Program Overview

Download the event program

first-program.pdf (PDF format, 680Kb)

1st Brazilian CSIRTs Forum – 26 March (co-located event hosted by CERT.br)

•  US

  Botnet Take-Downs

  Maarten Van HorenbeeckMaarten Van Horenbeeck ( Microsoft Corporation, US)

  Maarten Van Horenbeeck is a Board member, and former Chairman, of the Forum of Incident Response and Security Teams (FIRST. Maarten is also Chief Information Security Officer with Zendesk. Prior to this role, he was Vice President, Security Engineering at edge cloud network Fastly and managed the Threat Intelligence team at Amazon. Maarten has a master's degree in Information Security from Edith Cowan University, and a Masters degree in International Relations from the Freie Universitat Berlin. He is also Lead Expert to the Internet Governance Forum’s Best Practices Forum on Cybersecurity.

  March 28, 2012 10:00-10:45

•  BR

  Brazilian Federal Police Cybercrime Unit: Challenges and Perspectives

  Carlos Eduardo Miguel Sobral (Brazilian Federal Police, BR), Flávio Silveira da Silva (Brazilian Federal Police, BR), Ivo Carvalho Peixinho (Brazilian Academic and Research Network)

  

  Ivo de Carvalho Peixinho has a BS degree on Computer Science at Universidade Federal da Bahia, with two post-graduations, one in Distributed Systems and another on Mechatronics. He is also a BS7799 certified auditor.

  Ivo has more than 10 years of experience on network security, and worked the last two years on security research and incident handling. Actually works as a Forensics Expert at the Brazilian Federal Police Department.

  
  

  March 28, 2012 11:00-12:00

•  BR

  CSIRT Assistance Program

  Jacomo Piccolini (ESR/RNP, BR)

  Jacomo Dimmit Boca Piccolini has an Engineer degree in Industrial Engineering at Universidade Federal de Sao Carlos - UFSCar, with two post-graduation one obtained on the Computer Science Institute and other on the Economics Institute of Universidade de Campinas - Unicamp. Hi is GCIA, GIAC Certified Intrusion Analyst and GCFA, GIAC Certified Forensics Analyst, working as the security training coordinator at the Brazilian Research and Academic Network Educational Team (ESR/RNP). With 12+ years of experience in the security field he is the current hands-on coordinator for FIRST Technical Colloquium.

  March 27, 2012 10:00-10:45

•  US

  CVSS

  Seth HanfordSeth Hanford (Proofpoint, US)

  Seth Hanford is a Principal Engineer at Proofpoint. In his role, he serves as security architect, and as an advisor to the enterprise CSIRT, PSIRT, and other Global Information Security functions responsible for designing secure architectures and protecting customer and enterprise data for the company. He has previously worked as Sr. Manager for Detection & Response for a Fortune 100 financial services firm, as well as various vulnerability & threat intelligence roles, and as a PSIRT incident manager for a Fortune 100 network technology company. He has been active in the FIRST community over the past decade, including service on the CVSS SIG during v2, and as SIG chair for the development of CVSS v3.

  March 28, 2012 15:45-16:45

  hanford-seth-slides.pdf

  MD5: 2175f395dd5de1bf0b179393cf000902

  Format: application/pdf

  Last Update: March 30th, 2012

  Size: 577.65 Kb

•  US

  Evaluating Your CSIRT Operations

  Robin Ruefle (Carnegie Mellon University, US)

  

  Robin Ruefle is a member of the technical staff in the CERT CSIRT Development Team at the Software Engineering Institute at Carnegie Mellon University. Her work focuses on the development of best practice standards and guidelines for helping new and existing CSIRTs improve and expand their services. She also develops and delivers training courses for CSIRT managers and staff. She is currently working with the rest of the CSIRT Development Team on developing an incident management framework and a methodology for assessing CSIRT operations.
  
  She is co-author of the Handbook for CSIRTs (2nd Edition), Defining Incident Management Processes for CSIRTs: A Work in Progress, The State of the Practice of CSIRTs, Organizational Models for CSIRTs, and the CSIRT Services List.
  

  March 28, 2012 12:00-13:00

•  JP

  How to Communicate with your Government (Lessons from Japan)

  Suguru Yamaguchi (FIRST, JP)

  March 27, 2012 15:45-16:30

  yamaguchi-suguru-slides.pdf

  MD5: 707446e70ede928dcacfb4dcc0c7a5ff

  Format: application/pdf

  Last Update: March 27th, 2012

  Size: 1.81 Mb

• iOS

  Ken Van Wyk (KRvW Associates, LLC)

  Important: Students (who want to do the hands-on exercises) will need a Mac running OS X (Lion preferred). They will need to have Xcode installed and functional, with the ability to run iOS apps in the iPhone simulator. Xcode should be version 4.3, although 4.2 should work fine as well. Approximately 10 gigabytes of available disk space is also required.

  This class looks at the unique security problems faced by application developers writing code for today’s mobile platforms. In this first class of the smart phone series, we take a close look at Apple?s iOS platform used by iPhones, iPads, and iPod Touch devices. The class presents a clear and practical view of the problems, how they can be attacked, as well as remediation steps against the various attacks. It is heavily hands-on driven to not just describe but demonstrate both the problems and the solutions available.

