Presentations

June 22-27, 2008
Hyatt Regency Vancouver
British Columbia, Canada

20th Annual FIRST Conference

Program Overview




Keynote Speakers

  • US

    Enabling End-to-End Trust

    Scott Charney (Corporate Vice President, Trustworthy Computing, Microsoft, US)

    Scott Charney serves as corporate vice president of Microsoft’s Trustworthy Computing (TwC) Group within the Core Operating System Division. The group’s mission is to drive Trustworthy Computing principles and processes within Microsoft and throughout the IT ecosystem. This includes working with business groups throughout the company to ensure their products and services uphold Microsoft’s security and privacy policies, controls and best practices. The TwC group also collaborates with the rest of the computer industry and the government to increase public awareness, education and other safeguards.

    In addition, Charney oversees Microsoft’s efforts to address critical infrastructure protection, Engineering Excellence, network security, and industry outreach about privacy and security.

    Charney possesses a wealth of computer privacy and security experience in both the government and the private sector. Before joining Microsoft in 2002, he was a principal for the professional services organization PricewaterhouseCoopers (PwC), where he led the firm’s Cybercrime Prevention and Response Practice. He provided computer security services to Fortune 500 companies and smaller enterprises. These services included designing and building computer security systems, testing existing systems and conducting cybercrime investigations.

    Before PwC, Charney served as chief of the Computer Crime and Intellectual Property Section (CCIPS) in the Criminal Division of the U.S. Department of Justice. As the leading federal prosecutor for computer crimes, he helped prosecute nearly every major hacker case in the United States from 1991 to 1999. He co-authored the original Federal Guidelines for Searching and Seizing Computers, the federal Computer Fraud and Abuse Act, federal computer crime sentencing guidelines and the Criminal Division’s policy on appropriate computer use and workplace monitoring. He also chaired the Group of Eight nations (G8) Subgroup on High-Tech Crime and served as vice chair and head of the U.S. delegation to an ad hoc group of experts on global cryptography policy for the Organization for Economic Cooperation and Development (OECD). In addition, he was a member of the U.S. delegation to OECD’s Group of Experts on Security, Privacy and Intellectual Property Rights in the Global Information Infrastructure.

    Charney also served as an assistant district attorney in Bronx County, N.Y., where he later was named deputy chief of the Investigations Bureau. In addition to supervising 23 prosecutors, he developed a computer-tracking system that was later used throughout the city for tracking criminal cases.

    Charney has received numerous professional awards, including the prestigious John Marshall Award for Outstanding Legal Achievement in 1995 and the Attorney General’s Award for Distinguished Service in 1998. He was nominated to the Information System Security Association’s Hall of Fame in 2000. That same year, the Washington Chapter of the Armed Forces Communications and Electronics Association presented him with its award for excellence in critical electronic infrastructure protection. Among his other affiliations, he served on the American Bar Association Task Force on Electronic Surveillance, the American Health Lawyers Association Task Force on Security and Electronic Signature Regulations, the Software Engineering Institute Advisory Board at Carnegie-Mellon University, and the Privacy Working Group of the Clinton administration’s Information Infrastructure Task Force.

    He holds a law degree with honors from Syracuse University in Syracuse, N.Y., and bachelor’s degrees in history and English from the State University of New York in Binghamton.

    Imagine a more trusted, privacy-enhanced Internet experience where devices and software enable people to make more effective choices and take control over who, and what, to trust online. Scott Charney, VP Trustworthy Computing, describes a new approach that focuses on stronger authentication and accountability in the appropriate environments as a means of making the Internet a safer place to work, play, communicate, and conduct business. Join Scott as he summarizes his ideas around End-to-End Trust and seeks the community’s feedback.

  • CA

    Insecurity

    J. D. Frazer (UserFriendly.org, CA)

    JD "Illiad" Frazer is a Canadian 40-something cartoonist, writer and occasional thinker. He started down the hallowed path of technology at a tender age, immersing himself in punch cards, acoustic couplers, and eventually, boat anchors. His greatest epiphany came when he beheld modem-transferred text that appeared faster than he could read it. His much-too-indulgent cartoon strip UserFriendly.Org has been published once a day, every day, since November of 1997, and has appeared in such august publications as The National Post, Linux Journal, and the Spuzzum Weekly Courier. He's won a few awards but his neighbour's dog has eaten them all. Despite his generally facetious approach to life, he is a vocal advocate of freedom of expression, corporate ethics and rational discourse. He has spoken at over fifty events in North America, Europe and Australia.

    Human beings by their very nature are insecure. They spend all of their lives seeking ways to make themselves feel more secure, and usually fail despite superhuman efforts, huge spending and support from the rest of their tribe. Professionals in Information Technology face exactly the same situation, except for the huge spending and tribal support parts.

    This talk will cleverly point out the absurdities we face as we each search for a safe corner against which we can place our backs.

  • US

    Internet Law Update 2008

    William Cook (Wildman, Harrold, Allen and Dixon LLP, US)

    William J. Cook is partner at Wildman, Harrold, Allen & Dixon LLP, a 200-attorney national law firm with an established reputation in high-stakes legal matters, successfully defending novel theories from the plaintiffs’ bar and emphasizing complex litigation. Mr. Cook’s practice areas include intellectual property, data security, intellectual property litigation and investigations. Mr. Cook has authored over 500 presentations on online law and liability.

    Mr. Cook has been involved with the practical, legal implications of IT security for 25 years, first as a prosecutor and currently as a counselor and litigator at a major Chicago law firm. His speech will deal with the specific realities of legal issues facing security professionals in the commercial, educational and government sectors. He will address the real costs of data breaches and privacy compromises, the practical implications of the Advanced Persistent Threat, the actual implications of federal and EU regulatory actions, and the current status of employee espionage and data theft. He will also address the implications of electronic discovery and records retention. As in the past, Mr. Cook will rely heavily on current case law and the IT security issues facing his clients.

  • HR

    The Dark Future of Desktop Security and How to Stop It

    Ivan Krstić

    Ivan Krstić is a software architect and researcher currently on leave from Harvard University. Until recently, he worked as director of security architecture at One Laptop per Child, an education non-profit that aimed to produce a $100 laptop for children in the developing world. Prior to that, Ivan served as director of research at the medical informatics laboratory of a European children's hospital, tackling infrastructure and security problems in wide-scale digital healthcare. Ivan is deeply involved in open-source and free software, co-authored the best-selling Official Ubuntu Linux Book, and specializes in architecture and security of large distributed systems.

    He has consulted on both matters for some of the largest websites on the Internet. Described by Wired magazine as a "security guru", in 2007 the MIT Technology Review named him one of the world's top innovators under the age of 35 for his work on the OLPC security platform, Bitfrost. Recently, eWEEK declared him one of the top three most influential people in modern computer security.

    It's 2008. About 75% of all corporate machines are infected with at least one piece of malicious code. We're seeing the emergence of weapons-grade botnets, designer trojans, smart mobile malware, and the graduation of the black hat community from what was once a ragtag army of rebels without a cause to a group of well-paid professionals engaging in research-quality work to rake in profits and evade detection. The entrenched players in the security industry have been predictably slow to respond. Now, seemingly bewildered by the new security landscape, they are increasingly finding salvation in restrictive new systems that threaten to transform your computer into little more than a glorified abacus. There must be a better way. This session will turn to history and explain how we dug ourselves into the present predicament, and then look at Bitfrost, the One Laptop per Child security system, for lessons on how we might dig ourselves out.

  • US

    The Enterprise’s Role in Protecting Critical Infrastructures

    John Stewart (Cisco Systems, US)

    John Stewart

    Mr. Stewart provides leadership and direction to multiple corporate security and government teams throughout Cisco, strategically aligning with business units and the IT organization to generate leading corporate security practices, policies, and processes. His organization focuses on global information security consulting and services, security evaluation, critical infrastructure assurance, eDiscovery, source code security, identification management, as well as special programs that promote Cisco, Internet, and national security. Additionally, he is responsible for overseeing the security for Cisco.com—the infrastructure supporting Cisco’s more than $35 billion business.

    Mr. Stewart’s longstanding career in information security encompasses numerous roles. He was the Chief Security Officer responsible for operational and strategic direction for corporate and customer security at Digital Island. Mr. Stewart has served as a research scientist responsible for investigating emerging technologies in the Office of the CTO at Cable & Wireless America. He has professional experience in software development, systems and network administration, and is a software specialist, author, and instructor.

    Throughout his career, Mr. Stewart has been an active member of the security industry community. He served on advisory boards for Akonix, Cloudshield, Finjan, Ingrian Networks, Riverhead, and TripWire, Inc. Currently, Mr. Stewart sits on technical advisory boards for Panorama Venture Capital (formerly JPMorganPartners Venture), RedSeal Networks, and Signacert, Inc. He is on the board of directors for KoolSpan, Inc., and a member of the CSIS commission on cyber security for the 44th Presidency.

    Mr. Stewart’s publications and recent speaking engagements include:

    • Author, Securing Cisco Routers Step by Step
    • Co-author, Internet WWW Security FAQ, found online at the W3C
    • FIRST 20th Annual Conference, 2008 Vancouver, British Columbia
    • AusCERT2008 Asia Pacific Information Security Conference, 2008, Gold Coast, Australia
    • RSA Conference, 2008, San Francisco, CA
    • CSO Perspectives, 2008, Atlanta, GA
    • DHS Kauffman Foundation IT Security Entrepreneurs' Forum, 2008, Stanford University, CA
    • Federal Aviation Administration’s IT/ISS Partnership/Training Conference, 2008, Atlanta, GA
    • Canadian Privacy & Security Conference, 2008, Victoria, British Columbia

    Mr. Stewart holds a Master of Science Degree in Computer and Information Science from Syracuse University, Syracuse, New York.


    In today’s networked world, private industry plays an increasingly vital role in the physical and cyber protection of critical infrastructures. Companies in the U.S. and across the globe are evolving close partnerships with government counterparts to address growing infrastructure complexity as well as local and worldwide threats. Cisco’s commitment and leadership in cyber-security, global incident response collaboration, public-private partnerships and information sharing demonstrates the positive effect that enterprises can have on helping to secure public critical infrastructure. Join Cisco chief security officer John N. Stewart as he shares his perspective on the opportunities associated with delivering, managing, and expanding the reach of corporate security programs in a global environment relative to critical infrastructure assurance.



Special

  • US

    Closing Remarks

    Derrick Scholl (FIRST Steering committee chair, US)

  • US

    Opening Remarks

    Derrick Scholl (FIRST Steering committee chair, US)



Social events

  • Conference Banquet

    Pan Pacific Hotel Crystal Pavilion (Waterfront Road & Howe Street at Canada Place)



Side events

  • Annual General Meeting (AGM)

    * Limited to FIRST team members and their invited guests, subject to approval by the Steering Committee



Tutorials

  • US

    Creating and Managing Computer Security Incident Response Teams (CSIRTs)

    Georgia Killcrece (CERT/CC – Carnegie Mellon University, US)

    Georgia Killcrece

    Georgia Killcrece is a Member of the Technical Staff and joined the CERT® Coordination Center (CERT/CC) in 1989. The CERT/CC, established in 1988, is part of the CERT® Program based at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania. Since 1999 Killcrece has led the CERT® CSIRT Development Team and takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide. She has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. She is internationally recognized as a leader in CSIRT development and has been invited to present at a number of international conferences. Killcrece also chaired the 2006 FIRST conference. Killcrece participates in the creation and delivery of public and onsite training courses, as well as facilitating workshops focused on CSIRT development. As part of broader outreach efforts in the CSIRT community, her team licenses the suite of CSIRT training materials to external transition partners. In 2003, to meet the need for trained incident handling staff, the CERT Program created and launched a certification program. From 1994 to 1999 Killcrece was a technical coordinator and incident response coordinator in the CERT/CC. In those roles, she gained firsthand knowledge of the processes involved in forming, operating, and managing incident response teams, including the dynamics of working in a fast-paced team environment. Killcrece is author of or contributor to a suite of CSIRT documents and reports, available on the CERT web site at http://www.cert.org/csirts/. Killcrece can be reached directly by email at georgia@cert.org.


    Mark Zajicek (CERT/CC – Carnegie Mellon University, US)

    Mark Zajicek

    Mark Zajicek is a member of the technical staff at the Software Engineering Institute (SEI) at Carnegie Mellon University. Zajicek's current work is focused on helping other organizations to build their own computer security incident response team (CSIRT) or incident management capability (IMC). As a member of the CERT® CSIRT Development Team, part of the Practices, Development, and Training group within the CERT Program at the SEI, he is responsible for providing guidance to new and existing CSIRTs worldwide. He has co-developed a variety of documents and training materials, and is an instructor for a suite of several courses that provide training for CSIRT managers and technical staff. Previously, Zajicek was the Daily Operations team leader for the CERT Coordination Center (CERT/CC), after having joined the CERT/CC's incident handling staff in 1992. Prior to joining the CERT/CC, he was a user consultant for the Computing Facilities group at the SEI. Zajicek also helped support the CERT/CC during its initial start-up in 1988. Zajicek has co-authored publications including Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd Edition; State of the Practice of Computer Security Incident Response Teams (CSIRTs); Organizational Models for Computer Security Incident Response Teams (CSIRTs); Defining Incident Management Processes for CSIRTs: A Work in Progress; Incident Management Capability Metrics, Version 0.1; and Incident Management Mission Diagnostic Method, Version 1.0. Zajicek holds a Bachelor of Science in Electrical Engineering and Biomedical Engineering from Carnegie Mellon University. Zajicek can be reached directly by email at mtz@cert.org or via the CERT CSIRT Development Team alias at csirt-info@cert.org.


    Robin Ruefle (CERT/CC – Carnegie Mellon University, US)

    Robin Ruefle

    Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute at Carnegie Mellon University. She works as a member of the CERT® CSIRT Development team (CDT). Ruefle’s focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CDT, Ruefle develops and delivers sessions in the suite of courses offered to CSIRT managers and incident handling staff, including Creating a CSIRT, Managing CSIRTs, Fundamentals of Incident Handling, and Advanced Incident Handling for Technical Staff. She also participates in the Train-the-Trainer program that licenses these products to existing CSIRTs. The CSIRT Development Team also provides guidance in the development of implementation strategies, policies, standard operating procedures, response plans, and training programs for new and existing CSIRTs. As part of that work, Ruefle has authored or co-authored publications including: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, The Role of Computer Security Incident Response Teams in the Software Development Life Cycle, as well as numerous other articles and best practice guides. These documents can be found on the CSIRT Development webpages at http://www.cert.org/csirts/. Ruefle has presented at numerous incident response and security conferences, including The Forum for Incident Response and Security Teams (FIRST), The US Government Forum for Incident Response and Security Teams (GFIRST), EDUCAUSE, SECURE IT, and other similar venues. Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.


    This one-day course is designed to provide a high-level overview of the issues involved in creating and managing an effective computer security incident response team (CSIRT).

    For anyone who is new to the field or who is interested in the type of activities a CSIRT performs, this course will provide valuable insight and suggestions for developing such a capability.

    A high-level discussion of key issues and topics is covered in this one-day tutorial, focusing on the purpose and structure of CSIRTs, incident management processes, key design and implementation elements, CSIRT operational issues, and other CSIRT functions.

  • US

    System, Network and Security Log Analysis for Incident Response

    Anton Chuvakin (LogLogic, Inc., US)

    Anton Chuvakin

    Dr Anton Chuvakin, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic’s product vision and strategy to the outside world, conducting logging research, as well as influencing company vision and roadmap.

    A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3", "PCI Compliance" and an upcoming book on logs. Anton has also published numerous papers on a broad range of security and logging subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs, including http://chuvakin.blogspot.com

    The presentation will cover the use of various system, network and security logs and audit trails in the incident response process, from concepts and methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include many detailed case studies from the real world, some complete with logs and tools used in them.

    Here is the brief summary:

    • Brief incident response process overview
    • Relationship between incident response and forensics
    • Logs: what are they and what are they for?
    • Log use at various stages of the response process: from incident detection to lessons learned
    • Use of logs from various sources (firewall, IDS, system, application, etc) during incident response
    • Open source tools to use
    • Which tools to get and which to build!
    • Log review and monitoring processes
    • Routine log review
    • In-depth log analysis and log mining for incident recognition
    • Log evidence integrity and DoJ criteria challenges
    • Raw vs parsed/tokenized logs as evidence
    • Practical scenarios
    • Conclusions
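
    The outline above names the steps a practitioner wants to see joined up: parse the raw lines, recognise an incident from them, and keep the raw (not the tokenized) log as the evidence. The following is an added example, not code from the tutorial or from LogLogic; the sshd log lines are constructed, the year is assumed because syslog omits it, and the threshold of five failures in five minutes is an assumed value rather than tuning advice from the presenter.

```python
"""Added example (not LogLogic's or the tutorial's code): recognising an SSH
brute-force from raw sshd auth lines, while keeping the unparsed lines and a
digest of them as the evidentiary record."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in syslog/sshd format (not real data). Syslog lines carry
# no year, so the parser is told which year to assume.
SAMPLE_LOG = """\
Jun 23 10:15:01 bastion sshd[4410]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 23 10:15:03 bastion sshd[4412]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Jun 23 10:15:04 bastion sshd[4414]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jun 23 10:15:06 bastion sshd[4416]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jun 23 10:15:09 bastion sshd[4418]: Failed password for root from 203.0.113.7 port 51162 ssh2
Jun 23 10:15:12 bastion sshd[4420]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Jun 23 10:16:40 bastion sshd[4431]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Jun 23 10:16:55 bastion sshd[4433]: Accepted publickey for alice from 198.51.100.20 port 40018 ssh2
Jun 23 10:17:10 bastion CRON[4440]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_auth_line(line, year=2008):
    """Parsed record for an sshd auth line, or None for anything else (CRON,
    non-auth sshd messages). Parsing is lossy: the PID and port are dropped,
    which is why the raw line is carried along in the record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"], "raw": line}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag a source once it has `threshold` failures inside `window`, and
    escalate if the same source then gets an Accepted login (the guessing
    probably worked). Threshold and window are assumed values."""
    failures = defaultdict(list)   # src -> failure timestamps, in log order
    flagged = set()
    findings = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if rec["result"] == "Failed":
            failures[src].append(rec["ts"])
            recent = [t for t in failures[src] if rec["ts"] - t <= window]
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "brute-force", "src": src,
                                 "failures": len(recent), "user": rec["user"],
                                 "ts": rec["ts"], "evidence": rec["raw"]})
        elif src in flagged:
            findings.append({"type": "success-after-brute-force", "src": src,
                             "user": rec["user"], "ts": rec["ts"],
                             "evidence": rec["raw"]})
    return findings


def raw_log_digest(lines):
    """SHA-256 over the raw lines in order. Record this (and keep the raw
    file) before analysis starts: parsed or tokenized records are derived
    data and cannot show what the system actually logged."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("raw log sha256:", raw_log_digest(lines))
    for f in detect_brute_force(lines):
        print(f["ts"], f["type"], f["src"], f["user"])
        print("   evidence:", f["evidence"])
```

    On the constructed sample the detector raises one brute-force finding for 203.0.113.7 at the fifth failure and a second, more serious one when the same source is accepted as root three seconds later; the single failure from 198.51.100.20 followed by a key login is left alone. Each finding carries the raw line it was derived from, and the digest is what you record before the parsed copies start circulating.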

  • UK, NL

    Techies Can Communicate Too!

    David Pybus (Diageo, UK)

    David Pybus graduated from Royal Holloway with an MSc in Information Security in 1999. His first position was performing security research and producing security documentation at Internet Security Systems (ISS). David subsequently moved to COLT where he was instrumental in the setup of their CSIRT and forensics capability. At present David is working at Diageo managing their CSIRT, having in 2006 successfully led the team through accreditation to FIRST.

    Recognising the importance of the human component in successful information security and incident response, David has sought to broaden his skill set beyond the technical and to this end sought and obtained a qualification as Certified Practitioner in the Art of Neuro-Linguistic Programming (NLP). In his everyday work David is continually looking at how these techniques can be applied in the CSIRT environment to make his work, and the work of those around him, more effective and enjoyable.

    Don Stikvoort (S-CURE, NL)

    Don Stikvoort obtained an MSc (Hons) degree in physics in 1987. After an effective management training as infantry platoon commander in the Dutch Army, he joined SURFnet, the Dutch national research and educational network. Starting out with consultancy, he soon found himself lucky to be among the pioneers who built the European Internet, started RIPE, etcetera. Don was involved in the formation of CERT-NL in 1991 (today SURFcert) and was its chairman from 1992 to 1998. Together with Klaus-Peter Kossakowski he started the cooperation of CERTs in Europe which eventually led to both TF-CSIRT and the Trusted Introducer. In 1998 he finished the first version of the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC; Don’s collaboration with CERT/CC has continued to this day.

    Don’s short FIRST history:

    CERT-NL became the second European member of FIRST in 1992. In total Don has been the representative of three FIRST member teams, and has mentored several more towards membership. From 1996 to 1998 Don was a member of the Future of FIRST Task Force I (FoF I) and secretary to FoF II. Don was chairman of the Program Committee for the 1999 FIRST conference in Brisbane, Australia. In the same year he set up the FIRST Secretariat (FSS), which he managed until mid-2007. Currently Don is a liaison member of FIRST and a member of the FoF III task force.

    In 1998 Don co-founded STELVIO, a Dutch company specialising in Internet-related consultancy. Within STELVIO he helped build Kennisnet, the Dutch schools' network connecting over 10,000 schools. Several CERTs were created with his help and guidance, among which GovCERT.NL (the Dutch Government team), and the teams for Philips and several academic institutions. Second opinions and maturity assessments in this area are among his specialties. In 2000 Don set up the Trusted Introducer accreditation for CERTs in Europe (TI). In 2002/2003 Don was co-ordinator of eCSIRT.net, an EU-funded research project that aimed at developing pragmatic standards for the interoperation of CSIRTs.

    Don left STELVIO in 2004 to continue with S-CURE. He was among the first two Europeans accredited by CERT/CC as "Certified Incident Handler" in 2004. At this moment, apart from engaging in consultancy and coaching projects for SURFnet and others, Don leads the TI CERT accreditation service. As subcontractor to TERENA, Don supports the development and operation of the TRANSITS courses for CSIRT professionals, a not-for-profit project meant to educate CSIRT professionals in Europe, and is also one of the tutors there.

    Since 2004 Don acquired the C.M.H., C.Hyp. and CPNLP accreditations in psycho/hypnotherapy and NLP. Don has started taking up work in those areas and the adjacent coaching as well, and is also using this to enrich his portfolio in security and explore new grounds – like the “Techies Can Communicate Too!” workshop he is developing with David Pybus. In March 2008 he will acquire the MPNLP – master practitioner NLP - level.

    The importance of good communication in incident management today cannot be overestimated. The incident manager's interests spread all the way from the users and ICT staff to the management and board levels, and include also contacts with PR, accountancy and risk management people. At all levels effective communication is needed to make clear that proper incident management is one of the boundary conditions for continued success. Different levels talk different languages and the incident manager needs to understand and honour those. This workshop aims to raise awareness for this exciting challenge, enable a better understanding of the wonder of communication and provide a few basic techniques to build on in everyday work.

    Objective

    Foster awareness of the powers of language, both verbal and non-verbal, and show and practice together useful techniques to build constructively on that awareness, and become more effective in communicating.

    Group size: 8-12. The group will break up into groups of 2-3 regularly to do practical work.

    Content

    In a relaxed and joyful manner, the trainers will explain and demo the following basic concepts of NLP and adjacent fields:

    • Respect (towards self and others)
    • Representational Systems (the significance of your 5 senses for you and others)
    • Rapport (getting “in sync”)
    • Meta Model (an effective questioning technique, that by its objectivity can lead the questioned person to renewed insights)
    • Milton Model (the power of positive suggestion)
    • Outcome Frame (focusing on the outcome, not the process)
    • Self Confidence (everything can be learnt and unlearnt)

    NLP – Neuro Linguistic Programming – is a model that is best used to foster effective and constructive communication.

    Format

    For most topics covered we seek a format as follows:

    • 1. Demo / Anecdote (wake up!)
    • 2. Set Expectation / Scene (what is this about?)
    • 3. Examples (raise interest)
    • 4. Topical (content)
    • 5. Hands-on (trainees do)
    • 6. Lessons Learned (experiences, re-cap)

    Outcome Frame

    We will achieve the following with the trainees:

    • Basic knowledge of techniques
    • Appropriate level of confidence to start adopting techniques and learn by doing
    • Understanding of general applicability of NLP
    • Interest to learn more

    All details - see full submission pdf.

  • US

    The life cycle of infections and a botnet

    Richard Perlotto (Shadowserver Foundation, US)

    Richard Perlotto is one of two directors running the Shadowserver Foundation, an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.

    Mr. Perlotto runs the technology and operational side of the organization with a focus on streamlining the processes and information gathering techniques.

    Richard Perlotto is an Information Security Adviser for Cisco Systems providing assistance and guidance on Information, Internet Risks and Threats to Cisco and their Customers. Previously he ran Security Operations worldwide for all of Cisco for almost four years. He is a ten-year Cisco veteran.

    This is a half-day demonstration of the infection of systems, the capture and analysis of the malware, and live interaction with a botnet.

    Requirements

    To participate in this class, each member will be required to bring a computer system capable of running a VMware image. Each system will need to have a USB port as well as a hard-wired Ethernet connection. The host system should have some form of anti-virus and firewall software loaded. This class will be working with live, infecting malware, and there is always a chance of a local infection if your system is not up to date and protected.



Geek Zone

  • DE

    About the Security Pros and Cons of Server Virtualization

    Dr. Martin Wimmer (Siemens AG, Corporate Technology, CT IC CERT, DE)

    Dr. Martin Wimmer is a consultant with Siemens CERT. After studying computer science at the University of Passau, where he received his Diploma degree in 2003, he worked as a research assistant at the University of Passau and, from April 2004 on, at the Munich University of Technology, where he received his PhD in 2007. His research activities mainly focused on security requirements of upcoming service-oriented IT infrastructures. In April 2007 he joined the research group of Siemens CERT, where he is currently working on techniques to detect system compromise.

    Recently, the discussion about the security of virtualized IT infrastructures has intensified. Several research papers have been published discussing both the pros and cons of virtualization for security. Additionally, new business ideas and products have been developed for enhancing the security of virtualized IT. With this paper we provide a survey of the recent advances in computer security for server virtualization.

  • US

    Applied Security Visualization  [schedule]

    Raffael Marty (Splunk, US)

    As chief security strategist and senior product manager, Raffy is customer advocate and guardian - expert on all things security and log analysis at Splunk. With customers, he uses his skills in data visualization, log management, intrusion detection, and compliance to solve problems and create solutions. Inside Splunk, he is the conduit for customer issues, new ideas and market requirements to the development team. Fully immersed in industry initiatives, standards efforts and activities, Raffy lives and breathes security and visualization. His passion for visualization is evident in the many presentations he gives at conferences around the world and the upcoming "Applied Security Visualization" book. In addition, Raffy is the author of AfterGlow, founder of the security visualization portal http://secviz.org, and contributing author to a number of books on security and visualization.

    Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This workshop takes a step-by-step approach to visually analyzing data.

    I will use a few open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow (afterglow.sourceforge.net), which was written by the submitter. It is a very simple tool to visualize preprocessed information. The analysis I will go over in the workshop will show how to find insider abuse, help with compliance reporting, and use visualization for perimeter threat analysis (e.g., IDS and firewall log analysis).

    The goal of the workshop is to leave the audience with the knowledge and tools to do visual log analysis on their own data. I will be discussing log sources, how to get from the data to graphs, what open source tools are available for visualization, and how to address the above use cases in detail.

  • NL

    Beyond a sensor: Towards the Globalization of SURFids  [schedule]

    Wim Biemolt (SURFnet, NL)

    SURFnet is a high-speed network which connects the networks of Dutch universities, colleges, research centers, academic hospitals and scientific libraries to the Internet. During the 18th annual FIRST conference we presented our plans to roll out a Distributed Intrusion Detection System within SURFnet. [1] Some of the design principles for our IDS included:

    • Runs out of the box
    • Completely passive
    • No false positive alerts
    • Runs in a standard LAN environment
    • Comparison of statistics

    At this moment we have actually widely deployed our IDS, called SURFids: at roughly 30 institutions and at almost 100 different network locations. SURFids is actively being developed and the latest versions contain additional features such as:

    • Argos integration
    • Layer 2 detection
      ◦ ARP poisoning attack
      ◦ Rogue DHCP server
    • RSS reports
    • Improved email reporting
    • CWSandbox support

    This contribution will focus on the various experiences of running SURFids and what can and needs to be done to work with other CSIRTs around the globe, to interact with ISPs and to improve security. Some features to achieve this are:

    • IDMEF export
    • netflow analysis

    [1] http://www.first.org/conference/2006/program/a_distributed_intrusion_detection_system_based_on_passive_sensors.html

  • US

    Bot Herder Case Studies  [schedule]

    Richard Perlotto (Shadowserver Foundation, US)

    Richard Perlotto is one of two directors running the Shadowserver Foundation, an all-volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.

    Mr. Perlotto runs the technology and operational side of the organization with a focus on streamlining the processes and information gathering techniques.

    Richard Perlotto is an Information Security Adviser for Cisco Systems providing assistance and guidance on Information, Internet Risks and Threats to Cisco and their Customers. Previously he ran Security Operations worldwide for all of Cisco for almost four years. He is a ten-year Cisco veteran.

    We will present two to three different case studies on botnet herders, showing examples of their behavior and activity.

  • CA

    Building a no frills malware lab: How to construct a relatively inexpensive, yet effective, malware analysis lab for CIRTs  [schedule]

    Andre Cormier (CCIRC, CA)

    Robert Pitcher (CCIRC, CA)

    Summary: CCIRC would like to host a 3-hour session that involves the creation of a relatively cheap malware analysis lab. The session will focus on open source tools, procedures, hardware and software that can be combined to create a highly effective malware analysis station that can rival modern commercial versions. The session will cover the requirements, a setup demonstration, and the employment of the tools in the analysis of an archived CCIRC malware-related incident.

    Background: Incident handlers often need to perform a quick behavior analysis of malware when handling infected computers. There are many online and commercial services offering this capability, ranging from free to extremely expensive. However, in many instances the information to be analyzed may be sensitive, and the need arises for a CIRT team to perform its own analysis. The question then arises: how do you process malware that is sensitive and/or not typically detected by modern vendors in a timely manner? The answer is that each CIRT team needs the ability to analyze any malware it receives. CCIRC will present a setup that costs no more than two PCs, configured to match each organization's own standards. CCIRC will base the development of this presentation on an actual proven setup currently in use by our office, and demonstrate its effectiveness through the processing of an archived CCIRC malware event.

    (Note: We have decided to pursue a three-hour session as it will provide ample time to show the setup, configuration, and application of the lab in a real-world example. This presentation can be reduced to a single session in which only the requirements would be covered if space is limited. However, for the full effect, a three-hour session is preferred.)

  • SE

    Detecting Intrusions - The latest forensics tools and techniques to identify Windows malware infections  [schedule]

    Pär Österberg Medina (Swedish IT Incident Centre, Sitic, SE)

    Pär Österberg-Medina (CISSP) started his career doing Unix and Windows network administration, but quickly migrated into doing only security-related work, like administrating firewall and intrusion detection systems. After working several years doing penetration testing for various consulting firms, he started working for the Swedish Government CERT (Sitic), where, among other things, he has been handling IT incidents for the last five years.

    Responding to IT incidents and investigating computers for signs of a compromise can be a challenging and time-consuming task, which becomes all the more complicated with the proliferation of malware and rootkit technology. This full-day tutorial will teach forensic acquisition and analysis techniques with a focus on investigating and identifying potential intrusions involving the Windows OS. The course is aimed at a technical audience, preferably incident responders and forensic examiners, who are interested in learning the latest in volatile data analysis and live forensics techniques.

    The course is split into two sessions, the first focusing on acquisition, and the second on analysis.

    After outlining a methodology for conducting forensic incident response, we will, in the morning session, walk through the construction of a 'First Responders Toolkit', the purpose of which is the live collection of volatile data from a potentially compromised Windows OS. Participants will be walked through the process of first assembling the toolkit from a number of open source and freely available tools, and then hardening this trusted toolset.

    Volatile memory acquisition will then be introduced, identifying the specific pros and cons of the currently available approaches, providing participants with the knowledge of how to choose the right tool for their circumstances.

    The culmination of the morning session is to employ the constructed toolkit to collect various pieces of evidence from a live system in order of volatility: main memory, the swap file, NTFS metadata files, the Registry and lots more.

    The second session is organized into two components: analysis of storage-related data, and analysis of volatile memory. In this session, participants will be shown how to analyze the data collected in the morning session.

    In the storage analysis section, we will analyze the $MFT, the heart of NTFS, looking for Alternate Data Streams and commonly used file system anti-forensic techniques. We then introduce analysis techniques which identify malware behavior by identifying discrepancies between the user-mode view of the filesystem and the raw filesystem. Additional practical topics covered include analysis of the raw Windows Registry files, fast analysis of binary files collected from a running system, and how to effectively use databases of hashes to distinguish unknown files and modified binaries from known operating system files.

    The volatile memory analysis component of the second session will begin with an introduction to the basics of Windows memory management. Then we will start to explore memory dumps, employing freely available forensic memory analysis tools, so participants can take them home and start working with them immediately. We will cover some of the leading-edge commercial tools in the field, and identify their merits relative to the freely available tools. Participants will be instructed in the use of the Windows debugging infrastructure for exploring memory dumps and verifying the semantic integrity of these dumps. The afternoon session will culminate in participants trying out the tools on a number of sample images to uncover exploits and actual rootkit infections on their own.

    Participants are expected to bring their own laptop with a DVD drive; Microsoft Windows will be required to run most of the programs provided. Sample files for analysis will be available during class, so reserve at least 10 GB of free hard drive space.

    This course is based on the course "The latest in forensic tools and techniques to examine Microsoft Windows", which was presented at the 2007 FIRST conference in Seville. Developed and presented by Andreas Schuster and Pär Österberg Medina, the course received high ratings from participants.

  • DE

    Event Correlation for Early Warning Systems  [schedule]

    Till Dörges (PRE-CERT – PRESECURE Consulting GmbH, DE)

    Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about pro-active security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.

    Last, but not least, he is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST. Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".

    Early Warning is a very helpful concept when it comes to getting the “big picture” of larger computer networks, e.g. corporate networks or the Internet, and providing others with information about harmful events that are spreading through the network. Situational Awareness as the basis for Early Warning usually involves gathering as much data as possible from the network. An analyst, however, certainly cannot deal with all this data; it has to be condensed into something more abstract and manageable. While this condensation is part of an analyst’s job, he or she needs help in processing the amounts of data any non-trivial network will generate. The problem itself is pretty well known from other domains, e.g. intrusion detection systems (IDS), which tend to generate so many false positives that the real alerts pass unnoticed by any human.

    This paper presents existing aggregation approaches. It then discusses one implementation based on the Early Warning system CarmentiS. The resulting findings are generally positive but plenty of future work remains.

  • US

    Identifying network scanning tools  [schedule]

    Kenneth R. van Wyk (KRvW Associates, LLC, US)

    Kenneth R. van Wyk

    Kenneth R. van Wyk is an internationally recognized information security expert and author of the O’Reilly and Associates books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, (http://www.KRvW.com), he currently holds numerous positions: Founder and moderator of the “Secure Coding” mailing list, SC-L@SecureCoding.org, Member of the Board of Directors and Steering Committee for non-profit organization, FIRST.org, Inc. (http://www.first.org), monthly columnist for on-line security portal, eSecurityPlanet (http://www.eSecurityPlanet.com), and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute (http://www.sei.cmu.edu). Ken has 20+ years' experience as an IT Security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications International Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.

    Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At Carnegie Mellon University’s Software Engineering Institute, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University, is a frequent speaker at technical conferences, and has presented tutorials and technical sessions at CSI, ISF, USENIX, FIRST, AusCERT, and others. Ken is also a CERT® Certified Computer Security Incident Handler.

    Robert Floodeen (Spectrum, US)

    Robert Floodeen is cofounder of Outbreak Security, LLC, an Information Security Architect for the Envision Labs division of Spectrum Comm Inc., and a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor for the CERT/CC. Robert has led teams in Intrusion Detection for various U.S. DoD Agencies, including the Pentagon, and served as an Operations Manager for the Defense Threat Reduction Agency CERT. Robert holds an undergraduate degree in computer science, with honors, and is finishing his Master's degree, also in computer science. He was formally trained by the U.S. Army in network administration and computer network defense.

    We propose that proper identification of automated network scanning tools has value to network monitoring teams. Currently it is simply misunderstood, improperly handled, or overlooked. Furthermore, there is value in the identification and cataloguing of the identification features and options used in those tools. Using a few open source tools (TCPDump, the SiLK toolset - rwscan with Threshold Random Walk - and MySQL) we will show that valuable information can be catalogued from a simple process of detecting, identifying, and transforming captured network packets (pcap) into a much smaller database record with identification characteristics. This process can also be seamlessly implemented in existing open source NSM products like Sguil, ACID, or BASE.

    The following are valuable analysis results gained from identifying and storing scan metadata:

    • Eliminate known scans from unknown traffic to focus on what is left.
    • Identify a pattern of pre-attack reconnaissance to interrupt an attack cycle.
    • If the pre-attack is missed but a pattern is still discernible, the effort to size and scope the incident is quickly reduced by identifying all possible external systems used in the reconnaissance phase. Note, this is not limited to the attacking IP or only systems still in the raw pcap data.
    • Truly identify a scan, not just detect it, to pare down IDS false positives.
    • Free up IDS/IPS resources associated with scan detection and storage.
    • Identify what information could have been gained from the scan.
    • Determine the motivation behind a scan or series of scans that form a pattern, assisting in triage and situational awareness.

  • US

    Incident Handling around the world in 80 ms. (Well not really that fast)  [schedule]

    Greg Bassett (Intel Corporation, US)

    Greg Bassett joined Intel and the Ocotillo Site Automation in August 1995 to support the Production UNIX infrastructure for manufacturing operations. As a Senior UNIX Engineer, he provided creative solutions to address availability, performance, security and capacity issues on a variety of Mission Critical UNIX systems and configurations. He led a variety of cross-site teams, including an effort to reduce patching timelines across manufacturing sites. In late 2004, he joined the Security Operations Center as a security specialist to drive operational efforts to identify and analyze new malware and other external threats, and to research and test mitigations to protect internal networks. He developed the Automated Worm Detection Tool (AWDT), an automated system to load firewall blocks based on infected system traffic seen through NIDS and other sources. Prior to joining Intel, Greg worked for Digital Equipment Corporation Manufacturing, testing and troubleshooting Alpha/VAX systems.

    Contact Email: greg.l.bassett@intel.com

    Steve Mancini (Intel Corporation, US)

    Steve Mancini

    Steve Mancini has been with Intel since 1997, when he graduated from the Purdue University computer science program. After surviving a year in a technical support role he moved on to UNIX applications, where he was a member of the team responsible for building an extensive UNIX application tool suite critical to chip design. In early 2000 he seized the opportunity to pursue his college interest as a security program manager and has since worked as a senior information security specialist and now security strategist. During his time he has been involved with several Intel security initiatives, including the formation of the Security Operations Center and co-authoring Intel’s risk assessment process; his interest in incident handling resulted in his creation of the first generations of RAPIER. Steve has received 3 SANS certifications with honors in Incident Handling and Auditing. In his spare time Steve volunteers as a digital forensics examiner for the city and county police department.

    Having a global presence looks great on paper and is perhaps even doing wonders for your bottom line. The downside to being spread across the globe is the difficulty of properly staffing certain emergency job roles, such as incident response. Not everyone is trained to do incident response; not everyone possesses the mindset for this work. The question, then, is how to operate a successful incident response program across a company where you may have a computer presence but no trained staff to address incidents.

    With the release of 3.2 of RAPIER, we have created a client/server architecture for our information gathering tool suite. Now a dispersed company can establish repositories for information gathering during incident handling: your IR specialists no longer have to muddle through getting accurate information off a remote system or, worse, walk someone through gathering the data over the phone. RAPIER 3.2 includes several new modules and can be configured to execute against a remote target.

  • US

    Inside a BBB Malware Scheme - Mapping and Dissecting Attacker Infrastructure  [schedule]

    Michael La Pilla (VeriSign – iDefense, US)

    Michael La Pilla, Manager, iDefense Malicious Code Operations Team

    Mr. La Pilla leads the iDefense Malicious Code Operations Group (Malcode), responsible for the active collection of open-source intelligence, and for the reporting and analysis of new and prevalent malicious code. Mr. La Pilla also develops and maintains projects for the iDefense malicious code lab. Mr. La Pilla's expertise lies in the area of malicious code that targets financial institutions and their customers. Prior to joining iDefense, Mr. La Pilla worked as a contractor in the Web hosting sector while pursuing a BS in Computer Engineering from Virginia Tech.

    Between February 2007 and November 2007 one group was responsible for at least 13 targeted email campaigns using various government agencies to trick victims into installing malicious code. Using a combination of investigative tactics, custom-written tools and perseverance it is possible to follow the attacker's footprints and infrastructure through the attacks. During the investigation the attacker is seen modifying attack code, improving targeting and altering his/her cash-out scheme to adapt to shutdowns, law enforcement and investigations.

    The goal of the presentation is to provide a case study in tracking long term malicious code campaigns using this series of incidents. The data collected includes preventative information used to mitigate some attacks before they were released and protect victims from fraudulent transactions.

  • US

    Malcode Analysis Techniques for Incident Handlers  [schedule]

    Russ McRee (holisticinfosec.org, US)

    Russ McRee, GCIH, GCFA, CISSP is a security analyst working for the Windows Live Security Incident Management team. Prior speaking engagements include SecureWorld Expo, ISSA Northwest Regional, WSA SIG, RAID 2005, and Linuxfest Northwest.

    He's the author of ISSA Journal's monthly column Toolsmith, and has written for Information Security, Linux Pro, SysAdmin and others, including an OWASP whitepaper. Russ is a board member of ISSA Puget Sound, and a member of PACCISO, InfraGard and CCSA. Russ maintains holisticinfosec.org.

    The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover tools and methodology useful to handlers, analysts, and administrators. From detection and discovery to capture and containment, count on a useful discussion meant to further your understanding of the information security practitioner's greatest bane.

  • BR

    Phishing without URL, when miscreants go malware  [schedule]

    Atanai Sousa Ticianelli (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Atanaí Sousa Ticianelli

    Atanaí Sousa Ticianelli holds an engineering degree in Computer Engineering from Universidade Federal de São Carlos - UFSCar, along with a post-graduate degree obtained from the Computer Science Institute of Universidade de Campinas - Unicamp. He holds the GSIP (GIAC Secure Internet Presence) and SSP-CNSA (Computer and Network Security Awareness) certifications. Working as a security analyst at the Brazilian Research and Academic Network CSIRT (CAIS), he has 5 years of experience in the security field. He is currently focused on the incident response process at CAIS.


    Jacomo Piccolini (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Jacomo Dimmit Boca Piccolini

    Jacomo Dimmit Boca Piccolini has an engineering degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two post-graduate degrees, one from the Computer Science Institute and the other from the Economics Institute of Universidade de Campinas - Unicamp. He is a GCIA, GIAC Certified Intrusion Analyst, and GCFA, GIAC Certified Forensics Analyst, working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of RNP backbone infrastructure by hackers.


    This presentation will focus on phishing that does not rely on fake URLs and fake web pages. Three examples of phishing that don't need a fake page will be shown during this live presentation. This new vector used by phishers needs to be known by the security community in order to identify this type of attack.

  • UK

    Practical RFID hacking without soldering irons (or Patent Attorneys)  [schedule]

    Adam Laurie (RFIDIOt, UK)

    Adam Laurie is a UK based freelance security consultant. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he and his brother, Ben, became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

    More recently he has become interested in mobile device security, and was responsible for discovering many major Bluetooth security issues, and has also spoken on other wireless topics such as InfraRed and Magnetic Stripes. His current interest, RFID, has spawned another Open Source project, RFIDIOt, which is also bringing several security issues to the fore. More detail can be found here: http://rfidiot.org.

    RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even!

    For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....

  • CA

    Responding to Security Incidents: Are Security Tools Everything You Need?  [schedule]

    Rodrigo Werlinger (University of British Columbia, CA)

    Rodrigo Werlinger (CISSP) received a degree in Electrical Engineering from the University of Chile. He has work experience in IT security in the telecommunications sector, having designed and implemented IT security for telecommunication services from 2002 to 2006. Currently, he is doing his MASc in the Electrical & Computer Engineering Department at the University of British Columbia. He is also a research assistant in the Laboratory for Education and Research in Secure Systems Engineering (LERSSE), working on the HOT Admin project.

    Kirstie Hawkey is a Postdoctoral Research Fellow in the Departments of Computer Science and Electrical & Computer Engineering at the University of British Columbia. She is working on the HOT Admin project in the Laboratory for Education and Research in Secure Systems Engineering. She received her PhD in Computer Science from Dalhousie University in 2007. Her research interests include personal information management and usable privacy and security, particularly within the context of group work.

    Konstantin (Kosta) Beznosov is an assistant professor at the University of British Columbia’s Department of Electrical and Computer Engineering. He founded and leads the university’s Laboratory for Education and Research in Secure Systems Engineering. He previously was a security architect with Hitachi Computer Products, where he designed and developed products for security integration of enterprise applications. He has also been a consultant for large telecommunication and banking companies on the architecture of security solutions for distributed enterprise applications. He’s a coauthor of Enterprise Security with EJB and CORBA (John Wiley & Sons, 2001) and Mastering Web Services Security (John Wiley & Sons, 2003). He received his PhD in computer science from Florida International University.

    It is important to consider not just the technological factors impacting IT security, but also the human and organizational factors. One key aspect of security that requires attention from these perspectives is security incident response, a field that has not yet reached maturity in terms of best practices. The empirical study we report in this paper was conducted to investigate the challenges that security practitioners face as they implement security controls as well as how the security practitioners respond to security incidents within their organizations. This understanding is important in order to identify opportunities for improvement of tools and processes. In this paper, we present our findings based on qualitative analysis of 29 in-situ semi-structured interviews along with questionnaires and participatory observation. The challenges our participants discuss provide context for the tasks, strategies, skills, and tools that they used when engaged in security incident response. We contrasted our findings with industry recommendations and case studies of security incidents. This comparison provided insight as to the potential sources of breakdown between recommended best practices and actual practices as impacted by human, organizational, and technological factors. We found several opportunities to improve the security processes and tools used by security professionals when performing their tasks and responding to security incidents in order to better support the best practices.

  • US

    Security Testing: Moving Beyond the Penetration Test  [schedule]

    Kenneth R. van Wyk (KRvW Associates, LLC, US)

    Kenneth R. van Wyk

    Kenneth R. van Wyk is an internationally recognized information security expert and author of the O’Reilly and Associates books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, (http://www.KRvW.com), he currently holds numerous positions: Founder and moderator of the “Secure Coding” mailing list, SC-L@SecureCoding.org, Member of the Board of Directors and Steering Committee for non-profit organization, FIRST.org, Inc. (http://www.first.org), monthly columnist for on-line security portal, eSecurityPlanet (http://www.eSecurityPlanet.com), and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute (http://www.sei.cmu.edu). Ken has 20+ years experience as an IT Security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications international Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.

    Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At Carnegie Mellon University’s Software Engineering Institute, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University and is a frequent speaker at technical conferences, and has presented tutorials and technical sessions CSI, ISF, USENIX, FIRST, AusCERT, and others. Kenis also a CERT® Certified Computer Security Incident Handler.

    Penetration testing is the most common form of security testing for software, yet it fails the most basic measurement of testing efficacy -- code coverage. To thoroughly and rigorously test the security of software, we must go beyond the penetration test. This session describes many of the testing methods available today, including fuzz testing and dynamic validation, as well as how to improve penetration testing practices to drive up measurements such as code coverage.

  • BR

    Tales from the dark. Diary of a compromised Windows Vista  [schedule]

    Jacomo Piccolini (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Jacomo Dimmit Boca Piccolini has an engineering degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two post-graduate degrees, one obtained at the Computer Science Institute and the other at the Economics Institute of Universidade de Campinas - Unicamp. He is a GCIA (GIAC Certified Intrusion Analyst) and GCFA (GIAC Certified Forensics Analyst), working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.


    Ivo Carvalho Peixinho (CAIS/RNP – Brazilian Federal Police, BR)

    Ivo de Carvalho Peixinho has a BS degree in Computer Science from Universidade Federal da Bahia, with two post-graduate degrees, one in Distributed Systems and another in Mechatronics. He is also a BS7799 certified auditor.

    Ivo has more than 10 years of experience in network security, and has worked the last two years in security research and incident handling. He currently works as a Forensics Expert at the Brazilian Federal Police Department.


    This presentation is a work-in-progress study. A Windows Vista system was configured with an SSH server and weak passwords. The diary to be presented will show all the activity carried out by miscreants over a 9-month period. This honeypot has been on-line for 3 months now and will be kept on until the conference, where all the information collected will be shared. During the first three months this experiment showed very interesting findings, since attackers were not expecting to find a Windows system when they SSH brute-forced it.

  • UK

    The future of hacking: Blended attacks using social engineering  [schedule]

    Peter Wood (First Base Technologies, UK)

    Peter’s innovative and entertaining style has led him to present to the boards of the largest international companies as well as at international conferences on many IT security-related topics. He was recently rated the British Computer Society’s number one speaker.

    Peter has worked in the electronics and computer industries since 1969. He has extensive experience of international communications and networking, with hands-on experience of many large-scale systems. Peter’s board-level responsibilities have included sales, marketing and technical roles, giving him a broad industry view.

    Founded in May 1989, First Base Technologies provides security testing and audit services to international companies and UK government. Peter has hands-on technical involvement in the firm on a daily basis, working in areas as diverse as penetration testing, social engineering and skills transfer.

    Peter is a Fellow of the British Computer Society and a Chartered IT Professional. He is a member of the BCS Register of Security Specialists and a CISSP. He is also a member of ACM, HTCIA, IEEE, IISP, IMIS, ISACA, ISSA and Mensa.

    What is a hacker: Someone who breaks into computer systems in order to steal, change or destroy information? Someone for whom computing is its own reward? Hacking is a way of thinking. A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. Hacking applies to all aspects of life and not just computers. The new blended attack is social engineering plus technology. Over the past fifteen years, Peter Wood has conducted numerous penetration tests for some of the largest organisations in the world. His experience in simulating attacks for these organisations has led to a unique approach combining real-world criminal methods and tools in both the social engineering and technical spheres. This workshop will describe how criminals are succeeding in stealing information, often without the victims even being aware of it. He will call on case histories and "war stories" to illustrate each type of blended attack, and demonstrate some techniques and tools in real time on the day.

  • CA

    The Most Important Thing: How Mozilla Does Security and What You Can Steal  [schedule]

    Johnathan Nightingale (Mozilla, CA)

    Johnathan Nightingale is the Mozilla Corporation's Human Shield. Educated in cognitive science and artificial intelligence, now working on security, usability & coding for Firefox, he can usually be found occupying the centre of a Venn diagram. He has written for Dr. Dobb's Journal about software integration, and for O'Reilly's Make: magazine about making tea. He lives just outside Toronto, Canada, in a house that needs more room for books.

    In this presentation, Johnathan Nightingale will share best practices for building secure applications when implementing an open source model. He will highlight the benefits of remaining open and transparent throughout the security process.

    Developers generally agree on the importance of security, but there are options for incorporating security into the development environment. With threats emerging daily, the importance of building more secure applications is rising. A solid security process throughout the development lifecycle will provide a road map to guide the team in making and measuring security improvements during every step of application development.

    Mozilla’s open source security model describes how to build security into a software project. Johnathan will share the 5 primary aspects of applying this model to the development environment:

    Security Design

    • Evaluating the impact of new features on the security architecture

    Security Implementation

    • How to establish best security programming practices
    • Balancing the compromise between security and functionality

    Security Testing – How To

    • Engaging security vendors
    • Tools – building your own and leveraging existing

    Security Response

    • Creating processes to address the inevitable external security report
    • Shipping security updates – making security updates less painful for users
    • Engaging and building trust within the security community
    • Transparency – external visibility for the process

    Security Metrics

    • How to measure security progress
    • How to evaluate security strength and improvement

  • US

    Tracking and Detecting Trojan Command and Control Servers  [schedule]

    Ryan Olson (VeriSign – Verisign/iDefense, US)

    Ryan Olson has worked for iDefense as a member of their Malicious Code Operations team since 2006. His primary security interests include automated malicious code analysis and Trojans specifically targeting financial institutions. He holds a BS from Iowa State University in Management Information Systems and an MS in Security Informatics from The Johns Hopkins University.

    Modern Trojan horses frequently report their activities to a central command and control (C&C) server. Specifically, information-stealing Trojans typically use a C&C server as the storage location for the data they steal. These servers are very numerous and reside on a variety of networks in many countries around the world, but exist much more frequently in certain locations. Attackers often use so-called “bullet proof” hosting providers, which are unresponsive to take-down notices, to host these servers and ensure that they remain active. Tracking the networks to which new Trojans report their data allows security administrators to proactively monitor for traffic generated by clients infected with these Trojans and take appropriate action.

    This presentation discusses how to detect traffic generated by toolkit-based information stealing Trojans using network based intrusion detection systems like Snort. The audience will receive an overview of popular toolkit-based Trojans and common locations used to host C&C servers based on their network and country of origin.

  • US

    Trends in the Internet Underground / Cyber Kadogos  [schedule]

    Christopher Abad (20 GOTO 10, US)

    I am Christopher Abad, an internet native, a hacker, a scientist and an artist... a jack of many trades but master of none. With such diverse experience and network of peers, I've been able to observe and participate in many aspects of internet and normal society without moral bias. I've worked for numerous security companies including Foundstone, Qualys, nCircle and Cloudmark as a security researcher and now I currently work for a performance advertising company. I attended UCLA for Mathematics. I own an art gallery in San Francisco, 20 GOTO 10, dedicated to the folk art of the internet as well as emerging urban artists.

    For better or worse, the ideas and technology of Web 2.0 have changed the way the younger internet generation interacts and carries out ideas. These effects are seen in the internet underground. Security is completely consumed by academia and corporate R&D, and the internet is no longer the wild west it was only a decade ago. Internet youth are working together in larger groups than ever before, with an amazing ability to naturally organize, communicate and task, but opt to use very low-tech attacks when conducting internet warfare and have very few ties to the previous generation of (blackhat) hackers.

  • US

    Virtualization Technology: A Manifold Arms Race  [schedule]

    Michael H. Warfield (IBM Internet Security Systems, US)

    Michael Warfield is a Senior Researcher and Analyst for the X-Force Threat Analysis Team of IBM Internet Security Systems, Inc. (IBM-ISS).

    With computer security experience dating back to the early 1970s and Unix experience dating back to the early 1980s, Mike is responsible for doing research into security vulnerabilities and intrusion protection techniques for IBM-ISS X-Force, the research division of IBM-ISS.

    Prior to joining Internet Security Systems, Mike held positions such as Unix systems engineer, Unix consultant, security consultant and network administrator on the Internet. He is one of the resident Unix gurus at the Atlanta UNIX Users Group and is one of the founding members of the Atlanta Linux Enthusiasts. He is also an active member of the Samba development team and is a contributor to the Linux kernel and numerous Open Source software projects. Mike has published articles on both Samba and on security and is a respected cryptographer in the Open Source community.

    Lately, the term "virtualization" has been all the rage in the news and in technology forums. For many, the term virtualization brings to mind products like VMware and Xen and virtual machines. But virtualization has been around much longer than VMware or Xen and is much broader than either of these two specific examples. Virtualization is also well known in the security underground, where it is a popular topic from both an offensive perspective and a defensive perspective.



Main Conference

  • TW

    A Collaborative Approach to Anti-Spam  [schedule]

    Chia-Mei Chen (TWCERT/CC – National Sun Yat-Sen University, TW)

    Chia-Mei Chen is a Professor in the Department of Information Management at National Sun Yat-Sen University, Kaohsiung, Taiwan.

    The growing volume of spam mail has generated a need for a reliable anti-spam filter that detects unsolicited e-mails. Most works focus on spam detection on a standalone mail server. This paper presents a collaborative approach to the classification, discovery, and exchange of spam information. The spam filter is built on a mixture of rough set theory, genetic algorithms, and reinforcement learning.

    In this paper, we integrate our spam filter with Open Web Mail to validate the performance of the proposed approach. The results of the collaborative spam filter lead to the following conclusions: (1) The rules exchanged among mail servers indeed help the spam filter block more spam messages than a standalone one. (2) A combination of filtering algorithms improves accuracy and reduces false positives in spam detection.

  • US

    Automating Vulnerability Management in a Heterogeneous Enterprise  [schedule]

    Jeff Boerio (Intel Corporation, US)

    Jeff Boerio is an Information Security Specialist for Intel Corporation. He has two main focuses there. One is managing the IT Emergency Response Process for intelligence gathering, meaning that in a cyber incident he and his team are responsible for gathering and reporting as much information as possible. The second is managing the operational security of UNIX platforms across the company, including driving enforcement of minimum security specifications for operating systems and applications as well as the hardening of the same. Jeff was hired by Intel in October, 1993 after obtaining a Bachelor of Science in Computer Science from Purdue University, and has held positions from UNIX Systems Administrator to Software Project/Program Manager. He also has a GIAC Security Essentials Certification (GSEC Silver) from SANS. When not at work, Jeff and his wife live in the heart of Oregon’s wine country on a small farm, raising his three-year old son and caring for five horses. He enjoys wine, photography, rock n’roll, sports and Corvettes. Not necessarily in that order.

    Managing the response to vulnerabilities in a heterogeneous enterprise is no simple task. A significant growth in applicable vulnerabilities, a complex network of devices, and constrained budgets create a resource problem for managers. In this paper, we propose some measures for handling the growing number of alerts while decreasing the staff needed to do so. We begin with a review of the vulnerability management process, offering suggestions to improve consistency in processing vulnerability reports and risk ratings. Then we examine possible solutions for automating and streamlining several key steps of the process, such as processing alerts, assigning risk, and dispositioning them for patching.

  • PL

    Barriers to CSIRT cooperation with other CSIRTs and The CLOSER Project  [schedule]

    Emin Akhundov (NASK/CERT Polska, PL)

    Krzysztof Silicki (NASK/CERT Polska, PL)

    Krzysztof Silicki graduated from Warsaw University of Technology, Department of Fine Mechanics. After graduation, he worked in the Institute of Electron Technology. He joined NASK at the very beginning of the company's establishment (in 1993). Since February 2000 he has held the post of Technical Director.

    He established and actively manages the CERT NASK team ("CERT Polska" since December 2000), the first such team in Poland. He also created and was the main co-ordinator of the "SECURE" conference, which has been held by NASK since 1997. Silicki is a well-known figure in the IT community and the chief editor (since 1999) of the monthly IT magazine NETforum. He is the author of many publications devoted to the problem of securing networks and has issued many expert opinions on network security and confidentiality mechanisms, authorisation technologies and principles for proceeding in the event of a breach of network security. Since 2004 Krzysztof Silicki has held the position of Polish representative on the ENISA Management Board.

    Miroslaw Maj (NASK/CERT Polska, PL)

    Miroslaw Maj has been employed at the Research and Academic Computer Network (NASK) since 1995. From 1996 to 1999 he was a member of the NASK Security Team. Since 1996 he has been a member of the CERT Polska team, and since 2001 he has been its head. Mirosław Maj is an organizer of and lecturer at security conferences in Poland. He is the author of papers on security statistics and other subjects from the security area. He is involved in international cooperation between CSIRT teams as well as in formal European projects related to security issues (standards, statistics, fighting illegal content, building security awareness and establishing new CSIRT teams). He participates in activities at the national level with the goal of protecting critical ICT infrastructure.

    Mirosław Maj has successfully completed the Carnegie Mellon University training course Managing Computer Security Incident Response Teams. He has also completed PRINCE2 methodology training.

    Since 2004 Mirosław Maj has held the position of Polish Liaison Officer for ENISA. For the last two years he has been a member of the ENISA Working Group on CERT Cooperation and Support. He is also a co-author of documents prepared for ENISA about CERT cooperation and CERT exercises.

    Barriers to CSIRT cooperation with other CSIRTs

    The growing number of network security incidents and computer crime statistics indicate that the current condition of ICT security is unfavorable and the future is ambiguous. This can have a significant negative impact on the world economy, which is increasingly dependent on electronic communication.

    It is not clear who is responsible for such a situation and why there is no breakthrough in security despite many initiatives over the years. Home users, vendors, ISPs and governments often have different points of view and interests regarding their roles in the process of improving Internet security.

    Nevertheless, success in combating harmful and illegal activities on the Internet is very much related to the intensity and quality of cooperation between all stakeholders. Cooperation within a particular stakeholder community is important as well.

    Undoubtedly the CSIRT community is an important player in this area, and it potentially has all the assets required to build models of effective cooperation both inside the community and with external parties. To achieve this goal, barriers to cooperation should be analyzed and proposals to overcome them should be created, including proper incentives.

    In the article the authors will present existing barriers, such as:

    • Necessity of information confidentiality (vs. information sharing)
    • Lack of service level agreement between CSIRTs
    • Differences in Legal Systems
    • Lack of standards
    • Incident handling
    • Data exchange formats
    • Threat assessment
    • Insufficient organizational, political and financial support

    Corresponding to these barriers, preliminary proposals of solutions and incentives will be presented. Ideally this could lead to a discussion that starts initiatives (e.g. SIGs) and projects that could foster better CSIRT cooperation.


    The CLOSER Project

    The CERT concept, after almost 20 years of existence, is recognized as one of the most effective ways of combating illegal activities on the Internet. This effectiveness is in part a result of good communication between incident response teams. However, communication sometimes becomes a problem because of a lack of sufficient coverage by CSIRTs in a particular region. To improve this situation, the CERT Polska team, with NATO support, started the CLOSER project, which is mainly about establishing new teams in the regions that are white spots on the map of the CSIRT world (project duration 2007-2009). Participants of the project are countries associated in CEENet http://www.ceenet.org (see attachment).

    The project is aimed at building a network of operational CSIRT teams through:

    • Coaching and mentoring activities of emerging CSIRTs by existing and mature teams. At the first stage of the project, teams will be assisted in reaching basic operational capability. After achieving that stage, support will be provided to resolve possible issues related to everyday CSIRT work.
    • Establishing organisational standards and procedures for incident handling in coached CSIRT teams based on mentors’ experience. This includes common classification schemes for incidents, allowing for comparison of incident characteristics across teams.
    • Introduction of new teams to international forums (like FIRST, TF-CSIRT, Trusted Introducer), allowing for exchange of knowledge and experience as well as setting a platform for operational exchange of information and common incident handling world-wide.

    For successful integration of newly established teams with existing international cooperation forums, emphasis will be put on helping new teams with formal and informal joining of international forums (e.g. FIRST). We believe that experiences from the CLOSER project could be valuable in the discussion on how to reach out to new areas with the CERT concept.

  • DE, NL

    CERTification: Assessing CSIRT Maturity  [schedule]

    Klaus-Peter Kossakowski (PRE-CERT – PRESECURE Consulting GmbH, DE)

    As the co-chair of the IETF working group “Guidelines and Recommendations for Incident Processing” (GRIP), he was instrumental in the development of RFC 2350, which provides a format for descriptions of CSIRT services. He is also the author of many papers about CSIRTs and international cooperation. Together with Don Stikvoort he initiated closer cooperation among European CSIRTs and organised several annual meetings to support this. He was elected as a member of the FIRST Steering Committee in 1997, 1999, 2001 and 2003. From June 2003 to June 2005 he represented FIRST, the worldwide forum of CSIRTs, product security and abuse teams, as Chair. Most recently he became chair of the ENISA ad-hoc working group on CSIRT cooperation.

    Don Stikvoort (S-CURE, NL)

    Don Stikvoort obtained an MSc (Hons) degree in physics in 1987. After an effective management training as Infantry platoon commander in the Dutch Army, he joined SURFnet, the Dutch national research and educational network. Starting out with consultancy he soon found himself lucky to be among the pioneers who built the European Internet, started RIPE, etcetera. Don was involved in the formation of CERTNL in 1991 (today SURFcert) and was its chairman from 1992-1998. Together with Klaus-Peter Kossakowski he started the cooperation of CERTs in Europe which eventually led to both TF-CSIRT and the Trusted Introducer. In 1998 he finished the first version of the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC – Don’s collaboration with CERT/CC has remained till today.

    Don’s short FIRST history:

    CERT-NL became the second European member of FIRST in 1992 – in total Don has been the rep of three FIRST member teams, and mentored several more towards membership. From 1996-8 Don was member of the Future of FIRST Task Force I (FoFI) and secretary to FoF II. Don was chairman of the Program Committee for the 1999 FIRST conference in Brisbane, Australia. In the same year he set up the FIRST Secretariat (FSS), which he managed till mid 2007. Currently Don is a liaison member of FIRST and member of the FoF III task force.

    In 1998 Don co-founded STELVIO, a Dutch company specialising in Internet-related consultancy. Within STELVIO he helped build Kennisnet, the Dutch schools' network connecting over 10,000 schools. Several CERTs were created with his help and guidance, among which GovCERT.NL (the Dutch Government team), and the teams for Philips and several academic institutions. Second opinions and maturity assessments in this area are among his specialties. In 2000 Don set up the Trusted Introducer accreditation for CERTs in Europe (TI). In 2002/2003 Don was co-ordinator of eCSIRT.net, an EU-funded research project that aimed at developing pragmatic standards for the interoperation of CSIRTs.

    Don left STELVIO in 2004 to continue with S-CURE. He was among the first two Europeans accredited by CERT/CC as "Certified Incident Handler" in 2004. At this moment, apart from engaging in consultancy and coaching projects for SURFnet and others, Don leads the TI CERT accreditation service. As subcontractor to TERENA, Don supports the development and operation of the TRANSITS courses for CSIRT professionals – a not-for-profit project meant to educate CSIRT professionals in Europe – and is also one of the tutors there.

    Since 2004 Don acquired the C.M.H., C.Hyp. and CPNLP accreditations in psycho/hypnotherapy and NLP. Don has started taking up work in those areas and the adjacent coaching as well, and is also using this to enrich his portfolio in security and explore new grounds – like the “Techies Can Communicate Too!” workshop he is developing with David Pybus. In March 2008 he will acquire the MPNLP – master practitioner NLP - level.

    The CSIRT scene is maturing slowly. If it was in its infancy in the early 90s, then it is in its teens now – still developing, but the signs of maturity are visible. CSIRTs need to be measurable in their maturity for at least two reasons:

    • (1) all ICT services and structures are experiencing a growing demand for quality and measurement of that quality – CSIRTs are no exception;
    • (2) the growing importance of the Internet in all aspects of business and society in general means that the worldwide cooperation of CSIRTs needs to be judged against increasing standards – therefore CSIRTs need the capability to objectively and verifiably assess each other’s operating and policy standards.

    This paper proposes a model which evolves from the already existing CSIRT accreditations (e.g. Trusted Introducer) to better and more objective measures of CSIRT maturity and quality through verification and certification. This model focuses on team maturity rather than the personal development of CSIRT members; certification of team members remains a potential parameter in assessing CSIRT maturity, however. Further, the authors will demonstrate the benefits of increasing maturity this way – benefits for management/board level, for the team itself and for interoperation with other CSIRTs (and other stakeholders). The boundary conditions for accreditation and certification will be discussed, including the need for a self-funded, independent, community-oriented verification mechanism.

  • CA

    Computer Forensics for Managers and IT Administrators: What you need to know  [schedule]

    Chris van Breda (Cyberklix, CA)

    Mr. Chris van Breda has over 30 years of experience in the fields of communications, information management and IT security, with emphasis on computer incident response team set-up, development and management. Mr. van Breda has experience in computer forensics, conducting Threat and Risk Assessments, IT security, HR, leadership, training development and production management. Mr. van Breda has been a member of the Forum of Incident Response and Security Teams (FIRST) for the past eight years and was a founding board member of the Ottawa Chapter of the High Technology Crime Investigation Association (HTCIA) in 2001. Mr. van Breda has also presented tutorials on security team essentials and the need for computer forensics at international security forums, and teaches computer forensics.

    Mr. van Breda spent over 28 years in the Canadian Armed Forces working in signals intelligence, electronic warfare, IT security and finished his military career as the DND CIRT Team Manager.

    As a manager or IT administrator, why is it important to understand computer forensics? Simply stated, electronic data can be fleeting and easily changed or overwritten. If computer forensics isn’t part of your incident response plan, you are substantially increasing the chances that someone may get away with malicious activity on your network. This could include illegal activity or policy violations such as harassment, unacceptable use of computer resources or deliberate destruction of files and data.

    Digital forensics has evolved to address these issues but many IT security officers, managers and IT administrators are not aware of the processes involved and have not incorporated proper forensic procedures into their incident response plans. The application of computer forensics requires specific knowledge and skills that are not common within the IT security industry.

    This presentation provides a quick overview of what computer forensics is and the various incident response points where it must be considered. It includes some real life examples of how simple things done wrong can impede incident response.

    This presentation is a condensed version of a free half-day workshop on Computer Forensics conducted on a regular basis for IT security officers, all managers (not just IT) and IT administrators.

    The author can tailor the presentation to a suitable time slot from one hour to two hours.

  • US

    Cyber Fraud Trends  [schedule]

    Ralph Thomas (VERISIGN iDefense, US)

    Financial institutions worldwide face an ever-increasing number of malicious code and phishing attacks that adapt and mature constantly. Regulators and industry promote authentication as a panacea while the crooks are developing and deploying highly specialized Trojans designed to target and circumvent multifactor authentication schemes. Hijacking transactions that a user has initiated and authorized is the newest of these targeted threats. This technique has been discussed theoretically for some time but has now left the malware labs and is actively being used in real-world attacks, not only against financial institutions. Technology and implementation are important factors for the effectiveness of multifactor authentication schemes, and even strong technologies with correct implementations that thwart transaction-hijacking attempts have weaknesses that might constitute a surface for future attack scenarios.

    This presentation discusses the state of attack and mitigation techniques surrounding transaction-hijacking and lessons learned from real-world incidents. The audience will be given an overview of implementation details that can make or break a successful authentication scheme in light of these new threats.

  • KR

    Efforts to Secure Electronic Financial Transactions  [schedule]

    JinWook Choi (Financial Security Agency, KR)

    JinWook Choi joined the FSA as a founding member in December 2006 and works as a security coordinator. JinWook was a KrCERT/CC member in 2003 and 2004 and has experience in online game security (NCSOFT, 2004-2006) and the military (retired, Navy Lieutenant Junior Grade). He has a Bachelor’s degree in Computer Science from SoongSil University and has also studied at the University of Victoria, Canada, as an exchange student.


    Securing electronic financial transactions has been an important issue all over the world.

    In Korea, the number of internet banking customers has increased dramatically, reaching 42,450,000 (Sep. 2007) across 19 banks, and the government has paid close attention to setting up policy and technology to make online transactions safe.

    Accordingly, every financial institution in Korea that offers an online service should provide security programs such as anti-virus and anti-keylogging software to its customers. However, cyber threats to financial institutions and their customers increase day by day and attack techniques evolve every day, so a dedicated organization is needed to follow up on and fight such risks. To that end, the Financial Security Agency (“FSA”) was established in Dec 2006.

    In this presentation, incident cases, new threats, and the efforts of Korean financial institutions and government will be introduced.

    KFCERT in FSA is a FIRST full member since Dec. 2007.

  • US

    Emerging Economies: The Vulnerability Market  [schedule]

    Terri Forslof (TippingPoint, a division of 3Com, US)

    Terri Forslof is the Manager of Security Response for TippingPoint. Her team is responsible for managing and resolving all security issues relating to TippingPoint products. Additionally, her team oversees the vendor disclosure of vulnerabilities purchased through the Zero Day Initiative.

    Prior to joining TippingPoint, Terri was a Security Program Manager for the Microsoft Security Response Center, focused on driving the resolution of security vulnerabilities within Microsoft products. She has 12+ years of experience in the information technology industry, including Systems Engineering and Administration, with a focus on Information Security for the past 6 1/2 years. Terri holds a Certified Information Systems Security Professional designation.

    Security vulnerabilities: once mysterious and elusive to IT professionals and developers alike, they have now grown to become the stock-in-trade of the security research industry. Government, business and criminals seek out new and exciting “Zero Day” vulnerabilities like forbidden fruit, and guard them as if they were precious jewels. The business of security research has officially migrated from the hacker spending long nights in the basement seeking momentary glory to professionals building and offering portfolios of fresh, cutting-edge security research for hire.

    We must consider today’s vulnerability research as a commodity, such as orange juice, wheat, oil, or other commodities that you might find on Wall Street and similar traditional marketplaces. While many people have heard the term “black market” used to describe non-traditional buyers and sellers, it’s just one of several global markets where a security researcher can receive compensation for their work.

    In this presentation we will explore the history and evolution of these different markets, how they interact with each other and how they impact the rest of the global information security economy.

  • FR

    FMC (Fixed Mobile Convergence) - What About Security  [schedule]

    Franck Veysset (France Télécom R&D, FR)

    Franck Veysset is a network security expert working for France Telecom R&D / Orange Labs. His activities are focused on Wi-Fi security, honeypots, cybersecurity and, more generally, IP security.

    He has presented at numerous technical and security conferences (BlackHat, ToorCon, Shmoocon, Eurosec, FIRST, Hack.lu...). He is also a program committee member of several conferences (SSTIC, JSSI...). Aside from these activities, he is a member of the board of the French Information Systems and Network Security Observatory (OSSIR), and he lectures at several universities and engineering schools.


    Since 2007, new FMC (Fixed Mobile Convergence) solutions have been emerging. Three main technologies seem to rule the market: Wi-Fi SIP, UMA (Unlicensed Mobile Access) and cellular (femto/pico cells). These solutions look very attractive to customers, as they open new possibilities in terms of telecommunication. After introducing these technologies, we will focus on the security aspects of these solutions. They might have a strong impact on the security of customers and companies, but things are also quite complicated from the telco point of view, as new threats are emerging (operators will have to “open” some part of their core network, which is not an easy issue…).

    The goal of this presentation is to give an overview of FMC solutions, including the security aspects.

  • DE

    GridCERT Services - Modification of traditional and additional new CERT Services for Grids  [schedule]

    Antonio Liu (PRESECURE, DE)

    A CERT that serves a Grid community faces certain specific challenges due to the technical nature of Grids. The traditional CERT services have to be modified to meet the needs of a Grid community and to offer added value to the community.

    The presentation will briefly outline the necessary modifications of traditional CERT services. In addition to that it will introduce new CERT services developed for a Grid community.

    These new services cannot be placed in the traditional three CERT service categories (reactive, proactive and security quality management services); rather, they form a new category of CERT services. The new CERT services will improve the operational security level by improving reliability and integrity in the Grid, and therefore will benefit and offer added value to a Grid community.

  • US

    Has Pakistan stolen your traffic lately? – Threats to Internet Routing and Global Connectivity  [schedule]

    Earl Zmijewski (Renesys, US)

    Earl Zmijewski, VP and General Manager, Internet Data Services, is responsible for all of Renesys's Internet Data software, services and operations. He has nearly 20 years of experience encompassing scientific computing and most areas of IT, with particular emphasis on networking and security. Before Renesys, Earl was IT Director at Fluent Inc., a computational fluid dynamics software company, where he was instrumental in establishing new offices throughout the US, Europe and Asia and in the promotion and implementation of Linux clustering technologies. He was also principal architect in the design of Fluent’s networks and Internet security posture. Before that, Earl held various academic positions at Cornell University, the University of California, and James Madison University. Earl has a PhD and MS in Computer Science from Cornell University and an MS and BA in Mathematical Sciences from The Johns Hopkins University.

    We will review recent disruptions to global connectivity, including cable system breaks in the Middle East and Taiwan, network hijacks (Pakistan vs. YouTube) and partitions of the Internet brought about by soured business relationships (Cogent vs. Telia). While most Internet-savvy users are very familiar with typical electronic threats to desktop machines and their corresponding countermeasures (firewalls, virus scanners, etc.), threats to Internet routing are not nearly as well understood. In both arenas, it’s the Internet’s outmoded model of implicit trust and cooperation that underlies many of the problems. Unfortunately, there are fewer means of risk mitigation when it comes to threats to the core infrastructure. After reviewing specific incidents and looking at the problem from a holistic standpoint, we’ll consider some of the available remedies.