Black Hat Briefings, Las Vegas 2005 [audio] Presentations From The Security Conference



Past speeches and talks from the Black Hat Briefings computer security conferences.The Black Hat Briefings USA 2005 was held July 27-28 in Las Vegas at Caesars Palace.A post convention wrap up can be found at Hat Briefings bring together a unique mix in security: the best minds from government agencies and global corporations with the underground's most respected hackers. These forums take place regularly in Las Vegas, Washington D.C., Amsterdam, and TokyoVideo, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest with new content added as available! Past speeches and talks from Black Hat in an iPod friendly .mp3 cbr 64k audio format. If you want to get a better idea of the presentation materials go to and download them. Put up the .pdfs in one window while listening the talks in the other. Almost as good as being there!


  • Philip R. Zimmermann: The Unveiling of My Next Big Project

    04/06/2006 Duração: 50min

    Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. Phil has been working on a new project and plans to have freeware ready for all Black Hat attendees.

  • Adam L. Young: Building Robust Backdoors In Secret Symmetric Ciphers

    04/06/2006 Duração: 48min

    This talk will present recent advances in the design of robust cryptographic backdoors in secret symmetric ciphers (i.e., classified or proprietary ciphers). The problem directly affects end-users since corporations and governments have in the past produced secret symmetric ciphers for general use (e.g., RC4 and Skipjack, respectively). The problem itself is challenging since it involves leaking secret key material in the ciphertexts that are produced by a deterministic function, whereas traditional subliminal channels have relied on the use of randomized cryptographic algorithms. Such attacks can be regarded as advanced Trojan horse attacks since the secret block cipher securely and subliminally transmits the symmetric key of the sender and receiver to the malicious designer and confidentiality holds even when the cipher is made public. The material that will be surveyed was published in Fast Software Encryption (FSE '98), the Australasian Conference on Information Security and Privacy (ACISP '03), and Se

  • Alex Wheeler and Neel Mehta: Owning Anti-Virus: Weaknesses in a Critical Security Component

    04/06/2006 Duração: 01h05min

    AV software is becoming extremely popular because of the its percieved protection. Even the average person is aware they want AV on their computer (see AOL, Netscape, Netzero, Earthlink, and other ISP television ads). What if: Instead of protecting ppl from hackers AV software was actually making it easier for hackers? This talk will outline general binary auditing techniques using AV software as an example, and demonstrate examples of remote AV vulnerabilities discovered using those techniques. Alex Wheeler is a security researcher, who specializes in reversing engineering binaries for security vulnerabilities. His research experience was cultivated during his time with ISS X-Force, which he spent auditing critical network applications and technologies for security vulnerabilities. Alex's recent audit focus on AV products has lead to the discovery of serious systemic and point vulnerabilities in many major AV products. Neel Mehta works as an application vulnerability researcher at ISS X-Force, and l

  • Paul Vixie: Preventing Child Neglect in DNSSEC-bis using Lookaside Validation

    04/06/2006 Duração: 01h15min

    Paul Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. Early in his career, he developed and introduced sends, proxynet, rtty, cron and other lesser-known tools. Today, Paul is considered the primary modern author and technical architect of BINDv8 the Berkeley Internet Name Domain Version 8, the open source reference implementation of the Domain Name System (DNS). He formed the Internet Software Consortium (ISC) in 1994, and now acts as Chairman of its Board of Directors. The ISC reflects Paul's commitment to developing and maintaining production quality open source reference implementations of core Internet protocols. More recently, Paul cofounded MAPS LLC (Mail Abuse Prevention System), a California nonprofit company established in 1998 with the goal of hosting the RBL (Realtime Blackhole List) and stopping the Internet's email system from being abused by spammers. Vixie is currently the Chief Technology Officer of Metromedia F

  • Andrew van der Stock: World Exclusive - Announcing the OWASP Guide To Securing Web Applications and Services 2.0

