S P E A K E R S
routing, and tunneling protocols
The protection of networked computers depends on the security and integrity of the underlying communication layers. In the last years, many people invested time to research bugs and exploits on the application level and less interest was on the network layers.
We are going into the realms of protocols of ISO OSI layer 2 and 3. The audience will get a quick refresher on what Layer 2 and 3 are about and which general attack approaches exist. Layer 2 will be covered quickly and attacks using the well known ARP, CDP and some more will be explained.
The primary part of the session will be focused on the abuse of ICMP and interior routing protocols (RIP & IGRP), how to scan for autonomous systems and for IP protocols other then TCP/UDP. Re-routing of packet streams for sniffing/interception will be covered as well.
The finale will explain and show how to attack VPNs using GRE and how tunneling can enable you to circumvent NAT.
FX of Phenoelit is the leader of the german Phenoelit group. His and the groups primary interests are in security implementations and implications of standards or less-known protocols. FX currently works as field infosec engineer at Lucent Worldwide Services ESS where he is supported in doing the things he generally prefers to do.
|Thor||Grabbing User Credentials via W2k ODBC Libraries|
The Sys-Security Group
|Introducing X: Playing
Tricks with ICMP
During my research with the “ICMP Usage In Scanning” project, I have discovered some new active and passive operating system fingerprinting methods using the ICMP protocol. Methods that are simple, and efficient.
The active operating system fingerprinting methods were not correlated into a certain logic. A logic that would allow us to have the ability to use any available method in order to, wisely, actively fingerprint an operating system.
In this talk I will be releasing a new active operating system fingerprinting tool using the active OS fingerprinting methods with the ICMP protocol I have discovered. I will be explaining the tool’s inner works and the various active OS fingerprinting methods with ICMP implemented and used with the tool.
The tool’s limitations, ways to detect its usage, and how to defend our selves from its abilities will also be discussed. Future plans and enhancements, which include a different approach to OS detection, will be presented as well.
Ofir Arkin is the Founder of the Sys-Security Group, a free computer security research body. Ofir is most widely known for his research about the ICMP protocol usage in scanning. He has extensive knowledge and experience with many aspects of the Information Security field including: Cryptography, Firewalls, Intrusion Detection, OS Security, TCP/IP, Network Security, Internet Security, Networking Devices Security, Security Assessment, Penetration Testing, E-Commerce, and Information Warfare. Ofir has worked as consultant for several European finance institutes where he played the rule of Senior Security Analyst, and Chief Security Architect in major projects. Ofir has published several papers, the newest deal with “Passive Fingerprinting techniques” and with the “ICMP protocol usage In Scanning”.
MBA, CISA, CISSP, GCIA, CNA
Audit Project Leader
|Windows NT and Novell
Host Based Intrusion Detection Using Native Logging and 3rd Party Log Reporting
Auditing is defined for this presentation
as the process of examining operating system (OS) audit logs to assure
information stored on computers is properly protected, and meets corporate
security policies. This presentation will cover the Novell NetWare
4.11 (NW) and Windows NT 4.0 (NT) operating systems. NW is capable
of auditing Novell Directory Services
These features monitor events related to system security, to identify any security breaches, and to determine the extent and location of any damage. The level of audited events is adjustable to suit the needs of an organization. This presentation illustrates the usage of NT and NW security monitoring separately; however, the concepts apply to any platform.
The costs and benefits along with the weaknesses of such logging will also be addressed. While these are two older platforms that the software vendors would love to see upgraded, they are both still used in many organizations.
Michael Cohen is currently an Audit Project Team Leader at a large California based bank, specializing in network and Internet security. He has over 5 years information security audit experience. He currently holds the CISA and SSCP certifications, even though he has a great disdain for such things. Previously, he worked as a big 5 security consultant and cut his teeth as network administrator holding together the worlds most poorly configured NetWare server and two of the most insecure Cisco routers.
Robert Grill is currently an Audit Project Team Leader at a large California based bank. He has an MBA in Management Information Systems and has over 10 years information security audit experience. He holds the SANS GIAC; GSEC, GCIA, GCIH and GCFW certifications, as well as the CISA, CISSP, SSCP, CNA and CCNA certifications.
Network Security Researcher
Agents: The Future of Electronic Warfare and Defense
The study of Artificial Intelligence bring many treasures to the development of both offensive and defensive network tools. Code can be designed to make "intelligent" decisions based on a presented data sample. When rules are explicitly laid out by RFC to indicate proper connection handling, these rules can be mapped and recalled. This would allow for an automated handling of network traffic with decision making enforced on next-packet injection.
The DEF CON speech will focus on Intravenous. Information will be shared with regard to overhead handling, event priority, as well as database and sensor/decoder optimizations. Examples in logic considerations will be broken down for simple attack scenarios. The IV specific design constraints and project goals will be discussed, a maillist will be announced for open discussion about the code that has been developed so far, and improvements of the overall design criteria.
First, we will discuss what the word "intelligence" means and how it relates to source code. We will explain the need for code that is not only self-aware, but aware of the environment it runs in. We will briefly discuss the research conducted in the Artificial Intelligence field as it relates to TCP/IP networking and overall Computer Security. Many developers are writing code with AI properties and fail to capitalize on it.
Second, we will discuss the state of tools/exploits today, and where they are headed tomorrow, in lieu of current security tools being seperate and disjoint. Packet sniffers seldom share information with packet crafters and IDS systems seldom share information with network scanners, for example. We will explain the need for agent code to assist in data collection, storage, retrieval and analysis for use within the scope of any tool that either runs interactively or in daemon mode for long periods of time. Discussion of toolsuite integration so that the network auditing and network detection are a more seamless process. Most exploits can be classified in only a handful of categories, most of which the discovery are based on custom scripts and source code analyzers.
We will then explain the future of network assessment. We will explain where "non-intelligent" code falls flat, and how introducing rule bases, knowledge bases and a back-tracking method (memory), can allow an application to deduce plausible scenarios based on the data collected. This, in turn, will allow an application to be able to react to situations based on mathematical probabilities and or metrics to hopefully choose the correct answer(s). Even without correct answers, it can still present the user with empirical data that may lead to a plausible next event.
