<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Black Hat ® Technical Security Conference: USA 2011 // Venue</title>
<link rel="shortcut icon" href="../../images/favicon.ico" type="image/ico" />
<link href="css/us-11-style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<center>
<div id="container">
<div style="text-align:left;">
<a href="#">
<img src="images/bh-us-11-masthead.png" alt="Black Hat USA 2011" /></a>
</div>
<div id="nav" align="left">
<a href="index.html">schedule</a>
/ <a href="bh-us-11-speaker_bios.html">speakers</a>
/ <a href="bh-us-11-arsenal.html">arsenal</a>
</div>
<div id="navSOCIAL" align="left">
+ <a href="mailto:[email protected]">EMAIL</a><br />
+ <a href="https://www.blackhat.com/BlackHatRSS.xml">RSS</a><br />
+ <a href="https://twitter.com/BlackHatEvents" target="_blank">TWITTER</a><br />
+ <a href="http://www.facebook.com/pages/Black-Hat-Briefings/107691635153" target="_blank">FACEBOOK</a><br />
+ <a href="http://www.linkedin.com/groups?gid=37658&trk=hb_side_g" target="_blank">LINKED.IN</a><br />
</div>
<div id="navGRAYLIST" align="left">
<div class="wireframemenu" style="margin-top:14px;">
<ul>
<li><a href="#">// <span style="color:#999;font-variant:small-caps;">keynote speaker</span></a></li>
<li><a href="#Black">Cofer Black</a></li>
<li><a href="#Zatko">Peiter Zatko</a></li>
<li><a href="#">// <span style="color:#999;font-variant:small-caps;">briefers</span></a></li>
<!--<li><a href="#lastName">Name</a></li>-->
<li><a href="#Johnson">Joshua Abraham</a></li>
<li><a href="#Acquisti">Alessandro Acquisti</a></li>
<li><a href="#Grossman">Brad Arkin</a></li>
<li><a href="#Arlen">James Arlen</a></li>
<li><a href="#Bailey">Don Bailey</a></li>
<li><a href="#Balduzzi">Marco Balduzzi</a></li>
<li><a href="#Laurie">Andrea Barisani</a></li>
<li><a href="#Beresford">Dillon Beresford</a></li>
<li><a href="#Laurie">Daniele Bianco</a></li>
<li><a href="#Borgaonkar">Ravishankar Borgaonkar</a></li>
<li><a href="#Willis">Kris Britton</a></li>
<li><a href="#Brossard">Jonathan Brossard</a></li>
<li><a href="#Brown">Fran Brown</a></li>
<li><a href="#Bursztein">Elie Bursztein</a></li>
<li><a href="#Butler">Jamie Butler</a></li>
<li><a href="#Chamales">George Chamales</a></li>
<li><a href="#Clark">Robert Clark</a></li>
<li><a href="#Zovi">Dino Dai Zovi</a></li>
<li><a href="#Stamos">Tom Daniels</a></li>
<li><a href="#Daswani">Neil Daswani</a></li>
<li><a href="#Davis">Andy Davis</a></li>
<li><a href="#Shields">Nick DePetrillo</a></li>
<li><a href="#Dinaburg">Artem Dinaburg</a></li>
<li><a href="#Elhage">Nelson Elhage</a></li>
<li><a href="#Hamiel">Justin Engler</a></li>
<li><a href="#Esser">Stefan Esser</a></li>
<li><a href="#Johnson">Tom Eston</a></li>
<li><a href="#Hamiel">Gregory Fleischer</a></li>
<li><a href="#Bursztein">Ivan Fontarensky</a></li>
<li><a href="#Laurie">Zac Franken</a></li>
<li><a href="#Giannetsos">Thanassis Giannetsos</a></li>
<li><a href="#Borgaonkar">Nico Golde</a></li>
<li><a href="#Siddharth">Aleksander Gorkowienko</a></li>
<li><a href="#datagram">datagram</a></li>
<li><a href="#Granick">Jennifer Granick</a></li>
<li><a href="#Stamos">Aaron Grattafiori</a></li>
<li><a href="#Grossman">Jeremiah Grossman</a></li>
<li><a href="#Hamiel">Nathan Hamiel</a></li>
<li><a href="#Hassell">Riley Hassell</a></li>
<li><a href="#Grossman">Alex Hutton</a></li>
<li><a href="#Rohlf">Yan Ivnitskiy </a></li>
<li><a href="#Johansen">Matt Johansen</a></li>
<li><a href="#Grossman">John Johnson</a></li>
<li><a href="#Johnson">Kevin Johnson</a></li>
<li><a href="#Kaminsky">Dan Kaminsky</a></li>
<li><a href="#Laurie">Adam Laurie</a></li>
<li><a href="#Hamiel">Seth Law</a></li>
<li><a href="#Wolf">Alex Lanstein</a></li>
<li><a href="#Le">Long Le</a></li>
<li><a href="#Lineberry">Anthony Lineberry</a></li>
<li><a href="#Litchfield">David Litchfield</a></li>
<li><a href="#Hassell">Shane Macaulay</a></li>
<li><a href="#Mandt">Tarjei Mandt</a></li>
<li><a href="#Marlinspike">Moxie Marlinspike</a></li>
<li><a href="#Bursztein">Matthieu Martin</a></li>
<li><a href="#McCoy">Jon McCoy</a></li>
<li><a href="#McGrew">Robert McGrew</a></li>
<li><a href="#McNabb">John McNabb</a></li>
<li><a href="#Miller">Charlie Miller</a></li>
<li><a href="#Moussouris">Katie Moussouris</a></li>
<li><a href="#Butler">Justin Murdock</a></li>
<li><a href="#Nakibly">Gabi Nakibly</a></li>
<li><a href="#Nohl">Karsten Nohl</a></li>
<li><a href="#Le">Thanh Nguyen</a></li>
<li><a href="#Ormandy">Tavis Ormandy</a></li>
<li><a href="#Stamos">B.J. Orvis</a></li>
<li><a href="#Johansen">Kyle Osborn</a></li>
<li><a href="#Ose">Greg Ose</a></li>
<li><a href="#Paget">Chris Paget</a></li>
<li><a href="#Tsai">Ming-chieh Pan</a></li>
<li><a href="#Vuksan">Tomislav Pericin</a></li>
<li><a href="#Perkins">Richard Perkins</a></li>
<li><a href="#Bursztein">Jean-Michel Picod</a></li>
<li><a href="#Polyakov">Alexander Polyakov</a></li>
<li><a href="#Ptacek">Thomas Ptacek</a></li>
<li><a href="#Radcliffe">Jerome Radcliffe</a></li>
<li><a href="#Brown">Rob Ragan</a></li>
<li><a href="#Borgaonkar">Kevin Redon</a></li>
<li><a href="#Rohlf">Chris Rohlf</a></li>
<li><a href="#Roth1">Thomas Roth</a></li>
<li><a href="#Sabanal">Paul Sabanal</a></li>
<li><a href="#Schuetz">David Schuetz</a></li>
<li><a href="#Shah">Shreeraj Shah</a></li>
<li><a href="#Shields">Tyler Shields</a></li>
<li><a href="#Slaviero">Marco Slaviero</a></li>
<li><a href="#Stamos">Alex Stamos</a></li>
<li><a href="#Lineberry">Tim Strazzere</a></li>
<li><a href="#Sullivan">Bryan Sullivan</a></li>
<li><a href="#Sutton">Michael Sutton</a></li>
<li><a href="#Nohl">Chris Tarnovsky</a></li>
<li><a href="#Perkins">Mike Tassey</a></li>
<li><a href="#Thieme">Richard Thieme</a></li>
<li><a href="#Ptacek">Michael Tracey</a></li>
<li><a href="#Tsai">Sung-ting Tsai</a></li>
<li><a href="#Vuksan">Mario Vuksan</a></li>
<li><a href="#Shields">Ralf-Philipp Weinmann</a></li>
<li><a href="#Willis">Chuck Willis</a></li>
<li><a href="#Wolf">Julia Wolf</a></li>
<li><a href="#Lineberry">Tim Wyatt</a></li>
<li><a href="#Shields">Chris Wysopal</a></li>
<li><a href="#Yamaguchi">Fabian Yamaguchi</a></li>
<li><a href="#Sabanal">Mark Yason</a></li>
<li><a href="#Stamos">Paul Youn</a></li>
</ul>
</div>
<div class="wireframemenu" style="margin-top:14px;">
<ul>
<li><a href="#">// <span style="color:#999;font-variant:small-caps;">workshops</span></a></li>
<li><a href="#Case">Andrew Case</a></li>
<li><a href="#Cerrudo">Cesar Cerrudo</a></li>
<li><a href="#Diskin">Gal Diskin </a></li>
<li><a href="#Kushner">Lee Kushner</a></li>
<li><a href="#Ramachandran">Vivek Ramachandran</a></li>
<li><a href="#Roth2">Thomas Roth</a></li>
<li><a href="#Russinovich">Mark Russinovich</a></li>
<li><a href="#Searle">Justin Searle</a></li>
<li><a href="#Siddharth">Sumit Siddharth</a></li>
</ul>
</div>
<div class="wireframemenu" style="margin-top:14px;">
<ul>
<li><a href="#">// <span style="color:#999;font-variant:small-caps;">Turbo Talks</span></a></li>
<li><a href="#Anstis">Bradley Anstis</a></li>
<li><a href="#Belenko">Andrey Belenko</a></li>
<li><a href="#Cache">Johnny Cache</a></li>
<li><a href="#SClark">Sandy Clark</a></li>
<li><a href="#Costa">Richard Costa</a></li>
<li><a href="#Cui">Ang Cui</a></li>
<li><a href="#Cui">Jatin Kataria</a></li>
<li><a href="#Kennedy">Mark Kennedy</a></li>
<li><a href="#Kiani">Khash Kiani</a></li>
<li><a href="#LeMasters">Aaron LeMasters</a></li>
<li><a href="#Kennedy">Igor Muttik</a></li>
<li><a href="#Raber">Jason Raber</a></li>
<li><a href="#Ristic">Ivan Ristic</a></li>
<li><a href="#Skehan">Joe Skehan</a></li>
<li><a href="#Cui">Salvatore Stolfo</a></li>
</ul>
</div>
</div>
<div id="content" align="left">
<h1>Black Hat USA 2011 <span style="color: rgb(119, 119, 119);">//briefings</span></h1>
<h3>Caesars Palace Las Vegas, NV • August 3 - August 4</h3>
<hr />
<h2>( MEDIA LEGEND )</h2>
<table>
<tr>
<td><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /></td>
<td style="padding-top:15px;"><h2>white paper document</h2></td>
<td><img src="images/BHarchive-webdeck.png" width="50" height="50" title="Presentation" /></td>
<td style="padding-top:15px;"><h2>presentation</h2></td>
</tr>
<tr>
<td><a href="leavingcd.html"><img src="images/BHarchive-gohome.png" width="50" height="50" title="WWW-Archives" /> </a></td>
<td style="padding-top:15px;"><h2>black hat website</h2></td>
<td><img src="images/BHarchive-websource.png" width="50" height="50" title="source" /></td>
<td style="padding-top:15px;"><h2>source</h2></td>
</tr>
</table>
<!--
TEMPLATE!!!
<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a>
<a href="leavingcd.html"><img src="images/BHarchive-gohome.png" title="WWW-Archives" /> </a>
<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-websource.png" title="Source Material" /></a>
<br/>-->
<!--
<a title="Register for Black Hat Europe 2011" href="registration/bh-eu-11-registration.html"><img src="../../images/ContentTitle-home_USreg.png" alt="Register for Black Hat Europe 2011" border="0" /></a><a title="Register for Black Hat Europe 2011" href="" target="_blank"></a>-->
<!--
<a name="LastName"></a>
<h3>Name</h3>
<h2>Briefing Name</h2>
<p>Abstract</p>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#LastName">//BIO: Name</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
-->
<hr />
<!-- ******************** START BRIEFINGS LIST ************************** -->
<h1>Keynote Speaker</h1>
<hr />
<a name="Black"></a>
<h3>Cofer Black</h3>
<h2>10th Anniversary of 9/11 and Lessons Learned for Black Hat </h2>
<!---<p>
</p>--->
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Black">//BIO: Cofer Black</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Zatko"></a>
<h3>Peiter "Mudge" Zatko</h3>
<h2>How a Hacker Has Helped Influence the Government - and Vice Versa</h2>
<p>Mudge, front man for the L0pht, founder of @stake, author of L0phtCrack, and a pioneer in vulnerability discovery and disclosure, still calls himself a "hacker". As a senior DoD official working as a Program Manager at DARPA (the Defense Advanced Research Projects Agency), he is designing and funding cyber research programs for the U.S. Government. He is additionally working to build areas of aligned interest between the cyber security research community and the government, so that both parties can better become resources to each other where appropriate and more articulately convey their divergent beliefs and goals to one another.</p>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Zatko">//BIO: Peiter Zatko</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<!-- <div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#LastName">//BIO: Name</a>
</div>-->
<h1>Briefings</h1>
<hr />
<a name="Acquisti"></a>
<h3>Alessandro Acquisti</h3>
<h2>Faces Of Facebook-Or, How The Largest Real ID Database In The World Came To Be</h2>
<p>Have online social networks created one of the largest databases of identities in the world? We investigate the technical feasibility and privacy implications of combining publicly available Web 2.0 images with off-the-shelf face recognition technology, for the purpose of large-scale, automated individual re-identification. A series of experiments demonstrate a high degree of success in identifying, as well as inferring sensitive information about, strangers online and offline based on profile pictures posted on popular online social networks. The results highlight the technological and legal implications of the convergence of face recognition technologies and online social networks, and the future of privacy in an augmented reality world.</p>
<a href="materials/Acquisti/BH_US_11_Acquisti_Faces_of_Facebook_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Acquisti/BH_US_11_Acquisti_Faces_of_Facebook_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Acquisti">//BIO: Alessandro Acquisti</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Arlen"></a>
<h3>James Arlen</h3>
<h2>Security When Nano-seconds Count</h2>
<p>There's a brave new frontier for IT Security: a place where "best practices" do not even contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where it is presumed that IT Security is a mature practice: banks, financial institutions and insurance companies. High Speed Trading, High Frequency Trading, Low Latency Trading, Algorithmic Trading: all words for electronic trades committed in microseconds without the intervention of humans. There are no firewalls, everything is custom and none of it is secure. It's SkyNet for Money and it's happening now.</p>
<a href="materials/Arlen/BH_US_11_Arlen-HFT_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a>---><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Arlen">//BIO: James Arlen</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Bailey"></a>
<h3>Don Bailey</h3>
<h2>War Texting: Identifying and Interacting with Devices on the Telephone Network</h2>
<p>Devices have been attached to the telephone network for years. Typically, we think of these devices in terms of modems, faxes, or TTY systems. Now, there is a growing shift in the nature of the devices that are accessible over the telephone network. Today, A-GPS tracking devices, 3G Security Cameras, Urban Traffic Control systems, SCADA sensors, Home Control and Automation systems, and even vehicles are now telephony enabled. These systems often receive control messages over the telephone network in the form of text messages (SMS) or GPRS data. These messages can trigger actions such as firmware updates, Are You There requests, or even solicitations for data. As a result, it is imperative for mobile researchers to understand how these systems can be detected by attackers on the global telephone network, then potentially abused.</p><p>
These systems are increasingly capable of affecting the physical world around us. Additionally, devices attached to the phone network cannot be easily compartmentalized or firewalled from potential abusers the same way that IP enabled systems can. Therefore, understanding the threat models associated with these devices and the telephone network will allow mobile researchers and embedded engineers to correctly implement security solutions that minimize a device's exposure to threat actors.</p><p>
Empirical evidence will be presented that demonstrates creative and successful ways to classify potential devices amongst millions of phone numbers world wide. Once properly classified, devices can be interacted with in simple and efficient ways that will be revealed by the speaker. Simple scripts and software will be released that exemplify these techniques with real world examples, but are designed in a pluggable fashion that allows mobile researchers to develop their own device profiles and methods for interaction.</p>
<a href="leavingcd.html"><img src="images/BHarchive-gohome.png" width="50" height="50" title="WWW-Archives" /> </a>
<br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Bailey">//BIO: Don Bailey</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Balduzzi"></a>
<h3>Marco Balduzzi</h3>
<h2>Automated Detection of HPP Vulnerabilities in Web Applications</h2>
<p>HTTP Parameter Pollution (HPP) is a recent class of web vulnerabilities that consists of injecting encoded query string delimiters into other existing HTTP parameters. When a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks.</p>
<p>To begin with, I introduce HTTP Parameter Pollution by analyzing different real attack scenarios and discussing the problems one may face. I will then present the first automated system, called PAPAS, that we designed for the detection of HPP flaws in real web applications. PAPAS combines a modified version of Firefox with a crawler and two scanners in order to analyze web pages efficiently for the presence of vulnerable parameters that can be injected with arbitrary HPP payloads.</p>
<p>PAPAS has been used to conduct a large-scale experiment on the Internet by testing more than 5,000 popular websites and discovering unknown HPP bugs in many important and well-known sites such as Facebook, Google and Paypal.</p>
<p>The talk features a live demo of PAPAS, which has been made available as a free-to-use service recently. I will conclude the talk by discussing the different countermeasures that conscious web designers may adopt to deal with this novel class of injection vulnerabilities. </p>
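An added example (not code from the Black Hat page or the PAPAS project) showing the mechanism the abstract describes: a parameter value carrying an encoded delimiter (%26) is harmless while it stays encoded, but a link builder that decodes values and splices them back without re-encoding turns it into an extra parameter; the hardened builder and a detection helper sit beside it. The base URL and query string are constructed sample data.

```python
"""HPP illustration: vulnerable link builder, hardened builder, and a detector."""
from typing import Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample input (not from the page): 'sort' carries an encoded '&'
# (%26) and '=' (%3D), so one decode yields a second key=value pair inside it.
SAMPLE_QUERY = "page=2&sort=name%26action%3Ddelete"
SAMPLE_BASE = "https://example.invalid/list"  # placeholder host


def build_link_unsafe(base: str, query: str) -> str:
    """Vulnerable pattern: decode the incoming values, then splice them into an
    outgoing link with plain string formatting. The decoded '&' is now a real
    query delimiter, so the server that receives the link sees a new parameter."""
    params = parse_qsl(query, keep_blank_values=True)  # %26 -> '&', %3D -> '='
    raw = "&".join(f"{key}={value}" for key, value in params)
    return f"{base}?{raw}"


def build_link_safe(base: str, query: str) -> str:
    """Hardened pattern: re-encode every value when building the link, so any
    delimiter inside a value stays inside that value."""
    params = parse_qsl(query, keep_blank_values=True)
    return f"{base}?{urlencode(params)}"  # urlencode percent-encodes '&' and '='


def parameter_names(url: str) -> List[str]:
    """Parameter names exactly as a receiving server would parse them."""
    return [key for key, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def hpp_suspects(query: str) -> Dict[str, str]:
    """Detection helper for request logs or a WAF rule: flag parameters whose
    decoded value still contains a query delimiter, the signature of an
    encoded delimiter injected into an existing parameter."""
    return {
        key: value
        for key, value in parse_qsl(query, keep_blank_values=True)
        if any(ch in value for ch in "&=")
    }


if __name__ == "__main__":
    print("unsafe:", parameter_names(build_link_unsafe(SAMPLE_BASE, SAMPLE_QUERY)))
    print("safe:  ", parameter_names(build_link_safe(SAMPLE_BASE, SAMPLE_QUERY)))
    print("flagged:", hpp_suspects(SAMPLE_QUERY))
```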
<a href="materials/Balduzzi/BH_US_11_Balduzzi_HPP_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Balduzzi/BH_US_11_Balduzzi_HPP_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Balduzzi">//BIO: Marco Balduzzi</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Beresford"></a>
<h3>Dillon Beresford</h3>
<h2>Exploiting Siemens Simatic S7 PLCs</h2>
<p>During this presentation we will cover newly discovered Siemens Simatic S7-1200 PLC vulnerabilities. I plan to demonstrate how an attacker could impersonate the Siemens Step 7 PLC communication protocol using some PROFINET-FU over ISO-TSAP and take control.</p>
<a href="materials/Beresford/BH_US11_Beresford_S7_PLCs_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Beresford/BH_US11_Beresford_S7_PLCs_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Beresford">//BIO: Dillon Beresford</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Borgaonkar"></a>
<h3>Ravishankar Borgaonkar + Nico Golde + Kevin Redon</h3>
<h2>Femtocells: A poisonous needle in the operator's hay stack</h2>
<p>Femtocells are an emerging technology deployed by operators around the world to enhance 3G connectivity. These secured devices are installed in the customer's home and connect the mobile phone to the mobile network operator's core network using an existing broadband connection.</p>
<p>Various researchers have shown in the past that these devices are not secure and it is possible to compromise these devices. However, nobody has actually published further attacks that utilized the device. We will give a short introduction to femtocell technology and show different attacks based on a rogue femtocell. These attacks can target end-users being logged into a femtocell, femtocell owners, as well as network operators.</p>
<a href="materials/Borgaonkar/BH_US_11_RaviNicoKredon_Femtocells-WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a>---><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Borgaonkar">//BIO: Ravishankar Borgaonkar</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Golde">//BIO: Nico Golde</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Redon">//BIO: Kevin Redon</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Brossard"></a>
<h3>Jonathan Brossard</h3>
<h2>Post Memory Corruption Memory Analysis</h2>
<p>In this presentation, we introduce a new exploitation methodology of invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occurred inside a running process.</p>
<p>We will expose a methodology which shall help writing a reliable exploit out of a PoC triggering an invalid memory write, in the presence of security defense mechanisms such as compiler enhancements (full RELRO, SSP...) or kernel anti-exploitation features (ASLR, NX...).</p>
<p>We will demonstrate how to find all the function pointers inside a running process, how to determine which ones would have been dereferenced after the crash, and which ones are truncable (in particular with 0x00000000). In case all of the above fail, how to test for specific location overwrites in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed ;)</p>
<p>In the case of invalid memory reads, we will exemplify how to indirectly influence the control flow of execution by reading arbitrary values, how to trace all the unaligned memory accesses, and how to test if an invalid read can be turned into an invalid write or used to infer the mapping of the binary.</p>
<p>We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(). Automatically. And with a rating of the best read/write location based on probabilities of mapping addresses (because of ASLR).</p>
<p>Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even in the most hardcore kernels such as grsecurity. It is called "stack desynchronization" and allows frame faking inside the stack itself.</p>
<p>Those techniques are implemented in the form of a proof of concept tool running under x86 GNU/Linux to be released during the conference: pmcma.</p>
<a href="materials/Brossard/BH_US_11_Brossard_Post_Memory_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a>---><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Brossard">//BIO: Jonathan Brossard</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Brown"></a>
<h3>Fran Brown + Rob Ragan</h3>
<h2>Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal</h2>
<p>Last year's Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world's single largest repository of live vulnerabilities on the web. And it was only the beginning…</p>
<p>This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we've been busy creating an entirely new arsenal of Diggity Hacking tools that we'll be unveiling for the first time and releasing for free at Black Hat USA 2011. Just a few highlights of new tools to be unveiled are:</p>
<ul class="list">
<li>BaiduDiggity: first-ever Baidu hacking tool, which targets vulnerabilities disclosed by China's dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu.</li>
<li>DroidDiggity: fully functional GoogleDiggity and BingDiggity application for Android phones.</li>
<li>GoogleCodeSearchDiggity: identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.</li>
<li>FlashDiggity: automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures.</li>
<li>SHODAN Hacking Alerts: new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine.</li>
<li>MalwareDiggity and MalwareDiggity Alerts: leveraging the Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, "Am I being used as a platform to distribute malware to people who visit my website?"</li>
<li>AlertDiggity: Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belonging to them.</li>
<li>DiggityDLP: data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks.</li>
</ul>
<p>That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again. WARNING: For safety, you should be in good health and free from high blood pressure, heart, back or neck problems, motion sickness, or other conditions that could be aggravated by this adventure.</p>
<a href="leavingcd.html"><img src="images/BHarchive-gohome.png" width="50" height="50" title="WWW-Archives" /> </a>
<br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Brown">//BIO: Fran Brown</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Ragan">//BIO: Rob Ragan</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Bursztein"></a>
<h3>Elie Bursztein + Ivan Fontarensky + Matthieu Martin + Jean-Michel Picod</h3>
<h2>Beyond files undeleting: OWADE</h2>
<p>You recovered a bunch of files from a used hard drive, and now what?</p>
<p>If you ever wanted to push Windows offline forensics to the next level, come to our talk, where we will show you how to use our open source tool OWADE (Offline Windows Analyzer and Data Extractor) to recover much interesting information from a used hard drive, including web credentials, instant messaging credentials and user habit information.</p>
<p>We will walk you through the entire recovery chain process and demonstrate how to use OWADE to handle Windows' various levels of encryption (Syskey, DPAPI…) and extract the maximum information from used drives. OWADE is based on our work on DPAPIck, our tool to decrypt DPAPI secrets.</p>
<p>We will present various statistics we computed on the data we gathered from the used hard drives we bought on eBay to test and develop OWADE.</p>
<p>At the end of the talk we will release OWADE so you can play with it.</p>
<a href="materials/Bursztein/BH_US_11_Bursztein_Owade_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a>---><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Bursztein">//BIO: Elie Bursztein</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Fontarensky">//BIO: Ivan Fontarensky</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Martin">//BIO: Matthieu Martin</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Picod">//BIO: Jean-Michel Picod</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Butler"></a>
<h3>Jamie Butler + Justin Murdock</h3>
<h2>Physical Memory Forensics for Cache</h2>
<p>Physical memory forensics has gained a lot of traction over the past five or six years. While it will never eliminate the need for disk forensics, memory analysis has proven its efficacy during incident response and more traditional forensic investigations.</p>
<p>Previously, memory forensics, although useful, focused on a process' address space in the form of Virtual Address Descriptors (VADs) but ignored other rich sources of information. In the past, some techniques of process reconstitution have been auspicious at best and erroneous at worst. This presentation will build upon lessons learned and propose more thorough ways to reconstruct process contents, and therefore a process' address space. By using the methods presented, it will be possible to further reduce the data you care about in an incident response or forensic investigation and to better apply the traditional computer security techniques such as reverse engineering, hash matching, and byte pattern or signature matching such as those provided by ClamAV and VxClass.</p>
<a href="materials/Butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Butler">//BIO: Jamie Butler</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Murdock">//BIO: Justin Murdock</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Chamales"></a>
<h3>George Chamales</h3>
<h2>Lives On The Line: Defending Crisis Maps in Libya, Sudan, and Pakistan</h2>
<p>Crisis maps collect and present open source intelligence (Twitter, Facebook, YouTube, news reports) and direct messages (SMS, email) during disasters such as the Haiti earthquake and civil unrest in Africa. The deployment of crisis mapping technology is on its way to becoming a standard tool to collect and track ground truth from crisis zones, but very little work has been done to evaluate and mitigate the threat posed by adversaries with offensive infosec capabilities.</p>
<p>These platforms can provide responders and humanitarian organizations with the timely, high fidelity situational awareness necessary to direct aid and save lives. Unfortunately, they can also provide hostile national security services and other malicious groups with the information they need to target vulnerable populations, hunt down individuals, and manipulate response operations.</p>
<p>In this session we'll set up, operate, attack and defend an online crisis map. Bring your laptop and toolsets, because you will have the opportunity to play the bad actor (a technical member of the secret police or a terrorist organization) as well as the defender (the response agency, the citizen on the ground, and the sysadmin trying to keep the server online).</p>
<p>The experience will bring together everything we know and love and hate about defending online systems including buggy code, naive users, and security vs. usability tradeoffs and do so in a situation where people are dying and the adversary controls the network. We'll also introduce some not-so-typical concepts like building trust on the fly, crowdsourced verification, and maintaining situational awareness from halfway around the globe.</p>
<p>Each step in the process will be based on real-world deployment experiences monitoring everything from local riots to nation-wide revolutions and natural disasters. The lessons learned, vulnerabilities found, and exploits developed during the session will be taken back to the crisis mapping community, enabling them to build more secure systems and more effective, life-saving deployments.</p>
<a href="materials/Chamales/BH_US_11_Chamales_Lives_on_the_Line_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a>---><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Chamales">//BIO: George Chamales</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Clark"></a>
<h3>Robert Clark</h3>
<h2>Legal Aspects of Cybersecurity–(AKA) CYBERLAW: A Year in Review, Cases, issues, your questions my (alleged) answers</h2>
<p>The past year has gotten really busy. Jailbreaking and Sony are going places not seen before – subpoenaing records from ISPs, Twitter, etc. – and we're beginning to get some recognition from court cases on the unique aspects of information technology. This presentation will look at these legal developments, particularly:</p>
<p>Jailbreaking; Google faces a class action over wi-fi downloads, yet police intercept unsecured wi-fi without a warrant and that's not a search;</p>
<p>Sony faces a class action for negligence - what is the standard required for cybersecurity? One court has already held a bank negligent; could this happen with Sony? A magistrate denies a search warrant for a computer as over-broad, stating police must exclude use of the "plain view" doctrine and conduct a tailored search using a taint team – the government is appealing; similarly, other judges are beginning to acknowledge that computers contain massive amounts of data and searches need limitations;</p>
<p>TimeWarner eliminating ISP competition in North Carolina; damages for seized computers; the 5th Amendment and password-protected computers; use and admissibility of emails in litigation; jurors and Facebook; the Supreme Court looks into employer email monitoring; smart phones treated as computers and searched; in addition, Michigan State Police doing some interesting things with traffic stops and smart phones; are IP addresses personally identifiable information;</p>
<p>Patent wars - Microsoft in front of the Supreme Court to lower the patent standard; spouses, divorces and spyware; computer search terms – hearsay or evidence when they involve schemes to murder; and, stealing your boss' email is probably not only a crime but a bad idea.</p>
<p> This presentation is strongly audience driven and it quickly becomes an open forum for questions and debate.</p>
<a href="materials/Clark/BlackHat_US_2011_Clark_Cyberlaw_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Clark/BlackHat_US_2011_Clark_Cyberlaw_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Clark">//BIO: Robert Clark</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Zovi"></a>
<h3>Dino Dai Zovi</h3>
<h2>Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption</h2>
<p>As smartphone platforms have increased in popularity with consumers, many enterprises and businesses are considering broadening their support beyond their traditionally supported platforms. These new smartphone platforms such as iOS and Android, however, come with a lack of detailed understanding of their security features and shortcomings. This presentation is the result of an extended assessment of the security mechanisms and features of Apple's iOS, with an emphasis on the concerns of an enterprise considering a deployment of iOS-based devices or allowing employees to store sensitive business data on their personal devices.</p>
<p>iOS 4 implements several key security mechanisms: Trusted Boot, Mandatory Code Signing, Code Signing Enforcement, Sandboxing, Device Encryption, Data Protection, and (as of iOS 4.3) Address Space Layout Randomization. Each of these mechanisms' precise operation is documented in detail as revealed through static and dynamic binary analysis, as well as their strengths and any identified weaknesses.</p>
<p>We examine and document the risks of a lost device or a remote iOS compromise through a malicious web page or e-mail. Finally, based on the strengths and weaknesses identified, concrete recommendations will be made on what compensating measures an organization can and should take when deploying iOS-based devices for business use.</p>
<a href="materials/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/DaiZovi/BH_US_11_DaiZovi_iOS_Security_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Zovi">//BIO: Dino Dai Zovi</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Daswani"></a>
<h3>Neil Daswani</h3>
<h2>Mobile Malware Madness, and How To Cap the Mad Hatters</h2>
<p>This talk surveys mobile malware (such as DroidDream, Ikee, and Zitmo) that has recently infected hundreds of thousands of user devices, and shows demos of how web malware threats such as drive-by downloads and malvertising are on the horizon for mobile devices. We also discuss how behavioral malware detection techniques can be used to identify and neutralize such malware.</p>
<a href="materials/Daswani/BH_US_11_Daswani_Mobile_Malware_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Daswani/BH_US_11_Daswani_Mobile_Malware_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Daswani">//BIO: Neil Daswani</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="datagram"></a>
<h3>datagram</h3>
<h2>Tamper Evident Seals: Design and Security </h2>
<p>Tamper evident technologies are quickly becoming an interesting topic for hackers around the world. Defcon 18 (2010) held the first ever "Tamper Evident" contest, where contestants were given a box sealed with a variety of tamper evident devices, many of which purport to be "tamper proof." All of these devices were defeated, even by those with little experience and a limited toolkit. As in the computer world, the security of many of these devices is over-represented, and it is difficult for the average person to compare different technologies.</p>
<p>This talk covers the design and uses of tamper evident devices used in the commercial and government sectors. We'll dig into the nitty gritty of how many of these devices work, the methods by which they can be defeated, and live demonstrations of defeats against common tamper evident devices.</p>
<a href="leavingcd.html"><img src="images/BHarchive-gohome.png" width="50" height="50" title="WWW-Archives" /> </a>
<br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#datagram">//BIO: datagram</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Davis"></a>
<h3>Andy Davis</h3>
<h2>USB: Undermining Security Barriers</h2>
<p>Although the concept of identifying and exploiting vulnerabilities in USB drivers is not new, the approach presented here will be, as it provides the capability to test any USB platform or device (previous techniques have been either device or USB-host dependent). Although the new approach is quite simple, its effectiveness has been clearly demonstrated over the past few months by identifying vulnerabilities in USB drivers of many of the well-known operating systems in use today. The presentation will cover typical USB vulnerability classes and also discuss the implications of this type of vulnerability for Endpoint security products.</p>
<a href="materials/Davis/BH_US_11-Davis_USB_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Davis/BH_US_11-Davis_USB_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Davis">//BIO: Andy Davis</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Dinaburg"></a>
<h3>Artem Dinaburg</h3>
<h2>Bit-squatting: DNS Hijacking without exploitation</h2>
<p>Barring deliberate sabotage, we generally assume that computer hardware will work as described. This assumption is mistaken. Poor manufacturing, errant radiation, and heat can cause malfunction. Commonly, such malfunction manifests in DRAM chips as flipped bits. Security researchers have known about the danger of such bit flips but these attacks have not been very practical. Thanks to ever-higher DRAM densities and the use of computing devices outdoors and in high-heat environments, that has changed.</p>
<p>
This presentation will show that bit flips pose a real attack vector. First, the presentation will describe bit-squatting, an attack akin to typo-squatting, where an attacker controls domains one bit away from a commonly queried domain (e.g. mic2osoft.com vs. microsoft.com). To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates. The presentation will show an analysis of 6 months of real DNS and HTTP traffic to bit-squatted domains. The traffic will be shown in terms of affected platform, domain queried, and HTTP resources requested. Using this data, the presentation will also attempt to ascertain the cause of the bit-flip, such as corruption on the wire, in requestor RAM, or in the RAM of a third party.</p>
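The "one bit away" idea above, turned into a defender's tool: the Python below (an added example, not code from the talk or its materials) enumerates every single-bit-flip neighbour of a domain that is still a valid hostname, so the names can be registered defensively or watched for in DNS logs, and includes a small triage helper that tells a bit-squat apart from an ordinary typo. The LDH filtering rule and the helper's design are my assumptions, not something the abstract specifies.

```python
import string

# DNS hostname labels follow the LDH rule: letters, digits and hyphen, with no
# leading or trailing hyphen. DNS is case-insensitive, so a variant produced by
# flipping bit 0x20 of a letter (lower <-> upper case) still resolves to the
# original name and is not a distinct domain; restricting to lowercase drops it.
LDH_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def flip_bit(ch, bit):
    """Return `ch` with bit number `bit` (0..7) of its code point inverted."""
    return chr(ord(ch) ^ (1 << bit))


def bitsquat_candidates(domain):
    """Enumerate domains exactly one bit away from `domain` that are still
    valid hostnames. Only the registrable label (everything left of the last
    dot) is mutated; a flip inside the TLD lands on a different registry and
    is rarely registrable. Returns a sorted list of distinct lowercase names.
    """
    domain = domain.lower()
    label, dot, tld = domain.rpartition(".")
    if not dot:                      # bare label with no TLD
        label, tld = domain, ""
    found = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = flip_bit(ch, bit)
            if flipped not in LDH_CHARS:
                continue             # control char, punctuation, uppercase, >0x7f
            candidate = label[:i] + flipped + label[i + 1:]
            if candidate.startswith("-") or candidate.endswith("-"):
                continue             # hyphen not allowed at label edges
            found.add(candidate + dot + tld)
    found.discard(domain)
    return sorted(found)


def explain_flip(original, variant):
    """For a hostname seen in logs, return (char_index, bit) if `variant`
    differs from `original` in exactly one bit of one character, else None.
    A None result means the name is a typo-squat or unrelated, not a bit-squat.
    """
    if len(original) != len(variant):
        return None
    pairs = zip(original.lower(), variant.lower())
    diffs = [(i, ord(a) ^ ord(b)) for i, (a, b) in enumerate(pairs) if a != b]
    if len(diffs) != 1:
        return None
    index, xor = diffs[0]
    if xor & (xor - 1):              # more than one bit differs in this char
        return None
    return index, xor.bit_length() - 1


if __name__ == "__main__":
    # Constructed demo input: the domain pair quoted in the abstract.
    for name in bitsquat_candidates("microsoft.com"):
        print(name)
    print(explain_flip("microsoft.com", "mic2osoft.com"))   # 'r' -> '2' is bit 6
```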
<p>
The presentation will conclude with potential mitigations of bit-squatting and other bit-flip attacks, including both hardware and software solutions. By the end I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.</p>
<a href="materials/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Dinaburg">//BIO: Artem Dinaburg</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Elhage"></a>
<h3>Nelson Elhage</h3>
<h2>Virtualization Under Attack: Breaking out of KVM</h2>
<p>KVM, the Linux Kernel Virtual Machine, seems destined to become the dominant open-source virtualization solution on Linux. Virtually every major Linux distribution has adopted it as their standard virtualization technology for the future. And yet, to date, remarkably little work has been done on exploiting vulnerabilities to break out of KVM.</p><p>
We're here to fix that. We'll take a high-level look at KVM's architecture, comparing and contrasting with other virtualization systems and describing attack surfaces and possible weaknesses. Using the development of a fully-functioning exploit for a recent KVM vulnerability, we'll describe some of the difficulties involved with breaking out of a VM, as well as some features of KVM that are helpful to an exploit author.</p><p>
Once we've explored the exploit in detail, we'll finish off with a demonstration against a live KVM instance.</p>
<a href="materials/Elhage/BH_US_11_Elhage_Virtunoid_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Elhage/BH_US_11_Elhage_Virtunoid_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Elhage">//BIO: Nelson Elhage</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Esser"></a>
<h3>Stefan Esser</h3>
<h2>Exploiting the iOS Kernel </h2>
<p>The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled "Targeting the iOS Kernel" already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.</p>
<p>This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.</p>
<p>Furthermore, the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows some of these kernel patches to be selectively deactivated for more realistic exploit tests.</p>
<a href="materials/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Esser">//BIO: Stefan Esser</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Giannetsos"></a>
<h3>Thanassis Giannetsos</h3>
<h2>Spy-Sense: Spyware Tool for Executing Stealthy Exploits Against Sensor Networks </h2>
<p>As the domains of pervasive computing and sensor networking are expanding, a new era is about to emerge, enabling the design and proliferation of intelligent sensor-based applications. At the same time, sensor network security is a very important research area whose goal is to maintain a high degree of confidentiality, integrity and availability of both information and network resources. However, a common threat that is often overlooked in the design of secure sensor network applications is the existence of spyware programs. As most works try to defend against adversaries who plan to physically compromise sensor nodes and disrupt network functionality, the risk of spyware programs and their potential for damage and information leakage is bound to increase in the years to come.</p>
<p>This work demonstrates Spy-Sense, a spyware tool that allows the injection of stealthy exploits in the nodes of a sensor network. Spy-Sense is undetectable, hard to recognize and get rid of, and once activated, it runs discreetly in the background without interfering with or disrupting normal network operation. It provides the ability to execute a stealthy exploit sequence that can be used to achieve the intruder's goals while reliably evading detection. To the best of our knowledge, this is the first instance of a spyware program that is able to crack the confidentiality and functionality of a sensor network. By exposing the vulnerabilities of sensor networks to spyware attacks, we hope to instigate discussion on these critical issues, because sensor networks will never succeed without adequate provisions for security and privacy.</p>
<a href="materials/Giannetsos/BH_US_11_Giannetsos_SpySense_Spyware_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Giannetsos/BH_US_11_Giannetsos_SpySense_Spyware_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Giannetsos">//BIO: Thanassis Giannetsos</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Granick"></a>
<h3>Jennifer Granick</h3>
<h2>The Law of Mobile Privacy and Security</h2>
<p>Increasingly, individuals use mobile devices to communicate and access the internet. Mobile security is thus increasingly important, and so are the laws that govern mobile hacking and data privacy. This talk is for anyone who uses a cell phone or hacks a cell phone. Through the speaker's professional experience with phone hackers, mobile application providers, and law enforcement requests for location tracking, attendees will learn about cutting edge legal questions on this topic, including: wiretapping/Title III, FCC regulation of IMSI catchers, jailbreaking and security, commercial and law enforcement access to device IDs and location data, cell tower triangulation and GPS tracking.</p>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>--->
<a href="materials/Granick/BH_US_11_Granick_Law_Mobile_Hacking_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Granick">//BIO: Jennifer Granick</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Grossman"></a>
<h3>Jeremiah Grossman + Brad Arkin + Alex Hutton + Adrian Lane + John Johnson</h3>
<h2>PANEL: Trillions of Lines of Code and Counting: Securing Applications At Scale</h2>
<p>As the entire computer security industry is fully and painfully aware, applications are the #1 target for malicious attack. Whether we're talking exploitation of Web browsers, file readers, or Web applications, the root of the problem is the same: vulnerable software -- trillions of lines worth of code and counting. Now that almost every person, government, and company is online, it's difficult to imagine a bigger, more challenging, complex, and important problem to solve than application security.</p><p>
Today, application security is about program execution at a scale large enough to match the threat - and that's the hard part. On an internet-wide scale, how do we go about writing more secure code? How do we deal with the massive backlog of vulnerable code already in wide circulation? What are the best strategies for ensuring code remains secure as threats evolve?</p>
<p>
This is but a taste of the questions on the topic that our panelists, all respected experts with relevant field experience, will be ready to discuss.</p>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>--->
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Grossman">//BIO: Jeremiah Grossman</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Arkin">//BIO: Brad Arkin</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Hutton">//BIO: Alex Hutton</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#JJohnson">//BIO: John Johnson</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Lane">//BIO: Adrian Lane</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Hamiel"></a>
<h3>Nathan Hamiel + Justin Engler + Seth Law + Gregory Fleischer</h3>
<h2>Smartfuzzing The Web: Carpe Vestra Foramina </h2>
<p>It can be scary to think about how little of the modern attack surface many tools cover. There is no one best tool for the job and on top of that some tools don't do a great job at anything. Often in the hands of general users the capabilities and limitations are not even thought of during testing. Point, click, done. The attack surface of modern web environments as well as their protection mechanisms have become increasingly complicated and yet many tools have not adapted. Hey, Y2K called and it wants some applications tested.</p>
<p>There is certainly no shortage of vulnerabilities in modern web environments, but we should be looking beyond low hanging fruit at this point. In between fully automated scanners and manual testing lies a sweet spot for the identification of vulnerabilities. Some of the juiciest pieces of information are not found by vulnerability scanners but by humans creating custom tests. This is why the semi-automated testing space is so important. All of this complicated blending of protection mechanisms, services, and RIA technologies means that moving into the area of semi-automated testing can be fraught with failure. We detail how these failures can be avoided. We also provide a tool that begins to solve some of these problems and provides analysis for your own tools and scripts. Your web applications have moved on; don't you think it's time your tools did the same?</p>
<a href="materials/Hamiel/BH_US_11_Hamiel_Smartfuzzing_Web_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Hamiel/BH_US_11_Hamiel_Smartfuzzing_Web_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Hamiel">//BIO: Nathan Hamiel</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Engler">//BIO: Justin Engler </a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Law">//BIO: Seth Law</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Fleischer">//BIO: Gregory Fleischer</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Hassell"></a>
<h3>Riley Hassell + Shane Macaulay</h3>
<h2>Hacking Androids for Profit</h2>
<p>We will reveal new threats to Android Apps, and discuss known and unknown weaknesses in the Android OS and Android Market. This presentation will offer insight into the inner working of Android apps and the risks any user faces when installing and using apps from the marketplace. The speakers will reveal previously undisclosed vulnerabilities in vendor apps installed on millions of US mobile phones and techniques to evade all available security solutions.</p>
<a href="leavingcd.html"><img src="images/BHarchive-gohome.png" width="50" height="50" title="WWW-Archives" /> </a>
<br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Hassell">//BIO: Riley Hassell</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Macaulay">//BIO: Shane Macaulay</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Johansen"></a>
<h3>Matt Johansen + Kyle Osborn</h3>
<h2>Hacking Google Chrome OS </h2>
<p>Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O, and the company is getting ready to market them to businesses as well as consumers. What's different about Chrome OS and Chromebooks, other than the entire user experience taking place exclusively in a Web browser (Google Chrome), is that everything takes place in the cloud. Email, document writing, calendaring, social networking – everything. From a security perspective this means that all website and Web browser attack techniques, such as Cross-Site Scripting, Cross-Site Request Forgery, and Clickjacking, have the potential of circumventing Chrome OS's security protections and exposing all of the user's data.</p>
<p>Two members of the WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google's Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that with no more than a single mouse-click may victimize users by:</p>
<ul class="list">
<li>Exposing all user email, contacts, and saved documents.</li>
<li>Conducting high-speed scans of their intranet and revealing active host IP addresses.</li>
<li>Spoofing messages in their Google Voice account.</li>
<li>Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.</li>
</ul>
<p>While Chrome OS and Chromebooks have some impressive and unique security features, they are not all-encompassing. Google was informed of the findings; some vulnerabilities were addressed and bounties generously awarded, but many of the underlying weaknesses remain -- including the ease with which malicious extensions can be made available in the WebStore, the ability for payloads to go viral, and JavaScript malware that survives reboot. With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all their never-before-seen research through a series of on-stage demonstrations.</p>
<a href="materials/Johansen/BH_US_11_JohnasenOsborn_Hacking_Google_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Johansen/BH_US_11_JohnasenOsborn_Hacking_Google_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Johansen">//BIO: Matt Johansen</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Osborn">//BIO: Kyle Osborn</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Johnson"></a>
<h3>Kevin Johnson + Tom Eston + Joshua Abraham</h3>
<h2>Don't Drop the SOAP: Real World Web Service Testing for Web Hackers </h2>
<p>Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or, worse yet, production environments.</p>
<p>In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.</p>
<a href="materials/Johnson/BH_US_11_JohnsonEstonAbraham_Dont_Drop_the_SOAP_WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Johnson/BH_US_11_JohnsonEstonAbraham_Dont_Drop_the_SOAP_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a>
<a href="materials/Johnson/BH_US_11_Johnson_msf_web_services.zip"><img src="images/BHarchive-websource.png" title="Source Material" /></a>
<a href="materials/Johnson/BH_US_11_johnson_dvwa-dvws.zip"><img src="images/BHarchive-websource.png" title="Source Material" /></a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Johnson">//BIO: Kevin Johnson</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Eston">//BIO: Tom Eston</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Abraham">//BIO: Joshua Abraham</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Kaminsky"></a>
<h3>Dan Kaminsky</h3>
<h2>Black Ops of TCP/IP 2011</h2>
<p>Remember when networks represented interesting targets, when TCP/IP was itself a vector for messiness, when packet crafting was a required skill? In this thoroughly retro talk, we're going to play with systems the old fashioned way, cobbling together various interesting behaviors with the last few shreds of what low level networking has to offer. Here's a few things to expect:</p>
<ul class="list">
<li>IPv4 and IPv6 Fragmentation Attacks, Eight Years In The Making</li>
<li>TCP Sequence Number Attacks In Modern Stacks</li>
<li>IP TTLs: Not Actually Expired</li>
<li>Inverse Bug Hunting: More Things Found On The Open Net</li>
<li>Rebinding Attacks Against Enterprise Infrastructure</li>
<li>BitCoin: Network Manipulation for Fun And (Literal) Profit</li>
<li>The Net Neutrality Transparency Engine</li>
</ul>
<p>DNS might show up, and applications are going to be poked at. But this will be an old style networking talk, through and through.</p>
<a href="leavingcd.html"><img src="images/BHarchive-gohome.png" width="50" height="50" title="WWW-Archives" /> </a>
<br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Kaminsky">//BIO: Dan Kaminsky</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Laurie"></a>
<h3>Adam Laurie + Zac Franken + Andrea Barisani + Daniele Bianco</h3>
<h2>Chip & PIN is definitely broken</h2>
<p>Credit Card skimming and PIN harvesting in an EMV world.
We analyze the practicality of credit card information skimming, cloning and PIN harvesting on Chip & PIN enabled POS terminals.
We intentionally ignore Magstripe skimming (which is still effective and widely used) and focus on the chip interface.</p>
<a href="materials/Laurie/BH_US_11_Laurie_Chip_Pin-WP.pdf"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/Laurie/BH_US_11_Laurie_Chip_Pin-Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Laurie">//BIO: Adam Laurie</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Franken">//BIO: Zac Franken</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Barisani">//BIO: Andrea Barisani</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Bianco">//BIO: Daniele Bianco</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Le"></a>
<h3>Long Le + Thanh Nguyen</h3>
<h2>ARM exploitation ROPmap</h2>
<p>There is no doubt that ARM will be the next mainstream target of exploitation, with hundreds of millions of smartphones and tablets delivered today. There are several talks and papers about ROP on ARM, but no public ROP toolkit for ARM has been released so far, as leet hackers keep their tools private.</p>
<p>In this presentation we will show how ROP exploitation on ARM can be done easily via a systematic, generic approach to generate, search and chain gadgets together. A simple Intermediate Language will be presented that helps people write ROP shellcode and get it transformed automatically into a chain of gadgets. As a part of the presentation, we will release an updated version of ROPEME with additional ARM support, along with a demo of advanced ROP payloads on the latest Android OS.</p>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>--->
<a href="materials/Le/BH_US_11_Le_ARM_Exploitation_ROPmap_Slides.pdf"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Le">//BIO: Long Le</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Nguyen">//BIO: Thanh Nguyen</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Lineberry"></a>
<h3>Anthony Lineberry, Tim Strazzere and Tim Wyatt</h3>
<h2>Don't Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle</h2>
<p>A new Android vulnerability is discovered today. When will the phone in your pocket be patched? We studied firmware update events across millions of Android devices around the world to answer this question and many more. As it turns out, updating mobile devices is significantly more complex than in the desktop world.</p>
<p>Android has become a top player in the smartphone explosion. Its success is due in no small part to its openness and flexibility, enabling an entire ecosystem of unique devices built on an open-source core. This proliferation has not been without the challenge of fragmentation. In this talk, we survey what it takes to push a security update in the Android ecosystem, study prominent vulnerabilities that have affected the platform, and examine the patch history and current state of prominent devices to answer the question: What is the half-life of a vulnerability on Android?</p>
<!---<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdoc.png" width="50" height="50" title="White Paper" /> </a>
<a href="materials/LASTNAME/FILENAME"><img src="images/BHarchive-webdeck.png" title="Presentation" hspace="10" /> </a><br/>--->
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Lineberry">//BIO: Anthony Lineberry</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Strazzere">//BIO: Tim Strazzere</a>
</div>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Wyatt">//BIO: Tim Wyatt</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Litchfield"></a>
<h3>David Litchfield</h3>
<h2>Hacking and Forensicating an Oracle Database Server </h2>
<!---<p></p>--->
<a href="leavingcd.html"><img src="images/BHarchive-gohome.png" width="50" height="50" title="WWW-Archives" /> </a>
<div class="biobox">
<a class="thumbnail" href="bh-us-11-speaker_bios.html#Litchfield">//BIO: David Litchfield</a>
</div>
<hr style="border-bottom:1px dotted #333;" />
<a name="Mandt"></a>
<h3>Tarjei Mandt</h3>
<h2>Windows Hooks of Death: Kernel Attacks Through User-Mode Callbacks</h2>