DEFCON7 / BlackHat 1999

The Blackhat Briefings and DEFCON 7.0 were held in Las Vegas this month. BlackHat is a "serious" computer security conference, while DEFCON is a hacker conference. However, much of the same topics were discussed and some speakers attended both conferences.

BlackHat distributed binders with a good many of the slides from the presentations; these may or may not be available online. Some speakers have their presentations on their home websites, I think. Ask if you want to see the slides.

Blackhat was held at the Venetian in Las Vegas, a new hotel/conference centre with an extravagantly opulent decor (see the Lobby Photo). However, the conference was marred somewhat by repeated alarm system tests over the PA system, the casino (placed between the accommodation and the conference centre) smelled strongly of something like hair oil, and I ended the second day with a severe headache. Here's a photo of the large ballroom, used for Track A and keynotes.
I missed all the bad weather - as someone pointed out, casinos are supposed to insulate people from the outside world. When we emerged, water was cascading down the parkade stairs and they'd had to sandbag the elevators.

BlackHat

More detail is available in the Speakers Schedule at the Blackhat site. I attended the

flagged talks.

First Day:
09:00 - 09:40
First Keynote Address - Dr. Jeffrey A. Hunker, Introduction by John Davis

Dr. Hunker talked about the possibility of cyber war, based on some Washington thinktank studies reported in Wired magazine last year I think. The US Federal government has some plan supposed to be complete in 2003 to address some of the problems; discussed a 10-point plan to detect intrusions, report, recover etc. See www.ciao.gov. Buzzwords NIPC - National Infrastructure Protection Center(s), ISAC - Information Sharing and Assessment Centre(s)

09:40 - 10:20
Second Keynote Address - William R. Cheswick, Security Ideas from all over

Bill gave a talk about mapping the Internet from his base inside Lucent. Very sophisticated multi-threaded tracing algorithms. Take my maps on sitka/net and multiply by 2000. He showed some big PostScript maps which will probably be available commercially as posters sometime soon. See his site at Bell Labs. This one may still be in the TRIUMF web cache. (430Kb GIF)

10:40 - 12:00
Track A & B - Bruce Schneier - Mistakes and Blunders: A hacker looks at cryptography

Bruce talked about the problems of doing cryptography properly (very hard) and basically said that only open-source crypto and random-number generators could be trusted (or at least open to peer review). He likened (as I recall) regular programming to "programming Murphy's computer" and crypto to "programming Satan's computer". Interesting date factoid - the Verisign root key (used to authenticate many e-commerce sites) will expire sometime.
Criminal network attacks - like hikers being chased by a bear - "you don't have to outrun the bear, you just have to outrun the other hikers".
Bruce has a good website at counterpane.com, with an interesting crypto newsletter.

Track C - Panel - John Davis, William Ozier - The panelists will provide a short overview of risk from the environment of your corporate infrastructure. They will then discuss what are the concerns from external & internal viewpoints with management and technical points of concern.

12:00 - 13:20
Lunch + Richard Thieme - Remote Viewing, Actionable Intelligence, and Complex Networks

13:30 - 14:30 Track A - Simple Nomad - Modern NetWare Hacking

I didn't see this one, but I have the slides. He presented a GUI Netware hacking/security tool.

Track B - Sarah Gordon - Viruses in the Information Age

Sarah talked about viruses, the virus-writing culture (which is still somewhat distinct from the hacker culture), and a profile of virus creators. Apparently most virus writers are normal, intelligent, socially well-adjusted teenagers. Older virus writers are a bit weird (not socially responsible ?)

Track C - Jim Litchko - Total BS Security: Business-based Systems Security

14:40 - 15:40
Track A - Rooster - DNS security issues

CISCO routers - can update route map with tftp; people often lazy about setting passwords.
SNMP - lots of information here - don't use "public" and "private" for names.. need ACL to block SNMP put and tftp access, need ACL to avoid spoofing - block inside addresses from outside etc. Need proper logging. Switches are better than hubs.

Track B - Marcus Ranum - Burglar alarms and Booby Traps

Marcus talked about network burglar alarms, like "putting a hand grenade under the stereo". He said that in high-end physical alarm systems it was usually more effective to trap the dresser drawers and the jewel case than trap the external doors, and that the same thing applies to network systems. You don't initially care how someone broke in, you just want to know that they did. Some of you may have come across "ifstatus" at TRIUMF, which is a simple alarm watching for packet sniffers.

Track C - Teresa Lunt - Taxonomy of Intrusion Detection Systems

Teresa talked about intrusion detection systems, and some efforts to set up a common intrusion detection mechanism. She presented some material showing that common commercial keyword-based detection systems typically detect 20% of attacks, with a 1% false positive fate, while the best research systems detect about 60% with a 0.02% false positive rate, so there is room for improvement.

16:00 - 17:00
Track A - Brent Huston - Appliance Firewalls: A Detailed Review

Brent talked about several Appliance Firewalls - a supposedly turnkey firewall in a box - such as Phoenix, Interceptor, Firebox. Prices range from $650 to $25,000

Track B - Peter Stephenson - Introduction to Cyber Forensic Analysis
Track C - Rebecca Base - Security (or the lack thereof) and ?Our Friends In Redmond?

17:10 - 18:10
Track A - Dominique Brezinski - Building a Forensic Tool kit That Will Protect You From Evil Influences

There were several talks on this topic and some schedule changes; I forget who said what. One speaker (Dominique I think) talked about building a forensic toolkit from statically linked binaries on a CD-ROM. The intent is to maintain a clean set of tools (ls, ps etc.) that have not been compromised with which to investigate a possibly compromised system. This is apparently difficult in NT since DLLs in the system cache have precedence over ones on disk and special steps must be taken to purge them.

Track B - Panel: Competitive Intelligence -
Track C - Jon David - Putting Intrusion Detection into Intrusion Detection Systems

18:10 - 20:00
Catered Reception - Unwind with an open bar and food. A good starting point for the rest of your evening in Las Vegas!

