Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

Ethereal is a thing of beauty, but ultimately you are constrained to a tiny window of 30-40 packets that is insufficient when dealing with network datasets that could be on the order of millions of packets. In addition, it only displays traffic from packet captures and lacks the ability to incorporate and correlate other security related datastreams. In an attempt to break from this paradigm, we will explore conceptual, system design and implementation techniques to help you build better security analysis tools. By applying advanced information visualization and interaction techniques such as dynamic queries, interactive encoding, semantic zooming, n-gram analysis and rainfall visualization you will gain far more insight into your data, far more quickly than with today's best tools. We will discuss lessons learned from the implementation of a security PVR (a prototype will be released) and explore additional topics such as using visual techniques to navigate and semantically encode small and large binary objects, such as executable files, to improve reverse engineering. To get the most out of this talk you should have a solid understanding of the OSI model and network protocols. Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. He holds a Masters Degree in Computer Science from Johns Hopkins University and a Bachelor of Science in Computer Science from the United States Military Academy. His areas of expertise include network security, information visualization and information warfare. Greg has worked at a variety of military intelligence assignments specializing in Signals Intelligence. Currently he is on a Department of Defense Fellowship and is working on his PhD in Computer Science at Georgia Tech. His work can be found at www.cc.gatech.edu/~conti and www.rumint.org.

This presentation looks at computer network defense and the legal cases of the last year that affect internet and computer security. This presentation clearly and simply explains (in non-legal terms) the legal foundations available to service providers to defend their networks. Quickly tracing the legal origins from early property common-law doctrine into today's statutes and then moving into recent court cases and battles. This presentation will quickly become an open forum for questions and debate. Major Robert Clark is the Command Judge Advocate for the Army' 1st Information Operations Command. As the sole legal advisor, his primary duty is to advise the Army's Computer Network Operations Division on all aspect of computer operations and security. This role has him consulting with the DoD Office of General Counsel, NSA, and DoJ Computer Crime and Intellectual Property Section. He lectures at the Army's Intelligence Law Conference and at the DoD's Cybercrimes Conference.

It has become apparent that the greatest threat toward the survival of peer to peer, and especially file sharing, networks is the openness of the peers themselves towards strangers. So called "darknets"-encrypted networks where peers connect directly only to trusted friends-have been suggested as a solution to this. Some, small-scale darknet implementations such a Nullsofts WASTE have already been deployed, but these share the problem that peers can only communicate within a small neighborhood. Utilizing the small world theory of Watts and Strogatz, Jon Kleinbergs algorithmic observations, and our own experience from working with the anonymous distributed data network Freenet, we explore methods of using the dynamics of social networks to find scalable ways of searching and routing in a darknet. We discuss how the results indicating the human relationships really form a "small world", allow for ways of restoring to the darknet the characteristics necessary for efficient routing. We illustrate our methods with simulation results. This is, to our knowledge, the first time a model for building peer to peer networks that allow for both peer privacy and global communication has been suggested. The deployment of such networks would offer great opportunities for truly viable peer to peer networks, and a very difficult challenge to their enemies. Ian Clarke is the architect and coordinator of The Freenet Project, and the Chief Executive Officer of Cematics Ltd, a company he founded to realise commercial applications for the Freenet technology. Ian is the co-founder and formerly the Chief Technology Officer of Uprizer Inc., which was successful in raising $4 million in A-round venture capital from investors including Intel Capital. In October 2003, Ian was selected as one of the top 100 innovators under the age of 35 by the Massachusetts Institute of Technology's Technology Review magazine. Ian holds a degree in Artificial Intelligence and Computer Science from Edinburgh University, Scotland. He has also worked as a consultant for a number of companies including 3Com, and Logica UK's Space Division. He is originally from County Meath, Ireland, and currently resides in Edinburgh, Scotland. Oskar Sandberg is a post graduate student at the Chalmers Technical University in Gothenburg, Sweden. He is working on a PhD about the mathematics of complex networks, especially with regard to the small world phenomenon. Besides this he has an active interest in distributed computer networks and network security, and has been an active contributor to The Freenet Project since 1999.