    04/06/2006 Duração: 53min

    After three years of community development, the Open Web Application Security Project (OWASP) is proud to introduce the next generation of web application security standards at BlackHat USA 2005. The Guide to Securing Web Applications and Services 2.0 is a major new release - written from the ground up, with many new sections covering common and emerging risks, including: * How to design more secure software * How to conduct a security review using the Guide * How to perform the most difficult web application processes correctly: processing credit cards, interacting with payment gateways (such as PayPayl), and anti-phishing controls * Reorganized and easily navigated chapters on web application controls including: web services, comprehensive authentication and authorization controls, session management, data validation, interpreter injection, and many new controls within existing chapters * Secure configuration and deployment * And software quality assurance. The Guide has

  • Eugene Tsyrklevich: Ozone HIPS: Unbreakable Windows

    04/06/2006 Duração: 01h16min

    Windows is the number one target on the Internet today. It takes less than 5 minutes for an unpatched Windows machine, connected to the Internet, to get owned. Yet the most prevalent security practices still consist of running anti-viruses and constant patching. This presentation introduces a new tool, called Ozone, that is designed to protect against most of the commonly exploited attack vectors. To protect against the most common of these, buffer overflows, Ozone uses an address space randomization technique. In addition, Ozone runs all processes in a sandbox that severely limits what a compromised process is allowed to do. Finally, Ozone protects itself and the underlying operating system against further attacks. Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military environments. Eugene has presented his research at a number of security conferences including Usenix Secur

  • Michael Sutton and Adam Greene: The Art of File Format Fuzzing

    04/06/2006 Duração: 43min

    In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be caused by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as more and more frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when included as email attachments or downloaded from the Internet. As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing that range from pure brute force fuzzing to intelligent fuzzing that requires an understanding of the targeted file

  • Alex Stamos and Scott Stender: Attacking Web Services: The Next Generation of Vulnerable Enterprise Apps

    04/06/2006 Duração: 01h12min

    Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc) can be retooled to work with the next-generation of enterprise applications. The speakers will also demonstrate some of the first publicly available tools for finding and penetrating web service enabled systems. Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital sec

  • spoonm and skape: Beyond EIP

    04/06/2006 Duração: 30min

    When we built Metasploit, our focus was on the exploit development process. We tried to design a system that helped create reliable and robust exploits. While this is obviously very important, it's only the first step in the process. What do you do once you own EIP? Our presentation will concentrate on the recent advancements in shellcode, IDS/firewall evasion, and post-exploitation systems. We will discuss the design and implementation of the technologies that enable complex payloads, such as VNC injection, and the suite of tools we've built upon them. We will then present a glimps of the next generation of Metasploit, and how these new advances will serve as it's backbone. Spoonm Since late 2003, spoonm has been one of the core developers behind the Metasploit Project. He is responsible for much of the architecture in version 2.0, as well as other components including encoders, nop generators, and a polymorphic shellcode engine. A full-time student at a northern university, spoonm spends too much of his

  • Sherri Sparks and Jamie Butler: "Shadow Walker" - Raising The Bar For Rootkit Detection

    04/06/2006 Duração: 01h14min

    Last year at Black Hat, we introduced the rootkit FU. FU took an unprecented approach to hiding not previously seen before in a Windows rootkit. Rather than patching code or modifying function pointers in well known operating system structures like the system call table, FU demonstrated that is was possible to control the execution path indirectly by modifying private kernel objects in memory. This technique was coined DKOM, or Direct Kernel Object Manipulation. The difficulty in detecting this form of attack caused concern for anti-malware developers. This year, FU teams up with Shadow Walker to raise the bar for rootkit detectors once again. In this talk we will explore the idea of memory subversion. We demonstrate that is not only possible to hide a rootkit driver in memory, but that it is possible to do so with a minimal performance impact. The application (threat) of this attack extends beyond rootkits. As bug hunters turn toward kernel level exploits, we can extrapolate its application to worms and othe

  • Derek Soeder and Ryan Permeh: eEye BootRoot

    04/06/2006 Duração: 01h13min

    This presentation will cover the eEye BootRoot project, an exploration of technology that boot sector code can use to subvert the Windows NT-family kernel and retain the potential for execution, even after Windows startup-a topic made apropos by the recent emergence of Windows rootkits into mainstream awareness. We will provide some brief but technical background on the Windows startup process, then discuss BootRoot and related technology, including a little-known stealth technique for low-level disk access. Finally, we will demonstrate the proof-of-concept BootRootKit, loaded from a variety of bootable media. Derek Soeder is a Software Engineer and after-hours researcher at eEye Digital Security. In addition to participating in the ongoing development of eEye's Retina Network Security Scanner product, Derek has also produced a number of internal technologies and is responsible for the discovery of multiple serious security vulnerabilities. His main areas of interest include operating system internals and

