Speakers
Aashish Sharma (NCSA-IRST, US)
Unique Challenges for Incident Response in a Grid Environment
Incident response within an organization can often be a challenging task. There are usually multiple levels within an organization, as well as multiple departments that you may have to work with when responding to an incident. What are the challenges when you now have a grid environment where you may have thousands of users using resources within your organization that you have no control over? And when an incident does happen (that's a "when", not an "if"), how do the organizations within the grid work together to respond to it, given that it can usually spill over to many sites within the grid? This work addresses the challenges of incident handling and response in the more complex environment of grid computing, where there is a distributed user base and multiple physical entities composing a virtual organization. We will cover how the TeraGrid sites deal with coordinated incident response and give some real-world examples from actual incidents.
Adam Laurie (The Bunker Secure Hosting Ltd., UK)
A day in the life of a hacker... Things we get up to when nobody is looking, and that keep me awake at night.
In this session I will give a roundup of some of the issues I've spoken about over the last year, which include:
- Magstripes
- InfraRed
- RFID
- ATM Machines
Whilst I aim to make this reasonably technical, it will be fairly relaxed and informal, with live demonstrations and some room for experimentation if any of the participants are brave enough... :)
- Slides: laurie-adam-slides.pdf (9.43 Mb)
Adam Laurie is a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP8 and other minicomputers, and then on various Unix, DOS and CP/M based microcomputers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own Apache-SSL, which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of reusing military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON (http://www.defcon.org) since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, where he is now a regular training instructor (http://www.blackhat.com); he is also a member of the Bluetooth SIG Security Experts Group (http://www.bluetooth.org). His current focus is on RFID, and he has recently published an open-source RFID software library, written in Python, which can be found at http://rfidiot.org.
Andrea Pirotti (Executive Director, ENISA, EU)
Why was ENISA created?
ENISA was conceived in the spring of 2001, at a time when there was only limited co-operation and information exchange between the Member States of the European Union (EU), governments and industry in the field of Information Security. At the same time, the paramount importance of ensuring the continued functioning of the Information Society was becoming increasingly clear, given its growing impact on everyday life, business and the Digital Economy.
ENISA was created to bridge gaps, to promote good practice and to spread a culture of security across Europe. By using an open method of co-ordination between the Member States and industry, ENISA is facilitating and contributing to a significant improvement in the exchange of Information Security knowledge and best practices between the Member States. The Agency also acts as a spokesman on Network and Information Security (NIS) matters within the EU.
Why is NIS important?
It is not necessary to address the importance of Network and Information Security, as the audience at the FIRST AGM is fully aware of that. Just to sum up our mission:
ENISA:
- Is a Centre of Excellence for Member States and EU Institutions in Network and Information Security
- Is a switchboard of information on Good Practice
- Facilitates contacts between EU institutions, the Members States and private business and industry
In these ways, ENISA contributes towards the modernisation of Europe and helps secure the smooth functioning of the Digital Economy and the Information Society.
ENISA and the CERT communities
CERTs in Europe identified very early on that co-operation was crucial for successful incident response, as attacks from the Internet are global by nature and call for teamwork across traditional borders. CERTs collaborate in communities like TERENA's Task Force CSIRT (TF-CSIRT) and the European Government CERT Group (EGC). Such communities are essential as rich sources of information, tools and activities for network and information security. In its role as a facilitator and information broker, ENISA promotes CERT co-operation and helps these communities grow stronger in Europe and beyond!
ENISA and FIRST
ENISA acknowledges the importance of FIRST as a worldwide facilitator of CERT cooperation. This is the reason why, since September 2006, ENISA has been a Liaison Member of FIRST. The potential benefit is mutual:
FIRST acts as a premier provider of (not only) CERT-related security information and assembles under its umbrella a world-spanning network of Computer Emergency Response Teams, hardware and software vendors and other security experts. ENISA's experts can learn much from the expertise and good practices collected and provided by FIRST.
ENISA brings together the public and the private sectors to join forces in their efforts for a more secure Internet, a role that it shares with FIRST. ENISA also acts as a contact point for the EU Member States and all EU Bodies, and acts as a premier channel for NIS-related information to these stakeholders. So ENISA is the most obvious body to bring FIRST's important messages and information to otherwise impossible-to-reach audiences.
ENISA will be open for further collaboration with FIRST in the field of CERT cooperation and beyond!
Andrea Pirotti, since 2004, is the Executive Director of the European Network and Information Security Agency (ENISA).
He has been Vice President at the British-owned company Marconi spa and Managing Director/General Manager of Marconi subsidiary companies in Asia, South America and Spain.
He held positions at the Italian Ministry of Communications, being Counsellor to the Italian Minister of Communication.
During 1967-76 he was an Italian Army Signal Corps officer. He is a graduate of the Military Academy, Signal Corps, and holds a University Degree in Strategic Science.
Andreas Schuster (Deutsche Telekom AG, Group Security, DE)
Do it yourself: The latest in forensic tools and techniques to examine Microsoft Windows
Responding to IT incidents and investigating computers looking for signs of a compromise can be a challenging and time consuming task. This full-day presentation with embedded hands-on exercises will describe methods and techniques to investigate a potential intrusion. The course aims at a technical audience, preferably incident responders and forensic examiners. Participants should be familiar with the Microsoft Windows platform.
The morning session is dedicated to data acquisition. We will start by building a First Responder's Toolkit: write-protected media holding trusted binaries, which we will tweak so that they avoid using system-wide DLLs. We will also discuss several methods of obtaining memory dumps and their specific pros and cons, after which participants will be able to choose the right tool for their environment.
We will employ our toolkit to collect various pieces of evidence in the order of volatility: main memory, the swap file, NTFS meta data files, the Registry and lots more.
During the second session we'll then show how to analyze the data collected before. We will analyze the $Mft, the heart of NTFS, looking for Alternate Data Streams, commonly used file-system anti-forensic techniques and discrepancies between the user-mode view and the raw data. Furthermore, we will demonstrate how to analyze the raw Windows Registry files, how to quickly analyze the binary files collected from the running system and how to effectively use databases of hashes of known operating system files.
After an introduction to the basics of Windows memory management we will start to explore the memory dumps. We will focus on tools which are available for free, so participants can take them home and start working with them immediately. Additionally, we'll cover some of the leading-edge commercial tools in the field. For every tool we will discuss how it works and what its limitations are. Participants will try out the tools on sample images to uncover exploits and actual rootkit infections on their own.
Participants are expected to bring their own laptop. Microsoft Windows will be required to run some of the programs provided. Sample files for analysis will be available during class. Detailed instructions will be publicized before the conference.
Andreas Schuster (GCFA) has been a Senior Computer Forensic Examiner with the security department of Deutsche Telekom AG since December 2003. Previously he led a commercial computer incident response team and had worked in the Internet business for about seven years. Andreas got his first computer in 1981. Though times have changed significantly, he regularly falls back on low-level tools like disassemblers and hex editors when he explores the inner mechanics of an operating system or a new piece of malware.
Andrew Cormack
Managing Privacy in Network Operations: Learning from the Law
System and Network Managers and Incident Response Teams can represent a serious threat to the privacy of individual users. To ensure smooth operation of their systems and ensure they are not a threat to others, administrators may need to be able to read, modify or block any file or communication, or to pass it to their Incident Response colleagues for investigation. However those same powers, if misused either accidentally or misguidedly, can cause serious harm to individuals and organisations. Lacking written guidance on how to exercise their considerable powers, many administrators are left to rely on their own consciences to find the balance between protecting the individual and protecting the wider community: this is not a comfortable position for the administrator, their organisation or their users.
The European legal system has at least half a century of experience of protecting individual privacy, formalised in 1950 in Article 8 of the European Convention on Human Rights, which established the right to respect for private and family life, home and correspondence. This talk will suggest how principles established in the Convention and in subsequent European and national legislation to protect personal data and communications can be applied to network operations and incident response. The focus will be on developing good practice based on fundamental principles, so it should benefit those from other legislative traditions as well as those who have to ensure that their practices comply with their particular local privacy law.
Andrew Cormack joined UKERNA as Head of JANET-CERT in March 1999. In January 2002 he took up the new post of Chief Regulatory Advisor, concentrating on the awareness, policy, legal and regulatory aspects of computer and network security. Andrew is active in promoting cooperation between organisations working on computer security in the UK and Europe. He is a member of TERENA's Technical Committee and of the Permanent Stakeholders Group of the European Network and Information Security Agency (ENISA). He spends a lot of time talking to people about the problem of computer insecurity and what to do about it. He is a regular presenter of training courses on IT security and policy development and a speaker at national and international conferences. In the past Andrew has worked for Cardiff University, where he looked after web servers and caches as well as dealing with security incidents; the NERC's Research Vessel Services, running scientific computer systems on board ships with uncertain power supplies and moving floors; and Plessey Telecommunications. He has degrees in mathematics from Cambridge University and law from the Open University, and is a European Chartered Engineer.
Anton Chuvakin (LogLogic, Inc., US)
System, Network and Security Log Analysis for Incident Response
The presentation will cover the use of various system, network and security logs and audit trails in the incident response process, from methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include several detailed case studies.
Here is the brief summary:
- Brief incident response process overview
- Relationship between incident response and forensics
- Logs: what are they and what are they for?
- Log use at various stages of the response process: from incident detection to lessons learned
- Use of logs from various sources (firewall, IDS, system, application, etc) during incident response
- Log review and monitoring processes
- Routine log review
- In-depth log analysis and log mining for incident recognition
- Log evidence integrity and DoJ criteria challenges
- Raw vs parsed/tokenized logs as evidence
- Practical scenarios
- Conclusions
Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with a security information management company.
A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is the author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3" and an upcoming book on PCI. Anton has also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs such as http://chuvakin.blogspot.com
Art Manion (CERT/CC, US)
Vulnerability Remediation Decision Assistance system
Art Manion is the Vulnerability Analysis Team Lead at the CERT Coordination Center (CERT/CC). The Vulnerability Analysis Team works with vendors, reporters, researchers, and other parties on vulnerability coordination, response, and disclosure. In addition, the team researches new ways to manage vulnerability information and improve software security. CERT/CC is a Federally Funded Research and Development Center (FFRDC) operated by the Software Engineering Institute at Carnegie Mellon University.
Avi Corfas (Skybox Security, Inc, US)
Security Risk Management: breaking through technology and market barriers, a real-life story
Modern enterprise networks have many thousands of vulnerabilities, only a few of which are usually exposed to attack. Finding those exposures manually has proven to be a daunting task, especially in light of the daily publication of new vulnerabilities and constant network changes. Attack simulation is a new technology that helps security professionals prioritize vulnerabilities and focus on actual exposures. In addition to the technology challenges involved in security and network modelling, the creation of a new market category in the security space is a challenge in itself. This is an overview of the technology and its evolution from idea to a running business.
- Slides: corfas-avi-slides.pdf (1.08 Mb)
Avi Corfas is a seasoned software, technology and security executive and entrepreneur, with 28 years of international experience. He manages the European business of Skybox Security, the recognised leader in security risk management automation software.
Previously, Mr. Corfas was Executive Vice President (Europe, Middle East & Africa) for @stake, one of the world's leading information security consulting companies, recently acquired by Symantec. Before joining @stake, Corfas held global executive positions with CommerceQuest Inc., Compaq and Digital Equipment (among other roles, he was Chief Operating Officer and VP International Sales & Services for CommerceQuest and World-wide Director for Electronic Commerce at Digital). In the mid-1990s, he was the Chairman of EEMA, the European Forum for Electronic Business.
In 1994, Avi Corfas co-founded FutureTense, Inc., a successful content management and publishing software vendor. Previously, he held software development and consulting positions with information technology companies in various countries in Europe, North and South America and the Middle East. He developed secure real-time and commercial systems and provided strategic and technical advice to large government, academic and business organisations.
Mr. Corfas holds an Executive MBA from France's Haute École de Commerce.
Dr. Bernd Grobauer (Siemens-CERT, DE)
Dealing with Unreliable Software: Exile, Jail, and other Sentences
In terms of security, web browsers are most unreliable fellows: during the past few years, no other application type has been as error-prone, inviting a plethora of attacks. Yet modern business cannot do without web browsers any more. Other application types handling data accessed via the Internet, such as messaging applications, document viewers, peer-to-peer applications, etc., are also increasingly under attack, and at least some of them cannot be done without either. What is one to do?
This talk discusses the possibilities of mitigating risk by separating unreliable software from production systems. We provide an overview of various methods of separation (exile on a dedicated system, jail in virtual or change-root-like environments, ...), discuss the security gain that can be achieved, and highlight the challenges in integrating such separated systems with the production environment so as to achieve satisfactory usability.
Experiences with Building, Deploying and Running remote-controlled, easily installable Network Sensors
A remotely manageable network sensor on a live CD may allow a CERT with little or no direct control over its networks to achieve improved situational awareness: because installation of such a sensor requires very little effort on the part of local system administrators, the barrier to deploying IDS sensors is significantly lowered. Furthermore, an easily installable network sensor is a valuable tool for fast response to ongoing incidents in which network data must be collected.
This talk reports on the experiences collected by Siemens CERT in creating an easily installable IDS sensor, deploying it within the company and running the sensor network. We describe the design of the sensor and the sensor management console, and report on lessons learned in interacting with local system administrators and operating the sensors. We also describe experiences with using remote sensors as honeypots rather than IDS sensors.
Building on our experiences, other CERTs should be able to get up to speed fast with creating and rolling out network sensors in their network.
Dr. Bernd Grobauer is a Senior Consultant with Siemens CERT. He received an M.Sc. degree in computer science in 1997 from the Munich University of Technology, Germany, and a Ph.D. degree from Aarhus University, Denmark. When joining Siemens CERT in March 2002, Bernd Grobauer turned his attention from program verification and program transformation (research topics aimed at more dependable systems) to IT security. Bernd Grobauer coordinates the research activities of the Siemens CERT services team and acts as security consultant on security governance topics.
Bob Ayers (Chatham House, UK)
The Security needs of the State versus the rights of the individual
The spectre of international terrorism has changed the traditional balance between the rights of the citizen to freedom and privacy and the needs of the Nation State to provide security for the population. In the United Kingdom, surveillance technology is already extensively deployed monitoring many aspects of the daily life of the population, with even more intrusive programmes planned or under way. Is the loss of privacy the price we must pay for security and safety in the 21st century? What are the future consequences of this increasing loss of individual freedom and privacy?
- Slides: ayers-bob-slides.pdf (222.39 Kb)
Bob is currently the Vice President for Homeland Security for Selex Sensors and Airborne Systems.
Prior to this, Bob was the Managing Director of Ayers & Associates, specialising in the provision of intelligence, counter-intelligence and security services.
As Director for Critical National Infrastructure Defence and Homeland Security for Northrop Grumman Mission Systems Europe, Bob was responsible for national-level business development and customer relations management.
As Director of Business Risk Services with @Stake Ltd he provided Board-level professional security consulting services and business development.
As Vice-President and Managing Director of Para-Protect Europe, an IT security company in the UK, he managed a UK-based IT security business.
From 1998-2000, he was the principal security consultant for Business Risk Management with Admiral plc, serving clients in the banking, financial, and telecommunications markets in the UK, Belgium, Singapore and Australia.
Before moving to the UK, Bob had a distinguished career in the US Government.
As Director, DoD-wide Information Systems Security Improvement Program, Bob established the 1st DoD Computer Emergency Response Team (CERT), the 1st Penetration Testing programme and the 1st Infosec training programme.
As Director, Defensive Information Warfare Program, Bob led a DoD programme to protect all DoD systems from attack by a hostile nation state.
As head of Computer Security in the Defense Intelligence Agency, Bob was responsible for the security of 40,000 intelligence systems at 55 worldwide locations.
As SAFE Program manager, Bob managed a $300M development programme to automate the CIA and DIA workplaces; he then implemented the system in DIA.
While serving in the DoD Indications and Warning System Secretariat, Bob conceived and implemented the DoD Worldwide Warning Indicator Monitoring System.
As an Army Officer, Bob served as a Counter-Intelligence Agent, Command Intelligence Officer for a nuclear-capable unit and Strategic Intelligence Officer with the United Nations Command Korea and the DIA.
Bob is a noted public figure, with over 600 appearances on television and radio in the US, Europe, and Asia.
He is a frequent lecturer at Government, academic and business conferences on a variety of security and intelligence matters.