The ability to check memory references against their associated array/buffer bounds helps programmers to detect programming errors involving address overruns early on and thus avoid many difficult bugs down the line. Because such programming errors have been the targets of remote attacks, i.e., buffer overflow attack, prevention of array bound violation is essential for the security and robustness of application programs that provide service on the Internet. This talk proposes a novel approach called CASH to the array bound checking problem that exploits the segmentation feature in the virtual memory hardware of the X86 architecture. The CASH approach allocates a separate segment to each static array or dynamically allocated buffer, and generates the instructions for array references in such a way that the segment limit check in X86's virtual memory protection mechanism performs the necessary array bound checking for free. In those cases that hardware bound checking is not possible, it falls back to software bound checking. As a result, CASH does not need to pay per-reference software checking overhead in most cases. However, the CASH approach incurs a fixed set-up overhead for each use of an array, which may involve multiple array references. The existence of this overhead requires compiler writers to judiciously apply the proposed technique to minimize the performance cost of array bound checking. This talk will describe the detailed design and implementation of the CASH compiler, and a comprehensive evaluation of various performance tradeoffs associated with the proposed array bound checking technique. For the set of production-grade network applications we tested, including Apache, Sendmail, Bind, etc., the latency penalty of CASH's bound checking mechanism is between 2.5% to 9.8% when compared with the baseline case that does not perform any bound checking. Dr. Tzi-cker Chiueh is a Professor in the Computer Science Department of Stony Brook University, and the Chief Scientist of Rether Networks Inc. He received his B.S. in EE from National Taiwan University, M.S. in CS from Stanford University, and Ph.D. in CS from University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER award in 1995, and has published over 130 technical papers in refereed conferences and journals in the areas of operating systems, networking, and computer security. He has developed several innovative security systems/products in the past several years, including SEES (Secure Mobile Code Execution Service), PAID (Program Semantics-Aware Intrusion Detection), DOFS (Display-Only File Server), and CASH.

This talk will cover the Defense Cyber Crime Center (DC3), our mission and capabilities. The DC3 is one-stop shopping for cyber crime related support. We have approximately 160 people assigned in 3 main organizations: * The Defense Computer Forensics Lab - probably the largest digital forensics lab in the world and the leader in handling large datasets. One case averages 75 terabytes. * The Defense Computer Investigations Training Program - the most high-tech classrooms in the world, training all of the DoD criminal and counterintelligence agents on the techniques to investigate cyber crime. FBI, Secret Service and Department of State, Diplomatic Security Service actually buy our courses for their agents due to the quality. * The Defense Cyber Crime Institute - my organization, responsible for research and development of new digital forensics tools as well as the validation, test and evaluation of these tools. Since crime labs now are moving to accreditation so that their evidence will be admissible in court, all of the tools used in a crime lab must first be independently tested and validated. You can't download the latest and greatest tool from the Internet or purchase it and use it without validating it first. Digital forensics is now a recognized forensic discipline just like, ballistic, serology, DNA, handwriting analysis, and finger print analysis. As such, there are best practices that must be adhered to. The discipline is on the cusp, moving from adhoc to certified professionals. The institute would like to be the consumer reports for digital forensics tools someday. Check out our website, www.dc3.gov.

Databases are where your most valuable data rest, when you use a database server you implicitly trust the vendor, because you think you bought a good and secure product. This presentation will compare MS SQL Server and Oracle Database Server from security standpoint, comparison will include product quality, holes, patches, etc. This presentation will also show how both vendors manage security issues and how they have evolved over time. The main goal of this presentation is to kill the myths surrounding both products and let people know the truth about how secure these products are. Cesar Cerrudo is a security researcher specialized in application security. Cesar is running his own company, Argeniss. Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security and has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua and CanSecWest.