  • Paul Simmonds: The Jericho Challenge - Finalist Architecture Presentations and Awards

    04/06/2006 Duração: 41min

    The days of the corporate network, completely isolated with a well-secured outer shell are long gone; yet we continue to cling to this model. Global networks with no borders, offer the potential of substantial savings in communications costs, maximum network agility and instant connectivity for clients and partners. Can you secure this incredibly compelling business model, and provide a long-term business case for security where security contributes to the corporate bottom line? Can the CISO be seen as a true partner in corporate strategic thinking? What does business need from its suppliers to make this a feasible reality? What do you need to be doing now to achieve this goal? The Jericho Challenge is an industry-wide competition with for secure architecture design and related Jericho compliancy concepts, available at The top three finalists will present their papers during this session. Judges will give cash awards to papers that contribute most to the debate on Jericho Ar

  • SensePost: Automation - Deus ex Machina or Rube Goldberg Machine?

    04/06/2006 Duração: 01h06min

    How far can automation be taken? How much intelligence can be embodied in code? How generic can automated IT security assessment tools really be? This presentation will attempt to show which areas of attacks lend themselves to automation and which aspects should best be left for manual human inspection and analyses. SensePost will provide the audience a glimpse of BiDiBLAH - an attempt to automate a focussed yet comprehensive assessment. The tool provides automation for: * Finding networks and targets * Fingerprinting targets * Discovering known vulnerabilities on the targets * Exploiting the vulnerabilities found * Reporting Roelof Temmingh is the Technical Director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of PERL code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding"

  • Mike Pomraning: Injection Flaws: Stop Validating Your Input

    04/06/2006 Duração: 29min

    Years after the debut of XSS and SQL Injection, each passing week sees newly disclosed vulnerabilities ready to be exploited by these same techniques. Labelling all of these as "input validation flaws" isn't helping anymore. In this Turbo Talk we turn the situation upside-down to get a better perspective, and cover specific techniques to address the problems. Mike Pomraning is a systems and process troubleshooter, finding trouble and shooting it. He works for SecurePipe, Inc., a managed security services provider, and holds a CISSP. He prefers to debug application misbehavior with code traces, kernel traces and packet dumps, though at higher layers he prefers dialogue and audit. Along the way has written a few helpful programs, including pynids, a python wrapper to the libnids NIDS framework, and more perl than he can recall.

  • Ejovi Nuwere and Mikko Varpiola: The Art of SIP fuzzing and Vulnerabilities Found in VoIP

    04/06/2006 Duração: 01h04min

    This presentation will cover SIP and VoIP related automated fuzzing techniques. Using real world vulnerabilities and audit engagements we will give a technical understanding of this emerging technology and its common attack vectors. The techniques discussed in this talk will not only be limited to SIP but will apply to methodical audit approaches for fuzzing text based protocols which can be more complex then fuzzing binary protocols. This talk will include: * 0 day vulnerabilities (or one day) * Example fuzzing scripts * Proof of concept code Ejovi Nuwere is the founder of SecurityLab Technologies. Nuwere gained media attention and international recognition for his highly publicized security audit of Japan's National ID system--JukiNet. Nuwere is the Chief Technology Officer of SecurityLab Technologies where he heads the companies VoIP security auditing group. He currently lives in Boston and is working on his second book, Practical Penetration Testing (O'Reilly). Mikko Varpiola

  • Mudge aka Peiter Mudge Zatko: Economics, Physics, Psychology and How They Relate to Technical Aspects of Counter Intelligence/Counter Espionage Within Information Security

