FIRST - Improving Security Together 18th Annual FIRST Conference - June 2006 - Baltimore, Maryland


Platinum Sponsor


Silver Sponsor


Local Host

CERT Coordination Center

Supporting Sponsors






Korea CertCC

  • A Distributed Intrusion Detection System Based on Passive Sensors

    Technical Track
    Wednesday – June 28th, 16:00

    SURFnet is a very high-speed network which connects the networks of Dutch universities, colleges, research centers, academic hospitals and scientific libraries to one another and to other networks in Europe and the rest of the world. SURFnet handles many computer security incidents in which a SURFnet...

    Authors & presenters: Rogier Spoor  Presenter (SURFnet-CERT – SURFnet, NL)

  • A Framework for Effective Alert Visualization

    Technical Track
    Friday – June 30th, 14:30

    Any organization/department that provides security typically deals with a large volume of alerts and logs generated from a variety of sources. These could originate from firewalls, intrusion detection/prevention devices and agents, vulnerability scanners, etc. It would seem like a good idea to apply...

    Authors & presenters: Jon Ramsey, Uday Banerjee  Presenter (SWRX CERT – SecureWorks, US)

  • A Strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems

    Business/Management Track
    Wednesday – June 28th, 15:00

    Early warning and detection mechanisms including distributed intrusion detection systems and honeynets are often deployed to detect new worm and virus infected machines. In a large enterprise network, especially in universities with more than 30,000 online nodes, it is often a challenge to cost-effectively...

    Authors & presenters: Steven Sim Kok Leong  Presenter (NUSCERT – National University of Singapore, SG)

  • Automated Extraction of Threat Signatures from Network Flows

    Technical Track
    Wednesday – June 28th, 14:30

    The paper describes methods of automated threat signature generation from network flows. These methods are being implemented as part of the CERT Polska early warning ARAKIS project, and the paper is a follow up to the ARAKIS talk given at the FIRST 2004 Budapest conference. The paper identifies what...

    Authors & presenters: Piotr Kijewski  Presenter (CERT POLSKA – Research and Academic Computer Network in Poland, PL)

  • Behavioral Study of Bot Obedience using Causal Relationship Analysis

    Technical Track
    Wednesday – June 28th, 15:00

    Botnet discovery can be difficult, since the existence of a network is often discovered only after it used for widespread activity such as a DDoS or a phishing scam. Sharing intelligence on a potential botnet traffic is also problematic mainly due to data privacy issues.

    In this paper, we...

    Authors & presenters: Lari Huttunem, Pekka Pietikäinen  Presenter (University of Oulu, FI)

  • Botnets as Vehicle for Online Crime

    This presentation goes beyond simple explanation of what a botnet is and dives into specific bot technologies and how they are used in the commission of online crime. When the presentation is complete, attendees will have a better understanding of botnet technologies, how these technologies are leveraged...

    Authors & presenters: Aaron Hackworth  Presenter, Nicholas Ianelli  Presenter (CERT/CC – Carnegie Mellon University, US)

  • Building and Deploying Billy Goat: a Worm-Detection System

    Technical Track
    Thursday – June 29th, 14:00

    Billy Goat is a worm detection system widely deployed throughout IBM and several other corporate networks. We describe the tools and constructions that we have used in the implementation and deployments of the system, and discuss contributions which could be useful in the implementation of other similar...

    Authors & presenters: Diego Zamboni, James Riordan  Presenter, Yann Duponchel (IBM MSS – IBM Zurich Reserch Laboratory, CH)

  • CarmentiS - a German Early Warning Information System - Challenges and Approaches

    Business/Management Track
    Thursday – June 29th, 14:00

    In the last quarter of 2005, the German CERT-Verbund has started to implement an early warning information system (EWIS) called CarmentiS. Like in any known early warning information system, one building block of CarmentiS are decentralized sensor networks, which are building the backbone of the system....

    Authors & presenters: Jürgen Sander  Presenter (PRE-CERT – PRESECURE Consulting, GmbH, DE)

  • CERT's Virtual Training Environment: A New Model for Security and Compliance Training

    The CERT Virtual Training Environment (VTE, online at provides self-paced remote access to CERT’s suite of Information Assurance and Computer Forensics training material in virtual classroom and knowledge library formats. VTE follows a ‘read it, see it, do it’ instructional...

    Authors & presenters: James Wrubel  Presenter (CERT/CC – Carnegie Mellon University, US)

  • Counter-Forensic Tools: Analysis and Data Recovery

    Business/Management Track
    Thursday – June 29th, 14:30

    Among the challenges faced by forensic analysts are a range of commercial 'disk scrubbers', software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent...