Bill Cheswick brought his Internet maps for everyone to look at

Thursday, July 8th

09:00 - 09:40 Keynote Addresses
Track A, B & C - Dr. Mudge -

Mudge gave an interesting talk - L0pht is maybe going public, or at least serious. He says managing hackers is like "herding cats". Other quotes:
- "Senior management are really bright people, but so buffered from the real world they have no idea what's going on."
- "Big suid binaries (RCS, CVS etc.) are impossible to secure".
- "Quick and dirty fixes are always permanent"
- "People are poor sources of entropy" - e.g choosing keys, passwords
He announced a new tool, soon available off l0pht.com, called "ANTISNIF", capable of detecting Ethernet sniffers.
He pointed out that both Sun and Microsoft have given source code to Universities in the past, so that if you think the worng people don't already have source code you are deluded.
There's some old stuff on ZDnet with Mudge; see here.

09:50 - 10:50
Track A - JD Glaser - Auditing NT - Catching Greg Hoglund
Track B - Larry Korba - Hope, Hype, Horrors... E-Commerce Explored
Track C - Ira Winkler - The Road to Riches

11:00 - 12:00
Track A - Eric Schultze and George Kurtz - Over the Router, Through the Firewall, to Grandma?s House We Go
Track B - Adam Shostack - Towards a taxonomy of network security testing techniques
Track C - Rob Karas - Open Source Monitoring

Not what it seems. Rob talked about monitoring public media (clipping services) for misleading or damaging material about a company which might affect its image or stock price, and responding quickly to Usenet postings etc.

12:00 - 13:20 Lunch + Meet the Fed Panel

Met some guy who used to work in some security agency somewhere; mentioned crypto chips used in secure phone or something made in a secure wafer plant for the CIA which were tamper-proofed by chemical means - any attempt to cut open the chip would release some acid or something which would destroy the etched area. Security freaks and hackers are also into guns it seems - at least in the US (and Alberta). One pair had 7 guns between them. Apparently in Las Vegas one can rent a submachine gun for an afternoons firing practice (I didn't bother).

13:30 - 14:30
Track A - Peter Shipley & Tom Jackiewicz - Security issues with implementing and deploying the LDAP directory system
Track B - Mike Schiffman - The Firewalk tool

Mike presented a tool which could be used to map a network inside a firewall. As I recall, it uses a traceroute-like technique to map towards a given node without actually contacting it, and may be tuned to use arbitrary ports which are allowed through the firewall.

Track C - Scott Culp - Building a Security Response Process

14:40 - 15:40 Track A - David Bovee - VPN Architectures: Looking at the complete picture
Track B - Eugene Schultz - Security Issues with configuring and maintaining an IIS 4 server
Track C - Padgett Peterson - Overlooked Local Attack Techniques

Padgett talked about defending a network from attack. "Defenders need to close all holes, attackers need to find just one."
Perimeter defense - easiest and most cost-effective.
Desktop defense - can't update quickly, if at all.
Factoid - some firewalls strip bit 16 of port number, so can maybe come in on (unsecured) port 32791 as telnet (port 23)
problems with email attachments. I think it was Padgett said he'd block all email attachments, period. Some Windows boxes are set to automatically execute certain programs without even asking, if they are "trusted".
Need two, maybe 3 crisis management teams. The Melissa virus crisis lasted 5 days at some sites.

16:00 - 17:00
Track A - Ed Gerck - Overview of Certification Systems: x.509, CA, PGP and SKIP
Track B - Greg Hoglund - 1000 Hackers in a Box: Failings of "Security Scanners"
Track C - Jennifer Grannick - Forensic Issues in Hacker Prosecutions

Jennifer comes from the legal side and talked about tracing, etc. (in the US).
Can get a subpoena to examine logs - most ISPs will cave in and release logs as a matter of course, and don't need to tell the people involved. If they do tell, can move to quash the subpoena.
Wiretaps need a court order, issued only for stuff like drugs, terrorist activity. Required to look at mail in transit. Can only listen to things mentioned in the order.
Employers can monitor logs, mail etc. for "reasonable business purposes" - statistics, security, fraud etc. To read mail at its destination, need a search warrant under ECPA - electronic privacy act in US.
Employees may have "reasonable right of privacy" in email unless their site policy, conditions of hiring etc. say otherwise. Scanning email for viruses is probably covered under "reasonable business practice".

17:10 - 18:10
Track A - Batz - Security Issues Affecting Internet Transit Points and Backbone Providers
Track B - Jeremy Rauch - How responsive are vendors to security problems when they aren't being pressured by someone threatening to go public?
Track C - G. Alec Tatum, III & Rich Alu - Managing the External Environment

intelagts.com are a couple of ex-FBI guys who talked about dealing with threats in the real world. They represent a service you might call if you don't want to involve government agencies - someone talked about the "garbage bag" syndrome where the Feds would come in and take away your infrastructure in green garbage bags so that your business goes down the tubes anyway. (Apparently they are now much better and are capable of just making disk copies.)
"80% of security problems are from inside", "85% of attacks are handled internally".
"It takes 30 seconds to pick a Master lock"
Disaster recovery plan - keep stuff off-site

18:20 - Closing

Bill Cheswick again; gave a humorous talk with slides of "perimeter defenses" - great wall of China, flowerpots outside the Capitol Building in Washington, Edinburgh Castle, UK Houses of Parliament - stick barrier "shows intent", not really going to stop someone - phone down the road to the army barracks to say "someone broke my stick". Heidelberg castle 1622 - fell to 2-month siege - "denial-of-service attack". Edinburgh Castle fell to Edward I "Hammer of the Scots" (a good hacker name) who used "social engineering" to breach the defenses (started to slaughter the townspeople).
Castle failure modes: #1 - denial of service, #2 - inside job
Monocultures are dangerous - Java, Windows, RedHat Linux

DEFCON 7.0

DEFCON attendees were big on teeshirts with appropriate text. There's a few pictures from DEFCON and Las Vegas here (apologies for quality).

