DEFCON 14: [Video] Speeches from the hacker conventions show

Summary: The DEF CON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown into a world-known event. Video, audio and supporting materials from past conferences are available on our website at: https://www.defcon.org/html/links/dc-archives.html This RSS feed includes video from the speeches at DEF CON 14. Additional versions, including audio and music videos from the DEF CON DJs, will be uploaded separately. We hope you enjoy.

Podcasts:

 Dan Kaminsky: Black Ops 2006 | File Type: video/x-m4v | Duration: 41:48

Abstract: The known topics for this year include: 1. The Worldwide SSL Analysis: There's a major flaw in the way many, many SSL devices operate. I'll discuss how widespread this flaw is, as well as announce results from this worldwide SSL scan. 2. Syntax Highlighting...on Hexdumps. Reverse engineering efforts often require looking at hex dumps without much context for what's being looked at. I will discuss a "bridge" position between AI and manual operation in which compression code is used to automatically visualize patterns in analyzed data. 3. Everything else. Bio: Dan Kaminsky, DoxPara Research. Formerly of Cisco and Avaya.

 Jared DeMott: The Evolving Art of Fuzzing | File Type: video/x-m4v | Duration: 45:56

Abstract: The Evolving Art of Fuzzing will be a technical talk detailing the current state of fuzzing and describing cutting-edge techniques. Fuzzer types, metrics, and future research will be presented. Also, three of ASI's private fuzzer tools will be discussed. They will be released on the DEFCON CD. Bio: Jared DeMott is a vulnerability researcher for Applied Security, Inc. (ASI). Jared earned a master's degree from Johns Hopkins University and is currently pursuing a PhD from Michigan State University, with dissertation work to be done on fuzzing.

 dr.kaos: SAMAEL (Secure, Anonymous, Megalomaniacal, Autonomous, Encrypting Linux) and NARC (Network Analysis Reporting Console) | File Type: video/x-m4v | Duration: 54:57

Abstract: From the 1337 hax0rs that brought you Anonym.OS, kaos.theory/security.research presents SAMAEL (Secure, Anonymous, Megalomaniacal, Autonomous, Encrypting Linux), the natural evolution of our secure, automagically anonymizing operating system, Anonym.OS, into a kick-ass anonymizing server! When kaos.theory released Anonym.OS at ShmooCon in January of this year, we received many requests for features we had already planned to implement: media players, smaller distribution size, office suites, better speed, USB functionality, etc. "Sure," we collectively replied, "we'll get right on that." But we didn't. We tried, but we realized that maintenance releases aren't 1337. Instead, we're back to release SAMAEL, a blackbox gateway that creates -- in a few simple steps -- a secure, anonymizing, transparent firewall and proxy server, protecting its users' love of sex, drugs, and rock and roll from embarrassing public disclosure (even better than the Kennedys). Making use of Gentoo, Transocks, Tor, and sweet, sweet Python, SAMAEL provides all of the services expected in a modern Linux firewall, including DHCP, a Captive Portal, and Web-Based Administration! The guiding principle of Anonym.OS and its derivative projects has remained "Anonymity for Everyone;" kaos.theory's SAMAEL takes that motto to the next level. But there's one more thing. And it doesn't involve sweatshop labor or black turtlenecks. Getting useful, attractive reports out of scanning tools is a bitch. People pay vendors thousands just for some slick charts and graphs. Why? Because SQL is hard for a boot-camp MCSE. So get your 'Security for Dummies' books and your free Nessus downloads ready, folks, because we've got scripts and queries all packaged up as pretty as your mom on a Friday night. kaos.theory's newest member, jonathan white, joins atlas and crew to introduce NARC, the Network Analysis Reporting Console. In its initial release, NARC can utilize output from common security tools like Nessus, Paros, and Nmap to populate a database via automated scripts for reporting purposes. Version 0.DC14 also includes rudimentary reporting capabilities.

