<?xml version="1.0" encoding="UTF-8"?>
<rss 
    xmlns:media="http://search.yahoo.com/mrss/" 
    xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" 
    version="2.0">
    <channel>
        <title>DEFCON 15 [Audio] Speeches from the hacker conventions</title>
        <description>Past speeches and talks from DEF CON hacking conferences in an iTunes friendly Mp4 format. The DEFCON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown to be a world-known event. If you didn&apos;t make it, or missed the speaker you wanted to see, here is your chance to download and watch the presentations when you want. Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest with new content added as available!</description>
        <link>http://www.defcon.org</link>
        <category domain="http://dmoz.org">Computers/Hacking</category>
        <copyright>(c)2007  DEF CON Communications</copyright>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs>
        <language>en</language>
        <lastBuildDate>Thu, 31 Jan 2008 16:05:47 -0800</lastBuildDate>
        <managingEditor>dtangent@defcon.org (The Dark Tangent)</managingEditor>
        <pubDate>Fri, 11 Jan 2008 17:15:59 -0800</pubDate>
        <webMaster>dtangent@defcon.org (The Dark Tangent)</webMaster>
        <generator>FeedForAll v2.0 (2.0.2.1) http://www.feedforall.com</generator>
        <itunes:subtitle>DEFCON 15: [Audio] Speeches  from the hacker conventions</itunes:subtitle>
        <itunes:summary>Past speeches and talks from DEF CON hacking conferences in an iTunes friendly Mp4 format. The DEFCON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown to be a world-known event. If you didn&apos;t make it, or missed the speaker you wanted to see, here is your chance to download and watch the presentations when you want. Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest with new content added as available!</itunes:summary>
        <itunes:author>The Dark Tangent</itunes:author>
        <itunes:owner>
            <itunes:name>The Dark Tangent</itunes:name>
            <itunes:email>dtangent@defcon.org (The Dark Tangent)</itunes:email>
        </itunes:owner>
        <itunes:category text="Technology"/>
        <itunes:category text="Technology">
            <itunes:category text="Software How-To"/>
        </itunes:category>
        <itunes:category text="Technology">
            <itunes:category text="Tech News"/>
        </itunes:category>
        <itunes:keywords>defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
        <itunes:image href="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg"/>
        <itunes:explicit>no</itunes:explicit>
        <itunes:block>no</itunes:block>
        <image>
            <url>http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg</url>
            <title>DEFCON 15 [Audio] Speeches from the hacker conventions</title>
            <link>http://www.defcon.org</link>
        </image>
        <item>
            <title>Panel: Disclosure Panel</title>
            <description>David Mortman, Moderator CSO-in-Residence, Echelon One&lt;br /&gt;
		Paul Proctor, Moderator VP, Gartner&lt;br /&gt;
		Window Snyder, Vendor Director of Ecosystem Development, Mozilla Corporation&lt;br /&gt;
		Ian Robertson CSO, RIM&lt;br /&gt;
		David Maynor CTO, Errata Security&lt;br /&gt;
		Dave Goldsmith&lt;br /&gt;
		&lt;br /&gt;
		Concerns about ethics for security professionals have been on the rise of late. It&apos;s time for researchers and vendors to meet up and discuss the issues of ethical behavior in our industry and start setting some guidelines for future research and discussion. Join active analysts, vendors and researchers for a lively discussion.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Panel-Disclosure_Panel.mp3" length="92746" type="audio/mpeg"/>
            <guid isPermaLink="false">D24147A3-D5AC-4CD7-9937-924B45A021C0</guid>
            <pubDate>Thu, 31 Jan 2008 14:54:50 -0800</pubDate>
            <itunes:subtitle>Panel: Disclosure Panel</itunes:subtitle>
            <itunes:summary>David Mortman, Moderator CSO-in-Residence, Echelon One
		Paul Proctor, Moderator VP, Gartner
		Window Snyder, Vendor Director of Ecosystem Development, Mozilla Corporation
		Ian Robertson CSO, RIM
		David Maynor CTO, Errata Security
		Dave Goldsmith
		
		Concerns about ethics for security professionals have been on the rise of late. It&apos;s time for researchers and vendors to meet up and discuss the issues of ethical behavior in our industry and start setting some guidelines for future research and discussion. Join active analysts, vendors and researchers for a lively discussion.</itunes:summary>
            <itunes:duration>48:04</itunes:duration>
            <itunes:author>Panel: Disclosure Panel</itunes:author>
            <itunes:keywords>Disclosure Panel, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
        </item>
        <item>
            <title>Panel: Meet the VCs</title>
            <description>2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with an announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON XVI.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Panel-Meet_the_VCs.mp3" length="92746" type="audio/mpeg"/>
            <guid isPermaLink="false">D4DF3AB3-481E-4B43-9B69-31FBCFEF1DAD</guid>
            <pubDate>Thu, 31 Jan 2008 14:52:31 -0800</pubDate>
            <itunes:subtitle>Panel: Meet the VCs</itunes:subtitle>
            <itunes:summary>2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with an announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON XVI.</itunes:summary>
            <itunes:duration>48:04</itunes:duration>
            <itunes:author>Panel: Meet the VCs</itunes:author>
            <itunes:keywords>Meet the VCs, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
        </item>
        <item>
            <title>Panel: Meet the Fed</title>
            <description>This year we will have so many feds representing their federal agencies that we will have to break it up into two separate panels:&lt;br /&gt;
		&lt;br /&gt;
		IA Panel: Information Assurance, CERTS, first responder&apos;s organizations from agencies including DC3, DHS, SOCOM, NSA, OSD, NDU, and GAO.&lt;br /&gt;
		&lt;br /&gt;
		LE Panel: Law Enforcement and Counterintelligence agencies including DC3, FBI, IRS, NCIS, NASA, NWC3, US Postal IG, FLETC, and RCMP.&lt;br /&gt;
		&lt;br /&gt;
		Each of the agency reps will make an opening statement regarding their agency&apos;s role, and then open it up to the audience for questions.&lt;br /&gt;
		&lt;br /&gt;
		Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS, National White Collar Crime Center (NWC3), Special Operations Command (SOCOM), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University, Federal Law Enforcement Training Center (FLETC), and the Government Accountability Office (GAO). For the third year in a row, the &quot;Meet the Feds&quot; panel has gone international. We will have a rep from the Royal Canadian Mounted Police.&lt;br /&gt;
		&lt;br /&gt;
		For years Defcon participants have played &quot;Spot the Fed.&quot; For the 2nd year, the feds will play &quot;Spot the Lamer.&quot; Come watch the feds burn another lamer.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Panel-Meet_the_Feds.mp3" length="92746" type="audio/mpeg"/>
            <guid isPermaLink="false">B26D7169-BCE6-4247-B5B8-9D211A815BAD</guid>
            <pubDate>Thu, 31 Jan 2008 14:48:56 -0800</pubDate>
            <itunes:subtitle>Panel: Meet the Fed</itunes:subtitle>
            <itunes:summary>This year we will have so many feds representing their federal agencies that we will have to break it up into two separate panels:
		
		IA Panel: Information Assurance, CERTS, first responder&apos;s organizations from agencies including DC3, DHS, SOCOM, NSA, OSD, NDU, and GAO.
		
		LE Panel: Law Enforcement and Counterintelligence agencies including DC3, FBI, IRS, NCIS, NASA, NWC3, US Postal IG, FLETC, and RCMP.
		
		Each of the agency reps will make an opening statement regarding their agency&apos;s role, and then open it up to the audience for questions.
		
		Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS, National White Collar Crime Center (NWC3), Special Operations Command (SOCOM), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University, Federal Law Enforcement Training Center (FLETC), and the Government Accountability Office (GAO). For the third year in a row, the &quot;Meet the Feds&quot; panel has gone international. We will have a rep from the Royal Canadian Mounted Police.
		
		For years Defcon participants have played &quot;Spot the Fed.&quot; For the 2nd year, the feds will play &quot;Spot the Lamer.&quot; Come watch the feds burn another lamer.</itunes:summary>
            <itunes:duration>48:04</itunes:duration>
            <itunes:author>Panel: Meet the Feds</itunes:author>
            <itunes:keywords>Meet the Fed, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
        </item>
        <item>
            <title>Lukas Grunwald: Security by Politics - Why it will never work</title>
            <description>Lukas Grunwald CTO of DN-Systems Enterprise Internet Solutions GmbH&lt;br /&gt;
		&lt;br /&gt;
		This talk will show what happens if security is driven by politics and compromise. I will also cover additional security risks posed by the new generation of electronic passports.&lt;br /&gt;
		&lt;br /&gt;
		It will show why it could be possible to produce fake biometric fingerprints from the new generation electronic passports, for example by rogue regimes. The new bogus security attempts to secure the ePassports via EAC (Extended Access Control).&lt;br /&gt;
		&lt;br /&gt;
		Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany) a globally acting consulting office working mainly in the field of security identity, and internet/eCommerce and Supply Council solutions for enterprises.&lt;br /&gt;
		&lt;br /&gt;
		Lukas presented at the Lower House of German Parliament for the Free Democratic Party as RFID and ePassport expert at the hearing for the new ePassport Law to allow the use of biometrics in electronic travel documents.&lt;br /&gt;
		&lt;br /&gt;
		Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in the security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in conferences such as Hackers at Large, Hacking in Progress, Network World, Internet World, Linux World (USA/Europe), Linux Day Luxembourg, Linux Tag, CeBIT and Blackhat Briefings.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Lukas_Grunwald-Security_by_Politics.mp3" length="11755" type="audio/mpeg"/>
            <guid isPermaLink="false">0CB233A9-3807-4875-BB70-FE47CC7A58D1</guid>
            <pubDate>Thu, 31 Jan 2008 14:38:55 -0800</pubDate>
            <itunes:subtitle>Lukas Grunwald: Security by Politics - Why it will never work</itunes:subtitle>
            <itunes:summary>This talk will show what happens if security is driven by politics and compromise. I will also cover additional security risks posed by the new generation of electronic passports.
		
		It will show why it could be possible to produce fake biometric fingerprints from the new generation electronic passports, for example by rogue regimes. The new bogus security attempts to secure the ePassports via EAC (Extended Access Control).
		
		Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany) a globally acting consulting office working mainly in the field of security identity, and internet/eCommerce and Supply Council solutions for enterprises.
		
		Lukas presented at the Lower House of German Parliament for the Free Democratic Party as RFID and ePassport expert at the hearing for the new ePassport Law to allow the use of biometrics in electronic travel documents.
		
		Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in the security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in conferences such as Hackers at Large, Hacking in Progress, Network World, Internet World, Linux World (USA/Europe), Linux Day Luxembourg, Linux Tag, CeBIT and Blackhat Briefings.</itunes:summary>
            <itunes:duration>50:04</itunes:duration>
            <itunes:author>Lukas Grunwald</itunes:author>
            <itunes:keywords>Lukas Grunwald, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
        </item>
        <item>
            <title>Luke Jennings: One Token to Rule Them All: Post-Exploitation Fun in Windows Environments</title>
            <description>The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to &quot;squeeze all the juice&quot; out of every compromised system.&lt;br /&gt;
		&lt;br /&gt;
		Windows access tokens are integral to Microsoft&apos;s concept of single sign-on in an Active Directory environment. Compromising a system that has privileged tokens can allow for both local and domain privilege escalation.&lt;br /&gt;
		&lt;br /&gt;
		This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework to allow its use to be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off.&lt;br /&gt;
		&lt;br /&gt;
		Finally, defense strategies will be discussed that can help provide defense in depth to reduce the impact of token abuse as a post-exploitation option.&lt;br /&gt;
		&lt;br /&gt;
		Luke Jennings is a security consultant for MWR InfoSecurity in the UK and is a recent computer science graduate of the University of Southampton. Luke&apos;s previous work has primarily been focused on penetration testing and application testing which has also led to his discovery of some critical, remotely exploitable vulnerabilities in widely deployed software. As a result of this, Luke has become increasingly interested in dedicating a portion of his time to active security research. Luke is also interested in promoting security awareness among computer scientists, and has guest lectured at his old university to further this.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Luke_Jennings_One_Token_rule_all.mp3" length="10952" type="audio/mpeg"/>
            <guid isPermaLink="false">2F62EF60-DE9F-442F-AAB3-5200E62F765E</guid>
            <pubDate>Thu, 31 Jan 2008 14:43:52 -0800</pubDate>
            <itunes:subtitle>Luke Jennings: One Token to Rule Them All: Post-Exploitation Fun in Windows Environments</itunes:subtitle>
            <itunes:summary>The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to &quot;squeeze all the juice&quot; out of every compromised system.
		
		Windows access tokens are integral to Microsoft&apos;s concept of single sign-on in an Active Directory environment. Compromising a system that has privileged tokens can allow for both local and domain privilege escalation.
		
		This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework to allow its use to be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off.
		
		Finally, defense strategies will be discussed that can help provide defense in depth to reduce the impact of token abuse as a post-exploitation option.
		
		Luke Jennings is a security consultant for MWR InfoSecurity in the UK and is a recent computer science graduate of the University of Southampton. Luke&apos;s previous work has primarily been focused on penetration testing and application testing which has also led to his discovery of some critical, remotely exploitable vulnerabilities in widely deployed software. As a result of this, Luke has become increasingly interested in dedicating a portion of his time to active security research. Luke is also interested in promoting security awareness among computer scientists, and has guest lectured at his old university to further this.</itunes:summary>
            <itunes:duration>46:39</itunes:duration>
            <itunes:author>Luke Jennings</itunes:author>
            <itunes:keywords>Luke Jennings, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
        </item>
        <item>
            <title>Iftach Ian Amit: The Inherent Insecurity of Widgets and Gadgets</title>
            <description>Widgets (or Gadgets) are small applications, which usually provide some kind of visual information or access to a frequently used function. Because widgets are in fact applications, they too can include malicious code. Furthermore, due to the simplicity of legitimate widgets, such as calculators and clocks, they are developed without security in mind.&lt;br /&gt;
 &lt;br /&gt;
 In this presentation, we will explain the three different types of widgets in detail. We will demonstrate proof of concept of a malicious widget for each of the types and also highlight the attack vectors for exploiting a vulnerable legitimate widget.&lt;br /&gt;
 &lt;br /&gt;
 Following the demonstrations, we will talk at a high-level about widgets integrated in mobile devices. We&apos;ll take a brief look at the Widgets 1.0 paper created by the W3C, and also talk about the similarity between widgets and browser extensions in terms of their inherent insecurity.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 Iftach Ian Amit: With over 10 years of experience in the information security industry, Iftach Ian brings a mixture of software development, OS, network and web security to Finjan as the Director of Security Research. Prior to Finjan, Iftach was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. Prior to that, he served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application department at Comsec Consulting as well as the Unix Department, where he consulted for major banking and industry companies worldwide. Iftach Ian holds a Bachelor&apos;s degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzliya.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Raff_and_Amit-The_Inherent_Insecurity_of_Widgets-Gadgets.mp3" length="11288" type="audio/mpeg"/>
            <guid isPermaLink="false">4C9B1E48-E928-49E7-A758-B6EB717C7159</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>The Inherent Insecurity of Widgets and Gadgets</itunes:subtitle>
            <itunes:summary>Widgets (or Gadgets) are small applications, which usually provide some kind of visual information or access to a frequently used function. Because widgets are in fact applications, they too can include malicious code. Furthermore, due to the simplicity of legitimate widgets, such as calculators and clocks, they are developed without security in mind.
 
 In this presentation, we will explain the three different types of widgets in detail. We will demonstrate proof of concept of a malicious widget for each of the types and also highlight the attack vectors for exploiting a vulnerable legitimate widget.
 
 Following the demonstrations, we will talk at a high-level about widgets integrated in mobile devices. We&apos;ll take a brief look at the Widgets 1.0 paper created by the W3C, and also talk about the similarity between widgets and browser extensions in terms of their inherent insecurity.
 
 Iftach Ian Amit: With over 10 years of experience in the information security industry, Iftach Ian brings a mixture of software development, OS, network and web security to Finjan as the Director of Security Research. Prior to Finjan, Iftach was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. Prior to that, he served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application department at Comsec Consulting as well as the Unix Department, where he consulted for major banking and industry companies worldwide. Iftach Ian holds a Bachelor&apos;s degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzliya.</itunes:summary>
            <itunes:duration>48:04</itunes:duration>
            <itunes:author>Iftach Ian Amit</itunes:author>
            <itunes:keywords>Iftach Ian Amit, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Raff_and_Amit-The_Inherent_Insecurity_of_Widgets-Gadgets.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='11288' height='320' duration='173040' width='240'>
                <media:title>Iftach Ian Amit: The Inherent Insecurity of Widgets and Gadgets</media:title>
                <media:text type='plain'>Widgets (or Gadgets) are small applications, which usually provide some kind of visual information or access to a frequently used function. Because widgets are in fact applications, they too can include malicious code. Furthermore, due to the simplicity of legitimate widgets, such as calculators and clocks, they are developed without security in mind.
 
 In this presentation, we will explain the three different types of widgets in detail. We will demonstrate proof of concept of a malicious widget for each of the types and also highlight the attack vectors for exploiting a vulnerable legitimate widget.
 
 Following the demonstrations, we will talk at a high-level about widgets integrated in mobile devices. We&apos;ll take a brief look at the Widgets 1.0 paper created by the W3C, and also talk about the similarity between widgets and browser extensions in terms of their inherent insecurity.
 
 Iftach Ian Amit: With over 10 years of experience in the information security industry, Iftach Ian brings a mixture of software development, OS, network and web security to Finjan as the Director of Security Research. Prior to Finjan, Iftach was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. Prior to that, he served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application department at Comsec Consulting as well as the Unix Department, where he consulted for major banking and industry companies worldwide. Iftach Ian holds a Bachelor&apos;s degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzliya.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Iftach Ian Amit</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Ofir Arkin: kNAC!</title>
            <description>Network admission control (NAC), network access protection (NAP), network access control (NAC), and many other acronyms refer to a technology that aims to provide access control verification before (and after) allowing an element to access the network.&lt;br /&gt;
 &lt;br /&gt;
 Unfortunately, due to the lack of standardization and the diversity of solutions, many (if not most) NAC solutions suffer from a multitude of weaknesses impacting the deployment, implementation and the overall protection they provide.&lt;br /&gt;
 &lt;br /&gt;
 The presentation examines various NAC solutions from leading vendors, highlights their weaknesses, and demonstrates how they can be bypassed.&lt;br /&gt;
 &lt;br /&gt;
 The presentation is an updated presentation, which includes new material, and new unpublished methods to bypass NAC solutions.&lt;br /&gt;
 Ofir Arkin is the CTO of Insightix (http://www.insightix.com), leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks. He holds more than 10 years of experience in data security research and management. He has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control and lectures regularly at security conferences. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA). Ofir is the founder of Sys-Security Group (http://www.sys-security.com), a computer security research group.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Ofir_Arkin-kNAC.mp3" length="11313" type="audio/mpeg"/>
            <guid isPermaLink="false">19B37C96-628A-4E5C-B938-2C6CDB17F3CD</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>kNAC!</itunes:subtitle>
            <itunes:summary>Network admission control (NAC), network access protection (NAP), network access control (NAC), and many other acronyms refer to a technology which aims to provide access control verification before (and after) allowing an element to access the network.
 
 Unfortunately, due to the lack of standardization and the diversity of solutions, many (if not most) NAC solutions suffer from a multitude of weaknesses impacting the deployment, implementation and the overall protection they provide.
 
 The presentation examines various NAC solutions from leading vendors, highlights their weaknesses, and demonstrates how they can be bypassed.
 
