Program Overview
- Keynote Speakers
- Side events
- Workshop
- Tutorials
- Geek Zone
- Main Conference
- Special Interest Groups
- Added Attractions

Keynote Speakers

Lord Toby Harris of Haringey (House of Lords, UK)
Lord Toby Harris was made a Life Peer in June 1998. He is Chair of the All-Party Parliamentary Group on Policing and Treasurer of the Parliamentary Information Technology Committee (PITCOM). He is also a member of the House of Lords Select Committee currently investigating Personal Internet Security.
He was born in 1953 and graduated from Cambridge University in 1975, having studied Natural Sciences and Economics. His professional career began with four years in the Economics Division of the Bank of England. He then spent seven years at the Electricity Consumers Council, becoming Deputy Director in 1983. In 1987, he became Director of the Association of Community Health Councils for England and Wales (the national statutory body representing patients' interests). He remained there until October 1998, when he established his own public affairs consultancy, Toby Harris Associates. Organisations he advises or has advised include KPMG, the National Grid, Unisys, the Anite Group, Transport for London, Wyeth Laboratories and the Commission for Patient and Public Involvement in Health.
He was a member of the London Assembly from May 2000 to June 2004, on which he led the Labour Group. He was the first Chair of the Metropolitan Police Authority (MPA) during that period and a member of the Executive of the Association of Police Authorities from 2000 to 2006. He continues to sit on the MPA as the representative of the Home Secretary, with a remit to oversee the national and international functions of the Metropolitan Police - primarily its counter-terrorism role.
He was a member of Haringey Council from 1978 to 2002 and was its Leader from 1987 to 1999, having previously spent five years as Chair of Social Services. He was Chair of the Association of London Government, representing the 33 local authorities in London, from its formation in 1995 until 2000, having previously chaired the Association of London Authorities.
From 1986 to 1993, he was Chair of the Association of Metropolitan Authorities Social Services Committee and led for local government in negotiations about the introduction of Community Care and the Children Act. He is Vice-President of and was formerly a member of the Executive of the Local Government Association.
He has been a non-executive director of the London Ambulance Service, a Senior Associate of the Kings Fund, and a member of the Committee on the Medical Effects of Air Pollutants.
He is a former member of the Committee of the Regions of the European Union.
Prioritising Information Security
Information security is not given a high enough priority by individuals, by the corporate sector and by Government. There are a variety of reasons for this: emotional, cultural, financial and cynical. Is information security user-friendly enough? Whose responsibility is it anyway? What should the service providers be doing? What should Governments be doing? Does the global nature of the internet make solutions impossible? Is Microsoft's Vista the answer? Is self-regulation sufficient or does there have to be legislation? Are market pressures a help or a hindrance? Who is going to clear the mess up when it all ends in tears?

Francisco García Morán (Director General, DG Informatics, European Commission, EU)
Francisco García Morán holds a degree in Mathematics from the University of Sevilla and a degree in Computer Science from the Polytechnic University of Madrid.
He worked as a teacher at the University of Sevilla and as an IT analyst at its Data Centre between 1974 and 1976.
He joined the Data Centre of the Ministry of Education and Science in Madrid in 1976, where he held several positions as head of department and started the project of "decentralised IT" for the Delegations of the Ministry.
In 1982 he joined the Ministry of Education and Science of the Regional Government of Andalucia, where he headed the IT department for nearly 4 years.
He joined the Informatics Directorate of the European Commission in November 1986 and held several positions in charge of IT solutions for office automation, information systems development and Data Centre environments.
In 1998, he joined the Directorate General for Translation as Head of the IT unit, until he was appointed Director of "Informatics" in the Directorate General for Personnel and Administration in April 2001.
Since May 2004, he has been heading the Directorate General for Informatics (DIGIT), where he was appointed Deputy Director General in July 2004. He was appointed Director General in November 2005.
Since 01/01/2007 his Directorate General has been responsible for the IDAbc (Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens) programme.
He sits as the representative of the European Commission on the Management Board of ENISA (European Network and Information Security Agency) and also sits on the "Advisory Committee for eAdministration" to the Minister of Public Administration (MAP) in Spain.
The speech will present the security strategy of the European Commission in the framework of the EU security policy as outlined by the European Council in 2004.
After introducing the European Commission and its role in the EU institutional framework, the presentation will describe the EC's IT organisation and governance and will highlight the role of security in the "Roadmap towards an Integrated eCommission", the internal eGovernment initiative of the EC launched in the context of the i2010 initiative.
The presentation will outline the principles inspiring the security policy, "a secure Europe in a better world", and will describe the EC strategy for Network and Information Security, explaining the dimensions of the problem, from technical to social and ethical. Then the Research Security Policy will be introduced, describing all the efforts and preparatory actions that led to the allocation of 1.4 M for security research in FP 7.
It will also describe the initiatives regarding Safer Internet and those in the area of Justice, Freedom and Security.
Finally, the EC internal security policy will be outlined and the implementation efforts regarding the policy will be presented, including a description of the perimeter security infrastructure, the security of IT configurations and Information Systems, and the measures put in place to fight viruses and spam.

Andrea Pirotti (Executive Director, ENISA, EU)
Andrea Pirotti has been the Executive Director of the European Network and Information Security Agency (ENISA) since 2004.
He has been Vice President at the British-owned company Marconi spa and Managing Director and General Manager of Marconi subsidiary companies in Asia, South America and Spain.
He held positions at the Italian Ministry of Communications, including Counsellor to the Italian Minister of Communication.
During 1967-76 he was an Italian Army Signal Corps officer. He is a graduate of the Military Academy, Signal Corps, and holds a University Degree in Strategic Science.
Why was ENISA created?
ENISA was conceived in the spring of 2001, at a time when there was only limited co-operation and information exchange between the Member States of the European Union (EU), governments and industry in the field of Information Security. At the same time, the paramount importance of ensuring the continued functioning of the Information Society was becoming increasingly clear, given its growing impact on everyday life, business and the Digital Economy.
ENISA was created to bridge gaps, to promote good practice and to spread a culture of security across Europe. By using an open method of co-ordination between the Member States and industry, ENISA is facilitating and contributing to a significant improvement in the exchange of Information Security knowledge and best practices between the Member States. The Agency also acts as a spokesman on Network and Information Security (NIS) matters within the EU.
Why is NIS important?
It is not necessary to explain the importance of Network and Information Security, as the audience at the FIRST AGM is fully aware of it. Just to sum up our mission:
ENISA:
- Is a Centre of Excellence for Member States and EU Institutions in Network and Information Security
- Is a switchboard of information on Good Practice
- Facilitates contacts between EU institutions, the Member States and private business and industry
In these ways, ENISA contributes towards the modernisation of Europe and helps secure the smooth functioning of the Digital Economy and the Information Society.
ENISA and the CERT communities
CERTs in Europe identified very early on that co-operation was crucial for successful incident response, as attacks from the Internet are global by nature and call for teamwork across traditional borders. CERTs collaborate in communities like TERENA's Task Force CSIRT (TF-CSIRT) and the European Government CERT Group (EGC). Such communities are essential as rich sources of information, tools and activities for network and information security. In its role as a facilitator and information broker, ENISA promotes CERT co-operation and helps these communities grow stronger in Europe and beyond!
ENISA and FIRST
ENISA acknowledges the importance of FIRST as a worldwide facilitator of CERT cooperation. This is the reason why, since September 2006, ENISA has been a Liaison Member of FIRST. The potential benefit is mutual:
FIRST acts as a premier provider of (not only) CERT-related security information and assembles under its umbrella a world-spanning network of Computer Emergency Response Teams, hardware and software vendors and other security experts. ENISA's experts can learn much from the expertise and good practices collected and provided by FIRST.
ENISA brings together the public and the private sectors to join forces in their efforts for a more secure Internet - a role that it shares with FIRST. ENISA also acts as a contact point for the EU Member States and all EU Bodies, and acts as a premier channel for NIS-related information to these stakeholders. So ENISA is the most obvious body to bring FIRST's important messages and information to otherwise impossible-to-reach audiences.
ENISA will be open for further collaboration with FIRST in the field of CERT cooperation and beyond!