Carlos Abad (Spanish National Cryptologic Center (CCN), ES)
Setting up a governmental CERT: The CCN-CERT case study
The CCN-CERT is the Spanish National Information Security Incident Response Team. It was created in late 2006 with the mission of being the support and coordination centre for security incidents that affect public organizations, helping governmental bodies respond efficiently before security threats affect their information systems.
Beyond the standard basic steps involved in setting up a CERT, creating and developing a CERT with a national-government constituency entails some particular problems and challenges.
- Slides: abad-carlos-slides.pdf (1.50 Mb)
Carlos Abad is the coordinator of the CCN-CERT (Governmental CERT) in the National Cryptologic Centre (CCN) of Spain. His other duties in the CCN include raising IT security awareness through guides and standards for Spanish public administration bodies (the CCN-STIC Guides), and assisting the Common Criteria accreditation team.
Previously, in the private sector, he worked as a software test engineer, UMTS protocol analyst and IMS node tester, among other things.
Carsten Casper (ENISA, GR)
Developing a trusted partnership to prepare a framework for the collection of information security data
Public and private decision makers need accurate statistical and economic data on information security. They need information about trends and volumes of security problems, but also about the level of confidence that clients and citizens place in information processing resources. Various public and private sources of such data exist, within an organisation, within a country and beyond borders. However, in most cases such data is kept in silos and not compared with data from other sources. This happens for technical reasons, but also because every incident is embarrassing for the owner of the technical infrastructure, and most think that such information is best kept secret.
ENISA, the European Network and Information Security Agency, has been tasked with evaluating whether a trusted partnership can be developed and with preparing a framework for the collection of such data. The partnership could include Managed Security Service Providers, Electronic Communication Service Providers, vendors, users, government entities and others. The goal is not to actually share data (that would be too ambitious, given the sensitive nature of the information) but rather to discuss under which circumstances sharing of such sensitive data can be possible. In June 2007, the first results of this relationship-building will be visible. The goal of this session is to present them to the public.
Carsten Casper is a Senior Expert for Information Security Tools & Architectures at ENISA, the European Network and Information Security Agency.
Mr. Casper conducts and moderates studies and research on information security topics such as information security certifications, security challenges in emerging applications and technologies, sharing of sensitive information on security incidents and consumer confidence, security and anti-spam measures of electronic communication service providers, and best practices for information security policies.
Prior to working for ENISA, Mr. Casper worked as a Senior Research Analyst for Gartner and META Group. He holds a diploma in computer science from the Technical University of Berlin.
Chris Fry (Cisco Systems, US)
Inside the Perimeter: 6 Steps to Improve Your Security Monitoring
Most attacks from the Internet are not actionable. They're automated, noisy distractions from the real problems your enterprise is facing. The threat has driven deeper into your enterprise; infected hosts are remote-controlled and attacking your naked infrastructure.
For this reason, Cisco's Computer Security Incident Response Team (CSIRT) has begun orienting its security monitoring toward internal threats. CSIRT engineers will describe their approach, topology, challenges, and lessons learned in the process. This highly practical session will illustrate security monitoring with CS-IPS versions 5 and 6, CS-MARS 4, NetFlow v7, and syslog. CSIRT engineers will describe how the global solution was deployed and tuned, and the lessons learned along the way. Participants should expect to leave with practical insights and best practices for deploying internal monitoring for incident response.
Chris has been a member of Cisco's Computer Security Incident Response Team (CSIRT) for 3 years, focusing on the deployment of intrusion detection and network monitoring tools. He began his career at Cisco in 1997 as an IT analyst, supporting Cisco's production services. His four years as a Network Engineer in Cisco IT's internal network support organization gave him valuable knowledge and insight into production enterprise networks. Chris holds a BA in Corporate Financial Analysis and a Master's Degree in Information and Communication Sciences from Ball State University.
Chris Painter (Department of Justice, US)
Law Enforcement / CSIRT Cooperation SIG
At last year's FIRST Conference, the 1st "CSIRTs meet LEs, LEs meet CSIRTs" workshop was held. The workshop bridged the gap between two different communities by introducing their mission, policy and culture with regard to responding to cyber incidents and information handling. The case studies also demonstrated the value of partnership and collaboration between CSIRTs and Law Enforcement.
Following the success of and overwhelming response to the 1st workshop, this year FIRST and the G8 High Tech Crime Subgroup plan to hold the 2nd "CSIRTs meet LEs, LEs meet CSIRTs" workshop. This year's theme is "Forensics": identifying what data is most useful for incident response teams to gather and present so that legal action can be taken successfully, and how to work with LEs. Forensic techniques, tools and best practices from both communities will be introduced.
View the workshop schedule in the conference schedule in PDF format.
Chris Walsh (cwalsh.org, US)
Data on Data Breaches: Past, Present, and Future
A number of high-profile data loss incidents have focused attention on questions surrounding the collection, storage, and protection of personal information.
Measures aimed at protecting those whose personal information has been put at risk through such incidents have become widespread in the U.S., with increasing calls for similar regulation in the EU, Canada, and elsewhere.
We examine past and present security breaches to illustrate the thesis that to understand, we must discuss. Effective measures to address security breaches can only be developed through empirical research. From it we can learn what contributes to such breaches, and their impact both on those whose information is revealed and on the breached entity.
We conclude by discussing future steps that can be taken legislatively and by the research community to facilitate greater understanding in this area.
- Slides: walsh-chris-slides.pdf (2.65 Mb)
Currently an information security architect for a consumer goods firm operating in 180 countries, Chris has previously held information security and incident response roles in academia, and the financial sector, as a hands-on technologist, a consulting team lead, and a divisional manager.
David Barroso (S21sec, ES)
An increasingly common threat is arising in our daily lives: online fraud attacks. These threats are now migrating from real life to the Internet. It is very common to receive a phishing e-mail, a scam asking for money, or even malware that silently steals your identities while you surf the web.
This presentations aim is to show the different online fraud methodologies detected during the years 2005-2006 and how the fraud is evolving. Besides, we will not focus only on the phishing and pharming attacks, but also in the malware techniques seen in the wild. Botnets and C&C are real threats and they are everywhere. Well show different C&C panels and explain the business model behind those attacks.
David Barroso is the director of research for S21secs R&D division, S21Labs. In this role, he oversees the companys research projects that are related to different information security domains: malware, RFID, wireless, VoIP, log management, pentesting, biometrics, He also manages a tight cooperation with the S21sec SOC, and its online fraud service.
Prior to S21Labs, Barroso worked as a security consultant in S21sec where he was specialized in forensics and penetration testing, and in AT&T, where his role was the Spain and Portugal Security Coordinator.
Barroso has been involved in the security field since more than ten years, contributing to open source security tools (spamassassin, libnet, drac, honeysnap, gotek, wireshark, ), developing exploits (Microsoft IIS, Cisco VTP, ), writing different security articles and developing Yersinia, the framework for layer two attacks.
He is a frequent speaker on different security topics in several conferences (BlackHat, NcN, Securmática, Respuestas SIC, ) and holds the GSEC, GCIA, CISSP, BS-7799 Lead Auditor and other security products certifications.
Eloy Paris (Cisco PSIRT, US)
Taming Packets: The Network Expect Framework for Building Network Tools
Network Expect is a framework that allows one to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network.
Network Expect was heavily influenced by, and inspired by, the "Expect" program written by Don Libes, which allows one to "talk" to interactive programs in a scripted fashion. Because of this, there are many similarities between commands in Network Expect and commands in Expect.
A Network Expect script can send traffic to the network and then take decisions based on the received network traffic. The kinds of things that Network Expect can do are usually very low-level network operations, which would otherwise require writing a custom program in a language like C.
Network Expect's philosophy is based on the observation that network applications always operate on an action-reaction principle in which something is sent over the network to an application running on a remote host and a response is then received.
Network Expect can generate arbitrary network traffic and inject it into a network at layer 2 or layer 3. A wide range of protocols is supported, including IP version 6 as well as protocol options like IPv4 options, IPv6 extension headers, and TCP options. Network Expect can also listen for network traffic, decode it, and take decisions based on the type of traffic received.
These capabilities make it very easy to emulate network protocols to do vulnerability testing and auditing, penetration testing, network protocol research, etc.
The presentation "Taming Packets: The Network Expect Framework for Building Network Tools" will give an introduction to the Network Expect framework and provide examples of how Network Expect has been used to solve real-life problems.