 This is an updated presentation, which includes new material and new unpublished methods to bypass NAC solutions.
 Ofir Arkin is the CTO of Insightix (http://www.insightix.com), leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks. He holds more than 10 years of experience in data security research and management. He has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control and lectures regularly at security conferences. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA). Ofir is the founder of Sys-Security Group (http://www.sys-security.com), a computer security research group.</itunes:summary>
            <itunes:duration>1:07:00</itunes:duration>
            <itunes:author>Ofir Arkin</itunes:author>
            <itunes:keywords>Ofir Arkin, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Ofir_Arkin-kNAC.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='11313' height='320' duration='4020' width='240'>
                <media:title>Ofir Arkin: kNAC!</media:title>
                <media:text type='plain'>Network admission control (NAC), network access protection (NAP), network access control (NAC), and many other acronyms refer to a technology which aims to provide access control verification before (and after) allowing an element to access the network.
 
 Unfortunately, due to the lack of standardization and the diversity of solutions, many (if not most) NAC solutions suffer from a multitude of weaknesses impacting the deployment, implementation and the overall protection they provide.
 
 The presentation examines various NAC solutions from leading vendors, highlights their weaknesses, and demonstrates how they can be bypassed.
 
 This is an updated presentation, which includes new material and new unpublished methods to bypass NAC solutions.
 Ofir Arkin is the CTO of Insightix (http://www.insightix.com), leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks. He holds more than 10 years of experience in data security research and management. He has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control and lectures regularly at security conferences. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA). Ofir is the founder of Sys-Security Group (http://www.sys-security.com), a computer security research group.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Ofir Arkin</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Ask EFF: The Year in Digital Civil Liberties</title>
            <description>Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation&apos;s premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping (with newly released technical information), using the Freedom of Information Act to dumpster dive with the law, tips and tricks for hacking e-voting machines legally, how censorship, surveillance and privacy invasions are spreading throughout the world - and how hackers can defend civil liberties at home and abroad, threats to freedom from digital TV, and much more.  Half the session will be given over to question-and-answer, so it&apos;s your chance to ask EFF questions about the law and technology issues that are important to you. KEVIN BANKSTON, an EFF Staff Attorney specializing in free speech and privacy law, was EFF&apos;s Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.&lt;br /&gt;
 MARCIA HOFMANN is an EFF Staff Attorney based in Washington, DC, where she focuses on government transparency and civil liberties issues. Along with her colleague David Sobel, she established EFF&apos;s FOIA Litigation for Accountable Government (FLAG) Project. Prior to joining EFF, Marcia was Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she spearheaded EPIC&apos;s efforts to learn about emerging policies in the post-9/11 era and was lead counsel in several Freedom of Information Act (FOIA) lawsuits. Documents made public through her work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.&lt;br /&gt;
 &lt;br /&gt;
 MATT ZIMMERMAN is a Staff Attorney with the Electronic Frontier Foundation, specializing in electronic voting issues. For the 2004 and 2006 elections, he coordinated a team of nationwide legal volunteers who responded to election-day problems with e-voting technology for the non-partisan Election Protection Coalition. He currently heads EFF&apos;s efforts to coordinate nationwide e-voting litigation and amicus support and evaluate emerging voting technology. He is also actively involved in e-voting-related grassroots development and public education efforts.  His practice further includes ongoing work in areas such as online privacy, anonymity, and intellectual property. Prior to joining EFF, Matt was Privacy Fellow at the public interest law firm The First Amendment Project where he specialized in privacy and open government issues. Previously, Matt worked at the international law firm Morrison &amp; Foerster LLP, where he focused on technology and commercial litigation matters, and the nonprofit advocacy organization The First Amendment Project, where he specialized in privacy and free speech issues.&lt;br /&gt;
 &lt;br /&gt;
 DANNY O&apos;BRIEN is the International Outreach Coordinator for the EFF. He works to help us collaborate with organizations and individuals fighting for liberties across the world. Danny has documented and fought for digital rights in the UK for over a decade, where he also assisted in building tools of open democracy like Fax Your MP. He co-edits the award-winning NTK newsletter, has written and presented science and travel shows for the BBC, performed a solo show about the Net in the London&apos;s West End, and once successfully lobbied a cockney London pub to join Richard M. Stallman in a spontaneous demonstration of Bulgarian folk dance.&lt;br /&gt;
 &lt;br /&gt;
 SETH SCHOEN created the position of EFF Staff Technologist, helping other technologists understand the civil liberties implications of their work, EFF staff better understand the underlying technology related to EFF&apos;s legal work, and the public understand what the technology products they use really do. Schoen comes to EFF from Linuxcare, where he worked for two years as a senior consultant. While at Linuxcare, Schoen helped create the Linuxcare Bootable Business Card CD-ROM. Prior to Linuxcare, Schoen worked at AtreNet, the National Energy Research Scientific Computing Center at Lawrence Berkeley National Laboratory, and Toronto Dominion Bank. Schoen attended the University of California at Berkeley with a Chancellor&apos;s Scholarship.&lt;br /&gt;
 &lt;br /&gt;
 KURT OPSAHL is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a &quot;rabid dog&quot; by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management &amp; Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored &quot;Electronic Media and Privacy Law Handbook.&quot; In 2007, Opsahl was named as one of the &quot;Attorneys of the Year&quot; by California Lawyer magazine for his work on the O&apos;Grady v. Superior Court appeal, which established the reporter&apos;s privilege for online journalists.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Panel-Ask_the_EFF.mp3" length="24655" type="audio/mpeg"/>
            <guid isPermaLink="false">335E0B78-83E3-49CE-B41E-69F4AA0BD443</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>The Year in Digital Civil Liberties</itunes:subtitle>
            <itunes:summary>Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation&apos;s premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping (with newly released technical information), using the Freedom of Information Act to dumpster dive with the law, tips and tricks for hacking e-voting machines legally, how censorship, surveillance and privacy invasions are spreading throughout the world - and how hackers can defend civil liberties at home and abroad, threats to freedom from digital TV, and much more.  Half the session will be given over to question-and-answer, so it&apos;s your chance to ask EFF questions about the law and technology issues that are important to you. KEVIN BANKSTON, an EFF Staff Attorney specializing in free speech and privacy law, was EFF&apos;s Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.
 MARCIA HOFMANN is an EFF Staff Attorney based in Washington, DC, where she focuses on government transparency and civil liberties issues. Along with her colleague David Sobel, she established EFF&apos;s FOIA Litigation for Accountable Government (FLAG) Project. Prior to joining EFF, Marcia was Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she spearheaded EPIC&apos;s efforts to learn about emerging policies in the post-9/11 era and was lead counsel in several Freedom of Information Act (FOIA) lawsuits. Documents made public through her work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.
 
 MATT ZIMMERMAN is a Staff Attorney with the Electronic Frontier Foundation, specializing in electronic voting issues. For the 2004 and 2006 elections, he coordinated a team of nationwide legal volunteers who responded to election-day problems with e-voting technology for the non-partisan Election Protection Coalition. He currently heads EFF&apos;s efforts to coordinate nationwide e-voting litigation and amicus support and evaluate emerging voting technology. He is also actively involved in e-voting-related grassroots development and public education efforts.  His practice further includes ongoing work in areas such as online privacy, anonymity, and intellectual property. Prior to joining EFF, Matt was Privacy Fellow at the public interest law firm The First Amendment Project where he specialized in privacy and open government issues. Previously, Matt worked at the international law firm Morrison &amp; Foerster LLP, where he focused on technology and commercial litigation matters, and the nonprofit advocacy organization The First Amendment Project, where he specialized in privacy and free speech issues.
 
 DANNY O&apos;BRIEN is the International Outreach Coordinator for the EFF. He works to help us collaborate with organizations and individuals fighting for liberties across the world. Danny has documented and fought for digital rights in the UK for over a decade, where he also assisted in building tools of open democracy like Fax Your MP. He co</itunes:summary>
            <itunes:duration>1:45:05</itunes:duration>
            <itunes:author>Ask EFF</itunes:author>
            <itunes:keywords>Ask EFF, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Panel-Ask_the_EFF.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='24655' height='320' duration='6305' width='240'>
                <media:title>Ask EFF: The Year in Digital Civil Liberties</media:title>
                <media:text type='plain'>Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation&apos;s premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping (with newly released technical information), using the Freedom of Information Act to dumpster dive with the law, tips and tricks for hacking e-voting machines legally, how censorship, surveillance and privacy invasions are spreading throughout the world - and how hackers can defend civil liberties at home and abroad, threats to freedom from digital TV, and much more.  Half the session will be given over to question-and-answer, so it&apos;s your chance to ask EFF questions about the law and technology issues that are important to you. KEVIN BANKSTON, an EFF Staff Attorney specializing in free speech and privacy law, was EFF&apos;s Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.
 MARCIA HOFMANN is an EFF Staff Attorney based in Washington, DC, where she focuses on government transparency and civil liberties issues. Along with her colleague David Sobel, she established EFF&apos;s FOIA Litigation for Accountable Government (FLAG) Project. Prior to joining EFF, Marcia was Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she spearheaded EPIC&apos;s efforts to learn about emerging policies in the post-9/11 era and was lead counsel in several Freedom of Information Act (FOIA) lawsuits. Documents made public through her work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.
 
 MATT ZIMMERMAN is a Staff Attorney with the Electronic Frontier Foundation, specializing in electronic voting issues. For the 2004 and 2006 elections, he coordinated a team of nationwide legal volunteers who responded to election-day problems with e-voting technology for the non-partisan Election Protection Coalition. He currently heads EFF&apos;s efforts to coordinate nationwide e-voting litigation and amicus support and evaluate emerging voting technology. He is also actively involved in e-voting-related grassroots development and public education efforts.  His practice further includes ongoing work in areas such as online privacy, anonymity, and intellectual property. Prior to joining EFF, Matt was Privacy Fellow at the public interest law firm The First Amendment Project where he specialized in privacy and open government issues. Previously, Matt worked at the international law firm Morrison &amp; Foerster LLP, where he focused on technology and commercial litigation matters, and the nonprofit advocacy organization The First Amendment Project, where he specialized in privacy and free speech issues.
 
