Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference show

Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference

Summary: Past speeches and talks from the Black Hat Briefings computer security conferences. The Black Hat Briefings USA 2006 was held August August 2-3 in Las Vegas at Caesars Palace. Two days, fourteen tracks, over 85 presentations. Dan Larkin of the FBI was the keynote speaker. Celebrating our tenth year anniversary. A post convention wrap up can be found at http://www.blackhat.com/html/bh-usa-06/bh-usa-06-index.html Black Hat Briefings bring together a unique mix in security: the best minds from government agencies and global corporations with the underground's most respected hackers. These forums take place regularly in Las Vegas, Washington D.C., Amsterdam, and Tokyo. If you want to get a better idea of the presentation materials go to http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#USA-2006 and download them. Put up the pdfs in one window while watching the talks in the other. Almost as good as being there! Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest with new content added as available! Past speeches and talks from Black Hat in an iPod friendly .mp3 audio and .mp4 h.264 192k video format

Join Now to Subscribe to this Podcast

Podcasts:

 Johnny Long: Death By 1000 cuts | File Type: video/mp4 | Duration: 1:01:15

"In this day and age, forensics evidence lurks everywhere. This talk takes attendees on a brisk walk through the modern technological landscape in search of hidden digital data. Some hiding places are more obvious than others, but far too many devices are overlooked in a modern forensics investigation. As we touch on each device, we'll talk about the possibilities for the forensic investigator, and take a surprising and fun look at the nooks and crannies of many devices considered commonplace in today's society. For each device, we'll look at what can be hidden and talk about various detection and extraction techniques, avoiding at all costs the obvious "oh I knew that" path of forensics investigation. All this will of course be tempered with Johnny's usual flair, some fun (and admittedly rowdy) "where's the evidence" games, and some really cool giveaways. Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com"

 Michael Sutton & Greg MacManus: Punk Ode - Hiding shellcode in plain sight | File Type: video/mp4 | Duration: 58:50

"Injecting shellcode into a vulnerable program so you can find it reliably can be tricky. With image format vulnerabilities, sometimes the only place you can put your code is in the image itself. If a file attempting to exploit one of these vulnerabilities was rendered using a non-vulnerable application, the ‘strange’ files might raise some suspicion; a file containing a NOP-sled and shellcode does not tend to look like any normal photo. What if shellcode could be injected in this way without significantly altering the appearance of the file? What if the entire file could be transformed into executable code but the original image or sound could still be rendered? In this presentation we will present Punk Ode, which combines concepts from steganography, psychophysics and restricted character-set shellcode encoding to hide shellcode in plain sight. We will discuss how to convert a media file into a stream of valid instructions while leaving the initial images/sounds intact so as not to raise suspicion. We will also release a series of tools designed to automate the generation of such files. Michael Sutton is a Director for iDefense/VeriSign where he heads iDefense Labs and the Vulnerability Aggregation Team (VAT). iDefense Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDefense Vulnerability Contributor Program (VCP). Prior to joining iDefense, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. He obtained his Master of Science in Information Systems Technology degree at George Washington University and has a Bachelor of Commerce degree from the University of Alberta. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department. Greg MacManus is a security engineer for iDefense/VeriSign working in the iDefense Labs where he does a bunch of computer security research and vulnerability analysis. He obtained his Bachelor of Science in Computer Science at Otago University in Dunedin, New Zealand and during this time got quite good at doing the computer stuff and going off on random tangents. Aside from finding and exploiting security vulnerabilities and related computer security topics, he is also interested in image processing, data visualization, artificial intelligence, wordplay and music."

 Zvi Gutterman: Open to Attack; Vulnerabilities of the Linux Random Number Generator | File Type: video/mp4 | Duration: 58:50

"Linux® is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator. This presentation offers a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition, we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices. Zvi Gutterman is CTO and co-founder of Safend. As CTO, Zvi designs key Safend technologies such as the algorithms and theory behind Safend Auditor and Safend Protector implementation. He is responsible for maintaining Safend's competitive advantage through cutting-edge innovation. Prior to co-founding Safend, Zvi was with ECTEL (NASDAQ:ECTX), performing as a chief architect in the IP infrastructure group. He also previously served as an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. He holds Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology and is a Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering."

 HD Moore: Metasploit Reloaded | File Type: video/mp4 | Duration: 1:14:07

"Over the last three years, the Metasploit Framework has evolved from a klunky exploit toolkit to a sleek EIP-popping machine. The latest version of the Framework is the result of nearly two years of development effort and has become a solid platform for security tool development and automation. In this talk, we will demonstrate how to use the new Framework to automate vulnerability assessments, perform penetration testing, and build new security tools that interact with complex network protocols. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects."

