Papers & Presentations

18th Annual FIRST Conference on Computer Security Incident Handling

June 25–30, 2006 — Baltimore, Maryland, United States


  • A Distributed Intrusion Detection System Based on Passive Sensors

    Sherri Davidoff


    SURFnet is a very high-speed network which connects the networks of Dutch universities, colleges, research centers, academic hospitals and scientific libraries to one another and to other networks in Europe and the rest of the world. SURFnet handles many computer security incidents in which a SURFnet customer is involved, either as a victim or as a suspect. In order to decrease the number of computer security incidents, SURFnet is going to roll out a Distributed Intrusion Detection System (D-IDS) as a service to SURFnet-connected parties.

    Current Distributed Intrusion Detection Systems (D-IDS) are most often based on a client-server approach where the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool like snort. This approach has four major disadvantages:
    • The sensor must be upgradeable in order to add future honeypots and new signatures.
    • The sensor may be vulnerable to the exploits used against the honeypot and passive analysis software.
    • The D-IDS will generate false positive alerts.
    • Installing and running the sensor is not plug and play.

    In order to avoid these disadvantages SURFnet is setting up a different design for a D-IDS. In this paper we describe a new approach for setting up and rolling out a D-IDS. This approach is based on the following rules:
    • The sensor should run out-of-the-box.
    • The sensor should be completely passive and therefore maintenance free.
    • The D-IDS should not generate any false positive alerts.
    • A sensor should be able to run in a “standard” LAN.
    • Comparison of statistics generated by sensors and groups of sensors should be possible.


  • A Framework for Effective Alert Visualization

    Jon Ramsey (SWRX CERT), Uday Banerjee (SWRX CERT)


    Any organization/department that provides security typically deals with a large volume of alerts and logs generated from a variety of sources. These could originate from firewalls, intrusion detection/prevention devices and agents, vulnerability scanners, etc. It would seem like a good idea to apply as much correlation as possible to this data in order to be able to see things from a bird's-eye perspective. Even at this point, a human could use some additional help in deciphering the situation. The authors believe that visualization is a key component to this end. This paper describes general methods and principles that allow the use of visualization as an efficient tool for alert analysis. The paper is organized as follows: Section 1 talks about related work in the field of visualization to aid alert analysis and anomaly detection. Section 2 details some fundamental requirements and considerations that must be incorporated into the design of visualizations and related tools. Section 3 discusses a visualization tool used within our organization to aid in alert and anomaly analysis, while highlighting its place within the framework of requirements. Section 4 discusses a sample visualization, and how its design allows for intuitive analysis. Finally, the paper concludes by pointing out a few key areas where improvements could be made to existing visualization methodologies.

  • A Strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems

    Steven Sim Kok Leong (NUSCERT)


    Early warning and detection mechanisms including distributed intrusion detection systems and honeynets are often deployed to detect new worm- and virus-infected machines. In a large enterprise network, especially in universities with more than 30,000 online nodes, it is often a challenge to cost-effectively contain and remedy these infected or critically vulnerable machines. Universities are unlike corporations because they cannot impose overly restrictive policies that could hamper research and sharing. In corporate environments, network users are primarily rule-abiding employees. However, in university environments, the bulk of their network users are student customers.

    In this paper, I shall detail an inexpensive strategy currently deployed in the National University of Singapore that has proven pretty effective in containment and remediation of these infected or critically vulnerable machines. The strategy involves in-house integration of open-source early warning and detection mechanisms coupled with self-developed quarantine mechanisms and self-help portals on the technology side, as well as user process workflow formalization.

    With the framework and infrastructure in place, we are able to contain both infected and vulnerable systems rapidly and send new virus variants undetected in our environment to our corporate antivirus vendor to come up with new detects. In the period from Jan 2005 till Sep 2005 alone, we submitted more than 30 binaries.

    This strategy played an important role in aiding the National University of Singapore to become one of three finalists in the MIS Asia Best IT Security Strategy international award 2005.

    I will discuss how management approval for this project was justified, how the project involving multiple groups including helpdesk and network teams was implemented, what successful steps could be followed and the pitfalls to avoid. Through this paper, I hope that sharing our experience with the strategy that helped us and the pitfalls to avoid can prove valuable to both universities and similar organisations in the FIRST community that do not already have a similar strategy in place but are facing enterprise-level threat mitigation issues and inhibiting cost factors.