    Authors & presenters: Matthew Geiger (CERT/CC – Carnegie Mellon University, US)

  • Designing and Developing an Application for Incident Response Teams

    Business/Management Track
    Wednesday – June 28th, 16:30

    Computer security incident response teams need to track incidents as they develop. To support day-to-day operations, teams need to be able to generate quick overviews of ongoing incidents, and they must be supported in their daily work by automating as much routine work as possible. AIRT is a web-based...

    Authors & presenters: Kees Leune  Presenter, Sebastiaan Tesink (Tilburg University, NL)

  • Design Your Network to Aid Forensic Investigation

    Technical Track
    Monday – June 26th, 14:00

    Although security and related tools have improved over the years, all too often the first signs of a compromise appear in the form of a trouble ticket or problem report. Even though many monitoring methods are available, when deployed, security teams quickly find themselves buried in data or very busy...

    Authors & presenters: Robert Sisk  Presenter (IBM MSS – IBM Corporation, US)

  • Effectiveness of Proactive CSIRT Services

    Business/Management Track
    Friday – June 30th, 14:00


    For the FIRST 2005 conference we put together a paper researching limitations related to the reactive CSIRT services, mainly the response to low priority incidents. As the PhD research project of Johannes Wiik continued [Wiik et al. 2005], the scope was broaden to study the limitations...

    Authors & presenters: Johannes Wiik, Jose Gonzalez (Agder University, NO), Klaus-Peter Kossakowski  Presenter (Software Engineering Institute, DE)

  • Evaluating CSIRT Operations

    Business/Management Track
    Monday – June 26th, 14:00

    This tutorial will discuss the reasons, outcomes, and benefits of evaluating incident management capabilities such as CSIRTs.

    Four different methodologies will be presented that can be used to evaluate various aspects of incident management capabilities.

    During the tutorial,...

    Authors & presenters: Audrey Dorofee  Presenter, Chris Alberts, Robin Ruefle  Presenter (CERT/CC – Carnegie Mellon University, US)

  • Honeypot Technology: Principles and Applications

    Technical Track
    Tuesday – June 27th, 14:00

    A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Based on this definition, we will introduce the topic with an overview of the evolution of this technology, from the beginning to the latest advances.

    This tutorial will cover in...

    Authors & presenters: Franck Veysset  Presenter, Laurent Butti  Presenter (France Télécom R&D, FR)

  • If You Don't Know What You Don't Know

    IT Security has per definition always been a re-active business. It is like having a castle, protecting the crown jewels with locked gates (firewalls) intrusion detection (the watch) and intrusion prevention methods (hot oil and peck, arrows, stones, dead horses etc) Preventing anyone unauthorized to...

    Authors & presenters: Arjen de Landgraaf  Presenter (Co-Logic Security, Ltd, NZ)

  • Keynote: Building Effective Relationships between CSIRTs and Law Enforcement

    Authors & presenters: Brian Nagel  Presenter (Assistant Director, Office of Investigations, U.S. Secret Service, US)

  • Keynote: Computer Security Incident Response - Past, Present, Future

    Authors & presenters: Richard Pethia  Presenter (CERT/CC – Carnegie Mellon University, US)

  • Keynote: Fixing Internet Security by Hacking the Business Climate

    Authors & presenters: Bruce Schneier  Presenter (Counterpane Internet Security, Inc., US)

  • Maximizing the Benefits of Intrusion Prevention Systems: Effective Deployment Strategies

    Business/Management Track
    Wednesday – June 28th, 16:00

    This paper discusses general intrusion prevention systems concepts and provides a context-based analysis of the techno-economic imperatives as the driver of this technology. Further, in light of the Gartner 2004 recommendations, the paper examines the security needs and functional requirements for enterprise...

    Authors & presenters: Calvin Miller, Charles Iheagwara, Farrukh Awan  Presenter, Yusuf Acar (District of Columbia Government, US)

  • Netflow Tools NfSen and NFDUMP

    Technical Track
    Wednesday – June 28th, 16:30

    For network security teams of any size, an accurate analysis of the traffic situation is essential. The well-known traffic graphs, do not give enough information especially to investigate security related incidents. To work with netflow data turned out to be a good balance between collecting and processing...

    Authors & presenters: Peter Haag  Presenter (SWITCH-CERT – The Swiss Education and Research Network, CH)

  • Proposal of RSS Extension for Security Information Exchange

    Business/Management Track
    Friday – June 30th, 14:30

    Unauthorized access intending to spread malware has been active and causing a lot of damage worldwide. In order to eliminate vulnerabilities and prevent unauthorized access, it is necessary to improve the way to distribute security information about computer software and hardware. When a new vulnerability...

    Authors & presenters: Masato Terada  Presenter (HIRT – Hitachi, JP)

  • RAPIER - A 1st Responders Info Collection Tool

    Technical Track
    Thursday – June 29th, 14:30


    RAPIER (Rapid Assessment & Potential Incident Examination Report) is a security tool built to assist in malware collection and analysis. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates...