 DANNY O&apos;BRIEN is the International Outreach Coordinator for the EFF. He works to help us collaborate with organizations and individuals fighting for liberties across the world. Danny has documented and fought for digital rights in the UK for over a decade, where he also assisted in building tools of open democracy like Fax Your MP. He co</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Ask EFF</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Atlas: Remedial Heap Overflows: dlmalloc style</title>
            <description>Sometimes even the top dudes need a refresher course.  Remedial Heap 
 Overflows is not so much a lesson to the lame, but a refresher for the 
 leet.  One day the speaker was approached (in a subway, of course) by a 
 top-notch dude (who has his own posse) and asked how they work.  Clearly not 
 even the best of the best always know everything.&lt;br /&gt;
&lt;br /&gt;
atlas, a disciple of the illustrious Skodo, has a history in programming, systems support, telecom, security, and reverse engineering.  His introduction to the hard-core hacking world was through dc13&apos;s CTF 
 Qualifiers.  atlas won the individual contest in 2005 and led the winning 
 team &quot;1@stplace&quot; in 2006.  atlas has written the WEP-cracking tool 
 bssid-flatten, the @Utility-Belt (toolkit for hacking and exploitation), and 
 his favorite tool, disass.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Atlas-Remedial_Heap_Overflows.mp3" length="13431" type="audio/mpeg"/>
            <guid isPermaLink="false">04504FBF-57E1-4AF9-8F40-F643C9BF9735</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Remedial Heap Overflows: dlmalloc style</itunes:subtitle>
            <itunes:summary>Sometimes even the top dudes need a refresher course.  Remedial Heap 
 Overflows is not so much a lesson to the lame, but a refresher for the 
 leet.  One day the speaker was approached (in a subway, of course) by a 
 top-notch dude (who has his own posse) and asked how they work.  Clearly not 
 even the best of the best always know everything.
 
 atlas, a disciple of the illustrious Skodo, has a history in programming, 
 systems support, telecom, security, and reverse engineering.  His 
 introduction to the hard-core hacking world was through dc13&apos;s CTF 
 Qualifiers.  atlas won the individual contest in 2005 and led the winning 
 team &quot;1@stplace&quot; in 2006.  atlas has written the WEP-cracking tool 
 bssid-flatten, the @Utility-Belt (toolkit for hacking and exploitation), and 
 his favorite tool, disass.</itunes:summary>
            <itunes:duration>57:13</itunes:duration>
            <itunes:author>Atlas</itunes:author>
            <itunes:keywords>Atlas, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Atlas-Remedial_Heap_Overflows.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='13431' height='320' duration='3433' width='240'>
                <media:title>Atlas: Remedial Heap Overflows: dlmalloc style</media:title>
                <media:text type='plain'>Sometimes even the top dudes need a refresher course.  Remedial Heap 
 Overflows is not so much a lesson to the lame, but a refresher for the 
 leet.  One day the speaker was approached (in a subway, of course) by a 
 top-notch dude (who has his own posse) and asked how they work.  Clearly not 
 even the best of the best always know everything.
 
 atlas, a disciple of the illustrious Skodo, has a history in programming, 
 systems support, telecom, security, and reverse engineering.  His 
 introduction to the hard-core hacking world was through dc13&apos;s CTF 
 Qualifiers.  atlas won the individual contest in 2005 and led the winning 
 team &quot;1@stplace&quot; in 2006.  atlas has written the WEP-cracking tool 
 bssid-flatten, the @Utility-Belt (toolkit for hacking and exploitation), and 
 his favorite tool, disass.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Atlas</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Andrea Barisani &amp; Daniele Bianco: Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation.</title>
            <description>RDS-TMC is a standard based on RDS (Radio Data System) for communicating over FM radio Traffic Information for Satellite Navigation Systems.&lt;br /&gt;
 &lt;br /&gt;
 All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up-to-date information about traffic conditions such as queues and accidents and provide detours in case they affect the plotted course. The system is increasingly being used around Europe and North America.&lt;br /&gt;
 &lt;br /&gt;
 The audience will be introduced to RDS/RDS-TMC concepts and protocols and we&apos;ll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information in the broadcast RDS-TMC stream manipulating the information displayed by the satellite navigator.&lt;br /&gt;
 &lt;br /&gt;
 We&apos;ll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection / jamming can play in social engineering attempts (hitmen in the audience will love this!).&lt;br /&gt;
 &lt;br /&gt;
 In order to maximize the presentation we&apos;ll also demo the injection...hopefully at low power so that we won&apos;t piss off local radio broadcasts. Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He&apos;s currently involved with the Gentoo project managing infrastructure server security being a member of the Gentoo Security and Infrastructure Teams along with distribution development. Being an active member of the international Open Source and security community he&apos;s maintainer/author of the tenshi, ftester and openssh-lpk projects and he&apos;s been involved in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he&apos;s now the co-founder and Chief Security Engineer of Inverse Path Ltd.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Barisani-Injecting_RDS-TMC_Tradffic_Information_Signals.mp3" length="13069" type="audio/mpeg"/>
            <guid isPermaLink="false">15BEFBA1-947F-44DF-9EBA-2A8EEEB35A6F</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation.</itunes:subtitle>
            <itunes:summary>RDS-TMC is a standard based on RDS (Radio Data System) for communicating over FM radio Traffic Information for Satellite Navigation Systems.
 
 All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up-to-date information about traffic conditions such as queues and accidents and provide detours in case they affect the plotted course. The system is increasingly being used around Europe and North America.
 
 The audience will be introduced to RDS/RDS-TMC concepts and protocols and we&apos;ll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information in the broadcast RDS-TMC stream manipulating the information displayed by the satellite navigator.
 
 We&apos;ll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection / jamming can play in social engineering attempts (hitmen in the audience will love this!).
 
 In order to maximize the presentation we&apos;ll also demo the injection...hopefully at low power so that we won&apos;t piss off local radio broadcasts. Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He&apos;s currently involved with the Gentoo project managing infrastructure server security being a member of the Gentoo Security and Infrastructure Teams along with distribution development. Being an active member of the international Open Source and security community he&apos;s maintainer/author of the tenshi, ftester and openssh-lpk projects and he&apos;s been involved in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he&apos;s now the co-founder and Chief Security Engineer of Inverse Path Ltd.</itunes:summary>
            <itunes:duration>55:40</itunes:duration>
            <itunes:author>Andrea  Barisani &amp; Daniele Bianco</itunes:author>
            <itunes:keywords>Andrea Barisani &amp; Daniele Bianco, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Barisani-Injecting_RDS-TMC_Tradffic_Information_Signals.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='13069' height='320' duration='200400' width='240'>
                <media:title>Andrea  Barisani &amp; Daniele Bianco: Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation.</media:title>
                <media:text type='plain'>RDS-TMC is a standard based on RDS (Radio Data System) for communicating over FM radio Traffic Information for Satellite Navigation Systems.
 
 All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up to date information about traffic conditions such as queues and accidents and provide detours in case they affect the plotted course. The system is increasingly being used around Europe and North America.
 
 The audience will be introduced to RDS/RDS-TMC concepts and protocols and we&apos;ll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information in the broadcast RDS-TMC stream manipulating the information displayed by the satellite navigator.
 
 We&apos;ll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection / jamming can play in social engineering attempts (hitmen in the audience will love this!).
 
 In order to maximize the presentation we&apos;ll also demo the injection...hopefully at low power so that we won&apos;t piss off local radio broadcasts.
 
 Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago but all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He&apos;s currently involved with the Gentoo project managing infrastructure server security being a member of the Gentoo Security and Infrastructure Teams along with distribution development. Being an active member of the international Open Source and security community he&apos;s maintainer/author of the tenshi, ftester and openssh-lpk projects and he&apos;s been involved in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he&apos;s now the co-founder and Chief Security Engineer of Inverse Path Ltd.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Andrea  Barisani &amp; Daniele Bianco</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Geoffrey Bennett: The Completion Backward Principle</title>
            <description>If you&apos;re responsible for the burglar alarm at your facility, do you 
 understand how it&apos;s being monitored by the &quot;Data Monitoring Group&quot; 
 flunkies? Are all those alarm conditions real? The Completion Backward 
 Principle covers issues arising from Internet-enabled monitoring of 
 burglar alarm systems, and possible mitigations. Spot The Fed will most 
 assuredly be played at this talk.&lt;br /&gt;
&lt;br /&gt;
For the past seventeen years, geoffrey has been a Facility Security Officer and ComSec manager in support of various tla&apos;s. Securing 
 computer networks, telephone systems, and buildings is not just an 
 adventure, it&apos;s his job. He can often be found giggling, like a 
 schoolgirl, at the thought of global warfare being waged upon nouns. 
 geoffrey is also available for children&apos;s parties.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-geoffrey-The_Completion_Backward_Principle.mp3" length="12733" type="audio/mpeg"/>
            <guid isPermaLink="false">A8ABB5E4-3BC1-4243-8AB6-D6DB16DDE771</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>The Completion Backward Principle</itunes:subtitle>
            <itunes:summary>If you&apos;re responsible for the burglar alarm at your facility, do you 
 understand how it&apos;s being monitored by the &quot;Data Monitoring Group&quot; 
 flunkies? Are all those alarm conditions real? The Completion Backward 
 Principle covers issues arising from Internet-enabled monitoring of 
 burglar alarm systems, and possible mitigations. Spot The Fed will most 
 assuredly be played at this talk.
 
 For the past seventeen years, geoffrey has been a Facility Security 
 Officer and ComSec manager in support of various tla&apos;s. Securing 
 computer networks, telephone systems, and buildings is not just an 
 adventure, it&apos;s his job. He can often be found giggling, like a 
 schoolgirl, at the thought of global warfare being waged upon nouns. 
 geoffrey is also available for children&apos;s parties.</itunes:summary>
            <itunes:duration>54:15</itunes:duration>
            <itunes:author>geoffrey BENNETT</itunes:author>
            <itunes:keywords>geoffrey BENNETT, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-geoffrey-The_Completion_Backward_Principle.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='12733' height='320' duration='195300' width='240'>
                <media:title>Geoffrey Bennett: The Completion Backward Principle</media:title>
                <media:text type='plain'>If you&apos;re responsible for the burglar alarm at your facility, do you 
 understand how it&apos;s being monitored by the &quot;Data Monitoring Group&quot; 
 flunkies? Are all those alarm conditions real? The Completion Backward 
 Principle covers issues arising from Internet-enabled monitoring of 
 burglar alarm systems, and possible mitigations. Spot The Fed will most 
 assuredly be played at this talk.
 
