PODCAST · technology
DEFCON 15 [Audio] Speeches from the hacker conventions
by The Dark Tangent
Past speeches and talks from DEF CON hacking conferences in an iTunes-friendly MP4 format. The DEF CON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown to be a world-known event. If you didn't make it, or missed the speaker you wanted to see, here is your chance to download and watch the presentations when you want. Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest, with new content added as available!
-
122
Panel: Disclosure Panel
David Mortman (Moderator), CSO-in-Residence, Echelon One; Paul Proctor (Moderator), VP, Gartner; Window Snyder (Vendor), Director of Ecosystem Development, Mozilla Corporation; Ian Robertson, CSO, RIM; David Maynor, CTO, Errata Security; Dave Goldsmith. Concerns about ethics for security professionals have been on the rise of late. It's time for researchers and vendors to meet up and discuss the issues of ethical behavior in our industry and start setting some guidelines for future research and discussion. Join active analysts, vendors and researchers for a lively discussion.
-
121
Panel: Meet the VCs
2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with an announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON XVI.
-
120
Panel: Meet the Fed
This year we will have so many feds representing their federal agencies that we will have to break it up into two separate panels. IA Panel: Information Assurance, CERTs and first-responder organizations from agencies including DC3, DHS, SOCOM, NSA, OSD, NDU, and GAO. LE Panel: Law Enforcement and Counterintelligence agencies including DC3, FBI, IRS, NCIS, NASA, NWC3, US Postal IG, FLETC, and RCMP. Each of the agency reps will make an opening statement regarding their agency's role, and then open it up to the audience for questions. Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS, National White Collar Crime Center (NWC3), Special Operations Command (SOCOM), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University, Federal Law Enforcement Training Center (FLETC), and the Government Accountability Office (GAO). For the third year in a row, the "Meet the Feds" panel has gone international: we will have a rep from the Royal Canadian Mounted Police. For years DEF CON participants have played "Spot the Fed"; for the 2nd year, the feds will play "Spot the Lamer". Come watch the feds burn another lamer.
-
119
Luke Jennings:One Token to Rule Them All: Post-Exploitation Fun in Windows Environments
The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft, who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to "squeeze all the juice" out of every compromised system. Windows access tokens are integral to Microsoft's concept of single sign-on in an Active Directory environment. Compromising a system that has privileged tokens can allow for both local and domain privilege escalation. This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework to allow its use to be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off. Finally, defense strategies will be discussed that can help provide defense in depth to reduce the impact of token abuse as a post-exploitation option. Luke Jennings is a security consultant for MWR InfoSecurity in the UK and is a recent computer science graduate of the University of Southampton.
Luke's previous work has primarily been focused on penetration testing and application testing which has also led to his discovery of some critical, remotely exploitable vulnerabilities in widely deployed software. As a result of this, Luke has become increasingly interested in dedicating a portion of his time to active security research. Luke is also interested in promoting security awareness among computer scientists, and has guest lectured at his old university to further this.
-
118
Lukas Grunwald: Security by Politics - Why it will never work
Lukas Grunwald, CTO of DN-Systems Enterprise Internet Solutions GmbH. This talk will show what happens if security is driven by politics and compromise; I will also cover the additional security risks introduced by the new generation of electronic passports. It will show why it could be possible to produce fake biometric fingerprints from the new generation of electronic passports, for example by rogue regimes, and will cover the new, bogus attempts to secure the ePassports via EAC (Extended Access Control). Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally acting consulting office working mainly in the field of security, identity, and internet/eCommerce and supply chain solutions for enterprises. Lukas presented at the Lower House of the German Parliament for the Free Democratic Party as RFID and ePassport expert at the hearing for the new ePassport law to allow the use of biometrics in electronic travel documents. Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in the security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in conferences such as Hackers at Large, Hacking in Progress, Network World, Internet World, Linux World (USA/Europe), Linux Day Luxembourg, Linux Tag, CeBIT and Blackhat Briefings.
-
117
Fred Doyle & Matt Richard: Beyond Vulnerability Scanning - Extrusion and Exploitability Scanning
With this presentation we will demonstrate a new tool called eescan that automates extrusion and exploitability scanning using a client/server approach. Eescan will be released under the GPL and utilizes Python to create an extensible framework for testing extrusion and exploit defenses. All network security systems have gaps. Layered security tries to cover the gaps with overlapping protections like firewalls, intrusion prevention, proxies and other mechanisms. How do you really know where the gaps are before the weeds grow through? Vulnerability assessment tools scan for vulnerable systems from an attacker's perspective. This technique has value but fails to represent the risk posed by client application usage and attacks. They also fail to assess extrusions - the traffic content allowed to leave a network. Extrusion and exploitability scanning attempts to find these gaps using an automated scanning framework. The scanning techniques simulate user and attacker behavior from the client perspective to holistically measure the amount of risk in a given security system. Matt Richard works on the Rapid Response team at iDefense, a Verisign company. At iDefense he is responsible for analyzing and reporting on samples of unknown malicious code and other suspicious activity. For 7 years prior to iDefense Matt created and ran a managed security service used by 130 banks and credit unions. In addition he has done independent forensic and security consulting for a number of national and global companies. Matt has written a number of tools including a web application testing tool, a log management and intrusion detection application and an automated Windows forensics package. Matt currently holds the CISSP, GCIA, GCFA and GREM certifications.
-
116
Iftach Ian Amit: The Inherent Insecurity of Widgets and Gadgets
Widgets (or Gadgets) are small applications which usually provide some kind of visual information or access to a frequently used function. Because widgets are in fact applications, they too can include malicious code. Furthermore, due to the simplicity of legitimate widgets, such as calculators and clocks, they are developed without security in mind. In this presentation, we will explain the three different types of widgets in detail. We will demonstrate a proof of concept of a malicious widget for each of the types and also highlight the attack vectors for exploiting a vulnerable legitimate widget. Following the demonstrations, we will talk at a high level about widgets integrated in mobile devices. We'll take a brief look at the Widgets 1.0 paper created by the W3C, and also talk about the similarity between widgets and browser extensions in terms of their inherent insecurity. Iftach Ian Amit: With over 10 years of experience in the information security industry, Iftach Ian brings a mixture of software development, OS, network and web security to Finjan as the Director of Security Research. Prior to Finjan, Iftach was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. Prior to that, he served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development and information security as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application department at Comsec Consulting as well as the Unix department, where he consulted for major banking and industry companies worldwide. Iftach Ian holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzliya.
-
115
Ofir Arkin: kNAC!
Network admission control (NAC), network access protection (NAP), network access control (NAC), and many other acronyms refer to a technology which aims to provide access-control verification before (and after) allowing an element to access the network. Unfortunately, due to the lack of standardization and the diversity of solutions, many (if not most) NAC solutions suffer from a multitude of weaknesses impacting the deployment, implementation and the overall protection they provide. The presentation examines various NAC solutions from leading vendors, highlights their weaknesses, and demonstrates how they can be bypassed. The presentation is an updated presentation which includes new material and new, unpublished methods to bypass NAC solutions. Ofir Arkin is the CTO of Insightix (http://www.insightix.com), leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks. He holds more than 10 years of experience in data security research and management. He has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control and lectures regularly at security conferences. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA). Ofir is the founder of Sys-Security Group (http://www.sys-security.com), a computer security research group.
-
114
Ask EFF: The Year in Digital Civil Liberties
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping (with newly released technical information), using the Freedom of Information Act to dumpster dive with the law, tips and tricks for hacking e-voting machines legally, how censorship, surveillance and privacy invasions are spreading throughout the world - and how hackers can defend civil liberties at home and abroad, threats to freedom from digital TV, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you. KEVIN BANKSTON, an EFF Staff Attorney specializing in free speech and privacy law, was EFF's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin. MARCIA HOFMANN is an EFF Staff Attorney based in Washington, DC, where she focuses on government transparency and civil liberties issues.
Along with her colleague David Sobel, she established EFF's FOIA Litigation for Accountable Government (FLAG) Project. Prior to joining EFF, Marcia was Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she spearheaded EPIC's efforts to learn about emerging policies in the post-9/11 era and was lead counsel in several Freedom of Information Act (FOIA) lawsuits. Documents made public through her work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. She is a graduate of the University of Dayton School of Law and Mount Holyoke College. MATT ZIMMERMAN is a Staff Attorney with the Electronic Frontier Foundation, specializing in electronic voting issues. For the 2004 and 2006 elections, he coordinated a team of nationwide legal volunteers who responded to election-day problems with e-voting technology for the non-partisan Election Protection Coalition. He currently heads EFF's efforts to coordinate nationwide e-voting litigation and amicus support and evaluate emerging voting technology. He is also actively involved in e-voting-related grassroots development and public education efforts. His practice further includes ongoing work in areas such as online privacy, anonymity, and intellectual property. Prior to joining EFF, Matt was Privacy Fellow at the public interest law firm The First Amendment Project, where he specialized in privacy and open government issues. Previously, Matt worked at the international law firm Morrison & Foerster LLP, where he focused on technology and commercial litigation matters, and the nonprofit advocacy organization The First Amendment Project, where he specialized in privacy and free speech issues. DANNY O'BRIEN is the International Outreach Coordinator for the EFF. He works to help us collaborate with organizations and individuals fighting for liberties across the world.
Danny has documented and fought for digital rights in the UK for over a decade, where he also assisted in building tools of open democracy like Fax Your MP. He co-edits the award-winning NTK newsletter, has written and presented science and travel shows for the BBC, performed a solo show about the Net in the London's West End, and once successfully lobbied a cockney London pub to join Richard M. Stallman in a spontaneous demonstration of Bulgarian folk dance. SETH SCHOEN created the position of EFF Staff Technologist, helping other technologists understand the civil liberties implications of their work, EFF staff better understand the underlying technology related to EFF's legal work, and the public understand what the technology products they use really do. Schoen comes to EFF from Linuxcare, where he worked for two years as a senior consultant. While at Linuxcare, Schoen helped create the Linuxcare Bootable Business Card CD-ROM. Prior to Linuxcare, Schoen worked at AtreNet, the National Energy Research Scientific Computing Center at Lawrence Berkeley National Laboratory, and Toronto Dominion Bank. Schoen attended the University of California at Berkeley with a Chancellor's Scholarship. KURT OPSAHL is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. 
Opsahl co-authored the "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal, which established the reporter's privilege for online journalists.
-
113
Atlas: Remedial Heap Overflows: dlmalloc style
Sometimes even the top dudes need a refresher course. Remedial Heap Overflows is not so much a lesson to the lame, but a refresher for the leet. One day the speaker was approached (in a subway, of course) by a top-notch dude (who has his own posse) and asked how they work. Clearly not even the best of the best always know everything. atlas, a disciple of the illustrious Skodo, has a history in programming, systems support, telecom, security, and reverse engineering. His introduction to the hard-core hacking world was through dc13's CTF Qualifiers. atlas won the individual contest in 2005 and led the winning team "1@stplace" in 2006. atlas has written the WEP-cracking tool bssid-flatten, the @Utility-Belt (toolkit for hacking and exploitation), and his favorite tool, disass.
-
112
Andrea Barisani & Daniele Bianco: Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation.
RDS-TMC is a standard based on RDS (Radio Data System) for communicating Traffic Information for Satellite Navigation Systems over FM radio. All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up-to-date information about traffic conditions such as queues and accidents, and provide detours in case they affect the plotted course. The system is increasingly being used around Europe and North America. The audience will be introduced to RDS/RDS-TMC concepts and protocols and we'll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information into the broadcast RDS-TMC stream and manipulating the information displayed by the satellite navigator. We'll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages, and the role that RDS-TMC injection / jamming can play in social engineering attempts (hitmen in the audience will love this!). In order to maximize the presentation we'll also demo the injection...hopefully at low power so that we won't piss off local radio broadcasts. Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago, but it all really started when a Commodore 64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He's currently involved with the Gentoo project, managing infrastructure server security as a member of the Gentoo Security and Infrastructure Teams, along with distribution development.
Being an active member of the international Open Source and security community he's maintainer/author of the tenshi, ftester and openssh-lpk projects and he's been involved in the Open Source Security Testing Methodology Manual, becoming a ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd.
-
111
Geoffrey Bennett: The Completion Backward Principle
If you're responsible for the burglar alarm at your facility, do you understand how it's being monitored by the "Data Monitoring Group" flunkies? Are all those alarm conditions real? The Completion Backward Principle covers issues arising from Internet-enabled monitoring of burglar alarm systems, and possible mitigations. Spot The Fed will most assuredly be played at this talk. For the past seventeen years, geoffrey has been a Facility Security Officer and ComSec manager in support of various TLAs. Securing computer networks, telephone systems, and buildings is not just an adventure, it's his job. He can often be found giggling, like a schoolgirl, at the thought of global warfare being waged upon nouns. geoffrey is also available for children's parties.
-
110
John "jur1st" Benson: Bridging the Gap Between Technology and the Law
The recent case of Julie Amero has cast a bright spotlight on the difference in understanding between the worlds of technology and the law. We will examine adoption of technology within the legal profession, trial court decisions, as well as legislative and appellate decisions which may be inconsistent with generally accepted security measures. John Benson is the co-chair of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee, adjunct professor at the Colorado Technical University, and an electronic discovery analyst at a large midwestern law firm. While in law school he excelled in the areas of evidence and trial advocacy, produced papers on the Sony XCP Rootkit and NSA warrantless wiretapping program, and was a general menace to the local network administrators.
-
109
Peter Berghammer: A Journalist's Perspective on Security Research
The presentation details the process whereby journalists select, discard, research and ultimately publish security-related articles. It outlines the credibility necessary for security researchers to be taken seriously in the presentation of their findings and examines the "blowback" that criminal and kiddie hackers have on the security industry from a journalist's perspective. This talk also looks at the current practices of legitimate software companies around secure content (DRM et al), metadata tracking, and hardware and software tracking, and the very close parallels between their methods and those of the "hacking" universe. Peter Berghammer owns a number of companies in the military and consumer electronics market spaces. Additionally he has written monthly articles for the past few years dealing with security, the law and legislation. In 2005 he was named a Fellow at Stanford Law's Center for Internet and Society (researching security items and munitions law). He speaks frequently in international venues on items surrounding security, security breaches, privacy issues and pending legislation. Full bio info at: www.zoominfo.com
-
108
Sean M. Bodmer: Analyzing Intrusions & Intruders
Intrusion analysis has been primarily reserved for network junkies and bit biters. However, due to the advances in network systems automation, we now have time to pay more attention to the subtle observations left by attackers at the scene of the incident. Century-old sciences have given criminal investigators the ability to attribute attacks to specific individuals or groups. Sean M. Bodmer is an active developer and deployer of intrusion detection systems. Sean is also an active Honeynet researcher, specializing in analyzing signatures and behaviors used by the blackhat community regarding patterns, methods, and motives behind attacks. Currently Sean is working on a highly adaptive sensor network under a joint commercial venture in which global sensors are deployed to generate better understandings of various attack approaches and techniques.
-
107
Sam Bowne: Teaching Hacking at College
Last semester I taught a new course in "Ethical Hacking and Network Defense" at City College San Francisco. I had legal, ethical, and practical concerns about this class, so I took several precautions to protect the students from one another, and others from them. The course was a success--it was full and popular, and there were no security problems (at least none that I found out about). We have built hacking into our Computer Networking and Information Technology program. The topic is important and exciting for the students, and reinforces their security knowledge. I encourage other college teachers to do the same. Degrees: B.S. in Physics, Edinboro University of PA; Ph.D. in Physics, University of Illinois, Urbana-Champaign. Industry Certifications: Microsoft Certified Professional, Microsoft Certified Desktop Support Technician, Network+, Security+, Certified Fiber Optic Technician. Sam Bowne has been teaching at CCSF since 2000.
-
106
Sergey Bratus: Entropy-based data organization tricks for log and packet capture browsing.
I will show how entropy, a measure of information content defined by Shannon in 1948, can provide useful ways of organizing and analyzing log data. In particular, we use entropy and mutual information heuristics to group syslog records and packet captures in such a way as to bring out anomalies and summarize the overall structure in each particular data set. I will show a modification of Ethereal that is based on these heuristics, and a separate tool for browsing syslogs. Our data organization heuristics produce decision trees that can be saved and applied to building views of other data sets. Our tools also allow the user to mark records based on relevance, and use this feedback to improve the data views. Our tools and algorithm descriptions can be found at http://kerf.cs.dartmouth.edu. For the past five years, my research at Dartmouth's Institute for Security Technology Studies was related to the application of information theory and machine learning to log analysis and other security topics. Before that, I worked as a research scientist at BBN Technologies on applications of similar techniques to Natural Language Processing, English text and speech.
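The following is an added example, not code from the talk or from the kerf tools: a small Python illustration of the idea above, grouping syslog records by the field with the lowest non-zero entropy (the split that yields the fewest, largest groups), recursing to build a decision tree of views, and using mutual information to find fields that a chosen field fully determines. The log lines, the regular expression, the set of "noise" fields excluded from splitting and the minimum group size are all constructed for this example; the talk's own heuristics may weigh fields differently.

```python
import math
import re
from collections import Counter

# Constructed sample syslog records (not from the talk or its tools).
SAMPLE_LOG = """\
Aug  7 10:01:02 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Aug  7 10:01:09 web1 sshd[2210]: Accepted publickey for bob from 10.0.0.7 port 51240 ssh2
Aug  7 10:02:11 web2 sshd[1188]: Accepted publickey for alice from 10.0.0.5 port 51302 ssh2
Aug  7 10:02:40 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 40122 ssh2
Aug  7 10:02:41 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 40123 ssh2
Aug  7 10:02:43 web2 sshd[1190]: Failed password for admin from 203.0.113.9 port 40130 ssh2
Aug  7 10:03:00 web2 cron[991]: (root) CMD (/usr/local/bin/backup.sh)
Aug  7 10:03:00 web1 cron[2300]: (root) CMD (/usr/local/bin/backup.sh)
"""

SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]+)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")

# Assumed choice: fields that are (nearly) unique per record carry maximal
# entropy but no structure, so they are never used as a split key.
NOISE_FIELDS = ("month", "day", "time", "pid")


def parse(text):
    """Split each syslog line into header fields plus positional message tokens."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for i, tok in enumerate(rec.pop("msg").split()):
            rec["msg%d" % i] = tok
        records.append(rec)
    return records


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of the values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def mutual_information(xs, ys):
    """I(X;Y) = H(X) + H(Y) - H(X,Y)."""
    return entropy(xs) + entropy(ys) - entropy(list(zip(xs, ys)))


def field_entropies(records):
    fields = list(dict.fromkeys(k for r in records for k in r))
    return {f: entropy([r.get(f) for r in records]) for f in fields}


def split_field(records):
    """Field with the smallest non-zero entropy: it partitions the records
    into the fewest, largest groups, which is the best one-level summary."""
    cands = {f: e for f, e in field_entropies(records).items()
             if e > 0 and f not in NOISE_FIELDS}
    return min(cands, key=cands.get) if cands else None


def build_tree(records, min_size=2):
    """Recursive partition {field: {value: subtree}}; leaves are record lists.
    Small groups at any depth are the candidate anomalies."""
    f = split_field(records)
    if f is None or len(records) <= min_size:
        return records
    groups = {}
    for r in records:
        groups.setdefault(r.get(f), []).append(r)
    return {f: {v: build_tree(g, min_size) for v, g in groups.items()}}


def determined_by(records, field):
    """Fields fully explained by `field` (I(F;X) == H(X)); in a view they can
    be folded into the split column instead of shown separately."""
    xs = [r.get(field) for r in records]
    out = []
    for f, h in field_entropies(records).items():
        if f == field or h == 0:
            continue
        ys = [r.get(f) for r in records]
        if abs(mutual_information(xs, ys) - h) < 1e-9:
            out.append(f)
    return out


def count(tree):
    if isinstance(tree, list):
        return len(tree)
    (groups,) = tree.values()
    return sum(count(s) for s in groups.values())


def print_tree(tree, indent=0):
    if isinstance(tree, list):
        for r in tree:
            print(" " * indent + " ".join(v for v in r.values() if v))
        return
    ((field, groups),) = tree.items()
    for value, sub in groups.items():
        print(" " * indent + "%s=%s (%d)" % (field, value, count(sub)))
        print_tree(sub, indent + 2)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print_tree(build_tree(recs))
    print("fields determined by prog:", determined_by(recs, "prog"))
```

On the sample above the root split lands on the program name (sshd versus cron), and the tokens "for", "from", "port" and "ssh2" are reported as determined by it, so a view would collapse them; the unique ports and PIDs stay out of the tree because they carry entropy without structure.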
-
105
Taylor Brinton & Brett Neilson: Being in the know... Listening to and understanding modern radio systems
"Being in the know" is key to supporting or violating a security infrastructure. Whether you're taking over the Taco Bell drive-through or listening in during a presidential visit, being armed with the right information could drastically affect your outcome and ultimately lead to your success. This talk will focus on modern radio systems and the challenges of listening to them. We will provide information on several utilities and resources to aid in reconnaissance efforts, as well as detailed information about how various types of radio systems function in today's modern world. Lastly we will cover some of the hardware to help make you successful and review some fun things to listen to here in Vegas and to do when you get back home. Brett Neilson is a manager of network and information security systems and has a strong background in the wireless industry. Previously, he worked for one of the leading wireless communication companies as a Senior Systems Administrator and RF Field Technician. Currently he spends his time overseeing a team of system owners for a major financial institution. Brett is also an active amateur radio operator and scanner enthusiast who can frequently be found mapping and monitoring RF systems in his area. Taylor Brinton is an IT manager for the leading property management company in Utah. He is also a managing partner in a web hosting company, which provides design and hosting services nationwide. Taylor is an active amateur radio operator who loves to learn new technologies and teach others about radio and computer/network systems.
-
104
David Byrne: Intranet Invasion With Anti-DNS Pinning
Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not received much attention. Anti-DNS pinning is a relatively new threat that, while not well understood by most security professionals, is far from theoretical. This presentation will focus on a live demonstration of anti-DNS pinning techniques. A victim web browser will be used to execute arbitrary, interactive HTTP requests to any server, completely bypassing perimeter firewalls. This is NOT a Jickto knockoff. Jickto relies on using a proxy or caching site like Google to place both sites in the same domain. This does not allow for full interaction with dynamic pages, or any interaction with internal web sites. This demonstration allows full interaction with arbitrary web servers in the intranet environment. No browser bugs or plug-ins are required to accomplish this, only JavaScript. The presenter will demonstrate an automated attack process that provides an HTTP proxy service for the attacker's browser after scanning the internal network for web servers. New requests are retrieved from the attack server by using the width and height of truncated images (only 66 bytes) as a covert channel.*** This bypasses the browser DOM's normal behavior of allowing data to be requested only from the server that provided the HTML. Before demonstrating the tool, anti-DNS pinning will be explained in a way that anyone familiar with the basics of DNS and HTTP will understand. The presenter will describe the presentation environment and attack components, then walk through the steps in an attack. Once the foundation concepts have been established, the live demonstration will be performed.
Towards the end, the presentation will also briefly cover suggested defenses, including changing pinning behavior in browsers, better intranet security, gateway behavioral scanners, increased granularity for IE security zones, and the introduction of security zones into Mozilla and other browsers. Enhancements to the tool are in progress to add binary socket capabilities using an untrusted Java applet. These changes will be complete in time for the presentation. This will allow for full access to any TCP protocol via a web browser supporting JavaScript and a JVM. The attacker would access this via a SOCKS proxy interface. The image dimension-based covert transfer is too slow for many protocols, so a second technique involving Cascading Style Sheets is used.*** The data is smuggled in border values of sequentially named classes. This is clearly a superior method, but there is still benefit from demonstrating the image-based method. *** I developed this technique and couldn't find any reference to it, but others may have used it before. Several key use-cases are outlined below.
The actors involved are:
* Victim browser: Once a malicious or XSS-infected site is visited, any browser can be used
* Slave.js: The JavaScript that registers the victim browser with the attack website and polls for new commands
* Proxy.js: The JavaScript that executes arbitrary HTTP commands from the attacker
* Controller.pl: A multipurpose CGI script that acts as the central control point for victim browsers, as a management console for the attacker, and coordinates the firewall and DNS changes required for the anti-pinning attack
* Database: Stores session state and new commands for victim browsers
* Proxy.pl: Runs an HTTP proxy that translates attacker requests into JavaScript commands
* Attacker web server: Hosts controller.pl on primary and secondary IP addresses
* Firewall: Blocks inbound requests to the secondary IP address during the anti-pinning attack
* DNS Server: Serves up the "A" records used for the anti-pinning attack

Initial infection
1. The victim browser visits an attack website and downloads slave.js
2. Slave.js registers with controller.pl and polls for new commands

Port scanning
1. The attacker sends a request to controller.pl to have the victim browser scan a range of addresses for specific ports running web servers
2. Controller.pl generates and inserts the port scan JavaScript code for the victim browser
3. Slave.js polls for new commands and receives the scanning script from controller.pl
4. The scanning script creates a new iframe for each host/port combination and sets the "onload" event to create an img object. This image has a source of controller.pl with parameters indicating a successful port scan for the host/port combination.
5. Controller.pl receives the image request and logs the successful scan event into the database.

Out-of-channel img communications for value retrieval
1. A proxy.js component calls GetValue with a command, unique description, and call-back function as arguments
2. GetValue creates an img object
   a. The source is set to controller.pl with a query string containing the relevant command
   b. The id is set to a string containing a unique description and sequence number
   c. The "onload" attribute is set to a callback function with the command, unique description, the counter value, and a secondary call-back function to resume execution
3. GetValue appends the img object to the document
4. The victim browser requests the image from the attack web server
5. Controller.pl processes the request and returns a dynamically generated bitmap with the width and height properties used to encode a two-byte integer value as a response. The bitmap only needs to be 66 bytes, regardless of the dimensions.
6. The victim browser loads the image and fires the onload call-back
7. The call-back function checks the width and height of the image, decodes the value and stores it in a global array with the unique description and sequence number as the index
8. The call-back function calls the secondary call-back function and resumes execution within proxy.js

Out-of-channel img communications for string retrieval
1. A proxy.js component calls GetString with a command, unique description, and call-back function as arguments
2. GetString requests the string length from controller.pl using out-of-channel img communications, prepending "stringlength" to the relevant command
3. GetString creates an img object for every two bytes of the string (1&2, 3&4, etc.)
   a. The source is set to controller.pl with a query string containing the relevant command and the string position of the bytes
   b. The id is set to a string containing a unique description and sequence number
   c. The "onload" attribute is set to a callback function with the image id as the only parameter
4. The victim browser will asynchronously request all of the generated images
   a. Controller.pl processes the request and returns a bitmap with the width and height properties used to encode the two-byte string
   b. The victim browser loads the image and fires the onload call-back
   c. The call-back function checks the width and height of the image, decodes the string segment and stores it in a global array with the img object id as the index
5. As the browser is requesting the images, GetString calls the CompileString function, which checks the global array to see if all string components have been returned and stored.
6. If the string is not complete, CompileString pauses, then calls itself again using SetTimeout.
7. Once the string is complete, CompileString calls the call-back function to resume execution within proxy.js

First request for an iframe proxy
1. The attacker sends a command to controller.pl to activate the proxy for a victim browser
2. Controller.pl starts proxy.pl on a random port and modifies the PAC file to point at that port
3. The attacker browser sends a request to proxy.pl for a target IP address detected in the port scanning phase
4. Proxy.pl checks in the database to see if the victim browser has an iframe proxy for the requested target IP address. Since this is the first request for the target IP address, there will be no iframe record.
5. Proxy.pl creates a random host name record in the DNS server and points it to the attack web server's secondary IP address
6. Proxy.pl inserts a JavaScript command to create a new iframe proxy in the victim browser pointed at the random host name
7. Proxy.pl inserts the attacker's HTTP request in the database and begins to poll for the result
8. Slave.js polls for new commands and receives the iframe command from controller.pl
9. Slave.js creates a new iframe. The source attribute of the iframe points at controller.pl on the random hostname, with the command requesting proxy.js
10. Once proxy.js has been downloaded, controller.pl blocks access from the victim IP address to the web server's secondary IP address, and changes the random hostname to point at the target IP address
11. Using out-of-channel img communications, proxy.js polls controller.pl until the DNS and firewall changes are confirmed
12. Using out-of-channel img communications, proxy.js requests the next HTTP command
13. Proxy.js uses XMLHttpRequest to process the provided HTTP command, using the random hostname. Because of the firewall rule, the victim browser will time out after trying to reconnect to the cached secondary IP address.
14. Proxy.js continues to attempt the XMLHttpRequest until the browser decides the server isn't there and dumps its host/IP address cache.
15. The victim browser re-queries DNS, this time getting the IP address of the targeted web server
16. The browser runs the request and returns the result to proxy.js
17. Proxy.js creates a new iframe with a unique ID
18. Proxy.js creates a form with a POST method, an action pointing at controller.pl on the primary IP address, a target at the new iframe, and a single textarea input
19. Proxy.js sets the textarea value to the HTTP results and submits the form. Since the target is an iframe, there will be no redirection
20. Controller.pl receives the HTTP response and inserts it into the database
21. Proxy.pl polls the database, finds the response, and returns it to the attacker browser

Proxy requests for an existing iframe are essentially the same, but steps 5-11, 14 and 15 are not required.

Specializing in web application security, David Byrne is a seven-year veteran of the Information Security industry. He is currently the Security Architect for EchoStar Satellite, owner of Dish Network. David is also the founder and current leader of the Denver chapter of the Open Web Application Security Project (OWASP).
-
103
D.J. Capelis: Virtualization: Enough holes to work Vegas
Have you tried to firewall a machine from itself? Have you ever tried to protect a machine with a multi-personality disorder? These questions are brought to us by the wonderful technology of virtualization. Though the technology is clearly sexy, security has clearly been an afterthought. While every product claims isolation, it seems that's only when you don't have an attacker involved. Despite what the press releases say, it's not free to put all your machines on the same hardware. We'll be brushing aside the dust and trying to figure out part of the cost. *BSD and Windows 2000. He has also published a few articles describing
-
102
Anton Chuvakin & Mike Murray: The Science Of Social engineering: NLP
Social engineering has traditionally been more of an art than a science: we try different things, and if they work, we continue to use them over and over again. Some of the best social engineers have developed excellent technique even without understanding why what they're doing works. Mike & Anton are skilled communicators trained in NLP, hypnosis, FACS and other sciences of influence, and will present (and demonstrate) some of the cutting edge research on influence and persuasion. Mike Murray: A 10-year veteran of the security industry, Mike Murray focuses his expertise on building strong security teams, and helping security professionals create successful and fulfilling careers. Dubbed "Mr. Security Career", his new book "Forget the Parachute, Let Me Fly the Plane" is targeted at careers in fast-moving industries. Learn more at ForgetTheParachute.com and at Mike's blog at Episteme.ca. Additionally, through his training as a master practitioner in Neurolinguistic Programming and a certified hypnotherapist, Mike has developed skills in communication that have allowed him to understand the precise nature of human communication and persuasion. Dr. Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic's product vision and strategy, conducting logging research as well as assisting key customers with their LogLogic implementations. He was previously Chief Security Strategist with a security information management company. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3" and the upcoming book on PCI.
Anton has also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs.
-
101
Robert Clark: Computer and Internet Security Law: A Year in Review 2006-2007
This presentation reviews the important prosecutions, precedents and legal opinions of the last year that affect internet and computer security. We will discuss the differences between legal decisions from criminal cases and civil lawsuits and what that means to the security professional. Additionally, we look at topics such as: email retention and discovery; active response; use of CFAA as non-competition methods; identity theft and notification issues; legal aspects of emerging technologies; lawsuits involving IT corporations (Google, Yahoo, Apple, Microsoft); and of course, the NSA surveillance litigation. As always, this presentation is strongly audience driven and it quickly becomes an open forum for questions and debate. Mr. Robert Clark is the principal point of contact in the Department of the Navy Secretariat and the Office of the General Counsel for legal issues regarding information management/information technology. As such he is responsible for advising on critical infrastructure protection; information assurance; FISMA; privacy; electronic government; identity management; spectrum management; records management; information collection; Open Source Software; and, infrastructure protection program both physical and cyber assets. Prior to this position Mr. Clark was the legal advisor on computer network operations to the Army Computer Emergency Response Team. Both these positions require coordination and consulting with the DoD Office of General Counsel, NSA, and DoJ Computer Crime and Intellectual Property Section. He is a previous Black Hat lecturer and lectures at Def Con, the Army's Intelligence Law Conference and the DoD's Cybercrimes Conference.
-
100
Greg Conti: Satellite Imagery Analysis
Satellite imagery was once restricted to organizations like CTU, but now it is freely available to us all via powerful free online tools and commercial services. In this talk we will look at commercial collection platforms and capabilities, orbital mechanics and a variety of imagery analysis techniques. We will analyze examples from interesting places around the world and explore issues surrounding the future of satellite surveillance. Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization by No Starch Press. His work can be found at www.gregconti.com
-
99
Crispin Cowan: Securing Linux Applications With AppArmor
The core of the security problem is that most software contains latent bugs, and many of these bugs can be exploited by attackers to cause the software to do something undesirable to the victim's computer. To block this threat, one can either use only perfect software (of which there is a shortage :) or use a security system to control what software may and may not do. The problem is that such systems are historically very difficult to use. AppArmor is an application security system that directly attacks the ease-of-use problem, making widespread adoption by developers, system administrators, and users possible. AppArmor provides security profiles (policies) that specify the files that a given program may read, write, and execute, and provides tools to quickly and automatically generate these profiles. This presentation will briefly introduce the AppArmor system, and then spend much of the time showing how best to use AppArmor to confine applications and protect systems. AppArmor is pure GPL software, and is available for SUSE, Slackware, Ubuntu, Gentoo, and Red Hat Linux. Crispin Cowan has been in the computer business for 25 years, and security for 10 years. He was the CTO and founder of Immunix, Inc., acquired by Novell in 2005. Dr. Cowan is now the Security Architect for SUSE Linux, and applications that Novell offers for Linux. Dr. Cowan developed several host security technologies under DARPA funding, including prominent technologies like the StackGuard compiler defense against buffer overflows, and the LSM (Linux Security Modules) interface in Linux 2.6. Dr. Cowan also co-invented the "time-to-patch" method of assessing when it is safe to apply a security patch. Prior to founding Immunix, he was a professor with the Oregon Graduate Institute. He is the program co-chair for the 2007 and 2008 Network and Distributed System Security conferences. He holds a Ph.D. from the University of Western Ontario and a Masters of Mathematics from the University of Waterloo.
-
98
Lee Kushner & Mike Murray: Creating and Managing your Security Career
Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. We're going to talk about the important skills, traits and knowledge that a security pro needs, not just the usual stuff (like "go get a CISSP"). We're going to come from the perspective of two people who spend much of their time talking to hiring managers and companies looking for security stars, as well as talking to those same security stars about their careers, where they're going, what's working for them, and, most importantly, what's not. And we're going to use that information to teach you how to manage your own career to find the job that keeps you challenged, growing, happy and appropriately compensated. Mike Murray: A 10-year veteran of the security industry, Mike Murray focuses his expertise on building strong security teams, and helping security professionals create successful and fulfilling careers. Dubbed "Mr. Security Career", his new book "Forget the Parachute, Let Me Fly the Plane" is targeted at careers in fast-moving industries. Learn more at ForgetTheParachute.com and at Mike's blog at Episteme.ca. Lee Kushner is the President of LJ Kushner and Associates, LLC, an Executive Search firm dedicated exclusively to the Information Security industry and its professionals. Founded in 1999, LJ Kushner has successfully represented Fortune 2000 companies, Information Security Software Companies, Information Security Services Companies and large technology firms in enabling them to locate, attract, hire, and retain top-level Information Security talent. He has been an invited speaker on the subjects of recruitment, retention, and industry trends at Information Security Conferences that include The Black Hat Briefings, The RSA Security Conference, Information Security Decisions, and a variety of ISSA Chapter Conferences.
-
97
Jesse 'x30n' D'Aguanno: LAN Protocol Attacks Part 1 - Arp Reloaded
Ever wanted to hijack a connection between machines on a LAN, deny service between a host you're attacking and a log server or intrusion detection system, or maybe wanted to sniff traffic on a switched network? Now you can! Er, wait... You already could with the ARP attacks we all know and love. While these network attacks are quite effective, they do have their weaknesses, as well as security controls to help prevent them. In this talk I will build on the previous research in this field and introduce new, more reliable attacks against the ARP protocol which are much harder to identify and to protect against. Jesse 'x30n' D'Aguanno is a security researcher and software engineer who has been involved in the security industry and "underground" for over 10 years. As a software engineer he has contributed to numerous open source and commercial projects. As a researcher, he has written and published many papers and proof of concept tools. His current research interests are primarily focused on binary reverse engineering, anti-forensics, exploit development and network attack. He is a frequent presenter at different industry conferences and events. By day he works as the Director of Professional Services and Research for Praetorian Global, a security services company in California. In his "spare" time, he is the team captain for Digital Revelation, a security think tank most known as the two-time winners (and almost annual participants) of Defcon CTF.
-
96
Rick Deacon: Hacking Social Lives: MySpace.com
This presentation will discuss how to hack MySpace.com using web application hacking methods implementing minimal tools outside of the internet, a text editor, and a cookie editor. How to find exploits will be discussed, as well as what to do with the exploits. Multiple exploits will be revealed and broken down. MySpace XSS filter evasion will be discussed. Session hijacking using cookies provided from MySpace will be proven and shown using patched exploits. The live demonstration (with audience participation) will be using a 0-Day MySpace exploit! The methodology and practices used in the presentation will always be relevant to MySpace as well as many other sites containing Cross Site Scripting holes. MySpace is filled with hundreds of unattended and undiscovered Cross Site Scripting exploits. Discussion on how to prevent these attacks and secure sites using web applications will also be touched upon. Also, tips on how to mess with your friends :). Questions and volunteers are encouraged! Now everyone can have a crack at their friend's MySpace! Just don't ruin anyone's precious social life. Rick is a full-time IT Specialist at an established CPA firm in Cleveland, Ohio. Rick is also a part-time student working to achieve a Bachelor's degree in Networking through the University of Akron. Rick has been involved in multiple web application attacks that have been reported and fixed. Rick has been involved in information systems security for a few years and continues to discover and learn in order to pursue a career involving such.
-
95
Dead Addict: Picking up the Zero Day; An Everyone's Guide to Unexpected Disclosures
Security researchers around the world have been SLAPPed (strategic lawsuits against public participation) across the face by vulnerable software vendors. Bogus legal threats intended to intimidate and prevent public exposure of vulnerabilities are becoming increasingly common. If the software industry succeeds at silencing these researchers, the public, governments, global industries, and end user customers are ill served and increasingly vulnerable. Successful silencing of research does not stop it; it merely drives it into private and underground economies. While private commercial exploit economies are being launched, and underground exploit economies are flourishing, the independent researchers (including small security shops) are increasingly the source of open and honest security information. Corporate security researchers often have contractual relationships with vendors preventing the public disclosure of critical security vulnerabilities. It is in this context that vulnerable software vendors attempt (often successfully) to silence hackers through bogus legal threats. While the debate regarding appropriate disclosure protocols is interesting (although seemingly unending), I'm not going to talk about it. This isn't about designing a disclosure utopia, but how to deal with disclosure as it stands today. Confrontational approaches serve no one (except perhaps aggressive attorneys increasing their billable hours), and legal threats are demonstrably counterproductive. I'm going to tell everyone what to do: vendors, customers, hackers, and the press. I'll tell vendors how to handle any disclosure with integrity and their best interests in mind; an admittedly tricky task. I'll remind customers that they have the choice in the products they purchase, and it may be wise to reward those that address security issues responsibly. I'll then give some friendly advice to hackers (no legal advice will be given).
Finally I'll address the role of the press and how their reporting can ensure the public interest is served. If everyone starts playing nicely together, we'll all be better off. Dead Addict helped found DEFCON 14 years ago. He has been DEFCON staff since then, has spoken at 7 DEFCONs, the Black Hat Briefings, Rubicon, as well as invitational security conferences. Professionally his employers have included a dominant operating system manufacturer, a respected computer security think tank, an internationally recognized financial infrastructure company, a popular telecommunications hardware and infrastructure company, as well as other smaller security and software firms. He lives in a strange foreign land with a beautiful, intelligent, creative, mischievous DEFCON speaker as well as two affectionate rats. His credentials do not ensure the value of his words; analyze and determine their usefulness for yourself.
-
94
Delchi & Valsmith: Malware Secrets
What would you do if you had a massive collection of malware? What secrets could you uncover? This rapid-fire presentation seeks to reveal some of these secrets based on the analysis of Offensive Computing's large malware collection (over 100,000 samples). What are malware authors commonly using to pack their binaries? What are the rarest packers, and could this indicate a targeted attack? How do Anti-Virus companies generally perform on a data set known to contain a large number of malware? These are some of the questions we will answer in Malware Secrets. Delchi has been involved in computers and computer security for over 15 years. He currently works doing real-time incident response protecting sensitive data. He specializes in data mining, log correlation, IDS signature creation and is a member of the Cult of the Dead Cow's NSF, and most recently has contributed his skills as both a computer security analyst and spiritual advisor to the Offensive Computing project.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. Marc is a member of a number of professional security organizations, including the American Society of Industrial Security (ASIS), Association of Firearms and Tool Marks Examiners (AFTE), American Polygraph Association (APA) and American Association of Police Polygraphists (AAPP). Matt Fiddler leads a Threat Management Team for a Fortune 100 Organization. Mr. Fiddler's research into lock bypass techniques has resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 15 years enhancing his extensive expertise in the area of Unix and Network Engineering, Security Consulting, Computer Forensics, and Intrusion Analysis. Currently Mr. Fiddler is the Connecticut Chapter President and active Board Member of Locksport International.
-
93
Jared DeMott & Panel: Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
Runtime code coverage analysis is feasible and useful when application source code is not available. An evolutionary test tool receiving such statistics can use that information as fitness for pools of sessions to actively learn the interface protocol. We call this activity grey-box fuzzing. We intend to show that, when applicable, grey-box fuzzing is more effective at finding bugs than RFC-compliant or capture-replay mutation black-box tools. This research is focused on building a better/new breed of fuzzer, the impact of which is the discovery of difficult-to-find bugs in real-world applications which are accessible (not theoretical). We have successfully combined an evolutionary approach with a debugged target to get real-time grey-box code coverage (CC) fitness data. We build upon the existing test tool General Purpose Fuzzer (GPF) [8], and the existing reverse engineering and debugging framework PaiMei [10] to accomplish this. We call our new tool the Evolutionary Fuzzing System (EFS). We have shown that it is possible for our system to learn the target's language (protocol) as target communication sessions become more fit over time. We have also shown that this technique works to find bugs in a real-world application. Initial results are promising though further testing is still underway. This talk will explain EFS, describing its unique features, and present preliminary results for one test case. We will also discuss future research efforts. Jared DeMott is a vulnerability researcher, with a passion for hunting down and exploiting bugs in software. Mr. DeMott is the president of www.vdalabs.com and is pursuing a PhD from Michigan State University, with dissertation work to be done on fuzzing. Mr. DeMott is a past DEFCON speaker.
-
92
Ganesh Devarajan: Unraveling SCADA Protocols: Using Sulley Fuzzer
Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols, namely Modbus, DNP3, ICCP and the IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP; the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to what each function code and internal indication flag does and how that can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have. After enumerating all those I will talk about the SCADA Fuzzer and the framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors, and a brief analysis of some of the software out there will be shown. Even though some of the attacks can be detected by the inline devices today, they are more prone to false positives. I am using the Sulley Framework to fuzz the various protocol implementations. I basically use Sulley to fuzz all the header fields of the various protocols. Sulley is equipped with some of the protocol-specific CRC generators (CRC-DNP) apart from the regular ones. I have as well generated various test cases to fuzz the data sections of the protocols, unlike most other fuzzers. Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented at Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable. Ganesh Devarajan currently works as a Security Researcher for TippingPoint Inc., a division of 3Com. Currently he focuses on SCADA security and other application security. Prior to this, he worked as a Security Researcher for the CASE Research Center, Syracuse, NY.
He has publications in various fields such as RBAC, Wireless Security, XML-based Signatures and Runtime Software Application patches and holds a Masters Degree in Computer Engineering from Syracuse University.
-
91
Roger Dingledine: Tor and blocking-resistance
Roger Dingledine is a security and privacy researcher. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while retaining anonymity for its users. He is best known for leading the Tor project, an anonymous communication system for the Internet that has been funded by both the US Navy and the Electronic Frontier Foundation. He organizes academic conferences on anonymity, speaks at such events as Blackhat, Defcon, O'Reilly ETech, Toorcon, 21C3, and What the Hack, and also does tutorials on anonymity for national and foreign law enforcement.
-
90
Toralv Dirro & Dirk Kollberg: Trojans, A Reality Check
Today there is a lot of hype around some new proof-of-concept technology or around politically motivated trojans, etc. This talk will deliver a reality check, give an idea what kind of malware the McAfee Research organisation is actually seeing used in the real world, and show how the different trojans work and what the impact is. The material used is internal statistics of the various threats sent to or discovered by us, some more detailed analysis to make functionality more transparent, and some demos, screenshots, etc. to make clear how complex the trojans used today in real attacks are. This also gives a very clear picture of how the threat changed now that there is a lot of money involved in using trojans to steal personal data of all kinds - from bank details to identities in online games. Toralv Dirro works for McAfee as Avert Labs EMEA Security Strategist. Working in Virus Research for many years since 1994 at McAfee (Dr Solomon's Software back then) after analysing viruses at the University of Hamburg before that, he finally got bored with debugging things and focused on Network IPS and Vulnerability Assessment / Management. He recently rejoined the Research team. Toralv Dirro is a well reputed expert on next generation AV Technology and Network Intrusion Prevention and is a frequent speaker on those topics. Dirk Kollberg works as Virus Research Lead within McAfee Avert, focused on analysis of worms such as massmailers, P2P and service-exploiting threats like Slammer or RPC-DCOM threats, dialers, PWS trojans, IRC bots, script and macro viruses. Being born and working in Hamburg, he has a good view on European threats, especially on those from Germany. Before he started at McAfee in 1999, he worked for 5 years as an electronics technician on automated manufacturing processes and another year as a 3D designer for product presentations on the web. He blames the Commodore PET as the reason for his addiction to bits and bytes.
-
89
Steve Dunker: Everything you ever wanted to know about Police Procedure in 50 minutes.
Ever wonder just what rules law enforcement must follow? When do the police have to read you the Miranda Warnings? Who is subject to a Stop and Frisk? When does Double Jeopardy apply? What does a cop actually have to know before they can legally stop you? What is the effect of an invalid arrest? Just when can the SWAT team kick your door without knocking first? When must an officer have a search warrant? During the "Ask the Criminal Justice Professor" part of the program I'll answer* your "hypothetical" questions concerning police procedure. * If I don't know the answer, I'll make something up that sounds good. Steve Dunker is a former police detective who worked as a planner and supervisor of an anti-crime and decoy unit. He was assigned to the Southwest Missouri Major Case Squad as a photographer. He is the Director of the Collegiate Officer Program and an Assistant Professor of Criminal Justice at Northeastern State University.
-
88
Luiz Eduardo: The Hacker Society around the (corporate) world.
I will talk about the evolution of and differences between the hacking communities around the world. Why and how this affects hackers being taken into corporate life, their motivations, or just why it is better to stay totally underground. How companies attract and manage hackers, and how they scare them away. Computers are cool now, like the t-shirt says, and small kids already know what IP addresses are, how to use netstat, etc. Is security gonna become a commodity? Come on over, let's talk about it. The more diverse the crowd is, the better. Luiz Eduardo, security engineer, paranoid sometimes, hacker, and overall, a good guy. Started a long time ago w/ applications, then all kinds of network technologies, landed in wireless security for a while and now is up for something new. Spoke at conferences in Mexico, Brazil and the US, WLAN network guy for some security conferences (Defcon, Blackhat, CCC, Shmoocon, Layerone, H2HC, etc). Collects infosec certifications in his spare time and long flights in coach class while enjoying chicken or pasta.
-
87
Joel Eriksson & Panel: Kernel Wars
Kernel vulnerabilities are often deemed unexploitable, or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question. This talk intends to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities without public exploits. From a defender's point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited. The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed to determine if and how they can be reliably exploited, and of course the exploits will be demonstrated in practice. The vulnerabilities that will be discussed are:
- FreeBSD 802.11 Management Frame Integer Overflow. Found and exploited by Karl Janmar. Advisory: http://www.signedness.org/advisories/sps-0x1.txt
- NetBSD Local Kernel Heap Overflow. Found by Christer Oberg, exploited by Christer Oberg and Joel Eriksson.
- Windows (2000 & XP) Local GDI Memory Overwrite. Found by Cesar Cerrudo, exploited by Joel Eriksson. Advisory: http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
More information about the vulnerabilities can be found at: http://kernelwars.blogspot.com/
Joel Eriksson is the CTO of Bitsec, a newly founded security company based in Sweden. Joel has been working in the computer security field since 1997, when he started out as an independent consultant. His primary focus is vulnerability research, exploit development and reverse engineering. Joel has previously spoken at BlackHat Europe and UNCON.
-
86
Nathan S. Evans & Christian Grothoff: Routing in The Dark: Pitch Black
There is a pervasive dream about a free Internet which is robust, fully decentralized yet efficient, and which ensures privacy for all users. For seven years, the Freenet project has been the most visible embodiment of this vision. This talk will show that the recent 0.7 release of Freenet -- marketed to solve most of the problems -- entirely fails to deliver. Freenet 0.7 promises efficient routing in restricted-route networks, often also called friend-to-friend (F2F) networks or darknets. Our work shows that a crucial step in the routing protocol can be easily subverted by an adversary which is no more powerful than any ordinary node operator. The attack targets a fundamental aspect of the routing protocol; in particular, it does not rely on minor flaws in the Freenet implementation and can thus not be easily addressed. The goal of this talk is not to destroy the dream of a free Internet. Instead, the talk will educate the audience about pitfalls on the path to utopia, improving our progress to this shared vision by shining a light on certain dead ends.
-
85
Gadi Evron: Estonia and Information Warfare
Estonia is one of the most advanced countries in the world, and just now survived what has been referred to as "the first 'real' cyber conflict". What really happened there, and what does it mean to us? Gadi Evron works for the McLean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, especially in the realm of botnets and phishing, and is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager, which he founded.
-
84
Gadi Evron: Webserver Botnets and Hosting Farms as Attack Platforms
The thousands of servers in colocation centers and hosting farms are irresistible targets for bot-herders in the market for an ideal attack platform. Learn how ISPs are, with varying success, detecting and responding to bot-herders' frequent attempts to take control. Gadi Evron works for the McLean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, especially in the realm of botnets and phishing, and is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager, which he founded.
-
83
Matt Fiddler & Marc Weber Tobias: High Insecurity: Locks, Lies, and Liability
Matt Fiddler leads a Threat Management Team for a Fortune 100 Organization. Mr. Fiddler's research into lock bypass techniques has resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 15 years enhancing his extensive expertise in the areas of Unix and Network Engineering, Security Consulting, Computer Forensics, and Intrusion Analysis. Currently Mr. Fiddler is the Connecticut Chapter President and an active Board Member of Locksport International. Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400-page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. Marc is a member of a number of professional security organizations, including the American Society of Industrial Security (ASIS), Association of Firearms and Tool Marks Examiners (AFTE), American Polygraph Association (APA) and American Association of Police Polygraphists (AAPP).
-
82
Zac Franken: Biometric and token based access control systems: Are you protected by two screws and a plastic cover?
An overview and demonstration of common access control and biometric systems. This will include the key elements of their implementation and an in-depth technical analysis of their common weaknesses. I will then demonstrate bespoke hardware developed to perform an attack that renders most access control systems useless. Zac Franken has been running operations for Defcon for nearly 14 years. Generally preferring to stay behind the scenes, he has finally allowed himself to be talked into a presentation. When not running Defcon operations or attending security conferences, he skulks in his dormant volcano lair. With a penchant for physical security and access control systems, he noodles around with access control systems, designs workarounds, and weeps at the inadequacy of today's access control technology.
-
81
Terrence "king tuna" Gareau: Hacking EvDO
Come and spend 50 minutes with the King, not Elvis, but King Tuna. He is going to give you a peek into EvDO and some of the goodies it has to offer. After a very brief overview of what EvDO is, he is going to go into detail about the different hardware options you have and, most importantly, how EvDO cards can be hacked and the advantages of delving into the insides of the card. Can ESNs be moved? Can EvDO be used in monitor mode? Bring a bag, because there will be treats for 100 people with a patch so you can use your EvDO card on your laptop as a client or access point. King Tuna has been a hacker since he discovered DOS 6.0 before pre-K. He has matured his knowledge in hacking with time and experience. Currently he works for Wardrivingworld helping customers extend their range, as well as with schools to develop classes about improving and testing wireless security.
-
80
Kenneth Geers: Greetz from Room 101
Imagine you are king for a day. Enemies are all around you, and they seem to be using the Internet to plot against you. Using real-world cyber war stories from the most tightly controlled nations on Earth, Greetz from Room 101 puts you in the shoes of a king who must defend the royal palace against cyber-equipped revolutionaries. Can a monarch buy cyber security? Are his trusty henchmen smart enough to learn network protocol analysis? Could a cyber attack lead to a real-life government overthrow? Ten case studies reveal the answers. Which countries have the Top Ten most Orwellian computer networks? Come to the talk and find out. Now imagine that your name is Winston Smith, and that you live in a place called 1984. You don't trust the government, and you don't trust the evening news. You can't send your girlfriend an email because you think that the Thought Police will get it first. Greetz from Room 101 details what Web surfing, email, blogging, and connections to the outside world are like for the half of our planet's population who enjoy little to no freedom online, in places where network security battles can mean life or death. Last but not least, the DEFCON audience will hear about the future of cyber control, and the future of cyber resistance. Kenneth Geers has worked for many years in a wide variety of technical and not-so-technical disciplines. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Kenneth is the author of Cyber Jihad and the Globalization of Warfare; Hacking in a Foreign Language: A Network Security Guide to Russia; Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall; and IPv6 World Update. His website, chiefofstation.com, is devoted to the intersection of art, the fate of nations, and the Internet. Greetz to Bunny, Izzy, Yofi, and Boo!
-
79
Damian Gomez: Intelligent debugging for vuln-dev
Damian Gomez is a Security Researcher at Immunity, which he joined in February 2006, after five years as the Chief Security Officer at Informar Argentina S.A., where his responsibilities included internal security auditing, network design, and intellectual property management with watermarking technologies. Prior to Informar, Damian worked on secure networking infrastructure at the Comision Nacional de Comunicaciones. In addition to consulting services, Damian is an exploit developer for Immunity and is lead developer for Immunity's VisualSploit. Damian's current main project is the development of the vuln-dev-oriented Immunity Debugger and its integration with Immunity's other frameworks. Damian is located in Argentina, South America.
-
78
K N Gopinath: Multipot: A More Potent Variant of Evil Twin
This presentation pertains to the discovery of a more potent variant of Evil Twin. We call it Multipot. Multipot consists of multiple APs which are configured with the same SSID and lure WiFi clients into connecting to them. The term Multipot is derived from multiple and honeypot. Multipot can occur naturally in the form of multiple Municipal APs or Metro APs around the victim client, all of which are naturally configured for the same SSID (e.g., GoogleWiFi). Such a natural Multipot can induce non-policy-compliant communication from wireless clients of an organization. There can also be a handcrafted or malicious version of Multipot where an attacker can combine it with known Evil Twin attack tools (e.g., KARMA, delegated) and launch a Man-in-the-Middle attack against wireless clients. The prevalent Evil Twin defenses are ineffective against Multipot. In particular, the prevalent defenses include: i) taking precautions so that clients are not lured to Evil Twins (e.g., specialized client-side software), and ii) since these precautions are not always foolproof or practical, using a Wireless Intrusion Prevention System (WIPS) to block clients' connections to Evil Twins. Most current WIPS use deauthentication (deauth) based session containment to defend against this threat. In this presentation, we demonstrate that Multipot renders deauth-based session containment completely ineffective. Multipot provides a glimpse into the complexities of evolving wireless vulnerabilities and their countermeasures. K. N. Gopinath (Gopi) is a senior wireless security researcher and senior engineering manager at AirTight Networks. Gopi has several years of experience with 802.11 protocol implementations, device drivers, WiFi networks, and wireless intrusion detection and prevention. His research focuses on making wireless networks secure. His current interests include understanding wireless MAC implementation anomalies and wireless device fingerprinting. Gopi also has invented several patent-pending wireless intrusion detection and prevention techniques. Gopi holds a Master's degree in Computer Science and Engineering from the Indian Institute of Technology Kanpur (IITK), and in the past has worked as a researcher at Bell Laboratories at Murray Hill, NJ. He has published several technical papers and delivered invited talks in international networking and security conferences/workshops.
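The two mechanisms in the abstract above, a rule that tells a Multipot from a lone Evil Twin in beacon observations and a tick-based model of why per-BSSID deauth containment falls behind, as an added Python example. This is neither AirTight's code nor anything from the talk: the beacon records are constructed, the authorized BSSID list is made up, and the client failover and WIPS detection-delay behaviour are simplifying assumptions, not a description of any particular product.

```python
from collections import defaultdict

# Constructed beacon observations (BSSID, SSID, channel) as a WIPS sensor
# might record them. Not real captures.
BEACONS = [
    ("00:11:22:aa:bb:01", "CorpNet", 6),    # authorized
    ("00:11:22:aa:bb:02", "CorpNet", 11),   # authorized
    ("00:11:22:aa:bb:03", "Guest", 1),      # authorized
    ("de:ad:be:ef:00:01", "CorpNet", 1),    # rogue, same SSID
    ("de:ad:be:ef:00:02", "CorpNet", 6),    # rogue, same SSID
    ("de:ad:be:ef:00:03", "CorpNet", 11),   # rogue, same SSID
    ("de:ad:be:ef:00:04", "Guest", 1),      # lone rogue: a classic Evil Twin
]
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"}


def classify_rogues(beacons, authorized):
    """Group unauthorized BSSIDs by the SSID they advertise.

    Returns {ssid: (label, sorted rogue BSSIDs)} where label is 'evil-twin'
    for a single rogue AP and 'multipot' when two or more rogue APs carry
    the same SSID. `authorized` is the organization's own APs; for a
    'natural' Multipot of municipal APs that set would simply be empty.
    """
    rogues = defaultdict(set)
    for bssid, ssid, _channel in beacons:
        if bssid not in authorized:
            rogues[ssid].add(bssid)
    return {
        ssid: ("multipot" if len(bssids) > 1 else "evil-twin", sorted(bssids))
        for ssid, bssids in rogues.items()
    }


def simulate_containment(rogue_bssids, ticks=100, detect_delay=5):
    """Tick-based model of deauth containment against a client that has
    joined the rogue SSID. Simplifying assumptions (ours, not the talk's):

    - the client starts on rogue_bssids[0]; each time it is deauthenticated
      it re-associates by the next tick to the next AP advertising the same
      SSID (wrapping around), which is the failover Multipot relies on;
    - the WIPS contains one (client, BSSID) pair at a time, repeating the
      deauth every tick, and needs `detect_delay` ticks to notice that the
      client now sits on a different BSSID before it retargets.

    Returns the number of ticks the client spent associated to a rogue AP.
    """
    n = len(rogue_bssids)
    assoc = 0            # index of the AP the client is associated to
    target = 0           # index of the AP the WIPS is currently deauthing
    moved_at = None      # tick at which the client last hopped to a new AP
    connected = 0
    for t in range(ticks):
        # WIPS retargets once the detection delay has elapsed.
        if moved_at is not None and t - moved_at >= detect_delay:
            target, moved_at = assoc, None
        if assoc == target:
            # Deauth lands: the client drops and spends this tick re-associating.
            assoc = (assoc + 1) % n
            moved_at = t if n > 1 else None   # a lone AP is the same target again
            continue
        connected += 1   # the WIPS is deauthing a BSSID the client already left
    return connected


if __name__ == "__main__":
    for ssid, (label, bssids) in classify_rogues(BEACONS, AUTHORIZED_BSSIDS).items():
        print(f"{ssid}: {label} {bssids}")
        print(f"  ticks connected under containment: "
              f"{simulate_containment(bssids)} / 100")
```

With these assumptions the lone Guest twin is held off the air for the whole run, while the three-AP CorpNet Multipot keeps the client connected for 80 of 100 ticks: every time the deauth lands the client hops to a BSSID the WIPS is not yet chasing, and it only loses the ticks the WIPS needs to catch up. Shrinking `detect_delay` to 1 closes the gap, which is the knob a real containment engine would have to turn (or contain every BSSID of the SSID at once) to cope with Multipot.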
-
77
Joe Grand: Making of the DEFCON 15 Badge
Joe Grand is an electrical engineer, prominent speaker, and prolific inventor with multiple pending patents and over a dozen commercially available products. He is the President of Grand Idea Studio, a San Francisco-based product research, development, and licensing firm, where he specializes in the design of consumer electronics and video game accessories. Involved in computers and electronics since the age of 7, Joe has had the fortune of being a member of the legendary Boston-based hacker collective L0pht Heavy Industries, testifying before the United States Senate Governmental Affairs Committee under his nom de hack, Kingpin, and being praised as a "modern day Paul Revere" by the Senators for his research and warnings of computer security weaknesses. Recognized for his unconventional approaches to product development and licensing, Joe is also a well-known hardware hacker, the author of two books, contributor to four others, on the technical advisory board of MAKE Magazine, and is a co-host of an upcoming engineering show for Discovery Channel.
-
76
Jennifer Granick: Disclosure and Intellectual Property Law: Case Studies
The simple decision by a researcher to tell what he or she has discovered about a software product or website can be very complicated both legally and ethically. The applicable legal rules are complicated, there isn't necessarily any precedent, and what rules there are may be in flux. In this presentation, I will use Cisco and ISS's lawsuit against Michael Lynn (from Black Hat 2005) and HID's cease and desist letter to IOActive (from Black Hat 2006) to discuss major intellectual property law doctrines that regulate security research and disclosure. I will give the audience some practical tips for avoiding claims of illegal activity. Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and writes on the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Granick came to Stanford after almost a decade practicing criminal defense law in California. Her experience includes stints at the Office of the State Public Defender and at a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. Granick, where she focused on hacker defense and other computer law representations at the trial and appellate level in state and federal court. At Stanford, she currently teaches the Cyberlaw Clinic, one of the nation's few law and technology litigation clinics. Granick continues to consult on computer crime cases and serves on the Board of Directors of the Honeynet Project, which collects data on computer intrusions for the purposes of developing defensive tools and practices. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.
-
75
David Gustin "nonsequitor" & Abraham "AbEnd" Shultz: Hardware Hacking for Software Geeks
This presentation is an introduction to hardware design and reverse engineering, with an eye towards developing an individual laboratory for future exploration. We start by covering the basic tools and setting up a laboratory. In this section, we cover the basic tools, such as soldering tools, oscilloscopes, and logic analyzers. The focus is on getting the tools for low or no cost. From there, we cover the forward engineering process, including various microcontroller designs. Finally, we will go over hardware reverse engineering and its relation to the forward engineering process. There will be demonstrations of low-cost oscilloscopes, logic analyzers, and flash dumping tools. These tools will be used against consumer-grade hardware to demonstrate the beginning of a reverse engineering attempt. This talk assumes slight prior knowledge of electronics on a hobbyist level. The ability to read a schematic will come in handy, but isn't required. Even if you don't have a hobby-level interest in electronics, we hope you will by the end of the presentation. "nonsequitor" David has been working as an embedded software developer since 2001. He spent 3 years interning at Astronautics Corporation of America working with safety-critical avionics devices for projects ranging from the space shuttle to commercial airliners. After graduation he spent 8 months working on embedded devices for building control networks containing thousands of networked devices on various topologies. David then took a job doing quality assurance at Imperfect Networks verifying a suite of products relating to malicious traffic generation. He has since moved back into embedded software and spent a year developing and testing software for the Airbus A380 Super Jumbo. He is currently working on Maritime Control Systems for ZF. AbEnd plays with electronics for fun and programs computers for money. His past projects have included Tesla coils, a lighting system for a model apartment, telepresence drones, sentry guns, a wearable computer, magnetic card readers and writers, and mad scientist props. His future projects are legion. AbEnd enjoys good gin.
-
74
Peter Gutmann: The Commercial Malware Industry
Malware has come a long way since it consisted mostly of small-scale (if prolific) nuisances perpetrated by script kiddies. Today, it's increasingly being created by professional programmers and managed by international criminal organisations. This talk will look at the methods and technology employed by the professional malware industry, which is turning out "product" that matches (and in some cases even exceeds) the sophistication of standard commercial software, but with far more sinister applications. Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland, New Zealand, working on the design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package, has authored a number of papers and RFCs on security and encryption including the X.509 Style Guide for certificates, and is the author of "Cryptographic Security Architecture: Design and Verification" (published by Springer-Verlag) and the open source cryptlib security toolkit. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about PKIs and the (un-)usability of security applications.
-
73
Nathan "Sysmin" Hamiel & Marklar: Creating Unreliable Systems "Attacking the Systems That Attack You"
Sysmin, The Hacker Pimps; Marklar, The Hacker Pimps. This presentation focuses on analysis and strategies for dealing with systems that gather information, more specifically, personal information. This talk suggests that we need to start looking at the technology of the future through a different set of eyes, those of a researcher. A new method is introduced for classifying attacks on information gathering systems, and strategies are introduced for dealing with this technology. Systems that are unreliable cannot be counted on, so the best defense is a good offense. Sysmin and Marklar are two of the founding members of the Hacker Pimps, an independent security research think tank. The Hacker Pimps provide research into areas of information security and privacy. Members of the Hacker Pimps have been speakers at a variety of different security events. Sysmin is a senior security consultant for a large consulting firm. He is a frequent public speaker on a variety of different topics and has spoken at many events including DEFCON, HOPE, ShmooCon, ToorCon, and even the Pentagon, just to name a few. Sysmin holds a veritable bevy of certifications in the area of information security and has a Master of Science in Information Technology with a specialization in Information Security. He is also the POC for the DC904 and a member of the Jacksonville 2600, Stegonet project, and the North American IPv6 Task Force. Marklar is one of the foremost marklars on marklar. He has been pondering the effects of marklar on the World Wide Marklar for many years and hopes to foster conversation on enabling greater marklar on the marklar so that our marklar marklar can remain marklar.
HOSTED BY
The Dark Tangent