  • Automated Extraction of Threat Signatures from Network Flows

    Piotr Kijewski (CERT POLSKA)


    The paper describes methods of automated threat signature generation from network flows. These methods are being implemented as part of the CERT Polska early warning ARAKIS project, and the paper is a follow-up to the ARAKIS talk given at the FIRST 2004 Budapest conference. The paper identifies what constitutes a good signature for use in IDS/IPS systems, presents an architecture of the signature extraction system, describes various signature extraction techniques, including our own proposal, and presents some results. The level of technical detail is medium. It is targeted at an audience with security experience; in particular, knowledge of the underlying principles of intrusion detection and honeynets is helpful.

  • Behavioral Study of Bot Obedience using Causal Relationship Analysis

    Lari Huttunem, Pekka Pietikäinen


    Botnet discovery can be difficult, since the existence of a network is often discovered only after it is used for widespread activity such as a DDoS or a phishing scam. Sharing intelligence on potential botnet traffic is also problematic, mainly due to data privacy issues.

    In this paper, we describe some currently used methods for identifying botnets and issues which arise when applying them in practice. We will identify the types of information that could be shared between different stakeholders and the technical means available to gather such data. Finally, we will present causality graphs and describe initial experiences in applying them to analyzing botnet incidents.

  • Botnets as Vehicle for Online Crime

    Aaron Hackworth (CERT/CC), Nicholas Ianelli (CERT/CC)


    This presentation goes beyond a simple explanation of what a botnet is and dives into specific bot technologies and how they are used in the commission of online crime. When the presentation is complete, attendees will have a better understanding of botnet technologies, how these technologies are leveraged to enable physical-world crime and what some of the motivating factors are that have led malicious code authors to add specific features to their bot malware.

  • Building and Deploying Billy Goat: a Worm-Detection System

    Diego Zamboni (IBM MSS), James Riordan (IBM MSS), Yann Duponchel (IBM MSS)


    Billy Goat is a worm detection system widely deployed throughout IBM and several other corporate networks. We describe the tools and constructions that we have used in the implementation and deployments of the system, and discuss contributions which could be useful in the implementation of other similar systems. We also discuss the features and requirements of worm detection systems in general, and how they are addressed by Billy Goat, allowing it to perform reliably in terms of scalability, accuracy, resilience and rapidity in detection and identification of worms without false positives.

  • CarmentiS - a German Early Warning Information System - Challenges and Approaches

    Jürgen Sander (PRE-CERT)


    In the last quarter of 2005, the German CERT-Verbund started to implement an early warning information system (EWIS) called CarmentiS. As in any known early warning information system, one building block of CarmentiS is a set of decentralized sensor networks, which form the backbone of the system. Therefore most of the technical challenges involved in setting up an EWIS are rather straightforward; an overview of the basic concepts of CarmentiS was given at the last FIRST conference in Singapore.

    Well, the reason to introduce an additional paper on this topic is the second building block of CarmentiS – human analysis and, of course, its combination with classical sensor networks. The human analyst will add information sources which are otherwise not available or cannot be automatically included and processed. The technical systems will support the analysts wherever possible, so that the analyst's viewpoint can be concentrated on the essentials.

    In this case the real impediments are not on the technical side; legal and organisational as well as human issues are in the way, making the building of such systems a real challenge. Of course, in the full paper the essential technical concepts, interfaces and services which are offered by CarmentiS will be explored and explained, but focusing on the following topics:
    • Information sharing - legal and technical aspects
    • The cooperative approach – technical and organizational aspects


  • CERT's Virtual Training Environment: A New Model for Security and Compliance Training

    James Wrubel (CERT/CC)


    The CERT Virtual Training Environment (VTE, online at https://www.vte.cert.org) provides self-paced remote access to CERT’s suite of Information Assurance and Computer Forensics training material in virtual classroom and knowledge library formats. VTE follows a ‘read it, see it, do it’ instructional model, offering written training material, captured video of instructor-led lectures and demonstrations, and virtual training labs that are provisioned on-demand directly by students through virtual machine technology. VTE is currently in use by the Army Reserve Information Operations Command, the Marine Forces Pacific Command, and the Department of Homeland Security National Cyber Security Division.

