Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

Input validation is an important part of security, but it's also one of the most annoying parts. False positives and false negatives force us to choose between convenience and security-but do we have to make that choice? Can't we have both? In this talk two University of Iowa researchers will present new methods of input validation which hold promise to give us both convenience _and_ security. A basic understanding of SQL and regular expressions is required. Robert J. Hansen: B.A. in Computer Science from Cornell College, 1998. Graduate student at the University of Iowa, 2003-2005, researching secure voting systems with Prof. Doug Jones. Senior Security Engineer at Exemplary Technologies, 2000; Cryptographic Engineer at PGP Security, 2000-2001. Meredith L. Patterson: B.A. English (Linguistics) from the University of Houston, 2000. M.A. Linguistics from the University of Iowa, 2003. Graduate student at the University of Iowa, 2003-2005, studying data mining with Prof. Hwanjo Yu. Bioinformatics intern at Integrated DNA Technologies, 2003-2005.

A Honeypot is a information gathering system, designed for attackers to interact with. A honeynet, simply put, is a network of honeypots. The key component of a honeynet is the honeywall. The honeywall is used to provide the following capabilities: * Data Capture. The ability to collect information about the attack. * Data Control. The ability to restrict the amount of damage that can be done from one of your honeypots to another network. * Data Analysis. The ability to conduct limited forensics analysis on the network traffic or compromised honeypots in order to discover the attackers methodology. * Data Alerting. The ability to alert an analyst as to suspicious activity. In 2001, Honeynet.org released a honeywall, called eeyore, which allowed for Gen II honeynets and improved both Data Capture and Data Control capabilities over the Gen I honeynets. In the summer of 2005, Honeynet.org released a new honeywall, called roo, which enables Gen III honeynets. The new roo has many improvements over eeyore: * Improved installation, operation, customization * Improved data capture capability by introducing a new hflow database schema and pcap-api for manipulating packet captures. * Improved data analysis capability by introducing a new web based analysis tool called walleye. * Improved user interfaces and online documentation The purpose of this presentation is to describe the new capabilities of Gen III honeynets and demonstrate the new roo. In addition, a road ahead will be discussed to describe a global honeygrid of connected honeynets. Allen Harper is a Security Engineer for the US Department of Defense in Northern Virginia. He holds a MS in Computer Science from the Naval Post Graduate School. For the Honeynet Project, Allen leads the development of the GEN III honeywall CDROM, now called roo. Allen was a co-author of Gray Hat, the ethical hackers handbook published by McGraw Hill and served on the winning team (sk3wl of root) at last year's DEFCON Capture the Flag contest. Edward Balas is a security researcher within the Advanced Network Management Laboratory at Indiana University. As a member of the Honeynet Project, Edward leads the development of Sebek and several key GenIII Honeynet data analysis components. Prior to joining Indiana Unviersity, Edward worked for several years as a network engineer developing tools to detect and manage network infrastructure problems.

The use of phishing/cross-site scripting hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security research and development and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent conference speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

The Grugq has been at the forefront of forensic research for the last six years, during which he has been pioneering in the realm of anti-forensic research and development. During this time, he has also worked with a leading IT security consultancy and been employed at a major financial institution. Most recently he has been involved with an innovative security software development start-up company. Currently the Grugq is a freelance forensic and IT security consultant. While not on engagements, the Grugq continues his research on security, forensics and beer.

Most users treat a hardware solution as an inherently trusted black box. "If it's hardware, it must be secure," they say. This presentation explores a number of classic security problems with hardware products, including access to stored data, privilege escalation, spoofing, and man-in-the-middle attacks. We explore technologies commonly used in the network and computer security industries including access control, authentication tokens, and network appliances. You'll leave this presentation knowing the consequence of blindly trusting hardware. Joe Grand is the President of Grand Idea Studio, a San Diego-based product development and intellectual property licensing firm, where he specializes in embedded system design, computer security research, and inventing new concepts and technologies. Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker collective L0pht Heavy Industries. He is the author of "Hardware Hacking: Have Fun While Voiding Your Warranty" and a co-author of "Stealing The Network: How to Own A Continent". Joe holds a Bachelor of Science degree in Computer Engineering from Boston University.

