Black Hat Briefings, Japan 2005 [Audio] Presentati

"In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be caused by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as more and more frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when included as email attachments or downloaded from the Internet. As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing that range from pure brute force fuzzing to intelligent fuzzing that requires an understanding of the targeted file formats. We will present a methodology for approaching this type of research and address issues such as automating the process. Techniques will be discussed to address challenges such as attacking proprietary file formats, overcoming exception handling and reducing false positives. The presentation will include demonstrations of fuzzing tools designed for both the *nix and Windows platforms that will be released at the conference and the disclosure of vulnerabilities discovered during the course of our research. Michael Sutton is a Director for iDEFENSE/VeriSign, a security intelligence company located in Reston, VA. He heads iDEFENSE/VeriSign and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP). Prior to joining iDEFENSE/VeriSign, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. Michael obtained his Certified Information Systems Auditor (CISA) designation in 1998 and is a member of Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department. Adam Greene is a Security Engineer for iDEFENSE/VeriSign, a security intelligence company located in Reston, VA. His responsibilities at iDEFENSE/VeriSign include researching original vulnerabilities and developing exploit code as well as verifying and analyzing submissions to the iDEFENSE Vulnerability Contributor Program. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX based system auditing and exploit development. In his time away from computers he has been known to enjoy tea and foosball with strange old women."

"Our networks are growing. Is our understanding of them? This talk will focus on the monitoring and defense of very large scale networks, describing mechanisms for actively probing them and systems that may evade our most detailed probes. We will analyze these techniques in the context of how IPv6 affects, or fails to affect them. A number of technologies will be discussed, including: * A temporal attack against IP fragmentation, using variance in fragment reassembly timers to evade Network Intrustion Detection Systems * A high speed DNS tunneling mechanism, capable of streaming video over a firewall-penetrating set of DNS queries * DNS poisoning attacks against networks that implement automated defensive network shunning, and other unexpected design constraints developers and deployers of security equipment should be aware of * Mechanisms for very high speed reconstruction of IPv4 and IPv6 network topologies, complete with visual representation of those topologies implemented in OpenGL. * Analysis of the potential for using name servers as IPv4->IPv6 gateways. * In addition, we'll briefly discuss the results of research against MD5, which allows two very different web pages to emit the same MD5 hash. Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya's Enterprise Security Practice, where he works on large-scale security infrastructure. Dan's experience includes two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", was a co-author of "Stealing The Network: How To Own The Box", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley."

"In forensic research it is imperative to search for Japanese language strings. However many of the tools used in forensic research are being developed outside of Japan, and therefore not tuned for the Japanese language. In Japan there is research being done on using character encoding for anti-forensic countermeasures, and therefore character encoding and Japanese are significant issues for Japanese agents. This session will cover the various issues on Japanese when using popular forensic tools and other technical issues for future considerations. Hideaki Ihara was born in 1973. He Specializes in Windows system security, intrusion detection and analysis and computer forensics. He was awarded the MVP for Windows Security by Microsoft and is author of many books regarding security published by O'reilly, Shoeisya. Ihara has been director at NetAgent Inc. since June 2005"

"This presentation details the methods attackers utilize to gain access to wireless networks and their attached resources. Examples of the traffic that typifies each attack are shown and discussed, providing attendees with the knowledge too identify each attack. Defensive measures that can be taken in real time to counter the attack are then presented. Chris Hurley (Roamer) is a Senior Penetration Tester working in the Washington, DC area. He is the founder of the WorldWide WarDrive, a four-year effort by INFOSEC professionals and hobbyists to generate awareness of the insecurities associated with wireless networks and is the lead organizer of the DEF CON WarDriving Contest. Chris has spoken at several security conferences and published numerous whitepapers on a wide range of INFOSEC topics. Chris is the lead author of "WarDriving: Drive, Detect, Defend ", and a contributor to "Stealing the Network: How to Own an Identity", "Aggressive Network Self-Defense", "InfoSec Career Hacking", and "OS X for Hackers at Heart"."