    This presentation will cover the following topics:
    • VTE History and Background
    • VTE Training and Library Mode
    • Features and Benefits
    • Platform Requirements
    • Demonstrations of the following functionality:
      • VTE Training Mode
      • Lecture topics
      • Assessments
      • Hands-on Labs

    At the end of the presentation, Mr. Wrubel will offer VTE access accounts valid through January 1, 2007 to any interested audience members.

  • Counter-Forensic Tools: Analysis and Data Recovery

    Matthew Geiger (CERT/CC)


    Among the challenges faced by forensic analysts are a range of commercial 'disk scrubbers', software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators.

    This paper details the analysis of 13 commercial counter-forensic tools, examining operational shortfalls that can permit the recovery of significant evidentiary data. The research also isolates filesystem fingerprints generated when these tools are used, which can identify the tool, demonstrate its actual use and, in many cases, provide insight into the extent and time of its use.

    The result is an indexed resource for forensic analysts, covering 19 tools and tool versions, that can help identify traces of disk-scrubbing activity and guide the search for residual data. In addition, a new forensic utility, named Aperio, is presented. It employs a signature library to automate the hunt for traces of counter-forensic tool use. Aperio can search filesystems presented as images or devices, and provides a detailed audit report of its findings. Together these resources may assist in establishing the usage of counter-forensic tools where such activity has legal implications.

  • Designing and Developing an Application for Incident Response Teams

    Kees Leune, Sebastiaan Tesink


    Computer security incident response teams need to track incidents as they develop. To support day-to-day operations, teams need to be able to generate quick overviews of ongoing incidents, and they must be supported in their daily work by automating as much routine work as possible. AIRT is a web-based system that provides incident tracking capabilities to computer security incident response teams. Its design goals include providing a comprehensive incident management console, the ability to quickly associate external teams with IP addresses, the ability to create an incident within 30 seconds of receiving it, provisions for PGP-signed mail, and more. This paper presents AIRT, its goals, its architecture and its functionality.

  • Design Your Network to Aid Forensic Investigation

    Robert Sisk (IBM MSS)


    Although security and related tools have improved over the years, all too often the first signs of a compromise appear in the form of a trouble ticket or problem report. Even though many monitoring methods are available, when they are deployed, security teams quickly find themselves buried in data or very busy with the care and feeding of such tools. This course will review network design and monitoring with the intent of identifying and providing adequate compromise detection, developing appropriate security response to suspicious “events”, and increasing readiness for forensic investigation. We will do this by identifying and setting security goals, applying simple, but adequate, monitoring methods to meet those goals, and developing some response methods for investigating and mitigating specific attacks. A production network architecture, including "lessons learned" during its development and maintenance, will serve as a case study for facilitated discussion.

  • Effectiveness of Proactive CSIRT Services

    Johannes Wiik, Jose Gonzalez, Klaus-Peter Kossakowski


    Background

    For the FIRST 2005 conference we put together a paper researching limitations related to the reactive CSIRT services, mainly the response to low-priority incidents. As the PhD research project of Johannes Wiik continued [Wiik et al. 2005], the scope was broadened to study the limitations of other services perceived as mandatory, most importantly the advisory service. The intermediate results related to the advisory service seem to suggest very interesting, but also provocative, insights. Therefore we agreed to prepare a proposal for the upcoming FIRST conference in Baltimore.

    Proactive Services as Cross-Organizational Learning Process

    Almost all authors discussing these teams have suggested that Computer Security Incident Response Teams (CSIRTs) need to deliver new as well as additional proactive services to stay effective, but there are hardly any studies investigating to what extent existing proactive services are indeed effective or how to make them more effective. Indeed the advisory service is one of the core CSIRT services and proactive in scope – already part of the description even in the oldest CERT-related documents – which has not changed much over the years. Only some technical development can be seen in regard to system categorization, identification schemes for vulnerabilities or formats for effective exchange.

    We argue that the potential of proactive services should be viewed as a cross-organisational learning process. They carry the promise of avoiding incidents and the hope of saving considerable resources. The advisory service instigates the transfer of information between vendors of commercial off-the-shelf software (COTS) or open source software and users of these products in the CSIRT constituency. Another proactive approach is actively searching for vulnerabilities in networks and organizations. Quite specific information is provided through analysis of systems within the constituency and informing the administrators about much-needed patches or changes to the setup. Rather than carrying out this analysis only on demand, the networks and systems are routinely surveyed. Thus, it is similar to (and hence we call it) a "neighbourhood watch": your neighbours keep an eye on your assets.

    In this paper we evaluate two proactive services:
    1. The common advisory service as an example of an existing service, and
    2. Neighbourhood watch (NBHW) as a new service that builds on the advisory service.

    Based on a case study and organisational learning theory, we build a system dynamics simulation model to test the effectiveness of the two services. Preliminary findings indicate that neighbourhood watch has several significant strengths compared to the traditional advisory service with respect to knowledge acquisition, information distribution, information interpretation and organisational memory.

    However, as the advisory service is a community service, the aim is to reach out to all constituents, and it can therefore make an overall impact despite its weaknesses. As NBHW is dependent on authorisation to scan the networks of each constituent, its effectiveness in the constituency as a whole is very much dependent on the take-up rate.

    We also evaluate the short-term impact of using NBHW, which typically helps new customers of this service to detect previously unnoticed incidents. Thereafter we look at the long-term impact as customers mature in their way of using the information provided by this service more effectively to secure their networks and organizations.

    This last issue is important to put our observations back into the broader picture. It stresses again [Wiik et al. 2005] that all CSIRT-related activities impact each other and cannot be seen as separate activities. As current management approaches do not consider this aspect, we recommend that all CSIRTs revisit their services and the interdependencies not yet addressed in their current setup.

    References

    [Wiik et al. 2005] Johannes Wiik, Jose J. Gonzalez, Klaus-Peter Kossakowski. Limits to Effectiveness in CSIRTs. Paper for the FIRST 2005 Conference, Conference Proceedings. Also available from www.cert.org/csirts/

  • Evaluating CSIRT Operations

    Audrey Dorofee (CERT/CC), Chris Alberts (CERT/CC), Robin Ruefle (CERT/CC)


    This tutorial will discuss the reasons, outcomes, and benefits of evaluating incident management capabilities such as CSIRTs.

    Four different methodologies will be presented that can be used to evaluate various aspects of incident management capabilities.

    During the tutorial, practical exercises will be conducted that demonstrate various components of each methodology to give a real-life perspective on performing such evaluations.

  • Honeypot Technology: Principles and Applications

    Franck Veysset, Laurent Butti


    A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Based on this definition, we will introduce the topic with an overview of the evolution of this technology, from the beginning to the latest advances.

    This tutorial will cover in-depth examples of use in corporate environments, including low-interaction honeypots to gather statistics on malicious activities (worms & viruses…), wifi honeypots, fully operational architectures…

    Some demonstrations will be done during the tutorial, presenting the most useful resources and open source projects (honeyd, sebek, mwcollect…).

    Good interaction with the audience is expected.

  • If You Don't Know What You Don't Know

    Arjen de Landgraaf


    IT Security has by definition always been a reactive business. It is like having a castle, protecting the crown jewels with locked gates (firewalls), intrusion detection (the watch) and intrusion prevention methods (hot oil and pitch, arrows, stones, dead horses etc.), preventing anyone unauthorized from attacking and entering.

    However, major changes over the last couple of years in the requirements of businesses to keep up with the competition and markets demanded a different approach to Web-based services, resulting in openness of systems to visitors, customers, and our own teleworkers. It's like having to maintain a 24-hour market, open to everyone, in the middle of your castle, with stalls of next-generation technology, enticing visitors to buy. How do you strip-search 500K unique visitors to your site each month?

    The emphasis of the demands on today’s web designers and programmers is more and more on becoming open and accessible, visually attractive and smart in function.

    The “New Breed” of web designers and programmers of today is artistic; they learned all on market-focused design, with educational institutes jumping to the demand, delivering new-breed courses and degrees. Today’s programmers program “on the fly”, constantly needing to meet the requirements of marketing and sales departments. The demand on them is huge; after all, static websites are out, and dynamic content is in. The “can you do this, can you do that, we need it live this Monday” puts enormous pressure on them to deliver. Deliver quickly.

    To the aid of this new breed is an unbelievably enormous pool of programs, scripts, and tools, available on the Internet, and either free or low cost. Re-use has gained another meaning – what is easier than including code snippets and scripts to have the new Web application deliver what the Marketing and Sales people require? Today’s web programmers are artists, not the logical, structured breed of developers we used to have working to develop accounting and warehouse management applications. Artists who may claim the paintings of others as their own. If you are an artist, would you admit copying someone else's work?

    Also the teleworkers of today – who have become one of the main areas of productivity improvement for organizations, since physically travelling to and from work is in most cities in the world becoming more and more of a burden, or virtually impossible with the huge traffic jams – are not IT persons. They have the same pressure of having to deliver. And their kids may have secretly installed LimeWire or other sharing software on their parents' notebook, downloading files, video, music and the rest, for their own satisfaction. They are no IT Security Experts.

    All these groups together just do what they can do to make ends meet, to deliver value to their employer, to not have to work through the weekend, to catch up with their workload. And here lies the danger. If You Don’t Know what you Don’t Know, it does not exist. You don’t know even enough to be able to ask the question.

    If IT Security staff does not know what it doesn’t know, the Question will never be asked. The Answer to this “Question We Do Not Know To Ask” can mean the difference between an organization’s success, or that of corporate disaster. The difference between either an IT Security Job well done, or an unexpected career change.

  • Maximizing the Benefits of Intrusion Prevention Systems: Effective Deployment Strategies

    Calvin Miller, Charles Iheagwara, Farrukh Awan, Yusuf Acar


    This paper discusses general intrusion prevention system concepts and provides a context-based analysis of the techno-economic imperatives as the driver of this technology. Further, in light of the Gartner 2004 recommendations, the paper examines the security needs and functional requirements for enterprise network IPS deployments. Given the complexity of the implementation environment, the paper will seek to demonstrate the value associated with a well-thought-out deployment strategy. To this end, the paper introduces performance measures and proposes effective deployment strategies to enhance the performance of the IPS. Using field data, we measure the financial benefit of an IPS deployment.

  • Netflow Tools NfSen and NFDUMP

    Peter Haag (SWITCH-CERT)


    For network security teams of any size, an accurate analysis of the traffic situation is essential. The well-known traffic graphs do not give enough information, especially to investigate security-related incidents. Working with netflow data turned out to be a good balance between collecting and processing the data and the information gained from this process.

    A lot of tools to collect netflow data are available, but the flexibility to process the flows was either poor, or resulted in expensive commercial systems. The Open Source tools nfdump and NfSen close this gap. They provide a flexible and powerful system to collect and process netflow data for a great variety of tasks.

    The presentation starts with a small introduction to netflow and explains how nfdump and NfSen can be used to look at your network traffic, to easily create top-N statistics of the hosts and networks demanding the most bandwidth of your network, as well as to detect host and port scans. It shows how a security incident can be tracked and profiled. Last but not least, it gives an overview of how to extend NfSen with custom plugins for dedicated tasks specific to your network.

  • Proposal of RSS Extension for Security Information Exchange

    Masato Terada (HIRT)


    Unauthorized access intending to spread malware has been active and is causing a lot of damage worldwide. In order to eliminate vulnerabilities and prevent unauthorized access, it is necessary to improve the way security information about computer software and hardware is distributed. When a new vulnerability is discovered or a security advisory is released, security administrators try to collect information about, and countermeasures against, the vulnerability. In this paper, we examine how we can provide a more efficient security information distribution service for security administrators that helps them reduce their workload related to collecting and grouping various information and take care of security incidents.

    We propose JVNRSS (JP Vendor Status Notes RSS) as a security information sharing and exchanging specification. Currently, JPCERT/CC and IPA (Information-technology Promotion Agency) are promoting a framework to handle vulnerability information in Japan.

    They offer JVN, a portal site to provide security information about the domestic computer software and hardware manufactured by the vendors participating in the framework. JVNRSS is one of the methods JVN has been using to distribute security information. JVNRSS is based on RSS 1.0 and uses the "dc:relation" field defined in the Dublin Core as a Relational ID to correlate security information issued by various sources (Figure 1). JVNRSS uses the reference URL specified in a security alert, for example, a URL of the Common Vulnerability Exposure, CERT Advisory, CERT Vulnerability Note or CIAC Bulletin. In this paper, firstly we explain the specification and application of JVNRSS. Secondly, we introduce the result of our feasibility study on JVNRSS (Figure 2), and lastly we propose the RSS Extension for security information sharing.