 Isaac Levy (.ike): Hacking UNIX with FreeBSD Jail(8), Secure Virtual Servers | File Type: video/x-m4v | Duration: 45:41

Abstract: Today, as more punch gets packed into 1U than ever, server resources can be further consolidated and abstracted to securely separate complex and sophisticated services on the same hardware server, by running secure virtual UNIX machines. Who wants jails? System administrators who need to securely separate small yet important services; software developers who always need more dev machines to hack amok; root-kit testing and debugging; educators who could use virtual machines to provide clean UNIX server systems for student use; anyone who wants *secure* virtual machines. Why would you want jail(8)? The design of jail(8) and jail(2) is small and secure, and because jails use native system utilities, they are simple for any UNIX hacker to work with: a very shallow learning curve. They're great for userland-level hacking and development, honeypots, or highly available services for regularly attacked systems. What I'd like to talk about:
* How jails work, the technical nitty-gritty
* How to set up jails, the practical how-to, cooking show style...
* When NOT to use jails
* jail(8) security vulnerabilities/considerations, attacking and breaking out of jail(8)
  o mitigating the risks of attacks and jail(8) breaks
* Jails vs. Linux UML, Xen, VMware: fundamental technical differences
Bio: Isaac Levy (.ike) is an Open Source web-application developer based in New York City. He runs Diversaform Inc. as a business platform to make his code feed itself (and ike). Diversaform specializes in BSD-based solutions, web applications, and specialty network applications. Ike works as a consultant/developer mostly with small and medium-sized businesses, but periodically works within large corporations and organizations. Ike's personal passions lie in object-relational persistent data systems, UNIX hacking, and the internet at large. His 'young adult' life in computing has been lived almost entirely in Open Source, as well as on the internet, and ike aspires to give back to the Open Source and UNIX hacker communities that have raised him. Isaac is a proud member of NYC*BUG (the New York City *BSD Users Group), and a long-time member of LESMUUG (the Lower East Side Mac Unix Users Group).

 Luis Miras: Bridging the Gap Between Static and Dynamic Reversing | File Type: video/x-m4v | Duration: 33:57

Abstract: Reverse engineering continues to evolve, or rather REvolve. The reverse engineering toolset primarily consists of disconnected disassemblers and debuggers. Without symbol information or data acquired from disassembly, the use of a debugger can be blind and tedious. Reverse engineering has fueled the need to enable these tools to work together. When disassemblers and debuggers are used in conjunction, the resulting union is greater than the sum of the disparate parts. To bridge the gap between disassemblers and debuggers, I will be releasing two IDA Pro plugins:
* pdbgen: Generates custom PDB files from the IDA Pro database. The PDB file can then be loaded into a debugger, transferring symbolic information.
* REdress: Reinserts debug information from the IDA Pro database into stripped ELF executables. The inserted debug information will be available in GDB.
During this talk, I will review the other tools and plugins that perform similar bridging functions. I will then present a live demonstration of pdbgen and REdress, streamlining the reversing process. ¡Viva la REvolución! Bio: Luis Miras is the head vulnerability researcher at Intrusion Inc. He has done work for HBGary LLC and Network Associates. He released the first public polymorphic shellcode at Defcon 8 and has also spoken at Toorcon 7 as well as the CCC Congress (17c3) in Berlin. In the past he has worked in digital design and embedded programming.

 Martyn Ruks: IBM Networking Attacks-Or The Easiest Way To Own A Mainframe Without Getting The Removals Men In | File Type: video/x-m4v | Duration: 51:17

Abstract: Why would you want to attack IBM Networking? Isn't it old, unused and unimportant in today's modern business environments? The answer is why not attack it; after all, it is still deployed in lots of high-value environments. IBM Networking usually means mainframes and therefore the potential to get to some cool financial or intelligence data. But what was that I heard you say? You can only route IP across the Internet! Maybe so, but if you have a poorly designed network I just might be able to get to your mainframe. Maybe even compromise it! So if you are a penetration tester, Security Manager or Network Architect you will gain insight into a number of areas of IBM Networking security. You will also learn about the tool which will be released to accompany the presentation. This presentation will introduce the basic concepts behind a number of IBM networking protocols and how they are currently used by companies. The talk will cover a number of areas including an overview of Systems Network Architecture (SNA) and Data Link Switching (DLSw). The ways in which these protocols can be abused to gain unauthorised access to systems will also be discussed. This presentation is not a criticism of IBM or their technologies but intends to lift the lid on an area of IT security that is not widely understood. The presentation will cover issues relating to software bugs, device configuration and architecture design. A number of recommendations are also made to ensure that vulnerable environments can be adequately secured against attack. Bio: Martyn Ruks is an information security professional working for MWR InfoSecurity in the UK. Martyn has worked in the industry for 5 years and has principally been involved in security consultancy and penetration testing. This testing has covered a wide range of technologies and has been performed for Blue Chip companies. Very little of Martyn's previous security research has been published; however, this presentation is intended to form the first part of a detailed investigation into various IBM technologies.

