Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Wednesday, July 29
 

8:00am

Breakfast
Wednesday July 29, 2009 8:00am - 8:50am

9:00am

10:00am

Dino Dai Zovi: Macsploitation with Metasploit
While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed
by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Daizovi

Wednesday July 29, 2009 10:00am - 10:20am
Florentine 1-2-3-4

10:00am

John McDonald & Chris Valasek: Practical Windows Heap Exploitation
As we all know, the era of the straightforward 4-byte overwrite is over. Heap exploitation has steadily increased in difficulty since its genesis in Solar Designer's ground-breaking Bugtraq post in July of 2000. This trend towards increasingly complicated exploitation is primarily a result of the widespread implementation of technical heap counter-measures in modern systems software. The effort required to write reliable heap exploits has steadily increased due to other factors as well: applications have become more and more multi-threaded to take advantage of trends in hardware, and -- in certain code -- memory corruption vulnerabilities have become more nuanced and unique as a result of common, straightforward vulnerability patterns slowly but surely being audited out of existence. The end result of all these defensive machinations is that now, more than ever, you need a fluid, application-aware approach to heap exploitation. The building blocks of such an approach are an extensive working knowledge of heap internals, an understanding of the contributing factors in heap determinism, various tactics for creating predictable patterns in heap memory, and, naturally, a collection of techniques for exploiting myriad different specific types of memory corruption in heap memory.
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#McDonald

Wednesday July 29, 2009 10:00am - 11:00am
Augustus Ballroom 5-6

10:00am

FX: Router Exploitation
Exploitation of active networking equipment has its own history and challenges. This session will take you through the full spectrum of possible attacks, what they yield and how the art of exploitation in that particular field evolved over the recent past to its present state. We will cover attacks on Cisco equipment and compare them to other specimen in the field, talk about the challenges you face to get a simple shell on such devices and what to actually do with them once you made it.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Lindner

Wednesday July 29, 2009 10:00am - 11:00am
Roman Ballroom

10:00am

Rod Beckstrom: Beckstrom's Law
Beckstrom's Law is a new model or theorem of economics formulated by Rod Beckstrom. It purports to answer 'the decades old question of "how valuable is a network."' It is granular and transactions based and can be used to value any network. It applies to any network: social networks, electronic networks, support groups and even the Internet as a whole. To read a white paper explaining the law and mathematics in detail, please see Economics of Networks. This new model values the network by looking from the edge of the network at all of the transactions conducted and the value added to each. It states that one way to contemplate the value the network adds to each transaction is to imagine the network being shut off and what the additional transactions costs or loss would be.

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Beckstrom

Wednesday July 29, 2009 10:00am - 11:00am
Milano Ballroom 1-2-3-4

10:00am

Wolfgang Kandek: The Laws of Vulnerabilities 2.0
The Law of Vulnerabilities, version 2.0, is the updated version of the Laws research that was premiered at Black Hat in 2003. This research exposes findings on patch trends, prevalence, persistence and exploitability of vulnerabilities within global enterprise networks for internal and external systems.
What"
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Kershaw

Wednesday July 29, 2009 10:00am - 11:00am
Pompeiian Ballroom

10:00am

Billy Hoffman & Matt Wood: Veiled - A Browser Based Darknet
The concept of a darknet has been around for several years now: a hidden underground where people anonymously and securely communicate and share files with each other. Various projects like Tor, FreeNet, WASTE, decentralized peer to peer networks, and other services attempt to provide people with some of these properties. Regardless of how people use darknets, the concept of a private secure network where people can freely communicate ideas as well as distribute content is compelling from both a technological and a philosophical perspective. Unfortunately, the reality is not as clean as the idea. Darknets traditionally require various software programs or components to be installed and configured. This is not for the technically faint of heart. This and other barriers of entry limit those who can participate in a darknet.
In this talk we will discuss and demonstrate Veiled, a proof-of-concept browser-based darknet. A browser-based darknet allows anyone to join from any platform which has a web browser whether it be it a PC or an iPhone. Veiled embodies many of the traditional properties of a darknet. Users can communicate with each other through encrypted channels. Shared files are encrypted, fragmented, and redundantly stored locally across members of Veiled. Another feature, inspired by Ross Anderson"
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Hoffman

Wednesday July 29, 2009 10:00am - 11:00am
Milano Ballroom 5-6-7-8

10:00am

Peter Kleissner: Stoned Bootkit
Stoned bootkit is a brand new Windows bootkit. It is loaded before Windows starts and is memory resident up to the Windows Kernel. Thus Stoned is executed beside the Windows Kernel and has full access to the entire system. You can use it to create your own boot software (diagnostic tools, boot manager, etc.). It gives the user back the control to the system and has exciting features like integrated FAT and NTFS drivers, automated Windows pwning, plugins and boot applications, and much much more. It finally goes back to the roots - so in this way,
Your PC is now Stoned! ..again

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Kleissner

Wednesday July 29, 2009 10:00am - 11:00am
Augustus Ballroom 1-2

10:00am

Michael Tracy, Chris Rohlf, & Eric Monti: Ruby for Pentesters
Getting up to speed quickly on projects where you're down deep reversing protocols or applications can be challenging at best and catastrophic at worst. In this talk we highlight our use of Ruby to solve the problems we're faced with every day. We use Ruby because it's easy to leverage its flexibility and power for everything from reverse engineering network protocols to fuzzing to static and dynamic analysis, all the way to attacking exotic proprietary enterprise network applications. Having a great set of tools available to meet your needs might be the difference between a successful result for your customer and updating your resume with the details of your former employer.
If you're not familiar with Ruby, we'll lead off by illustrating why Ruby is so powerful, making a case for rapidly prototyping everything from reversing tools to hacked up network clients using our not-so-patented 'bag-o-tricks' approach.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Tracy

Wednesday July 29, 2009 10:00am - 11:00am
Augustus Ballroom 3-4

10:20am

Mike Kershaw: Kismet and MSF
Airpwn-style TCP stream hijacking on wifi networks inside the MSF Framework. "You want urchin.js? Sure, we can do that. Here it is. Trust me." Demo client attacks against popular websites by poisoning the TCP stream, feeding MSF payloads to clients, and tail-modification of already transmitted tcp streams.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Kershaw

Wednesday July 29, 2009 10:20am - 10:40am
Florentine 1-2-3-4

10:40am

Chris Gates: Breaking the 'Unbreakable' Oracle with Metasploit
Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Gates

Wednesday July 29, 2009 10:40am - 11:00am
Florentine 1-2-3-4

11:00am

Coffee Service
Wednesday July 29, 2009 11:00am - 11:15am

11:15am

Nathan Hamiel & Shawn Moyer: Weaponizing the Web
Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it.
We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and as in last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your and (our) favorite sites.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Hamiel