Mary Ann Davidson (Chief Security Officer, Oracle, US)
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was recently named one of Information Security's top five Women of Vision and is a 2004 Fed100 award recipient from Federal Computer Week.
Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
Securing the Brave New World
The increasing reliance of organizations on information technology makes IT the backbone for much of critical infrastructure. At the same time, IT infrastructure has morphed from a model of well-defended castles of information to multiple tents housing disparate data, with, in some cases, a welcome mat in front of each tent. How can the security landscape evolve to effect a correct balance between openness and secrecy? How can the security community itself evolve - including users, guardians, and police of information - to ensure that cybercommunities continue to be inhabitable and hospitable, instead of The Wild West?

George Stathakopoulos (General Manager of Product Security, Microsoft, US)
As general manager of Microsoft product security for the Security Engineering and Communications Group, part of the Security Technology Unit at Microsoft Corp., George Stathakopoulos directs four teams of more than 100 people that collectively help make Microsoft® products and services more secure and help protect the company's customers from online threats. The four teams have the following responsibilities:
- The Security and Privacy Product Policy team creates internal policies and processes to ensure that security is a primary consideration during product development and throughout the security development lifecycle (SDL).
- The Secure Windows® Initiative is designed to check for vulnerabilities in products and enforce the SDL, using methods hackers employ to find potential security weaknesses.
- The Microsoft Security Response Center responds to externally reported vulnerabilities and coordinates the company's response to viruses and worms.
- The Security Community Team reaches out to security researchers, industry groups, technology companies and governments to collaborate on security-enhancement projects and increase awareness of Microsoft's security efforts.
Stathakopoulos began working for Microsoft in 1991. Before his current role, he helped several Microsoft product groups, including the Microsoft Internet Explorer and Windows groups, respond to security issues and enhance product security. He has been on the front line of Microsoft's response to every major computer worm, including Melissa, I Love You, BubbleBoy and Zotob.
After working on Microsoft Excel®, Windows 3.1, Windows 95 and Internet Explorer®, Stathakopoulos began focusing on security in 1996, spearheading Microsoft's response to the first Internet Explorer security bugs. That same year he helped form the first Internet Explorer Security team, which was among the first monitors of the secure@microsoft.com e-mail address.
Stathakopoulos joined Microsoft after graduating from Portland State University in Portland, Ore., where he earned a computer science degree in 1991. He also holds Certified Information Systems Security Professional (CISSP) certification.
Born and raised in Greece, Stathakopoulos moved to the U.S. when he was 19. He remains fluent in Greek and visits his homeland at least once a year. Away from work, he enjoys scuba diving and photography.
- General history of Microsoft security efforts
- Current situation in the ecosystem
- Microsoft's strategy
- Call to action

Graham Whitehead (Futurologist, BT, UK)
Graham Whitehead joined the British Post Office in 1968 as a Post Office University Student. He spent 12 months, before attending university, in all parts of the business from the chairman's office to the deepest, muddiest hole in the ground. He graduated from Leeds University in 1972 with a BSc honours degree in Mechanical Engineering. He is a member of the IMechE and IEE.
He joined the BT Laboratories after graduation and has worked in a wide variety of disciplines, such as mechanical connections and structures, optical transmission systems, the packaging and cabling of optical fibres, and hydrospace engineering. He was production manager of the optical receiver project which designed and manufactured the receivers used in the TAT-8, PTAT and NPC trans-Atlantic and trans-Pacific submarine systems. For the latter he was awarded the Queen's Award for Technology in 1990.
In 1989 he moved to the USA on secondment to Du Pont as the production manager and co-ordinator for the manufacture of the optical amplifiers and tuneable narrow-linewidth lasers which were part of the product portfolio of BT&D, a joint venture of the two companies.
In 1990 he returned to the BT Labs and was appointed manager of the Business Systems Group which investigates the modelling of business structures and their mutual interactions.
In 1992 he became BT's Advanced Concepts Manager. Over the last few years he has specialised in presenting the work of the BT Labs to both customers and other parts of BT. He delivers more than 300 presentations every year, and has produced a series of video tapes. He also contributes to many journals, newspapers, radio and TV programmes.
In 1999 he became one of BT's Principal Consultants looking at the future of telecomms and IT.
In 2004 he was appointed as Visiting Professor at the Business School at Salford University.
He lives in East Anglia and has two children: Sarah, an Environmental Science graduate, and John, an Aerospace Engineering graduate. He is an active Morrisman, and plays and calls for most of the folk bands in East Anglia. To get away from it all he walks over mountains - a difficult task in the eastern counties!
You Haven't Seen Anything Yet!
The human race has always been fascinated by numbers and computing. Recently I have been challenged that Moore's Law (created by Gordon Moore in 1968, which predicted that the number of transistors on a chip would double every two years and the price would halve in the same time) will not only cease being true but will saturate and flatten off. I do not believe this to be the case - I see in the next few years greater and greater computing power being available.
The advent of Broadband connections, originally by ADSL, and new networks like BT's 21CN will bring an era of AORTA (Always On Real Time Access). The human will be abstracted from the complexity of searching for information. Artificial Intelligent Agents will wander around this new information maze looking for information that might be of interest to you and push it towards you. These agents will have faces, voices, will hear and understand what you say, and might even have personalities! The whole process will get very conversational.
But we will go further than just artificial people; we will start immersing ourselves in virtual environments. Imagine a virtual High Street where you can wander and visit the shops of your choice. These establishments will be "peopled" by avatars which look and behave just like the real people in the real shops - but there will be no queues.
With the advent of the SmartCard we will be carrying enormous amounts of personal information and exchanging it in public places. One SmartCard could carry all your personal details, from your ID card and passport to driving licence and medical history. I see everything having SmartCard readers (computers, phones, mobiles, TVs) and the appropriate information will be exchanged without the extreme efforts that are required of the human today - re-typing the same details on every web-page. I also see the security hologram on the card still being a visual security device, but also becoming a thumb print reader. The SmartCard becomes a "This is me - honestly it really is me" security token. With the advent of Web Services on the AORTA network, I could be at an electronic point-of-sale machine and the insertion of the token automatically brings all my relevant data (including current picture) to that point in the network.
In the near future everything is going mobile. We will all have personal communicators (yes, just like Star Trek!) which will connect us to voice communications and information. You will start asking your mobile phone questions and receive information that is pertinent to you at this time and at this location. Soon, with 3G-type systems, we will be able to send and receive moving pictures. In fact, in the very near future we will pass images and moving images over these devices as carelessly as we just talk to them today.
And as we enter this new information age, we must look at how we will trade with our customers. It is vitally important that we target each individual customer and personalise our communication with him or her. Gone are the days when a simple advertisement was good enough, and we expected our customers to come and find us. Now we have to build a bridge and an interactive, proactive experience for our customers.
Technology is changing very fast indeed. I predict that you will see more change in the next 10 years than has been experienced in the past 150 years. Technology is changing - the question is "Are you changing as fast?", because if you do not, you and your organisation might not be trading in the next few years!

Side events
Annual General Meeting (AGM)
The AGM is FIRST's Annual General Meeting, where the FIRST members meet to discuss and decide about FIRST and its road ahead. This includes the elections for the 5 Steering Committee slots that fall vacant each year at the AGM.
The 2007 FIRST AGM will take place on Thursday, June 21st, 2007 from 17:00 till approximately 18:50 local time in Seville, during the 2007 FIRST Conference.
The AGM will be conducted in accordance with the FIRST Operational Framework.
Attendance and participation at the FIRST Annual General Meeting is limited to FIRST team members, FIRST liaison members and their invited guests, subject to approval by the Steering Committee.