The Nemesis injection routines will be used in Intravenous. The threat of Nemesis by itself will be discussed with examples sited from published sources, and then will be contrasted with the introduction of AI componsents, that will make up the overall study, Intravenous (an agent concept model).
Mark Grimes is a network security researcher whose focus is primarily on enterprise wide, multi-layered network threat, the study of TCP/IP packet pattern analysis, and the interest of machine learning and expert systems. Mark is best known for Nemesis, an eight protocol packet crafting tool suite. There are a number of articles and misc. tools, as well as the concept slides/video of the initial Intravenous concept available at http://www.packetninja.net/
Mark Grimes is currently the Red Team Network Security and Forensics Lead for a Fortune 300 company. He has been the security lead of many high profile commercial, government and military contracts. Mark is also a developer for the ultra secure, multi-architecture OpenBSD Project led by Theo De Raadt.
This talk will be about the art of creating backdoors. Starting with automated shell scripts as an example, moving quickly to suid-exec wrappers and finally an introduction into writing kernel modules, and modifying existing ones using Linux in this case. In this talk there will be non-public code written especially for the talk. I'm not sure if this is for the haxors or the uber haxors. Probably uber haxors, as you'd need to at least be able to read some C, and the major focus will be on Linux kernel module creation and modification.
|Phil King||8 Bits and 8 Pins:
More Fun With Micro controller Hacking
"Microcontrollers" are microprocessors with additional peripherals, I/O controls, and memory all built into one chip. Last year, Phil introduced the wonderful world of 8-bit micro controllers and showed how to set up your own project development lab. This year he looks at more fun, cute, and devious electronic devices you can build, this time focusing on micro controllers with only 8 pins. What can you do with 2K of code spaces and only a few I/O lines? More than you might imagine! We'll look at various tiny projects, and see what can be done in small space and on a small budget. Bring your questions and project ideas. The people with the best ideas will go home with a complete Atmel AVR micro controller hardware development package.
This talk will have a fairly high fun-factor looking at cool electronic toys, but there will be talk about and examples of low-level code and hardware design. Some programming experience and electronics vocabulary will definitely make the material more understandable.
Phil King is a hardware design engineer in Silicon Valley with 9 years of experience at various hardware and software jobs. He is also a part time lecturer at Stanford University, where he co-taught EE-281, the graduate level Embedded Systems Design Lab course last fall.
|TechnoDragon||Hardware mods, how
to look for them, what telltale signs to look for, how to identify what
hardware most likely can be modified, etc.
Hardware mods. Have you ever wondered what special features can be enabled is your hardware, or even crippled for security reasons? Well, I will cover theory, fact and many designs covering identification and activation of hidden features wether they be hardware or software.
Topics will include:
Live demos will be performed on the platforms covered and tutorials on ways to go about discovering what mods can be performed on the hardware of your choice.
|Raven Alder||A Perl script that
tracks Denial of Service attacks across Cisco backbones.
Denial of Service attacks are well known in the security field, but in recent years distributed Denial of Service attacks have become more of a worry and a priority to ISPs. Recognizing when a DDoS attack is crossing your network is important, and being able to shut it down at your network's edge is even more so. But due to the increasing ease of spoofing the source IPs of a DDoS attack, correctly finding where the traffic is entering your network becomes more difficult. Rather than being able to traceroute via normal routing methods, most tracing of spoofed addresses has to be done hop by hop, one router at a time. In a large backbone, this can take hours, particularly when you consider that many DDoS attacks come from hundreds of different IP addresses.
There aren't many tools out there to aid NOCs in tracing these sorts of attacks. Indeed, many NOCs are still forced to trace attacks by hand. To address this problem, I have written a Perl script to trace DDoS attacks backwards through a Cisco-router network. The script can handle spoofed IPs, and will run both on Cisco's older routers (7500 series) and on their Gigabit Switch Routers. This talk will present the script and provide a guided tour through the code to explain how and why it works.
Raven Alder is a senior network engineer for a Tier 1 ISP, and hunts down DDoS attacks in the wild for fun. In addition to supporting Cisco routers, Raven is also a Solaris/Linux/BSD sysadmin, and enjoys Shorin Ryu martial arts and particle physics.
|Robert Muncy||Securing Cisco Routers
We will begin with basic IOS Commands to secure a router, looking at unneed services and turning off seldom used protocols. From there we will look at configurations for defeating basic attacks against your network, including DDos,SMURF and other nasty things you can do to netowrks. Next we will look at some Simply Access list and nifty tricks you can do with them! I will also discuss the basics of Encryption, RADIUS and other security measures you can use when making connections to multiple sites. For this Talk I have assumed you have at least heard of TCP/IP Ports, Basic Cisco IOS Commands, and the internet and how it works! This talk is geared to Cisco noviecs but who have done basic networking already.
Robert Muncy is currently employed by a financial company as Network Security Engineer. Previous to that I worked as a hired gun for several computer consultant companies.
|Using Open BSD, snort,
Linux, and a few other tricks to set up a transparent, ACTIVE Ids.
Basically I will cover: How to set up Snort Sensor in Openbsd. - How to use Perl & Rules to actively adapt rules to attacks, while keeping yourself from being "DOSSED" - How to use ACID to make logs more easily accessible, and analyzed, - How to Use database portion to look at historical attack trends and react appropriately. - How to set up "safe" management segment on your network that is both accessible to you, but hard for "them" to get into.
|Anders Ingeborn||Designing small payloads
This talk presents how to use double injection over an existing netwok connection to write small remote buffer overflow exploits. A number of practical tips and code examples will be given. It will also be explained how this design can be used to hide an attack from both network based and host based intrusion detection systems.
Anders Ingeborn works with vulnerability assessment and penetration tests at iXsecurity in Sweden. iXsecurity's clients during the last couple of years include government agencies, banks, nuclear power plants and major corporations throughout Scandinavia. Anders also holds a MS in computer security.
|The Captive Portal
Adam and I have been doing research on wireless security from a practical perspective. Basically discovering what's wrong with the current security models in 802.11 networking and how they can be fixed or worked around.
