The Black Hat Briefings '01, November 21st- 22nd Amsterdam

SPEAKERS

The goal of the talks is to inform the audience about current system vulnerabilities and their fixes, as well as future areas of concern. We cover a broad range of security issues from the perspective of the network administrator, system cracker, and IS manager. Because of our unique speakers, the Black Hat Briefings will offer the audience a deep insight into the real security issues facing your network, with no vendor pitches!

For Amsterdam we will feature a combination of top US and International speakers focusing on technical issues, and plenty of opportunity to interact with them in a social and informal setting.
New for 2001 will be the addition of the "Deep Knowledge" speakers.

Keynote Speakers
Wilco Van Ginkel , Senior Security Consultant, Ubizen

The Other Side of Information Security

Until now, the focus of Information Security within organisations was mainly technical. Organisations are becoming more and more aware of the fact that this technical side – although very important – is just one part of the total security solution. Currently, organisations are increasingly changing their focus to the organisational side of Information Security because:

  1. The other part of the total security solution is missing.
  2. Information Security is treated more and more as just another business need in the overall business process of an organisation. This means that Information Security should start from the organisational side.

In order to control the organisational issues of Information Security, a business approach is needed. Such an approach will be the subject of this keynote and will give the audience an overview, ideas, references, hints & tips of this organisational side. Items to be discussed are:

  • Business Assessment
  • Risk Analysis
  • Security Policies & Procedures
  • Security Standards
  • Security Awareness
  • Where Organisational meets Technical

Scott Blake, Director of Security Strategy, Bindview Corporation

Politics of Vulnerability Reporting

The vulnerability reporting process is rife with competing interests. Research is conducted by software vendors themselves, paid consultants, government agencies, professional and academic researchers, as well as people who make their living in other ways. Each of these groups has particular interests in the process. The vendor of the targeted software has its own concerns. The public at large has an interest in the process (and its results), but it is unclear what the public should be concerned with. This talk explores vulnerability reporting from all angles, including that of the public good. Attendees will learn a rudimentary cognitive framework for understanding the powers in play in vulnerability reporting and apply it to understand the present and the future of security.

As BindView's Director of Security Strategy and an internationally recognized security expert, Blake is responsible for providing security expertise to BindView's corporate strategy and operations. Before taking this role, Blake was the leader of BindView's RAZOR security research team. Prior to joining BindView, Blake designed perimeter security, network security architectures, and developed security policies for several large companies including leaders in financial services and telecommunications, as well as several large hospitals and universities. Blake has spoken at many security conferences, authored numerous articles on security topics and is frequently sought by the press for commentary. He holds a BA in Social Sciences (International Relations) from Simon's Rock College and an MA in Sociology (Political Theory) from Brandeis University.


General Session Speakers
Nicolas Fischbach - Sébastien Lacoste-Séris - Sécurité.Org, COLT Telecom

Protecting your IP Network Infrastructure

This speech will focus on layer 2 and 3 protocols and their associated risks, on router and switch security, and on best practices, directly from the guys running a large IP network and Internet Solution Centre.

The content of the presentation is complementary to FX's talk: while he focuses on routing protocol attacks, we will show you how to detect them, protect against them and improve the security of your IP-based network.

Most of the examples, configuration samples and tips will focus on the Cisco routers, switches and multi-layer switches running IOS and/or CatOS.

Nicolas Fischbach works as a Senior IP and Security Engineer, and Sébastien Lacoste-Séris is the Security Officer and manages the IP Research & Development Department at COLT Telecom AG, a leading provider of high-bandwidth data, Internet and voice services in Europe.

Nicolas works on network and security architectures and processes for major financial institutes, insurance companies and hosting/housing projects. Previously he was responsible for the Swiss network, systems and Internet Solution Centre architecture and security. He worked for a French ISP and also teaches network and security courses in engineering schools and universities. He has an Engineer degree in Networking and Distributed Computing.

Sébastien is in charge of network and systems security and design for Switzerland and is part of COLT Group's security taskforce. His team works on the evaluation and integration of new technologies. He previously worked for several major French ISPs, and he also did consulting and software security auditing (ITSEC) for a security company. He has an Engineer degree in Computing Sciences and Networking.

Sébastien and Nicolas are co-founders of Sécurité.Org, a French-speaking portal on computer and network security. You can reach them at webmaster@securite.org


FX - Phenoelit

Routing and Tunneling Protocol Attacks

The functionality and security of TCP/IP networks depends on the layer 2 and 3 traffic flow information. Attacks against these layers will immediately affect the operation of your network and the security of your servers.

Working hand in hand with Nicolas and Sébastien, this speech will provide you with the possible attack scenarios: layer 2 attacks (alias "interception"), router discovery, and how an attacker can influence the flow of information in your network using a variety of routing protocols. Another key point is the impact of these attacks on your everyday business and why you should include the communication layers in your security considerations.

The finale will explain attacks against several tunneling mechanisms used for large corporate networks and how things like GRE, IPIP and others can enable intruders to attack your supposedly protected systems in RFC1918 networks. Also, the issues surrounding IPv6 islands will be discussed.

FX is the leader of the German Phenoelit group. His and the group's primary interests are the security implementations and implications of standards or less-known protocols. FX works as a Security Solution Consultant at n.runs GmbH http://www.nruns.com


Job de Haas - ITSX

Mobile Security: SMS and WAP

With all developments leading to more and more sophisticated features in mobile devices, the threats are increasing as well. The use of the mobile phone as a device that is always available, and soon to be an 'always on' IP-connected (GPRS etc.) device, will make it an interesting platform for many parties to develop applications on.

Because a repetition of all the problems encountered with PCs is to be expected, an overview will be given of the two mobile technologies SMS and WAP. For each, the technical background will be given together with their respective risks and expected vulnerabilities. The presentation is not from the point of view of a developer, but from the point of view of the attacked. The information is aimed at people who are asked to look into the security of these technologies and at people who would like to do research in this area themselves. Although a few demos will be given, the talk mainly tries to identify where problems will occur in the future.

Job de Haas, like many others in the IT and Internet industry, started his career in another technical field. Shortly before finishing his Electrical Engineering studies, in 1991, he came into contact with the Internet. From that moment on, he's been interested in computer security. 

In the beginning this interest was a hobby, albeit a very time consuming one. This was noticed by the first Internet providers that started to appear in The Netherlands. Their systems were almost never secure, and Job cleverly used their offers to give him free Internet access in trade for pointing out security flaws in their systems. This exercise in breaking security has proved to be an invaluable asset when protecting systems, since one can only protect what one can crack. 

Apart from this, Job has been a cryptographic programmer at DigiCash, which has developed a cryptographically secure anonymous payment system for the Internet. 


Marc Witteman

Smart Card Security

Electronic communication is under constant threat of eavesdropping, impersonation, and falsification. Cryptography can provide a level of security to guarantee confidentiality, authentication and integrity. Smart cards are relatively new cryptographic devices that may help to realize secure communication. The key benefits of smart cards are:

  • Secure data storage
  • Strong encryption
  • Small and portable device
  • Cheap (under $10)

Smart card application areas are everywhere: communication, entertainment, retail, transportation, health care, government, e-commerce, e-banking, education and offices. Although many applications are promising or growing strongly, the absolute killer-app is GSM. Worldwide, over one billion smart cards are deployed as Secure Identification Module (SIM) in GSM handsets. Technically speaking, a smart card chip is a pretty complete computer with limited resources. It contains a CPU, but also three types of memory (ROM, RAM and EEPROM). Furthermore it contains interface circuits, security and test logic.

Basic security features include:

  • fuses and security logic (sensors)
  • application and operating system separation (Java card)
  • restricted file access and life cycle control
  • cryptographic coprocessors and random generators
  • various cryptographic algorithms and protocols

Despite all these security features, even smart cards are not absolutely secure. Three classes of attacks are distinguished:

  • Logical and cryptanalysis attacks
  • Internal attacks
  • Side channel attacks

Logical attacks include penetration tests (command exploration), but also protocol and cryptanalysis attacks. These attacks hardly require any investment in equipment and have proven successful on GSM SIM cards. Internal attacks are invasive, and often destructive; they aim at reverse engineering the device. Instruments used for this type of attack include etching tools, microscopes, probe stations and focused ion beams. Even though costly, these attacks can be very successful, and have repeatedly been used in Pay-TV fraud. Side channel attacks use leaked information and signal injection to analyze and manipulate smart card behavior. These attacks have been developed recently and are surprisingly effective on virtually all smart cards. They require some low-end lab equipment (oscilloscopes and pulse generators) and a good knowledge of signal analysis, cryptography and statistics.

Marc Witteman got his MSc degree in Electrical Engineering at the Delft University of Technology in the Netherlands. In 1989 he joined KPN where he initially worked on GSM development. Later he worked on testing theory, which resulted in a couple of scientific papers and patent applications.

From 1994 he moved to the area of smart cards. During 1996 and 1997 he was affiliated with the ETSI standardization body where he headed a smart card team. In 1997 he moved to TNO where he became a research leader in smart card security projects. He developed and published many new smart card evaluation methods. In 2001 he started his own consulting company called Riscure, and also joined Dutchtone as a part-time senior security analyst.


JD Glaser - Senior Software Engineer, Foundstone, Inc
Saumil Udayan Shah - Principal Consultant, Foundstone, Inc

One-Way SQL Hacking: Futility of Firewalls in Web Hacking

Topics covered will be:

  • Overview of Web attacks 
  • One-way attacks 
  • SQL Entry points 
  • Privilege escalation 
  • Installing a web based sql command prompt 
  • Back-end Database Enumeration tool

One Way SQL Web Hacking: SQL Web hacking is the next generation of hacking "kung fu." This talk expands on our previous web talks with new SQL techniques for taking apart an e-commerce site. Join us for an eye-opening demonstration of what can go wrong with poorly secured Web applications, how severe the risks are, and how to protect yourself and your company.

We shall be covering vulnerabilities ranging from web server misconfigurations, improper URL parsing, application level vulnerabilities, Java application server hacking and some special advanced techniques. 

JD provides customized NT network security and audit tools for Foundstone. He specializes in Windows NT system software development and COM/DCOM application development. His most recent achievement was the successful formation of NT OBJECTives, Inc., a software company exclusively centered on building NT security tools. Since its inception, over 100,000 of those security tools have been downloaded and put into practice. In addition, he has written several critical, unique intrusion audit papers on NT intrusion forensic issues. Currently, JD has been retained as a featured speaker/trainer for all the BlackHat Conferences on NT security issues.

Saumil provides information security consulting services to Foundstone clients, specializing in ethical hacking and security architecture. He holds a designation as a Certified Information Systems Security Professional (CISSP). Saumil has over 6 years of experience with system administration, network architecture, integrating heterogeneous platforms and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT arena. Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for their ethical hacking and security architecture solutions.

Saumil graduated from Purdue University with a Masters in Computer Science and a strong research background in operating systems, computer networking, information security and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in Computer Engineering from Gujarat University, India. Saumil has also authored a book titled "The Anti-Virus Book" published by Tata McGraw-Hill India. Saumil has also worked at the Indian Institute of Management, Ahmedabad as a research assistant.


Jeremiah Grossman, Founder and Chairman of WhiteHat Security

Web Application Security: The Land that Information Security Forgot

Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications remain undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential.

Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".

This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attack in action, and possible countermeasures.

Jeremiah Grossman is the founder and chairman of WhiteHat Security, and a former information security officer with Yahoo!. As information security officer at Yahoo!, Jeremiah designed, audited, and penetration-tested the huge company's web applications, which demand the highest security.

During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions such as the Defcon, Air Force and Technology Conference, ToorCon, and others.

Jeremiah is a lead contributor to the "Open Web Application Security Project" www.owasp.com and considered to be among the foremost web security experts.


Ofir Arkin - Managing Security Architect, @stake

Xprobe - Remote ICMP Based OS Fingerprinting Techniques 

Written and maintained by Fyodor Yarochkin and Ofir Arkin, Xprobe is an Active OS fingerprinting tool based on Ofir Arkin's ICMP Usage in Scanning Research project (http://www.sys-security.com).

Xprobe is an alternative to some tools which are heavily dependent upon the usage of the TCP protocol for remote active operating system fingerprinting.

Xprobe's inner workings will be discussed and explained. This includes the various active OS fingerprinting methods using the ICMP protocol implemented with the tool, and the little tricks and gizmos used in the process. The tool's advantages, as well as disadvantages, will be demonstrated.

A new version of Xprobe will be presented (v0.1, to be released at Black Hat Europe 2001) adding a signature database support to the tool. I will be explaining how this new version works, and what problems it aims to solve.

The tool's limitations, ways to detect its usage, and how to defeat its usage will also be discussed. Future plans and enhancements will also be presented.

Ofir Arkin is a Managing Security Architect for @stake. Ofir is most widely known for his research about the ICMP protocol usage in scanning. He has extensive knowledge and experience with many aspects of the Information Security field including: Cryptography, Firewalls, Intrusion Detection, OS Security, TCP/IP, Network Security, Internet Security, Networking Devices Security, Security Assessment, Penetration Testing, E-Commerce, and Information Warfare. Ofir has worked as consultant for several European finance institutes where he played the role of Senior Security Analyst, and Chief Security Architect in major projects. Ofir has published several papers, the newest deal with "Passive Fingerprinting techniques" and with the "ICMP protocol usage In Scanning", available from his web site http://www.sys-security.com


David Litchfield, Managing Director and co-founder of Next Generation Security Software

Hackproofing Lotus Domino

This talk will discuss and demonstrate how an attacker would attempt to break into a web server running Lotus Domino on an NT or UNIX platform and how to secure against the methods used. Further to the known issues, David will examine four new features and bugs with Domino that can allow an attacker to read arbitrary files from the file system, enumerate every Notes database on the server and discover every form, agent and view, both hidden and visible, in a given database remotely. Lastly, David will consider the security implications of running Domino as a component of Microsoft's Internet Information Server and what new holes are opened up by this and what must be done to secure the server.


LSD, Last Stage of Delirium Research Group

Kernel Level Vulnerabilities Exploitation: Behind the Scenes of the 5th Argus Hacking Contest

During the presentation a general discussion of kernel level security vulnerabilities and their exploitation techniques will be given. Specifically, the x86 operating systems LDT bug will be presented along with another, yet-unpublished kernel level security vulnerability. Next, a brief reconstruction of the events which led us to winning the 5th Argus Hacking Contest will be given. It will include a brief discussion of the contest's rules, an explanation of the uselessness of standard user mode vulnerabilities and finally the technique that had to be applied in order to adapt the LDT bug to hack the Argus Pitbull Foundation B1 operating system.

Along with the presentation, an accompanying technical document will be provided, containing more detailed discussion concerning presented material. It will include ready to use sample codes for exploiting discussed kernel level vulnerabilities along with the Argus Pitbull exploit code used during the hacking contest.

Last Stage of Delirium Research Group is a non-profit organization established in 1996 in Poland. Its main fields of activity cover various aspects of modern network and information security, with special emphasis on analysis of technologies for gaining unauthorized accesses to systems (including the actual search for vulnerabilities, developing reverse engineering tools, proof of concept codes as well as general technologies for exploitation of vulnerabilities). The group has significant experience in performing penetration tests (based upon own codes, tools and techniques) as well as in design and deployment of security solutions for complex network infrastructures including experiments with Intrusion Detection and Prevention Systems.

The group consists of four members, all graduates (M.Sc.) of Computer Science from the Poznan University of Technology. For the last six years they have been working as Security Team at Poznan Supercomputing and Networking Center. As the LSD Research Team, they have also discovered several vulnerabilities for commercial systems and provided proof of concept codes for many others. More information including samples of their work can be found at the LSD website.


Deep Knowledge Speakers
Halvar Flake, Reverse Engineer - Black Hat Consulting

Third Generation Exploits on NT/Win2k Platforms

Because standard stack-smashing overflows are getting a bit rare in well-audited code, new ways of executing arbitrary code on attacked machines are badly needed. With the appearance of format string bugs and malloc()/free() manipulations, the attacking side has two powerful techniques for writing more or less arbitrary data to more or less arbitrary locations.

Assuming we classify the different overrun exploitation techniques into generations it could look like this:

Generation 1: Standard return address overwrites
Generation 2: Frame pointer overwrites, off-by-ones etc.
Generation 3: malloc()/free() overwrites, format bugs etc.

While third generation exploits have been documented on *NIX platforms, documentation concerning their exploitation under NT/Win2k is rare. But this class of vulnerabilities is especially interesting from the reverse engineer's perspective on closed-source platforms, as traditional means of vulnerability research (e.g. stress testing with tools like Retina(tm) or Hailstorm(tm)) fail to detect these problems.

This speech will consist of two halves: The first half will cover format string vulnerabilities, covering all aspects ranging from detection (both in source and binary) to reliable exploitation in multithreaded environments without killing the exploited service. The second half of the speech will focus on malloc()/free() overwrites, explaining their general principle, documenting the different implementations of heap management under NT/Win2k (Borland C++, Visual C++, native operating system support in various versions etc.) and explaining how to exploit them in various situations.

Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development, he recently joined BlackHat as their main reverse engineer.


Dale Coddington - Systems Security Engineer, eEye Digital Security
Ryan Permeh - Developer and Researcher, eEye Digital Security

Decoding and Understanding Internet Worms

In the past months Internet worms have grown in popularity with the advent of Code Red, Code Red II, and Nimda.  It is becoming increasingly important for both system administrators and security professionals alike to understand the ways worms proliferate and also ways to mitigate the spread of worms. Through lecture and hands-on laboratory exercises this course will take a look at worms “under the hood”. This course will take the student through a historical overview of past worms and an actual analysis of a recent worm. Due to the technical nature of this course it is recommended that participants are familiar with using a disassembler. In order to participate in the hands-on segments of the course students are encouraged to bring a Windows 2000 laptop loaded with their disassembler of choice. Instructors will be using Ida Pro v4.17.

Dale Coddington is a Systems Security Engineer with eEye Digital Security, a computer security products and consulting company located in sunny Southern California. In the past Dale has conducted training courses at several NASA Centers, the State of Washington, the Naval Justice Center, privately owned companies in the U.S. and abroad, and the U.S. Department of Justice. In 1999 Dale was appointed one of two technical consultants by the Defense Team of Kevin Mitnick.

Ryan Permeh is a Developer and Researcher with eEye Digital Security. He works on the Retina and SecureIIS product lines and leads disassembly and custom exploitation efforts for eEye's research team. He has experience in NT systems and application programming as well as large-scale secure network deployment and maintenance.


Shaun Clowes - IT Director, SecureReality

injectso: Modifying and Spying on Running Processes Under Linux and Solaris

In a 1994 Windows Systems Journal article Jeffrey Richter described a method for injecting Dynamic Link Libraries into running Windows processes. The method, generally referred to as injecting a DLL, has since become an extremely common technique in low level Windows utilities, particularly when combined with a variety of methods of modifying the process's behaviour after DLL injection.

Being able to safely and easily modify a process's behaviour at run time provides an amazing array of opportunities for the systems programmer, or black/whitehat, since it can be used to:

  • Insert debugging/profiling routines at run time 
  • Dynamically modify a running program to be invulnerable to a known security issue 
  • Dynamically backdoor a running process leaving no obvious traces (e.g. modified disk binaries, restarted services)

In this talk Shaun will discuss and demonstrate various methods that have commonly been used in Unix operating systems to modify the behaviour of processes, including binary patching, dynamic loader interception and in-core patching. He will then present a new tool called injectso that can inject shared libraries into Linux/Solaris processes and assist the libraries in intercepting function calls occurring inside the running process. He will then demonstrate use of the tool (and shared libraries using features of the tool) to protect a vulnerable process and to subvert a running process.

Shaun Clowes is the IT Director of SecureReality, a small cutting edge security consultancy based in Sydney, Australia. Shaun holds an honors degree in Computing Science from the University of Technology Sydney and has a wide technical  background in IT including Unix systems programming, networking and systems/security administration. Shaun leads the vulnerability research arm of SecureReality which is broadly exploring the security landscape testing both the obvious targets and the glue that holds everything together.


Anders Ingeborn, Vulnerability Assessment - iXsecurity

IDS Evasion Design Tricks for Buffer Overflow Exploits

The concept of double injection for stack overflow exploits can be used to reduce the size needed for an initial payload. If a payload is small enough not to disrupt the underlying stack frame, a clean return might be possible. A clean return means that the process won't crash. No crash means no log entry, and that adds to the requirements of a host based intrusion detection system. To take advantage of this trick it is necessary to know some of the memory addresses within the vulnerable server application. One problem is that if the overflow occurs in a dynamically loaded library, the addresses will be set at run time and might differ from what's requested at compile time. I will specifically discuss an example of a clean return into a DLL.

I will also cover a way to disassemble an application to get the information needed to write an exploit that uses the existing network connection. By doing so, no packets with unrecognized port numbers will be sent over the network. That means a lot of network based intrusion detection systems will be given more of a challenge. I will finish with a discussion of some ways to detect/prevent attacks with these tricks. This presentation builds further on to the one held at Defcon 9 this summer.

Anders Ingeborn works with vulnerability assessment and penetration tests at iXsecurity in Sweden. iXsecurity's clients during the last couple of years include government agencies, banks, nuclear power plants and major corporations throughout Scandinavia. Anders also holds an MS in computer security.


Tim Mullen - CIO,  AnchorIS.Com

Web Vulnerability and SQL Injection Countermeasures: Securing Your Servers From the Most Insidious of Attacks

The demands of the Global Marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas.

Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open for attack. This session will take a look at the vulnerabilities created by deploying weak web forms, the manipulation of URL structures, the injection of SQL code, and other methods. From there, we will take an in-depth look at what steps to take to minimize the impact of these attacks, including:

  • User Input Validation and Sanitation
  • Variable declaration and typing
  • SQL procedure structure and parameter passing
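The three countermeasures listed above, as an added example that is not part of the talk or of this page: an unsafe concatenated lookup beside a hardened one, run against a constructed in-memory SQLite table (the talk's MS SQL Server is not needed to show the point; the table, rows and username pattern are assumptions made here).

```python
"""Added example (not from the talk): input validation, typed variables
and parameter passing applied to a customer lookup, with the weak
concatenated query shown beside the hardened version."""
import re
import sqlite3

# Constructed sample data standing in for a customer table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]

# Countermeasure 1: validate user input against an allowlist pattern
# (assumed username policy: lowercase start, up to 32 chars).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def open_sample_db():
    """Create the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Weak design: user input is pasted into the SQL text, so the
    database cannot distinguish data from code."""
    sql = "SELECT id, name, email FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Hardened design: allowlist validation first, then parameter
    passing so the value is bound as data and never parsed as SQL."""
    if not isinstance(name, str) or not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    sql = "SELECT id, name, email FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_by_id_hardened(conn, raw_id):
    """Countermeasure 2: declare the expected type and convert before
    use, so a URL parameter like id=2 can carry nothing but an integer."""
    try:
        customer_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    if customer_id <= 0:
        raise ValueError("id must be positive")
    sql = "SELECT id, name, email FROM customer WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def demo():
    """Run both designs against the same tautology input."""
    conn = open_sample_db()
    # In the unsafe query this becomes WHERE name = '' OR '1'='1',
    # which is true for every row.
    tautology = "' OR '1'='1"
    leaked = lookup_unsafe(conn, tautology)
    # The hardened lookup rejects it at validation time ...
    try:
        lookup_hardened(conn, tautology)
        rejected = False
    except ValueError:
        rejected = True
    # ... and even if validation were skipped, binding keeps it as a
    # literal string that matches no customer name.
    bound = conn.execute(
        "SELECT id FROM customer WHERE name = ?", (tautology,)).fetchall()
    return {
        "unsafe_rows": len(leaked),
        "hardened_rejected": rejected,
        "bound_rows": len(bound),
        "by_id": lookup_by_id_hardened(conn, "2")[0][1],
    }


if __name__ == "__main__":
    print(demo())
```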

Live demonstrations highlighting potential issues in currently deployed real-world web applications will be made, followed by an audience participation session where we will use some of the covered topics to analyze the extent that these companies are vulnerable, and what could be done to mitigate the risk these sites pose.

Attendees will also get the first look at SQueaL, a Linux-based tool written by Thor (based on DilDog's TalkNTLM code) that acts as a rogue MS SQL Server to accept SQL connections and negotiate NTLM authentication in order to parse out a client's username and challenge/response pairs.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions. Mullen is also a columnist for Security Focus' Microsoft Focus section, and a regular contributor of InFocus technical articles. A.k.a. Thor, he is the founder of the "Hammer of God" security coop group.