 For the past seventeen years, geoffrey has been a Facility Security 
 Officer and ComSec manager in support of various tla&apos;s. Securing 
 computer networks, telephone systems, and buildings is not just an 
 adventure, it&apos;s his job. He can often be found giggling, like a 
 schoolgirl, at the thought of global warfare being waged upon nouns. 
 geoffrey is also available for children&apos;s parties.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>geoffrey BENNETT</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>John &quot;jur1st&quot; Benson: Bridging the Gap Between Technology and the Law</title>
            <description>The recent case of Julie Amero has cast a bright spotlight on the difference in understanding between the worlds of technology and the law. We will examine adoption of technology within the legal profession, trial court decisions, as well as legislative and appellate decisions which may be inconsistent with generally accepted security measures.&lt;br /&gt;
&lt;br /&gt;


John Benson is the co-chair of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee, adjunct professor at the Colorado Technical University, and an electronic discovery analyst at a large midwestern law firm. While in law school he excelled in the areas of evidence and trial advocacy, produced papers on the Sony XCP Rootkit and NSA warrantless wiretapping program, and was a general menace to the local network administrators.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-John_Benson-Bridging_the_Gap_Between_Technology_and_the_Law.mp3" length="11120" type="audio/mpeg"/>
            <guid isPermaLink="false">7E3C9022-7AD3-46E0-98F2-E3D4F9125187</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Bridging the Gap Between Technology and the Law</itunes:subtitle>
            <itunes:summary>The recent case of Julie Amero has cast a bright spotlight on the difference in understanding between the worlds of technology and the law. We will examine adoption of technology within the legal profession, trial court decisions, as well as legislative and appellate decisions which may be inconsistent with generally accepted security measures.

John Benson is the co-chair of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee, adjunct professor at the Colorado Technical University, and an electronic discovery analyst at a large midwestern law firm. While in law school he excelled in the areas of evidence and trial advocacy, produced papers on the Sony XCP Rootkit and NSA warrantless wiretapping program, and was a general menace to the local network administrators.</itunes:summary>
            <itunes:duration>47:22</itunes:duration>
            <itunes:author>Benson</itunes:author>
            <itunes:keywords>John &quot;jur1st&quot; Benson, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-John_Benson-Bridging_the_Gap_Between_Technology_and_the_Law.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='11120' height='320' duration='170520' width='240'>
                <media:title>John &quot;jur1st&quot; Benson: Bridging the Gap Between Technology and the Law</media:title>
                <media:text type='plain'>The recent case of Julie Amero has cast a bright spotlight on the difference in understanding between the worlds of technology and the law. We will examine adoption of technology within the legal profession, trial court decisions, as well as legislative and appellate decisions which may be inconsistent with generally accepted security measures.

John Benson is the co-chair of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee, adjunct professor at the Colorado Technical University, and an electronic discovery analyst at a large midwestern law firm. While in law school he excelled in the areas of evidence and trial advocacy, produced papers on the Sony XCP Rootkit and NSA warrantless wiretapping program, and was a general menace to the local network administrators.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Benson</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Peter Berghammer: A Journalist&apos;s Perspective on Security Research</title>
            <description>The presentation details the process whereby journalists select, discard, research
 and ultimately publish security related articles. It outlines the credibility necessary
 for security researchers to be taken seriously in the presentation of their findings and
 examines the &quot;blowback&quot; that criminal and kiddie hackers have on the security
 industry from a journalist&apos;s perspective. This talk also looks at the current practices of
 legitimate software companies between secure content (DRM et al), metadata
 tracking, hardware and software tracking, and the very close parallels between their
 methods and those of the &quot;hacking&quot; universe. &lt;br /&gt;
&lt;br /&gt;
Peter Berghammer owns a number of companies in the military and consumer electronics market spaces. Additionally he has written monthly articles for the past few years dealing with security, the law, legislation. In 2005 he was named a Fellow at Stanford Law&apos;s Center for Internet and Society (researching security items and munitions law). He speaks frequently in international venues on items surrounding security, security breaches, privacy issues and pending legislation. Full bio info at: www.zoominfo.com</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Peter_Berghammer-A_Journalists_Prospective_on_Sec_Research.mp3" length="12889" type="audio/mpeg"/>
            <guid isPermaLink="false">7613B061-264C-4E5C-A475-C90DB5E7142E</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>A Journalist&apos;s Perspective on Security Research</itunes:subtitle>
            <itunes:summary>The presentation details the process whereby journalists select, discard, research
 and ultimately publish security related articles. It outlines the credibility necessary
 for security researchers to be taken seriously in the presentation of their findings and
 examines the &quot;blowback&quot; that criminal and kiddie hackers have on the security
 industry from a journalist&apos;s perspective. This talk also looks at the current practices of
 legitimate software companies between secure content (DRM et al), metadata
 tracking, hardware and software tracking, and the very close parallels between their
 methods and those of the &quot;hacking&quot; universe.
 
 Peter Berghammer owns a number of companies in the military and consumer electronics market spaces. Additionally he has written monthly articles for the past few years dealing with security, the law, legislation. In 2005 he was named a Fellow at Stanford Law&apos;s Center for Internet and Society (researching security items and munitions law). He speaks frequently in international venues on items surrounding security, security breaches, privacy issues and pending legislation. Full bio info at: www.zoominfo.com</itunes:summary>
            <itunes:duration>54:54</itunes:duration>
            <itunes:author>Peter Berghammer</itunes:author>
            <itunes:keywords>Peter Berghammer, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Peter_Berghammer-A_Journalists_Prospective_on_Sec_Research.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='12889' height='320' duration='197640' width='240'>
                <media:title>Peter Berghammer: A Journalist&apos;s Perspective on Security Research</media:title>
                <media:text type='plain'>The presentation details the process whereby journalists select, discard, research
 and ultimately publish security related articles. It outlines the credibility necessary
 for security researchers to be taken seriously in the presentation of their findings and
 examines the &quot;blowback&quot; that criminal and kiddie hackers have on the security
 industry from a journalist&apos;s perspective. This talk also looks at the current practices of
 legitimate software companies between secure content (DRM et al), metadata
 tracking, hardware and software tracking, and the very close parallels between their
 methods and those of the &quot;hacking&quot; universe.
 
 Peter Berghammer owns a number of companies in the military and consumer electronics market spaces. Additionally he has written monthly articles for the past few years dealing with security, the law, legislation. In 2005 he was named a Fellow at Stanford Law&apos;s Center for Internet and Society (researching security items and munitions law). He speaks frequently in international venues on items surrounding security, security breaches, privacy issues and pending legislation. Full bio info at: www.zoominfo.com</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Peter Berghammer</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Sean M. Bodmer: Analyzing Intrusions &amp; Intruders</title>
            <description>Intrusion Analysis has been primarily reserved for network junkies and bit biters. However, due to the advances in network systems automation we now have time to pay more attention to subtle observations left by attackers at the scene of the incident. Century-old sciences have enabled criminal investigators the ability to attribute attacks to specific individuals or groups.
&lt;br /&gt;
&lt;br /&gt;

Sean M. Bodmer is an active developer and deployer of intrusion detection systems. Sean is also an active Honeynet Researcher, specializing in analyzing signatures and behaviors used by the blackhat community regarding patterns, methods, and motives behind attacks. Currently Sean is working on a highly-adaptive sensor network under a joint commercial venture in which global sensors are deployed to generate better understandings of various attack approaches and techniques.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Sean_Bodmer-Analyzing_Intrusions_and_Intruders.mp3" length="11209" type="audio/mpeg"/>
            <guid isPermaLink="false">7E7FF3C3-AE35-471E-8510-FBF71DC48FAB</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Analyzing Intrusions &amp; Intruders</itunes:subtitle>
            <itunes:summary>Intrusion Analysis has been primarily reserved for network junkies and bit biters. However, due to the advances in network systems automation we now have time to pay more attention to subtle observations left by attackers at the scene of the incident. Century-old sciences have enabled criminal investigators the ability to attribute attacks to specific individuals or groups.

Sean M. Bodmer is an active developer and deployer of intrusion detection systems. Sean is also an active Honeynet Researcher, specializing in analyzing signatures and behaviors used by the blackhat community regarding patterns, methods, and motives behind attacks. Currently Sean is working on a highly-adaptive sensor network under a joint commercial venture in which global sensors are deployed to generate better understandings of various attack approaches and techniques.</itunes:summary>
            <itunes:duration>47:44</itunes:duration>
            <itunes:author>Sean M. Bodmer</itunes:author>
            <itunes:keywords>Sean M. Bodmer, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Sean_Bodmer-Analyzing_Intrusions_and_Intruders.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='11209' height='320' duration='171840' width='240'>
                <media:title>Sean M. Bodmer: Analyzing Intrusions &amp; Intruders</media:title>
                <media:text type='plain'>Intrusion Analysis has been primarily reserved for network junkies and bit biters. However, due to the advances in network systems automation we now have time to pay more attention to subtle observations left by attackers at the scene of the incident. Century-old sciences have enabled criminal investigators the ability to attribute attacks to specific individuals or groups.