 Hacker Court Panel: Hacker Court 2006: Sex, Lies and Sniffers | File Type: video/mp4 | Duration: 1:08:55

"Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand. This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining."

 Hacker Court Part 2: Hacker Court 2006: Sex, Lies and Sniffers | File Type: video/mp4 | Duration: 1:34:17

"Expertise in computer forensic technology means nothing if that expertise can’t be conveyed convincingly to a jury. Presenting technical evidence in a courtroom is a far cry from presenting a technical paper at Black Hat. Sure, a computer professional may understand the importance of full headers in tracing email origins, but a jury has no clue. The real challenge in the field of computer forensics is translating complicated technical evidence in terms your typical grandmother would understand. This presentation will enact a courtroom environment, complete with judge, attorneys, and witnesses to demonstrate key issues in computer crime cases. While we strive to make case arguments and legal issues as accurate as possible, some liberties are taken to streamline the presentation and keep it entertaining."

 Robert Auger and Caleb Sima: Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems | File Type: video/mp4 | Duration: 43:05

"This presentation will discuss the use of RSS and Atom feeds as method of delivering exploits to client systems. In our research we have found a number of RSS clients, both local and web-based, that are far too trusting of the content that is delivered via feeds. Although this content arrives as well-formed XML, fundamentally it originated as user input elsewhere. Like any such data, it can contain malicious and mal-formed content, yet many clients fail to guard against this. And though such content by definition originates remotely, many clients use methods of display that cause it to be trusted as if it were locally originated. As RSS becomes more ubiquitous, the scope of this problem becomes worse. Many RSS feeds are machine generated from content originating in other feeds, search engine results, and so on. This means that feed subscribers can even be targeted without them actually subscribing to your feed at all. This has potential uses for worm propagation, botnet creation, and other forms of attack."

 Melanie Rieback: RFID Malware Demystified | File Type: video/mp4 | Duration: 51:38

"Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. Happily, once people started seriously thinking about RFID security issues, the ensuing discussion raised a heap of new research questions. This presentation will serve as a forum to address some of these recent comments and questions first-hand; I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out "the facts vs. the myth" regarding the real-world implications. Melanie Rieback is a Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID privacy management (RFID Guardian) and RFID security (RFID Malware) projects. Melanie's recent work on RFID Malware has attracted worldwide attention, appearing in the New York Times, Washington Post, Reuters, UPI, de Volkskrant, Computable, Computerworld, Computer Weekly, CNN, BBC, Fox News, MSNBC, and many other print, broadcast, and online news outlets. Melanie has also served as an invited expert for RFID discussions involving both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the MIT Center for Genome Research/Whitehead Institute. She was part of the public genome sequencing consortium, and is listed as a coauthor on the seminal paper 'Initial sequencing and analysis of the human genome', which appeared in the journal Nature."

 Jamie Butler: R^2: The Exponential Growth in Rootkit Techniques | File Type: video/mp4 | Duration: 42:20

"Rootkit technology has exploded recently, especially in the realm of remote command and control vectors. This talk will cover the evolution of rootkit techniques over the years. It will explore the interaction between corporations, the open source community, and the underground. A detailed analysis of how different rootkits are implemented will be covered. Based on this analysis, the presentation concludes with a discussion of detection methods. James Butler has almost a decade of experience researching offensive security technologies and developing detection algorithms. Mr. Butler spent the first five years of his career at the National Security Agency. After that, he worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. Mr. Butler was the Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the recently released bestseller, "Rootkits: Subverting the Windows Kernel". Mr. Butler has authored numerous papers appearing in publications such as the IEEE Information Assurance Workshop, USENIX login, SecurityFocus, and Phrack. He has also appeared on Tech TV and CNN. William Arbaugh spent sixteen years with the U.S. Defense Department first as a commissioned officer in the Army and then as a civilian at the National Security Agency. During the sixteen years, Dr. Arbaugh served in several leadership positions in diverse areas ranging from tactical communications to advanced research in information security and networking. In his last position, Dr. Arbaugh served as a senior technical advisor in an office of several hundred computer scientists, engineers, and mathematicians conducting advanced networking research and engineering. Dr. Arbaugh received a B.S. from the United States Military Academy at West Point, a M.S. in computer science from Columbia University in New York City and a PhD in computer science from the University of Pennsylvania in Philadelphia. Prof. Arbaugh is a member of DARPA's Information Science And Technology (ISAT) study group, and he also currently serves on the editorial boards of the IEEE Computer, and the IEEE Security and Privacy magazines. He has also co-authored a book with Jon Edney on Wi-Fi security that is published by Addison-Wesley."