 Michael Rash: Service Cloaking and Anonymous Access; Combining Tor with Single Packet Authorization (SPA) | File Type: video/x-m4v | Duration: 36:56

Abstract: Single Packet Authorization is becoming an increasingly important method for protecting arbitrary network services through the use of a kernel-level filtering mechanism such as Netfilter in the Linux kernel. By sending SPA packets over the Tor network, SPA packets can be endowed with an additional layer of privacy and anonymity. It becomes cryptographically difficult to deduce the communication of the SPA packet from any particular source address, even from the perspective of an attacker that is in the enviable position to monitor all packets going to and leaving from the SPA client system. The end result is that the exploitation of even 0-day vulnerabilities in a service that is protected with SPA/Tor is much more difficult. This talk will focus on applied aspects of Single Packet Authorization, and will include a lengthy demonstration at the beginning of the talk. A new version of the Single Packet Authorization software "fwknop" will also be released, containing new features such as GPG-hardened last-hop IP resolution, a web interface to monitor SPA usage in an enterprise environment, remote Netfilter policy management, and more. Bio: Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland, and is the CTO of Solirix, Inc. where he leads the Solsen product development effort. Prior to Solirix, Michael was a developer on the Dragon intrusion detection and prevention system, and also wrote a custom host-based intrusion detection system which was used to monitor the security of over one thousand systems from Linux to Cisco IOS at a major ASP. Michael frequently contributes to open source projects such as Netfilter and Bastille-Linux, and has written security-related articles for the Linux Journal, Sys Admin Magazine, and USENIX ;login: Magazine. He is also the lead author of the book "Intrusion Prevention and Active Response; Deploying Network and Host IPS", and a co-author of "Snort-2.1 Intrusion Detection", both published by Syngress Press. Michael is the creator of two open source tools, "psad" and "fwsnort", that are designed to blur the boundaries between Netfilter firewalls and the Snort IDS.

 Mark Stamp: Hunting for Metamorphic Engines | File Type: video/x-m4v | Duration: 47:45

Abstract: Metamorphism has been touted as a way to generate undetectable viruses and worms, and it has also been suggested as a potential security-enhancing technique. Today metamorphic virus construction kits are readily available on the Internet. A visit to VX Heavens reveals more than 150 generators and engines to choose from in the category of "Worm/Virus Creation Tools". The purpose of a metamorphic generator is to create multiple instances of a virus which are sufficiently different from each other so as to avoid detection. How effective are these metamorphic engines? How different are the morphed variants? Is it possible to detect metamorphic viruses and worms? We analyze several metamorphic engines (including MPCGEN Mass Code Generator, G2, NGVCK, and VCL32). In each case, we precisely measure the similarity of different instances of the morphed code. We show that the morphing abilities of these engines vary widely. We also show that, ironically, the metamorphic viruses we tested are easy to distinguish from normal code, regardless of the effectiveness of the morphing. Our results indicate that, in practice, it may be more difficult to effectively use metamorphism as a means to avoid detection than is generally believed. Bio: Mark Stamp can neither confirm nor deny that he spent 7 years as a National Security Agency cryptanalyst. However, he can confirm that he spent 2 years as Chief Cryptologic Scientist at a small Silicon Valley startup, where he helped develop a digital rights management (DRM) system. For the past 4 years he has been Assistant Professor in the Department of Computer Science at San Jose State University, where he teaches courses in information security, networking, and cryptography. He recently published a textbook, Information Security: Principles and Practice (Wiley Interscience, 2006), and he has just completed a second textbook, Applied Cryptanalysis. Wing H. Wong is a graduate student at San Jose State University. Her research interests include network security and bioinformatics.