Sean M. Bodmer is an active developer and deployer of intrusion detection systems. Sean is also an active Honeynet Researcher, specializing in analyzing signatures and behaviors used by the blackhat community regarding patterns, methods, and motives behind attacks. Currently Sean is working on a highly-adaptive sensor network under a joint commercial venture in which global sensors are deployed to generate better understandings of various attack approaches and techniques.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Sean M. Bodmer</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Sam Bowne: Teaching Hacking at College</title>
            <description>Last semester I taught a new course in &quot;Ethical Hacking and Network Defense&quot; at City College San Francisco.  I had legal, ethical, and practical concerns about this class, so I took several precautions to protect the students from one another, and others from them.  The course was a success--it was full and popular, and there were no security problems (at least none that I found out about). 
 &lt;br /&gt;

 We have built hacking into our Computer Networking and Information Technology program.  The topic is important and exciting for the students, and reinforces their security knowledge.  I encourage other college teachers to do the same. 
 &lt;br /&gt;
 Degrees: B.S. in Physics, Edinboro University of PA; Ph.D. in Physics, University of Illinois, Urbana Champaign
 Industry Certifications: Microsoft Certified Professional, Microsoft Certified Desktop Support Technician, Network+, Security+, Certified Fiber Optic Technician 
 Sam Bowne has been teaching at CCSF since 2000.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Sam_Bowne-Teaching_Hacking_at_College.mp3" length="6646" type="audio/mpeg"/>
            <guid isPermaLink="false">6CB8F458-D5C0-45F3-ADF7-19EE7157B822</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Teaching Hacking at College</itunes:subtitle>
            <itunes:summary>Last semester I taught a new course in &quot;Ethical Hacking and Network Defense&quot; at City College San Francisco.  I had legal, ethical, and practical concerns about this class, so I took several precautions to protect the students from one another, and others from them.  The course was a success--it was full and popular, and there were no security problems (at least none that I found out about). 
 
 We have built hacking into our Computer Networking and Information Technology program.  The topic is important and exciting for the students, and reinforces their security knowledge.  I encourage other college teachers to do the same. 
 
 Degrees: B.S. in Physics, Edinboro University of PA; Ph.D. in Physics, University of Illinois, Urbana Champaign
 Industry Certifications: Microsoft Certified Professional, Microsoft Certified Desktop Support Technician, Network+, Security+, Certified Fiber Optic Technician 
 Sam Bowne has been teaching at CCSF since 2000.</itunes:summary>
            <itunes:duration>28:16</itunes:duration>
            <itunes:author>Sam Bowne</itunes:author>
            <itunes:keywords>Sam Bowne, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Sam_Bowne-Teaching_Hacking_at_College.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='6646' height='320' duration='101760' width='240'>
                <media:title>Sam Bowne: Teaching Hacking at College</media:title>
                <media:text type='plain'>Last semester I taught a new course in &quot;Ethical Hacking and Network Defense&quot; at City College San Francisco.  I had legal, ethical, and practical concerns about this class, so I took several precautions to protect the students from one another, and others from them.  The course was a success--it was full and popular, and there were no security problems (at least none that I found out about). 
 
 We have built hacking into our Computer Networking and Information Technology program.  The topic is important and exciting for the students, and reinforces their security knowledge.  I encourage other college teachers to do the same. 
 
 Degrees: B.S. in Physics, Edinboro University of PA; Ph.D. in Physics, University of Illinois, Urbana Champaign
 Industry Certifications: Microsoft Certified Professional, Microsoft Certified Desktop Support Technician, Network+, Security+, Certified Fiber Optic Technician 
 Sam Bowne has been teaching at CCSF since 2000.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Sam Bowne</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Sergey  Bratus: Entropy-based data organization tricks for log and packet capture browsing.</title>
            <description>
                <![CDATA[I will show how entropy, a measure of information content defined by Shannon in 1948, can provide useful ways of organizing and analyzing log data.<br />
 <br />
 In particular, we use entropy and mutual information heuristics to group syslog records and packet captures in such a way as to bring <br />
 out anomalies and summarize the overall structure in each particular data set. I will show a modification of Ethereal that is based on these heuristics, and a separate tool for browsing syslogs.<br />
 <br />
 Our data organization heuristics produce decision trees that can be saved and applied to building views of other data sets. Our tools also allow the user to mark records based on relevance, and use this feedback to improve the data views. <br />
 <br />
 Our tools and algorithm descriptions can be found at http://kerf.cs.dartmouth.edu<br />
 <br />
 For the past five years, my research at Dartmouth's Institute for Security <br />
 Technology Studies was related to application of information theory and <br />
 machine learning to log analysis and other security topics. Before that, I <br />
 worked as a research scientist at BBN Technologies on applications of <br />
 similar techniques to Natural Language Processing, English text and <br />
 speech.]]>
            </description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Sergey_Bratus-Entropy-Based_Data_Organization_Tricks.mp3" length="11523" type="audio/mpeg"/>
            <guid isPermaLink="false">5F6F3013-B565-4C7D-AB71-4E302768D68D</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Entropy-based data organization tricks for log and packet capture browsing.</itunes:subtitle>
            <itunes:summary>I will show how entropy, a measure of information content defined by Shannon in 1948, can provide useful ways of organizing and analyzing log data.
 
 In particular, we use entropy and mutual information heuristics to group syslog records and packet captures in such a way as to bring 
 out anomalies and summarize the overall structure in each particular data set. I will show a modification of Ethereal that is based on these heuristics, and a separate tool for browsing syslogs.
 
 Our data organization heuristics produce decision trees that can be saved and applied to building views of other data sets. Our tools also allow the user to mark records based on relevance, and use this feedback to improve the data views. 
 
 Our tools and algorithm descriptions can be found at http://kerf.cs.dartmouth.edu
 
 For the past five years, my research at Dartmouth&apos;s Institute for Security 
 Technology Studies was related to application of information theory and 
 machine learning to log analysis and other security topics. Before that, I 
 worked as a research scientist at BBN Technologies on applications of 
 similar techniques to Natural Language Processing, English text and 
 speech.</itunes:summary>
            <itunes:duration>49:05</itunes:duration>
            <itunes:author>Sergey  Bratus</itunes:author>
            <itunes:keywords>Sergey  Bratus, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Sergey_Bratus-Entropy-Based_Data_Organization_Tricks.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='11523' height='320' duration='176700' width='240'>
                <media:title>Sergey  Bratus: Entropy-based data organization tricks for log and packet capture browsing.</media:title>
                <media:text type='plain'>I will show how entropy, a measure of information content defined by Shannon in 1948, can provide useful ways of organizing and analyzing log data.
 
 In particular, we use entropy and mutual information heuristics to group syslog records and packet captures in such a way as to bring 
 out anomalies and summarize the overall structure in each particular data set. I will show a modification of Ethereal that is based on these heuristics, and a separate tool for browsing syslogs.
 
 Our data organization heuristics produce decision trees that can be saved and applied to building views of other data sets. Our tools also allow the user to mark records based on relevance, and use this feedback to improve the data views. 
 
 Our tools and algorithm descriptions can be found at http://kerf.cs.dartmouth.edu
 
 For the past five years, my research at Dartmouth&apos;s Institute for Security 
 Technology Studies was related to application of information theory and 
 machine learning to log analysis and other security topics. Before that, I 
 worked as a research scientist at BBN Technologies on applications of 
 similar techniques to Natural Language Processing, English text and 
 speech.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Sergey  Bratus</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>Taylor  Brinton &amp; Brett Neilson: Being in the know... Listening to and understanding modern radio systems</title>
            <description>&quot;Being in the know&quot; is key to supporting or violating a security infrastructure. Whether you&apos;re taking over the Taco Bell drive through or listening in during a presidential visit, being armed with the right information could drastically affect your outcome and ultimately lead to your success. This talk will focus on modern radio systems and the challenges of listening to them. We will provide information on several utilities and resources to aid in reconnaissance efforts as well as provide detailed information about how various types of radio systems function in today&apos;s modern world. Lastly we will cover some of the hardware to help make you successful and review some fun things to listen to here in Vegas and to do when you get back home.&lt;br /&gt;
&lt;br /&gt;
Brett Neilson is a manager of network and information security systems and has a strong background in the wireless industry. Previously, he worked for one of the leading wireless communication companies as a Senior Systems Administrator and RF Field Technician. Currently he spends his time overseeing a team of system owners for a major financial institution. Brett is also an active amateur radio operator and scanner enthusiast who can be frequently found mapping and monitoring RF systems in his area.&lt;br /&gt;
&lt;br /&gt;
Taylor Brinton is an IT manager for the leading Property Management Company in Utah. He is also a managing partner in a web hosting company, which provides design and hosting services nationwide. Taylor is an active amateur radio operator, who loves to learn new technologies and teach others about radio and computer/network systems.</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-Brett_Neilson-Being_in_the_Know.mp3" length="10820" type="audio/mpeg"/>
            <guid isPermaLink="false">EF3B3EF8-F613-4449-9F43-A71298BCEB44</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Being in the know... Listening to and understanding modern radio systems</itunes:subtitle>
            <itunes:summary>&quot;Being in the know&quot; is key to supporting or violating a security infrastructure. Whether you&apos;re taking over the Taco Bell drive through or listening in during a presidential visit, being armed with the right information could drastically affect your outcome and ultimately lead to your success. This talk will focus on modern radio systems and the challenges of listening to them. We will provide information on several utilities and resources to aid in reconnaissance efforts as well as provide detailed information about how various types of radio systems function in today&apos;s modern world. Lastly we will cover some of the hardware to help make you successful and review some fun things to listen to here in Vegas and to do when you get back home.

Brett Neilson is a manager of network and information security systems and has a strong background in the wireless industry. Previously, he worked for one of the leading wireless communication companies as a Senior Systems Administrator and RF Field Technician. Currently he spends his time overseeing a team of system owners for a major financial institution. Brett is also an active amateur radio operator and scanner enthusiast who can be frequently found mapping and monitoring RF systems in his area.

Taylor Brinton is an IT manager for the leading Property Management Company in Utah. He is also a managing partner in a web hosting company, which provides design and hosting services nationwide. Taylor is an active amateur radio operator, who loves to learn new technologies and teach others about radio and computer/network systems.</itunes:summary>
            <itunes:duration>46:05</itunes:duration>
            <itunes:author>Taylor  Brinton &amp; Brett Neilson</itunes:author>
            <itunes:keywords>Taylor  Brinton &amp; Brett Neilson, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-Brett_Neilson-Being_in_the_Know.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='10820' height='320' duration='165900' width='240'>
                <media:title>Taylor  Brinton &amp; Brett Neilson: Being in the know... Listening to and understanding modern radio systems</media:title>
                <media:text type='plain'>&quot;Being in the know&quot; is key to supporting or violating a security infrastructure. Whether you&apos;re taking over the Taco Bell drive through or listening in during a presidential visit, being armed with the right information could drastically affect your outcome and ultimately lead to your success. This talk will focus on modern radio systems and the challenges of listening to them. We will provide information on several utilities and resources to aid in reconnaissance efforts as well as provide detailed information about how various types of radio systems function in today&apos;s modern world. Lastly we will cover some of the hardware to help make you successful and review some fun things to listen to here in Vegas and to do when you get back home.

Brett Neilson is a manager of network and information security systems and has a strong background in the wireless industry. Previously, he worked for one of the leading wireless communication companies as a Senior Systems Administrator and RF Field Technician. Currently he spends his time overseeing a team of system owners for a major financial institution. Brett is also an active amateur radio operator and scanner enthusiast who can be frequently found mapping and monitoring RF systems in his area.

Taylor Brinton is an IT manager for the leading Property Management Company in Utah. He is also a managing partner in a web hosting company, which provides design and hosting services nationwide. Taylor is an active amateur radio operator, who loves to learn new technologies and teach others about radio and computer/network systems.</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>Taylor  Brinton &amp; Brett Neilson</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>David Byrne: Intranet Invasion With Anti-DNS Pinning</title>
            <description>
                <![CDATA[Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not received much attention. Anti-DNS pinning is a relatively new threat that, while not well understood by most security professionals, is far from theoretical. This presentation will focus on a live demonstration of anti-DNS pinning techniques. A victim web browser will be used to execute arbitrary, interactive HTTP requests to any server, completely bypassing perimeter firewalls.<br />
 <br />
 This is NOT a Jikto knockoff. Jikto relies on using a proxy or caching site like Google to place both sites in the same domain. This does not allow for full interaction with dynamic pages, or any interaction with internal web sites. This demonstration allows full interaction with arbitrary web servers in the intranet environment. No browser bugs or plug-ins are required to accomplish this, only JavaScript.<br />
 <br />
 The presenter will demonstrate an automated attack process that provides an HTTP proxy service for the attacker's browser after scanning the internal network for web servers. New requests are retrieved from the attack server by using the width and height of truncated images (only 66 bytes) as a covert channel.*** This bypasses the browser DOM's normal behavior of allowing data to be requested only from the server that provided the HTML.<br />
 <br />
 Before demonstrating the tool, anti-DNS pinning will be explained in a way that anyone familiar with the basics of DNS and HTTP will understand. The presenter will describe the presentation environment and attack components, then walk through the steps in an attack. Once the foundation concepts have been established, the live demonstration will be performed.<br />
 <br />
 Towards the end, the presentation will also briefly cover suggested defenses, including changing pinning behavior in browsers, better intranet security, gateway behavioral scanners, increased granularity for IE security zones, and introduction of security zones into Mozilla and other browsers.<br />
 <br />
 Enhancements to the tool are in-progress to add binary socket capabilities using an untrusted Java Applet. These changes will be complete in time for the presentation. This will allow for full access to any TCP protocol via a web browser supporting JavaScript and a JVM. The attacker would access this via a SOCKS proxy interface. The image dimension-based covert transfer is too slow for many protocols, so a second technique involving Cascading Style Sheets is used.*** The data is smuggled in border values of sequentially named classes. This is clearly a superior method, but there is still benefit from demonstrating the image-based method.<br />
 <br />
 *** I developed this technique and couldn't find any reference to it, but others may have used it before.<br />
 <br />
 Several key use-cases are outlined below. The actors involved are:<br />
 * Victim browser: Once a malicious or XSS infected site is visited, any browser can be used<br />
 * Slave.js: The JavaScript that registers the victim browser with the attack website and polls for new commands<br />
 * Proxy.js: The JavaScript that executes arbitrary HTTP commands from the attacker<br />
 * Controller.pl: A multipurpose CGI script that acts as the central control point for victim browsers, as a management console for the attacker, and coordinates the firewall & DNS changes required for the anti-pinning attack<br />
 * Database: Stores session state and new commands for victim browsers<br />
 * Proxy.pl: Runs an HTTP proxy that translates attacker requests into JavaScript commands<br />
 * Attacker web server: Hosts controller.pl on primary and secondary IP addresses<br />
 * Firewall: Blocks inbound requests to the secondary IP address during the anti-pinning attack<br />
 * DNS Server: Serves up the "A" records used for the anti-pinning attack<br />
 <br />
 Initial infection<br />
 1. The victim browser visits an attack website and downloads slave.js<br />
 2. Slave.js registers with controller.pl and polls for new commands<br />
 <br />
 Port scanning<br />
 1. The attacker sends a request to controller.pl to have the victim browser scan a range of addresses for specific ports running web servers<br />
 2. Controller.pl generates and inserts the port scan JavaScript code for the victim browser<br />
 3. Slave.js polls for new commands and receives the scanning script from controller.pl<br />
 4. The scanning script creates a new iframe for each host/port combination and sets the "onload" event to create an img object. This image has a source of controller.pl with parameters indicating a successful port scan for the host/port combination.<br />
 5. Controller.pl receives the image request and logs the successful scan event into the database.<br />
 <br />
 Out-of-channel img communications for value retrieval<br />
 1. A proxy.js component calls GetValue with a command, unique description, and call-back function as argument<br />
 2. GetValue creates an img object<br />
 a. The source is set to controller.pl with a query string containing the relevant command<br />
 b. The id is set to a string containing a unique description and sequence number<br />
 c. The "onload" attribute is set to a callback function with the command, unique description, the counter value, and a secondary call-back function to resume execution<br />
 3. GetValue appends the img object to the document<br />
 4. The victim browser requests the image from the attack web server<br />
 5. Controller.pl processes the request and returns a dynamically generated bitmap with the width and height properties used to encode a two byte integer value as a response. The bitmap only needs to be 66 bytes, regardless of the dimensions.<br />
 6. The victim browser loads the image and fires the onload call-back<br />
 7. The call-back function checks the width and height of the image, decodes the value and stores it in a global array with the unique description & sequence number as the index<br />
 8. The call-back function calls the secondary call-back function and resumes execution within proxy.js<br />
 <br />
 Out-of-channel img communications for string retrieval<br />
 1. A proxy.js component calls GetString with a command, unique description, and call-back function as argument<br />
 2. GetString requests the string length from controller.pl using out-of-channel img communications, prepending "stringlength" to the relevant command<br />
 3. GetString creates an img object for every two bytes of the string (1&2, 3&4, etc)<br />
 a. The source is set to controller.pl with a query string containing the relevant command and the string position of the bytes<br />
 b. The id is set to a string containing a unique description and sequence number<br />
 c. The "onload" attribute is set to a callback function with the image id as the only parameter<br />
 4. The victim browser will asynchronously request all of the generated images<br />
 a. Controller.pl processes the request and returns a bitmap with the width and height properties used to encode the two byte string.<br />
 b. The victim browser loads the image and fires the onload call-back<br />
 c. The call-back function checks the width and height of the image, decodes the string segment and stores it in a global array with the img object id as the index<br />
 5. As the browser is requesting the images, GetString calls the CompileString function, which checks the global array to see if all string components have been returned & stored.<br />
 6. If the string is not complete, CompileString pauses, then calls itself again using SetTimeout.<br />
 7. Once the string is complete, CompileString calls the call-back function to resume execution with proxy.js<br />
 <br />
 First request for an iframe proxy<br />
 1. The attacker sends a command to controller.pl to activate the proxy for a victim browser<br />
 2. Controller.pl starts proxy.pl on a random port and modifies the PAC file to point at that port<br />
 3. The attacker browser sends a request to proxy.pl for a target IP address detected in the port scanning phase<br />
 4. Proxy.pl checks in the database to see if the victim browser has an iframe proxy for the requested target IP address. Since this is the first request for the target IP address, there will be no iframe record.<br />
 5. Proxy.pl creates a random host name record in the DNS server and points it to the attack web server's secondary IP address<br />
 6. Proxy.pl inserts a JavaScript command to create a new iframe proxy in the victim browser pointed at the random host name<br />
 7. Proxy.pl inserts the attacker's HTTP request in the database and begins to poll for the result<br />
 8. Slave.js polls for new commands and receives the iframe command from controller.pl<br />
 9. Slave.js creates a new iframe. The source attribute of the iframe points at controller.pl on the random hostname, with the command requesting proxy.js<br />
 10. Once proxy.js has been downloaded, controller.pl blocks access from the victim IP address to the web server's secondary IP address, and changes the random hostname to point at the target IP address<br />
 11. Using out-of-channel img communications, proxy.js polls controller.pl, until the DNS & firewall changes are confirmed<br />
 12. Using out-of-channel img communications, proxy.js requests the next HTTP command<br />
 13. Proxy.js uses XMLHttpRequest to process the provided HTTP command, using the random hostname. Because of the firewall rule, the victim browser will timeout after trying to reconnect to the cached secondary IP address.<br />
 14. Continue to attempt XMLHttpRequest until the browser realizes the server isn't there, and dumps its host / IP address cache.<br />
 15. The victim browser re-queries DNS, this time getting the IP address of the targeted web server<br />
 16. The browser runs the request and returns the result to proxy.js<br />
 17. Proxy.js creates a new iframe with a unique ID<br />
 18. Proxy.js creates a form with a POST method, an action pointing at controller.pl on the primary IP address, a target at the new iframe, and a single textarea input<br />
 19. Proxy.js sets the textarea value to the HTTP results and submits the form. Since the target is an iframe, there will be no redirection<br />
 20. Controller.pl receives the HTTP response and inserts it into the database<br />
 21. Proxy.pl polls the database, finds the response, and returns it to the attacker browser<br />
 <br />
 Proxy requests for an existing iframe are essentially the same, but steps 5-11, 14, 15 are not required.<br />
 <br />
 Specializing in web application security, David Byrne is a seven-year veteran of the Information Security industry. He is currently the Security Architect for EchoStar Satellite, owner of Dish Network. David is also the founder and current leader of the Denver chapter of the Open Web Application Security Project (OWASP).]]>
            </description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-David_Byrne-Intranet_Invasion_with_Anti-DNS_Pinning.mp3" length="10855" type="audio/mpeg"/>
            <guid isPermaLink="false">8D4ECCBA-4614-4B37-9C41-D1E4FF2230C6</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Intranet Invasion With Anti-DNS Pinning</itunes:subtitle>
            <itunes:summary>Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not received much attention. Anti-DNS pinning is a relatively new threat that, while not well understood by most security professionals, is far from theoretical. This presentation will focus on a live demonstration of anti-DNS pinning techniques. A victim web browser will be used to execute arbitrary, interactive HTTP requests to any server, completely bypassing perimeter firewalls.
 