Workshop

Tutorials

Creating and Managing CSIRTs
Robin Ruefle (CERT/CC, US)
Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute at Carnegie Mellon University. She works as a member of the CERT® CSIRT Development team (CDT).
Ruefle's focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CDT, Ruefle develops and delivers sessions in the suite of courses offered to CSIRT managers and incident handling staff, including Creating a CSIRT, Managing CSIRTs, Fundamentals of Incident Handling, and Advanced Incident Handling for Technical Staff. She also participates in the Train-the-Trainer program that licenses these products to existing CSIRTs.
The CSIRT Development Team also provides guidance in the development of implementation strategies, policies, standard operating procedures, response plans, and training programs for new and existing CSIRTs. As part of that work, Ruefle has authored or co-authored publications including: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, The Role of Computer Security Incident Response Teams in the Software Development Life Cycle, as well as numerous other articles and best practice guides. These documents can be found on the CSIRT Development webpages at http://www.cert.org/csirts/.
Ruefle has presented at numerous incident response and security conferences, including the Forum for Incident Response and Security Teams (FIRST), the US Government Forum for Incident Response and Security Teams (GFIRST), EDUCAUSE, SECURE IT, and other similar venues. Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.
Georgia Killcrece (CERT/CC Carnegie Mellon University, US)
Georgia Killcrece is a Member of the Technical Staff and joined the CERT® Coordination Center (CERT/CC) in 1989. The CERT/CC, established in 1988, is part of the CERT® Program based at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania.
Since 1999 Killcrece has led the CERT® CSIRT Development Team and takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide. She has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. She is internationally recognized as a leader in CSIRT development and has been invited to present at a number of international conferences. Killcrece also chaired the 2006 FIRST conference.
Killcrece participates in the creation and delivery of public and onsite training courses, as well as facilitating workshops focused on CSIRT development. As part of broader outreach efforts in the CSIRT community, her team licenses the suite of CSIRT training materials to external transition partners. In 2003, to meet the need for trained incident handling staff, the CERT Program created and launched a certification program.
From 1994 to 1999 Killcrece was a technical coordinator and incident response coordinator in the CERT/CC. In those roles, she gained firsthand knowledge of the processes involved in forming, operating, and managing incident response teams, including the dynamics of working in a fast-paced team environment.
Killcrece is author or contributor to a suite of CSIRT documents and reports, available on the CERT web site at http://www.cert.org/csirts/. Killcrece can be reached directly by email at georgia@cert.org.
This full-day tutorial is designed to provide those in the process of creating a CSIRT, those already managing a CSIRT, and others who may interact with incident management and CSIRT staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs for those new to the field who are interested in learning about a CSIRT and the type of activities a CSIRT performs.
This tutorial will provide a discussion of best practices in creating and managing a CSIRT. The course provides an overview of the incident handling process and the types of tools and infrastructure needed to be effective. It also provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. The tutorial will explore the relationship between CSIRTs, incident management, and security management, and discuss how successful incident management requires an enterprise view and approach.

Creating, Managing and Using a Malware Lab
Grant Deffenbaugh (CERT/CC, US)
Grant Deffenbaugh is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). He currently is the team lead for CERT/CC's Malware Laboratory and has a PhD in Computer Systems Engineering from Rensselaer Polytechnic Institute. The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC) sponsored by the US Department of Defense (Under Secretary of Defense for Acquisition, Technology and Logistics) and managed by Carnegie Mellon University.
Lisa Sittler (CERT/CC, US)
Lisa Sittler is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). Lisa is a system administrator for the CERT/CC's Malware Lab. Prior to joining the CERT/CC, Lisa worked as a system administrator and as a quality assurance engineer for a well-known supplier of networking equipment. The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC) sponsored by the US Department of Defense (Under Secretary of Defense for Acquisition, Technology and Logistics) and managed by Carnegie Mellon University.
Nick Ianelli (CERT/CC, US)
Nicholas (Nick) Ianelli is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). Nick is an analyst on the CERT/CC's Artifact Analysis team researching malicious code. Prior to joining the CERT/CC, Nick worked as a network engineer at a national (US) Internet service provider. The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC) sponsored by the US Department of Defense (Under Secretary of Defense for Acquisition, Technology and Logistics) and managed by Carnegie Mellon University.
During the first part of the day we will present a tutorial on what is required to build and manage a Malware Laboratory from a systems administration point of view. Network design, services and infrastructure will be covered. Special attention will be given to creating an environment for runtime analysis. Risk assessment and techniques for implementing network security will be examined. Other topics include developing policy and procedures to maintain a secure and reliable malicious code analysis environment.
The second half of the day will cover the collection of malicious code, safe handling practices, and platforms on which to perform analysis. We will focus on the use of virtualization technologies, discuss various analysis tools, and engage in actual malware analysis.
Participants are asked to bring a laptop with a valid VMware license pre-configured with a Windows guest. A sample Linux guest as well as tools and malicious code will be distributed during the tutorial.


Do it yourself: The latest in forensic tools and techniques to examine Microsoft Windows
Andreas Schuster (Deutsche Telekom AG, Group Security, DE)
Andreas Schuster (GCFA) has been a Senior Computer Forensic Examiner with the security department of Deutsche Telekom AG since December 2003. Previously he led a commercial computer incident response team and had worked in the internet business for about seven years. Andreas got his first computer in 1981. Though times have changed significantly, he regularly falls back on low-level tools like disassemblers and hex editors when he explores the inner mechanics of an operating system or a new piece of malware.
Pär Österberg (Swedish IT Incident Centre, Sitic, SE)
Pär Österberg (CISSP) started his career doing Unix and Windows network administration, but quickly migrated into doing only security-related work, like administering firewall and intrusion detection systems. After working several years doing penetration testing for various consulting firms, he started working for the Swedish Government CERT (Sitic), where among other things he has been handling IT incidents for the last five years.
Responding to IT incidents and investigating computers looking for signs of a compromise can be a challenging and time consuming task. This full-day presentation with embedded hands-on exercises will describe methods and techniques to investigate a potential intrusion. The course aims at a technical audience, preferably incident responders and forensic examiners. Participants should be familiar with the Microsoft Windows platform.
The morning session is dedicated to data acquisition. We will start with building a First Responder's Toolkit: a write-protected medium with trusted binaries, which we will tweak so we avoid using system-wide DLLs. We will also discuss several methods to obtain memory dumps and their specific pros and cons. After that, participants will be able to choose the right tool for their environment.
We will employ our toolkit to collect various pieces of evidence in the order of volatility: main memory, the swap file, NTFS meta data files, the Registry and lots more.
During the second session we'll then show how to analyze the data collected before. We will analyze the $Mft, the heart of NTFS, looking for Alternate Data Streams, commonly used file system anti-forensic techniques, and discrepancies between the user-mode view and the raw data. Furthermore, we will demonstrate how to analyze the raw Windows Registry files, how to quickly analyze the binary files collected from the running system, and how to effectively use databases of hashes of known operating system files.
After an introduction to the basics of Windows memory management we will start to explore the memory dumps. We will focus on tools which are available for free, so participants can take them home and start working with them immediately. Additionally, we'll cover some of the leading-edge commercial tools in the field. For every tool we will discuss how it works and what its limitations are. Participants will try out the tools on sample images to uncover exploits and actual rootkit infections on their own.
Participants are expected to bring their own laptop. Microsoft Windows will be required to run some of the programs provided. Sample files for analysis will be available during class. Detailed instructions will be published before the conference.

System, Network and Security Log Analysis for Incident Response
Anton Chuvakin (LogLogic, Inc., US)
Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research and assisting key customers with their LogLogic implementations. He was previously Chief Security Strategist with a security information management company.
A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3" and the upcoming book on PCI. Anton has also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs such as http://chuvakin.blogspot.com.
The presentation will cover the use of various system, network and security logs and audit trails in the incident response process, from methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include several detailed case studies.
Here is a brief summary:
- Brief incident response process overview
- Relationship between incident response and forensics
- Logs: what are they and what are they for?
- Log use at various stages of the response process: from incident detection to lessons learned
- Use of logs from various sources (firewall, IDS, system, application, etc.) during incident response
- Log review and monitoring processes
- Routine log review
- In-depth log analysis and log mining for incident recognition
- Log evidence integrity and DoJ criteria challenges
- Raw vs parsed/tokenized logs as evidence
- Practical scenarios
- Conclusions

Understanding & Analyzing Botnets
Jeff Nathan (Arbor Networks, US)
Jeff Nathan is a Senior Security Engineer within Arbor Networks' Arbor Security Engineering & Response Team (ASERT). In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) service and innovating new security technology. Prior to joining Arbor Networks, Jeff served as a Senior Software Engineer for Sygate Technologies Inc., where he developed intrusion detection technologies. Before Sygate, Jeff worked in various capacities at McKesson Corp., @stake Inc. and Hiverworld, Inc.
During the past seven years, Jeff has also been a core member of the Snort project, an elected member of the Honeynet Project, lead developer of the Nemesis Project, and an occasional contributor to a number of open-source software projects.
Jose Nazario (Arbor Networks, US)

Dr. Jose Nazario is a Senior Security Engineer within Arbor Networks' Arbor Security Engineering & Response Team (ASERT). In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service.
Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains WormBlog.com, a site devoted to studying worm detection and defense research.
This two-day workshop is designed to provide attendees with a thorough understanding of botnets: what they are, how they're created, how to identify them, and how to stop them. The workshop will consist of both presentations and hands-on sessions where attendees can interact with the instructors for further support. The notion of "rapid response" is taken into consideration in each aspect of the workshop, focusing on techniques and methodologies that can be applied in a timely manner. At the completion of this workshop, attendees will walk away with applicable real-world knowledge that can be applied in their daily work.
The goals of this training session are for attendees to more fully understand botnets, to build tools that identify their presence in the wild and gather intelligence about their presence on their own networks, and to learn how to defend against their attacks. Attendees are expected to be technically savvy and working in network or security operations.