Schedule cribbed from the Speaking Schedule at defcon.org.

The "big event", reported on CNN, Wired, etc., was cDc's release of Back Orifice 2000. Perhaps surprisingly, BO2K is less "evil" than its predecessor and is packaged as a remote administration tool for Windows 95, 98 and NT (it does not self-install as a trojan). It's also gone open-source. However, there's still plenty of scope for abuse with all the usual BO stuff like keystroke logging, Windows password "decryption" etc.

Cult of the Dead Cow - BO2K!
What will we be doing? R0xiN the HAU-aus, BIzaTch!!!@@!2121lf... But that goes with out saying. In addition to the rocking of the aforementioned house, we will also be releasing BO2k. We won't reveal our sekrets of BO-Fu, but trust me when we tell you that it will make BackOrifice v1.0 look like LOGO for the TI99/4a.
Founded in 1984, the Cult of the Dead Cow (cDc) is the oldest group still active in the computer underground; the only group (aside from a few layme p1RaT3 gR0oPzZz) with a female group member; the only group to host its own annual HoHoCon hacker convention; and, with over 300 text files in circulation, the most prolific group. cDc is definitely cooler than the Legion of Doom (LoD), and more importantly, our T-shirts are more colorful. We also have stickers.
Great, you may say, but have we ever disrupted communications on two continents by moving telecommunications satellites? Mhm. Hacked computing resources belonging to the three-letter agencies and the Pentagon? Yep. Altered environmental controls in local malls via modem? Done that. But unlike other hacker groups you've undoubtedly read about, we've never been caught.
With qualifications like these, it's not surprising that over the past few years, the media has looked to us as the darling boy (and girl) torch-bearers of the DIY-cyber-hacker-underground movement. It's our unfortunate cross to bear. But as the whole of Generation X follows our lead into the new millennium, we feel it is our duty to our peers to maintain the struggle and "raise high our freak flag," as it were. On their behalf, we intend to dominate and subvert the media wherever possible. Information is a virus. And we intend to infect all of you.

BO2K links:

www.bo2k.com
mcafee.com
datafellows
sophos
iss.net                                     
norton.com

Ira Winkler - The myths associated with hiring hackers.

While Ira Winkler is not an advocate of hiring your off the street hacker, he has come to the opinion that many of them are more useful than people who call themselves security professionals. He believes that compounding the problems are bureaucrats who don't understand the problem, and try to form solutions without thinking. For example, the Critical Infrastructure Assurance Office (CIAO), formed by a Presidential Directive to help protect the Critical Infrastructure, was considering a plan to recruit a group of teenagers who they would guide through their college careers to be the Info Warriors of the future. Ira talks about the myths associated with hiring hackers and security professionals, as well as the problems with the efforts to supposedly protect the Infrastructure. An "Are you Clueless?" test for "Security professionals" is given. Also recommendations to excel in the corporate world are given for hackers who are really skilled.

Ian Goldberg - Zer0knowledge Network (zks.net) Using the Internet Pseudonymously: One Year Later

I didn't get to this one due to track conflict, but chatted afterwards. ZNS sounds really cool - proper anonymity with client-side encryption, multiple traffic paths, plausible deniability etc.

Last year we told you about the plans for the Freedom network from Zero-Knowledge Systems: user-trivial, strong-crypto, pseudonymous use of the Internet. See how far we've gotten now. We will present the current status of the network, and discuss the challenges and obstacles we've encountered along the way.

Jason Scott - TEXTFILES, G-PHILES, AND LOG FILES: Remembering the 1980's Through ASCII
In the 1980's, life started to move online, bringing with it all the wonder, terror, and breadth of human nature. Most markedly, an entire generation of teenagers turned their energies and efforts onto this growing culture and turned the world of Bulletin Board Systems into a combination street corner and clubhouse, sharing their knowledge, lying and bragging into infamy, and creating a shared experience that lasts in their hearts and minds to this day as they become the foundation of the Internet Society.
While the unique forces that combined to make BBSes the experience they were have since shifted and formed other cultures in the years since, a feel for the 1980's can be found in the Textfiles (also known as g-files or 'philes') that nearly every self-respecting BBS traded, offered, or created as a matter of gaining notoriety (and more importantly, callers) in a sea of similar voices. In these textfiles, readers can reminisce or learn anew about what the BBS experience meant to those who lived through it, and easy parallels can be drawn to the 'scenes' that are now thriving online today.
This talk will attempt to give historical perspective and narrative to the BBS 'scene' of the 1980's, presented by a user who was around for a good portion of it and took notes. Expect shouted refutations from the audience and eerily familiar battles waged across the message boards to live again.
Jason Scott (Formerly The Slipped Disk) has been an observer and participant in the world of BBSs since about 1982, cutting his teeth on Boards such as OSUNY, Sherwood Forest II and III, Milliways/Outland, The Dark Side of The Moon AE/BBS, as well as hundreds of others. His experience in BBS culture of the 80's ranges from Compuserve and The Source to Deversi-dials, AE Lines and anything else that gave a carrier when you called it. He is best known as the SysOp of The Works BBS, a textfile-only board that he ran from 1986-1988 before switching to SysOp-At-Large from 1989 to the present. Realizing an entire generation's shared lore was being diluted and lost, he has started the site www.textfiles.com, dedicated to preserving all things ASCII from the 1980's. This web site is slowly killing him.

Simple Nomad - Overview of activities at the Nomad Mobile Research Centre.
Simple Nomad will give an overview of activities at the Nomad Mobile Research Centre, provide status on several projects, and give a detailed overview of NMRC's latest Netware hacking tool, Pandora. The new version of Pandora sports a "point, click, and attack" GUI interface, and works against Novell Netware versions 4.x and 5.x.
Simple Nomad is the author of several FAQs on hacking, including "The Hack FAQ" which is a combined FAQ covering Netware, NT, Unix, and web technologies. The Nomad Mobile Research Centre is a non-profit organization dedicated to independent computer security research, with a focus on corporate-deployed commercial file servers.