  • RAPIER - A 1st Responders Info Collection Tool

    Joseph Schwendt (IFT), Steven Mancini (IFT)


    Topic

    RAPIER (Rapid Assessment & Potential Incident Examination Report) is a security tool built to assist in malware collection and analysis. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. With the results, a security analyst is provided information which can aid in determining if a system has been compromised, and potentially determine the method of infection, the changes to the system, and determine how to recover/clean the system. RAPIER can also be used to provide anti-malware vendors with the information necessary to update their definitions files. It is the first tool within Intel that fully automates the entire process, thus enabling a highly effective means for rapid response to potential malware infections.

    Outline

    • Problem Statement
    • Fundamental Operational Solution
    • Framework Engine
    • How to design your own modules
    • Feature Modules

    Technical Detail

    Moderate - we will cover what content the modules capture, so an understanding of the basic attributes of the Microsoft Windows OS is helpful.

    Audience

    • Incident Handlers
    • Investigators
    • Security Operations Center management/participants.

  • Reliably Determining the Outcome of Computer Network Attacks

    Barry Mullins (AFCERT), David Chaboya (AFCERT), Richard Raines (AFCERT), Rusty Baldwin (AFCERT)


    Organizations frequently rely on the use of Network Intrusion Detection Systems (NIDSs) to identify and prevent intrusions into their computer networks. While NIDSs have proven reasonably successful at detecting attacks, they have fallen short in determining if attacks succeed or fail. This determination is often left to the security analyst or system administrator. Large-scale networks pose a particular challenge for IDS analysts. The process of manually checking systems to determine if an attack is successful becomes burdensome as the size and geographic location of the network increases. Many analysts use network data alone, in particular the server response, to determine the outcome of the attack. Intuitively, the server response is the packet or packets the target computer returns after an attack. However, in the case of buffer overflows, the attacker has the ability to forge or modify this response.

    This paper examines two key aspects of network defense: the ability to circumvent detection devices and how network analysts respond to evasion techniques. We examine how social engineering can be used to influence an analyst's decisions and we recommend ways to counter this threat. The intended audience will be responsible for either developing IDS signatures, or analyzing network IDS results. The technical detail is moderate, but does assume some exposure to network traffic analysis, intrusion detection, and exploits in general.

  • Risk Analysis Methodology for New IT Service

    Jun Heo (KrCERT/CC), Yoojae Won (KrCERT/CC)


    This research intends to provide a new risk management methodology that predicts the security of future-oriented IT services and helps to create a counter strategy in advance. The proposed methodology is founded on domestic as well as foreign methodologies and the information protection reference model ITU-T X.805, and was executed in 3 parts: the security factor discrimination phase, the risk calculation phase, and the counter strategy deduction phase. In the security factor discrimination phase the ITU-T X.805 is applied to determine the new IT service's infrastructure, service and application levels as well as the protection subject by management, control and user plane. In the risk calculation phase, the X.805 creates risk scenarios for each module by level/plane and calculates the degree of risk by taking fatality, frequency of occurrence and degree of attack into consideration. In the counter strategy deduction phase, the counter strategy was devised by prioritizing risk and applying counter technologies from the list of required technologies based on the 8 information protection requirements.

  • Secure Coding in C and C++

    Robert Seacord (CERT/CC)


    Secure Coding in C and C++ provides practical advice on secure practices in C and C++ programming. Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming.

    This tutorial provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The tutorial concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. It does not emphasize security issues involving interactions with external systems such as databases and web servers, as these are rich topics on their own. The intent is that this tutorial be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.

  • The Impact of Honeynets for CSIRTs

    Jan Kohlrausch (DFN-CERT), Jochen Schönfelder (DFN-CERT)


    For the daily work of a CSIRT it is of major importance to know which vulnerabilities are currently being abused to compromise computers, and to warn the constituency in a timely manner if a zero-day exploit is found. Besides the traditional incident response work, honeypots have proven increasingly important in pursuing these aims.

    In this talk we give an overview of the NoAH project and related projects devoted to the deployment of distributed honeypots, and show how CSIRTs and other security teams can profit from the deployment of their infrastructure.