 Riley "Caezar" Eller: Securing MANET | File Type: video/x-m4v | Duration: 51:50

Abstract: Mobile Ad-Hoc Networking (MANET) technology promises disaster-tolerant, interoperable, secure communications that work the way we users do. Features like automatic peer discovery and stable multi-transport TCP connections are so attractive that some may wonder if it isn't all too good to be true. After a brief but clear introduction to the more-or-less subtle differences between wireless routing technologies, we will delve directly into simulating attacks on Layers 2 and 3 and implementing appropriate defenses. Full graphical visualization of the processes and results makes this presentation accessible to anyone with at least a basic understanding of computer networks. Bio: As a professional software developer, Caezar began his career in embedded operating system development. After bringing that company to the Internet and integrating a TCP/IP stack, his passion for networking ignited. After a brief stint performing security audits, Mr. Eller returned to software development as the principal architect of Greg Hoglund's ClickToSecure. He is only now resurfacing after spending three years bringing security and quality of service to high-speed mobile networks. As the public face of the Ghetto Hackers, Caezar was central to DEFCON's Capture the Flag contest for the better part of a decade. During that time, he improved security contest scoring techniques, invented self-decoding ASCII-only stack exploits, produced fully automated web intrusion, and contributed to several other inventions including a pattern language for describing network attack processes. As a speaker and writer, his credits include BlackHat Training and Briefings, DevX Security Zone, Hack-Proofing Your Network, Meet the Enemy seminars, Stealing the Network, and one unfortunately brief appearance on a USENIX panel.

 Johnny Cache: Fun with 802.11 Device Drivers | File Type: video/x-m4v | Duration: 44:24

Abstract: The 802.11 link-layer wireless protocol is widely known for its design flaws. Unauthenticated management packets, a ridiculous attempt at providing link-layer confidentiality and authentication (WEP), and general vendor stupidity have all contributed to 802.11 being the most sensationalized protocol ever mentioned in the media. All of the above topics have been beaten to death. Instead, this talk explores new advances not in design problems in 802.11, but in implementation issues. The two major advances in 802.11 security will be covered: device driver vulnerabilities and link-layer fingerprinting techniques. 802.11 fingerprinting represents the first time that a link-layer protocol has been vulnerable to fingerprinting attacks. These attacks can provide useful information to the attacker, allowing him to accurately target the latest weapon in any wireless hacker's arsenal: 802.11 device driver exploits. Bio: Johnny Cache is responsible for many wireless hacking tools. These include jc-wepcrack (a distributed WEP cracker) and jc-aircrack (a complete aircrack rewrite in C++), and he also helped h1kari create pico-wepcrack (an FPGA-accelerated WEP brute forcer). Cache is currently pursuing his Master's degree in computer security. He is also co-author of "Hacking Exposed Wireless". His latest accomplishments can be found in Airbase, available at www.802.11mercenary.net

 Halvar Flake: RE 2006: New Challenges Need Changing Tools | File Type: video/x-m4v | Duration: 52:49

Abstract: Reverse engineering has come a long way: what used to be practiced behind closed doors is now a mainstream occupation practiced throughout the security industry. Compilers and languages are changing, and the reverse engineer has to adapt: nowadays, understanding C and the target platform's assembly language is not sufficient any more. Too many reverse engineers shy away from analyzing C++ code and run into trouble dealing with heavily optimized executables. This talk will list common challenges that the reverse engineer faces in the process of disassembling nowadays, and suggest some solutions. Furthermore, a list of unsolved problems will be discussed. Bio: Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined Black Hat as their main reverse engineer.

 weasel: The Plausible Deniability Toolkit | File Type: video/x-m4v | Duration: 59:15

Abstract: The Plausible Deniability Toolkit is a collection of processes and tools designed to protect its users from invasions of privacy and infringement of civil rights by oppressive organizations and governments. The foundation for this toolkit is the result of anti-forensics gap analysis and the need for fabrication of evidence. Certainly most of these techniques have been in use by child pornography rings and various governmental TLAs, but we intend to bring them forward for more legitimate usages, such as protecting civil activists and whistleblowers. This presentation will consist of a walkthrough of the gaps left behind by anti-forensics techniques, as well as describe the technologies and techniques used by the toolkit. We will also cover live demonstrations of the tools and their uses, as well as allow plenty of flexibility for audience interaction. And if there is time left at the end, we will do a live hacking of Jeff Moss' bank accounts. Bio: Nomad Mobile Research Centre (NMRC) is a hacker collective, and has been around since 1996. NMRC has released numerous papers, advisories, FAQs, and tools over the years, and believes that hackers have something good to give to society. Unfortunately most of the world doesn't believe in their definition of "good". NMRC has distinguished itself in the realm of hackerdom in the following ways over other hacker groups: 1) They maintain friends of all hat colors; 2) They were the first hacker group to spell Centre with an "e" on the end; and 3) They live to hack and hack to live, unless of course they find free pr0n.

