The 11th Annual FIRST Conference on
Computer Security Incident Handling and Response

June 13 to June 18, 1999
Brisbane, Australia

Tutorial Content and Tutor's Biographies


Monday, June 14, 1999
Black Hats Session

09:00 - 15:30 Primary Tutorial Track: Black Hats Session (three quarter day tutorial, including 1 refreshment break and lunch)
Instructors: Ir. Walter Belgers (Origin), Hans van de Looy


The attendees of the FIRST '99 conference will probably all be White Hats, or simply 'the good guys'. This lecture by Belgers and Van de Looy will give the Black Hats' viewpoint, i.e. that of the crackers who are trying to break into your computers.

As somebody once said: "the amount of clue on the Internet is a fixed constant". Indeed, the percentage of people on the Internet who are really hacking is decreasing. However, the bad thing is that we now have a new phenomenon: the script kiddies. Using standard exploit scripts and detailed descriptions they can easily attack thousands of systems with only minimal effort.

This Black Hats Session will highlight the problems that exist in present operating systems and application software, and in how administrators set up and operate them. These problems will be discussed not only at a high level (buffer overflows, denial of service attacks, privileges, sniffing, security through obscurity, etc.) but also at a tangible level (ypx, insecure default settings, portmapper, sendmail, etc.).

Not only will the problems be talked about; hints will also be given on how to keep your systems from being vulnerable. A large part of the lecture will therefore be about tools to discover and prevent break-in attempts (such as SATAN, COPS, tcp wrappers, firewalls, encryption, etc.).

After the lecture, attendees will have insight into the methods used to break into computer systems, and common examples of these methods. They will also have a set of tools and methods that can help prevent, detect and limit the effects of break-ins.


Ir. Walter Belgers (29) lives in Eindhoven, the technological centre of the Netherlands. His interest in the Internet and UNIX started in 1988. During his studies he wrote his first article, "UNIX Password Security". In 1994 he got his degree in Computing Science and started working as Internet Specialist for Philips Communications and Processing Services. In 1995 Philips C&P merged with BSO to form Origin, the largest Dutch IT company. Walter now mainly works on secure access (firewalls, VPN) and scalable remote management. His interests include security in its broadest sense, music and swimming.

Hans van de Looy (37) lives in Utrecht, the geographical centre of the Netherlands. He has been hacking the C language and the UNIX operating system since 1979 and has not stopped since. His private home network still contains several computers running different flavors of that operating system (besides NT and a small Plan 9 machine to play with). In the mid-1980s he finally got intermittent access to the Internet. Since his graduation in 1984 he has worked for several companies in various roles, ranging from senior software developer at a nuclear science development site to development manager for a telecommunications company and product manager for a high-end computer manufacturer. Recently he joined Roccade Finance as a senior consultant, working in the field he could never quite leave behind: computer and network security. His interests include, but are not limited to, security in its broadest sense, music and sailing.


Monday, June 14, 1999
Computer Forensics

09:00 - 12:30 Advanced Tutorial Track: Computer Forensics (half day tutorial, including 1 refreshment break)
Instructors: Prof. George Mohay (Queensland University of Technology), Rodney McKemmish (Queensland Forensic Computing Examination Unit), Dr. Alison Anderson (Queensland University of Technology), Byron Collie (Directorate of Information Warfare, Headquarters Air Command), Olivier de Vel (Defense Science and Technology Organization)


Computer forensics has become critically important in recent times with the increase in computer crime and increased expectations of law enforcement and legal systems in 'bringing the criminals to justice'. Recent conferences elsewhere (e.g. ACSAC 98, Scottsdale, Arizona) have recognized professional interest in the area of Computer Forensics, from workers in security, from IT researchers, from law enforcement agencies and in the legal system.

Consequently, this half-day Workshop concentrates on the topic with presentations addressing:
- the Law (in Australia) with respect to computer seizure procedures;
- recent computer forensics cases that have come to court and lessons to be learnt;
- the nature and adequacy of tools for computer forensics;
- law enforcement agency perspectives of computer forensics.

The presentations are as follows:
1. Forensic Computing Tools: their Nature, Adequacy and Development (by Rodney McKemmish)
2. Moment of Truth: The Admissibility and Weight of Computer Forensic Evidence in the Australian Legal System (by A. Anderson, co-authors: G. Mohay, L. Smith, A. Tickle, S. Gillett, I. Wilson - all Queensland University of Technology)
3. Intrusion Investigation and Post-Attack Forensic Analysis (by Byron Collie)

The presentations will be followed by a panel discussion of the hot issues:
- directions for Computer Forensics
- current limitations and research required
- adequacy of present laws in dealing with Computer Forensics

The workshop proposers have had extensive experience with computer security and intrusion detection and are currently involved with a number of Computer Forensics initiatives. They are consequently well placed to bring together the invited speakers and expertise required to make this an informative session for both the broad computer security community and, perhaps more importantly, for professionals working in Computer Forensics so as to allow them to focus on critical issues which need to be addressed for further progress.


George Mohay is Associate Professor and Head of School of Computing Science at the Queensland University of Technology in Brisbane, Australia. His teaching and research interests lie in the areas of concurrency, distributed systems and security. He has supervised PhD and Masters students in the areas of security, operating systems and distributed systems and has published and presented papers and attracted research funding in these and related areas. He has also co-authored an advanced textbook on Modula-2 for systems programming and serves on course accreditation committees, and as a referee for research funding bodies, journals and international conferences.

Dr Alison Anderson is Senior Lecturer in the School of Information Systems at the Queensland University of Technology. Her research interests include information security risk modelling and new techniques for expressing dependence on information.


Monday, June 14, 1999
Computer Virus Operation and New Directions

13:30 - 18:00 Advanced Tutorial Track: Computer Virus Operation and New Directions (half day tutorial, including 2 refreshment breaks)
Instructors: Klaus-Peter Kossakowski (Secunet), Prof. Emilia Rosti (CERT-IT), Roger Safian (Northwestern University)
Authors: William J. Orvis (CIAC), Ron Moritz CISSP CISA (Finjan Software, Ltd.)

Abstract: (exact content subject to change because of a change in presenters)

This presentation is in four parts:

The first part is a presentation discussing how computer viruses work, where they hide in computer systems and how they prevent you from finding them. This presentation will cover PC/Windows viruses, Macintosh viruses, Macro viruses, Hoaxes, and Jokes.

Following the presentation is a demonstration of a virus infection of a real system. Attendees will see the virus infect the target system and then use stealth techniques to make itself difficult to detect. A second infection will be performed with a macro virus, showing the infection process and payload.

In the third part the issue of "mobile code" will be addressed:
* explore the problems associated with and alternatives available for allowing untrusted code to execute on the corporate network;
* examine both the current and historical security issues associated with mobile code;
* describe the risks of executable content within the context of new client-server computing;
* explain Java JDK 1.2 security, author certification, and capability signing models;
* demonstrate threats associated with mobile code technology;
* provide guidance for using mobile code on the corporate network through a roadmap for mobile code deployment; and
* review mobile code security solutions available today.

In the fourth part current trends (including Melissa) and future developments will be discussed.


Klaus-Peter Kossakowski is a senior consultant and project manager at SECUNET, an IT security provider; and he is a visiting scientist within the CERT Coordination Center based at the Software Engineering Institute (SEI). Kossakowski's work currently involves incident response services, intrusion detection, network security, and security improvement. Kossakowski has worked in the security field for more than 10 years. In 1988 he was one of the first members of the Virus Test Center in Hamburg (headed by Prof. Klaus Brunnstein) where he focused on malicious network programs. He was involved with DFN-CERT (the first German CSIRT for an open network) from its inception. From January 1993 until he left DFN-CERT at the end of 1997, he managed the DFN-CERT team, which was modeled after the CERT Coordination Center. He successfully led the team from a research effort to a functional and well-respected entity in the CSIRT community.
Kossakowski's particular interests in the CSIRT arena are international issues, cooperation, and establishing a CSIRT infrastructure. As the co-chair of the IETF working group "Guidelines and Recommendations for Incident Processing" (GRIP), he has been involved with the development of several RFCs since 1994. Together with Don Stikvoort he initiated a closer cooperation among European CSIRTs and organized several annual meetings to support these. His vocal role in the European CSIRT community resulted in him becoming chair of a TERENA task force, "CERTs in Europe". This task force outlined the concept and service definition of a European CSIRT Coordination Center. Resulting from this effort, EuroCERT was implemented in late 1996. He was elected as a member of the Forum of Incident Response and Security Teams (FIRST) Steering Committee in 1997, and in this role he actively supports international CSIRT cooperation and the move of FIRST toward a new organizational structure.
Kossakowski is in the process of completing his Doctorate in Information Technology (Incident Response Capabilities). He holds a first-class degree in Information Science from the University of Hamburg. Kossakowski is a member of the Internet Society (ISOC), the Information Systems Security Association (ISSA), and the German "Gesellschaft fuer Informatik e. V." (GI).

Prof. Emilia Rosti teaches at Milano University and is a member of CERT-IT, the Italian CERT.

Roger Safian is the Information Security Coordinator at Northwestern University, where he has worked, taught and attended classes for the last 15 years. He founded Northwestern University's FIRST team and has been its representative since they became members in 1995. He has been a member of the FIRST Steering Committee since 1996.

William Jay Orvis received his BS and MS degrees in Physics from the University of Denver in 1973 and 1976 respectively. He has worked at the Idaho National Engineering Laboratory (INEL) and the Lawrence Livermore National Laboratory (LLNL). His research includes nuclear reactor instrumentation, design and modeling of solid state and vacuum microelectronic devices. He is a member of the Computer Incident Advisory Capability (CIAC). He is the author of more than 10 books on computers and engineering.

Ron Moritz is Director of the Technology Office at Finjan Software where he serves as primary technology visionary. As a key member of the senior management team interfacing between sales, marketing, product management, and product development, Ron helps establish and maintain the company's technological standards and preserve the company's leadership role as a developer of advanced Internet security solutions. Ron was instrumental in the organization of Finjan's Java Security Alliance and established and chairs Finjan's Technical Advisory Board. He is currently chairing the Common Content Inspection API specification initiative. Ron is one of a select group of Certified Information Systems Security Professionals. Ron earned his M.S.E., M.B.A., and B.A. from Case Western Reserve University in Cleveland, Ohio.
Ron has served in various capacities, including president, with both the North Coast chapter of the Information Systems Security Association and the Northeast Ohio chapter of the Information Systems Audit and Control Association. He has lectured on web security, mobile code security, computer ethics, intellectual property rights, and business continuity and resumption planning. Ron is a member of the SOCKS Summit 1998 technical advisory faculty. Over the past year, his presentation on mobile code security has been well received at the European Security Forum (London), the FBI's InfraGuard Conference (Cleveland), CSI's NetSec (San Antonio), MISTI's WebSec Europe (London), and RSA Data Security (San Francisco). His most recent article, "Enabling Safer Deployment of Internet Mobile Code Technologies," is scheduled for publication in the forthcoming Handbook of Internet Management by Auerbach (CRC Press).


Monday, June 14, 1999
Will the real owner of this IP address please stand up?

16:00 - 18:00 Primary Tutorial Track: Will the real owner of this IP address please stand up?
Instructors: Jeffrey J. Carpenter (CERT/CC), Brian P. Dunphy (ASSIST)


Once you have identified an IP address involved in an incident, how do you determine which organisational entity owns that IP number, and where the machine(s) using it are actually located? This tutorial will discuss the issues involved in finding the organisational owner and security contact for an IP number, and how accurate and trustworthy that information may be. It will also discuss ways in which the real owner and location of a machine using an IP address can be masked, either intentionally or unintentionally.
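The following example is added by the editor and is not part of the tutorial. It shows the two checks that underlie the question above, run against a small constructed data set rather than live WHOIS or DNS so that it works offline: first, a longest-prefix match over hypothetical registry allocations, which is why the most specific reassignment, not the parent block, names the responsible party; second, a forward-confirmed reverse DNS (FCrDNS) check, because the PTR record for an address is published by whoever controls the reverse zone and can claim any name at all. The allocations, contacts, host names and addresses are all constructed (documentation ranges 192.0.2.0/24 and 198.51.100.0/24).

```python
# Added example: attributing an IP address to an owner and contact, and checking
# whether its reverse DNS can be believed. All registry data and DNS records
# below are constructed for the demonstration; nothing is looked up over the network.
import ipaddress

# Hypothetical registry allocations (CIDR, organisation, abuse/security contact).
# The /28 is a reassignment carved out of the /24 by the hosting company.
ALLOCATIONS = [
    ("192.0.2.0/24", "Example Hosting Ltd", "abuse@hosting.example"),
    ("192.0.2.0/28", "Customer A Pty Ltd", "security@customer-a.example"),
]

# Hypothetical DNS data: PTR names keyed by address, A records keyed by name.
PTR_RECORDS = {
    "192.0.2.10": "mail.customer-a.example",   # genuine: forward record points back here
    "192.0.2.20": "www.bank.example",          # forged PTR: bank.example never used this address
    "192.0.2.30": None,                        # no reverse record published
}
A_RECORDS = {
    "mail.customer-a.example": ["192.0.2.10"],
    "www.bank.example": ["198.51.100.5"],
}


def reverse_name(ip):
    """The name actually queried for a PTR lookup, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def most_specific_allocation(ip, allocations=ALLOCATIONS):
    """Longest-prefix match: the narrowest allocation containing ip, or None.

    A registry WHOIS/RDAP answer for an address usually lists both the parent
    block and any reassignment; the reassignment is the party to contact.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, org, contact in allocations:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org, contact)
    return None if best is None else (str(best[0]), best[1], best[2])


def fcrdns(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS.

    Returns ('confirmed', name) when the PTR name resolves back to ip,
    ('mismatch', name) when it does not (treat the name as an unverified claim),
    or ('no-ptr', None) when there is no reverse record at all.
    """
    name = ptr.get(ip)
    if name is None:
        return ("no-ptr", None)
    if ip in a.get(name, []):
        return ("confirmed", name)
    return ("mismatch", name)


def attribute(ip):
    """Combine both checks into one record an incident handler can act on."""
    alloc = most_specific_allocation(ip)
    status, name = fcrdns(ip)
    return {
        "ip": ip,
        "block": alloc[0] if alloc else None,
        "owner": alloc[1] if alloc else None,
        "contact": alloc[2] if alloc else None,
        "ptr": name,
        "ptr_status": status,
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        rec = attribute(ip)
        print("%s  %-14s %-22s %-30s ptr=%s (%s)" % (
            rec["ip"], rec["block"], rec["owner"], rec["contact"], rec["ptr"], rec["ptr_status"]))
```

Even a confirmed PTR only tells you what the owner of the reverse zone chose to publish, and the registry contact can be stale or point at an upstream provider; both are starting points for the contact process the tutorial describes, not proof of who operates the machine. Addresses seen behind NAT, proxies or dial-up pools are the unintentional masking case: the allocation is correct but identifies a gateway, not the host.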


Jeffrey J. Carpenter is the team leader for incident response on the CERT Operations team, part of the CERT Coordination Center (CERT/CC). He has been with the CERT/CC since 1995. As the incident response team leader, Jeffrey manages the staff that provide technical assistance to Internet sites that have computer security issues, concerns, or have experienced a computer security compromise. He also presents tutorials on Internet security issues and participates in information security evaluations. In addition, Jeffrey supports the CERT/CC computing infrastructure with his work on CERT computing resources and the development of specialized computing tools.
Before joining the CERT/CC, Jeffrey was a systems analyst for the University of Pittsburgh, where he was responsible for many of the UNIX-based services provided by the computer center. He also was one of the designers of the University's distributed UNIX environment. Jeffrey has earned a bachelor's degree in Computer Science.

Brian P. Dunphy is a Defensive Information Operations Officer for the Defense Information System Agency's ASSIST. He has been with ASSIST since 1996.
As a member of ASSIST's Information Assurance Defense Cell, Brian handles Department of Defense network incidents in cooperation with various law enforcement agencies. Brian fields technical computer security questions, and provides ASSIST with internal tools, incident handling procedures, and infrastructure support. Brian has earned a bachelor's degree in Electrical and Computer Engineering.


Thursday, June 17, 1999
Secure Shell (SSH) Tutorial

14:00 - 16:00 Primary Tutorial Track: Secure Shell (SSH)
Instructor: Steve Acheson (Cisco Systems)


The tutorial will examine SSH from introduction through implementation.
SSH, the Secure Shell program, has matured into a popular and powerful tool for secure system access and for securely performing remote functions, such as rdist. This tutorial will help you navigate the many ssh features and related software and will show how to use SSH in a large networked environment. The class will focus on:
- SSH features and authentication methods
- Overview of the different versions (both public and commercial)
- How to secure X11 connections using SSH
- How to do secure port forwarding with SSH
- Software available for use with SSH (e.g. rdist, rsync)
- How to implement SSH in a large networked environment


Thursday-Friday, June 17-18, 1999
Risk Avoidance and Risk Management

Thursday 14:00 - 16:00 Advanced Tutorial Track: Risk Avoidance and Risk Management : Phrenology in Cyberspace - First half of tutorial.
Instructor: Bob Ayers (Admiral Management Services)
Friday 09:00 - 13:00 Second half of tutorial, including 1 refreshment break.


The tutorial will examine:

1. Why DoD Information Security efforts Failed:
A detailed recapitulation of the evaluation process that led to the much publicised conclusion that the US Department of Defense had been attacked and penetrated over 250,000 times in 1995. The question "Why, after so many years of major investment in security, was the DoD so vulnerable to successful attack?" will be answered.

2. Why Risk Avoidance failed:
The underlying causes and reasons why Risk Avoidance, the "Orange Book" and the NCSC all failed as a security management approach will be examined and explained.

3. Why Risk Management will fail:
The reasons why the currently in-vogue philosophy of Risk Management will also fail will be examined and explained.

4. Dynamic Security Management:
The concept of Dynamic Security Management will be introduced. The argument that "Time" is the only viable metric for assessing the adequacy of security will be made and justified. The "PDR Model" of

"Protection(t) > Detection(t) + Reaction(t)" (where "t" equals time)

will be examined in detail.

5. An examination of the interrelationship between the security functions of "Protection", "Detection" and "Reaction" will be made, and the advantages of the PDR Model in making cost-effective security decisions demonstrated. The technical and managerial requirements to implement a successful Dynamic Security Management program will be discussed.
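As an added illustration of the PDR Model (editor-supplied example code, not material from the tutorial), the functions below treat each term as a time and report the exposure window, the period an attacker holds after Protection(t) is defeated and before Detection(t) and Reaction(t) have both completed, then rank hypothetical investments by how much exposure they remove per unit of cost. All hours, costs and option labels are constructed for the demonstration.

```python
# Added example: working with the PDR Model, Protection(t) > Detection(t) + Reaction(t).
# All figures (hours, costs, option labels) are hypothetical, constructed for the demonstration.

def exposure_hours(p, d, r):
    """Attacker's unimpeded window: time after protection is defeated (p) until
    detection (d) plus reaction (r) have both completed. Zero when the model holds."""
    return max(0.0, (d + r) - p)


def pdr_holds(p, d, r):
    """True when Protection(t) > Detection(t) + Reaction(t), i.e. no exposure window."""
    return p > d + r


def rank_investments(baseline, options):
    """Rank candidate investments by exposure hours removed per unit cost.

    baseline: (p, d, r) in hours.
    options:  list of (label, cost, p, d, r) giving the times after the investment.
    Returns a list of (label, cost, hours_removed, hours_removed_per_cost), best first.
    """
    base = exposure_hours(*baseline)
    scored = []
    for label, cost, p, d, r in options:
        removed = base - exposure_hours(p, d, r)
        per_cost = removed / cost if cost else float("inf")
        scored.append((label, cost, removed, per_cost))
    return sorted(scored, key=lambda row: row[3], reverse=True)


# Hypothetical baseline: protection buys 8 h, logs are reviewed once a day (24 h),
# and the team needs 4 h to contain an incident once it is known.
BASELINE = (8.0, 24.0, 4.0)

# Hypothetical options, each changing exactly one of the three terms.
OPTIONS = [
    ("stronger protection", 50.0, 16.0, 24.0, 4.0),   # double the time protection holds
    ("real-time detection", 40.0, 8.0, 1.0, 4.0),     # detection within an hour
    ("faster reaction", 10.0, 8.0, 24.0, 1.0),        # containment in one hour
]

if __name__ == "__main__":
    print("baseline exposure: %.0f h" % exposure_hours(*BASELINE))
    for label, cost, removed, per_cost in rank_investments(BASELINE, OPTIONS):
        print("%-20s cost %5.0f  removes %4.0f h  (%.2f h per unit)" % (label, cost, removed, per_cost))
```

The ranking shows the tutorial's argument in miniature: with detection measured in days, doubling protection still leaves a half-day window, whereas bringing detection down to an hour closes the window entirely at lower cost.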


Bob Ayers is now a Security Consultant for Admiral Management Services in the UK after a 29-year career with the US DoD. His principal IT security assignments were with the Defense Intelligence Agency, where he served as Chief of the DoD Intelligence Information System (DoDIIS) Computer Security Program. During this assignment Bob developed and implemented new methodologies to ensure the security of over 40,000 computers processing highly classified intelligence information. While at the DIA, Bob also founded the DoD CERT, also known as the Automated Systems Security Incident Support Team (ASSIST). Noted for his work in DoDIIS information systems security, the US Assistant Secretary of Defense for Command, Control, Communications and Intelligence selected Bob to create and manage a 155-person, $100M/yr DoD-wide program to make systemic improvements to all aspects of DoD IT security, including security policy, penetration testing, incident response, certification and accreditation, training and education, architecture and engineering, and multi-level security. Bob has also served as Chief of the DoD Defensive Information Warfare Program Management Office, where he managed a program to protect DoD computers from hostile attack.


Friday, June 18, 1999
Creating an Incident Response Team

09:00 - 13:00 Primary Tutorial Track: Creating an Incident Response Team (half day tutorial, including 1 refreshment break)
Instructors: Rob McMillan (AusCERT)
Authors: Sandy Sparks (CIAC), Marianne Swanson (NIST)
Tutorial including presentation of "FedCIRC Today: The U.S. Government's Approach to Incident Response" by Judith A. Spencer (Director of FedCIRC)


This session addresses the administrative and technical issues involved in establishing an incident handling capability. It is designed for security, systems, and network specialists responsible for managing and ensuring the availability and integrity of an organization's information systems. As a case example, and as an update on FedCIRC, Judith A. Spencer, Director of the Center for Governmentwide Security, will present "FedCIRC Today: The U.S. Government's Approach to Incident Response".

Outline of tutorial:
Planning a Computer Security Incident Handling Capability:
- The role of organizational goals and structure
- Roles and responsibilities
- Infrastructure requirements
- Funding options, or making a business case
- Reporting requirements
- Policy issues
Operating a Computer Security Incident Handling Capability:
- Staffing
- Administrative procedures
- Incident handling procedures
- Testing the incident handling capability
- Communications to users and others
- Information collection and handling
- Protecting your incident response activity
- Legal issues
Lessons learned from agency experiences in establishing incident response teams will be included.

The FedCIRC case in short: On October 1, 1998, FedCIRC transitioned from a pilot initiative to an operational program. Using lessons learned during the pilot phase a new Charter and Concept of Operations were devised. Management moved from the National Institute of Standards and Technology (NIST) to the General Services Administration (GSA). FedCIRC focuses on key requirements necessary for providing a government-wide capability for computer incident response and handling. To accomplish this mission successfully, FedCIRC established partnerships with industry, academia, Department of Defense, law enforcement and other Federal Civil agencies to create a virtual team of professionals dedicated to the protection of the nation's IT infrastructure.


Rob McMillan is a Senior Security Analyst with AusCERT, an organisation he co-founded in 1993. Before starting his second term of employment at AusCERT he spent three and a half years addressing Internet security issues at Carnegie Mellon University's CERT Coordination Center in the United States, an organisation sponsored by the United States Department of Defense. Previous assignments at other organisations have included the creation of security policies and other operational security functions. He's written papers and articles on a range of computer network security topics, and co-authored an article for the Encyclopedia for Telecommunications. He is an active participant in Copyright Law reform in Australia and its effects on computer and network security, and also pursues an interest in the defence of the National Information Infrastructure.

Ms. Sandra L. Sparks has worked in the computing industry for 18 years as an employee of Lawrence Livermore National Laboratory (LLNL). As a computer scientist at LLNL, she has experience in databases, end-user systems, training and consulting. Since 1993 she has been Project Leader for the Computer Incident Advisory Capability (CIAC), the Department of Energy's (DOE) official incident response team, which serves all of DOE including LLNL. Since 1997 she has also been Project Leader for the Federal Computer Incident Response Capability--West (FedCIRC--West), which provides federal civilian agencies with technical assistance and incident handling support. These teams provide incident handling, vulnerability assessments, plus awareness, education and training for the entire DOE/DOE-contractor complex and the federal civilian agencies.

Judith Spencer is the Director, Center for Governmentwide Security in the Office of Information Security, Federal Technology Service, General Services Administration. She has been involved with Information Systems Security for over 20 years, beginning as a Communications Security Repair Technician in the U.S. Army. She has been with the General Services Administration for 15 years, providing information systems security services to U.S. Federal agencies on a global basis. In addition to FedCIRC, she administers the public key technology initiatives and disaster emergency response capabilities for the General Services Administration.

Last modified: 6 June 1999

Copyright 1999 by FIRST.ORG, Inc. / Contact: