Speakers

June 22-27, 2008
Hyatt Regency Vancouver
British Columbia, Canada

20th Annual FIRST Conference

  • Adam Laurie (RFIDIOt, UK)

    Practical RFID hacking without soldering irons (or Patent Attorneys)

    RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even!

    For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....

    Adam Laurie is a UK-based freelance security consultant. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other minicomputers, and then on various Unix, DOS and CP/M based microcomputers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he and his brother, Ben, became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own, 'Apache-SSL', which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

    More recently he has become interested in mobile device security, and was responsible for discovering many major Bluetooth security issues, and has also spoken on other wireless topics such as InfraRed and Magnetic Stripes. His current interest, RFID, has spawned another Open Source project, RFIDIOt, which is also bringing several security issues to the fore. More detail can be found here: http://rfidiot.org.

  • Andre Cormier (CCIRC, CA)

    Building a no frills malware lab: How to construct a relatively inexpensive, yet effective, malware analysis lab for CIRTs

    Summary: CCIRC would like to host a three-hour session that involves the creation of a relatively cheap malware analysis lab. The session will focus on open source tools, procedures, hardware and software that can be combined to create a highly effective malware analysis station that can rival modern commercial versions. The session will cover the requirements, a setup demonstration, and the use of the tools in the analysis of an archived CCIRC malware-related incident.

    Background: Incident handlers often need to perform a quick behavior analysis of malware when handling infected computers. There are many online and commercial services offering this capability, ranging from free to extremely expensive. However, in many instances the information to be analyzed may be sensitive, and the need arises for a CIRT to perform its own analysis. The question then is how to process malware which is sensitive and/or not typically detected by modern vendors in a timely manner. The answer is that each CIRT needs the ability to analyze any malware it receives. CCIRC will present a setup costing no more than two PCs, configured to match each organization's own standards. CCIRC will base this presentation on an actual proven setup currently in use by our office, and demonstrate its effectiveness through the processing of an archived CCIRC malware event.

    (Note: We have decided to pursue a three hour session as it will provide ample time to show the setup, configuration, and application of the lab in a real world example. This presentation can be reduced to a single session in which only the requirements would be covered if space is limited. However, for the full effect, a three hour session is preferred.)

  • Andrea Rigoni (Symantec, UK)

    Models and Experiences for National and International Information Sharing

    Today almost every organization relies on ICT infrastructures to deliver core and critical services. The risk scenario is changing so quickly that a new Dynamic Risk Management approach is required.

    One of the major challenges is to keep a shared situational awareness of the Digital Battlefield, which is fragmented under the responsibility and visibility of many private and public organizations.

    Information Sharing can help both single organizations and national bodies to keep an updated situational awareness and to proactively define the correct countermeasures. Despite common acknowledgment of the importance of Information Sharing, many initiatives have failed and many organizations still look at it with suspicion.

    During his speech, Andrea will illustrate the different approaches adopted by private companies, service providers and national authorities for Information Sharing and Early Warning. In particular, Andrea will show how the positive developments of military doctrine (Network Centric Operations) can be used to define new information sharing approaches. He will also provide an overview of the different initiatives in the US and Europe and will discuss the issues that have prevented Information Sharing from being widely adopted at a national and international level.

    WHAT WILL BE COVERED:

    • Status of Information Sharing in US and Europe
    • New Information Sharing paradigms based on Network Centric Operations
    • Analysis of successful projects
    • Issues and future developments

    HOW THE AUDIENCE WILL BENEFIT FROM THE INFORMATION:

    • Understanding the role of Information Sharing in modern Risk Analysis and Management
    • Understanding key success factors and constraints
    • Get practical suggestions on how to implement information sharing in their own organizations

    Andrea Rigoni

    Andrea Rigoni is in charge of Symantec’s EU and European Critical Infrastructure Protection Consulting. Based in Brussels, Rigoni has over 16 years’ experience in the security sector, having concentrated on the government ICT security sector for the past decade, both in European Member States and the Middle East. Rigoni regularly participates in international initiatives calling for Symantec’s expertise in information security. As such he recently joined the European Commission’s critical infrastructure expert group. Rigoni has also participated in the Interpol IT crime working group, the Italian association of critical infrastructure experts, the Union for the Coordination of Transmission of Energy (UCTE), the Council for Large Power Companies (CIGRE), the Italian Police, and the Information Security Forum. Before joining Symantec in 2003, Rigoni worked four years at Getronics as director of the mission critical BU, working on security and business continuity projects. Rigoni is an expert in critical infrastructure protection (CIP), computer incidents and emergency response (CERT) and security operation centres. He is fluent in Italian and English.

  • Anton Chuvakin (LogLogic, Inc., US)

    System, Network and Security Log Analysis for Incident Response

    The presentation will cover the use of various system, network and security logs and audit trails in the incident response process, from concepts and methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include many detailed case studies from the real world, some complete with logs and tools used in them.

    Here is the brief summary:

    • Brief incident response process overview
    • Relationship between incident response and forensics
    • Logs: what are they and what are they for?
    • Log use at various stages of the response process: from incident detection to lessons learned
    • Use of logs from various sources (firewall, IDS, system, application, etc.) during incident response
    • Open source tools to use
    • Which tools to get and which to build!
    • Log review and monitoring processes
    • Routine log review
    • In-depth log analysis and log mining for incident recognition
    • Log evidence integrity and DoJ criteria challenges
    • Raw vs parsed/tokenized logs as evidence
    • Practical scenarios
    • Conclusions

    Anton Chuvakin

    Dr Anton Chuvakin, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic’s product vision and strategy to the outside world, conducting logging research, as well as influencing company vision and roadmap.

    A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3", "PCI Compliance" and the upcoming book on logs. Anton has also published numerous papers on a broad range of security and logging subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs, such as the one at http://chuvakin.blogspot.com.

  • Antonio Liu (PRESECURE, DE)

    GridCERT Services - Modification of traditional and additional new CERT Services for Grids

    A CERT that services a Grid community faces certain specific challenges due to the technical nature of Grids. The traditional CERT services have to be modified to meet the needs of a Grid community and to offer added value to the community.

    The presentation will briefly outline the necessary modifications of traditional CERT services. In addition to that it will introduce new CERT services developed for a Grid community.

    These new services cannot be categorized under the three traditional CERT service categories (reactive, proactive and security quality management services); rather, they form a new category of CERT services. The new CERT services will improve the operational security level by improving reliability and integrity in the Grid, and will therefore benefit and offer added value to a Grid community.

  • Atanai Sousa Ticianelli (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Phishing without URL, when miscreants go malware

    This presentation will focus on phishing that does not rely on fake URLs and fake web pages. Three examples of phishing that do not need a fake page will be shown during this live presentation. This new vector used by phishers needs to be known by the security community in order to identify this type of attack.

    Atanaí Sousa Ticianelli

    Atanaí Sousa Ticianelli holds an engineering degree in Computer Engineering from Universidade Federal de São Carlos - UFSCar, along with a post-graduate degree obtained from the Computer Science Institute of Universidade de Campinas - Unicamp. He holds the GSIP (GIAC Secure Internet Presence) and SSP-CNSA (Computer and Network Security Awareness) certifications. Working as a security analyst at the Brazilian Research and Academic Network CSIRT (CAIS), he has 5 years of experience in the security field. He is currently focused on the incident response process at CAIS.

  • Bobby Singh (Smart Systems for Health Agency, CA)

    Managing Security & Privacy Incidents in the Health Care Environment

    The purpose of the presentation is to provide an overview of how to build a comprehensive and integrated security & privacy incident management program in the health care sector. Privacy incidents are becoming common, but material such as use cases and documented examples to assist health care organizations with incident management is not available in the marketplace.

    Wherever we look, privacy incidents are grabbing the headlines. As Canada moves towards eHealth, protecting personal health information is going to be front and centre. However, the cost to maintain a ‘perfectly secure’ system will be too high, so organizations such as hospitals and IT organizations such as Smart Systems for Health Agency (SSHA) will have to be prepared to handle security & privacy breaches.

    SSHA has developed a comprehensive Enterprise Security & Privacy Incident Management program (ESPIM) to manage security & privacy breaches, to ensure a high security posture for the organization and to retain clients’ trust in its infrastructure.

    ESPIM identifies, analyses, resolves and reports on security and privacy incidents and breaches to minimize risk to individuals, clients and SSHA.

    • Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
    • Privacy Incident: Unauthorized or illegal use, collection, disclosure, or disposal of personal or personal health information.

    ESPIM is built on International Standards and meets the reporting requirements set out in the PHIPA Legislation (Ontario).

    Mr. Singh has 13+ years’ experience in IT Security with extensive experience in Risk Management, Business Operations, Public Relations, Consulting and Auditing. As the Director of Information Security for the Smart Systems for Health Agency, Mr. Singh’s role involves ensuring that security is built in both at the enterprise level and in SSHA product and service offerings. He provides leadership in the development and promotion of security standards and practices within the Agency, and in the establishment and maintenance of security standards and practices that enhance credibility and engender trust. He has extensive experience developing and implementing security programs for public and private sector organizations. He is a frequent speaker at conferences and round tables. Prior to joining SSHA, Mr. Singh held positions at Bank of America and Deloitte, where he focused on delivering security services to clients and developing the Security practice. Mr. Singh received his MBA from the University of Pittsburgh and holds CISSP, CISM, CISA and CPA designations.

  • Bruce Monroe (Intel, US)

    Vendor SIG

  • Carol Overes (GOVCERT.NL, NL)

    The HoneySpider Network: Fighting client-side threats

    The Honeyclient Project is a joint venture between NASK/CERT Polska, GOVCERT.NL and SURFnet. The goal is to develop a complete open source honeyclient system, based on existing state-of-the-art client honeypot solutions and an advanced crawler. The system is focused primarily on attacks against, or involving the use of, Web browsers. These include detection of drive-by downloads, malicious binaries and phishing attempts. Apart from identifying browser exploits (including 0day attacks), the system is expected to automatically obtain and analyze the attacking malware and ultimately generate its signature.

    The major incentive to start this project is the rapidly growing number of browser exploits involving varying degrees of user interaction. These types of attacks lie outside the scope of the current monitoring systems in use by the three parties. Therefore we view this new system as an expansion of our current monitoring and early warning abilities. Interfaces with existing systems - the CERT Polska ARAKIS system and SURFnet IDS - will be designed. The system will improve situational awareness of what is happening on the Internet and improve the security services offered by the parties to their constituents. The project itself is the result of very close cooperation of three different organizations from two different countries – such cooperation involving research into new areas and software development has been rare so far in the CERT community.

    The proposed article and presentation will include a short introduction to client honeypots and the state of the art. It will then describe how attacks that involve malicious web servers are being carried out and what techniques attackers use to make analysis of such activity more difficult. The functional requirements and architecture of the solution will be presented. It will also briefly touch upon the lessons learned regarding international cooperation. Novel detection heuristics for low interaction client honeypots will be introduced. Finally, preliminary results of the functioning of the system will be published.

    Network Monitoring SIG - Large-scale Monitoring of Fast-Flux Service Networks

    • Detection and Mitigation of Fast-Flux Service Networks
      Christian Gorecki (University of Mannheim, Germany)
    • Bring your demo
      NM-SIG attendees, Exploratory

    Network Monitoring SIG - Monitoring and Detection of Fast-Flux Service Networks

    • Introduction
      Carol Overes (GOVCERT.NL)
    • Know Your Enemy: Fast-Flux Service Networks
      David Watson (The Honeynet Project)
    • Peering into Botnets via Fastflux Enumeration: The ATLAS Experience
      Jose Nazario (Arbor Networks)

    Carol Overes started to work for CERT-RO (former name of GOVCERT.NL) in 2003. In these four years, he has been involved with the operational side of GOVCERT.NL; mostly writing advisories and handling incidents.

    His personal security interest is monitoring in general. Two years ago, Carol started an experiment to set up a monitoring network for GOVCERT.NL, based on honeypot technology. This experiment was the starting point for an official monitoring project. One of the first results of that project is the establishment of a distributed intrusion detection system, based on the tool SURFids.

    At the moment, Carol is involved with the second phase of the monitoring project, namely the development of a complete honeyclient solution.

    His background is in the ISP environment. Carol worked for quite some years for the Dutch telco provider KPN, where he was a network engineer for their IP network. He loved working with routing protocols such as BGP (Border Gateway Protocol). He also worked on projects like expanding the European peering network of KPN and the MPLS migration of the IP backbone. During his period at KPN, Carol was also a core member of KPN’s CERT, called Uni-CERT.

  • Chia-Mei Chen (TWCERT/CC – National Sun Yat-Sen University, TW)

    A Collaborative Approach to Anti-Spam

    The growing volume of spam mail has generated a need for a reliable anti-spam filter that detects unsolicited e-mails. Most work focuses on spam detection on a standalone mail server. This paper presents a collaborative approach to the classification, discovery, and exchange of spam information. The spam filter can be built based on a mixture of rough set theory, genetic algorithms, and reinforcement learning.

    In this paper, we integrate our spam filter with Open Web Mail to validate the performance of the proposed approach. The results of the collaborative spam filter support the following conclusions: (1) The rules exchanged among mail servers indeed help the spam filter block more spam messages than a standalone one. (2) A combination of filtering algorithms improves accuracy and reduces false positives of spam detection.

    Chia-Mei Chen is a Professor in the Department of Information Management at National Sun Yat-Sen University, Kaohsiung, Taiwan.

  • Chris Gormley (Tiversa, Inc., US)

    The Easiest Score on the Internet - PII and corporate secrets for the taking on P2P file sharing networks.

    Forget hacking and phishing – criminals, competitors, and the media are using the same P2P file sharing programs that teenagers use to obtain thousands of your sensitive, confidential, and classified documents each day, putting your organization, customers, and partners at significant risk.

    • See a live P2P file sharing demonstration of consumers sharing their tax returns, user IDs, and passwords and corporations sharing confidential intellectual property.
    • See in real time how an active underground of criminals searches for these very documents.
    • Explore real-life case examples of highly sensitive file disclosures – their causes and the incident response efforts used to address these disclosures.
    • See actual examples illustrating how quickly and from where malicious individuals upload files from PCs running P2P file sharing software.
    • Learn how 40-60% of confidential files about a corporation originate outside their corporate networks, from suppliers, contractors, attorneys, accountants, partners, and others.
    • Learn how consumers unknowingly expose information about themselves that results in fraud and ID theft that banks end up covering.
    • Learn about the attitudes and approaches to this issue from a recent survey of almost 800 IT professionals.
    • Learn what actions other companies are taking to mitigate these risks.

    Real-life and highly concrete examples will be used for each part of the presentation.

    Christopher Gormley - Chief Operating Officer, Tiversa, Inc.

    Christopher Gormley is Chief Operating Officer of Tiversa. In this role, he is responsible for Client Services, P2P Information Recovery and Analysis, Marketing, and Public Relations. Mr. Gormley joined Tiversa in 2005.

    Prior to Tiversa, Mr. Gormley was VP of Marketing and Business Development for Haley Systems, a leading business process and middleware software provider. Before Haley Systems, Mr. Gormley was VP of Product Management at FreeMarkets, a world leader in purchasing and supply management technology and services. Prior to his tenure at FreeMarkets, Mr. Gormley was a management consultant with McKinsey & Company and held several marketing and engineering positions with General Electric.

    He holds an MBA in Finance & Strategy from the Wharton School and earned an undergraduate degree in Chemical Engineering from Worcester Polytechnic Institute.

  • Chris van Breda (Cyberklix, CA)

    Computer Forensics for Managers and IT Administrators: What you need to know

    As a manager or IT administrator, why is it important to understand computer forensics? Simply stated, electronic data can be fleeting and easily changed or overwritten. If computer forensics isn’t part of your incident response plan, you are substantially increasing the chances that someone may get away with malicious activity on your network. This could include illegal activity or policy violations such as harassment, unacceptable use of computer resources or deliberate destruction of files and data.

    Digital forensics has evolved to address these issues but many IT security officers, managers and IT administrators are not aware of the processes involved and have not incorporated proper forensic procedures into their incident response plans. The application of computer forensics requires specific knowledge and skills that are not common within the IT security industry.

    This presentation provides a quick overview of what computer forensics is and the various incident response points where it must be considered. It includes some real life examples of how simple things done wrong can impede incident response.

    This presentation is a condensed version of a free half-day workshop on Computer Forensics conducted on a regular basis for IT security officers, all managers (not just IT) and IT administrators.

    The author can tailor the presentation to a suitable time slot from one hour to two hours.

    Mr. Chris van Breda has over 30 years’ experience in the fields of communications, information management and IT security, with emphasis on computer incident response team set-up, development and management. Mr. van Breda has experience in computer forensics, conducting Threat and Risk Assessments, IT security, HR, leadership, training development and production management. Mr. van Breda has been a member of the Forum of Incident Response and Security Teams (FIRST) for the past eight years and was a founding board member of the Ottawa Chapter of the High Technology Crime Investigation Association (HTCIA) in 2001. Mr. van Breda has also presented tutorials on security team essentials and the need for computer forensics at international security forums and teaches computer forensics.

    Mr. van Breda spent over 28 years in the Canadian Armed Forces working in signals intelligence, electronic warfare, IT security and finished his military career as the DND CIRT Team Manager.

  • Christopher Abad (20 GOTO 10, US)

    Trends in the Internet Underground / Cyber Kadogos

    For better or worse, the ideas and technology of Web 2.0 have changed the way the younger internet generation interacts and carries out ideas. These effects are seen in the internet underground. Security is completely consumed by academia and corporate R&D, and the internet is not the wild west it was only a decade ago. Internet youth are working together in larger groups than ever before, with an amazing ability to naturally organize, communicate and task, but opt to use very low-tech attacks when conducting internet warfare and have very few ties to the previous generation of (blackhat) hackers.

    I am Christopher Abad, an internet native, a hacker, a scientist and an artist... a jack of many trades but master of none. With such a diverse experience and network of peers, I've been able to observe and participate in many aspects of internet and normal society without moral bias. I've worked for numerous security companies including Foundstone, Qualys, nCircle and Cloudmark as a security researcher and now I currently work for a performance advertising company. I attended UCLA for Mathematics. I own an art gallery in San Francisco, 20 GOTO 10, dedicated to the folk art of the internet as well as emerging urban artists.

  • Christopher Burgess (Cisco, US)

    Intellectual Property Loss in the Global Marketplace

    The speaker will address the global realities with respect to the threat to a corporation's Intellectual Property. Via the case study vehicle, the attendee will learn of the experiences of firms from around the world and the impact that loss of Intellectual Property caused or could have caused to otherwise healthy firms, as seen from the perspective of the insider, the competitor, the state entity and the organized criminal element. The session should be of interest to any individual who has an interest in or responsibility for safeguarding their own or their employer's Intellectual Property, as they draft policy and engage the governments of the world to enforce intellectual property protection strategies.

    • The scope as seen by Cisco
    • The insider, competitor, state and organized criminal element and their motivations
    • The methodologies as shared via case study exemplars
    • Cisco's top-down solution, based on trust, awareness, empowerment, audit, and realistic expectations

    Christopher Burgess

    Christopher Burgess is a senior security advisor to the chief security officer of Cisco®, where he focuses on intellectual property strategies. Additionally, Christopher leads the Global Investigative Support team, providing forensic support to the enterprise, as well as the Government Security Office, addressing global national industrial security support and administration, from within the Corporate Security Programs Office. Prior to joining Cisco, Christopher served as a senior national security executive for more than 30 years. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America where he acquired a deep understanding of the people, cultures, and business practices of these respective areas.

    Christopher is the co-author of the book, Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008). In March 2008, CSO magazine published his study on “Nation States’ Espionage and Counterespionage, Overview of the 2007 Global Economic Espionage Landscape.” He also co-authored the four-part study of the global threat to intellectual property, which was published by CSO Magazine in June 2006, also titled Secrets Stolen, Fortunes Lost and excerpted in CIO Magazine in July 2006; and How to Stop Industrial Espionage, published in CSO Magazine in August 2006. As an invited speaker, he has addressed various corporate intellectual property strategy teams and industry organizations on the many threats to intellectual property. His breadth of knowledge and expertise allows him to focus his substantive efforts on education, awareness and prevention of industrial espionage.

    Christopher serves on the advisory board of a number of technology firms, holds membership in a number of security professional organizations and is an advisor to Secure Computing Magazine.

    Mr. Burgess’s recent and future speaking engagements include:

    • Building & Enforcing Intellectual Property Value in China, 2007, San Francisco, CA
    • High Tech Criminal Investigative Association, 2007, San Francisco, CA
    • American Council for Technology and Industry Advisory Council, 2007, Washington DC
    • Purdue University, 2007, West Lafayette, IN
    • North Atlantic Treaty Organization (NATO), 2007, Mons, Belgium
    • Massachusetts E-Government Summit, 2007, Boston, MA
    • ISSA/ISACA Conference, 2007, Pittsburgh, PA
    • FIRST - June 2008, Vancouver, BC
    • ISSA Conference, October 2008, Raleigh, NC
    • North Atlantic Treaty Organization (NATO), October 2008, Mons, Belgium

  • Damir (Gaus) Rajnovic (Cisco PSIRT – Cisco Systems Co., UK)

    Vendor SIG

  • David Pybus (Diageo, UK)

    Techies Can Communicate Too!

    The importance of good communication in incident management today cannot be overestimated. The incident manager's interests spread all the way from the users and ICT staff to the management and board levels, and also include contacts with PR, accountancy and risk management people. At all levels, effective communication is needed to make clear that proper incident management is one of the boundary conditions for continued success. Different levels talk different languages, and the incident manager needs to understand and honour those. This workshop aims to raise awareness of this exciting challenge, enable a better understanding of the wonder of communication and provide a few basic techniques to build on in everyday work.

    Objective

    Foster awareness of the powers of language, both verbal and non-verbal, and show and practice together useful techniques to build constructively on that awareness, and become more effective in communicating.

    Group size: 8-12. The group will break up into groups of 2-3 regularly to do practical work.

    Content

    In a relaxed and joyful manner, the trainers will explain and demo the following basic concepts of NLP and adjacent fields:

    • Respect (towards self and others)
    • Representational Systems (the significance of your 5 senses for you and others)
    • Rapport (getting “in sync”)
    • Meta Model (an effective questioning technique, that by its objectivity can lead the questioned person to renewed insights)
    • Milton Model (the power of positive suggestion)
    • Outcome Frame (focusing on the outcome, not the process)
    • Self Confidence (everything can be learnt and unlearnt)

    NLP – Neuro Linguistic Programming – is a model that is best used to foster effective and constructive communication.

    Format

    For most topics covered we seek a format as follows:

    • 1. Demo / Anecdote (wake up!)
    • 2. Set Expectation / Scene (what is this about?)
    • 3. Examples (raise interest)
    • 4. Topical (content)
    • 5. Hands-on (trainees do)
    • 6. Lessons Learned (experiences, re-cap)

    Outcome Frame

    We will achieve the following with the trainees:

    • Basic knowledge of techniques
    • Appropriate level of confidence to start adopting techniques and learn by doing
    • Understanding of general applicability of NLP
    • Interest to learn more

    All details - see full submission pdf.

    David Pybus graduated from Royal Holloway with an MSc in Information Security in 1999. His first position was performing security research and producing security documentation at Internet Security Systems (ISS). David subsequently moved to COLT where he was instrumental in the setup of their CSIRT and forensics capability. At present David is working at Diageo managing their CSIRT, having in 2006 successfully led the team through accreditation to FIRST.

    Recognising the importance of the human component in successful information security and incident response, David has sought to broaden his skill set beyond the technical and, to this end, obtained a qualification as a Certified Practitioner in the Art of Neuro-Linguistic Programming (NLP). In his everyday work David continually looks at how these techniques can be applied in the CSIRT environment to make his work, and the work of those around him, more effective and more enjoyable.

  • USDerrick Scholl (FIRST Steering committee chair, US)

    Special: Closing Remarks  [schedule]

    Special: Opening Remarks  [schedule]

  • NLDon Stikvoort (S-CURE, NL)

    Techies Can Communicate Too!  [schedule]

    The importance of good communication in incident management today cannot be overestimated. The incident manager's contacts range all the way from users and ICT staff up to management and board level, and also include PR, accounting and risk management people. At every level, effective communication is needed to make clear that proper incident management is one of the preconditions for continued success. Different levels speak different languages, and the incident manager needs to understand and respect them. This workshop aims to raise awareness of this exciting challenge, enable a better understanding of the wonder of communication and provide a few basic techniques to build on in everyday work.

    Objective

    Foster awareness of the power of language, both verbal and non-verbal, show and practise together useful techniques that build constructively on that awareness, and become more effective in communicating. Group size: 8-12; the group will regularly split into groups of 2-3 for practical work.

    Content

    In a relaxed and enjoyable manner, the trainers will explain and demonstrate the following basic concepts of NLP and adjacent fields:

    • Respect (towards self and others)
    • Representational Systems (the significance of your 5 senses for you and others)
    • Rapport (getting “in sync”)
    • Meta Model (an effective questioning technique that, by its objectivity, can lead the questioned person to new insights)
    • Milton Model (the power of positive suggestion)
    • Outcome Frame (focusing on the outcome, not the process)
    • Self Confidence (everything can be learnt and unlearnt)

    NLP – Neuro Linguistic Programming – is a model that is best used to foster effective and constructive communication.

    Format

    For most topics covered we seek a format as follows:

    • 1. Demo / Anecdote (wake up!)
    • 2. Set Expectation / Scene (what is this about?)
    • 3. Examples (raise interest)
    • 4. Topical (content)
    • 5. Hands-on (trainees do)
    • 6. Lessons Learned (experiences, re-cap)

    Outcome Frame

    We will achieve the following with the trainees:

    • Basic knowledge of techniques
    • Appropriate level of confidence to start adopting techniques and learn by doing
    • Understanding of general applicability of NLP
    • Interest to learn more

    All details - see full submission pdf.

    CERTification: Assessing CSIRT Maturity  [schedule]

    The CSIRT scene is maturing slowly. If it was in its infancy in the early 90s, then it is in its teens now – still developing, but the signs of maturity are visible. CSIRTs need to be measurable in their maturity for at least two reasons:

    • (1) all ICT services and structures are experiencing a growing demand for quality and measurement of that quality – CSIRTs are no exception;
    • (2) the growing importance of the Internet in all aspects of business and society in general means that the worldwide cooperation of CSIRTs needs to be judged against increasing standards – therefore CSIRTs need the capability to objectively and verifiably assess each other’s operating and policy standards.

    This paper proposes a model which evolves from the already existing CSIRT accreditations (e.g. Trusted Introducer) towards better and more objective measures of CSIRT maturity and quality through verification and certification. The model focuses on team maturity rather than the personal development of CSIRT members; certification of individual team members remains, however, a potential parameter in assessing CSIRT maturity. Further, the authors will demonstrate the benefits of increasing maturity this way: benefits for management/board level, for the team itself and for interoperation with other CSIRTs (and other stakeholders). The boundary conditions for accreditation and certification will be discussed, including the need for a self-funded, independent, community-oriented verification mechanism.

    Don Stikvoort obtained an MSc (Hons) degree in physics in 1987. After management training as an infantry platoon commander in the Dutch Army, he joined SURFnet, the Dutch national research and educational network. Starting out in consultancy, he soon found himself lucky to be among the pioneers who built the European Internet, started RIPE, etcetera. Don was involved in the formation of CERT-NL in 1991 (today SURFcert) and was its chairman from 1992 to 1998. Together with Klaus-Peter Kossakowski he started the cooperation of CERTs in Europe which eventually led to both TF-CSIRT and the Trusted Introducer. In 1998 he finished the first version of the "Handbook for Computer Security Incident Response Teams (CSIRTs)" together with Kossakowski and Moira J. West-Brown of CERT/CC; Don’s collaboration with CERT/CC continues to this day.

    Don’s short FIRST history:

    CERT-NL became the second European member of FIRST in 1992. In total Don has been the representative of three FIRST member teams, and has mentored several more towards membership. From 1996 to 1998 Don was a member of the Future of FIRST Task Force I (FoF I) and secretary to FoF II. Don was chairman of the Program Committee for the 1999 FIRST conference in Brisbane, Australia. In the same year he set up the FIRST Secretariat (FSS), which he managed until mid-2007. Currently Don is a liaison member of FIRST and a member of the FoF III task force.

    In 1998 Don co-founded STELVIO, a Dutch company specialising in Internet related consultancy. Within STELVIO he helped build Kennisnet, the Dutch schools' network connecting over 10,000 schools. Several CERTs were created with his help and guidance, among which GovCERT.NL (the Dutch Government team), and the teams for Philips and several academic institutions. Second opinions and maturity assessments in this area are among his specialties. In 2000 Don set up the Trusted Introducer accreditation for CERTs in Europe (TI). In 2002/2003 Don was co-ordinator of eCSIRT.net, an EU funded research project that aimed at developing pragmatical standards for the interoperation of CSIRTs.

    Don left STELVIO in 2004 to continue with S-CURE. He was one of the first two Europeans accredited by CERT/CC as "Certified Incident Handler" in 2004. At the moment, apart from engaging in consultancy and coaching projects for SURFnet and others, Don leads the TI CERT accreditation service. As a subcontractor to TERENA, Don supports the development and operation of the TRANSITS courses for CSIRT professionals, a not-for-profit project meant to educate CSIRT professionals in Europe, and is also one of the tutors there.

    Since 2004 Don has acquired the C.M.H., C.Hyp. and CPNLP accreditations in psycho/hypnotherapy and NLP. Don has started taking up work in those areas, and in the adjacent field of coaching, and is also using this to enrich his security portfolio and explore new ground, like the “Techies Can Communicate Too!” workshop he is developing with David Pybus. In March 2008 he will acquire the MPNLP (master practitioner NLP) level.

  • DEDr. Martin Wimmer (Siemens AG, Corporate Technology, CT IC CERT, DE)

    About the Security Pros and Cons of Server Virtualization  [schedule]

    Recently, the discussion about the security of virtualized IT infrastructures has intensified. Several research papers have been published discussing both the pros and the cons of virtualization for security. Additionally, new business ideas and products have been developed for enhancing the security of virtualized IT. With this paper we provide a survey of recent advances in computer security for server virtualization.

    Dr. Martin Wimmer is a consultant with Siemens CERT. After studying computer science at the University of Passau, where he received his Diploma degree in 2003, he worked as a research assistant at the University of Passau and, from April 2004, at the Munich University of Technology, where he received his PhD in 2007. His research activities mainly focused on the security requirements of upcoming service-oriented IT infrastructures. In April 2007 he joined the research group of Siemens CERT, where he is currently working on techniques to detect system compromise.

  • USEarl Zmijewski (Renesys, US)

    Has Pakistan stolen your traffic lately? – Threats to Internet Routing and Global Connectivity  [schedule]

    We will review recent disruptions to global connectivity, including cable system breaks in the Middle East and Taiwan, network hijacks (Pakistan vs. YouTube) and partitions of the Internet brought about by soured business relationships (Cogent vs. Telia). While most Internet-savvy users are very familiar with typical electronic threats to desktop machines and their corresponding countermeasures (firewalls, virus scanners, etc.), threats to Internet routing are not nearly as well understood. In both arenas, it’s the Internet’s outmoded model of implicit trust and cooperation that underlies many of the problems. Unfortunately, there are fewer means of risk mitigation when it comes to threats to the core infrastructure. After reviewing specific incidents and looking at the problem from a holistic standpoint, we’ll consider some of the available remedies.
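    The hijack the abstract names worked by announcing a more-specific prefix, which longest-prefix matching prefers wherever it propagates. As an added illustration (not from the talk and not Renesys's own tooling), the Python below checks a constructed feed of (collector, origin AS, prefix) announcements against a table of expected origins; the prefixes and AS numbers are assumed values modelled on public accounts of that incident and are used here only as sample data.

```python
from ipaddress import ip_network

# Expected origin AS per monitored prefix. Assumed values for illustration
# (modelled on public accounts of the YouTube incident; not data from the talk).
EXPECTED_ORIGINS = {
    "208.65.152.0/22": {36561},
}

# Constructed announcements as a monitor would collect them:
# (route collector, origin AS, prefix).
OBSERVED = [
    ("rc-1", 36561, "208.65.152.0/22"),   # the legitimate aggregate
    ("rc-2", 17557, "208.65.153.0/24"),   # a /24 inside it from an unexpected origin
    ("rc-2", 64500, "198.18.0.0/15"),     # unrelated prefix, not monitored
]

def classify(update, expected=EXPECTED_ORIGINS):
    """Classify one (collector, origin_as, prefix) announcement.

    Returns (verdict, monitored_prefix). Verdicts:
      ok                    expected origin, for the prefix or a sub-prefix of it
      origin-hijack         exact monitored prefix from an unexpected origin
      more-specific-hijack  sub-prefix from an unexpected origin; longest-prefix
                            match lets it capture traffic wherever it propagates
      unmonitored           prefix not covered by the table
    """
    _, origin, prefix = update
    net = ip_network(prefix, strict=True)
    for mon, origins in expected.items():
        mon_net = ip_network(mon, strict=True)
        if net.version != mon_net.version:
            continue
        if net == mon_net:
            return ("ok" if origin in origins else "origin-hijack", mon)
        if net.subnet_of(mon_net):
            return ("ok" if origin in origins else "more-specific-hijack", mon)
    return ("unmonitored", None)

def alerts(observed=OBSERVED):
    """Return (prefix, origin_as, verdict) for every announcement needing attention."""
    out = []
    for update in observed:
        verdict, _ = classify(update)
        if verdict.endswith("hijack"):
            out.append((update[2], update[1], verdict))
    return out

if __name__ == "__main__":
    for prefix, origin, verdict in alerts():
        print("ALERT", verdict, prefix, "origin AS", origin)
```

    The check alerts on covered sub-prefixes and not only on the exact monitored prefix, because a hijacked /24 inside a legitimate /22 is preferred by every router that hears it. A less-specific supernet announced elsewhere only attracts traffic where the legitimate, more specific route is absent, which is why the check leaves supernets alone.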

    Earl Zmijewski, VP and General Manager, Internet Data Services, is responsible for all of Renesys's Internet Data software, services and operations. He has nearly 20 years of experience encompassing scientific computing and most areas of IT, with particular emphasis on networking and security. Before Renesys, Earl was IT Director at Fluent Inc., a computational fluid dynamics software company, where he was instrumental in establishing new offices throughout the US, Europe and Asia and in the promotion and implementation of Linux clustering technologies. He was also principal architect in the design of Fluent’s networks and Internet security posture. Before that, Earl held various academic positions at Cornell University, the University of California, and James Madison University. Earl has a PhD and MS in Computer Science from Cornell University and an MS and BA in Mathematical Sciences from The Johns Hopkins University.

  • PLEmin Akhundov (NASK/CERT Polska, PL)

    Barriers to CSIRT Cooperation with Other CSIRTs and The CLOSER Project  [schedule]

    Barriers to CSIRT Cooperation with Other CSIRTs

    The growing number of network security incidents and computer crime statistics indicate that the current condition of ICT security is unfavorable and the future is uncertain. This can have a significant negative impact on the world economy, which is increasingly dependent on electronic communication.

    It is not clear who is responsible for this situation and why there has been no breakthrough in security despite many initiatives over the years. Home users, vendors, ISPs and governments often have different points of view and interests when looking at their roles in the process of improving Internet security.

    Nevertheless, success in combating harmful and illegal activities on the Internet depends very much on the intensity and quality of cooperation between all stakeholders. Cooperation within a particular stakeholder community is important as well.

    Undoubtedly the CSIRT community is an important player in this area, and it potentially has all the assets required to build models of effective cooperation, both inside the community and with external parties. To achieve this goal, barriers to cooperation should be analyzed and proposals to overcome them created, including proper incentives.

    In the article the authors will present existing barriers, such as:

    • Necessity of information confidentiality (vs. information sharing)
    • Lack of service level agreement between CSIRTs
    • Differences in Legal Systems
    • Lack of standards for incident handling, data exchange formats and threat assessment
    • Insufficient organizational, political and financial support

    Corresponding to these barriers, preliminary proposals for solutions and incentives will be presented. Ideally this will prompt a discussion that starts initiatives (e.g. SIGs) and projects that could foster better CSIRT cooperation.

    The CLOSER Project

    The CERT concept, after almost 20 years of existence, is recognized as one of the most effective ways of combating illegal activity on the Internet. This effectiveness is in part a result of good communication between incident response teams. However, communication sometimes becomes a problem because of a lack of sufficient CSIRT coverage in a particular region. To improve this situation, the CERT Polska team, with NATO support, started the CLOSER project, which is mainly about establishing new teams in regions that are blank spots on the map of the CSIRT world (project duration 2007-2009). Participants in the project are countries associated in CEENet, http://www.ceenet.org (see attachment).

    The project is aimed at building a network of operational CSIRT teams through:

    • Coaching and mentoring of emerging CSIRTs by existing, mature teams. In the first stage of the project, teams will be assisted in reaching basic operational capability. After that stage, support will be provided to resolve issues arising in everyday CSIRT work.
    • Establishing organisational standards and procedures for incident handling in coached CSIRT teams based on mentors’ experience. This includes common classification schemes for incidents, allowing for comparison of incident characteristics across teams.
    • Introduction of new teams to international forums (like FIRST, TF-CSIRT, Trusted Introducer), allowing for exchange of knowledge and experience as well as setting a platform for operational exchange of information and common incident handling world-wide.

    For successful integration of newly established teams with existing international cooperation forums, emphasis will be put on helping new teams join those forums (e.g. FIRST), both formally and informally. We believe that experience from the CLOSER project could be valuable in the discussion on how to bring the CERT concept to new areas.

  • USEric Fleischman (Boeing, US)

    Safety and Security of Networked LANs in Aircraft  [schedule]

    Civil aviation aircraft certification, including existing procedures, policies, and Federal and international law, centers on aircraft safety. A new generation of digital aircraft (e.g. B787, A350, A380) is being fielded in which electrical components and software perform avionics functions that were traditionally accomplished by hydraulics and other analog systems. These digital systems are connected via internal local area networks (LANs). Simultaneously, economic forces are encouraging aircraft to deploy Internet protocols internally and to support digital communications with ground entities. These vectors have created the need to address security issues within the current safety milieu.

    This presentation summarizes some of the findings of the Federal Aviation Administration’s (FAA) Airborne Networked Local Area Network (LAN) study, which took place during 2005 and 2006. The study investigated methodologies for identifying and mitigating potential security risks of onboard networks that could impact safety. It also investigated techniques for mitigating security risks in the certification environment.

    Networks are inherently hostile environments because every network user, whether a device (and its software) or a human, is a potential threat to that environment. Networked entities form a fate-sharing relationship with each other, because any compromised networked entity can in principle be used to attack other networked entities or their shared network environment. Safety and security have therefore become intertwined concepts within networked airborne environments. Security engineering addresses the potential for failure of security controls caused by malicious actions or other means; safety analysis focuses on the effects of failure modes. The two concepts are therefore directly related through failure effects.

    The study concluded that the primary issue affecting networked airborne system safety is how to extend existing safety assurance processes into networked systems and environments in a mathematically viable manner. It recommends that existing safety processes can be extended in this way into arbitrarily large network environments by using the Biba integrity model as the framework. The study maps current airborne software processes into the Biba integrity model, using well-established system security engineering processes to define airborne safety requirements, and applies current best information assurance techniques to those requirements to create a generic exemplar airborne network architecture that addresses the safety and security requirements of airborne infrastructures simultaneously.
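    As an added example, not from the FAA study or the presentation: the three Biba rules the abstract relies on (no read down, no write up, no invoking up), applied to a constructed set of flows between assumed aircraft network domains. The domain names and their ordering are illustrative assumptions, not the study's labels.

```python
from enum import IntEnum

class Level(IntEnum):
    """Assumed integrity ordering of airborne network domains, high to low.
    The names are illustrative; the abstract does not give the study's labels."""
    FLIGHT_CONTROL = 4    # flight-critical avionics
    AIRLINE_SERVICES = 3  # airline operational and information services
    PASSENGER = 2         # in-flight entertainment, passenger devices
    GROUND_PUBLIC = 1     # off-aircraft, untrusted networks

def may_read(subject, obj):
    """Simple integrity property: no read down. A subject may only read objects
    at or above its own integrity level."""
    return obj >= subject

def may_write(subject, obj):
    """*-integrity property: no write up. A subject may only write objects at or
    below its own level, so low-integrity data can never flow into a
    high-integrity object."""
    return obj <= subject

def may_invoke(subject, target):
    """Invocation property: a subject may not invoke a higher-integrity subject."""
    return target <= subject

RULES = {"read": may_read, "write": may_write, "invoke": may_invoke}

def evaluate(flows):
    """flows: iterable of (subject_level, op, object_level).
    Returns the same tuples with the Biba decision appended."""
    return [(s, op, o, RULES[op](s, o)) for s, op, o in flows]

# Constructed flows between domains (illustrative, not from the study).
SAMPLE_FLOWS = [
    (Level.PASSENGER, "write", Level.FLIGHT_CONTROL),     # IFE writing into avionics: denied
    (Level.FLIGHT_CONTROL, "write", Level.PASSENGER),     # moving-map data to the cabin: allowed
    (Level.FLIGHT_CONTROL, "read", Level.GROUND_PUBLIC),  # avionics reading untrusted ground data: denied
    (Level.GROUND_PUBLIC, "read", Level.FLIGHT_CONTROL),  # ground reading telemetry: allowed (integrity, not secrecy)
    (Level.PASSENGER, "invoke", Level.AIRLINE_SERVICES),  # cabin invoking airline services: denied
]

def denied(flows=SAMPLE_FLOWS):
    """The flows Biba rejects, as (subject, op, object) names."""
    return [(s.name, op, o.name) for s, op, o, ok in evaluate(flows) if not ok]

if __name__ == "__main__":
    for s, op, o in denied():
        print(f"DENY {s} --{op}--> {o}")
```

    The third flow is the practical difficulty: strict Biba forbids a flight-critical system from reading anything of lower integrity, so data that originates off-aircraft can only reach it through a component trusted to validate the data and raise its integrity label. Where that guard sits, and what it checks, is an architectural decision the model itself does not make.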

    Eric Fleischman is a Certified Information Systems Security Professional (CISSP) who has worked for The Boeing Company for over 16 years. He was the principal investigator on the Federal Aviation Administration’s (FAA) Airborne Networked Local Area Network (LAN) study. He was formerly Boeing's chief data communications architect, and led the migration of Boeing's previously disjoint internal network systems into a unified enterprise network infrastructure built upon Internet technologies in the early to mid-1990s. He has been active within the Internet Engineering Task Force (IETF) since 1992. He has worked for Boeing on multiple US Department of Defense (DoD) programs, helping to develop tactical military communications products and DoD network designs. He was formerly the electronic commerce architect for the Microsoft Corporation, designing and helping to deploy their electronic commerce infrastructure. He also previously worked for AT&T Bell Laboratories, Digital Research, and Victor Technologies.

  • USFoy Shiver (The Anti Phishing Working Group, US)

    The State of Internet Phishing and Fraud and Useful Means to Combat It  [schedule]

    The fight against Internet fraud and phishing is continually evolving as the miscreants change tactics in response to successful countermeasures by brand owners and fraud fighters. This presentation will discuss, by example, the current tactics employed by fraudsters as seen by APWG crime fighters, such as fast-flux name servers and variants of the Rock Phish kit, and what to expect next. Additionally, current APWG and ICANN activities to make the DNS less useful to phishers will be examined, along with the latest news from the DNS Whois privacy discussions. The talk will close with recent APWG work on strategies for talking to customers whose web servers have been compromised, how to recover useful forensic data from those servers, and how to report and remove fraudulent sites from the Internet.
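    An added example, not from the APWG or the talk: the basic fast-flux heuristic (short TTL, many addresses, spread over several networks, changing between lookups) run over constructed DNS observations. The domain names, addresses and thresholds are all assumed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed repeated lookups of two names: (domain, TTL in seconds, A records).
# Addresses are from documentation ranges and the names are made up.
OBSERVATIONS = [
    ("login-verify-example.test", 180, ["198.51.100.10", "203.0.113.44", "192.0.2.71", "198.51.100.200", "203.0.113.9"]),
    ("login-verify-example.test", 180, ["192.0.2.15", "203.0.113.130", "198.51.100.3", "192.0.2.201", "203.0.113.77"]),
    ("login-verify-example.test", 180, ["198.51.100.88", "192.0.2.9", "203.0.113.5", "198.51.100.140", "192.0.2.33"]),
    ("www.example.test", 86400, ["192.0.2.1", "192.0.2.2"]),
    ("www.example.test", 86400, ["192.0.2.1", "192.0.2.2"]),
    ("www.example.test", 86400, ["192.0.2.1", "192.0.2.2"]),
]

def summarize(observations):
    """Per domain: lowest TTL seen, distinct addresses, distinct /16 networks, lookup count."""
    stats = defaultdict(lambda: {"ttl": None, "ips": set(), "nets": set(), "lookups": 0})
    for domain, ttl, answers in observations:
        s = stats[domain]
        s["lookups"] += 1
        s["ttl"] = ttl if s["ttl"] is None else min(s["ttl"], ttl)
        for a in answers:
            addr = ip_address(a)
            s["ips"].add(addr)
            # /16 is a crude stand-in for "a different hosting network"; a production
            # monitor would map each address to its origin AS instead (assumption).
            if addr.version == 4:
                s["nets"].add(int(addr) >> 16)
    return stats

def is_fast_flux(s, max_ttl=300, min_ips=10, min_nets=3):
    """Flux if the TTL is short AND the name resolves to many addresses spread over
    several networks. Thresholds are assumptions: tune them against known-good CDNs,
    which also use short TTLs, and keep an allowlist for them."""
    return s["ttl"] <= max_ttl and len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets

def flag(observations=OBSERVATIONS):
    """Domain -> True if the observations look like fast flux."""
    return {d: is_fast_flux(s) for d, s in summarize(observations).items()}

if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        print(f"{domain}: ttl={s['ttl']} ips={len(s['ips'])} nets={len(s['nets'])} "
              f"lookups={s['lookups']} flux={is_fast_flux(s)}")
```

    A single lookup says little; the signal is the churn across lookups within one TTL window, which is why the summary accumulates addresses over all observations of a name rather than judging any one answer.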

    Foy Shiver is President and CEO of Woodstock Clinical Data Systems and Deputy Secretary-General of the Anti-Phishing Working Group (APWG). Mr. Shiver took over operations of the new non-profit Anti-Phishing Working Group in 2003 and has helped develop the organization into a global industry, law enforcement and research group dedicated to countering the growing threat of electronic crime. In 2005 Mr. Shiver accepted an appointment as Deputy Secretary-General of the APWG, in which role he is charged with cultivating the membership base around research to fight Internet crimeware and fraud. This role includes cultivation of the APWG’s eCrime Researchers Summit, an annual event that works with academic and industry partners to focus projects in the electronic crime area through publication and scholarship money.

    Mr. Shiver left a successful career at Lotus/IBM in 2000 to pursue the development of new applications in the clinical software field. He was recruited to join KafkaAdaptive, Ltd., a venture-funded UK start-up, as a member of the board of directors and Director of Development. After partial development of some clinical data logistics systems, the UK venture fund dissolved KafkaAdaptive and agreed to the appointment of Mr. Shiver as President and CEO of the successor company, Woodstock Data. In this role he continues to develop web-driven study enrollment platforms dedicated to automating study cohort formation. Meanwhile, Mr. Shiver retains a seat on the technical advisory board of Facultech, a developer of cognitive reasoning skills tests for schoolchildren based on handheld microcomputers.

  • FRFranck Veysset (France Télécom R&D, FR)

    FMC (Fixed Mobile Convergence) - What About Security  [schedule]

    Since 2007, new FMC (Fixed Mobile Convergence) solutions have been emerging. Three main technologies seem to rule the market: Wi-Fi SIP, UMA (Unlicensed Mobile Access) and small cells (femto/pico cells). These solutions look very attractive to customers, as they open new possibilities in terms of telecommunication. After introducing these technologies, we will focus on their security aspects. They may have a strong impact on customer and company security, but things are also quite complicated from the telco point of view, as new threats are emerging (operators will have to “open” part of their core network, which is not an easy issue…).

    The goal of this presentation is to give an overview of FMC solutions, including the security aspects.

    
    Franck Veysset is a network security expert working for France Telecom R&D / Orange Labs. His activities focus on Wi-Fi security, honeypots, cybersecurity and, more generally, IP security.

    He has presented at numerous technical and security conferences (BlackHat, ToorCon, Shmoocon, Eurosec, FIRST, Hack.lu...). He also serves on the program committees of several conferences (SSTIC, JSSI...). Aside from these activities, he is a member of the board of the French Information Systems and Network Security Observatory (OSSIR), and he lectures at various universities and engineering schools.


  • UKFrank Wintle (PanMedia Ltd, UK)

    Security and Education – Bringing it all Together  [schedule]

    In his address to the 19th FIRST conference in Seville, Frank Wintle argued that the exclusive “private languages” spoken by information technology specialists were a major cause of “ordinary” users falling victim to viruses, sabotage and criminal attacks, and urged delegates to find a lingua franca which would enable lay people to comprehend security practices and apply or comply with them competently and confidently.

    At the Vancouver 2008 conference, Wintle, who is FIRST’s communications consultant, takes his argument to the next stage, sharing a programme which will enable delegates to return to their organisations and take the first steps towards the conversion of “lay” colleagues into security evangelists. Wintle will argue that the experts’ constant refrain against the non-specialist mass of colleagues – “They just don’t get it!” – betrays a first and fatal flaw in the conventional approach: the division of the problem between the us-savants and the them-idiots.

    Only holistic mentoring techniques will begin the process of transforming each organisation’s culture towards an inclusively security-conscious universe. Sharing the building-block principles of his communications techniques, Wintle demonstrates how to bring colleagues onside and build up a momentum for change in which word-of-mouth (everywhere recognised as the most potent persuasive force) gradually begins to augment and reinforce more formal dialogues as part of the tutorial matrix.

    What are the major obstacles along the way? How will you know when the message is getting through? How will you stop momentum from flagging after the change-programme has ended? These are just a few of the questions which will be answered in a session which will excite delegates to rise to the challenges of a new model of security education.

    Frank Wintle runs the London-based communications consultancy PanMedia, offering courses in internal and external communications, individual coaching in communications skills, and agenda, production and presentation services for business seminars. His clients include Cisco Systems, HSBC Actuaries and Consultants, Virgin Money, E-ON Ruhrgas, Deloitte, and FIRST (the international Forum of Incident Response and Security Teams). He also trains Peace Observers in reporting and diary-keeping before their tours of duty in the Middle East.

    In his writing and producing career for factual television Frank Wintle won gold and silver medals from the New York Film and TV Festival, the Golden Gate Award from the San Francisco Film and TV Festival, best programme award from the Royal Television Society and an Emmy nomination.

    He has written two books and continues to contribute to the national Press.

  • USGavin Reid (Cisco Systems, US)

    CVSS SIG  [schedule]

    • CVSS v2 score research
      Jeff Jones
    • Update on SCAP
      Tim Grance (NIST)
    • MSP vendor PCI compliance feedback
      Ron Gula (Tenable)
    • Practical vendor implementation of PCI: demo and experiences
      Morey Haber (eEye)
    • Overview of CVSS v2 scoring guide
      Chris Johnson (NIST)
    • NIST v2 scoring research
      Karen Scarfone (NIST)

    With the time remaining we will have a roundtable discussion on CVSS futures, led by Seth Hanford and Sasha Romanosky.

    Gavin manages the Computer Security Incident Response Team for Cisco Systems. His team has global responsibility for investigation on all security monitoring, events and incidents.

  • USGeorgia Killcrece (CERT/CC – Carnegie Mellon University, US)

    Creating and Managing Computer Security Incident Response Teams (CSIRTs)  [schedule]

    This one-day course is designed to provide a high-level overview of the issues involved in creating and managing an effective computer security incident response team (CSIRT).

    For anyone who is new to the field or who is interested in the type of activities a CSIRT performs, this course will provide valuable insight and suggestions for developing such a capability.

    A high-level discussion of key issues and topics is covered in this one-day tutorial, focusing on the purpose and structure of CSIRTs, incident management processes, key design and implementation elements, CSIRT operational issues, and other CSIRT functions.

    Incident Management Mission Diagnostic (IMMD) Method  [schedule]

    The Incident Management Mission Diagnostic (IMMD) is a risk-based approach for determining the potential for success of an organization's incident management capability (IMC).

    An organization's IMC potential for success is based on a finite set of current conditions – a limited set of key indicators used to estimate the current IMC health relative to a defined benchmark. Decision-makers can determine if the current state of their IMC is acceptable, or if actions are required to improve the situation. The IMMD can be viewed as an efficient, first-pass screening of an IMC to provide a quick evaluation and diagnose any unusual circumstances that might affect its potential for success.

    This presentation will provide an overview of the IMMD method.

    Incident Management Mission Diagnostic Method, Version 1.0
    http://www.cert.org/archive/pdf/08tr007.pdf

    CSIRT Metrics SIG  [schedule]

    Georgia Killcrece is a Member of the Technical Staff and joined the CERT® Coordination Center (CERT/CC) in 1989. The CERT/CC, established in 1988, is part of the CERT® Program based at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania. Since 1999 Killcrece has led the CERT® CSIRT Development Team and takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide. She has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. She is internationally recognized as a leader in CSIRT development and has been invited to present at a number of international conferences. Killcrece also chaired the 2006 FIRST conference. Killcrece participates in the creation and delivery of public and onsite training courses, as well as facilitating workshops focused on CSIRT development. As part of broader outreach efforts in the CSIRT community, her team licenses the suite of CSIRT training materials to external transition partners. In 2003, to meet the need for trained incident handling staff, the CERT Program created and launched a certification program. From 1994 to 1999 Killcrece was a technical coordinator and incident response coordinator in the CERT/CC. In those roles, she gained firsthand knowledge of the processes involved in forming, operating, and managing incident response teams, including the dynamics of working in a fast-paced team environment. Killcrece is an author of or contributor to a suite of CSIRT documents and reports, available on the CERT web site at http://www.cert.org/csirts/. Killcrece can be reached directly by email at georgia@cert.org.


  • USGib Sorebo (SAIC, US)

    Security Breaches: To Disclose or not to Disclose  [schedule]

    Laws increasingly require breach reporting. Just when should you disclose, and to whom? This question is asked more and more often now that “breaches” include not only verified data compromises but also security vulnerabilities where there is only a mere possibility of compromise. This session will discuss recent disclosures, analyze hypothetical scenarios, and offer guidance.

    The presentation will begin by discussing the notion of the security breach and how that term has evolved from a clear-cut case of data compromise to a more speculative scenario where a vulnerability has been discovered or data was sent over the Internet in the clear. Examples of recent disclosures will be presented to show how these concepts have changed over time. We will then examine the relevant laws, such as California's SB 1386 in the US and the laws of other countries, and look at how they define security breaches and the potential implications of not disclosing. The presentation will then walk through the steps of investigating a potential breach, from the initial discovery of a security event to the notification of affected parties. The session will describe the roles of attorneys, IT professionals, and managers. The talk will then consider the pros and cons of disclosing, including the organization’s reputation, customer obligations, and the potential for over-reporting. We will then summarize a recommended approach to security breaches that takes into account the technical aspects of the potential breach, the type of information involved, and the legal obligations of the organization.

    By the end of the session, the participants will have a good understanding of the pros and cons of disclosing security breaches and will be able to provide their organizations with additional information to help make this difficult decision and to mitigate harm to customers and to the organization’s reputation.

    Gib Sorebo is a Senior Information Security Analyst and Program Manager for SAIC, where he assists government and private sector organizations in complying with legal and regulatory requirements related to information security and privacy. He has been working in the information technology industry for more than fifteen years in both the public and private sectors. He is recognized for his expertise in information security compliance, where he has helped government and commercial customers comply with FISMA, GLBA, HIPAA, and other legal obligations. Additionally, Gib leads an incident response and computer forensics team that investigates computer-based intrusions and employee misconduct. Prior to joining the private sector, he held a variety of positions with the U.S. Senate and U.S. House of Representatives in support of their information technology infrastructures.

    Gib is also an attorney, specializing in information security and privacy issues. He has been active with the American Bar Association’s Information Security Committee for several years and has contributed to publications relating to PKI, information security liability, and electronic evidence. He has spoken at national conferences on the subjects of information security liability and Sarbanes-Oxley. Gib holds a Bachelor of Arts from the University of Chicago, a Master of Arts from George Washington University, and a Juris Doctor from Catholic University. He is also an active member of the Virginia State Bar.

  • Greg Bassett (Intel Corporation, US)

    Incident Handling around the world in 80 ms. (Well not really that fast)  [schedule]

    Having a global presence looks great on paper and is perhaps even doing wonders for your bottom line. The downside to being spread across the globe is the difficulty of properly staffing certain emergency job roles, such as incident response. Not everyone is trained to do incident response; not everyone possesses the mindset for this work. The question, then, is how to operate a successful incident response program across a company where you may have a computer presence but no trained staff to address incidents.

    With the release of RAPIER 3.2, we have created a client/server architecture for our information gathering tool suite. Now a dispersed company can establish repositories for information gathering during incident handling: your IR specialists no longer have to muddle through getting accurate information off a remote system or, worse, walk someone through gathering the data over the phone. RAPIER 3.2 includes several new modules and can be configured to execute against a remote target.

    Greg Bassett joined Intel and the Ocotillo Site Automation group in August 1995 to support the production UNIX infrastructure for manufacturing operations. As a Senior UNIX Engineer, he provided creative solutions to address availability, performance, security and capacity issues on a variety of mission-critical UNIX systems and configurations. He led a variety of cross-site teams, including an effort to reduce patching timelines across manufacturing sites. In late 2004, he joined the Security Operations Center as a security specialist to drive operational efforts to identify and analyze new malware and other external threats, and to research and test mitigations to protect internal networks. He developed the Automated Worm Detection Tool (AWDT), an automated system to load firewall blocks based on infected-system traffic seen through NIDS and other sources. Prior to joining Intel, Greg worked for Digital Equipment Corporation Manufacturing, testing and troubleshooting Alpha/VAX systems.

    Contact Email: greg.l.bassett@intel.com

  • Haythem EL MIR (Technical Department / NACS, TN)

    Tunisia’s experience in building an information sharing and analysis center  [schedule]

    Tunisia, as an outstanding example of a developing country, has built its CERT and launched many projects to improve computer security at the national level. In this paper we present the approach used to set up an ISAC in a specific environment and context, while taking into account several constraints such as socioeconomic factors.

    We will present the different components of the project as well as the mechanisms deployed to build a collection, analysis and risk assessment system that reports on potential threats to the national cyberspace.

    Haythem EL MIR is an information security professional; he was a member of the founding team of the National Agency for Computer Security and the Tunisian CERT. He is now the NACS Technical Manager, responsible for national IT security projects, critical infrastructure protection, cyberspace monitoring, etc.

    He is also currently the head of the incident response team at cert-Tcc, which deals with incident handling at the national scale and with computer forensics. With 6 years of experience in the IT security field, Haythem is a security trainer and works as a consultant for many companies.

  • Dr. Heiko Patzlaff (Siemens AG, Corporate Technology, CT IC CERT, DE)

    Push-Email in the Enterprise. Is it BlackBerry, WindowsMobile or Symbian?  [schedule]

    Over the last few years push-email on mobile devices has become a major trend and is being taken up by companies to mobilize their workforce. Various risks are associated with the use of mobile devices outside the company perimeter, in particular with respect to the transmission and storage of confidential information.

    This paper compares the different approaches the three operating system platforms Symbian, Windows Mobile and Blackberry take in offering this functionality. It explores the security architectures and features and evaluates the suitability for a deployment in the enterprise.

    The paper develops a set of criteria for comparing the security features of mobile devices. It covers the areas of infrastructure security, device security, services, protection of static data, protection of data in transit, administration and mobile malware.

    Heiko Patzlaff

    Born in 1966, Mr. Heiko Patzlaff received a PhD in statistical theoretical physics from Leipzig University. For several years he worked in the anti-virus industry as a researcher and systems developer for Sophos Antivirus in Oxford, United Kingdom. He is currently employed by Siemens Germany, where he is responsible for forensic and malware topics and is involved in various research activities. He lives with his wife and three children in Munich and enjoys outdoor activities in the nearby mountains and the local Bavarian cuisine.


  • Ivan Krstić

    The Dark Future of Desktop Security and How to Stop It  [schedule]

    It's 2008. About 75% of all corporate machines are infected with at least one piece of malicious code. We're seeing the emergence of weapons-grade botnets, designer trojans, smart mobile malware, and the graduation of the black hat community from what was once a ragtag army of rebels without a cause to a group of well-paid professionals engaging in research-quality work to rake in profits and evade detection. The entrenched players in the security industry have been predictably slow to respond. Now, seemingly bewildered by the new security landscape, they are increasingly finding salvation in restrictive new systems that threaten to transform your computer into little more than a glorified abacus. There must be a better way. This session will turn to history and explain how we dug ourselves into the present predicament, and then look at Bitfrost, the One Laptop per Child security system, for lessons on how we might dig ourselves out.

    Ivan Krstić is a software architect and researcher currently on leave from Harvard University. Until recently, he worked as director of security architecture at One Laptop per Child, an education non-profit that aimed to produce a $100 laptop for children in the developing world. Prior to that, Ivan served as director of research at the medical informatics laboratory of a European children's hospital, tackling infrastructure and security problems in wide-scale digital healthcare. Ivan is deeply involved in open-source and free software, co-authored the best-selling Official Ubuntu Linux Book, and specializes in architecture and security of large distributed systems.

    He has consulted on both matters for some of the largest websites on the Internet. Described by Wired magazine as a "security guru", in 2007 the MIT Technology Review named him one of the world's top innovators under the age of 35 for his work on the OLPC security platform, Bitfrost. Recently, eWEEK declared him one of the top three most influential people in modern computer security.

  • Ivo Carvalho Peixinho (CAIS/RNP – Brazilian Federal Police, BR)

    Tales from the dark. Diary of a compromised Windows Vista  [schedule]

    This presentation is a work-in-progress study. A Windows Vista system was configured with an SSH server and weak passwords. The diary to be presented will show all the activity carried out by miscreants over a 9-month period. This honeypot has been online for 3 months now and will be kept running until the conference, where all the information collected will be shared. In the first three months this experiment has shown very interesting findings, since attackers were not expecting to find a Windows system when brute-forcing SSH.

    Ivo Peixinho

    Ivo de Carvalho Peixinho has a BS degree in Computer Science from Universidade Federal da Bahia, with two postgraduate degrees, one in Distributed Systems and another in Mechatronics. He is also a BS7799 certified auditor.

    Ivo has more than 10 years of experience in network security, and worked the last two years in security research and incident handling. He currently works as a Forensics Expert at the Brazilian Federal Police Department.


  • J. D. Frazer (UserFriendly.org, CA)

    Insecurity  [schedule]

    Human beings by their very nature are insecure. They spend all of their lives seeking ways to make themselves feel more secure, and usually fail despite superhuman efforts, huge spending and support from the rest of their tribe. Professionals in Information Technology face exactly the same situation, except for the huge spending and tribal support parts.

    This talk will cleverly point out the absurdities we face as we each search for a safe corner against which we can place our backs.

    JD "Illiad" Frazer is a Canadian 40-something cartoonist, writer and occasional thinker. He started down the hallowed path of technology at a tender age, immersing himself in punch cards, acoustic couplers, and eventually, boat anchors. His greatest epiphany came when he beheld modem-transferred text that appeared faster than he could read it. His much-too-indulgent cartoon strip UserFriendly.Org has been published once a day, every day, since November of 1997, and has appeared in such august publications as The National Post, Linux Journal, and the Spuzzum Weekly Courier. He's won a few awards but his neighbour's dog has eaten them all. Despite his generally facetious approach to life, he is a vocal advocate of freedom of expression, corporate ethics and rational discourse. He has spoken at over fifty events in North America, Europe and Australia.

  • Jacomo Piccolini (CAIS/RNP – Brazilian Academic and Research Network, BR)

    Phishing without URL, when miscreants go malware  [schedule]

    This presentation will focus on phishing that does not rely on fake URLs and fake web pages. Three examples of phishing that need no fake page will be shown during this live presentation. This new vector used by phishers needs to be known by the security community in order to identify this type of attack.

    Tales from the dark. Diary of a compromised Windows Vista  [schedule]

    This presentation is a work-in-progress study. A Windows Vista system was configured with an SSH server and weak passwords. The diary to be presented will show all the activity carried out by miscreants over a 9-month period. This honeypot has been online for 3 months now and will be kept running until the conference, where all the information collected will be shared. In the first three months this experiment has shown very interesting findings, since attackers were not expecting to find a Windows system when brute-forcing SSH.

    Jacomo Dimmit Boca Piccolini

    Jacomo Dimmit Boca Piccolini has an engineering degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two postgraduate degrees, one obtained from the Computer Science Institute and the other from the Economics Institute of Universidade de Campinas - Unicamp. He is a GCIA (GIAC Certified Intrusion Analyst) and GCFA (GIAC Certified Forensics Analyst), working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.


  • Jeff Boerio (Intel Corporation, US)

    Automating Vulnerability Management in a Heterogeneous Enterprise  [schedule]

    Managing the response to vulnerabilities in a heterogeneous enterprise is no simple task. Significant growth in applicable vulnerabilities, a complex network of devices, and constrained budgets create a resourcing problem for managers. In this paper, we will propose some measures for handling the growing number of alerts while decreasing the staff needed to do so. We begin with a review of the vulnerability management process, offering suggestions to improve consistency in processing vulnerability reports and risk ratings. Then we examine possible solutions for automating and streamlining several key steps of the process, such as processing alerts, assigning risk, and dispositioning them for patching.

    Jeff Boerio is an Information Security Specialist for Intel Corporation. He has two main focuses there. One is managing the IT Emergency Response Process for intelligence gathering, meaning that in a cyber incident he and his team are responsible for gathering and reporting as much information as possible. The second is managing the operational security of UNIX platforms across the company, including driving enforcement of minimum security specifications for operating systems and applications as well as the hardening of the same. Jeff was hired by Intel in October 1993 after obtaining a Bachelor of Science in Computer Science from Purdue University, and has held positions from UNIX Systems Administrator to Software Project/Program Manager. He also has a GIAC Security Essentials Certification (GSEC Silver) from SANS. When not at work, Jeff and his wife live in the heart of Oregon’s wine country on a small farm, raising his three-year-old son and caring for five horses. He enjoys wine, photography, rock n’ roll, sports and Corvettes. Not necessarily in that order.

  • Jeff Williams (Microsoft, US)

    Malware Without Borders - Multi-Party Response  [schedule]

    As malware and potentially unwanted software become motivated more and more by financial gain, their nature is also changing. The attackers often use social engineering techniques to lure the user into running their code, and usually show some messages or bogus warnings in a particular language. The effectiveness of the attack in any specific region will then depend on the popularity of that language in that region. Other factors may also have an impact, such as the level of user education in that region and the usage of security products there. The result is that we see more and more threats that affect specific countries or regions more than they affect others. This paper will give an overview of some major differences in the types of malware and spyware that exist in different regions around the world and will provide specific examples. The information for this paper is collected from hundreds of millions of computers around the world.

    Given the locality of many of the threats, the model of national response teams and organizational response teams can be extremely helpful. The paper calls for an even higher level of interaction between these response teams and the security software industry, and presents several working examples that illustrate success.

    As the principal group manager for the Microsoft Malware Protection Center (MMPC), Jeff Williams is responsible for the coordination of response activities both within the MMPC and in the broader research community. He is also involved in the release of protection technologies such as the Malicious Software Removal Tool (MSRT).

    Williams is responsible for a number of critical functions for Microsoft Corp.’s anti-malware research and response efforts, including the monthly release of the MSRT, internal and external outreach to security researchers and partner organizations, competitive analysis, and the incubation and business development of new response technologies and methods. His team is responsible for handling vendor inquiries and disputes relating to inclusion in Windows Defender and Windows Live OneCare anti-malware definitions, and provides subject matter expertise and analysis for Microsoft’s semiannual Security Intelligence Report. In addition, Williams helps represent Microsoft to industry organizations such as the Anti-Spyware Coalition, a consortium of anti-malware companies and nonprofit organizations, and manages the Microsoft Virus Initiative, a program to share critical security information with other anti-malware independent software vendors.

    Williams has worked in security at Microsoft since October 2001, when the company launched its Strategic Technology Protection Program, the precursor to today’s Trustworthy Computing. Before his current position, Williams served as divisional privacy officer for Microsoft’s support and consulting businesses, where he was responsible for protecting data relating to Microsoft’s customers, employees and partners on thousands of systems and educating thousands of employees worldwide on privacy and data protection. Williams also ensured that the methods the company uses to collect, store, use and transport such data were conducted in a manner that complied with all laws and the higher bar of Microsoft’s corporate policies relating to data handling.

    Before joining Microsoft in 2000, he was senior network architect for an international provider of financial services in San Francisco, and an adjunct professor of risk management and telecommunications for the University of Phoenix’s Bay Area campuses.

    Williams holds a master’s degree in business administration in technology management from the University of Phoenix. He received his bachelor’s degree from Bennington College.

  • JinWook Choi (Financial Security Agency, KR)

    Efforts to Secure Electronic Financial Transactions  [schedule]

    Securing electronic financial transactions has been an important issue all over the world.

    In Korea, the number of Internet banking customers has increased dramatically, reaching 42,450,000 (Sep. 2007) across 19 banks, and the government has paid close attention to setting up policy and technology to make online transactions safe.

    Accordingly, every financial institution in Korea that offers an online service must provide security programs, such as anti-virus and anti-keylogging software, to its customers. However, cyber threats to financial institutions and their customers increase day by day and attack techniques evolve constantly, so a dedicated organization is needed to follow up on and fight such risks. Consequently, the Financial Security Agency (“FSA”) was established in Dec 2006.

    In this presentation, incident cases, new threats, and the efforts of Korean financial institutions and government will be introduced.

    KFCERT, within the FSA, has been a full member of FIRST since Dec. 2007.


    JinWook Choi joined the FSA as a founding member in December 2006 and works as a security coordinator. JinWook was a KrCERT/CC member in 2003 and 2004 and has experience in online game security (NCSOFT, 2004-2006) and military (retired, Navy Lieutenant Junior Grade). He has a Bachelor’s degree in Computer Science from SoongSil University and has also studied at the University of Victoria, Canada as an exchange student.


  • John Stewart (Cisco Systems, US)

    The Enterprise’s Role in Protecting Critical Infrastructures  [schedule]

    In today’s networked world, private industry plays an increasingly vital role in the physical and cyber protection of critical infrastructures. Companies in the U.S. and across the globe are evolving close partnerships with government counterparts to address growing infrastructure complexity as well as local and worldwide threats. Cisco’s commitment and leadership in cyber-security, global incident response collaboration, public-private partnerships and information sharing demonstrates the positive effect that enterprises can have on helping to secure public critical infrastructure. Join Cisco chief security officer John N. Stewart as he shares his perspective on the opportunities associated with delivering, managing, and expanding the reach of corporate security programs in a global environment relative to critical infrastructure assurance.

    John Stewart

    Mr. Stewart provides leadership and direction to multiple corporate security and government teams throughout Cisco, strategically aligning with business units and the IT organization to generate leading corporate security practices, policies, and processes. His organization focuses on global information security consulting and services, security evaluation, critical infrastructure assurance, eDiscovery, source code security, identification management, as well as special programs that promote Cisco, Internet, and national security. Additionally, he is responsible for overseeing the security for Cisco.com—the infrastructure supporting Cisco’s more than $35 billion business.

    Mr. Stewart’s longstanding career in information security encompasses numerous roles. He was the Chief Security Officer responsible for operational and strategic direction for corporate and customer security at Digital Island. Mr. Stewart has served as a research scientist responsible for investigating emerging technologies in the Office of the CTO at Cable & Wireless America. He has professional experience in software development, systems and network administration, and is a software specialist, author, and instructor.

    Throughout his career, Mr. Stewart has been an active member of the security industry community. He served on advisory boards for Akonix, Cloudshield, Finjan, Ingrian Networks, Riverhead, and TripWire, Inc. Currently, Mr. Stewart sits on technical advisory boards for Panorama Venture Capital (formerly JPMorganPartners Venture), RedSeal Networks, and Signacert, Inc. He is on the board of directors for KoolSpan, Inc., and a member of the CSIS commission on cyber security for the 44th Presidency.

    Mr. Stewart’s publications and recent speaking engagements include:

    • Author, Securing Cisco Routers Step by Step
    • Co-author, Internet WWW Security FAQ, found online at the W3C
    • FIRST 20th Annual Conference, 2008 Vancouver, British Columbia
    • AusCERT2008 Asia Pacific Information Security Conference, 2008, Gold Coast, Australia
    • RSA Conference, 2008, San Francisco, CA
    • CSO Perspectives, 2008, Atlanta, GA
    • DHS Kauffman Foundation IT Security Entrepreneurs' Forum, 2008, Stanford University, CA
    • Federal Aviation Administration’s IT/ISS Partnership/Training Conference, 2008, Atlanta, GA
    • Canadian Privacy & Security Conference, 2008, Victoria, British Columbia

    Mr. Stewart holds a Master of Science Degree in Computer and Information Science from Syracuse University, Syracuse, New York.


  • Johnathan Nightingale (Mozilla, CA)

    The Most Important Thing: How Mozilla Does Security and What You Can Steal  [schedule]

    In this presentation, Johnathan Nightingale will share best practices for building secure applications when implementing an open source model. He will highlight the benefits of remaining open and transparent throughout the security process.

    Developers generally agree on the importance of security, but there are many ways to incorporate security into the development environment. With threats emerging daily, the importance of building more secure applications is rising. A solid security process throughout the development lifecycle will provide a road map to guide the team in making and measuring security improvements during every step of application development.

    Mozilla’s open source security model describes how to build security into a software project. Johnathan will share the 5 primary aspects of applying this model to the development environment:

    Security Design

    • Evaluating the impact of new features on the security architecture

    Security Implementation

    • How to establish best security programming practices
    • Balancing the compromise between security and functionality

    Security Testing – How To

    • Engaging security vendors
    • Tools – building your own and leveraging existing

    Security Response

    • Creating processes to address the inevitable external security report
    • Shipping security updates – making security updates less painful for users
    • Engaging and building trust within the security community
    • Transparency – external visibility for the process

    Security Metrics

    • How to measure security progress
    • How to evaluate security strength and improvement

    Johnathan Nightingale is the Mozilla Corporation's Human Shield. Educated in cognitive science and artificial intelligence, now working on security, usability & coding for Firefox, he can usually be found occupying the centre of a Venn diagram. He has written for Dr. Dobb's Journal about software integration, and for O'Reilly's Make: magazine about making tea. He lives just outside Toronto, Canada, in a house that needs more room for books.

  • Juan Díez González (INTECO, ES)

    National spam monitoring network  [schedule]

    Spam, as unsolicited e-mail, has become a serious problem not only for final users, but also for companies that use e-mail on a daily basis at work, due to the economic damage that it causes. Nowadays, it seems that this issue has no direct solution, although more and more efficient antispam solutions are constantly developed.

    In this context, it is extremely important to have mechanisms that allow us to measure in some way the most significant information about the current spam situation.

    For this reason, given its status as a national public institution, INTECO-CERT has promoted the establishment of collaboration agreements with a group of different and varied organizations. As a result of these agreements, programs acting as sensors or meters have been installed in these organizations to collect information about spam. The information is centralized and properly analyzed, which makes its later use easier.

    The most useful information that results from this process is shown in the form of statistics on a web site accessible to the general public, thanks to the advantages that the widespread use of the Internet offers.

    In this sense, users can interact in a friendly way with the application, which will offer them results that can be easily interpreted and a general view of the spam situation in Spain and in the rest of the world.

    Juan Díez González holds a degree in Computer Science from the University of León and an MCSE certification from Microsoft.

    He has more than seven years of experience in the IT sector, basically in IT Consulting projects for clients, such as Cap Gemini, Oracle EMEA, T-Systems, the Regional Government of Catalonia and BBVA.

    In 2006, he joined ISDEFE, becoming a member of the Centre of Early Alert on Viruses and Computer Security.

    Currently, he is the Head of the Development Team of INTECO-CERT, actively involved, among other projects, in the deployment of a sensor network of spam detection.

  • Kenneth R. van Wyk (KRvW Associates, LLC, US)

    Identifying network scanning tools  [schedule]

    We propose that proper identification of automated network scanning tools has value to network monitoring teams. Currently it is simply misunderstood, improperly handled, or overlooked. Furthermore, there is value in identifying and cataloguing the identifying features and options used in those tools. Using a few open source tools (tcpdump, the SiLK toolset - rwscan with Threshold Random Walk - and MySQL) we will show that valuable information can be catalogued through a simple process of detecting, identifying, and transforming captured network packets (pcap) into a much smaller database record with identification characteristics. This process can also be seamlessly implemented in existing open source NSM products like Sguil, ACID, or BASE.

    The following are valuable analysis results gained from identifying and storing scan metadata:

    • Eliminate known scans from unknown traffic to focus on what is left
    • Identification of a pattern of pre-attack reconnaissance to interrupt an attack cycle
    • If the pre-attack reconnaissance is missed but a pattern is still discernible, the effort to size and scope the incident is quickly reduced by identifying all possible external systems used in the reconnaissance phase. Note that this is not limited to the attacking IP or only to systems still in the raw pcap data.
    • Truly identify a scan, not just detect it, to pare down IDS false positives.
    • Free up IDS/IPS resources associated with scan detection and storage.
    • Identify what information could have been gained from the scan.
    • Determining the motivation behind a scan or series of scans that form a pattern, assisting in triage and situational awareness.

    Security Testing: Moving Beyond the Penetration Test  [schedule]

    Penetration testing is the most common form of security testing for software, yet it fails the most basic measurement of testing efficacy: code coverage. To thoroughly and rigorously test the security of software, we must go beyond the penetration test. This session describes many of the testing methods available today, including fuzz testing and dynamic validation, as well as how to improve penetration testing practices to drive up measurements such as code coverage.

    Kenneth R. van Wyk

    Kenneth R. van Wyk is an internationally recognized information security expert and author of the O’Reilly and Associates books Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC (http://www.KRvW.com), he currently holds numerous positions: founder and moderator of the “Secure Coding” mailing list, SC-L@SecureCoding.org; member of the Board of Directors and Steering Committee of the non-profit organization FIRST.org, Inc. (http://www.first.org); monthly columnist for the online security portal eSecurityPlanet (http://www.eSecurityPlanet.com); and Visiting Scientist at Carnegie Mellon University's Software Engineering Institute (http://www.sei.cmu.edu). Ken has 20+ years’ experience as an IT security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, and Science Applications International Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.

    Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At Carnegie Mellon University’s Software Engineering Institute, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University, is a frequent speaker at technical conferences, and has presented tutorials and technical sessions at CSI, ISF, USENIX, FIRST, AusCERT, and others. Ken is also a CERT® Certified Computer Security Incident Handler.

  • Klaus-Peter Kossakowski (PRE-CERT – PRESECURE Consulting GmbH, DE)

    CERTification: Assessing CSIRT Maturity  [schedule]

    The CSIRT scene is maturing slowly. If it was in its infancy in the early 90s, then it is in its teens now – still developing, but the signs of maturity are visible. CSIRTs need to be measurable in their maturity for at least two reasons:

    • (1) all ICT services and structures are experiencing a growing demand for quality and measurement of that quality – CSIRTs are no exception;
    • (2) the growing importance of the Internet in all aspects of business and society in general means that the worldwide cooperation of CSIRTs needs to be judged against increasing standards – therefore CSIRTs need the capability to objectively and verifiably assess each other’s operating and policy standards.

    This paper proposes a model which evolves from the already existing CSIRT accreditations (e.g. Trusted Introducer) to better and more objective measures of CSIRT maturity and quality through verification and certification. This model focuses on team maturity rather than the personal development of CSIRT members; certification of team members nevertheless remains a potential parameter in assessing CSIRT maturity. Further, the authors will demonstrate the benefits of increasing maturity this way – benefits for management/board level, for the team itself and for interoperation with other CSIRTs (and other stakeholders). The boundary conditions for accreditation and certification will be discussed, including the need for a self-funded, independent, community-oriented verification mechanism.

    As the co-chair of the IETF working group “Guidelines and Recommendations for Incident Processing” (GRIP), he was instrumental in the development of RFC 2350, which provides a format for descriptions of CSIRT services. He is also the author of many papers about CSIRTs and international cooperation. Together with Don Stikvoort he initiated a closer cooperation among European CSIRTs and organised several annual meetings to support these. He was elected as a member of the FIRST Steering Committee in 1997, 1999, 2001 and 2003. From June 2003 to June 2005 he represented FIRST, the worldwide forum of CSIRTs, product security and abuse teams, as its Chair. Most recently he became chair of the ENISA ad-hoc working group on CSIRT cooperation.

  • Kowsik Guruswamy (Mu Dynamics, US)

    Who’s watching the watch dogs? Security Audits for network infrastructure security enforcement devices  [schedule]

    Many products simulate attacks on end-systems and validate whether or not the systems are up-to-date with their patches. However, there are very few, if any, analysis tools to verify whether network infrastructure security enforcement devices such as Intrusion Prevention Systems, Firewalls, UTMs, or any deep-inspection device are themselves vulnerable to 0-day attacks. In other words, nobody is watching the watchdogs.

    There is an ongoing need to audit network infrastructure security enforcement devices to ensure that they have the ability to block attacks and protect end-systems and networks as advertised.

    This presentation will discuss the new security analyzer market and solutions, and why security analyzers are instrumental in providing systematic, comprehensive negative testing and auditing. The speaker will also discuss why it is essential that customers continuously audit and conduct negative testing on their network infrastructure in order to min