"Many of the various attacking mechanism such as spam email, DDoS that are attacking the internet as whole in recent years can be attributed to Botnets. However there is not much information on these Botnets yet. Telecom ISAC-Japan and JPCERT/CC conducted a detailed investigation regarding botnet activity. This session will cover what was found during the investigation and the current state of the massive amount of infected users and sub-species of botnets. Satoru Koyama Joined NIPPON TELEGRAPH AND TELEPHONE CORPORATION (NTT) in 1998. Prior to this, in 1995m Koyama Was part of launching NTT's ISP business OCN. After the launch became instrumental in building the OCN security services. * Telecom-ISAC Japan: Steering Commitee Member, Associated Director Planning and Coordination Division * Secure Trusted Network Forum Business model Task force Chairman * Security Promotion Realizing sEcurity meAsures(SPREAD): Distribution Board member "

"The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. It?s imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. We?re all very familiar with each of those issues. Instead, we?ll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent international conference speaker at the Blackhat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites."

"Last year at Black Hat, we introduced the rootkit FU. FU took an unprecented approach to hiding not previously seen before in a Windows rootkit. Rather than patching code or modifying function pointers in well known operating system structures like the system call table, FU demonstrated that is was possible to control the execution path indirectly by modifying private kernel objects in memory. This technique was coined DKOM, or Direct Kernel Object Manipulation. The difficulty in detecting this form of attack caused concern for anti-malware developers. This year, FU teams up with Shadow Walker to raise the bar for rootkit detectors once again. In this talk we will explore the idea of memory subversion. We demonstrate that is not only possible to hide a rootkit driver in memory, but that it is possible to do so with a minimal performance impact. The application (threat) of this attack extends beyond rootkits. As bug hunters turn toward kernel level exploits, we can extrapolate its application to worms and other forms of malware. Memory scanners beware the axiom, "vidre est credere". Let us just say that it does not hold the same way that it used to. Sherri Sparks is a PhD student at the University of Central Florida. She received her undergraduate degree in Computer Engineering and subsequently switched to Computer Science after developing an interest in reverse code engineering and computer security. She also holds a graduate certificate in Computer Forensics. Currently, her research interests include offensive / defensive malicious code technologies and related issues in digital forensic applications. Jamie Butler is the Director of Engineering at HBGary, Inc. specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies"and co-author of the newly released bestseller "Rootkits: Subverting the Windows Kernel"due out late July. Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. and a computer scientist at the NSA. He holds a MS in CS from UMBC and has published articles in the IEEE IA Workshop proceedings, Phrack, USENIX login, and Information Management and Computer Security. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com."

"Has your network ever been hacked, and all you have to show for your investigative efforts is an IP address belonging to an ISP in Irkutsk? Are you tired of receiving e-mails from Citibank that resolve to Muscovite IP addresses? Would you like to hack the Kremlin? Or do you think that the Kremlin has probably owned you first? Maybe you just think that Anna Kournikova is hot. If the answer to any of the above questions is yes, then you need an introduction to the Gulag Archipelago of the Internet, the Cyberia of interconnected networks, Russia. Do not let the persistent challenges of crossing international boundaries intimidate you any longer. In this briefing, we will follow several real-world scenarios back to Russia, and you will learn valuable strategies for taking your investigations and operations one big geographical step further. A brief introduction to Russia will be followed by 1,000 traceroutes over the frozen tundra described in detail, along with an explanation of the relationship between cyber and terrestrial geography. Information will be provided on Russian hacker groups and law enforcement personnel, as well as a personal interview with the top Russian cyber cop, conducted in Russian and translated for this briefing. Quick: name one significant advantage that Russian hackers have over you. They can read your language, but you cannot read theirs! Since most Westerners cannot read Russian, the secrets of Russian hacking are largely unknown to Westerners. You will receive a short primer on the Russian language, to include network security terminology, software translation tools, and cross-cultural social engineering faux-pas (this method will apply to cracking other foreign languages as well). Hacking in a Foreign Language details a four-step plan for crossing international frontiers in cyberspace. First, you must learn something about the Tribe: in this case, the chess players and the cosmonauts. Second, you must study their cyber Terrain. We will examine the open source information and then try to create our own network map using traceroutes. Third, we will look at the Techniques that the adversary employs. And fourth, we will conquer Translation. The goal is to level the playing field for those who do not speak a foreign language. This briefing paves the way for amateur and professional hackers to move beyond their lonely linguistic and cultural orbit in order to do battle on far-away Internet terrain. Kenneth Geers (CISSP, M.A. University of Washington, 1997) has worked for many years as a programmer, Web developer, translator, and analyst. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg , harvested grapes in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Mr. Geers is the author of "Cyber Jihad: Computer Networks as a Battle Ground in the Middle East"; "Hacking in a Foreign Language: A Network Security Guide to Russia"; and "Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall". He loves his wife Jeanne, and daughters Isabelle, Sophie and Juliet."

