Speakers

Speakers will be posted as they are selected.

Call for Papers is now closed. Keep checking this space for speaker updates!


Speaker List


Alpha by speaker

BackTrack Foo - From bug to 0day


Mati Aharoni
Owner, Offensive Security

As pentesters and hackers we often find the need to create our exploits on the fly. Doing this always presents a challenge. But one challenge took us to a new limit and a new level. We want to share the method with you. From Bug to 0Day will show the audience the process of fuzzing, locating the bug, using egghunters, then figuring out how to build a pure alphanumeric shellcode to exploit it.

This will truly be the most mind bending 60 mins you will spend in exploit development.

Mati is a network security professional, currently working with various Military and Government agencies as well as private sector businesses. His day to day work involves vulnerability research, exploit development and whitebox / blackbox Penetration Testing.

Mati is most known for his role in creating the award winning, internationally acclaimed Linux pentesting distro, BackTrack, as well as his lead role in creating the hottest security training school in the international market today, "Offensive Security". This focused, intense school hones the skills of security professionals by teaching them the tools and methodologies popular in the market. Mati has been teaching security and hacking courses for over 10 years and is actively involved in the security arena.


Autoimmunity disorder in Wireless LAN


Md Sohail Ahmad
Senior Wireless Security Researcher, Airtight Networks Inc.
JVR Murthy
Senior Wireless Security Researcher, Airtight Networks Inc.
Amit Vartak
Senior Wireless Security Researcher, Airtight Networks Inc.

An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body tissue. This presentation is about the discovery of an autoimmunity disorder in select open source and commercial 802.11 AP implementations. By sending specially crafted packets, it is possible to trigger the autoimmunity disorder and cause the AP to turn hostile against its own clients. Eight examples of autoimmune disorder will be demonstrated.

Autoimmunity disorder can be exploited to craft new DoS attacks. Although 802.11w promises immunity from DoS attacks, we show that autoimmunity disorder leaves a door open through which DoS attacks can still be launched. One example of a DoS attack against MFP (11w) will be demonstrated.

Md Sohail Ahmad is a wireless security researcher at AirTight Networks. Mr. Ahmad possesses a strong background in secure driver development, protocol development, and open source tool development. He is currently working on mitigation of various security aspects of the IEEE 802.11w and IEEE 802.11n standards and their implementations.

Prior to this, he also demonstrated a more potent form of the Evil Twin attack, called "Multipot", at DEFCON 15. He discovered the "Caffe Latte" attack, presented at ToorCon 9, which retrieves the WEP key from an isolated client in the absence of its authorized access point.


Time-Based Blind SQL Injection using heavy queries: A practical approach for MS SQL Server, MS Access, Oracle and MySQL databases and Marathon Tool


Chema Alonso
Microsoft MVP Windows Security, Informática64
José Parada
Microsoft IT Pro Evangelist, Microsoft

This presentation describes how attackers could take advantage of SQL Injection vulnerabilities using time-based blind SQL injection. The goal is to stress the importance of establishing secure development best practices for Web applications and not only to entrust the site security to the perimeter defenses. This article shows exploitation examples for some versions of the Microsoft SQL Server, Oracle DB Engine, MySQL and Microsoft Access database engines; nevertheless, the presented technique is applicable to any other database product in the market. This work shows a NEW POC Tool.

Chema Alonso is a Computer Engineer from the Rey Juan Carlos University and a System Engineer from the Politécnica University of Madrid. He has been working as a security consultant for the last six years and has been awarded Microsoft Most Valuable Professional from 2005 to the present. He is a frequent Microsoft speaker at security conferences. He writes monthly in several Spanish technical magazines such as "Windows TI Magazine", "PC Actual" and "Hackin9". He is currently working on his PhD thesis under the direction of Dr. Antonio Guzmán and Dr. Marta Beltran. He recently spoke at BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks. More info: http://mvp.support.microsoft.com/gp/mvpInsider_2006-08

José Parada is an IT Pro Evangelist at Microsoft. He is a very well-known speaker at Spanish conferences about IT infrastructures, Microsoft technologies and security. He has been working in the Microsoft Technet Program since 2005, delivering conferences, webcasts and technical information.


The Anatomy of a Subway Hack: Breaking Crypto RFIDs and Magstripes of Ticketing Systems


Zack Anderson
Student, MIT
RJ Ryan
Student, MIT
Alessandro Chiesa
Student, MIT

Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on the magstripe card, we present several attacks to completely break the CharlieCard, a MIFARE Classic smartcard used in many subways around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software-radio to read RFID cards. We go over social engineering attacks we executed on employees, and we present a novel method of hacking WiFi: WARCARTING. We will release several open source tools we wrote to perform these attacks. With live demos, we will demonstrate how we broke these systems.

Zack Anderson is studying electrical engineering and computer science at MIT. He is an avid hardware and software hacker, and has built several systems such as an autonomous vehicle for the DARPA Grand Challenge. Zack is especially interested in the security of embedded systems and wireless communications. He has experience building and breaking CDMA cellular systems and RFID. Zack has worked for a security/intelligence firm, and has multiple patents pending. He enjoys building systems as much as he enjoys breaking them.

RJ Ryan is a researcher at MIT. His longtime passion for security has resulted in a number of hacks and projects, including a steganographic cryptography protocol. RJ works on a number of technical projects ranging from computer security to operating systems, distributed computation, compilers, and computer graphics. He enjoys learning how things work, and how to make things work for him.

Alessandro Chiesa is a Junior at MIT double majoring in Theoretical Mathematics and in Electrical Engineering and Computer Science. Born and raised in Varese, Italy, he came to MIT with interests in computational algebraic geometry, machine learning, cryptography, and systems security. He has authored papers such as "Generalizing Regev's Cryptosystem", which proposes a new cryptosystem based on shortest vector problems in cyclotomic fields. He is currently working with Oracle's Database Security group.


Digital Security: a Risky Business


Ian O. Angell
Professor of Information Systems, London School of Economics

In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.

Ian Angell has been Professor of Information Systems at the London School of Economics since 1986. Prior to that he researched and taught Computer Science at Royal Holloway College, and University College London.

Angell has very radical and constructive views on his subject, and is very critical of what he calls the pseudo-science of academic Information Systems. He has gained a certain notoriety worldwide for his aggressive polemics against the inappropriate use of artificial intelligence and so-called knowledge management, and against the hyperbole surrounding e-commerce.

His main research work concentrates on organizational and national I.T. policies, on strategic information systems, and on computers and risk (both opportunities and hazards), particularly the systemic risks inherent in all socio-technical systems and the security threats posed to organisations by the rapidly diffusing international information infrastructure.


VulnCatcher: Fun with Vtrace and Programmatic Debugging



atlas

Countless hours are spent researching vulnerabilities in proprietary and open source software for each bug found. Many indicators of potential vulnerabilities are visible both in the disassembly and debugging, if you know what to look for. How much can be automated? VulnCatcher illustrates the power of programmatic debugging using the VTRACE libraries for cross-platform debugging.

atlas, a disciple of the illustrious Skodo, has a history in programming, systems support, telecom, security, and reverse engineering. His introduction to the hard-core hacking world was through dc13's CTF Qualifiers. Captain of two-time CTF winner "1@stplace" and individual winner of CTF-2005, atlas has released hacking tools and toolkits such as disass and atlasutils, and is co-maintainer of the Python library for x86 disassembly: libdisassemble.


Pen-Testing is Dead, Long Live the Pen Test


Taylor Banks
Security Evangelist
Carric
DEFCON Goon

This talk explores the death and subsequent re-birth of the penetration test. Comprised of conclusions drawn from the collective experiences of two seasoned pen-testers, our talk is filled with facts, fun and rhetoric. We will describe the landscape, the problems, and offer real solutions.

In our talk, we will explore the problems with modern-day pen-tests and pen-testers, and ways to stand out amongst the frauds selling their lackluster vuln-scan services under the guise of a true penetration test.

We discuss penetration tests that are overly tool-driven and/or lacking in methodology as well as pen-testers who lack the experience and creativity to identify the architectural problems that real attackers frequently exploit.

Along the way, we'll discuss the difficulties faced by real penetration testers and complement these with real-world war-stories to provide both context and comic relief.

Most importantly, we'll discuss how to solve these problems, through contributions to open methodologies, transparency in process, and shifts in technological paradigms. We'll tell you how to deal with the latest technologies, even those that change day-by-day. For those that take penetration testing seriously, this talk will be a fun, informative and enlightening presentation on the things we need to do to keep pen-testing worthwhile. Attendees will learn how to perform pentests accurately and obtain compelling and valuable results that ensure real return on investment for their clients.

Taylor Banks is a security evangelist and privacy pundit with over 15 years in the information technology industry, the last 10 focused exclusively on information security and privacy. Since 1998, he has been designing, implementing, teaching and managing secure information systems for Federal Government, US Military, private universities and public companies, from start-ups to Fortune 100. Taylor, aka "dr.kaos," is also the PoC for the Atlanta DEFCON Group (DC404), and in 2005 founded "kaos theory security research," creators of the Anonym.OS LiveCD. Between 1999 and 2002, Taylor worked at SecureIT (later acquired by VeriSign) providing CheckPoint, Nokia, NAI, Web Security and Applied Hacking training to hundreds of enterprise customers, as well as review, design and development of secure network architecture and related security policies for numerous Fortune 500 organizations. During that time, Mr. Banks devised testing methodologies and audit procedures, and helped found the VeriSign FIRE team to provide penetration tests and security audits for internal departments and enterprise customers. In 2003, Taylor trained the US Marine Corps 13-member Computer Emergency Response Team (MARCERT) to perform penetration tests and security audits to assess and improve the security of their own military and public networks. The MARCERT team subsequently entered DEFCON's prestigious CTF competition, ranking 3rd at the conclusion of the DEFCON XI conference. Since 2007, Taylor has been focused on virtualization and its impact on enterprise information security.

Carric is a Goon. Buy him beer.


Owning the Users with Agent in the Middle


Jay Beale
Senior Security Consultant and Co-Founder, Intelguardians Network Intelligence, Inc.

This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We'll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We'll also compromise computers and an iPhone by subverting their software installation and update process. We'll inject JavaScript into browser sessions and demonstrate CSRF attacks.

Our new tool, Agent in the Middle, automates these attacks to make exploiting every active user on your computer's network brain-dead easy and scalable.

Jay Beale is an information security specialist, well known for his work on threat avoidance and mitigation technology. He's written two of the most popular security hardening tools: Bastille UNIX, a system lockdown and audit tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. Jay also contributed to the OVAL project and the Honeynet Project.

Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and SecurityPortal. Jay has co-authored or edited nine books in the Information Security space. Six of these make up his Open Source Security Series, while two are technical works of fiction in the "Stealing the Network" series. Jay is a security analyst and managing partner at Intelguardians, where he gets to work with brilliant people on topics ranging from application penetration to virtual machine escape. Prior to this, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the then third largest retail Linux distribution.


They're Hacking Our Clients! Introducing Free Client-side Intrusion Prevention


Jay Beale
Senior Security Consultant and Co-Founder, Intelguardians Network Intelligence, Inc.

In the face of far stronger firewall and IPS-protected perimeters, attackers are compromising far more systems by hacking our web browsers, e-mail clients, and office document tools. Unfortunately, vulnerability assessment practices still focus on checking listening services, even on workstations. Detecting vulnerable clients is left for patch management tools, which aren't in consistent or wide enough use. Even when organizations are able to invest the time and money in a patch management system, a series of critical problems keeps the botnet builders in business. This talk, by Bastille UNIX creator Jay Beale, introduces a free tool to detect vulnerable clients and keep them out of the botnets.

Jay Beale is an information security specialist, well known for his work on threat avoidance and mitigation technology. He's written two of the most popular security hardening tools: Bastille UNIX, a system lockdown and audit tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. Jay also contributed to the OVAL project and the Honeynet Project. Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and SecurityPortal. Jay has co-authored or edited nine books in the Information Security space. Six of these make up his Open Source Security Series, while two are technical works of fiction in the "Stealing the Network" series.

Jay is a security analyst and managing partner at Intelguardians, where he gets to work with brilliant people on topics ranging from application penetration to virtual machine escape. Prior to this, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the then third largest retail Linux distribution.


Predictable RNG in the vulnerable Debian OpenSSL package, the What and the How


Luciano Bello
Engineer (Information Systems), CITEFA/Si6
Maximiliano Bertacchini
Researcher, CITEFA/Si6

Recently, the Debian project announced an OpenSSL package vulnerability which they had been distributing for the last two years. This bug makes the PRNG predictable, affecting the keys generated by openssl and every other system that uses libssl (e.g. openssh, openvpn). We will talk about this bug, its discovery and publication, its consequences, and exploitation. We will also demonstrate some exploitation tools.

Luciano Bello is an Engineer (Information Systems) and works as a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina. He has been a Debian Developer since 2007.

Maximiliano Bertacchini is a PhD student in Computer Engineering at ITBA (Technological Institute of Buenos Aires). He is a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina.


When Lawyers Attack! Dealing with the New Rules of Electronic Discovery


John Benson "jur1st"
Electronic Discovery Consultant

The legal community is slowly accepting that the changes to the Federal rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.

The changes to the Federal Rules change the way in which individuals and organizations approach their data, much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.

More frightening for individuals doing security research is the fact that these rules apply to the one-man research operation in the same way as to the multimillion-dollar conglomerate.

This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to) and will empower attendees with the knowledge they need to deal with this new legal environment.

John Benson currently works as an electronic discovery consultant at a large Kansas City law firm. A graduate of the University of Missouri from both Columbia and Kansas City campuses, he is a member of the Missouri Bar Association and serves as the chairman of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee. He has taught law, ethics and (oddly enough) finance as an adjunct professor at The Colorado Technical University. In 2008 he founded the Cowtown Computer Congress, a hackerspace and umbrella organization for the advancement of user-driven technology activities in Kansas City. He has presented at hacker cons around the country including LayerOne, Pumpcon, Shmoocon and DEFCON. He can be found on the DEFCON boards and assisting with radio communications at DEFCON. His website can be found at http://www.john-benson.com.


The emergence (and use) of Open Source Warfare


Peter Berghammer
CEO, Copernio Holding Company

The presentation will deal briefly (20 minutes) with the concepts surrounding Open Source Warfare (OSW) and broader adoption for use not only within the context of war fighting, but also its uses within the political arena in order to influence opinion.

The presentation will only deal with publicly available data, coupled with real world deployment examples. It WILL NOT contain any type of classified data or anything that can be construed as such.

OSW has become a highly lucrative area that covers topics such as computer security, shaping of potential battlefields and populations, and actual in-the-field uses of mutated electronic devices such as microwave ovens, model rockets and remote controlled aircraft, as well as computer based command and control protocols. What is so particularly interesting in this presentation (as well as the field itself) is how underfunded and ill-equipped insurgency (and counter-insurgency) groups can make use of off-the-shelf technology to fight against vastly better funded armies. It will also examine the communications methods of these groups, and how they approach not only Internet style communication (and in some cases set up their own superior communications networks) but also how they approach communications security.

Peter Berghammer, CEO of Copernio (founded 2001), is an accomplished aerospace, semiconductor and optical disc industry professional. Though best known for his marketing acumen, he also possesses a thorough understanding and appreciation for strategic alliances, acquisitions, and mergers. He is noted for the rapid expansion of The Copernio Holding Company, taking it from simply an IT solutions provider to an organization with divisions handling consulting, research, warehousing & logistics. Under his tenure, Copernio has expanded from a single location to an international corporation with warehouses and offices in over eighteen countries. His goal however has always remained the same: to assist clients in achieving their business objectives through the intelligent and efficient use of information technology and infrastructure. The Copernio Holding Company is headquartered in Huntington Beach, CA and Brussels, BE.


What To Do When Your Data Winds Up Where It Shouldn't


Don Blumenthal
DMB & Associates

Stories about the loss of sensitive data are becoming more common, and an untold number of others probably are not known because they were not covered by law or did not get the attention of regulators. A loss may happen when data is stolen or simply lost, or when a system is breached. Existing federal and state laws cover specific industries and prescribe particular responses, but pending legislative proposals threaten to expand coverage significantly. This presentation will discuss the relevant federal and state laws concerning disclosure of sensitive information. In addition, it will explore the elements of a plan for responding to a data loss and the considerations that occur should that plan have to be put into use. These plans, elements, and considerations are critical for addressing a data loss and for dealing with such disparate groups as regulators, the public, employees, and shareholders after your, and their, data is gone.

Don Blumenthal is a professional with over 20 years' proven experience in technology, law, and policy, and has worked on data breach matters from both the law enforcement and private sector sides. He is a consultant and attorney based in Ann Arbor, MI, specializing in data security and privacy issues, as well as other technology-related matters such as electronic discovery, spam, malware, and Internet evidence development. He also is a Senior Principal with Global Cyber Risk, LLC, of Washington, DC. In addition, Mr. Blumenthal is an adjunct professor in the University of Michigan School of Information and serves as a legal affairs SME for the Centre for Assurance Studies, an NSA Center of Academic Excellence in Information Assurance Education at the University of Detroit Mercy.


Working with Law Enforcement


Don M. Blumenthal
DMB & Associates

Security-related laws and regulations, with parallel privacy measures, are assuming an ever-expanding role in American society. As a result, the likelihood that an organization will receive a call, visit, subpoena, or letter from a law enforcement agency is constantly increasing. This program will address issues related to addressing these contacts. It will explore relevant legal questions but also the real world processes and considerations that should go into protecting private sector interests, and even lessening the burden of government inquiries. In addition, it will discuss considerations concerning proactive fostering of relationships with law enforcement to mutual benefit.

Don M. Blumenthal is a professional with over 20 years' proven experience in technology, law, and policy. He is a consultant and attorney based in Ann Arbor, MI, specializing in data security and privacy issues, as well as other technology-related matters such as electronic discovery, spam, malware, and Internet evidence development. He also is a Senior Principal with Global Cyber Risk, LLC, of Washington, DC. In addition, Mr. Blumenthal is an adjunct professor in the University of Michigan School of Information and serves as a legal affairs SME for the Centre for Assurance Studies, an NSA Center of Academic Excellence in Information Assurance Education at the University of Detroit Mercy.


Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol


Magnus Bråding
Security Researcher, Fortego Security

Recent years, and especially this past year, have seen a notable upswing in developments against online privacy around the world, primarily in the form of draconian surveillance and censorship laws (both passed and attempted) and ISPs being pressured into individually acting as both police and informants for commercial interests. Once such first steps are taken, it's of course also of huge concern how these newly created possibilities could be used outside of their originally stated bounds, and what the future of such developments may be.

There are no signs of this trend being broken anytime soon, and combined with the ever growing online migration of everything in general, and privacy sensitive activities in particular (like e.g. voting and all kinds of discussions and other personal groupings), this will in turn unavoidably lead to a huge demand for online anonymization tools and similar privacy means.

If not designed carefully though, such anonymization tools will yet again be easy targets for additional draconian legislation and directed (il)legal pressure from big commercial interests. Thus, a good, robust and theoretically secure design for an anonymization protocol and infrastructure is needed, which is exactly what is set out to be done with this project.

What is presented in this talk is the design of a protocol and complete system for anonymization, intended as a candidate for a free, open, community owned, de facto anonymization standard, vastly improving on existing solutions such as TOR, and having the following important main properties and design goals:

  1. Completely decentralized.

  2. No critical or weak points to attack or put (il)legal pressure on.

  3. Maximum resistance against all kinds of DoS attacks.
    - Direct technical destructive attacks will practically be the only possible way to even attempt to stop it.

  4. Theoretically secure anonymization.
    - Probabilistic methods (contrary to deterministic methods) must be used in a completely decentralized design like this, where no other peer can be trusted, so focus is put on optimizing these methods.

  5. Theoretically secure end-to-end transport encryption.
    - This is simple in itself, but still important in the context of anonymization.

  6. Completely (virtually) isolated from the "normal" Internet.
    - No one should have to worry about crimes being perpetrated from their own IP address.

  7. Maximum protection against identification of protocol usage through traffic analysis.
    - You never know what the next draconian law might be.

  8. Capable of handling larger data volumes, with acceptable throughput.
    - Most existing anonymization solutions are practically unusable for (or even prohibit) larger data volumes.

  9. Generic and well-abstracted design, compatible with all new and existing network enabled software.
    - Software application developer participation should not be needed, it should be easy to apply the anonymization to both new and already existing products like e.g. web browsers and file transfer software.

The Phantom protocol has been designed to meet all these requirements, and will be presented in this talk.

Magnus Bråding is a security researcher at (and co-founder of) Swedish IT security specialist firm Fortego Security.

His life-long passion for reversing, understanding and ultimately controlling any and all aspects and processes around him has resulted in, among other things, a solid security background with more than 15 years worth of experience within the fields of reverse engineering and network security and forensics. He is also a central contributor, maintainer and driving force behind one of the world's most long-running and well-known online reverse engineering resources.


Buying Time - What is your Data Worth? (A generalized Solution to distributed Brute Force attacks)


Adam Bregenzer
Security Researcher

Brute Force attacks are often marginalized as a user issue or discounted as a non-issue because of sufficient password complexity. Because rainbow tables have provided a re-invigoration of this type of attack, maintaining password security is simply not enough. In this session, I will be releasing a framework for easily creating a brute force attack tool that is both multithreaded and distributed across multiple machines. As computing power continues to grow along with the ability to rent cycles and storage space, it becomes reasonable to add a money-time trade-off to brute force and dictionary attacks. Distributed computing combined with rainbow tables means brute force attacks can now be very effective. I will present a version of a popular brute force tool which I modified to increase its speed by several orders of magnitude. Additionally I will demonstrate how to adapt an existing tool to utilize this framework.

Adam Bregenzer is actively involved in technology research and development. As a charter member of the kaos.theory computer security consortium, he developed and presented various projects to the Information Security industry at a number of national conventions. He was a contributing author to the O'Reilly Series of programming manuals. He developed a number of nationally recognized websites and projects receiving worldwide press from Wired News, the New York Times, The Register, the Boston Globe, and the LA Times.


ModScan: A SCADA MODBUS Network Scanner


Mark Bristow
Security Researcher

ModScan is a new tool designed to map a SCADA MODBUS TCP based network. The tool is written in Python for portability and can be used on virtually any system with few required libraries. The presentation includes a demonstration of the ModScan scanner as well as a rundown of the various features and modes available. I will also be covering the MODBUS and MODBUS TCP protocols, including packet construction and communication flows. A brief SCADA primer is also included for the education of the audience.
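
To show the framing the talk covers, here is an added Python example (written for this page; it is not ModScan's code) that builds a MODBUS TCP Read Holding Registers request, parses normal and exception responses, and sweeps unit IDs the way a scanner maps a segment. The MBAP header layout, function code 0x03 and the exception codes come from the public Modbus application protocol specification; the transport callable, the `scan` classification and the sample device answers in `fake_exchange` are constructed for the demo.

```python
import socket
import struct

# Modbus/TCP frame = MBAP header + PDU. MBAP: transaction id, protocol id (always 0),
# length (= unit id byte + PDU bytes), unit id. All fields big-endian (per the Modbus spec).
MBAP = struct.Struct(">HHHB")
READ_HOLDING_REGISTERS = 0x03
EXCEPTIONS = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
              3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE",
              10: "GATEWAY PATH UNAVAILABLE", 11: "GATEWAY TARGET FAILED TO RESPOND"}


def build_read_holding_registers(transaction_id, unit_id, start_addr, count):
    """Request PDU: function code, starting address, quantity of registers (1..125)."""
    if not 1 <= count <= 125:
        raise ValueError("quantity must be 1..125")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, count)
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_response(frame):
    """Decode one response frame into a dict; raises ValueError on malformed input."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if proto != 0 or len(pdu) != length - 1:
        raise ValueError("bad protocol id or length field")
    fc = pdu[0]
    out = {"tid": tid, "unit": unit, "function": fc & 0x7F}
    if fc & 0x80:  # exception response: function | 0x80, then one exception code
        if len(pdu) != 2:
            raise ValueError("bad exception PDU")
        out["exception"] = pdu[1]
        out["reason"] = EXCEPTIONS.get(pdu[1], "UNKNOWN")
    elif fc == READ_HOLDING_REGISTERS:
        byte_count = pdu[1]
        if byte_count != len(pdu) - 2 or byte_count % 2:
            raise ValueError("byte count does not match payload")
        out["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:]))
    else:
        out["data"] = pdu[1:]
    return out


def tcp_transport(host, port=502, timeout=2.0):
    """Real transport: one request/response per call over a persistent TCP connection
    (not exercised offline). Returns None on timeout, which scan() reads as 'no device'."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def exchange(request):
        sock.sendall(request)
        try:
            return sock.recv(260)  # a Modbus/TCP ADU is at most 260 bytes
        except socket.timeout:
            return None
    return exchange


def scan(exchange, unit_ids, start_addr=0, count=1):
    """Probe each unit id with a one-register read and classify the answer.
    A data reply or an exception both prove a device is listening on that id."""
    results = {}
    for tid, uid in enumerate(unit_ids, start=1):
        reply = exchange(build_read_holding_registers(tid, uid, start_addr, count))
        if reply is None:
            results[uid] = "no response"
            continue
        try:
            parsed = parse_response(reply)
        except ValueError as exc:
            results[uid] = "malformed: %s" % exc
            continue
        if parsed["tid"] != tid:
            results[uid] = "transaction id mismatch"
        elif "exception" in parsed:
            results[uid] = "present (exception: %s)" % parsed["reason"]
        else:
            results[uid] = "present, registers=%s" % parsed["registers"]
    return results


# Constructed stand-in for a network segment: unit 1 answers with two registers,
# unit 2 rejects the address, every other id is silent.
def fake_exchange(request):
    tid, _, _, uid = MBAP.unpack_from(request, 0)
    if uid == 1:
        return struct.pack(">HHHB", tid, 0, 7, uid) + bytes([0x03, 0x04, 0x00, 0x0A, 0x01, 0x2C])
    if uid == 2:
        return struct.pack(">HHHB", tid, 0, 3, uid) + bytes([0x83, 0x02])
    return None


if __name__ == "__main__":
    for uid, status in scan(fake_exchange, range(1, 5)).items():
        print("unit %3d: %s" % (uid, status))
```

Note that an exception reply is as informative as a data reply for mapping purposes: the device exists and speaks Modbus, it just rejected that register or function. MODBUS has no authentication, so these reads are indistinguishable from legitimate HMI traffic, which is why ModScan-style reconnaissance should only be run against networks you are authorized to test.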

Mark is a Certified SCADA Security Architect with three years' experience in the information assurance business. He has done research and analysis of the SCADA MODBUS and MODBUS TCP protocols leading to the development of his ModScan tool. In addition to his SCADA work, Mark is a Web Application Security penetration tester and consultant. He regularly speaks at local events in DC and VA and frequently conducts training on the subject. Mark received his bachelor's degree in Computer Engineering from The Pennsylvania State University.


Deciphering Captcha


Michael Brooks
Security Engineer, Fruition Security

This presentation will detail two methods of breaking captcha. One uses RainbowCrack to break a visual captcha. The other uses fuzzy logic to break an audio captcha. Both methods are 100% effective. These are real attacks that affect real world software: CVE-2008-2020 and CVE-2008-2019. Exploit code is available to the public.

Michael Brooks is a puzzle master. Some people like Sudoku, but Michael likes hacking. Michael is a Computer Science student at Northern Arizona University. Michael has worked in web application development, penetration testing as well as other forms of software quality control. Currently he works in the financial industry for https://www.paythentrade.com/ as a security engineer. Michael has recently started the website: http://www.rooksecurity.com/ . As you can see, Michael has published a wide range of real world attacks against web applications.

Exploit code written by Michael:
http://milw0rm.com/author/677

CVE's from Michael:
CVE-2008-2019, CVE-2008-2020, CVE-2008-2043, CVE-2007-6471, CVE-2007-6459, CVE-2007-6458, CVE-2007-0134, CVE-2007-0132, CVE-2007-0130, CVE-2006-6781, CVE-2006-3208, CVE-2006-3207, CVE-2006-3206, CVE-2006-3205, CVE-2006-3204, CVE-2006-3203.


CSRF Bouncing†


Michael Brooks
Security Engineer, Fruition Security

In this talk I will be discussing Exploit Chaining in Web Applications and CSRF. I will discuss the surface area problem in security and how to gain access to a larger attack surface using CSRF. I will detail the process I used to find and exploit a vulnerability in a real world application. I will discuss how to have fun in a sandbox and defeating CSRF protection. I will also talk about the defenses against these attacks. I will be releasing an 0-day exploit and provide a machine for the audience to break into.

Michael Brooks is a security researcher engaged in exploit development. Michael is interested in real world attacks as well as new methods of exploitation. He enjoys finding flaws in applications and writing exploit code. http://milw0rm.com/author/677

CVE's from Michael:
CVE-2008-2019, CVE-2008-2020, CVE-2008-2043, CVE-2007-6471, CVE-2007-6459, CVE-2007-6458, CVE-2007-0134, CVE-2007-0132, CVE-2007-0130, CVE-2006-6781, CVE-2006-3208, CVE-2006-3207, CVE-2006-3206, CVE-2006-3205, CVE-2006-3204, CVE-2006-3203.

Michael is a computer science student at Northern Arizona University. Michael has successfully worked in penetration testing as well as software quality control. Currently he works for http://fruitionsecurity.com/ as a security engineer and recently started the website: http://www.rooksecurity.com/


Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer
(practical low level attacks against x86 pre-boot authentication software)


Jonathan Brossard
Lead Security Researcher, Iviz

Pre-boot authentication software, in particular full hard disk encryption software, plays a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high value pre-boot authentication software products, including the latest Microsoft disk encryption technology: Microsoft Vista's BitLocker, with TPM chip enabled. Because pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interrupts responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input, including plain text passwords, remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage, combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer, can lead to computer reboot without console access and full security bypass of the pre-boot authentication PIN if an attacker has enough privileges to modify the bootloader. Other related work includes information leakage from CPU caches, reading physical memory via FireWire and switching CPU modes.
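
The "given physical location" the abstract refers to is the BIOS Data Area keyboard ring buffer. The layout used below (segment 0x40: head pointer at offset 0x1A, tail at 0x1C, 16 two-byte entries from 0x1E, ring start/end pointers at 0x80/0x82) is the standard x86 BIOS layout, not something the page itself states. The decoder is an added Python example written for this page, not Jonathan Brossard's code: it separates what INT 16h would still hand back (the entries between head and tail) from the residue every slot keeps after the pre-boot prompt has consumed the keys, which is the leak the abstract describes. The constructed BIOS Data Area image and the scancode table are assumptions for the demo; `read_live_bda` is only a sketch of pointing the same decoder at physical memory on Linux (root, and a kernel that still exposes the first megabyte through /dev/mem, are assumed).

```python
import struct

# Standard x86 BIOS Data Area (physical 0x400); offsets are relative to segment 0x40.
BDA_PHYS = 0x400
KBD_HEAD = 0x1A       # word: offset of the next entry INT 16h will return
KBD_TAIL = 0x1C       # word: offset of the next free entry
KBD_BUF_START = 0x80  # word: first offset of the ring (default 0x1E)
KBD_BUF_END = 0x82    # word: one past the last offset (default 0x3E -> 16 entries of 2 bytes)

# Set 1 make codes for a-z, enough for the demo (assumed table, not from the page).
SCANCODES = dict(zip("qwertyuiop", range(0x10, 0x1A)))
SCANCODES.update(zip("asdfghjkl", range(0x1E, 0x27)))
SCANCODES.update(zip("zxcvbnm", range(0x2C, 0x33)))


def ring_slots(start, end, head, tail, full=False):
    """Entry offsets from head up to tail in keystroke order, wrapping at the ring end.
    With full=True the whole ring is returned starting at head (used to dump residue)."""
    size = end - start
    n = size // 2 if full else ((tail - head) % size) // 2
    return [start + (head - start + 2 * i) % size for i in range(n)]


def decode_keyboard_buffer(bda):
    """bda: bytes copied from physical 0x400. Returns pending keys (still unread)
    and residue (everything left in the ring, oldest first) as ASCII strings."""
    head, tail = struct.unpack_from("<HH", bda, KBD_HEAD)
    start, end = struct.unpack_from("<HH", bda, KBD_BUF_START)
    if not (0x1E <= start < end <= len(bda)) or (end - start) % 2:
        raise ValueError("implausible ring bounds %#x..%#x" % (start, end))
    if not (start <= head < end and start <= tail < end):
        raise ValueError("head/tail outside ring")
    pending = "".join(chr(bda[off]) for off in ring_slots(start, end, head, tail))
    # tail is the oldest slot (the next one to be overwritten), so walking the full ring
    # from there yields residue in the order it was typed; unused slots hold zero.
    residue = "".join(chr(bda[off]) for off in ring_slots(start, end, tail, tail, full=True)
                      if bda[off] != 0)
    return {"head": head, "tail": tail, "pending": pending, "residue": residue}


def sample_bda(typed="secret", consumed=6):
    """Constructed image of the BDA after `typed` was keyed in and a pre-boot prompt
    read `consumed` characters with INT 16h. Reads advance head but never clear slots."""
    if len(typed) >= 16:
        raise ValueError("demo keeps the ring from wrapping")
    bda = bytearray(0x100)
    struct.pack_into("<HH", bda, KBD_BUF_START, 0x1E, 0x3E)
    for i, ch in enumerate(typed):
        # each entry: low byte ASCII, high byte scan code
        struct.pack_into("<BB", bda, 0x1E + 2 * i, ord(ch), SCANCODES.get(ch, 0))
    struct.pack_into("<HH", bda, KBD_HEAD, 0x1E + 2 * consumed, 0x1E + 2 * len(typed))
    return bytes(bda)


def read_live_bda(path="/dev/mem"):
    """Sketch for a live system: needs root and a kernel that exposes low memory."""
    with open(path, "rb") as mem:
        mem.seek(BDA_PHYS)
        return mem.read(0x100)


if __name__ == "__main__":
    print(decode_keyboard_buffer(sample_bda()))             # nothing pending, 'secret' remains
    print(decode_keyboard_buffer(sample_bda("secret", 4)))  # 'et' pending, 'secret' remains
```

The fix on the software side is the one the abstract implies: after reading the passphrase, overwrite the 32 bytes of the ring (not just reset head and tail) before handing control to the operating system, since the OS later maps that page and anything with physical memory access can read it.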

Jonathan Brossard is French, and has recently moved to India to build and lead the research and exploitation team of Iviz (http://www.ivizindia.com/iviz/aboutus.html). Jonathan's daily activities involve exploit writing, reverse engineering, code auditing and research in disruptive low level hacking methodologies.

Before moving to India, Jonathan worked as a security researcher in the defense area in France for Sagem Defense Securite, where he designed and patented new protection schemes for protecting applications against reverse engineering on GNU/Linux. Prior to that, he also worked at Edelweb, a pioneering French pentesting consultancy. He therefore has experience with both ends of the security industry...

During college, Jonathan was employed as a network administrator of one of the major school networks in France, which gave him a strong taste for networking and network security.

Jonathan started getting interested in low level security issues more than 10 years ago, when he learnt x86 asm under MS-DOS. Many things have changed since those good old times of real mode OSes, but there is still room for surprises... Low level attacks involving deep knowledge of computer internals are not dead... just read the paper ;) Jonathan would also like to mention his ties to excellent security research groups such as pulltheplug.org and blacksecurity.org: this is where public information ends and where security research begins...


Grendel-Scan: A new web application scanning tool


David Byrne
Security Consultant, Trustwave
Eric Duprey
Senior Security Engineer, Dish Network

While commercial web application scanners have been available for quite a while, the selection of open source tools has been limited. Grendel-Scan is a new tool that aims to provide in-depth application assessment. Written entirely in Java and featuring an easy to use GUI, the tool is intended to be useful to a wide variety of technical backgrounds: from IT security managers, to experienced penetration testers.

Grendel-Scan can test for authentication and authorization bypass, SQL injection (blind and error-based), XSS, CRLF injection / response splitting, session key strength, session fixation, file/directory/backup enumeration, directory indexing, web server mis-configuration, and other vulnerabilities. Exploration of the web application can be accomplished through an embedded proxy server, via automated spidering, or search engine reconnaissance.

The accuracy of the testing is increased by powerful features such as automatic detection and correction of logged out sessions, heuristic file-not-found detection, and an embedded HTML DOM parser and JavaScript engine for full page analysis. Grendel-Scan was architected with extensibility in mind. Powerful libraries offering features such as input/output tracing, session tracking, or HTML DOM comparisons make the development of new test modules much easier.
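
Heuristic file-not-found detection matters because many applications answer a missing path with HTTP 200 and a friendly page, which makes status-based enumeration report every guessed file as present. The Python below is an added example written for this page, not Grendel-Scan's implementation: it fingerprints the site's response to random, certainly-missing paths and treats any later response that matches that fingerprint as not found. The similarity threshold, the normalization rules and the constructed `fake_fetch` site are assumptions for the demo.

```python
import difflib
import re
import secrets


def normalize(body, path=""):
    """Strip what legitimately varies between two 'not found' pages before comparing:
    the echoed request path, digits (timestamps, request ids) and whitespace runs."""
    if len(path) > 1:  # never strip a bare "/", it would mangle every href
        body = body.replace(path, "")
    body = re.sub(r"\d+", "", body)
    return re.sub(r"\s+", " ", body).strip().lower()


def similarity(a, b):
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


class NotFoundDetector:
    """Learn what this site returns for paths that certainly do not exist, then judge
    each real probe against that fingerprint instead of trusting the status code."""

    def __init__(self, fetch, threshold=0.9, probes=3):
        self.fetch, self.threshold = fetch, threshold
        self.samples = []  # (status, normalized body) per random probe
        for _ in range(probes):
            path = "/" + secrets.token_hex(8)
            status, body = fetch(path)
            self.samples.append((status, normalize(body, path)))

    def is_not_found(self, path, status, body):
        if status == 404:
            return True
        norm = normalize(body, path)
        return any(status == s and similarity(norm, ref) >= self.threshold
                   for s, ref in self.samples)

    def exists(self, path):
        status, body = self.fetch(path)
        return not self.is_not_found(path, status, body)


def naive_exists(fetch, path):
    """The status-only rule a scanner without the heuristic would apply."""
    status, _ = fetch(path)
    return status != 404


def enumerate_paths(detector, wordlist):
    return [path for path in wordlist if detector.exists(path)]


# Constructed demo site (no network): two real pages, and a 200 'not found' page that
# echoes the path and a changing request counter for everything else.
PAGES = {
    "/": "<html><body><h1>Acme Portal</h1><a href='/login'>Login</a></body></html>",
    "/login": "<html><body><form action='/login' method='post'><input name='user'>"
              "<input name='pass' type='password'></form></body></html>",
}
_requests = [0]


def fake_fetch(path):
    _requests[0] += 1
    if path in PAGES:
        return 200, PAGES[path]
    return 200, ("<html><body><h1>Acme Portal</h1><p>Sorry, %s could not be found."
                 " Request %d</p></body></html>" % (path, _requests[0]))


if __name__ == "__main__":
    wordlist = ["/", "/login", "/admin/", "/backup.zip", "/.git/config"]
    print("naive:    ", [p for p in wordlist if naive_exists(fake_fetch, p)])
    print("heuristic:", enumerate_paths(NotFoundDetector(fake_fetch), wordlist))
```

Sampling several random paths rather than one lets the detector tolerate per-request noise; the same fingerprint idea, applied to the login page instead of the error page, is how a scanner notices that its session has been logged out mid-scan.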

The presentation will feature an overview of the application's design, results of comparative analysis against similar tools, and a live demonstration of the tool using a real application (not an intentionally vulnerable app).

David Byrne is a penetration tester in Trustwave's SpiderLabs division. David was also the founder of the Denver chapter of the Open Web Application Security Project (OWASP).

Eric Duprey is a Senior Security Engineer with Dish Network and leader of the Denver chapter of OWASP.


Building a Real Session Layer


D.J. Capelis

It's past time for a session layer. It's time to replace port knocking with a real authentication framework. It's time to do what DNS did with IP addresses to port numbers. It's time to run services over NATs, eliminate the need for vhosts in your webserver and provide optional transparent encryption for any client who wants it. In this talk, we'll do that and a couple other tricks... within the framework of a little-known RFC that was written almost 2 decades ago.

D.J. Capelis spends his time at University of California, San Diego eating pizza. A portion of the remaining time is dedicated to research on building more secure computer systems. His latest research areas include building trusted platforms that aren't evil, looking for the next hot thing among old ideas and raining on the parades of people who think virtualization is a wonderful idea for production systems. He yearns for a time when XML was a scary dream, SPRITE would transparently migrate your processes between machines and real programmers had an inexplicable hatred for quiche.


Hacking E.S.P.


Joe Cicero
Network Specialist Instructor, Northeast Wisconsin Technical College
Michael Vieau
Independent security researcher

Have you gone to school? Are you going to school? Do you work at a school? How do you prove you went to a particular high school, college or university? FACT: Educational institutions MUST keep your personal/confidential information. Therefore, your personal/confidential information might be at risk! This presentation will be about typical software packages found at educational institutions and their vulnerabilities. We will use known attacks to show new vulnerabilities in several typical educational software packages. The presentation will focus on the vulnerabilities, what tools were used to find them, and why successfully exploiting a weak system will allow you to gain access to a secure system.

Joe Cicero is currently a Network Specialist Instructor for Northeast Wisconsin Technical College, where he specializes in teaching Linux, Network Security, and Computer Forensics courses. He is originally from Green Bay and in 1985 he joined the Marines. His final duty assignment was as the Operations Chief for Tactical Warfare Simulations Evaluations Analyses Systems (TWSEAS) where he traveled the world conducting training through use of computer simulations.

Michael Vieau is an independent security researcher located in the United States where he conducts security assessments and penetration tests on new and existing technology for various customers (and sometimes just for fun). His main focus is on *NIX security, mobile devices, and wireless security. He comes from a wide technical background ranging from network infrastructure to programming, instructing, and of course security.


Hacking Desire


Ian Clarke
CEO, Uprizer Labs LLC & Coordinator, The Freenet Project

What do you want? This is the question that almost every commercial organization on the planet thinks they have an answer to, but do they? Figuring out what people want is essentially a process of reverse engineering human needs, desire, and preference. It turns out that hackers are particularly adept at reverse engineering, so what happened when we applied our skills to reverse engineering what you, and everyone else, wants?

This talk will describe how we constructed a model for how the human mind decides what it wants, and then customized this model to imitate particular individuals, and thus anticipate specifically what they want. I will demonstrate the effectiveness of this approach on guessing how much particular users will like particular movies, based on the feedback they've given to a popular movie rental website. I'll also discuss flaws in how "collaborative filters" are designed, and measured, and explain why our approach is an improvement.

This talk will discuss sophisticated ideas in machine learning and artificial intelligence, but no background in these topics will be required for attendees.

Ian Clarke is a Computer Scientist and Entrepreneur, with a track record of both technical and business innovation, and an outspoken thinker and activist on issues relating to freedom of speech, intellectual property law, and technology. Ian is the founder and coordinator of the Freenet Project; designed to allow true freedom of communication, Freenet was the first decentralized anonymous peer-to-peer network, and a precursor of the "distributed hashtable" data structure. Ian has also founded a number of innovative and diverse commercial ventures, including Revver, the first online video website to share revenue with video creators, and Thoof, a collaboratively generated personalized news website. Ian has a degree in Artificial Intelligence and Computer Science from Edinburgh University, Scotland.


Climbing Everest: An Insider's Look at one state's Voting Systems


Sandy Clark "Mouse"
University of Pennsylvania

Hanging Chads, Hopping votes, Flipped votes, Tripled votes, Missing memory cards, Machine malfunctions, Software glitches, Undervotes, Overvotes. Reports of voting machine failures flooded the news after the last elections and left most voters wondering "Does my vote really count?" "Can these electronic voting machines be trusted?" "How secure are my state's voting systems?"

In December 2007, we published an in depth, source code and hardware analysis of all the voting systems used by the state of Ohio, funded by the Ohio Secretary of State. Come find out what we learned, and draw your own conclusions.

Sandy Clark, "Mouse" has been taking things apart since the age of two, and still hasn't learned to put them back together. Luckily, in the University of Pennsylvania's Distributed Systems Lab, this behavior is actively encouraged. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game, not the person) and infrastructure hacking. Her research explores human scale security and the unexpected ways that systems interact.


Could Googling Take Down a President, a Prime Minister, or an Average Citizen?


Greg Conti
United States Military Academy

Every time we use the web, we disclose tremendous amounts of information to ISPs, Internet backbone providers, and online companies; information that will be shared and data mined, but rarely discarded. Email addresses, phone numbers, aggregated search queries, cookies, IP addresses - any unique feature of our behavior provides a mechanism to link, profile, and identify users, groups, and companies. From these revelations all aspects of our daily lives emerge, including our activities, locations, and social networks. Making matters worse, ubiquitous advertising networks, dominant online companies, complicit network providers, and popular web analytic services possess the ability to track, and in some cases, eavesdrop on and modify our online communications.

The AOL dataset debacle and subsequent public outrage illustrated one facet of the problem - Search. This talk covers all aspects of the problem, including end user computers, network providers, online companies, and advertising networks. It also includes countermeasures to help protect your personal and organizational privacy. It is important to note that the research presented is the inverse of Google Hacking, which strives to retrieve sensitive information from the databases of search engines. This talk instead focuses on what information online companies can pull from you, as well as what network providers can see and modify. The long-term implications of web-based information disclosure are profound. Interaction by interaction we are ceding power to ISPs and online companies, disclosures which may one day alter the course of elections, remove world leaders from power, or cause the outspoken citizen to disappear from the web.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy, West Point, NY. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.


Compromising Windows Based Internet Kiosks


Paul Craig
Principal Security Consultant, Security-Assessment.com

Internet Kiosks have become commonplace in today's Internet-centric society. Public Internet Kiosks can be found everywhere, from airports, train stations, libraries and hotels to corporate lobbies and street corners. Kiosks are used by thousands of users daily from all different walks of life, creed, and social status.

Internet kiosk terminals often implement custom browser software which rely on proprietary security mechanisms and access controls. Kiosks are designed to limit the level of access a user has to the Internet kiosk, and attempt to thwart malicious activity. Kiosk users are prohibited from accessing the Kiosk's local file system, or the surrounding local network attached to the Kiosk. The only guaranteed functionality is a "secured" web-browser. For a service so common-place, there has been practically zero research regarding the security of Internet Kiosk software. This talk will cover Internet Kiosk software exploitation techniques, and demonstrate multiple methods of compromising Windows based Internet Kiosk terminals.

Paul Craig is a principal security consultant at Security-Assessment.com based in Auckland, New Zealand. Paul is a kiwi hacker with a passion for breaking technology whenever possible. It's highly suggested to buy Paul a beer whenever possible.


Shifting the Focus of WiFi Security: Beyond cracking your neighbor's WEP key


Thomas d'Otreppe de Bouvette "Mister_X"

Rick Farina "Zero_Chaos"

In this talk we will discuss the paradigm shift of WiFi attacks away from the Access Points and toward the clients. We will cover in depth how simple tricks such as HoneyPot Access Points or even hotspotter simply are not enough anymore and how more flexible and powerful methods are being developed and used. The older, dated technologies built into Access Points for ensuring network security have failed the test of time, paving the way for new overlay security vendors to begin selling "Wireless Intrusion Detection and Prevention Systems" to fill the gap left by the Access Point manufacturers and the IEEE 802.11 committee.

We will explore a variety of features of these devices, and see which claims stack up and which ones do not. Finally, we will explore a new frontier for WiFi networks: licensed frequencies. Many vendors currently ship IEEE 802.11-compliant devices that operate on non-public bands. We will explore what types of things you can find with some simple driver modifications and why the current generation of tools needs to improve to play by these new rules. If you want to learn about what wireless hacking will look like in the coming year, instead of just cracking WEP, you can't afford to miss this talk.

Thomas d'Otreppe is the creator of Aircrack-ng and also designed the WiFu course (Offensive-security) with Mati Aharoni.

Rick Farina is a member of the aircrack-ng team and has been working with wireless security for 8 years. In the past Rick has been involved in low-level network hacking such as ettercap and generally enjoys hanging out at layer 2.


Hacking Data Retention: Small Sister your digital privacy self defense


Brenno De Winter
J.S.A.A.F., De Winter Information Solutions

Over the last couple of years a range of privacy threats have been occurring. Europe is starting to look like the playing field of what is to come to the US: storage of all e-mail traffic, online presence, phone calls, actual traveling throughout nations and filtering of content. Fortunately, a closer look at the measures shows that it is never smart to overestimate the abilities European governments have, and digital self defense is possible. But we don't want to underestimate the threat either, so we look at how the effects of these measures can be greatly reduced and how we can have fun online again. This knowledge is something we probably want to extend to many people to help them reclaim their digital rights with the use of simple and existing technologies. The Small Sister Project shows you how to do that and delivers the tools to make that easier. Learn how simple measures can make a huge difference.

Brenno De Winter started experimenting with security at the age of 9. He has a background in open source that dates back to 1993 and he contributed to several projects like MySQL, GnuPG, Gnucomo (Gnu Computer Monitoring) and recently started the Small Sister project for privacy-friendly internet usage. In his daily job he practices security, teaches it and works as an IT journalist. His writings have triggered several debates in parliament and often raise questions.


Security and anonymity vulnerabilities in Tor: past, present, and future


Roger Dingledine
Project leader, The Tor Project

There have been a number of exciting bugs and design flaws in Tor over the years, with effects ranging from complete anonymity compromise to remote code execution. Some of them are our fault, and some are the fault of components (libraries, browsers, operating systems) that we trusted. Further, the academic research community has been coming up with increasingly esoteric --- and increasingly effective! --- attacks against all anonymity designs, including Tor.

Roger will walk through some of the most egregious bugs and design flaws we've had, and give some intuition about lessons learned building and deploying the largest distributed anonymity network ever. Then he'll outline the wide variety of current vulnerabilities we have, explain what they mean for our users, and talk about which ones we have a plan for and which ones will continue to be a pain for the coming years. Last, we'll speculate about categories and topics that are likely to introduce new problems in the future.

Roger Dingledine is project leader for The Tor Project. The Tor network has grown to over 1500 relays handling traffic for hundreds of thousands of users daily. In the past few years The Tor Project has also gotten an increasingly diverse set of funders, become an official 501(c)(3) nonprofit, and expanded its community of both volunteer and funded developers.

In addition to all the hats he wears for Tor, Roger organizes academic conferences on anonymity and security, speaks at industry and hacker cons, and does tutorials on anonymity for national and foreign law enforcement.


Next Generation Collaborative Reversing with IDA Pro and collabREate


Chris Eagle
Associate Chairman of the Computer Science Dept, Naval Postgraduate School (NPS)
Tim Vidas
Research Associate, Naval Postgraduate School (NPS)

A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's IDA Sync provided a first step towards automated collaboration among IDA users; however, IDA Sync suffers from several shortcomings, including the fact that it has failed to keep pace with the evolution of IDA's internal architecture. In this presentation, the authors present a new tool titled collabREate designed to bring nearly effortless collaboration to IDA users. The talk will include discussion of the IDA API and the ways in which it facilitates collaboration along with the ways in which it hinders collaboration. The design of a robust server component, responsible for managing projects and connected clients, will also be discussed along with a number of capabilities beyond simple collaboration that are enabled via the collabREate architecture.

Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 23+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Toorcon, CodeCon, and Shmoocon and is the author of the upcoming "The IDA Pro Book". In his spare time he heads up the Sk3wl of r00t CTF team and can be found pulling all-nighters at Defcon.

Tim Vidas is a Research Associate in the Computer Science Department at the Naval Postgraduate School (NPS). His current primary research focuses around high assurance trusted computing, but his interest also strays to digital forensics, reverse engineering, and the like. He maintains several academic affiliations and has previously spoken at conferences such as Shmoocon, CanSecWest, DC3 and HTCIA. In his free time he toys around with digital forensics competitions, CTF exercises, and any other interesting-looking challenges.


Markets for Malware: A Structural Economic Approach


Brian K. Edwards
Economist, Los Alamos National Laboratory
Silvio J. Flaim
Economist, Los Alamos National Laboratory

Much literature has addressed the issue of the relative sizes of shadow economies in different countries. What is largely missing from this discussion is a more structured discussion on how to incorporate estimates of shadow economic activity into the national income accounting framework and a discussion of how the shadow components of specific industries can be analyzed in either an input-output or macroeconomic framework. After a brief discussion of existing estimates of black market activity, we discuss how black market activities might be measured and incorporated in standard economic models of the economy. We then focus particular attention on the malware industry and discuss how malware activity influences other economic activity (both official and shadow) and discuss possible methods of how malware activity can be estimated, and how the contribution of malware to overall economic activity can be measured. Finally, we discuss how the methods used to integrate malware economic activity into the national income accounts can be applied to other sectors of the economy, and hence how to develop an alternative measure of the size of the shadow economy. With a new baseline incorporating these "shadow" activities, the economic model is used to examine questions such as: What is the net economic contribution of malware and other shadow economic activity? What would be the economic impact of eliminating malware and other shadow activity in all its forms?

Brian K. Edwards received his Ph.D. in economics from the University of California, San Diego, in 1984 and has over twenty years of experience in economic modeling, econometrics, macroeconomic and regional economic modeling, forecasting, and in energy, environmental, and natural resource economics. He has published numerous reports, academic publications, and recently authored a book, The Economics of Hydroelectric Power (2003). He is currently the Team Lead of the Socio-Economics Network Team of the Decision Analysis Division of Los Alamos National Laboratory. He has also held economist positions at the National Marine Fisheries Service, U.S. Government Accountability Office, Argonne National Laboratory, LECG, and RCF Economic and Financial Consulting. He also has a private consulting practice, Brian K. Edwards Associates.


Panel: All Your Sploits (and Servers) Are Belong To Us:
Vulnerabilities Don't Matter (And Neither Does Your Security)


David Mortman
CSO in Residence, Echelon One
Rich Mogull
Securosis
Chris Hoff
Unisys
Robert "RSnake" Hansen
CTO, SecTheory
Robert Graham
CTO, Errata Security
David Maynor
CTO, Errata Security

Think that latest buffer overflow or XSS exploit matters? It doesn't. Think your network is secure because you have the latest and greatest IPS? It isn't. The truth is all exploits or defenses on their own are worthless; it's how you use your tools and respond to incidents that really matters. This panel, composed of top vulnerability and security researchers, will roll through a rapid-fire series of demonstrations as they smash through the security of popular consumer and enterprise devices and systems, often using simple techniques rather than the latest 0day exploits (but we'll see a few of those too). They'll then debate the value of any single attack vector or defense, and show how it's the practical application of attacks, defenses, and (more importantly) responses that really matters. From iPhones to browsers to SCADA, it isn't your advanced attack or defensive tool that matters, it's what you do with it.

As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at the RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist and speaker at RSA 2007, InfoSecurity 2003, Blackhat 2004, 2005, 2006 and 2007, Defcon 2005, 2006 and 2007 and Information Security Decisions 2007 as well. Mr. Mortman sits on a variety of advisory boards including Qualys, Applied Identity and Reflective amongst others. He holds a BS in Chemistry from the University of Chicago.

Robert "RSnake" Hansen (CISSP) is the Chief Executive Officer of SecTheory. SecTheory is a web application and network security consulting firm. Robert has been working with web application security since the mid-90s, beginning his career in banner click fraud detection at ValueClick. Robert has worked for Cable & Wireless heading up managed security services, and at eBay as Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-cross-site scripting, and anti-virus strategies. Robert also sits on the technical advisory board of ClickForensics and contributes to the security strategy of several startup companies. Robert is best known for founding the web application security lab at ha.ckers.org and co-authoring XSS Exploits and Defense. Robert is a member of WASC, IACSP, and ISSA, and contributed to the OWASP 2.0 guide.

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS, written more than 10 years ago, was designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. Previously he was the chief scientist of Internet Security Systems. Before that he was the co-founder, CTO, and chief architect of Network ICE, which was acquired by Internet Security Systems.

David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team, where his primary responsibilities included reverse engineering high-risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at the Georgia Institute of Technology (GaTech), with the last two years as part of the information security group as an application developer, helping to make the sheer size and magnitude of security incidents on campus manageable.


Panel: Black vs. White: The complete life cycle of a real world breach


David Kennedy
Practice Lead: Profiling & e.Discovery, SecureState
Ken Stasiak
President & CEO, SecureState
Scott White
Senior Security Consultant, SecureState
John Melvin
Senior Security Consultant, SecureState
Andrew Weidenhamer
Staff Security Consultant, SecureState

Black vs. White: The complete life cycle of a real world breach combines a unique idea with a real-world case study from a client of ours, following a hack from its start through identification, forensics, and reversing. We will be discussing some advanced penetration techniques and reversing topics. Starting off, we will be performing a full system compromise from the internet (complete with live demos), installing some undetectable viruses, and having a separate team reverse it and show you what it's doing and how it works. This is the ultimate battle of evil versus good.

Additionally, what would a con be without some awesome tool releases? We will be releasing (and demoing) two tools: a Windows GUI for the Windows folks that does everything for SQL injection rooting, minus making you breakfast, and a Linux-based tool that auto-crawls a site and performs blind/error-based SQL injection with reverse command shells, using various options for payload delivery.

David Kennedy CISSP, GSEC, MCSE 2003, is the practice lead for the profiling and e.Discovery group at SecureState, a Cleveland, Ohio-based security consulting company. David has been in the security field for over eight years. David has released tools in the past, including the popular Python-based tool called Fast-Track, included in Back|Track 3. David is also a contributor to the Back|Track suite. David runs a team of highly skilled security individuals that perform penetration tests on large to mid-sized businesses. Some of our clients include top ten banks, Fortune 500/1000 companies, and multi-billion dollar organizations. Prior to SecureState, David worked for the National Security Agency (N.S.A.) in a specialized security group as an active duty Marine. David has developed several security-related systems for the DoD that are still in use today. David has presented at several speaking engagements including the international INFOSEC summit, the international HTCIA, and various other large-scale forums.

Ken Stasiak CISSP, CISA, GSEC, CISM, QSA, is the president and CEO of SecureState and has been involved in security for over fourteen years. Ken originally began his security career at Ernst & Young, where he had the privilege of working with extremely talented people including Jeff Moss and the original founders of Foundstone. After E&Y, he moved to Arthur Andersen, where he headed up an entire regional security group for the organization. Ken started SecureState a week after September 11th, 2001 to create an elite, dedicated security company known throughout the world.

Scott White is SecureState's lead web application security penetration tester. Scott is heavily involved with OWASP, running the Cleveland, Ohio OWASP chapter. He has been instrumental in securing web applications for companies all over the country.

Andrew Weidenhamer is SecureState's lead penetration tester and has been involved in security tool development in the community as well as performing large-scale penetration efforts on numerous organizations. Andrew first started his security career at Key Bank, handling bank-level security. Desiring a more robust and fast-paced environment, Andrew joined SecureState and quickly became their lead penetration tester.

John Melvin CISSP, GSEC, is SecureState's lead forensics investigator and handles all incident response, reverse engineering, and virus development at SecureState. John's mission is to respond and handle breaches to organizations and identify how, when, and why they occurred. Prior to SecureState, John worked for several highly classified programs, specifically pertaining to reverse malware/virus anomaly detection.


Panel: Ask EFF: The Year in Digital Civil Liberties Panel


Kevin Bankston
Senior Staff Attorney, EFF
Eva Galperin
Referral Coordinator, EFF
Jennifer Granick
Civil Liberties Director, EFF
Marcia Hofmann
Staff Attorney, EFF
Corynne McSherry
Staff Attorney, EFF
Kurt Opsahl
Senior Staff Attorney, EFF

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA wiretapping and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, highlighting our open government efforts with documents obtained through the Freedom of Information Act on government surveillance efforts, introducing the Coder's Rights Project, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Kevin Bankston, an EFF Senior Staff Attorney specializing in free speech and privacy law, was EFF's Equal Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focused on the impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and free expression. Before joining EFF, Kevin was the Justice William J. Brennan First Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU, Kevin litigated Internet-related free speech cases, including First Amendment challenges to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal statute regulating Internet speech in public libraries (American Library Association v. U.S.). Kevin received his J.D. in 2001 from the University of Southern California Law Center, and received his undergraduate degree from the University of Texas in Austin.

Eva Galperin is EFF's referral coordinator. As the referral coordinator, Eva is usually the first person to encounter a request for legal assistance when it is brought to EFF. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills. Her interests include aerials, rock climbing, opera, and not being paged at 3 o'clock in the morning because the mail server is down. This is her first DEFCON since 2001.

Jennifer Granick is the Civil Liberties Director at the Electronic Frontier Foundation. Before EFF, Granick was a Lecturer in Law and Executive Director of the Center for Internet and Society at Stanford Law School where she taught Cyberlaw and Computer Crime Law. She practices in the full spectrum of Internet law issues including computer crime and security, national security, constitutional rights, and electronic surveillance, areas in which her expertise is recognized nationally. Before teaching at Stanford, Jennifer spent almost a decade practicing criminal defense law in California. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Marcia Hofmann is an EFF Staff Attorney focusing on government transparency and civil liberties issues. Along with her colleague David Sobel, she established EFF's FOIA Litigation for Accountable Government (FLAG) Project. Prior to joining EFF, Marcia was Director of the Open Government Project at the Electronic Privacy Information Center (EPIC), where she spearheaded EPIC's efforts to learn about emerging policies in the post-9/11 era and was lead counsel in several Freedom of Information Act (FOIA) lawsuits. Documents made public through her work have been reported by the New York Times, Washington Post, National Public Radio, Fox News, and CNN, among others. She is a graduate of the University of Dayton School of Law and Mount Holyoke College.

Corynne McSherry is a Staff Attorney at EFF, specializing in intellectual property and free speech litigation. Representative cases include: Lenz v. Universal (copyright misuse), MoveOn.org et al. v. Viacom International (copyright misuse), Ricciuti et al. v. Sony BMG (class action based on a music label's use of DRM that introduced security flaws into users' computers), as well as numerous amicus briefs on trademark, copyright and patent issues. Prior to joining EFF, Corynne was a civil litigator at the law firm of Bingham McCutchen, LLP. Corynne holds a Ph.D. from the University of California at San Diego, and a J.D. from Stanford Law School. While in law school, Corynne published Who Owns Academic Work?: Battling for Control of Intellectual Property (Harvard University Press, 2001).

Kurt Opsahl is a Senior Staff Attorney with the Electronic Frontier Foundation focusing on civil liberties, free speech and privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arriba Soft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and his undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal, which established the reporter's privilege for online journalists.


Panel: Hacking in the Name of Science


Tadayoshi Kohno
Assistant Professor, University of Washington
Jon Callas
Chief Technology Officer, PGP Corporation
Alexei Czeskis
PhD Student, University of Washington
Dan Halperin
PhD Student, University of Washington
Karl Koscher
PhD Student, University of Washington
Michael Piatek
PhD Student, University of Washington

Our talk will start with some of our latest and greatest hacks. In 2003 we were the first to analyze the security of Diebold's AccuVote-TS voting machine software. We'll discuss the inside scoop on how we got the code, broke it, and then went public. In 2008 we also published the first attacks against a real, common wireless implantable medical device – an implantable defibrillator and pacemaker – and we did so using off-the-shelf software radios. What else will we talk about? Well, there was our research in measuring just how frequently ISPs are injecting ads into people's web pages, our framing of network printers for copyright infringement (and receiving DMCA takedown notices to those printers), our invention of clock skew-based remote physical device fingerprinting, and much more.

Are we hackers? No, we're scientists at a leading public university. So what turns hacking into "science" when it's done by academics? We'll answer these and other questions in the second half of the talk, which is geared to give you an inside glimpse into the world of academic security research. Along the way we'll answer questions like: How do we choose which technologies to hack – or as we say – "analyze," "study," and "investigate?" What might we hack next? What can we do as academic researchers in public institutions that industry researchers can't? What ethical and legal issues do we need to consider? And why is what we do considered "science?"

Anyone who doesn't want their product to be the next technology hacked (sorry, "studied") by academics like us should definitely attend this talk. And, of course, come to this talk if you're considering grad school in computer security. We'll also debate how academics and industry security researchers could better work together. Here we'd particularly like your feedback. What can academics learn from you? What do you think we could do better? What would you like us to look at next?

(Standard academic disclaimer: Many of the works we will discuss were previously published in conjunction with other researchers. We'll acknowledge all relevant parties in the talk.)

Tadayoshi (Yoshi) Kohno is an Assistant Professor of Computer Science and Engineering at the University of Washington. He worked as a cryptography and computer security consultant with Bruce Schneier, back when Counterpane Systems had less than a handful of full-time cryptographers and before the days of Counterpane Internet Securities, Inc. Since then he's conducted published security analyses of technologies as varied as: electronic voting machines, implantable wireless defibrillators, file encryption systems, popular consumer devices, and ISP ad injectors. Kohno has a Ph.D. in Computer Science (cryptography) from the University of California at San Diego.

Jon Callas served as Chief Scientist at PGP Inc. and as CTO of the Network Security Division for Network Associates Technologies Inc. Mr. Callas served as Director of Software Engineering at Counterpane Internet Security Inc. and was a co-architect of Counterpane's Managed Security Monitoring system. Most recently, he was Senior Systems Architect at Wave Systems Corporation. His career includes work at Digital Equipment Corporation, World Benders, and Apple Computer. He is the principal author of the Internet Engineering Task Force's (IETF's) OpenPGP standard and a writer and frequent lecturer on system security and intellectual property issues. Mr. Callas has a B.S. in Mathematics from the University of Maryland.

Alexei Czeskis is a graduate student in the Computer Science and Engineering department of the University of Washington, where he hacks, or more benignly, performs research, under Professor Yoshi Kohno. Formerly, he was a part of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. Alexei has also spent time in industry working with Amazon.com's transaction risk management group.

Dan Halperin is a PhD student in computer science and engineering at the University of Washington. His research includes wireless networking, with a current focus on next-generation technologies, and practical security and privacy in the wired and wireless, digital and physical domains. He received his BS in computer science and mathematics from Harvey Mudd College and his MS at Washington. He likes to make and break things in his spare time, and on the side helps teach lock picking to Washington undergraduates and is an avid participant in urban spelunking. In addition to memberships in dry academic communities, Daniel is a member of the EFF.

Karl Koscher is a computer science PhD student at the University of Washington. While interested in a wide variety of security topics, the bulk of his work has focused on the privacy and security issues surrounding RFID and other ubiquitous technologies. He is informally known around the department as "big brother."

Michael Piatek is a PhD student at the University of Washington. After spending his undergraduate years working on differential geometry, his research interests now include incentive design in distributed systems, network measurement, and large-scale systems building.


Panel: Internet Wars 2008


Gadi Evron
Moderator

Some of the panel members in previous years:

Andrew Fried IRS
Thomas Grasso FBI
Dan Hubbard Websense
Dan Kaminsky IOActive
Randy Vaughn Baylor
Paul Vixie ISC

This year's panel members will be announced closer to the conference date.

Continuing our new tradition from the past two years, leading experts from different industries, academia and law enforcement will go on stage and participate in this panel, discussing the current threats on and to the Internet, from regular cyber-crime all the way to the mafia, and even some information warfare.

In this panel session we will begin with a short (2-5 minute) introductory presentation from Gadi Evron on the latest technologies and operations used by the Bad Guys and the Good Guys: what's going on with Internet operations, global routing, botnets, extortion, phishing, and the annual revenue the mafia is getting from it. The members will accept questions on any subject related to the topic at hand, and discuss it openly in regard to what's being done and what we can expect in the future, both from the Bad Guys and the Good Guys.

Discussion is to be limited to issues happening on the Internet, rather than this or that vulnerability. The discussion is mostly technological and operational in nature, although for example two years ago attendees chose to ask questions directing the discussion to the legal side of things. Participants are people who are involved with battling cyber-crime daily, and are some of the leaders in the security operations community of the Internet.

Gadi Evron is recognized globally for his work and leadership in Internet security operations. He is the founder of the Zeroday Emergency Response Team (ZERT), organizes and chairs worldwide conferences, working groups and task forces. He is considered an expert on corporate security and counterespionage, botnets, e-fraud and phishing. Previously, Gadi was CISO at the Israeli government ISP (eGovernment project) and founded the Israeli Government CERT. Gadi authored two books on information security and is a frequent lecturer.


Panel: Meet the Feds 2008


Speaker List
to be announced

Ever had to sweat through an interrogation or watch some poor sap suffer a similar fate? Have you ever wanted to turn the tables and put those cruel individuals responsible on the chopping block? Well, now you can! With representatives from NSA, NASA, FBI, IRS, DHS, and other fine Federal agencies, you will have an abundance of opportunities to attempt to humiliate, harass, threaten, or even bring them to tears. Go ahead hack away and take your best shot! Remember, what is said on this panel in Vegas, stays on this panel in Vegas...

Again this year we will have many federal agencies -

Information Assurance Panel: CERTS, first responder's organizations from agencies including DC3, DHS USCERT, NSA, OSD, and NDU

Law Enforcement Counterintelligence Panel: including DC3, FBI, IRS, NCIS, NASA, NWC3, US Postal IG

Each of the agency reps makes an opening statement regarding their agency's role, then opens it up to the audience for questions.

Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS USCERT, DoJ, National White Collar Crime Center (NWC3), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University.

For years Defcon participants have played "Spot the Fed." For the 3rd year, the feds will play "Spot the Lamer". Come out and nominate a Lamer and watch the feds burn 'em.


de-Tor-iorate Anonymity


Nathan Evans
Ph.D Student, University of Denver
Christian Grothoff

Feel safe and comfortable browsing the Internet with impunity because you are using Tor? Feel safe no more! We present an attack on the Tor network that means the bad guys could find out where you are going on the Internet while using Tor. This presentation goes over the design decisions that have made this attack possible, and shows results from a Tor network that reveal the paths that data travels when using Tor. This method can make using the Tor network no more secure than using a simple open web proxy. We go over the attack in detail, as well as possible solutions for future versions of Tor.

Nathan Evans is a Ph.D student at the University of Denver working in the areas of security, privacy, anonymity, and performance in P2P networks. While he seems to be running around trying to break all the networks, his intentions are to improve the current state of affairs with regard to security. Previous work includes Routing in the Dark: Pitch Black (presented at Defcon 15) and work on evaluating various P2P systems published in the German magazine iX.

Christian Grothoff is an assistant professor of computer science at the University of Denver. He earned his PhD in computer science from UCLA in expressive type systems for object-oriented languages. His research interests include compilers, programming languages, software engineering, networking and security. He also is the primary author and maintainer of GNUnet, GNU's peer-to-peer framework.


Hacking the Bionic Man


Gadi Evron

Science fiction or security in 2040?

In this lecture we will discuss how security issues may impact the future in ways that may be confused with science fiction.

Already today we find cyber-implants of different kinds embedded within the human machine. As security professionals we know there is no such thing as perfect code, and security solutions are far from perfect. What will we be facing in 2040, and how might we defend ourselves, if at all?

Gadi Evron is recognized globally for his work and leadership in Internet security operations. He is the founder of the Zeroday Emergency Response Team (ZERT), organizes and chairs worldwide conferences, working groups and task forces. He is considered an expert on corporate security and counterespionage, botnets, e-fraud and phishing. Previously, Gadi was CISO at the Israeli government ISP (eGovernment project) and founded the Israeli Government CERT. Gadi authored two books on information security and is a frequent lecturer.


Identification Card Security: Past, Present, Future


Doug Farre
Administrative Director, Locksport International

Come learn how identification cards have taken over our lives, how they can be manufactured at home, and how you can start a legal ID making business. Come learn all the tips and tricks about amateur ID manufacturing and pick up the first ever Complete Amateur ID Making Guide. Also, come test your ability to spot a fake ID versus a real one, and check out the newest in ID technology: polycarbonate laminates, biometrics, Teslin, and RFID. Lastly, see how corporations are affecting the identification card fiasco in the U.S. What's in your wallet?

Doug Farre is the Administrative Director of Locksport International, President of the Longhorn Lockpicking Club, and Editor in Chief of Non Destructive Entry Magazine. Doug is interested in all types of security and is currently a Geophysics student at the University of Texas at Austin. He teaches scuba diving in his free time.


Snort Plug-in Development: Teaching an Old Pig New Tricks


Ben Feinstein
Security Researcher, SecureWorks Counter Threat Unit

Snort has become a standard component of many IT security environments. Snort is mature and widely deployed, and is no longer viewed as new or exciting by the industry. However, with such widespread deployment, enhancing Snort’s capabilities offers the potential for a large and immediate impact. Instead of chasing the industry’s new-hotness of the day, it frequently makes more sense to add new capabilities to an existing security control.

With this in mind, the author set out to implement new and innovative capabilities in the form of GPL-licensed Snort plug-ins. The author will introduce the Snort plug-in architecture and the relevant APIs used when implementing extensions to Snort. Lessons learned and pitfalls to avoid when developing Snort plug-ins will be covered. Some interesting code snippets will be discussed. Ideas for future work in the area of Snort extensions will be presented.

Ben Feinstein is a researcher on the Counter Threat Unit (CTU) at SecureWorks, working behind the scenes to support Agent Jack Bauer and the GWOT. He first became involved with information security in 2000 while working on a DARPA / USAF contract instead of going to his college classes. Since then, Ben has worked designing and implementing security-related software and appliances at a series of since acquired or failed start-ups. In his spare time Ben authored RFC 4765 and RFC 4767. His experience is in the areas of IDS/IPS, digital forensics, next-gen firewall systems, log analysis and viz, secure messaging, security appliances, small caliber arms and right-wing rhetoric. Ben has presented at Black Hat USA, DEFCON, ACSAC and others.


The Wide World of WAFs


Ben Feinstein
Security Researcher, SecureWorks Counter Threat Unit

With webapp protection now mandated by the PCI standard, web-application firewalls (WAFs) have received newfound interest from consumers of security technologies, as well as from security researchers and potential attackers. Now that WAFs are a PCI-approved substitute for code reviews, expect many vendors to opt for this potentially less costly route to compliance. Of course, security researchers and potential attackers will increasingly train their sights on this lucrative and expanding target.

This talk will explore the ModSecurity Apache module and how it is being used as a WAF to meet the PCI 6.6 webapp protection requirement. The relative strengths and weaknesses of WAFs in general and ModSecurity in particular will be highlighted. Common deployment scenarios will be discussed, including in-the-cloud, stand-alone and Apache server embedded deployments. The ModSecurity rules language will be covered and several ModSecurity Core Rules that are representative of its capabilities will be dissected in depth. Finally, some interesting uses of ModSecurity's content injection capabilities will be discussed. Anyone up for hacking the hacker via scripting injected into your webapp's response to an attempted attack? This talk will show you how!

Ben Feinstein is a researcher on the Counter Threat Unit (CTU) at SecureWorks, working behind the scenes to support Agent Jack Bauer and the GWOT. He first became involved with information security in 2000 while working on a DARPA / USAF contract instead of going to his college classes. Since then, Ben has worked designing and implementing security-related software and appliances at a series of since acquired or failed start-ups. In his spare time Ben authored RFC 4765 and RFC 4767. His experience is in the areas of IDS/IPS, digital forensics, next-gen firewall systems, log analysis and viz, secure messaging, security appliances, small caliber arms and right-wing rhetoric. Ben has presented at Black Hat USA, DEFCON, ACSAC and others.


VLANs Layer 2 Attacks: Their Relevance and their Kryptonite


Kevin Figueroa
CEO & Information Security Engineer, K&T International Consulting, Inc.
Marco Figueroa
CEO & Senior Security Analyst, MAF Consulting, Inc.
Anthony L. Williams
CEO & Information Security Architect, IRON::Guard Security, LLC

Proper network infrastructure configuration is a crucial step in a successful defense in depth strategy for any organization. The fact that the network fabric is susceptible to these attacks years after their initial discovery is alarming and disgusting at the same time. We propose to revisit these attacks using contemporary techniques and tools and also offer equally contempo