Network Expect is Open Source Software that was developed by Eloy Paris from Cisco Systems.
Eloy has been with Cisco since July 2001. He spent three years in Cisco's Critical Infrastructure Assurance Group (CIAG), where he focused on the group's Incident Response Support initiative, providing support to Cisco's Incident Response teams like the Cisco Product Security Incident Response Team (PSIRT) and the internal Information Security team, and provided support to the CIAG's Research initiative by writing network tools used in security research of protocols like BGP and IPv6. Eloy has been an Incident Manager with the Cisco PSIRT since June 2004. In his current role, he is part of the team responsible for managing security vulnerabilities in all Cisco products.
Eloy developed the Open Source Network Expect framework for building network tools to fill several needs that arose while working in Cisco's CIAG, PSIRT, and the Technical Assistance Center (TAC).
Prior to joining Cisco, Eloy worked for 5 years at the Venezuelan subsidiary of Rockwell Automation originally as a Field Support Engineer supporting industrial automation equipment and later in the IT organization.
Originally from Venezuela, Eloy holds a Bachelor's Degree in Electrical Engineering from Universidad Simon Bolivar in Caracas, Venezuela and an MBA from Carnegie Mellon University in Pittsburgh, PA, USA. Eloy participates in various Open Source Software projects, and works as a volunteer developer in the Debian GNU/Linux project. He also enjoys doing malware analysis and reverse engineering, and writing network tools.
Emma Shaw (Esoteric Ltd, UK)
Espionage: Reality or Myth? A Demonstration of Bugging Equipment
The single greatest asset held by most companies is their information. Its protection is key to the success of any business, particularly in competitive markets where new designs, intellectual property and technological advance have significant commercial value. A growing number of companies and government departments are now taking proactive action to protect their information and so deter terrorists, criminals and others before damage can be done.
Information is also key to the success of terrorists, criminals and others who need to obtain sufficient information on their targets if they are to achieve their aim.
The threats from those wishing to steal information are real, and there are many recent examples of this both in the UK and elsewhere. Your company is most likely already a target for this type of activity. It may involve staff collusion with external bodies, infiltration, or unauthorised access to gain information through physical or technical means.
This presentation looks at the threats organisations face from espionage, and the impact of the loss of vital information on the company. The presentation will provide an insight into the world of espionage, how it is conducted and by whom; the legalities of bugging; the vulnerabilities of emerging technologies; along with statistics, case studies and actual examples of bugging devices. We will examine the facts to decide whether espionage is Reality or a Myth.
If time allows we can include a practical demonstration.
Emma has been actively involved at all levels in both covert and overt investigations for approximately 20 years. The early part of her career was spent with the Royal Military Police, followed by a career in UK government. Emma is now the Managing Director of Esoteric Ltd, a specialist security and covert investigations company, which she founded in 1998. The company provides bespoke confidential services, which assist their clients to deal with issues such as Theft, Fraud, Counterfeiting, employment related issues, and economic and corporate espionage. Esoteric Ltd has been approved by the National Security Inspectorate to the prestigious BS EN 9001:2000. Emma is a member of the Council for the Security Institute, the Registrar for the Validation Board of The Security Institute, Southern Region Chair for the Defence Industry Security Association (DISA), a member of the Professional Development Committee for the American Society of Industrial Security (ASIS) and the Counter Terrorist Committee with the Joint Security Industry Council (JSIC).
Fong Lian Yong (National University of Singapore, SG)
Universities have the dual challenge of creating an environment that fosters experimentation and learning while protecting the users against unauthorized access and other Internet threats. In a large enterprise network like NUS, where there are more than 30 000 online nodes, this challenge is more acute. Universities are unlike corporations because they cannot impose overly restrictive policies that could hamper research and sharing. In corporate environments, network users are primarily rule-abiding employees. However, in university environments, the majority of the network users are students.
I will present the enterprise-wide security framework adopted by NUS. This framework is built on the PPT Methodology (i.e. People, Process and Technology). The People element is the most important element and, as the saying goes, "Human is the weakest link in the security chain." Under the People element, I will detail the strategy to address upper management, user buy-in, staff morale, user awareness and training requirements. Under the Process element, I will discuss the process framework we adopt to track progress and success. Processes include vulnerability management, threat management, incident management, audits, penetration testing, etc. On the Technology aspect, NUS has looked beyond the traditional firewalls, intrusion detection and prevention systems, antivirus, anti-spyware and anti-spam implementations. Many systems are developed in-house, as many off-the-shelf systems are not effective in a unique environment like NUS. Our blackholing mechanism, honeynet implementation and vulnerability management system are some examples of our innovative security implementations.
I hope that sharing our experience with the strategy that helped us and the pitfalls to avoid can prove valuable to both universities and similar organizations that do not already have a similar strategy in place but are facing enterprise-level threat mitigation issues and inhibiting cost factors.
Yong Fong Lian received the B.S. in Computer Science from the National University of Singapore in 1981. She is currently working in the National University of Singapore Computer Centre as the Manager of the InfoComm Security/Quality Assurance Group. She is also the chairperson of NUSCERT, the Computer Emergency Response Team of NUS.
Francisco García Morán (Director General, DG Informatics, European Commission, EU)
The speech will present the security strategy of the European Commission in the framework of the EU security policy as outlined by the European Council in 2004.
After introducing the European Commission and its role in the EU institutional framework, the presentation will describe the EC's IT organisation and governance and will highlight the role of security in the "Roadmap towards an Integrated eCommission", the internal eGovernment initiative of the EC launched in the context of the i2010 initiative.
The presentation will outline the principles inspiring the security policy, "a secure Europe in a better world", and will describe the EC strategy for Network and Information Security, explaining the dimensions of the problem, from technical to social and ethical. Then the Research Security Policy will be introduced, describing all the efforts and preparatory actions that had led to the allocation of 1.4 M for security research in FP 7.
It will also describe the initiatives regarding Safer Internet and those in the area of Justice, Freedom and Security.
Finally, the EC internal security policy will be outlined and the implementation efforts regarding the policy will be presented including the description of the peripheral security infrastructure, security of IT configurations and Information Systems as well as the measures put in place to fight viruses and spam.
Francisco García Morán holds a degree in Mathematics from the University of Sevilla and a degree in Computer Science from the Polytechnic University of Madrid.
He worked as a teacher at the University of Sevilla and as an IT analyst at its Data Centre between 1974 and 1976.
He joined the Data Center of the Ministry of Education and Science in Madrid in 1976 where he held several positions as head of departments and he started the project of "decentralised IT" to Delegations of the Ministry.
In 1982 he joined the Ministry of Education and Science of the Regional Government of Andalucia where he headed the IT department for nearly 4 years.
He joined the Informatics Directorate of the European Commission in November 1986 and held several positions in charge of IT solutions for the office automation, information systems development and Data Centre environments.
In 1998, he joined the Directorate General for Translation as Head of the IT unit until he was appointed in April 2001 Director of "Informatics" in the Directorate General for Personnel and Administration.
Since May 2004, he has been heading the Directorate General for Informatics (DIGIT), where he was appointed Deputy Director General in July 2004. He was appointed Director General in November 2005.
Since 01/01/2007 his Directorate General is responsible for the IDAbc (Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens) programme.
He sits as representative of the European Commission on the Management Board of ENISA (European Network and Information Security Agency) and he also sits on the "Advisory Committee for eAdministration" to the Minister of Public Administration (MAP) in Spain.
Francisco Monserrat (IRIS-CERT RedIRIS, ES)
Francisco (Paco) Monserrat (IRIS-CERT RedIRIS, ES)
Frank Wintle (PanMedia Ltd, UK)
In his address to the 18th FIRST annual conference in Baltimore, guru Bruce Schneier asked and answered a critical question: How do you compel the home user to secure a PC against Trojans and worms? You don't. You can't.
Twelve months later, the theme of the 19th FIRST conference in Seville is digital privacy, in the wake of a year in which millions of items of personal data were lost or stolen from corporates, with disastrous consequences for the reputation of e-commerce.
These are the starting points for Frank Wintle's presentation to Conference 19. Why don't home users care, and why don't they act? Why, in the UK, did more than half a million people walk away from Internet banking in 2006? Why are phishers still able to pose as financial institutions, sucker innocents and detach them from millions of dollars? What's the root cause of corporate carelessness?