  March 29, 2012 09:00-12:30

• Malware analysis with OllyDBG

  Guilherme Vênere (Brazilian Academic and Research Network)

  Important note: Students need to bring a Windows XP Virtual Machine. The samples to be used in the class are not malicious.

  In this training we will see how to use OllyDBG, a free and powerful application debugger, to analyze malicious samples and discover some tricks used by malware to difficult the analysis. The intent of this training is to show how one can use OllyDBG powerful features to bypass the protection and obfuscation used in malware. The samples used during the training have been crafted by the author to mimic the behavior of such malware, but without the malicious payload. The training is an entry level course and will be divided in 4 sessions with the following content:

  Module 1

  • Knowing your tools: OllyDBG, Process Explorer, FileAlyzer
  • Tips on analyzing malware
  • Activity 1: Hello World
  • Recognizing compiler code

  
  

  Module 2

  • Activity 2: Hidden Code
  • How to use Olly features to bypass malware protection
  • Thread Local Storage (TLS)

  
  

  Module 3

  • Activity 3: Protected.exe
  • Decrypting data
  • API calls
  • File operations

  
  

  Module 4

  • Activity 4: Code Injection
  • Dll Injection vs Code Injection
  • Hardware/Software breakpoints
  • Memory breakpoints

  
  

  Requirements: Due to the nature of this training, a basic knowledge of Assembly language is required. Good knowledge of programming languages is a plus, as it may help understand the structures seen in Assembly. The student must also have a virtual machine with Windows XP ready to use, and install the following software on it:

  OllyDBG
  http://www.ollydbg.de/download.htm

  Process Explorer
  http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

  FileAlyzer
  http://www.safer-networking.org/en/filealyzer/index.html

  The student also need to copy the example samples provided in class to the virtual machine.

  March 29, 2012 09:00-12:30

•  DO

  Network Forensic for CSIRTs

  James Pichardo (InfoSec Consultant at Ministry of Finance, DO)

  • Short introduction to Network Forensics and CSIRT operations
  • New trends in malware and attack vectors
  • Collaborative intelligence concepts
  • Network traffic characterization and patterns
  • Network forensics basic methodology
  • Proactive and reactive approaches to Network Analysis and Forensics
  • Generating Network based IOCs (Indicators of Compromise)
  • Collaboration, IOCs, and Collective Intelligence Framework
  • Building a network forensics lab (working with Bro 2.0, ELSA, StreamDB and Cuckoo Sandbox. Using Security Onion Distro)
  • Analysis of several real world examples:
    • Backdoors and covert channels (DNS and ICMP based)
    • Analyzing Botnets traffic (Zeus DNS queries) using Metasploit vsploit
    • Anomaly detection using NFsen and Bro 2.0
    • Malware analysis Network based IOCs generation with Bro/ELSA, NFSEN and Cucko Sandbox
    • Communicating with other CSIRTs (using openIOC to share incident data)
    • etc. (depending on class)

  Students will need:

  • a laptop with Vmware installed
  • at least 4GB RAM
  • at least 25GB free disk space

  March 29, 2012 13:30-17:00, March 30, 2012 09:00-12:30

•  BR

  Phishing and Trojan Banking cases affecting Brazil

  Cristine Hoepers (CERT.br - Brazilian Internet Steering Committee, BR)

  An Overview of Phishing and Trojan Banking cases affecting Brazil or hosted in Brazil. This presentation will cover the challenges of getting takedowns, statistics about network distribution, uptimes, efficiency of AVs, etc.

  March 28, 2012 14:30-15:30

  hoepers-cristine-slides.pdf

  MD5: 391238d065b4bd917fe5879881686ef3

  Format: application/pdf

  Last Update: June 5th, 2012

  Size: 3.91 Mb

•  BR

  Security incidents overview in Brazilian academic networks

  Atanaí Sousa Ticianelli (Brazilian Academic and Research Network, BR)

  The Brazilian Academic and Research Network (RNP) is an universe with more than 800 institutions, 3.5 million users and an infinity of connected systems. The diversity of this network represents a challenge to information security and specifically to incident handling. This presentation will cover the results of incident handling activity along the last years at the Brazilian Academic and Research Network, explaining how this process works at a national backbone, the main challenges, numbers and indicators related to it.

  March 27, 2012 11:00-12:00

  ticianelli-atanai-slides.pdf

  MD5: 9c5cc0000e31dad40f10014e1c26741e

  Format: application/pdf

  Last Update: March 30th, 2012

  Size: 1.46 Mb

•  ES

  [SQL|FTP|Cache] Malicious data Injection in drive-by downloads

  David Barroso Berrueta (S21sec, ES)

  Drive-by downloads are one of the most common infection vectors nowadays. There are thousands of infected webpages that are continuosly trying to infect their visitors. But which are the main methods of infecting those pages? We'll have a quick look to the most used methods, and examine in detail one additional method that we haven't seen in the wild, but we could probably see it in a near future: web cache infection.