Wednesday July 29, 2009 11:15am - 12:30pm
Augustus Ballroom 5-6

11:15am

Aaron LeMasters & Michael Murphy: Rapid Enterprise Triaging
magine this scenario - routine log analysis uncovers suspicious activity dating back several months, and active beaconing reveals a backdoor channel in an outdated piece of production software on your network. Anti-Virus did not catch it - updated IDS signatures reveal dozens of compromised machines, all buried beneath a hierarchy of domain controllers and NATed subnets across different autonomous organizations throughout a globally distributed network. What do you do without the necessary infrastructure and tools to respond?
Large-scale response efforts are expensive, inefficient and dangerous. What is worse, most companies are not typically resourced or prepared to respond. As a result, they are forced to either purchase a service contract or acquire the tools to respond internally. Neither response is a complete solution and often ends in disaster. More importantly, these approaches ignore the persistent threat at hand, and proprietary company data and resources remain exposed throughout the effort. To add insult to injury, you just spent your entire IT security budget for a one-time fix.
Our methodology of rapid enterprise triaging (RETRI) embraces a macro-approach to the Incident Response process. Rather than focusing on individual network segments or hosts, our approach prioritizes broad network isolation to contain the threat and ensures core business functions remain operable. The result is less strain on your IT staff and no downtime for your users.
Additionally, to help alleviate enormous costs of enterprise Incident Response tools, we will be releasing a free tool named Codeword that complements our approach. Codeword is similar in functionality to commercial agent-based forensic tools, but focuses on the needs of management and analysts during rapid triaging. These needs typically include an estimate of the spread of infection; an ability to search hosts for malware with constantly evolving indicators; a thorough evidence-collecting capability; and advanced, seamless reporting. These capabilities are implemented in a server-agent framework. Codeword is composed of several modules: the Handler that administrators use to generate custom MSI installers; the scanner binary contained in the MSI installer which includes a user-mode agent and a kernel-mode driver; and a report viewing component for analysts to easily aggregate and correlate evidence as it is reported from deployed agents. Codeword also boasts advanced rootkit detection and kernel integrity checking capabilities.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#LeMasters

Wednesday July 29, 2009 11:15am - 12:30pm
Roman Ballroom

11:15am

Dmitri Alperovitch: Fighting Russian Cybercrime Mobsters
A Supervisory Special Agent from the FBI and a native Russian security researcher join forces to present an in-depth insider view of the most prominent cases against Russian and other Eastern European-based online crime syndicates of the past decade. Learn about their experiences gained from being in the middle of major international cybercrime investigations by US law enforcement. The talk will include an in-depth discussion of the investigation into the DarkMarket carding forum, the biggest cybercrime operation by the FBI of 2008, by the agent who has spent 2 years undercover working to identify and shutdown the leading criminals in the organization.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Alperovitch

Wednesday July 29, 2009 11:15am - 12:30pm
Milano Ballroom 1-2-3-4

11:15am

Peter Silberman & Steve Davis: Metasploit Autopsy - Reconstructing the Crime Scene
Meterpreter is becoming the new frontier of malicious payloads, allowing an attacker to upload files that never touch disk, circumventing traditional forensic techniques. The stealth of meterpreter creates problems for incident responders. Such as how does a responder determine what occurred on a box exploited by meterpreter?
During this talk we discuss accessing physical memory for the purpose of acquiring a specific processes' address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory resident modules. We describe in detail how meterpeter operates in memory and specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited processes' memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session - completely from memory - and determine what the attacker was doing on the exploited machine.
The talk will conclude with the demonstration of a new tool, the audience will see how an attacker using meterpreter is no longer hidden from the forensic investigator, as we recreate the meterpreter session from memory.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Silberman

Wednesday July 29, 2009 11:15am - 12:30pm
Florentine 1-2-3-4

11:15am

Bob West: CSO Panel - Black Hat Strategy Meeting
A comprehensive inside look at the impact of the research being released at Black Hat this year. The panel will also discuss overall strategy with new vulnerabilities.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel3

Wednesday July 29, 2009 11:15am - 12:30pm
Pompeiian Ballroom

11:15am

Andrea Barisani & Daniele Bianco: Sniff keystrokes with Lasers / Voltmeters
TEMPEST attacks, exploiting Electro Magnetic emissions in order to gather data, are often mentioned by the security community, movies and wanna-be spies (or NSA employees, we guess).
While some expensive attacks, especially the ones against CRT/LCD monitors, have been fully researched and described, some others remain relatively unknown and haven't been fully (publicly) researched.
Following the overwhelming success of the SatNav Traffic Channel hijacking talk we continue with the tradition of presenting cool and cheap hardware hacking projects.
We will explore two unconventional approaches for remotely sniffing keystrokes on laptops and desktop computers using mechanical energy emissions and power line leakage. The only thing you need for successful attacks are either the electrical grid or a distant line of sight, no expensive piece of equipment is required.
We will show in detail the two attacks and all the necessary instructions for setting up the equipment. As usual cool gear and videos are going to be featured in order to maximize the presentation.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Barisani

Wednesday July 29, 2009 11:15am - 12:30pm
Milano Ballroom 5-6-7-8

11:15am

Dino Dai Zovi: Advanced Mac OS X Rootkits
The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Daizovi

Wednesday July 29, 2009 11:15am - 12:30pm
Augustus Ballroom 1-2

11:15am

Michael Eddington: Demystifying Fuzzers
Fuzzing is an important part of the secure development lifecycle (SDL) and a popular tool for both defensive and offensive security researchers, consultants, and even software developers. With this popularity comes a plethora of fuzzers both open source and commercial. This briefing takes a look at these different fuzzers and provides insights in to "if" and "what" they should be used for. As the developer for Peach, I am often asked to compare various fuzzers and clarify terms tossed around such as Smart and Dumb fuzzing. Additionally the hidden costs and pitfalls will be addressed.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Eddington

Wednesday July 29, 2009 11:15am - 12:30pm
Augustus Ballroom 3-4

12:30pm

Lunch
Wednesday July 29, 2009 12:30pm - 1:45pm
Forum Ballroom

1:45pm

Moxie Marlinspike: More Tricks for Defeating SSL
This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping.
This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Marlinspike

Wednesday July 29, 2009 1:45pm - 3:00pm
Augustus Ballroom 5-6

1:45pm

Graeme Neilson: Netscreen of the Dead
Core network security appliances are often considered to be more secure than traditional systems because the operating systems they run are supplied as obfuscated, undocumented binary firmware. Juniper Inc supplies a complete range of security appliances that all run a closed source operating system called ScreenOS which they supply as firmware.
This presentation will detail how the Juniper Netscreen platform can be completely subverted by installation of attacker modified firmware. This firmware is effectively an embedded rootkit.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Neilson

Wednesday July 29, 2009 1:45pm - 3:00pm
Roman Ballroom

1:45pm

Tiffany Rad & James Arien: Your Mind - Legal Status, Rights and Securing Yourself
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and International laws relating to protection of intellectual property and criminal search and seizure procedures puts into question protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server platforms, or on social networking sites.
Although once considered to be futuristic technologies, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what state does data in-transit or stored in implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Rad

Wednesday July 29, 2009 1:45pm - 3:00pm
Milano Ballroom 1-2-3-4

1:45pm

Egypt: Using Guided Missiles in Drive-Bys - Automatic Browser Fingerprinting
The blackhat community has been using client-side exploits for several years now. Multiple commercial suites exist for turning webservers into malware distribution centers. Unfortunately for the pentester, acquiring these tools requires sending money to countries with no extradition treaties, taking deployed packs from compromised webservers, or other acts of questionable legality. To ease this burden, the Metasploit Project will present an extensible browser exploitation platform integrated into the metasploit framework.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Egypt