  • The Network-Centric Incident Response and Forensics Imperative

    Richard Bejtlich


    Security staff often take a host-centric approach to determining the scope and damage of computer intrusions. Standard forensics techniques are hard-drive centric, with collection and analysis of live data only gradually being adopted. This presentation offers a complementary set of practices focusing on network-centric techniques. In an age of kernel-based rootkits and savvy intruders, sometimes only the network can tell the truth.

  • The Survivability and Information Assurance (SIA) Curriculum

    Lawrence Rogers (CERT/CC)


    Today’s professional system and network administrators are increasingly challenged to make computer and network security a greater part of their overflowing set of daily activities. In response to this trend, the Software Engineering Institute (SEI), specifically the CERT® Program, has designed a three-course curriculum in survivability and information assurance (SIA).

  • Threats of P2P file sharing software - a Japanese situation about "Winny"

    Keisuke Kamata (JPCERT/CC), Yuichi Miyagawa (JPCERT/CC)


    Information leakage incidents (especially those involving important confidential information) have increased in Japan. Most of those incidents are caused by a virus named "Antinny", which was developed for the P2P file sharing software "Winny". In this presentation, we will explain the serious situation regarding information leakage incidents in Japan and the technical details of Winny.

  • Time Signatures to Detect Multi-headed Stealthy Attack Tools

    Fabien Pouget (CERTA), Guillaume Urvoy-Keller, Marc Dacier


    In this paper, we present a method to detect the existence of sophisticated attack tools on the Internet that combine, in a misleading way, several exploits. These tools apply various attack strategies, resulting in several different attack fingerprints. A few of these sophisticated tools have already been identified, e.g. Welchia. However, devising a method to automatically detect them is very challenging since their different fingerprints are apparently unrelated. We propose a technique to automatically detect their existence through their time signatures. We demonstrate the value of the technique on a large set of real-world attack traces and discover a handful of these new sophisticated tools.

  • VisFlowConnect-IP: A Link-Based Visualization of NetFlows for Security Monitoring

    William Yurcik (NCSA-IRST)


    Network traffic dynamics have become an important behavior-based approach to assist security administrators in protecting networks. In this paper/presentation we present VisFlowConnect-IP, a link-based network flow visualization tool that allows operators to detect and investigate anomalous internal and external network traffic. We model the network as a graph with hosts being nodes and traffic flows being edges. We present a detailed description of VisFlowConnect-IP functionality and demonstrate its application to traffic dynamics in order to monitor, discover, and investigate security-relevant events.

  • Worm Poisoning Technology and Application

    Cui Xiang (CNCERT/CC), Wu Bing (CNCERT/CC), Yonglin Zhou (CNCERT/CC), Zou Xin (CNCERT/CC)


    The current strategy against Internet worms is similar to catching mice with a mousetrap: trap the occasional passing mouse and never release it until it dies. However, this strategy is less effective than spreading pest control chemicals to cause a plague among a cockroach colony. We do not expect an infected cockroach to die at once; we hope it goes back to the nest and infects others, which kills pests at an exponential rate.

    The theory of Worm Poisoning is similar to pest-toxicant production techniques. The PoisonWorm functions like the pest toxicant, and the poisoned worm is like the infected pest.

    Worm Poisoning (also called Worm Spoofing) is a newly invented technology for worm containment. It tricks malicious worms into spreading irrelevant files or code through their own mechanisms. The worm that poisons others and propagates via the poisoned worms is called PoisonWorm. PoisonWorm is thus a special worm with an active motivation to spread but without self-propagating capability; it obtains the ability to spread only when some other malicious worm breaks out. It gradually reduces the negative influence of the malicious worm and places no extra burden on the Internet or its host. A proof-of-concept PoisonWorm has been compiled and tested successfully using the MSBlaster, Sasser, Mydoom and Netsky worms as the poisoned worms, which proved the feasibility of the idea. PoisonWorm shares some characteristics with the anti-worm (also called good worm) but differs from it in essential ways.

    In this paper, the concepts of Worm Poisoning and PoisonWorm are presented and the feasibility of Worm Poisoning is emphatically demonstrated. A propagation model called SIRP and the side effect of PoisonWorm on network traffic are given and compared to the classical Kermack-McKendrick epidemic model. We highlight the feasibility and necessity of PoisonWorm and its application in an active defense system against Internet worms. Also, the technology of P2P-based unknown worm detection and signature verification is briefly introduced.