:speakers

John Draper
Web/Java consultant, E-Commerce application
also known as Cap'n Crunch (see article in Hebrew/English).

Andy Mueller-Maguhn
Chaos Computer Club
will talk about:
"Handling the illusion of computer-security in the internet",
and will conduct the panel on Hackers vs. Industry

Alan Bishoff - PacketStorm/Securify - Site Architect and Content Manager
will talk about:
Cellular phones hacking and physical security

Gia - PacketStorm/Securify - Operations Manager/Director
will talk about:
DoS/Full Disclosure and hackers relations with the industry


Neora Shem-Shaul
Coordinator of Y2hacK, programmer, teaching cyberculture in TAU, author of "Digital Affair", journalist (in fact, though i don't consider myself a hacker, i got my first journalist job in Globes, by hacking their system and reporting about it in my first article.

Ofir Arkin
Security specialist at www.packet-technologies.com
will talk about:
Information Gathering Techniques - Netwrok Scanning, Past Present Future

Mark Gazit, Network & Security Expert.
VP Technology, Infrastructure - NetVision.
will talk about:
What are the threats to the industry?


David M.
Networks, Communication for companies like *nix, Microsoft, Novell, Cisco, Checkpoint. Lecturing on Security/Hacking, Networks Solutions and Communication for several organizations.
will talk about:
IIS Database security and Virus/Trojan Horses


Oren Tirosh - Imagineer and entrepreneur
will conduct the panel:
Full Disclosure

Lecture Details

"Handling the illusion of computer-security in the internet"
Andy Mueller-Maguhn
- technical and cultural basics of the internet
- virtual realitys between cyber communism and electronic commerce
- security problems, technical solutions, and problems of the solutions
- examples from the danger fields of misuse and dangers
- black box vs. open source; understanding the snafu principle
- solutions between client/server/network structures
- security vs. surveillance vs. technology-acceptance
- ideas for a fair risk-handling

IIS/Database security... ("why is it so simple to hack?")
David M.

This lecture should interest anybody who's running E-commerce applications under Windows NT-IIS /asp environments. Live examples will be given! Updates on bugs and security holes will show how 30% to 45% of the medium E-commerce and heavy forms sites are not protected well enough.


Information Gathering Techniques - Netwrok Scanning, Past Present Future

Ofir Arkin
The lecture will present past, present and future Network Scanning Techniques. We will describe the traditional attack pardigm, understand the significant of every stage and then focus on Scanning Techniques: Host Detection, Service Detection, Network Toplogy Mapping and Operating System Identification.
We will discuss techniques such as Coordinated scanning, stealth scanning, scanning when a firewall is present, and more.
Explanation of the way attackers hide themselves when scanning, understanding why their tactics work, and how to fool intrusion detection systems will also be given.
Future methods of scanning (aka distributed) will be explained.


DoS/Full Disclosure

Gia
As Packet Storm works with both the underground and corporations, I am in a unique position to show why full disclosure is needed. As proof would be the $10,000 contest that we held on how to defend the internet against distributed denial of service. The press wanted to know why we hosted the tools on our site if they could be misused. Our argument was essentially that of "Proof of Concept" in that unless you made the code available and proved that there was a weakness, we could never come up with a method to defend against it.


Risk Handling & security risks not yet exploited
John Draper
In this forum, I'm going to discuss various levels of risk, and how to address the more common risks of computer security. I'll also be discussing new possible risks not yet addressed, based on weaknesses in the Internet protocol. It is also important to understand that we don't want to risk personal privacy when dealing with future changes the internet might evolve into.
Planning to go into more detail on E-Commerce Security, and outline some common sense, yet simple approaches a site administrator should follow to protect their customers private information, and how you can protect your site from fraud and hacking.
There are many levels a hacker can plug into, to extract sensitive information from a web server. Unfortunately, many people prefer using NT servers for hosting their sites. NT Security is often considered a joke to most hackers, who can usually own a machine in as little as 10 minutes.
The biggest mistake made by most E-Commerce site administrators is they keep customer information on their server in one form or another in plaintext form. It is possible to look at the logs of the web server in realtime, and watch for a legit transaction to be entered in the log. If a hacker has gained control of the machine during that time, they can use the info in the logs to extract the data (AFTER it has been decrypted) by knowing the directory name and file from the logs... even if this file isn't going to stay in this state for long. Because most servers would have it encrypted, soon after they get it from the forms page.... timing is everything of course, but despite the fact that even SSL is used, there ARE times when this information is not encrypted, and if a hacker can OWN a machine, then they can get this information.


Kevin Mitnick - Conference call

 See his latest pictures

Day 2 - Lecture Details

Panel 1 - Hackers vs. Industry
Andy Mueller-Maguhn
"Hacking as a well organized culture in the internet paradigm -
keeping independent in the information warfare age"
- History of hackers & hacker-ethics. Motivation and those of other actors.
- Status Quo of the world wide cultural space internet and boarders to the "RL"
- Hackers in the fields of dangers between organized criminality,
   organized legality and governmental organizsations
- Different cultural use of hacker-activity and problem cases
- Examples of hacker-activities and missbehaviour of other groups
- Future compatible acting, handling of problems and interfacing to other groups

Liraz Siri - "white hat" hacker
vs.
Miki Bozaglo - Security specialist, still in the army. Caught and investigated. See last "documented hack".
+ guests from Israeli authorities


Panel 2 - Full disclosure
should information be restricted?
can information be restricted?
Oren Tirosh - Imagineer and entrepreneur
Haim Ravia - Lawyer specializing in cyber law - www.law.co.il
and guests from Israeli Police


Panel 3-Blue Box vs. Mobile hacking
John Draper (Cap'n Crunch)
Alan Bishoff - PacketStorm/Securify
This forum will discuss and examine the historical progression of the "Blue box" technology, and it's race with the newer enhancements to "in-band" (TONE) signalling. Will cover some historical aspects of the early R2 signalling, covering lightly into the C5 methods in use today. The second part will focus on Mobile hacking, and some of the trends, but will be less technical then the earlier sections. PCS and GSM systems will be discussed in general. Also, the technology of Stacking Tandoms, and Guard banding that makes it possible.



Panel 4 - Y2sKan
Survey results of the Israeli auditing project
Neora, Oren Tirosh, Liraz Siri
The entire IP address space of Israel was scanned as part of a security survey. The automatic scanner performing the survey detected the presence of several well-known security vulnerabilities. Detected vulnerabilities were not exploited in any way.
The purpose of this public survey is to raise the awareness of security issues and improve the overall security of the network. It is performed with the cooperation of our service providers Tevel and Netvision. The collected information is in statistical form only - information about specific sites will not be available.
This survey is a local version of the more comprehensive Internet Auditing Project.




WorkShop 1 - Virus/Trojan Horses
David M.

All about trojan horses and viruses. Learn more about viruses and how the most sophisticated ones can invade your privacy. The history of malicious code and self-distributing programs, their current state and a fascinating look at what may be waiting for us in the future. See why our computing environments are so vulnerable and make it so simple to implement a virus.

WorkShop 2 - Linux kernel hacking
Ury Segal - Kernel phreak

Since the Linux kernel is open-sourced, it is a heaven for the everyday kernel hacker. You can easily understand what's going on and make Gadgets, Widgets and loan ornaments from it easily. I will give a brief overview of the file structure, and the kernel structure. Then I'll go over the open() system call and see how it goes from the user to the kernel implementation.
Target audience : People who know some C. This is minimum.









SpooksDemo 1: SpyCams
Arie Rudich

You have to SEE it to belive -
come see what you shouldn't: Spy Cams!