Wednesday, January 7, 2009

Black Hat DC 2009 Briefings Speakers

Hyatt Regency Crystal City • February 16-17



Speakers and Topics



Michael Flick

XSS Anonymous Browser

Current anonymous Internet browsing applications build dynamic routes using a network of willing hosts and layers of encryption along the route. The cross site scripting anonymous browser ("XAB") exploits vulnerable web sites/applications and victim browsers to build a network of drones. The intent of XAB is not to replace the current applications, such as Tor, but rather to provide an alternative that does not require willing participants and further stretches the functionality and intent of JavaScript and other browser technology.

For more than 8 years, Matt Flick has developed his career in the information security industry, with expertise in application security and other areas within information security management, services, and auditing. Matt has worked with both commercial and federal government clients to help plan, develop, and assess their information security programs. Matt is currently a Principal with FYRM Associates Inc., an information security professional services organization, and a member of OWASP DC, ISACA and ISSA.

Xinwen Fu

One Cell is Enough to Break Tor's Anonymity

Tor is a real-world, circuit-based, low-latency anonymous communication network supporting TCP applications over the Internet. In this talk, we will present a new class of attacks, protocol-level attacks, against Tor. Unlike existing attacks, these attacks can confirm anonymous communication relationships quickly and accurately by manipulating one single cell, and they pose a serious threat to Tor. In protocol-level attacks, a malicious entry onion router may duplicate, modify, insert, or delete cells of a TCP stream from a sender. The manipulated cells traverse middle onion routers and arrive at an exit onion router along a circuit. Because Tor uses counter-mode AES (AES-CTR) for encrypting cells, the manipulated cells disrupt the normal counter at the exit onion router, and decryption there incurs cell recognition errors, which are unique to the investigated protocol-level attacks. If an accomplice of the attacker at the entry onion router also controls the exit onion router and recognizes such cell recognition errors, the communication relationship between the sender and receiver is confirmed. Protocol-level attacks can also be used to launch denial-of-service (DoS) attacks that disrupt the operation of Tor. We systematically analyze the impact of these attacks. We have implemented these attacks on Tor, and our experiments validate their effectiveness and efficiency. We also present guidelines for defending against such attacks.

Xinwen Fu is an assistant professor in the Department of Computer Science, University of Massachusetts Lowell. He has been teaching classes on software security, intrusion detection, digital forensics and basic computer security stuff. The presentations from Black Hat Briefings are his favorite class materials. He tried his best to demonstrate those tricks to students. "Hack Proofing Your Network" was the textbook for his classes, software security and intrusion detection. Dr. Fu's current research interests are in network security and privacy. He has been building systems, and hacking kernels and systems through his research. He believes that hacking plays a key role in making systems secure.

Travis Goodspeed

Reversing and Exploiting Wireless Sensors

Wireless sensors will soon be part of many industrial, military, and home networks. Of the various networking protocols (Zigbee, ISA100, Wireless HART, 6LowPAN, and others), none has yet become a definitive standard. Neither have vendors standardized upon a given operating system, compiler, or microcontroller. Users of these sensor networks are often given no command line, no internal documentation, and no access to the internals of each device.

This lecture provides a thorough introduction to reverse engineering such devices, both in hardware and in software. Along the way, plenty of methods of exploiting and patching them will be covered.

Travis Goodspeed is a neighborly fellow from Knoxville in Southern Appalachia. He has spoken at ToorCon 9 and the Texas Instruments Developer's Conference regarding stack overflow exploits of the MSP430-based wireless sensor networks. At Black Hat 2008, he demonstrated a timing attack which allows confidential code to be extracted from recent revisions of the chip. Having demonstrated that such attacks are possible, his present research is aimed at porting defense techniques to low-power embedded systems.

Vincenzo Iozzo

Let Your Mach-O Fly

As Mac OS X spreads among users, new exploitation techniques for it have to be discovered. Although many interesting exploitation approaches on OS X have been presented in the past, the lack of anti-forensics techniques is clear. The talk focuses on an in-memory injection technique: specifically, how it is possible to inject into a victim's machine any kind of binary, ranging from your own piece of code to real applications like Safari. This is accomplished without leaving traces on the hard disk and without creating a new process, since the whole exploitation is performed in memory. If an attacker is able to execute code on the target machine, this attack can be run instead of a classic shellcode and used as a trampoline for higher-level payloads. Other similar payloads, like meterpreter or meterpretux, exist, but none of them is able to run on Mac OS X. Besides, many of those techniques require running specially crafted binaries, so precompiled applications are left out of the possible range of payloads.