This talk will be on using toolkits for your pen-testing, vulnerability assessment etc. Configuring a plethora of the different tools out there can be quite time consuming, and challenging. The focus of this talk will be to look at an alternative solution that provides a suite of tools at boot. Until recently there was not very many toolkits, and the ones that were there did not work very well, that has changed and in this talk I will discuss the toolkits available, and demo one of the better ones. The toolkits that will be reviewed will all be open source, and free, there are commercial solutions available, but why pay when the free ones are more than adequate. Kevin Cardwell spent 22 years in the U.S. Navy, starting off in Sound Navigation and Ranging (SONAR). He began programming in 1987. He was fortunate enough to get on the Testing Team and got to test and evaluate Surveillance and Weapon system software including; Remote Mine-Hunting System, Multi-System Torpedo Recognition Alert Processor (MSTRAP), Advanced Radar Periscope Discrimination Detection System (ARPDD), Tactical Decision Support Subsystem (TDSS) and Computer Aided Dead Reckoning Tracer (CADRT). Shortly thereafter he became a software and systems engineer and was was selected to head the team that built a Network Operation Center (NOC) that provided services to the command ashore and ships at sea in the Norwegian Sea and Atlantic Ocean. In 2000, Cardwell formed his own Engineering Solutions company and has been providing consulting services for companies throughout the UK and Europe. He is also an Adjunct Associate Professor for the University of Maryland University College and is the European rep for the Information Assurance curriculum. He holds a BS in Computer Science from National University in California and a MS in Software Engineering from the Southern Methodist University (SMU) in Texas.

Trust Transience: Post Intrusion SSH Hijacking explores the issues of transient trust relationships between hosts, and how to exploit them. Applying technique from anti-forensics, linux VXers, and some good-ole-fashioned blackhat creativity, a concrete example is presented in the form of a post-intrusion transparent SSH connection hijacker. The presentation covers the theory, a real world demonstration, the implementation of the SSH Hijacker with special reference to defeating forensic analysis, and everything you'll need to go home and hijack yourself some action. Adam Boileau is a deathmetal listening linux hippy from New Zealand. When not furiously playing air-guitar, he works for linux integrator and managed security vendor Asterisk in Auckland, New Zealand. Previous work has placed him in ISP security, network engineering, linux systems programming, corporate whore security consultancy and a brief stint at the helm of a mighty installation of solaris tar. Amongst his preoccupations at the moment are the New Zealand Supercomputer Centre, wardriving-gps-visualization software that works in the southern hemisphere, and spreading debian and python bigotry. Oh, and Adam's band 'Orafist' needs a drummer - must have own kit and transport to New Zealand.

At DefCon 11, a rogue access point setup utility named "Airsnarf" was presented by the Shmoo Group. Two years later, "Evil Twin" access points have made it to Slashdot and news.google.com. Who would have thought TSG could get away with the easy rogue AP attacks for so long? Note to Shmoo: Next time, put the word "evil" in the title of your presentation for mass appeal and acceptance. Oh, rock on--it WORKED! Wireless n00b? No problem0. This talk starts off with the basics. Wireless insecurity basics. Rogue AP basics. How your wireless users are basically screwed. Etc. If you read about "Evil Twin" access points earlier this year, you will actually see how easy it is to build your own. However, this talk quickly moves on to more advanced attacks and trickery with rogue APs, including: gathering intel beyond usernames / passwords, getting around WEP and WPA-PSK protected networks, integrating RADIUS with your rogue AP, abusing vulnerable EAPs, rogue AP backend bridging, and real-time abuse of two-factor authentication a la Bruce Schneier's Springtime scary story. Even wireless warriors will learn an entertaining trick or two. You want demonstrations? Okey dokey. You'll have them. Once everyone has the willies, the "professional" and "responsible" portion of this talk, albeit minimal, will cover rogue AP defense. Basic wireless security architectures and to-dos for home users, hotspot users, and enterprise wireless network admins are covered, as well as client-side defensive tools, WIDS considerations, and roll-your-own options. But wait! There's more! For the closet Microsoft fanboy in all of us, wireless weapons for Windows are covered--both offense and defense. Why launch a rogue AP attack when you can launch three? Rogue AP attacks for the masses! The release of "Rogue Squadron"! It's a bizarre look at how to be a social engineering badboy with 802.11b presented by Beetle of the Shmoo Group. If you want to know what the press will pick up on two years from now, you should probably check this out. Otherwise, move along. These are not the APs you are looking for. Beetle is a member of the Shmoo Group, holds a BS in Computer Science, and is a D.C.-area computer security engineer. He is a geek, and he is a licensed amateur racecar driver-the perfect combination for successfully working and driving around the nation's capital. He presented on the topic of rogue access points at DefCon 11 and Black Hat Federal, demonstrating his rogue AP setup utility Airsnarf. Last year, he and the Shmoo Group pimped some of their new wireless gadgets, such as 802.11bounce and the Sniper Yagi, at DefCon 12, and Beetle unleashed Wireless Weapons of Mass Destruction for Windows at ToorCon last fall. This year, Beetle swears he is taking a break of sorts, having recently organized an East coast hacker conference in D.C. called ShmooCon this past Winter, while reminding people that rogue APs and "Evil Twins" are NOT new, and presenting on wireless topics at several other conferences this past Spring. Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, large-scale network architectures, smartcards and promotion of secure software engineering practices. Mr. Potter coauthored the books "802.11 Security", published in 2003 by O'Reilly, "Mac OS X Security" by New Riders in 2003 and "Mastering FreeBSD and OpenBSD Security" by O'Reilly published in April 2005. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton.

