Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference Jeff Moss

Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world.

Phil has been working on a new project and plans to have freeware ready for all Black Hat attendees.

This talk will present recent advances in the design of robust cryptographic backdoors in secret symmetric ciphers (i.e., classified or proprietary ciphers). The problem directly affects end-users since corporations and governments have in the past produced secret symmetric ciphers for general use (e.g., RC4 and Skipjack, respectively).

The problem itself is challenging since it involves leaking secret key material in the ciphertexts that are produced by a deterministic function, whereas traditional subliminal channels have relied on the use of randomized cryptographic algorithms. Such attacks can be regarded as advanced Trojan horse attacks since the secret block cipher securely and subliminally transmits the symmetric key of the sender and receiver to the malicious designer and confidentiality holds even when the cipher is made public. The material that will be surveyed was published in Fast Software Encryption (FSE '98), the Australasian Conference on Information Security and Privacy (ACISP '03), and Selected Areas in Cryptography (SAC '04).

Adam Young received his BS degree in Electrical Engineering from Yale University in '94, his MS degree in Computer Science from Columbia University in '96. He was awarded his PhD degree in Computer Science with distinction from Columbia University in '02. He has authored publications in IEEE Foundations of Computer Science, Crypto, Eurocrypt, Asiacrypt, Security in Communication Networks (SCN), Fast Software Encryption, Algorithmic Number Theory Symposium (ANTS), PKC, CT-RSA, SAC, IEEE Security and Privacy, Cryptographic Hardware and Embedded Systems (CHES), ACISP, and the IEEE Information Assurance Workshop.

He is the author of the book "Malicious Cryptography: Exposing Cryptovirology" that is co-authored with Dr. Moti Yung. Adam has given invited talks at Xerox PARC, MITRE, Bell Labs, NYU, Sandia National Labs, the Naval Postgraduate School, the AMS-MMS special session on coding theory and cryptography, and the 2nd International Conference on Advanced Technologies for Homeland Security (ICATHS '04). In April Adam will be giving a talk at the DIMACS Workshop on Theft in E-Commerce that is being held at Rutgers University.

Adam's work experience includes serving as a cryptographic consultant for CertCo, Inc., performing research for Lucent as a Member of Technical Staff, acting as a Principal Engineer for Lockheed Martin Global Telecommunications, and conducting Federally funded research for the DoD.

AV software is becoming extremely popular because of the its percieved protection. Even the average person is aware they want AV on their computer (see AOL, Netscape, Netzero, Earthlink, and other ISP television ads). What if: Instead of protecting ppl from hackers AV software was actually making it easier for hackers?

This talk will outline general binary auditing techniques using AV software as an example, and demonstrate examples of remote AV vulnerabilities discovered using those techniques.

Alex Wheeler is a security researcher, who specializes in reversing engineering binaries for security vulnerabilities. His research experience was cultivated during his time with ISS X-Force, which he spent auditing critical network applications and technologies for security vulnerabilities. Alex's recent audit focus on AV products has lead to the discovery of serious systemic and point vulnerabilities in many major AV products.

Neel Mehta works as an application vulnerability researcher at ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

Paul Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. Early in his career, he developed and introduced sends, proxynet, rtty, cron and other lesser-known tools.

Today, Paul is considered the primary modern author and technical architect of BINDv8 the Berkeley Internet Name Domain Version 8, the open source reference implementation of the Domain Name System (DNS). He formed the Internet Software Consortium (ISC) in 1994, and now acts as Chairman of its Board of Directors. The ISC reflects Paul's commitment to developing and maintaining production quality open source reference implementations of core Internet protocols.

More recently, Paul cofounded MAPS LLC (Mail Abuse Prevention System), a California nonprofit company established in 1998 with the goal of hosting the RBL (Realtime Blackhole List) and stopping the Internet's email system from being abused by spammers. Vixie is currently the Chief Technology Officer of Metromedia Fiber Network Inc (MFNX.O).

Along with Frederick Avolio, Paul co-wrote "Sendmail: Theory and Practice" (Digital Press, 1995). He has authored or co-authored several RFCs, including a Best Current Practice document on "Classless IN-ADDR.ARPA Delegation" (BCP 20). He is also responsible for overseeing the operation of F.root-servers.net, one of the thirteen Internet root domain name servers.

After three years of community development, the Open Web Application Security Project (OWASP) is proud to introduce the next generation of web application security standards at BlackHat USA 2005. The Guide to Securing Web Applications and Services 2.0 is a major new release - written from the ground up, with many new sections covering common and emerging risks, including:

* How to design more secure software
* How to conduct a security review using the Guide
* How to perform the most difficult web application processes correctly: processing credit cards, interacting with payment gateways (such as PayPayl), and anti-phishing controls
* Reorganized and easily navigated chapters on web application controls including: web services, comprehensive authentication and authorization controls, session management, data validation, interpreter injection, and many new controls within existing chapters
* Secure configuration and deployment
* And software quality assurance.

The Guide has adopted and extended the popular OWASP Top 10 approach - security objectives, how to identify if you are at risk, with recommended remediations in three popular frameworks, and further reading. The Guide is platform neutral, and has examples in J2EE, ASP.NET and PHP. The Guide 2.0 is on the conference materials CD-ROM in its entirety. As it is free (as in beer as well as in freedom), you can redistribute or print it as often as you wish.

To demonstrate the incredible versatility of the Guide and its pragmatic approach, we will be conducting a live security review of software selected at random by the audience. To perform the review demonstration, we will be using just a few off-the-shelf web development tools with Firefox to demonstrate how easy it is to subvert the average application, and how simple it is to fix issues properly by using the Guide.

We expect this talk will be useful to all attendees, but those who set secure coding standards within their organization, manage risk from custom software, manage software development or are software architects or developers will benefit the most from attending this session.

Andrew van der Stock is among the many contributors to the OWASP project over the years. Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, and AusCERT, and is a leading Australian web application researcher. He helps run the OWASP Melbourne chapter, started the OWASP Sydney chapter, and is ex-President of SAGE-AU, the System Administrator's Guild of Australia. You can read more about OWASP, the Open Web Application Security Project at http://www.owasp.org/ and you can read more about Andrew at http://www.greebo.net/.

Windows is the number one target on the Internet today. It takes less than 5 minutes for an unpatched Windows machine, connected to the Internet, to get owned. Yet the most prevalent security practices still consist of running anti-viruses and constant patching.

This presentation introduces a new tool, called Ozone, that is designed to protect against most of the commonly exploited attack vectors. To protect against the most common of these, buffer overflows, Ozone uses an address space randomization technique. In addition, Ozone runs all processes in a sandbox that severely limits what a compromised process is allowed to do. Finally, Ozone protects itself and the underlying operating system against further attacks.

Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military environments. Eugene has presented his research at a number of security conferences including Usenix Security, BlackHat Europe and BlackHat USA. Eugene holds both a Bachelor and a Masters degree in Computer Science from the University of California, San Diego