 Linton Wells: UNCLASSIFIED Information Sharing with Non-Traditional Partners | File Type: video/x-m4v | Duration: 49:36

Abstract: Experience from domestic and foreign humanitarian assistance and disaster relief (HADR) operations shows that shared situational awareness and the information systems that support it are the critical enablers of all other functions in such situations. They are not merely technical adjuncts to the delivery of food, water and shelter. Federal agencies can respond better to disasters (both domestic and international) by sharing unclassified information effectively with state, local and tribal governments, non-governmental organizations, and relief entities. DoD often refers to these as "non-traditional partners." Besides sharing situational awareness, decision-makers also must exchange ideas for solving emergent problems and convert decisions into action. These capabilities need to be in place within hours after the beginning of a crisis. Success will require new cultures of unclassified information sharing, not just within DoD, but also with the non-traditional partners that form the backbone of domestic and international disaster response. Bio: Dr. Linton Wells II serves as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). He resumed these duties on November 14, 2005 after serving as the Acting Assistant Secretary and DoD Chief Information Officer from March 8, 2004. He became the Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence) on August 20, 1998, which became Networks and Information Integration in 2003. Prior to this assignment, he had served in the Office of the Under Secretary of Defense (Policy) from 1991 to 1998, most recently as the Deputy Under Secretary of Defense (Policy Support). In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and a guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; C3I; and special access program oversight. Dr. Wells was born in Luanda, Angola, in 1946. He graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there. Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, scuba diving, and flying.

 Joe Stewart: OllyBone: Semi-Automatic Unpacking on IA-32 | File Type: video/x-m4v | Duration: 38:44

Abstract: The amount of new malware being developed has increased at a staggering rate over the last couple of years. At the same time, executable packing technology has grown to provide malware authors with a myriad of choices in how they pack their malware to evade detection and analysis. This presents a growing problem to analysts who lack the time to learn how each packer works and can be unpacked, but still need to be able to quickly handle anything that comes their way. There are three conventional approaches to automatic unpacking: unpacking by emulation (very difficult to write 100% compatible with the platform, and therefore such tools are closely held by their authors), unpacking by memory dump (not reliable, and will also corrupt variables with their post-initialization values), and finally, writing a specific unpacking engine for each packer based on reverse-engineering the packer code (also a huge undertaking to have enough coverage, and a cat-and-mouse game). In this presentation I will demonstrate a semi-automatic approach to unpacking malware that bridges the gap between highly skilled manual unpacking and speedy but costly automatic unpacking. By leveraging certain aspects of the i386 architecture we can unpack code from a great many packers to the OEP without emulation or specific knowledge of the packing algorithm. Bio: Joe Stewart, GCIH, is a Senior Security Researcher with LURHQ, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. He is a SANS Global Information Assurance Certified Incident Handler (GCIH) and has been in the information security field for six years. He is a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, Bloomberg and others. Additionally, Joe has published numerous security research papers on Sobig, Migmaf, Sinit, Phatbot, BlackWorm, Cryzip and other cyber-threats and attack techniques. Joe is the author of the software projects Fess, Mumsie, and Truman as well as numerous OllyDbg plugins including OllyPerl.

 Peleus Uhley: Kiosk Security | File Type: video/x-m4v | Duration: 48:01

Abstract: Kiosks are being deployed in an increasing number of locations including supermarkets, banks and airports. Providing public computer access from machines connected to your internal network is one of the most challenging IT problems. Traditionally, an anonymous user with local access to a machine that can talk to the Internet and the internal network is an administrator's nightmare. Therefore the techniques to secure these machines must go far beyond the procedures for a normal desktop environment. Oftentimes these devices are deployed on the same network as the store's cash registers, introducing PCI compliance issues. Relying on store employees to monitor for kiosk abuse is not an option. This discussion will focus on the security issues surrounding the deployment of Windows-based kiosks. Deployment strategies, application security design, PCI compliance issues, known attack methods and common security tools will be covered. Bio: Peleus Uhley is a Principal Security Consultant with the Symantec Professional Services team, where he performs wireless, network and application penetration testing for clients. Several of his recent engagements have covered assessing kiosk security for retailers. As part of the Advisory Services team, Peleus also serves as an Attack and Penetration Center of Excellence lead, helping to develop penetration testing services and coordinate knowledge development and tools for Symantec consultants. Peleus joined Symantec through their acquisition of @stake. Prior to being a security consultant, he was the lead developer for the online privacy company Anonymizer. Peleus has also given talks and authored a white paper on web browser security.