Wednesday July 29, 2009 1:45pm - 3:00pm
Florentine 1-2-3-4

1:45pm

Eli O : Analyzing Security Research in the Media
This session will comprise a panel discussion on the ways in which the media affects the security research community, why some seemingly insignificant security stories are hyped while other quite legitimate stories are ignored, and how the advent of news and research blogs has changed the way that security news is covered. The media have made stars out of researchers such as Dan Kaminsky, David Litchfield, Dino Dai Zovi and others, eagerly reporting their every movement, no matter how insignificant, and regularly play up low-frequency, high-impact stories like electrical grid vulnerabilities and Chinese government hacking. This has led to a high level of frustration in both the security community and the press that the only stories that get covered are the sensational ones designed to drive traffic and get on Slashdot. The discussion will focus on what factors drive the coverage of security stories, whether coverage of vulnerabilities and new attacks is a net good and how the media influence which flaws are patched and how quickly they're fixed.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel4

Wednesday July 29, 2009 1:45pm - 3:00pm
Pompeiian Ballroom

1:45pm

Nitesh Dhanjani: Psychotronica
This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.
Topics of discussion will include:
Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.
Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.
Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.
The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Dhanjani

Wednesday July 29, 2009 1:45pm - 3:00pm
Milano Ballroom 5-6-7-8

1:45pm

Erez Metula: Managed Code Rootkits
This presentation introduces a new concept of application level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation, and to hide malicious code inside its core. Taking the ".NET Rootkits" concepts a step further, while covering generic methods of malware development (rootkits,backdoors,logic manipulation, etc.) for the .NET framework and Java's JVM, by changing its behavior. It includes demos of information logging, reverse shells, backdoors, encryption keys fixation, and other nasty things.
This presentation will introduce the new version of ".Net-Sploit" - a generic language modification tool, used to implement the rootkit concepts. Information about .NET modification - The Whitepaper, .NET-Sploit, and source code can be found here.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Metula

Wednesday July 29, 2009 1:45pm - 3:00pm
Augustus Ballroom 1-2

1:45pm

Eduardo Vela Nava & David Lindsay: Our Favorite XSS Filters and How to Attack Them
Present several techniques that have been used, are being used, and could be used in the future to bypass, exploit and attack some of the most advanced XSS filters. These would include the new IE8 XSS Filters, browser addons (NoScript), server side IDSs (mod_security, PHP-IDS), and human log-review. We will present innovative techniques that expand the scope of what we think we know about XSS filters. We will give you some ideas on what to do to find your own based upon some real world examples, discoveries, techniques and attacks.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#VelaNava

Wednesday July 29, 2009 1:45pm - 3:00pm
Augustus Ballroom 3-4

3:15pm

I)ruid: MSF & Telephony
An important attack vector missing in many penetration testing and attack tools available today is the tried-and-true telephony dial-up. With the recent surge in popularity of VoIP connectivity, accessing such attack vectors has become both cheap and easy. Using the new Metasploit telephony components, users are now able to both scan for and dial up directly to telephony-accessible exploitation targets.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Trammell

Wednesday July 29, 2009 3:15pm - 3:50pm
Florentine 1-2-3-4

3:15pm

Mark Dowd, Ryan Smith & David Dewey: The Language of Trust
Interactive content has become increasingly powerful and more flexible over the last few years, with major functionality additions appearing in several web-based technologies such as Javascript, .NET, and via browser plugins. These functionality changes coupled with increasingly complex cross-communication layers has created a nuanced and precarious trust layer between many different previously unrelated components.
This presentation attempts to address the issue of trust in the context of active content, and how it is is more complicated than it might first appear. We will demonstrate the exploitation of these trust relationships at different levels of applications, from subverting architectural security controls to memory corruption vulnerabilities that lead to arbitrary execution.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Dowd

Wednesday July 29, 2009 3:15pm - 4:30pm
Augustus Ballroom 5-6

3:15pm

3:15pm

Cormac Herley: Economics and the Underground Economy
The popular and trade presses are full of stories about the underground economy and the easy money to be made there. We are told that phishers and spammers harvest money at will from the online population. Even those without skills can buy what they need and sell what they produce on IRC markets. Estimates of the size of this underground economy vary, but common to most accounts is that it is large and growing rapidly.
In a careful examination of the evidence, we find that these claims are speculation, unsupported by evidence. Estimates of the cybercrime economy are enormous extrapolations from very noisy and poorly-sourced data. Reports that exploits like phishing and spam are worth billions appear to be off by orders of magnitude. Our analysis suggests that the laws of economics have not been suspended. Phishing and spam are subject to the tragedy of the commons so that returns are kept low. IRC channels are infested with rippers so that buying and selling is hard. Cybercrime is a ruthlessly competitive business, and low-skill jobs still pay like low skill jobs. Much as in the regular economy, to do well you need a rare skill or a barrier to entry. However cybercrime is still a very big deal.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Herley

Wednesday July 29, 2009 3:15pm - 4:30pm
Milano Ballroom 5-6-7-8

3:15pm

Amit Yoran: DC Panel - Update from Washington
Washington is giving cyber security more attention. What does this mean for current cyber security bills? This panel will look at security and website liability, consumer privacy legislation, government access to cloud computing data, location privacy and international human rights issues.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel5

Wednesday July 29, 2009 3:15pm - 4:30pm
Pompeiian Ballroom

3:15pm

Steve Topletz, Jonathan Logan & Kyle Williams: Global Spying
When talking about the threat of Internet surveillance the argument most often presented is that "there is so much traffic that any one conversation or email won't be picked up unless there is reason to suspect those concerned; it is impossible that "
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Topletz

Wednesday July 29, 2009 3:15pm - 4:30pm
Milano Ballroom 5-6-7-8

3:15pm

Jeff Williams: There's a Fox in the Henhouse
How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.
This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll start by exploring the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.
What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Williams

Wednesday July 29, 2009 3:15pm - 4:30pm
Augustus Ballroom 1-2

3:15pm

Stefan Esser: State of the Art Post Exploitation in Hardened PHP Environments
When an attacker manages to execute arbitrary PHP code in a web application he nowadays often ends up in hardened PHP environments that not only make use of PHP's internal protections like safemode, openbasedir or disable_functions but also make use of Suhosin and operating system, filesystem or libc level security mechanisms like ASLR, NX, hardened memory managers or unix file permissions. In such a situation taking over the server becomes a challenge and requires PHP shellcode that is able to use local PHP exploits to get around these protections.
This talk will show the problems arising from the different protection mechanisms for PHP shellcode, will give an insight into the internal memory structures of PHP that are required to write stable local exploits and will demonstrate how a special class of vulnerabilities in PHP that also exists in standard functions enables PHP shellcode to get around most of these protections.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Esser

Wednesday July 29, 2009 3:15pm - 4:30pm
Augustus Ballroom 3-4

3:50pm

Val Smith, Colin Ames & David Kerb: MetaPhish pt. 1
Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for SpearPhishing on pen tests, second stage backdoors, and extensive communication over TOR.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#VSmith

Wednesday July 29, 2009 3:50pm - 4:30pm
Florentine 1-2-3-4

4:30pm

Coffee Service
Wednesday July 29, 2009 4:30pm - 4:45pm

4:45pm

Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '09
Place an order for a stock on a retail brokerage, and you've set off a long chain of events across a broad, proprietary network of systems running at most financial institutions around the world. Orders are created, tagged, and stored in multiple databases. Messages are created in middleware stacks, funneled through order routing systems, and stored in persistence layers backed by everything from embedded databases to Oracle servers. Traders at firms large and small join in as the other side of the order, working from proprietary Windows trading dashboards, web applications, and magical excel spreadsheets. Sub-second latencies matter, so parts of this patchwork quilt are written in C, and virtually none of it is encrypted.
Our talk is a guided tour through the systems and protocols used to transact this business; a parallel Internet that routes money and contracts instead of porn and MP3s. We'll describe patterns of vulnerabilities we've uncovered, explain poorly-understood trading protocols and middleware stacks and describe the all-important interactions between these components where subtle vulnerabilities crop up.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Ptacek