Adam has developed a system called the Captive Portal that will allow wireless networks to be setup that are resilent to problems with link-level authentication and encryption schemes. The system is still in development, but will be "released" by conference time (as much as open source software gets released ;). In the coming months we will be writing a paper on the Captive Portal; how it works, what it's strenghts and weaknesses are, and instructions on getting one going.
I will give the first part of the talk, Adam will give the second part the part that deals directly with the Captive Portal.
We will also setup a wireless network at DC so folks can try and hack the portal. We're always looking for ways to improve our idea.
Bruce Potter is the founder of The Shmoo Group, an organization of security, crypto and privacy professionals. He has done work as a network engineer, software security consultant, CTO of a failed startup, and a wire monkey. Bruce posts daily security news to Securitygeeks.com.
In 1993 Adam started the first ISP in his home town of Dunedin New Zealand. Since then he has worked for several ISP's, small and large, in various capacities, mostly as a UNIX systems administrator. His current project is Personal Telco which is trying to leverage consumer grade 802.11b gear to build internet accessible neighborhood communities.
Dan Kaminsky, CISSP
Hacking Impossible Tunnels Through Improbable Networks with OpenSSH and
the GNU Privacy Guard
1) Theory of Gateway Cryptography
|eBooks security –
theory and practice
Security aspects of electronic books and
documents, and a demonstration of how weak they are:
My name is Dmitry Sklyarov. I'm employee of the ElcomSoft Company. As we have demonstrated in our speech on Black Hat Win2K Security (February 2001), encryption in Microsoft Office documents is very weak and password protection may be removed without any problems in most cases. In this speech I'll try to cover password protection aspects of electronic books and documents. The most attention will be paid to documents in PDF format.
|Optyx||KIS - kernel Intrusion
This is the release of KIS. KIS is a self contained binary that when executed on a system installs itself so that it will be loaded on reboot and loads a kernel module. This LKM hides itself, all of its subprocesses or desired processes, all of their files, directories, and network connections automatically. The presentation will consist of demonstrating how to setup and use KIS as well as explain some of the basic design concepts.
Optyx is a programmer, age 20, currently living in san francisco, california.
Covert Network Channels
Two parties, both operating in hostile network territory, need to communicate covertly via an internetwork. They need to do so in a manner such that a well-resourced attacker cannot gain knowledge of the content of their transactions, nor even gain evidence beyond plausible deniability that discrete communication is taking place. The assumptions made are extreme; it is understood that lives may be at stake.
Is the creation of such a clandestine network mechanism technically feasible? Absolutely. Should you be concerned about the implications of undetectable traffic? Most definitely.
An initial r+d implementation in library form as well as proof-of-concept code built upon it will be presented. By taking advantage of peculiarities in many fielded protocols, steganographic techniques applied to the network layers, and using dynamic polymorphism based on local traffic patterns and cryptographic control, the channel is effectively able to resist detection and attack. Discussion concerning the theory, implementation, and political ramifications is welcomed.
Jason Peel (email@example.com) is a Senior Network Architect with Network Thought Co. Recent research+development efforts have covered wireless infrastructure auditing (including marsupial-in-the-middle attacks), PKI, anti-promisc-detection, managed enterprise lockdowns, and IPv6 vulnerabilities.
Polymorphism has been around for years in the form of virus attacks. There is a wealth of information pertaining to this. This presentation will concern itself with the implementation of an API designed to place some black-box code (probably shellcode) within an encoded structure and deliver it against a number of Architectures (SPARC,HP,IA32,more soon).
This code has been tested thoroughly against a number of popular NIDS Sensors (ISS, snort, dragon, NFR, ), and has proven that as of yet, the code itself can NOT be detected at all. There are some possible methods of detection and that will be analyzed and future modifications to further evade these measures.
K2 is a security consultant for a major multi-national company, personally located in Vancouver, Canada. Spare time spent mostly investigating OS/Network vulnerabilities and the exploitation there of :) Years of assembly experience and a well developed cross-platform knowledge base.
|Rob Shein||Evaluating VPN Solutions
This session will detail a methodology by which security professionals may independently examine the security of a VPN. We will cover basic concepts of key exchange and management, leading into a description of good and bad ways by which the two ends of a VPN connection arrive at the necessary shared secret. We will discuss common mistakes such as improper random seeding or key exchange, and step through a checklist of things to check. Finally, we will apply this methodology before the audience in the testing of a running VPN system, and demonstrate two vulnerabilities that exist.
|Nick Farr||Designing Secure
Interfaces "for Dummies"
"The old addage holds there is an inverse relationship between usability and security. The more user-friendly the system, the less secure it is. However, recent user heuristics research may lend insight into how to design more usable, more secure operating system interfaces--independent of the underlying OS architecture, AND the gullibility of the user.
By highlighting the graphical and subtexual
cues recently highlighted in popular OS interfaces, the speech will cover
how users are betrayed by them, either into a state of paranoia or a false
sense of security. The speech will show how both states can be used to
exploit the system
As well, five guidelines for future interface design will be presented, showing how increasing the security of the interface can actually be used to increase, instead of restrict usability. While the talk is theoretical, each guidline will be applied as integrated into the design of a work-in-progress Kiosk package currently under development."
Nick recently graduated from the U of Michigan with a degree in Social Science, which included some graduate work at the School of Information in Human Computer Interaction. He works as a developer for the School of Public Health at the University of Michigan.
|Adam Bresson||Data Mining with
Adam Bresson has been programming in PHP, MySQL and HTML for over five years. After his DEF CON talk on Palm Security last year, he decided to explore security on a different, free platform. With ten years of networking experience behind him, he created GNU methods for monitoring security and data mining in PHP. He hopes you extend this foundation. Ask questions!
Chieh Chun Lin
Jan Che Su
|Survey of Country-Wide
Web Server Security
This presentation describes how we did the country-wide web server security evaluation in 1999 and 2001. It covers methodology and results. Also, we compared the difference between these 2 surveys, make some conclusion on current status and advisories to the government. Vulnerable web servers by type and percentages as well as trends are covered.
Biing Jong Lin I established TW-CERT (Country CERT in Taiwan) and worked there from 1997 to 2000. Now he works in the Science and Technology Infomation Center in National Science Council. Biing John Lin is also a consultant of nCERT, a government sponsored CERT after the cyberwar between China and USA in May, 2001 began.
