
DEFCON 14 Speakers


Speakers Alphabetical by Name


Kevin Archer

arcon

atlas

Kevin Bankston

Jason Beckett

beth

Teli Brown

Wes Brown

Johnny Cache

Strom Carlson

James Christy

Robert Clark

Tyler Cohen

Cindy Cohn

Greg Conti

datagram

Jared DeMott

digunix

dr.kaos

Steve Dunker

Scott Dunlop

Chris Eagle

Charles Edge

Alexander Eisen

Riley "Caezar" Eller

Gadi Evron

FX

Yuan Fan

Matt Fiddler

Halvar Flake

Foofus

Andy Fried

Pamela Fusco

Kenneth Geers

Joe Grand

Thomas X. Grasso

Lukas Grunwald

Peter Gutmann

Robert J. Hansen

Seth Hardy

Matt Hargett

Rick Hill

H1kari

Thomas Holt

Dan Hubbard

Arias Hung

Johan Hybinette

Mike Jacobs

Dan Kaminsky

Alexander Kornbrust

Isaac Levy (.ike)

Lin0xx

Johnny Long

Major Malfunction

Rich Marshall

Raffael Marty

Damon McCoy

Scott Miller

Luis Miras

Mathew Monroe

David Mortman

Scott Moulton

Mudge

Collin Mulliner

R.P. Murphy

Danny O’Brien

Timothy M O'Neill

Kurt Opsahl

Chris Paget

tommEE pickles

Bruce Potter

Ken Privette

Danny Quist

Michael Rash

Renderman

Keith Rhodes

Melanie Rieback

Xiao Rong

Martyn Ruks

Eric Schmiedl

Seth Schoen

Amber Schroader

Jason Schultz

SensePost

Anmol Sheth

Paul Simmonds

simple nomad

skrooyoo

Brad Smith

Mark Stamp

Joe Stewart

Henry Teng

Richard Thieme

Thorn

Dave Thomas

Irby Thompson

Marc Weber Tobias

Peleus Uhley

Valsmith

Randal Vaughn

Vidiot

Paul Vixie

weasel

Linton Wells

Rick Wesson

Andrew Whitaker

Greg White

Wing H. Wong

x30n


The Making of atlas: Kiddie to Hacker in 5 Sleepless Nights
atlas

Abstract:
atlas was just a kiddie when asked to write his first exploit in order to qualify for dc13's capture-the-flag. After conquering his sense of inadequacy, he went on to win the individual competition and finish third even among the teams. This presentation will introduce you to atlas, to hacking, and to the pivotal "Stage 3 Binary" which turned the man's life upside down. The talk will be an entertaining walk through his efforts to understand and write a network exploit, some of his lessons learned, and some tools which made hacking a bit easier. The talk will include use of the GNU Debugger (gdb), objdump output, readelf, ktrace, and the @ Utility Belt toolkit (newly released).

People who will find this talk of interest include:

  • N00b hackers with an interest in writing exploits
  • Anyone interested in the defcon CTF drama
  • Friends of atlas who wish to heckle and otherwise find amusement at his expense

Bio:
atlas, a disciple of the illustrious Skodo, has a history in programming, systems support, telecom, security, and reverse engineering. His introduction to the hard-core hacking world was through dc13's CTF Qualifiers. atlas went on to win the individual contest and place third overall. atlas has written the WEP-cracking tool bssid-flatten and the @ Utility Belt toolkit.


Discovering Mac OS X Weaknesses and Fixing Them with the New Bastille OS X Port
Jay Beale, Lead Developer, Bastille Linux

Abstract:
The Mac OS X operating system is beautiful, but it’s not as secure as you think. It’s mostly Unix under that shiny GUI and while we’ve come to expect a very locked down system from recent Unix/Linux releases, that expectation isn’t entirely realistic when it comes to OS X. For instance, the firewall GUI tool makes it seem like you can create a default-deny firewall that only lets packets from established sessions in. The firewall it produces, though, is full of holes! Whatever you do, don’t take your OS X laptop onto the wireless network here! Write your own replacement or take the one we’ll offer in this talk, where we’ll introduce the new OS X port of the popular Bastille Linux system lockdown and audit tool, Bastille OS X.

Bastille increases the security of OS X systems. It starts by building a real firewall configuration that you can tune to your needs. It continues by deactivating services like the information-leaking Bonjour service, which a remote attacker can use to get your Security Update (patch bundle) level, hardware versions and machine name. Finally, it configures the remaining operating system components, doing things like isolating local users from the service that gives them the length of all users’ passwords. There’s a lot more than that, though. Come learn about OS X security, learn how to harden and see the newest part of the Bastille family: Bastille OS X!
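The abstract's point that a firewall can look default-deny without being one can be made concrete with ipfw, the packet filter underneath Mac OS X's firewall GUI. What follows is an added example written for this page, not Bastille's own code and not the rules Apple's tool generates: it contrasts a ruleset that relies on ipfw's stateless `established` keyword (which matches any TCP segment with ACK or RST set, so a probe that simply sets ACK reaches every port) with one that tracks sessions through `keep-state`/`check-state`, and includes the kind of sanity check a hardening script should run over its own output. Rule numbers, the `lo0` interface name and the inbound port list are assumptions.

```python
"""Default-deny ipfw ruleset generator with a self-check.  Added example for this
page; not Bastille OS X code.  Rule numbers, interface names and the inbound
port list are assumptions for illustration."""


def stateless_established_ruleset():
    """The pattern to avoid.  ipfw's 'established' keyword matches any TCP
    segment with ACK or RST set; it does not know whether a session exists,
    so a scanner that sets ACK on its probes gets past rule 200."""
    return [
        "add 100 allow ip from any to any via lo0",
        "add 200 allow tcp from any to any established",
        "add 300 allow tcp from me to any setup",
        "add 65000 deny ip from any to any",
    ]


def stateful_default_deny_ruleset(allow_in_tcp=()):
    """Track sessions instead: keep-state creates a dynamic rule for each
    connection this host initiates, check-state matches replies against those
    dynamic rules, and everything else falls through to the final deny."""
    rules = [
        "add 100 allow ip from any to any via lo0",
        "add 200 check-state",
        "add 300 allow tcp from me to any setup keep-state",
        "add 310 allow udp from me to any keep-state",   # DNS/NTP replies return via state
    ]
    num = 400
    for port in allow_in_tcp:                           # only explicitly exposed services
        rules.append(f"add {num} allow tcp from any to me {port} setup keep-state")
        num += 10
    rules += [
        "add 1000 deny log tcp from any to any established",   # stray ACK/RST with no state
        "add 65000 deny log ip from any to any",
    ]
    return rules


def ruleset_is_sound(rules):
    """Three checks a hardening script should make on its own output: the last
    rule denies everything, check-state precedes the first keep-state rule, and
    no allow rule depends on the stateless 'established' match."""
    if not rules or not rules[-1].startswith("add 65000 deny"):
        return False
    check_state = next((i for i, r in enumerate(rules) if "check-state" in r), None)
    keep_state = [i for i, r in enumerate(rules) if "keep-state" in r]
    if keep_state and (check_state is None or check_state > keep_state[0]):
        return False
    return not any(
        r.startswith("add") and " allow " in r and "established" in r and "keep-state" not in r
        for r in rules
    )


def render(rules):
    """Emit a shell script that flushes the old rules and loads the new ones."""
    return "\n".join(["ipfw -q flush"] + [f"ipfw -q {r}" for r in rules]) + "\n"


if __name__ == "__main__":
    good = stateful_default_deny_ruleset(allow_in_tcp=(22,))
    print(render(good))
    print("sound:", ruleset_is_sound(good), "/ stateless variant:",
          ruleset_is_sound(stateless_established_ruleset()))
```

Run the script as root and pipe `render()` into `sh` to load the rules; the `ruleset_is_sound` check is worth keeping in any tool that writes firewall rules on a user's behalf, because a single stateless `established` allow undoes the whole default-deny posture.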

Bio:
Jay Beale is an information security specialist, well known for his work on mitigation technology, specifically in the form of operating system and application hardening. He's written two of the most popular tools in this space: Bastille Linux, a system lockdown and audit tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. He also focuses his energies on the OVAL project, where he works with government and industry to standardize and improve the field of vulnerability assessment. Jay is also a member of the Honeynet Project, working on tool development.

Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and the now-defunct SecurityPortal.com. He has worked on five books in the Information Security space. Three of these make up his Open Source Security Series, while two are technical works of fiction in the "Stealing the Network" series.

Jay makes his living as a security consultant with the firm Intelguardians, which he co-founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery and Jim Alderson, where his work in penetration testing allows him to focus on attack as well as defense. Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution.


Phishing, it starts with “Ph” for a reason. Some best practices to detect and prevent for some new point of attack methods
Teli Brown, Brown Communications Security Consulting, Secure Science Corporation

Abstract:
When banks and other financial institutions tell their customers to give personal information (credit card numbers, Social Security numbers, etc.) only over the telephone, because of online attacks from phishers, the phishers get creative: they go back to the telephone roots of phishing (the "ph") and blend them with some new technologies.

Bio:
Teli Brown has done security consulting for major telecommunications companies, aiding in tracking terrorist and malicious telephone users. He has also done extensive testing of number delivery in SS7, and was able to identify and trace the flaw in SS7 that allowed people to change their "Charge Number". He now spends his time consulting for small businesses on voice services.


Exploit Writing Using Injectable Virtual Machines
Wes Brown, Founder, Ephemeral Security
Scott Dunlop, Developer, Ephemeral Security

Abstract:
Mosquito is a secure remote execution framework available via LGPL that combines high-grade cryptography and a small efficient virtual machine on both ends to ensure that intellectual property is protected. It also presents a dynamic environment on a target host that can be reprogrammed on the fly over a secure communications channel to fit the current situation.

The virtual machine was written from scratch for this purpose, with a built-in cryptography library, and was optimized for size with an eye towards being able to inject it. The virtual machine's native programming environment is a Scheme-derived Lisp-family language with an optimizing bytecode compiler. It is also cross-platform, written in ANSI C and built with GCC, currently running on OpenBSD, Darwin, Linux, and Win32. Compiled bytecode is portable between these platforms, much like Java, except that it fits within 150K on some platforms.

This talk will demonstrate the use of Mosquito to write exploits on the fly while the audience watches; the advantages and flexibility of using a virtual machine will be leveraged to implement a second stage puddle-hop exploit into another host. The cross-platform advantages of writing exploits in a portable virtual machine will also be demonstrated. There will be some discussion of Mosquito itself to give context and understanding.

Bio:
Wes Brown is a long-time network security practitioner who specializes in code reviews, web application assessments, penetration testing, and tools development.

Prior to joining Accuvant as a senior security consultant, Wes worked for Internet Security Systems' X-Force Consulting team. He conducted hundreds of penetration tests and web application assessments for ISS clients ranging from the smallest companies to the Fortune 500. He was also responsible for many of the in-house tools that helped the external assessment consulting practice succeed. He can also frequently be seen at industry conferences, having spoken at Defcon in the past.

In founding Ephemeral Security, Wes hopes to advance the state of the art in network security by doing innovative and original research work. When not conducting consulting work, he has spent the last year and a half on the Mosquito Environment along with other members of his company.

Currently, he is hard at work as one of Accuvant's lead consultants, which gives him an opportunity to test the tools and environments that are developed as part of Ephemeral Security's research efforts. He does the majority of the automation and tools that streamline the assessment practice's engagements, increasing quality while reducing turnaround time. Of course, Wes also does conventional consulting with a keen focus on code reviews and application assessments.


Fun with 802.11 Device Drivers
Johnny Cache

Abstract:
The 802.11 link-layer wireless protocol is widely known for its design flaws. Unauthenticated management packets, a ridiculous attempt at providing link layer confidentiality and authentication (WEP), and general vendor stupidity have all contributed to 802.11 being the most sensationalized protocol ever mentioned in the media.

All of the above topics have been beaten to death. Instead this talk explores new advances not in design problems in 802.11, but in implementation issues. The two major advances in 802.11 security will be covered: device driver vulnerabilities and link layer fingerprinting techniques. 802.11 fingerprinting represents the first time that a link-layer protocol has been vulnerable to fingerprinting attacks. These attacks can provide useful information to the attacker, allowing him to accurately target the latest weapon in any wireless hacker's arsenal: 802.11 device driver exploits.

Bio:
Johnny Cache is responsible for many wireless hacking tools. These include jc-wepcrack (a distributed WEP cracker) and jc-aircrack (a complete aircrack rewrite in C++); he also helped h1kari create pico-wepcrack (an FPGA-accelerated WEP brute forcer). Cache is currently pursuing his Master's degree in computer security. He is also co-author of "Hacking Exposed Wireless". His latest accomplishments can be found in Airbase, available at www.802.11mercenary.net


Hacking FedEx Kinko's: How Not To Implement Stored-Value Card Systems
Strom Carlson, Hardware Security, Researcher, Secure Science Corporation

Abstract:
ExpressPay is a stored-value cash card system which utilizes the Infineon SLE4442 chip; it was developed by enTrac Technologies of Toronto, Ontario, and its largest application is as the pre-paid cash card system in use at FedEx Kinko's. Analysis of a few dozen cards reveals that the data stored on the card is unencrypted and poorly protected against fraud, and a simple attack can be used to obtain the security code necessary to alter the data on the card. This talk will step the audience through the analysis, research, attack, and subsequent tests performed on the ExpressPay system, and conclude with recommendations on how to implement a more secure stored-value card system.

Bio:
Strom Carlson is a hardware security researcher at Secure Science Corporation, the organizer of the Los Angeles area Defcon Groups chapter (DC213), and the co-host of Binary Revolution Radio. He enjoys tinkering with technology, playing with telephones, and having a good time with whatever he happens to be involved in.


SOCIAL MESSAGE RELAY: Using existing social networks to transmit covert messages in public
Strom Carlson, Hardware Security, Researcher, Secure Science Corporation
skrooyoo
datagram
Vidiot

Abstract:
In the age of NSA phone taps, mandatory data retention, CALEA, the PATRIOT Act, and national firewalls, establishing a truly covert communications channel without leaving a trail is becoming almost impossible. Even when strong encryption is used to protect the message, Government agencies now have the ability to use pattern analysis to pinpoint almost all participants in the conversation. Without tremendous diligence, truly anonymous communication is almost impossible.

But what if you could skip having to create the communications channel entirely? What if you could have unwitting, or even willing, third parties spread your message for you? The larger the network of people spreading the message, the more difficult traffic analysis becomes as the signal-to-noise ratio increases. Convenient anonymity for the sender and recipient of the message becomes possible again.

The presenters will demonstrate how they were able to create a publicly available communications channel and use thousands of unwitting participants to spread their encrypted messages. The presentation will also include speculations on how to create networks designed to foil traffic analysis attempts, and observations about the culture of the online cryptographic community, and the nature of collaborative problem solving.

Bio:
Strom Carlson is a hardware security researcher at Secure Science Corporation, the organizer of the Los Angeles area Defcon Groups chapter (DC213), and the co-host of Binary Revolution Radio. He enjoys tinkering with technology, playing with telephones, and having a good time with whatever he happens to be involved in.


Legal Aspects of Computer Self-Defense and Aggressive Self-Defense
Robert W. Clark, Command Judge Advocate, 1st Information Operations Command (ACERT Legal Advisor) U.S. Army

Abstract:
This presentation looks at several scenarios of aggressive self defense. It applies the law to each of the participants in various schemes, to the aggressor and to the defender. We see where simple self defense options could actually result in prosecution of the aggressor; prosecution of the defender; prosecution of both; or be faulted for screwing up an investigation, rendering a prosecution impossible. Many of the legal rationales for aggressive self defense will be discussed, from the typical discussion of self defense to the law of nuisance and self help. This presentation seeks to simplify the aspects of aggressive and non-aggressive self defense.

Bio:
Major Robert Clark is the Command Judge Advocate for the Army's 1st Information Operations Command. As the sole legal advisor, his primary duty is to advise the Army's Computer Network Operations Division on all aspects of computer operations and security. This role has him consulting with the DoD Office of General Counsel, NSA, and the DoJ Computer Crime and Intellectual Property Section. He lectures at the Army's Intelligence Law Conference and at the DoD's Cybercrimes Conference.


Legal Aspects of Internet & Computer Network Defense - A Year in Review Computer and Internet Security Law 2005-2006
Robert W. Clark, Command Judge Advocate, 1st Information Operations Command (ACERT Legal Advisor) U.S. Army

Abstract:
This presentation looks at computer network defense and the legal cases of the last year that affect internet and computer security. It clearly and simply explains (in non-legal terms) the legal foundations available to users and service providers to defend their networks, quickly tracing the legal origins from early property common-law doctrine into today's statutes and then moving into recent court cases and battles. We will look at the criminal prosecutions and precedents, both civil and criminal, since we last met a year ago. As always, this presentation will quickly become an open forum for questions and debate.

Bio:
Major Robert Clark is the Command Judge Advocate for the Army's 1st Information Operations Command. As the sole legal advisor, his primary duty is to advise the Army's Computer Network Operations Division on all aspects of computer operations and security. This role has him consulting with the DoD Office of General Counsel, NSA, and the DoJ Computer Crime and Intellectual Property Section. He lectures at the Army's Intelligence Law Conference and at the DoD's Cybercrimes Conference.


Googling: I'm Feeling (un)Lucky
Greg Conti, United States Military Academy

Abstract:
Birth, School, Work, Death. Imagine every web search you've ever done placed on a timeline of your life. Is there anything on that list you wouldn't want your mother (or employer) to know about? How about the aggregate web searches of your entire company? What if they fell into the hands of a competitor? Recent trends indicate that we can no longer rely on the privacy policies of individual web companies to keep this information private. In this talk, we'll examine the many ways we disclose information in return for free web services as well as how effective you think your privacy countermeasures are. This session won't be a monolog, but an active discussion on the problem of web-based information disclosure. As part of the talk, I'm releasing a program that will extract web searches from your Firefox browser's cache to show you what you've been disclosing.
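Conti's cache-scraping program is not reproduced here. The following is an added example, written for this page rather than taken from the author, of the core of such a tool: it scans raw bytes (one cache file, or every file in the disk cache directory) for URLs, keeps those aimed at a search engine, and pulls the query out of the engine's search parameter. The host-to-parameter table, the constructed sample bytes, and the assumption that the cache stores request URLs as plain text are mine.

```python
"""Pull search-engine queries out of raw browser-cache bytes.  Added example for
this page, not the speaker's tool.  The SEARCH_PARAMS table and the assumption
that cache files carry request URLs in plain text are illustrative."""
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Query-string parameter carrying the search terms, keyed by a host substring.
# Assumption for illustration; extend for other engines.
SEARCH_PARAMS = {
    "google.": "q",
    "search.yahoo.": "p",
    "search.msn.": "q",
    "ask.com": "q",
}

# A URL runs until whitespace, a control byte (cache records are NUL-separated)
# or a quote/angle bracket.
URL_RE = re.compile(rb'https?://[^\s\x00-\x1f"<>]+')


def search_param_for(host):
    """Return the query parameter name for a search-engine host, else None."""
    for needle, param in SEARCH_PARAMS.items():
        if needle in host:
            return param
    return None


def extract_searches(blob):
    """Return [(host, query), ...] for every search-engine URL in the bytes."""
    found = []
    for match in URL_RE.finditer(blob):
        url = match.group(0).decode("ascii", "replace")
        parts = urlsplit(url)
        host = parts.netloc.lower()
        param = search_param_for(host)
        if param is None:
            continue                       # not a search engine we know
        values = parse_qs(parts.query).get(param)   # parse_qs already URL-decodes
        if values and values[0]:
            found.append((host, values[0]))
    return found


def scan_cache_dir(path):
    """Run extract_searches over every regular file under a cache directory."""
    results = []
    for entry in Path(path).iterdir():
        if entry.is_file():
            results.extend(extract_searches(entry.read_bytes()))
    return results


# Constructed cache-like bytes: NUL-separated records with a URL in each.
SAMPLE_CACHE = (
    b"\x00\x00HTTP:http://www.google.com/search?hl=en&q=defcon+14+speakers&btnG=Search\x00"
    b"junk\x01http://search.yahoo.com/search?p=firefox%20cache%20format&ei=UTF-8\x00"
    b"http://www.example.org/index.html?q=not+a+search+engine\x00"
)

if __name__ == "__main__":
    for host, query in extract_searches(SAMPLE_CACHE):
        print(f"{host:20s} {query}")
```

Point `scan_cache_dir()` at a Firefox profile's Cache directory to see what a forensic examiner, or anyone with read access to the profile, would recover; the example.org URL in the sample shows why the tool keys on the engine host rather than on the presence of a `q=` parameter.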

Bio:
Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. He holds a PhD in Computer Science from Georgia Tech and a Bachelor of Science in Computer Science from the United States Military Academy. His areas of expertise include network security, information visualization and information warfare. His work can be found at http://www.rumint.org/gregconti/index.html.


The Evolving Art of Fuzzing
Jared DeMott, Vulnerability Researcher, Applied Security, Inc.

Abstract:
The Evolving Art of Fuzzing will be a technical talk detailing the current state of fuzzing and describing cutting edge techniques. Fuzzer types, metrics, and future research will be presented. Also, three of ASI's private fuzzer tools will be discussed. They will be released on the DEFCON CD.
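ASI's fuzzers are on the conference CD, not on this page. As an added example of what the abstract calls fuzzer types and metrics, here is a small mutation fuzzer, written for this page and not DeMott's code: a seed corpus, a handful of classic mutators, and a harness that separates the target's intentional input validation (ValueError) from unexpected exceptions, which are the findings, while counting executions, rejections and unique crashes. The target is a toy length-prefixed record parser constructed for this example with one deliberate bug, an unvalidated type byte used as a table index.

```python
"""Mutation fuzzer with a crash-classifying harness.  Added example for this
page, not ASI's fuzzers.  The record format and its bug are constructed."""
import random
from collections import Counter

HANDLERS = ["text", "int", "blob"]       # record types the toy format knows


def parse_records(data):
    """Toy parser: 'FZ' magic, a count byte, then (type, length, payload)
    records.  Malformed input is rejected with ValueError, but the type byte is
    used as an index into HANDLERS without a bounds check (the bug)."""
    if len(data) < 3 or data[:2] != b"FZ":
        raise ValueError("bad magic")
    count, pos, out = data[2], 3, []
    for _ in range(count):
        if pos + 2 > len(data):
            raise ValueError("truncated header")
        rtype, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            raise ValueError("truncated payload")
        payload = data[pos + 2:pos + 2 + length]
        out.append((HANDLERS[rtype], payload))   # BUG: rtype never validated
        pos += 2 + length
    return out


# Constructed seed: two well-formed records, a 5-byte text and a 2-byte int.
SEED = b"FZ\x02\x00\x05hello\x01\x02\x00\x2a"


def mutate(data, rng):
    """Apply one random mutation from the classic set."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                               # bit flip
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                             # byte set
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2 and len(buf) > 1:                    # truncate
        del buf[rng.randrange(1, len(buf)):]
    else:                                                 # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seeds, iterations, seed=0, expected=(ValueError,)):
    """Run `iterations` mutants through `target`.  Exceptions listed in
    `expected` are the parser doing its job; anything else is a finding,
    deduplicated by exception type and message."""
    rng = random.Random(seed)                             # reproducible campaigns
    metrics, findings, corpus = Counter(), {}, list(seeds)
    for _ in range(iterations):
        case = mutate(rng.choice(corpus), rng)
        metrics["execs"] += 1
        try:
            target(case)
            metrics["accepted"] += 1
        except expected:
            metrics["rejected"] += 1
        except Exception as exc:                          # noqa: BLE001 - that is the point
            key = (type(exc).__name__, str(exc))
            metrics["crashes"] += 1
            if key not in findings:
                findings[key] = case                      # keep the first reproducer
                metrics["unique_crashes"] += 1
    return metrics, findings


if __name__ == "__main__":
    m, f = fuzz(parse_records, [SEED], iterations=2000, seed=1)
    print(dict(m))
    for key, case in f.items():
        print(key, case.hex())
```

The metrics are the ones worth watching on a real campaign: a rejected/execs ratio near 1.0 means the mutators are not getting past the input validation and a format-aware generator is needed, while a flat unique_crashes count over time means the current mutators have exhausted what they can reach.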

Bio:
Jared DeMott is a vulnerability researcher for Applied Security, Inc. (ASI). Jared earned a master's degree from Johns Hopkins University and is currently pursuing a PhD at Michigan State University, with dissertation work to be done on fuzzing.


FEAR!(?)  The Census Bureau
Steve Dunker

Abstract:
The Census Bureau is the only federal agency that acquires detailed personal data on every person in the United States. While the Census provides valuable information that is vital to our form of government, major privacy concerns exist. The potential for abuse of the data has historical roots, the most notorious being the rounding up and relocation of Japanese-Americans during World War II.

Learn how the Social, Economic, Housing, and Financial characteristics being gathered can be legally used against you. We will examine how dangerous the data could be if it was used illegally. (If you are paranoid, you do not want to miss this!)

Finally, we will examine the laws that mandate that every American must cooperate with the Census Bureau or face possible civil and/or criminal punishment. What are your options when that Census worker shows up at your door and threatens you with prosecution by the U.S. Attorney's office?

Bio:
Steve Dunker is a Professor of Criminal Justice at Northeastern State University. He is a former Major Case Squad Detective who worked as a planner and supervisor of an anti-crime and decoy unit. He is a licensed attorney in the State of Missouri. 


SAMAEL (Secure, Anonymous, Megalomaniacal, Autonomous, Encrypting Linux) and NARC (Network Analysis Reporting Console).
dr.kaos (aka Taylor Banks), Founder, kaos.theory/security.research
arcon (aka Adam Bregenzer)
atlas (aka Gavin Mead)
beth (aka Beth Milliken)
digunix (aka Kevin Miller)

Abstract:
From the 1337 hax0rs that brought you Anonym.OS, kaos.theory/security.research presents SAMAEL (Secure, Anonymous, Megalomaniacal, Autonomous, Encrypting Linux), the natural evolution of our secure, automagically anonymizing operating system, Anonym.OS, into a kick-ass anonymizing server!

When kaos.theory released the Anonym.OS at ShmooCon in January of this year, we received many requests for features we had already planned to implement: media players, smaller distribution size, office suites, better speed, USB functionality, etc. "Sure," we collectively replied, "we'll get right on that."

But we didn't. We tried, but we realized that maintenance releases aren't 1337. Instead, we're back to release SAMAEL, a blackbox gateway that creates -- in a few simple steps -- a secure, anonymizing, transparent firewall and proxy server, protecting its users' love of sex, drugs, and rock and roll from embarrassing public disclosure (even better than the Kennedys).

Making use of Gentoo, Transocks, Tor, and sweet, sweet Python, SAMAEL provides all of the services expected in a modern Linux firewall, including DHCP, a Captive Portal, and Web-Based Administration! The guiding principle of Anonym.OS and its derivative projects has remained "Anonymity for Everyone;" kaos.theory's SAMAEL takes that motto to the next level.

But there's one more thing. And it doesn't involve sweatshop labor or black turtlenecks.

Getting useful, attractive reports out of scanning tools is a bitch. People pay vendors thousands just for some slick charts and graphs. Why? Because SQL is hard for a boot-camp MCSE. So get your 'Security for Dummies' books and your free Nessus downloads ready, folks, because we've got scripts and queries all packaged up as pretty as your mom on a Friday night. kaos.theory's newest member, jonathan white, joins atlas and crew to introduce NARC, the Network Analysis Reporting Console.

In its initial release, NARC can utilize output from common security tools like Nessus, Paros, and NMap to populate a database via automated scripts for reporting purposes. Version 0.DC14 also includes rudimentary reporting capabilities.
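NARC's own import scripts are not on the page. As an added example of the kind of ingestion the abstract describes, here is a Python loader, written for this page and not NARC's code, that reads Nmap's XML output (`-oX`) into SQLite and runs two reporting queries over it. The schema, the constructed sample scan (RFC 5737 addresses) and the choice of reports are mine; the XML element names are Nmap's.

```python
"""Load Nmap XML into SQLite and report on it.  Added example for this page,
not NARC code.  Schema and sample scan are constructed for illustration."""
import sqlite3
import xml.etree.ElementTree as ET

SCHEMA = """
CREATE TABLE IF NOT EXISTS host (
    id INTEGER PRIMARY KEY, addr TEXT UNIQUE, hostname TEXT);
CREATE TABLE IF NOT EXISTS port (
    host_id INTEGER REFERENCES host(id), port INTEGER, proto TEXT, state TEXT,
    service TEXT, product TEXT, version TEXT, source TEXT,
    UNIQUE(host_id, port, proto, source));
"""

# Constructed Nmap -oX output for two hosts; addresses are RFC 5737 test ranges.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
 <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
  <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.3"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
   <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
  </ports></host>
 <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/><hostnames/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="6.0"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
  </ports></host>
</nmaprun>"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def import_nmap_xml(conn, xml_text):
    """Insert every port of every host that is up; returns port rows written."""
    root = ET.fromstring(xml_text)
    written = 0
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        hn = host.find("hostnames/hostname")
        conn.execute("INSERT OR IGNORE INTO host(addr, hostname) VALUES (?, ?)",
                     (addr, hn.get("name") if hn is not None else None))
        host_id = conn.execute("SELECT id FROM host WHERE addr = ?", (addr,)).fetchone()[0]
        for p in host.iter("port"):
            st, sv = p.find("state"), p.find("service")
            conn.execute(
                "INSERT OR REPLACE INTO port VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                (host_id, int(p.get("portid")), p.get("protocol"),
                 st.get("state") if st is not None else None,
                 sv.get("name") if sv is not None else None,
                 sv.get("product") if sv is not None else None,
                 sv.get("version") if sv is not None else None,
                 "nmap"))
            written += 1
    conn.commit()
    return written


def open_ports_by_host(conn):
    """Report 1: every confirmed-open port, one row per host/proto/port."""
    return conn.execute("""
        SELECT h.addr, COALESCE(h.hostname, ''), p.proto, p.port,
               COALESCE(p.service, ''), COALESCE(p.product, '')
        FROM port p JOIN host h ON h.id = p.host_id
        WHERE p.state = 'open' ORDER BY h.addr, p.proto, p.port""").fetchall()


def service_summary(conn):
    """Report 2: how many hosts expose each service (the slide-ready chart)."""
    return conn.execute("""
        SELECT COALESCE(service, '?') AS svc, COUNT(*) FROM port
        WHERE state = 'open' GROUP BY svc ORDER BY 2 DESC, svc""").fetchall()


def run_demo():
    conn = open_db()
    n = import_nmap_xml(conn, SAMPLE_NMAP_XML)
    return n, open_ports_by_host(conn), service_summary(conn)


if __name__ == "__main__":
    n, rows, summary = run_demo()
    print(f"{n} port records loaded")
    for row in rows:
        print(row)
    print(summary)
```

The `source` column and the composite UNIQUE constraint are what let Nessus or Paros output be merged into the same tables later without duplicating Nmap's rows; note that `open|filtered` UDP results are deliberately excluded from the open-port report, since they are not confirmed.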

Bios:
dr.kaos
Across the past 9 years, Taylor Banks (aka dr.kaos) has written and delivered training and provided security consultation to thousands of security engineers, architects, managers and executives from hundreds of organizations including Bristol-Myers Squibb, Ernst and Young, FedEx, IBM Global Services, PricewaterhouseCoopers, and VeriSign as well as the US Department of Defense, Federal Bureau of Investigation, the US Marine Corps Computer Emergency Response Team (MARCERT) and the National Security Agency. Prior to 1997, he worked as a network and security consultant for Benedict College, the Environmental Policy Center, Georgia Institute of Technology, Georgia State University, Sodexho Marriott, and SunTrust Equitable Securities. Taylor currently manages the Southeast Systems Engineering group at Caymas Systems.

Taylor holds his CISSP and has been certified by CheckPoint, ISECOM, ISS, NAI, Nokia and VeriSign. He is a contributor to the EFF and a member of Usenix, SAGE, ISSA and ISACA as well as an active participant in, and contributor to, numerous open security forums and user groups. He is the organizer for the Defcon Atlanta Group, the founder of kaos.theory/security.research, and has presented at Defcon, ShmooCon, InterZone, LayerOne and numerous ISSA, ISACA and Infragard events.

arcon:
Adam Bregenzer (aka arcon) has been working in the IT industry for the last 12 years. Founder of SuperLight Industries, he's a security professional who has gained recognition on the web for websites such as GroupHug.us and BidItOnline.com. He resides in Atlanta with his beautiful wife, Lydia.

atlas:
Gavin Mead (aka atlas) is the product of a misspent youth hunched over the comforting glow of a green-and-black CRT. As monitor technology evolved, so did Gavin's interests in computer and network security, specifically in enterprise risk management frameworks and data privacy protection, leading him to the seedy underworld of security consulting where he met the the rest of the kaos.theory crew. Gavin currently works for KPMG's Security, Privacy, and Continuity practice out of Atlanta, performing penetration testing, risk assessment, framework alignment, and policy development engagements. Gavin holds a B.S. from Georgia Tech and participates actively in local security group meetings and public forums.

beth:
Beth Milliken pokes at computers for fun and profit, Beth has been sleeping lately in the wet spot where technology, ethics, and legal issues run together. She is very interested in educating people about protecting themselves on line - from not-so-nice people, as well as not-so-nice legislation. She works in a large building with lots of glass windows and foamy cube-walls. Beth has pieces of paper saying she is certifiable regarding certain bodies of knowledge, but swears she has no knowledge of where the bodies are.

digunix:
Kevin Miller (aka digunix) is one of the founding members of the DC404 group. Having recently moved back to Atlanta, he can be found near many a public access point with tools in hand. He needs a job BAD. Hook his ass up or he will make you his bitch. GO VEGAN!!


Ripples in the Gene Pool - Creating Genetic Mutations to Survive the Vulnerability Window
Chris Eagle, Senior Lecturer of Computer Science

Abstract:
Reverse engineers often like to argue that a prime motivator for their activities is the desire to discover and patch vulnerabilities in closed-source binary software. Given the veritable plethora.. nay, Katrina-like flood of vulnerabilities being discovered on a near daily basis, one has to wonder where all these binary patches are hiding. Clearly this argument is a sham to make reverse engineers feel better about their DMCA violating activities. Now, just to be clear, there have been one or two third party binary patches released in the past year, but why haven't there been more? Is it truly a difficult task to develop such a patch or are our sights simply set too high? Is a true fix to the problem a requirement or is it sufficient to modify the vulnerable program just enough to make it immune to scripted attacks, the goal being to provide sufficient protection to survive until a vendor supplied patch can truly fix the problem. Dan Geer argued that a software monoculture is a dangerous thing leading to the rapid spread of malicious code in the event of a public vulnerability disclosure. The goal of this talk is to discuss simple yet effective measures to introduce sufficient genetic diversity into an inbred piece of software to allow it to survive in the wild until a vendor supplied update becomes available.

Bio:
Chris Eagle is a Defcon Black Badge holder, and the Dean of Hacking for the Sk3wl0fr00t. When not at a CTF table, he is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 20+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, CodeCon, and Shmoocon and is a co-author of the book "Gray Hat Hacking".


10 Ways To Not Get Caught Hacking On Your Mac
Charles Edge, aka Krypted, Partner, Three18

Abstract:
It's hard to prosecute someone if you can't prove what they did. In this session, we will quickly cover 10 easy ways to cover your tracks using Mac OS X. The features of Mac OS X at the GUI level were in a lot of ways designed to cater to the paranoid (e.g. Steve Jobs). Underneath the hood, using some easily scriptable techniques, you can cover your tracks in such a way that it is easy to hide both what you've done and your identity.

In this session, we will quickly cover some of the techniques that can be used to cover your tracks using case studies that illustrate ways that we have pieced together evidence as a starting point. Using a little bit of forensic evasion can go a long way to keep you free. This might also be interesting for forensic enthusiasts who can learn ways around these techniques.

Bio:
Charles Edge began his consulting career working with Support Technologies, Andersen Consulting and Honda to name a few. In January of 2000 Charles arrived at Three18, a boutique consulting firm in Santa Monica, California. At Three18, Charles has worked with Network Architecture, Security and Design for a wide range of clients. As a partner at Three18 Charles manages a team of engineers, security professionals and programmers.

His first book, "Mac Tiger Server Little Black Book" is available through Paraglyph Press. His second book, "Web Admin Scripting Little Black Book" is also available through Paraglyph Press. The latest title Charles is working on is Mac Security Essentials.


Mac OS X Security Tools
Charles Edge, aka Krypted, Partner, Three18

Abstract:
Apple claims not to care about the enterprise market, but there is no doubt that Apple networks are growing. The number of Apple systems in enterprise networks is growing as well. For security purposes it is becoming more and more important to manage these systems in the same way that we manage Windows clients.

In this session we will cover the tools that Apple and some 3rd party organizations have been quietly building for use in these environments. We will also cover the methods Apple has started using to facilitate running security updates on their workstations.

This is a good session for security professionals who have Mac systems on their networks. Tools we will cover:

  • Mac OS X Server Managed Clients
  • Nagios
  • Radmind
  • Apple Remote Desktop
  • HenWen
  • Tripwire
  • Open Directory Password policies
  • ipfw and dummynet
  • Centrify DirectControl
  • Dave
  • AdmitMac

Bio:
Charles Edge began his consulting career working with Support Technologies, Andersen Consulting and Honda to name a few. In January of 2000 Charles arrived at Three18, a boutique consulting firm in Santa Monica, California. At Three18, Charles has worked with Network Architecture, Security and Design for a wide range of clients. As a partner at Three18 Charles manages a team of engineers, security professionals and programmers.

His first book, "Mac Tiger Server Little Black Book" is available through Paraglyph Press. His second book, "Web Admin Scripting Little Black Book" is also available through Paraglyph Press. The latest title Charles is working on is Mac Security Essentials.


Securing MANET
Riley "Caezar" Eller, Director for Technology and Security, CoCo Communications

Abstract:
Mobile Ad-Hoc Networking (MANET) technology promises disaster-tolerant, interoperable, secure communications that work the way we users do. Features like automatic peer discovery and stable multi-transport TCP connections are so attractive that some may wonder if it isn't all too good to be true. After a brief but clear introduction to the more-or-less subtle differences between wireless routing technologies, we will delve directly into simulating attacks on Layers 2 and 3 and implementing appropriate defenses. Full graphical visualization of the processes and results makes this presentation accessible to anyone with at least basic understanding of computer networks.

Bio:
As a professional software developer, Caezar began his career in embedded operating system development. After bringing that company to the Internet and integrating a TCP/IP stack, his passion for networking ignited. After a brief stint performing security audits, Mr. Eller returned to software development as the principal architect of Greg Hoglund's ClickToSecure. He is only now resurfacing after spending three years bringing security and quality of service to high-speed mobile networks.

As the public face of the Ghetto Hackers, Caezar was central to DEFCON's Capture the Flag contest for the better part of a decade. During that time, he improved security contest scoring techniques, invented self-decoding ASCII-only stack exploits, produced fully automated web intrusion, and contributed to several other inventions including a pattern language for describing network attack processes.

As a speaker and writer, his credits include BlackHat Training and Briefings, DevX Security Zone, Hack-Proofing Your Network, Meet the Enemy seminars, Stealing the Network, and one unfortunately brief appearance on a USENIX panel.


DNS Abuse Infrastructure and Games
Gadi Evron

Abstract:
DNS operations today are no longer just a secure configuration and bandwidth, but rather a whole world of online abuse and criminal activities. In this presentation we will discuss how DNS has become this infrastructure for online crime and abuse. Spam, DDoS attacks, botnets and extremely reliable phishing servers all owe their existence to DNS games.

Further, we will discuss how DNS helps discover and combat malicious activities online and some of the Big Brother privacy risks this involves.

Bio:
Gadi Evron is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing. He was previously the Israeli Government Internet Security Operations Manager, as well as the Israeli Government CERT Manager. Today, he manages the SecuriTeam portal and works for Israel-based Beyond Security.


Analysing Complex Systems: The BlackBerry Case
FX, Phenoelit & SABRE Labs

Abstract:
When trying to analyze a complex system for its security properties, very little information is available in the beginning. If the complex system in question contains parts that the analyst cannot see or touch, proprietary hardware and software as well as large scale server software, the task doesn't get any easier. The talk will tell the story of how Phenoelit went about looking at RIM's BlackBerry messaging solution, focusing on the approaches tried and their expected and real effectiveness.

Bio:
FX is the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. FX looks back at as little as eight years of (legal) hacking with only a few Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road. Professionally, FX runs SABRE Security's consulting arm SABRE Labs, specializing in reverse engineering, source code audits and on-demand R&D of industry grade security architectures & solutions.


MatriXay—When Web App & Database Security Pen-Test/Audit Is a Joy
Yuan Fan, Founder, DBAppSecurity Inc. 
Xiao Rong

Abstract:
This topic will present a new web-app/DB pen-test tool. This tool supports both proxy (passive) mode as well as direct URL targeting. It is a mixed Web App SQL Injection systematic pen-test and WebApp/Database scanner/auditing-style tool and supports most popular databases used by web applications such as Oracle, SQL Server, Access and DB2. It has many unique features, from web app backend database automatic detection to the ability to browse database objects (without the need to ask for a password, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation.

Bio:
Yuan Fan, GCIH, GCIA, CISSP, is the founder of DBAppSecurity Inc, which provides consulting services on enterprise security management, especially database and application security. His expertise spans from network layer to application/database layer security. Before that he worked 5+ years for ArcSight on a variety of security devices' connectors, and many years in the network management area. He holds a Master of Computer Engineering degree from San Jose State University. Last year, he presented on anomaly detection between the web app layer and the DB layer. This time he is going to show the brand new sword for the first time. The tool, MatriXay, was designed and developed by him and his partner Xiao Rong in their spare (night) time and is deemed to be promising from several aspects, including the deep pen-test ability framework and cross-database support (currently supports Oracle, SQL Server, DB2, Access).


RE 2006: New Challenges Need Changing Tools
Halvar Flake, CEO of Sabre Security

Abstract:
Reverse Engineering has come a long way—what used to be practiced behind closed doors is now a mainstream occupation practiced throughout the security industry. Compilers and languages are changing, and the reverse engineer has to adapt: Nowadays, understanding C and the target platform assembly language is not sufficient any more. Too many reverse engineers shy away from analyzing C++ code and run into trouble dealing with heavily optimized executables. This talk will list common challenges that the reverse engineer faces in the process of disassembling nowadays, and suggest some solutions. Furthermore, a list of unsolved problems will be discussed.

Bio:
Halvar Flake is SABRE Labs' founder and Black Hat's resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined Black Hat as their main reverse engineer.


Graphical Representations of Security Relationships: Awesome or Bullshit?
Foofus

Abstract:
We all want to be awesome hackers, but let's face it: inventing the sploitz can be hard work. What if there were a way to make interesting security discoveries using relatively simple tools, recycled concepts from research in other fields, and readily available data? For better or worse, this is the kind of question that we at foofus.net ask ourselves on a regular basis. And it's in that spirit that we present this fine talk.

We'll show some incremental advances in our penetration testing tools (once again, focused on identifying and taking advantage of trust relationships between Windows systems), and we'll appropriate concepts from graph theory. Our main goals are twofold. First, we want to find ways of mining new conclusions out of the same old data that's been staring us in the face all along. Second, we want to find ways of making the data we collect more interesting and useful. Basically, we're trying to look cool without having to work too hard.

Previously, we've provided tools for gathering this sort of information, and for representing it mathematically and visually. This year's talk focuses on using these techniques to draw worthwhile conclusions and offer helpful advice. As usual, our tools will be provided (such as they are), and a good time will be had by all.

Bio:
Foofus leads a team of security engineers at a technology consulting firm in the midwest, where he has worked for the past nine years. He has spoken at a variety of events and conferences including Defcon, ToorCon and LISA. His chief technical interests are software security, and the security relationships that emerge between systems in large networked environments. In his spare time Foofus enjoys playing guitar, cooking, and attending the opera and symphony.


IPv6 World Update: High Diplomacy & Monster Trucks
Kenneth Geers
Alexander Eisen

Abstract:
Governments around the world are investing serious time, effort, and money into the next gen Internet, based on IP version 6. With important mandatory and remarkably close deadlines looming for v6 deployment, much yet remains to be understood about its security and socio-economic implications as well as our readiness to fully embrace it. While Europe and Asia have been trailblazing IPv6 industry for years now, the U.S. Government has mandated that its organizations be IPv6-compliant by June 30, 2008, yet the vague definition of compliance has already confused many considering dual-stack, tunneled and/or native environments.

Imagine the bliss of IPv6 telematics, mobility, autoconfiguration, "mandatory IPSec" encrypted traffic and enough IPs to globally address everything with a battery or even a reference to a snippet of code for the world to access. Now imagine your firewalls and IDS sensors being blind to IPSec or even just cleartext 6to4 tunneled traffic. Debunking many myths, such as IPv6 "built-in security", prior to the transition is key as we watch the beloved IPv4 become legacy, say goodbye to NAT and the 6bone and welcome more DNSSEC, tunnel brokers and distributed PKI firewalls?!

This presentation will cover wide-ranging research the authors have conducted and the new paradigm shift necessary to approach IPv6 differently than IPv4, including interviews with some of the world's top thinkers about the sleeping giant. Whether it is yet another gov-hyped failed theory like GOSSIP or it is here to stay, you will take away enormous insight into the work that you may be responsible for and dependent on over the next several years.

Alexander Eisen will present the tactical, down-in-the-weeds view of this elegant and extensible yet dangerous protocol. What are the main challenges organizations will face during the inevitable transition? A threat analysis will follow, based on how the attack surface will inherently increase with the introduction of v6: many more IPs, more stacks, a lack of smart, fully v6-capable firewalls/IDSs and, most importantly, a lack of training and understanding of this technology. Will larger packet size and extension headers give incentive for covert channels? Will multi-homing, multicast and link-local attacks be difficult to restrain? Why might traditional hacker methodology change focus away from scanning and local MITM attacks to going after PKI Certificate Authorities and DNS servers, splitting attacks between the stacks and hiding within tunnels? Many are unaware of existing rogue v6 traffic on their networks, and with Teredo's exploitation of NAT via UDP (enabled by default in XP SP1/2, Vista and Longhorn), your ::1 might already be owned... Some large enterprises can barely even inventory all their IP-enabled assets. Mr. Eisen will explain how attackers can use all this as ammunition to take advantage of the necessarily long-lasting, heterogeneous environment that will be required during the transition. Questions like what should be done right now to block rogue v6 traffic, and what defense mechanisms should be employed when v6 traffic is authorized, will be explored. Discussion of wardriving results and the efforts to build a v6 connection at home will also provide some intrigue.

Kenneth Geers will present the political and strategic view of IPv6, including why nation-states view the technology as vital to their national security plans for the future. Stops will be made at the White House, Beijing, Red Square, and Tokyo, all of which are influencing the development of IPv6 standards in unique ways. He will cover the most current v6 research and deployment events from around the world, including translated summaries of official foreign language IPv6 documents that might otherwise remain inaccessible outside their home countries. DEFCON audience members should know that if some governments get their way on heretofore esoteric issues such as traceability due to privacy EUI-64 fields and IPSec certs, global v6 address allocation and portable IPs, they could well lose their last byte of anonymity on the Internet!

Last but not least, a live, on-stage demonstration will take place: the authors will attempt to saw a woman in half, and then try to check their beer inventory and fridge temperature across the continent with the aid of the world's first IPv6-enabled refrigerator add-on device! The demo will show a discovery and port scan of the appliance via the Internet (found at this v6 IP -> 1337:sec:badd:a22:DEF:C012::14), followed by authentication, remote administration, and an SMS message sent to the speaker's mobile phone. Welcome to the v6-pack!!

Bios:
Kenneth Geers (CISSP, M.A. University of Washington) has worked for many years as a translator, programmer, Web developer, and analyst. The oddest job he has had was working on the John F. Kennedy Assassination Review Board. He also waited tables in Luxembourg, harvested grapes in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Mr. Geers is the author of "Cyber Jihad and the Globalization of Warfare", "Hacking in a Foreign Language: A Network Security Guide to Russia", and "Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall". His website, www.chiefofstation.com, is devoted to the intersection of politics, art, and the Internet. He loves his wife Jeanne, and daughters Isabelle, Sophie and Juliet.

Alexander Eisen (CISSP, M.S. University at Buffalo) has twice been awarded a government Information Assurance Scholarship to complete a multi-disciplinary Computer Science program spanning Cryptography, Cyber Law and Management. Having played in the fields of network red teaming, pen-testing, incident response, forensics and security product evaluation, his passions include exploring pioneering topics in security, researching with academia and being a bilingual grayhat-entrepreneur. Mr. Eisen attempts to give back to the community as an adjunct professor with University of Advanced Technology and an active member of IEEE Computer Society, Infragard, and AFCEA. Wishing to have Kenneth's frequent flyer miles to continue charting his back-country snowboarding adventures across the globe, his other half paints, unicycles and chases his Russian Blue 'pantera' named Jazz.


Hardware Hacking
Joe Grand, President and Principal Electrical Engineer of Grand Idea Studio

Bio:
Joe Grand is an electrical engineer and prolific inventor with four pending patents and 19 commercially-available products. Involved in computers and electronics since the age of 7, Joe has had the fortune of being a former member of the legendary Boston-based hacker collective L0pht Heavy Industries, testifying before the United States Senate Governmental Affairs Committee under his nom de hack, Kingpin, and being praised as a "modern day Paul Revere" by the Senators for his research and warnings of computer security weaknesses. Recognized for his unconventional approaches to product development and licensing, Joe is also a well-known hardware hacker and industrial artist, the author of two books, contributor to four others, and is on the technical advisory board of MAKE Magazine.


Fighting Organized Cyber Crime – War Stories and Trends
Supervisory Special Agent Thomas X. Grasso, Jr., Federal Bureau of Investigation

Abstract:
As one of the pioneers of partnerships for the FBI, Thomas X. Grasso, Jr. of the FBI's Cyber Division will outline how the FBI has taken this concept from rhetoric to reality over the past 5 years. This presentation will explore how the mantra "make it personal" has aided the FBI in forging exceptional alliances with key stakeholders from industry, academia and law enforcement both domestically and abroad. This presentation will also outline how such collaborations have helped to proactively advance the fight against an increasingly international and organized cyber crime threat.

Bio:
Tom Grasso began working with computers in 1993 as a network administrator. In 1998 Mr. Grasso received an appointment to the position of Special Agent with the Federal Bureau of Investigation (FBI). After attending new agents training at the FBI Academy in Quantico, Virginia, Mr. Grasso was transferred to the FBI’s Chicago Field Office where he was assigned to the Regional Computer Crime Squad. In the fall of 2000, Mr. Grasso was transferred to the FBI’s Pittsburgh Field Office and assigned to the High Technology Crimes Task Force where he served as the FBI Liaison to the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University. Mr. Grasso is now part of the FBI’s Cyber Division and is assigned to the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, a joint partnership between law enforcement, academia, and industry. Mr. Grasso is a 1991 graduate of the State University of New York at Buffalo, where he majored in Geological Sciences and minored in Music.


First We Break Your Tag, Then We Break Your Systems: Attacks on RFID Systems
Lukas Grunwald

Abstract:
This talk provides an overview of new RFID technology used for dual-interface cards (credit cards, ticketing and passports), and of RFID tags with encryption and security features.

Problems with these security features are discussed and attacks on them are presented. After dealing with the tags, an overview of the rest of an RFID implementation (middleware and backend database) and the results of specific attacks on this infrastructure is given.

At the end of this talk there is a practical demonstration of the discussed attacks.

Bio:
Lukas Grunwald works for a German security company and has over 20 years of security experience. As a hobby he writes for iX Magazine and other security publications.

He is also the head of the Hacking Lab where new technology is evaluated.


Phishing Tips and Techniques: Tackle, Rigging, and How & When to Phish
Peter Gutmann

Abstract:
This talk looks at the technical and psychological backgrounds behind why phishing works, and how this can be exploited to make phishing attacks more effective. To date, apart from the occasional use of psychology grads by 419 scammers, no-one has really looked at the wetware mechanisms that make phishing successful. Security technology doesn't help here, with poorly-designed user interfaces playing right into the phishers' hands.

After covering the psychological nuts and bolts of how users think and make decisions, the talk goes into specific examples of user behaviour clashing with security user interface design, and how this could be exploited by attackers to bypass security speedbumps that might be triggered by phishing attacks. Depending on your point of view, this is either a somewhat hair-raising cookbook for more effective phishing techniques, or a warning about how these types of attacks work and what needs to be defended against.

(Warning: Talk may contain traces of cognitive psychology. Keep away from small children).

Bio:
Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland, New Zealand, working on the design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package, has authored a number of papers and RFCs on security and encryption including the X.509 Style Guide for certificates, and is the author of "Cryptographic Security Architecture: Design and Verification" (published by Springer-Verlag) and the open source cryptlib security toolkit. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about PKIs and the (un-)usability of security applications.


Trust, But Verify: Auditing Proprietary DRE Systems
Robert J. Hansen, Researcher, ACCURATE

Abstract:
In 2006 the Help America Vote Act (HAVA) rid the country of lever voting machines and punchcard ballots, and gave the states enormous budgets for buying electronic voting machines. What's still unresolved is how these electronic voting machines are going to be audited. Trying to keep track of many different vendors, each of which has many different machines, is like getting lost in a funhouse hall of mirrors. Yet, there is good news. The National Science Foundation has established a research group for electronic voting, ACCURATE. In this presentation, an ACCURATE researcher will start talking about the thorny problem of making sure voting machines are playing fair. Existing technologies, both proprietary and open source, will be criticized; and new technologies will be presented.

Bio:
Robert J. Hansen holds a Bachelor of Arts in Computer Science (Cornell College, 1998) and a Master of Computer Science (the University of Iowa, 2006). He was Chief Security Geek for Yomu Inc. (2000) and Cryptographic Engineer for PGP Security (2000-2001), and since 2002 has been a student at the University of Iowa pursuing a Ph.D. in computer security.


Your Name, Your Shoe Size, Your Identity? What do we Trust in this Web?
Seth Hardy

Abstract:
The web of trust, as used in PGP, is a well-known system for establishing trust between people, even if the people have not previously met. Why does it work so well in crypto? The answer is simple: it's the same system that we all use on a daily basis when dealing with friends, family, relationships, and just about everyone else we have to interact with. On the crypto side, however, there are a number of restrictions that limit the effectiveness of this trust network. While many "security professionals" say that they are mandatory, the system seems to work just as well without them—are they completely arbitrary? Here we'll look at a couple of these restrictions, focusing on the technical aspects of identity verification, and evaluate their effectiveness through a couple of real-world experiments.

Bio:
Seth Hardy stopped writing these self-promoting blurbs a long while ago. While he acknowledges there's far too much information about him on the internet already, he's been told that just saying this doesn't look too good standing by itself in a bio. So, here are some supporting facts: he's been involved in cryptography research, academically and professionally, for the last eight years. Some of these areas of research include elliptic curves, combinatorial cryptography, random number generation, and trust networks. He's presented his work at a number of conferences, including Black Hat, DEFCON and the CCC Congress.


Automatic Exploit Detection in Binaries
Matt Hargett
Luis Miras, Lead Vulnerability Researcher, Intrusion Inc.

Abstract:
Binary disassembling and manual analysis to find exploitable vulnerabilities is a cool topic. What's cooler? Saving yourself hours of time and brain rot by letting a program do the hard parts for you! In this talk, we will dissect a well-known exploitable vulnerability as well as an open source tool for automatically detecting that vulnerability. By the end of the talk, you will understand the basics of static code analysis, exploitable bugs in Windows, x86 assembly, and the structure of the open source project. Interested attendees can join a pair programming session after the talk to start work on enhancements.

Bio:
Matt Hargett last spoke at Defcon about using open source tools to test Firewalls and IDSes, and has spoken and written articles in a variety of venues and leading publications on the topics of security, testing, and programming techniques. After successfully creating and launching the commercial static analysis tool, BugScan, as the initial sole developer, he took time off and now works in a very different and unrelated field. He lives in Mountain View, California with his husband, Geoff, and their dog, Baxter.

Luis Miras is the lead vulnerability researcher at Intrusion Inc. He has done work for leading consulting firms and Network Associates. He released the first public polymorphic shellcode at Defcon 8 and has also spoken at Toorcon 7 as well as the CCC Congress (17c3) in Berlin. In the past he has worked in digital design and embedded programming.


Remote Pair Programming and Test-driven Development Using Open Source
Matt Hargett
Luis Miras, Lead Vulnerability Researcher, Intrusion Inc.

Abstract:
Pair programming and test-driven development are proven best practices for producing high quality code quickly. But, because of geographical disparity, they can be difficult to apply to open source projects. This talk addresses how a flexible approach can be taken using open source software to enable this kind of collaboration. Attendees will learn the basics of the techniques, what tools to use (and not to use), and how it can improve their code no matter what language or platform they write it in.

Bio:
Matt Hargett last spoke at Defcon about using open source tools to test Firewalls and IDSes, and has spoken and written articles in a variety of venues and leading publications on the topics of security, testing, and programming techniques. After successfully creating and launching the commercial static analysis tool, BugScan, as the initial sole developer, he took time off and now works in a very different and unrelated field. He lives in Mountain View, California with his husband, Geoff, and their dog, Baxter.

Luis Miras is the lead vulnerability researcher at Intrusion Inc. He has done work for leading consulting firms and Network Associates. He released the first public polymorphic shellcode at Defcon 8 and has also spoken at Toorcon 7 as well as the CCC Congress (17c3) in Berlin. In the past he has worked in digital design and embedded programming.


WarRocketing – Network Stumbling 50 sq. miles in < 60 sec.
Rick Hill, Senior Scientist, Tenacity Solutions, Inc.

Abstract:
Network "stumbling" has taken many forms since Marius Milner first released Netstumbler in May 2001. Historically, stumbling aficionados' preferred data collection method has been Wardriving: almost everyone owns a car and it's easy to fire up your laptop and drive around. Of course, other methods exist; creative souls have utilized everything from bikes, to boats, to planes in pursuit of new networks. Groups in the U.S. and Australia have performed "WarFlying" using Cessnas and other small aircraft.

Enter a newer (& faster) technique: "WarRocketing".

This talk is about 802.11b network discovery. It details the design, launch, and recovery of a rocket whose objective is to network stumble 50 square miles in less than a minute. Wardriving coverage is limited by obstructions such as trees, houses, and terrain. Our aerial platform (the rocket) does not have these limitations. Essentially, it provides line-of-sight to ALL targets in the antenna pattern!

The presentation will include photographs of the rocket construction (a 1/3 scale model Nike Smoke), a launch video, and screen captures & analysis of all computer activity during the flight: network stumbling, number of APs registered, and so on. No prerequisite—only an interest in Network Stumbling and Wireless Technology.

Bio:
Rick Hill, CISSP, CWSP works as an information systems security engineer for Tenacity Solutions, Inc., an IT consulting firm based in Reston, VA. Specializing in Wireless Security, his day job involves C&A of govt. networks, site surveys, and performing network security assessments. In a previous life, he did equipment automation and optimized new production lines for ITT Automotive, an ABS brake systems manufacturer. Rick's after work interests include working to become his neighborhood's Wireless Internet Service Provider (WISP), Netstumbling, and shooting High Power Rockets. A born-again Rocketeer (BAR), he started flying those little Estes "kid size" rockets at 8 years old. His motto today: "bigger toys for bigger boys." Rick's been a Tripoli rocketry association member since 2000. He also holds a Technician class amateur radio license (KG4BSY), which he uses primarily for rocket telemetry and investigating cool new wireless applications.


Exploring the Changing Nature of DEFCON over the Past 14 Years
Dr. Thomas J. Holt, Assistant Professor, University of North Carolina at Charlotte

Abstract:
DEFCON began in 1993 as an "orgy of information exchange, viewpoints, speeches, education, enlightenment...and most of all sheer, unchecked PARTYING." (DEFCON 1 Announcement, 1993). Fourteen years later, the convention is one of the most established hacker conventions, and is defined as "the largest underground hacking convention in the world." However, significant social and technological changes have occurred during this period. The growth of the Internet, the increased need for computer security and the increasing significance of computer crime may have critically affected the shape and scope of the convention over time. This talk will critically examine the DEFCON convention over the past 14 years to understand the ways the con has changed, using previous convention materials, including programs, panels, and websites. The content, nature, and scope of the convention will be considered, including the number and types of presentations, as well as the presenters' credentials. This information will be assessed to consider what this says about the nature of the convention and the underground after 14 years. Audience participation is welcomed to inform this discussion and provide first hand insight into the past, present, and future of DEFCON.

Bio:
Dr. Thomas J. Holt is an Assistant Professor in the Department of Criminal Justice at the University of North Carolina at Charlotte specializing in computer crime and technology. His research interests include a variety of topics in computer and cybercrime, especially hackers and hacking. Over the past few years, Dr. Holt has examined the elements that compose hacker subculture, as well as hacker social organization through multiple data sources. His primary goal is to understand various social aspects of hacking and the computer underground from the hacker's perspective. Dr. Holt has also given a number of different talks on computer crime issues and published on computer crime victimization around the globe.


Meme Hacking - Subverting The Ideosphere
Broward Horne, Software Consultant

Abstract:
"Meme Hacking – Subverting The IdeoSphere" is a followup and expansion of last year's "Meme Mining" presentation. It expands upon previous material and shifts from passive data mining to active meme manipulation. Concrete examples and patterns for meme manipulation are demonstrated, including an example of how I legally used active meme propagation to disrupt a former employer. The material ranges from specific tactical examples up to a strategic framework for Meme theory and the possible evolution of memes due to information technology changes.

Bio:
Broward Horne is a software consultant with a diverse background. He has done contract work for Unigard, Nike, JP Morgan, Verizon, Transcore and the US Department of Transportation, worked directly for several large corporations (Hewlett Packard, Avnet, Teradyne, Litton) and for two startup companies. His projects include network construction and administration, prototype wireless LANs, prototype pen-top software, CRM software, e-commerce, insurance and banking enterprise applications. Horne began data mining & business intelligence in 1993 as a career guidance tool and has slowly expanded the scope, strategy and theory of his technique.


Owning the linksys wrtp54g VOIP Router
Arias Hung

Abstract:
The wrtp54g/rtp300 is a linksys VOIP Proxy router with one primary distinguishing characteristic that separates it from all other VOIP Routers on the market today: It's based on linux.

This fact alone makes this router the key to learning the inner workings of VOIP and opens up a world of possibilities when it comes to its de-obfuscation. After all, 3rd party firmware on its parent router, of which it is a descendant of the wrt54g, is big business as they've become near ubiquitous in every consumer household. With VOIP poised as the current cat-out-the-box technology prepped to take down established telecoms, VOIP security takes front and center as a paramount imperative.

The problem to this point has been this router being tied specifically to one vendor, who also happens to be the largest VOIP-only vendor to date and whose interest is that your hardware can only be used for their service.

Discover how vendor provisioning works on these routers, in order to reclaim control of your hardware. Learn specifics of the AR7 dual-processor architecture that the hardware utilizes, and how to unlock its numerous built-in capabilities that were crippled by the vendor prior to release. Watch a demonstration of how easily VOIP and its companion protocol MGCP can be manipulated for illegal purposes such as call spoofing, number hijacking, and untraceable call routing. And find out how companies that provide VOIP are complying with the FCC mandate that requires them to have the ability to snoop at will without a court mandate, by saving all of your voice calls as a .wav file that can be listened to at their leisure.

Bio:
Arias Hung is a security professional with a particular passion for embedded distributions. Arias began his career in Unix administration, specializing in SGI/Irix while employed at the Lawrence Berkeley National Laboratory (lbl.gov), before expanding independently as a Unix consultant in Silicon Valley and gaining a degree in computer forensics and security. Arias is currently working as a security consultant in the Seattle area.


How to Create an Anonymous Identity
Johan Hybinette

Abstract:
An anonymous identity is difficult but not impossible to obtain. With the help of international laws and loopholes, a new identity can be created.

This talk will demonstrate how this can be done with never before published methods.

There are many reasons why a person might choose to obscure their identity and become anonymous. Several of these reasons are legal and legitimate - someone, for example, who feels threatened by someone else might attempt to hide from the threat behind various means of anonymity. There are also many illegal reasons to hide behind anonymity. Criminals typically try to keep themselves anonymous either to conceal the fact that a crime has been committed, or to avoid capture.

Bio:
Johan Hybinette is CSO and founder of Cebic Technologies, Inc., specializing in international security auditing, policy and monitoring. Johan has over 20 years of security experience and has spoken at numerous international events. His expertise includes compliance, pen testing, SIM (Security Incident Management) integration, auditing, and identity management. Some of the certifications he holds are CISM, CISSP, ISSAP, IAM, ISSMP and IEM.


Black Ops 2006
Dan Kaminsky

Abstract:
The known topics for this year include:

  1. The Worldwide SSL Analysis—There's a major flaw in the way many, many SSL devices operate. I'll discuss how widespread this flaw is, as well as announce results from this worldwide SSL scan.
  2. Syntax Highlighting...on Hexdumps. Reverse engineering efforts often require looking at hex dumps—without much context for what's being looked at. I will discuss a "bridge" position between AI and manual operation in which compression code is used to automatically visualize patterns in analyzed data.
  3. Everything else

Bio:
Dan Kaminsky, Dox Para Research. Formerly of Cisco and Avaya.


Oracle Rootkits 2.0
Alexander Kornbrust, Founder & CEO, Red-Database-Security GmbH

Abstract:
In 2006 thousands of people will create applications based on the free Oracle 10g Express Edition. Even if this version of Oracle (based on Oracle 10g Rel. 2) is the most secure database from Oracle out of the box so far, there is still room for improvements. This presentation shows different possibilities to attack Oracle 10g Express Edition (and Oracle 10g Rel. 1 and Rel. 2).

With Oracle 10g, Oracle introduced some new security features (e.g. listener protection) which eliminate old attack vectors. But by introducing new features they implemented new bugs and new attack possibilities, like SQL injection, the built-in HTTPS server, etc.

Bio:
Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialized in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and gave various presentations on security conferences like Black Hat, Bluehat, IT Underground.

Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products.


Hacking UNIX with FreeBSD Jail(8), Secure Virtual Servers
Isaac Levy (.ike)

Abstract:
FreeBSD Jails are a time-tested, secure UNIX virtual machine with endless uses.

Early UNIX mainframe computing brought elegant process and resource sharing systems, which helped get more application use out of expensive hardware. These concerns have largely been pushed aside in computing with the rise of desktop PCs, and large farms of ever-shrinking pizza boxes in the data center. Today, as more punch gets packed into 1U than ever, server resources can be further consolidated and abstracted to securely separate complex and sophisticated services on the same hardware server, by running secure virtual UNIX machines.

Who wants jails?

  • System Administrators who need to securely separate small yet important services.
  • Software Developers who always need more dev machines to hack amok.
  • Root-kit testing and debugging.
  • Educators who could use virtual machines to provide clean UNIX server systems for student use.
  • Anyone who wants *secure* virtual machines.

Why would you want jail(8)?
The design of jail(8) and jail(2) is small and secure, and because jails use native system utilities, they are simple for any UNIX hacker to work with: a very shallow learning curve. They're great for userland-level hacking and development, honeypots, or highly available services for regularly attacked systems.

What I'd like to talk about:

  • How Jails Work, the technical nitty-gritty
  • How to setup jails, the practical how-to, cooking show style...
  • When NOT to use jails
  • jail(8) security vulnerabilities/considerations, attacking and breaking out of jail(8)
    • mitigating the risks of attacks and jail(8)breaks
  • Jails vs. Linux UML, Xen, VMware: fundamental technical differences

Bio:
Isaac Levy (.ike) is an Open Source web-application developer based in New York City. He runs Diversaform Inc. as a business platform to make his code feed itself (and ike). Diversaform specializes in BSD-based solutions, web applications, and specialty network applications. Ike works as a consultant/developer mostly with small and medium-sized businesses, but periodically works within large corporations and organizations.

Ike's personal passions lie in object-relational persistent data systems, UNIX hacking, and the internet at large. His 'young adult' life in computing has been lived almost entirely in Open Source, as well as on the internet, and ike aspires to give back to the Open Source and UNIX hacker communities that have raised him. Isaac is a proud member of NYC*BUG (the New York City *BSD Users Group), and a long time member of LESMUUG (the Lower East Side Mac Unix Users Group).


Advanced Windows Based Firewall Subversion
Lin0xx

Abstract:
This presentation will focus on disabling many of the most widely used Windows-based network security solutions. New payloads will be presented that demonstrate how host-based firewalls are, at this time, not an adequate defense to safeguard one's network resources. The talk is highly technical and requires knowledge of reverse engineering and process injection.

Bio:
Lin0xx has been a code and security enthusiast for a number of years along with speaking at interz0ne 5. He also helps run the local DC group in Atlanta, DC404.


Death By 1000 cuts
Johnny Long / j0hnny

Abstract:
In this day and age, forensic evidence lurks everywhere. The task presented to modern forensics investigators is a daunting one. During this talk, you'll slip into the shoes of an uber-agent hot on the trail of the illustrious Knuth from the Stealing the Network series. Haven't read the latest installment? You should. How would YOU catch a guy that MELTED his hard drive platters and sanded down all his CDs? Where's the evidence? That's the question of the hour. Answer it correctly and you could win any number of cool prizes.

Now that the talk description you can show your boss is out of the way, what's this really about? Think of it as the hacker's version of "Where's Waldo." You'll laugh. You'll learn. You'll cry when you realize the answer was staring you right in the face. You'll scream when you're caught in the mosh pit of the full-on frenzy of the bonus prize rounds. Forget Waldo. This is HALO 2 meets hacking. Get your game on. Got no coordination, no reflexes, no skillz, and no eye for detail? Come anyway.

Come have some fun, and learn how the feds put the smack down on even the most paranoid among us.

Bio:
Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com


Secrets of the Hollywood Hacker!
Johnny Long / j0hnny

Abstract:
Hacking stuff is for the birds. I'm taking a new path in life. I've decided to become a technical consultant for Hollywood. (No, not really, but work with me here). In my new role, I've decided it's time to take up the torch for all my fellow consultants who have been abused by you people through the years. We're all just sick and tired of your snide little comments about hackers in the movies.

So go ahead. Make fun of Hollywood. Poke fun at A-list actors who "slide in [a] Trojan horse riding a worm" or B-movie bandits that use "mega modems with compression". Snort your snooty little snicker at smarties who smash 128-bit DES encryption in a skimpy 60 seconds. Who do you think you are, anyway? You've probably never even USED 128-bit DES. Think you're all über because you can sling a bit of code? Let's see you sling a multi-headed worm that sniffs out latent digital footprints throughout an encrypted network. Not leet enough? That's OK. I'll show you how it's done.

Think you've found a movie line that's just slam-dunk stupid? A movie line that proves Hollywood is just clueless about technology? Think again. You just misunderstood. I'll use video clips and ultra-magnified freeze-framed screen stills to prove to you that Hollywood is clue++. Failing that, I'll at least distract you with seriously classified hardware and 0day exploits that were leaked through Hollywood films. Then again, you just might be safer if you keep on thinking they're only cheesy movie props.

Bio:
Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. A college dropout, Johnny overcompensates by writing books, speaking at conferences and hanging around with really smart people. Johnny is currently working on the final third of the coveted "Hacker Pirate Ninja" title, which has thus far evaded even the most erudite of academics. Johnny can be reached through his website at http://johnny.ihackstuff.com


Old Skewl Hacking: Magstripe Madness
Major Malfunction

Abstract:
It's been a year since Major Mal gave his talk on hotel IR systems, and things haven't got any better...In fact, they've got worse. No, wait a minute...that's not right...They've *stayed* worse!! Having plumbed the depths of the IR in his room, and finding himself with little else to do, Major turned his attention to another piece of technology easily to hand: his magstripe room key...Now these have been around since Mary checked into her stable, and every hotel on the planet is using them, so they *must* be secure, right? Right??? OMFG, wrong! So wrong it'll make your head spin... In this talk Major Malfunction will expose not only how easy it is to bypass security mechanisms built into various magstripe technologies such as hotel doorkeys, train tickets, credit cards etc., but will also take a sideways look at how they might be leveraged to provide attack vectors on other in-house systems, such as passenger ticketing systems, bank clearing houses, hotel billing... OK, OK, enough already! We can fix this! All we need is some new technology, like, errr...RFID! That's it! That'll do the trick! Right? Right????

Bio:
Major Malfunction lives in a fantasy world. He believes he works by day in the security industry, advises corporate, government, police and military, has a base in a secret underground nuclear bunker, and a network of collaborators all over the world involved in dark mysterious missions. He legally indulges his love of firearms in a country that prohibits them, swaps souvenirs with TLAs from all over the world, and generally swans about the UK like he owns the place...If you look closely, the man is obviously James Bond... No, not that closely...Back a bit and squint so you can't see his paunch...That's it! There, you see? What's that bulge under his armpit? James Bond, definitely.


Visual Log Analysis - The Beauty of Graphs
Raffael Marty, Manager of ArcSight's Strategic Application Solution Team

Abstract:
Event and log analysis is becoming one of the main tools for security analysts to investigate and comprehend the state of their networks, hosts, and applications. Recent developments, such as regulatory compliance requirements and an increased focus on insider threat, have increased the demand for analytical tools to help in the process. Event correlation is one of the tools that helps address these challenges. However, the vast number of events still leaves analysts with enormous amounts of data to analyze manually, creating space for new tools to fill the gap.

Visualization of data has proven to be the approach generating the best return on investment. This talk takes a step-by-step approach to analyzing a log file, showing how AfterGlow (afterglow.sourceforge.net) can be used to analyze and understand a log file. The analysis will show how visualization can be used to detect portscans, policy violations, and misconfigurations. The talk will focus on using link graphs and treemaps to analyze the data sets.

The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data. The main tool used for the talk is AfterGlow (afterglow.sourceforge.net), which in its current version supports a diverse set of operations to ease the analysis of log data.

Bio:
Raffael Marty, GCIA, CISSP is the manager of ArcSight's Strategic Application Solution Team, where he is responsible for delivering industry solutions that address the security needs of Fortune 500 companies, ranging from regulatory compliance to insider threat. Raffael initiated ArcSight's Content Team, which holds responsibility over all the product's content, ranging from correlation rules, dashboards and visualizations to vulnerability mappings and categorization of security events. Before joining ArcSight, Raffael worked as an IT security consultant for PricewaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research, where he participated in various intrusion detection related projects. His main project, Thor, was the first approach to testing intrusion detection systems by means of correlation tables. Raffael also serves on the MITRE OVAL (Open Vulnerability and Assessment Language) advisory board, is involved in the Common Vulnerability Scoring System (CVSS) standard and has presented on various occasions.


Zulu: a Command Line Wireless Frame Generator
Damon McCoy, University of Colorado at Boulder
Anmol Sheth

Abstract:
Zulu is a lightweight 802.11 wireless frame generation tool that enables fast and easy debugging and probing of 802.11 networks. It has an intuitive command line interface and operates with the unmodified madwifi-ng driver and partially with Prism-based Linux network drivers. Individual fields in frames can be set or unset, generating frames that possibly violate the IEEE 802.11 protocol. It can generate all control, data, and management frame types and subtypes. The user-friendly command line options enable novice users to quickly generate custom frames with a combination of values placed in different frame fields. Zulu is freely available under the GNU license.

Bios:
Damon McCoy has worked in a variety of industry and government positions. Currently he is a Doctoral Candidate in the Department of Computer Science at the University of Colorado at Boulder. He has also worked at Sandia National Laboratories in the Center for Cyber Defenders. Prior to this he worked for IBM in the Emergency Response Services group as a network security consultant. Before this he worked for both AT&T Research and Lucent Bell Laboratories.

Anmol Sheth is a Doctoral Candidate in Computer Science at the University of Colorado at Boulder. He received his B.S. in Computer Science from the University of Pune, India in 2001. His research interests include MAC layer protocol design, fault tolerant distributed wireless systems and energy-efficient wireless communication.


A New Bioinformatics-Inspired and Binary Analysis: Coding Style/Motif Identification
Scott Miller

Abstract:
Security analysis is severely complicated by the size and abundance of executable code. Existing concepts and code can be combined, obfuscated, packed, and hidden toward the ends of evading detection and frustrating analysis. Is that patch fixing the problem it claims to fix? Have you seen that malicious code before? Have you seen these particular motifs/style before?

All very interesting questions, some of which can be addressed using existing tools/techniques. This talk looks at a new tool, inspired by a scored string match used for genetic analysis: the Basic Local Alignment Search Tool (BLAST). Can this tool identify motifs common to UPX? Can this tool identify code generated by different versions of GCC? Does this tool provide similar malware classifications to other tools?

The talk will include an overview of the technique, demonstration of the use of the new tool set (binBLAST), and its performance.

Bio:
Scott Miller has recently graduated from the New Mexico Institute of Mining and Technology; the technique of this presentation was developed in his Master's thesis, "A Bioinformatics Approach to the Security Analysis of Binary Executables". While pursuing his master's degree, he also considered a number of topics, including human infection/immunity, natural language steganography, self-sustaining high-availability intrusion prevention systems, and secure compiler construction.


Bridging the Gap Between Static and Dynamic Reversing
Luis Miras, Vulnerability Researcher, Intrusion Inc.

Abstract:
Reverse engineering continues to evolve, or rather REvolve. The reverse engineering toolset primarily consists of disconnected disassemblers and debuggers. Without symbol information or data acquired from disassembly, the use of a debugger can be blind and tedious.

Reverse