Could one reason be that the Internet security industry has a huge communications problem?
Wintle thinks that it is, and in this presentation he will argue that the I'm-a-geek-and-I'm-proud-to-speak-geekspeak attitude betrays the kind of pride which almost always goes before a big fall, if the fall isn't happening already.
He then goes on to set out the principles of a communications approach which can make even the most arcane subject lucid and engaging for non-specialist audiences, and illustrates how effective communications can change attitudes and actions.
Lastly, he discusses strategies and evaluation, exploring ways in which CERTs within nations or organisations can define communications targets they want to reach and behaviours they want to change and then use appropriate PR techniques to reach their objectives.
Frank Wintle runs the London-based communications consultancy PanMedia, offering courses in internal and external communications, individual coaching in communications skills, and agenda, production and presentation services for business seminars. His clients include Cisco Systems, HSBC Actuaries and Consultants, Virgin Money, E-ON Ruhrgas, Deloitte, and the international Forum of Incident Response and Security Teams. He also trains Peace Observers in reporting and diary-keeping before their tours of duty in the Middle East.
In his writing and producing career for factual television Frank Wintle won gold and silver medals from the New York Film and TV Festival, the Golden Gate Award from the San Francisco Film and TV Festival, best programme award from the Royal Television Society and an Emmy nomination.
He has written two books and continues to contribute to the national Press.
Gavin Reid (Cisco Systems, US)
George Stathakopoulos (General Manager of Product Security, Microsoft, US)
- General history of MS security efforts
- Current situation in the ecosystem
- Microsoft's strategy
- Call to action
As general manager of Microsoft product security for the Security Engineering and Communications Group, part of the Security Technology Unit at Microsoft Corp., George Stathakopoulos directs four teams of more than 100 people that collectively help make Microsoft® products and services more secure and help protect the company's customers from online threats. The four teams have the following responsibilities:
- The Security and Privacy Product Policy team creates internal policies and processes to ensure that security is a primary consideration during product development and throughout the security development lifecycle (SDL).
- The Secure Windows® Initiative is designed to check for vulnerabilities in products and enforce the SDL, using methods hackers employ to find potential security weaknesses.
- The Microsoft Security Response Center responds to externally reported vulnerabilities and coordinates the company's response to viruses and worms.
- The Security Community Team reaches out to security researchers, industry groups, technology companies and governments to collaborate on security-enhancement projects and increase awareness about Microsoft's security efforts.
Stathakopoulos began working for Microsoft in 1991. Before his current role, he helped several Microsoft product groups, including the Microsoft Internet Explorer and Windows groups, respond to security issues and enhance product security. He has been on the front line of Microsoft's response to every major computer worm, including Melissa, I Love You, BubbleBoy and Zotob.
After working on Microsoft Excel®, Windows 3.1, Windows 95 and Internet Explorer®, Stathakopoulos began focusing on security in 1996, spearheading Microsoft's response to the first Internet Explorer security bugs. That same year he helped form the first Internet Explorer Security team, which was among the first monitors of the secure@microsoft.com e-mail address.
Stathakopoulos joined Microsoft after graduating from Portland State University in Portland, Ore., where he earned a computer science degree in 1991. He also holds Certified Information Systems Security Professional (CISSP) certification.
Born and raised in Greece, Stathakopoulos moved to the U.S. when he was 19. He remains fluent in Greek and visits his homeland at least once a year. Away from work, he enjoys scuba diving and photography.
Georgia Killcrece (CERT/CC Carnegie Mellon University, US)
This full-day tutorial is designed to provide those in the process of creating a CSIRT, those already managing a CSIRT and others who may interact with incident management and CSIRT staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs for those new to the field who are interested in learning about a CSIRT and the type of activities a CSIRT performs.
This tutorial will provide a discussion of best practices in creating and managing a CSIRT. The course provides an overview of the incident handling process and the types of tools and infrastructure needed to be effective. It also provides a high level overview of the key issues and decisions that must be addressed in establishing a CSIRT. The tutorial will explore the relationship between CSIRTs, incident management, and security management and discuss how successful incident management requires an enterprise view and approach.
Georgia Killcrece is a Member of the Technical Staff and joined the CERT® Coordination Center (CERT/CC) in 1989. The CERT/CC, established in 1988, is part of the CERT® Program based at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pennsylvania.
Since 1999 Killcrece has led the CERT® CSIRT Development Team and takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide. She has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. She is internationally recognized as a leader in CSIRT development and has been invited to present at a number of international conferences. Killcrece also chaired the 2006 FIRST conference.
Killcrece participates in the creation and delivery of public and onsite training courses, as well as facilitating workshops focused on CSIRT development. As part of broader outreach efforts in the CSIRT community, her team licenses the suite of CSIRT training materials to external transition partners. In 2003, to meet the need for trained incident handling staff, the CERT Program created and launched a certification program.
From 1994 to 1999 Killcrece was a technical coordinator and incident response coordinator in the CERT/CC. In those roles, she gained firsthand knowledge of the processes involved in forming, operating, and managing incident response teams, including the dynamics of working in a fast-paced team environment.
Killcrece is author or contributor to a suite of CSIRT documents and reports, available on the CERT web site at http://www.cert.org/csirts/. Killcrece can be reached directly by email at georgia@cert.org.
Graham Whitehead (Futurologist, BT, UK)
You Haven't Seen Anything Yet!
The human race has always been fascinated by numbers and computing. Recently I have been challenged that Moore's Law (created by Gordon Moore in 1968, which predicted that the number of transistors on a chip would double every two years and the price would halve in the same time) will not only cease being true but will saturate and flatten off. I do not believe this to be the case - I see in the next few years greater and greater computing power being available.
The advent of Broadband connections, originally by ADSL, and new networks like BT's 21CN will bring an era of AORTA (Always On Real Time Access). The human will be abstracted from the complexity of searching for information. Artificial Intelligent Agents will wander around this new information maze looking for information that might be of interest to you and push it towards you. These agents will have faces, voices, will hear and understand what you say, and might even have personalities! The whole process will get very conversational.
But we will go further than just artificial people; we will start immersing ourselves in virtual environments. Imagine a virtual High Street where you can wander and visit the shops of your choice. These establishments will be "peopled" by avatars which look and behave just like the real people in the real shops - but there will be no queues.
With the advent of the SmartCard we will be carrying enormous amounts of personal information and exchanging it in public places. One SmartCard could carry all your personal details, from your ID card and passport to driving licence and medical history. I see everything having SmartCard readers (computers, phones, mobiles, TVs), and the appropriate information will be exchanged without the extreme efforts that are required of the human today - re-typing the same details on every web-page. I also see the security hologram on the card still being a visual security device, but also becoming a thumb print reader. The SmartCard becomes a "This is me - honestly it really is me" security token. With the advent of Web Services on the AORTA network, I could be at an electronic point-of-sale machine and the insertion of the token automatically brings all my relevant data (including current picture) to that point in the network.
In the near future everything is going mobile. We will all have personal communicators (yes just like Star Trek!) which will connect us to voice communications and information. You will start asking your mobile phone questions and receive information that is pertinent to you at this time and at this location. Soon, with 3G type systems, we will be able to send and receive moving pictures. In fact in the very near future we will as carelessly pass images and moving images over these devices as we just talk to them today.
And as we enter this new information age, we must look at how we will trade with our customers. It is vitally important that we target each individual customer and personalise our communication with him or her. Gone are the days when a simple advertisement was good enough, and we expected our customers to come and find us. Now we have to build a bridge and an interactive, proactive experience for our customers.
Technology is changing very fast indeed. I predict that you will see more change in the next 10 years than has been experienced in the past 150 years. Technology is changing - the question is "Are you changing as fast?", because if you are not, you and your organisation might not be trading in the next few years!
Graham Whitehead joined the British Post Office in 1968 as a Post Office University Student. He spent 12 months, before attending university, in all parts of the business from the chairman's office to the deepest, muddiest hole in the ground. He graduated from Leeds University in 1972 with a BSc honours degree in Mechanical Engineering. He is a member of the IMechE and IEE.