Cyber - How to use BSD to set up a firewall/gateway.
This talk will cover the basics of using free software to setup a firewall/gateway machine. Basic concepts will be reviewed, and why certain things are important will be covered. Ideal setups as well as practical solutions will be discussed. Step by step instruction with examples will be given. Q/A will be done time permitting, slides will be availible online.
Erik has done computer security for a number of years. He has added crypto layers to existing products, as well as designed and implementedthe security authentication and authorization model for an internal account control system for a major US bank. He currently works as a consultant for KPMG LLP.

Freaky - Macintosh Security.
From the Author of Freaks Macintosh Archives, Freak will be hosting a topic this year at the con about macintosh security, the programs out there and their flaws. Some new programs will be released for the macintosh platform to help secure your MacOS. And more programs will be released to Exploit your mac and many other platforms.

John Q. Newman -
Security Experts Panel - Growing on the popularity of last years panel discussion of security issues and audience Q&A, this years panel will be organized by Alhambra, and currently includes the following speakers:
Sarah Gordon - Viruses on (and off) the Internet. Panel Session.
Computer viruses are currently freely available on the Internet, as well as via various mailing lists. The recent Melissa virus incident has focused attention on some issues surrounding the public availability of viruses. The panel (representing virus writers, antivirus product developers, open source advocates and academics) will represent a wide range of views on topics such as: "Is it cool to make viruses available via the Internet? Is posting of viral source code to mailing lists as a 'necessary evil' which can force developers to improve products. Should virus writing itself be illegal?". We want to hear *your* views, too, so the session will end with Q&A Interactive.
Sarah Gordon graduated from Indiana University with special projects in both UNIX system security and ethical issues in technology. She currently works with the anti-virus science and technology R&D team at IBM Thomas J. Watson Research Center. Her current research projects include development of antivirus product certification standards, test criteria, and testing models. She has been featured in publications such as Forbes, IEEE Monitor, The Wall Street Journal, and WIRED, and is published regularly in publications such as Computers & Security, Network Security Advisor and Virus Bulletin. She has won several awards for her work in various aspects of computing technology, and volunteers in an advisory capacity to Virus Bulletin, The WildList Organization, and The European Institute for Computer Antivirus Research.

Richard Thieme - Trust, Betrayal, and Nested Levels of Loyalty: Who Do We Think You Are and How Do We Think We Know?

"Spot the Fed" is a Def Con game, but anyone who has been invited to visit the local FBI office for a focused conversation or has watched helplessly as their hard drive is carried into the night, wrapped in a search warrant, knows it isn't just a game. The threat of hard core hacking in a wired world is not some trophy hunter hoping to impress his friends: it's the real threat to the infrastructure of nations and the global economy that can be used to leverage the power of blackmail, sabotage, and terrorism. Under the cloak of Y2K paranoia, in a world that is increasingly gray, it pays to know who we can trust. After all, we have to work in "trusted networks," a handshake is the basis for capitalism, and identity and self are decisions rather than discoveries in a digital environment. So who do we think you are, and how do we think we know? Who are you, anyway? And who in the hell are we?

Jericho- Fakes Walk Among Us.
The recent explosion of the security industry has found itself littered with newcomers, all 'experts' in the field. Unfortunately, many of these 'experts' are nothing more than self proclaimed windbags that are no more qualified to help you with security than your local 6 year old. How do these charlatans manage to find work? Why are they accepted? More important, how do you distinguish legitimate security professionals from the fakes? These are valid concerns in today's security community. Answers to follow?
Jericho is a security consultant (read: not an expert) working almost full time these days. His travel has taken him to standard corporate networks, to consulting for wacky spooks that everyone fears. On top of run-of-the-mill consulting, he has participated in network analysis via penetration testing, computer forensics and more. He hates crowds. :)

Prof. Feedlebom- Followup on Micropower Radio.
Last DefCon, Prof. Feedlebom led a discussion on Micropower Radio that kinda glossed over a lot of the technical details. This year, he returns to discuss in more detail some of the things required to place a micropower station on the air. Will also include a short synopsis on the current state of Micropower Radio, including the effort to legalize it in the United States. Handouts from last year's session will be available for those who did not recieve them in the mail (sorry).
Prof. Feedlebom has operated The Voice of Mercury and the Desert Crossing Radio broadcasts for the last five years. While he's taking the year off this year from the Big Broadcast, he has been responsible for strange radio emissions that have been heard in Los Angeles and Kern Counties on a variety of frequencies. He also acts as the chief engineer for Radio Invasion, a former micropower station now broadcasting through Real Audio.

Dr. Byte- IPv6: Who/What/When/Where/How/Why.

"Goldilocks problem" in IPV4 - class A is too big, C is too small, B is just right - not enough class B. IPV6 is supposed to solve these problems by generating a 128-bit address space - offering 100,000 addresses for every person on the pl;anet for the forseeable future. Will offer roaming IP addresses, unicast, multicast & anycast, authentiation, ability to turn on a laptop in a hotel lobby, have it find an IR hub and automatically connect using its own IP address.

The Internet Protocol has undergone substantial changes in past few years from version 4 (Classical IP) to version 6 (Next Generation IP). This presentation will overview who's using the new protocol, what the new protocol's features are, when it will become mainstream, where it's being deployed, how the transition from IPv4 to IPv6 is planned, and why we need a new fundamental protocol on the Internet. This speech will contain many technical details and will assume the knowledge of the basics of TCP/IP.
Dr. Byte is a Ph.D. candidate in Computer Engineering and an instructor of Computer Engineering at a major university. He received his B.S. and M.S. in Computer Engineering in 1994 and 1997 respectively. For his M.S., he worked with a real time bit error rate simulator, and developed a next generation real time hardware system for bit error rate simulations. He has developed a 16 bit RISC microprocessor in VHDL in a Field Programmable Gate Array (FPGA) able to run compiled 'C' code. His research interests include developing a taxonomy of attacks and applying it to different network environments. He has co-authored 3 papers on IEEE 802.11 and IPv6.