  March 27, 2012 14:30-15:30

• The OWASP Top 10 Mobile Security Risks

  Ken Van Wyk (KRvW Associates, LLC)

  Ken is a CERT® Certified Computer Security Incident Handler, as well as an internationally recognized information security expert and author of the popular O'Reilly and Associates books, Incident Response and Secure Coding: Principles and Practices, as well as a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.

  Ken has previously held senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-CERT incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.

  Ken has previously served as the Chairman and as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He currently sits on their Steering Committee and Board of Directors. He holds a mechanical engineering degree from Lehigh University and is a frequent speaker at technical conferences, including S3, CSI, ISF, and others FIRST.

  March 27, 2012 17:00-17:00

  wyk-van-ken-slides.pptx

  MD5: 17e5aaf17fff2ad355fe40386da70461

  Format: application/vnd.openxmlformats-officedocument.presentationml.presentation

  Last Update: March 28th, 2012

  Size: 3.83 Mb

•  BR

  VoIP Security

  André Ricardo Landim (BR), Frederico R. C. Costa (Information Security Coordinator at CAIS/RNP, BR)

  Considering the growing number of organizations that has adopted VoIP technology in their phone systems and the increase of security incidents involving these infrastructures, this course aims to familiarize students with major security concerns related to VoIP infrastructures and the major threats that these infrastructures are exposed, as well as existing mechanisms to make these environments safer.

  The course will address techniques used by miscreants ranging from hide and/or change the origin of a call, to problems related to information leakage through the so-called "digital eavesdropping."

  Content

  • Intro & Review
    • VoIP: Architecture and Protocols
    • VoIP: Common Threats
  • Vulnerability Assessement
    • Information gathering
    • Authentication flaws
    • Call Manipulation & Eavesdropping
    • (T)DoS
    • SPIT
  • Risk Analisys
    • Toll Fraud
    • Information leakage
    • Service Unavailability
  • Mitigations and Countermeasures
    • Servers/Service Hardening
    • VPN's and VLAN's
    • Encryption (signaling and media)

  
  

  Students will need

  • a laptop with:
    • at least 4GB RAM
    • at least 30GB free disk space
    • at least VMWare Player 3.0 installed (or newest version)

  
  

  Reminder - VoIP Security hands-on requirements

  • Bring a headset microphone, some labs will need this. A simple headset will work fine;
  • Check version of your VMWare player, if you have one installed. All labs require VMWare Player 3.1 or newer;
  • The total disk space needed for VM's is around 15Gb, but it's recommended to have at least 20GB
  • We'll provide a DVD with all VM's, support programs and course material, so don't worry about download the material;
  • Make sure that your laptop can run 3 VM's simultaneously, if you have at least a 2Ghz CPU (32bit or 64bit) and 3GB of RAM you won't have problems;

  
  

  March 30, 2012 09:00-12:30

•  DE

  Volatility

  Andreas Schuster (Deutsche Telekom AG, DE)

  The class provides a brief introduction into memory management of the Intel x86 architecture, and memory management concepts of Microsoft Windows. Participants will gain an overview over memory acquisition techniques and learn how to use Volatility 2.0 to analyze RAM images.

  An Ubuntu-based training environment with Volatility 2.0 and real-world RAM images will be provided. Participants are expected to provide their own laptop, with at least 1 GB RAM free for applications, 10 GB free disk space, and the latest version of VMware (either Workstation, Player, or Fusion) installed. The virtual machine image will be available for download from http://r.forens.is/saopaulo starting March 27, 2012.

  March 30, 2012 13:30-17:00

• Welcome and Opening Remarks

  Ken Van Wyk (KRvW Associates, LLC)

  Ken is a CERT® Certified Computer Security Incident Handler, as well as an internationally recognized information security expert and author of the popular O'Reilly and Associates books, Incident Response and Secure Coding: Principles and Practices, as well as a monthly columnist for Computerworld. Among his numerous professional roles, Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.

  Ken has previously held senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-CERT incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.

  Ken has previously served as the Chairman and as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He currently sits on their Steering Committee and Board of Directors. He holds a mechanical engineering degree from Lehigh University and is a frequent speaker at technical conferences, including S3, CSI, ISF, and others FIRST.

  March 28, 2012 09:00-09:15

•  DE

  YARA

  Andreas Schuster (Deutsche Telekom AG, DE)

  YARA is more than just a malware classifier. Students will learn major elements of YARA's rule description language. In four hands-on labs participants will write their own rules and develop patterns to identify and classify obfuscation techniques as well as hash functions and encryption algorithms.

  An Ubuntu-based training environment will be provided. Participants are expected to provide their own laptop, with at least 1 GB RAM free for applications, 10 GB free disk space, and the latest version of VMware (either Workstation, Player, or Fusion) installed. The virtual machine image will be available for download from http://r.forens.is/saopaulo starting March 27, 2012.

  March 29, 2012 13:30-17:00

• 2012 FIRST Symposium, São Paulo
  • Program Overview
  • Hotel Information
  • Travel Information