This will be a practical and theoretical tutorial on legal issues related to computer security practices. In advance of the talk, I will unscientifically determine the "Top Ten LegalQuestions About Computer Security" that Black Hat attendees have and will answer themas clearly as the unsettled nature of the law allows. While the content of the talk is audience driven, I expect to cover legal issues related to strike-back technology,vulnerability disclosure, civil and criminal liability for maintaining insecure computersystems, reverse engineering, the Digital Millennium Copyright Act, trade secret law and licensing agreements. Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computercrime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few public interest law and technology litigation clinics. Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices and the Hacker Foundation, a research and service organization promoting the creative use of technological resources. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Don't get caught. Building off of Foster's log manipulation and bypassing forensics session at BlackHat Windows 2004, James C. Foster and Vincent T. Liu will share over eighteen months of continued private forensic research with the Black Hat audience including ground-breaking vulnerabilities and key weaknesses in some of the most popular tools used by forensic examiners including EnCase, CA eTrustAudit, and Microsoft ISA Server. Watch live demonstrations as Foster and Vinnie detail how to leverage these weaknesses to avoid being detected, and discover the theory and practice behind the most effective and cutting-edge anti-forensics techniques. Finally, learn how to turn a forensic analyst's training against himself by joining the speakers in a lively discussion of the "Top 10 Ways to Exploit a Forensic Examiner". This talk should be required viewing for all those on both sides of the fence, so come prepared to watch trusted forensics tools crumble. James C. Foster, Fellow, is the Deputy Director of Global Security Solution Development for Computer Sciences Corporation. Foster is responsible for directing and managing the vision, technology, and operational design for CSC's global security services. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc (acquired by McAfee). and was responsible for all aspects of product, consulting, and corporate Rresearch and developmentamp;D initiatives. Foster is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. Vincent Liu is an IT security specialist at a Fortune 100 company where he is responsible for assessing the security of the enterprise network infrastructure and participating as a member of the global incident response team.Before moving to his current position, Vincent worked as a consultant with the Ernst and Young Advanced Security Center and as an analyst at the National Security Agency. His specialties include penetration testing, web application assessments, incident response, binary reverse engineering, and exploit development.

Has your network ever been hacked, and all you have to show for your investigative efforts is an IP address belonging to an ISP in Irkutsk? Are you tired of receiving e-mails from Citibank that resolve to Muscovite IP addresses? Would you like to hack the Kremlin? Or do you think that the Kremlin has probably owned you first? Maybe you just think that Anna Kournikova is hot. If the answer to any of the above questions is yes, then you need an introduction to the Gulag Archipelago of the Internet, the Cyberia of interconnected networks, Russia. Do not let the persistent challenges of crossing international boundaries intimidate you any longer. In this briefing, we will follow several real-world scenarios back to Russia, and you will learn valuable strategies for taking your investigations and operations one big geographical step further. A brief introduction to Russia will be followed by 1,000 traceroutes over the frozen tundra described in detail, along with an explanation of the relationship between cyber and terrestrial geography. Information will be provided on Russian hacker groups and law enforcement personnel, as well as a personal interview with the top Russian cyber cop, conducted in Russian and translated for this briefing. Quick: name one significant advantage that Russian hackers have over you. They can read your language, but you cannot read theirs! Since most Westerners cannot read Russian, the secrets of Russian hacking are largely unknown to Westerners. You will receive a short primer on the Russian language, to include network security terminology, software translation tools, and cross-cultural social engineering faux-pas (this method will apply to cracking other foreign languages as well). Hacking in a Foreign Language details a four-step plan for crossing international frontiers in cyberspace. First, you must learn something about the Tribe: in this case, the chess players and the cosmonauts. Second, you must study their cyber Terrain. We will examine the open source information and then try to create our own network map using traceroutes. Third, we will look at the Techniques that the adversary employs. And fourth, we will conquer Translation. The goal is to level the playing field for those who do not speak a foreign language. This briefing paves the way for amateur and professional hackers to move beyond their lonely linguistic and cultural orbit in order to do battle on far-away Internet terrain. Kenneth Geers (M.A., University of Washington, 1997) is an accomplished computer security expert and Russian linguist. His career includes many years working as a translator, programmer, website developer and analyst. The oddest job he has had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly bug in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. He loves to read computer logfiles. In his free time, he plays chess and serves as a SANS mentor. He loves Russia, his wife Jeanne, and daughters Isabelle and Sophie. Kenneth drinks beer and feeds the empty cans to camels.

This presentation shows new ways to attack Oracle Databases. It is focused on SQL injection vulnerabilities and how can be exploited using new techniques. It also explains how to see the internal PL/SQL code that is vulnerable in Oracle built-in procedures and examples using recently discovered vulnerabilities. Buffer overflows, remote attacks using web applications and some ways to protect from these attacks also will be shown. Esteban Martinez Fayo is a security researcher; he has discovered and helped to fix multiple security vulnerabilities in major vendor software products. He specializes in application security and is recognized as the discoverer of most of the vulnerabilities in Oracle server software. Esteban currently works for Argeniss doing information security research and developing security related software solutions for Application Security Inc.

