The Black Hat conference is the biggest and most important security conference in the world. Black Hat has become a premier venue for elite security researchers and serves the information security community by delivering timely and actionable security information. The Black Hat conference series is now held four times a year:

  • Black Hat DC: January 16-19, 2011 in Arlington, VA
  • Black Hat Europe: March 15-18, 2011 in Barcelona, Spain
  • Black Hat USA: July 30 – August 4, 2011 in Las Vegas, NV
  • Black Hat Abu Dhabi: November 2011 in United Arab Emirates

and is separated into a training portion and a briefings portion.

Black Hat DC 2011 Conference

The Black Hat Briefings are a series of highly technical information security presentations that bring together leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and knowledge.

Black Hat also provides hands-on, high-intensity, multi-day Trainings. The training sessions are provided by some of the most respected experts in the world and many also provide formal certifications to qualifying attendees.

The 2011 Black Hat DC conference will be held January 16 – 19 at the Hyatt Regency in Arlington, VA. The training portion of the conference will be from January 16 to 17, and the briefings portion will be from January 18 to 19.

Black Hat DC 2011 Registration Fees

Registration is now open for the 2011 Black Hat DC conference, and the registration fee schedule is as follows:

  • Briefings
    • Regular: $1395 (ends Dec 15)
    • Late: $1595 (ends Jan 15)
    • Onsite: $1895 (Jan 16 – Jan 19)
    • Academic: $600 (ends Dec 15)
    • Group: 10% – 15% discount (ends Dec 15)
    • Press: $0
  • Training
    • $1800 – $3800 per course

Group Registration: There is a 10% discount for groups of 6 or more. Groups of 12 or more receive a 15% discount. This discount rate applies to the Briefings portion only. If there are 4 or more people from your group attending the same training class and session, you can also qualify for a discount on the Training portion. The discount will be based on the rate at the time that you submit your group registration agreement form. Group registrations must be paid by Dec 15.

Academic Registration: The Academic registration is available to those who are either full-time students or full-time professors at an accredited university. The academic registration rate is $600, but gives you access to the Briefings portion only. Registration for the Academic pass ends on December 15, 2010.

Press Registration: Any media member that works for a publication that covers computer security on a regular basis can apply for a free press pass. Be prepared to show copies of your articles, a business card, and your assignment editor’s contact information. The press pass is normally only granted for the Briefings portion, but in very rare cases may be granted for the Training portion as well. During the conference a press room with internet access will be provided, and a separate room for filming interviews may also be available.

Briefings for Black Hat DC 2011

The 14 briefings that will be presented at the 2011 Black Hat DC are as follows:

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications
Speaker: David Perez

In this presentation they will show a practical attack against GPRS, EDGE, UMTS and HSPA (2G/3G) mobile data communications. They will demonstrate that an attacker with a budget of less than $10,000 can set up a rogue BTS, make the victim devices connect to such BTS, and gain full control over the victim’s data communications. Two vulnerabilities make the attack possible: first, the absence of mutual authentication in GPRS and EDGE (2G), which makes GPRS and EDGE devices completely vulnerable to this attack, and second, the mechanism implemented on most UMTS and HSPA (3G) devices that makes them fall back to GPRS and EDGE when UMTS or HSPA are not available, which makes it possible to extend the attack to these 3G devices.

Counterattack: Turning the tables on exploitation attempts from tools like Metasploit
Speaker: Matthew Weeks

In hostile networks, most people hope their con kung-fu is good enough to avoid getting owned. But for everyone who has ever wanted to reverse the attack, not getting owned is not enough. We will see how it is often possible for the intended victim to not only confuse and frustrate the attacker, but actually trade places and own the attacker. This talk will detail vulnerabilities in security tools, how these vulnerabilities were discovered, factors increasing the number of vulnerable systems, how the exploits work, creating cross-platform payloads, and how to defend yourself whether attacking or counterattacking. The audience will be invited to participate as complete exploit code will be released and demonstrated against the Metasploit Framework itself.

Checkmate with Denial of Service
Speaker: Tom Brennan

Denial-of-Service is an attempt to make a computer resource unavailable to its intended users. A new and very lethal form of Layer 7 attack technique, which uses slow HTTP POST connections, was discovered. An attacker sends properly crafted HTTP POST headers that contain a legitimate “Content-Length” field to inform the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and tie up precious server resources.

They will demonstrate how an “agentless” DDoS botnet can be created via malicious online games and how a victim website can be brought down in a matter of minutes using the HTTP POST DDoS attack.
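The slow-POST technique above works because the server waits indefinitely for a body whose length it has been promised. A server-side counter-measure, added here as an illustration and not code from the talk, is to read the body under two limits: a maximum idle gap between chunks and a minimum average transfer rate once a short grace period has passed. The limit values and the `simulate_client` fake-clock harness are assumptions chosen for the example.

```python
import time


class SlowBodyError(Exception):
    """Raised when a client feeds the request body too slowly."""


def read_body(content_length, recv, *, min_bytes_per_sec=1024,
              idle_timeout=5.0, grace=1.0, clock=time.monotonic):
    """Read exactly `content_length` bytes through `recv(n)`, which returns
    up to n bytes or b'' on EOF, and abort when the client stalls.

    Two limits defend against a slow POST: no single wait between chunks may
    exceed `idle_timeout` seconds, and after `grace` seconds the average rate
    must stay at or above `min_bytes_per_sec` (illustrative values, assumed).
    """
    buf = bytearray()
    start = clock()
    last = start
    while len(buf) < content_length:
        chunk = recv(min(4096, content_length - len(buf)))
        now = clock()
        if now - last > idle_timeout:
            raise SlowBodyError("client idle for %.1fs between chunks" % (now - last))
        if not chunk:
            raise ConnectionError("client closed before the body was complete")
        buf += chunk
        last = now
        elapsed = now - start
        if elapsed > grace and len(buf) / elapsed < min_bytes_per_sec:
            raise SlowBodyError("body rate %.0f B/s below floor" % (len(buf) / elapsed))
    return bytes(buf)


def simulate_client(content_length, chunk_size, delay_per_chunk):
    """Model a client on a fake clock that delivers `chunk_size` bytes every
    `delay_per_chunk` seconds; returns 'ok' or 'rejected' (constructed harness)."""
    fake_now = [0.0]
    remaining = [content_length]

    def clock():
        return fake_now[0]

    def recv(n):
        fake_now[0] += delay_per_chunk  # time passes while the server waits for data
        take = min(n, chunk_size, remaining[0])
        remaining[0] -= take
        return b"x" * take

    try:
        read_body(content_length, recv, clock=clock)
        return "ok"
    except SlowBodyError:
        return "rejected"
```

A legitimate upload (4 KB chunks every 10 ms) completes, while a slow-POST client trickling one byte every few seconds is cut off by the idle or rate limit before it can hold the connection open for long.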

The Getaway: Methods and Defenses for Data Exfiltration
Speaker: Sean Coyne

There are several stages to a successful cyber attack, and the most crucial of them is also the least discussed: data theft. Whether it be financial information, intellectual property, or personally identifiable information, the most valuable thing on your network is the data. Intruders may get in, but until they get out with what they came for, the game’s not over. During this presentation they will take a look at some of the advanced methods of stealing data they have recently encountered in the field, including: preparing and cleaning staging areas, avoiding DLP/traffic scanning products, and how attackers use a victim’s own infrastructure and architecture against them.

De-Anonymizing Live CDs through Physical Memory Analysis
Speaker: Andrew Case

Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model, though, as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available, and putting random pages of data into context can be very difficult for in-depth investigations. In order to solve this problem, they present a number of techniques that allow for complete recovery of a live CD’s in-memory filesystem and partial recovery of its previously deleted contents. They also present memory analysis of the popular Tor application as it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

Beyond AutoRun: Exploiting software vulnerabilities with removable storage
Speaker: Jon Larimer

Malware has been using the AutoRun functionality in Windows for years to spread through removable storage devices. That feature is easy to disable, but the Stuxnet worm was able to spread through USB drives by exploiting a vulnerability in Windows. In this talk, they will examine different ways that attackers can abuse operating system functionality to execute malicious payloads from USB mass storage devices without relying on AutoRun. There’s a lot of code that runs between the USB drivers themselves and the desktop software that renders icons and thumbnails for documents, providing security researchers and hackers with a rich set of targets to exploit. Since the normal exploit payloads of remote shells aren’t totally useful when performing an attack locally from a USB drive, they will look at alternative payloads that can give attackers immediate access to the system. To show that these vulnerabilities aren’t limited to Windows systems, they will provide a demonstration showing how they can unlock a locked Linux desktop system just by inserting a USB thumb drive into the PC.

Malware Distribution via Widgetization of the Web
Speaker: Neil Daswani

The Web 2.0 transformation has in part involved many sites using third-party widgets. They present the “widgetized web graph” showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware are propagated via such widgets, and provide data on how a mass web-based malware attack could take place against the Quantcast 1000 web sites via widgets.

Attacking Oracle Web Applications With Metasploit
Speaker: Chris Gates

In 2009, Metasploit released a suite of auxiliary modules targeting Oracle databases and attacking them via the TNS listener. This year, let’s security test Oracle but do it over HTTP/HTTPS. Rather than relying on developers to write bad code, let’s see what can be done with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. They will also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

Inglourious Hackerds: Targeting Web Clients
Speaker: Laurent Oudot

This talk will look at technical security issues related to multiple internet web clients. While such tools are used to crawl the internet and retrieve information, there might exist many scenarios where evil attackers can abuse them. By studying the protocols, and by doing some kind of fuzzing operations, they will show how TEHTRI-Security was able to find multiple security issues on many handheld devices and workstations.

Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE
Speaker: Rob Havelt

The new 802.11p standard aims to provide reliable wireless communication for vehicular environments. The P802.11p specification defines functions and services required by Wireless Access in Vehicular Environments (WAVE) conformant stations to operate in varying environments and exchange messages, either without having to join a BSS or within a BSS, and defines the WAVE signaling technique and interface functions that are controlled by the 802.11 MAC.

Wireless telecommunications and information exchange between roadside and vehicle systems present some interesting security implications. This talk will present an analysis of the 802.11p 5.9 GHz band Wireless Access in Vehicular Environments (WAVE) / Dedicated Short Range Communications (DSRC), Medium Access Control (MAC), and Physical Layer (PHY) Specifications of this protocol. They will present methods of analyzing network communications (GNU Radio/USRP, firmware modifications, etc.), and potential security issues in the implementation of the protocol in practical environments such as in toll road implementations, telematics systems, and other implementations.

Your crown jewels online: Attacks to SAP Web Applications
Speaker: Mariano NUNEZ Di Croce

“SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks.

Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.

Kernel Pool Exploitation on Windows 7
Speaker: Tarjei Mandt

In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic “write 4” techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, they show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, they show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, they conclusively propose ways to further harden and enhance the security of the kernel pool.

Identifying the true IP/Network identity of I2P service hosts
Speaker: Adrian Crenshaw

They will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the internet host providing the service, the anonymity set of the person that administrates the service can be greatly reduced. The core of this presentation will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators may make that could expose a service provider’s identity or reduce the anonymity set they are part of. They will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.

Responsibility for the Harm and Risk of Software Security Flaws
Speaker: Cassio Goldschmidt

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks, such as the internet, made software security an international problem. There are no mathematical risk models available today to assess networked systems with interdependent failures. Experience suggests that no party is solely responsible for the harm and risk of software security flaws, but a model of partial responsibility can only emerge once the duties and motivations of all parties are examined and understood.

This presentation describes the role of each player involved in the software lifecycle and the incentives (and disincentives) they have to perform the task, the network effects of their actions, and the results on the state of software security.


Training Courses for Black Hat DC 2011

There will be 11 courses offered at the 2011 Black Hat DC conference, ranging in price from $1800 to $3800 per course. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered for each class. The 11 courses are as follows:

Cyber Network Defense Bootcamp
Trainer: Adam Meyers

A two day workshop focusing on the progression from incident identification, investigation and malware analysis to explaining to management why it matters. In other words, how to go from geek to sleek.

Real World Security: Attack, Defend, Repel
Trainer: Peak Security

An intensive two day course for security professionals that want to up the ante on their current skill sets in offensive and defensive security. Learn new tactics and receive guidance from expert instructors while you test yourself in a team vs team environment.

Designing Secure Protocols and Intercepting Secure Communication
Trainer: Moxie Marlinspike

This training covers both designing and attacking secure protocols. Attendees will learn the fundamentals of how to design a secure protocol, and be armed with the knowledge of how to evaluate the security of and discover weaknesses in existing protocols.

CISSP Boot Camp (Four Day Course – Jan 16-19)
Trainer: Shon Harris

This Logical Security course trains students in all areas of the security Common Body of Knowledge (CBK). Using this course, students prepare for the exam, while at the same time obtaining essential security knowledge that can be immediately used to improve organizational security.

Information Assurance Officer (IAO) Course (CNSS-4014E) Certified
Trainer: Information Assurance Associates (IA2)

Very intense, highly concentrated, non-technical professional training necessary to achieve the fundamental knowledge needed to define, design, integrate and manage information system security policies, processes, practices, and procedures within federal interest information systems and networks.

Tactical Exploitation
Trainer: Val Smith

Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.

Virtualization for Incident Responders
Trainer: Eric Fiterman, Methodvue

Principles and techniques for recovering evidence from virtualized systems and cloud environments – this course is intended for information security personnel who are responsible for handling incidents involving virtual infrastructure, cloud service providers, or desktop virtualization platforms.

Digital Intelligence Gathering Using Maltego
Trainer: Paterva

Unlock the true potential and raw power of Maltego. Learn how to navigate and map the internet’s darkest rivers.

TCP/IP Weapons School 3.0
Trainer: Richard Bejtlich, TaoSecurity

Use the network to your advantage while building incident detection and response skills to counter advanced and targeted threats.

Database Breach Investigations: Oracle Edition
Trainer: David Litchfield

This training course will teach students the tricks and techniques hackers use to break into Oracle database servers and then how to perform a database security breach investigation covering evidence collection, collation and analysis using V3RITY for Oracle, the world’s first database specific forensics and breach investigation tool.

Windows Physical Memory Acquisition and Analysis
Trainer: Matthieu Suiche

Learn all about memory dumps, including how they work and deep analysis using Windbg.


More on Black Hat

You can follow Black Hat on Twitter, Facebook, and LinkedIn.

Twitter: Black Hat has two accounts on Twitter. For security research and updates on Black Hat events, follow @blackhatevents. For behind the scenes information from Black Hat HQ staff members, follow @blackhathq.

Facebook: Black Hat maintains an active Facebook page to communicate with members of the security community and provide information updates.

LinkedIn: Black Hat also maintains a LinkedIn group to reach out to professional security experts and provide information updates.

Will you be attending Black Hat DC 2011? Have you attended past Black Hat events? If so, what did you like the best?