Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference

"This talk provides an overview of new RFID technologies used for dual-interface cards (credit cards, ticketing and passports), and RFID tags with encryption and security features. Problems and attacks to these security features are discussed and attacks to these features are presented. After dealing with the tags, an overview to the rest of an RFID-implementation, middleware and backend database and the results of special attacks to this infrastructure are given. Is it possible that your cat is carrying an RFID virus? And how might one attack the backend systems, and what does an RFID malware design look like? At the end of this talk, there is a practical demonstration of these discussed attacks. Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally acting consulting office working mainly in the field of security and Internet/eCommerce and Supply Council solutions for enterprises."

"Hardware-supported CPU virtualization extensions such as Intel's VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel® Core Solo and Duo processors found in laptops released in early 2006 with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a rootkit "hypervisor" that transparently runs the original operating system in a VM. The rootkit would be loaded in physical memory pages that are inaccessible to the running OS and can mediate device access to hide blocks on disk. This presentation will describe how VT-x can be used by rootkit authors, demonstrate a rootkit based on these techniques, and begin to explore how such rootkits may be detected. Dino Dai Zovi is a principal member of Matasano Security where he performs consulting engagements as well as research and development. Dino is a computer security professional and researcher with over 7 years of experience in software, web application, and network penetration testing, application and operating system source code review, cryptosystem design and review, malware analysis, security tool development, and Red Team security analysis for Fortune 100 firms and federal government departments and agencies. Dino's other research projects include KARMA, a wireless client-side security assessment toolkit, and Viha, the first monitor-mode wireless driver for Apple's AirPort 802.11b network cards."

"Hotpatching is a common technique for modifying the behavior of a closed source applications and operating systems. It is not new, and has been used by old-school DOS viruses, spyware, and many security products. This presentation will focus on one particular application of hotpatching: the development of third-party security patches in the absence of source code or vendor support, as illustrated by Ilfak Guilfanov’s unofficial fix for the WMF vulnerability in December of 2005. The presentation will begin with an overview of common hotpatching implementations, including Microsoft’s hotpatching support in Windows 2003, the standard 5-byte jump overwrite and dynamic binary translation systems. I will talk briefly about the deployment and compatibility issues surrounding third party security patches, before getting technical and delving deep into the process of hotpatch development. I will present techniques for exploit-guided debugging and reverse engineering of vulnerable functions, as well as code for hotpatch injection and binary patching. The most fun part will be at the end of the presentation, when I will do a live demo of analyzing a vulnerability and building a hotpatch for it in 15 minutes."

This presenation will offer a technical overview of the security engineering process behind Windows Vista. Windows Vista is the first end-to-end major OS release in the Trustworthy Computing era from Microsoft. Come see how we’ve listened to feedback from the security community and how we’ve changed how we engineer our products as a result. The talk covers how the Vista engineering process is different from Windows XP, details from the largest-commercial-pentest-in-the-world, and a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities. It includes behind the scenes details you won’t hear anywhere else.

"How often have you encountered random-looking cookies or other data in a web application that didn‚t easily decode to human readable text? What did you do next-ignore it and move on, assuming that it was encrypted data and that brute forcing the key would be infeasible? At the end of the test, when the application developer informed you that they were using 3DES with keys rotating hourly, did you tell them they were doing a good job, secretly relieved that you didn't waste your time trying to break it? This presentation will discuss penetration testing techniques for analyzing unknown data in web applications and demonstrate how encrypted data can be compromised through pattern recognition and only a high-level understanding of cryptography concepts. Techniques will be illustrated through a series of detailed, step-by-step case studies drawn from the presenter‚s penetration testing experience. This is not a talk on brute forcing encryption keys, nor is it a discussion of weaknesses in cryptographic algorithms. Rather, the case studies will demonstrate how encryption mechanisms in web applications were compromised without ever identifying the keys or even the underlying ciphers."

"There is an often overlooked security design flaw in many web applications today. Web applications often take user input through HTML forms. When privileged operations are performed, the server verifies the request is from an authorized user. Cross-Site Request Forgery Attacks allow an attacker to coerce an authorized user to request privileged operations of the attacker’s choice. Learn about this attack, how you can quickly identify these bugs in web applications, common techniques programmers use prevent these attacks, common bugs in some of these preventions, how the attack applies to SOAP, and how to automate tests to verify the attack is successfully prevented. Tom Gallagher has bee"

"Monkeyspaw is a unified, single-interface set of security-related website evaluation tools. Implemented in Greasemonkey, its purpose is to automate several common tasks employed during the early steps of an incident investigation involving client-side exploits. More generally, Monkeyspaw is also intended to demonstrate some of the more interesting data correlation capabilities of Greasemonkey. Hopefully, its release will encourage more security application development in this easy to use, cross-platform, web-ready scripting environment. About Greasemonkey: Greasemonkey is described as "bookmarklets on crack" by its primary developer, Aaron Boodman. For more details, see his presentation."

