Black Hat Briefings, Europe 2007 [Audio] Presentations from the security conference‪.‬ Jeff Moss

Jeff Moss introduces the Keynote and welcomes everyone tthe Amsterdam 2007 conference!

Roger will provide an overview of the work of CPNI in reducing vulnerability in information systems that form part of the UK. He will then challenge the community on a number of issues, including the development of the malicious market place, and the role security researchers in addressing vulnerabilities as used by a range of threat actors.

Until 31 January 2007 Roger Cumming was Director of the National Infrastructure Security Co-ordination Centre (NISCC), the UK centre responsible for minimising the impact of electronic attack on the UK critical national infrastructure. Since 1 February Roger has been Head of Advice Delivery and Knowledge Development at the UK Centre for the Protection of National Infrastructure (CPNI). CPNI provides protective security advice on information security as well as physical and personnel security treduce the vulnerability of the UK's national infrastructure tterrorism and other threats.

RFID is being embedded in everything... From Passports tPants. Door Keys tCredit Cards. Mobile Phones tTrash Cans. Pets tPeople even! For some reason these devices have become the solution tevery new problem, and we can't seem tget enough of them....

"Heap exploitation is getting harder. The heap protection features in the latest versions of Windows have been effective at stopping the basic exploitation techniques. In most cases bypassing the protection requires a great degree of control over the allocation patterns of the vulnerable application.

This presentation introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allows an attacker tset up the heap in any desired state and exploit difficult heap corruption vulnerabilities with great reliability and precision.

This talk will begin with an overview of the current state of browser heap exploitation and the unreliability of many heap exploits. It will continue with a discussion of Internet Explorer heap internals and the techniques for JavaScript heap manipulation. I will present a JavaScript heap exploitation library that exposes an abstract heap manipulation API. Its use will be demonstrated by exploit code for twcomplex heap corruption vulnerabilities.

The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable tother browsers as well. "

"The last years have seen the growth of botnets and its transformation inta highly profitable business. Most of the botnets seen until now have used the same basic concepts. This presentation intends tshow what are the major challenges faced by botnet authors and what they
might try in the future tsolve them.
The presentation will pass through some interesting solutions for botnet design challenges. A layered and extensible approach for Bots will be presented, showing that solutions from exploit construction (like metasploit), P2P networks (Gnutella and Skype), authentication (digital signatures) and covert channels research fields can be used tmake botnets more reliable, extensible and hard tput down."

"Data theft is becoming a major threat, criminals have identified where the money is, In the last years many databases
from fortune 500 companies were compromised causing lots of money losses. This talk will discuss the Data Theft problem focusing on database attacks, we will show actual information about how serious the data theft problem is, we will explain why you should care about database security and common attacks will be described, the main part of the talk will be the demostration of unknown and not well known attacks that can be used or are being used by criminals teasily steal data from your databases, we will focus on most used database servers: MS SQL Server and Oracle Database, it will be showed how to
steal a complete database from Internet, how tsteal data using a database rootkit and backdoor and some advanced database 0day exploits. We will demostrate that compromising databases is not big deal if they haven't been properly secured. Alsit will be discussed how tprotect against attacks syou can improve database security at your site."

"The Achilles' heel of network IDSes lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS traise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets tproduce false alerts, thereby lowering the defences of the IT infrastructure.

Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they dnot correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. Tdemonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture.

Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the twsystems. APHRODITE is able treduce the rate of false alarms from 50% t100% (improving accuracy) without reducing the NIDS ability tdetect attacks (completeness)."