Geek Zone

A day in the life of a hacker... Things we get up to when nobody is looking, and that keep me awake at night.
Adam Laurie (The Bunker Secure Hosting Ltd., UK)
Adam Laurie is a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP8 and other minicomputers, and then on various Unix, DOS and CP/M based microcomputers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own, Apache-SSL, which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of reusing military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON (http://www.defcon.org) since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, where he is now a regular training instructor (http://www.blackhat.com); he is also a member of the Bluetooth SIG Security Experts Group (http://www.bluetooth.org). His current focus is on RFID, and he has recently published an open-source RFID software library, written in Python, which can be found at http://rfidiot.org.
In this session I will give a roundup of some of the issues I've spoken about over the last year, which include:
- Magstripes
- InfraRed
- RFID
- ATM Machines
Whilst I aim to make this reasonably technical, it will be fairly relaxed and informal, with live demonstrations and some room for experimentation if any of the participants are brave enough... :)
- Slides: laurie-adam-slides.pdf (9.43 Mb)


Botnet: Creation, usage, detection and eradication
Guilherme Vênere (CAIS/RNP Brazilian Academic and Research Network, BR)
Jacomo Piccolini (CAIS/RNP Brazilian Academic and Research Network, BR)
Jacomo Dimmit Boca Piccolini holds an Engineering degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two postgraduate degrees, one from the Computer Science Institute and the other from the Economics Institute of Universidade de Campinas - Unicamp. He is a GCIA (GIAC Certified Intrusion Analyst) and GCFA (GIAC Certified Forensics Analyst), working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.
Francisco Monserrat (IRIS-CERT RedIRIS, ES)

Espionage: Reality or Myth? A Demonstration of Bugging Equipment
Emma Shaw (Esoteric Ltd, UK)
Emma has been actively involved at all levels in both covert and overt investigations for approximately 20 years. The early part of her career was spent with the Royal Military Police, followed by a career in UK government. Emma is now the Managing Director of Esoteric Ltd, a specialist security and covert investigations company, which she founded in 1998. The company provides bespoke confidential services which assist its clients in dealing with issues such as theft, fraud, counterfeiting, employment-related issues, and economic and corporate espionage. Esoteric Ltd has been approved by the National Security Inspectorate to the prestigious BS EN9001:2000. Emma is a member of the Council for the Security Institute, the Registrar for the Validation Board of The Security Institute, Southern Region Chair for the Defence Industry Security Association (DISA), a member of the Professional Development Committee for the American Society of Industrial Security (ASIS) and of the Counter Terrorist Committee with the Joint Security Industry Council (JSIC).
The single greatest asset held by most companies is their information. Its protection is key to the success of any business, particularly in competitive markets where new designs, intellectual property and technological advance have significant commercial value. A growing number of companies and government departments are now taking proactive action to protect their information and so deter terrorists, criminals and others before damage can be done.
Information is also key to the success of terrorists, criminals and others who need to obtain sufficient information on their targets if they are to achieve their aim.
The threats from those wishing to steal information are real, and there are many recent examples of this both in the UK and elsewhere. Your company is most likely already a target for this type of activity. It may involve staff collusion with external bodies, infiltration, or unauthorised access to gain information through physical or technical means.
This presentation looks at the threats organisations face from espionage, and the impact of the loss of vital information on the company. The presentation will provide an insight into the world of espionage, how it is conducted and by whom; the legalities of bugging; the vulnerabilities of emerging technologies; along with statistics, case studies and actual examples of bugging devices. We will examine the facts to decide whether espionage is reality or myth.
If time allows we can include a practical demonstration.

Forensic Discovery
Dr. Wietse Z. Venema (IBM Research GSAL, US)
Wietse Venema is known for his software such as the TCP Wrapper and the POSTFIX mail system. He co-authored the SATAN network scanner and the Coroner's Toolkit (TCT) for forensic analysis, as well as a book on Forensic Discovery.
Wietse received awards from the System Administrators Guild (SAGE) and the Netherlands UNIX User Group (NLUUG), as well as a Sendmail innovation award. He served a two-year term as chair of the international Forum of Incident Response and Security Teams (FIRST).
Wietse is a research staff member at the IBM T. J. Watson research center. After completing his Ph.D. in physics he changed career to computer science and never looked back.
Wietse presents lessons learned about the persistence of information in file systems and in the main memory of modern computers: not only how long information persists, but also why this happens, and what the limitations of that information are.
After an introduction to the basic concepts of volatility and persistence, Wietse presents examples of how to recover timeline information from a variety of network and host-based sources, including a walk-through of a post-mortem file system analysis.
The presentation ends with results from file and memory persistence measurements. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.
This presentation includes content from the "Forensic Discovery" book that was co-authored with Dan Farmer.

I know what you (and your company) did last summer...
Roelof Temmingh (Paterva, ZA)
Born in South Africa, Roelof studied at the University of Pretoria and completed his Electronic Engineering degree in 1995. His passion for computer security had by then caught up with him and manifested itself in various forms. He worked as a developer, and later system architect, at an information security engineering firm from 1995 to 2000. Early in 2000 he started the security assessment and consulting firm SensePost along with some of the leading thinkers in the field. During his time at SensePost he was the Technical Director in charge of the assessment team and later headed the Innovation Centre for the company. Roelof has spoken at various international conferences such as Blackhat, Defcon, RSA, Ruxcon, Hack-in-the-box and FIRST (2003). He also contributed to books such as "Stealing the Network: How to Own a Continent" and "Penetration Tester's Open Source Toolkit", and was one of the lead trainers in the Hacking by Numbers training course. Roelof also authored several well-known security testing applications such as Wikto, Crowbar, BiDiBLAH and Suru. At the start of 2007 Roelof founded Paterva in order to pursue R&D in his own capacity. Paterva will be a vehicle for exploring a new train of thought in the information security industry.
In recent times a lot of emphasis has been placed on the interaction and collaboration between individuals on the Internet: the old asymmetrical nature of the web has changed from a data producer/consumer model to a model where everyone is a producer and a consumer at the same time. This change has been very rapid, without set guidelines or policies; it is best described as a phenomenon rather than a well thought out process, and it is indeed one driven by the community rather than by an RFC. The challenges faced by the traditional producers of yesterday are now on the doorstep of individuals, with the difference that the environment and role players are a lot less defined. The high level of interaction and connections between produced information, the vague identity of the producer and the abundance of distribution channels make the Internet of today the ideal breeding ground for those with less-than-honest intentions, who use trickery such as personal (online) identity theft, public opinion manipulation, viral campaigns or simply the discovery of valuable or restricted information by means of extensive data mining. These types of attacks can be performed by individuals with minimal technical knowledge and infrastructure.
In this presentation I will look at how the abundance of information available on the Internet, combined with a generation of less-questioning, more trusting Internet users, can lead to vulnerabilities that are hard to delineate, hard to anticipate, hard to protect against, and, as will be shown in the presentation, a disturbing reality. The presentation will further look at possible ways to defend against these types of attacks, as well as discussing and demonstrating a framework for generic information gathering that could be used in both a defensive and an attacking role.