In a refreshing different format, Foster cracks the audience with a twenty minute comedic dissertation of the past year in the information security industry. Performing standup, Foster will roast the year's worst companies' business mistakes, stereotypes, books, websites, Fucked Company security excerpts in addition to posing fun of those who don't have the dream job, boatloads of cash, the supermodel girlfriend, or cabana boy - boyfriend with humorous hints of how to get there. Wrapping up the session, Foster will make his 2006 security predictions. James C. Foster, Fellow, is the Deputy Director of Global Security Solution Development for Computer Sciences Corporation. Foster is responsible for directing and managing the vision, technology, and operational design for CSC's global security services. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc (acquired by McAfee). and was responsible for all aspects of product, consulting, and corporate research and development initiatives. Prior to joining Foundstone, Foster was a Senior Advisor and Research Scientist with Guardent Inc (acquired by Verisign) and an editor at Information Security Magazine(acquired by TechTarget Media), subsequent to working as an Information Security and Research Specialist for the Department of Defense. Foster's core competencies include high-tech management, international software development and expansion, web-based application security, cryptography, protocol analysis, and search algorithm technology. Foster has conducted numerous code reviews for commercial OS components, Win32 application assessments, and reviews on commercial and government cryptography implementations. Foster is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. Foster holds degrees in Business Administration, Software Engineering, and Management of Information Systems and has attended the Yale School of Business, Harvard University, the University of Maryland, and is currently a Fellow at University of Pennsylvania's Wharton School of Business. Foster is also a well published author with multiple commercial and educational papers; and has authored, contributed, or edited for major publications to include Snort 2.0, Snort 2.1 2nd Edition, Hacking Exposed 4th Ed and 5th Edition, Special Ops Security, Anti-Hacker Toolkit 2nd Ed, Advanced Intrusion Detection, Hacking the Code, Anti-Spam Toolkit, Programmer's Ultimate Security DeskRef, Google for Penetration Testers, Buffer Overflow Attacks, and Sockets/Porting/and Shellcode.

Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot. There are several key elements to building self-defending software but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handing and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods. This ignorance is dangerous; The landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use. Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community. This presentation will: * Summarize and categorize what State, Session, and Authorization attacks are. * Provide you with a simple, effective Taxonomy for understanding the threats. * Provide you with an entirely new understanding of Cross-Site Scripting (XSS). * Disclose new Session and Authorization attacks released in recent months. * Show you how to attack your intranet from the Internet using Your browser without You knowing. * Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks. * Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts. * Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable. The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free. Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security. He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response. Arian contributes to the information security community in the form of vulnerability research and advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again. Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targest .JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game. Dan became interested in information security when Arian Evans started reading his email.

This topic will present the proposal/idea/work from the author's master graduate project about effective detection of SQL Injection exploits while lowering the number of false positives. It gives detail analysis example of how database auditing could help this case, and also presents the challenge with anomaly detection for this attack and how the author tried to solve them. Finally a correlation between the two will be presented. Yuan Fan, CISSP, has worked in the network security area for more than 7 years. He currently works for ArcSight as a Software Engineer. He holds a Master of Computer Engineering degree from San Jose State University. The tool he is writing for master graduate research project related to this topic is a Java-based, multilayer anomaly intrusion detection system.

This presentation, by a former Deputy Legal Adviser to the White House National Security Council, and author of a chapter on legal issues in the forthcoming "Case Studies for Implementing the NSA IEM," will provide information security consultants and information technology providers alike with insights into: how emerging United States national security and cybersecurity policies and initiatives could impact the work of consultants and technology providers; emerging standards of potential legal and regulatory liability for such consultants and providers; and strategies for mitigating risk and protecting proprietary and vulnerabilities information. Bryan Cunningham has extensive experience as a cybersecurity and intelligence expert, both in senior U.S. Government posts and the private sector. Cunningham, now a corporate information and homeland security consultant and principal at the Denver law firm of Morgan and Cunningham LLC, most recently served as Deputy Legal Adviser to National Security Advisor Condoleezza Rice. At the White House, Cunningham drafted key portions of the Homeland Security Act, and was deeply involved in the formation of the National Strategy to Secure Cyberspace, as well as numerous Presidential Directives and regulations relating to cybersecurity. He is a former senior CIA Officer and federal prosecutor, founding co-chair of the ABA CyberSecurity Privacy Task Force, and, in January 2005, was awarded the National Intelligence Medal of Achievement for his work on information issues. Cunningham holds a Top Secret Security Clearance and counsels corporations on information security programs, as well as information security consultants on how to structure and conduct their assessments and remediation to mitigate potential liability. C. Forrest Morgan (JD (1987), Trained in NSA IAM) has extensive experience in corporate practice and structure including contracting, corporate formation, and operations. Mr. Morgan advises information security consultants on drafting and negotiating contracts with their customers to best protect them against potential legal liability. Mr. Morgan's practice also has emphasized commercial contract drafting and reorganization, and corporate litigation, providing in-depth understanding of the business and legal environment. He has represented both national corporations and regional firms in state and federal courts and administrative agencies in matters of litigation, creditors' rights, bankruptcy, administrative law and employment issues. Mr. Morgan served as the Regional Editor of the Colorado Bankruptcy Court Reporter from 1989 to 1992, and he co-authored the Bankruptcy section of the Annual Survey of Colorado from 1991 to 1997. As a Principal of the Denver law firm of Morgan and Cunningham, LLC, Mr. Morgan's practice also includes corporate information and security consulting. He counsels corporations on information security programs, including development of corporate policies and procedures to minimize business risks and litigation exposure.

Himanshu Dwivedi's presentation will discuss the severe security issues that exist in the default implementations of iSCSI storage networks/products. The presentation will cover iSCSI storage as it pertains to the basic principals of security, including enumeration, authentication, authorization, and availability. The presentation will contain a short overview of iSCSI for security architects and basic security principals for storage administrators. The presentation will continue into a deep discussion of iSCSI attacks that are capable of compromising large volumes of data from iSCSI storage products/networks. The iSCSI attacks section will also show how simple attacks can make the storage network unavailable, creating a devastating problem for networks, servers, and applications. The presenter will also follow-up each discussion of iSCSI attacks with a demonstration of large data compromise. iSCSI attacks will show how a large volume of data can be compromised or simply made unavailable for long periods of time without a single root or administrator password. The presentation will concluded with existing solutions from responsible vendors that can protect iSCSI storage networks/products. Each iSCSI attack/defense described by the presenter will contain deep discussions and visual demonstrations, which will allow the audience to fully understand the security issues with iSCSI as well as the standard defenses. Himanshu Dwivedi is a founding partner of iSEC Partners, LLC. a strategic security organization. Himanshu has 11 years experience in security and information technology. Before forming iSEC, Himanshu was the Technical Director for @stake's bay area practice, the leading provider for digital security services. His professional experiences includes application programming, infrastructure security, secure product design, and is highlighted with deep research and testing on storage security for the past 5 years. Himanshu has focused his security experience towards storage security, specializing in SAN and NAS security. His research includes iSCSI and Fibre Channel (FC) Storage Area Networks as well as IP Network Attached Storage. Himanshu has given numerous presentations and workshops regarding the security in SAN and NAS networks, including conferences such as BlackHat 2004, BlackHat 2003, Storage Networking World, Storage World Conference, TechTarget, the Fibre Channel Conference, SAN-West, SAN-East, SNIA Security Summit, Syscan 2004, and Bellua 2005. Himanshu currently has a patent pending on a storage design architecture that he co-developed with other @stake professionals. The patent is for a storage security design that can be implemented on enterprise storage products deployed in Fibre Channel storage networks. Additionally, Himanshu has published three books, including "The Complete Storage Reference" - Chapter 25 Security Considerations (McGraw-Hill/Osborne), "Implementing SSH" (Wiley Publishing), and "Securing Storage" (Addison Wesley Publishing), which is due out in the fall of 2005. Furthermore, Himanshu has also published two white papers. The first white paper Himanshu wrote is titled "Securing Intellectual Property", which provides insight and recommendations on how to protect an organization's network from the inside out. Additionally, Himanshu has written a second white paper titled Storage Security, which provides the basic best practices and recommendations in order to secure a SAN or a NAS storage network.

The Shatter attack uses the Windows API to subvert processes running with greater privilege than the attack code. The author of the Shatter code has made strong claims about the difficulty of fixing the underlying problem, while Microsoft has, with one exception, claimed that the attack isn't a problem at all. Whether or not Shatter is indeed an exploit worth worrying about, it uses a feature of Windows that has other malicious uses, such as keystroke logging. This talk presents a means of defeating this entire family of attacks with minimal breaking of applications and effect on the look and feel of the user interface. Tyler Close is a researcher and developer, working in the field of secure, multi-user, distributed applications since 1998. He is the designer of the web-calculus, a messaging model for creating POLA interfaces between heterogeneous applications. He is a developer for an ongoing series of applications in the POLA genre, including: Waterken Server, for web-services; petname tool, anti-phishing browser extension; httpsy, decentralized authentication for the WWW; E language, P2P scripting language; Waterken DB, capability-based object database; Waterken IOU, generic rights transfer protocol. Tyler joined HP as a Visiting Scientist in 2005 to work on the Virus Safe Computing Initiative.