Co-author is Chieh Chun Lin and Chan Che Su. They work at Internet Security Solutions, Intl in Taiwan. They are senior security experts and consultants, specialized in security assessment and penetration.
|D-Krypt||Web Application Security|
|Richard Thieme||Hacking a Trans-Planetary
Net: The Essence of Hacking in a Context of Pan-global Culture, the Wetware
/ dryware Interface, and Going to Europa.
When Richard Thieme spoke at DefCon 4, he said hacking was practice for trans-planetary life in the 21st century. Well, guess what? It was. But a changing context has also changed what hacking looks like. Context is content, and what was hacking at MIT on a PDP-6 just doesn't cut it any more. The essence of hacking is the same, but the game is played differently. When space war involves holographic image projection, cloaking devices, multispectral camouflage, micro-know-bots and the creation of synthetic environments that an adversary thinks are real ... when cells are switched on to conduct heat and electricity ... and the exploration of Titan and Europa make Mars and the moon look like inner suburbs ... hacking means more than knowing how to spray paint a website or shut down a server. Hacking means an artist's imagination, an obsessive hunger for knowledge, and a deep understanding of cyborg humanity. Thieme illuminates the topography of that weird landscape.
Key concepts: context is content, i.e. what makes sense in one context no longer makes sense in another, what is wise in one context is insanity in another; hacking in its essence is a way to approach life with identifiable qualities and characteristics - some are innate and some can be learned. the ones that can be learned and how to learn them are spelled out; the attributes of hacking as it evolved in the sixties, if translated whole hog into the 21st century, make you look like a dork; it's not about being a script kiddie, doing ddos attacks, or leaving graffiti - it is about the tools of imagination, the weapons of the mind, in a world of widespread deception; the practice of deception - the creation of illusion, the use of misdirection, the lethality of ridicule - are examined in relationship to hacking as the quest to know the truth; specific scenarios will be described, using the most current human resources, including war in space; the fusion of information war and space war through the "information web;" the changing definitions of humanity at the wetware/dryware interface, with emphasis on materials science and advances in brain enhancement; how life in space changes people and changes the species; and the bottom line - how the real attributes of hacking can be ported into this Borg world and used imaginatively, mischievously, and with a light touch to give real style to one's hacking and transform one's cyberlife into a work of art.
CCNP / CCDA
|802.11b War Driving
and Lan Jacking
Mr. Shipley will discuss his latest research concerning open WLANs in the corporate and home environment. Early results will be presented along with maps illustrating the current threats showing that the current security models in 802.11 networking have set the state of network security back a decade.
Mr. Shipley is one of the few individuals who is well known and highly respected in the professional world as well as the underground / hacker community. With thirteen years experience in the Computer Security field he has extensive experience in system and network security as well as programming and project design. Past positions and titles include "Chief Security Architect" at KPMG, Former and Chief Engineer for Network Security Assocates and Founder/VP at DNAI (a prominent Bay Area ISP),
Mr. Shipley's specialties are third party penetration testing and firewall review, computer risk assessment, secure systems design and security training. Mr. Shipley also performs post-intrusion analysis as well as expert witness testimony.
|Michael Wilson||Hacker Doctrine in
It is now an accepted fact that computer hackers, crackers, hacktivists, virus writers, and other politically-aware individuals in the computer underground are 'taking matters into their own hands.' Whether through website defacementsor full-scale denial-of-service attacks, non-governmental, non-aligned individuals and groups are conducting what the military refers to as 'information operations' of increasing sophistication.
What is clearly missing in these independent operations, however, is a complete and thorough understanding of how to think about attacks, how to undertake'mission planning,' and how to be truly effective. Based on our own understanding of practical applications in information warfare, 7Pillars Partners will present educational material on information operations that canhelp fill in these 'gaps' in a hacker's comprehensive understanding.
Michael Wilson is the Managing Partner of 7Pillars Partners, with 20 years field experience in military and intelligence operations. He is an inventor, pioneer, and an acknowledged leader in infrastructural warfare, information operations, open source intelligence, and next-generation intelligence. He is the winner of the U.S. National Defense University's Sun Tzu Award in 1997, and the G2 Intelligence Professional Award in both 1997 and 1998. Mr. Wilson can be reached at firstname.lastname@example.org, and a number of his professional papers are available at http://www.7pillars.com/.
|Marcus Andersson||Firewalling wireless
The different technologies today for providing IP-access over the air to handheld devices all pose some interesting questions about traditional securitywork. How to firewall? What is the physical differences of being on the "inside" versus the "outside" of the firewall? How to implement prudent securitymeasures if there is no security on the physical layer? Today, we can conclude that most base-stations used for Radio LAN:s, regardless of technology (Bluetooth or IEEE 802.11) have coverage outside the building. This means that if someone is in the parking lot, with a PC and a RadioLAN connection, one is connected to the office LAN...
The presentation suggests some architechtureal workarounds to some of these problems, namely for example to put all handheld devices on their OWN "demilitarized" network, and not on the "inside" of the firewall. Other suggestions are made on how to implement some security on the handheld devices themselves, in order to protect them from compromising the whole network, as an unsecured "endpoint" in such a network would do. The topic of personal firewalls and automated virus-scanners for handheld devices comes in at this level.
Some issues regarding implementing cryptography in different layers of the OSI-model are discussed, as is both risks and verified securityholes with current cryptographical implementations on the link-layer (such as WEP). A brief discussion on cryptographical protection and the impact on intrusion detection (the sensors can't see what happens if the traffic is encrypted) and virus-scanners (scanners can't scan encrypted mail) in included as well.
It is not in the scope of the presentation to suggest a best practice, but rather to give some information on the threats of these new echnologies, so that risk management can make their own decisions based on that.
|Jay Beale||Attacking & Securing
Red Hat AKA How Effective Has Bastille Linux Been?
This talk will demonstrate each of the major (widely available) exploits against Red Hat 6.x, before and after hardening the system with Bastille Linux. The idea is to show, very concretely, how Bastille Linux was effective at stopping/containing attacks, before the exploit was ever written. This is not simply a "product demo" for an Open Source tool, though! We'll describe exactly what hardening steps are taken to combat each attack and illustrate how these prevented/contained a compromise.
Jay Beale is the Security Team Director at MandrakeSoft, makers of Mandrake Linux. He is also the Lead Developer of the Bastille Linux Project, which creates a hardening program for Linux. Jay is the author of a number of articles on Unix/Linux security, along with the upcoming book Securing Linux the Bastille Way, to be published by Addison-Wesley. You can learn more about his articles, talks and favorite security links via http://www.bastille-linux.org/jay.
Warfare theory to generate a higher level of knowledge from current IDS.
The two greatest weaknesses of Intrusion Detection Systems (IDS) are the ease of which they may be evaded and their tendency to generate vast amounts of false alarms. Sophisticated attackers are able to easily avoid detection, maintaining a low profile by spreading out the attack both in time and (network) space. Meanwhile alerts are generated by normal user activity. IDS have not yet reached a level where they can reliably detect and assess advanced attacks while being able to separate normal user activities.
This presentation discusses the use of Information Warfare theory, combined with multiple target tracking algorithms to generate a higher level of knowledge from current IDS. Instead of looking at IDS as the final stage in attack determination, it becomes the first stage. The IDS are treated as sensors on our network gathering information that is fed into a data fusion engine. By gathering information from different types of IDS and other sensors distributed throughout one or more networks, we aim to generate a higher level of knowledge, a situational awareness, that paints a much clearer picture of the activity on out networks.
By combining and fusing data gathered from many independent networks, it is possible to move away from the traditional defensive posture of network security. In its place we are given more of bird's eye view of the scene, and are able to see the activity of individual attackers spread out across many networks.
This presentation is based on research being conducted at the Institute for Security Technology Studies (ISTS), a federally funded research institute housed at Dartmouth College. A demonstration of the data fusion / target tracking system will be provided during the presentation.
Daniel first became interested in computer security shortly after getting a 300 baud modem to connect his C64 to the outside world. Since that time he has moved on to bigger and (somewhat) better things. These have included work in virtual reality systems at the Institute for Simulation and Training at the University of Central Florida, high speed hardware motion control software for laser engraving systems, parallel and distributed simulation research at Dartmouth College, and most recently distributed intrusion detection and analysis at the Institute for Security Technology Studies.
He is also the proud owner of a DefCon leather jacket won at Hacker Jeopardy at DefCon 8.
for Security Technology Studies (www.ists.dartmouth.edu)
The Institute and its core program on cyber-security and information infrastructure protection research serve as a principal national center for counter-terrorism technology research, development and assessment. It is funded by the U.S. Justice Department's National Institute of Justice, Office of Science and Technology to which it will also provide technical support. The Institute studies and develops technologies addressing counter-terrorism especially including counter-cyber terrorism issues in the areas of threat characterization and intelligence, threat detection and interdiction, preparedness and protection, response, and recovery.
|Arranging an Anonymous
Rendezvous: Privacy Protection for Internet Servers
As the Internet grows in popularity around the world, we are beginning to see clashes between individuals and governments from different cultural backgrounds. Corporations, organizations, and legislatures are using local laws in order to enforce their wishes on others worldwide.
Much work has been put into producing privacy-enhancing technologies that protect clients of online interactive Internet services. In this talk, we present the _rendezvous server_, a primitive which allows the transformation of any such technology into one which can equally protect the providers of those services.
It is our hope that being able to provide privacy for providers of online services, such as mailing lists, discussion groups, web sites, file servers, and chat rooms, they will be less susceptible to attack, and so will help prevent the Internet from becoming a place where the powerful can control the availability of content worldwide.
Dr. Ian Goldberg is Chief Scientist and Head Cypherpunk of Zero-Knowledge Systems, a Canadian company producing Internet privacy software for consumers. Having recently received his Ph.D. from UC Berkeley, Ian is recognized internationally as one of the leading cryptographers and cypherpunks. In addition to developing many of the leading network software titles for the Palm Pilot, Ian is known for his part in cracking the first RSA Secret Key Challenge in three and a half hours, for breaking Netscape's implementation of the encryption system SSL, for breaking the cryptography in the GSM cellular phone standard, and for throwing lots of parties.
|Keith Nugent||Windows 2000 Security:
How to lock down your Win2k boxes
Windows 2000 provides a lot of new security features that were previously not available in earlier versions. The NT line, however, has never been considered very secure right out of the box. We'll be talking about how to use NTFS permissions, Default Security templates, Custom Security templates, and Group Policy to lock down a Win2k box. We'll look at what level of security is applied by default on a Win2k box, how to analyze these settings against proposed settings, and how to apply identical settings across multiple boxes.
Keith Nugent has been playing with computers since his father first brought home an Apple iic. Being the youngest child, it thrilled him to no end to have something that would respond to HIS commands, as he was used to being the one who followed commands. Keith toyed with Apples and PC's for the next few years while he did other things, like grow up, go to college, run a business, and drive a tractor-trailer around the country. Then, a few years back, as tends to happen, he was the guy who was always fixing, operating, and training others on the computer. So he gave in and became the network administrator. Now years later, he's given up the pager and 3am-the-sky-is-falling phone calls of network administration to train full time. Keith is currently the technical training supervisor for a large computer training center in Chicago, IL.
DeWinter Information Solutions
|IP V6 Security
What's new. What are new risks? What are new opportunities.
|HC||NTFS Alternate Data
Windows NT (WNT) and Windows 2000 (W2K) have powerful graphical user interfaces that make the job of assessing the security condition of and securing these operating systems considerably easier. Changing the bad logon limit is, for example, relatively easy to both understand and do in both of these Windows operating systems. Providing adequate security does not, however, always involve working with mainstream features of applications, operating systems, and networks. Alternate data streams (ADSs) are an example. This little-known feature available with the NT File System (NTFS) in WNT 4.0 and Win2K (RICH98) has been available since the advent of NTFS in the first WNT release, WNT 3.1. Although this feature is relatively unknown by the vast majority of WNT users and administrators, it provides a potentially very powerful attack mechanism for malicious individuals intent on compromising and exploiting WNT and W2K systems.
What is an ADS? How can ADSs be created and how can executables be run in them? How can they be misused (e.g., by having malicious executables run in them)? How can they be found? This paper addresses these and other related issues concerning ADSs and security considerations.
|James Bamford||Researching Secrets|
|Bryan Glancey||Weakest Link
Presentation and demonstration of attack attempts against common security software. Highlighting use of common hacking tools to attack Boot Protection, File Encryption, and other misplaced ideas. Seeking out the weakest section of security architecture and attacking based upon it
Bryan Glancey is the Director of Professional Services for Pointsec Mobile Technologies, the leading provider of mobile device security. Bryan has worked extensively with the implementation of Security Systems for Fortune 100 customers for the last 10 years. Bryan has spoken at a variety of industry conventions regarding information security, Document Management and control, and internet technologies. Bryan holds an degree in Physics; during his research he worked on 1/f frequency signal analysis, computational analysis of astronomical data, and research into electron migration using 3d modeling.
|Simple Nomad||Widdershins: De-evolution and the Politics of Technology|
|Enrique Sanchez||Distributed Intrusion
Detection System Evasion
Distributed Intrusion Detection System (DIDSE)
A fast connection is the new era, but your IDS system can handle it?, your Operating System can handle it?. Can you handle it?.
A DDoS is not the worse thing that an attacker can do in a distributed way. A evasion attack can take place while your IDS is just dropping packets, while it is just there checking an innumerable amount of unused packets with unused connections.
There is no tool such as this, or is it? DIDSE distributes the attack ranging the amount of packets to be sent to the network to cause a flood to even modem connections in a timing and hidden way the is virtually impossible to hide it, combined with some accuracy in penetration an attacker could easily bypass the new era security systems. He can bypass your IDS.
Enrique A. Sanchez is an Industrial Engineer wich previously worked as system administrator before becomming senior pen-tester in an european security firm. Enrqiue A. Sanchez is involved in education, R&D and pen-testing.
|Bruce Schneier||Bruce Schneier Answers Questions|
|Jim Christy||Meet the FED Panel
This years panel will build on last years format: A brief introduction and statement from each of the panel memebers, and then right into Audience Questions and Answers. Jim Christy will be moderating.
So far the Panel includes:
the past three years, Dr. Tafoya has been Professor of Criminal Justice
at Governors State University. Previously he was Director of Research,
Office of International Criminal Justice, University of Illinois at Chicago.
He is a retired Special Agent of the Federal Bureau of Investigation.
For 12 months (July 1989 – July 1990), he served as Congressional Research Fellow for the 101st Congress in Washington, DC. There he conducted research on police use of high technology as well as future crime. He remains the only law enforcement officer ever selected to serve in this capacity on behalf of the U. S. Congress. He has guest lectured at numerous universities and various venues internationally. In 1991 he founded the Society of Police Futurists International.
Prior to his retirement from the FBI in June 1995, he was assigned in Washington, DC, Quantico, Virginia, and San Francisco, California. Dr. Tafoya served for 11 years at the FBI Academy as a senior faculty member of the Computer Crimes Training and Behavioral Science Units.
He was the first law enforcement officer to make investigative use of the Internet. He created the UNABOMber web site in December 1993. It was generated on a NASA computer because at that time the FBI did not have the capability to implement Bill’s ideas on its own computer system. Bill subsequently developed the FBI’s Oklahoma City Bombing web page in April 1995.
At Governors State University Dr. Tafoya teaches courses in Computer Crime Investigation, Research Methods and Statistics, as well as Strategic Planning. His current research interests are in CyberTerrorism and the application of Virtual Reality for training of law enforcement officers.
His 1986 Ph.D. in Criminology is from the University of Maryland; it was a forecast of future of law enforcement. He was recently appointed an advisor to the National Cybercrime Training Partnership of the U. S. Department of Justice. Both the print and electronic media have interviewed him extensively nationally and internationally. Twice he has been featured in U. S. News & World Report. More recently he was featured in the April 2001 issue of Information Security.
CEO / co-founder of SafeWeb
Triangle Boy: IP spoofing and strong encryption in service of a free Internet
SafeWeb is an encrypted (SSL) anonymous proxy service, used approximately 100 million times per month by hundreds of thousands of people worldwide. Triangle Boy is an Open Source program that lets volunteers turn their PCs into entry points into the SafeWeb network, thereby foiling censorship in countries like China and Iran. Triangle Boy uses IP spoofing and innovative packet routing to minimize the load on volunteer machines. I discuss SafeWeb's goals and technologies, its involvement with the CIA through In-Q-Tel (the agency's venture fund) and the Internet as a catalyst for social transformation in China.
Stephen Hsu is the CEO and co-founder of SafeWeb. He is currently on leave from his position as a professor of theoretical physics at the University of Oregon. Previously, he was an assistant professor at Yale University, and a research fellow at Harvard. His research specialty is quantum field theory and its applications to particle physics, astrophysics and cosmology. He holds a PhD from UC Berkeley and a BS from Caltech.
|Lile Elam||Renagade wireless
networks, Creating Connectivity on Demand.
A panel of wireless hackers will describe how adhoc open wireless networks have been successfully set up for various events and places. From small/large happenings to local neighborhood access, learn how to create open wireless networks for all to use. After all, what is hacking without connectivity!
Lile Elam, a hacker artist residing in Silicon Valley, has managed various un*x based systems and networks since the late 80's. Founder of Art.Net (1994), Lile has always had an interest in sharing enabling technologies and creating networked communities.
|Dennis Salguero||The business side
of starting your own consulting firm and how they can succeed.
I currently run my own computer consulting
firm and I think that I can help others. I don't specialize in security,
but obviously, there are similar tasks that need to be done. I would cover
To find out more about me, I invite you visit my web site at http://www.beridney.com There, you will find out about the books I have written and other conferences that I have spoken at.
|Principles of Cyber Anarchy|
|The Defendant||So you got your lame
ass sued: A legal narrative.
"The Defendant" put up a website critical of his ex-employer, and within a week found himself in the center of a $120,000 lawsuit, facing some of the most powerful lawyers and largest firms in the country. With a week to fight the restraining order put against him, he had to learn everything he needed to know about legal procedures, presenting a defense, and speaking to the press. Through this, he kept the website up, answered many questions, and became the lightning rod for hundreds of angry, mistreated employees. Come listen to what he learned, and get some ideas in case it's ever you in the courtroom.
|Barry J. Stiefel||NAT For Newbies and
Not-So-Newbies: A Tutorial
Network Address Translation (NAT) is a cheap and simple method for boosting the effectiveness of your firewall. Properly configured NAT can help hide your internal network structure from outsiders, enforce “outbound only” connections from internal hosts, and preserve scarce IPv4 addresses. This tutorial moves quickly through the basics, discusses a typical NAT configuration, describes NAT in action, enumerates the benefits of NAT, explains several potential pitfalls and shows how to configure DNS to accommodate the translated addresses.
Barry J. Stiefel ("Stee-ful"), B.Sc., MBA, CISSP, MCSE, CCNA, CCSA/E/I, A+, is the Chief Technical Consultant at Information Engine, Inc., a Silicon Valley networking and security consulting firm. Previously, he was the founding Manager of Information Systems at Galileo Technology and was President of the Windows NT Engineering Association.
|Dario D. Diaz, Esq.||Digital Millennium
A presentation of the DMCA, a discussion of the terms and meanings with specific reference to the technical aspect of the Act, a case law study of specific cases around the country (not many as the law is very new and untested), and the repercussions of specific "hacking" acts that may result in a violation of the Act.
|Dr. Cyrus Peikari||An open-source, international,
attenuated computer virus
The unchecked proliferation of global information networks has left society vulnerable to a digital Armageddon. Computer viruses can counter this vulnerability by stabilizing and strengthening information systems. Using analogies from medicine, this paper demonstrates the pressing need for well-designed computer viruses. This paper also proposes the design, implementation, and distribution of an open-source, international, attenuated computer virus.
Dr. Cyrus Peikari is the Chief Technology Officer of VirusMD Corporation. He is the author of "Windows Internet Security: Privacy and Protection." being released this fall from Prentice-Hall publishers. He is a former teacher of advanced mathematics at the Southern Methodist University Learning Enhancement Center in Dallas, TX. In addition, Dr. Peikari speaks on the radio about Internet Security every Friday night as a correspondent for CBS affiliate A.M 1080 KRLD in Dallas, TX
|Shatter||FAQ The newbies:
Information for people new to security, hacking or Defcon.
ETTIQUITE: How to approch people, talk with people, introduce yourself and how not to be a lamer. Example will include real life anecdotes, stories from past cons, and even things that happened the night before.
PHILOSOPHY: Why are you here, and what are you doing? What is your motivation to be here? Why do you hack?
Also included in this section is the concept of ethics: How your actions effect yourself, others, and the net at large, responcibility for your actions, and the differences of white/grey/black hat hacking, and why real hackers don't wear hats.
LEARNING: Where to go to learn, proper steps to true knowledge, and how to avoid the trappings of being a script kiddie. Knowing the difference from downloading a useful tool for your set and grabbing a script and wrecking havok.
REAL WORLD: What the media dosn't tell you, why hacking is easier on tv and the movies, and the you don't get 6 figure jobs by getting busted for hacking a .gov installation. Debunking some of the myths that the gov't and private sector look for the best hackers to hire from the lists of convicted hackers.
WHERE TO GO FROM HERE: What you can get out of defcon, what you can learn, and where to go after you nurse a major hangover.
This is the general idea of the lecture, same overall concept from last year, but teh content is dynamic and updated to always remain current.
Shatter has been involved on many angles of the computer genre for over 20 years, and has spent 15+ of those years in the online/hacking aspects of it. Shatter has written many of the core '80s text files (under numerous nom de plumes) during the times when they were traded on variou bbs's. Recent work has been in online data management and profiling (enough for an entire lecture on what's really happening) as well as side security projects, artwork, and 3D design work. His next assignment is project manager on a building wide telemetry and control integration system with full accountability in real time on a tcp/ip house net with full security implimentation, as well as physical buiding security.
|What is SSL, a CA
The goal of FreeCertis to provide free or low-cost certificate authority services to individuals and organizations with limited budgets, as well as raise awareness of the services that CA's actually provide.
Many users of the Internet today are unaware of what role a CA plays in the process of secure website viewing. In my presentation, I intend to give a brief explanation of how SSL works and what it is that a CA does. I will explain what the browser warning messages mean to the user, and what to do when encountering them. I will discuss the dangers of trusting CAs, and methods of ensuring that certificates are valid when the CA cannot be ultimately trusted.
Following this, I will present details about FreeCert: what it does and does not intend to accomplish, who can benefit from it, and how it will execute these goals. Information on becoming involved in the development of FreeCert will be provided, and questions about FreeCert will be answered.
Len Sassaman is a Systems Engineer for PDC Solutions, Inc. His primary focus is information security, specializing in email security and anonymity services. Len is an anonymous remailer operator, a member of The Shmoo Group, and a CryptoRights Foundation staff member.
|Jennifer Granick||European Cybercrime treaty|
|Ryan Lackey||HavenCo: One Year
In addition, I'll discuss some of our current development projects, and how our services can be useful to pro-liberty forces around the world.
Ryan Lackey is HavenCo's CTO and co-founder, living on Sealand full-time.He has worked on electronic cash and software-based datahaven systems, and originally got involved with HavenCo when looking for a secure place to host central electronic cash servers. In addition to Sealand, he has lived in Anguilla, considered wrongly or rightly as another possible datahaven location during the US crypto export restricted period. HavenCo has taught him how to deal with media, politicians, and large numbers of lawyers, while running an international multi-site network, living in a 10 000 square foot concrete fortress for 3 months at a time, and missing just about every worthwhile party in the world for over a year.
Super Dave, of the DoC
|Introduction to Quantum
The subject is Quantum Cryptography, and the scope of the paper will be targeted toward a lay audience with a basic understanding of physics (what is an electron, a photon, etc.), computers (that they deal with binary information), and cryptography (that combining data with noise makes the data unreadable unless the noise is removed).
I will move quickly and at a basic level through the quantum physics involved and the cryptographic principles and leave the audience with an understanding of the state and potential of quantum computing and quantum cryptography.
David Gessel spent seven years of his childhood hammering steel in front of a coal-fired forge as a blacksmith’s apprentice. He then went to MIT to get a degree in physics where he focused on fusion, robotics, and precision engineering. Switching coasts, David joined Apple’s Advanced Technology Group and worked on a wide range of projects including pen-based computers, LCD technology, and digital cameras. David left Apple to join Interval Research Corp, researching rapid design/prototyping technologies for mechanical systems. After a few startups, David is now a consultant to Teradyne, Inc. and holds positions at Delta-e, LLC; PicoStar, LLC; idbias; and Nebucon, Inc.
|John L. Dodge
Bernadette H. Schell
Hacker Study Update
Laurentian University's Hacker Research Team from Sudbury Ontario Canada interviewed and surveyed self-professed hackers at Def Con 8 in Las Vegas and H2K in New York City in July 2000. The objective of the study was an attempt to give a balanced view on hackers - including the "white hats" and the "back hats". Its intent was to collect information that would give a realistic picture of the way hackers think, feel, and behave rather than some unbalanced and contrived picture based on the media or innuendo. The 22-page questionnaire had five parts:(I) hacker demographics, (II) health and mind-body symptoms, (III) routine behaviors, (IV) respondents' likes and dislikes and (V) decisions regarding work and/or school.
The media and academic writers have created many hacker myths based on their feelings or observations. Are they supported by fact or are they just fiction? Of the 20-hacker myths investigated we will present which are supported by the questionnaire data and which are not. We begin to crack the myths with a balance view.
John L. Dodge is a professor within the School of Commerce andAdministration at Laurentian University, Sudbury, Ontario Canada. As a partner in a management-consulting firm, he lectures and consults widely on e-commerce and organizational strategy issues. Prior to his academic career he was President and CEO of a venture capital firm and Vice President Development for a mining and development company. He holds a Bachelor of Engineering from Dalhousie University, a Master of Business Administration from the University of Western Ontario and a Ph.D. from the University of Bradford in the U.K. He is a Certified Management Consultant (CMC) and a Professional Engineer (P.Eng.).
Bernadette H. Schell is Director of the School of Commerce and Administration, Laurentian University, Canada. President of an HR consulting firm in Sudbury, Ontario, she lectures widely on stress management, executive stress, and stalking protection measures. She is author of a Self-Diagnostic Approach To Understanding Organizational And Personal Stressors (1997), Management In The Mirror (1999) and Stalking, Harassment And Murder In The Workplace (2000) all published by Quorum Books. She is the recipient of the Laurentian University research excellence award (2000).
|Sharad||Security & privacy
are critically important issues in todays digitally connected age
The typical netizen is blissfully unaware of the dangers that lurk each time he or she gets connected. Others consider security to be a "black art", too complex to understand - and therefore studiously avoid anything to do with it.
This session serves as an introduction to the dangers that abound in today's networked existence. Besides presenting an overview of various attacks, the talk tries to demystify them by explaining the "how it works" of the attacks.
We move from basic to more sophisticated attacks, cover a "proof of concept" case study and consider the counter measures possible. The session aims to serve as a starting point for all those interested in safe guarding their online existence, for those responsible for their organiztion's security issues and for just about anyone who is interested in security.
Sharad Popli is the CTO and founding director of QuantumLink Communications Pvt. Ltd. (QLC), a five year old software company (based in Bombay, India), with a focus on Internet technologies and a specialization in Java.
Sharad, an old timer on the Net (more than 10 years now) is the chief architect behind PostMaster, a popular mailserver with more than 1500 installations across the world. A strong advocate of Open Source, he has been an early adopter of various open source technologies and software (including Linux since its 1.0 days and PHP when it was known as PHP/FI :))
Sharad writes from time to time (when persuaded enough!) His articles have appeared in most publications in India and also on CNETs international sites.
He is an oft-invited speaker at various seminars and conferences and has addressed numerous conventions on subjects including: Java Technologies, Servlets, Linux, Email, Security issues, MTAs on Linux, Advertising on the Net, and other generic net-based topics.
When not ensnared by the Net, he enjoys reading, music and the great outdoors.
|Dan Moniz||_The Impact of P2P
on Security in the Enterprise_
Increasing democratization of the network means more and more users are finding interesting things to do with the resources at their disposal. In the wake of watershed decentralized applications such as Napster, many commercial and open source efforts are producing so-called "peer-to-peer" (P2P) or decentralized applications and computing frameworks. The genesis of P2P, decentralization, and distributed computing as a fundamental architecture has serious implications for the way security is handled, not only in the wilds of public networks like the Internet, but also in closed enterprise environments. Like it or not, users will be using these apps and participating in these networks. It behooves every security administrator to become familiar with the nature of P2P systems and to understand both the potential threats and possible benefits of such systems, as well as to anticipate user adoption and related issues.
Dan Moniz is a Research Scientist and Chief Security Architect at OpenCola, a leading developer of distributed computing infrastructure (DCI) software, including peer-to-peer (P2P) applications and reliable multicast systems. His primary work to date has been in the area of security architecture for generalized P2P applications, protocols, and frameworks. Previous projects have involved digital rights management (DRM) systems predicated on true electronic rights inside capability-based secure environments as well as analysis and design of authentication protocols for distributed media streaming applications.
Before joining OpenCola in September of 2000, Mr. Moniz worked as a Researcher for Viasec Limited, a crypto software development firm, and contributed to their flagship email encryption server Consus, as well as additional internal research projects involving single sign-on (SSO) technology, biometric identification systems, smartcard tokens, capability-based systems, and security for mobile devices.
Mr. Moniz supplements this experience with several years of exposure and participation in the public infosec community at large.
|Freaky||OS/X and Macintosh
Macintosh Security has gone unnoticed by the public for many years, only recently it has become a topic due to the release of Apple's Mac OS X. With BSD functionality there is a whole new realm of security issues to be discussed. This years discussion will include the following, if there are other topics you would like discussed please email email@example.com with the topics.
You will also learn about the latest Macintosh security / hacking tools and see demonstrations of new apps. Plus Q&A at the end, and a guest speaker from the Macintosh Underground group Team2600 have a special announcement!
|John Q. Newman||How background investigations are conducted & how they can be defeated|