Identity theft in the corporate environment: demonstration and hands-on
Peter Wood (First Base Technologies, UK)
Peter's innovative and entertaining style has led him to present to the boards of the largest international companies as well as at international conferences on many IT security-related topics.
He was recently rated the British Computer Society's number one speaker.
Peter has worked in the electronics and computer industries since 1969. He has extensive experience of international communications and networking, with hands-on experience of many large-scale systems. Peter's board-level responsibilities have included sales, marketing and technical roles, giving him a broad industry view.
Founded in May 1989 as a vendor-independent consultancy, First Base Technologies now provides security testing and audit services to clients as diverse as B&Q, Bradford & Bingley, Brighton & Hove City Council, Co-operative Group, the Finance & Leasing Association, the Learning & Skills Council, Screwfix, Skipton Building Society and Trinity House Lighthouse Service. Peter has hands-on technical involvement in the firm on a daily basis, working in areas as diverse as penetration testing, social engineering and skills transfer.
Peter is a Fellow of the British Computer Society and a member of the Institute of Electrical and Electronics Engineers, the Information Systems Audit and Control Association and the Association for Computing Machinery. He is also a BCS Registered Security Consultant, a Microsoft Certified Product Specialist and a member of Mensa.
Popular topics:
- Casebook of an ethical hacker
- Why penetration test?
- Google Hacking - an ethical hacker's view
- Identity Theft in the Corporate Environment
- An Ethical Hacker on Denial of Service Attacks.
Identity theft and fraud are an important and growing problem. They affect individuals, government departments and private sector organisations, and often form part of more serious criminal operations such as people trafficking and drug smuggling. It is estimated that more than 120,000 people are affected by identity theft in the UK each year. The latest estimate is that identity fraud costs the UK economy £1.7 billion.
In the words of Fox Mulder, 'trust no-one.' If someone steals your password at work, it is a significant step towards stealing your identity. It won't just impact your employer but your personal life too. In fact it could easily leave you with a reputation for enjoying illegal pornography, a large credit card bill and an even larger overdraft.
Peter Wood has developed a set of methodologies to simulate corporate identity theft attacks, both external and internal. He shares his experiences in perpetrating licensed attacks against a variety of clients over the last year, as well as the results of criminal investigations. His methods and recommendations should prove invaluable to any business.

Insider Threat: The Visual Conviction
Raffael Marty (ArcSight, Inc., US)
Raffael Marty, GCIA, CISSP manages the solutions team at ArcSight, the global leader in Enterprise Security Management. Raffy's information security expertise includes log management, intrusion detection, insider threat, regulatory compliance and security data visualization. He is involved in security industry initiatives and standards efforts, such as the Open Vulnerability and Assessment Language (OVAL). Raffy has written a number of automation and visualization tools such as Thor (http://thor.cryptojail.net) and AfterGlow (http://afterglow.sourceforge.net) and is the founder of the security visualization portal http://secviz.org. Raffy has served as a contributing author to several security books, including the Snort book, and also presents on the topic of visualization on various occasions around the world. Before joining ArcSight, Raffy worked as an IT security consultant for PricewaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research, where he participated in various intrusion detection related research projects.
Insider threat has been increasingly discussed in the past months. Information leaks, sabotage and fraud have been reported at large institutions everywhere. One way to address the insider threat problem is to analyze log files and find suspicious behavior before it results in direct or indirect financial loss for the company.
Signs of suspicious behavior or users lend themselves very well to visualization techniques. Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This workshop takes a step-by-step approach to analyzing signs of insider threat. I will use a few open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow (afterglow.sourceforge.net) which was written by the presenter. It is a very simple tool to visualize preprocessed information. The analysis I will go through in the workshop will show how early warning signs of insider activity manifest themselves in the log files, making it possible to prevent further damage and assess the impact of the activities.
The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data.

Provider practicalities and paranoia: Modern ISP incident response and the tooling of incident response at an ISP
Scott McIntyre (KPN-CERT, NL)
Scott McIntyre is the Security Officer of XS4ALL Internet, the oldest ISP in The Netherlands. In addition to that role, Scott also serves as one of the kernel members of KPN-CERT, which serves the entire KPN (Royal Dutch Telecom) business for incident response and computer security advice and information.
Previously, Scott has worked as a Security Officer (and all-around Unix geek) for SMS & WAP services companies, government and scientific research organisations, and NRENs.
Scott gives regular lectures and presentations on the importance of IT security management policies and procedures and the need to maintain proportionality of invasiveness when it comes to violating privacy in the name of security.
In Baltimore, Scott was elected to the FIRST Steering Committee and is currently halfway through his first term as a SC member.
As a follow-on from the Wednesday session on ISP response, this session will delve deeply into precisely the technical tools we built, use and rely upon for detecting security incidents to and from our customers. A wide variety of tooling-related topics will be covered, including some popular open-source and commercial solutions for incident detection and response. This detailed discussion of our methods and tooling will include specifics on customer notification, walled-garden technology, darknet analysis, server security, log analysis and some of the many countermeasures we employ. It is hoped that this session may serve as a springboard for a possible Tooling SIG within FIRST where specific incident response and mitigation tools can be shared amongst members. The session is meant to be highly interactive with others interested in detailed incident tooling!

Tools and techniques to automate the discovery of zero day vulnerabilities
Joe Moore (Pentest, UK)
Joe Moore has been working for the past four years as an IT Security Consultant with Pentest Limited, a leading UK-based security consultancy.
During his employment with Pentest Limited, Joe has specialized in penetration testing and vulnerability assessment, and has provided security consultancy services to a number of Pentest's clients.
The scope of this consultancy has ranged from Internet based application and infrastructure testing, to on-site audits of large corporate networks.
Joe also has a keen interest in software security research, and has been instrumental in the discovery and reporting of numerous critical vulnerabilities in a variety of software.
Currently, Joe's research is focused on mobile device security and embedded operating system vulnerability research.
Mark Rowe (Pentest, UK)
Mark Rowe is a co-founder of Pentest Ltd, a leading UK-based security consultancy. Mark has specialised in vulnerability assessment and penetration testing, carrying out work for a wide range of clients including utilities, government agencies, financial institutions, and retail organisations.
Mark is an active security researcher and has worked with software and hardware vendors such as Microsoft, IBM, Oracle, Skype, Sony, Widcomm, Bluetooth SIG and Nokia to identify and fix security vulnerabilities in their products.
Mark was also a major contributor to the SANS Institute's Oracle Step-by-Step security guide. More recently Mark has been conducting leading-edge research in the area of mobile device security, which includes Bluetooth wireless connectivity.
Mark is also a member of the trifinite.group (http://www.trifinite.org), a loose group of computer experts that spend their free time doing research in wireless communications and related areas.
This half-day session will explore the software testing technique of fuzzing and how it can be used to find security defects. It will cover the advantages and disadvantages of fuzz testing and will give some practical insight into the free tools and techniques currently available to security testers. During the session several demonstrations will be given showing how fuzzing may have been used in the past to discover some well-publicised security vulnerabilities. Attendees will also be encouraged to gain some hands-on experience.
- Slides: rowe-mark-slides.pdf (1.21 Mb)

UNIX/C Programming traps and pitfalls
Dr. Wietse Z. Venema (IBM Research GSAL, US)
Wietse Venema is known for his software such as the TCP Wrapper and the POSTFIX mail system. He co-authored the SATAN network scanner and the Coroner's Toolkit (TCT) for forensic analysis, as well as a book on Forensic Discovery.
Wietse received awards from the System Administrators Guild (SAGE) and the Netherlands UNIX User Group (NLUUG), as well as a Sendmail innovation award. He served a two-year term as chair of the international Forum of Incident Response and Security Teams (FIRST).
Wietse is a research staff member at the IBM T. J. Watson research center. After completing his Ph.D. in physics he changed career to computer science and never looked back.
Neither the UNIX system nor the C programming language was built with security as a primary goal. Consequently, building a secure program can be like building a house on quicksand. The challenge for the implementor is to avoid the mechanisms that are weak, and to carefully build on the few mechanisms that remain. This tutorial focuses on implementation errors, why these errors happen, and how an implementor can avoid making such errors.
Security problems happen when system behavior does not match the user's expectation. Wietse illustrates this with a very small and obviously correct file shredder program that does not work at all, and for more reasons than most people can think of. This is followed by a segment that illustrates several flaws that were found in real applications that used the UNIX file system in an exploitable manner.
The set-uid feature is unique to UNIX, and deserves its own segment. Wietse demonstrates why it is fundamentally impossible to write set-uid software without creating a security hole.
Finally, Wietse presents the open source Postfix mail system, and how its partitioned design not only helped to build a secure mail system, but also helped to avoid code degeneration as the system grew in size by more than four times.

