Joe Grand is an electrical engineer and prolific inventor with four pending patents and 19 commercially-available products. Involved in computers and electronics since the age of 7, Joe has had the fortune of being a former member of the legendary Boston-based hacker collective L0pht Heavy Industries, testifying before the United States Senate Governmental Affairs Committee under his nom de hack, Kingpin, and being praised as a "modern day Paul Revere" by the Senators for his research and warnings of computer security weaknesses. Recognized for his unconventional approaches to product development and licensing, Joe is also a well-known hardware hacker and industrial artist, the author of two books, contributor to four others, and is on the technical advisory board of MAKE Magazine.
Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world.
Thomas X. Grasso - Fighting Organized Cyber Crime: War Stories and Trends
As one of the pioneers of partnerships for the FBI, Thomas X. Grasso, Jr. of the FBI's Cyber Division will outline how the FBI has taken this concept from rhetoric to reality over the past 5 years. This presentation will explore how the mantra "make it personal" has aided the FBI in forging exceptional alliances with key stakeholders from industry, academia and law enforcement, both domestically and abroad. This presentation will also outline how such collaborations have helped to proactively advance the fight against an increasingly international and organized cyber crime threat.
Tom Grasso began working with computers in 1993 as a network administrator. In 1998 Mr. Grasso received an appointment to the position of Special Agent with the Federal Bureau of Investigation (FBI). After attending new agents training at the FBI Academy in Quantico, Virginia, Mr. Grasso was transferred to the FBI's Chicago Field Office where he was assigned to the Regional Computer Crime Squad. In the fall of 2000, Mr. Grasso was transferred to the FBI's Pittsburgh Field Office and assigned to the High Technology Crimes Task Force where he served as the FBI Liaison to the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University. Mr. Grasso is now part of the FBI's Cyber Division and is assigned to the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, a joint partnership between law enforcement, academia, and industry. Mr. Grasso is a 1991 graduate of the State University of New York at Buffalo, where he majored in Geological Sciences and minored in Music.
Atlas - The Making of atlas: Kiddie to Hacker in 5 Sleepless Nights
atlas was just a kiddie when asked to write his first exploit in order to qualify for DC13's capture-the-flag. After conquering his sense of inadequacy, he went on to win the individual competition and finish third even among the teams. This presentation will introduce you to atlas, to hacking, and to the pivotal "Stage 3 Binary" which turned the man's life upside down. The talk will be an entertaining walk through his efforts to understand and write a network exploit, some of his lessons learned, and some tools which made hacking a bit easier. The talk will include use of GNU Debugger (gdb), objdump output, readelf, ktrace, and the @ Utility Belt toolkit (newly released).
atlas, a disciple of the illustrious Skodo, has a history in programming, systems support, telecom, security, and reverse engineering. His introduction to the hard-core hacking world was through DC13's CTF Qualifiers. atlas went on to win the individual contest and place third overall. atlas has written the WEP-cracking tool bssid-flatten and the @ Utility Belt toolkit.
Birth, School, Work, Death. Imagine every web search you've ever done placed on a timeline of your life. Is there anything on that list you wouldn't want your mother (or employer) to know about? How about the aggregate web searches of your entire company? What if they fell into the hands of a competitor? Recent trends indicate that we can no longer rely on the privacy policies of individual web companies to keep this information private. In this talk, we'll examine the many ways we disclose information in return for free web services as well as how effective you think your privacy countermeasures are. This session won't be a monolog, but an active discussion on the problem of web-based information disclosure. As part of the talk, I'm releasing a program that will extract web searches from your Firefox browser's cache to show you what you've been disclosing.
Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. He holds a PhD in Computer Science from Georgia Tech and a Bachelor of Science in Computer Science from the United States Military Academy. His areas of expertise include network security, information visualization and information warfare. His work can be found at http://www.rumint.org/gregconti.
In the first half of this session, Paul Simmonds will present on behalf of the Jericho Forum, taking participants through the initial problem statement and what people need to go away and start implementing. Topics will include: 1. De-perimeterization - the business imperative, 2. From protocols to accessing the web - the technical issues, 3. What should be implemented today - current and near term solutions, 4. Planning for tomorrow - future solutions and roadmap.
The second half of this session will focus on the Jericho Challenge: the format, the rules, the judging format and the prizes, followed by a Q&A. The aim of the Jericho Forum Challenge is to develop a "technology demonstrator" with a full year from start to finish. The competition is based on a typical business environment with at least one business application, one legacy application, typical business usage (Web, E-mail and Word Processing) using at least one "office" PC and one laptop. The finals and judging will occur in 2007 at Defcon.
Binary disassembling and manual analysis to find exploitable vulnerabilities is a cool topic. What's cooler? Saving yourself hours of time and brain rot by letting a program do the hard parts for you! In this talk, we will dissect a well-known exploitable vulnerability as well as an open source tool for automatically detecting that vulnerability. By the end of the talk, you will understand the basics of static code analysis, exploitable bugs in Windows, x86 assembly, and the structure of the open source project. Interested attendees can join a pair programming session after the talk to start work on enhancements.
Matt Hargett last spoke at Defcon about using open source tools to test Firewalls and IDSes, and has spoken and written articles in a variety of venues and leading publications on the topics of security, testing, and programming techniques. After successfully creating and launching the commercial static analysis tool, BugScan, as the initial sole developer, he took time off and now works in a very different and unrelated field. He lives in Mountain View, California with his husband, Geoff, and their dog, Baxter.
Luis Miras is the lead vulnerability researcher at Intrusion Inc. He has done work for leading consulting firms and Network Associates. He released the first public polymorphic shellcode at Defcon 8 and has also spoken at Toorcon 7 as well as the CCC Congress (17c3) in Berlin. In the past he has worked in digital design and embedded programming.
Renderman - New Wireless Fun From the Church Of WiFi
The Church of Wifi (reformed) has been busy coming up with new and wonderful wireless shenanigans. At Shmoocon we sped up WPA cracking threefold, at Layerone we made it even faster, and now we take it even further, to places and sizes not dared before: WPA2!
When we aren't breaking WPA or cavorting with Evil Bastards, we are thinking about the future. With so many networking devices running embedded OSS software, they are almost whole PCs unto themselves. Well, what happens when hardware goes viral? The Church raises the question, "How do you trust your hardware?"
Frank ("Thorn") Thornton runs his own technology-consulting firm, Blackthorn Systems, which specializes in wireless networks and security. An interest in amateur radio has also helped him bridge the gap between computers and wireless networks. Thorn's experience with computers goes back to the 1970s, when he started programming mainframes. Over the last thirty years, he has used dozens of different operating systems and programming languages.
In addition to his computer and wireless interests, Thorn was a Law Enforcement Officer for many years. As a detective and forensics expert he has investigated approximately one hundred homicides and thousands of other crime scenes. Combining both professional interests, he was a member of the workgroup that established ANSI Standard ANSI/NIST-CSL 1-1993 "Data Format for the Interchange of Fingerprint Information." Thorn is a co-author of "WarDriving: Drive, Detect, Defend", "Game Console Hacking", "RFID Security" and contributor to "IT Ethics" all by Syngress Publishing. He resides in Vermont with his wife.
RenderMan has been a fixture in the wardriving community for many years. He never seems to be out of crazy projects and ideas, never very far from wardriving news, often causing it himself. He also co-authored "RFID Security" for Syngress publishing. He spends his time working on things like the "stumbler ethic," Worldwide wardrive, "the warpack" and the Church of Wifi. When not working to make wardriving an acceptable hobby, he can usually be found taking something apart, creating an army of cybernetic fluffins, trying to win the Defcon wardriving contest, or more likely, at the hotel bar.
David "H1kari" Hulton has been in the security field for the past 7 years and currently specializes in FPGA logic design, 802.11b wireless security, smart card, and GSM development specifically to exploit its various inherent strengths and weaknesses. David has spoken at numerous international conferences on wireless security, has published multiple whitepapers, and is regularly interviewed by the media on computer security subjects.
David Hulton is one of the founding members of Pico Computing, Inc., a manufacturer of compact embedded FPGA computers dedicated to developing revolutionary open source applications for FPGA systems. He is also one of the founding members of Dachb0den Research Labs, a non-profit security research think-tank, is currently the Chairman of the ToorCon Information Security Conference, and has helped start many of the security and Unix-oriented meetings in San Diego, CA.
Richard Thieme - Beyond Social Engineering: Tools for Reinventing Yourself
Managing multiple modular identities is not a trivial task. But that's what the technologies and politics of Now demand. These tools will enable you to create personas at a deep level, then link them into a seamless life.
Richard Thieme is a business consultant, writer, and professional speaker focused on "life on the edge," in particular the human dimension of technology and work. He is a contributing editor for Information Security Magazine. Speaking/consulting clients include: GE Medical Systems; Los Alamos National Laboratory; Apache Con; Microsoft; Network Flight Recorder; System Planning Corporation (SPC); InfraGard; Firstar Bank; Financial Services - Information Sharing and Analysis Center (FS-ISAC); Psynapse/Center for the Advancement of Intelligent Systems; Cypress Systems; Assn. for Investment Management and Research (AIMR); Alliant Energy; Wisconsin Electric; UOP; Ajilon; OmniTech; Strong Capital Management; MAPICS; Influent Technology Group; FBI; US Department of the Treasury; the Attorney General of the State of Wisconsin; and the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas.
In this panel session we will begin with a short introductory presentation from Gadi Evron on the latest technologies and operations by the Bad Guys and the Good Guys: what's going on with Internet operations, global routing, botnets, extortion, phishing, and the annual revenue the mafia is getting from it. The panel session itself will be hosted by mudge. The members will accept questions on any subject related to the topic at hand, and discuss it openly in regard to what's being done and what we can expect in the future - both from the Bad Guys and the Good Guys.
Gadi Evron is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing. He was previously the Israeli Government Internet Security Operations Manager, as well as the Israeli Government CERT Manager. Today, he manages the SecuriTeam portal and works for Israeli-based Beyond Security.
Paul Vixie holds the record for "most CERT advisories due to a single author" which came primarily from his years hacking on BIND4 and BIND8. Later on he cut off the oxygen supply to his brain by wearing a necktie for AboveNet, MFN, and PAIX. At the moment he is President at ISC where his primary duty is to sign paychecks for the people who bring you BIND9 and F.ROOT-SERVERS.NET. He is also an occasional critic of just about everything (the blog: FM.VIX.COM).
Dan Kaminsky, Dox Para Research. Formerly of Cisco and Avaya.
Randal Vaughn teaches a variety of courses in Information Systems. Vaughn is a widely quoted expert in the areas of cyber warfare, cyber defense, and internet threat metrics and reporting. He is on the Board of Advisors for MI5 Security and an Academic Associate for the Anti-Phishing Working Group. He is a member of Educause, the Society for Information Management (SIM), and the Association for Computing Machinery (ACM). His work has been published in several mathematics publications and he has authored white papers such as "Using PowWow in the Academic Environment" for Tribal Voice. Previously, Vaughn worked at Mobil Exploration and Producing Services, Inc. as a computer analyst for seismic processing support. Prior to that, he was the lead designer for Vought Aircraft's Group Technology Support Software component of the U.S. Air Force's Integrated Computer Aided Manufacturing project. He also served in the U.S. Air Force as a project engineer and database administrator. Vaughn's operating system experience includes legacy mainframe operating systems, Microsoft Windows, Linux, and Apple Mac OS and Mac OS X.
Dan Hubbard is the VP of Security Research at Websense and runs Websense Security Labs. He is responsible for all things security at Websense, including managing the Websense Security Labs that researches, analyzes, and reverse engineers malicious code, analyzes security trends, and provides research on malicious websites and network protocols. Hubbard also defines security-related product features. He is the pioneer behind Websense's Web filtering database that supports its Security Group. Hubbard also acts as the company's security spokesperson.
Rick Hill - WarRocketing: Network Stumbling 50 Sq. Miles in <60 Sec.
Network "stumbling" has taken many forms since Marius Milner first released Netstumbler in May 2001. Historically, stumbling aficionados' preferred data collection method has been Wardriving. Almost everyone owns a car and it's easy to fire up your laptop and drive around. Of course, other methods exist; creative souls have utilized everything from bikes, to boats, to planes in pursuit of new networks. Groups in the U.S. and Australia have performed "WarFlying" using Cessnas and other small aircraft. Enter a newer (& faster) technique: "WarRocketing".
This talk is about 802.11b network discovery. It details the design, launch, and recovery of a rocket whose objective is to network stumble 50 square miles in less than a minute. Wardriving coverage is limited by obstructions such as trees, houses, and terrain. Our aerial platform (the Rocket) does not have these limitations. Essentially, it provides Line-of-Sight to ALL targets in the antenna pattern!
The presentation will include photographs of the rocket construction (a 1/3 scale model Nike Smoke), a launch video, and screen capture & analysis of all computer activity during the flight: network stumbling, number of APs registered, and so on. No prerequisite - only an interest in Network Stumbling and Wireless Technology.
Rick Hill, CISSP, CWSP works as an information systems security engineer for Tenacity Solutions, Inc., an IT consulting firm based in Reston, VA. Specializing in wireless security, his day job involves C&A of govt. networks, site surveys, and performing network security assessments. In a previous life, he did equipment automation and optimized new production lines for ITT Automotive, an ABS brake systems manufacturer. Rick's after work interests include working to become his neighborhood's Wireless Internet Service Provider (WISP), Netstumbling, and shooting High Power Rockets. A born-again Rocketeer (BAR), he started flying those little Estes "kid size" rockets at 8 years old. His motto today: "bigger toys for bigger boys." Rick's been a Tripoli rocketry association member since 2000. He also holds a Technician class amateur radio license (KG4BSY), which he uses primarily for rocket telemetry and investigating cool new wireless applications.
Bruce Potter - Trusted Computing: Could it be... SATAN?
Trusted computing is not inherently evil. It sounds scary, but it's true. While the public perception of trusted computing is that content providers will use trusted computing to enforce their digital rights and take away our civil liberties (whew! a mouthful), the reality is that there is a lot of good to be done by trusted computing.
For more than thirty years, computer scientists have been trying to find ways to make trusted computing a reality. Unfortunately the technology simply wasn't there, and info sec folk and hackers alike have spent their time chasing an impossible dream. Now we finally have the ability to have trusted hardware in general purpose devices and we need to figure out what to do with it. Everything we know about security changes with trusted computing...firewalls, SSL transactions, and even SMS have very different concerns with trusted computing than they do now. This talk will attempt to dispel some of the myths of trusted computing, discuss the current state of trusted hardware, and examine how software will change due to the TPM. Heck, we'll even have some tools for you to play with on your TPM-enabled hardware.
Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has coauthored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton.
The proliferation of malware is a serious problem, which grows in sophistication and complexity every day, but with this growth comes a price. The price that malware pays for advanced features and sophistication is increased vulnerability to attack. Malware is a system, just like an OS or application. Systems employ security mechanisms to defend themselves and also suffer from vulnerabilities which can be exploited. Malware is no different.
Malware authors are employing constantly evolving techniques including binary obfuscation, anti-debugging and anti-analysis, and built-in attacks against protection systems such as anti-virus software and firewalls.
This presentation will dig into these techniques and explain the basics. The idea of an open source malware analysis and research community will be explored. All the things the anti-virus vendors don't want you to know will be discussed. Methods for bypassing malware's security systems will be presented. These methods include detecting and defeating packers/encoders, hiding the debugger from the malware, and protecting analysis virtual machines. We will hack the malware.
Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. Valsmith is a member of the Cult of the Dead Cow NSF. He also works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project.
Danny Quist (Chamuco) is a computer security professional who has been interested in malware and hacking ever since the Michelangelo computer virus was released many years ago. He has written several defensive systems to mitigate virus attacks on networks and developed a generic network quarantine technology. He consults with both private and public sectors on system and network security projects. His interests include malware defense, reverse engineering, exploitation methods, virtual machines, and automatic classification systems.
Smart phones are the new favorite target of many attackers. Also, most current attacks are harmless, since these mostly rely on user mistakes or lack of better knowledge. Current attacks are mostly based on logic errors rather than code injection and are often only found by accident. The talk will show some real attacks against smart phones and the kind of vulnerability analysis which led to their discovery.
Collin Mulliner is a computer science student/researcher and a member of the trifinite.group. Collin's main interests are mobile devices, their security and pretty much everything that is somehow related. Collin started poking PalmOS-based PDAs in 1997, and by now has laid his hands on pretty much every existing type of portable device. In recent years Collin was mainly messing around with Bluetooth and created the first Bluetooth port-scan
Greg White - The National Collegiate Cyber Defense Competition
Security competitions have been of interest to many individuals for a number of years. The popularity of the annual Defcon competition demonstrates the level of interest in these events. This talk will discuss the creation of the National Collegiate Cyber Defense Competition which was held in April 2006. A brief history covering the development of this competition will be covered as well as a discussion of the event itself. The results of the competition will be presented as well as the lessons learned from it and the plans to hold similar future events. A description of the hardware and software used as well as the network configuration and red team composition and activity will also be addressed.
Dr. Gregory White has been involved in computer and network security since 1986. He spent 19 years on active duty with the Air Force and is currently in the Air Force Reserves assigned to the Pentagon. He obtained his Ph.D. in computer science from Texas A&M University in 1995. His dissertation topic was in the area of Computer Network Intrusion Detection and he continues to conduct research in this area. He is currently the Director for the Center for Infrastructure Assurance and Security and is an Associate Professor of Computer Science at The University of Texas at San Antonio (UTSA).
Dr. White has been involved in security instruction for a number of years. He taught at the U.S. Air Force Academy for seven years where he developed and taught two courses on Computer Security and Information Warfare. For the last two years, he has been heavily involved in developing and promoting the idea of conducting an annual collegiate cyber security competition.
In 2002, Dr. White was chosen to direct the Dark Screen cyber terrorist exercise conducted in San Antonio, Texas. This exercise, the first of its kind, brought together over 225 individuals from the military, various levels of government, industry and academia to examine the ability of San Antonio, Bexar County and surrounding region to react to a cyber attack on the area's critical infrastructures. The event, which also had representatives from state and federal agencies, received national attention and expanded its scope to an even larger exercise in 2003. Since then he has been in charge of other sector-based and community exercises around the country.
Dr. White has written and presented numerous articles and conference papers on security. He is also the co-author for six textbooks on computer and network security and has written chapters included in two other security books.
Scott Moulton - Rebuilding Hard Drives for Data Recovery; Anatomy of a Hard Drive
Every hard drive will die a quick and sudden death sooner rather than later. What happens after that death can be very important to your data and become the deciding factor in its survival. We will display the inner workings of a hard drive in a beautiful animation and discuss the successes and failures in rebuilding a hard drive. We will teach you what to look for and how to accomplish this task on your own. We will delve into the platters and heads to show you when there is a good probability of success. Have you ever wondered how data recovery houses can rebuild your drive and put your data back together? The animated presentations will make it clear how rebuilding a hard drive can save your data and your money.
Scott Moulton was the first person arrested for port scanning in January of 2000. During the defense, Scott found he had to train his lawyers on the technical aspects of computers in order to defend himself. This began his forensic computer career with a specialty in rebuilding hard drives for investigation purposes.
Many times working on a case, Mr. Moulton will be given hard drives that had already failed in an effort to "blame" the opposition or to slow down the work and cost the opposing forces more money. To combat the "blame" scenario, Mr. Moulton developed a skill at rebuilding hard drives and recovering data. In the five years since its inception, Mr. Moulton has handled many complex cases that include homicide, embezzlement, theft, divorce, child pornography and corporate fraud and continues to combat dead hard drives to this day.
It's been a year since Major Mal gave his talk on hotel IR systems, and things haven't got any better... In fact, they've got worse. No, wait a minute...that's not right... They've *stayed* worse!! Having plumbed the depths of the IR in his room, and finding himself with little else to do, Major turned his attention to another piece of technology easily to hand: his magstripe room key... Now these have been around since Mary checked into her stable, and every hotel on the planet is using them, so they *must* be secure, right? Right??? OMFG, wrong! So wrong it'll make your head spin... In this talk Major Malfunction will expose not only how easy it is to bypass security mechanisms built into various magstripe technologies such as hotel doorkeys, train tickets, credit cards etc., but will also take a sideways look at how they might be leveraged to provide attack vectors on other in-house systems, such as passenger ticketing systems, bank clearing houses, hotel billing... OK, OK, enough already! We can fix this! All we need is some new technology, like, errr...RFID! That's it! That'll do the trick! Right? Right????
Major Malfunction lives in a fantasy world. He believes he works by day in the security industry, advises corporate, government, police and military, has a base in a secret underground nuclear bunker, and a network of collaborators all over the world involved in dark mysterious missions. He legally indulges his love of firearms in a country that prohibits them, swaps souvenirs with TLAs from all over the world, and generally swans about the UK like he owns the place... If you look closely, the man is obviously James Bond... No, not that closely... Back a bit and squint so you can't see his paunch... That's it! There, you see? What's that bulge under his armpit? James Bond, definitely.
Thomas Holt - Exploring the Changing Nature of Defcon Over the Past 14 Years
Defcon began in 1993 as an "orgy of information exchange, viewpoints, speeches, education, enlightenment...and most of all sheer, unchecked PARTYING." (Defcon 1 Announcement, 1993). Fourteen years later, the convention is one of the most established hacker conventions, and is defined as "the largest underground hacking convention in the world." However, significant social and technological changes have occurred during this period. The growth of the Internet, the increased need for computer security and the increasing significance of computer crime may have critically affected the shape and scope of the convention over time. This talk will critically examine the Defcon convention over the past 14 years to understand the ways the con has changed, using previous convention materials, including programs, panels, and websites. The content, nature, and scope of the convention will be considered, including the number and types of presentations, as well as the presenters' credentials. This information will be assessed to consider what this says about the nature of the convention and the underground after 14 years. Audience participation is welcomed to inform this discussion and provide first hand insight into the past, present, and future of Defcon.
Dr. Thomas J. Holt is an assistant professor in the Department of Criminal Justice at the University of North Carolina at Charlotte specializing in computer crime and technology. His research interests include a variety of topics in computer and cybercrime, especially hackers and hacking. Over the past few years, Dr. Holt has examined the elements that compose hacker subculture, as well as hacker social organization through multiple data sources. His primary goal is to understand various social aspects of hacking and the computer underground from the hacker's perspective. Dr. Holt has also given a number of different talks on computer crime issues and published on computer crime victimization around the globe.
In this day and age, forensics evidence lurks everywhere. The task presented to modern forensics investigators is a daunting one. During this talk, you'll slip into the shoes of an uber-agent hot on the trail of the illustrious Knuth from the Stealing the Network series. Haven't read the latest installation? You should. How would YOU catch a guy that MELTED his hard drive platters and sanded down all his CDs? Where's the evidence? That's the question of the hour. Answer it correctly and you could win any number of cool prizes.
Now that the talk description you can show your boss is out of the way, what's this really about? Think of it as the hacker's version of "Where's Waldo." You'll laugh. You'll learn. You'll cry when you realize the answer was staring you right in the face. You'll scream when you're caught in the mosh pit of the full-on frenzy of the bonus prize rounds. Forget Waldo. This is HALO 2 meets hacking. Get your game on. Got no coordination, no reflexes, no skillz, and no eye for detail? Come anyway.
Come have some fun, and learn how the feds put the smack down on even the most paranoid among us.
Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com.
Strom Carlson - Hacking FedEx Kinko's: How Not To Implement Stored-Value Card Systems
ExpressPay is a stored-value cash card system which utilizes the Infineon SLE4442 chip; it was developed by enTrac Technologies of Toronto, Ontario, and its largest application is as the pre-paid cash card system in use at FedEx Kinko's. Analysis of a few dozen cards reveals that the data stored on the card is unencrypted and poorly protected against fraud, and a simple attack can be used to obtain the security code necessary to alter the data on the card. This talk will step the audience through the analysis, research, attack, and subsequent tests performed on the ExpressPay system, and conclude with recommendations on how to implement a more secure stored-value card system.
Strom Carlson is a hardware security researcher at Secure Science Corporation, the organizer of the Los Angeles area Defcon Groups chapter (DC213), and the co-host of Binary Revolution Radio. He enjoys tinkering with technology, playing with telephones, and having a good time with whatever he happens to be involved in.
Robert Clark - Legal Aspects of Internet & Computer Network Defense - A Year in Review Computer and Internet Security Law 2005-2006
This presentation looks at computer network defense and the legal cases of the last year that affect Internet and computer security. This presentation clearly and simply explains (in non-legal terms) the legal foundations available to users and service providers to defend their networks. Quickly tracing the legal origins from early property common-law doctrine into today's statutes and then moving into recent court cases and battles. We will look at the past criminal prosecutions and precedents, both civil and criminal, since we last met a year ago. As always, this presentation will quickly become an open forum for questions and debate.
Major Robert Clark is the Command Judge Advocate for the Army's 1st Information Operations Command. As the sole legal advisor, his primary duty is to advise the Army's Computer Network Operations Division on all aspect of computer operations and security. This role has him consulting with the DoD Office of General Counsel, NSA, and DoJ Computer Crime and Intellectual Property Section. He lectures at the Army's Intelligence Law Conference and at the DoD's Cybercrimes Conference.
Jack Grove tries to stop his racing heart as he slips into a dark, dingy alley. His paranoia is getting the best of him as he looks behind him. No one is following him, but he senses they are coming. He is afraid. The hack hadn't gone down as planned. Damn it, he was supposed to have taken everything into account; he got sloppy. He knew his only saving grace was that no one would be able to recover his laptop. Not after what he did to it.
Jack pulls out his cell phone to make what will soon be his last phone call.
He looks around anxiously to make sure that he is alone before making the most important call of his life. He notices a man digging through a trash can. He decides not to risk the man overhearing him and chooses to send a text message instead. With his palms starting to sweat he texts:
"net hax. Hidn. Dngr. Plan?"
Just as the send button is pushed the alley is swarming with agents. Jack is thrown up against a wall. Agents begin to frisk him and take the remains of his hack from him. His cell phone, PDA, and iPod are all that is left of his digital task.
He watches and wonders whether they will find anything to tie him to what has just happened as he is taken away into custody.
Back at the crime lab, the agency's uber-geek lab babes Amber and Tyler are under the gun to get this case solved. Someone on top thinks it is personal and wants Jack Grove. The two ladies are used to the pressure, and know they are tops in the crime lab when it comes to the bizarre bits and bytes of devices. They start their examination on the three items from the scene: the cell phone, the PDA, and the iPod.
Can these two super sleuths use digital forensics on the few devices recovered to figure out what Jack Grove was up to, who his accomplices were, and find the evidence needed to prosecute?
By using this scenario, Amber and Tyler will bring the audience into the crime lab with them, taking the devices from seizure to analysis and showing where Jack Grove has left his digital fingerprints. Once the fingerprints are gathered, the audience will work with these two examiners to piece together the case, solve the crime, and prove Jack's innocence or guilt.
The audience will gain an overall understanding of digital forensic handling and procedure. Details of what can be recovered from some of these unique digital storage devices will be demonstrated.
Amber Schroader has been involved in the field of computer forensics for the past seventeen years. During this time, she has developed and taught numerous courses for the computer forensic arena, specializing in the field of wireless forensics as well as mobile technologies. Ms. Schroader is the CEO of Paraben Corporation and continues to act as the driving force behind some of the most innovative forensic technologies. As a pioneer in the field, Ms. Schroader has been key in developing new technology to help investigators with the extraction of digital evidence from hard drives, e-mail, and handheld and mobile devices. Ms. Schroader has extensive experience in dealing with a wide array of forensic investigators, ranging from federal, state, and local to corporate. With an aggressive development schedule, Ms. Schroader continues to bring new and exciting technology to the computer forensic community worldwide and is dedicated to supporting the investigator through new technologies and training services that are being provided through Paraben Corporation. Ms. Schroader is involved in many different computer investigation organizations, including The Institute of Computer Forensic Professionals (ICFP), HTCIA, CFTT, and FLETC.
Tyler Cohen is an instructor and developer for the Department of Defense Cyber Crime Center. Her specialties are digital forensics, network intrusions, and conducting forensic exams with the iPod and other alternative media devices. She presents her expertise at various conferences all over the country, including the Department of Defense Cyber Crime Conference, the International High Technology Crime Investigation Association, and the California District Attorney's Cyber Crime Conference.
EFF Panel - Ask EFF: The Year in Digital Civil Liberties
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping, cellphone tracking by the government, bloggers' rights and online journalism, the Sony rootkit scandal, Hollywood's latest attempts to control technology development, and more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.
Cindy Cohn is the Legal Director for the Electronic Frontier Foundation as well as its General Counsel. She is responsible for overseeing the EFF's overall legal strategy and supervising EFF's 7 staff attorneys. Outside the courts, Ms. Cohn has testified before Congress, been featured in the New York Times, San Francisco Chronicle and elsewhere for her work on cyberspace issues, and been interviewed on the BBC, NPR, CNN, CBS News and the Newshour, and by the Economist, Wall Street Journal, Washington Post and many other online and offline media outlets. In 1997, as a result of her work on Internet issues, Ms. Cohn was named one of the "Lawyers of the Year" by California Lawyer magazine. In 2001, Ms. Cohn and the EFF were honored by the Editorial Board of the Daily Journal.
Kevin Bankston, an EFF staff attorney specializing in free speech and privacy law, was EFF's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.
Danny O'Brien is the Activist Coordinator for the EFF. His job is to help our membership in making their voice heard: in government and regulatory circles, in the marketplace, and with the wider public. Danny has documented and fought for digital rights in the UK for over a decade, where he also assisted in building tools of open democracy like Fax Your MP. He co-edits the award-winning NTK newsletter, has written and presented science and travel shows for the BBC, performed a solo show about the Net in London's West End, and once successfully lobbied a cockney London pub to join Richard M. Stallman in a spontaneous demonstration of Bulgarian folk dance.
Kurt Opsahl is a Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arriba Soft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and his undergraduate degree from U.C. Santa Cruz. Opsahl co-authored the Electronic Media and Privacy Law Handbook.
Seth Schoen created the position of EFF Staff Technologist, helping other technologists understand the civil liberties implications of their work, EFF staff better understand the underlying technology related to EFF's legal work, and the public understand what the technology products they use really do. Schoen comes to EFF from Linuxcare, where he worked for two years as a senior consultant. While at Linuxcare, Schoen helped create the Linuxcare Bootable Business Card CD-ROM. Prior to Linuxcare, Schoen worked at AtreNet, the National Energy Research Scientific Computing Center at Lawrence Berkeley National Laboratory, and Toronto Dominion Bank. Schoen attended the University of California at Berkeley with a Chancellor's Scholarship.
Jason Schultz is a Staff Attorney specializing in intellectual property and reverse engineering. He currently leads EFF's Patent Busting Project. Jason also teaches graduate classes on Cyberlaw at UC Berkeley's Boalt Hall School of Law and School of Information. Prior to joining EFF, Schultz worked at the law firm of Fish & Richardson P.C., where he spent most of his time invalidating software patents and defending open source developers in law suits. While at F&R, he co-authored an amicus brief on behalf of the Internet Archive, Prelinger Archives, and Project Gutenberg in support of Eric Eldred's challenge to the Sonny Bono Copyright Term Extension Act. Prior to F&R, Schultz served as a law clerk to the Honorable D. Lowell Jensen and as a legal intern to the Honorable Ronald M. Whyte, both in the Northern District of California federal court system. During law school, Schultz served as Managing Editor of the Berkeley Technology Law Journal and helped found the Samuelson Clinic, the first legal clinic in the country to focus on high-tech policy issues and the public interest. Schultz also has undergraduate degrees in Public Policy and Women's Studies from Duke University. Jason maintains a personal blog at http://lawgeek.net.
Chris Paget - US-VISIT: Raping Personal Privacy Since 2004
In 2004, the Department of Homeland Security began the deployment of the US-VISIT system for tracking visitors to the United States. Since that time, the capabilities of US-VISIT have increased dramatically; US-VISIT now incorporates a number of controversial technologies which violate the privacy, anonymity, and overall security of visitors to the USA in significant ways.
In this talk, the technology and capabilities of US-VISIT will be explained in detail; weaknesses in the system will be explored, and the consequences of such a system will be considered. If you are a foreign national visiting the USA, a US citizen who is concerned about what DHS has in store for you, or just curious about what US-VISIT does and how it works, this is the talk for you.
Chris Paget is the Director of Research and Development for IOActive Inc, based in Seattle. Recently, Chris has been working on the "biggest independent security audit in history": the Final Security Review of Windows Vista. Chris is an expert on Windows architecture and security, a privacy advocate, a British expatriate, a helicopter pilot, and a Code Red junkie.
Scott Miller - A New Bioinformatics-Inspired and Binary Analysis: Coding Style/Motif Identification
Security analysis is severely complicated by the size and abundance of executable code. Existing concepts and code can be combined, obfuscated, packed, and hidden toward the ends of evading detection and frustrating analysis. Is that patch fixing the problem it claims to fix? Have you seen that malicious code before? Have you seen these particular motifs/style before?
All very interesting questions, some of which can be addressed using existing tools/techniques. This talk looks at a new tool, inspired by a scored string match used for genetic analysis: the Basic Local Alignment Search Tool (BLAST). Can this tool identify motifs common to UPX? Can this tool identify code generated by different versions of GCC? Does this tool provide similar Malware classifications to other tools?
The talk will include an overview of the technique, demonstration of the use of the new tool set (binBLAST), and its performance.
Scott Miller has recently graduated from the New Mexico Institute of Mining and Technology; the technique of this presentation was developed in his Master's thesis, "A Bioinformatics Approach to the Security Analysis of Binary Executables." While pursuing his master's degree, he also considered a number of topics including human infection/immunity, natural language steganography, self-sustaining high-availability intrusion prevention systems, and secure compiler construction.
Teli Brown - Phishing, It Starts With "Ph" for a Reason
When banks and other financial institutions, because of online attacks from phishers, tell their customers to give personal information (e.g., credit card number, Social Security Number, etc.) only via the telephone, that's when phishers get creative, go back to the roots of phishing, and blend them with some new technologies.
Teli Brown has done security consulting for major telecommunications companies, aiding in tracking terrorist and malicious telephone users. He has also done massive amounts of testing with number delivery in SS7, and was able to identify and backtrace the flaw in SS7 that allowed people to change their "Charge Number." He now spends his time consulting for small businesses on voice services.
In 2002 the President issued an Executive Order authorizing the National Security Agency (NSA) to wiretap phone and email communications involving United States persons within the U.S., without obtaining a warrant or court order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), which prohibits such unauthorized electronic surveillance. This talk investigates the technology timeline regarding this contentious activity. The surveillance threat to liberty consists of multiple and overlapping collection efforts by various agencies, targeted against all available sources of information and supported through several pieces of legislation. For this reason, the balance between technological capability and privacy will continue to remain a major concern in the future.
Tim O'Neill instructs various engaging INFOSEC and OPSEC courses as an adjunct professor with the Division of Extended Studies at Boise State University. Working extensively with the National Security Agency's Information Assurance Directorate (NSA IAD), he was successful in designing and implementing the first NSA-accredited curriculum for the Information Assurance Courseware Evaluation Program at Boise State University in accordance with the Committee on National Security Systems (CNSS) National Standards 4011 & 4013. As an associate of the FBI's Infragard Salt Lake City, Utah chapter, he works to provide assistance, expertise and resources relating to information security vulnerabilities, policy development and computer security best practices. His most recent speaking and organizing initiatives are: the 2005 National OPSEC Conference & Exhibition, 2005 Gowen Field OPSEC briefs, 2005 BSU Fraud & ID Theft conference, and 2005 NWFIA conference. Additionally, Tim O'Neill is part of a collaborative effort with the Better Business Bureau to form a regional small business training group, fostering trust and partnerships throughout business and industry, while providing risk mitigation, education, training and research modalities.
Charles Edge - 10 Ways To Not Get Caught Hacking On Your Mac
It's hard to prosecute someone if you can't prove what they did. In this session, we will quickly cover 10 easy ways to cover your tracks using Mac OS X. The features of Mac OS X at the GUI level were in a lot of ways designed to cater to the paranoid (e.g., Steve Jobs). Under the hood, using some easily scriptable techniques, you can cover your tracks in a way that makes it easy to hide both what you've done and your identity.
In this session, we will quickly cover some of the techniques that can be used to cover your tracks using case studies that illustrate ways that we have pieced together evidence as a starting point. Using a little bit of forensic evasion can go a long way to keep you free. This might also be interesting for forensic enthusiasts who can learn ways around these techniques.
Charles Edge began his consulting career working with Support Technologies, Andersen Consulting and Honda to name a few. In January of 2000 Charles arrived at Three18, a boutique consulting firm in Santa Monica, California. At Three18, Charles has worked with Network Architecture, Security and Design for a wide range of clients. As a partner at Three18 Charles manages a team of engineers, security professionals and programmers.
His first book, "Mac Tiger Server Little Black Book" is available through Paraglyph Press. His second book, "Web Admin Scripting Little Black Book" is also available through Paraglyph Press. The latest title Charles is working on is Mac Security Essentials.
Melanie Rieback - A Hacker's Guide to RFID Spoofing and Jamming
Radio Frequency Identification (RFID) tags are remotely-powered data carriers that augment physical objects with wireless computing abilities. This allows us to create smart homes and offices, optimize our supply chains, and keep a watchful eye on our pets, livestock, and kids. But unfortunately, RFID security and privacy issues have been addressed as an afterthought; it is regretfully easy to interfere with RFID systems, as many rely upon the integrity of RFID tag data for their correct functioning. To illustrate these problems, we have built a handheld device that performs RFID tag spoofing and selective RFID tag jamming (a bit like an "RFID firewall"). Compatible with the ISO 15693/14443 13.56 MHz RFID standards, our device is battery-powered and fits into a shirt pocket. This presentation will explain the "nuts and bolts" of RFID tag spoofing and jamming attacks, and will conclude with a live practical demonstration of these attacks.
Melanie Rieback is a Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID privacy management (RFID Guardian) and RFID security (RFID Malware) projects. Melanie's recent work on RFID Malware has attracted worldwide attention, appearing in the New York Times, Washington Post, Reuters, UPI, de Volkskrant, Computable, Computerworld, Computer Weekly, CNN, BBC, Fox News, MSNBC, and many other print, broadcast, and online news outlets. Melanie has also served as an invited expert for RFID discussions involving both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the MIT Center for Genome Research / Whitehead Institute. She was part of the public genome sequencing consortium, and is listed as a coauthor on the seminal paper "Initial Sequencing and Analysis of the Human Genome", which appeared in the journal Nature.
James Christy - Meet the Feds: OODA Loop and the Science of Security
The OODA Loop theory was conceived by Col. John Boyd, AF fighter pilot. He believed that a pilot in a lethal engagement that could Observe, Orient, Decide, and Act (OODA) before his adversary had a better chance to survive. He considered air combat an art rather than a science. John Boyd proved air combat could be codified; for every maneuver there is a series of counter maneuvers and there is a counter to every counter. Today, successful fighter pilots study every option open to their adversary and how to respond. This panel's focus is on the government efforts to try to get inside the cyber adversary's OODA Loop and survive another type of potential cyber lethal engagement.
SA Jim Christy, Director, Defense Cyber Crime Institute (DCCI). Supervisory Special Agent Jim Christy is the Director of the Defense Cyber Crime Institute (DCCI), Defense Cyber Crime Center (DC3). The DCCI is responsible for the research & development and test & evaluation of forensic and investigative tools for the DoD Law Enforcement and Counterintelligence organizations. The Institute is also charged with intelligence analysis, outreach, and policy for DC3. Jim is an Air Force Office of Special Investigations Computer Crime Investigator. SA Christy has been a computer crime investigator for over 20 years.
Jason Beckett, New South Wales Police in Sydney, Australia. Jason Beckett is the Director of the State Electronic Evidence Branch of the Special Services Group for the New South Wales Police in Sydney, Australia. He was an Inspector with the Special Services Group before moving to the corporate world as the Director of Forensics for a multinational consultancy firm. In 2003 he was invited back to the New South Wales Police Force to establish Australia's largest forensic computing laboratory. Jason has more than a decade of experience in electronic evidence and forensic computing. He has trained nationally and internationally in forensic computing and electronic evidence, including training with many international law enforcement agencies. He holds numerous tertiary qualifications in computer science, engineering and forensic computing and is currently completing a PhD in forensic computing.
Michael J. Jacobs, Vice President and Director, Cyber and National Security Program SRA International, Inc. Michael Jacobs joined SRA in October 2002 as a Senior Advisor following his retirement from the federal government after 38 years of service. In March 2003 he was appointed Director of SRA's Cyber and National Security Program. Prior to SRA, Mr. Jacobs was the Information Assurance (IA) Director at the National Security Agency (NSA). Under his leadership, NSA began implementing an Information Assurance strategy to protect the Defense Information Infrastructure and as appropriate, the National Information Infrastructure. He was responsible for overseeing the evolution of security products, services, and operations to ensure that the federal government's national security information was free-flowing, unobstructed and uncorrupted.
Mr. Jacobs had a long and distinguished career at the National Security Agency where he served in key management positions in both the Intelligence and IA mission areas. He served as the Deputy Associate Director for Operations, Military Support where he was responsible for developing a single, coherent military support strategy for NSA. During his 38 years of NSA service, Jacobs was a leader in Information Systems Security production and control, policy and doctrine and customer relations. He has testified before Congress on defense issues and has spoken widely on topics ranging from IA to cultural diversity. For his vision, dedication, and accomplishments, he has been recognized by the Department of Defense with the Distinguished Civilian Service Medal; by the Director Central Intelligence with the Intelligence Community's Distinguished Service Award; and by NSA with the Exceptional Civilian Service Award. In addition, he has been awarded the National Intelligence Medal of Achievement and was twice awarded the Presidential Rank Award for Meritorious Achievement.
Ken Privette, USPS OIG. Ken presently works as the Special Agent in Charge of the Computer Crimes Unit (CCU) at the USPS Office of Inspector General. His unit conducts computer intrusion investigations and provides computer forensics support to a force of over 450 agents who conduct fraud investigations for the U.S. Postal Service. Ken spent most of his professional life as a Special Agent with the Naval Criminal Investigative Service, both overseas and stateside, where he conducted investigations involving computer crime, terrorism, and counterintelligence matters, in addition to an assignment with the Defense Information Systems Agency Computer Emergency Response Team.
Keith Rhodes, CTO, Government Accountability Office (GAO). Mr. Rhodes is currently the Chief Technologist of the U. S. Government Accountability Office and Director of the Center for Technology & Engineering. Mr. Rhodes has been the senior advisor on a range of assignments covering continuity of government & operations, export control, computer security & privacy, e-commerce & e-government, voting systems, and various unconventional weapons systems. Before joining GAO, he was a supervisory scientist leading weapons and intelligence programs at the Lawrence Livermore National Laboratory.
David A. Thomas was designated a Special Agent of the FBI in 1989. After completing more than a dozen years of supervisory and leadership roles in areas such as violent crime, domestic terrorism, and national infrastructure protection, Mr. Thomas was appointed Chief of the Cyber Division's Criminal Computer Intrusion Unit in 2001. As Chief of CCIU, Mr. Thomas directed the FBI's efforts on many large-scale cyber investigations. He was promoted to Assistant Special Agent in Charge of the St. Louis Field Office in April 2003. In July 2004, Mr. Thomas was promoted to the position of Chief of Counterterrorism/Counterintelligence and Criminal computer intrusion investigations. Additionally, he is responsible for development of the FBI's Cyber Intelligence Unit and Cyber Action Teams, which deploy domestically and internationally in response to major cyber events.
Tim Fowler, NCIS. Tim is an active duty Marine Special Agent who has worked as a Cyber Agent for the NCIS Cyber Department in Washington, DC, for the last six years. Tim has 19 years of active duty service in the U.S. Marine Corps working in the fields of military police, polygraph, criminal investigations and computer crime investigations and operations. While working as a Cyber Agent for NCIS, Tim specializes in conducting criminal, counterintelligence and counter-terrorism computer crime investigations and operations. Tim also has extensive knowledge and experience conducting media exploitation operations in hostile environments. In 2004, Tim was awarded the Bronze Star with combat Valor device by the Secretary of the Navy for his media exploitation efforts in Iraq.
Jay Beale - Discovering Mac OS X Weaknesses and Fixing Them With the New Bastille OS X Port
The Mac OS X operating system is beautiful, but it's not as secure as you think. It's mostly Unix under that shiny GUI and while we've come to expect a very locked down system from recent Unix/Linux releases, that expectation isn't entirely realistic when it comes to OS X. For instance, the firewall GUI tool makes it seem like you can create a default-deny firewall that only lets packets from established sessions in. The firewall it produces, though, is full of holes! Whatever you do, don't take your OS X laptop onto the wireless network here! Write your own replacement or take the one we'll offer in this talk, where we'll introduce the new OS X port of the popular Bastille Linux system lockdown and audit tool, Bastille OS X.
Bastille increases the security of OS X systems. It starts by building a real firewall configuration that you can tune to your needs. It continues by deactivating services like the information-leaking Bonjour service, which a remote attacker can use to get your Security Update (patch bundle) level, hardware versions and machine name. Finally, it configures the remaining operating system components, doing things like isolating local users from the service that gives them the length of all users' passwords. There's a lot more than that, though. Come learn about OS X security, learn how to harden and see the newest part of the Bastille family: Bastille OS X!
Jay Beale is an information security specialist, well known for his work on mitigation technology, specifically in the form of operating system and application hardening. He's written two of the most popular tools in this space: Bastille Linux, a system lockdown and audit tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. He also focuses his energies on the OVAL project, where he works with government and industry to standardize and improve the field of vulnerability assessment. Jay is also a member of the Honeynet Project.
Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and the now-defunct SecurityPortal.com. He has worked on five books in the Information Security space. Three of these make up his Open Source Security Series, while two are technical works of fiction in the "Stealing the Network" series.
Jay makes his living as a security consultant with the firm Intelguardians, which he co-founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery and Jim Alderson, where his work in penetration testing allows him to focus on attack as well as defense. Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution.
Lukas Grunwald - First We Break Your Tag, Then We Break Your Systems Attacks to RFID Systems
This talk provides an overview of new RFID technology used for dual-interface cards (credit cards, ticketing and passports), and of RFID tags with encryption and security features.
Problems with these security features are discussed and attacks against them are presented. After dealing with the tags, an overview of the rest of an RFID implementation, the middleware and backend database, is given, together with the results of special attacks against this infrastructure. At the end of this talk there is a practical demonstration of the attacks discussed.
Lukas Grunwald works for a German security company and has over 20 years of security experience. As a hobby he writes for iX Magazine and other security publications. He is also the head of the Hacking Lab, where new technology is evaluated.
The ability to both conceal and detect hidden data on the hard drive of a compromised computer represents an important arms-race between hackers and forensic analysts. While rootkits and other kernel manipulation tools make hiding on live systems fairly easy, the trick of hiding data from forensic tools and offline drive analysis is much more difficult. In this presentation, we will review traditional data hiding techniques, examine their strengths and weaknesses, and then explore more advanced methods of data hiding which go beyond the detection capabilities of current forensics tools. Further attention will be given to enabling transparent access to hidden file systems while also minimizing detection, ensuring data confidentiality, and providing robustness against corruption. The culmination of our research will be demonstrated in an advanced data hiding methodology and corresponding forensic detection utility.
Irby Thompson is currently a Senior Security Engineer for the Advanced Technology Laboratories of Lockheed Martin. His early interest in computer security led to a career in network and host security with a focus on operating system security and applied cryptography. Irby's past experience includes the design and development of a secure email system including features such as guaranteed read-receipts, message expiration, one-time read, and un-send capabilities. He holds a master's degree in information security from Georgia Tech and a bachelor's degree in computer science, math, and management of technology from Vanderbilt University.
Mathew Monroe has a BS in electrical and computer engineering with an additional major in mathematical sciences from Carnegie Mellon University, and is currently pursuing graduate studies there. He is an accomplished developer specializing in embedded systems and computer security. In addition, Mathew has experience designing and implementing high performance distributed file systems and applications. He is currently a Senior Security Engineer at the Lockheed Martin Advanced Technology Laboratories. Prior to this post he implemented, deployed, and tested Lustre file systems on Lawrence Livermore National Laboratory's MCR and ACL clusters and Pacific Northwest National Laboratory's rx2800 cluster. The Lustre file system is an advanced high performance distributed file system used by a number of the world's top supercomputers. In addition, Mathew designed and implemented firmware and low-level file system code for network attached storage devices at Spinnaker Networks (now Network Appliance).
Apple claims not to care about the enterprise market, but there is no doubt that Apple networks are growing. The number of Apple systems in enterprise networks is growing as well. For security purposes it is becoming more and more important to manage these systems in the same way that we manage Windows clients.
In this session we will cover the tools that Apple and some 3rd party organizations have been quietly building for use in these environments. We will also cover the methods Apple has started using to facilitate running security updates on their workstations.
Charles Edge began his consulting career working with Support Technologies, Andersen Consulting and Honda to name a few. In January of 2000 Charles arrived at Three18, a boutique consulting firm in Santa Monica, California. At Three18, Charles has worked with Network Architecture, Security and Design for a wide range of clients. As a partner at Three18 Charles manages a team of engineers, security professionals and programmers.
His first book, "Mac Tiger Server Little Black Book" is available through Paraglyph Press. His second book, "Web Admin Scripting Little Black Book" is also available through Paraglyph Press. The latest title Charles is working on is Mac Security Essentials.
Strom Carlson - Social Message Relay: Using Existing Social Networks to Transmit Covert Messages in Public
In the age of NSA phone taps, mandatory data retention, CALEA, the PATRIOT Act, and national firewalls, establishing a truly covert communications channel without leaving a trail is becoming almost impossible. Even when strong encryption is used to protect the message, government agencies now have the ability to use pattern analysis to pinpoint almost all participants in the conversation. Without tremendous diligence, truly anonymous communication is almost impossible.
But what if you could skip having to create the communications channel entirely? What if you could have unwitting, or even willing, third parties spread your message for you? The larger the network of people spreading the message, the more difficult traffic analysis becomes as the signal-to-noise ratio increases. Convenient anonymity for the sender and recipient of the message becomes possible again.
The presenters will demonstrate how they were able to create a publicly available communications channel and use thousands of unwitting participants to spread their encrypted messages. The presentation will also include speculations on how to create networks designed to foil traffic analysis attempts, and observations about the culture of the online cryptographic community, and the nature of collaborative problem solving.
Strom Carlson is a hardware security researcher at Secure Science Corporation, the organizer of the Los Angeles area Defcon Groups chapter (DC213), and the co-host of Binary Revolution Radio. He enjoys tinkering with technology, playing with telephones, and having a good time with whatever he happens to be involved in.
Raffael Marty - Visual Log Analysis - The Beauty of Graphs
Event and log analysis is becoming one of the main tools for security analysts to investigate and comprehend the state of their networks, hosts, and applications. Recent developments, such as regulatory compliance requirements and an increased focus on insider threat, have increased the demand for analytical tools to help in the process. Event correlation is one of the tools that helps address these challenges. However, the vast number of events still leaves analysts with enormous amounts of data to analyze manually, creating space for new tools to fill the gap.
Visualization of data has proven to be the approach generating the best return on investment. This talk takes a step-by-step approach to analyzing a log file, showing how AfterGlow (http://afterglow.sourceforge.net) can be used to analyze and understand a log file. The analysis will show how visualization can be used to detect portscans, policy violations, and misconfigurations. The talk will focus on using link graphs and treemaps to analyze the data sets.
The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data. The main tool used for the talk is AfterGlow, which in its current version supports a diverse set of operations to ease the analysis of log data.
Raffael Marty, GCIA, CISSP, is the manager of ArcSight's Strategic Application Solution Team, where he is responsible for delivering industry solutions that address the security needs of Fortune 500 companies, ranging from regulatory compliance to insider threat. Raffael initiated ArcSight's Content Team, which holds responsibility over all the product's content, ranging from correlation rules, dashboards and visualizations to vulnerability mappings and categorization of security events. Before joining ArcSight, Raffael worked as an IT security consultant for PricewaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research, where he participated in various intrusion detection related projects. His main project, Thor, was the first approach to testing intrusion detection systems by means of correlation tables. Raffael also serves on the MITRE OVAL (Open Vulnerability and Assessment Language) advisory board, is involved in the Common Vulnerability Scoring System (CVSS) standard and has presented on various occasions.
Kenneth Geers - IPv6 World Update: High Diplomacy & Monster Trucks
Governments around the world are investing serious time, effort, and money into the next gen Internet, based on IP version 6. With important mandatory and remarkably close deadlines looming for v6 deployment, much yet remains to be understood about its security and socio-economic implications as well as our readiness to fully embrace it. While Europe and Asia have been trailblazing IPv6 industry for years now, the U.S. Government has mandated that its organizations be IPv6-compliant by June 30, 2008, yet the vague definition of compliance has already confused many considering dual-stack, tunneled and/or native environments.
Imagine the bliss of IPv6 telematics, mobility, autoconfiguration, "mandatory IPSec" encrypted traffic and enough IPs to globally address everything with a battery or even a reference to a snippet of code for the world to access. Now imagine your firewalls and IDS sensors being blind to IPSec or even just cleartext 6to4 tunneled traffic. Debunking many myths, such as IPv6 "built-in security," prior to the transition is key as we watch the beloved IPv4 become legacy, say goodbye to NAT and the 6bone and welcome more DNSSEC, tunnel brokers and distributed PKI firewalls?!
This presentation will cover wide-ranging research the authors have conducted and the new paradigm shift necessary to approach IPv6 differently than IPv4, including interviews with some of the world's top thinkers about the sleeping giant. Whether it is yet another gov-hyped failed theory like GOSIP or it is here to stay, you will take away enormous insight into the work that you may be responsible for and dependent on over the next several years.
tommEE pickles (http://tommEE.net) presents an explanation of 802.1x networking: what 802.1x is and why we would use it. He explains how 802.1x might be used in a corporate environment, wireless or wired, and how you can start an 802.1x network and get your users on it. Hardware and software resources will be discussed and recommendations for free ways of accomplishing it will be presented. He will talk about the current problems and how to provide possible fixes for them.
tommEE pickles has been born, raised, and possibly living in New York City. He co-founded Moloch Industries in 1999. He is known for the 4 Defcon Cannonball Runs and his passion for streaming media and TiVo hacking. tommEE has worked for large streaming media providers, giving them solutions for streaming media security. He has also developed wireless networks for several large companies. He is also known for Birthdaycon during CES and AVN weekend.
In 2006, thousands of people will create applications based on the free Oracle 10g Express Edition. Even if this version of Oracle (based on Oracle 10g Rel. 2) is the most secure database from Oracle out of the box so far, there is still room for improvements. This presentation shows different possibilities to attack Oracle 10g Express Edition (and Oracle 10g Rel. 1 and Rel. 2).
With Oracle 10g, Oracle introduced some new security features (e.g. listener protection) which eliminate old attack vectors. But by introducing new features they also implemented new bugs and new possibilities for attack, such as SQL injection in new built-in packages and the built-in HTTPS server.
Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specializing in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and has given various presentations at security conferences like Black Hat, Bluehat and IT Underground. Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products.
Yuan Fan - MatriXay: When Web App & Database Security Pen-Test/Audit is a Joy
This talk will present a new web-app/DB pen-test tool. The tool supports both a proxy (passive) mode and direct URL targeting. It is a mixed tool: a systematic web application SQL injection pen-test tool and a WebApp/Database scanner/auditor, supporting the most popular databases used by web applications, such as Oracle, SQL Server, Access and DB2. It has many unique features, from automatic detection of the web application's backend database, to the ability to browse database objects (without the need to ask for a password, of course), to the ability to locate/search for any sensitive content inside the DB and to find further vulnerability points from source as well as privilege escalation.
Yuan Fan, GCIH, GCIA, CISSP, is the founder of DBAppSecurity Inc., which provides consulting services on enterprise security management, especially database and application security. His expertise spans from network layer to application/database layer security. Before that he worked 5+ years for ArcSight on connectors for a variety of security devices, and many years in the network management area. He holds a Master of Computer Engineering degree from San Jose State University. Last year, he presented on anomaly detection between the web application layer and the DB layer. This time he is going to show the brand new sword for the first time. The tool "MatriXay", designed and developed by him and his partner XiaoRong in their spare (night) time, is deemed promising from several aspects, including its deep pen-test framework and cross-database support (currently Oracle, SQL Server, DB2 and Access).
Zulu is a light weight 802.11 wireless frame generation tool to enable fast and easy debugging and probing of 802.11 networks. It has an intuitive command line interface and operates with the unmodified madwifi-ng and partially with PRISM based Linux network drivers. Individual fields in frames can be set or unset, generating frames that possibly violate the IEEE 802.11 protocol. It can generate all control, data, and management frame types and subtypes. The user-friendly command line options enable novice users to quickly generate custom frames with a combination of values placed in different frame fields. Zulu is freely available under the GNU license.
Damon McCoy has worked in a variety of industry and government positions. Currently he is a Doctoral Candidate in the Department of Computer Science at the University of Colorado at Boulder. He has also worked at Sandia National Laboratories in the Center for Cyber Defenders. Prior to this he worked for IBM in the Emergency Response Services group as a network security consultant. Before this he worked for both AT&T Research and Lucent Bell Laboratories.
Anmol Sheth is a doctoral candidate in computer science at the University of Colorado at Boulder. He received his B.S. in computer science from the University of Pune, India in 2001. His research interests include MAC layer protocol design, fault tolerant distributed wireless systems and energy-efficient wireless communication.
1. The Worldwide SSL Analysis. There's a major flaw in the way many, many SSL devices operate. I'll discuss how widespread this flaw is, as well as announce results from this worldwide SSL scan.
2. Syntax Highlighting...on Hexdumps. Reverse engineering efforts often require looking at hex dumps without much context for what's being looked at. I will discuss a "bridge" position between AI and manual operation in which compression code is used to automatically visualize patterns in analyzed data.
3. Everything else.
Dan Kaminsky, Dox Para Research. Formerly of Cisco and Avaya.
The Evolving Art of Fuzzing will be a technical talk detailing the current state of fuzzing and describing cutting edge techniques. Fuzzer types, metrics, and future research will be presented. Also, three of ASI's private fuzzer tools will be discussed. They will be released on the Defcon CD.
Jared DeMott is a vulnerability researcher for Applied Security, Inc. (ASI). Jared earned a master's degree from Johns Hopkins University and is currently pursuing a PhD at Michigan State University, with dissertation work to be done on fuzzing.
From the 1337 hax0rs that brought you Anonym.OS, kaos.theory/security.research presents SAMAEL (Secure, Anonymous, Megalomaniacal, Autonomous, Encrypting Linux), the natural evolution of our secure, automagically anonymizing operating system, Anonym.OS, into a kick-ass anonymizing server!
When kaos.theory released the Anonym.OS at ShmooCon in January of this year, we received many requests for features we had already planned to implement: media players, smaller distribution size, office suites, better speed, USB functionality, etc. "Sure," we collectively replied, "we'll get right on that."
But we didn't. We tried, but we realized that maintenance releases aren't 1337. Instead, we're back to release SAMAEL, a blackbox gateway that creates -- in a few simple steps -- a secure, anonymizing, transparent firewall and proxy server, protecting its users' love of sex, drugs, and rock and roll from embarrassing public disclosure (even better than the Kennedys).
Making use of Gentoo, Transocks, Tor, and sweet, sweet Python, SAMAEL provides all of the services expected in a modern Linux firewall, including DHCP, a Captive Portal, and Web-Based Administration! The guiding principle of Anonym.OS and its derivative projects has remained "Anonymity for Everyone;" kaos.theory's SAMAEL takes that motto to the next level.
But there's one more thing. And it doesn't involve sweatshop labor or black turtlenecks.
Getting useful, attractive reports out of scanning tools is a bitch. People pay vendors thousands just for some slick charts and graphs. Why? Because SQL is hard for a boot-camp MCSE. So get your "Security for Dummies" books and your free Nessus downloads ready, folks, because we've got scripts and queries all packaged up as pretty as your mom on a Friday night. kaos.theory's newest member, Jonathan White, joins atlas and crew to introduce NARC, the Network Analysis Reporting Console.
In its initial release, NARC can utilize output from common security tools like Nessus, Paros, and NMap to populate a database via automated scripts for reporting purposes. Version 0.DC14 also includes rudimentary reporting capabilities.
Across the past 9 years, Taylor Banks (aka dr.kaos) has written and delivered training and provided security consultation to thousands of security engineers, architects, managers and executives from hundreds of organizations including Bristol-Myers Squibb, Ernst and Young, FedEx, IBM Global Services, PricewaterhouseCoopers, and VeriSign as well as the US Department of Defense, Federal Bureau of Investigation, the US Marine Corps Computer Emergency Response Team (MARCERT) and the National Security Agency. Prior to 1997, he worked as a network and security consultant for Benedict College, the Environmental Policy Center, Georgia Institute of Technology, Georgia State University, Sodexho Marriott, and SunTrust Equitable Securities. Taylor currently manages the Southeast Systems Engineering group at Caymas Systems.
Taylor holds his CISSP and has been certified by CheckPoint, ISECOM, ISS, NAI, Nokia and VeriSign. He is a contributor to the EFF and a member of Usenix, SAGE, ISSA and ISACA as well as an active participant in, and contributor to, numerous open security forums and user groups. He is the organizer for the Defcon Atlanta Group, the founder of kaos.theory/security.research, and has presented at Defcon, ShmooCon, InterZone, LayerOne and numerous ISSA, ISACA and Infragard events.
Isaac Levy - Hacking UNIX with FreeBSD Jail(8), Secure Virtual Servers
Today, as more punch gets packed into 1u than ever, server resources can be further consolidated and abstracted to securely separate complex and sophisticated services in the same hardware server, by running secure virtual UNIX machines.
Who wants jails? System administrators who need to securely separate small yet important services. Software developers who always need more dev machines to hack amok. Root-kit testing and debugging. Educators who could use virtual machines to provide clean Unix server systems for student use. Anyone who wants *secure* virtual machines. Why would you want jail(8)? The design of jail(8) and jail(2) is small and secure, and because jails use native system utilities, they are simple for any Unix hacker to work with, with a very shallow learning curve. They're great for userland-level hacking and development, honeypots, or highly available services for regularly attacked systems.
Isaac Levy (.ike) is an Open Source web-application developer based in New York City. He runs Diversaform Inc. as a business platform to make his code feed itself (and ike). Diversaform specializes in BSD based solutions, web applications, and specialty network applications. Ike works as a consultant/developer mostly with small and medium sized businesses, but periodically works within large corporations and organizations.
Ike's personal passions lie in object-relational persistent data systems, and UNIX hacking, and the Internet at large. His "young adult" life in computing has been lived almost entirely in open source, as well as on the Internet, and ike aspires to give back to the open source and Unix hacker communities that have raised him. Isaac is a proud member of NYC*BUG (the New York City *BSD Users Group), and a long time member of LESMUUG, (the Lower East Side Mac Unix Users Group).
Luis Miras - Bridging the Gap Between Static and Dynamic Reversing
Reverse engineering continues to evolve, or rather REvolve. The reverse engineering toolset primarily consists of disconnected disassemblers and debuggers. Without symbol information or data acquired from disassembly, the use of a debugger can be blind and tedious.
Reverse engineering has fueled the need to enable these tools to work together. When disassemblers and debuggers are used in conjunction, the resulting union is greater than sum of the disparate parts.
To bridge the gap between disassemblers and debuggers, I will be releasing two IDA Pro plugins.
pdbgen - Generates custom pdb files from the IDA Pro database. The pdb file can then be loaded into a debugger, transferring symbolic information.
REdress - Reinserts debug information from the IDA Pro database into stripped ELF executables. The inserted debug information will be available in GDB.
During this talk, I will review the other tools and plugins that perform similar bridging functions. I will then present a live demonstration of pdbgen and REdress, streamlining the reversing process.
Luis Miras is the head vulnerability researcher at Intrusion Inc. He has done work for HBGary LLC. and Network Associates. He released the first public polymorphic shellcode at Defcon 8 and has also spoken at Toorcon 7 as well as the CCC Congress (17c3) in Berlin. In the past he has worked in digital design, and embedded programming.
Martyn Ruks - IBM Networking Attacks - Or The Easiest Way To Own A Mainframe Without Getting The Removals Men In
Why would you want to attack IBM Networking? Isn't it old, unused and unimportant in today's modern business environments?
The answer is: why not attack it? After all, it is still deployed in lots of high value environments. IBM Networking usually means mainframes, and therefore the potential to get to some cool financial or intelligence data.
But what was that I heard you say? You can only route IP across the Internet! Maybe so, but if you have a poorly designed network I just might be able to get to your mainframe. Maybe even compromise it!
So if you are a penetration tester, Security Manager or Network Architect you will gain insight into a number of areas of IBM Networking security. You will also learn about the tool which will be released to accompany the presentation.
This presentation will introduce the basic concepts behind a number of IBM networking protocols and how they are currently used by companies. The talk will cover a number of areas including an overview of Systems Network Architecture (SNA) and Data Link Switching (DLS). The manners through which these protocols can be abused to gain unauthorized access to systems will also be discussed. This presentation is not a criticism of IBM or their technologies but intends to lift the lid on an area of IT security that is not widely understood.
The presentation will cover issues relating to software bugs, device configuration and architecture design. A number of recommendations are also made to ensure that vulnerable environments can be adequately secured against attack.
Martyn Ruks is an information security professional working for mwr Infosecurity in the UK. Martyn has worked in the industry for 5 years and has principally been involved in security consultancy and penetration testing. This testing has covered a wide range of technologies and has been performed for Blue Chip companies. Very little of Martyn's previous security research has been published, however, this presentation is intended to form the first part of a detailed investigation into various IBM technologies.
Michael Rash - Service Cloaking and Anonymous Access; Combining Tor with Single Packet Authorization (SPA)
Single Packet Authentication is becoming an increasingly important method for protecting arbitrary network services through the use of a kernel level filtering mechanism such as Netfilter in the Linux kernel. By sending SPA packets over the Tor network, SPA packets can be endowed with an additional layer of privacy and anonymity. It becomes cryptographically difficult to deduce the communication of the SPA packet from any particular source address, even from the perspective of an attacker that is in the enviable position to monitor all packets going to and leaving from the SPA client system. The end result is that the exploitation of even 0-day vulnerabilities in a service that is protected with SPA/Tor is much more difficult. This talk will focus on applied aspects of Single Packet Authentication, and will include a lengthy demonstration at the beginning of the talk. A new version of the Single Packet Authentication software "fwknop" will also be released that contains new features such as GPG-hardened last-hop IP resolution, a web interface to monitor SPA usage in an Enterprise environment, remote Netfilter policy management, and more.
Michael Rash holds a master's degree in applied mathematics with a concentration in computer security from the University of Maryland, and is the CTO of Solirix, Inc. where he leads the Solsen product development effort. Previous to Solirix, Michael was a developer on the Dragon intrusion detection and prevention system, and also wrote a custom host-based intrusion detection system which was used to monitor the security of over one thousand systems from Linux to Cisco IOS at a major ASP. Michael frequently contributes to open source projects such as Netfilter and Bastille-Linux, and has written security related articles for the Linux Journal, Sys Admin Magazine, and USENIX ;login: Magazine. He is also the lead author of the book "Intrusion Prevention and Active Response; Deploying Network and Host IPS," and a co-author of "Snort-2.1 Intrusion Detection," both published by Syngress Press. Michael is the creator of two open source tools "psad" and "fwsnort" that are designed to blur the boundaries between Netfilter firewalls and the Snort IDS.
Metamorphism has been touted as a way to generate undetectable viruses and worms, and it has also been suggested as a potential security-enhancing technique. Today metamorphic virus construction kits are readily available on the Internet. A visit to the VX Heavens reveals more than 150 generators and engines to choose from in the category of "Worm/Virus Creation Tools." The purpose of a metamorphic generator is to create multiple instances of a virus which are sufficiently different from each other so as to avoid detection. How effective are these metamorphic engines? How different are the morphed variants? Is it possible to detect metamorphic viruses and worms?
We analyze several metamorphic engines (including MPCGEN Mass Code Generator, G2, NGVCK, and VCL32). In each case, we precisely measure the similarity of different instances of the morphed code. We show that the morphing abilities of these engines vary widely. We also show that, ironically, the metamorphic viruses we tested are easy to distinguish from normal code, regardless of the effectiveness of the morphing. Our results indicate that, in practice, it may be more difficult to effectively use metamorphism as a means to avoid detection than is generally believed.
Mark Stamp can neither confirm nor deny that he spent 7 years as a National Security Agency cryptanalyst. However, he can confirm that he spent 2 years as Chief Cryptologic Scientist at a small Silicon Valley startup, where he helped develop a Digital Rights Management (DRM) system. For the past 4 years he has been Assistant Professor in the Department of Computer Science at San Jose State University, where he teaches courses in information security, networking, and cryptography. He recently published a textbook, Information Security: Principles and Practice (Wiley Interscience, 2006) and he has just completed a second textbook, Applied Cryptanalysis.
Wing H. Wong is a graduate student at San Jose State University. Her research interests include network security and bioinformatics.
Mobile Ad-Hoc Networking (MANET) technology promises disaster-tolerant, interoperable, secure communications that work the way we users do. Features like automatic peer discovery and stable multi-transport TCP connections are so attractive that some may wonder if it isn't all too good to be true. After a brief but clear introduction to the more-or-less subtle differences between wireless routing technologies, we will delve directly into simulating attacks on Layers 2 and 3 and implementing appropriate defenses. Full graphical visualization of the processes and results makes this presentation accessible to anyone with at least basic understanding of computer networks.
As a professional software developer, Caezar began his career in embedded operating system development. After bringing that company to the Internet and integrating a TCP/IP stack, his passion for networking ignited. After a brief stint performing security audits, Mr. Eller returned to software development as the principal architect of Greg Hoglund's ClickToSecure. He is only now resurfacing after spending three years bringing security and quality of service to high-speed mobile networks.
As the public face of the Ghetto Hackers, Caezar was central to Defcon's Capture the Flag contest for the better part of a decade. During that time, he improved security contest scoring techniques, invented self-decoding ASCII-only stack exploits, produced fully automated web intrusion, and contributed to several other inventions including a pattern language for describing network attack processes.
As a speaker and writer, his credits include BlackHat Training and Briefings, DevX Security Zone, Hack-Proofing Your Network, Meet the Enemy seminars, Stealing the Network, and one unfortunately brief appearance on a USENIX panel.
The 802.11 link-layer wireless protocol is widely known for its design flaws. Unauthenticated management packets, a ridiculous attempt at providing link layer confidentiality and authentication (WEP), and general vendor stupidity have all contributed to 802.11 being the most sensationalized protocol ever mentioned in the media.
All of the above topics have been beaten to death. Instead, this talk explores new advances not in 802.11 design problems but in implementation issues. The two major advances in 802.11 security will be covered: device driver vulnerabilities and link-layer fingerprinting techniques. 802.11 fingerprinting represents the first time that a link-layer protocol has been vulnerable to fingerprinting attacks. These attacks can provide useful information to the attacker, allowing him to accurately target the latest weapon in any wireless hacker's arsenal: 802.11 device driver exploits.
Johnny Cache is responsible for many wireless hacking tools, including jc-wepcrack (a distributed WEP cracker) and jc-aircrack (a complete aircrack rewrite in C++); he also helped h1kari create pico-wepcrack (an FPGA-accelerated WEP brute forcer). Cache is currently pursuing his Master's degree in computer security. He is also co-author of "Hacking Exposed Wireless." His latest accomplishments can be found in Airbase, available at http://www.802.11mercenary.net.
Halvar Flake - RE 2006: New Challenges Need Changing Tools
Reverse engineering has come a long way - what used to be practiced behind closed doors is now a mainstream occupation practiced throughout the security industry. Compilers and languages are changing, and the reverse engineer has to adapt: nowadays, understanding C and the target platform's assembly language is no longer sufficient. Too many reverse engineers shy away from analyzing C++ code and run into trouble dealing with heavily optimized executables. This talk will list common challenges that the reverse engineer faces in the process of disassembling today, and suggest some solutions. Furthermore, a list of unsolved problems will be discussed.
Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined Black Hat as their main reverse engineer.
The Plausible Deniability Toolkit is a collection of processes and tools designed to protect its users from invasions of privacy and infringement of civil rights by oppressive organizations and governments. The foundation for this toolkit is the result of an anti-forensics gap analysis and the need for fabrication of evidence. Certainly most of these techniques have been in use by child pornography rings and various governmental TLAs, but we intend to bring them forward for more legitimate uses, such as protecting civil activists and whistleblowers.
This presentation will consist of a walkthrough of the gaps left behind by anti-forensics techniques, and will describe the technologies and techniques used by the toolkit. We will also cover live demonstrations of the tools and their uses, while allowing plenty of flexibility for audience interaction.
Nomad Mobile Research Centre (NMRC) is a hacker collective, and has been around since 1996. NMRC has released numerous papers, advisories, FAQs, and tools over the years, and believes that hackers have something good to give to society. Unfortunately most of the world doesn't believe in their definition of "good."
NMRC has distinguished itself in the realm of hackerdom in the following ways over other hacker groups: 1) They maintain friends of all hat colors; 2) They were the first hacker group to spell Centre with an "e" on the end; and 3) They live to hack and hack to live, unless of course they find free pr0n.
Linton Wells - UNCLASSIFIED Information Sharing with Non-Traditional Partners
Experience from domestic and foreign Humanitarian Assistance and Disaster Relief (HADR) operations shows that shared situational awareness and the information systems that support it are the critical enablers of all other functions in such situations. They are not merely technical adjuncts to the delivery of food, water and shelter. Federal Agencies can respond better to disasters (both domestic and international) by sharing unclassified information effectively with state, local and tribal governments, non-governmental organizations, and relief entities. DoD often refers to these as "non-traditional partners." Besides sharing situational awareness, decision-makers also must exchange ideas for solving emergent problems and convert decisions into action. These capabilities need to be in place within hours after the beginning of a crisis. Success will require new cultures of unclassified information sharing; not just within DoD, but also with the non-traditional partners that form the backbone of domestic and international disaster response.
Dr. Linton Wells II serves as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). He resumed these duties on November 14, 2005 after serving as the Acting Assistant Secretary and DoD Chief Information Officer from March 8, 2004. He became the Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence) on August 20, 1998 which became Networks and Information Integration in 2003. Prior to this assignment, he had served in the Office of the Under Secretary of Defense (Policy) from 1991 to 1998, most recently as the Deputy Under Secretary of Defense (Policy Support).
In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; C3I; and special access program oversight.
Dr. Wells was born in Luanda, Angola, in 1946. He was graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.
Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, scuba diving, and flying.
Joe Stewart - OllyBone: Semi-Automatic Unpacking on IA-32
The amount of new malware being developed has increased at a staggering rate over the last couple of years. At the same time, executable packing technology has grown to provide malware authors with a myriad of choices in how they pack their malware to evade detection and analysis. This presents a growing problem to analysts who lack the time to learn how each packer works and can be unpacked, but still need to be able to quickly handle anything that comes their way.
There are three conventional approaches to automatic unpacking: unpacking by emulation (an emulator that is 100% compatible with the platform is very difficult to write, so such tools tend to be closely held by their authors), unpacking by memory dump (not reliable, and it also corrupts variables with their post-initialization values), and finally writing a specific unpacking engine for each packer based on reverse-engineering the packer code (also a huge undertaking to achieve enough coverage, and a cat-and-mouse game).
In this presentation I will demonstrate a semi-automatic approach to unpacking malware that bridges the gap between highly-skilled manual unpacking and speedy but costly automatic unpacking. By leveraging certain aspects of the i386 architecture we can unpack code from a great deal of packers to the OEP without emulation or specific knowledge of the packing algorithm.
Joe Stewart, GCIH - Senior Security Researcher with LURHQ, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. He is a SANS Global Information Assurance Certified Incident Handler (GCIH) and has been in the information security field for six years. He is a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, Bloomberg and others. Additionally, Joe has published numerous security research papers on Sobig, Migmaf, Sinit, Phatbot, BlackWorm, Cryzip and other cyber-threats and attack techniques. Joe is the author of software projects Fess, Mumsie, and Truman as well as numerous OllyDbg plugins including OllyPerl.
Kiosks are being deployed in an increasing number of locations including supermarkets, banks and airports. Providing public computer access from machines connected to your internal network is one of the most challenging IT problems. Traditionally, an anonymous user with local access to a machine that can talk to the Internet and the internal network is an administrator's nightmare. Therefore the techniques to secure these machines must go far beyond the procedures for a normal desktop environment. Often these devices are deployed on the same network as the store's cash registers, introducing PCI compliance issues. Relying on store employees to monitor for kiosk abuse is not an option. This discussion will focus on the security issues surrounding the deployment of Windows-based kiosks. Deployment strategies, application security design, PCI compliance issues, known attack methods and common security tools will be covered.
Peleus Uhley is a Principal Security Consultant with the Symantec Professional Services team, where he performs wireless, network and application penetration testing for clients. Several of his recent engagements have covered assessing kiosk security for retailers. As part of the Advisory Services team, Peleus also serves as an Attack and Penetration Center of Excellence lead, helping to develop penetration testing services and coordinate knowledge development and tools for Symantec consultants. Peleus joined Symantec through their acquisition of @stake. Prior to being a security consultant, he was the lead developer for the online privacy company Anonymizer. Peleus has also given talks and authored a white paper on web browser security.
Government organizations are required by the Office of Management and Budget to migrate their networks to IPv6 by 2008. There is a belief that this introduces inherent risk to the organization, due to undiscovered flaws and security holes that may be opened up. One such risk is the use of covert channels to push data into or out of a network in the guise of standard traffic. Covert channels are not new, and have been exploited in the past over IPv4. This presentation and PoC tool demonstration will show how IPv6 networks communicate, and how the tool can be used to pass text or files through IPv6 and ICMPv6 packet manipulation.
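The abstract above does not say how v00d00N3t hides its data, so the following is an added illustration, not the tool's own code: it hides bytes in the Identifier and Sequence fields of ICMPv6 echo requests (4 bytes per packet, the first packet carrying the byte count), computes the ICMPv6 checksum over the IPv6 pseudo-header so the packets survive a host's checksum validation, and shows the detection-side check that such a stream fails: a normal ping keeps one Identifier for the whole run. The addresses (documentation prefix) and the 8-byte cover payload are constructed; sending the packets would need a raw socket, which is deliberately left out.

```python
import ipaddress
import struct

ICMPV6_ECHO_REQUEST = 128
NEXT_HEADER_ICMPV6 = 58
# Constructed addresses (2001:db8::/32 documentation prefix) and an 8-byte cover
# payload mimicking the timestamp many ping implementations put in the data.
SRC = "2001:db8::10"
DST = "2001:db8::20"
COVER = bytes.fromhex("44aa1c6e00042f3b")


def ones_complement_sum(data):
    """16-bit one's complement sum as used by the ICMPv6 checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, icmp):
    """Checksum over the IPv6 pseudo-header (src, dst, upper-layer length,
    3 zero bytes, next header 58) plus the ICMPv6 message, checksum field zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp), NEXT_HEADER_ICMPV6))
    return (~ones_complement_sum(pseudo + icmp)) & 0xFFFF


def build_echo(src, dst, ident, seq, payload=b""):
    """ICMPv6 echo request: type, code, checksum, identifier, sequence, data."""
    msg = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def checksum_ok(src, dst, pkt):
    """True when the packet's checksum matches the pseudo-header computation."""
    zeroed = pkt[:2] + b"\x00\x00" + pkt[4:]
    return icmpv6_checksum(src, dst, zeroed) == struct.unpack("!H", pkt[2:4])[0]


def encode_covert(src, dst, data):
    """Carry `data` in the Identifier and Sequence fields, 4 bytes per packet.
    Packet 0 carries the total byte count so the receiver can drop padding."""
    packets = [build_echo(src, dst, len(data) >> 16, len(data) & 0xFFFF, COVER)]
    for i in range(0, len(data), 4):
        ident, seq = struct.unpack("!HH", data[i:i + 4].ljust(4, b"\x00"))
        packets.append(build_echo(src, dst, ident, seq, COVER))
    return packets


def decode_covert(src, dst, packets):
    """Reassemble the hidden bytes; reject packets with a bad checksum."""
    out, total = bytearray(), None
    for pkt in packets:
        if len(pkt) < 8 or pkt[0] != ICMPV6_ECHO_REQUEST:
            continue
        if not checksum_ok(src, dst, pkt):
            raise ValueError("bad ICMPv6 checksum")
        ident, seq = struct.unpack("!HH", pkt[4:8])
        if total is None:
            total = (ident << 16) | seq
        else:
            out += struct.pack("!HH", ident, seq)
    return bytes(out[:total or 0])


def identifier_churn(packets):
    """Detection heuristic: a normal ping keeps one Identifier for the whole run
    and increments Sequence by one; a covert stream changes both arbitrarily."""
    return len({struct.unpack("!H", p[4:6])[0] for p in packets
                if len(p) >= 8 and p[0] == ICMPV6_ECHO_REQUEST})
```

The same Identifier/Sequence check applies to ICMPv4 echo, and a capture filter that also compares the data length against what the local ping utility emits catches the variant that hides bytes in the echo payload instead.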
R.P. Murphy is currently pursuing a Masters Degree in Information Systems Technology and is working on IPv6/ICMPv6 Covert Channels as a thesis topic. He is a Certified Information Systems Security Professional (CISSP), and does IT Consulting for small businesses. His areas of expertise include network security, information security and wireless network security and administration. Areas of interest include computer forensics, protocol analysis and tool development. Tools developed include MACSpoof, a tool to store and change MAC addresses in Windows, VoodooKey, a tool to recover software keys in Windows, and the PoC tool v00d00N3t, a tool that sends text or files through the use of IPv6 / ICMPv6 packet manipulation.
Marc Weber Tobias - Things That Go "Bump" in the Night: An Analysis of Current and Emerging Threats to Physical Security
Although there has been a significant amount of attention paid to the topic of late, there are complexities that must be understood to accurately gauge the impact of "Bumping Locks" on physical security. This talk will explore the vulnerabilities and exposures of virtually all pin-tumbler locks, highlighting the legal issues surrounding the possession and use of bump-keys and bumping implements. Case examples and demonstrations detailing a major security flaw and vulnerability in locks used by the federal government and a private sector corporation that affect millions of users will be presented.
Marc Weber Tobias is an investigative attorney and polygraph examiner in the United States. He has written five law enforcement textbooks dealing with criminal law, security, and communications. Marc Tobias was employed for several years by the Office of Attorney General, State of South Dakota, as the Chief of the Organized Crime Unit. As such, he directed felony investigations involving frauds as well as violent crimes.
Mr. Tobias is the author of the 1400 page textbook and multimedia collection "Locks, Safes, and Security: An International Police Reference." He consults on lock security and his law firm handles investigations for government and private clients.
Matt Fiddler leads a Threat Management Team for a large Fortune 100 company. Mr. Fiddler's research into lock bypass techniques has resulted in several public disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 13 years enhancing his extensive expertise in the areas of Unix and network engineering, security consulting, and intrusion analysis. Currently Mr. Fiddler is the Connecticut Chapter President and an active Board Member of Locksport International.
This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets.
Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We study this data in order to further understand the basics of the reported recursive name server amplification attacks which are also known as DNS amplification or DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks.
The risks involved with the recursive name server feature, as well as those of packet spoofing, are well known, yet have been treated more as a theoretical issue. The attack under study was anticipated as early as 2002 (gnupg 2002). Earlier attacks using queries to non-authoritative servers were reflection attacks using MX records (Mirkovic, Dietrich, Dittrich and Reiher). To our knowledge, this is the first documentation of a new form of recursive name server reflection attack designed to use the significantly larger data amplification made available by the Extended DNS (EDNS) mechanisms. In addition to this attack technique, recursion can be leveraged for other uses such as theft of DNS resources (CERT UNI-Stuttgart 2003).
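To make the amplification mechanics concrete, here is an added example (not code from the paper): it builds the ANY query an attacker would spoof, with and without the EDNS0 OPT pseudo-RR that lifts the 512-byte UDP answer limit, reads the advertised buffer size back out of a query the way a resolver or border filter could, and runs a simple ratio check over constructed resolver log lines in a hypothetical format to find a client receiving far more bytes than it sends. The log lines, addresses and 3500-byte answer size are constructed for the example.

```python
import re
import struct
from collections import defaultdict

QTYPE_ANY, RRTYPE_OPT = 255, 41


def encode_name(qname):
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    name = qname.rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_ANY, edns_udp_size=None, txid=0x1234):
    """Build a recursive query. With edns_udp_size set, append an EDNS0 OPT
    pseudo-RR (RFC 2671) advertising that buffer size; without it the resolver
    must truncate any answer over 512 bytes, which caps the amplification."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)        # class IN
    if edns_udp_size:
        # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = extended
        # RCODE/version/flags (all zero here), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, 0, 0)
    return msg


def advertised_udp_size(msg):
    """UDP payload size a query asks for: the OPT CLASS field, else 512."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos = 12
    for _ in range(qdcount):
        while msg[pos] != 0:            # queries carry no compression pointers
            pos += 1 + msg[pos]
        pos += 1 + 4                    # terminator, QTYPE, QCLASS
    if arcount and pos < len(msg) and msg[pos] == 0:
        rtype, rclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
        if rtype == RRTYPE_OPT:
            return rclass
    return 512


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker spends."""
    return len(response) / len(query)


# Constructed resolver log lines in a hypothetical format: bytes received from
# and sent to each "client". 203.0.113.9 stands in for the spoofed victim.
SAMPLE_LOG = """\
client=203.0.113.9 qname=example.net qtype=ANY in=40 out=3500
client=198.51.100.4 qname=www.example.org qtype=A in=33 out=49
client=203.0.113.9 qname=example.net qtype=ANY in=40 out=3500
client=203.0.113.9 qname=example.net qtype=ANY in=40 out=3500
client=198.51.100.4 qname=mail.example.org qtype=MX in=34 out=90
client=203.0.113.9 qname=example.net qtype=ANY in=40 out=3500
""".splitlines()

LOG_RE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+) in=(\d+) out=(\d+)")


def flag_amplification_sources(log_lines, min_queries=3, min_factor=20.0):
    """Clients that got back at least min_factor times the bytes they sent over
    min_queries or more queries, mapped to the observed ratio. Because the
    source address is spoofed, a flagged client is the victim: the fix is
    response rate limiting or closing open recursion, not blocking that IP."""
    stats = defaultdict(lambda: [0, 0, 0])         # queries, bytes in, bytes out
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, _qname, _qtype, bytes_in, bytes_out = m.groups()
        s = stats[client]
        s[0] += 1
        s[1] += int(bytes_in)
        s[2] += int(bytes_out)
    return {c: round(s[2] / s[1], 1) for c, s in stats.items()
            if s[0] >= min_queries and s[2] / s[1] >= min_factor}
```

The two query lengths (29 bytes without EDNS, 40 with) show why the OPT record matters: at 512 bytes the best case is roughly 17x, while a 4096-byte buffer lets a 3500-byte ANY answer reach 87x from the same 40-byte spoofed packet, before counting the IP fragments the paper mentions.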
Randal Vaughn teaches a variety of courses in Information Systems. Vaughn is a widely quoted expert in the areas of cyber warfare, cyber defense, and internet threat metrics and reporting. He is on the Board of Advisors for MI5 Security and an Academic associate for the AntiPhishingWorkingGroup. He is a member of Educause, the Society for Information Management (SIM), and the Association for Computing Machinery (ACM). His work has been published in several mathematics publications and he has authored white papers such as "Using PowWow in the Academic Environment" for Tribal Voice. Previously, Vaughn worked at Mobil Exploration and Producing Services, Inc. as a computer analyst for seismic processing support. Prior to that, he was the lead designer for Vought Aircraft's Group Technology Support Software component of the U.S. Air Force's Integrated Computer Aided Manufacturing project. He also served in the U.S. Air Force as a project engineer and database administrator. Vaughn's operating system experience includes legacy mainframe operating systems, Microsoft Windows, Linux, and Apple Mac OS and Mac OS X operating systems.
FX - Analysing Complex Systems: The BlackBerry Case
When trying to analyze a complex system for its security properties, very little information is available in the beginning. If the complex system in question contains parts that the analyst cannot see or touch, such as proprietary hardware and software as well as large-scale server software, the task doesn't get any easier. The talk will tell the story of how Phenoelit went about looking at RIM's BlackBerry messaging solution, focusing on the approaches tried and their expected and real effectiveness.
FX is the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. FX looks back at as little as eight years of (legal) hacking with only a few Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road. Professionally, FX runs SABRE Security's consulting arm SABRE Labs, specializing in reverse engineering, source code audits and on-demand R&D of industry grade security architectures & solutions.
Despite many appearances in film and television, fairly little is widely known about how safes can be opened without the proper combination or key. This talk will attempt to address some of the questions commonly asked about the craft, such as -- is it really possible to have a safe open in a minute or two using just a stethoscope and some clever finger-work? (Yes, but it will take a bit more time than a few minutes.) Are the gadgets used by secret agents in the movies ever based on reality? (Some of them.) The talk will cover several different ways that safes are opened without damage, as well as the design of one lock that is considered completely secure.
Eric Schmiedl is studying mechanical engineering at the Massachusetts Institute of Technology. Since learning to pick locks in elementary school, he's taught lockpicking workshops at What the Hack 2005 (in exchange for food and a tent to crash in), opened safes for the MIT pistol team, and done contract work for M. Tobias, JD of "Locks, Safes, and Security" fame.
DNS operations today are no longer just a matter of secure configuration and bandwidth, but rather a whole world of online abuse and criminal activity. In this presentation we will discuss how DNS has become the infrastructure for online crime and abuse. Spam, DDoS attacks, botnets and extremely reliable phishing servers all owe their existence to DNS games.
Gadi Evron is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing. He was previously the Israeli Government Internet Security Operations Manager, as well as the Israeli Government CERT Manager. Today, he manages the SecuriTeam portal and works for Israeli-based Beyond Security.
Arias Hung - Owning the Linksys WRTP54G VoIP Router
The WRTP54G/RTP300 is a Linksys VoIP proxy router with one primary distinguishing characteristic that separates it from all other VoIP routers on the market today: It's based on Linux.
This fact alone makes this router the key to learning the inner workings of VoIP and opens up a world of possibilities when it comes to its de-obfuscation. After all, 3rd-party firmware for its parent router, the WRT54G, of which it is a descendant, is big business, as these devices have become near ubiquitous in consumer households. With VoIP poised as the current cat-out-of-the-box technology prepped to take down established telecoms, VoIP security takes front and center as a paramount imperative.
The problem to this point has been that this router is tied to one specific vendor, who also happens to be the largest VoIP-only vendor to date, and whose interest is that your hardware can only be used for their service.
Discover how vendor provisioning works on these routers, in order to reclaim control of your hardware. Learn specifics of the AR7 dual-processor architecture that the hardware uses, and how to unlock its numerous built-in capabilities that were crippled by the vendor prior to release. Watch a demonstration of how easily VoIP and its companion protocol MGCP can be manipulated for illegal purposes such as call spoofing, number hijacking, and untraceable call routing. And find out how companies that provide VoIP are complying with the FCC mandate that requires them to be able to snoop at will without a court order, by saving all of your voice calls as .wav files that can be listened to at their leisure.
Arias Hung is a security professional with a particular passion for embedded distributions. Arias began his career in Unix administration, specializing in SGI/Irix while employed at the Lawrence Berkeley National Laboratory (lbl.gov), before expanding independently as a Unix consultant in Silicon Valley and gaining a degree in computer forensics and security. Arias is currently working as a security consultant in the Seattle area.
Hacking stuff is for the birds. I'm taking a new path in life. I've decided to become a technical consultant for Hollywood. (No, not really, but work with me here). In my new role, I've decided it's time to take up the torch for all my fellow consultants who have been abused by you people through the years. We're all just sick and tired of your snide little comments about hackers in the movies.
So go ahead. Make fun of Hollywood. Poke fun at A-list actors who "slide in [a] Trojan horse riding a worm" or B-movie bandits that use "mega modems with compression." Snort your snooty little snicker at smarties who smash 128-bit DES encryption in a skimpy 60 seconds. Who do you think you are, anyway? You've probably never even USED 128-bit DES. Think you're all uber because you can sling a bit of code? Let's see you sling a multi-headed worm that sniffs out latent digital footprints throughout an encrypted network. Not leet enough? That's OK. I'll show you how it's done.
Think you've found a movie line that's just slam-dunk stupid? A movie line that proves Hollywood is just clueless about technology? Think again. You just misunderstood. I'll use video clips and ultra-magnified freeze-framed screen stills to prove to you that Hollywood is clue++. Failing that, I'll at least distract you with seriously classified hardware and 0day exploits that were leaked through Hollywood films. Then again, you just might be safer if you keep on thinking they're only cheesy movie props.
Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com.
x30n - Blackjacking - 0wning the Enterprise via the Blackberry
Research in Motion's BlackBerry technology has quickly become the de facto standard for executives and technical personnel alike to maintain untethered remote access to critical data. Often regarded as inherently secure, most administrators deploy this solution without a full understanding of the technology or the risks involved.
This presentation will demonstrate how an attacker could utilize many typical corporate BlackBerry deployments to directly attack machines on the internal network behind your perimeter defenses! The tools and source code presented will be available for attendees. Techniques for reducing the risks associated with this technology will also be presented.
This talk is a must see for anyone who has deployed or is planning on deploying the Blackberry solution within their network. Whether you are an administrator, CIO, security officer, or user, you can't afford not to understand the risks associated with this technology.
x30n has over 8 years of experience in software and network security. His expertise and industry experience includes software engineering, vulnerability research, exploit development, risk management, penetration testing, source code auditing, reverse engineering, forensic analysis, and network analysis, as well as many other niche areas within the information security industry.
x30n is also a core member as well as current team captain of Digital Revelation, the notorious research group that has taken 1st place in Defcon's Capture the Flag competition twice.
x30n enjoys code with his breakfast, discovering new ways to break things, reversing, and long walks on the beach. Oh and 0wning everyone in hacking competitions of course!
Robert Clark - Legal Aspects of Internet & Computer Network Defense
This presentation looks at several scenarios of aggressive self-defense. It applies the law to each of the participants in various schemes, both the aggressor and the defender. We see where simple self-defense options could actually result in prosecution of the aggressor, prosecution of the defender, prosecution of both, or be faulted for compromising an investigation and rendering a prosecution impossible. Many of the legal rationales for aggressive self-defense will be discussed, from the typical discussion of self-defense to the law of nuisance and self-help. This presentation seeks to simplify the aspects of aggressive and non-aggressive self-defense.
Major Robert Clark is the Command Judge Advocate for the Army 1st Information Operations Command. As the sole legal advisor, his primary duty is to advise the Army's Computer Network Operations Division on all aspects of computer operations and security. This role has him consulting with the DoD Office of General Counsel, NSA, and the DoJ Computer Crime and Intellectual Property Section. He lectures at the Army's Intelligence Law Conference and at the DoD's Cybercrimes Conference.
Matt Hargett - Automatic Exploit Detection in Binaries
Binary disassembling and manual analysis to find exploitable vulnerabilities is a cool topic. What's cooler? Saving yourself hours of time and brain rot by letting a program do the hard parts for you! In this talk, we will dissect a well-known exploitable vulnerability as well as an open source tool for automatically detecting that vulnerability. By the end of the talk, you will understand the basics of static code analysis, exploitable bugs in Windows, x86 assembly, and the structure of the open source project. Interested attendees can join a pair programming session after the talk to start work on enhancements.
Matt Hargett last spoke at Defcon about using open source tools to test firewalls and IDSes, and has spoken and written articles in a variety of venues and leading publications on the topics of security, testing, and programming techniques. After successfully creating and launching the commercial static analysis tool, BugScan, as the initial sole developer, he took time off and now works in a very different and unrelated field. He lives in Mountain View, California with his husband, Geoff, and their dog, Baxter.
Luis Miras is the lead vulnerability researcher at Intrusion Inc. He has done work for leading consulting firms and Network Associates. He released the first public polymorphic shellcode at Defcon 8 and has also spoken at Toorcon 7 as well as the CCC Congress (17c3) in Berlin. In the past he has worked in digital design, and embedded programming.
Robert J. Hansen - Trust, But Verify: Auditing Proprietary DRE Systems
By 2006 the Help America Vote Act (HAVA) had rid the country of lever voting machines and punchcard ballots, and given the states enormous budgets for buying electronic voting machines. What is still unresolved is how these electronic voting machines are going to be audited. Trying to keep track of many different vendors, each of which has many different machines, is like getting lost in a funhouse hall of mirrors. Yet there is good news: the National Science Foundation has established a research group for electronic voting, ACCURATE. In this presentation, an ACCURATE researcher will discuss the thorny problem of making sure voting machines are playing fair. Existing technologies, both proprietary and open source, will be criticized, and new technologies will be presented.
Robert J. Hansen has a Bachelor of Arts in Computer Science, Cornell College, 1998. Master of Computer Science, the University of Iowa, 2006. Chief Security Geek for Yomu Inc., 2000. Cryptographic Engineer for PGP Security, 2000-2001. Student at the University of Iowa pursuing a Ph.D. in computer security, 2002-present.
Detecting global abuse patterns with realtime blacklists, spamtraps and honeypots. Understanding what your network is doing to the rest of the community is difficult; we discuss how to use our tools to understand how your network is abusing other networks, and show graphs and statistics of trends globally and within the US.
Rick Wesson has worked in the IETF and ICANN on DNS, whois, and registry and registrar protocols; he served for 4 years as the CTO of the Registrars Constituency in the GNSO/ICANN framework and 2 years on the ICANN Security and Stability Committee.
Learn to spy on corporate network traffic. After attending this talk, you will learn how to perform targeted packet sniffing to capture web, e-mail, chat conversations, VoIP, and file transfer traffic. Many tools are covered, including Effetech, MSN Protocol Analyzer, Ethereal filters, URLSnarf, FileSnarf, ACE, Cain and Abel, and others.
Andrew Whitaker is the Director of Enterprise Security for InfoSec Academy, a global leader in accelerated information security training. In his position, Andrew travels throughout the United States speaking at conferences and teaching courses on penetration testing and vulnerability assessments. He has been featured in numerous press articles including the Wall Street Journal and Business Week Magazine. He is a contributor to several articles and books including being the co-author of the book "Penetration Testing and Network Defense" (Cisco Press, 2005). Andrew performs numerous penetration tests for organizations each year, helping companies improve their information security. Along with a masters degree in computer science, Andrew holds the following certifications: CCSP, CEH, CEI, CCNP, INFOSEC, MCSE, CNE, CCNA, CCDA, A+, Security+, Network+, and CTP.
Broward Horne is a software developer with a diverse background, including several years as an electronic technician at Litton and Teradyne and as a sysadmin at a major university. Broward also has a business background, doing contract work for the United States Department of Transportation on experimental pen-based systems, early wireless LANs and two-dimensional barcoding.
Since 1999, he has been in Java software development, mostly for sales and ordering systems in large corporations. Prior to 1991, he hacked internal networks at two major electronics companies out of curiosity, but never intentionally damaged or sabotaged any system or network.
For the past thirteen years, Broward has done business intelligence and analysis against various internet data sources, including the usenet newsgroups, Dice.com, Monster.com, Google and other search engines. This analysis kept him gainfully employed throughout the Dotcom Crash. More at http://www.realmeme.com.
Foofus - Graphical Representations of Security Relationships: Awesome or Bullshit?
We all want to be awesome hackers, but let's face it: inventing the sploitz can be hard work. What if there were a way to make interesting security discoveries using relatively simple tools, recycled concepts from research in other fields, and readily available data? For better or worse, this is the kind of question that we at foofus.net ask ourselves on a regular basis. And it's in that spirit that we present this fine talk.
We'll show some incremental advances in our penetration testing tools (once again, focused on identifying and taking advantage of trust relationships between Windows systems), and we'll appropriate concepts from graph theory. Our main goals are twofold. First, we want to find ways of mining new conclusions out of the same old data that's been staring us in the face all along. Second, we want to find ways of making the data we collect more interesting and useful. Basically, we're trying to look cool without having to work too hard.
Previously, we've provided tools for gathering this sort of information, and for representing it mathematically and visually. This year's talk focuses on using these techniques to draw worthwhile conclusions and offer helpful advice. As usual, our tools will be provided (such as they are), and a good time will be had by all.
Foofus leads a team of security engineers at a technology consulting firm in the Midwest, where he has worked for the past nine years. He has spoken at a variety of events and conferences including Defcon, ToorCon and LISA. His chief technical interests are software security, and the security relationships that emerge between systems in large networked environments. In his spare time Foofus enjoys playing guitar, cooking, and attending the opera and symphony.
EFF - EFF v. AT&T: Your World, Delivered (to the NSA)
If you want to know how the National Security Agency and telecommunications companies are conspiring to invade your privacy, this is the panel for you. The Electronic Frontier Foundation (EFF) is currently suing AT&T for collaborating with the NSA in its massive and illegal program to wiretap and data-mine Americans' phone and Internet communications. Come learn about the legal and technical issues surrounding the NSA surveillance program, find out what Congress is (or isn't) doing about it, and get an up-to-the-minute update from the EFF lawyers on their lawsuit and other NSA-related court cases across the country.
Cindy Cohn is the Legal Director for the Electronic Frontier Foundation as well as its General Counsel. She is responsible for overseeing the EFF's overall legal strategy and supervising EFF's 7 staff attorneys. Outside the courts, Ms. Cohn has testified before Congress, been featured in the New York Times, San Francisco Chronicle and elsewhere for her work on cyberspace issues, and been interviewed on the BBC, NPR, CNN, CBS News and the Newshour, and by the Economist, Wall Street Journal, Washington Post and many other online and offline media outlets. In 1997, as a result of her work on Internet issues, Ms. Cohn was named as one of the "Lawyers of the Year" by California Lawyer magazine. In 2001, Ms. Cohn and the EFF were honored by the Editorial Board of the Daily Journal.
Kevin Bankston, an EFF staff attorney specializing in free speech and privacy law, was EFF's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.
Kurt Opsahl is a Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook."
Jason Schultz is a Staff Attorney specializing in intellectual property and reverse engineering. He currently leads EFF's Patent Busting Project. Jason also teaches graduate classes on Cyberlaw at UC Berkeley's Boalt Hall School of Law and School of Information. Prior to joining EFF, Schultz worked at the law firm of Fish & Richardson P.C., where he spent most of his time invalidating software patents and defending open source developers in lawsuits. While at F&R, he co-authored an amicus brief on behalf of the Internet Archive, Prelinger Archives, and Project Gutenberg in support of Eric Eldred's challenge to the Sonny Bono Copyright Term Extension Act. Prior to F&R, Schultz served as a law clerk to the Honorable D. Lowell Jensen and as a legal intern to the Honorable Ronald M. Whyte, both in the Northern District of California federal court system. During law school, Schultz served as Managing Editor of the Berkeley Technology Law Journal and helped found the Samuelson Clinic, the first legal clinic in the country to focus on high tech policy issues and the public interest. Schultz also has undergraduate degrees in Public Policy and Women's Studies from Duke University. Jason maintains a personal blog at lawgeek.net.
During this presentation SensePost will discuss and demonstrate two pieces of new technology - the Suru WebProxy and the SP_LR Generic network proxy.
The Suru web proxy is an inline web proxy (in the vein of Paros, the @stake webproxy and Webscarab) that offers the analyst unparalleled functionality. Are the days of the web proxy numbered? Is there really room for another web proxy? Come to their presentation and see what happened when the guys at SensePost decided to develop a proxy with punch.
SP_LR is a generic proxy framework that can be used for malware analysis, fuzzing or just the terminally curious. It's a tiny, generic proxy built on open-source tools with extensibility in mind at a low low price (GPL - Free as in beer).
Roelof Temmingh is the Technical Director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of Perl code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding." He has spoken at many International Conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels.
Haroon Meer is currently SensePost's Director of Development (and coffee drinking). He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including the Black Hat Briefings. Haroon doesn't drink tea or smoke camels.
Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years' experience in information security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.
Peter Gutmann - Phishing Tips and Techniques: Tackle, Rigging, and How & When to Phish
This talk looks at the technical and psychological backgrounds behind why phishing works, and how this can be exploited to make phishing attacks more effective. To date, apart from the occasional use of psychology grads by 419 scammers, no-one has really looked at the wetware mechanisms that make phishing successful. Security technology doesn't help here, with poorly-designed user interfaces playing right into the phishers' hands.
After covering the psychological nuts and bolts of how users think and make decisions, the talk goes into specific examples of user behaviour clashing with security user interface design, and how this could be exploited by attackers to bypass security speedbumps that might be triggered by phishing attacks. Depending on your point of view, this is either a somewhat hair-raising cookbook for more effective phishing techniques, or a warning about how these types of attacks work and what needs to be defended against.
Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland, New Zealand, working on the design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package, has authored a number of papers and RFCs on security and encryption including the X.509 Style Guide for certificates, and is the author of "Cryptographic Security Architecture: Design and Verification" (published by Springer-Verlag) and the open source cryptlib security toolkit. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about PKIs and the (un-)usability of security applications.
An anonymous identity is difficult but not impossible to obtain. With help of international laws and loopholes a new identity can be created. This talk will demonstrate how this can be done with never before published methods.
There are many reasons why a person might choose to obscure their identity and become anonymous. Several of these reasons are legal and legitimate - someone, for example, who feels threatened by someone else might attempt to hide from the threat behind various means of anonymity. There are also many illegal reasons to hide behind anonymity. Criminals typically try to keep themselves anonymous either to conceal the fact that a crime has been committed, or to avoid capture.
Johan Hybinette is CSO and founder of Cebic Technologies, Inc., specializing in international security auditing, policy and monitoring. Johan has over 20 years of security experience and has spoken at numerous international events. His expertise includes compliance, pen testing, SIM (Security Incident Management) integration, auditing, and identity management. Some of the certifications held are CISM, CISSP, ISSAP, IAM, ISSMP, IEM.
Lin0xx - Advanced Windows Based Firewall Subversion
This presentation will focus on disabling many of the Windows based network security solutions that are most widely used. New payloads will be presented that demonstrate how host based firewalls at this time are not an adequate defense to safeguard one's network resources. The speech is highly technical and requires knowledge of reverse engineering and process injection.
Lin0xx has been a code and security enthusiast for a number of years along with speaking at Interz0ne 5. He also helps run the local DC group in Atlanta, DC404.
Chris Eagle - Ripples in the Gene Pool: Creating Genetic Mutations to Survive the Vulnerability Window
Reverse engineers often like to argue that a prime motivator for their activities is the desire to discover and patch vulnerabilities in closed-source binary software. Given the veritable plethora... nay, Katrina-like flood of vulnerabilities being discovered on a near daily basis, one has to wonder where all these binary patches are hiding. Clearly this argument is a sham to make reverse engineers feel better about their DMCA-violating activities. Now, just to be clear, there have been one or two third party binary patches released in the past year, but why haven't there been more? Is it truly a difficult task to develop such a patch, or are our sights simply set too high? Is a true fix to the problem a requirement, or is it sufficient to modify the vulnerable program just enough to make it immune to scripted attacks, the goal being to provide sufficient protection to survive until a vendor-supplied patch can truly fix the problem? Dan Geer argued that a software monoculture is a dangerous thing, leading to the rapid spread of malicious code in the event of a public vulnerability disclosure. The goal of this talk is to discuss simple yet effective measures to introduce sufficient genetic diversity into an inbred piece of software to allow it to survive in the wild until a vendor-supplied update becomes available.
Chris Eagle is a Defcon Black Badge holder, and the Dean of Hacking for the Sk3wl0fr00t. When not at a CTF table, he is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 20+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, CodeCon, and Shmoocon and is a co-author of the book "Gray Hat Hacking."
The Census Bureau is the only federal agency that is acquiring detailed personal data on every person in the United States. While the Census provides valuable information that is vital to our form of government, major privacy concerns exist. The potential for abuse of the data has historical roots, the most notorious being the rounding up and relocation of Japanese-Americans during World War II.
Learn how the social, economic, housing, and financial characteristics being gathered can be legally used against you. We will examine how dangerous the data could be if it was used illegally. (If you are paranoid, you do not want to miss this!)
Finally, we will examine the laws that mandate that every American must cooperate with the Census Bureau or face possible civil and/or criminal punishment. What are your options when that census worker shows up at your door and threatens you with prosecution by the U.S. Attorney's office?
Steve Dunker is a Professor of Criminal Justice at Northeastern State University. He is a former Major Case Squad Detective who worked as a planner and supervisor of an anti-crime and decoy unit. He is a licensed attorney in the State of Missouri.
Seth Hardy - Your Name, Your Shoe Size, Your Identity? What do we Trust in this Web?
The web of trust, as used in PGP, is a well-known system for establishing trust between people, even if the people have not previously met. Why does it work so well in crypto? The answer is simple: it's the same system that we all use on a daily basis when dealing with friends, family, relationships, and just about everyone else we have to interact with. On the crypto side, however, there are a number of restrictions that limit the effectiveness of this trust network. While many "security professionals" say that they are mandatory, the system seems to work just as well without them. Are they completely arbitrary? Here we'll look at a couple of these restrictions, focusing on the technical aspects of identity verification, and evaluate their effectiveness through a couple of real-world experiments.
Seth Hardy stopped writing these self-promoting blurbs a long while ago. While he acknowledges there's far too much information about him on the Internet already, he's been told that just saying this doesn't look too good standing by itself in a bio. So, here are some supporting facts: he's been involved in cryptography research, academically and professionally, for the last eight years. Some of these areas of research include elliptic curves, combinatorial cryptography, random number generation, and trust networks. He's presented his work at a number of conferences, including Black Hat, Defcon and the CCC Congress.
We describe requirements for a malware collection repository. The repository serves as a clearing house for malware samples, as well as analysis provided by members of the clearing house.
We discuss how malware authors are aware of, and actively exploit inherent inefficiencies in the current generation of competitive, closed malware collections. We demonstrate how, by illuminating AV sensors, and by using frequent updates, malware authors can keep their victims within a perpetual zero-day window.
There are numerous cooperative malware repositories created to address problems in private collections. After exploring the policy trade-offs, we describe our own solution. Features include automated unpacking of samples, data mining of packed samples, static and dynamic analysis, and selected network trace files.
Paul Vixie holds the record for "most CERT advisories due to a single author" which came primarily from his years hacking on BIND4 and BIND8. Later on he cut off the oxygen supply to his brain by wearing a necktie for AboveNet, MFN, and PAIX. At the moment he is President at ISC where his primary duty is to sign paychecks for the people who bring you BIND9 and F.ROOT-SERVERS.NET. He is also an occasional critic of just about everything (the blog: http://FM.VIX.COM).
David Dagon is a PhD student in the College of Computing at Georgia Institute of Technology. His area of research includes network security, BSD kernel hacking, honeynets, and malware analysis. He has written extensively about malware, including modelling botnet propagation using time zones and the KarstNet active sinkhole.
This session will reveal to you how the FBI uses Neuro-Linguistic Programming (NLP) during interview and interrogation sessions. Gaining cooperation with special speech and word changes, clues to help determine whether clients are lying or remembering, and the traditional "Cop Stop technique" will all be revealed and practiced by attendees. Seldom taught outside the law or medical community, you'll be instructed in and actually practice these techniques, just like the Feds do. While you may not be able to stop leaking information to the specially trained professional, you'll now see the extra information others are giving off. Come prepared to talk to others and learn invaluable skills that can C.Y.A.
Brad Smith, RN, BS-Psych, CISSP has utilized social engineering in emergency rooms to defuse medical crises for many years. He has taught Neuro-Linguistic Programming to healthcare, law enforcement and security professionals and now helps educate everyone on the reality of social engineering and its exploits. Session attendees get cutting edge information they can immediately start using to protect themselves. He is known for his high energy presentation style and group participation format that helps people truly understand the concepts presented, while also having a fun time. He has attended Defcon for many years and looks forward to Coffee Wars, Hacker Jeopardy and the Black and White Ball again this year.
Wes Brown - Exploit Writing Using Injectable Virtual Machines
Mosquito is a secure remote execution framework available via LGPL that combines high-grade cryptography and a small efficient virtual machine on both ends to ensure that intellectual property is protected. It also presents a dynamic environment on a target host that can be reprogrammed on the fly over a secure communications channel to fit the current situation.
The virtual machine was written from scratch for this purpose, with a built in cryptography library, and was optimized for size with an eye towards being able to inject it. The virtual machine's native programming environment is a Scheme-derived Lisp-family language, with an optimizing bytecode compiler. It is also cross-platform using ANSI C and GCC, currently running on OpenBSD, Darwin, Linux, and Win32. Compiled bytecode is portable between these platforms, much like Java except it fits within 150K on some platforms.
This talk will demonstrate the use of Mosquito to write exploits on the fly while the audience watches; the advantages and flexibility of using a virtual machine will be leveraged to implement a second stage puddle-hop exploit into another host. The cross-platform advantages of writing exploits in a portable virtual machine will also be demonstrated. There will be some discussion of Mosquito itself to give context and understanding.
Wes Brown is a long-time network security practitioner who specializes in code reviews, web application assessments, penetration testing, and tools development.
Prior to joining Accuvant as a senior security consultant, Wes worked for Internet Security Systems' X-Force Consulting team. He conducted hundreds of penetration tests and web application assessments for ISS clients ranging from the smallest to Fortune 500 companies. He was also responsible for many of the in-house tools that helped the external assessment consulting practice succeed. He can also be frequently seen at industry conferences, having spoken at Defcon in the past.
In founding Ephemeral Security, Wes hopes to advance the state of the art in network security by doing innovative and original research work. When not conducting consulting work, he has spent the last year and a half on the Mosquito Environment along with other members of his company.
Currently, he is hard at work as one of Accuvant's lead consultants, which gives him an opportunity to test the tools and environments that are developed as part of Ephemeral Security's research efforts. He does the majority of the automation and tools that streamline the assessment practice's engagements, increasing quality while reducing turnaround time. Of course, Wes also does conventional consulting with a keen focus on code reviews and application assessments.
The Dark Tangent acknowledges those who made Defcon 14 possible, the contest winners and the techniques that were used to win, as well as plans and a Q&A for next year at the Riviera.