Vincenzo Iozzo is a student at the Politecnico di Milano, where he does research on malware and IDS. He is involved in a number of open source projects, including FreeBSD through Google Summer of Code. He also works as a security consultant for Secure Network, an Italian company, and as a reverse engineer for Zynamics.

Prajakta Jagdale

Blinded by Flash: Widespread Security Risks Flash Developers Don't See

In this presentation I will examine the Flash framework and then delve into the Flash security model and the transitions it has undergone over the years. To explore the avenues of compromise in the security model, I will use a test Flash application and demonstrate various attack vectors including Cross-Site Request Forgery, data injection and script injection. During this demonstration, I will explain the associated threats in detail and discuss means to mitigate these threats. Even though the test application validates the attack surface, the question remains: how many applications actually deployed are vulnerable to these threats? I will answer this question by providing astonishing statistics about vulnerable, real world applications I was able to find using simple Google queries. At the end of the presentation, I will demonstrate and deliver a free tool designed to perform Flash Security Analysis. The tool will decompile SWF files and detect and report vulnerabilities in Flash applications developed using any Actionscript version.

Prajakta Jagdale is a Research Engineer with the HP Web Security Research Group. Prajakta focuses on automated discovery of Web application vulnerabilities and crawling technologies. Her current research efforts are concentrated towards identifying security risks associated with RIA technologies. This research involves developing innovative techniques to enable automated web assessment tools to crawl and analyze RIA applications through the use of both static source code analysis and dynamic runtime analysis.

Dan Kaminsky

DNS 2008 and the New (old) Nature of Critical Infrastructure

TBA

Dan Kaminsky is the Director of Penetration Testing for Seattle-based IOActive, where he is greatly enjoying having minions. Formerly of Cisco and Avaya, Dan was most recently one of the "Blue Hat Hackers" tasked with auditing Microsoft's Vista client and Windows Server 2008 operating systems. He specializes in absurdly large scale network sweeps, strange packet tricks, and design bugs.

William Kimball

Emulation-based Software Protection Providing Encrypted Code Execution and Page Granularity Code Signing

We present an original emulation-based software protection scheme providing protection from reverse code engineering (RCE) and software exploitation using encrypted code execution and page-granularity code signing, respectively. Protection mechanisms execute in trusted emulators while remaining out-of-band of the untrusted systems being emulated. This protection scheme is called SecureQEMU and is based on a modified version of Quick Emulator (QEMU). RCE uncovers the internal workings of a program; it is used during vulnerability and intellectual property (IP) discovery. To protect against RCE, program code may incorporate anti-disassembly, anti-debugging, and obfuscation techniques. These techniques slow the process of RCE; however, once they are defeated, the protected code is still comprehensible. Encryption provides static code protection, but encrypted code must be decrypted before execution. SecureQEMU's scheme overcomes this limitation by keeping code encrypted during execution. Software exploitation leverages design and implementation errors to cause unintended behavior, which may result in security policy violations. Traditional exploitation protection mechanisms take a blacklist approach to software protection, and specially crafted exploit payloads bypass them. SecureQEMU takes a whitelist approach by executing signed code exclusively. Unsigned malicious code (exploits, backdoors, rootkits, etc.) remains unexecuted, thereby protecting the system.

William Kimball has an M.S. in Cyber Operations from the Air Force Institute of Technology and a B.S. in Computer Science from the University of Dayton, and is currently a research assistant for the Center for Cyberspace Research. Kimball is the developer of Fylasso Antivulnerability, ShellDeny, L.E.V.I. (released at BlackHat U.S. 06), the Vulnerability Discovery Framework and SecureQEMU. Kimball has spoken at BlackHat, ISSA, Ohio Information Security Group and Ohio Academy of Science, and has briefed the Air Force Scientific Advisory Board, Swedish Defense Ministry, and other U.S. military and government officials.