Christian Hedegaard-Schou - What is opensource?
This talk will focus on what opensource is, what it isn't, debunking some myths, showing some examples, and giving reasons why opensource is ready for the real world. This talk is primarily aimed at government and corporate IS/MIS/IT staff and managers, but anyone who's curious as to what this "open source" thing is they've heard so much about in the past months are encouraged to attend.
Christian Hedegaard-Schou I is a private contractor and consultant who first embraced opensource about 5 years ago when he discovered linux and installed it over his DOS partition. He's never gone back. Since he first discovered linux he also played with FreeBSD and NetBSD on various architectures, and has been a proponent of Free software, GNU, and the newly defined "open source" movement.

V1RU5 - Lock Picking explored
14 years as a professional magician, V1rus will assist on the Lock picking class and will talk about Hand cuffs, and how to improv picks.

Craig H. Rowland - How to be aware of security problems on your network.

Craig talked about some security products (portsentry, hostsentry) available through psionic.com, for logging TCP/UDP port access and login/logout anomalies. I'll probably be evaluating these.

A critical component of network security is being aware of what is occurring on your systems so you can spot security problems before they become a big headache. The Abacus Project is a suite of free security tools that allows administrators to monitor critical aspects of system operations on a variety of Unix hosts to help increase their awareness.
The core components of the project attempt to address the more common indicators of an attack such as: 1) Strange messages in audit files indicating errors or invalid input that indicate security problems. 2) Port probes that are a pre-cursor to attack and compromise. 3) Compromised user accounts and suspicious user activity.
The three currently released tools address the above issues using generic techniques that work on a number systems. These tools are: Logcheck, PortSentry, and HostSentry.
This talk will detail why it is important to watch your systems closely for problems and how these and other free security tools can help bolster your site security using a variety of simple techniques.
Craig H. Rowland is a security software developer and consultant currently working for Cisco Systems Inc. His area of focus falls into network attack tool programming and intrusion detection systems. He is the author of several free security tools on the Internet and maintains the Psionic Software website to distribute security tools, papers, and advice.

Steven Alexander- Firewalls: Trends and Problems.
This talk will cover some of the new firewalling trends and how many of them are detrimental to security. The focus of this talk will be on how the discussed trends work and how they can be used by an attacker to defeat security, and how security problems can be avoided. The discussion will not cover specific products in order to allow anyone to apply the subject matter to their current configuration.
Steven works for a small ISP, attends his local college as a math major and spends his free time studying cryptography.

Robert Lupo -Introduction to computer Viruses.
This class covers how different virus work and how to defend agent them, including: Boot Sector Virus, File infecters, Multi parti, Macro, and Fakes in the world.

Michael J. Martinez - Hackers and the Media: A Love-Hate Thing.
For hackers, contact with the media is both exciting and frustrating. Everybody loves to grab that 15 minutes of fame and set the record straight, but the media has this annoying habit of getting things wrong, at least from a hacker's point of view. Mainstream reporters feel the same way -- hacking is cool, sexy, and guarantees readership. But hackers are so evasive, way too full of themselves, and then there's this godawful technology to try to understand. How can reporters and hackers work together, or at least understand each other?
Michael J. Martinez reports on technology for ABCNEWS.com. In addition to covering more mainstream issues, Martinez has written about hacker culture, the VX community, the Pentagon's "cyberwar" problems, and the Melissa virus. His articles have been featured on Slashdot and the Hacker News Network.

Steve Mann - Inventor of the so-called "wearable computer"

Steve Mann's talk was disturbed by someone running a denial-of-service attack against an upstream router, so we had questions first followed by the presentation. Dr Mann was in Toronto, linked by a speakerphone and a webcam-type link (not H.323 or Mbone) to his eyeglass-mounted camera. See wearcam.org for photos, etc.
Dr Mann is somewhat of an eccentric (or visionary..) with strong views on open source software, advertising, privacy etc. One of his ideas is to use his eyetap camera to filter out advertising (spam) from the real world, by recognising, say, Cola billboards and replacing them with neutral images.

Steve Mann, inventor of the so-called "wearable computer" (WearComp) and of the EyeTap video camera and reality mediator (WearCam), is currently a faculty member at University of Toronto, Department of Electrical and Computer Engineering.
Dr. Mann has been working on his WearComp invention for more than 20 years, dating back to his high school days in the 1970s. He brought his inventions and ideas to the Massachusetts Institute of Technology in 1991, founding, what was to later become the MIT Wearable Computing Project. He also built the world's first covert fully functional WearComp with display and camera concealed in ordinary eyeglasses in 1995, for the creation of his award winning documentary ShootingBack. He received his PhD degree from MIT in 1997 in the new field he had initiated. He is also the inventor of the chirplet transform, a new mathematical framework for signal processing. Mann was both the founder and the Publications Chair of the first IEEE International Symposium on Wearable Computing (ISWC97).
Mann has chaired the first Special Issue on Wearable Computing in Personal Technologies Journal, and has given numerous Keynote Addresses on the subject, including the Keynote at the first International Conference on Wearable Computing, the Keynote at the Virtual Reality conference, and the Keynote at the McLuhan Conference on Culture and Technology, on the subject of Privacy issues and Wearable Computers. He can be reached via e-mail at mann@eecg.toronto.edu

Cyber - What are public keys?

Peter Shipley - Intro to TCP/IP exploits.

Gh0st - Phreaking and PBX tricks

Dead Addict -After working for The Man (TM) for several years, DA is finally working for the little guy - implementing worldwide financial systems for multinational banking corporations.
He will speak on currency systems, credit systems and associations, SET technology, its message flow, crypto usage, implementation issues, and surrounding industry issues. He will alsobriefly discuss security issues with current ecommerce implementations.