He joined the BT Laboratories after graduation and has worked in a wide variety of disciplines, such as mechanical connections and structures, optical transmission systems, the packaging and cabling of optical fibres, and hydro space engineering. He was production manager of the optical receiver project which designed and manufactured the receivers used in the TAT-8, PTAT and NPC trans-Atlantic and trans-Pacific submarine systems. For the latter he was awarded the Queen's Award for Technology in 1990.
In 1989 he moved to the USA on secondment to Du Pont as the production manager and co-ordinator for the manufacture of the optical amplifiers and tuneable narrow linewidth lasers which were part of the product portfolio of BT&D, a joint venture of the two companies.
In 1990 he returned to the BT Labs and was appointed manager of the Business Systems Group which investigates the modelling of business structures and their mutual interactions.
In 1992 he became BT's Advanced Concepts Manager. Over the last few years he has specialised in presenting the work of the BT Labs to both customers and other parts of BT. He delivers more than 300 presentations every year, and has produced a series of video tapes. He also contributes to many journals, newspapers, radio and TV programmes.
In 1999 he became one of BT's Principal Consultants looking at the future of telecomms and IT.
In 2004 he was appointed as Visiting Professor at the Business School at Salford University.
He lives in East Anglia and has two children: Sarah, an Environmental Science graduate, and John, an Aerospace Engineering graduate. He is an active Morrisman, and plays and calls for most of the folk bands in East Anglia. To get away from it all he walks over mountains - a difficult task in the eastern counties!
Grant Deffenbaugh (CERT/CC, US)
Creating, Managing and Using a Malware Lab
During the first part of the day we will present a tutorial on what is required in building and managing a Malware Laboratory from a systems administration point-of-view. Network design, services and infrastructure will be covered. Special attention will be given to creating an environment for runtime analysis. Risk assessment and techniques for implementing network security will be examined. Other topics include developing policy and procedures to maintain a secure and reliable malicious code analysis environment.
The second half of the day will cover collection of malicious code, safe handling practices, and platforms to perform analysis. We will focus on the use of virtualization technologies, discuss various analysis tools, and engage in actual malware analysis.
Participants are asked to bring a laptop with a valid VMware license pre-configured with a Windows guest. A sample Linux guest as well as tools and malicious code will be distributed during the tutorial.
Grant Deffenbaugh is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). He currently is the team lead for CERT/CC's Malware Laboratory and has a PhD in Computer Systems Engineering from Rensselaer Polytechnic Institute. The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC) sponsored by the US Department of Defense (Under Secretary of Defense for Acquisition, Technology and Logistics) and managed by Carnegie Mellon University.
Guilherme Vênere (CAIS/RNP Brazilian Academic and Research Network, BR)
Hal Burch (CERT/CC, US)
Vulnerability Remediation Decision Assistance System
Hal Burch is a member of technical staff at the CERT Coordination Center (CERT/CC). Hal's responsibilities at CERT/CC include the Secure Coding Initiative and development of tools for vulnerability handling at CERT/CC. CERT/CC is a Federally Funded Research and Development Center (FFRDC) operated by the Software Engineering Institute at Carnegie Mellon University.
Hart Rossman (SAIC, US)
SafeSOA: Managing Privacy & Risk In The Global Service Oriented Environment
The ongoing convergence of Enterprise SOA and Web 2.0 requires flexibly integrated security and business policies to thrive in the evolving enterprise risk model. This presentation will articulate the need to address the secure composability challenge of service oriented solutions, shifting the market from an emphasis on system vulnerability to practicable, embedded risk & capability management, resulting in service oriented security. However, in the quest for service oriented security, privacy and identity management must be integral to the successful solution set. Prevailing enterprise identity and privacy solutions tend to emphasize the rights and needs of the corporation over the individual, which is in many ways in opposition to consumer trends on the Internet that emphasize user-generated content and an architecture of participation. We will discuss the impact of Web 2.0 (characterized by user-generated content, wide-spread meta-data, extension of the systems integration value chain, architectures of participation, and a social computing culture) and the Identity 2.0 movement on traditional privacy & security solutions, and begin to bridge the gap between service oriented security, Web 2.0, and next generation constructs for identity management. This will be demonstrated through technical use cases, including source code & implementation examples, of how top-down system integration and bottom-up application mashups converge to operationalize requirements at the point of use... intrepid Internet developers and consumers! We'll end with a few thoughts on the impact these changes will have on incident management and the role privacy and user-generated content play in incident response in the service oriented enterprises of the future.
Hart Rossman is Assistant Vice President and Chief Security Technologist at SAIC's Intelligence and Information Solutions Business Unit, SAIC's center for information security and secure information sharing. In this role, he brings together people, process, and technology to create solutions that meet customers' current challenges and respond to issues they may not have foreseen. He leads the business unit's exploration and assessment of existing and emerging technologies, vendors, tools, devices, and applications to promote continuous integration of the best into client and in-house solutions. He is a frequent speaker and contributor on security and information-sharing issues worldwide. Mr. Rossman is currently exploring the implications of risk management and system security in netcentric computing and is a co-founder of the SafeSOA initiative (www.safesoa.org).
Dr. Heiko Patzlaff (Siemens-CERT, DE) - Dealing with Unreliable Software: Exile, Jail, and other Sentences
In terms of security, web browsers are most unreliable fellows: during the past few years, no other application type has been as error prone, inviting a plethora of attacks. Yet modern business cannot do without web browsers any more. Other application types that handle data accessed via the Internet, such as messaging applications, document viewers, peer-to-peer applications, etc., are also increasingly under attack, yet at least some of them cannot be done without either. What is one to do?
This talk discusses the possibilities of mitigating risk by separating unreliable software from production systems. We provide an overview of various methods of separation (exile on a dedicated system, jail in virtual or change-root-like environments, ...), discuss the security gain that can be achieved, and highlight the challenges in integrating such separated systems with the production environment so as to achieve satisfactory usability.
Using instrumented browser instances for detecting 0-day exploits and filtering web traffic
In the past three years the main infection vectors of malware have shifted from network scanning worms targeting server software and social engineering based attacks such as email worms to attacks targeting vulnerabilities in client software. The most popular target of these attacks is Microsoft's Internet Explorer. One idea that has been employed in the past to deal with scanning worms also proves useful in these new scenarios: honeypots.
In the talk the idea of using a client honeypot to protect a small workgroup environment is explored. We present an architecture for integrating an automated instance of Internet Explorer into a web proxy to transparently filter malicious web sites. We provide implementation details, report on problems encountered and give measurements of run-time metrics such as latency.
Dr. Heiko Patzlaff is a security consultant with Siemens CERT. He received an MSc degree in physics in 1993 from Martin-Luther University of Halle and a PhD in theoretical statistical physics in 1997 from the University of Leipzig. Before joining Siemens he worked in the anti-virus industry as a researcher and member of the systems development group of SophosLabs at Sophos PLC in the United Kingdom. Besides his continuing interest in anti-virus and malware topics, Dr. Patzlaff's current responsibilities include forensics, security consulting and research.
Dr. Henry B. Wolfe (University of Otago, NZ) - Electronic Forensics: a Case for First Responders
Almost every aspect of our lives is touched or somehow controlled by technology-driven processes, procedures and devices. It is therefore important to understand that, because of this pervasive electronic influence, there is a high probability that a successful criminal or unacceptable incident will occur within the perimeter of an organization's information and/or computer and network infrastructure. The difference between conducting a successful investigation resulting in a potential prosecution and failing to do so will often lie squarely in the lap of the electronic forensic investigator. If potential evidence is compromised at any point in the investigation, it will be unacceptable in a court of law. The highest risk of compromise occurs at the point prior to evidentiary acquisition. The first responder's primary responsibility is to protect and preserve potential evidence and to see to it that suspect electronic devices and storage media are not tampered with by anyone until such time as the professional electronic forensics investigator (law enforcement or private) takes full control of the scene. This paper will explore electronic forensics, demonstrating the need and making the case for the appointment and training of a first responder to incidents where electronic devices may have been used.
Dr. Wolfe has been an active computer professional for 48 years. He has earned a number of university degrees, culminating with a Doctor of Philosophy from the University of Otago (Virus Defenses in the MS/DOS Environment). The first ten years of his career were spent programming and designing systems in the manufacturing environment; the most notable was one of the first fully automated accounting systems in the U.S. The next ten years of ever-increasing responsibility were devoted to serving in the U.S. Federal Government, rising to the position of Director of Management Information Systems for the Overseas Private Investment Corporation.