 This is NOT a Jikto knockoff. Jikto relies on using a proxy or caching site like Google to place both sites in the same domain. This does not allow for full interaction with dynamic pages, or any interaction with internal web sites. This demonstration allows full interaction with arbitrary web servers in the intranet environment. No browser bugs or plug-ins are required to accomplish this, only JavaScript.
 
 The presenter will demonstrate an automated attack process that provides an HTTP proxy service for the attacker&apos;s browser after scanning the internal network for web servers. New requests are retrieved from the attack server by using the width and height of truncated images (only 66 bytes) as a covert channel.*** This bypasses the browser DOM&apos;s normal behavior of allowing data to be requested only from the server that provided the HTML.
 
 Before demonstrating the tool, anti-DNS pinning will be explained in a way that anyone familiar with the basics of DNS and HTTP will understand. The presenter will describe the presentation environment and attack components, then walk through the steps in an attack. Once the foundation concepts have been established, the live demonstration will be performed.
 
 Towards the end, the presentation will also briefly cover suggested defenses, including changing pinning behavior in browsers, better intranet security, gateway behavioral scanners, increased granularity for IE security zones, and introduction of security zones into Mozilla and other browsers.
 
 Enhancements to the tool are in-progress to add binary socket capabilities using an untrusted Java Applet. These changes will be complete in time for the presentation. This will allow for full access to any TCP protocol via a web browser supporting JavaScript and a JVM. The attacker would access this via a SOCKS proxy interface. The image dimension-based covert transfer is too slow for many protocols, so a second technique involving Cascading Style Sheets is used.*** The data is smuggled in border values of sequentially named classes. This is clearly a superior method, but there is still benefit from demonstrating the image-based method.
 
 *** I developed this technique and couldn&apos;t find any reference to it, but others may have used it before.
 
 Several key use-cases are outlined below. The actors involved are:
 * Victim browser: Once a malicious or XSS infected site is visited, any browser can be used
 * Slave.js: The JavaScript that registers the victim browser with the attack website and polls for new commands
 * Proxy.js: The JavaScript that executes arbitrary HTTP commands from the attacker
 * Controller.pl: A multipurpose CGI script that acts as the central control point for victim browsers, as a management console for the attacker, and coordinates the firewall &amp; DNS changes required for the anti-pinning attack
 * Database: Stores session state and new commands for victim browsers
 * Proxy.pl: Runs an HTTP proxy that translates attacker requests into JavaScript commands
 * Attacker web server: Hosts controller.pl on primary and secondary IP addresses
 * Firewall: Blocks inbound requests to the secondary IP address during the anti-pinning attack
 * DNS Server: Serves up the &quot;A&quot; records used for the anti-pinning attack</itunes:summary>
            <itunes:duration>46:14</itunes:duration>
            <itunes:author>David Byrne</itunes:author>
            <itunes:keywords>David Byrne, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-David_Byrne-Intranet_Invasion_with_Anti-DNS_Pinning.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='10855' height='320' duration='166440' width='240'>
                <media:title>David Byrne: Intranet Invasion With Anti-DNS Pinning</media:title>
                <media:text type='plain'>Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not received much attention. Anti-DNS pinning is a relatively new threat that, while not well understood by most security professionals, is far from theoretical. This presentation will focus on a live demonstration of anti-DNS pinning techniques. A victim web browser will be used to execute arbitrary, interactive HTTP requests to any server, completely bypassing perimeter firewalls.
 
 This is NOT a Jikto knockoff. Jikto relies on using a proxy or caching site like Google to place both sites in the same domain. This does not allow for full interaction with dynamic pages, or any interaction with internal web sites. This demonstration allows full interaction with arbitrary web servers in the intranet environment. No browser bugs or plug-ins are required to accomplish this, only JavaScript.
 
 The presenter will demonstrate an automated attack process that provides an HTTP proxy service for the attacker&apos;s browser after scanning the internal network for web servers. New requests are retrieved from the attack server by using the width and height of truncated images (only 66 bytes) as a covert channel.*** This bypasses the browser DOM&apos;s normal behavior of allowing data to be requested only from the server that provided the HTML.
 
 Before demonstrating the tool, anti-DNS pinning will be explained in a way that anyone familiar with the basics of DNS and HTTP will understand. The presenter will describe the presentation environment and attack components, then walk through the steps in an attack. Once the foundation concepts have been established, the live demonstration will be performed.
 
 Towards the end, the presentation will also briefly cover suggested defenses, including changing pinning behavior in browsers, better intranet security, gateway behavioral scanners, increased granularity for IE security zones, and introduction of security zones into Mozilla and other browsers.
 
 Enhancements to the tool are in-progress to add binary socket capabilities using an untrusted Java Applet. These changes will be complete in time for the presentation. This will allow for full access to any TCP protocol via a web browser supporting JavaScript and a JVM. The attacker would access this via a SOCKS proxy interface. The image dimension-based covert transfer is too slow for many protocols, so a second technique involving Cascading Style Sheets is used.*** The data is smuggled in border values of sequentially named classes. This is clearly a superior method, but there is still benefit from demonstrating the image-based method.
 
 *** I developed this technique and couldn&apos;t find any reference to it, but others may have used it before.
 
 Several key use-cases are outlined below. The actors involved are:
 * Victim browser: Once a malicious or XSS infected site is visited, any browser can be used
 * Slave.js: The JavaScript that registers the victim browser with the attack website and polls for new commands
 * Proxy.js: The JavaScript that executes arbitrary HTTP commands from the attacker
 * Controller.pl: A multipurpose CGI script that acts as the central control point for victim browsers, as a management console for the attacker, and coordinates the firewall &amp; DNS changes required for the anti-pinning attack
 * Database: Stores session state and new commands for victim browsers
 * Proxy.pl: Runs an HTTP proxy that translates attacker requests into JavaScript commands
 * Attacker web server: Hosts controller.pl on primary and secondary IP addresses
 * Firewall: Blocks inbound requests to the secondary IP address during the anti-pinning attack
 * DNS Server: Serves up the &quot;A&quot; records used for the anti-pinning attack</media:text>
                <media:thumbnail url="http://media.defcon.org/dc-15/defcon-15-itunes-logo.jpg" height='300' width='300'/>
                <media:credit role='expert' scheme='urn:ebu'>David Byrne</media:credit>
                <media:credit role='production company' scheme='urn:ebu'>Black Hat / CMP Media, Inc.</media:credit>
                <media:category scheme='http://dir.yahoo.com/'>Computers_and_Internet/Security_and_Encryption/Hacking/Conferences/</media:category>
                <media:category scheme='http://dmoz.org/'>Computers/Hacking/</media:category>
            </media:content>
        </item>
        <item>
            <title>D.J. Capelis: Virtualization: Enough holes to work Vegas</title>
            <description>Have you tried to firewall a machine from itself?  Have you ever tried to protect a machine with a multi-personality disorder?  These questions are brought to us by the wonderful technology of virtualization.  Though the technology is clearly sexy, security has clearly been an afterthought. &lt;br /&gt;

 While every product claims isolation, it seems that&apos;s only when you don&apos;t have an attacker involved.  Despite what the press releases say, it&apos;s not free to put all your machines on the same hardware.  We&apos;ll be brushing aside the dust and trying to figure out part of the cost.
&lt;br /&gt;
&lt;br /&gt;
 
 
</description>
            <link>http://www.defcon.org/html/defcon-15/dc-15-speakers.html</link>
            <author>feedback@defcon.org (DEF CON Announcements)</author>
            <category domain="http://www.dmoz.org/">Computers/Hacking/</category>
            <enclosure url="http://media.defcon.org/dc-15/audio/Defcon15-DJ_Capelis-Virtualization-Enough_holes_to_work_Vegas.mp3" length="11302" type="audio/mpeg"/>
            <guid isPermaLink="false">2BFA5C66-2C22-4BA8-857A-7767887A088D</guid>
            <pubDate>Mon, 9 Jan 2006 16:10:19 -0700</pubDate>
            <itunes:subtitle>Virtualization: Enough holes to work Vegas</itunes:subtitle>
            <itunes:summary>Have you tried to firewall a machine from itself?  Have you ever tried to protect a machine with a multi-personality disorder?  These questions are brought to us by the wonderful technology of virtualization.  Though the technology is clearly sexy, security has clearly been an afterthought. 
 While every product claims isolation, it seems that&apos;s only when you don&apos;t have an attacker involved.  Despite what the press releases say, it&apos;s not free to put all your machines on the same hardware.  We&apos;ll be brushing aside the dust and trying to figure out part of the cost.
 
 
</itunes:summary>
            <itunes:duration>48:08</itunes:duration>
            <itunes:author>D.J. Capelis</itunes:author>
            <itunes:keywords>D.J. Capelis, defcon, def con, hacking, hackers, information security, hacking, convention, computer security, DC 15, Defcon 15, dc-15</itunes:keywords>
            <itunes:explicit>no</itunes:explicit>
            <itunes:block>no</itunes:block>
            <media:content isDefault='true' framerate='25' url='http://media.defcon.org/dc-15/audio/Defcon15-DJ_Capelis-Virtualization-Enough_holes_to_work_Vegas.mp3' type='audio/mpeg' expression='full' bitrate='192' fileSize='11302' height='320' duration='173280' width='240'>
                <media:title>D.J. Capelis: Virtualization: Enough holes to work Vegas</media:title>
                <media:text type='plain'>Have you tried to firewall a machine from itself?  Have you ever tried to protect a machine with a multi-personality disorder?  These questions are brought to us by the wonderful technology of virtualization.  Though the technology is clearly sexy, security has clearly been an afterthought. 
 While every product claims isolation, it seems that&apos;s only when you don&apos;t have an attacker involved.  Des