Dead Addict talked about SET (Secure Electronic Transactions or some such), which is the credit card processing scheme endorsed by MasterCard etc. Seems it's more advanced in Europe and Asia than North America. SET takes the credit card information out of the hands of the merchant and encrypts it straight to the bank, so is much more resistant to hacking. Only for credit cards. See setco.org.
"Nobody cares about privacy".
Credit card - fraud in face to face transactions relatively low. Merchants must pay more for mail order/telephone/net transactions to cover fraud. SET, e-commerce etc. is waiting for Y2K to blow over.
Current situation - sniffing transactions not a real problem so SSL not really needed, but if a site doesn't have SSL it probably has a really weak back-end.
Probably get certificates from issuing bank. Can maybe store certificates on remote secure server instead of having to secure your PC.
May end up with smartcards - SET has smartcard extensions.

Winn Schwartau - HERF Guns, EMP Bombs and Weapons of Mass Disruption (UnClassified)
At DefCon III, Winn Schwartau talked about High Energy Radio Frequency Guns, Electromagnetic Pulse Bombs and assorted nefarious weapons. Trouble is, the government doesn?t admit to a thing. However, through constant research, he has found more than the government would like.
The August issue of Popular Science, due out on or about July 15 will feature Schwartau?s article on these emerging devices - but you will get an early peek at DefCon 7 on Saturday afternoon. Russian HERF and EMP devices for sale world wide. Some are even on the Internet! Terrorist level weapons made in a garage for less than $500 and put out an E field in excess of 1MV/meter. A video of real HERF at work. Be ready with your questions and Schwartau, as usual, will have answers.

Deanna Peugeot - Embedded systems hacking.

Not "how to hack embedded systems", but "how to make an embedded system with which to hack something else". Over the heads of much of the audience, I think, as it concerned picking up a soldering iron and building a computer - well, something with a CPU, ROM, RAM and Ethernet - or buying a demo board from Nat. Semi. or someone. The basic idea was to build an Ethernet sniffer or keystroke monitor that was planted using a bit of social engineering, then later retrieved. Deanna works (worked) on modems in real life.

Embedded systems can often go where the average hacker cannot. They don't reside on the server to be detected by a vigilant sysop, nor do they need the dedicated resources of a computer. But no one in the hacking community seems to be taking advantage of this arena. This will cover the possible uses for a custom embedded system and how to go about creating it.

Bennett Haselton and possibly Brian Ristuccia - The "Anti-Censorship Proxy" and technological circumvention of Internet censorship.
Brian Ristuccia's Anti-Censorship Proxy (ACP) is a tool for circumventing network-level Internet censorship. It combines functionality of older software such as PGP, Anonymizer, and steganography software, enabling Internet users to bypass firewalls and proxy servers without detection. ACP can be used to circumvent firewalls used by China and Saudi Arabia to block criticism of their governments, or to bypass software used in American schools to censor pages about contraception, animal rights, and many non-Christian religions.
These countries and institutions are likely to crack down on the use of such software, provoking an "arms race" between ACP developers and their opponents. (The use of strong encryption in ACP may even conflict with some countries' import/export regulations.) This talk will describe the ACP and look at some of the directions that such an "arms race" might take, as well as describing real-world implementations of network-level censorship (in China, Serbia, the Middle East, as well as many U.S. schools), what kind of content is censored, and how the ACP could be used to bypass these restrictions. More information at http://ians.978.org or http://www.peacefire.org/bypass/Proxy/
Bennett Haselton has been publishing studies of Internet censorship software since 1996. His reports have been used as evidence in First Amendment court cases filed by the ACLU and People For the American Way, and he has been invited to speak on Internet censorship at Computers Freedom and Privacy 99, the American Library Association national conference, the ACLU of Ohio annual conference, InfoWarCon 99, and Spring Internet World 99. Peacefire's reports criticizing censorship software have been featured on CNN financial news, MTV, Court TV, and MSNBC.

R - The Defcon Proxy Server.
R will give an overview of the Defcon Proxy Server - what it is, how it came to be, and how to access and use it. Don't want your boss to know where you're surfing to on his dime? Would you like to anonymously view your artwork after the fact? If this is you, don't miss this informational talk. It will cover new features and access policies.
Rstarted out in life as a BBS operator in 1989. After setting up Unix boxes to provide Usenet and Email via UUCP for his customers, he gave out shell accounts on the same machines - and after cleaning up that mess, he was a Security Expert! He also authored the first Windows based email application and roaming code for American Mobile Satellite Corporation and the Trimble C/GPS transceiver, and was head of Network Security for Telegroup, Inc.

Mr Phillip J. Loranger - The United States Army. The ethics/morality/practicality/patriotism of hacking.

Angus Blitter - Fear and Loathing in Cyberspace: The art and science of enemy profiling Quickly identifying your opponent, in any conflict, can mean the difference between success and failure. Knowing their capabilities, resources and limitations can provide the tactical advantage. The lack of this type of decision support is a serious deficiency in most information warrior's arsenals. Relying on single source intelligence is pure folly. Charlatans and carpetbaggers are salivating at the millions in government and corporate dollars earmarked for such a competitive advantage. Our discussion will provide a working definition for "profiling", how it is used and why it effects everyone!
Angus Blitter is the founder and Grand Poopa of HSK.

Daremoe - The Firewall Appliance: Friend or Foe?
An introduction to appliance firewalls. What they are, how they work and what you can expect when you encounter them in the wild. These "new breed" firewalls are popping up everywhere, so be prepared when you meet them...
Daremoe is the Alpha-Dog of the WolfPak, a "614 based group of security minded individuals". He is an independent computer security consultant with over ten years experience in e-commerce. He has just completed a comprehensive evaluation of appliance firewalls and their market.

