Joanna Rutkowska & Alexander Tereshkin: IsGameOver(), anyone?

In this talk we will discuss what is now referred to as "The 'first' Internet War" where Estonia was under massive online attacks for a period of three weeks, following tensions with the local Russian population.

Following a riot in the streets of Tallinn, an online assault begun, resulting in a large-scale coordination of the Estonian defenses on both the local and International levels. We will demonstrate what in hind-sight worked for both the attackers and the defenders, as well as what failed. Following the chronological events and technical information, we will explore what impact these attacks had on Estonia's civil infrastructure and daily life, and how they impacted its economy during the attacks.

Once we cover that ground, we will evaluate what we have so far discussed and elaborate on lessons learned while Gadi was in Estonia and from the post-mortem he wrote for the Estonian CERT. We will conclude our session by recognizing case studies on the strategic level, which can be deducted from the incident and studied in preparation for future engagements in cyber-space.

Gadi Evron works for the Mclean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing as well as is the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager which he founded.

Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework.

REVIEWER NOTES: This is a monstrous presentation and will absolutely require the 150-minute time slot. For a smaller version of this presentation, please see my other submission (System Cracking with Metasploit 3). The goal of this presentation is to show some of the non-standard ways of breaking into networks, methods that are often ignored by professional pen-testing teams.

Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. In the industry, we tend to discount the feeling in favor of the reality, but the difference between the two is important. It explains why we have so much security theater that doesn't work, and why so many smart security solutions go unimplemented. Two different fieldsbehavioral economics and the psychology of decision makingshed light on how we perceive security, risk, and cost. Learn how perception of risk matters and, perhaps more importantly, learn how to design security systems that will actually get used.

Bruce Schneier is an internationally renowned security technologist and CTO of BT Counterpane, referred to by The Economist as a "security guru." He is the author of eight booksincluding the best sellers "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," "Secrets and Lies," and "Applied Cryptography"and hundreds of articles and academic papers. His influential newsletter, Crypto-Gram, and blog "Schneier on Security," are read by over 250,000 people. He is a prolific writer and lecturer, a frequent guest on television and radio, has testified before Congress, and is regularly quoted in the press on issues surrounding security and privacy.

A Dangling Pointer is a well known security flaw in many applications.

When a developer writes an application, he/she usually uses pointers to many data objects. In some scenarios, the developer may accidentally use a pointer to an invalid object. In such a case, the application will enter an unintended execution flow which could lead to an application crash or other types of dangerous behaviors.

2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with a announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON 16.

Brad Stone, New York Times technology correspondent
Brad Stone joined the New York Times in December 2006. He covers Internet trends from the newspapers San Francisco bureau. In addition to writing for the paper, he contributes to the Times technology blog, Bits.

>From 1998 to November 2006, Stone served as the Silicon Valley Correspondent for Newsweek magazine, writing for the technology and business sections of the magazine and authoring a regular column, Plain Text, on our evolving digital lifestyles.

He joined the Newsweek writing staff in 1996 as a general assignment reporter and covered a wide range of subjects. He wrote about Mark McGwire's home run chase during the summer of 1998, the jury deliberations in the Timothy McVeigh trial, and profiled authors such as Kurt Vonnegut. He is also a frequent contributor to Wired magazine, and has written for publications such as More magazine and the Sunday Telegraph in London.

Brad graduated from Columbia University in 1993 and is originally from Cleveland, Ohio.

Patrick Chung, Partner, NEA
Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC) to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusettsbars.

Maria Cirino, Co-Founder and Managing Director, .406 Ventures
Maria is co-founder and managing director of .406 Ventures, a new VC firm focused on early stage investments in security, IT, and services. She serves as an active investor, director and/or chairman in one public company and four venture-backed companies including Verecode and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of Verisign following its 2005 $142 million acquisition of Guardenta Sequoia, Charles River Ventures and NEA-backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category creating network infrastructure company from 1993 to 1997.

Mark McGovern, Tech Lead, In-Q-Tel
Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

Dov Yoran is a Partner at Security Growth Partners (SGP). Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc. a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts.

Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents.

Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, in a $145 Million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue.

Prior to that, Mr. Yoran has worked in several technology start-ups as well as Accenture (formerly Anderson Consulting) where he focused on technolog and strategy engagements in the Financial Services Industry.

Mr. Yoran has also written and lectured on several Information Security topics. He holds a Masters of Science in Engineering Management and System Engineering with a concentration in Information Security Management from the George Washington University and is a cum laude Bachelor of Science in Chemistry graduate from Tufts University.

Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now.

This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance

RDS-TMC is a standard based on RDS (Radio Data System) for communicating over FM radio Traffic Information for Satellite Navigation Systems.