In 1979 Dr. Wolfe took up an academic post at the University of Otago and for the past twenty or so years has specialized in computer security (and is currently in the process of designing and creating an Information Assurance degree based on the NSA model). During that period he has earned an international reputation in the field of forensics, encryption, surveillance, privacy and computer virus defenses.
Dr. Wolfe writes about a wide range of security and privacy issues for Computers & Security, Digital Investigation (where he is also an Editorial Board Member), Network Security, the Cato Institute, Cryptologia (where he is also an Editorial Board Member), and the Telecommunications Reports. He is a Fellow of the New Zealand Computer Society. He is also a member of the Standards New Zealand SC/603 committee on Security, Secretary of the AsiaCrypt Steering Committee (representing New Zealand), a member of the New Zealand Law Society's Electronic Commerce Committee, and was on the Board of Directors of the International Association of Cryptologic Research, finishing up in January 2003.
He has provided advice on security matters to major government bodies within New Zealand and to Australian, Panamanian, Singaporean and U.S. Government organizations; and additionally to New Zealand businesses and the major New Zealand Internet Service Providers. He has been commissioned to provide training in electronic forensics for law enforcement organizations internationally (New Zealand, Australia and Singapore). Over the past fifteen years he has conducted and supervised computer security audits of more than one-hundred-twenty-five (125) New Zealand businesses and government bodies. His opinions are regularly sought by the various media organizations (newspaper, radio and television).
Dr. Wolfe speaks on security and privacy issues (both technical and policy) regularly at international conferences, more than 55 in the past fourteen years (as an invited speaker and occasionally as a keynote speaker), some of the most recent being in America, Australia, England, China, Greece, Ireland, Hong Kong, Japan, Korea, Malaysia, Panama, Poland, Portugal, Russia, Serbia, Singapore, Sri Lanka and of course in New Zealand. During the same period, he has been an invited speaker at 20 non-conference venues as well. His primary research interest is centered around the emerging discipline of computer forensics as well as private communications techniques, which focus on the implementation of various cryptographic algorithms that are currently available and the associated hardware and software necessary to implement such systems.
Hironobu Suzuki (Mitsubishi Research Institute, Inc., JP) - An Internet Threat Evaluation Method based on Access Graph of Malicious Packets
Malicious packets generated by Internet worms or port scans can be captured by monitoring ports of IP addresses where any network service is provided. Several methods have been proposed for detecting threats over the Internet by monitoring malicious packets. Most of these methods apply statistical methods to time-series frequencies of malicious packets captured at each port.
This paper proposes a new method for evaluating threats on the Internet based on an access graph defined by the relation between sources and destinations of malicious packets. The method represents the access relation between sources and destinations of malicious packets as a bipartite graph and defines a relation of threat and vulnerability between those sources and destinations. To evaluate threats on the Internet, we apply a new method to this relation. This method evaluates threats by using the spatial structure of the access graph, which has not been used by traditional methods. We applied our method to working examples monitored during periods of worm outbreaks to show its effectiveness.
Jacomo Piccolini (CAIS/RNP Brazilian Academic and Research Network, BR) - Botnet: Creation, usage, detection and eradication
Malware distribution through software piracy: a case study
Trust no one or you will be assimilated! This is the current scenario inside the software cracking and piracy community. This paper focuses on the use of pirated software to infect systems and on the abuse of those systems by miscreants. Statistics from collected malware related to software piracy will be presented.
The author believes software piracy will always exist, including operating systems, applications and games. The problem is directly related to customers' compulsive appetite for new features and releases, which leads users to consume any product, even beta versions (sometimes faked versions) and pirated products.
To deal with this demand, some specialized piracy groups have, for a long time, supplied this market with diverse products. Among others, we emphasize keygens, which are applications that generate a registration key to allow software installation, and cracks, which are modifications to files of the target software that allow its execution or remove existing protections.
With the advance of software protection techniques, new ways to circumvent these protections and to make this content available are being offered, such as installation packages, cracked versions ready to run and CD emulators. The piracy community is always developing new ways to serve the demand and to circumvent the protections that are implemented.
The universe of software piracy possesses multiple distribution mechanisms: sites specialized in cracks, keygens and emulators (CD-ROMs), FTP servers, CDs sold in the streets or offered on sites, and mainly P2P applications.
The process of malware distribution uses any of these mechanisms, with only small differences. We must understand that miscreants are very creative and their main goal is to infect as many systems as possible. Files that are accessible through web pages are hosted on sites that exploit vulnerabilities in browsers. Why wait for the user to download and execute if the system can be infected and controlled through browser vulnerabilities?
Even the malware files available as keygens and cracks use different forms of infection; the great majority of analyzed specimens infect a system in a second stage, after installation and decompression. This technique is used only to make identifying the file as malware more difficult. The main functionality of this type of malware also varies, from simple downloaders and adware to botnets. From the miscreant's point of view this is the perfect scenario: the end user is downloading and executing malicious code with their consent and without any restrictions.
In 2006 one of the main sources of malware propagation through software piracy was the creation of dozens of crackers for the Windows Genuine Advantage. The constant updates of the WGA tool made users of counterfeit versions of Windows search frequently for new versions of crackers and, when they did not succeed, they simply started to install all available crackers. Of the WGA cracking files collected, almost 70% were classified as downloaders and bots with a high degree of sophistication and a difficult removal process.
The same issue occurred at the end of 2006 with the launch of the new version of Internet Explorer, whose installation succeeds only after the operating system has been authenticated as legitimate.
This kind of exploitation and propagation is not restricted to Microsoft products; any popular software with some installation restriction is being used as an attack vector.
The consumer of pirated software is at this moment being heavily targeted by the piracy community, which aims only to infect and control their system for illicit purposes and to feed the piracy industry, normally by stealing all serial numbers of installed software from the user's system and later distributing them on web sites, without forgetting the traditional use of the systems as part of botnets.
The message here is simple: there is no crack or keygen or other tool related to software piracy that can be considered safe to use, or even to download. Users must be discouraged from consuming any kind of pirated software in order to avoid their personal information and systems being used by miscreants.
Jacomo Dimmit Boca Piccolini holds an engineering degree in Industrial Engineering from Universidade Federal de Sao Carlos - UFSCar, with two postgraduate degrees, one from the Computer Science Institute and the other from the Economics Institute of Universidade de Campinas - Unicamp. He is a GCIA (GIAC Certified Intrusion Analyst) and GCFA (GIAC Certified Forensics Analyst), working as a senior security analyst at the Brazilian Research and Academic Network CSIRT (CAIS/RNP). With 10+ years of experience in the security field, he is the lead instructor of CAIS/RNP and hands-on coordinator for FIRST Technical Colloquiums. He is currently fighting the misuse of the RNP backbone infrastructure by hackers.
James J. Barlow (NCSA-IRST National Center for Supercomputing Applications, US) - Unique Challenges for Incident Response in a Grid Environment
Incident response within an organization can often be a challenging task. There are usually multiple levels within an organization, as well as multiple departments that you may have to work with when responding to an incident. What are the challenges when you now have a grid environment where you may have thousands of users using resources within your organization that you have no control over? Then when an incident does happen (that's not an "if"), how do the organizations within the grid work together to respond to the incident, which can usually have spillover to many sites within the grid. This work addresses the challenges of incident handling and response in the more complex environment of grid computing where there is a distributed user base and multiple physical entities composing a virtual organization. We will cover how the TeraGrid sites deal with coordinated incident response and give some real world examples on actual incidents.
James J. Barlow is the Head of Security Operations and Incident Response at the National Center for Supercomputing Applications (NCSA). Jim has been at NCSA for over 12 years where he has been involved in system administration and security, and has been doing security full time for the last 6 years. He is also involved with some of the security research projects being done within the National Center for Advanced Secure System Research division (www.ncassr.org) and participates in the TeraGrid security working group (www.teragrid.org).
Javier Masa (University of Malaga, ES) - Privacy matters in directories
Modern institutional directory services face a clear conflict of interests. On the one hand, there is the need of members of the institution to find other members in the same or a different institution. On the other hand, there are the privacy rights of the individuals.
This has led us to develop a mechanism to resolve this confrontation using information access controls that can be managed both by the institutions and by the individuals.