Charles Faulkner - Hacking Human Minds
Human expertise is not found in the sum of explicit practices or algorithms. It's in the experience, mental models and heuristics of individuals. Invisible to current Knowledge Engineering, psychology and (most) linguistics, these 'rules of thumb' are available (can be hacked) through specific pragmatic, syntactic, and semantic 'filters/handles' that can be detected, influenced, and transferred. Applications / instantiations to humans achieved. Computing and human/computer interface applications sought.
Charles Faulkner is a hacker (modeler, in polite society) of human experience and expertise whose projects have included language acquisition, futures trading, metaphoric communication, and object oriented software testing.

Michael Peros -Privacy Electronics - Detecting wiretaps
This year I would like to speak about how to identify body wires, recorders and government informants. Also I have verified from a very reliable source that President Clinton passed a wiretap bill through executive order of the White House allowing the Federal Government to Wiretap and intercept electronic-oral communication without a warrant. This came into law as of January of 1999. He did not have to go in front of the congress to bring this into law.
Michael Peros can be reached via email, Gail Thackeray - Maricopa Count Prosecutor,AZ - Kevin Higgins - Nevada Attorney General -

Each will do a brief thing on a topic near & dear to their hearts, and then open the session to an "ask the prosecutor" Q & A so people with Burning Questions can ask about whatever interests them.

James Jorasch - "Hacking Las Vegas."
If you missed it last year, don't miss it this year. Excellent.

Peter Stephenson - Principle consultant of the Intrusion Management and Forensics Group (IMF). Introduction to Cyber Forensic Analysis

An interesting talk about forensics.
"only" 4 attacks - denial-of-service, sicial engineering, technical, and sniffing.
ECPA issues - need a policy to investigate logs - banners may work. may need signed agreements from employees to read content.
Forensics - must not contribute to evidence. Procedure for a DOS box - power down then boot a disk-image-copy program e.g. NII or NTObjectives. Maintain chain of custody. Disk treasures - swapfiles, cache, slack space, unallocated space. Linux, Solaris, ditto for disk image then analyze copy on another box.

This session will address the techniques used to investigate network-based intrusions, especially those originating from the public Internet. Emphasis will be on techniques that provide an acceptable chain of evidence for use by law enforcement or in anticipation of civil litigation. We will cover back-tracing, forensic tools, end-to-end tracing and evidence collection and preservation as well as the forensic use of RMON2-based tools for documenting the path of an attack.
Peter Stephenson is a well-known writer, consultant and lecturer with an international reputation in large scale computer networks and information protection. He has lectured extensively on network planning, implementation, technology and security. He has written or co-authored 14 books (including foreign language translations) and several hundred articles in major national and international trade publications. He is the principle consultant for InfoSEC Technologies division of Sanda International Corp.
Mr. Stephenson has participated in investigations of computer system intrusions, Internet misuse and abuse and has performed forensic analysis of computer disk drives as well as backtracing analysis of intrusions coming from the Internet. He has used forensic techniques to recover lost data from computer disk drives.
Stephenson is a member of the Information Systems Audit and Control Association (ISACA), the Information Systems Security Association (ISSA) and the High Technology Crime Investigation Association (HTCIA). He provides volunteer assistance on request to the Michigan State Police and other law enforcement agencies. Natasha Grigori - Founder, Anti Child Porn Militia (ACPM) - ACPM Grand Announcement

The Anti Child Pornography Militia will be making a showing at the 7th Annual DefCon Conference in Las Vegas, Nevada on July 9th - 11th. The ACPM will be actively recruiting individuals sympathetic to our cause and willing to take an active role in the battle to eliminate child pornography from the Internet.
"We have big plans for DefCon", says Natasha Gregori, founder of the ACPM, "Not only will we be recruiting from a Hospitality Suite at the Convention, and seeking sponsors and allies; Plans are in the works for ACPM to make a presentation during the three day event, and be introduced by a major personality in the community."
The Defcon Conference will also signify the commencement of operations for ACPM, after 5 months of preparation, organization, and amazing growth from its original one-woman cause.
"I feel confident that the kick-off will be a success," Lawless, Director of ACPM Education, "from there, we will begin entering the political arena, lobbying for tougher enforcement against child pornography online, while assisting in any way possible with current enforcement."
The Anti Child-Pornography Militia (ACPM) is an organization committed to removing child pornography from the Internet. Child Pornography is readily available on the Internet from Usenet, web sites, and chatchannels. These photographs of children, used to feed the grotesque sexual desires of pedophiles, contribute to the rising numbers in child sexual abuse cases world wide by emboldening and enticing potential perpetrators into committing acts of child abuse. The ACPM will be working to achieve its goal of Zero Child Pornography through legal, political, and legal technical means. The ACPM in no way promotes or condones illegal attacks against individuals or computers connected to the Internet.

Tom - from because-we-can.com. Security problems associated with client-side scripting in popular web-based services.

An interesting talk. The bottom line is, there's a basic flaw in all Webmail, chat, forum, online auction systems etc. whereby if an untrusted person can upload code (scripts) to a webserver, there are potential problems, because from a third party's point of view, the untrusted script is on the same site as the server's page and can therefore be trusted to access any forms that may exist, and so be able to read information such as passwords that the user may enter.

This info will also be appearing in Wired magazine around the same time as Defcon so it's good timing, and extends the 'shorts' in Business Week (may 17, p8) and NY Times (thurs of same week).See this link for the story..

Kevin Poulsen & Jennifer Grannick - The Legalities and Practicalities of Searches and Interrogations.
You all know who Kevin Poulsen is. If you don't, please go learn.
Jennifer Stisa Granick is a criminal defense attorney in San Francisco, California. She defends people charged with computer-related crimes, as well as other offenses. Jennifer has been published in Wired and the magazine for the National Association of Criminal Defense Lawyers.

Vic Vandal - Hacking Oracle 101
So you've hacked your way into your "test" O/S. What are you going to do now? All the really fun data is stored in a database, probably an Oracle database. This talk will discuss some of the gory details of Oracle security and insecurity. Vic
Vandal is a certified information security professional. He has been providing enterprise-level security design and implementation for U.S. government and military entities for the past 10 years. He currently works for a major consulting firm as a Senior Information Security Engineer. His areas of expertise are; O/S security, database security, network security, application security, firewalls, encryption, VPN's, and digital signatures.