    Authors & presenters: Joseph Schwendt  Presenter, Steven Mancini  Presenter (IFT – Intel Corporation, US)

  • Reliably Determining the Outcome of Computer Network Attacks

    Technical Track
    Wednesday – June 28th, 14:00

    Organizations frequently rely on the use of Network Intrusion Detection Systems (NIDSs) to identify and prevent intrusions into their computer networks. While NIDSs have proven reasonably successful at detecting attacks, they have fallen short in determining if attacks succeed or fail. This determination...

    Authors & presenters: Barry Mullins, David Chaboya  Presenter, Richard Raines, Rusty Baldwin (AFCERT – Air Force Institute of Technology, US)

  • Risk Analysis Methodology for New IT Service

    Business/Management Track
    Wednesday – June 28th, 14:00

    This research intends to provide a new risk management methodology that predicts the security of future oriented IT services and help to create a counter strategy in advance. The proposed methodology is founded on domestic as well as foreign methodology and information protection reference model ITU-T...

    Authors & presenters: Jun Heo  Presenter, Yoojae Won (KrCERT/CC – Korea Information Security Agency, KR)

  • Secure Coding in C and C++

    Technical Track
    Monday – June 26th, 09:10

    Secure Coding in C and C++ provides practical advice on secure practices in C and C++ programming. Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming.

    Authors & presenters: Robert Seacord  Presenter (CERT/CC – Carnegie Mellon University, US)

  • The Impact of Honeynets for CSIRTs

    Business/Management Track
    Wednesday – June 28th, 14:30

    For the daily work of a CSIRT it is of major importance to know which vulnerabilities are currently abused to compromise computers and to timely warn the constituency if a zero-day exploit is found. Besides the traditional incident response work, honeypots have shown to become more important to follow...

    Authors & presenters: Jan Kohlrausch  Presenter, Jochen Schönfelder (DFN-CERT – DFN-CERT Services GmbH, DE)

  • The Network-Centric Incident Response and Forensics Imperative

    Business/Management Track
    Friday – June 30th, 15:00

    Security staff often take a host-centric approach to determining the scope and damage of computer intrusions. Standard forensics techniques are hard-drive centric, with collection and analysis of live data only gradually being adopted. This presentation offers a complementary set of practices focusing...

    Authors & presenters: Richard Bejtlich  Presenter (TaoSecurity, US)

  • The Survivability and Information Assurance (SIA) Curriculum

    Today’s professional system and network administrators are increasingly challenged to make computer and network security a greater part of their overflowing set of daily activities. In response to this trend, the Software Engineering Institute (SEI1), specifically the CERT® Program2, has designed a three-course...

    Authors & presenters: Lawrence Rogers  Presenter (CERT/CC – Carnegie Mellon University, US)

  • Threats of P2P File Sharing Software - a Japanese Situation About "Winny"

    Business/Management Track
    Wednesday – June 28th, 17:00

    Information leakage incident (especially for important confidential one) has been increased in Japan. Most of those incidents are caused by a virus named "Antinny" which is a name of virus developed for P2P file sharing software "Winny". Winny is a name of P2P file sharing software. In this presentation,...

    Authors & presenters: Keisuke Kamata  Presenter, Yuichi Miyagawa (JPCERT/CC – JPCERT Coordination Center, JP)

  • Time Signatures to Detect Multi-headed Stealthy Attack Tools

    Technical Track
    Friday – June 30th, 15:00

    In this paper, we present a method to detect the existence of sophisticated attack tools in the Internet that combine, in a misleading way, several exploits. These tools apply various attack strategies, resulting into several different attack fingerprints. A few of these sophisticated tools have already been...

    Authors & presenters: Fabien Pouget  Presenter (CERTA – French Government, FR), Guillaume Urvoy-Keller, Marc Dacier (Institut EURECOM, FR)

  • VisFlowConnect-IP : A Link-Based Visualization of NetFlows for Security Monitoring

    Network traffic dynamics have become an important behavior-based approach to assist security administrators in protecting networks. In this paper/presentation we present VisFlowConnect-IP, a link-based network flow visualization tool that allows operators to detect and investigate anomalous internal...

    Authors & presenters: William Yurcik  Presenter (NCSA-IRST – National Center for Supercomputing Applications, US)

  • Worm Poisoning Technology and Application

    Technical Track
    Friday – June 30th, 14:00

    Current strategy against Internet worms is similar to capturing mouse using mousetrap, that is, to clip the occasionally passing mouse and never release until it dies. However, this strategy is less effective than that of spreading pest control chemicalst to cause a plague among cockroach group. For...

    Authors & presenters: Cui Xiang  Presenter, Wu Bing, Yonglin Zhou, Zou Xin (CNCERT/CC – National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)