    04/06/2006 Duração: 01h11min

    The computer and network security fields have made little progress in the past decade. The rhetoric that the field is in an arms race; attacks are becoming more complicated and thus defenses are always in a keep-up situation makes little sense when 10 year old root kits, BGP and DNS attacks that have been widely publicized for years, and plain-text communications streams are still being taken advantage of. This talk looks at the environment without being skewed by currently marketed solutions. It then presents corollaries for environments in different disciplines, such as economics and physics, talks to certain psychological situations that prohibit researchers and organizations from being able to correctly address the problems, maps these solutions into Counter Intelligence and Counter Espionage models and finally applies them to low level network and systems communications. This presentation involves audience participation to point out ways of breaking the helplessness cycle (for the defensive side) or to b

  • Shawn Moyer: Owning the C-suite: Corporate Warfare as a Social Engineering Problem

    04/06/2006 Duração: 18min

    Let's face it, you ROCK at building InfoSec tech, but you SUCK at corporate warfare. Sooner or later, you WILL have to sit in a boardroom with the suits and justify your existence. If you approach your own survival and that of your security team's as a Social Engineering problem, it can not only work for you, but it can be FUN. Don't let them own you, own THEM. Shawn Moyer is a Lead Security Product Manager for InfoSec for one of the US's largest finance companies. He has lots of three and four letter acronyms after his name, and has led InfoSec teams at startups and smaller companies in the past. He has spent much of his career getting people who hate security to love it, and finding ways to get non-geeky people to see why they need geeks. He has been attending BH and DC for quite a few years, but has managed to keep his mouth shut until now.

  • Panel: CISO QA with Jeff Moss

    04/06/2006 Duração: 01h05s

    Jeff Moss, founder of Black Hat, invites Chief Information Security Officers from global corporations to join him on stage for a unique set of questions and answers. What do CISOs think of Black Hat, David Litchfield, Dan Kaminsky, Joe Grand, Johnny Long, Metasploit, and DEFCON? How many years before deperimeterization is a reality? Is security research more helpful or harmful to the economy? What privacy practices do CISOs personally use? These questions and others from the audience will be fielded by this panel of security visionaries. Scott Blake is Chief Information Security Officer for Liberty Mutual Insurance Group and is responsible for information security strategy and policy. Prior to joining Liberty, Scott was Vice President of Information Security for BindView Corporation where he founded the RAZOR security research team and directed security technology, market, and public affairs strategy. Scott has delivered many lectures on all aspects of information security and is frequently sought by the p

  • Panel: The National ID Debate

    04/06/2006 Duração: 01h12min

    As a result of the Real-ID Act, all American citizens will have an electronically readable ID card that is linked to the federal database by May 2008. This means that in three years we will have a National ID card system that is being unilaterally controlled by one organization (DHS) whether we want it or not. Organizations such as the ACLU are already exploring opportunities for litigation. Privacy advocates cite Nazi Germany and slippery slopes, while the government waves the anti-terrorism flag back in their faces. Compromises and alternate solutions abound. Join us for a lively debate/open forum as an attempt to find a useable solution to this sticky problem. We will review solutions from the AMANA as well as ask why passports are not considered to be a privacy problem in the same ways. Would a National ID card make us safer? What to do about 15 million illegal immigrants? If college students can fake an ID, why can't a terrorist? What civil rights are abrogated by requiring everyone to possess an ID?

  • Robert Morris: The Non-Cryptographic Ways of Losing Information

    04/06/2006 Duração: 01h02min

    To fully understand how to protect crucial information in the modern world, one needs to fully understand how the modern spy steals it. Since the glorious days of cryptanalysis during World War II, the art of stealing and protecting information has drastically changed. Using over 25 years of NSA field-stories, this talk will highlight the lesser-known world of stealing data: eavesdropping, theft, purchase, burglary, blackmail, bribery, and the like. Furthermore, my talk will highlight ways one can avoid the common pitfalls of carelessness and overconfidence that give the modern spy a full access pass. Robert Morris received a B.A. in Mathematics from Harvard University in 1957 and a M.A. in Mathematics from Harvard in 1958. He was a member of the technical staff in the research department of Bell Laboratories from 1960 until 1986. On his retirement from Bell Laboratories in 1986 he began work at the National Security Agency. From 1986 to his (second) retirement in 1994, he was a senior adviser in the porti

Página 1 de 4