"Ajax can mean different things to different people. To a user, Ajax means smooth web applications like Google Maps or Outlook Web Access. To a developer, Ajax provides methods to enrich a user's experience with a web application by reducing latency and offloading complex tasks on the client. To an information architect, Ajax means fundamentally changing the design of web applications so they span both client and server. To the security professional, Ajax makes life difficult by increasing the attack surface of web applications and exposing internal logic layers to the entire network. With 70% of attacks coming through the application layer, Ajax makes the job of securing web applications that much harder. This presentation will comprehensively discuss the fundamental security issues of Ajax These include browser/server interact issues, application design issues, vulnerabilities in work-arounds like Ajax bridges, and how the hype surrounding Web 2.0 applications is making things worse. Specifically we will examine the different attack methodologies used against Ajax applications, how Ajax increases the danger of XSS attacks, the dangers of exposing your application logic layer to the network, how bridges can be used to exploit 3rd party sites, and more . Finally we discuss how to properly design an Ajax application to avoid these security issues and demonstrate methods to secure existing applications. Participates should have a good understanding of HTTP, JavaScript, and be familiar with web application design. Billy Hoffman is a security researcher for SPI Dynamics where he focuses on automated discovery of web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, FooCamp, Shmoocon, The 5th Hope, and several other conferences. He has also presented by invitation to the FBI. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included phishing, automated crawler design, automation of web exploits, reverse engineering laws and techniques, cracking spyware, ATMs, XM radio and magstripes. Billy also wrote TinyDisk, which implements a file system on a third party's web application to illustrate common weaknesses in web application design. In addition, Billy reviews white papers for the Web Application Security Consortium (WASC) and is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects, writing articles, and giving presentations under the handle Acidus."

"How could an attacker steal the phone numbers stored on your mobile, eavesdrop your conversations, see what you're typing on the keyboard, take pictures of the room you're in, and monitor everything you're doing, without ever getting in the range of your Bluetooth mobile phone? In this talk we present a set of projects that can be combined to exploit Bluetooth devices (and users...), weaknesses building a distributed network of agents spreading via Bluetooth which can seek given targets and exploit the devices to log keystrokes, steal data, record audio data, take pictures and then send the collected data back to the attacker, either through the agents network or directly to the attacker. We show the different elements that compose the whole project, giving an estimate, through real data and mathematical models, of the effectiveness of that kind of attack. We also show what our hidden, effective and cool worm-spreading trolley looks like: say hello to the BlueBag! ;-) Claudio Merloni, M.S. in Computer Engineering, has graduated from the Politecnico of Milano School of Engineering. Since 2004, he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. His daily work is focused mainly on security policies and management, security assessment and computer forensics. Luca Carettoni is a Computer Engineering student at the Politecnico of Milano University. His current research and master’s degree thesis deals with automatic detection of web application security flaws. Since 2005 he has worked as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. He is the author of several research papers, advisories and articles on computer security for Italian journals. His interests revolve around three attractors: web applications security, mobile computing and digital freedom."

"In the past couple years there have been major advances in the field of rootkit technology, from Jamie Butler and Sherri Sparks' Shadow Walker, to FU. Rootkit technology is growing at an exponential rate and is becoming an everyday problem. Spyware and BotNets for example are using rootkits to hide their presence. During the same time, there have been few public advances in the rootkit detection field since the conception of VICE. The detection that is out there only meets half the need because each tool is designed to detect a very specific threat. After three years, it’s time for another run at rootkit detection. This presentation will review the state-of-the-industry in rootkit detection, which includes previously known ways to detect rootkits and hooks. It will be shown how the current detection is inadequate for today’s threat, as many detection algorithms are being bypassed. The talk will outline what those threats are and how they work. The presentation will then introduce the RAIDE (Rootkit Analysis Identification Elimination) tool and detail RAIDE’s unique features such as unhiding hidden processes, showing new ways to detect hidden processes, and restoring non-exported ntoskrnl functions. The talk will conclude with a demonstration, which at Black Hat Europe included five rootkits, one virtual machine, two kernel level debuggers, and RAIDE running happily on top of them all. Peter Silberman has been working in computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was employed at HBGary during the summer of 2005; however during the year, Peter is an independent security researcher who tries to contribute to openRCE.org in his spare time. Peter is currently a sophomore at a liberal arts school where he tries to not let education interfere with his learning. Peter if not behind a computer or power tools can be found behind a pong table mastering his skills. Jamie Butler is the Chief Technology Officer at Komoku, Inc. He has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was also the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. Mr. Butler has a Master's degree in Computer Science from the University of Maryland and a B.B.A. and B.S from James Madison University. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel." Mr. Butler has authored numerous papers appearing in publications such as the "IEEE Information Assurance Workshop, USENIX login";, "SecurityFocus", and "Phrack". He is a frequent speaker at computer security conferences such as the Black Hat Security Briefings and has appeared on Tech TV and CNN. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc. specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies" and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel" due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds a MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX login, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com."

Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be.

"TCP/IP is on the front lines in defending against network attacks, from intrusion attempts to denial-of-service. Achieving resilience depends on factors from NIC driver quality up through network application behavior. Windows Vista delivers resilience, security and extensibility with the NetIO stack-a re-architected and re-written TCP/IP stack. Windows Vista Network Architect Abolade Gbadegesin will provide an in-depth technical description of the new architecture and new features, and will provide an insider’s view of how Microsoft listened and responded to feedback from the security community. Abolade Gbadegesin is an Architect in the Windows Networking and Device Technologies Division, and is responsible for leading the redesign and implementation of the Windows networking stack for Windows Vista, incorporating native support for IPv6, IPSec and hardware offload capabilities. Abolade is a member of the Windows architecture group and the networking architecture team. When time permits, he works as a comic book artist, practices piano and breakdance and Argentine tango, and contributes performances at various spoken word events as a founding member of the Learned Hearts Brigade."

"If you know good tech, you can smell bad tech from a mile away. Bad tech is the stuff that makes you laugh out loud in a theater when all the "normal" people around you thought something k-rad just happened. The stuff that makes real hackers cringe, furious that they missed their true calling: the cushy life of a Hollywood "technical consultant". Then again, maybe Hollywood got it right, and the hackers have it all confused. Judge for yourself as Johnny slings the code that quite possibly explains what, exactly those boneheads must have been thinking. If you can piece together the meaning behind the code, and guess the pop culture reference first, you'll win the respect of your peers and possibly one of many dandy prizes. Either way you'll relish in the utter stupidity (or brilliance) of Hollywood's finest hacking moments. Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com"

"Assessing and analyzing storage networks are key to protecting sensitive data at rest; however, the tools and procedures to protect such resources are absent. The presentation will attempt to bridge the gap between security professionals worried about storage security and the lack of tools/process to mitigate any exposures. The presentation will introduce the Storage Network Audit Program (SNAP), which is an assessment program for security professionals who wish to ensure their storage network is secure. The audit program requires no storage background. The program will clearly outline topics for storage security, list specific questions regarding the topic, and clearly state what outcomes would be satisfactory or unsatisfactory. Over 40 different topics are discussed in SNAP. The presentation will also introduce a new tool to analyze the security configuration of a NetApp filer. SecureNetApp is a tool that will analyze over 90 settings on a NetApp filer and create an HTML report that shows all satisfactory and unsatisfactory settings. Based on the results, the tool will display the exact syntax that can be used to mitigate all unsatisfactory settings, which can be given directly to a storage administrator for remediation. The presentation will conclude with a brief overview of the security gaps in new storage devices marketed to home users and small offices. While devices like NetGear Z-SAN’s meet the increasing demands of storage, they miss the mark it terms of data protection. A demo of a basic attack will be shown to highlight the lack of security in such home storage products."

"The VoIP Security Essentials presentation will introduce the audience to voice over IP (VoIP) technology. The practical uses of VoIP will be discussed along with the advantages and disadvantages of VoIP technology as it is today. Key implementation issues will be addressed to ensure product selection for VoIP technology will integrate into the organization’s current infrastructure. The presentation will look at some of the latest VoIP security issues that have surfaced and the vendor/industry responses to those issues. Jeff Waldron, CISSP, ISSAP, SCSA has over 15 years of IT experience-over 10 of those years are IT Security specific. Has supported both Commercial, State, Federal and DoD IT security environments. Extensive knowledge of Host and Network-Based Intrusion Detection/Prevention tools and technologies along with UNIX-based security configurations. Has presented at Black Hat USA 04 and a facility member with The Institute for Applied Network Security."