Main Conference

An Internet Threat Evaluation Method based on Access Graph of Malicious Packets
Masaki Ishiguro (Mitsubishi Research Institute, Inc., JP)
Masaki Ishiguro is a senior researcher at the Information Security Research Group, Mitsubishi Research Institute, Inc. He received his master's degree from the Graduate School of Information Science, the University of Tokyo, in 1994 and has since been working for Mitsubishi Research Institute. He has been engaged in research and development projects for an internet threat detection system, a verification system for security protocols, a medical image recognition system, formal methods, etc.
Hironobu Suzuki (Mitsubishi Research Institute, Inc., JP)
Malicious packets generated by Internet worms or port scans can be captured by monitoring ports of IP addresses where any network service is provided. Several methods have been proposed for detecting threats over the Internet by monitoring malicious packets. Most of these methods apply statistical methods to time-series frequencies of malicious packets captured at each port.
This paper proposes a new method for evaluating threats on the Internet based on an access graph defined by the relation between sources and destinations of malicious packets. This method represents the access relation between sources and destinations of malicious packets as a bipartite graph and defines a relation of threat and vulnerability between those sources and destinations. In order to evaluate threats on the Internet, we apply a new method to this relation. The method evaluates threats by using the spatial structure of the access graph, which has not been used by traditional methods. We applied our method to working examples monitored during the period of worm outbreaks to show its effectiveness.

Assessing Incident Severity in a Network and Automatic Defense Mechanisms
Klaus-Peter Kossakowski (SEI Europe GmbH, DE)
Klaus-Peter Kossakowski is a Visiting Scientist at the SEI in Europe. He is currently researching the business processes related to incident response as an integral part of risk management, not only IT-specific risk management. He defended his doctoral thesis on "Information Technology Incident Response Capabilities" at the University of Hamburg. He also holds a first-class degree in Information Science from the University of Hamburg. After his studies he worked as a senior consultant and managing director for German-based security providers and consulting companies. He has served for many years in various roles within the international CERT communities.
- Moira J. West-Brown, Don Stikvoort and Klaus-Peter Kossakowski (1998). Handbook for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-98-HB-001, Carnegie Mellon University, Pittsburgh, PA, USA.
- Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle and Mark Zajicek (2003). Organizational Models for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-2003-HB-001, Carnegie Mellon University, Pittsburgh, PA, USA.
Luis Francisco Servin Valencia (PRE-CERT PRESECURE Consulting GmbH, DE)
Luis Servin has worked in software development since 2002. Since 2004 he has been living in Germany while doing his Master of Science in Information and Communication Systems at the University of Technology in Hamburg-Harburg. He joined PRESECURE Consulting GmbH as a researcher to complete his Master's Thesis, on the topic of network security assessment. His areas of interest include artificial intelligence, digital image and signal processing, and network security. Luis Servin studied Electrical Engineering in Mexico, at the Instituto Tecnológico y de Estudios Superiores de Monterrey in Mexico City.
Till Dörges (PRE-CERT PRESECURE Consulting GmbH, DE)
Till Dörges joined PRESECURE Consulting GmbH as a researcher in 2002. The two major projects he's currently working on are a network of distributed IDS-sensors (evolved from the EC-funded project "eCSIRT.net") and the also EC-funded research project about proactive security monitoring in a policy-based framework ("POSITIF"). Both projects strongly relate to Intrusion Detection, Honeynets and (Security-) Policies.
He also is the team representative of PRESECURE within the European community of accredited CSIRTs ("Trusted Introducer") as well as for FIRST.
Till Dörges studied Computer Sciences in Hamburg, Toulouse and Leipzig. He holds a French "Maîtrise d'Informatique" and a German "Informatik-Diplom".
Threat sources for computer networks are diverse and increasingly complex. Attackers usually make use of vulnerabilities or configuration mistakes to break through the external lines of defense and into different hosts, or to pry on what should otherwise be a secure/private communication channel.
Unfortunately, the means to defend from and react to attacks are scarce and work mostly in isolation. Among these we can count firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and honeypots, as well as the possibility of doing penetration tests from within or from outside the network.
By using all these methods at hand, there is a lot of information available that has to be processed to assess the current situation. Based on this, the security policies governing a network can be adjusted. This is by no means trivial and could overwhelm a person trying to do it manually.
This paper presents a framework that concentrates the input from different sensor types, assesses the situation and decides on the action to take to counter a possible attack. This ranges from (semi-)automatically changing the security policies for the whole network, to reconfiguring a service within a host.
In particular the processing method to make the assessment will be the core of this article.

Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools
Joanna Rutkowska (Invisible Things Lab, PL)
Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted multiple times by the international press and she is also a frequent speaker at security conferences around the world. In April 2007 she founded Invisible Things Lab, a consulting company dedicated to cutting-edge research into operating system security.
Many people believe that using a hardware-based acquisition method, such as a PCI card or the FireWire bus, is the most reliable and secure way to obtain an image of volatile memory (RAM) for forensic purposes.
This presentation is aimed at changing this belief by demonstrating how such hardware-based solutions can be cheated, so that the image obtained using e.g. a FireWire connection can be made different from the real contents of physical memory as seen by the CPU. The attack does not require a system reboot.
The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.

Building a scalable, accurate, actionable Incident Response system
Dr. Ken Baylor (CISSP CISM, VP & CISO Symantec, US)
Ken Baylor serves as Symantec's Chief Information Security Officer (CISO), and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Manager (CISM). As CISO, he is responsible for the development of all information systems security policies, oversight of the implementation of all security-related policies and procedures, and global protection of electronic and digital assets. He also works closely with internal product groups on security capabilities in Symantec products, heads up the Information Security department and oversees privacy issues.
Ken Baylor has 15 years of experience leading global IT and security teams. Prior to joining Symantec in November 2006, Dr. Baylor led a number of strategic initiatives within McAfee, where he was recognized as an expert in Intrusion Prevention Systems and Risk Management. He was active in developing strategic alliances and creating the Service Provider program.
Dr. Baylor holds bachelor's and doctorate degrees in Science from the National University of Ireland, a law degree from the University of Wolverhampton, England, and an MBA from the University of Texas. He is active within the security community.
With a global presence and over 100k nodes, Symantec's challenge is common to large enterprises. This presentation will focus on their deployment of technologies that form the basis of Symantec's internal Incident Response and Risk Management capabilities. The approach taken by Symantec's InfoSec team in developing an end-to-end layered security infrastructure and compliance reporting framework will be described, along with results to date.

Cyber Fraud Trends and Mitigation
Ralph Thomas (Verisign/iDefense, US)
Mr. Thomas heads the iDefense Malicious Code Operations Group, responsible for the active collection of open-source intelligence, and for the reporting and analysis of public reports and outbreaks of malicious code. Mr. Thomas also directs the malicious code research lab in iDefense, which is tasked with the development of tools for discovery and analysis of malicious code and related threats. Before joining iDefense, Mr. Thomas worked as Principal Computer Forensics Consultant in several data acquisition and litigation support projects and served as expert witness in federal court. Early in his career Mr. Thomas designed hardware and realtime software in the controls and digital television sectors before turning his attention to enterprise software. A Certified Lotus Specialist, he has expertise in e-mail archiving, document imaging, Siebel, SAP and Oracle Applications. Mr. Thomas holds a Master of Science degree in Electrical Engineering from the University of Dortmund in Germany.
Phishing Trojan horse programs are not traditional bots, but sophisticated and original pieces of malicious code. Since iDefense began tracking this technique in May 2006, attackers have quietly seeded dozens of variants into the wild to target at least 30 specific banking institutions. These attackers had intimate knowledge of each targeted bank's Web infrastructure and built a sophisticated command-and-control system that completely automated the attacks. The authors believe that criminal organizations are using these phishing Trojans to compromise millions of bank accounts across the globe. These phishing Trojan attacks can defeat sophisticated authentication schemes that security experts previously thought rock solid.
This presentation discusses mitigation techniques that work and fail in light of these new malicious code attacks. The audience will be given an overview on malicious code attacks against the financial infrastructure and an introduction to banking authentication schemes. The presentation also includes cyber fraud detection and mitigation strategies.

Data on Data Breaches: Past, Present, and Future
Chris Walsh (cwalsh.org, US)
Currently an information security architect for a consumer goods firm operating in 180 countries, Chris has previously held information security and incident response roles in academia, and the financial sector, as a hands-on technologist, a consulting team lead, and a divisional manager.
A number of high-profile data loss incidents have focused attention on questions surrounding the collection, storage, and protection of personal information.
Measures aimed at protecting those whose personal information has been put at risk through such incidents have become widespread in the U.S., with increasing calls for similar regulation in the EU, Canada, and elsewhere.
We examine past and present security breaches to illustrate the thesis that to understand, we must discuss. Effective measures to address security breaches can only be developed through empirical research. We can learn what contributes to such breaches, and their impact on those whose information is revealed and on the breached entity.
We conclude by discussing future steps that can be taken legislatively and by the research community to facilitate greater understanding in this area.
- Slides: walsh-chris-slides.pdf (2.65 Mb)

Dealing with Unreliable Software: Exile, Jail, and other Sentences
Dr. Bernd Grobauer (Siemens-CERT, DE)
Dr. Bernd Grobauer is a Senior Consultant with Siemens CERT. He received an M.Sc. degree in computer science in 1997 from the Munich University of Technology, Germany, and a Ph.D. degree from Aarhus University, Denmark. When joining Siemens CERT in March 2002, Bernd Grobauer turned his attention from program verification and program transformation topics, relevant for research towards more dependable systems, to IT security. Bernd Grobauer coordinates the research activities of the Siemens CERT services team and acts as security consultant regarding security governance topics.
Dr. Heiko Patzlaff (Siemens-CERT, DE)
Dr. Heiko Patzlaff is a security consultant with Siemens CERT. He received an M.Sc. degree in physics in 1993 from Martin-Luther University of Halle and a Ph.D. in theoretical statistical physics in 1997 from the University of Leipzig. Before joining Siemens he worked in the anti-virus industry as a researcher and member of the systems development group of SophosLabs at Sophos PLC in the United Kingdom. Besides his continuing interest in anti-virus and malware topics, Dr. Heiko Patzlaff's current responsibilities include forensics, security consulting and research.
Martin Wimmer (Siemens-CERT, DE)
Martin Wimmer is an Associate Consultant with Siemens CERT. After studying computer science at the University of Passau, where he received his Diploma degree in 2003, he worked as a research assistant at the University of Passau and, from April 2004 on, at the Munich University of Technology. His research activities mainly focused on security requirements of upcoming service-oriented IT infrastructures. In April 2007 he joined the research group of the Siemens CERT.
In terms of security, web browsers are most unreliable fellows: during the past few years, no other application type has been as error-prone, inviting a plethora of attacks. Yet modern business cannot do without web browsers any more. Other application types handling data accessed via the Internet, such as messaging applications, document viewers, peer-to-peer applications, etc., are also increasingly under attack, but at least some of them cannot be done without either. What is one to do?
This talk discusses the possibilities of mitigating risk by separating unreliable software from production systems. We provide an overview of various methods of separation (exile on a dedicated system, jail in virtual or change-root-like environments, ...), discuss the security gain that can be achieved, and highlight the challenges in integrating such separated systems with the production environment so as to achieve satisfactory usability.

Developing a trusted partnership to prepare a framework for the collection of information security data
Carsten Casper (ENISA, GR)
Carsten Casper is a Senior Expert for Information Security Tools & Architectures at ENISA, the European Network and Information Security Agency.
Mr. Casper conducts and moderates studies and research on information security topics such as information security certifications, security challenges in emerging applications and technologies, sharing of sensitive information on security incidents and consumer confidence, security and anti-spam measures of electronic communication service providers, and best practices for information security policies.
Prior to working for ENISA, Mr. Casper worked as a Senior Research Analyst for Gartner and META Group. He holds a diploma in computer science from the Technical University of Berlin.
Public and private decision makers need accurate statistical and economic data on information security. They need information about trends and volumes of security problems, but also about the level of confidence that clients and citizens place in information processing resources. Various public and private sources of such data exist, within an organisation, within a country and beyond borders. However, in most cases such data is kept in silos and not compared with data from other sources. This happens for technical reasons, but also because every incident is embarrassing for the owner of the technical infrastructure, and most think that such information is best kept secret.
ENISA, the European Network and Information Security Agency, has been tasked with evaluating whether a trusted partnership can be developed and with preparing a framework for the collection of such data. This could include Managed Security Service Providers, Electronic Communication Service Providers, vendors, users, government entities and others. The goal is not to actually share data - that would be too ambitious, given the sensitive nature of the information - but rather to discuss under which circumstances sharing of such sensitive data can be possible. In June 2007, first results of this relationship-building will be visible. The goal of this session is to present them to the public.

Electronic Forensics: a Case for First Responders
Dr. Henry B. Wolfe (University of Otago, NZ)
Dr. Wolfe has been an active computer professional for 48 years. He has earned a number of university degrees, culminating with a Doctor of Philosophy from the University of Otago (Virus Defenses in the MS/DOS Environment). The first ten years of his career were spent programming and designing systems in the manufacturing environment; the most notable was one of the first fully automated accounting systems in the U.S. The next ten years of ever-increasing responsibility were devoted to serving in the U.S. Federal Government, rising to the position of Director of Management Information Systems for the Overseas Private Investment Corporation.
In 1979 Dr. Wolfe took up an academic post at the University of Otago and for the past twenty or so years has specialized in computer security (and is currently in the process of designing and creating an Information Assurance degree based on the NSA model). During that period he has earned an international reputation in the field of forensics, encryption, surveillance, privacy and computer virus defenses.
Dr. Wolfe writes about a wide range of security and privacy issues for Computers & Security, Digital Investigation (where he is also an Editorial Board Member), Network Security, the Cato Institute, Cryptologia (where he is also an Editorial Board Member), and the Telecommunications Reports. He is a Fellow of the New Zealand Computer Society. He is also a member of the Standards New Zealand SC/603 committee on Security, Secretary of the AsiaCrypt Steering Committee (representing New Zealand), a member of the New Zealand Law Society's Electronic Commerce Committee, and was on the Board of Directors of the International Association for Cryptologic Research, finishing up in January 2003.
He has provided advice on security matters to major government bodies within New Zealand and to Australian, Panamanian, Singaporean and U.S. Government organizations; and additionally to New Zealand businesses and the major New Zealand Internet Service Providers. He has been commissioned to provide training in electronic forensics for law enforcement organizations internationally (New Zealand, Australia and Singapore). Over the past fifteen years he has conducted and supervised computer security audits of more than one-hundred-twenty-five (125) New Zealand businesses and government bodies. His opinions are regularly sought by the various media organizations (newspaper, radio and television).
Dr. Wolfe speaks on security and privacy issues (both technical and policy) regularly at international conferences (more than 55 in the past fourteen years, as an invited speaker and occasionally as a keynote speaker), some of the most recent being in America, Australia, England, China, Greece, Ireland, Hong Kong, Japan, Korea, Malaysia, Panama, Poland, Portugal, Russia, Serbia, Singapore, Sri Lanka and of course in New Zealand. During the same period, he has been an invited speaker at 20 non-conference venues as well. His primary research interest is centered around the emerging discipline of computer forensics as well as private communications techniques, which focus on the implementation of various cryptographic algorithms that are currently available and the associated hardware and software necessary to implement such systems.
Almost every aspect of our lives is touched or somehow controlled by technology-driven processes, procedures and devices. It is therefore important to understand that because of this pervasive electronic influence, there is a high probability that a successful criminal or unacceptable incident will occur within the perimeter of an organization's information and/or computer and network infrastructure. The difference between conducting a successful investigation resulting in a potential prosecution or failing will often lie squarely in the lap of the electronic forensic investigator. If potential evidence is compromised at any point in the investigation, it will be unacceptable in a court of law. The highest risk of compromise occurs prior to evidentiary acquisition. The first responder's primary responsibility is to protect and preserve potential evidence and to see to it that suspect electronic devices and storage media are not tampered with by anyone until the professional electronic forensics investigator (law enforcement or private) takes full control of the scene. This paper will explore electronic forensics, demonstrating the need and making the case for the appointment and training of a first responder to incidents where electronic devices may have been used.