All modern in-car Satellite Navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up to date information about traffic conditions such as queues and accidents and provide detours in case they affect the plotted course. The system is increasingly being used around Europe and North America.

The audience will be introduced to RDS/RDS-TMC concepts and protocols and we'll show how to decode/encode such messages using a standard PC and cheap home-made electronics, with the intent of injecting information in the broadcast RDS-TMC stream manipulating the information displayed by the satellite navigator.

We'll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection / jamming can play in social engineering attempts (hitmen in the audience will love this!).

In order to maximize the presentation we'll also demo the injection...hopefully at low power so that we won't piss off local radio broadcasts.

Virtualization is changing how operating systems function and how enterprises manage data centers. Windows Server Virtualization, a component of Windows Server 2008, will introduce new virtualization capabilities to the Windows operating system. This talk will focus on security model of the system, with emphasis on design choices and deployment considerations. Aspects of virtualization security related to hardware functions will also be explored.

Tracing a malicious insider is hard; proving their guilt even harder. In this talk, we will discuss the challenges faced by digital investigators in solving electronic crime committed by knowledgeable insiders. These challenges will be presented in light of three real world investigations conducted by the presenters. The focus of this talk will on the technicalities of the attacks, the motivation of the attackers, and the response techniques used by the investigators to solve the respective crimes.

The first case is the high-profile U.S. v Duronio trial, in which Keith Jones testified as the DoJ?s computer forensics expert. Mr. Jones testified for over five days about how Mr. Duronio, a disgruntled employee, planted a logic bomb within UBS?s network to render critical trading servers unusable. His testimony was key in the prosecution of the accused on charges of securities fraud and electronic crime. Mr. Jones will present the information as he did to the jury during this trial.

The second incident involved a recently fired employee at a large retail organization. The irked employee made his way from a store wireless network into the company's core credit card processing systems. The purpose of the attack was to malign the company?s image by releasing the stolen data on the Internet. We will discuss the anatomy of the "hack", the vulnerabilities exploited along the way, and our sleepless nights in Miami honing in on the attacker.

The final case presented will focus on the technicalities of web browser forensics and how it facilitated the uncovering of critical electronic evidence that incriminated a wrong-doer, and more importantly freed an innocent systems administrator at a law firm from being terminated and facing legal music.

The common thread in all these cases - a malicious insider!

The Information Assurance Directorate (IAD) within the National Security Agency (NSA) is charged in part with providing security guidance to the national security community. Within the IAD, the Vulnerability Analysis and Operations (VAO) Group identifies and analyzes vulnerabilities found in the technology, information, and operations of the Department of Defense (DoD) and our other federal customers. This presentation will highlight some of the ways that the VAO Group is translating vulnerability knowledge in cooperation with many partners, into countermeasures and solutions that scale across the entire community. This includes the development and release of security guidance through the NSA public website (www.nsa.gov) and sponsorship of a number of community events like the Cyber Defense Initiative and the Red Blue Symposium. It also includes support for, or development of, open standards for vulnerability information (like CVE, the standard naming scheme for vulnerabilities); the creation of the extensible Configuration Checklist Description Format (XCCDF) to automate the implementation and measurement of security guidance; and joint sponsorship, with the National Institute of Standards and Technology (NIST) and the Defense Information Systems Agency (DISA), of the Information Security Automation Program (ISAP), to help security professionals automate security compliance and manage vulnerabilities.

The presentation will also discuss the cultural shift we have been making to treat network security as a community problem, one that requires large -scale openness and cooperation with security stakeholders at all points in the security supply chainoperators, suppliers, buyers, authorities and practitioners.

Tony Sager is the Chief of the Vulnerability Analysis and Operations (VAO) Group, part of the Information Assurance Directorate at the National Security Agency. The mission of the VAO organization is to identify, characterize, and put into operational context vulnerabilities found in the technology, information, and operations of the DoD and the national security community and to help the community identify countermeasures and solutions. This group is known for its work developing and releasing security configuration guides to provide customers with the best options for securing widely used products. The VAO Group also helps to shape the development of security standards for vulnerability naming and identification, such as the Open Vulnerability and Assessment Language (OVAL), partnering with National Institute for Standards and technology (NIST) on the Information Security Automation Program (ISAP), developing the eXtensible configuration checklist description format (XCCDF), and for hosting the annual Cyber Defense Exercise and the Red Blue Symposium. Mr. Sager is active in the public network security community, as a member of the CVE (Common Vulnerabilities and Exposures) Senior Advisory Council and the Strategic Advisory Council for The Center for Internet Security. He is in his 29th year with the National Security Agency, all of which he has spent in the computer and network security field.