"Look at your new device! It has a great case, plenty of buttons, and those blue LEDs - wow! But when you strip away the trappings of modern artistic design, what does it really do and how does it help you sleep at night? Perhaps most importantly, what do hackers know about this new toy that you do not? Would you be surprised to know that simple TCP fragmentation can evade most security products in the world? What would you think if you learned that a hacker can apply simple, normally accepted encoding schemes to launch attacks right through most security tools? Come and see what hackers know; if you rely on these products to keep you safe, you can't afford not to. David Maynor Mr. Maynor is a research engineer with the ISS Xforce R&D team where his primary responsibilities include reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS Maynor spent the 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of different companies in a widespread of industries ranging from digital TV development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs."

"Interpreted, dynamically-typed, and object-oriented languages like Ruby and Python are very good for many programming task in my opinion. Such languages have many benefits from rapid, easy development to increased security against memory allocation and manipulation related vulnerabilities. However, choice of programming language alone does not guarantee the resulting software written in the language will be free of security vulnerabilities, which is an obvious point, but the sources of the potential vulnerabilities may not be obvious at all. Ruby is an elegant and powerful language that supports concepts like reflection and meta-programming. As more developers use the powerful features, more layers of the language implementation get exposed. In the presentation, I will review several vulnerabilities found in Ruby and its standard libraries, some publicly disclosed and others reported privately to the core Ruby developers. The focus of the vulnerability review is to highlight the different levels of the language implementation that need to be audited to identify vulnerabilities for a given application based on the complexity of the language features used. Though Ruby is the example language used in the presentation, the concepts extend to most interpreted languages commonly used today. Dominique Brezinski, resident technologist at Black Hat, has spent the last few years thinking about and implementing advanced intrusion detection and response at the operating system level. His background in security spans the last decade and includes extensive experience in protocol and software vulnerability analysis, penetration testing, software research and development, and operations/incident response in large-scale computing environments. Dominique's former employers include Amazon.com, Decru, In-Q-Tel, Secure Computing Corporation, Internet Security Systems, CyberSafe, and Microsoft."

"This presentation will cover SIP and VoIP related automated fuzzing techniques. Using real world vulnerabilities and audit engagements we will give a technical understanding of this emerging technology and its common attack vectors. The techniques discussed in this talk will not only be limited to SIP but will apply to methodical audit approaches for fuzzing text based protocols which can be more complex then fuzzing binary protocols. This talk will include: * 0 day vulnerabilities (or one day) * Example fuzzing scripts * Proof of concept code Ejovi Nuwere is the founder of SecurityLab Technologies. Nuwere gained media attention and international recognition for his highly publicized security audit of Japan's National ID system--JukiNet. Nuwere is the Chief Technology Officer of SecurityLab Technologies where he heads the companies VoIP security auditing group. He currently lives in Boston and is working on his second book, Practical Penetration Testing (O'Reilly)."

"ARPANET was established in 1968. In 1971, "creeper"programmed by Bob Thomas moved from computer to computer on ARPANET and displayed on each user's screen "I'm the creeper. Catch me if you can!". Xerox PARC set up the ethernet in 1973 since researchers were interested in the concept of "distributed processing". They were testing programs whose function were to check other computers on a network to see if they were active. One of the programs became known as the Xerox worm. More than thirty years have passed since the dawn of distrubuted processing. Sun Tzu, a Chinese philosopher wrote "When you know others, then you are able to attack them. When you know yourself, you are able to protect yourself."Or Bismarck, as prime minister of Prussia, said "Fools say they learn from experience; I prefer to learn from the experience of others." This presentation considers "the day-after"and lessons learned. Katsuya Uchida graduated from the Department of Industrial Engineering, the University of Electro-Communications. He engaged in system development and user support at a small business computer dealer, a EDP auditing and a technical support of the electronic banking system at an American bank in Japan, and an implementation project of computer insurance and information security research and study at a major non-life insurance company in Japan. Currently, he teaches "Information Security Management System"and "Hands-on Secure system"at the Institute of Information Security. Mr. Uchida also works on "Education and Training Project for Information Security professionals", and "Research on Security and Reliability in Electronic Society"of the 21st Century Center of Excellence (COE) Program at Chuo University. His main topics of research are "Information Security Management Systems", "Network Security", "Malicious Programs", "Information Forensics"and so on. Mr. Uchida is a member of Computer Security Institute and a member of Information Processing Society of Japan."