Experiences with Building, Deploying and Running remote-controlled easily installable Network Sensors
Dr. Bernd Grobauer (Siemens-CERT, DE)
Dr. Bernd Grobauer is a Senior Consultant with Siemens CERT. He received an M.Sc. degree in computer science in 1997 from the Munich University of Technology, Germany, and a Ph.D. degree from Aarhus University, Denmark. When joining Siemens CERT in March 2002, Bernd Grobauer turned his attention from program verification and program transformation topics, relevant for research towards more dependable systems, to IT security. Bernd Grobauer coordinates the research activities of the Siemens CERT services team and acts as security consultant regarding security governance topics.
A remotely manageable network sensor on a live CD may allow a CERT with little or no direct control over its networks to achieve improved situational awareness: because installation of such a sensor requires very little effort on the part of local system administrators, the barrier to deploying IDS sensors is significantly lowered. Furthermore, an easily installable network sensor is a valuable tool for fast response to ongoing incidents in which network data must be collected.
This talk reports on the experiences collected by Siemens CERT in creating an easily installable IDS sensor, deploying it within the company and running the sensor network: we describe the design of the sensor and sensor management console and report on lessons learned in interacting with local system administrators and operating the sensors. We also describe experiences with using remote sensors as honeypots rather than IDS sensors.
Building on our experiences, other CERTs should be able to get up to speed fast with creating and rolling out network sensors in their networks.

Flaws and frauds in the evaluation of IDS/IPS technologies
Stefano Zanero (Politecnico di Milano T.U. & Secure Network S.r.l., IT)
Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico di Milano technical university, where he is currently a post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer-reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and was awarded a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.
One of the things that amazes me on mailing lists and in conferences regarding intrusion detection is the symmetric presence of two concurrent issues:
- customers asking "what is the better IDS for my architecture, or for this specific requirement?"
- vendors and scientists claiming "my IDS is better than that", all the time
Both are very reasonable stances, per se. Trouble is, we don't have answers for those customers, and we don't have benchmarks to actually measure if one IDS is better than another. Since a key issue in developing technologies is measuring how well they compare with earlier attempts, it is an unsurprising result that we don't have really good IDS yet, just a very wide bunch of (often unconvincing) suggestions on how an IDS should be made.
So, I'd like to help fellow practitioners and researchers by debunking claimed "performances" of current IDS systems, by demolishing current "testing methodologies" and by showing how practical testing architectures can be created to compare systems.
The key points to take away from this lecture are:
- how to easily debunk most current literature on the subject, in particular marketing material, and
- how to devise tests that can efficiently help us choose among different technologies when implementing an IDS solution

Forensics for Managers: Presenting and understanding forensics from the MBA point of view
Mr. Ryan Washington (Crucial Security, US)
Mr. Washington brings 14 years of experience in Military Intelligence, High Technology Administration and Federal Law Enforcement to Crucial Security. Along with experience ranging from leading small fire teams in the Marine Corps to managing larger projects in several technology companies, he is a Certified Information Systems Security Professional (CISSP), National Security Agency/Information Assurance Methodology (NSA/IAM) certified, Certified Computer Examiner (CCE), and Certified Ethical Hacker (CEH). Mr. Washington holds a Bachelor of Science in Management from National-Louis University and a Master of Business Administration (MBA) from Indiana University.
This presentation delivers a basic understanding of forensics from an MBA's point of view. What is forensics? Why do we need it? Who wants our information? Why would someone attack us? Why do these tools cost so much? These questions and more will be answered from an easy-to-understand point of view. This class was designed to help mid-level and upper management understand and appreciate the cost, payback, and time needed to conduct an investigation, but is ideal for anyone desiring to understand exactly what is involved in digital media exploitation. This will not be an in-depth class, nor a vendor-specific class, but common industry-specific tools will be mentioned for their pros and cons as used in a real-world environment.

Handling Less-Than-Zero-Day Attack: A Case Study
Ma Huijuan (National University of Singapore, SG)
Dr. Ma Huijuan is an IT Security Engineer with the InfoComm Security/QA Group of the Computer Centre. She has about 6 years of experience in the IT industry. Her duties include penetration tests, incident handling and response, security audits, network reviews, evaluating and testing of new technologies and user awareness training. Dr. Ma holds a PhD degree in Engineering.
While some people are still suspicious about the existence and significance of zero-day threats and attacks, less-than-zero-day attacks have come onto the scene. Less-than-zero-day attacks refer to those targeting vulnerabilities that haven't been publicly disclosed. With the trend in recent years of hackers targeting financial gain instead of fame, it's expected that less-than-zero-day attacks will pose a greater risk to organizations. However, they are very difficult to defend against due to the fact that the vulnerabilities are unknown.
In this presentation, I will share our experience in dealing with such attacks. Monitoring and alerting of the incident will be introduced first, followed by containment of the damage, analysis of the compromised system, and identification of the less-than-zero-day attack. After that, I will talk about the process of reporting the unpublished vulnerability to the CERT Coordination Centre and the relevant vendor, as well as assisting the vendor to fix it, so that organizations using this software can be protected. At the end, I will talk about the lessons learnt and the security measures we find useful in dealing with such kinds of attacks.
I hope by sharing our experience, more people will join in the efforts to combat against less-than-zero-day attacks, report unpublished attacks, and help the vendors to fix them, so that organizations globally are protected and the internet security as a whole can be improved.

How many RATs do you know out there?
Simon Gunning (Digilog UK Limited, UK)
Simon, a co-founder of DigiLog, is responsible for directing and managing all IT related elements of DigiLog's AVS Solutions, including risk assessment, design, build, installation, configuration, testing and support.
His extensive technical experience with Nemesysco's VRA technologies, combined with a wide variety of successful AVS deployments, ensures that DigiLog has world-leading capabilities in this field, both in terms of customer-facing provision and in enhancing the development of the VRA technologies according to AVS requirements.
Simon has worked extensively in the field of Voice Risk Analysis with a variety of International Corporate and Public Bodies, including Police and National Security Services.
He is a member of the Association of Certified Fraud Examiners (ACFE) and sits on the Executive of the UK Chapter. He is also a member of the Fraud Advisory Panel and is affiliated to the International Chamber of Commerce Cyber Crime Unit. In 2002, Simon was the author of the London UK Wireless Security Report.
He is a regular and highly regarded speaker on VRA Technologies, Cyber Crime and Forensic IT Investigation.
This session will be an insight into the world of the Remote Access Trojan (RAT).
In this session we will explore some of the current RATs that are being deployed in the wild; the idea is to give an overview of their workings and some examples of deployments and connections. No RATs will be harmed during this session - except of course by anti-virus software ... but will the AV be able to detect them?

Identity Management Systems: the forensic dimension
Peter Sommer (London School of Economics, UK)
Peter Sommer is a Research Fellow at the London School of Economics where his interest is "the legal reliability of information systems", a subject which includes e-commerce protocols, computer forensics and many other aspects of computer-derived evidence. He is also a Senior Visiting Research Fellow at the Open University where he is developing a course on computer incident response and forensics. Since 2005 he has been the Joint Lead Assessor for the computer evidence speciality at the UK Council for the Registration of Forensic Practitioners.
He read law at Oxford and has had careers in both conventional book publishing and in electronic publishing. His first expert witness assignment was in 1985 and his casework has included the Datastream Cowboy / Rome Labs hack, the Demon v Godfrey Internet libel, NCS Operation Cathedral into large-scale distribution of paedophile images, NHCTU Operation Blossom into global warez piracy and, very recently, Operation Crevice (terrorism) and a defamation action involving Sir Martin Sorell of WPP and some Italian former business associates. He is currently instructed in a complex state corruption case in South Africa.
He sits on a number of Whitehall advisory panels and was Specialist Advisor for E-Commerce to the UK House of Commons Trade & Industry Select Committee to support their scrutiny of government policy and legislation.
An identity management system consists of an enabling technology, a means of managing that technology, and a framework of policies, law and regulations. If all works out well we achieve a balance of reliability in authentication and appropriate levels of confidentiality for those taking part.
But over a period of time the quality of the enabling technology and its management may become eroded. The technology may be less robust than first appeared, or advances may make compromise easier. A management system may show unexpected defects.
We need to study these eroding factors in identity management systems as we do more widely in computer security systems.
One of the least understood is the role of specialists in digital forensics. These people are constantly reverse-engineering hardware and software in order to identify digital footprints of activities which can then be used in legal proceedings. Their aims are often of the highest - to bring wrong-doers to justice. But in doing so in relation to identity management systems, they create the means by which people become prematurely de-anonymised and/or personal data is revealed in circumstances not originally envisioned.
I propose to examine the dilemmas, produce s