 Emmanuele Zambon: "NIDS, false positive reduction through anomaly detection" | File Type: video/mp4 | Duration: 48:40

"The Achilles' heel of network IDSs lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS to raise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets to produce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they do not correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. To demonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture. Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the two systems. APHRODITE is able to reduce the rate of false alarms from 50% to 100% (improving accuracy) without reducing the NIDS ability to detect attacks (completeness). Emmanuele Zambon pursued an MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for an year at Information Risk Management division in KPMG Italy. He is author and researcher of the POSEIDON paper. Damiano Bolzoni pursued a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebIT and many security conferences in Netherlands. Presently, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management."

 Andrew Cushman: Microsoft Security Fundamentals - Engineering, Response and Outreach | File Type: video/mp4 | Duration: 57:13

"You’ve heard about Trustworthy Computing and you’ve seen some security improvements from Microsoft. You may have wondered-"is this change real or is it just lip service?" You may also have asked yourself "self, why did they do that?" This presentation will give you an historical and current view of the changes Microsoft has made and our policies and procedures that deliver more secure products and improved security response. This promises to be a lively and entertaining talk illustrated with actual examples of these policies and procedures from Windows Vista and recent security updates. Andrew Cushman, Director, Security Engineering, Response and Outreach - is responsible for Microsoft's outreach to the security community and has overall responsibility for the BlueHat conference. Andrew is a member of Microsoft's Security Engineering leadership team whose current top priority is the security of Windows Vista. Cushman was the Group Manager for the IIS team and was instrumental in shipping IIS versions 4, 5, and 6.0. Way back in the day he started his 16 year career at Microsoft testing international versions of Publisher, Money, Works and Flight Simulator."

 Panel: Meet the Feds: OODA Loop and the Science of Security | File Type: video/mp4 | Duration: 48:34

"The OODA Loop theory was conceived by Col John Boyd, AF fighter pilot. He believed that a pilot in a lethal engagement that could Observe, Orient, Decide, and Act (OODA) before his adversary had a better chance to survive. He considered air combat an art rather than a science. John Boyd proved air combat could be codified; for every maneuver there is a series of counter maneuvers and there is a counter to every counter. Today, successful fighter pilots study every option open to their adversary and how to respond. This panel's focus is on the government efforts to try to get inside the cyber adversary's OODA Loop and survive another type of potential cyber lethal engagement. The bad guys are coming at us at the speed of light, so how do we as law enforcement or security experts get inside our adversaries’ OODA Loop."

 Charles Edge: Attacking Apple’s Xsan | File Type: video/mp4 | Duration: 16:19

"A fundamental of many SAN solutions is to use metadata to provide shared access to a SAN. This is true in iSCSI or FibreChannel and across a wide variety of products. Metadata can offer a way around the built-in security features provided that attackers have FibreChannel connectivity. SAN architecture represents a symbol of choosing speed over security. Metadata, the vehicle that provides speed, is a backdoor into the system built around it. In this session we will cover using Metadata to DoS or gain unauthorized access to an Xsan over the FibreChannel network."

 Yuan Fan and Xiao Rong: MatriXay-When Web App & Database Security Pen-Test/Audit Is a Joy | File Type: video/mp4 | Duration: 21:40

This topic will present a new web-app/DB pen-test tool. This tool supports both proxy (passive) mode as well as direct URL targeting. It is a mixed Web App SQL Injection systematic pen-test and WebApp/Database scanner/auditing-style tool and supports most popular databases used by web applications such as Oracle, SQL Server, Access and DB2. It has many unique features from web app backend Database automatic detection to the ability to browse database objects (without the need to ask for a passwords, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation.

 Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous | File Type: video/mp4 | Duration: 54:51

"Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that understand what it is and how to defend against it. During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe bestpractices for securing websites and users against these threats. You’ll see: * Port scanning and attacking intranet devices using JavaScript * Blind web server fingerprinting using unique URLs * Discovery NAT'ed IP addresses with Java Applets * Stealing web browser history with Cascading Style Sheets * Best-practice defense measures for securing websites * Essential habits for safe web surfing Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As an well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites. T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology."

Comments

Login or signup comment.