This is a real story of modern extortion in a cyberworld. Bots have replaced dynamite and you don't buy "protection" to prevent your shop from going in flames; you buy "consulting" to prevent your IT from beeing DoSed. From the first limited synflood to the conclusion, we will review those crazy 48 hours that end up in a one to one digital fight. We will see in depth which attacks and mitigation techniques where involved and how they both evolved quickly in complexity and intensity. As a conclusion we will see which were the major weaknesses, found either in the network architecture, the security perimeter and the target application, and how it would have been possible to prevent such attack, limit its impact... and save money. Renaud Bidou has been working in the field of IT security for about 10 years. He first performed consulting missions for telcos, pen-tests and post-mortem audits, and designed several security architectures. In 2000 he built the first operational Security Operation Center in France which quickly became the 4th French CERT and member of the FIRST. He then joined Radware as the security expert for Europe, handling high criticity security cases. In the mean time Renaud is an active member of the rstack team and the French Honeynet Project with studies on honeynet containment, honeypot farms and network traffic analysis. He regularly publishes research articles in the French security magazine MISC and teaches in several universities in France.

USB peripheral devices are made by reputable manufacturers and will not misbehave by attacking the host system's operating system. This device is not one of those. This discussion will cover the creation of a USB meta-device, the discovery and exploitation of flaws in operating system device drivers. In a nutshell, plug this device into an otherwise locked system and it will automatically take control of the system. Darrin Barrall has a varied background in both hardware and software. While working in the hardware world, Darrin repaired electronics in devices ranging from televisions to sports arena lighting systems. After transitioning to the software world, his talents further diversified into banking applications, and recently into buffer overflows. Darrin is currently a RandD coder for the SPI Labs group at SPI Dynamics where he specializes in breaking things. David Dewey is a security engineer for SPI Dynamics. David came to SPI Dynamics with five years of information security experience ranging from firewall and IDS configuration and support to application level assessment and exploit research. As a pre-sales security engineer, and member of the SPI Labs team, the renowned application security research and development group within SPI Dynamics, David assists in developing new tools and researching new threats in the realm of Web application security.

This discussion will cover the theoretical background of using ordinary, readable text to conceal an exploit payload's true content, ending with a practical application of the discussed technique. Encoding a payload as plain text is useful in cases where input filtering eliminates many of most useful values that make up a payload. In particular, Unicode based systems place numerous constraints on acceptable character values, making it worthwhile to create a simple decoder function to decode far more complex shellcode data. The technique is also useful where content filtering is used, the small amount of unusual text making up the decoder could be outweighed by a large amount of grammatically correct text. Darrin Barrall has a varied background in both hardware and software. While working in the hardware world, Darrin repaired electronics in devices ranging from televisions to sports arena lighting systems. After transitioning to the software world, his talents further diversified into banking applications, and recently into buffer overflows. Darrin is currently a RandD coder for the SPI Labs group at SPI Dynamics where he specializes in breaking things.