Paul Kurtz

Keynote

Paul B. Kurtz is a recognized cyber security and homeland security expert. He served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush and is currently an on-air consultant to CBS News. Mr. Kurtz advises clients on cyber-security and homeland security issues. He joins Good Harbor after serving as the founding Executive Director of the Cyber Security Industry Alliance (CSIA), an advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems through public policy, technology, education and awareness. Prior to joining CSIA, Mr. Kurtz most recently was special assistant to the President and senior director for critical infrastructure protection on the White House's Homeland Security Council (HSC), where he was responsible for both physical and cyber security. Before joining HSC in 2003, Mr. Kurtz served on the White House's National Security Council (NSC) as senior director for national security of the Office of Cyberspace Security and a member of the President's Critical Infrastructure Protection Board, where he developed the international component of the National Strategy to Secure Cyberspace. Previously, he was a director for counterterrorism in the NSC's Office of Transnational Threats from 1999 to 2001. Prior to his White House work, Mr. Kurtz served in several bureaus in the State Department, specializing in weapons of mass destruction non-proliferation policy and strategic arms control. He also served as political advisor to Operation Provide Comfort in Incirlik, Turkey, and as science attaché in Vienna, Austria. He participated in several arms control inspection teams, traveling to Iraq and North Korea. Mr. Kurtz received his bachelor's degree from Holy Cross College and his master's degree in International Public Policy from Johns Hopkins University's School of Advanced International Studies.

Brian Krumheuer

QuietRIATT: Rebuilding the Import Address Table Using Hooked DLL Calls

For a reverse engineer, rebuilding a large Import Address Table (IAT) can be a very time-consuming and tedious process. When the IAT has been sufficiently hashed and current IAT rebuilders fail to resolve any of the calls, there is little choice but to rebuild it by hand. Depending on the size, it can take days or even weeks. Also, doing anything by hand is prone to mistakes.

QuietRIATT is an IDA Pro plug-in which automates the process of rebuilding the IAT when it can’t be done by current IAT tools. Not only can it greatly reduce the amount of time spent rebuilding by hand, it also removes the element of human error.

Brian Krumheuer is a Reverse Engineer for the Software Security Team at Riverside Research Institute. He worked for over eight years in IT and Software Development before entering the field of Reverse Engineering. Currently, he plays a vital role on the team by developing many ring-3 and ring-0 reverse engineering tools for both Windows and Linux. He has also helped create an instructional course on Reverse Engineering.

Jason Raber serves as the technical lead for the Riverside Research Institute Red Team, which provides government and commercial entities with specialized software security support. Focus areas include:

Reverse Engineering: Specializes in extracting intellectual property from a broad spectrum of software. This includes user applications, DLLs, drivers, OS kernels, and firmware. The software can be based on a variety of platforms (Windows/Linux/Mac/Embedded etc).

Malware/Virus/RootKit Analysis: Identifies and analyzes intrusion software to characterize and/or neutralize the threat.

Jason has spent 8 years in the world of reverse engineering, preceded by 5 years working at Texas Instruments developing compiler tools for DSPs (code generators, assemblers, linkers, disassemblers, etc). Developing C compilers for 5 years prior to reverse engineering has provided a good foundation for understanding machine language and hardware, which is utilized in reverse engineering tasks.

Adam Laurie

Satellite Hacking for Fun and Profit

Ever wondered just how much data and how many services are being beamed down at you from space right now? We all know there are thousands of channels out there, but how can we make sense of them all? How can we find the stuff "they" don't want us to know about? Is there any such stuff? What can we do with it once we've found it? Will we go blind, like mother told us?

Adam Laurie is Chief Security Officer and Technical Director of The Bunker Secure Hosting Ltd., and has been involved in the computer industry since the Eighties. In the late Nineties, he and his brother, Ben Laurie, published the secure web server package 'Apache-SSL', which went on to become the leading secure web server software worldwide, and set the de-facto standard. This, in turn, led to a focus on computer security, and the founding of 'The Bunker', a hosting facility dedicated to highly-secure hosting. Adam has been responsible, since its inception, for the recruitment and training of all of the security and sysadmin staff at The Bunker, and continues to provide the framework for ongoing and future training. He is also a long-time member of the DEFCON 'goon' staff, and was involved in the initial years of setting up the Black Hat conferences. In his spare time (what little of it there is), he likes to make small (usually round) holes in things, preferably from a great distance.

Andrew Lindell

Making Privacy-Preserving Data Mining Practical with Smartcards

Data mining provides large benefits to the commercial, government and homeland security sectors, but the aggregation and storage of huge amounts of data about citizens inevitably leads to erosion of privacy. To achieve the benefits that data mining has to offer, while at the same time enhancing privacy, we need technological solutions that simultaneously enable data mining while preserving privacy. This need has been recognized by the US government, as can be seen in the February 2008 report on data mining by the Office of the Director of National Intelligence (see pages 9-12). In this presentation, we demonstrate surprisingly simple and extraordinarily efficient protocols for a number of non-trivial tasks related to privacy-preserving data mining. Our protocols use standard smartcards and standard smartcard infrastructure, and are the first truly practical solutions for these problems that provide strong security guarantees.