This presentation will discuss our implementation of such a mechanism based on LDAP classes and attributes, and OpenLDAP Access Control Lists.
We will also present information on the adoption of the privacy control attributes in other institutions after more than a year of promoting them. This research is being carried out during the first quarter of 2007.
The possibility of using the Access Controls in Red Hat Directory Server is also being assessed during the first quarter of 2007, and we will also present how to do it if the results are positive, as expected.
Jeff Nathan (Arbor Networks, US) - Understanding & Analyzing Botnets
This two-day workshop is designed to provide attendees with a thorough understanding of botnets: what they are, how they're created, how to identify them, and how to stop them. The workshop will consist of both presentations and hands-on sessions where attendees can interact with the instructors for further support. The notion of "rapid response" is taken into consideration in each aspect of the workshop, focusing on techniques and methodologies that can be applied in a timely manner. At the completion of this workshop, attendees will walk away with applicable real-world knowledge that can be applied in their daily work.
The goals of this training session are for the attendees to more fully understand botnets, build tools to identify their presence in the wild and build intelligence as to their presence on their own networks, and how to defend against their attacks. Attendees are expected to be technically savvy and in network or security operations.
Jeff Nathan is a Senior Security Engineer within Arbor Networks' Arbor Security Engineering & Response Team (ASERT). In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) service and innovating new security technology. Prior to joining Arbor Networks, Jeff served as a Senior Software Engineer for Sygate Technologies Inc., where he developed intrusion detection technologies. Before Sygate, Jeff worked in various capacities at McKesson Corp., @stake Inc. and Hiverworld, Inc.
During the past seven years, Jeff has also been a core member of the Snort project, an elected member of the Honeynet Project, lead developer of the Nemesis Project, and an occasional contributor to a number of open-source software projects.
Joanna Rutkowska (Invisible Things Lab, PL) - Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools
Many people believe that using a hardware based acquisition method, like e.g. a PCI card or a FireWire bus, is the most reliable and secure way to obtain the image of the volatile memory (RAM) for forensic purposes.
This presentation is aimed at changing this belief by demonstrating how to cheat such hardware based solutions, so that the image obtained using e.g. a FireWire connection can be made different from the real contents of the physical memory as seen by the CPU. The attack does not require system reboot.
The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.
Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side of this field. Her work has been quoted multiple times by the international press and she is also a frequent speaker at security conferences around the world. In April 2007 she founded Invisible Things Lab, a consulting company dedicated to cutting-edge research into operating system security.
Joe Moore (Pentest, UK) - Tools and techniques to automate the discovery of zero day vulnerabilities
This half day session will explore the software testing technique of fuzzing and how it can be used to find security defects. It will cover the advantages and disadvantages of fuzz testing and will give some practical insight into the current free tools and techniques available to security testers. During the session several demonstrations will be given showing how fuzzing may have been used in the past to discover some well publicised security vulnerabilities. The attendees will also be encouraged to gain some hands on experience.
- Slides: rowe-mark-slides.pdf (1.21 Mb)
Joe Moore has for the past four years been working as an IT Security Consultant with Pentest Limited, a leading UK based security consultancy.
During his employment with Pentest Limited, Joe has specialized in penetration testing and vulnerability assessment, and has provided security consultancy services to a number of Pentest's clients.
The scope of this consultancy has ranged from Internet based application and infrastructure testing, to on-site audits of large corporate networks.
Joe also has a keen interest in software security research, and has been instrumental in the discovery and reporting of numerous critical vulnerabilities in a variety of software.
Currently, Joe's research is focused on mobile device security and embedded operating system vulnerability research.
Johannes Wiik (Agder University, NO) - Long term instability of high priority incident response: A system dynamics simulation approach
Effective incident response is dependent on detection. A CSIRT typically relies on detection via intrusion detection techniques, or on reports from various sites. In this paper we focus only on high priority incidents reported from sites. If a CSIRT depends on its constituency as the primary source for incident detection and reporting, especially for incidents of higher priority, then the service provided itself depends on these reports. One major factor is the pool of various sites inside and outside the constituency that accept the CSIRT as the point of contact and henceforth report such incidents. Due to this dependency, the relationship between the CSIRT and the reporting sites within the constituency, as well as with other cooperating sites and other CSIRTs, is very important to maintain.
However, empirical data we have found indicates that this relationship is very unstable over time. Viewed over a time frame of years, the number of reporting sites and the high priority workload seem to show an oscillatory behaviour pattern independent of the resources available to handle this workload. This is a problem, because such instability means that the effect, quality and efficiency of the incident response service are also unstable over time.
This article therefore tries to address the following questions:
- What factors cause this instability and how does this influence the effectiveness of high priority incident response?
- What can be done to dampen this instability and make high priority incident response more effective?
This research problem has been studied as part of a larger PhD research project investigating the effectiveness of incident response in the well-known context of a coordinating CSIRT. A System Dynamics simulation model has been developed to serve as a controlled environment to identify the main causal relationships creating the instability between certain key variables of interest:
- The number of reporting sites
- The number of high priority incidents
- Quality of service
The results from the simulation model indicate that the instability in these key variables is caused by long time delays in the interaction between the CSIRT and reporting sites. Attraction of reporting sites is very much dependent on the past quality of service by the CSIRT. Building reputation takes time, and so does losing it. At the same time, the attraction of new reporting sites takes time. There is a tendency that a good quality of service (and thereby reputation) will lead to the attraction of new reporting sites. This will increase the workload, driving down the quality. However, the impact of lower quality on future attraction is delayed. Hence, there is a risk of overshoot in the workload before the perception of quality starts to decline. Conversely, the same delays can lead to undershoot in reporting and in the workload despite improving quality. The behaviour pattern over time will thereby be oscillatory for the number of reporting sites, the number of high priority incidents reported, and the quality of service. However, it is very hard to identify because the delay times are so long that the pattern is only visible over several years.
Through the model, the following policies of interest were tested:
- Decrease delay times to close the gap between perceived and actual quality of service among reporting sites.
- Add more people to the IRT staff
The model showed that alternative 2 tended to dampen the oscillatory behaviour. Alternative 2 only gave a temporary solution, before the instability came back over the course of time.
Johannes Wiik is a PhD fellow at Agder University College and the University of Bergen. He is currently studying the main factors influencing the effectiveness of a CSIRT over time from a management perspective. The method chosen for this study is system dynamics modelling and simulation. He holds a master in System Dynamics from the University of Bergen. After his Master studies he spent several years working as an international consultant applying system dynamics modelling to strategic problems in a wide range of industries. In 2001, he became the head of the consulting department of Powersim AS. In 2003 he started working as an advisor for organisations in the area of crisis management and contingency planning before he started on his PhD research.
- Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2006) Effectiveness of Proactive CSIRT Services, 18th Annual FIRST Conference, Baltimore, USA
- Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2005) Limits to effectiveness in Computer Security Incident Response Teams, 23rd International System Dynamics Conference, Boston, Mass., USA
- Johannes Wiik ; José J. Gonzalez ; Klaus-Peter Kossakowski (2005) Dynamics of Incident Response, 17th Annual FIRST Conference, Singapore
- Johannes Wiik ; José J. Gonzalez ; Howard Lipson ; Tim Shimeall (2004) Dynamics of Vulnerability - Modeling the Life Cycle of Software Vulnerabilities, 22nd International System Dynamics Conference, Oxford, UK.
Jose Nazario (Arbor Networks, US) - Understanding & Analyzing Botnets
This two-day workshop is designed to provide attendees with a thorough understanding of botnets: what they are, how they're created, how to identify them, and how to stop them. The workshop will consist of both presentations and hands-on sessions where attendees can interact with the instructors for further support. The notion of "rapid response" is taken into consideration in each aspect of the workshop, focusing on techniques and methodologies that can be applied in a timely manner. At the completion of this workshop, attendees will walk away with applicable real-world knowledge that can be applied in their daily work.
The goals of this training session are for the attendees to more fully understand botnets, build tools to identify their presence in the wild and build intelligence as to their presence on their own networks, and how to defend against their attacks. Attendees are expected to be technically savvy and in network or security operations.

Dr. Jose Nazario is a Senior Security Engineer within Arbor Networks' Arbor Security Engineering & Response Team (ASERT). In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service.
Dr. Nazario's research interests include large-scale Internet trends such as rea
Carol Overes (GOVCERT.NL, NL)