An enterprise IT infrastructure is a complex and a dynamic environment that is generally described as a black hole by its IT managers. The knowledge about an enterprise network's layout (topology), resources (availability and usage), elements residing on the network (devices, applications, their properties and the interdependencies among them) as well as the ability to maintain this knowledge up-to-date, are all of critical for managing and securing IT assets and resources. Unfortunately, the current available network discovery technologies (active network discovery and passive network discovery) suffer from numerous technological weaknesses which prevent them from providing with complete and accurate information about an enterprise IT infrastructure. Their ability to keep track of changes is unsatisfactory at best. The inability to "know" the network directly results with the inability to manage and secure the network in an appropriate manner. This is since it is impossible to manage or to defend something, or against something, its existence is unknown or that only partial information about it exists. The first part of the talk presents the current available network discovery technologies, active network discovery and passive network discovery, and explains their strengths and weaknesses. The talk highlights technological barriers, which cannot be overcome, with open source and commercial applications using these technologies. The second part of the talk presents a new hybrid approach for infrastructure discovery, monitoring and control. This agent-less approach provides with real-time, complete, granular and accurate information about an enterprise infrastructure. The underlying technology of the solution enables maintaining the information in real-time, and ensures the availability of accurate, complete and granular network context for other network and security applications. During the talk new technological advancements in the fields of infrastructure discovery, monitoring and auditing will be presented. Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of IT infrastructure discovery, monitoring and auditing systems for enterprise networks. Ofir holds 10 years of experience in data security research and management. He has served as a CISO of a leading Israeli international telephone carrier, and worked as a Managing Security Architect at @stake, a US-based security consultancy company. In addition, Ofir has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir conducts cutting edge research in the information security field and has published several research papers, advisories and articles in the fields of information warfare, VoIP security, and network discovery, and lectured in a number of computer security conferences about the research. The best known papers he had published are: "ICMP Usage in Scanning", "Security Risk Factors with IP Telephony based Networks", "Trace-Back", "Etherleak: Ethernet frame padding information leakage", etc. He is co-author of the remote active operating system fingerprinting tool Xprobe2. Ofir is an active member with the Honeynet project and co-authored the team's books, "Know Your Enemy" published by Addison-Wesley. Ofir is the founder of Sys-Security Group, a computer security research group.

In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy. Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative council while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and after 9/11 as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal and Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA).

One of the most important weapons in our arsenal for securing applications is threat modeling. Applications are becoming increasingly complex and new technologies are emerging constantly. In this scenario, building or attacking applications is challenging. Threat models can help attackers discover design vulnerabilities and mount complex attacks. These models give secure application developers a great amount of leverage to envision their design, implementation and soundness of their architectures. Being living documents they also carry forward any knowledge gained from previous development life cycles and are invaluable in understanding the impact of any changes to the overall security posture of the applications. Understanding and constructing meaningful threat models is hard. Application teams and attackers need to be aware of what they want to model, how they want to model and when they want to model. Rapid Threat Modeling will help them develop models rapidly while reutilizing data they gathered either through reconnaissance or through the software development lifecycle. A practical hands-on demonstration of modeling threats for complex managed application will allow for immediate use of any threat modeling knowledge gained. Akshay Aggarwal currently works for IOActive Inc. as a computer security consultant where he is responsible for conducting security architecture design, application and source-code assessments and vulnerability research. He helps Fortune 100 clients evaluate the security of their software products and applications and develop threat models. He has authored several research papers and been invited to speak at many forums like the Multi-University Research Initiative for Protocol Development and the Center for Information Technology Research in Interest of Society. Akshay holds a MS in Computer Science from the University of California at Davis. There, at the renowned Computer Security Lab, he conducted research on Internet worms and Intrusion detection systems.