adventure" and see where it leads us. The goal will be the complete compromise of two domains and a database full of "fake" credit card information. I will be your guide, but your success is up to you as a class.

Strengthening Microsoft: When #1 Is Not an Option
A no-BS approach to making the best of what we've got. No more excuses: the tools and techniques are out there. We will discuss:

  • strong domain architectures
  • rigid user management
  • hardened applications
  • principle of least privilege
  • security baselines for systems
  • defense in depth
  • network segmentation
  • 3rd party audit

Erik Birkholz (erik@foundstone.com) is a Principal Consultant for Foundstone. Erik's prime area of concentration is assessing Internet and intranet security architectures and their components. Erik has performed nearly a hundred attack and penetration tests since he began his career in 1995. Erik also instructs Foundstone's "Ultimate Hacking: Hands On" and "Ultimate NT/2000 Security: Hands On" courses.

Prior to joining Foundstone, Inc., he served as Assessment Lead for Internet Security Systems' (ISS) West Coast Consulting Group. Before ISS, Erik worked for Ernst & Young's eSecurity Services. He was a member of their National Attack and Penetration team and an instructor for their "Extreme Hacking" course. Erik also spent two years as a Research Analyst for the National Computer Security Association (NCSA).

Mr. Birkholz is a contributing author for the new Hacking Exposed titles Hacking Exposed: Windows 2000 and Hacking Exposed, Third Edition. Previously, Erik was featured in the international best seller Hacking Exposed, Second Edition, and has been published in The Journal of the National Computer Security Association and Foundstone's Digital Battlefield. He has also presented his research at The Black Hat Briefings and The Internet Security Conference (TISC).

Erik holds a BS in Computer Science from Dickinson College, Pennsylvania, where he was a 1999-2000 Metzger Conway Fellow, an annual award presented to a distinguished alumnus who has achieved excellence in their field of study. He is a Certified Information Systems Security Professional (CISSP) and a Microsoft Certified Systems Engineer (MCSE).



NT/2K Incident Response and Mining for Hidden Data: Post Mortem of a Windows Box
Harlan Carvey
[ Deep Knowledge Track ]

Part 1: NT/2K Incident Response
Current reactions to security incidents against NT/2K systems seem to range from Homer Simpson ("If I didn't see it, it didn't happen") or rebooting the system, to paying thousands of dollars for a forensics analyst, with very little in between. A lot of extremely useful volatile information lives on a 'victim' machine, but it is often overlooked because it is accessible only from the "Dark Place", i.e., the command line. This volatile information can give the administrator an excellent view of the situation and may prove useful in an investigation. This presentation will discuss a methodology and framework for incident response on NT/2K systems. Policies and procedures will be touched on, and various available tools and techniques will be demonstrated. Demonstrations will show what type of information can be collected, how to get it off the 'victim' system cleanly, and what that information means to the administrator or investigator.

Part II: Hiding Data on NT/2K
GUIs like Windows are used to increase the efficiency of the user, but they also provide a curtain for a malicious user to hide behind. This presentation will demonstrate several techniques for hiding data on NT/2K systems, some of which are as old as DOS but still work. Other techniques, such as steganography, will also be discussed. NTFS alternate data streams will be covered in detail, including the differences between NTFS 4 (NT) and NTFS 5 (2K). Various tools to detect the presence of hidden data will be demonstrated, and techniques to prevent and detect the activity will be discussed.

Harlan Carvey is an information security consultant with a deep and ongoing curiosity about getting under the hood of NT/2K platforms. Conducting vulnerability assessments and penetration tests of NT led to a growth in his use of Perl to prototype both offensive and defensive security tools. Performing incident response and forensics investigations at a large telecom presented him with many interesting challenges and learning experiences. Harlan has had articles published on SecurityFocus.com as well as in the Information Security Bulletin. He holds a BSEE from the Virginia Military Institute and an MSEE from the Naval Postgraduate School.



Protecting Your Cisco Infrastructure Against the Latest "Attacktecs"
Stephen Dugan, CCSI, 101labs.com
[ Network Track ]

This presentation will focus on Cisco routers and switches and the commands used to protect them. The presentation will also include a live demo of the commands in a Cisco network. The presentation and demo will include:

  • Securing Device Access and Management Protocols
  • Stopping Console Password Recovery
  • Protecting L3 Routing Protocols
  • Eliminating ARP Spoofing Attacks
  • VLAN Implementation Issues

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years, focusing on router and switch configuration, voice/data integration, and network security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.



Third Generation Exploits on NT/Win2k Platforms
Halvar Flake, Reverse Engineer, Black Hat Consulting
[ Deep Knowledge Track ]

Because standard stack-smashing overflows are getting rare in well-audited code, new ways of executing arbitrary code on attacked machines are badly needed. With the appearance of format string bugs and malloc()/free() manipulations, the attacking side has two powerful techniques for writing more or less arbitrary data to more or less arbitrary locations.

If we classify the different overrun exploitation techniques into generations, it could look like this:

  • Generation 1: Standard return address overwrites
  • Generation 2: Frame pointer overwrites, off-by-ones etc.
  • Generation 3: malloc()/free() overwrites, format bugs etc.

While third generation exploits have been documented on *NIX platforms, documentation concerning their exploitation under NT/Win2k is rare. But this class of vulnerabilities is especially interesting from the reverse engineer's perspective on closed-source platforms, as traditional means of vulnerability research (e.g. stress testing with tools like Retina™ or Hailstorm™) fail to detect these problems.

This speech will consist of two halves. The first half will cover format string vulnerabilities, covering all aspects ranging from detection (both in source and binary) to reliable exploitation in multithreaded environments without killing the exploited service. The second half will focus on malloc()/free() overwrites, explaining their general principle, documenting the different implementations of heap management under NT/Win2k (Borland C++, Visual C++, native operating system support in various versions etc.) and explaining how to exploit them in various situations.

Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.



Routing and Tunneling Protocol Attacks
FX, Phenoelit
[ Network Track ]

The functionality and security of TCP/IP networks depend on layer 2 and layer 3 traffic flow information. Attacks against these layers immediately affect the operation of your network and the security of your servers.

This speech will cover the possible attack scenarios, layer 2 attacks (alias "interception"), router discovery, and how an attacker can influence the flow of information in your network using a variety of routing protocols. Another key point is the impact of these attacks on your everyday business and why you should include the communication layers in your security considerations.

The finale will explain attacks against several tunneling mechanisms used in large corporate networks and how things like GRE, IPIP and others can enable intruders to attack your supposedly protected systems in RFC 1918 networks. The issues surrounding IPv6 islands will also be discussed.

FX is the leader of the German Phenoelit group. His and the group's primary interests are the security implementations and implications of standard or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH, www.nruns.com.



One-Way SQL Hacking: Futility of Firewalls in Web Hacking
JD Glaser, Director of Engineering, Foundstone
[ Database Track ]

Topics covered will be:

  • Overview of Web attacks
  • One-way attacks
  • SQL entry points
  • Privilege escalation
  • Installing a web-based SQL command prompt
  • Back-end database enumeration tool

One Way SQL Web Hacking: SQL Web hacking is the next generation of hacking "kung fu." This talk expands on our previous web talks with new SQL techniques for taking apart an e-commerce site. Join us for an eye-opening demonstration on what can go wrong with poorly