Andrew Lindell is the Chief Cryptographer at Aladdin Knowledge Systems and an Assistant Professor at Bar-Ilan University in Israel. Andrew attained a Ph.D. at the Weizmann Institute of Science in 2002 and spent two years at the IBM T.J. Watson research lab as a postdoctoral fellow in the cryptography research group. Andrew has carried out extensive research in cryptography, and has published more than 50 conference and journal publications, as well as an undergraduate textbook on cryptography and a book detailing secure protocols. Andrew has presented at numerous international conferences, workshops and university seminars, and has served on program committees for top international conferences in cryptography. In addition to his notable academic experience, Andrew joined Aladdin Knowledge Systems in 2004. In his position as Chief Cryptographer, he has worked on the cryptographic and security issues that arise in the design and construction of authentication schemes, smartcard applications, software protection schemes and more. Offering a unique combination of academic and industry experience, Andrew brings a fresh and insightful perspective on many of the crucial security issues that arise today.

David Litchfield

The Forensic Investigation of a Compromised Oracle Database Server

Database forensics expert David Litchfield will discuss his new tool and paper. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file, i.e. there is no need to load the data file into the database, which would cause the data file to be modified; using orablock therefore preserves the evidence. Orablock can also be used to locate "stale" data, i.e. data that has been deleted or updated. It can also be used to dump SCNs (system change numbers) for data blocks, which can be useful during the examination of a compromised Oracle box.

David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Chief Scientist of Next Generation Security Software Ltd.

Moxie Marlinspike

New Techniques For Defeating SSL/TLS

This presentation will demonstrate some new tools and techniques that allow attackers to silently alter, inject, and log traffic intended for secure transmission by SSL/TLS in common web applications such as online banking and secure logins without the user being notified by any warnings.

This project builds on tools and research into SSL/TLS man-in-the-middle exploit paths that I published in 2002 (http://www.thoughtcrime.org/ie-ssl-chain.txt) and will include demonstrations of a new tool for exploiting new use patterns as well as data gathered from field testing in the real world.

Jon Miller

Cutting Through the Hype: An Analysis of Application Testing Methodologies

In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications and web-based applications. We will focus on the differences and advantages as they relate to blackbox testing, whitebox testing, graybox testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, so in this talk we will provide metrics to help decide which methodology should be used for which types of applications.

Michael Muckin

Windows Vista Security Internals

This presentation will describe in detail some of the specific changes in Windows Vista's security internals. Focus is on actual security modules and functions relevant to authentication, passwords, network communications and IPSec enhancements. The primary purpose of this presentation is to provide the audience with an overview of what these changes entail, the knowledge necessary to modify existing or craft new tools, and to explore and understand the risks present within the new security architecture. Potential areas of vulnerability will be presented and discussed in detail. These changes were primarily discovered through a lot of research, security testing and reverse engineering tasks and will be presented in this context. This talk is NOT about DEP, ASLR and other enhancements in Vista that have already been adequately covered elsewhere. The main benefits of application of this knowledge will fall into the post-exploitation arena.

Michael Muckin is the Team Lead for the Lockheed Martin Security Engineering Test Team where he regularly performs penetration tests, vuln research, reverse engineering, product assessments and other various security tasks. Prior to LM, Michael worked at Foundstone as a Managing Principal Consultant and at Microsoft as a Security Services Specialist for the Enterprise Services group.

Duc Nguyen

Your Face Is NOT Your Password

Biometrics is now of universal interest and has been developed and used for many purposes, such as the detection of criminals and undesirables, identification, and access control. In this paper, we focus on facial cognitive biometric systems and their application to user authentication based on face recognition.

Lenovo, Asus, and Toshiba are known as the first three big computer manufacturers to put that technology into practical use and to bring about greater convenience for their customers. The one question to ask is whether such technology is really safe and secure for its users to enjoy.

My research, which is presented in this paper, will prove that the mechanisms used by those three vendors have not met the security requirements needed by an authentication system and that they cannot fully protect their users from tampering.

Mr. Duc Nguyen is a senior researcher at Bkis. He is manager of the Application Security Department. His responsibilities cover both technical and management aspects of studies on network security and security vulnerability research. He is also an instructor of the Bkis Security Training Course for Banks, ISPs... in Vietnam.

Peter Silberman

Snort My Memory

For almost a decade Network Intrusion Detection Systems (NIDS) have been a critical technology used by network security professionals to identify attacks against their infrastructure. There are numerous sources producing signatures for the latest malware outbreak or “Patch Tuesday” exploit. In many circumstances, these network-based indicators exist in host memory and can be detected using the same signatures that are used in NIDS products. This presentation introduces a method for using these network-based signatures to identify hosts with malware or shellcode present using memory forensic analysis techniques. The benefits of using snort signatures in memory are: malware may not have sent the strings over the network yet; and malware that encrypts strings over the network may have decrypted strings in memory prior to calling into some encryption library. The talk concludes with the introduction of MindSniffer, a new tool that converts a Snort IDS signature to a Memoryze™ filter. The demo uses existing signatures, converts them to filters and shows how these filters can identify malware or potential shellcode in live system memory or acquired memory images.

Peter Silberman works at MANDIANT on the product development team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems in both the reverse engineering and rootkit analysis domains. Although he is college educated, Peter does not believe formal education should interfere with learning.

Michael Sutton

A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage

As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as persistent cookies, Flash storage and Google Gears. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site, as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated, as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting.

Rafal Wojtczuk & Joanna Rutkowska

Attacking Intel® Trusted Execution Technology

We describe what Intel® TXT is, how it works, and how it can be used to build more secure systems. We also show, however, weaknesses in current TXT implementations and how they can be practically exploited. We will show a working exploit code against tboot - Intel®'s implementation of trusted boot process for Xen and Linux.

Rafal Wojtczuk has 10 years experience with computer security. He has found vulnerabilities in popular operating systems and virtualization software. He has published articles on advanced exploitation techniques, among others about exploiting buffer overflows in partially randomized address space environment. He is also the author of libnids, a low-level packet reassembly library. In July 2008 he joined Invisible Things Lab, the company known for research in hypervisor security.

Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted multiple times by international press and she is also a frequent speaker at security conferences around the world. In 2007 she founded Invisible Things Lab, a boutique security consulting company focusing on OS and virtualization systems security.

Paul Wouters

Defending Your DNS in a Post-Kaminsky World

The Kaminsky bug sent everyone scrambling to fix their DNS. Or did it? While nearly all of the big DNS providers have taken measures, most of the smaller players are still vulnerable. People are afraid to make changes to their DNS infrastructure, and although the world is moving towards DNSSEC, that will not be reality for at least another two years.

Contrary to popular belief, the IETF is not leaving people in the dark until they adopt DNSSEC. It has come up with some viable workarounds that can be deployed. This presentation will teach the countermeasures that can be taken with minimal changes to currently deployed DNS infrastructure. And heck, we'll even explain Bernstein's DNSCurve.

Paul Wouters is often involved with cryptography, digital rights and cypherpunk projects. He co-founded "Xtended Internet", one of the first Dutch ISPs, back in 1996. In 2003 he co-founded Xelerance, a company specialised in VPN technology that develops and maintains "Openswan", the Linux IPsec software. He has been involved with the deployment of DNSSEC worldwide, and is an active IETF and RIPE contributor. In 2006 he published "Building and Integrating Virtual Private Networks with Openswan". He currently maintains various cryptographic software and DNS-related packages for Red Hat's Fedora and RHEL Linux, including the popular instant messenger encryption software "Off the Record". If not travelling, he can regularly be found at Toronto's HackLab collective.

Earl Zmijewski

Defending Against BGP Man-In-The-Middle Attacks

At DEFCON 16, Alex Pilosov and Tony Kapela presented a new BGP attack in which traffic to a victim is hijacked, but then transparently routed to the intended recipient. This allows for wholesale eavesdropping, including alteration, of all incoming traffic to the victim. In this talk, we review enough BGP routing background to understand the threat and how it breaks the trust model inherent in Internet routing. Then we review possible detection mechanisms via data aggregation from global route collection. The tip-offs to such attacks include prefix de-aggregation, invalid originations, invalid AS adjacencies, and even improbable AS paths. Detection techniques depend on whether or not you know ground truth, i.e., whether you are looking to defend your own network or simply to observe such hijacks in the wild. We conclude with case studies of applying these techniques to global routing data.

Earl Zmijewski is responsible for all of Renesys's Internet Data software, services and operations. He has over 20 years of experience encompassing scientific computing and most areas of IT, with particular emphasis on networking and security. Before Renesys, Earl spent over 12 years as IT Director at Fluent Inc., a computational fluid dynamics software company, where he was instrumental in establishing new offices throughout the US, Europe and Asia and was the principal architect in the design of Fluent’s networks and Internet security posture. Before that, Earl held various academic positions at Cornell University, University of California, and James Madison University. Earl has a PhD and MS in Computer Science from Cornell University and an MS and BA in Mathematical Sciences from The Johns Hopkins University.  