Wednesday July 29, 2009 4:45pm - 6:00pm
Augustus Ballroom 5-6

4:45pm

Andrew Fried, Paul Vixie & Christopher Lee: Internet Special Ops
Today's Internet threats are global in nature. Identifying, enumerating and mitigating these incidents require the collection and analysis of unprecedented amounts of data, which is only possible through data mining techniques. We will provide an overview of what data mining is, and provide several examples of how it is used to identify fast flux botnets and how the same techniques were used to enumerate Conficker.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Fried

Wednesday July 29, 2009 4:45pm - 6:00pm
Roman Ballroom

4:45pm

Jennifer Granick: Computer Crime Year in Review
Its been a booming year for computer crime cases as cops and civil litigants have pushed the envelope to go after people using fake names on social networking sites (the MySpace suicide case), researchers giving talks at DEFCON (MBTA v. Anderson), and students sending email to other students (the Calixte/Boston College case). The Electronic Frontier Foundation has been front and center in these cases, either filing amicus briefs or directly representing the coders and speakers under attack. At this presentation, Jennifer Granick and other EFF lawyers fresh from the courtroom will share war stories about these cases, thereby informing attendees about the latest developments in computer security law and giving pointers about how to protect yourselves from overbroad legal challenges.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Granick

Wednesday July 29, 2009 4:45pm - 6:00pm
Milano Ballroom 1-2-3-4

4:45pm

Val Smith, Colin Ames & David Kerb: MetaPhish pt. 2
Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for SpearPhishing on pen tests, second stage backdoors, and extensive communication over TOR.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#VSmith

Wednesday July 29, 2009 4:45pm - 6:00pm
Florentine 1-2-3-4

4:45pm

Rich Mogul: VC Panel - Security Business Strategies During a Recession
All too often we forget that economics, not any collection of vulnerabilities, exploits, or technologies, affects the practice of security more than any other single factor. Economics determines what data the attackers target, what resources we have for defense, and what technologies are at our disposal. Over the past year we've seen all aspects of the global economy affected by the current recession, and security is no exception.
Our panel of investors and analysts will present their latest findings on the current state of the business side of the security industry, and how to best thrive in a down economy. Is cyber security immune, as some like to claim, or will enterprise budgets be slashed as new technologies wither without funding? Are startups better off now, or will security innovation have to migrate back to the large vendors? Can you take advantage of the downturn to pressure your vendors for better prices and services? Does the recession create opportunities to improve security strategies? How does the economy affect the offensive side of security? As we answer these questions, our panel will also review the major security business trends for the next three years, with specific predictions on which technologies and vendors will survive, which will die, and how it all affects the day-to-day practice of security.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel6

Wednesday July 29, 2009 4:45pm - 6:00pm
Pompeiian Ballroom

4:45pm

Alessandro Acquisti: I just found 10 Million SSNs
Social Security numbers (SSNs) were created in the 1930s as identifiers for accounts tracking individual earnings. Over time,they started being used (and abused) as sensitive authenticators. Hence, they became one of the pieces of information most often sought by identity thieves. To respond to growing concerns with SSN over-exposure and counter the rise of identity theft, policy makers have encouraged individuals to keep their SSNs safe and confidential, and, more recently, enacted legislation to reduce their public availability. But what if even well-meaning consumers may provably be unable protect their SSNs, and legislative initiatives aimed at reducing their availability may in fact backfire? We will examine the possibility that SSNs may be more predictable than currently acknowledged, and discuss the unintended consequences of policy initiatives in the area of identity theft prevention.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Acquisti

Wednesday July 29, 2009 4:45pm - 6:00pm
Milano Ballroom 5-6-7-8

4:45pm

Alexander Tereshkin & Rafal Wojtczuk: Introducing Ring -3 Rootkits
Rootkit Evolution over the past decade: Ring 3 == usermode rootkits
Ring 0 == kernelmode rootkits
Ring -1 == hypervisor rootkits (BluePill)
Ring -2 == SMM rootkits
Now, we're going to introduce Ring -3 Rootkits.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Tereshkin

Wednesday July 29, 2009 4:45pm - 6:00pm
Augustus Ballroom 1-2

4:45pm

Riley Hassell: Exploiting Rich Content
As RIA (Rich Internet Application) technologies flourish onto the marketplace many wonder what impact they will have on the security landscape. Routinely iSEC Partners performs assessments of emerging technologies to better understand their risks and how to remediate these risks in live deployments. As RIA technologies advance vendors move to complex file formats as a solution to deliver rich content. With this in mind iSEC Partners performed an assessment of various file formats used by the popular RIA implementations. During the assessment of these technologies several issues were discovered in the popular technologies. At initial glance these issues may appear harmless. This presentation will demonstrate how these often considered low risk issues can be carefully exploited to have a much deeper impact. Developers should be aware of these common programming mistakes when developing complex file formats, which are especially critical in Rich Internet Applications.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Hassell

Wednesday July 29, 2009 4:45pm - 6:00pm
Augustus Ballroom 3-4

6:00pm

Gala Reception
Wednesday July 29, 2009 6:00pm - 7:30am

6:00pm

Johnny Long: Me to We
From scrubby C64 pirate to professional hacker to reluctant "Internet rockstar", the past five years of Johnny's journey have been interesting. The last few months, however, have been straight-up bizarre. While many strain to maintain and others scrape and scratch at the ladder, Johnny's jumped off the top rung. This is a story of what it takes to make it in this industry, and what the view's like from the top. This is a story about how utterly teh suck the view from the top really is and why you might want to just jump off now before it's too late. This is the story of a rise and fall and the crossover cable those terms require. This is a story that's relevant if you're in for the long haul. This is Johnny's story, as only Johnny can tell it. Which means it might be funny.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Long

Wednesday July 29, 2009 6:00pm - 7:30am
Florentine Ballroom

6:00pm

Pwnie Awards
The Pwnie Awards will return for the third consecutive year to the BlackHat USA conference in Las Vegas. The award ceremony will take place during the BlackHat reception on July 29, 2009 and the organizers promise an extravagant show.
The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the wider security community in the past year. Nominations are currently accepted in nine award categories:
Best Server-Side Bug Best Client-Side Bug Mass 0wnage Most Innovative Research Lamest Vendor Response Most Overhyped Bug Best Song Most Epic FAIL Lifetime Achievement award for hackers over 30

Wednesday July 29, 2009 6:00pm - 7:30am
Roman Ballroom
 
Thursday, July 30
 

8:00am

Breakfast
Thursday July 30, 2009 8:00am - 8:00am

8:50am

Keynote 2
TBD

Thursday July 30, 2009 8:50am - 9:50am
Augustus Ballroom

10:00am

Alfredo Ortega: Deactivate the Rootkit
There are three things that you should know about the Rootkit:
1. If you have a notebook, you probably have The Rootkit.
2. You can't erase the Rootkit, but you should know how to deactivate it.
3. Finally, you should know how you (or somebody else) could activate the Rootkit.

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Ortega

Thursday July 30, 2009 10:00am - 10:30am
Roman Ballroom

10:00am

Ales Stamos, Andrew Becherer & Nathan Wilcox: Cloud Computing Models
Cloud computing is an unstoppable meme at the CIO level, and will dominate corporate IT planning for the next several years. Although they do offer the promise of cost savings for many organizations, the basic ideas behind abstracting out the corporate datacenter greatly complicates the tasks of securing and auditing these systems. While there has been excellent research into low-level hypervisor and virtualization bugs, there has been little public discussion of the "big picture"
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Stamos

Thursday July 30, 2009 10:00am - 11:00am
Augustus Ballroom 3-4

10:00am

Rafal Wojtczuk & Alexander Tereshkin: Attacking Intel® Bios
We demonstrate how to permanently reflash Intel BIOSes on the latest Intel Q45-based systems. In contrast to a previous work done by other researches a few months earlier, who targeted totally unprotected low-end BIOSes, we focus on how to permanently reflash one of the most secure BIOSes out there, that normally only allow a vendor's digitally signed firmware to be flashed. As an extra bonus we describe yet-another-one, on-the-fly, previously undisclosed attack against SMM on Intel platforms affecting most of the recent chipsets.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Wojtczuk

Thursday July 30, 2009 10:00am - 11:00am
Milano Ballroom 5-6-7-8

10:00am

Zane Lackey & Luis Miras: Attacking SMS
With the increased usage of text messaging around the globe, SMS provides an ever widening attack surface on today's mobile phones. From over the air updates to rich content multimedia messages, SMS is no longer a simple service to deliver small text-only messages. In addition to its wide range of supported functionality, SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked.
This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.
In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Lackey

Thursday July 30, 2009 10:00am - 11:00am
Milano Ballroom 1-2-3-4

10:00am

Hacker Court
This presentation is a mock trial that demonstrates legal issues in cyberspace. All events are fictitious, but legally accurate. A summary of the case follows:
A federal grand jury indicted two men, known as "Weasel and Silent Nomad" for their alleged role in perpetrating a hoax on the online social messaging utility, "Wanker"
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel10

Thursday July 30, 2009 10:00am - 11:00am
Pompeiian Ballroom

10:00am

Datagram: Lockpicking Forensics
Lockpicking is portrayed as the ultimate entry method. Undetectable and instantaneous as far as films are concerned. Nothing is further from the truth, but freely available information on the topic is nearly impossible to find. This talk will focus on the small but powerful fragments of evidence left by various forms of bypass, lockpicking, and impressioning. Attendees will learn how to distinguish tool marks from normal wear and tear, identify the specific techniques and tools used, and understand the process of forensic locksmithing in detail.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Datagram

Thursday July 30, 2009 10:00am - 11:00am
Augustus Ballroom 5-6

10:00am

Jeongwook Oh: Fight Against 1-Day Exploits
This is about binary diffing vs anti-binary-diffing technique. Security patch is usually meant to fix security vulnerabilities. And it's for fixing problems and protect users and computers from risks. But how about releasing patch imposes new threats? We call the threat 1-day exploits. Just few minutes after the release of patches, binary diffing technique can be used to identify the vulnerabilities that the security patches are remedying. Since being introduced by Halvar back in few years ago, binary diffing is now so common and easily affordable technique. Aside from expensive commercial tools like "bindiff," there are already 2-3 free or opensource tools that can be used to identify exact patched points in the patch files.
This binary diffing technique is especially useful for Microsoft binaries. Not like other vendors they are releasing patch regularly and the patched vulnerabilities are relatively concentrated in small areas in the code. That makes the patched part more visible and apparent to the patch analyzers. We already developed "eEye Binary Diffing Suites" back in 2006 and it's widely used by security researchers to identify vulnerabilities. Even though it's free and opensource, it's powerful enough to be used for that vulnerabilities hunting purpose. So virtually, attackers have access to all the tools and theories they need to identify unknown vulnerabilities that is just patched. They can launch attack during the time frame users or corporates are applying patches (typically takes few hours to few days).
From our observations during past few years, all the important security patches were binary diffed manually or automatically using tools. Sometimes the researchers claimed they finished analyzing patches in just 20-30 minutes. At most in a day, it's possible to identify the vulnerability itself and make working exploits. So now it became crucial to make theses practices more difficult and time-consuming so that earn more time for the consumers to apply patches. Even though using severe code obfuscation is not an option for Microsoft's products, they can still follow some strategies and techniques to defeat the binary diffing processes without forsaking stability and usability. We are going to show the methods and tactics to make binary differs life harder. And will show the in-house tool that obfuscates the binaries in a way that especially binary differs confused.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Oh

Thursday July 30, 2009 10:00am - 11:00am
Augustus Ballroom 1-2

10:30am

Kevin Stadmeyer: Worst of the Best of the Best
This talk provides an overview of popular, and lesser known but similar sounding awards, and the correlation between them and security vulnerabilities found. The analysis will use publicly available information for statistics and sanitized examples of award-winning products that are clearly vulnerable to common attacks.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Stadmeyer

Thursday July 30, 2009 10:30am - 11:00am
Roman Ballroom

11:00am

Coffee Service
Thursday July 30, 2009 11:00am - 11:15am

11:15am

Daniel Raygoza: Automated Malware Similarity Analysis
While it is fairly straightforward for a malware analyst to compare two pieces of malware for code reuse, it is not a simple task to scale to thousands of pieces of code. Many existing automated approaches focus on run-time analysis and critical trait extraction through signatures, but they don't focus on code reuse. Automated code reuse detection can help malware analysts quickly identify previously analyzed code, develop links between malware and its authors, and triage large volumes of incoming data. The tool and approach presented is best suited for groups that often perform in depth analysis of malware samples (including unpacking) and are looking for methods to develop links and reduce duplicated effort.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Raygoza

Thursday July 30, 2009 11:15am - 11:40am
Roman Ballroom

11:15am

Matt Conover: SADE: Injecting agents in to VM guest OS
As more and more virtual machines (VM) are packed into a physical machine, refactoring common kernel components shared by virtual machines running on the same physical machine could significantly reduce the overall resource consumption. The refactored kernel component typically runs on a special VM called a virtual appliance. Because of the semantics gap in Hardware Abstraction Layer (HAL)-based virtualization, a physical machine's virtual appliance requires the support of per-VM in-guest agents to perform VM-specific operations such as kernel data structure access and modification.
To simplify deployment, these agents must be injected into guest virtual machines without requiring any manual installation. Moreover, it is essential to protect the integrity of inguest agents at run time, especially when the underlying refactored kernel service is security-related. This paper describes the design, implementation and evaluation of a stealthy agent deployment and execution mechanism called SADE that requires zero installation effort and effectively hides the execution of agent code. To demonstrate the efficacy of SADE, we describe a signature-based memory scanning virtual appliance that uses SADE to inject its in-guest kernel agents, and show that both the start-up overhead and the run-time performance penalty of SADE are quite acceptable.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Conover

Thursday July 30, 2009 11:15am - 12:30pm
Augustus Ballroom 3-4

11:15am

Travis Goodspeed: A 16-bit Rootkit and Second Generation Zigbee Chips
This lecture in two parts presents first a self-replicating rootkit for wireless sensors, then continues with recent research into the security of second generation Zigbee radio chips such as the CC2430/2431 and the EM250. A live demo and a vulnerability will be released as a part of this presentation.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Goodspeed

Thursday July 30, 2009 11:15am - 12:30pm
Milano Ballroom 5-6-7-8

11:15am

Charlie Miller & Collin Mulliner: Fuzzing the Phone in your Phone
In this talk we show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). We show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, we present the results of this fuzzing and discuss their impact on smart phones and cellular security.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Miller

Thursday July 30, 2009 11:15am - 12:30pm
Milano Ballroom 1-2-3-4

11:15am

Hacker Court (continued)
This presentation is a mock trial that demonstrates legal issues in cyberspace. All events are fictitious, but legally accurate. A summary of the case follows:
A federal grand jury indicted two men, known as "Weasel and Silent Nomad" for their alleged role in perpetrating a hoax on the online social messaging utility, "Wanker"
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel10

Thursday July 30, 2009 11:15am - 12:30pm
Pompeiian Ballroom

11:15am

Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems
Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, or an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have lead to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Grossman

Thursday July 30, 2009 11:15am - 12:30pm
Augustus Ballroom 5-6

11:15am

Nick Harbour: Win at Reversing
This presentation will discuss a new free tool for Reverse Engineering called API Thief, the "I Win" button for malware analysis. The unique way the tool operates will be explored as well as how it is able to provide better quality data than other tracing tools currently availible. Advanced usage of the tool for malware analysis will be demonstrated such as Sandboxing functionality and a new technique for automated unpacking.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Harbour

Thursday July 30, 2009 11:15am - 12:30pm
Augustus Ballroom 1-2

11:40am

Chris Weber: Unraveling Unicode
The complex landscape of Unicode provides many angles for exploiting software and end users. We've known about some of these for years, we've seen buffer overflows exploited because of faulty Unicode handling, and we've seen homograph attacks in URL's. However, the real mysteries remain latent, unapparent to most software developers and even to the security community. I'm going to raise awareness around the interesting attack vectors and new areas of research into Unicode, as well as open people's eyes to the modern Visual Spoofing attacks of today.
This talk will include demonstrations of several uncommon vulnerabilities/attack vectors, and will also include a tool release to assist in finding these issues. A separate Spoof-detection component will also be released to demonstrate how we can defend users against Visual Spoofing attacks. We'll take a close technical look at many of the issues in Unicode software which are not well-known even in the security research community:
* How Unicode characters can be mishandled to take on powerful formatting properties such as white space.
* When unexpected UTF-8 sequences can lead to over-consumption and character deletion which enable attacks such as cross-site scripting and file system manipulation.
* What happened to non-shortest form UTF-8 and UTF-7?
* Why best-fit mappings lurking in common frameworks and API's will enable drastic misbehavior and attacks within your applications, allowing for control over file systems and interpreters/parsers such as HTML.
* When casing operations enable a special character to be converted into something useful for cross-site scripting and other attacks.
* Why normalization operations can enable a Latin Modifier character to be converted into an exploitable HTML greater than sign.
* How normalization and casing operations can expand a single character by up to 18x leading to buffer overflows.
* Why the BOM and Mongolian Vowel Separator are great inputs to use in test cases.
* How Internationalized Domain Names work and why they're still vulnerable to Visual Spoofing attacks today.
This presentation's intention is to educate the audience on categorized security issues around Unicode and Internationalized software in a clear and structured way, while giving real-world test cases, inputs, and practices for finding and avoiding vulnerabilities. I'll also cover the visual security issues relating to script spoofing and the 'confusables'. Internationalized Domain Names have been with us since 2003 yet are less understood in the security community. Internationalized top-level-domains are coming up, as are email addresses. I'll be demonstrating how I can fool end users with lookalikes and homograph attacks in modern browsers with common .COM and .ORG domains.
Unicode is a universal character encoding providing the basis for processing, storage, and interchange of text data in any language in all modern software. Unicode replaces the myriad of historical character sets and encodings which have proven cumbersome and difficult for interoperability. With Unicode we get a single unified model for representing characters in almost any language past, present, and even future.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Weber

Thursday July 30, 2009 11:40am - 12:30pm
Roman Ballroom

12:30pm

Lunch
Thursday July 30, 2009 12:30pm - 1:45pm

1:45pm

Bryan Sullivan: Defensive Rewriting
Attacks like cross-site scripting (XSS), cross-site request forgery (XSRF), and open-redirect phishing are routinely propagated through malicious hyperlinks sent in e-mail messages. We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs, not once every 200 years like Tim Berners-Lee suggests, but once every 10 minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims.
This presentation will explore the possibilities of using various forms of URL rewriting techniques as defensive measures against XSS, XSRF and any other known or 0-day attack methods that use email as a propagation vector. I will release source and binaries for an ASP.NET rewriting module and will demonstrate source/pseudocode to accomplish the same functionality for other platforms.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Sullivan

Thursday July 30, 2009 1:45pm - 2:10pm
Roman Ballroom

1:45pm

Haroon Meer: Clobbering the Cloud!
Cloud Computing dominates the headlines these days but like most paradigm changes this introduces new risks and new opportunities for us to consider. Some deep technical research has gone into the underlying technologies (like Virtualization) but to some extent this serves only to muddy the waters when considering the overall threat landscape. During this talk, SensePost will attempt to separate fact from fiction while walking through several real-world attacks on "the cloud." The talk will focus both on attacks against the cloud and on using these platforms as attack tools for general Internet mayhem. For purposes of demonstration we will focus most of our demos and attacks against the big players...
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Meer

Thursday July 30, 2009 1:45pm - 3:00pm
Augustus Ballroom 3-4

1:45pm

Joe Grand, Jacob Appelbaum & Chris Tarnovsky: 'Smart' Parking Meter Implementations, Globalism, and You
Throughout the United States, cities are deploying "smart" electronic fare collection infrastructures that have been commonplace in European countries for many years. In 2003, San Francisco launched a $35 million pilot program to replace approximately 23,000 mechanical parking meters with electronic units that boasted tamper resistance, payment via smart card, auditing capabilities, and an estimated $30 million annually in fare collection revenue. Other major cities, including Atlanta, Boston, Chicago, Los Angeles, New York, Philadelphia, Portland, and San Diego, have made similar moves.
In this session, we will present our evaluation of electronic parking meters, including smart card protocol analysis and emulation, silicon die analysis, and firmware reverse engineering, all of which aided in successful breaches.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Grand

Thursday July 30, 2009 1:45pm - 3:00pm
Milano Ballroom 5-6-7-8

1:45pm

Kevin Mahaffey, Anthony Lineberry & John Hering: Is Your Phone Pwned?
The world has never been more connected. Over a billion mobile devices ship every year, five times the number of PCs in the same period. The iPhone and Android have accelerated the mass adoption of smart devices, mobile applications, and high speed mobile networks. Meanwhile, mobile devices are now a material target: they contain sensitive personal and corporate data, access privileged networks, and routinely perform financial transactions. The question remains, how do we keep these devices safe?
Learn about how to detect vulnerabilities on mobile devices, exploitation techniques, how the security architecture of major mobile platforms work, and how to protect your mobile device(s) in the threat landscape of a constantly evolving mobile world. We'll be demonstrating a new mobile device vulnerability (we're also providing a hotfix tool) and analyzing other vulnerabilities that affect major mobile platforms, one of which is already being actively exploited in the wild. To top it off, we will be releasing our 'Sniper' mobile fuzzing framework, a tool specifically designed to fuzz mobile platforms that includes support for major file formats and protocols typically present on mobile devices.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Mahaffey

Thursday July 30, 2009 1:45pm - 3:00pm
Milano Ballroom 1-2-3-4

1:45pm

DHS Roundtable
TBD

Thursday July 30, 2009 1:45pm - 3:00pm
Pompeiian Ballroom

1:45pm

Hristo Bojinov, Elie Bursztein & Dan Boneh: Embedded Management Interfaces
Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Bojinov

Thursday July 30, 2009 1:45pm - 3:00pm
Augustus Ballroom 5-6

1:45pm

Danny Quist & Lorie Liebrock: Reverse Engineering by Crayon
Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armored code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps you to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Quist

Thursday July 30, 2009 1:45pm - 3:00pm
Augustus Ballroom 1-2

2:10pm

Rachel Engel: Gizmo
Gizmo is a free new open source web proxy designed to be lightweight, speedy, and responsive. When someone is performing a web pentest, they want a tool that lets them edit and search through requests quickly. The tool should let them search through and edit requests without slowing down web traffic or taking up the user's attention with heavyweight user interfaces. Gizmo was created with this in mind. The user interface is focused on the keyboard so that once the initial (very small) learning curve is over, the user can operate gizmo without their hands leaving the keyboard. A great deal of effort was also spent ensuring that gizmo proxies traffic snappily enough that a user's web browsing experience isn't hampered. The presentation will be focused on a presentation of the featureset of gizmo, and a demonstration of how snappy and responsive web proxies can be.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Engel

Thursday July 30, 2009 2:10pm - 2:35pm
Roman Ballroom

2:45pm

Tony Flick: Hacking the Smart Grid
The city of Miami and several commercial partners plan to rollout a "smart grid" citywide electrical infrastructure by the year 2011. This rollout proceeds on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute for Standards in Technology (NIST) has recently released a roadmap for producing Smart Grid standards. In this Turbo Talk, I will discuss the flaws with the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (PCI DSS), that rely heavily on organizations policing themselves.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Flick

Thursday July 30, 2009 2:45pm - 3:05pm
Roman Ballroom

3:15pm

Marc Bevand: MD5 Chosen
In December 2008, an MD5 chosen-prefix collision attack was performed on a PlayStation 3 cluster to create a rogue CA certificate. A new implementation of this attack has been researched and developped to run an order of magnitude faster and more efficiently on video card GPUs, which now makes the attack practical to anybody. Software techniques to achieve the breakthrough performance gain will be demonstrated.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Bevand

Thursday July 30, 2009 3:15pm - 3:40pm
Roman Ballroom

3:15pm

Kostya Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware
Virtualization is everywhere, and VMware is a major actor in the domain. A MacOS user running a Windows only application in a Fusion guest. A malware researcher analysing the latest Conficker in a Workstation guest. A big company running a cloud virtualized on some ESX servers. All of them rely on the security offered by the virtualization software, as a breakout would have disastrous consequences.
Yet VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Kortchinsky

Thursday July 30, 2009 3:15pm - 4:30pm
Augustus Ballroom 3-4

3:15pm

Chris Tarnovsky: What the Hell is In there?
An in-depth look inside the latest high-security smartcard devices commonly found inside GSM sim cards. Several different manufactuers have been torn down. Most are certified at the highest Common Criteria levels available. High-resolution images will be the focal point of the discussion as well as how secure really are these devices. Is the latest Comp128 algorithm secure or is there is a risk of exposure from one of these sim cards?
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Tarnovsky

Thursday July 30, 2009 3:15pm - 4:30pm
Milano Ballroom 5-6-7-8

3:15pm

Jesse Burns: Exploratory Android Surgery
It's hard to resist open, Linux-based phones with sophisticated programming environments and a novel security model. Android has application-level isolation, new kernel primitives for communication, and fancy UI features wrapped around its open source heart. This talk will explore Android's fancy new kernel and user mode security mechanisms, how to test them, and how to mess around inside your droid.
Jesse will release and demonstrate new tools for exploring Android devices, including an Intent sniffer, Intent fuzzer, a security policy exploration tool, and a tool for exploring any undocumented or proprietary corners of your device.
In the process, the talk will show hidden features on currently shipping devices, illustrate how Android systems fit together and help the attendee understand what this new security model's capabilities and limitations are. The speaker has worked on the security of dozens of Android applications, and on the operating system itself. He will use this experience to explain some of the most common, new types of security weaknesses facing mobile developers and testers.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Burns

Thursday July 30, 2009 3:15pm - 4:30pm
Milano Ballroom 1-2-3-4

3:15pm

Meet the Feds: Feds vs. Ex-Feds
Did you ever wonder if the Feds were telling you're the truth when you asked a question? This year we're inviting you to "Meet the Feds and Ex-Feds" to answer your questions. The objective is to get you the answers to your questions without getting a public official fired! Come ask your question and compare the answers you get.
Each of the agency reps and ex-agency rep will make an opening statement regarding their agencies role, then open it up to the audience for questions.
Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS USCERT, DoJ, National White Collar Crime Center (NWC3), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel7

Thursday July 30, 2009 3:15pm - 4:30pm
Pompeiian Ballroom

3:15pm

Alexander Sotirov & Mike Zusman: Breaking the Security Myths of Extended Validation SSL Certificates
Extended Validation (EV) SSL certificates have been touted by Certificate Authorities and browser vendors as a solution to the poor validation standards for issuing traditional SSL certificates. It was previously thought that EV certificates are not affected by attacks that allow malicious hackers to obtain a non-EV SSL certificate, such as the MD5 collision attack or the widely publicized failures of some CAs to validate domain ownership before issuing certificates.
Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate. In this talk we will show how any attacker who can obtain a non-EV SSL certificate for a website can perform completely transparent man-in-the-middle attacks on any SSL connection to that site, even if the website is protected is by an EV certificate and the users are diligently inspecting all information contained in the SSL certificates.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Sotirov

Thursday July 30, 2009 3:15pm - 4:30pm
Augustus Ballroom 5-6

3:15pm

K. Chen: Reversing and Exploiting an Apple® Firmware Update
I describe how an attacker can install malicious code into the firmware of an Apple aluminum keyboard.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Chen

Thursday July 30, 2009 3:15pm - 4:30pm
Augustus Ballroom 1-2

3:40pm

Steve Ocepek: Long-Life Sessions
Whether it's a credit card sniffer, a chatty web application, or unauthorized remote control software, long-lived network sessions are frequently being used to establish bi-directional conduits into and out of our networks. Unlike traditional "pull" oriented sessions, long-life sessions create channels that last anywhere from several minutes to several days. This behavior is not inherently bad, but since each connection represents a direct path into a network resource, being able to scrutinize these pathways would certainly even the odds a bit.
This discussion will present ways of classifying long-life sessions, decisions that need to made around their use, and methods for detection and disconnection. While some current tools can get us part of the way there, a new approach will be presented in the form of a proof-of-concept utility called "ackack." This program, initially being released at Black Hat 2009, can be used with a switch monitor session to apply ARIN-based white/blacklists to long-life incoming and outgoing sessions. Detecting LogMeIn, botnets, and phone-home malware suddenly becomes feasible, as well as incoming server exploits that, for instance, drop the intruder into a shell. The goal of this software is to demonstrate the plausibility of controlling long-life sessions and encourage hardware vendors to implement this functionality. It might also make the world a better place, which would be kinda cool too.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Ocepek

Thursday July 30, 2009 3:40pm - 4:05pm
Roman Ballroom

4:05pm

Peter Guerra: How Economics and Information Security Affects Cyber Crime
This turbo talk will explore the links between US law, international cybercrime, malware proliferation, and the economics of botnets. During this time, I will present research into the impact the current worldwide economic crisis has had on cybercrime and the impact on security professionals. I will also use economics to link cybercrime activity to emerging markets countries (Brazil, Russia, India, and China) and show research into how the CAN-SPAM act created economic incentives for an increase in botnets, spam, malware, and phishing attacks.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Guerra

Thursday July 30, 2009 4:05pm - 4:30pm
Roman Ballroom

4:30pm

Ice Cream Sundae Social
Thursday July 30, 2009 4:30pm - 4:45pm

4:45pm

Michael Brooks: BitTorrent hacks
This is the journey of two pirates hacking BitTorrent. This talk will cover ways of abusing the BitTorrent protocol, finding vulnerabilities in BitTorrent clients and exploiting them. We will also cover counter measures to these attacks.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Brooks

Thursday July 30, 2009 4:45pm - 5:10pm
Roman Ballroom

4:45pm

Bruce Schneier: Reconceptualizing Security
Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. We tend to discount the feeling in favor of the reality, but they're both important. The divergence between the two explains why we have so much security theater, and why so many smart security solutions go unimplemented. Several different fields-behavioral economics, the psychology of decision making, evolutionary biology-shed light on how we perceive security, risk, and cost. It's only when the feeling and reality of security converge that we have real security.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Schneier

Thursday July 30, 2009 4:45pm - 6:00pm
Augustus Ballroom 3-4

4:45pm

Mike Davis: Recoverable Advanced Metering Infrastructure
Smart Grid. Smart Meters. AMI. Certainly no one has escaped the buzz surrounding this potentially ground-breaking technology. However, equally generating buzz is the heightened threat of attack these technologies provide. Mike Davis and a team of IOActive researchers were able to identify multiple programming errors on a series of Smart Meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues. The team was able to "weaponize"
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#MDavis

Thursday July 30, 2009 4:45pm - 6:00pm
Milano Ballroom 5-6-7-8

4:45pm

Vincenzo Iozzo & Charlie Miller: Post Exploitation Bliss - Loading Meterpreter on a Factory iPhone
IPhones are now widely used by people; as a consequence the number of factory phones is ever increasing. Until very recently, researchers focused on exploitation techniques for jailbroken phones. Most of these approaches are not usable on factory phones due to a number of protections including code signing and additional memory protections. For that reason, even with the ability to execute arbitrary code in an exploit, it is very hard to know what to do. This presentation will show how is it possible to effectively run high level payloads on a factory phone by defeating code signing protections after exploitation. Specifically by injecting an arbitrary non-signed library in the victim's process address space, an attacker is able to run his own code thus granting a much higher attack efficacy. This is especially important because on factory iPhones, there are no useful utilities, not even a shell. With this technique, an attacker can bring along their own tools, including the ability to get directory listing, upload and download files, even pivot attacks, in the form of Meterpreter!
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Iozzo

Thursday July 30, 2009 4:45pm - 6:00pm
Milano Ballroom 1-2-3-4

4:45pm

A Black Hat Vulnerability Risk Assessment
Security professionals regularly fall into the trap that security is only about vulnerabilities and who has more. In reality, vulnerabilities need to be viewed in the context of how the system or "
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#panel8

Thursday July 30, 2009 4:45pm - 6:00pm
Pompeiian Ballroom

4:45pm

Bill Blunden: Anti-Forensics: The Rootkit Connection
Conventional rootkits have focused primarily on defeating forensic live incident response and network monitoring using a variety of concealment strategies (e.g. detour patching, covert channels, etc). However, the tools required to survive a post-mortem analysis of secondary storage, which are just as vital in the grand scheme of things, recently don't seem to have garnered the same degree of coverage. In this presentation, the speaker will examine different approaches to persisting a rootkit and the associated anti-forensic tactics that can be employed to thwart an investigator who's performing an autopsy of a disk image.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Blunden

Thursday July 30, 2009 4:45pm - 6:00pm
Augustus Ballroom 5-6

4:45pm

Mario Vuksan: Fast & Furious Reverse Engineering with TitanEngine
A great challenge of modern reverse engineering is taking apart and analyzing binary protections. During the last decade, vast number of shell modifiers has appeared. At the same time protection tools have evolved from encryption that protects executable and data parts to sophisticated protections that are "packed" with tricks that are specifically tasked to slow down the reversing process. As the number of such techniques increase, we need to ask ourselves, can we keep up with the tools that we have?
Come to this talk to learn the most optimal strategies in dealing with complex binary code and to see in action the new open source framework, the TitanEngine, addressing advanced file analysis. Today reverse engineers are limited to writing their own code for every new scenario that they encounter or to using outdated solutions that do not cover all the needed aspects. Yet when the speed is of essence, as in dealing with new outbreaks or Botnet infections, new tools are necessary to deal with the large volume of incoming samples. Accurate detection, relevant data extraction and fast decomposition in a safe and controlled manner are critical requirements.
TitanEngine has been designed so that writing unpackers would mimic the manual unpacking process. Guided execution with the set of callbacks simulates the presence of a reverse engineer. This is done by creating an execution timeline equal to the one used by reverse engineers to unpack the file. Information is gathered as the execution is led to the point from where the protection passes the control to the original code. At that point we have all the data we need to create a sample valid for execution and further analysis. During the talk, a new open source project, the TitanEngine, will be introduced and discussed in detail. Special attention will be given to addressing automation problems when writing unpackers. We will cover the following topics:
* In-depth description of integrated x86/x64 debugger
* Debugger: software, hardware, memory, library and flex breakpoints
* Dumping memory and loaded modules
* Comprehensive description of integrated import resolving module
* Repairing import table with a simple data gathering
* Automatic scan for all known import redirections and eliminations
* In-depth description of integrated PE file manipulation module
* Working with PE header, imports, exports, relocations, resources
* Complete description on how to use the engine to write an unpacker
* Making an executable unpacker
* Making a library unpacker

The talk will conclude with demos of two new tools that are based on the TitanEngine:
* RL!dePacker - generic PE x86/x64 unpacker which supporting over 100 formats
* ImportStudio - OllyDBG plugin which provides an interface for easily fixing imports

This talk will be a Black Hat exclusive; a launch and demonstration of the major version upgrades of RL!dePacker, ImportStudio that are based on the new open source project titled "The TitanEngine." All components will be available for distribution with the conference materials.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Vuksan

Thursday July 30, 2009 4:45pm - 6:00pm
Augustus Ballroom 1-2

5:10pm

Mikko Hypponen: The Conficker Mystery
Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. Apparently written in Ukraine, this worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser.
Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create a remote jobs to infect machines over corporate networks. Possibly to most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalcuting one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected.
But the real mystery is why nothing happened. The infected machines have never been used for anything. No botnet, no spamming, no data theft. Why? In my talk I will present the work we did to analyse Conficker. We reverse engineered the domain-generation algorithm and infiltrated the network. I will also disclose, for the first time ever, what was the motive of the gang behind Conficker - and why they never acted upon it.

Thursday July 30, 2009 5:10pm - 5:35pm
Roman Ballroom

5:35pm

Muhaimin Dzulfakar: Advanced MySQL Exploitation
This talk focuses on how MySQL SQL injection vulnerabilities can be used to gain remote code execution on the LAMP and WAMP environments. Attackers performing SQL injection on a MySQL platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This talk will show that arbitrary code execution is possible on the MySQL platform and explain the techniques. In this presentation, the author will demonstrate the tool he wrote, titled MySqloit. This tool can be integrated with metasploit and is able to upload and execute shellcodes using a SQL Injection vulnerability in LAMP or WAMP environments.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Dzulfakar

Thursday July 30, 2009 5:35pm - 6:00pm
Roman Ballroom