David Sobel - General Counsel to the Electronic Privacy Information Center - "Internet Anonymity Under Assault: The 'John Doe' Lawsuits"

Like it says, David talked about getting subpoenas in the US system; AOL/Yahoo! have people on staff specifically to deal with these.

Several recent court cases around the country highlight an increasingly popular litigation tactic: the use of civil discovery to unmask the identities of anonymous Internet posters. In the last few months, a growing number of corporations have issued subpoenas to Internet service providers (ISPs) and operators of online message boards seeking to identify and locate individuals who posted material that the companies, for one reason or another, find objectionable. A spokesman for Lycos recently told Salon Magazine that the firm receives subpoenas on "pretty close to a regular basis." The underlying allegations in these cases include defamation, misappropri- ation of trade secrets and securities law violations. Many observers worry, however, that the legal tactic can easily be used to intimidate potential critics into silence and destroy the anonymity that has contributed to the Internet's explosive growth. David Sobel will discuss these cases and efforts to protect online anonymity.
David Sobel is General Counsel to the Electronic Privacy Information Center in Washington, DC, where he has litigated numerous cases under the Freedom of Information Act (FOIA) seeking the disclosure of government information on cryptography and privacy policy. Among his cases are those involving Operation Sun Devil, the Clipper Chip, the FBI's Digital Telephony wiretap proposal and the Secret Service's Pentagon City 2600 raid. David served on the Association for Computing Machinery's Special Panel on Cryptography Policy, which produced the report "Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy."
David also served as co-counsel in ACLU v. Reno, the successful constitutional challenge to the Communications Decency Act decided by the U.S. Supreme Court in 1997. He has been profiled as a "Newsmaker" by CNET's NEWS.COM for his work on Internet liberties issues.
David has a longstanding interest in national security and civil liberties issues and has written and lectured on these issues frequently since 1981. He was formerly counsel to the National Security Archive, and his FOIA clients have included Coretta Scott King, former Ambassador Kenneth Rush, the Nation magazine and ABC News.

Rooster - Insecurities in Networking Devices
Routers and switches. These devices make up the core of what is networking. Devastatingly important, this infrastructure is key to a properly working environment. Amazingly, many administrators don't know the weaknesses and holes that are being exposed to the Internet. This talk will discuss the most common security issues in routers and switches, how they can be exploited, what a person gains from this, and how to prevent people from gaining access to your network equipment.
Rooster has extensive knowledge of systems and networking. his experience includes all manner of networking and systems including; ATM, BGP, GigabitEthernet, FDDI, etc. Rooster is currently a network engineer at a fortune 500 company where he maintains the Internet connectivity.

Jonathan Wignall - Extra Border Hacking - How a company can be hacked without the hacker ever picking on that companies machine.

Jonathan was so hung over he was wearing shades in the (dimly lit) convention room, but managed to deliver a pretty coherent speech in spite of this. He'd brought his mini-laptop with slides, but its VGA port would not generate a slow enough frame rate for the overhead projector. Said laptop was placed on the podium with comments like "you can all see this, can't you?" (screen size about 3"x5"). The talk discussed things like setting up bogus websites, possibly with duplicate content then switching to bogus content after the real stuff's all been indexed. Corrie found one last month listed on the Victoria Freenet - cbcstereo.com was in Russia, nothing to do with the CBC, and was linked to some sex sites. Possible defense included reserving all variants of your name with misspellings and character substitution (e.g. A0L.com for AOL.com). Other things discussed were poinoned email - pretending to be from an organisation - talking up/down stocks or spreading rumours, DNS redirection, hosing an ip connection ( firewalls make this easier by slowing the connection) etc.

Companies may defend themselves from hacking attacks from the internet by using firewalls and other defences, but what about their defences beyond their site's boundary? Can attacks here cause damage? or enable an intruder to break into their sites? This presentation will outline what tricks can happen on the internet and how you can defend yourself outside your normal area of control, without resorting to illegal measures.
An experienced college lecturer despite being under Thirty years of age. Is well used to public speaking and his research interest is in the field of Internet Security. Head of programme for higher education courses in Computer Networking at St Helens college, he is also actively tring to establish simular courses on Information Security.

Identity Theft

Can't find the speaker in the list. A scary topic. The speaker had first-hand information from a guy who lived in the UK and made "business trips" to the US where he would steal several identities, run up their credit, and go home a couple of $100,000 richer. Seems it's easier in the US - easier access to credit reporting agencies and less privacy safeguards than Europe (or Canada - I hope).
It goes like this:
Find some guys in professional organisations (doctors, physicists...) with slightly unusual names (easier to search). Get a work address from the professional org. online registry. Get a home address from 411.com etc. Fly to the US. Buy a fake drivers licence. See e.g. sherlock, Internet DMV. Using the licence, rent an apartment. Obtain the guy's credit record. Using the apartment address, send off for credit cards to all the banks (s)he doesn't belong to, simultaeously, spreading the load across several credit reporting agencies. You may need to know the target's date of birth - phone them up, pretending to be from the professional organisation - "We need to update our records", "we're issuing tie clips to longtime members" etc. Open a bank account. When the credit cards arrive, use the convenience cheques to pay cash into the bank account. Buy counter cheques or money orders to your real name (or one of your aliases). Make sure each transaction is below the FBI radar of $20,000. Then move to another state and do it all over again.
Social Security Numbers in the US are a big source of problems - they were never intended as a universal database key.

Other Stuff

Other events at DEFCON included Capture-the-Flag, an online hacking contest. Contestants plugged their systems into an Ethernet cable and try to capture other systems (plant a textfile in /tmp). Systems included Irix, Linux, MacOS, Win95 etc. - one running Linux off a CD proved difficult to write to.

Andrew Daviel, July 1999

For general network security tools, links etc. see my Security Page.